Network Attack and Defense - Research Paper Example

Domain Name System (DNS) is a protocol used to map a domain name to an IP address in a network. The assignment might take several hierarchies depending on representing cache DNS, local networks, and Internet Service Provider (ISP). DNS is used to map a domain such as www.exampledomainname.com to a particular IP address in a remote server (Peng et al. 2017). Understanding the working mechanism of DNS is important when resolving network attacks such as DNS flooding attacks, website redirects, cache poisoning, DNS tunnelling, and Distributed Reflection Denial of Service (DRDoS).

2.3 Address Resolution Protocols (ARP)

The Address Resolution Protocol (ARP) is essential in finding the destination of a data packet. According to Kang and Kang (2016), ARP uses a table containing link-layer addresses such as Media Access Control (MAC) address. The mapping is essential when transmitting packet across different medias such as routers, cables, switches, and computers. Sufficient knowledge on the ARP is essential when securing devices such as routers and switches. The ARP attacks target at changing the mapping of devices on the table through ARP spoofing.

2.4 Transfer Control Protocol (TCP)

The Transfer Control Protocol (TCP) is common in the transmission of information across a network. According to Mohammed et al. (2013), the TCP is a protocol using the relayed circuit in which the data packets are split up in one end and reassembled at the far end through encapsulation and decapsulation. An alternative form of data transmission might involve User Datagram Protocol (UDP) which is common where a delivery flag is not needed. Knowledge gained in understanding both TCP and UDP is essential in designing data transfer channels and implementing security features to prevent a man-in-the-middle attack.

3.0 Attack on Local Networks

Local Area Network (LAN) is the basis on every connection in an organization. The LAN contains terminals connected to the end-users (workers). In other areas, the LAN connection might involve Personal Area Network (PAN) using a simple smartphone Access Point (AP or commonly hotspot). The LAN connection involves end devices inclusive of switches, routers, servers, cabinets, firewalls, and computers. According to Maglaras et al. (2018), port security becomes a major concern in device configuration, including identification of devices within an organization. Since LAN is common in every organization, it is important to highlight common attacks.

3.1 Packet Sniffing

Packet sniffing is the process of intercepting data packets and decrypting them to access the original information. If a data packet is captured using a Wireshark, the user can recognize source IP address, destination IP address, packet size, body, and transmission protocol (Anderson, 2008). The packet’s body should always be encrypted into a scrambled text to avoid interpretation of the content. Also, the man-in-the-middle attacker should not know the encryption key to prevent cracking the text (Ventures, 2017). This type of LAN attack is common when the hacker wants to steal authentication details, important emails, messages, or documents.

3.2 Masquerade

The art of masquerading involves the hackers pretending to be known users within a network. The imitation process might take different forms with each targeting a specific action. The most common masquerade act involves changing the computer’s MAC address to evade port security in switches (Acemoglu et al. 2016). Also, masquerading might involve changing a malicious code’s name to imitate known programs in computing to avoid being detected by antivirus. For instance, a key logger might be changed to contain .doc file extension imitating Microsoft word document. Besides, masquerading might involve creating rogue access points near an origination (Anderson, 2008). Whenever the target connects to the rogue access point, the hacker penetrates in their devices.

3.3 Address-hijacking

Address hijacking involves the art of controlling the routing table of the routers or switches. The Border Gateway Protocol (BGP) hijacking takes over a group of addresses within a network that controls their capabilities. The routing table stores the source and destination of each data packet. Taking over the routing table becomes catastrophic attack since the intruder has superior priorities in controlling various subnets (Kang & Kang, 2016). The attacker might re-route the data packets to an unsafe network and read their contents. Also, Address hijacking is used to create a network botnet used in Distributed Denial of Service (DDoS) attack.

4.0 Attacks Using Internet Protocols

The Internet Protocol model has no real authenticity security mechanism in their default state across the four layers. The challenge is common in the TCP/IP protocol layers resulting in vulnerability in many application and network designs. Consequently, the attackers have taken advantage of the weak implementation to derive various attacks.

4.1 Synchronize (SYN) Flooding

Synchronize (SYN) flooding is common in interjecting transmission on packets across the TCP/IP layers, especially if the transmission channel is using TCP protocol. According to Anderson (2008), a packet is sent to another computer requesting a synchronized connection between the devices. After the establishment of connection, the target device is flooded with more records of SYN packets that the software a handle (Terrill et al. 2018). The attack has been common since the 1980s, and they might be used to bring down the systems if precautionary measures are not observed. Prevention of this attacks involves designing an application which denies another connection to allocate memory or perform a lot of computations.

4.2 Smurfing

Smurfing is another form of attack that uses brute force to bring down a system. The attack exploits the Internet Control Message Protocol (ICMP), which sends a data packet to the end-user and echo feedback indicating whether the connection is active (Terrill, 2018). The attack takes advantage of the availability of broadcast addresses shared by devices within a LAN. The attacker uses the broadcast address to create a smurf amplifier. When packets are sent to the smurf amplifier, they are multiplied to swamp the device. This attack was common when attacking Internet Relay Chat (IRC) servers and taking over discussion forums (Farber & Larson, 2017). Currently, network designers must ensure it is not possible to create amplifiers in the system. Also, feedback and loops are avoided in current network implementations.

