CompTIA® Network+ Exam Notes : Network Security Threats

4. Network Security

4.4 Common networking attacks

Network attacks:

DoS (Denial-of-Service): A DoS attack is an explicit attempt to keep legitimate users from a system or service by exhausting what it needs to stay available (bandwidth, connection state, CPU, memory), typically aimed at mission-critical services. Physical and host-based intrusions are generally addressed through hardened security policies and authentication mechanisms, and software patching defends against attacks that exploit a specific bug, but neither safeguards against flooding attacks: these exploit the unregulated forwarding of Internet packets, since the Internet architecture provides no admission control on the path to a victim host. Floods therefore have to be absorbed or filtered (rate limiting, upstream filtering, spare capacity) rather than patched away.


Smurf attack: A denial-of-service attack in which the attacker sends ICMP echo requests (pings) to a network's broadcast address with the source address spoofed to be the victim's. Every host on that network replies to the victim, so one request is amplified into many replies. Routers that do not forward directed broadcasts (and hosts that ignore broadcast pings) remove the amplifier.

Social engineering: Social engineering is the skill an attacker uses to trick an innocent person, such as an employee of a company, into doing them a favor. For example, the attacker may approach a secured entrance with both hands full of packages and ask someone with legitimate access to hold the door open. Social engineering is considered the most successful tool hackers use, because it bypasses technical controls entirely.

Defense against social engineering may be built by:

  • Including instructions in your security policy for handling it, and
  • Training employees in what social engineering is and how to deal with it.

Examples of social engineering:

1. Phishing: Phishing is the act of sending an e-mail that claims to come from a reputable organization (such as a bank) in an attempt to scam the recipient into providing information over the Internet. The e-mail directs the user to a Web site where they are prompted to enter private information, such as credit card and bank account numbers, that the legitimate organization already has and would never request by e-mail. The Web site, however, is bogus and set up only to steal the user's information.

In short, phishing is the practice of enticing unsuspecting Internet users to a fake Web site with authentic-looking e-mail carrying the legitimate organization's name, in an attempt to steal passwords, financial or personal information, or to deliver malware.

2. Piggybacking (also called tailgating): Another type of social engineering. The intruder poses as a new recruit or as a guest of your boss and follows an authorized person through a controlled door, entering the protected premises on that person's access rather than their own.
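The phishing description above rests on one detail: the link in the mail does not go where it appears to go. The following added example (written for these notes, not code from the original page) inspects the links in an HTML e-mail the way a mail gateway or an analyst would, flagging a brand name buried in somebody else's domain, a raw IP address, a punycode host, and link text that shows a different site from the href. The message body, the trusted-domain list and the attacker domain are constructed for illustration.

```python
"""Inspect the links in a phishing-style e-mail.

Added example for these notes (not code from the original page). The e-mail
body and the trusted-domain list below are constructed for illustration; a
real deployment would take the body from the mail gateway and the domains
from the organization's inventory.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name: a crude stand-in for the registrable
    domain (a real tool would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, trusted_domains):
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if not host:
        reasons.append("no host in href")
        return reasons
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible homograph of a real name")
    if all(c in "0123456789." for c in host):
        reasons.append("raw IP address instead of a domain name")
    if registered_domain(host) not in trusted_domains:
        # The bank's name used as a label inside somebody else's domain,
        # e.g. examplebank.com.login-verify.example
        brands = [d.split(".")[0] for d in trusted_domains]
        if any(b in host for b in brands):
            reasons.append(f"trusted brand name inside untrusted host {host!r}")
        else:
            reasons.append(f"host {host!r} is not a trusted domain")
    # Link text that shows one address while the href goes somewhere else
    shown = text.lower()
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"link text shows {shown_host!r} but href goes to {host!r}")
    return reasons


def scan_email(html_body, trusted_domains):
    """Map each suspicious href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text, trusted_domains)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message; the domains and addresses are illustrative only.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
<p><a href="http://examplebank.com.login-verify.example/secure">https://www.examplebank.com/login</a></p>
<p><a href="http://192.0.2.10/reset">Reset your password now</a></p>
"""
TRUSTED = ["examplebank.com"]  # assumption: the organization's real domain

if __name__ == "__main__":
    for href, why in scan_email(SAMPLE_EMAIL, TRUSTED).items():
        print(href)
        for reason in why:
            print("  -", reason)
```

The first link is clean; the second is flagged twice (brand name inside an untrusted domain, and link text that disagrees with the href); the third is flagged for pointing at a bare IP address. The two-label approximation in registered_domain is deliberate simplification: for country-code domains such as .co.uk a real tool needs the Public Suffix List.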

Virus: A computer virus attaches itself to a program or file so that it can spread from one computer to another. Almost all viruses are attached to an executable file, and the virus cannot infect your computer unless you run or open the infected program; a virus cannot spread without a human action (such as running an infected program) to keep it going. Once running, it propagates by infecting other programs residing on the system. Viruses can inflict serious damage, such as erasing your files or your whole disk, or they may do something lighter, such as popping up a window with a message.

Worm: Worms also spread from computer to computer, but unlike a virus, a worm travels without any help from a person. The danger of a worm is its capability to replicate itself: where a virus infects one file at a time through a user's action, a worm can send out hundreds or thousands of copies of itself over the network, with a devastating effect. Replication relies on a security flaw in the operating system or in an application running on the system (typically an exposed network service), which is why patching and firewalling such services is the primary defense.

Trojan Horse: A Trojan horse at first glance appears to be useful software but does damage once installed or run on your computer. Victims are usually tricked into opening it because it appears to be legitimate software or a file from a legitimate source; the term is a general one for programs that look innocent but are actually harmful. For example, a download described as "birthday greetings" may, when you run it, damage important files or even make the computer unusable. The Trojan's payload can also be a virus or worm, which then spreads the damage further. Unlike viruses and worms, a Trojan does not replicate on its own.

Logic bomb: A logic bomb is malicious code that lies dormant until a specific condition is met, such as a date, a time, or a particular event (a certain account being deleted, for example), and only then executes its payload. It can be delivered as part of a virus or Trojan horse; what distinguishes it is the delayed, condition-based activation.


Viruses, worms, and Trojan horses are all harmful pieces of software. They differ in how they infect computers and how they spread.

Zero day attack: A zero day attack, also known as a zero hour attack, takes advantage of a vulnerability for which no fix is yet available. Typically, a software company discovers a bug or problem with a piece of software after it has been released and offers a patch, another piece of software meant to fix the original issue. A zero day attack exploits the problem before a patch has been created. It is named zero day because the vendor has had zero days to fix the flaw: it is exploited before, or on the day, the vulnerability becomes known to them.

For detecting spyware and viruses, one needs to install anti-spyware and anti-virus programs. Installing the latest updates to the operating system protects your system from exploits of known vulnerabilities (such as gaining back-door entry through a flawed service), but not necessarily from a downloaded virus or spyware that the user runs.

An anti-virus package is required for scanning for viruses. A virus is malicious code that replicates itself without the knowledge of the user; sometimes a virus is destructive.

Rogue access point: A rogue access point is a Wi-Fi access point set up without authorization, either by an attacker for the purpose of sniffing or hijacking wireless network traffic, or by an employee who plugs a consumer AP into the wired network for convenience. 802.11 (Wi-Fi) clients choose a network by its SSID (Service Set Identifier), but the SSID is only a name: it does not authenticate the client to the access point, and nothing in basic 802.11 authenticates the access point to the client. It is therefore possible to place a rogue access point into an 802.11 network and use it to hijack the connections of legitimate network users. Only 802.1X/EAP (WPA2/WPA3-Enterprise) with clients configured to validate the authentication server's certificate gives a client a way to verify that it is joining the legitimate network.

War driving: Driving around town looking for insecure wireless hot spots, recording or sniffing the wireless networks found, is known as war driving. Marking buildings that have unsecured wireless networks is called war-chalking. TEMPEST was the name of a classified (secret) U.S. government project to study the susceptibility of computer and telecommunications devices to emit electromagnetic radiation (EMR) in a manner that can be used to reconstruct intelligible data. TEMPEST certification ensures that a building or device is shielded adequately so that EM emissions stay within limits that prevent intruders from recovering the information from outside the building.

Evil twin: An evil twin is the wireless version of phishing (the term phishing is a variant of fishing, because attackers are "fishing" for victims). An evil twin tricks users into connecting to a fake Wi-Fi access point by advertising the SSID of a legitimate wireless network. Users connect to access points by SSID, and a client that has the network saved will reconnect to it automatically; among access points advertising the same SSID, most clients pick the one with the strongest signal. An attacker can therefore deploy an AP near a cyber cafe's Wi-Fi with the same SSID, and if the attacker's AP has the strongest signal, user devices connect to the evil twin. In some cases the evil twin need not provide Internet access at all: it can present a captive portal posing as the Wi-Fi provider and ask for credit card information and/or a login and password.
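Both the rogue access point and the evil twin paragraphs come down to the same fact: an SSID proves nothing, so the check has to be made against what was actually deployed. The added example below (written for these notes, not code from the original page) runs that check over a set of scan results: every beacon carrying one of our SSIDs must come from an authorized BSSID with the configured security type, and near-duplicate SSID names are flagged too. It also shows which BSSID a client that simply prefers the strongest signal would join. The scan results, the inventory and the MAC addresses are constructed; a real run would feed them from a scanner or the WLAN controller.

```python
"""Spot evil twins and rogue access points against an authorized-BSSID inventory.

Added example for these notes, not code from the original page. The scan
results and the inventory below are constructed; a real run would take them
from a scanner such as `iw dev wlan0 scan` or from the WLAN controller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str      # "open", "wpa2-psk", "wpa2-enterprise", ...
    rssi_dbm: int      # closer to 0 = stronger signal


# Assumption: what the WLAN controller says we actually deployed.
AUTHORIZED = {
    "CorpWiFi": {"security": "wpa2-enterprise",
                 "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}},
    "CorpGuest": {"security": "wpa2-psk",
                  "bssids": {"00:11:22:33:44:11"}},
}


def _normalize(ssid):
    """Fold case and drop separators so 'Corp WiFi' and 'corp_wifi' match 'CorpWiFi'."""
    return ssid.casefold().replace(" ", "").replace("_", "").replace("-", "")


def classify(beacons, authorized=AUTHORIZED):
    """Return (beacon, verdict) pairs for every beacon that needs attention."""
    findings = []
    for b in beacons:
        ours = authorized.get(b.ssid)
        if ours is None:
            # Neighbours are normal; only flag look-alikes of our SSIDs.
            for name in authorized:
                if _normalize(b.ssid) == _normalize(name):
                    findings.append((b, f"look-alike of {name!r}"))
            continue
        if b.bssid.lower() not in {x.lower() for x in ours["bssids"]}:
            findings.append((b, "evil twin: our SSID from a BSSID we never deployed"))
        elif b.security != ours["security"]:
            findings.append((b, f"authorized BSSID advertising {b.security!r}, expected "
                                f"{ours['security']!r} (spoofed BSSID or misconfiguration)"))
    return findings


def client_choice(beacons, ssid):
    """BSSID a client that simply prefers the strongest signal would join."""
    candidates = [b for b in beacons if b.ssid == ssid]
    return max(candidates, key=lambda b: b.rssi_dbm).bssid if candidates else None


# Constructed scan results (not a real survey).
SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 36, "wpa2-enterprise", -65),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 44, "wpa2-enterprise", -71),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, "wpa2-enterprise", -40),  # evil twin, loudest
    Beacon("CorpGuest", "00:11:22:33:44:11", 1, "open", -60),            # security downgrade
    Beacon("Corp WiFi", "de:ad:be:ef:00:02", 11, "open", -45),           # look-alike name
    Beacon("NeighbourNet", "aa:bb:cc:dd:ee:ff", 1, "wpa2-psk", -80),     # harmless neighbour
]

if __name__ == "__main__":
    for beacon, verdict in classify(SCAN):
        print(f"{beacon.ssid!r:14} {beacon.bssid} ch{beacon.channel:<3} {beacon.rssi_dbm} dBm: {verdict}")
    print("strongest CorpWiFi BSSID a naive client would join:", client_choice(SCAN, "CorpWiFi"))
```

The evil twin here advertises the same enterprise security as the real network, which is realistic: an attacker can run a fake RADIUS backend and harvest credentials from clients that do not validate the server certificate. The BSSID allowlist catches it anyway, and client_choice shows that, on signal strength alone, it is the AP a client would pick.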

Common DDoS attack types: Some of the most commonly used DDoS attack types include:

UDP Flood: A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets, usually aimed at random ports on the remote host. For each packet to a port with no listening application, the host answers with an ICMP Destination Unreachable message, so the flood consumes host processing and return bandwidth as well as inbound bandwidth.

ICMP (Ping) Flood: Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies.

SYN Flood: A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence, wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood, the requester sends many SYN requests but either does not respond to the host's SYN-ACK or sends the SYNs from spoofed IP addresses that never answer. Either way, the host keeps a half-open connection for each request while it waits for the final ACK, the backlog of half-open connections fills, and no new connections can be accepted, resulting in denial of service. The standard mitigation is SYN cookies, which let the host answer SYNs without keeping any state until the handshake completes.
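To make the half-open-state problem concrete, here is an added example (written for these notes, not code from the original page) of the SYN-cookie defense in the classic style: the server's initial sequence number in the SYN-ACK is a keyed hash of the connection's 4-tuple and a coarse time counter, so nothing is stored for a SYN, and the third-step ACK (whose acknowledgement number must be ISN + 1) is validated by recomputing the hash. The secret key, the addresses and ports, and the flood itself are constructed; the MSS encoding a real stack puts in the cookie is left fixed at zero.

```python
"""SYN cookies: surviving a SYN flood without a per-connection backlog entry.

Added example for these notes, not code from the original page. The secret
key, addresses and ports are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"rotate-me-periodically"   # assumption: per-server secret
WINDOW_SECONDS = 64                   # granularity of the time counter


def _mac24(key, saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def _counter(now):
    """5-bit time counter that advances once per window."""
    return int((time.time() if now is None else now) // WINDOW_SECONDS) & 0x1F


def make_cookie(saddr, daddr, sport, dport, now=None, key=SECRET):
    """ISN to put in the SYN-ACK: 5 bits time counter | 3 bits MSS index | 24-bit MAC.
    The MSS index is fixed at 0 here; a real stack encodes the client's MSS."""
    t = _counter(now)
    mss_index = 0
    return (t << 27) | (mss_index << 24) | _mac24(key, saddr, daddr, sport, dport, t)


def check_cookie(ack_number, saddr, daddr, sport, dport, now=None, key=SECRET):
    """Validate a third-step ACK. True only if ack_number - 1 is a cookie this
    server could have issued for this 4-tuple in the current or previous window."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    t_cookie = isn >> 27
    if (_counter(now) - t_cookie) & 0x1F not in (0, 1):
        return False                     # expired (or never issued) cookie
    expected = _mac24(key, saddr, daddr, sport, dport, t_cookie)
    return hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))


def simulate_flood(n_spoofed=10_000, now=1_700_000_000):
    """Handle n_spoofed SYNs from spoofed sources plus one genuine client.
    Returns (half-open entries stored, genuine ACK accepted, forged ACK accepted)."""
    server = bytes([203, 0, 113, 5])
    half_open = {}                       # never written to: that is the point
    for i in range(n_spoofed):
        spoofed_src = struct.pack("!I", 0x0A000000 + i)   # 10.0.0.0/8, never answers
        make_cookie(spoofed_src, server, 40000, 443, now)  # SYN-ACK sent, nothing kept
    client = bytes([192, 0, 2, 77])
    isn = make_cookie(client, server, 51000, 443, now)     # SYN-ACK to the real client
    genuine_ok = check_cookie(isn + 1, client, server, 51000, 443, now + 3)
    forged_ok = check_cookie(0x12345678, client, server, 51000, 443, now)
    return len(half_open), genuine_ok, forged_ok


if __name__ == "__main__":
    print(simulate_flood())   # (0, True, False)
```

Ten thousand spoofed SYNs leave the half-open table empty, the real client's ACK still validates, and a guessed acknowledgement number does not. The price of the scheme is the one a real stack pays too: the cookie has no room for most TCP options, which is why kernels only switch to cookies once the backlog is full.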

Ping of Death: A ping of death (POD) attack involves the attacker sending a malformed, oversized ping to a computer. The maximum length of an IP packet (including header) is 65,535 bytes, the largest value the 16-bit total length field can hold. However, the Data Link Layer usually limits the frame size, for example to 1,500 bytes over Ethernet, so a large IP packet is split into multiple fragments and the recipient host reassembles the fragments into the complete packet. In a ping of death, the fragment offsets and lengths are manipulated so that the recipient ends up with a packet larger than 65,535 bytes when reassembled. This overflows the memory buffer allocated for the packet, crashing the host or denying service to legitimate packets. Modern stacks check the reassembled length before copying any fragment and discard such packets.
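The following added example (written for these notes, not code from the original page) shows fragmentation and reassembly with the bound check that defeats the ping of death: before a fragment's bytes are copied, offset times 8 plus fragment length plus header is compared against 65,535. The fragment sets are constructed: a normal ping fragmented for a 1,500-byte Ethernet MTU, and the classic oversized ping (65,510 bytes of ICMP data plus the 8-byte ICMP header) whose reassembled size would be 65,538 bytes. Holes and conflicting final fragments are rejected as well, since a reassembler that passes the size check still has to refuse incomplete datagrams.

```python
"""IP fragment reassembly with the length check that defeats ping of death.

Added example for these notes, not code from the original page. Each fragment
is modelled by the three IP-header fields that matter here: the fragment
offset (in 8-byte units), the More Fragments (MF) flag and the payload.
"""
MAX_IP_PACKET = 65535      # 16-bit Total Length field
IP_HEADER_LEN = 20         # assumption: no IP options


class FragmentError(ValueError):
    """Raised when a fragment set must be discarded."""


def fragment(payload, mtu=1500):
    """Split an IP payload the way a sender on a link with this MTU would."""
    chunk = ((mtu - IP_HEADER_LEN) // 8) * 8          # 1480 bytes for Ethernet
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append((start // 8, more, piece))
    return frags


def reassemble(fragments):
    """Return the reassembled payload or raise FragmentError.

    The first check is the one the vulnerable stacks of the 1990s did not make:
    offset * 8 + fragment length + header must fit in 65,535 bytes before any
    byte is copied into the reassembly buffer.
    """
    buf = bytearray()
    spans = {}
    total_len = None
    for offset_units, more, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if end + IP_HEADER_LEN > MAX_IP_PACKET:
            raise FragmentError(
                f"fragment at offset {start} would reassemble to "
                f"{end + IP_HEADER_LEN} bytes, above the {MAX_IP_PACKET} maximum")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if not more:
            if total_len is not None and total_len != end:
                raise FragmentError("conflicting final fragments")
            total_len = end
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = payload
        spans[start] = max(spans.get(start, 0), end)
    if total_len is None:
        raise FragmentError("no final fragment (MF=0) received")
    covered = 0
    for start in sorted(spans):              # is every byte up to total_len present?
        if start > covered:
            raise FragmentError(f"hole before offset {start}")
        covered = max(covered, spans[start])
    if covered > total_len:
        raise FragmentError("data beyond the final fragment")
    return bytes(buf[:total_len])


def rejected(fragments):
    """True if reassemble() discards the fragment set."""
    try:
        reassemble(fragments)
    except FragmentError:
        return True
    return False


if __name__ == "__main__":
    normal = bytes(range(256)) * 15                    # 3,840-byte ICMP echo payload
    print(len(fragment(normal)), "fragments reassemble to",
          len(reassemble(fragment(normal))), "bytes")
    # Classic ping of death: 65,510 bytes of ICMP data + 8-byte ICMP header
    # = 65,518-byte IP payload, 65,538 bytes with the IP header.
    try:
        reassemble(fragment(bytes(65518)))
    except FragmentError as err:
        print("rejected:", err)
```

The 3,840-byte ping becomes three fragments and reassembles cleanly, the 65,518-byte payload is rejected at its last fragment, and a 65,515-byte payload (exactly 65,535 bytes with the header) is the largest that is accepted.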

HTTP Flood: In an HTTP flood DDoS attack, the attacker uses seemingly legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and they need less bandwidth than the other attacks to bring down the targeted site or server, because each request forces the server to do real work (rendering pages, running database queries). Since the packets are valid, detection relies on request rates and patterns per client rather than on packet inspection.
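Because every request in an HTTP flood is well formed, the signal is the rate per client. The added example below (written for these notes, not code from the original page) runs a per-IP sliding-window counter over Common Log Format access log lines and reports any client that exceeds a threshold inside the window. The log lines are generated in the script and are constructed, not real traffic; the 10-second window and the threshold of 30 requests are assumptions to be tuned per site.

```python
"""Sliding-window detection of an HTTP flood in web server access logs.

Added example for these notes, not code from the original page. The log
lines are constructed; the window and threshold values are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line) or None for unparsable lines."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_http_flood(lines, window_seconds=10, threshold=30):
    """Map each offending client IP to the peak request count seen in any window.

    Lines are assumed to be in time order, as a live log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps within the current window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop requests that fell out of the window
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def make_sample_log():
    """Constructed log: one normal browser and one client making 200 requests in 5 s."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(60):                       # a request every 2 s for 2 minutes
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7", "/index.html"))
    for i in range(200):                      # 40 requests/s starting at +30 s
        events.append((base + timedelta(seconds=30, milliseconds=25 * i), "198.51.100.9", "/search?q=x"))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
            for t, ip, path in events]


if __name__ == "__main__":
    for ip, peak in detect_http_flood(make_sample_log()).items():
        print(f"{ip}: {peak} requests within 10 s")
```

The browsing client never has more than six requests in any 10-second window and is never reported; the flooding client is reported with a peak of 200. In production the same logic runs on a stream rather than a list, and the per-IP queues are the only state, so memory stays proportional to the number of active clients.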

Man-in-the-middle (MiTM): A man-in-the-middle (MiTM) attack is a type of cyber attack in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. It is a form of eavesdropping in which the attacker sits in the path of the entire conversation and can read, and also alter, what passes between the two parties. The evil twin above is one way to get into that position; ARP spoofing on a LAN is another.
