Networks are susceptible to many different types of attacks, including the denial of service attacks and eavesdropping attacks discussed in earlier videos. In this video, learn the details of advanced networking attacks, including the Christmas Tree Attack, DNS and ARP poisoning, domain hijacking, and typosquatting.
- [Instructor] Networks are susceptible to many different types of attack. In the last video, you saw how eavesdropping attacks might compromise the network, to listen in on and tamper with communications. Now, let's move on to the details of advanced networking attacks, including the Christmas tree attack, DNS and ARP poisoning, and typosquatting. Packets are the basic unit of network communications. Each time you request a web page, send an email, or transfer other information over the network, it's divided up into small packets of information that are then reassembled at the receiving system.
Packets carry a data payload, but also must include header information. You can think of a packet header as the envelope that carries the data. It includes information like the source and destination addresses. Headers also include flags. These are single-bit fields that contain either a one or a zero. If a flag is set to one, it indicates a special-purpose packet. For example, the SYN flag is used to set up a new connection. The FIN flag is used to tear down a connection.
Other flags are used to acknowledge connections, prioritize data, or conduct network diagnostics. A typical packet has only one or two flags set to a value of one. In the Christmas tree packet, all of those flags are set to one. It's said to be lit up like a Christmas tree. Why would you do this? Well, some systems crash when they receive a Christmas tree packet because they have poorly designed network stacks that can't handle all of those flags being set. It's a denial of service attack.
The Christmas tree packet can also be used to conduct operating system fingerprinting. Different operating systems respond to receiving a Christmas tree packet in different ways. By analyzing the exact response, attackers can often identify the specific operating system in use on a target server. This is very useful information when conducting pre-attack reconnaissance. Before moving on to the next attack, let's pause for a moment and talk about the domain name service, or DNS. DNS translates the common names we use on a regular basis, such as lynda.com, or nd.edu, to the IP addresses that computers use, such as 18.104.22.168.
DNS uses a hierarchical lookup system, where the initial request goes to a server on the client's network. If that server doesn't already know the answer, it then asks a series of other servers until it finds the one with the correct answer. For example, when looking up www.wikipedia.org, an organization's DNS server first asks the root name server. The root name server might not know the answer, but can tell the requesting server what name server is responsible for the dot org top level domain.
The requester then goes and asks the dot org server, who also might not know the answer, but can tell the requester what name server is responsible for the Wikipedia.org domain. The client then finally asks the server responsible for the Wikipedia.org domain, and receives the correct IP address for the server located at www.wikipedia.org. DNS poisoning attacks disrupt the normal operation of DNS by providing false results. The attacker inserts incorrect DNS records at any point along that hierarchy, and can then redirect traffic to the attacker's system.
The attacker's system contains a web server built to closely resemble the system that the unsuspecting victim expects to visit. When the victim logs on to the attacker's fake system, the attacker captures logon information. In a well-done DNS poisoning attack, the attacker passes the credentials through to the real system, and then captures all traffic between the client and server, preventing the victim from noticing the attack. That's a man-in-the-middle attack. The address resolution protocol, or ARP, performs a function similar to DNS, but deeper down in the network stack.
Instead of translating common domain names to IP addresses, ARP translates IP addresses to the hardware addresses used on local area networks. These hardware addresses are known as machine address code, or MAC addresses. MAC is just an acronym here, and has nothing to do with Macintosh computers. Much like DNS poisoning, ARP poisoning is a spoofing technique that provides false information in response to ARP requests. Unlike DNS poisoning, ARP poisoning only works on a local network.
Normally, any system on the network sends all traffic bound for outside the network to a gateway system. When ARP spoofing occurs successfully, the victim system believes that another system is the gateway, and sends traffic to it. That system actually belongs to a malicious user engaging in a man-in-the-middle attack. Typosquatting, or URL hijacking, is an attack that depends upon people making simple typing mistakes. It's very cheap to register a domain name. Sometimes it's five bucks or less.
Attackers engaging in typosquatting simply register hundreds of typo variations on official sites. When people incorrectly guess or mistype domain names, they visit the attacker's site instead of the real one. Typosquatting occurred during the 2012 presidential campaign, when attackers registered all sorts of variations on the barackobama.com domain, hoping to redirect legitimate traffic. Domain hijacking attacks go a step further, when attackers attempt to steal a legitimate domain.
They may do this by contacting the domain registrar, and attempting to illegitimately transfer actual ownership of the domain to themselves, or they may conduct a DNS attack that changes the legitimate site's DNS records. Networking opens a world of communications possibilities for systems, but it also creates significant risk. Security professionals must understand the various risks associated with networking, and understand how to mitigate them. Network engineers should carefully configure devices to protect against attackers gaining control, and using them to wage DNS or ARP poisoning attacks.
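As an added illustration (not code from the video or its author), here is a small Python script with two defender-side checks for attacks described above: a test for the all-flags-set TCP flags byte of a Christmas tree packet, and an arpwatch-style check that alerts when an IP address, such as the gateway, suddenly answers ARP with a different MAC. The flag values and ARP replies are constructed sample data.

```python
# Added example, not from the video. Packet and ARP data below are constructed.

# TCP flag bits as laid out in the flags byte of the TCP header (RFC 793 order)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def set_flags(flag_byte: int) -> set:
    """Return the names of the flags whose bit is set in a TCP flags byte."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def is_christmas_tree(flag_byte: int) -> bool:
    """A Christmas tree packet has every flag lit; a normal packet has one or two."""
    return set_flags(flag_byte) == set(TCP_FLAGS)


# Constructed ARP replies as (sender IP, sender MAC), in the order a sniffer would see them.
ARP_REPLIES = [
    ("192.0.2.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("192.0.2.10", "aa:bb:cc:00:00:10"),  # an ordinary host
    ("192.0.2.1", "aa:bb:cc:00:00:01"),   # repeat with the same MAC: benign
    ("192.0.2.1", "de:ad:be:ef:00:99"),   # gateway IP now claims a new MAC: suspicious
]


def detect_arp_spoof(replies):
    """Remember the first MAC seen for each IP and report any reply that changes it.

    On a stable LAN an IP's MAC rarely changes, so a second MAC for the gateway
    address is the signature of ARP poisoning. Returns (ip, old_mac, new_mac) alerts.
    """
    seen = {}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip not in seen:
            seen[ip] = mac
        elif seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
    return alerts


if __name__ == "__main__":
    print(is_christmas_tree(0x3F), is_christmas_tree(0x12))  # True False
    for ip, old, new in detect_arp_spoof(ARP_REPLIES):
        print(f"ALERT: {ip} changed from {old} to {new}")
```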