4.4 Distributed Denial of Service (DDoS)

Denial of Service (DoS) attacks a mechanism that prevents the real user the privilege to access essential service at the point of need. When the attacker combines multiple computers (botnets), the attack is known as a Distributed Denial of Service (DDoS) (Ventures, 2017). For instance, an attacker might use brute force to flood UDP packets to a website such that other users might be limited to access the same resource. Botnets have compromised high-profile websites such as Amazon and Yahoo (Peng, Leckie & Ramamohanarao, 2017). Nowadays, DDoS takes various forms of vulnerabilities. One the hackers have established a target; they send spam to the application such as fast-flux then blacklists various IP address connection (Maglaras et al. 2018). The attack might also compromise the Dynamic Host Configuration Protocol (DHCP) server. When the DHCP server is compromised, the IP address pool kicks out the current users and prevents authentication of other connections.

5.0 Malware and Viruses

Malicious software (malware) are computer programs designed with intentions of altering the normal functioning of a computing device. In the 1970s, there was the emergence of large time-sharing of systems (Ventures, 2017). The security implementation was not common since the computing capabilities were still evolving. Also, various web technologies such as Web 2.0 (online knowledge) and Web 3.0 (content management) were still evolving. The community adopted online shopping, banking, and researches. The hackers took advantage of the naivety of the system developers to design programs with the intent of stealing information and money.

The computer worm is a special type of viruses used in developed in the late 1970s. The computer worms can replicate themselves after they are injected in the host computer (Mamatha & Sharma, 2020). Also, they can propagate to adjacent computers within a LAN network or topology and execute independently (Peng, Leckie & Ramamohanarao, 2017). The “Morris Worm” developed in 1988 was the first computer worm to propagate through the internet (Maglaras et al. 2018). Robert Tappan Morris hit the mainstream media attention in the USA after compromising the internet for three days.

The working mechanism of the viruses and malware is sophisticated. A computer virus consists of two components, replication and payload. The proliferation of the viruses involves the transmission of the program to the target machine. Then, the payload activates the function of the virus whenever a certain condition is invoked. Other viruses take the form of the target platform through masquerade. For instance, a virus might turn into EXE, DOS, or COM (Terrill et al. 2018). In other cases, malware might interfere with user privileges. For instance, Rootkits can access the root user's permission in controlling the entire host machine. Also, a hacker might perform activities on the background without the host detecting their device is being controlled.

6.0 Security Defense on Network Attack

After highlighting various forms of attack on networks, it is essential to create awareness on the security defence mechanisms that should be adopted by organizations. Configuration management and operations are the basic forms of security mechanism that the network administrators should observe. According to Kang and Kang (2016), statistics show that majority of the technical attacks on the systems between 2000-2007 were exploited through known vulnerabilities. Consequently, routers and switches configuration should be mandatory and follow update design protocols. Also, the usage of secure channels such as Secure Shells (SSH) in Telnets configuration should be observed in remote access (Mamatha & Sharma, 2020). The organization should also use various tools and software in security implementation.

6.1 Firewalls and Censors

Firewalls are the most critical security feature when securing an internal organization network. A firewall is used in filtering data packets and inspecting malicious patterns in their packet's checksum. Packet filtering is also common in port security in authenticating the right IP address to access a particular port number. Firewalls can prevent IP spoofing by authorizing local datagrams and rejecting foreign packets. Firewalls might be implemented through software or physical hardware such as special switches. The software authorizes common services such as emails through the web traffic, and inspect the packets redirected to a particular network subnet.

Application Relays and Circuit gateways are security mechanisms used to prevent internet protocol attacks. Application relays are common when implementing time delay functions. According to Mohammed et al. (2013), application relays act as a proxy for more various services. They filter applications and weed out spam by removing undesirable contents. Additionally, the circuit gateways are used as session layers of the Open System Interconnection (OSI) model (Farber &Larson, 2017). Also, they are reassembling and inspect a packet for every TCP session. Therefore, they are essential in TCP/IP filtering and redirecting of traffic to an organization’s proxy.

Intrusion Detection Systems (IDS) have an efficient way of informing the network administrator during the time of the attack. The IDS work by detecting an attack activity and triggering an “alarm” and the point of intrusion (Mamatha & Sharma). The IDS might take the basic form of antivirus software or cabinet alarm to complicated mechanism implemented on switches and routers. They are used to detect clone devices such as fake phones and fraudulent credit cards. Also, IDS can scan and audit system in the background at a given interval. Besides, the system keeps a list of suspect vulnerabilities and select them randomly to check if they have been executed recently.

