A cyber attack is any kind of offensive action that targets computer systems, infrastructure, networks or personal devices, using various methods to steal, modify or destroy data or computer systems.
Today, we will describe the 10 most common types of cyberattacks:
1. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
A denial of service attack overwhelms a system’s resources so that the system cannot respond to service requests. A DDoS attack also targets the resources of a system, but it is launched from a large number of other host machines infected with attacker-controlled malware.
Unlike attacks designed to gain or facilitate access, denial of service does not provide a direct benefit to the attacker. For some attackers, denial of service is an end in itself. However, if the attacked resource belongs to a competitor, the advantage for the attacker is very real. A DoS attack may also aim to take a system offline in order to launch another type of attack. A common example of this technique is session hijacking, which I will describe later.
There are different types of DoS and DDoS attacks; the most common are SYN flood attacks, teardrop attacks, Smurf (bounce) attacks, ping of death and botnets.
TCP SYN flood attack
An attacker exploits the use of buffer space during the TCP session initialization handshake. The attacker’s machine floods the target system’s small in-process connection queue with connection requests, but does not respond when the target system replies to them. The target system then waits for the attacker’s machine to respond until the request times out; as the connection queue fills, the system crashes or becomes unusable.
There are some countermeasures against SYN flood attacks:
- Place the servers behind a firewall configured to block incoming SYN packets.
- Increase the size of the connection queue and decrease the timeout for open connections.
Teardrop attack
This attack causes the fragment length and fragment offset fields of sequential Internet Protocol (IP) packets to overlap at the attacked host; the attacked system attempts to reassemble the packets but fails. The target system becomes confused and crashes.
If no patches are available to protect against this DoS attack, disable SMBv2 and block ports 139 and 445.
Smurf (bounce) attack
This attack involves spoofing an IP address and using ICMP to saturate a target network with traffic. The attack method uses ICMP echo requests aimed at broadcast IP addresses, and these requests come from a spoofed source address. For example, if the chosen victim’s address is 10.0.0.10, the attacker sends an ICMP echo request with source 10.0.0.10 to the broadcast address 10.255.255.255. The request is delivered to every IP address in the range, and all the replies are returned to 10.0.0.10, overwhelming the network. The process is repeatable and can be automated to generate significant congestion on the network.
To protect your devices from this type of attack, disable IP-directed broadcasts on routers. This blocks ICMP echo requests to broadcast addresses at the network devices. Another option is to configure endpoints so that they do not respond to ICMP packets sent to broadcast addresses.
Ping of death
This type of attack pings a target system with IP packets larger than the maximum of 65,535 bytes. IP packets of this size are not allowed, so the hacker fragments them. When the target system reassembles packets, it may experience buffer overflows and other crashes.
Ping of death attacks can be blocked using a firewall that checks the maximum size of fragmented IP packets.
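The two fragmentation checks described above (overlapping fragments for teardrop, a reassembled datagram over 65,535 bytes for ping of death) as one firewall-style validator. This is an added example, not code from the article; the `Fragment` class and the sample fragment sets are constructed for it.

```python
# Added example: validate the fragments of one IPv4 datagram before reassembly.
# IPv4 fragment offsets are expressed in 8-byte units; lengths here are in bytes.
from dataclasses import dataclass
from typing import List

IP_MAX_DATAGRAM = 65535  # maximum IPv4 datagram size, header included


@dataclass
class Fragment:
    offset_units: int      # value of the IP fragment-offset field (8-byte units)
    payload_len: int       # bytes of data carried by this fragment
    more_fragments: bool   # MF flag (True on every fragment except the last)


def check_fragments(fragments: List[Fragment], header_len: int = 20) -> str:
    """Return 'ok', 'teardrop' or 'ping_of_death' for one datagram's fragments."""
    frags = sorted(fragments, key=lambda f: f.offset_units)
    end_of_previous = 0  # byte offset just past the previous fragment's data
    for f in frags:
        start = f.offset_units * 8
        end = start + f.payload_len
        # Teardrop: this fragment starts inside the data of the previous one.
        # (Exact duplicates from retransmission also trip this; a real
        # reassembler de-duplicates identical fragments first.)
        if start < end_of_previous:
            return "teardrop"
        # Ping of death: reassembled datagram would exceed 65,535 bytes.
        if header_len + end > IP_MAX_DATAGRAM:
            return "ping_of_death"
        end_of_previous = end
    return "ok"


# Constructed sample fragment sets for the three cases.
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 1000, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(3, 4, False)]          # second starts at byte 24
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8189, 100, False)]  # ends at byte 65612
```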
Botnets
Botnets are networks of millions of systems infected with malicious software and controlled by hackers to perform DDoS attacks. These botnets are used to attack target systems, often overwhelming their bandwidth and processing capacity. Such DDoS attacks are hard to trace because the bots are scattered across different geographical locations.
Botnets can be mitigated by:
- RFC3704 filtering, which blocks traffic from spoofed addresses and helps ensure traceability of traffic to its real source network. For example, RFC3704 filtering removes packets from addresses in the Bogon list.
- Black hole filtering, which drops unwanted traffic before it enters a protected network. When a DDoS attack is detected, the Border Gateway Protocol (BGP) host should send routing updates to the ISP’s routers so that they route all traffic destined for the victim servers to a null0 interface at the next hop.
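The RFC 3704 ingress filter described in the first bullet, as an added example that is not part of the article: a packet arriving on a customer-facing interface is dropped if its source address is in the bogon list, or if it does not belong to a prefix assigned to that interface (the strict reverse-path check RFC 3704 describes). The interface names, the assigned prefixes and the bogon list are constructed for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real provider-assigned space.

```python
# Added example: RFC 3704 style ingress filtering with a bogon list and a
# per-interface strict reverse-path check. Data is constructed for the example.
import ipaddress
from typing import Dict, List

# Partial bogon list: reserved space that must never appear as a source
# address on the public Internet. (The documentation ranges are omitted
# here because they play the role of assigned customer prefixes below.)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: prefixes the provider has routed to each customer interface.
INTERFACE_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25")],
}


def ingress_verdict(iface: str, src: str) -> str:
    """Return 'bogon', 'spoofed' or 'accept' for a packet with source src seen on iface."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    # Strict reverse-path check: the source must be reachable back out the
    # same interface, i.e. lie within a prefix assigned to that interface.
    if not any(addr in net for net in INTERFACE_PREFIXES.get(iface, [])):
        return "spoofed"
    return "accept"


def filter_packets(packets: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally verdicts for a list of constructed {'iface': ..., 'src': ...} records."""
    counts = {"accept": 0, "bogon": 0, "spoofed": 0}
    for p in packets:
        counts[ingress_verdict(p["iface"], p["src"])] += 1
    return counts
```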
2. Man-in-the-middle (MitM) attack
A man-in-the-middle attack is one in which a hacker inserts himself into the communications between a client and a server. Here are some common types of man-in-the-middle attacks:
Session hijacking
In this type of MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for that of the trusted client while the server continues the session, believing it is communicating with the client. For example, the attack could proceed as follows:
- A client connects to a server.
- The attacker’s computer takes control of the client.
- The attacker’s computer disconnects the client from the server.
- The attacker’s computer replaces the client’s IP address with its own IP address and domain name and spoofs the client’s sequence numbers.
- The attacker’s computer continues the dialogue with the server, and the server believes it is still communicating with the client.
IP spoofing
An attacker can use IP address spoofing to convince a system that it is communicating with a known and trusted entity, in order to gain access to the system. The attacker sends the target host a packet whose source IP address is that of a known, trusted host rather than its own. The target host may accept the packet and act accordingly.
Replay
A replay attack occurs when an attacker intercepts and records old messages, and then attempts to resend them, posing as one of the participants. This type of attack can easily be countered with a session timestamp or a nonce (a random number or string that varies with time).
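The nonce-plus-timestamp countermeasure described above, as an added example that is not part of the article: the sender attaches a fresh nonce and a timestamp to each message and covers all three with an HMAC under a key shared with the legitimate peer; the receiver rejects messages whose MAC fails, whose timestamp is outside the freshness window, or whose nonce it has already accepted. The shared key, the payloads and the clock values are constructed for the example.

```python
# Added example: replay protection with a per-message nonce, a timestamp and
# an HMAC over both plus the payload. Key and clock values are constructed.
import hashlib
import hmac
import os
from typing import Dict, Set

SHARED_KEY = b"constructed-shared-secret"  # would be negotiated per session in practice
MAX_SKEW = 30  # seconds: how far a message's timestamp may lag the receiver's clock


def _mac(key: bytes, nonce: str, ts: str, payload: bytes) -> str:
    return hmac.new(key, f"{nonce}|{ts}|".encode() + payload, hashlib.sha256).hexdigest()


def build_message(payload: bytes, now: float, key: bytes = SHARED_KEY) -> Dict[str, str]:
    """Sender side: attach a random nonce and the current time, then MAC everything."""
    nonce = os.urandom(16).hex()
    ts = str(int(now))
    return {"nonce": nonce, "ts": ts, "payload": payload.hex(), "tag": _mac(key, nonce, ts, payload)}


class ReplayGuard:
    """Receiver side: accept each authentic nonce once, reject stale timestamps."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen: Set[str] = set()  # nonces older than MAX_SKEW could be pruned

    def accept(self, msg: Dict[str, str], now: float) -> str:
        payload = bytes.fromhex(msg["payload"])
        expected = _mac(self.key, msg["nonce"], msg["ts"], payload)
        # Check the MAC first: nonce and timestamp of a forged message mean nothing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad_mac"
        if abs(now - int(msg["ts"])) > MAX_SKEW:
            return "stale"    # recorded earlier and resent outside the window
        if msg["nonce"] in self.seen:
            return "replay"   # identical message delivered a second time
        self.seen.add(msg["nonce"])
        return "ok"
```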
There is currently no single technology or configuration that prevents all man-in-the-middle attacks. In general, encryption and digital certificates offer effective protection against attacks of this type, ensuring both the confidentiality and the integrity of communications. But a man-in-the-middle attack can be injected into the heart of the communications so that the encryption is of no help. For example, the attacker “A” intercepts the public key of person “P” and replaces it with his own public key. Subsequently, anyone wishing to send an encrypted message to P using P’s public key unknowingly uses A’s public key instead. A can read the message intended for P, then forward it to P encrypted with P’s real public key, and P will never notice that the message has been compromised. Moreover, A can modify the message before transmitting it to P. P, relying on encryption, believes that his information is protected, but it is not, because of the man-in-the-middle attack.
Given this, how can you make sure that P’s public key really belongs to P and not to A? Certificate Authorities and hash functions were created to address this problem. If a person P2 wants to send a message to P, and P wants to be sure that A will neither read nor modify the message and that the message really comes from P2, the following method must be used:
- P2 creates a symmetric key and encrypts it with P’s public key.
- P2 sends the encrypted symmetric key to P.
- P2 computes a hash of the message and signs it digitally.
- P2 encrypts the message and the signed hash with the symmetric key and sends them to P.
- P is able to recover P2’s symmetric key because he is the only one holding the private key needed to decrypt it.
- Only P can decrypt the symmetrically encrypted message and signed hash, because only P has the symmetric key.
- P can verify that the message has not been altered, because he can compute the hash of the received message and compare it with the digitally signed hash.
- P can also prove to himself that P2 is the sender, because only P2 can produce a signature on the hash that verifies with P2’s public key.
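The procedure above carried out in code, as an added example that is not from the article. It assumes the `cryptography` package: P2 wraps a fresh AES key with P’s RSA public key (OAEP), signs the message with P2’s private key (RSA-PSS over SHA-256, so the hash is computed inside the signing step), and encrypts message plus signature under the AES key (GCM); P unwraps the key, decrypts, and verifies the signature. Keys are generated inline for the example, and the attacker key in `impostor_rejected` is constructed to show why A cannot pass P2’s signature check.

```python
# Added example of the hybrid encrypt-and-sign method; assumes the
# `cryptography` package. Keys and messages are generated for the example.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def p2_send(message: bytes, p2_private, p_public):
    sym_key = AESGCM.generate_key(bit_length=256)               # fresh symmetric key
    wrapped_key = p_public.encrypt(sym_key, OAEP)                 # encrypted for P only
    signature = p2_private.sign(message, PSS, hashes.SHA256())    # signed SHA-256 hash
    nonce = os.urandom(12)
    body = len(signature).to_bytes(2, "big") + signature + message
    ciphertext = AESGCM(sym_key).encrypt(nonce, body, None)       # message + signed hash
    return wrapped_key, nonce, ciphertext


def p_receive(bundle, p_private, p2_public) -> bytes:
    wrapped_key, nonce, ciphertext = bundle
    sym_key = p_private.decrypt(wrapped_key, OAEP)                # only P holds this key
    body = AESGCM(sym_key).decrypt(nonce, ciphertext, None)
    sig_len = int.from_bytes(body[:2], "big")
    signature, message = body[2:2 + sig_len], body[2 + sig_len:]
    p2_public.verify(signature, message, PSS, hashes.SHA256())    # raises if not P2's
    return message


def _keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def demo() -> bytes:
    p_key, p2_key = _keypair(), _keypair()
    bundle = p2_send(b"meet at noon", p2_key, p_key.public_key())
    return p_receive(bundle, p_key, p2_key.public_key())


def impostor_rejected() -> bool:
    """Attacker A can wrap a key for P, but cannot forge P2's signature."""
    p_key, p2_key, a_key = _keypair(), _keypair(), _keypair()
    bundle = p2_send(b"meet at noon", a_key, p_key.public_key())  # A signs, not P2
    try:
        p_receive(bundle, p_key, p2_key.public_key())
    except InvalidSignature:
        return True
    return False
```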
3. Phishing and spear phishing attacks
Phishing is the sending of emails that appear to come from trusted sources, with the aim of obtaining personal information or influencing users into doing something. It combines social engineering and technical trickery. It may involve an email attachment that loads malware onto your computer, or a link to an illegitimate website that tricks you into downloading malware or handing over your personal information.
Spear phishing is a very targeted form of phishing. Attackers take the time to research their targets and create personal, relevant messages. For this reason, spear phishing can be very difficult to identify and even more difficult to defend against. One of the easiest ways for a hacker to carry out a spear phishing attack is to spoof an email address, that is, to falsify the “From” field of an email so that the message appears to have been sent by someone you know, for example your supervisor or a partner company. Another technique scammers use to add credibility to their story is website cloning:
To reduce the risk of being a victim of phishing, you can use the following techniques:
- Critical thinking – Do not take an email at face value simply because you are busy or stressed or have 150 other unread messages in your inbox. Take a break and analyze the email.
- Hover over links – Move your mouse cursor over links, without clicking, just to see where they would take you. Be critical in deciphering the URL.
- Analyze email headers – Email headers show how an email reached your address. The “Reply-To” and “Return-Path” headers should lead to the same domain as the one stated in the email.
- Sandboxing – You can test the contents of an email in a sandbox environment, recording the activity that follows opening the attachment or clicking the links in the email.
4. Drive-by download attack
Drive-by download attacks are a common method of spreading malware. Hackers look for insecure websites and plant a malicious script in the HTTP or PHP code of one of the pages. This script can install malware directly on a visitor’s computer, or redirect the visitor to a site controlled by the hackers. Drive-by downloads can occur when visiting a website or viewing an email or pop-up window. Unlike many other types of attack, a drive-by download does not require the user to actively trigger anything: there is no need to click a download button or open a malicious attachment to be infected.
To protect against drive-by downloads, keep your browsers and operating systems up to date and avoid websites that may contain malicious code. Stick to the sites you usually use, keeping in mind that even these can be compromised. Do not keep too many unnecessary programs and applications on your machine: the more plug-ins you have, the more vulnerabilities there are for drive-by downloads to exploit.
5. Password Attack
Since passwords are the most commonly used mechanism for authenticating users of a computer system, obtaining passwords is a common and effective attack approach. A person’s password can be obtained by searching the person’s physical desk, sniffing the network connection to capture unencrypted passwords, using social engineering, gaining access to a password database, or simply guessing. The last approach, guessing, can be random or systematic:
- Brute force attacks take a random approach: try different passwords in the hope that one of them works. Some logic can be applied: try passwords related to the person’s name, job title, hobbies or similar items.
- In a dictionary attack, a dictionary of common passwords is used to try to gain access to a user’s computer and network. One approach is to copy an encrypted file containing the passwords, apply the same encryption to a dictionary of commonly used passwords, and compare the results.
To protect yourself from dictionary or brute force attacks, implement an account lockout policy that locks an account after a few unsuccessful password attempts. Good account lockout practices allow you to do this properly.