A handful of network attacks that can compromise your network nodes
TCP SYN attack: This attack begins like a normal TCP connection, in which the client and server exchange information in TCP packets. A client sends an ACK packet to the server requesting a connection. The server responds with a packet acknowledging the connection, and then data transmission may continue as normal. In this attack, however, the client continually sends ACK packets but never opens a session with the server. This causes the server to hold all of these sessions open, which uses up resources and stops others from accessing resources on the server machine.
This attack is virtually unstoppable. The only way to combat it is to set a limit on how long an initial session may remain incomplete, forcing sessions that have not completed to close out. This attack may be carried out from a spoofed, invalid IP address and it will still succeed, because TCP will respond to any valid request made from the IP layer.
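The timeout mitigation described above, as an added example that is not part of the original article: a small tracker that records each half-open handshake (the server has answered a SYN with SYN-ACK and is waiting for the client's final ACK), expires entries that stay incomplete past a limit, and alerts when one source holds too many. The record format, the timeout and the per-source limit are assumptions.

```python
"""Half-open (embryonic) TCP connection tracker.
Constructed example for the SYN flood discussion; not code from the page.
Each record is (timestamp, src_ip, src_port, flags) as a sniffer or firewall
log might produce for packets arriving at one listening port on the server.
"""
HALF_OPEN_TIMEOUT = 5.0   # seconds an unanswered handshake may stay pending (assumed)
PER_SOURCE_LIMIT = 3      # pending handshakes one source may hold at once (assumed)

class HalfOpenTracker:
    def __init__(self, timeout=HALF_OPEN_TIMEOUT, limit=PER_SOURCE_LIMIT):
        self.timeout, self.limit = timeout, limit
        self.pending = {}   # (src_ip, src_port) -> time the SYN arrived
        self.completed = 0  # handshakes finished by the client's final ACK
        self.expired = 0    # handshakes dropped because they timed out

    def _expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
        self.expired += len(stale)

    def per_source(self, src_ip):
        return sum(1 for ip, _ in self.pending if ip == src_ip)

    def observe(self, ts, src_ip, src_port, flags):
        """Feed one packet; return an alert string, or None if nothing is wrong."""
        self._expire(ts)
        key = (src_ip, src_port)
        if flags == "S":                 # SYN: server answers SYN-ACK and waits
            self.pending[key] = ts
        elif flags == "A" and key in self.pending:   # final ACK completes it
            del self.pending[key]
            self.completed += 1
        held = self.per_source(src_ip)
        if held > self.limit:
            return f"{src_ip} holds {held} half-open connections"
        return None

# Constructed log: one client completes its handshake, one source sends SYNs
# from many ports and never answers, a later client arrives after the timeout.
SAMPLE = [
    (0.0, "10.0.0.5", 40001, "S"), (0.1, "10.0.0.5", 40001, "A"),
    (1.0, "198.51.100.9", 1001, "S"), (1.1, "198.51.100.9", 1002, "S"),
    (1.2, "198.51.100.9", 1003, "S"), (1.3, "198.51.100.9", 1004, "S"),
    (9.0, "10.0.0.6", 40002, "S"), (9.1, "10.0.0.6", 40002, "A"),
]

def run(records, tracker=None):
    tracker = tracker or HalfOpenTracker()
    alerts = [a for a in (tracker.observe(*r) for r in records) if a]
    return tracker, alerts
```

Running `run(SAMPLE)` yields one alert for the source that never completes its handshakes, and its four stale entries are expired before the last legitimate client is processed.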
TCP sequence number attack: TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. The attack succeeds when the attacker kicks the attacked end node off the network for the duration of the attack. Each time a TCP message is sent, either the client or the server generates a sequence number. In this attack, the attacker intercepts the traffic and then responds with a sequence number similar to the one used in the original session. This can either disrupt or hijack a valid session. If a valid sequence number is guessed, the attacker can place their system between the client and the server, which gives them access to the system privileges of the target system.
TCP/IP Hijacking: TCP/IP hijacking, also called active sniffing, involves an attacker gaining access to a host on a network and then logically disconnecting it from the network. The attacker may then insert their own machine in its place without anyone noticing the change. The network server will not know this has happened and will respond to requests from the machine as if it were the original trusted machine. This is not an easy attack to counter, but secure management of your network, together with monitoring, would go a long way towards countering this threat.
UDP attacks: A UDP attack uses either the maintenance protocol or a UDP service to overload network services and create a DoS situation. UDP packets are not connection oriented, so they are susceptible to interception by third parties, and this may allow attacks on the UDP layer. UDP, like TCP, does not check the validity of IP addresses; the IP layer is trusted with that task. The most common UDP attacks involve UDP flooding, which overloads services, networks and servers. Large streams of UDP packets are focused at a target, causing the UDP services on the host to shut down. UDP floods also overload the network bandwidth, and this is how a Denial of Service situation may occur.
ICMP attacks: ICMP attacks are carried out by triggering a response from ICMP to a seemingly innocuous maintenance request.
The ICMP protocol supports maintenance and reporting on a network. It is in everyday use: anyone who has run the ping command on Windows or Linux has used ICMP. Two attack types are used to attack a network with ICMP: Smurf attacks and ICMP tunneling.
Smurf attacks: Smurf attacks can create much havoc on a network. They use IP spoofing and broadcasting to send a ping request to a group of hosts on a network. The ICMP ping request is answered if the target system is up; otherwise an unreachable message is returned. If the broadcast is sent to the whole network, all of the hosts will answer the ping, and this can overload the network due to the volume of data being transferred.
ICMP tunneling: ICMP messages may contain data about timing and routes. If a packet is crafted so that its contents differ from the intended content, it can be used as a communications channel between two systems. This could be used to carry a trojan horse or other types of malicious packets. This is another way to cause havoc on a network.
The solution to this is to deny ICMP traffic on your network. This would protect against this type of attack.
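Where ICMP cannot be denied outright, the tunneling passage above suggests a detection angle; the following is an added example, not code from the article. Ordinary ping tools fill the echo payload with a fixed filler (Windows sends the 32-byte alphabet string; iputils ping on Linux puts a timestamp first and then bytes whose value equals their offset), so a payload that matches neither pattern, is oversized, or is high-entropy is worth inspecting. The length and entropy thresholds are assumptions.

```python
"""Flag ICMP echo payloads that do not look like an ordinary ping.
Added example for the ICMP tunneling discussion; not code from the page.
Common ping tools fill the echo payload with a fixed filler, so a payload
that is off-pattern, oversized or high-entropy deserves a closer look.
"""
import math

WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte payload sent by Windows ping

def is_linux_filler(payload: bytes) -> bool:
    """iputils ping: a timestamp prefix (8 or 16 bytes), then each byte equals its offset."""
    for prefix in (8, 16):
        body = payload[prefix:]
        if body and all(b == (prefix + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; filler text scores low, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Thresholds are assumptions; tune them against pings seen on your own network.
MAX_NORMAL_LEN = 64
ENTROPY_THRESHOLD = 5.0

def classify_echo(payload: bytes) -> str:
    if payload == WINDOWS_FILLER or is_linux_filler(payload):
        return "normal"
    reasons = []
    if len(payload) > MAX_NORMAL_LEN:
        reasons.append("oversized")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return "suspicious:" + ",".join(reasons or ["unknown-filler"])

# Constructed payloads: a default Linux ping, and a stand-in for tunnelled data.
LINUX_PING = bytes(16) + bytes(range(16, 56))
TUNNELLED = bytes((i * 37 + 11) % 256 for i in range(128))
```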
Port scanning: Port scanning, as the name implies, is the act of scanning for open ports on a network. An attacker could then use an open port to launch an attack. A properly configured firewall with sane rules will prevent this from affecting your network. Do not leave ports open unless they are absolutely required for the network to connect to the outside world. Requiring a VPN connection before network resources can be accessed is one way to avoid this, as only the VPN port will be visible, and it will not be accessible without the keys.
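A firewall that denies everything not explicitly required also produces deny logs, and a sweep across closed ports stands out in them. The following is an added example, not code from the article: it parses a constructed deny-log format and flags any source that probes several distinct blocked ports within a short window, while ignoring a host that merely retries one port. The log format, window and threshold are assumptions.

```python
"""Detect port sweeps in firewall deny logs.
Added example for the port scanning discussion; not the page's code.
The log format below is constructed; adapt the regex to your firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
WINDOW_SECONDS = 60    # assumed: how far back to look per source
DISTINCT_PORTS = 5     # assumed: distinct blocked ports that count as a sweep

def parse(line):
    """Return (timestamp, src, dport) or None for lines that are not denies."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]).timestamp(), m["src"], int(m["dport"])

def find_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_PORTS):
    """Map each source that probed >= threshold distinct ports within one window to those ports."""
    recent = defaultdict(deque)   # src -> (ts, dport) pairs inside the window
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ts, src, dport = rec
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:       # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in flagged:
            flagged[src] = sorted(ports)
    return flagged

# Constructed log: one source walks five ports in seconds; another retries
# a single blocked port, which is noise rather than a scan.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY src=198.51.100.9 dst=10.0.0.2 dport=21 proto=tcp
2024-03-01T10:00:01 DENY src=198.51.100.9 dst=10.0.0.2 dport=22 proto=tcp
2024-03-01T10:00:01 DENY src=10.0.0.7 dst=10.0.0.2 dport=445 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.9 dst=10.0.0.2 dport=23 proto=tcp
2024-03-01T10:00:02 DENY src=198.51.100.9 dst=10.0.0.2 dport=25 proto=tcp
2024-03-01T10:00:03 DENY src=198.51.100.9 dst=10.0.0.2 dport=80 proto=tcp
2024-03-01T10:05:00 DENY src=10.0.0.7 dst=10.0.0.2 dport=445 proto=tcp
2024-03-01T10:30:00 ALLOW src=203.0.113.4 dst=10.0.0.2 dport=443 proto=tcp
""".splitlines()
```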
Malicious E-Mail attachments: Malicious E-Mail attachments are usually trojan horses or viruses that are executed when a user clicks on an attachment in an E-Mail message. The solution is software that scans attachments for malicious code before the user is allowed to access them, together with educating users on how to deal with suspicious messages.