Chapter 7 - Protecting Against Advanced Attacks Flashcards
SYN Flood Attacks
A common DDoS attack used against servers on the internet; it is easy to launch and causes significant problems. The SYN flood disrupts the Transmission Control Protocol (TCP) three-way handshake used to establish a session and can prevent legitimate clients from connecting.
Spoofing
Occurs when a person or entity impersonates or masquerades as someone or something else.
Some common spoofing methods are related to an email address, an Internet Protocol (IP) address, and a media access control (MAC) address (which is assigned to the NIC and hard-coded into the NIC).
On-path attack
Also called a Man-in-the-Middle attack, it is a form of interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards traffic between the two.
The two computers are unaware of the attacking computer, but the attacker can interrupt the traffic at will, insert malicious code or simply eavesdrop.
When secure channels are used, the on-path system may use certificates that aren’t issued by a CA and will generate certificate warnings. SSH gives a warning if previously established keys have changed.
SSL Stripping
A Secure Sockets Layer (SSL) stripping attack changes an HTTPS connection to an HTTP connection. HTTPS uses TLS instead of SSL in almost all instances, so it can also be considered TLS stripping.
ARP Poisoning
Attack that misleads computers or switches about the actual MAC address of a system.
ARP resolves IP addresses to their hardware (MAC) addresses and stores the results in an area of memory known as the ARP cache.
ARP is very trusting: a system sends an ARP request and will believe any ARP reply, so an attacker can easily create an ARP reply packet with a spoofed or bogus MAC address and poison the ARP cache on systems in the network.
-Commonly used for MITM and DoS attacks (i.e., impersonating a gateway so no traffic leaves a network).
MAC Flooding
An attack against a switch that attempts to overload it with different MAC addresses associated with each physical port.
Sometimes a switch will run out of memory to store all of the MAC addresses and will enter a fail-open state, where instead of working as a switch it ends up operating as a hub, sending traffic to all switch ports.
*Switches commonly contain a flood guard to protect against MAC flood attacks, which can limit the amount of memory used to store MAC addresses for each port.
MAC Cloning
Simply changing a system’s MAC address to another MAC address, often to fool an ISP into thinking that a different networking device is the one it already recognizes, meaning it might still give you an IP address.
DNS Poisoning
Attempts to modify or corrupt DNS data, such as modifying the IP address associated with espn.com and replacing it with the address of a malicious website.
If successful, and users attempt to go to espn.com, they will be sent to a malicious website instead.
*A primary indicator of a DNS poisoning attack is when users enter the URL of one website but are taken to a different website.
DNSSEC (Domain Name System Security Extensions) protects servers from DNS attacks.
Pharming attack
Another attack that manipulates the DNS name resolution process. It either tries to corrupt the DNS server or the DNS client, also redirecting a user to a different website.
This normally takes the form of modifying someone’s hostname mappings on their host computer.
URL Redirection
Common technique used to redirect traffic to a different webpage within a site, or even a different site completely.
Attackers can use URL redirection for malicious purposes, such as sending traffic to a website of their choosing.
-> You attempt to go to a website, and you’re redirected to another website.
Domain hijacking
In a domain hijacking attack, an attacker changes a domain name registration without permission from the owner.
Attackers often do this with social engineering techniques to gain unauthorized access to the domain owner’s email account.
DNS sinkhole
A DNS sinkhole is a DNS server that gives incorrect results for one or more domain names.
If the DNS server has a sinkhole for a domain name, you won’t be able to access the site. Authorities have used sinkholes to disrupt botnets and malware: since botnets frequently check in with command and control servers, authorities have reverse engineered the domain names within the malware that direct traffic to those servers and then redirect the traffic destined for those domain names.
Replay attack
When an attacker replays data that was already part of a communication session.
The attacker first captures data sent over a network between two systems, modifies the data, and then tries to impersonate one of the clients in the original session by replaying the modified data. Replay attacks can occur on both wired and wireless networks.
Many protocols and systems such as Kerberos use timestamps and sequence numbers to thwart replay attacks.