6.2 Network Encryption

Most of the online activities involve the transfer of information through communication channels. The information needs encryption mechanisms to protect data packet in case of interception. The most common type of data transfer used by most people is through browsers. The browser used Hypertext Transfer Protocol (HTTP) to establish an end-to-end connection (Singh et al. 2019). However, the information transfer of packet through HTTP is in plain text, making it easy to read the text. Hence, addition Secure Shell (SSH) layer is added to encrypt data resulting in HTTPS (Acemoglu et al. 2016). All users must ensure they use HTTPS instead of HTTP in all connection to ensure their text is encrypted.

Furthermore, another encryption area that needs emphasis on access point (hotspot) security. Wireless Fidelity (Wi-Fi) is a common type of Wireless Local Area Network (WLAN). There are two types of encryption used in WLANs (Ullah et al. 2020). Firstly, it is better to have security than leaving the connection open. That is why Wireless Equivalent Privacy (WEP) encryption was implemented in some access points. However, cracking such encryption to a cybersecurity expert is easy. Hence, the standard should never be used to encrypt sensitive networks whenever an alternative is available (Wakchaure et al. 2020). Secondly, a more secure form of security applied through Wireless Protected Access (WPA) encryption. In the latest updated version of the standard, WPA2, encryption contains sophisticated data encryption that is hard to crack compared to WEP.

7.0 Conclusion

In conclusion, the control of network attacks needs a comprehensive knowledge of security engineering. The organization should be informed on trending network attacks and defence. The complexity of security mechanism might require the organization to invest a lot of money in preventing attacks. This research paper has addressed network attack and defence mechanisms. In-network attacks, the vulnerability in network protocols such as IP, DNS, ARP, and TCP have been highlighted. Also, LAN attacks are common, inclusive of packet sniffing, masquerade, and address-hijacking. Common attacks in internet protocols include SYN flooding, smurfing, and DDoS attacks. In preventing the attacks, organizations should implement network security measures. The most basic and affordable measure is configuration management of routers, switches, and devices. Also, firewalls and sensors should be implemented, inclusive of application relays, circuit gateways, and IDS. Besides, encryption should be addressed by connecting through HTTPS and implementing WAP in access points instead of WEP.

3.1 Packet Sniffing

Packet sniffing is the process of intercepting data packets and decrypting them to access the original information. If a data packet is captured using a Wireshark, the user can recognize source IP address, destination IP address, packet size, body, and transmission protocol (Anderson, 2008). The packet’s body should always be encrypted into a scrambled text to avoid interpretation of the content. Also, the man-in-the-middle attacker should not know the encryption key to prevent cracking the text (Ventures, 2017). This type of LAN attack is common when the hacker wants to steal authentication details, important emails, messages, or documents.

3.2 Masquerade

The art of masquerading involves the hackers pretending to be known users within a network. The imitation process might take different forms with each targeting a specific action. The most common masquerade act involves changing the computer’s MAC address to evade port security in switches (Acemoglu et al. 2016). Also, masquerading might involve changing a malicious code’s name to imitate known programs in computing to avoid being detected by antivirus. For instance, a key logger might be changed to contain .doc file extension imitating Microsoft word document. Besides, masquerading might involve creating rogue access points near an origination (Anderson, 2008). Whenever the target connects to the rogue access point, the hacker penetrates in their devices.

3.3 Address-hijacking

Address hijacking involves the art of controlling the routing table of the routers or switches. The Border Gateway Protocol (BGP) hijacking takes over a group of addresses within a network that controls their capabilities. The routing table stores the source and destination of each data packet. Taking over the routing table becomes catastrophic attack since the intruder has superior priorities in controlling various subnets (Kang & Kang, 2016). The attacker might re-route the data packets to an unsafe network and read their contents. Also, Address hijacking is used to create a network botnet used in Distributed Denial of Service (DDoS) attack.

4.0 Attacks Using Internet Protocols

The Internet Protocol model has no real authenticity security mechanism in their default state across the four layers. The challenge is common in the TCP/IP protocol layers resulting in vulnerability in many application and network designs. Consequently, the attackers have taken advantage of the weak implementation to derive various attacks.

4.1 Synchronize (SYN) Flooding

Synchronize (SYN) flooding is common in interjecting transmission on packets across the TCP/IP layers, especially if the transmission channel is using TCP protocol. According to Anderson (2008), a packet is sent to another computer requesting a synchronized connection between the devices. After the establishment of connection, the target device is flooded with more records of SYN packets that the software a handle (Terrill et al. 2018). The attack has been common since the 1980s, and they might be used to bring down the systems if precautionary measures are not observed. Prevention of this attacks involves designing an application which denies another connection to allocate memory or perform a lot of computations.

4.2 Smurfing

Smurfing is another form of attack that uses brute force to bring down a system. The attack exploits the Internet Control Message Protocol (ICMP), which sends a data packet to the end-user and echo feedback indicating whether the connection is active (Terrill, 2018). The attack takes advantage of the availability of broadcast addresses shared by devices within a LAN. The attacker uses the broadcast address to create a smurf amplifier. When packets are sent to the smurf amplifier, they are multiplied to swamp the device. This attack was common when attacking Internet Relay Chat (IRC) servers and taking over discussion forums (Farber & Larson, 2017). Read More