To secure a network, it is first necessary to understand its structure and identify the threats against it. Attackers' goals include monitoring or stealing sensitive information while leaving the data itself untouched, altering the data they reach by deleting, encrypting or otherwise damaging it, and demanding ransom on the strength of the information they obtain. Network threats fall into two basic groups:

  • Hardware Threats: Physical damage to network devices or to the areas where they are located. Physical damage to network equipment can disrupt communication within the network, and direct physical access to the devices can lead to data loss.

Excessive heat or humidity where network devices are installed damages electronic components and takes the devices out of service. Likewise, voltage fluctuations, outages and surges can damage equipment and disable devices.

Poor cabling, worn cables, neglected or dusty cabinet environments and unlabeled cables all cause network devices to become unreachable. This is especially common during a new installation or assembly phase. Such conditions make problems hard to diagnose, cause data outages, and cost teams overtime.

  • Virtual Threats: Cyber attacks, software vulnerabilities and misuse are threats that affect network devices without physical contact.

Today the biggest target of attacks is the users and network administrators who are part of the network. Malicious software, known as malware or spyware, targets network layers and users in order to leak data out of systems. Virtual threats can also be examined layer by layer through the OSI model, which provides the basic working principle of network communication.

Attacks in OSI Layers
[Figure: Phishing]
  • Phishing Attacks: The attacker sends users messages or e-mails claiming, for example, that they have won a gift, been entered into a raffle, are being offered a service, or must change their password. The messages appear to come from a real or official institution. The attacker's aim is to get the fake address, fake sender or fake message past the user unnoticed and so capture personal information such as system addresses, usernames and passwords, account numbers and credit card details. It is also a common form of fraud today, especially on social media. Raising user awareness, not sharing personal data, and not opening (or simply ignoring) messages from senders whose reliability is not certain cause such attacks to fail. No address contained in the received message should be visited, and addresses that are unknown or suspicious to the network security teams should be classified as spam and examined by the relevant network security devices under the supervision of the network management team.

Layer 7 is one of the points where users or applications are targeted.

[Figure: Buffer Overflow]
  • Buffer Overflow Attacks: A buffer is the memory area in which data received from a user is held before it is processed. The attack consists of supplying more data than the buffer was sized for. When the buffer overflows, the data held in the adjacent memory is affected and processing breaks down: the original contents of the buffer no longer let the process move to the next stage, and the system stops operating correctly. In addition, by inserting code into the overflowing data, the attacker can damage the system or gain access to it as an authorized user.
  • SQL Injection Attacks: SQL injection is an attack technique that targets database-backed applications by interfering, from outside, with the SQL queries they build. A successful attack lets the attacker manipulate the queries the application sends to its database, and so reach the data of the application's users within the network or any other data the application can access.
  • DDoS Attacks: One of the most popular DDoS attacks carried out on Layer 7 is the HTTP flood. It aims to overwhelm the web server and cause denial of service by continuously generating HTTP requests from many computers at the same time, so that access to the targeted organization's website or related resources is blocked, interrupted or slowed down. Thousands of widely separated computers, called zombies, are used to carry out the attack; the virtual network these zombie computers form is called a 'botnet'.
[Figure: DDoS Attack]
  • Zero-Day Attacks: These attacks exploit software or hardware flaws containing vulnerabilities that were previously unknown or undetected in the affected applications or systems. They are hard to detect before the vendor has had the chance to patch the vulnerability with an update, and often until the attack has already taken place. Attackers take advantage of this window: once they find such a vulnerability they can leak data until network administrators take precautions.
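The SQL injection item above describes the attacker interfering with the queries an application builds. The following added example (written for this page, not code from the original article) shows the defect and its fix side by side: a query built by string concatenation against a constructed in-memory SQLite table, next to the parameterized form in which the driver keeps the input out of the SQL text. The table, rows and the `lookup_*` function names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
conn.executemany(
    "INSERT INTO users (name, secret) VALUES (?, ?)",
    [("alice", "alice-data"), ("bob", "bob-data")],
)


def lookup_vulnerable(name: str) -> list:
    """Query built by string concatenation: user input is parsed as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(name: str) -> list:
    """Parameterized query: the driver passes the value separately from the SQL
    text, so the input can only ever be compared as a literal string."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]
```

With the constructed input `' OR '1'='1`, the concatenated query returns every row of the table, while the parameterized query returns nothing because no user is literally named that; the same parameter binding is available in every mainstream database driver.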
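The HTTP flood item above describes many hosts generating requests at once. The added example below (not part of the original article) is a simple detector a defender could run over web-server access logs: it parses Common Log Format lines and keeps a sliding window of request timestamps per client IP, flagging any source that exceeds a threshold inside the window. The sample log lines are constructed, with reserved documentation addresses, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client-ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def flood_sources(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Sliding-window rate check per client IP.

    Returns {ip: peak requests seen inside one window} for every IP that
    exceeds `threshold` requests within `window_seconds`. Lines for each IP
    are assumed to be in time order, as they are in a server access log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines rather than crash the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def constructed_log() -> list:
    """Constructed sample log: one normal client and one flooding source."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):            # 198.51.100.4: three requests over a minute
        t = (base + timedelta(seconds=20 * i)).strftime(TS_FORMAT)
        lines.append(f'198.51.100.4 - - [{t}] "GET /index.html HTTP/1.1" 200 1024')
    for i in range(80):           # 203.0.113.7: eighty requests within eight seconds
        t = (base + timedelta(milliseconds=100 * i)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.7 - - [{t}] "GET / HTTP/1.1" 200 512')
    lines.append("garbage line that does not match the format")
    return lines


if __name__ == "__main__":
    print(flood_sources(constructed_log()))   # {'203.0.113.7': 80}
```

A per-source count like this is a starting point, not a complete defense: a botnet spreads the load across thousands of addresses so that each one stays under the threshold, which is why production mitigations also look at aggregate request rate, request patterns and geographic distribution.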

Attacks carried out on Layer 6 target the technologies between the session and the application. Encryption and decryption of the data exchanged is also performed at the presentation layer.

  • XSS Attacks: Cross-site scripting is a code injection attack that does its damage through the web browser on the user's device. When a malicious URL crafted by the attacker is opened, scripting languages (VBScript, JavaScript, etc.) are executed in the user's web browser. Unlike other attack types such as SQL injection, the application itself is not the direct target of an XSS attack. The injected script can arrive through advertisements on websites the user visits, in e-mail contents, in links sent by the attacker, or in fake forms placed at the malicious URL. If the user holds privileged access or authority within the application, the attacker gains full control over the entire functionality of the application and the data it holds. Because of the amount of information the browser stores, the attack enables data leakage by stealing cookie data, obtaining session information, and redirecting the page to another page. There is more than one type of XSS attack. The most widely known prevention method is applying a Content Security Policy (CSP), which detects and helps reduce XSS and some other types of attack.
  • Decryption Attacks: This type of attack generally works by recovering network passwords with specialized password-cracking software. Once the encryption algorithm in use is identified, the attack is directed at breaking that algorithm. Injecting fake encrypted messages into the network by various methods can be used to confirm the correct encryption. This makes it easier to reach the content of decrypted packets and to leak data. The most frequently used countermeasure is to create a dynamic encryption chain using security protocols such as WEP or WPA2.
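The XSS item above names output escaping and a Content Security Policy as the defenses. The added example below (written for this page, not the article's own code) contrasts a page fragment that interpolates an untrusted comment directly into HTML with one that escapes it, and attaches a CSP header to the response. The comment-rendering functions and the policy value are assumptions chosen for the example; the policy shown is a restrictive starting point, not a policy the article prescribes.

```python
import html

# Constructed CSP: scripts only from the site's own origin, no inline script,
# no plugin content, and no <base> tag manipulation. An assumption for this example.
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates untrusted text straight into HTML: attacker markup is emitted as-is."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """Escapes the untrusted text so the browser displays it instead of parsing it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def build_response(comment: str) -> tuple:
    """Return (headers, body) for a page showing one comment, with CSP applied."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_VALUE,
    }
    return headers, render_comment(comment)
```

Escaping addresses the injection at the point where untrusted data meets HTML; the CSP header is the second layer the article refers to, so that even a script that slips through is not executed unless it comes from an allowed origin.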

In attacks carried out on Layer 5, the communication session itself is targeted.

[Figure: Man in the Middle Attack]
  • Man in the Middle Attacks: The attacker positions himself between the communicating source and target. Although the communication appears to go directly from source to target, the data actually passes through the intervening attacker. These attacks are hard to detect because the communication between source and target continues without disruption and the session stays alive. The transmitted data can be altered, or an endpoint convincingly impersonated, without any break in communication that would reveal the data leakage.
  • Access Control Attacks: These attacks depend on the privileges that the user or network administrator holds in the session over which communication takes place, or on the infrastructure of the application in use. Allowing API access from unauthorized or untrusted sources, weak passwords set for system access or chosen by users, transferring files over insecure sessions, recording sessions in cleartext, lack of control over systems, and loose user or administrator authorizations are all problems of this kind, and they make such attacks possible. The result is unauthorized disclosure, modification or destruction of data. These attacks can be prevented by granting session access only to specific capabilities, roles or users, and by encrypting communication at the application. For example, choosing the SSH protocol instead of telnet and applying limited authorizations to the user who will access the system are precautions of this kind.

Attacks carried out on Layer 4 target a protocol or a port.

  • DNS Poisoning Attacks: Devices keep a DNS cache that stores the results of DNS requests. The names and IP addresses of the servers most recently queried are kept here until their TTL periods expire, the main purpose being to answer repeated queries much faster. In these attacks, the attacker answers users' DNS queries with a different domain name or IP address, so that users are directed to an address other than the original.
[Figure: DNS Poisoning Attack]
  • Port Scanning Attacks: A common technique attackers use to discover vulnerabilities on a network. It actively detects the ports that devices or users use to reach systems; the vulnerabilities of the protocols or applications behind the detected ports are then targeted. Nmap, which can perform these scans, is one of the most frequently used port scanning tools.
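The DNS poisoning item above describes a forged answer being accepted into a cache and kept until its TTL expires. The added example below (not from the original article) is a toy stub resolver that shows the checks a resolver uses to reject such answers: it records each outgoing query's random transaction ID and source port, accepts a response only when ID, port and queried name all match an outstanding query, and expires cached records by TTL. The classes, the clock injection and the addresses are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Query:
    txid: int        # 16-bit transaction ID, chosen at random per query
    qname: str
    src_port: int    # randomized source port the query leaves from


@dataclass
class Response:
    txid: int
    qname: str
    dst_port: int    # must equal the source port the matching query used
    answer: str
    ttl: int


class Resolver:
    """Toy stub resolver with a TTL cache and strict response matching (constructed)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}      # qname -> (answer, expires_at)
        self.pending = {}    # (txid, src_port) -> qname of an outstanding query

    def lookup(self, qname: str):
        """Return the cached answer, or None if absent or expired."""
        entry = self.cache.get(qname)
        if entry is None:
            return None
        answer, expires_at = entry
        if expires_at <= self.clock():
            del self.cache[qname]   # TTL elapsed: drop the record
            return None
        return answer

    def send_query(self, qname: str) -> Query:
        """Emit a query with a random txid and random source port, and remember it."""
        q = Query(secrets.randbelow(1 << 16), qname, 1024 + secrets.randbelow(64512))
        self.pending[(q.txid, q.src_port)] = qname
        return q

    def receive(self, r: Response) -> bool:
        """Accept a response only if txid, port and name match an outstanding query."""
        key = (r.txid, r.dst_port)
        if self.pending.get(key) != r.qname:
            return False           # unsolicited or mismatched: discard, never cache
        del self.pending[key]
        self.cache[r.qname] = (r.answer, self.clock() + r.ttl)
        return True
```

Transaction ID and source port randomization raise the cost of guessing a matching forgery; DNSSEC validation, which this toy omits, is the cryptographic answer to the same problem.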

Attacks carried out on Layer 3 target IP addresses and redirection.

  • DDoS Attacks: One of the most popular DDoS attacks at this layer is the ICMP flood. It aims to overwhelm the target and cause denial of service by constantly generating ping requests from many computers at the same time, so that access to the targeted resources becomes difficult, interrupted or slow. Thousands of widely separated computers, called zombies, are used to carry out the attack; the virtual network these zombie computers form is called a 'botnet'.
  • IP Spoofing Attacks: Similar to the Man in the Middle attack, the attacker intervenes in the communication, poses as the user, and collects the responses to the packets the user sent. By presenting his own IP address as the source IP when sending a packet to the destination, he gains the opportunity to capture and read the packets returned in response over the network. In such cases traffic may be intercepted in the clear, and a high rate of data loss may also occur. When the attack is carried out over the internet, the attacker halts the handshake before the third stage of the TCP exchange, exploiting weaknesses in the protocol. After the interception, the attacker sends a fake acknowledgement containing the spoofed IP address. When the receiver starts transferring data believing it is connected to the real sender, it does not realize it is paired with a fake IP, and data is lost.
[Figure: IP Spoofing Attack]

Layer 2 is defined as the weakest point with respect to attacks. Some of the attacks that can be performed on Layer 2 are summarized below to give an idea.

  • MAC Table Attacks: The MAC table can be filled by sending thousands of MAC requests per second to the network device. On the switches in use today the MAC table can hold 8000 MAC address records. When the table is full, a FIFO algorithm applies: the addresses written first are deleted and new records take their place. With this attack the MAC addresses of real users are therefore pushed out of the table and their access is blocked.
  • VLAN Attacks: By activating and imitating the Dynamic Trunking Protocol (DTP), an attacker can make data sent to the switches hop between different VLANs or send traffic to any VLAN. DTP is the protocol by which switches, through DTP messages exchanged between them, configure the port they are connected on as a trunk port. In another VLAN attack, a double VLAN tag is added to the frame header: the outer tag is stripped during forwarding, and the inner tag then takes effect when the frame is broadcast.
  • DHCP Attacks: In a network that uses DHCP, a starvation attack is directed at the DHCP server. Under the flood of requests the resources in the server's address pool are exhausted, and devices on the targeted network are kept busy; the result is a DoS attack against users trying to join the network. In a spoofing attack, fake IP, default gateway and server addresses are handed out to devices, and users are directed to the fake server. The attacker can then set his own machine as the default gateway and monitor the traffic. With DHCP Snooping, which specifies the trusted ports and the source address of the trusted DHCP server, these attacks can be prevented in most cases.
  • ARP Attacks: There are several types of ARP attack: the attacker can present himself as an ARP source, attack the ARP table directly, or present himself as the target, as in Man in the Middle or IP spoofing attacks. The attacker uses the target IP address to which packets will be sent as if it were his own, and constantly sends ARP requests to find the MAC addresses of the users. All ARP requests on the network are thereby drawn to the attacker, a scenario similar to the MAC table attack. The attacker poses as the real target by getting between the real target and the user, and can read the data once the ARP entry is recorded. ARP attacks can be prevented with Port Security or Dynamic ARP Inspection.
  • STP Attacks: By interfering with STP priorities to trigger a topology change, and because STP is active on the network, the attacker can redirect the entire flow of traffic and capture data.
  • CDP Attacks: CDP messages contain detailed information about the network (native VLAN, IP information, IOS version, etc.). Capturing unrestricted or unencrypted CDP messages therefore makes it easier to identify possible attacks.
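The MAC table item above describes FIFO eviction once the table fills, and the ARP item names Port Security as a countermeasure. The added example below (written for this page, not the article's own code) simulates a switch MAC table with a configurable capacity and FIFO eviction, then adds a per-port learning limit in the style of port security, and shows that without the limit a burst of bogus addresses evicts the legitimate hosts while with it the bogus learns are rejected. The capacity, host list and bogus MAC pattern are constructed assumptions; the 8000-entry figure from the article is kept as the class default.

```python
from collections import OrderedDict


class MacTable:
    """Toy switch MAC (CAM) table with FIFO eviction and optional port security (constructed)."""

    def __init__(self, capacity: int = 8000, port_limit=None):
        self.capacity = capacity
        self.port_limit = port_limit        # max MACs allowed per port, None = unlimited
        self.table = OrderedDict()          # mac -> port; insertion order gives FIFO age
        self.violations = {}                # port -> number of rejected learns

    def count_on(self, port: int) -> int:
        return sum(1 for p in self.table.values() if p == port)

    def learn(self, mac: str, port: int) -> bool:
        """Learn a source MAC seen on a port. Returns False if port security rejects it."""
        if mac in self.table:
            return True                     # already known, nothing to add
        if self.port_limit is not None and self.count_on(port) >= self.port_limit:
            self.violations[port] = self.violations.get(port, 0) + 1
            return False                    # port-security violation: do not learn
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # table full: FIFO drops the oldest entry
        self.table[mac] = port
        return True

    def lookup(self, mac: str):
        return self.table.get(mac)


LEGIT_HOSTS = {                             # constructed sample hosts on access ports
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 2,
    "00:11:22:33:44:03": 3,
}


def simulate_flood(capacity: int = 100, bogus: int = 150, port_limit=None) -> dict:
    """Legitimate hosts learn first; then `bogus` made-up MACs arrive on port 24."""
    t = MacTable(capacity, port_limit)
    for mac, port in LEGIT_HOSTS.items():
        t.learn(mac, port)
    for i in range(bogus):
        t.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", 24)
    retained = sum(1 for mac in LEGIT_HOSTS if t.lookup(mac) is not None)
    return {
        "legit_retained": retained,
        "table_size": len(t.table),
        "violations_on_port_24": t.violations.get(24, 0),
    }
```

The `violations` counter is the signal to watch: a real switch raises a port-security violation event or shuts the port down, and a spike in such events on an access port is how this attack shows up in monitoring.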
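The DHCP item above names DHCP Snooping (trusted ports and a trusted server) as the defense, and the ARP item names Dynamic ARP Inspection. The two work together, so the added example below (not from the original article) covers both: a toy switch drops DHCP server messages that arrive on untrusted ports, builds a binding table of MAC, IP and port from the real server's acknowledgements, and then uses that table to drop ARP packets whose sender MAC, IP and ingress port do not match a binding. The packet classes, port numbers and addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class DhcpPacket:
    msg_type: str        # DISCOVER / REQUEST from clients; OFFER / ACK / NAK from servers
    ingress_port: int
    client_mac: str
    yiaddr: str = ""     # address assigned in OFFER / ACK


@dataclass
class ArpPacket:
    ingress_port: int
    sender_mac: str
    sender_ip: str


class SnoopingSwitch:
    """Toy switch applying DHCP snooping and Dynamic ARP Inspection (constructed)."""
    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
    CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the legitimate DHCP server
        self.client_port = {}               # client_mac -> port its DISCOVER/REQUEST came from
        self.bindings = {}                  # client_mac -> (ip, port): the snooping binding table
        self.dropped = []                   # (kind, port, reason) for every dropped packet

    def handle_dhcp(self, pkt: DhcpPacket) -> bool:
        """Forward client messages; forward server messages only from trusted ports."""
        if pkt.msg_type in self.SERVER_MESSAGES and pkt.ingress_port not in self.trusted:
            self.dropped.append(("dhcp", pkt.ingress_port, "server message on untrusted port"))
            return False
        if pkt.msg_type in self.CLIENT_MESSAGES:
            self.client_port[pkt.client_mac] = pkt.ingress_port
        elif pkt.msg_type == "ACK" and pkt.client_mac in self.client_port:
            # A trusted ACK completes the lease: record MAC, assigned IP and client port.
            self.bindings[pkt.client_mac] = (pkt.yiaddr, self.client_port[pkt.client_mac])
        return True

    def handle_arp(self, pkt: ArpPacket) -> bool:
        """DAI: forward ARP from trusted ports, or when sender MAC, IP and port match a binding."""
        if pkt.ingress_port in self.trusted:
            return True
        if self.bindings.get(pkt.sender_mac) == (pkt.sender_ip, pkt.ingress_port):
            return True
        self.dropped.append(("arp", pkt.ingress_port, "no matching DHCP binding"))
        return False


def demo() -> dict:
    """Walk one client through DHCP, a rogue OFFER, and both valid and spoofed ARP (constructed)."""
    sw = SnoopingSwitch(trusted_ports=[1])
    client = "00:11:22:33:44:55"
    results = {}
    sw.handle_dhcp(DhcpPacket("DISCOVER", 5, client))
    results["rogue_offer"] = sw.handle_dhcp(DhcpPacket("OFFER", 7, client, "10.0.0.99"))
    results["real_ack"] = sw.handle_dhcp(DhcpPacket("ACK", 1, client, "10.0.0.20"))
    results["good_arp"] = sw.handle_arp(ArpPacket(5, client, "10.0.0.20"))
    results["gateway_spoof"] = sw.handle_arp(ArpPacket(9, "de:ad:be:ef:00:01", "10.0.0.1"))
    results["client_spoofs_gateway"] = sw.handle_arp(ArpPacket(5, client, "10.0.0.1"))
    results["drops"] = len(sw.dropped)
    return results
```

The binding table is the shared piece: snooping fills it from trusted server replies, and inspection consults it for every ARP packet from an untrusted port, which is why enabling DAI without DHCP snooping (or without static bindings for hosts that do not use DHCP) blocks legitimate traffic.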

Attacks carried out on Layer 1 generally target physical environments.

  • Traffic Eavesdropping Attacks: In wired environments these are carried out by capturing the signaling on the cable; otherwise by capturing data transmitted over physical media such as wireless signals. Installing an application such as Wireshark to capture raw traffic and make it traceable is an example of this type of attack. The captured packets are analyzed and data leakage occurs.

To ensure network security, the first step is to make sure the physical environment where the equipment is located is suitable and that the devices are physically protected. Once device protection and operating conditions are in order, users within the network must be trained so that communication stays healthy. End devices such as computers, tablets and phones are the points that are always exposed to attack, so they should be used consciously and cautiously, especially during e-mail and web browsing.

With the precautions taken by network security teams at the points users overlook, both the network structure and user data can be protected from attack. The most frequently used technologies for securing users on end devices can be summarized as NAC, SSL and WSA-WAP combinations.
