Tue. Jan 24th, 2023

Active threats

These include:

Denial of service attacks – these send repeated requests to a server very rapidly with the aim of stopping the server from responding. Firewalls can easily detect and block repeated traffic from an individual location. However, by escalating to a DDos (Distributed DoS), it becomes not only more powerful – you now use thousands of computers from different locations to attack the server – it also becomes more difficult for the firewall to detect, as the heavy traffic is coming from many locations.

Spoofing is the practise of faking your IP address or MAC address using software tools in order to circumvent network restrictions. These restrictions could be geographical (in the same way Netflix only allows certain titles to be viewed in selected countries), or it could be device management, where only certain devices are allowed to access network resources. Listening in on WiFi communication could enable an attacker to collect data, depending on the level of security applied to the connection.

Man in the middle attacks are directed at HTTPS connections. Usually, the communication between client and server is encrypted, and therefore no outside agent can view the contents. Any attempt to alter the data, or intercept it, will render it useless, as the attacker won’t possess the SSL decryption key. However, in a MITM attack, the attacker sets up a phoney server which connects both to the client, and the server. This malicious server creates a secure connection with the client using one SSL certificate, and then a secure connection the the desired server, using another SSL certificate. The machine in the middle is now able to accept and decode incoming data from either the client or the server. The only sign of an attack like this is the issuance of the security certificate will not appear as expected (e.g. wrong company name). Attacks like these can obviously intercept and steal confidential information, like credentials, bank information and any other communication.

Address Resolution Protocol Poisoning (ARP) – the protocol used by DNS servers to resolve a URL to an IP address. This means that, for example, www.bbc.co.uk could have its entry altered (poisoned) to point to an IP address which is not part of the BBC. Users would only know if there were significant differences in the content, or if the check the issuance of the SSL certificate if on an HTTPS connection.

Buffer overflow attacks rely on submitting data to network-connected services. A buffer is an area of memory set aside for data to be stored in once it arrives. These buffers have a fixed length, and theoretically it should be impossible to exceed this. However, if the software that processes the received data contains bugs, the contents of the data can be maliciously manipulated in order to force the host machine to write data beyond the intended limits. If an attacker knows the memory layout of the software in question, they can intentionally overwrite instructions in the software (the version held in memory), giving the ability to execute arbitrary code on the target device. This method has been used to jailbreak iPhones, attack Windows PCs and Servers, and gain access into top-secret facilities or confidential networks.