Troubleshoot Network Security  

 
Sohaib
(@sohaib-ops)
Member Admin

DoS and DDoS:

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks impact system availability by flooding the target system with traffic or requests or by exploiting a system or software flaw.

Ping of Death:

The ping of death attack uses the ping utility to send oversized ICMP packets (larger than 65,536 bytes). The attacker sends a ping of death packet directly to the victim, which overflows the memory buffers on that system and causes it to freeze, crash, or reboot.

ARP Poisoning:

In ARP poisoning, spoofed ARP messages are sent to hosts on an Ethernet LAN that contain false source MAC addresses. By doing this, the ARP tables on each host are updated with incorrect information.

Sniffing:

The process of capturing all network frames being transmitted. The network card must be in promiscuous mode.

Backdoor Access:

A backdoor is an unprotected access method or pathway into a network system.

Posted : 01/03/2020 12:43 am
Sohaib
(@sohaib-ops)
Member Admin

Denial of Service:

A DoS attack depends upon the ability to flood a target system with spurious network traffic to the point that it can no longer process legitimate network requests. Your network can be involved in a DoS attack in two different ways:

• As an amplifier network that is being exploited to attack a target system.
• As the target of the attack itself.

To prevent your network from becoming an amplifier network in this kind of attack, you can cover any vulnerabilities by doing the following:

• Configure your firewall to block OUTBOUND traffic from your network that has a source IP address that isn't on your network. A DoS attack spoofs the source IP address with the address of the victim.
• Block broadcast packets on your network routers. This prevents external ICMP packets from being sent to broadcast addresses.
• If necessary, block all ICMP traffic in your network and host firewalls. This prevents your systems from responding to the ICMP requests used in a DoS attack.

To prevent your network from becoming the victim of a DoS attack, you can:

• Block all inbound ICMP traffic on your network firewall.
• If you need to allow inbound ICMP traffic, enable a committed access rate (CAR) for ICMP traffic on your routers and set it very low. This reduces ICMP traffic significantly. Any ICMP traffic that exceeds the threshold you set is dropped.

Ping of Death:

The ping of death attack uses the ping utility to send oversized ICMP packets (larger than 65,536 bytes). The attacker sends a ping of death packet directly to the victim, which overflows the memory buffers on that system and causes it to freeze, crash, or reboot.

To defend against a ping of death attack, keep all of your operating systems updated.

ARP Poisoning:

In ARP poisoning, spoofed ARP messages are sent to hosts on an Ethernet LAN that contain false source MAC addresses. By doing this, the ARP tables on each host are updated with incorrect information. The attacker's goal is to associate his or her MAC address with the IP address of another legitimate network host.

You can use two strategies to defend against ARP poisoning:

• Statically configure the ARP table on each network host with the correct MAC address and IP address mappings. Most operating systems discard ARP messages received on the network if a static entry already exists in the ARP table for the MAC address in the ARP frames. This strategy is cumbersome to implement and difficult to maintain on a network that changes frequently (such as a wireless network).
• Deploy security software that is designed to monitor each network device's ARP table and compare it against a known good table of MAC address mappings.

Sniffing:

A host on your network with its network card configured to run in promiscuous mode can capture all network frames being transmitted, not just those directly addressed to it. On a switched network, the attacker may conduct a MAC flood attack to expose all network frames to its network interface so they can be captured.

In a MAC flood attack, the network switch is flooded with frames containing spurious MAC addresses, overflowing the switch's CAM table. When this happens, the switch fails over into open mode and begins to function like a hub. This exposes all the frames being transmitted.

You can detect hosts on the network that are running in promiscuous mode using the sniffer-detect script with the NMAP utility. To prevent network device port sniffing, you should use only encrypted protocols on your network.

Backdoor Access:

A backdoor is an unprotected access method or pathway into a network system. Backdoors may include hard-coded passwords and hidden service accounts. Backdoors are sometimes added by engineers during development as a shortcut to circumvent security. Other backdoors may be added by attackers who gain unauthorized access to a system.

If backdoors exist and are not removed, they present a serious security threat. Detecting backdoors can be challenging. You can often use an internet search engine to locate information about vendor backdoors. Backdoors introduced by an attacker are much more difficult to locate. You may need to use a variety of tools to identify them, such as:

• An intrusion detection system
• A security information and event management system

Authentication Strength:

You can strengthen authentication by configuring systems to use multiple authentication factors. There are three categories of authentication factors:

• Type 1: Something you know
• Type 2: Something you have
• Type 3: Something that you are

Using two or more authentication factors creates a more secure system. A configuration that requires a username and password only uses a single authentication factor. A stronger authentication configuration might require the user to provide a username, a password, and a fingerprint. In this configuration, two authentication factors are used. Another way to configure two-factor authentication is to require a username, a password, and then something that the user has, such as a token.

AAA Misconfiguration Issues:

There are several misconfiguration issues that you need to be aware of when managing a network that uses a TACACS or RADIUS server for authentication.

• Each network host needs to be configured to use the AAA server for authentication instead of its own local system by specifying the AAA server's host name or IP address and UDP port numbers. If you're having problems, verify that the IP address information for the AAA server is correct.
• Ensure that the authentication settings you configured on the device match those required by the AAA server.
• Most AAA servers employ the use of a security certificate to secure communications. Verify that the certificate has not expired.
• If the AAA configuration uses a shared secret, that shared secret must be the same on both the host and the AAA server.

Untrusted SSL Certificate:

An untrusted SSL certificate error is displayed when the browser does not trust the company signing the SSL certificate. The message varies according to the browser. Reasons why this may happen include:

• The website is self-signing the certificate.
• The website is using a free SSL certificate.
• The site is using a trusted certificate, but it is missing an intermediate certificate. To fix this problem, you can install the missing intermediate certificate on the web server.

Posted : 01/03/2020 12:48 am
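The second ARP poisoning defence in the post above (monitor each host's ARP table and compare it against a known-good table) can be scripted in a few lines. The following is an added example, not code from the original post: it parses a constructed sample of Linux `ip neigh show` output, compares it against an assumed known-good IP-to-MAC table, and flags both mismatches and the classic poisoning signature of one MAC address answering for several IP addresses. The known-good table, the interface name and the attacker MAC are invented for illustration.

```python
"""Compare a host's current ARP cache against a known-good IP->MAC table.

Added example (not from the original post). SAMPLE_NEIGH is a constructed
sample of `ip neigh show` output; KNOWN_GOOD and the attacker MAC are assumed.
"""
import re
from typing import Dict, List

# Known-good mapping, e.g. exported from DHCP leases or a switch inventory (assumed values).
KNOWN_GOOD = {
    "192.168.1.1":  "00:11:22:33:44:01",   # default gateway
    "192.168.1.10": "00:11:22:33:44:0a",   # file server
    "192.168.1.20": "00:11:22:33:44:14",   # printer
}

# Constructed sample of `ip neigh show` after a poisoning attack: the gateway's IP
# now resolves to the same MAC as 192.168.1.99 (the attacker's host).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.99 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.50 dev eth0 FAILED
"""

_LINE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})\s")


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """Return {ip: mac} for resolved entries; lines without an lladdr are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_arp(current: Dict[str, str], known_good: Dict[str, str]) -> List[str]:
    """Flag entries that contradict the known-good table and MACs claiming several IPs."""
    alerts: List[str] = []
    for ip, mac in current.items():
        expected = known_good.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"MISMATCH {ip}: expected {expected}, cache has {mac}")
    # One MAC bound to multiple IPs is the usual sign that a host is answering for others.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"DUPLICATE {mac} claims {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in check_arp(parse_ip_neigh(SAMPLE_NEIGH), KNOWN_GOOD):
        print(alert)
```

Run this from cron against the live `ip neigh show` output (or `arp -a` on Windows, which needs a different regex) and ship the alerts to your SIEM; a static entry that silently changes, or a gateway MAC that suddenly matches a workstation, is the event you want to see.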
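The two DoS controls in the post above, an outbound filter that drops packets whose source address is not one of the network's own (so the network cannot be used as an amplifier against a spoofed victim) and a low committed access rate for ICMP, can be modelled end to end to check that a policy does what you expect. This is an added example, not code from the original post: the local prefix, the packet records and the rate limit are constructed values, and the rate limiter is a plain token bucket standing in for a router's CAR feature.

```python
"""Simulate an anti-spoofing egress filter plus an ICMP rate limit.

Added example, not from the original post. LOCAL_PREFIXES, SAMPLE traffic and
the limiter parameters are constructed values for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: the prefix we own


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    proto: str     # "icmp", "tcp" or "udp"


def egress_allowed(pkt: Packet, prefixes=LOCAL_PREFIXES) -> bool:
    """Outbound packets must carry one of our own source addresses (BCP 38 style check)."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)


class IcmpRateLimiter:
    """Token bucket: at most `rate` ICMP packets per second, bursting up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "icmp":
            return True                       # only ICMP is policed
        self.tokens = min(self.burst, self.tokens + (pkt.ts - self.last) * self.rate)
        self.last = pkt.ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_outbound(packets: List[Packet], limiter: IcmpRateLimiter) -> Tuple[List[Packet], List[str]]:
    """Apply the spoof check first, then the ICMP rate limit; return (passed, drop reasons)."""
    passed, dropped = [], []
    for p in packets:
        if not egress_allowed(p):
            dropped.append(f"{p.ts:.2f} spoofed source {p.src} -> {p.dst}")
        elif not limiter.allow(p):
            dropped.append(f"{p.ts:.2f} ICMP over rate {p.src} -> {p.dst}")
        else:
            passed.append(p)
    return passed, dropped


# Constructed traffic: one legitimate TCP packet, five ICMP replies carrying a spoofed
# victim source (the amplifier pattern), then a 10-packet ICMP burst from a local host.
SAMPLE = (
    [Packet(0.0, "192.0.2.10", "198.51.100.5", "tcp")]
    + [Packet(0.1 * i, "203.0.113.7", "198.51.100.5", "icmp") for i in range(5)]
    + [Packet(1.0 + 0.01 * i, "192.0.2.10", "198.51.100.5", "icmp") for i in range(10)]
)


def run_sample() -> Tuple[List[Packet], List[str]]:
    """Run SAMPLE through a 2 pkt/s limiter with a burst of 3."""
    return filter_outbound(SAMPLE, IcmpRateLimiter(rate=2.0, burst=3))


if __name__ == "__main__":
    passed, dropped = run_sample()
    print(f"passed {len(passed)}, dropped {len(dropped)}")
    for reason in dropped:
        print("  drop:", reason)
```

Of the 16 constructed packets, the TCP packet and the first three local ICMP packets pass; the five spoofed packets are dropped by the source check and the remaining seven local ICMP packets exceed the rate. The order of the two checks matters: spoofed traffic is rejected before it can consume the ICMP budget that legitimate hosts need.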
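The "username, password, and then something that the user has, such as a token" configuration in the post above is most often a time-based one-time password. The following is an added example, not code from the original post: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, then checks both factors for a constructed user record whose token secret is the RFC 6238 test-vector key, so the codes can be confirmed against the published vectors. The user name, password and salt are assumptions for illustration.

```python
"""Two-factor check: a password (something you know) plus a TOTP code (something you have).

Added example, not from the original post. USERS, the password and _SALT are constructed;
the token secret is the RFC 6238 test-vector key so the codes match the published table.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(now) // step, digits)


# A real deployment stores a per-user random salt; the fixed salt here only keeps the
# example self-contained.
_SALT = b"example-salt"


def _hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple"),   # constructed
        "totp_secret": b"12345678901234567890",                       # RFC 6238 test key
    }
}


def authenticate(username: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors must verify. Comparisons are constant-time; one step of clock skew is tolerated."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(_hash_password(password), user["pw_hash"]):
        return False
    now = time.time() if now is None else now
    step = int(now) // 30
    for window in (step - 1, step, step + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], window), code):
            return True
    return False


if __name__ == "__main__":
    print("code at t=59:", totp(b"12345678901234567890", 59, digits=8))   # RFC vector 94287082
    print(authenticate("alice", "correct horse battery staple", "287082", now=59))
```

Note that the password is checked first and the function returns only after both factors pass; a single-factor login is exactly the username-and-password-only configuration the post describes as weaker. Production code would also persist the last accepted counter so a code cannot be replayed within its window.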