
Network Security

Denial-of-Service (DoS)

Purposeful attack on a network or resource to prevent legitimate access.

Distributed Denial of Service (DDoS) = similar to DoS, but it uses many sources (zombies, whose owners are often unaware)
Symptoms: network unavailable, abnormally slow connectivity, IP-based services unavailable
Effects: financial loss, loss of customers, network disabled and therefore the organization disabled

10.2 DoS Techniques
– SYN Flooding: use of spoofed sources → server connection table maxed out → server cannot accept new connections
– Service Request Floods: use of valid sources → create many connections to a service
– Application Level DoS: DoS against an application by exploiting a vulnerability
– Bandwidth Overload: a distributed system of computers (attackers) exhausts the available bandwidth
– ICMP Flooding: many ICMP requests
– Permanent DoS: a.k.a. Phlashing; intent: permanently disable the service

10.3 Botnet
Network of compromised hosts running software that automates tasks through remote Command & Control (C&C).

10.4 DoS Attack Tools
– PHP DoS (DDoS Script written in PHP)
– XOIC (website DoS)
– DDOSIM (Linux tool)
– LOIC (Low Orbit Ion Cannon)
– HULK (HTTP Unbearable Load King)
– Tor’s Hammer (HTTP DoS, it anonymizes the source)

10.5 Detection and Countermeasures
Detection methods:
– Activity profiling → monitoring solution (baseline the normal traffic, flag deviations)
– Wavelet-based Signal Analysis → detect unknown anomalies
Countermeasure strategies:

  • Protect “zombies”
  • Neutralize Handlers
  • Detect Potential Attacks
  • Deflect Attack (honeypots)
  • Mitigate Attacks (bandwidth increase during the attack)

– Forensics (after the DoS)
– Protect devices from botnets
– Perimeter Security
– Contact ISP
– Hardware (several vendors offer DDoS mitigation appliances)
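An added example (not part of the original notes) of the activity-profiling detection above applied to SYN flooding: it reads a constructed connection log, counts SYNs per destination and time window, and flags windows where almost no handshake is completed, which is what spoofed sources produce. The log format and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample connection log (not from the original notes), one client
# TCP segment per line: "<second> <src_ip> -> <dst_ip>:<dst_port> <flag>".
SAMPLE_LOG = """\
1 10.0.0.5 -> 192.0.2.10:443 SYN
1 10.0.0.5 -> 192.0.2.10:443 ACK
7 203.0.113.1 -> 192.0.2.10:443 SYN
7 203.0.113.2 -> 192.0.2.10:443 SYN
7 203.0.113.3 -> 192.0.2.10:443 SYN
7 203.0.113.4 -> 192.0.2.10:443 SYN
8 203.0.113.5 -> 192.0.2.10:443 SYN
8 203.0.113.6 -> 192.0.2.10:443 SYN
8 10.0.0.7 -> 192.0.2.10:443 SYN
8 10.0.0.7 -> 192.0.2.10:443 ACK
"""

def parse_segments(log):
    """Yield (second, src, dst, flag) from the log text."""
    for line in log.splitlines():
        if line.strip():
            second, src, _, dst, flag = line.split()
            yield int(second), src, dst, flag

def half_open_profile(log, window=5):
    """Activity profile per (dst, window_start): how many SYNs arrived and
    how many were never completed by the client's final ACK (half-open)."""
    pending, syns = set(), defaultdict(int)
    for second, src, dst, flag in parse_segments(log):
        bucket = (dst, second - second % window)
        if flag == "SYN":
            pending.add((src, bucket))
            syns[bucket] += 1
        elif flag == "ACK":
            pending.discard((src, bucket))
    half_open = defaultdict(int)
    for _, bucket in pending:
        half_open[bucket] += 1
    return {b: (syns[b], half_open[b]) for b in syns}

def flag_syn_flood(log, window=5, min_syns=5, max_completion=0.5):
    """Flag buckets with a high SYN count and a low handshake-completion
    ratio: spoofed sources never send the final ACK. Returns
    [(dst, window_start, syn_count, half_open), ...]."""
    alerts = []
    for (dst, start), (total, half) in half_open_profile(log, window).items():
        if total >= min_syns and (total - half) / total <= max_completion:
            alerts.append((dst, start, total, half))
    return alerts
```

The thresholds are deliberately low for the small sample; in practice they come from the baseline that activity profiling builds over normal traffic.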

10.6 DoS Protection Tools
– DDoSDefend
– DOSarrest
– FortGuard DDoS Firewall
– Anti-DDoS Guardian
– DefensePro
– WanGuard

Session Hijacking

The purpose of session hijacking is to compromise a valid session between a client and a server (also called TCP session hijacking).
There are many techniques for hijacking: brute force, application level hijacking, MiTM, predict session ID, session ID replay, reset, blind injection.
These techniques are classified as:
– ACTIVE: the hacker takes over the session; the victim is then “frozen” and knows something is wrong;
– PASSIVE: the hacker just watches; the session is recorded and the victim is unaware of the attack.
These attack techniques are Application-based or Network-based.

11.3 Application level session hijacking
Session IDs are alphanumeric strings (which should be randomly generated) used to maintain a stateful connection. They are typically stored in cookies, in URLs or in hidden form fields. When an ID is compromised, the attacker can take over the session.

SESSION REPLAY → reusing a captured valid session ID to impersonate the client

SESSION PREDICTING → the attacker watches IDs looking for patterns and then tries to predict the next one (that is why they should be randomly generated). A variation of this attack is brute force: trying many session IDs.

SESSION FIXATION → the attacker establishes a session with the server and tries to get the victim to use that same session. In this way the client’s authenticated traffic runs inside a session the attacker already knows.
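An added example (not from the original notes) of the server-side defences against the three attacks above: a hypothetical session store that issues unpredictable IDs, rotates the ID on login (fixation) and invalidates it on logout (replay), plus an audit check that flags sequential IDs of the kind session predicting relies on. SessionStore and looks_sequential are illustrative names, not any framework's API.

```python
import secrets

class SessionStore:
    """Hypothetical server-side session store (not any framework's API).
    Defences: unpredictable IDs, a fresh ID on login (against fixation),
    server-side invalidation on logout (against replay of an old ID)."""

    def __init__(self):
        self.sessions = {}          # session_id -> {"user": str | None}

    def new_session(self):
        # 32 bytes from the OS CSPRNG: no pattern for an attacker to predict.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the ID: an ID planted by the attacker
        (fixation) or sniffed before login never becomes an authenticated one."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def logout(self, sid):
        # Invalidate server-side so a replayed ID no longer resolves to a user.
        self.sessions.pop(sid, None)

def looks_sequential(ids):
    """Audit check for weak IDs: True when integer-valued IDs advance by a
    constant step, the pattern a session-predicting attacker looks for."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1
```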

MAN-IN-THE-MIDDLE attacks (11.4) → the attacker sits between the client and the server, forcing all the traffic through them. Man-in-the-Browser is a variation: the malicious entity is not a separate system but a client-side program used for capturing data or inserting scripts into web pages.

CROSS-SITE ATTACKS (11.5) → in this category we find:

  • Cross-Site Scripting (XSS): exploiting a valid existing session to inject malicious scripts on the client side
  • Cross-Site Request Forgery (CSRF): similar to the previous, but it exploits the existing session to carry out requests issued by a third party

11.6 Network Level Hijacking

TCP/IP hijacking happens after the second message of the 3-way handshake (SYN/ACK carrying the server’s ISN): the attacker sends the 3rd message to the server instead of the client.
RESET or RST hijacking → an RST packet is sent from the server to the client to reset the connection: the attacker can send this packet to the client, who then re-authenticates, but with the attacker.
Other attacks on TCP/IP:

UDP hijacking → UDP is connectionless and UDP requests can contain DNS queries. If the attacker wins the race against the server to respond to a UDP request, they can also answer a DNS query with a fake web server.

11.7 Session Hijacking Tools

SURF JACK → hijacks HTTP connections to steal cookies (works on both Ethernet and Wi-Fi)
COOKIE CATCHER → for Cross-Site Scripting
FIRESHEEP → HTTP session hijacking
WHATSUP GOLD ENGINEER TOOL → a network diagnostic tool
ZAPROXY → a penetration testing tool that searches for vulnerabilities in web applications

Additional tools:

11.8 Hijacking protection

For network security: use secure networks with firewalls, limit incoming connections, minimize remote access, use HTTPS instead of HTTP, send encrypted data and rely on Certification Authorities.