OWASP
Open Web Application Security Project
A non-profit foundation focused on improving the security of software, including hundreds of local chapters that produce free documentation, tools, methodologies and techniques to improve web application security.
Code reuse
Code reuse saves time and helps prevent coders from introducing new bugs. It’s the process of reusing tested code instead of creating brand new code for a similar application.
Third party libraries and SDKs
These are popular methods of code reuse.
Libraries contain a wide assortment of prewritten and tested code that can be used for almost any purpose. They can include functions and other code snippets. Developers can add a line of code within a web app to reference a library available online, then call any of the library’s functions within their web app without needing to write the code from scratch.
SDKs are like third party libraries but are typically tied to a specific vendor; for example, when creating an Android app, you’d use an Android SDK. SDKs include software tools that will help you create apps for Android-based devices. They also include a code library and much more, like tools for debugging an app, APIs, documentation and tutorials.
Input validation
Input validation is the practice of checking data for validity before using it. It prevents an attacker from sending malicious code that an application will use, either by sanitizing the input to remove the malicious code or by rejecting the input.
This is one of the most important security steps that developers should adopt as a secure coding practice.
*Improper input handling (or lack of input validation) is one of the most common web app security issues and allows buffer overflow attacks, SQL injections, dynamic link library (DLL) injections and cross-site scripting attacks.
What are some common checks performed by input validation?
- Verifying proper characters
  -Some fields like a zip code should only use numbers, while a state field should only include letters, and others allow a mix of both. Developers can configure input validation code to check for specific character types and verify they are entered correctly.
- Blocking HTML code
  -Some malicious attacks like XSS embed HTML code in the input as part of an attack. Input validation code can detect HTML code, such as the < and > characters, and not use it.
- Preventing the use of certain characters
  -Attacks like SQL injection use specific characters such as the dash (-), apostrophe (‘), and equal sign (=), so blocking these helps to prevent these attacks.
- Implementing boundary or range checking
  -These checks ensure that values are within expected boundaries or ranges; for example, if the max purchase for a product is 3, the check verifies that the quantity is 3 or less. This identifies when data is outside the range so the application doesn’t use it.
Client-side vs. server-side input validation
Client-side execution indicates that the code runs on the client’s system, such as a user’s web browser, while server-side execution indicates the code runs on the server, such as on a web server.
- Client-side input validation is quicker but is vulnerable to attacks. Server-side input validation takes longer but is secure because it ensures the application doesn’t receive invalid data. Many apps use both.
In client-side input validation, the validation code is included in the HTML page sent to the user. If the user enters a quantity outside the boundaries, the HTML code gives them an error message and doesn’t submit the page to the server until the user enters the correct data.
-However, it’s possible to bypass client-side validation: many browsers allow you to disable JavaScript, and you can also use a web proxy to capture the client’s data in the HTTP POST request and modify it before forwarding it to the server.
Server-side input validation checks the inputted values when they reach the server, ensuring that the user hasn’t bypassed the client-side checks.
Using both provides speed and security.
Race condition
When two or more modules of an application, or two or more applications, attempt to access a resource at the same time, it can create a conflict known as a race condition. Most developers know about this and implement methods to avoid it, but if ignored by a new developer these conflicts can cause significant problems.
EXAMPLE: two people buying an identical airplane ticket online at the exact same time. A good coding design is to:
-Lock the selection before offering it to a customer
-Double check for a conflict later in the process.
-Databases often have concurrency processes to prevent entities from modifying a value at the same time.
TOCTOU
Time of Check to Time of Use (TOCTOU) is a type of race condition, sometimes called a state attack.
The attacker tries to race the OS to do something malicious with data after the OS verifies access is allowed (time of check) but before the OS performs the legitimate action (time of use).
Proper error handling
ERRORS TO USERS SHOULD BE GENERAL, NOT DETAILED
Detailed error information should be logged for internal use.
Error and exception handling helps protect the OS’s integrity and controls the errors shown to users. Apps should show generic error messages to users but log detailed information.