Networks are susceptible to many different types of attacks, including the denial of service attacks and eavesdropping attacks discussed in earlier videos. Learn the details of advanced networking attacks, including the Christmas Tree Attack, DNS and ARP poisoning, and typosquatting.
- [Narrator] Networks are susceptible to many different types of attack. In the last video, you saw how eavesdropping attacks might compromise the network to listen in on and tamper with communications. Now let's move on to the details of advanced networking attacks, including the Christmas tree attack, DNS and ARP poisoning, and typosquatting. Packets are the basic unit of network communications. Each time you request a web page, send an email, or transfer other information over the network, it's divided up into small packets of information that are then reassembled at the receiving system.
Packets carry a data payload, but also must include header information. You can think of a packet header as the envelope that carries the data. It includes information like the source and destination addresses. Headers also include flags. These are single-bit fields that contain either a one or a zero. If a flag is set to one, it indicates a special-purpose packet. For example, the SYN flag is used to set up a new connection. The FIN flag is used to tear down a connection.
Other flags are used to acknowledge connections, prioritize data, or conduct network diagnostics. A typical packet has only one or two flags set to a value of one. In a Christmas Tree packet, all of those flags are set to one; it's said to be lit up like a Christmas tree. Why would you do this? Well, some systems crash when they receive a Christmas Tree packet, because they have poorly designed network stacks that can't handle all of those flags being set. It's a denial-of-service attack.
The Christmas Tree packet can also be used to conduct operating system fingerprinting. Different operating systems respond to receiving a Christmas Tree packet in different ways. By analyzing the exact response, attackers can often identify the specific operating system in use on a target server. This is very useful information when conducting pre-attack reconnaissance. Before moving on to the next attack, let's pause for a moment, and talk about the Domain Name Service, or DNS. DNS translates the common names we use on a regular basis, such as Lynda.com, or ND.EDU, to the IP addresses that computers use, such as 188.8.131.52.
DNS uses a hierarchical lookup system, where the initial request goes to a server on the client's network. If that server doesn't already know the answer, it then asks a series of other servers until it finds the one with the correct answer. For example, when looking up www.wikipedia.org, an organization's DNS server first asks the root nameserver. The root nameserver might not know the answer, but can tell the requesting server what nameserver is responsible for the .org top-level domain.
The requester then goes and asks the .org server, which also might not know the answer, but can tell the requester what nameserver is responsible for the wikipedia.org domain. The client then finally asks the server responsible for the wikipedia.org domain and receives the correct IP address for the server located at www.wikipedia.org. DNS poisoning attacks disrupt the normal operation of DNS by providing false results. The attacker inserts incorrect DNS records at any point along that hierarchy and can then redirect traffic to the attacker's system.
The attacker's system contains a web server built to closely resemble the system that the unsuspecting victim expects to visit. When the victim logs onto the attacker's fake system, the attacker captures logon information. In a well-done DNS poisoning attack, the attacker passes the credentials through to the real system and then captures all traffic between the client and server, preventing the victim from noticing the attack. That's a man-in-the-middle attack. The Address Resolution Protocol or ARP performs a function similar to DNS, but deeper down in the network stack.
Instead of translating common domain names to IP addresses, ARP translates IP addresses to the hardware addresses used on local area networks. These hardware addresses are known as Machine Address Code, or MAC addresses. MAC is just an acronym here and has nothing to do with Macintosh computers. Much like DNS poisoning, ARP poisoning is a spoofing technique that provides false information in response to ARP requests. Unlike DNS poisoning, ARP poisoning only works on a local network.
Normally, any system on the network sends all traffic bound for outside the network to a gateway system. When ARP spoofing occurs successfully, the victim system believes that another system is the gateway and sends traffic to it. That system actually belongs to a malicious user engaging in the man-in-the-middle attack. Typosquatting, or URL hijacking, is an attack that depends upon people making simple typing mistakes. It's very cheap to register a domain name. Sometimes it's five bucks or less.
Attackers engaging in typosquatting simply register hundreds of typo variations on official sites. When people incorrectly guess or mistype domain names, they visit the attacker's site instead of the real one. Typosquatting occurred during the 2012 presidential campaign when attackers registered all sorts of variations on the barackobama.com domain, hoping to redirect legitimate traffic. Networking opens a world of communications possibilities for systems, but it also creates significant risk.
Security professionals must understand the various risks associated with networking and understand how to mitigate them. Network engineers should carefully configure devices to protect against attackers gaining control and using them to wage DNS or ARP poisoning attacks.
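The flag handling described in the Christmas Tree section, as an added detection example that is not part of the course: it decodes the flag byte of a raw TCP header and labels any segment with every flag set. The header-building helper and the sample packets are constructed for the demonstration.

```python
# Added example (not part of the course): decode the TCP flag byte and
# report packets that have every flag set, the "Christmas Tree" pattern.
import struct

# Bit values of the TCP flag byte (RFC 793 flags plus the ECN bits).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

def build_tcp_header(sport, dport, flag_byte):
    """Build a constructed 20-byte TCP header for testing (no options, zero checksum)."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flag_byte, 65535, 0, 0)

def tcp_flags(segment):
    """Return the names of the flags set in a raw TCP segment (header at offset 0)."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flag_byte = segment[13]  # byte 13 of the header holds the eight one-bit flags
    return sorted(name for name, bit in TCP_FLAGS.items() if flag_byte & bit)

def classify(segment):
    """Label a segment by its flag combination; a Christmas Tree packet has all flags set."""
    flags = set(tcp_flags(segment))
    if flags == set(TCP_FLAGS):
        return "christmas-tree"
    if flags == {"SYN"}:
        return "connection-setup"
    if "FIN" in flags:
        return "connection-teardown"
    return "normal"

# Constructed sample packets: a SYN, a data segment with PSH+ACK, and an all-flags packet.
SAMPLES = {
    "syn": build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),
    "data": build_tcp_header(40000, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    "xmas": build_tcp_header(40000, 80, 0xFF),
}

if __name__ == "__main__":
    for label, seg in SAMPLES.items():
        print(label, tcp_flags(seg), classify(seg))
```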
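The ARP poisoning scenario above, where a victim is told that an attacker's station is the gateway, as an added monitoring example that is not part of the course: it watches a stream of ARP replies and alerts when the MAC claimed for an IP contradicts a known mapping. The `ArpReply` record, the trusted gateway entry and the sample replies are constructed for the demonstration.

```python
# Added example (not part of the course): flag ARP replies that change the
# MAC address claimed for an IP, the signature of ARP poisoning on a LAN.
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP address the reply claims to answer for
    sender_mac: str  # hardware address offered for that IP

def detect_arp_poisoning(replies, trusted=None):
    """Return (ip, expected_mac, claimed_mac) for every reply that contradicts a known mapping.

    `trusted` is an optional IP -> MAC map (for example the gateway, taken from a
    trusted source); other IPs are learned from the first reply seen as a baseline.
    """
    known = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for reply in replies:
        mac = reply.sender_mac.lower()
        expected = known.get(reply.sender_ip)
        if expected is None:
            known[reply.sender_ip] = mac
        elif expected != mac:
            alerts.append((reply.sender_ip, expected, mac))
    return alerts

# Constructed sample traffic: the real gateway answers, a host answers, then a
# third station claims the gateway's IP with its own MAC.
GATEWAY = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "AA:BB:CC:00:00:01"),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:99"),
]

if __name__ == "__main__":
    for ip, expected, claimed in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY):
        print(f"ALERT {ip}: expected {expected}, reply claimed {claimed}")
```

Static ARP entries for the gateway, or dynamic ARP inspection on managed switches, are the usual controls that make this kind of change visible or impossible.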
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security