Patterns
IP attacks typically follow a set pattern. This pattern can be recognized, and rules created to help thwart it – this pattern is refered to as an attack signature. Signatures may be used to create IDS rules.
Reconnaissance and Discovery
Would-be attackers usually engage in a well-understood sequence of activities, called reconnaissance and discovery.
During the reconaissance phase The attacker may ping sweep or port probe the target. The purpose of this reconnaissance is to find out what is running and what may be vulnerable.
PING sweep
Can identify active hosts on an IP network
Port probe
Detect UDP- and TCP-based services running on a host
The attack
Attacker focuses on the attack itself. A more seasoned attacker may cover their tracks by attempting to modify log files, or terminating any active direct connections.
One method of is a brute force attack that overwhelms a victim.
Denial of Service Attacks
Designed to interrupt or completely disrupt operations of a network device or communications
SYN Flood attack
Uses the three-way TCP handshake process to overload a device on a network
Broadcast amplification attack
Malicious host crafts and sends ICMP Echo Requests to a broadcast address
Distributed Denial of Service Attack (DDOS)
DoS attacks are launched from numerous devices, such as acommand and control botnet.
DDoS attacks consist of four main elements
Attacker
Handler
Agent
Victim
Session Hijacking
The purpose of session hijacking is to impersonate an authenticated user in order to gain access to a system
Once a session is hijacked, the attacker can send packets to the server as the victim.
RFC 2401: The goal of IPSec are to provide the following kinds of security
- Access control
- Connectionless integrity
- Data origin authentication
- Protection against replays
- Confidentiality
- Limited traffic flow confidentiality
RFC 2196: Indicated that the following documents are components of a good security policy
- An access policy document
- An accountability policy document
- A privacy policy document
- A violations reporting policy document
- An authentication policy document
- An information technology system and network maintenance policy document