Network Attacks
Man-in-the-Middle
Intercepting and possibly altering communication between two parties.
Related: Replay Attacks
| Aspect | Explanation |
|---|---|
| Replay Attacks | Usually target authentication or session tokens. |
| Attack Method | Attacker resends captured packets without modifying TCP sequence numbers. |
| Normal Behavior | Variations in TCP sequence or acknowledgment numbers are normal network behavior and do not indicate a replay attack. |
Packet Sniffing
Illegally intercepting and examining unencrypted data packets.
Mitigations:
| Technique | Description |
|---|---|
| Encryption | Protect data in transit using HTTPS or VPNs. |
| Secure Wi-Fi | Use WPA3 for wireless network security. |
| Network Segmentation | Limit access to sensitive data by segmenting networks. |
| Network Monitoring | Detect unauthorized packet sniffing or traffic. |
Christmas Tree Packet Attack
Packets are the basic unit of network communications. Every time information is transferred over the network, it is divided up into small packets of information that are then reassembled once they reach the destination system.
- Packets contain the data payload to be sent, but also include header information
- Packet headers are like "envelopes" that carry the data
- Headers include information such as source, destination, and flags
Flags are single-bit fields that contain either a 1 or a 0. If a field is set to 1, it indicates a special-purpose packet. As an example, if the SYN flag is set to 1, a connection is being established, while a FIN flag set to 1 means the connection is being torn down.
A typical packet only has one or two flags set to a value of 1.

In a christmas tree packet, all of the flags are set to 1. It is similar to having a "christmas tree" all lit up.

Attackers send this kind of packet because some systems crash when they receive a christmas tree packet. These systems may have a poorly designed network stack that can't handle a packet with all of the flags set to a value of 1.
- All flags set to 1 can have an effect similar to a denial of service attack.
- Attackers can determine the type of OS depending on the response of the server.
- Useful for conducting pre-attack reconnaissance.
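As an added example (not part of the original notes), the following Python parses the flag byte of a raw TCP header and flags packets with every bit lit, the way a monitoring script would classify captured traffic. The sample headers and source addresses are constructed here for illustration.

```python
import struct
from collections import Counter

# TCP flag bits in byte 13 of the header (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def build_tcp_header(src_port: int, dst_port: int, flag_byte: int) -> bytes:
    """Constructed 20-byte TCP header (seq/ack 0, no options) used as sample input."""
    data_offset = 5 << 4  # header length in 32-bit words sits in the upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 65535, 0, 0)


def parse_tcp_flags(tcp_header: bytes) -> dict:
    """Return {flag_name: bool} from the flag byte of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flag_byte = tcp_header[13]
    return {name: bool(flag_byte & bit) for name, bit in TCP_FLAGS.items()}


def is_xmas_tree(tcp_header: bytes) -> bool:
    """True when every flag bit is lit: the 'christmas tree' packet described above."""
    return all(parse_tcp_flags(tcp_header).values())


def lit_flags(tcp_header: bytes) -> list:
    """Names of the flags set, e.g. ['SYN'] or ['FIN', 'ACK'] for ordinary packets."""
    return [name for name, on in parse_tcp_flags(tcp_header).items() if on]


def count_xmas_by_source(packets) -> Counter:
    """Count christmas-tree packets per source address; packets are (src_ip, tcp_header)."""
    return Counter(src for src, hdr in packets if is_xmas_tree(hdr))


# Constructed sample traffic: two normal packets and two all-flags-set probes.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_tcp_header(40000, 443, 0x02)),   # SYN
    ("192.0.2.10", build_tcp_header(40000, 443, 0x11)),   # FIN+ACK
    ("203.0.113.7", build_tcp_header(50001, 22, 0xFF)),   # all flags lit
    ("203.0.113.7", build_tcp_header(50002, 80, 0xFF)),   # all flags lit
]

if __name__ == "__main__":
    for src, hdr in SAMPLE_PACKETS:
        print(src, lit_flags(hdr), "XMAS" if is_xmas_tree(hdr) else "")
    print(count_xmas_by_source(SAMPLE_PACKETS))
```

A per-source count like this is the kind of signal a network monitoring rule would raise, since the page notes that normal packets carry only one or two flags.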
Oversized Packet Attack
Oversized packet attacks involve sending data packets that exceed the maximum allowable size, exploiting vulnerabilities in network protocols.
Mitigations:
| Technique | Description |
|---|---|
| Packet Size Limits | Enforce maximum allowed packet sizes. |
| Network Monitoring | Detect patterns of oversized packets. |
| Rate Limiting | Restrict the flow of large packets. |
| Firewall Rules | Block packets that exceed normal size limits. |
Fragmented Packet Attack
Fragmented packet attacks involve breaking down data into smaller fragments to bypass network security measures, exploiting vulnerabilities in reassembly processes.
Mitigations:
| Technique | Description |
|---|---|
| Reassembly Timeouts | Set time limits for packet reassembly. |
| Fragmentation Limits | Restrict the size and number of fragments. |
| IDS/IPS | Detect abnormal or suspicious fragmentation patterns. |
| Secure Protocols | Use protocols designed to handle fragmentation safely. |
Reverse Shell
A reverse shell is a malicious connection where the target machine initiates a connection to the attacker's machine, allowing remote control over the target system. This technique bypasses firewalls that block incoming connections but allow outbound ones.
- Attackers establish a connection from the victim's machine to their own, avoiding security controls.
- Methods include exploiting vulnerabilities or using social engineering to run malicious code.
Mitigations:
- Implement egress filtering to control outbound connections.
- Regularly update and patch software to fix exploitable vulnerabilities.
Sample diagram:
