zijian ou says
One of the most common network-based attacks is a denial-of-service (DoS). Its purpose is to exhaust a target computer’s network or system resources, temporarily disrupting or stopping service and rendering it inaccessible to regular users. DoS attacks typically work by flooding or swamping the target machine with requests until it cannot handle regular traffic, resulting in a denial of service to other users. DoS attacks are characterized by using a single computer to launch the attack.
kofi bonsu says
Hi Zijian,
This is a very good analysis, but I do believe that embarking on network security solutions ensures that your organization's sensitive data and information are protected across all channels and devices, so you can focus on building your business and sustain the confidentiality, integrity and availability of information at all times.
Kelly Sharadin says
A couple of interesting takeaways from this week's reading. First, I would agree with the diminishing perimeter security model given the push for today's distributed remote workforce. The city model, I think, more accurately describes the new world in which we are working, which involves segmenting multiple areas in the network to prevent a flat network architecture. Additionally, I found the distinction between determining whether a DoS is a true attack versus just a network issue to be important. As a security professional, having some foundational knowledge in networking can help provide context when investigating unusual or anomalous behavior within the network.
Patrick Jurgelewicz says
Hey Kelly, I definitely agree about how important it is to be able to distinguish between a true DoS attack and network issues. One of the tips in "An Introduction to DDoS Distributed Denial of Service Attack" that I think would be particularly useful in this area is researching and analyzing network patterns; that way, when something truly unusual occurs, the attack can be spotted more easily and mitigated quickly.
Vraj Patel says
Address Resolution Protocol (ARP) is used to resolve an IP address into its associated local MAC address. Devices within the network must know each other's MAC addresses before they can use an IP address to send a packet. Devices in the network build an ARP table as they continue to send packets to the different devices. The ARP table includes information such as IP address, physical address, and type. ARP poisoning is a network attack that can reroute traffic, or it can stop traffic in an ARP DoS attack, which can make the destination of the traffic unreachable. ARP poisoning can affect the functionality and confidentiality of the network, while an ARP DoS attack impacts the availability of the network.
Andrew Nguyen says
One of the takeaways that I took from this reading was the increased attack surface due to advances in technology.
New security concerns arose with the introduction of modern telecommunication networks (and social media platforms), and I think these concerns will only grow in the future as technology becomes more and more advanced.
kofi bonsu says
One interesting thing I found in the article is the situation where a lot of zombie computers (infected computers that are under the control of the attacker) are used, either directly or indirectly, to flood the targeted server(s), the victim, with a large amount of information, done purposely in order to prevent legitimate users from accessing them (mostly web servers that host websites). In most circumstances, the owners of the zombie computers may not be aware that they are being used by attackers, which makes it increasingly tougher for the owners to spot any unusual activity going on in their computers. It is also interesting to know that in certain cases there is only periodic flooding of web servers with large traffic, meant to degrade the service to achieve their target, and in doing that they glossed over their intended attack of taking it down completely.
Kelly Sharadin says
Hi Kofi,
Excellent post about how unsuspecting hosts can be part of a DDoS attack via malware infections that render the compromised victims into "zombie bots" which can then be controlled by an attacker. This is a great example of how cybersecurity is truly everyone's responsibility and concern. If users maintain regularly updated anti-virus solutions, the likelihood of being infected for the purposes of a botnet is diminished. Thanks for your post!
Kindly,
Kelly
Dhaval Patel says
One of the main takeaways I had was early on in this chapter, where they said that not all DoS attacks are external. They mention how blaming external attackers for interrupted service is easy, even when the problem could have occurred internally. Taking the example from the chapter, Newsnet Scotland thought they were the victim of a DoS attack when in reality their services were brought down due to poor coding. This sets a good example to be thorough with what is going on in your environment, and to establish the understanding that not all high server activity is a DoS attack; it could be more external user activity, so it is important to verify and set measures in place to identify a DoS attack before taking any sort of action that could cause more harm.
Antonio Cozza says
Great points, Dhaval. It is imperative to understand what is occurring from all angles before making any quick decisions that aren't entirely thought out. Establishing activity baselines and understanding expected server loads is standard practice, especially during peak usage times.
Andrew Nguyen says
Hi Dhaval,
I had always assumed that DoS attacks were external, but it makes sense that it can occur internally as well (this actually happened at my current workplace!). It’s important to investigate these issues and determine the actual cause of the denial of service, in order to better protect ourselves.
Thanks for sharing your thoughts!
Best,
Andrew
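Added example, not part of any post in this thread: a small triage script that works through the point Dhaval and Antonio make above. It replays constructed Apache-style access-log lines (made up for this example, not real traffic) through per-minute statistics and labels each minute as normal, an application fault (the Newsnet Scotland case: normal load, failing requests), a single-source flood, a distributed flood, or a legitimate flash crowd. The baseline of 20 requests per minute, the 5x surge factor and the other thresholds are assumptions chosen for the sample data, not numbers from the reading.

```python
"""Triage a traffic surge: attack, flash crowd, or our own bug?

Added example. Constructed access-log lines are bucketed per minute and a few
heuristics label each minute. Thresholds and the 20 req/min baseline are
assumptions for the sample data, not values from any source.
"""
import re
from collections import Counter, defaultdict

# IP, ident, user, [dd/Mon/yyyy:HH:MM:ss zone], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] '
    r'"(\S+) (\S+) [^"]*" (\d{3}) '
)

def parse(line):
    """Return (client_ip, minute_key, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, minute, _method, path, status = m.groups()
    return ip, minute, path, int(status)

def summarize(lines):
    """Per-minute signals a responder should look at before declaring a DoS."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[rec[1]].append(rec)
    stats = {}
    for minute, recs in sorted(buckets.items()):
        sources = Counter(r[0] for r in recs)
        stats[minute] = {
            "requests": len(recs),
            "sources": len(sources),
            "top_share": sources.most_common(1)[0][1] / len(recs),   # share of busiest client
            "paths": len({r[2] for r in recs}),                      # distinct URLs requested
            "err_rate": sum(r[3] >= 500 for r in recs) / len(recs),  # server-side failures
        }
    return stats

def classify(stats, baseline_rpm, rate_factor=5.0):
    """Label each minute; a 'surge' is rate_factor times the historical baseline."""
    labels = {}
    for minute, s in stats.items():
        surge = s["requests"] >= rate_factor * baseline_rpm
        if not surge and s["err_rate"] >= 0.5:
            labels[minute] = "application fault"    # normal load, but we are failing requests
        elif surge and s["top_share"] >= 0.5:
            labels[minute] = "single-source flood"  # one client dominates: classic DoS
        elif surge and s["paths"] <= 2 and s["sources"] >= 20:
            labels[minute] = "distributed flood"    # many clients hammering one URL: DDoS pattern
        elif surge:
            labels[minute] = "flash crowd"          # many clients, normal browsing mix
        else:
            labels[minute] = "normal"
    return labels

# ---- constructed sample log (not real traffic) -----------------------------
PATHS = ["/", "/news", "/sport", "/weather", "/about", "/contact"]

def log_line(ip, hhmm, path, status):
    return f'{ip} - - [10/Oct/2021:{hhmm}:00 +0000] "GET {path} HTTP/1.1" {status} 512'

def constructed_log():
    lines = []
    for i in range(10):                       # 13:50 normal: 10 readers, 2 pages each
        for p in PATHS[i % 2:i % 2 + 2]:
            lines.append(log_line(f"198.51.100.{i}", "13:50", p, 200))
    for i in range(15):                       # 13:51 bad deploy: most requests return 500
        lines.append(log_line(f"198.51.100.{i % 8}", "13:51", PATHS[i % 6], 500 if i < 12 else 200))
    for _ in range(300):                      # 13:52 one host hammers the front page
        lines.append(log_line("203.0.113.66", "13:52", "/", 200))
    for i in range(10):
        lines.append(log_line(f"198.51.100.{i}", "13:52", PATHS[i % 6], 200))
    for i in range(100):                      # 13:53 botnet: 100 hosts, same expensive URL
        for _ in range(2):
            lines.append(log_line(f"203.0.113.{i}", "13:53", "/search?q=x", 200))
    for i in range(75):                       # 13:54 flash crowd after a link from a large site
        for p in PATHS[i % 5:i % 5 + 2]:
            lines.append(log_line(f"192.0.2.{i}", "13:54", p, 200))
    return lines

if __name__ == "__main__":
    stats = summarize(constructed_log())
    for minute, label in classify(stats, baseline_rpm=20).items():
        print(minute, label, stats[minute])
```

The point of the five signals is that request rate alone cannot tell the cases apart: the 13:51 minute is below baseline yet is the one that actually hurt users, and the 13:54 minute looks like a DDoS by volume but is new readers browsing normally. Real deployments would replace the hard-coded baseline with one learned from the same hour on previous days.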
Antonio Cozza says
The most interesting part of the chapter for me was learning how some mitigations against denial of service attacks are actually implemented. Black holing seems like a pretty subpar solution, as it could have too many negative effects, while rate limiting is moderately effective despite limiting speeds for real users. Pre-validating the TCP handshake with false opens at the firewall seems quite effective in mitigating DoS, however. It was also interesting that the authors note that DoS is a community problem and that the ISP must help if the DoS exceeds a certain point.
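Added example, not part of Antonio's post or the textbook: a simulation of the "false open" he mentions. A Server keeps a fixed number of half-open connections, which is the resource a SYN flood exhausts. A SynProxy in front of it answers every SYN itself with a SYN-ACK whose sequence number is an HMAC cookie, keeps no state, and only opens a real connection to the server once the client echoes that cookie back. Spoofed sources never receive the SYN-ACK, so they never get through. The addresses are from the RFC 5737 documentation ranges; the backlog size, the cookie key, the toy sequence numbers and the handshake model are simplifications made for this example.

```python
"""SYN flood against a bare server vs. the same flood through a SYN proxy.

Added example. Server models a bounded half-open table; SynProxy models a
stateless 'false open' with an HMAC cookie. Parameters are illustrative.
"""
import hashlib
import hmac
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0

class Server:
    """Backend with a bounded half-open (SYN_RCVD) table."""
    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}       # (src, sport) -> our initial sequence number
        self.established = set()
        self.dropped = 0

    def on_syn(self, seg):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # backlog full: honest SYNs die here during a flood
            return None
        isn = 1000 + len(self.half_open)   # toy ISN, fine for a simulation
        self.half_open[(seg.src, seg.sport)] = isn
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN-ACK", seq=isn, ack=seg.seq + 1)

    def on_ack(self, seg):
        isn = self.half_open.pop((seg.src, seg.sport), None)
        if isn is not None and seg.ack == isn + 1:
            self.established.add((seg.src, seg.sport))

class SynProxy:
    """Stateless false open: SYN-ACK carries a cookie; only a valid ACK reaches the server."""
    def __init__(self, server, secret=b"rotate-this-key-periodically"):
        self.server = server
        self.secret = secret
        self.forwarded = 0

    def cookie(self, seg):
        # Bound to the 4-tuple so a cookie for one flow cannot open another.
        flow = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}".encode()
        return int.from_bytes(hmac.new(self.secret, flow, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, seg):
        # No table entry: a million spoofed SYNs cost a million HMACs and nothing else.
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN-ACK",
                       seq=self.cookie(seg), ack=seg.seq + 1)

    def on_ack(self, seg):
        """True if the ACK proves the peer saw our SYN-ACK; then complete the backend handshake."""
        if seg.ack != (self.cookie(seg) + 1) & MASK32:
            return False           # forged or spoofed: never received the cookie
        synack = self.server.on_syn(Segment(seg.src, seg.sport, seg.dst, seg.dport, "SYN", seq=seg.seq - 1))
        if synack is not None:
            self.server.on_ack(Segment(seg.src, seg.sport, seg.dst, seg.dport, "ACK",
                                       seq=seg.seq, ack=synack.seq + 1))
            self.forwarded += 1
        return True

def run_flood(server, front, spoofed=50):
    """Send `spoofed` SYNs from sources that never ACK, then one honest handshake through
    `front` (the bare server or the proxy). Return whether the honest client connected."""
    for i in range(spoofed):
        front.on_syn(Segment(f"203.0.113.{i % 250}", 40000 + i, "198.51.100.10", 443, "SYN", seq=1))
    client = Segment("192.0.2.7", 51515, "198.51.100.10", 443, "SYN", seq=700)
    synack = front.on_syn(client)
    if synack is None:
        return False
    front.on_ack(Segment(client.src, client.sport, client.dst, client.dport, "ACK",
                         seq=client.seq + 1, ack=(synack.seq + 1) & MASK32))
    return (client.src, client.sport) in server.established

if __name__ == "__main__":
    bare = Server(backlog=4)
    print("no proxy:", run_flood(bare, bare), "dropped:", bare.dropped)
    backend = Server(backlog=4)
    print("SYN proxy:", run_flood(backend, SynProxy(backend)), "dropped:", backend.dropped)
```

Without the proxy the first four spoofed SYNs fill the backlog and every later SYN, including the honest one, is dropped. With the proxy the backend never sees a SYN until a client has proven it can receive packets at the claimed source address, which is exactly what a spoofed flood cannot do. This is the same idea as kernel SYN cookies, moved to the perimeter so the server does not spend the cycles.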
Madalyn Stiverson says
Man-in-the-middle (MitM) is a type of attack where a malicious third party listens in on your correspondence. Although it seems like you're sending encrypted messages to and from your contact, really you are sending encrypted messages to the MitM, and he is passing those messages along to your contact. This way, he can listen in on the conversation. Regular WPA can't protect against this, but VPNs can. This is because VPNs use pre-shared secrets. These pre-shared secrets are never transmitted, so the MitM can never intercept them.
Dhaval Patel says
Hi Madalyn,
This is a great point. VPNs provide a range of security benefits, such as spoofing your location, encrypting data, and, as you said, preventing man-in-the-middle attacks. If you are ever on a public WiFi network, using a VPN can be very beneficial for protecting your data and location; however, even with a VPN, vulnerabilities start to rise once the data has passed the VPN server and reached its destination.
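Added example, not part of Madalyn's or Dhaval's posts: the exchange Madalyn describes, written out with both sides' messages. Two parties derive a session key with Diffie-Hellman. An attacker relaying the messages swaps in their own public value and ends up holding one key with each side, while both sides still see "encrypted" traffic. When both sides also hold a pre-shared key that is never sent on the wire and use it only to HMAC their public value, the attacker cannot produce a valid tag and the substitution is caught. The 1024-bit modulus below is a fixed toy parameter chosen so the arithmetic is visible; the party names, the PSK and the message layout are assumptions of this example, and real PSK protocols also bind nonces and identities into the tag.

```python
"""Man-in-the-middle on a key exchange, with and without a pre-shared secret.

Added example. Plain DH lets the relay hold a key with each side; a PSK-keyed
HMAC over the public value exposes the substitution. Toy modulus: use a vetted
group (RFC 3526/7919) or X25519 in real code.
"""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()

def tag(psk, pub):
    """Authenticate a public value with a secret that never goes on the wire."""
    return hmac.new(psk, pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()

class Party:
    def __init__(self, name, psk=None):
        self.name, self.psk = name, psk
        self.priv, self.pub = dh_keypair()
        self.key = None

    def hello(self):
        """Outgoing message: (public value, tag). Tag is empty when no PSK is configured."""
        return self.pub, (tag(self.psk, self.pub) if self.psk else b"")

    def finish(self, peer_pub, peer_tag):
        if self.psk and not hmac.compare_digest(tag(self.psk, peer_pub), peer_tag):
            raise ValueError(f"{self.name}: peer value fails PSK authentication")
        self.key = dh_session_key(self.priv, peer_pub)

def run_exchange(alice, bob, mitm):
    """Relay hellos. With mitm=True the attacker substitutes its own public value both ways."""
    a_pub, a_tag = alice.hello()
    b_pub, b_tag = bob.hello()
    if not mitm:
        alice.finish(b_pub, b_tag)
        bob.finish(a_pub, a_tag)
        return {"alice_bob_agree": alice.key == bob.key}
    m_priv, m_pub = dh_keypair()
    forged_tag = b"\x00" * 32            # attacker has no PSK; this is the best it can do
    try:
        bob.finish(m_pub, forged_tag)    # Bob believes this came from Alice
        alice.finish(m_pub, forged_tag)  # Alice believes this came from Bob
    except ValueError as exc:
        return {"aborted": str(exc)}
    return {
        "alice_bob_agree": alice.key == bob.key,
        # attacker holds one key with Alice and another with Bob, so it can decrypt,
        # read and re-encrypt everything while both sides see "encrypted" traffic
        "mitm_reads_alice": dh_session_key(m_priv, a_pub) == alice.key,
        "mitm_reads_bob": dh_session_key(m_priv, b_pub) == bob.key,
    }

if __name__ == "__main__":
    print("no PSK:", run_exchange(Party("alice"), Party("bob"), mitm=True))
    psk = b"shared-out-of-band"
    print("PSK   :", run_exchange(Party("alice", psk), Party("bob", psk), mitm=True))
```

The unauthenticated run shows the failure mode in the post: Alice and Bob never end up with the same key, yet nothing in the exchange tells them so. The PSK run aborts at the first forged message; the attacker can still relay the honest values untouched, but then it holds neither key and is just a wire.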
Patrick Jurgelewicz says
It was interesting to read that, as network architecture has evolved, so has the threat environment surrounding networks. For a business's LAN, one way for an attacker to exploit a vulnerability was to plug into an available jack connected to the wired network. Now, wireless networks can be attacked by "drive-by" hackers who do not even need to enter the building. Therefore it has become increasingly important to understand what vulnerabilities exist in a network, and how to protect a network's availability, confidentiality, functionality, and access control.
Dan Xu says
Hi Patrick,
I agree with you that protecting the availability, confidentiality, functionality and access control of the network is becoming more and more important because of the technology that is now available. The threats around the network are endless and many times there are vulnerabilities that are undetectable because there are no sudden changes in the quality of service. It is difficult for network administrators to see the true growth and progression of network traffic.
Antonio Cozza says
Hi Patrick,
It certainly is interesting to see how the times are continually evolving, leading to different threat vectors regularly. Regarding your point on wireless networks, it is interesting to see how network engineers design networks by strategically placing certain network devices and choosing which type of antennas to use based on a company's building layout, in order to minimize external signal strength while providing reliable connectivity to intended authorized internal users.
Lauren Deinhardt says
One key takeaway from this reading was the different application of security objectives in terms of network security. I really like how Boyle and Panko expanded upon the CIA triad in terms of this topic, since confidentiality, integrity and availability differ for various functions of information security (and through different layers of the OSI Layer Model). Confidentiality is key when preventing attack vectors such as fingerprinting: the data being transmitted through information systems is not the only object requiring confidentiality, since information on users can be passively collected and used to deploy other forms of attacks (e.g., spoofing). In addition, availability of network services is crucial in order to ensure availability of data. Functionality and access control replace integrity in the CIA triad within the context of network security; functionality refers to preventing hackers from altering networking capabilities/services (e.g., ARP poisoning), and access control refers to the preservation of a secure logical access system. Overall, it is important to understand the application of the CIA triad within different stages of the OSI Layer Model, and this chapter gave great context on Layer 3.
Dan Xu says
One of the main takeaways I had was the common non-aggressive loss of service that occurs when a large site links to a much smaller site. Because smaller news sites may be overwhelmed by the dramatic increase in traffic, they are more likely to be lost. On the other hand, the ultimate goal of a DoS attack is to cause harm. The damage for businesses is significant, for example in the form of losses related to industry reputation and customer loyalty. The most damaging attacks are those that cannot be identified, and attacks that slowly degrade quality of service are more difficult to detect. These attacks last a long time and are difficult to defend against.
zijian ou says
I agree with your point of view; denial of service attacks usually use the vulnerabilities of transmission protocols, system vulnerabilities, and service vulnerabilities to launch large-scale attacks on the target system and consume available system resources with massive data packets that exceed the processing capabilities of the target system.
Michael Jordan says
One key point I took away from this week's textbook reading was the difference between a regular DoS attack and a DDoS. A DDoS attack is described as "distributed" because multiple systems (a botnet) are used to flood the victim with network traffic and interrupt the regular use of the victim's systems. The reasons entities sometimes use DDoS attacks instead of regular DoS attacks are that they can flood the victim with more traffic since they are using more devices, they are harder to detect because communication with multiple devices looks more normal than lots of communication with just one device, and it is more difficult to track down the perpetrator. It is also important to note that DDoS is a type of DoS attack, but not every DoS attack is a DDoS.
Victoria Zak says
It was interesting learning how ARP poisoning works. ARP poisoning is a network attack that manipulates host ARP tables to reroute LAN traffic. An attacker can reroute traffic for a man-in-the-middle attack or stop it in an ARP DoS attack. An attacker is required to have a computer on the local area network for ARP poisoning to work. Additionally, it was interesting to learn about the man-in-the-middle term. It is an eavesdropping attack where the cybercriminal can get in the middle and interrupt an existing conversation or data transfer.
Michael Jordan says
Hi Victoria,
I agree that it is interesting how ARP poisoning works, and how negatively it can affect an organization if the attacker is looking for, or looking to disrupt, specific pieces of information they expect to be transmitted. It is critical to be able to detect and expel this type of breach, as ARP poisoning can affect all three security categorizations.
-Mike
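Added example, not part of any post in this thread: working code for the ARP mechanics that Vraj's and Victoria's posts describe. It packs and parses the 28-byte Ethernet/IPv4 ARP payload (opcode, sender and target MAC and IP), then replays a constructed capture through a passive monitor that keeps its own IP-to-MAC table. The monitor raises two signals: an IP whose MAC changes from what was first learned, which both the reroute (man-in-the-middle) and the blackhole (ARP DoS) variant produce, and a MAC that claims the gateway's IP as well as another host's, which is the man-in-the-middle position. The addresses, MACs and the "first binding seen is the reference" rule are assumptions for the sample LAN, not details from the posts.

```python
"""ARP reply builder/parser plus a passive ARP-poisoning detector.

Added example. Frames are constructed for a made-up LAN; the detector keeps
the first IP -> MAC binding it sees as the reference and reports contradictions.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """'sender_ip is at sender_mac', addressed to target. This is the frame a poisoner forges."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

@dataclass(frozen=True)
class Arp:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return Arp(oper, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))

def detect_poisoning(frames, gateway_ip):
    """Return (conflicts, mitm_macs).

    conflicts: (ip, mac_first_learned, mac_now_claimed) for each reply contradicting the
               first binding seen for that IP (reroute and blackhole both show up here).
    mitm_macs: MACs claiming the gateway's IP and at least one other IP (MitM position)."""
    learned = {}
    claims = defaultdict(set)
    conflicts = []
    for raw in frames:
        pkt = parse_arp(raw)
        if pkt.oper != ARP_REPLY:
            continue
        claims[pkt.sender_mac].add(pkt.sender_ip)
        first = learned.setdefault(pkt.sender_ip, pkt.sender_mac)
        if first != pkt.sender_mac:
            conflicts.append((pkt.sender_ip, first, pkt.sender_mac))
    mitm_macs = sorted(m for m, ips in claims.items() if gateway_ip in ips and len(ips) > 1)
    return conflicts, mitm_macs

# ---- constructed capture for a small LAN (not real traffic) ----------------
GW_IP, VICTIM_IP, ATTACKER_IP = "192.168.1.1", "192.168.1.10", "192.168.1.20"
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:20"

SAMPLE_FRAMES = [
    build_arp_reply(GW_IP, GW_MAC, VICTIM_IP, VICTIM_MAC),      # gateway answers victim
    build_arp_reply(VICTIM_IP, VICTIM_MAC, GW_IP, GW_MAC),      # victim answers gateway
    build_arp_reply(ATTACKER_IP, ATTACKER_MAC, GW_IP, GW_MAC),  # attacker's honest reply
    # poisoning: "gateway is at my MAC" to the victim and "victim is at my MAC" to the
    # gateway, repeated so the caches do not age the lie out
    build_arp_reply(GW_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),
    build_arp_reply(VICTIM_IP, ATTACKER_MAC, GW_IP, GW_MAC),
    build_arp_reply(GW_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),
]

# ARP DoS variant: the gateway is mapped to a MAC nobody owns, so traffic is blackholed
BLACKHOLE_FRAMES = [
    build_arp_reply(GW_IP, GW_MAC, VICTIM_IP, VICTIM_MAC),
    build_arp_reply(GW_IP, "00:00:00:00:00:99", VICTIM_IP, VICTIM_MAC),
]

if __name__ == "__main__":
    print("reroute  :", detect_poisoning(SAMPLE_FRAMES, GW_IP))
    print("blackhole:", detect_poisoning(BLACKHOLE_FRAMES, GW_IP))
```

The two outputs show the distinction the posts draw: the reroute capture yields conflicts for both the gateway and the victim plus one MAC flagged as sitting between them, while the blackhole capture yields a conflict with no MitM candidate, since the bogus MAC claims nothing else. On a real network a monitor like this runs on a mirrored port (or as a tool such as arpwatch), and DHCP reassignments must be whitelisted to keep the conflict list honest.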