Module 5

Packet sniffing is the interception of data packets traveling across a network to analyze their contents, often performed by anyone with access to a router. It poses privacy risks as ISPs and government agencies can monitor user activities, while tools like Wireshark are used for detection. Preventative measures include encrypting data and using secure protocols to protect against unauthorized access.

Uploaded by

manavp.p5050

What is packet sniffing?

Packet sniffers intercept packets of data flowing across a computer network in order to view their contents. This act is called packet sniffing.

How does it work?

Web pages and emails are not sent through the internet as one document;
rather, the sending side (your computer) breaks them down into many little data
packets. These packets are then addressed to an IP address at the receiving
end, which has to send back an acknowledgment of each packet it receives.

These packets are not transferred from the sender to the receiver through a single direct connection. Instead, as each packet traverses the internet en route to its destination, it passes through a number of traffic control devices such as routers and switches. Each time a packet passes through one of these traffic control devices, it is susceptible to capture and analysis.
Who can sniff packets?

Anyone who has access to a router can perform packet collection and subsequent analysis. Since internet users generally have no idea how their traffic is being routed, it’s not really possible to know who may be observing that traffic.

ISPs use packet sniffing to track all your activities, such as:

- who the receiver of your email is
- what the content of that email is
- what you download
- sites you visit
- what you looked at on that website
- downloads from a site
- streaming events like video, audio, etc.

Advertising agencies or internet advertising agencies are paid according to:

- the number of ads shown by them
- the number of clicks on their ads, also called PPC (pay per click)

Government agencies use packet sniffing to:

- ensure the security of data over the network
- track an organisation’s unencrypted data

Wireshark and SmartSniff are examples of packet sniffing tools.


How to prevent packet sniffing

One way to protect your network traffic from being sniffed is to encrypt it using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Encryption does not prevent packet sniffers from seeing source and destination
information, but it does encrypt the data packet’s payload so that all that the sniffer
sees is encrypted content.

Any attempt to modify or inject data into the packets will likely fail since messing
with encrypted data causes errors that will be evident when the encrypted
information is decrypted at the other end.
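What a passive observer actually sees once the payload is protected by TLS, as an added Python example that is not from the original module: it builds two constructed IPv4/TCP packets (one carrying a plaintext HTTP request, one carrying a TLS application-data record whose ciphertext bytes are made up for the demo), then parses them the way a sniffer would. The addresses, ports and bytes are assumptions for illustration; the checksums are left at zero because nothing is transmitted.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample packets (not captured traffic): addresses, ports and the
# "ciphertext" bytes below are made up for illustration. Checksums stay zero
# because nothing here is put on the wire.
CLIENT, SERVER = "192.168.5.201", "203.0.113.10"
PLAINTEXT_HTTP = b"GET /login?user=alice&pw=hunter2 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
OPAQUE = bytes.fromhex("3b7f9a1c5e2d8046b9c1e7f3a50d6e21c0ffee11deadbeef")
# A TLS record: content type 0x17 (application data), version 0x0303, length, ciphertext.
TLS_RECORD = b"\x17\x03\x03" + struct.pack("!H", len(OPAQUE)) + OPAQUE


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Build a minimal IPv4 header + TCP header (no options) around payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Decode what a sniffer sees: IP addresses, ports, flags and the raw payload."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    return {
        "src": str(IPv4Address(raw[12:16])),
        "dst": str(IPv4Address(raw[16:20])),
        "sport": sport, "dport": dport,
        "flags": raw[ihl + 13],
        "payload": raw[ihl + data_off:],
    }


def classify_payload(payload):
    """Rough first-bytes heuristic: readable application data or an opaque TLS record?"""
    if len(payload) >= 5 and payload[0] == 0x17 and payload[1] == 0x03 and payload[2] in (1, 2, 3, 4):
        return "tls-application-data"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"HTTP/1.1", b"HTTP/1.0"):
        return "plaintext-http"
    return "unknown"


def sniffer_view(raw):
    """Summarise a packet the way a passive observer on the path could."""
    p = parse_ipv4_tcp(raw)
    p["kind"] = classify_payload(p["payload"])
    p["leaks_payload"] = p["kind"] == "plaintext-http"
    return p


HTTP_PKT = build_ipv4_tcp(CLIENT, SERVER, 51514, 80, PLAINTEXT_HTTP)
TLS_PKT = build_ipv4_tcp(CLIENT, SERVER, 51515, 443, TLS_RECORD)

if __name__ == "__main__":
    for pkt in (HTTP_PKT, TLS_PKT):
        v = sniffer_view(pkt)
        print(f'{v["src"]}:{v["sport"]} -> {v["dst"]}:{v["dport"]} {v["kind"]} payload={v["payload"][:24]!r}')
```

Both packets yield the same source, destination and port information; only the HTTP packet yields readable credentials. The classification is a heuristic on the first bytes, not a full protocol decoder.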
ARP Spoofing
What is the ARP Protocol?

Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a
specific device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access
Control (MAC) address. Most commonly, devices use ARP to contact the router or gateway that enables
them to connect to the Internet.

Hosts maintain an ARP cache, a mapping table between IP addresses and MAC addresses, and use it to
connect to destinations on the network. If the host doesn’t know the MAC address for a certain IP
address, it sends out an ARP request packet, asking other machines on the network for the matching
MAC address.

The ARP protocol was not designed for security, so it does not verify that a response to an ARP request
really comes from an authorized party. It also lets hosts accept ARP responses even if they never sent
out a request. This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks.

ARP only works with 32-bit IP addresses in the older IPv4 standard. The newer IPv6 protocol uses a
different protocol, Neighbor Discovery Protocol (NDP), which is secure and uses cryptographic keys to
verify host identities. However, since most of the Internet still uses the older IPv4 protocol, ARP remains
in wide use.

Communication on the Internet using ARP


What is ARP Spoofing (ARP Poisoning)?

ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows
attackers to intercept communication between network devices. The attack works as follows:
1. The attacker gains access to the network and identifies the IP address of at least two devices on
the same network.
2. The attacker then uses an ARP spoofing tool in order to send out forged ARP replies on the
network which leads to ARP cache poisoning.
3. The fake ARP response convinces both devices that the MAC address of the attacker’s system is
the right one and thereby both devices end up connecting to that system instead of each other.
4. Once connected, the ARP cache entries are updated for all future communications and the
attacker thereby gains access to any and all communications between the two devices.

How to Detect an ARP Cache Poisoning Attack?


Here is a simple way to detect that a specific device’s ARP cache has been poisoned, using the
command line. Start an operating system shell as an administrator. Use the following command
to display the ARP table, on both Windows and Linux:
arp -a
The output will look something like this:

Internet Address Physical Address

192.168.5.1 00-14-22-01-23-45

192.168.5.201 40-d4-48-cr-55-b8

192.168.5.202 00-14-22-01-23-45

If the table contains two different IP addresses that have the same MAC address, this indicates
an ARP attack is taking place. Because the IP address 192.168.5.1 can be recognized as the
router, the attacker’s IP is probably 192.168.5.202.
To discover ARP spoofing in a large network and get more information about the type of
communication the attacker is carrying out, you can use the open source Wireshark protocol analyzer.
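A script that automates the duplicate-MAC check described above, as an added example that is not part of the original text. The ARP-table text it parses is constructed for the demo (it mirrors the page's addresses, with the unparseable MAC replaced by a valid one) and, going slightly beyond the page, it accepts both the Windows column layout and the Linux `arp -a` / `ip neigh` line formats. Broadcast and multicast MACs are excluded, because on Windows they legitimately map to several addresses.

```python
import re
from collections import defaultdict

# Constructed ARP-table text (not real output) in the two layouts seen in the
# field: Windows "arp -a" columns and Linux "arp -a" / "ip neigh" lines.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.5.201 --- 0xb
  Internet Address      Physical Address      Type
  192.168.5.1           00-14-22-01-23-45     dynamic
  192.168.5.202         00-14-22-01-23-45     dynamic
  192.168.5.210         40-d4-48-c1-55-b8     dynamic
  192.168.5.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
_gateway (192.168.5.1) at 00:14:22:01:23:45 [ether] on eth0
192.168.5.210 dev eth0 lladdr 40:d4:48:c1:55:b8 REACHABLE
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.I)


def parse_arp_table(text):
    """Return {mac: sorted list of ips}; MACs normalised to lower-case colon form."""
    table = defaultdict(set)
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[mac.group(1).lower().replace("-", ":")].add(ip.group(1))
    return {mac: sorted(ips) for mac, ips in table.items()}


def is_group_address(mac):
    """Broadcast/multicast MACs (I/G bit set) legitimately map to many IPs."""
    return int(mac[:2], 16) & 1 == 1


def find_duplicate_macs(text):
    """Unicast MACs claimed by more than one IP: the cache-poisoning signature."""
    return {mac: ips for mac, ips in parse_arp_table(text).items()
            if len(ips) > 1 and not is_group_address(mac)}


def suspect_hosts(text, gateway_ip):
    """IPs that share the gateway's MAC, excluding the gateway itself."""
    table = parse_arp_table(text)
    gw_mac = next((mac for mac, ips in table.items() if gateway_ip in ips), None)
    if gw_mac is None:
        return []
    return [ip for ip in table[gw_mac] if ip != gateway_ip]


if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(SAMPLE_ARP_OUTPUT).items():
        print(f"MAC {mac} claimed by {', '.join(ips)}")
    print("suspect hosts:", suspect_hosts(SAMPLE_ARP_OUTPUT, "192.168.5.1"))
```

Run it against the saved output of `arp -a` (or `ip neigh`) on the suspected host; an empty result from find_duplicate_macs means no two unicast addresses share a MAC.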

ARP Spoofing Prevention

Here are a few best practices that can help you prevent ARP Spoofing on your network:

1. Use a Virtual Private Network (VPN)—a VPN allows devices to connect to the Internet through an encrypted tunnel. This makes all communication encrypted, and worthless for an ARP spoofing attacker.

2. Use static ARP—the ARP protocol lets you define a static ARP entry for an IP address, and prevent devices from listening on ARP responses for that address. For example, if a workstation always connects to the same router, you can define a static ARP entry for that router, preventing an attack.

3. Use packet filtering—packet filtering solutions can identify poisoned ARP packets by seeing that they contain conflicting source information, and stop them before they reach devices on your network.

4. Run a spoofing attack—check if your existing defenses are working by mounting a spoofing attack, in coordination with IT and security teams. If the attack succeeds, identify weak points in your defensive measures and remediate them.
PORT SCANNING

What is a Port Scan?


A port scan is a method for determining which ports on a network are open. As ports on a computer are
the place where information is sent and received, port scanning is analogous to knocking on doors to see
if someone is home. Running a port scan on a network or server reveals which ports are open and
listening (receiving information), as well as revealing the presence of security devices such as firewalls
that are present between the sender and the target. This technique is known as fingerprinting. It is also
valuable for testing network security and the strength of the system’s firewall. Due to this functionality,
it is also a popular reconnaissance tool for attackers seeking a weak point of access to break into a
computer.

Ports vary in their services offered. They are numbered from 0 to 65535, but certain ranges are more
frequently used. Ports 0 to 1023 are identified as the “well-known ports” or standard ports and have been
assigned services by the Internet Assigned Numbers Authority (IANA). Some of the most prominent
ports and their assigned services include:

- Port 20 (udp) – File Transfer Protocol (FTP) for data transfer
- Port 22 (tcp) – Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
- Port 23 (tcp) – Telnet protocol for unencrypted text communications
- Port 53 (udp) – Domain Name System (DNS) translates names of all computers on the internet to IP addresses
- Port 80 (tcp) – World Wide Web HTTP

There are standard services offered on ports after 1023 as well, and ports that, if open, indicate an
infected system due to its popularity with some far-reaching Trojans and viruses.

A port scan sends a carefully prepared packet to each destination port number. The basic techniques that
port scanning software is capable of include:

- Vanilla – the most basic scan; an attempt to connect to all 65,536 ports one at a time. A vanilla scan is a full connect scan, meaning it sends a SYN flag (request to connect) and upon receiving a SYN-ACK (acknowledgement of connection) response, sends back an ACK flag. This SYN, SYN-ACK, ACK exchange comprises a TCP handshake. Full connect scans are accurate, but very easily detected because full connections are always logged by firewalls.
- SYN Scan – Also referred to as a half-open scan, it only sends a SYN, and waits for a SYN-ACK response from the target. If a response is received, the scanner never responds. Since the TCP connection was not completed, the system doesn’t log the interaction, but the sender has learned if the port is open or not.
- XMAS and FIN Scans – an example of a suite of scans used to gather information without being logged by the target system. In a FIN scan, an unsolicited FIN flag (used normally to end an established session) will be sent to a port. The system’s response to this random flag can reveal the state of the port or insight about the firewall. For example, a closed port that receives an unsolicited FIN packet will respond with a RST (an instantaneous abort) packet, but an open port will ignore it. An XMAS scan simply sends a set of all the flags, creating a nonsensical interaction. The system’s response can be interpreted to better understand the system’s ports and firewall.
- FTP Bounce Scan – allows for the sender’s location to be disguised by bouncing the packet through an FTP server. This is also designed for the sender to go undetected.
- Sweep scan – pings the same port across a number of computers to identify which computers on the network are active. This does not reveal information about the port’s state; instead it tells the sender which systems on a network are active. Thus, it can be used as a preliminary scan.

Scans that are developed for the sender to go undetected by a receiving system’s log are known as stealth
scans and are of particular interest to attackers. Despite its popularity in this area, port scanning is a
valuable tool for fingerprinting a network and for a penetration tester to assess the strength of network
security.
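Detection logic for the scan types listed above, run over constructed firewall log lines, as an added example not taken from the original page. The "SRC= DST= DPT= FLAGS=" line format and all addresses are assumptions made for the demo; the two rules are a SYN-scan rule (one source sending bare SYNs to many distinct ports within a window) and a FIN/XMAS-probe rule (segments with neither SYN, ACK nor RST, which cannot belong to a legitimate handshake).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a netfilter-like "SRC= DST= DPT= FLAGS=" style
# (made up for this example; adapt LOG_RE to your own log format).
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = (
    # a SYN scan: one source, many ports, within a few seconds
    [f"2024-05-01T10:00:{i:02d} SRC=10.0.0.7 DST=192.168.1.10 DPT={p} FLAGS=S"
     for i, p in enumerate(SCAN_PORTS)]
    # a normal client: SYN to two services, then data and a FIN on established connections
    + ["2024-05-01T10:01:00 SRC=10.0.0.5 DST=192.168.1.10 DPT=443 FLAGS=S",
       "2024-05-01T10:01:00 SRC=10.0.0.5 DST=192.168.1.10 DPT=443 FLAGS=PA",
       "2024-05-01T10:01:05 SRC=10.0.0.5 DST=192.168.1.10 DPT=22 FLAGS=S",
       "2024-05-01T10:01:09 SRC=10.0.0.5 DST=192.168.1.10 DPT=443 FLAGS=FA"]
    # an XMAS probe: FIN+PSH+URG on a port with no prior handshake
    + ["2024-05-01T10:02:30 SRC=10.0.0.9 DST=192.168.1.10 DPT=80 FLAGS=FPU"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S*)$")


def parse_line(line):
    """One log line -> event dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10):
    """Flag SYN scans (many distinct ports per source inside `window`) and
    FIN/XMAS/NULL probes (segments carrying none of SYN, ACK or RST)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    syn_hist = defaultdict(list)          # src -> [(ts, dpt)] seen inside the window
    alerts, seen = [], set()

    def alert(src, kind, detail):         # one alert per (source, rule)
        if (src, kind) not in seen:
            seen.add((src, kind))
            alerts.append({"src": src, "kind": kind, "detail": detail})

    for ev in events:
        flags = set(ev["flags"])
        if not flags & {"S", "A", "R"}:
            alert(ev["src"], "stealth-probe",
                  f"flags={ev['flags'] or 'NULL'} to port {ev['dpt']}")
            continue
        if flags == {"S"}:                # bare SYN: a connection attempt
            hist = syn_hist[ev["src"]]
            hist.append((ev["ts"], ev["dpt"]))
            cutoff = ev["ts"] - window
            hist[:] = [(t, p) for t, p in hist if t >= cutoff]
            ports = {p for _, p in hist}
            if len(ports) >= port_threshold:
                alert(ev["src"], "syn-scan", f"{len(ports)} distinct ports in {window.seconds}s")
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(a)
```

The SYN-scan rule only counts bare SYNs, so a busy legitimate client that completes its handshakes and then exchanges data is not flagged; tune the window and threshold to the host's normal fan-out.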

Port Scanning is the name for the technique used to identify open ports and services available on a network host.
It is sometimes utilized by security technicians to audit computers for vulnerabilities, however, it is also used by
hackers to target victims. It can be used to send requests to connect to the targeted computers, and then keep
track of the ports which appear to be opened, or those that respond to the request.

When a criminal targets a house for a burglary, typically the first thing he or she checks is if there is an open
window or door through which access to the home can be gained. A port scan is similar, only the windows and
doors are the ports of the individual's personal computer. While a hacker may not decide to "break in" at that
moment, he or she will have determined if easy access is available. Many people feel this activity should be
illegal, which it is not: because the potential attacker is merely checking to see if a possible connection could be
made, in most areas it is not considered a crime. However, if repetitive port scans are made, a denial of service
can be created.

Hackers typically utilize port scanning because it is an easy way in which they can quickly discover services they
can break into. In some cases, hackers can even open the ports themselves in order to access the targeted
computer. Hackers also use port scanners to conduct tests for open ports on Personal Computers that are
connected to the web.

Port Sweeping
Port sweeping is regarded by certain systems experts to be different from port scanning. They point out that port
scanning is executed through the searching of a single host for open ports. However, they state that port sweeping
is executed through the searching of multiple hosts in order to target just one specific open port. While Port
scanning and sweeping have legitimate uses with regard to network management, unfortunately, they are used
almost as frequently for the purpose of criminal activity.

A Serious Threat
Anytime there are open ports on one's personal computer, there is potential for the loss of data, the occurrence of
a virus, and at times, even complete system compromise. It is essential for one to protect his or her virtual files,
as new security risks concerning personal computers are discovered every day. Computer protection should be
the number one priority for those who use personal computers. Port scanning is considered a serious threat to
one's PC, as it can occur without producing any outward signs to the owner that anything dangerous is taking
place.

Firewall Protection
Protection from port scanning is often achieved through the use of a firewall. A firewall monitors incoming and
outgoing connections through one's personal computer. One technique used by firewall technology is the opening
of all the ports at one time. This action stops port scans from returning any ports. This has worked in many
situations in the past, however, most experts agree it is best to have all open ports investigated individually.
Another approach is to filter all port scans going to one's computer. An individual can also choose to port scan
his or her own system, which enables one to see the personal computer through the eyes of a hacker.
Firewalls are the best protection one can invest in with regard to port scanning. Firewalls deny outside access to
an individual's personal computer. With this type of protection, a personal computer is essentially hidden from
unwelcome visitors and is also protected from a variety of other hacking techniques. With firewall software, an
individual is assured that his or her sensitive and personal information remains protected.

In today's age of cyber crimes, identity theft, and the myriad of other criminal activities which can be executed
through electronic technology, one should never assume that he or she can be too careful. Most people who have
become the victim of cyber theft, or other similar crimes, state they wish they would have paid closer attention to
the tools available through which their personal computers could have been made safer, and less vulnerable to
attack.
IP Spoofing
What is IP spoofing?

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to
either hide the identity of the sender, to impersonate another computer system, or both. It is a technique often used
by bad actors to invoke DDoS attacks against a target device or the surrounding infrastructure.
Sending and receiving IP packets is a primary way in which networked computers and other devices communicate,
and constitutes the basis of the modern internet. All IP packets contain a header which precedes the body of the
packet and contains important routing information, including the source address. In a normal packet, the source IP
address is the address of the sender of the packet. If the packet has been spoofed, the source address will be
forged.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the
person receiving the package wants to stop the sender from sending packages, blocking all packages from the
bogus address will do little good, as the return address is easily changed. Relatedly, if the receiver wants to
respond to the return address, their response package will go somewhere other than to the real sender. The ability
to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while masking the
identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and
continuously randomized, blocking malicious requests becomes difficult. IP spoofing also makes it tough for law
enforcement and cyber security teams to track down the perpetrator of the attack.

IP spoofing is also used to masquerade as another device so that responses are sent to that targeted device instead.
Volumetric attacks such as NTP Amplification and DNS amplification make use of this vulnerability. The ability
to modify the source IP is inherent to the design of TCP/IP, making it an ongoing security concern.
Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading as another device in order to
sidestep authentication and gain access to or “hijack” a user’s session.

How to protect against IP spoofing (packet filtering)?

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network.
A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice
document). Ingress filtering is a form of packet filtering usually implemented on a network edge device which
examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t
match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement
egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source
headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.
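The ingress and egress filtering described above, expressed as a small decision function, as an added Python example not from the original page. The topology (a router with uplink wan0 and internal interfaces lan0 and lan1 holding the documentation prefix 203.0.113.0/24), the bogon list and the sample packets are assumptions for the demo. It goes a step beyond the page by implementing the check as strict unicast reverse-path forwarding, the usual way BCP38 is realised: a source is accepted only if the route back to it leaves through the interface the packet arrived on.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the page): an edge router with one Internet
# uplink and two internal interfaces holding TEST-NET-3 (203.0.113.0/24).
ROUTES = [
    (ip_network("0.0.0.0/0"), "wan0"),         # default route to the Internet
    (ip_network("203.0.113.0/24"), "lan0"),    # our address block
    (ip_network("203.0.113.128/25"), "lan1"),  # a more specific internal subnet
]
UPLINKS = {"wan0"}
# Source ranges that must never arrive from the Internet (RFC 1918, loopback, etc.).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def route_iface(addr):
    """Longest-prefix match: which interface would we use to reach addr?"""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_source(src, in_iface):
    """BCP38 decision for a packet with source src arriving on in_iface.

    Ingress (uplink): drop bogons and anything claiming one of our own addresses.
    Egress (internal): drop anything that is not ours. Both fall out of the
    strict uRPF rule: the route back to src must point at in_iface.
    """
    addr = ip_address(src)
    if in_iface in UPLINKS and any(addr in n for n in BOGONS):
        return "drop", "bogon source on uplink"
    expected = route_iface(addr)
    if expected != in_iface:
        return "drop", f"uRPF: {src} is reached via {expected}, but arrived on {in_iface}"
    return "accept", "source is consistent with routing"


def filter_packets(packets):
    """Apply check_source to (src, in_iface) pairs; return the decisions."""
    return [(src, iface, *check_source(src, iface)) for src, iface in packets]


# Constructed traffic sample: (source address, arriving interface)
SAMPLE = [
    ("198.51.100.7", "wan0"),    # ordinary Internet host: accept
    ("203.0.113.5", "wan0"),     # claims our own address from outside: spoofed
    ("10.1.2.3", "wan0"),        # private source from the Internet: bogon
    ("203.0.113.5", "lan0"),     # our host leaving: accept
    ("203.0.113.200", "lan0"),   # belongs to lan1, seen on lan0: spoofed neighbour
    ("8.8.8.8", "lan0"),         # internal host forging an outside source: egress drop
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print(row)
```

Strict uRPF assumes symmetric routing; on multi-homed links where replies may legitimately arrive on a different interface, the loose variant (the source merely has to be routable) is the safer starting point.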
TCP SYN Flood
What is a SYN flood attack?
TCP SYN flood (a.k.a. SYN flood) is a type of Distributed Denial of Service (DDoS) attack that exploits part of
the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine
can process them, causing network saturation.

Attack description

When a client and server establish a normal TCP “three-way handshake,” the exchange looks like this:

1. Client requests connection by sending SYN (synchronize) message to the server.
2. Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client.
3. Client responds with an ACK (acknowledge) message, and the connection is established.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a
fake IP address. The server, unaware of the attack, receives multiple, apparently legitimate requests to establish
communication. It responds to each attempt with a SYN-ACK packet from each open port.

The malicious client either does not send the expected ACK, or—if the IP address is spoofed—never receives the
SYN-ACK in the first place. Either way, the server under attack will wait for acknowledgement of its SYN-ACK
packet for some time.
During this time, the server cannot close down the connection by sending an RST packet, and the connection stays
open. Before the connection can time out, another SYN packet will arrive. This leaves an increasingly large
number of connections half-open – and indeed SYN flood attacks are also referred to as ―half-open‖ attacks.
Eventually, as the server’s connection overflow tables fill, service to legitimate clients will be denied, and the
server may even malfunction or crash.

While the “classic” SYN flood described above tries to exhaust network ports, SYN packets can also be used in
DDoS attacks that try to clog your pipes with fake packets to achieve network saturation. The type of packet is not
important. Still, SYN packets are often used because they are the least likely to be rejected by default.

Methods of mitigation
While modern operating systems are better equipped to manage resources, which makes it more difficult to
overflow connection tables, servers are still vulnerable to SYN flood attacks.

There are a number of common techniques to mitigate SYN flood attacks, including:

1. Micro blocks—administrators can allocate a micro-record (as few as 16 bytes) in the server memory for
each incoming SYN request instead of a complete connection object.
2. SYN cookies—using cryptographic hashing, the server sends its SYN-ACK response with a sequence
number (seqno) that is constructed from the client IP address, port number, and possibly other unique
identifying information. When the client responds, this hash is included in the ACK packet. The server
verifies the ACK, and only then allocates memory for the connection.
3. RST cookies—for the first request from a given client, the server intentionally sends an invalid SYN-ACK.
This should result in the client generating an RST packet, which tells the server something is wrong.
If this is received, the server knows the request is legitimate, logs the client, and accepts subsequent
incoming connections from it.
4. Stack tweaking—administrators can tweak TCP stacks to mitigate the effect of SYN floods. This can
either involve reducing the timeout until a stack frees memory allocated to a connection, or selectively
dropping incoming connections.
5. Obviously, all of the above mentioned methods rely on the target network’s ability to handle large-scale
volumetric DDoS attacks, with traffic volumes measured in tens of Gigabits (and even hundreds of
Gigabits) per second.
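A worked implementation of the SYN cookie idea from item 2, as an added Python example that is not the page's or any kernel's code. The server encodes a minute counter, an MSS index and a 24-bit keyed hash of the connection 4-tuple and client ISN into its own initial sequence number, keeps no per-connection state, and allocates the connection only when the final ACK carries a cookie it can recompute. The secret, the MSS table, the addresses and the bit layout are assumptions chosen for the demo.

```python
import hashlib
import hmac

# Constructed server secret: a real implementation rotates this and keeps it in kernel memory.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values encodable in the 3-bit index
MASK32 = 0xFFFFFFFF


def _hash24(secret, src_ip, src_port, dst_ip, dst_port, t, client_isn):
    """24-bit keyed hash binding the cookie to the 4-tuple, the time slot and the client's ISN."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{t}|{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_ack(src_ip, src_port, dst_ip, dst_port, client_isn, client_mss, now,
                 secret=SERVER_SECRET):
    """Answer a SYN without allocating state: the cookie becomes our ISN.

    Layout (32 bits): 5-bit minute counter | 3-bit MSS index | 24-bit hash.
    """
    t = int(now // 60) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    cookie = (t << 27) | (mss_idx << 24) | _hash24(secret, src_ip, src_port, dst_ip, dst_port, t, client_isn)
    return {"seq": cookie, "ack": (client_isn + 1) & MASK32}


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now, secret=SERVER_SECRET):
    """Validate the handshake's final ACK. Returns connection parameters, or None to drop it."""
    cookie = (ack - 1) & MASK32                 # what we claimed as our ISN
    client_isn = (seq - 1) & MASK32             # the client's ISN is its ACK seq minus one
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((int(now // 60) & 0x1F) - t) & 0x1F > 1:   # cookie older than ~2 minutes: stale
        return None
    if (cookie & 0xFFFFFF) != _hash24(secret, src_ip, src_port, dst_ip, dst_port, t, client_isn):
        return None                             # forged, replayed from elsewhere, or garbled
    return {"mss": MSS_TABLE[mss_idx], "client_isn": client_isn}


def demo_handshake(now=1_700_000_000):
    """Walk through SYN -> SYN-ACK (cookie) -> ACK with a constructed client."""
    c, s = ("198.51.100.23", 40001), ("203.0.113.10", 443)
    client_isn = 0x1234ABCD
    syn_ack = make_syn_ack(*c, *s, client_isn, 1460, now)          # server keeps nothing here
    ack = {"seq": (client_isn + 1) & MASK32, "ack": (syn_ack["seq"] + 1) & MASK32}
    return check_ack(*c, *s, ack["seq"], ack["ack"], now + 5)     # only now is state allocated


if __name__ == "__main__":
    print(demo_handshake())
```

Because nothing is stored between the SYN and the ACK, a flood of spoofed SYNs costs the server only the hash computation per packet; the price is that TCP options not squeezed into the cookie (here everything except a coarse MSS) are lost for cookie-validated connections.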
DNS Spoofing
What is DNS Spoofing?

Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS records are
used to redirect online traffic to a fraudulent website that resembles its intended destination.

Once there, users are prompted to login into (what they believe to be) their account, giving the perpetrator the
opportunity to steal their access credentials and other types of sensitive information. Furthermore, the malicious
website is often used to install worms or viruses on a user’s computer, giving the perpetrator long-term access to it
and the data it stores.

Methods for executing a DNS spoofing attack include:

1. Man in the middle (MITM) – The interception of communications between users and a DNS server in
order to route users to a different/malicious IP address.
2. DNS server compromise – The direct hijacking of a DNS server, which is configured to return a malicious
IP address.
DNS cache poisoning example

The following example illustrates a DNS cache poisoning attack, in which an attacker (IP 192.168.3.300)
intercepts a communication channel between a client (IP 192.168.1.100) and a server computer belonging to the
website www.estores.com (IP 192.168.2.200).

In this scenario, a tool (e.g., arpspoof) is used to dupe the client into thinking that the server IP is 192.168.3.300.
At the same time, the server is made to think that the client’s IP is also 192.168.3.300.

Such a scenario would proceed as follows:

1. The attacker uses arpspoof to issue the command: arpspoof 192.168.1.100 192.168.2.200. This modifies
the MAC addresses in the server’s ARP table, causing it to think that the attacker’s computer belongs to
the client.
2. The attacker once again uses arpspoof to issue the command: arpspoof 192.168.2.200 192.168.1.100,
which tells the client that the perpetrator’s computer is the server.
3. The attacker issues the Linux command: echo 1 > /proc/sys/net/ipv4/ip_forward. As a result, IP packets
sent between the client and server are forwarded to the perpetrator’s computer.
4. The host file, 192.168.3.300 estores.com is created on the attacker’s local computer, which maps the
website www.estores.com to their local IP.
5. The perpetrator sets up a web server on the local computer’s IP and creates a fake website made to
resemble www.estores.com.
6. Finally, a tool (e.g., dnsspoof) is used to direct all DNS requests to the perpetrator’s local host file. The
fake website is displayed to users as a result and, only by interacting with the site, malware is installed on
their computers.

DNS spoofing mitigation using domain name server security (DNSSEC)

DNS is an unencrypted protocol, making it easy to intercept traffic with spoofing. What’s more, DNS servers do
not validate the IP addresses to which they are redirecting traffic.

DNSSEC is a protocol designed to secure your DNS by adding additional methods of verification. The protocol
creates a unique cryptographic signature stored alongside your other DNS records, e.g., A record and CNAME.
This signature is then used by your DNS resolver to authenticate a DNS response, ensuring that the record wasn’t
tampered with.

While DNSSEC can help protect against DNS spoofing, it has a number of potential downsides, including:
1. Lack of data confidentiality – DNSSEC authenticates, but doesn’t encrypt DNS responses. As a result,
perpetrators are still able to listen in on traffic and use the data for more sophisticated attacks.

2. Complex deployment – DNSSEC is often misconfigured, which can cause servers to lose the security
benefits or even deny access to a website altogether.

3. Zone enumeration – DNSSEC uses additional resource records to enable signature validation. One such
record, NSEC, is able to verify the non-existence of a DNS zone. It can also be used to walk through a
DNS zone to gather all existing DNS records—a vulnerability called zone enumeration. Newer versions of
NSEC, called NSEC3 and NSEC5, publish hashed records of hostnames, thereby encrypting them and
preventing zone enumeration.
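To make the zone enumeration point concrete, an added Python example (not from the original text) that builds the NSEC chain and the NSEC3 chain for a small constructed zone and walks each. The zone names and salt are assumptions for the demo; the NSEC3 owner-name hash follows the RFC 5155 construction (SHA-1 over the wire-format name plus salt, iterated, encoded in base32hex).

```python
import base64
import hashlib

# Constructed zone (not a real one): apex plus a few hostnames.
ZONE = "example.com."
NAMES = ["www.example.com.", "mail.example.com.", "dev.example.com.", "ftp.example.com."]
# base32 -> base32hex alphabet mapping (RFC 4648 "extended hex")
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels right to left, case-insensitively."""
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]


def nsec_chain(zone, names):
    """NSEC: each owner name points at the next owner name in canonical order (a ring)."""
    owners = sorted(set(names) | {zone}, key=canonical_key)
    return {owners[i]: owners[(i + 1) % len(owners)] for i in range(len(owners))}


def walk_chain(chain, start):
    """Follow 'next' pointers from start until the ring closes; returns every owner seen."""
    seen, cur = [], start
    while True:
        seen.append(cur)
        cur = chain[cur]
        if cur == start:
            return seen


def wire_name(name):
    """DNS wire format of a name, lower-cased: the form NSEC3 hashes."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: SHA-1 over wire name || salt, re-hashed `iterations` times, base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(B32HEX).lower()


def nsec3_chain(zone, names, salt=b"", iterations=0):
    """NSEC3: the same ring, but over hashed owner names instead of plaintext ones."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in set(names) | {zone})
    return {hashes[i]: hashes[(i + 1) % len(hashes)] for i in range(len(hashes))}


if __name__ == "__main__":
    print("NSEC walk recovers:", walk_chain(nsec_chain(ZONE, NAMES), ZONE))
    salt = bytes.fromhex("aabbccdd")          # constructed salt
    hashed = nsec3_chain(ZONE, NAMES, salt, 10)
    print("NSEC3 walk yields only:", walk_chain(hashed, nsec3_hash(ZONE, salt, 10)))
```

Walking the NSEC ring returns every hostname in the zone; walking the NSEC3 ring returns only hashes. The hashes are deterministic rather than encrypted, so a name that is easy to guess can still be confirmed offline, which is why the salt and iteration count are chosen with care.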
DOS / DDOS Attacks
What is a denial-of-service attack?

A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices,
or other network resources due to the actions of a malicious cyber threat actor. Services affected may include
email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A
denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target
cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization
both time and money while their resources and services are inaccessible.

What are common denial-of-service attacks?

There are many different methods for carrying out a DoS attack. The most common method of attack occurs when
an attacker floods a network server with traffic. In this type of DoS attack, the attacker sends several requests to
the target server, overloading it with traffic. These service requests are illegitimate and have fabricated return
addresses, which mislead the server when it tries to authenticate the requestor. As the junk requests are processed
constantly, the server is overwhelmed, which causes a DoS condition to legitimate requestors.

In a Smurf Attack, the attacker sends Internet Control Message Protocol broadcast packets to a number of hosts
with a spoofed source Internet Protocol (IP) address that belongs to the target machine. The recipients of these
spoofed packets will then respond, and the targeted host will be flooded with those responses.

A SYN flood occurs when an attacker sends a request to connect to the target server but does not complete the
connection through what is known as a three-way handshake—a method used in a Transmission Control Protocol
(TCP)/IP network to create a connection between a local host/client and server. The incomplete handshake leaves
the connected port in an occupied status and unavailable for further requests. An attacker will continue to send
requests, saturating all open ports, so that legitimate users cannot connect.
Individual networks may be affected by DoS attacks without being directly targeted. If the network’s internet
service provider (ISP) or cloud service provider has been targeted and attacked, the network will also experience a
loss of service.

What is a distributed denial-of-service attack?

A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one
target. DDoS attackers often leverage the use of a botnet—a group of hijacked internet-connected devices to carry
out large scale attacks. Attackers take advantage of security vulnerabilities or device weaknesses to control
numerous devices using command and control software. Once in control, an attacker can command their botnet to
conduct DDoS on a target. In this case, the infected devices are also victims of the attack.

Botnets—made up of compromised devices—may also be rented out to other potential attackers. Often the botnet
is made available to “attack-for-hire” services, which allow unskilled users to launch DDoS attacks.

DDoS allows for exponentially more requests to be sent to the target, therefore increasing the attack power. It also
increases the difficulty of attribution, as the true source of the attack is harder to identify.

DDoS attacks have increased in magnitude as more and more devices come online through the Internet of Things
(IoT) (see Securing the Internet of Things). IoT devices often use default passwords and do not have sound
security postures, making them vulnerable to compromise and exploitation. Infection of IoT devices often goes
unnoticed by users, and an attacker could easily compromise hundreds of thousands of these devices to conduct a
high-scale attack without the device owners’ knowledge.

How do you avoid being part of the problem?

While there is no way to completely avoid becoming a target of a DoS or DDoS attack, there are proactive steps
administrators can take to reduce the effects of an attack on their network.

1. Enroll in a DoS protection service that detects abnormal traffic flows and redirects traffic away from your
network. The DoS traffic is filtered out, and clean traffic is passed on to your network.

2. Create a disaster recovery plan to ensure successful and efficient communication, mitigation, and recovery
in the event of an attack.

3. It is also important to take steps to strengthen the security posture of all of your internet-connected devices
in order to prevent them from being compromised.

4. Install and maintain antivirus software: Install a firewall and configure it to restrict traffic coming into and
leaving your computer (see Understanding Firewalls for Home and Small Office Use).

5. Evaluate security settings and follow good security practices in order to minimize the access other
people have to your information, as well as manage unwanted traffic (see Good Security Habits).
How do you know if an attack is happening?

Symptoms of a DoS attack can resemble non-malicious availability issues, such as technical problems with a
particular network or a system administrator performing maintenance. However, the following symptoms could
indicate a DoS or DDoS attack:

1. Unusually slow network performance (opening files or accessing websites),
2. Unavailability of a particular website, or
3. An inability to access any website.

The best way to detect and identify a DoS attack is through network traffic monitoring and analysis. Network
traffic can be monitored via a firewall or intrusion detection system. An administrator may even set up rules that
raise an alert when an anomalous traffic load is detected and identify the source of the traffic, or that drop
network packets meeting certain criteria.

What do you do if you think you are experiencing an attack?

If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate
technical professionals for assistance.

Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house
network issue. Network administrators can also monitor network traffic to confirm the presence of an attack,
identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a
DoS protection service.

Contact your ISP to ask if there is an outage on their end or even if their network is the target of the attack and you
are an indirect victim. They may be able to advise you on an appropriate course of action.

In the case of an attack, do not lose sight of the other hosts, assets, or services residing on your network. Many
attackers conduct DoS or DDoS attacks to deflect attention away from their intended target and use the
opportunity to conduct secondary attacks on other services within your network.

Different Types of DoS Attacks
Given below are the different types of attacks:

 Volume-based attacks
 Protocol attacks
 Application-layer attacks
 UDP attacks
 ICMP attacks
 Ping of death
 Slowloris
 NTP amplification
 HTTP flood

1. Denial of Service Attacks

Broadly, there are three different types of DoS attacks:

 DoS attacks based on volume: The attacker aims to saturate the bandwidth of the
affected site, and the magnitude of the attack is measured in bits per second.
This type of attack includes spoofed-packet, ICMP, and UDP floods.

 DoS attacks based on protocol: The goal of this attack is to consume the
resources of the real servers or of the components that sit in the path, such as
load balancers and firewalls. The attack rate is measured in packets per second.
This type includes Ping of Death, Smurf attacks, SYN floods, and fragmented-packet
attacks.

 DoS attacks on the application layer: The attack aims to bring down the web
server and is measured in requests per second. It has specific targets such as
Apache, OpenBSD, and Windows. Examples of these attacks are GET/POST floods and
low-and-slow attacks.

2. UDP Attacks
A UDP flood targets random ports on the remote host. For each datagram, the host
checks for an application listening on that port and, finding none, sends back an
ICMP Destination Unreachable message. This consumes host resources and makes its
services inaccessible. As the name implies, the attack floods the host with User
Datagram Protocol (UDP) packets.

3. ICMP Attacks
ICMP attacks consume both incoming and outgoing bandwidth, because the affected
servers keep trying to respond with ICMP echo reply packets, resulting in a
slowdown or shutdown of the entire system. It is similar to the UDP attack, but it
hits the target with ICMP echo request packets sent at a high transmission rate,
without waiting for any reply.

In a SYN flood attack, the requestor transmits many SYN requests but never
responds to the host's SYN-ACK, or it transmits the SYN requests from a spoofed
or masked IP address. The host server then waits for the acknowledgment of every
request and keeps resources bound to each half-open connection until it can no
longer establish new connections, ultimately resulting in a denial of service.
The attack exploits a known weakness in the TCP connection sequence, the
three-way handshake: when initiating a TCP connection with a host server, each
SYN request should be acknowledged with a SYN-ACK response and then confirmed
by an ACK message from the requestor. By withholding that final ACK, the attack
exhausts the server's connection state and denies service.
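
The half-open state a SYN flood leaves behind is also what a defender can count. The Go program below is an added example (not part of these notes) that replays a constructed TCP trace through the three-way handshake and reports connections that received a SYN-ACK but never the client's final ACK; the addresses, ports and threshold are constructed values, and the per-host view only singles out a source that is not spoofing its address, which is why the total is reported as well.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// TCP control bits as they sit in the TCP header flags byte.
const (
	FlagSYN = 0x02
	FlagACK = 0x10
)

// Segment is a minimal record of one observed TCP segment. Real input would
// come from a packet capture or flow log; the records below are constructed.
type Segment struct {
	Src, Dst string // "ip:port" endpoints
	Flags    uint8
}

// connKey identifies one connection attempt by its client and server endpoints.
type connKey struct{ client, server string }

// HalfOpen replays the segments through the three-way handshake state machine
// and returns, per client host, the number of connections that were answered
// with SYN-ACK but never completed with the client's final ACK, plus the total.
// The total is what a server watches, since spoofed SYNs spread the per-host count.
func HalfOpen(segs []Segment) (perHost map[string]int, total int) {
	// 1 = SYN seen, 2 = SYN-ACK sent (server state allocated), 3 = established
	state := map[connKey]int{}
	for _, s := range segs {
		syn, ack := s.Flags&FlagSYN != 0, s.Flags&FlagACK != 0
		switch {
		case syn && !ack: // client -> server opens an attempt
			state[connKey{s.Src, s.Dst}] = 1
		case syn && ack: // server -> client: server now holds a half-open entry
			if k := (connKey{s.Dst, s.Src}); state[k] == 1 {
				state[k] = 2
			}
		case ack: // client -> server: the final ACK completes the handshake
			if k := (connKey{s.Src, s.Dst}); state[k] == 2 {
				state[k] = 3
			}
		}
	}
	perHost = map[string]int{}
	for k, st := range state {
		if st == 2 {
			perHost[hostOf(k.client)]++
			total++
		}
	}
	return perHost, total
}

// hostOf strips the port from an "ip:port" endpoint.
func hostOf(endpoint string) string {
	if i := strings.LastIndexByte(endpoint, ':'); i >= 0 {
		return endpoint[:i]
	}
	return endpoint
}

// SuspectedFlooders lists client hosts whose half-open count reaches the
// threshold, sorted for stable output.
func SuspectedFlooders(segs []Segment, threshold int) []string {
	perHost, _ := HalfOpen(segs)
	var out []string
	for host, n := range perHost {
		if n >= threshold {
			out = append(out, host)
		}
	}
	sort.Strings(out)
	return out
}

// SampleCapture is a constructed trace: one well-behaved client that completes
// its handshake, and one host that opens 50 connections from different source
// ports and never sends the final ACK.
func SampleCapture() []Segment {
	srv := "10.0.0.5:80"
	segs := []Segment{
		{"10.0.0.9:51000", srv, FlagSYN},
		{srv, "10.0.0.9:51000", FlagSYN | FlagACK},
		{"10.0.0.9:51000", srv, FlagACK},
	}
	for port := 40000; port < 40050; port++ {
		cli := fmt.Sprintf("203.0.113.7:%d", port)
		segs = append(segs, Segment{cli, srv, FlagSYN}, Segment{srv, cli, FlagSYN | FlagACK})
	}
	return segs
}

func main() {
	_, total := HalfOpen(SampleCapture())
	fmt.Printf("%d half-open connections; suspects: %v\n", total, SuspectedFlooders(SampleCapture(), 20))
}
```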

4. Ping of Death
This attack involves sending malformed or malicious pings to the server. The
maximum length of an IP packet, including the header, is 65535 bytes, while the
data link layer limits the frame size to 1500 bytes over Ethernet. A large IP
packet is therefore split across multiple IP fragments, and the receiving host
collects the fragments and reassembles them into the complete IP packet. When
the fragment data is manipulated maliciously, reassembly can produce a packet
larger than 65535 bytes. When the memory space allocated for the packet is
overrun, it can cause a denial of service, impacting the processing of
legitimate packets.
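
The bound the attack abuses is simple to enforce at reassembly time. The Go code below is an added example (not from the original text) that models IPv4 fragment reassembly and rejects any fragment whose offset plus length would push the datagram past 65535 bytes before it touches the buffer; the fragment sizes and offsets are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxIPPacket is the largest IPv4 datagram the 16-bit Total Length field can
// describe, header included (the 65535-byte limit discussed above).
const MaxIPPacket = 65535

// Fragment is a simplified IP fragment: the fragment offset in 8-byte units
// (as carried in the IPv4 header), the More Fragments flag, and the payload.
type Fragment struct {
	Offset8       uint16
	MoreFragments bool
	Payload       []byte
}

var (
	ErrOversized = errors.New("reassembled datagram would exceed 65535 bytes")
	ErrGap       = errors.New("fragments do not cover the datagram contiguously")
)

// Reassemble rebuilds the datagram payload from its fragments. It rejects a
// fragment whose offset plus length would land bytes past the IP maximum
// before touching the buffer, which is the check that keeps an oversized
// Ping of Death from overrunning a fixed-size reassembly buffer.
func Reassemble(frags []Fragment, headerLen int) ([]byte, error) {
	var buf []byte
	var covered []bool
	total := -1 // end of the fragment with More Fragments cleared
	for _, f := range frags {
		start := int(f.Offset8) * 8
		end := start + len(f.Payload)
		if headerLen+end > MaxIPPacket {
			return nil, fmt.Errorf("fragment offset %d, length %d: %w", start, len(f.Payload), ErrOversized)
		}
		if end > len(buf) {
			buf = append(buf, make([]byte, end-len(buf))...)
			covered = append(covered, make([]bool, end-len(covered))...)
		}
		copy(buf[start:end], f.Payload)
		for i := start; i < end; i++ {
			covered[i] = true
		}
		if !f.MoreFragments {
			total = end
		}
	}
	if total < 0 {
		return nil, fmt.Errorf("no final fragment: %w", ErrGap)
	}
	for i := 0; i < total; i++ {
		if !covered[i] {
			return nil, fmt.Errorf("missing byte %d: %w", i, ErrGap)
		}
	}
	return buf[:total], nil
}

// SplitPayload fragments data the way a sending host would; chunk must be a
// multiple of 8 (1480 is the usual Ethernet value once the IP header is taken).
func SplitPayload(data []byte, chunk int) []Fragment {
	var frags []Fragment
	for off := 0; off < len(data); off += chunk {
		end := off + chunk
		if end > len(data) {
			end = len(data)
		}
		frags = append(frags, Fragment{uint16(off / 8), end < len(data), data[off:end]})
	}
	return frags
}

// OversizedFragments is a constructed malformed set: the final fragment claims
// offset 65528 and carries 100 bytes, so reassembly would need 65628 bytes.
func OversizedFragments() []Fragment {
	return []Fragment{
		{0, true, make([]byte, 1480)},
		{8191, false, make([]byte, 100)},
	}
}

func main() {
	_, err := Reassemble(OversizedFragments(), 20)
	fmt.Println("oversized set:", err)
}
```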

5. Slowloris
This attack has a large impact: it enables one web server to bring down another
web server without affecting other ports or services on the host network. It does
this by holding as many connections to the target web server open for as long as
possible. It establishes connections to the host server but transmits only
partial requests.
It persistently transmits more HTTP headers but never completes the request. The
host system keeps the port or service open for these bogus connections, leaving
no room for legitimate requests. As the name suggests, this slows down the entire
system by exhausting the pool of concurrent connections.

6. Amplification of NTP
In this attack, the attacker abuses publicly accessible Network Time Protocol
(NTP) servers to overwhelm a host server with UDP traffic. The term amplification
refers to the query-to-response size ratio, which in such cases is 1:20 or 1:200,
or even higher. This means an attacker who obtains a list of open NTP servers can
generate a very high volume of DoS traffic and consume a great deal of bandwidth.
This type of attack focuses only on the NTP protocol.

7. HTTP Flood
Here the attacker uses seemingly legitimate HTTP GET or POST requests to exploit a
web application or server. It does not use spoofing techniques, reflection
methods, or malformed packets, and it consumes less bandwidth than other attacks
to slow down the application or host server. It is most effective when it forces
the system or application to allocate the maximum possible resources in response
to every single request.


UDP Flood
What is UDP Flood?

“UDP flood” is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the
targeted host with IP packets containing UDP datagrams.

The receiving host checks for applications associated with these datagrams and—finding none—sends back a
“Destination Unreachable” packet. As more and more UDP packets are received and answered, the system
becomes overwhelmed and unresponsive to other clients.

In the framework of a UDP flood attack, the attacker may also spoof the IP address of the packets, both to make
sure that the return ICMP packets don’t reach their host, and to anonymize the attack. There are a number of
commercially-available software packages that can be used to perform a UDP flood attack (e.g., UDP Unicorn).

Attack description

User Datagram Protocol (UDP) is a connectionless and sessionless networking protocol. Since UDP traffic doesn’t
require a three-way handshake like TCP, it runs with lower overhead and is ideal for traffic that doesn’t need to be
checked and rechecked, such as chat or VoIP.

However, these same properties also make UDP more vulnerable to abuse. In the absence of an initial handshake,
to establish a valid connection, a high volume of “best effort” traffic can be sent over UDP channels to any host,
with no built-in protection to limit the rate of the UDP DoS flood. This means that not only are UDP flood attacks
highly-effective, but also that they could be executed with a help of relatively few resources.

Some UDP flood attacks can take the form of DNS amplification attacks, also called “alphabet soup attacks”. UDP
does not define specific packet formats, and thus attackers can create large packets (sometimes over 8KB), fill
them with junk text or numbers (hence the “alphabet soup”), and send them out to the host under attack.

When the attacked host receives the garbage-filled UDP packets to a given port, it checks for the application
listening at that port, which is associated with the packet’s contents. When it sees that no associated application is
listening, it replies with an ICMP Destination Unreachable packet.

It should be noted that both amplified and non-amplified UDP floods can originate from botnet clusters of
various sizes. The use of multiple machines classifies the attack as a Distributed Denial of Service (DDoS)
threat. With such an attack, the offender’s goal is to overwhelm firewalls and other components of more resilient
network infrastructures.

Methods of mitigation

At the most basic level, most operating systems attempt to mitigate UDP flood attacks by limiting the rate of
ICMP responses. However, such indiscriminate filtering will also have an impact on legitimate traffic.

Traditionally, UDP mitigation methods also relied on firewalls that filtered out or blocked malicious UDP packets.
Yet such methods are becoming irrelevant, as modern high-volume attacks can simply overwhelm firewalls,
which are not designed with overprovisioning in mind.

IPsec (Internet Protocol Security)
What is IPsec (Internet Protocol Security)?

IPsec (Internet Protocol Security) is a suite of protocols and algorithms for securing data transmitted over
the internet or any public network. The Internet Engineering Task Force, or IETF, developed the IPsec
protocols in the mid-1990s to provide security at the IP layer through authentication and encryption of
IP network packets.

IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and
Encapsulating Security Payload (ESP). The former provides data integrity and anti-replay services, and the
latter encrypts and authenticates data.

The IPsec suite also includes Internet Key Exchange (IKE), which is used to generate shared security keys to
establish a security association (SA). SAs are needed for the encryption and decryption processes to
negotiate a security level between two entities. A special router or firewall that sits between two networks
usually handles the SA negotiation process.

Applications of IPsec
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and
across the Internet. Examples of its use include:

• Secure branch office connectivity over the Internet: A company can build a secure virtual private
network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and
reduce its need for private networks, saving costs and network management overhead.

• Secure remote access over the Internet: An end user whose system is equipped with IP security
protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company
network. This reduces the cost of toll charges for traveling employees and telecommuters.

• Establishing extranet and intranet connectivity with partners: IPsec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and providing a key
exchange mechanism.

• Enhancing electronic commerce security: Even though some Web and electronic commerce applications
have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic
designated by the network administrator is both encrypted and authenticated, adding an additional layer
of security to whatever is provided at the application layer.

Figure 1 is a typical scenario of IPsec usage. An organization maintains LANs at dispersed locations. Non
secure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN,
IPsec protocols are used. These protocols operate in networking devices, such as a router or firewall, that
connect each LAN to the outside world.

The IPsec networking device will typically encrypt and compress all traffic going into the WAN and decrypt
and decompress traffic coming from the WAN; these operations are transparent to workstations and
servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such
user workstations must implement the IPsec protocols to provide security.

Figure 1: An IP Security Scenario

IPsec protocols
IPsec authenticates and encrypts data packets sent over both IPv4- and IPv6-based networks. IPsec
protocol headers are found in the IP header of a packet and define how the data in a packet is handled,
including its routing and delivery across a network. IPsec adds several components to the IP header,
including security information and one or more cryptographic algorithms.
The following are key IPsec protocols:

 IP Authentication Header (AH). It provides data integrity and transport protection services. AH was
designed to be inserted into an IP packet to add authentication data and protect the contents from
modification.

 IP ESP. ESP provides authentication, integrity and confidentiality through encryption of IP packets.

 IKE. IKE is a protocol that enables two systems or devices to establish a secure communication channel
over an untrusted network. The protocol uses a series of key exchanges to create a secure tunnel between a
client and a server through which they can send encrypted traffic. The security of the tunnel is based on the
Diffie-Hellman key exchange.

 Internet Security Association and Key Management Protocol (ISAKMP). It is a framework for key
establishment, authentication and negotiation of an SA for a secure exchange of packets at the IP layer. In
other words, ISAKMP defines the security parameters for how two systems, or hosts, communicate with each
other. Each SA defines a connection in one direction, from one host to another. The SA includes all attributes
of the connection, including the cryptographic algorithm, the IPsec mode, the encryption key and any other
parameters related to data transmission over the connection.

How does IPsec work?


There are five key steps involved with how IPsec works. They are as follows:

1. Host recognition. The IPsec process begins when a host system recognizes that a packet needs
protection and should be transmitted using IPsec policies. Such packets are considered "interesting traffic"
for IPsec purposes, and they trigger the security policies. For outgoing packets, this means the appropriate
encryption and authentication are applied. When an incoming packet is determined to be interesting, the host
system verifies that it has been properly encrypted and authenticated.

2. Negotiation, or IKE Phase 1. In the second step, the hosts use IPsec to negotiate the set of policies
they will use for a secured circuit. They also authenticate themselves to each other and set up a secure
channel between them that is used to negotiate the way the IPsec circuit will encrypt or authenticate data
sent across it. This negotiation process occurs using either main mode or aggressive mode.

With main mode, the host initiating the session sends proposals indicating its preferred encryption and
authentication algorithms. The negotiation continues until both hosts agree and set up an IKE SA that defines
the IPsec circuit they will use. This method is more secure than aggressive mode because it creates a
secure tunnel for exchanging data.

In aggressive mode, the initiating host does not allow for negotiation and specifies the IKE SA to be used.
The responding host's acceptance authenticates the session. With this method, the hosts can set up an
IPsec circuit faster.

3. IPsec circuit, or IKE Phase 2. Step three sets up an IPsec circuit over the secure channel
established in IKE Phase 1. The IPsec hosts negotiate the algorithms that will be used during the data
transmission. The hosts also agree upon and exchange the encryption and decryption keys they plan to use
for traffic to and from the protected network. The hosts also exchange cryptographic nonces, which are
random numbers used to authenticate sessions.

4. IPsec transmission. In the fourth step, the hosts exchange the actual data across the secure tunnel
they've established. The IPsec SAs set up earlier are used to encrypt and decrypt the packets.

5. IPsec termination. Finally, the IPsec tunnel is terminated. Usually, this happens after a previously
specified number of bytes have passed through the IPsec tunnel or the session times out. When either
of those events happens, the hosts communicate, and termination occurs. After termination, the hosts
dispose of the private keys used during data transmission.

What are the IPsec modes?


There are two modes in IPsec:

Transport mode:
 The transport mode encrypts only the payload, so the IP header of the original packet is not encrypted.
 The IPsec Transport mode is implemented for client-to-site VPN scenarios.
 The transport mode is usually used when another tunneling protocol is used to first encapsulate the IP
data packet, then IPsec is used to protect the packets.
 In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that
will be applied to the packet.

Tunnel mode:

 Tunnel mode protects the internal routing information by encrypting the IP header of the original
packet. The original packet is encapsulated by another set of IP headers.
 It is widely implemented in site-to-site VPN scenarios.
 In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects
its contents.

Secure Socket Layer (SSL) provides security to the data that is transferred
between web browser and server. SSL encrypts the link between a web server
and a browser which ensures that all data passed between them remain
private and free from attack.

Secure Socket Layer Protocols:


 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol
 Alert protocol

SSL Protocol Stack:

SSL Record Protocol:


SSL Record provides two services to SSL connection.
 Confidentiality
 Message Integrity

In the SSL Record Protocol, application data is divided into fragments. Each
fragment is compressed, and a MAC (Message Authentication Code), generated
by an algorithm such as SHA (Secure Hash Algorithm) or MD5 (Message Digest),
is appended. The fragment and MAC are then encrypted, and finally the SSL
record header is added to the data.
Handshake Protocol:
Handshake Protocol is used to establish sessions. This protocol allows the
client and server to authenticate each other by sending a series of messages
to each other. The handshake protocol uses four phases to complete its cycle.

 Phase-1: In Phase-1 both client and server send hello packets to each
other. In this phase the session ID, cipher suite and protocol version are
exchanged for security purposes.

 Phase-2: The server sends its certificate and Server-key-exchange. The
server ends Phase-2 by sending the Server-hello-done packet.

 Phase-3: In this phase, the client replies to the server by sending its
certificate and Client-key-exchange.

 Phase-4: In Phase-4 the Change-cipher-spec message is sent, after which
the Handshake Protocol ends.
SSL Handshake Protocol Phases diagrammatic representation

Change-cipher Protocol:

This protocol uses the SSL record protocol. Until the Handshake Protocol is
completed, the newly negotiated SSL record parameters sit in a pending state.
After the handshake protocol, the pending state is converted into the current
state. The Change-cipher protocol consists of a single message, 1 byte in length,
which can have only one value. The protocol's purpose is to cause the pending
state to be copied into the current state.

Alert Protocol:

This protocol is used to convey SSL-related alerts to the peer entity. Each
message in this protocol contains 2 bytes; the first byte gives the alert level.

The level is classified into two parts:

Warning (level = 1):

This Alert has no impact on the connection between sender and
receiver. Some of them are:
 Bad certificate: When the received certificate is corrupt.
 No certificate: When an appropriate certificate is not available.
 Certificate expired: When a certificate has expired.
 Certificate unknown: When some other unspecified issue arose in
processing the certificate, rendering it unacceptable.
 Close notify: It notifies that the sender will no longer send any
messages in the connection.

Fatal Error (level = 2):

This Alert breaks the connection between sender and receiver. The
connection will be stopped, cannot be resumed but can be restarted. Some
of them are:
 Handshake failure: When the sender is unable to negotiate an
acceptable set of security parameters given the options available.
 Decompression failure: When the decompression function receives
improper input.
 Illegal parameters: When a field is out of range or inconsistent with
other fields.
 Bad record MAC: When an incorrect MAC was received.
 Unexpected message: When an inappropriate message is received.
The second byte in the Alert protocol describes the error.
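
As an added Go example (not from the original notes), the parser below decodes the two-byte alert message and the record header that carries it during the plaintext phase of the handshake, and applies the warning/fatal rule above. The description codes are the standard SSL 3.0/TLS assignments for the alerts the text names; the sample record is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Alert levels carried in the first byte of an SSL/TLS alert message.
const (
	AlertWarning byte = 1
	AlertFatal   byte = 2
)

// ContentTypeAlert is the record-layer content type for alert messages.
const ContentTypeAlert byte = 21

// alertNames maps the description byte to its standard name. The numeric
// values are the SSL 3.0 / TLS (RFC 5246) assignments; the text above lists
// these alerts by name only.
var alertNames = map[byte]string{
	0:  "close_notify",
	10: "unexpected_message",
	20: "bad_record_mac",
	30: "decompression_failure",
	40: "handshake_failure",
	41: "no_certificate",
	42: "bad_certificate",
	45: "certificate_expired",
	46: "certificate_unknown",
	47: "illegal_parameter",
}

// Alert is a decoded two-byte alert message.
type Alert struct {
	Level       byte
	Description byte
	Name        string
}

var ErrBadAlert = errors.New("malformed alert")

// ParseAlert decodes the two-byte alert body: level, then description.
func ParseAlert(body []byte) (Alert, error) {
	if len(body) != 2 {
		return Alert{}, fmt.Errorf("%w: want 2 bytes, got %d", ErrBadAlert, len(body))
	}
	if body[0] != AlertWarning && body[0] != AlertFatal {
		return Alert{}, fmt.Errorf("%w: unknown level %d", ErrBadAlert, body[0])
	}
	name, ok := alertNames[body[1]]
	if !ok {
		name = fmt.Sprintf("unknown(%d)", body[1])
	}
	return Alert{Level: body[0], Description: body[1], Name: name}, nil
}

// ParseAlertRecord decodes a plaintext record: 1-byte content type, 2-byte
// protocol version, 2-byte big-endian length, then the alert body.
func ParseAlertRecord(rec []byte) (Alert, error) {
	if len(rec) < 5 || rec[0] != ContentTypeAlert {
		return Alert{}, fmt.Errorf("%w: not an alert record", ErrBadAlert)
	}
	n := int(binary.BigEndian.Uint16(rec[3:5]))
	if n != 2 || len(rec) != 5+n {
		return Alert{}, fmt.Errorf("%w: bad record length %d", ErrBadAlert, n)
	}
	return ParseAlert(rec[5:])
}

// MustClose reports whether the receiver has to end the connection: every
// fatal alert does, and so does close_notify even though it is a warning.
func MustClose(a Alert) bool {
	return a.Level == AlertFatal || a.Description == 0
}

// SampleFatalRecord is a constructed TLS 1.2 record carrying a fatal
// handshake_failure alert (type 21, version 3.3, length 2, level 2, code 40).
var SampleFatalRecord = []byte{0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28}

func main() {
	a, err := ParseAlertRecord(SampleFatalRecord)
	fmt.Printf("%+v err=%v close=%v\n", a, err, MustClose(a))
}
```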

Salient Features of Secure Socket Layer:

 The advantage of this approach is that the service can be tailored to the
specific needs of the given application.
 Secure Socket Layer was originated by Netscape.
 SSL is designed to make use of TCP to provide reliable end-to-end secure
service.
 This is a two-layered protocol.

Versions of SSL:
SSL 1 – Never released due to high insecurity.
SSL 2 – Released in 1995.
SSL 3 – Released in 1996.
TLS 1.0 – Released in 1999.
TLS 1.1 – Released in 2006.
TLS 1.2 – Released in 2008.
TLS 1.3 – Released in 2018.
Secure Socket Layer (SSL)
What is an SSL Certificate and How Does it Work?

SSL certificates create an encrypted connection and establish trust.
One of the most important components of online business is creating a trusted environment where potential
customers feel confident in making purchases. SSL certificates create a foundation of trust by establishing a secure
connection. To assure visitors their connection is secure, browsers provide special visual cues that we call EV
indicators -- anything from a green padlock to a branded URL bar.

SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted
connection. The certificate also contains what is called the “subject,” which is the identity of the
certificate/website owner.

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a
private key and public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a
Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to
match your private key without compromising the key itself. The CA never sees the private key.

Once you receive the SSL certificate, you install it on your server. You also install an intermediate certificate that
establishes the credibility of your SSL Certificate by tying it to your CA’s root certificate. The instructions for
installing and testing your certificate will be different depending on your server.

In the image below, you can see what is called the certificate chain. It connects your server certificate to your
CA’s (in this case DigiCert’s) root certificate through an intermediate certificate.
The most important part of an SSL certificate is that it is digitally signed by a trusted CA, like DigiCert. Anyone
can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted
CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store. In order to be
added to the Trusted Root CA store and thus become a Certificate Authority, a company must comply with and be
audited against security and authentication standards established by the browsers.

An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party has
authenticated that organization’s identity. Since the browser trusts the CA, the browser now trusts that
organization’s identity too. The browser lets the user know that the website is secure, and the user can feel safe
browsing the site and even entering their confidential information.

What is Secure Sockets Layer (SSL)?

Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server
and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be
transmitted securely. Normally, data sent between browsers and web servers is sent in plain text —leaving you
vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web
server, they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the
SSL protocol determines variables of the encryption for both the link and the data being transmitted.

All browsers have the capability to interact with secured web servers using the SSL protocol. However, the
browser and the server need what is called an SSL Certificate to be able to establish a secure connection.

SSL secures millions of peoples’ data on the Internet every day, especially during online transactions or when
transmitting confidential information. Internet users have come to associate their online security with the lock icon
that comes with an SSL-secured website or the green address bar that comes with an Extended Validation
SSL-secured website. SSL-secured websites also begin with https rather than http.

How Does the SSL Certificate Create a Secure Connection?

When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an
SSL connection using a process called an “SSL Handshake” (see diagram below). Note that the SSL Handshake is
invisible to the user and happens instantaneously.
Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything
encrypted with the public key can only be decrypted with the private key, and vice versa.

Because encrypting and decrypting with private and public key takes a lot of processing power, they are only used
during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key
is used to encrypt all transmitted data.

1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server
identify itself.

2. Server sends a copy of its SSL Certificate, including the server’s public key.

3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired,
unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts
the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key.

4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement
encrypted with the session key to start the encrypted session.

5. Server and Browser now encrypt all transmitted data with the session key.

What is PGP Encryption and How Does It Work?

Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted emails
and encrypting sensitive files. Since its invention back in 1991, PGP has become the de facto
standard for email security.

The popularity of PGP is based on two factors:

 The first is that the system was originally available as freeware, and so spread rapidly
among users who wanted an extra level of security for their email messages.

 The second is that since PGP uses both symmetric encryption and public-key encryption,
it allows users who have never met to send encrypted messages to each other without
exchanging private encryption keys.

How Does PGP Encryption Work?

PGP shares some features with other encryption systems you may have heard of,
like Kerberos encryption (which is used to authenticate network users) and SSL
encryption (which is used to secure websites).

At a basic level, PGP encryption uses a combination of two forms of encryption: symmetric
key encryption, and public-key encryption.

At the highest level, this is how PGP encryption works:

 First, PGP generates a random session key. This key is a huge number that cannot be
guessed, and is only used once.
 Next, this session key is encrypted. This is done using the public key of the intended
recipient of the message. The public key is tied to a particular person’s identity, and
anyone can use it to send them a message.
 The sender sends their encrypted PGP session key to the recipient, and they are
able to decrypt it using their private key. Using this session key, the recipient is now
able to decrypt the actual message.

This might seem like a strange way to do things. Why would we encrypt the encryption key
itself?

Well, the answer is pretty simple. Public key cryptography is much, much slower than
symmetric encryption. Using symmetric encryption requires, though, that a sender share
the encryption key with the recipient in plain text, and this would be insecure. So by
encrypting the symmetric key using the (asymmetric) public-key system, PGP combines the
efficiency of symmetric encryption with the security of public-key cryptography.

Example of PGP Encryption in Action
In practice, sending a message encrypted with PGP is simpler than the above explanation
makes it sound. Let’s take a look at ProtonMail – as an example.

ProtonMail natively supports PGP, and all you have to do to encrypt your email is to select
Sign Mail. You will see a padlock icon on the subject line of their emails. The email will look
like this (the email addresses have been blurred for privacy reasons):

ProtonMail – like most email clients that offer PGP – hides all of the complexity of the
encryption and decryption of the message. If you are communicating to users outside of
ProtonMail, you need to send them your public key first.

Uses of PGP Encryption

There are, essentially, three main uses of PGP:

 Sending and receiving encrypted emails.
 Verifying the identity of the person who has sent you this message.
 Encrypting files stored on your devices or in the cloud.

Of these three uses, the first – sending secure email – is by far the dominant application of
PGP. But let’s take a brief look at all three.

Encrypting Emails:

As in the example above, most people use PGP to send encrypted emails. In the early years
of PGP, it was mainly used by activists, journalists, and other people who deal with sensitive
information. The PGP system was originally written, in fact, by a peace and political
activist named Phil Zimmermann, who later joined Startpage, one of the most popular
private search engines.

Today, the popularity of PGP has grown significantly. As more users have realized just how
much information corporations and their governments are collecting on them, huge
numbers of people now use the standard to keep their private information private.
Digital Signature Verification:

A related use of PGP is that it can be used for email verification. If a journalist is unsure
about the identity of a person sending them a message, for instance, they can use a Digital
Signature alongside PGP to verify this.

Digital signatures work by first running the message through a hash function, an algorithm
that converts a message of any length into a digest of fixed size. The sender then signs that
digest with their private key, and the signature travels alongside the message.

The recipient recomputes the digest from the message they received and uses the sender's
public key to check that the signature matches it. If even one character of the message has
been changed in transit, the digests will not match and the recipient will know. A failed
check indicates either that the sender is not who they say they are, that someone has tried
to forge a Digital Signature, or that the message has been tampered with.
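The two operations described above, hybrid encryption of a message and hash-then-sign, as an added example that is not part of the original notes or of any PGP implementation. It uses a deliberately tiny textbook RSA (primes just above one million, no padding) and a SHA-256 keystream in place of AES so that the numbers stay readable; the identities Alice and Bob, the primes, the 128-bit session key and the integrity tag are assumptions for illustration. Real PGP uses 2048-bit or larger RSA keys with proper padding (or elliptic curves), AES, and the MDC integrity check:

```python
# Added example (not the page's or PGP's own code): the hybrid scheme described
# above, hash-then-sign included, using a deliberately tiny textbook RSA and a
# SHA-256 counter-mode keystream in place of real PGP primitives. Key sizes,
# primes and the cipher are toy assumptions for illustration; never reuse them.
import hashlib
import hmac
import secrets


def make_keypair(p: int, q: int):
    """Textbook RSA from two primes; real keys use ~1024-bit primes and padding."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)         # (public key, private key)


# Assumed identities: Alice signs, Bob receives. Primes just above 10**6.
ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 1000033)
BOB_PUB, BOB_PRIV = make_keypair(1000037, 1000039)


def rsa_public(m: int, pub) -> int:      # encrypt, or recover a signed digest
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_private(c: int, priv) -> int:    # decrypt, or sign
    n, d = priv
    return pow(c, d, n)


def chunks(data: bytes, size: int = 4):
    """Split into 32-bit pieces so each integer fits below the toy modulus."""
    return [int.from_bytes(data[i:i + size], "big") for i in range(0, len(data), size)]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR with SHA-256(key || counter). Only safe because the
    session key is fresh for every message; a real cipher (AES) also takes a nonce."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pgp_encrypt(plaintext: bytes, recipient_pub) -> dict:
    """Fast symmetric encryption of the body; slow public-key encryption of the
    128-bit session key only; plus an integrity tag over the ciphertext."""
    session_key = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, plaintext)
    tag = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    wrapped = [rsa_public(piece, recipient_pub) for piece in chunks(session_key)]
    return {"wrapped_key": wrapped, "ciphertext": ciphertext, "tag": tag}


def pgp_decrypt(msg: dict, recipient_priv) -> bytes:
    pieces = [rsa_private(c, recipient_priv) for c in msg["wrapped_key"]]
    if any(v >= 1 << 32 for v in pieces):     # a wrong key yields garbage > 32 bits
        raise ValueError("wrapped session key does not decrypt under this private key")
    session_key = b"".join(v.to_bytes(4, "big") for v in pieces)
    expected = hmac.new(session_key, msg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):   # checked BEFORE decrypting
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    return keystream_xor(session_key, msg["ciphertext"])


def sign(message: bytes, signer_priv) -> list:
    """Hash the message to a fixed-size digest, then apply the private key to it."""
    return [rsa_private(piece, signer_priv) for piece in chunks(hashlib.sha256(message).digest())]


def verify(message: bytes, signature: list, signer_pub) -> bool:
    """Recover the signed digest with the public key; compare with a fresh hash."""
    pieces = [rsa_public(s, signer_pub) for s in signature]
    if any(v >= 1 << 32 for v in pieces):     # wrong signer key: cannot even be a digest
        return False
    recovered = b"".join(v.to_bytes(4, "big") for v in pieces)
    return hmac.compare_digest(recovered, hashlib.sha256(message).digest())


if __name__ == "__main__":
    note = b"The source will meet you at the usual place at 06:00."
    envelope = pgp_encrypt(note, BOB_PUB)
    signature = sign(note, ALICE_PRIV)
    print("Bob reads:", pgp_decrypt(envelope, BOB_PRIV).decode())
    print("Signature valid:", verify(note, signature, ALICE_PUB))
    print("Tampered copy valid:", verify(note + b" Bring cash.", signature, ALICE_PUB))
```

Two details carry over to real PGP unchanged: only the short session key ever goes through the slow public-key operation, and the integrity tag is verified before anything is decrypted, which is exactly the check that Efail-style attacks rely on clients skipping.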

Encrypting Files:

A third use of PGP is to encrypt files. Because the public-key algorithm PGP normally uses,
RSA at adequate key sizes, has no known practical attack, PGP offers a highly secure way of
encrypting files at rest, especially when combined with monitoring of who accesses those files
(the original notes mention a Threat Detection and Response solution). The same strength cuts
both ways: RSA-based hybrid encryption of this kind has also been used by high-profile
ransomware such as CryptoLocker to lock victims' files beyond recovery.

Back in 2010, Symantec acquired PGP Corp., which held the rights for the PGP system. Since
then, Symantec has become the dominant vendor of PGP file-encryption software through
such products as Symantec Encryption Desktop and Symantec Encryption Desktop Storage.
This software offers PGP encryption for all your files, whilst also hiding the complexities of
encryption and decryption processes.

Do I Need Pretty Good Privacy Encryption?


Whether you need to use PGP encryption will depend on how secure you want your
communications (or files) to be. As with any privacy or security software, using PGP
requires that you do a little more work when sending and receiving messages, but can also
dramatically improve the resilience of your systems to attack.

Let’s take a closer look.

Pros of PGP Encryption:


The major pro of PGP encryption is the strength of its cryptography: with correctly generated
keys of adequate size there is no known practical way for anyone, be they a hacker or even a
well-resourced agency such as the NSA, to recover a message without the private key. That is
why it is still used by journalists and activists, and why it is often regarded as one of the
best ways of protecting data stored in the cloud.

There have been news stories about security flaws in some implementations of PGP, such as
the Efail vulnerability of 2018, which abused the way email clients rendered decrypted HTML
and the lack of enforced integrity checking on older message formats in order to leak
plaintext. Such flaws lie in the clients and message handling rather than in the underlying
ciphers, and PGP itself remains very secure when the client is patched and the integrity
check (MDC) is enforced.

Cons of PGP Encryption:


The biggest con of PGP encryption is that it is not that user-friendly. This is changing –
thanks to off-the-shelf solutions that we will come to shortly – but using PGP can add
significant extra work and time to your daily schedule. In addition, those using the system
need to be aware of how it works, in case they introduce security holes by using it
incorrectly. This means that businesses considering a move to PGP will need to provide
training.

For that reason, many businesses might want to consider alternatives. There are encrypted
messaging apps like Signal, for instance, that offer encryption that is more straightforward
to use. In terms of storing data, anonymisation can be a good alternative to encryption and
can be a more efficient use of resources.

Finally, you should be aware that PGP encrypts your messages, but it doesn’t make you
anonymous. Unlike anonymous browsers using proxy servers or working through a VPN to
hide your true location, emails sent through PGP can be traced to a sender and recipient.
Their subject lines are not encrypted either, so you shouldn’t put any sensitive information
there.
Firewall
Introduction of Firewall in Computer Network

A firewall is a network security device, either hardware- or software-based, that monitors all incoming
and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific
traffic.

Accept : allow the traffic
Reject : block the traffic but reply with an "unreachable" error
Drop : block the traffic with no reply

A firewall establishes a barrier between secured internal networks and outside untrusted network, such as
the Internet.

History and Need for Firewall

Before firewalls, network security was performed by Access Control Lists (ACLs) residing on routers.
ACLs are rules that determine whether network access should be granted or denied to specific IP addresses.
But an ACL cannot determine the nature of the packet it is blocking, and an ACL alone does not have the
capacity to keep threats out of the network. Hence, the firewall was introduced.
Connectivity to the Internet is no longer optional for organizations. However, while accessing the Internet
provides benefits to the organization, it also enables the outside world to interact with the internal network
of the organization. This creates a threat to the organization. In order to secure the internal network from
unauthorized traffic, we need a firewall.

How Firewall Works

A firewall matches the network traffic against the rule set defined in its table. Once a rule is matched, the
associated action is applied to the traffic. For example, one rule may say that no employee from the HR
department can access data on the code server, while another says that the system administrator can access
data from both the HR and the technical department. Rules are defined on the firewall according to the
needs and security policies of the organization.

From the perspective of a server, network traffic can be either outgoing or incoming, and the firewall
maintains a distinct set of rules for each case. Outgoing traffic, originating from the server itself, is mostly
allowed to pass. Still, setting rules on outgoing traffic is always better, since it prevents unwanted
communication (a compromised server contacting an attacker, for example) and so achieves more security.

Incoming traffic is treated differently. Most traffic that reaches the firewall uses one of three major
protocols: TCP and UDP at the transport layer, or ICMP at the network layer. All three carry a source address
and a destination address in the IP header. TCP and UDP additionally have port numbers; ICMP has no ports
and instead uses a type and code that identify the purpose of the packet (echo request, destination
unreachable, and so on).

Default policy: It is very difficult to explicitly cover every possible case in the firewall rules. For this
reason, the firewall must always have a default policy. The default policy consists only of an action (accept,
reject or drop), applied to any traffic that no rule matched.

Suppose no rule is defined about SSH connections to the server. The firewall will then follow the default
policy. If the default policy is set to accept, any computer outside your office can establish an SSH
connection to the server. Therefore, setting the default policy to drop (or reject) is always good practice:
everything is blocked unless a rule explicitly allows it.
Generation of Firewall (TYPES OF FIREWALLS)

Firewalls can be categorized based on its generation.

First Generation- Packet Filtering Firewall:

A packet filtering firewall controls network access by monitoring outgoing and incoming packets and
allowing them to pass or stopping them based on source and destination IP address, protocol and port
numbers. It makes its decisions from the network-layer (IP) and transport-layer (TCP/UDP) headers, that is,
layers 3 and 4 of the OSI model; it does not look at the payload.

Packet filters treat each packet in isolation. They have no ability to tell whether a packet is part of an
existing stream of traffic; they can only allow or deny packets based on the packet headers. A packet
filtering firewall maintains a filtering table which decides whether a packet will be forwarded or discarded.
Taking 192.168.21.0 as the internal network, an example filtering table might express the following rules
(rules are checked in order, so the specific blocks must come before the general allow):

Incoming packets claiming to come from network 192.168.21.0 are blocked (an external packet with an
internal source address is spoofed).
Incoming packets destined for the internal TELNET server (port 23) are blocked.
Incoming packets destined for host 192.168.21.3 are blocked.
All well-known services to the network 192.168.21.0 are allowed.

• It is the simplest and easiest firewall to implement.

• If this firewall is placed just behind the router, the traffic can be analyzed easily.

• The biggest disadvantage of packet filtering firewalls is that they require a lot of detailed rules to
express a policy.
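The filtering table above, written out as an ordered rule list with a default policy, as an added example that is not part of the original notes. The packet fields, the 192.168.21.0/24 internal network, the external test addresses and the distinction between reject (answered) and drop (silent) are constructed for illustration:

```python
# Added example (not the page's code): a stateless packet filter built from the
# rule set described above, with an ordered rule table and a default policy.
# The internal network 192.168.21.0/24, the addresses and the packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the internal network)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port; ICMP has no ports (type/code instead)


INTERNAL = "192.168.21.0/24"
WELL_KNOWN = (0, 1023)   # port range of the "well-known" services

# (action, direction, proto, src_net, dst_net, dport); None matches anything.
# First match wins, so specific blocks must come before the broad allow.
RULES = [
    # inbound packets claiming an internal source are spoofed: drop silently
    ("drop",   "in",  None,  INTERNAL, None, None),
    # inbound Telnet to the internal network: reject, sender sees "unreachable"
    ("reject", "in",  "tcp", None, INTERNAL, 23),
    # nothing inbound may reach host 192.168.21.3
    ("drop",   "in",  None,  None, "192.168.21.3/32", None),
    # well-known services on the internal network are reachable
    ("accept", "in",  None,  None, INTERNAL, WELL_KNOWN),
    # the network's own outbound traffic is allowed (the usual default)
    ("accept", "out", None,  None, None, None),
]
DEFAULT_POLICY = "drop"   # anything not covered above, e.g. a service on port 8080


def _port_matches(pkt: Packet, spec) -> bool:
    if pkt.proto == "icmp":          # a port rule can never match ICMP
        return False
    if isinstance(spec, tuple):
        lo, hi = spec
        return lo <= pkt.dport <= hi
    return pkt.dport == spec


def evaluate(pkt: Packet, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Return the action for one packet judged in isolation (no connection state)."""
    for action, direction, proto, src_net, dst_net, dport in rules:
        if direction is not None and pkt.direction != direction:
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if src_net is not None and ip_address(pkt.src) not in ip_network(src_net):
            continue
        if dst_net is not None and ip_address(pkt.dst) not in ip_network(dst_net):
            continue
        if dport is not None and not _port_matches(pkt, dport):
            continue
        return action
    return default


def reply_for(action: str):
    """What the sender observes: reject answers, drop and accept stay silent."""
    return "ICMP destination unreachable" if action == "reject" else None


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "192.168.21.10", 80),     # accept
        Packet("in", "tcp", "203.0.113.5", "192.168.21.10", 23),     # reject
        Packet("in", "tcp", "203.0.113.5", "192.168.21.3", 80),      # drop (host block)
        Packet("in", "tcp", "192.168.21.7", "192.168.21.10", 80),    # drop (spoofed source)
        Packet("in", "tcp", "203.0.113.5", "192.168.21.10", 8080),   # drop (default policy)
        Packet("in", "icmp", "203.0.113.5", "192.168.21.10"),        # drop (default policy)
        Packet("out", "tcp", "192.168.21.10", "203.0.113.5", 443),   # accept
    ]
    for p in samples:
        a = evaluate(p)
        print(f"{p.direction:3} {p.proto:4} {p.src:>14} -> {p.dst}:{p.dport:<5} {a}")
```

Two things from the text show up directly: rule order matters (swap the host block and the well-known allow and 192.168.21.3 becomes reachable on port 80), and everything the table does not mention, port 8080 and all ICMP in the sample, falls through to the default policy, so changing that policy to accept silently opens the network.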
Second Generation: Stateful Inspection Firewall:

Packet filtering is done one packet at a time, and attackers can exploit this. An attacker can split an attack
across several packets (or IP fragments) so that no single packet matches a filter rule and the complete
attack cannot be identified by the packet filtering firewall. To counter this, stateful inspection firewalls
were introduced, which keep a record of the state of a connection from one packet to the next.

Stateful firewalls (performing Stateful Packet Inspection) can determine the connection state of a packet,
unlike a packet filtering firewall, which makes them more effective. A stateful firewall keeps track of the
state of the network connections travelling across it, such as TCP streams, in a state table. Filtering
decisions are therefore based not only on the defined rules but also on the packet's history in the state
table: for example, an inbound packet is accepted only if it belongs to a connection that was opened from
the inside.
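A minimal state table of this kind, beside the stateless "any inbound packet with ACK set is a reply" rule that first-generation filters used in its place, as an added example that is not from the original notes. The simplified TCP state machine (SYN_SENT, ESTABLISHED, immediate teardown on FIN or RST), the addresses and the flows are constructed; a real connection tracker also handles retransmissions, both FINs, timeouts and UDP/ICMP pseudo-state:

```python
# Added example (not the page's code): a minimal TCP state table of the kind a
# stateful inspection firewall keeps, beside the stateless "established" rule it
# replaces. Flows, addresses and the simplified state machine are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    direction: str       # "out" = from the protected network, "in" = towards it
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_established(seg: Segment) -> str:
    """First-generation trick: treat any inbound segment carrying ACK as a reply
    to an existing connection. A crafted ACK probe (e.g. an ACK scan) passes."""
    if seg.direction == "out" or "ACK" in seg.flags:
        return "accept"
    return "drop"


class StatefulFirewall:
    """Tracks connections started from inside; inbound is accepted only when it
    matches a tracked flow in a state that makes the segment plausible."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key(seg: Segment):
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)   # same flow, other way round

    def filter(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)

        if state is None:
            # only a fresh outbound SYN may create state; everything else is noise
            if seg.direction == "out" and seg.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"
                return "accept"
            return "drop"

        if "RST" in seg.flags or "FIN" in seg.flags:
            # simplified teardown: real trackers wait for both FINs plus a timeout
            del self.table[key]
            return "accept"

        if state == "SYN_SENT":
            if seg.direction == "in" and seg.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return "accept"
            if seg.direction == "out":          # client retransmitting its SYN
                return "accept"
            return "drop"                       # data before the handshake finished

        return "accept"   # ESTABLISHED: data may flow in either direction


if __name__ == "__main__":
    fw = StatefulFirewall()
    client, server, scanner = "192.168.21.10", "203.0.113.5", "198.51.100.9"
    flow = [
        Segment("out", client, 40000, server, 443, frozenset({"SYN"})),
        Segment("in", server, 443, client, 40000, frozenset({"SYN", "ACK"})),
        Segment("in", server, 443, client, 40000, frozenset({"ACK"})),
        Segment("in", scanner, 443, client, 40001, frozenset({"ACK"})),   # ACK probe
        Segment("in", server, 443, client, 40000, frozenset({"FIN", "ACK"})),
    ]
    for seg in flow:
        print(f"{seg.direction:3} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"{sorted(seg.flags)} stateless={stateless_established(seg)} "
              f"stateful={fw.filter(seg)}")
```

The crafted ACK probe from 198.51.100.9 is the point of the comparison: the stateless rule accepts it because it looks like a reply, while the state table drops it because no inside host ever opened that connection.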


Third Generation- Application Layer Firewall (Proxy Firewalls):

Packet filters cannot see the content of each packet; from the packet headers they only get addresses,
protocols and ports for filtering. An application layer firewall can inspect and filter packets at any OSI
layer, up to the application layer. It can block specific content and recognize when certain applications
and protocols (such as HTTP or FTP) are being misused.

In other words, application layer firewalls are hosts that run proxy servers. A proxy firewall prevents any
direct connection between the two sides of the firewall: every connection is terminated at the proxy, which
opens a separate connection onward, so each packet has to pass through the proxy. The proxy allows or
blocks the traffic based on predefined rules.
Personal Firewalls:

A personal firewall is a software application that shields an Internet user from potential attackers by
permitting or denying network traffic to and from their computer, based on a security policy, and warning
them about attempted intrusions. It acts as a filter between the Internet and your computer. Typically it
works as an application layer firewall, deciding per program which applications may communicate.

A personal firewall differs from a conventional firewall in terms of scale. A personal firewall will usually
protect only the computer on which it is installed, as compared to a conventional firewall which is normally
installed on a designated interface between two or more networks, such as a router or proxy server. Hence,
personal firewalls allow a security policy to be defined for individual computers, whereas a conventional
firewall controls the policy between the networks that it connects.

Common personal firewall features:

• Block, or alert the user about, all unauthorized inbound or outbound connection attempts.
• Allow the user to control which programs can and cannot access the local network and/or Internet,
and provide the user with information about an application that makes a connection attempt.
• Hide the computer from port scans by not responding to unsolicited network traffic.
• Monitor applications that are listening for incoming connections.
• Monitor and regulate all incoming and outgoing Internet traffic.
• Prevent unwanted network traffic from locally installed applications.
• Provide information about the destination server with which an application is attempting to
communicate.
• Track recent incoming events, outgoing events and intrusion events to see who has accessed or tried
to access your computer.
• Block attempted intrusions and attacks from outside.

Next Generation Firewalls (NGFW):

Next Generation Firewalls are being deployed these days to stop modern security breaches such as advanced
malware and application-layer attacks. An NGFW combines deep packet inspection, application inspection
(identifying the application regardless of the port it uses), SSL/SSH inspection and many other functions to
protect the network from these modern threats.

Some common features of next-generation firewall architectures include deep packet inspection (checking
the actual contents of the data packet), TCP handshake checks and surface-level packet inspection. Next-
generation firewalls may include other technologies as well, such as intrusion prevention systems (IPSs) that
work to automatically stop attacks against your network.

LIMITATIONS OF FIREWALLS

A firewall may be a pivotal component of securing your organization: it addresses the integrity and
verification of traffic (through stateful inspection) and the secrecy of your internal network (through
application proxies). There are, however, some inherent limitations, as mentioned below:

1) Viruses: Not all firewalls offer protection against malware, because a firewall filters on headers and, at
best, on known patterns; malicious files travel inside traffic the firewall allows and are often compressed,
encoded or encrypted so that their content cannot be recognized.

2) Architecture: A firewall is usually a single point of failure. If the one device or mechanism the design
relies on is misconfigured, bypassed or compromised, the whole perimeter is open to intruders.
3) Configuration: A firewall has no way of telling administrators that its configuration is wrong; an overly
permissive rule looks exactly like a correct one. Only trained network security professionals can configure
a firewall properly.

4) Monitoring: A firewall reports what its rules matched, not whether an intrusion succeeded. An attack
carried inside allowed traffic produces no alert at all, which is why firewalls are paired with intrusion
detection systems.

5) Masquerading: A firewall cannot stop attackers who steal the login credentials of legitimate users to gain
access to a secure network. Once the attacker gains complete access to the entire network, they can delete
or change the network policies of the organization.

What is an IDS?

Compiled by - Asst. Prof. Sridhar Iyer

An intrusion detection system (IDS) is a software application or hardware appliance that
monitors traffic moving on networks and through systems to search for suspicious activity
and known threats, sending up alerts when it finds such items.

The overall purpose of an IDS is to inform IT personnel that a network intrusion may be
taking place. Alerting information will generally include information about the source
address of the intrusion, the target/victim address, and type of attack that is suspected.

Each IDS is programmed to analyze traffic and identify patterns in that traffic that may
indicate a cyber attack of various sorts. An IDS can identify "traffic that could be considered
universally malicious or noteworthy."

How do intrusion detection systems work?

Intrusion detection systems are used to detect anomalies with the aim of catching hackers
before they do real damage to a network. They can be either network- or host-based. A
host-based intrusion detection system is installed on the client computer, while a network-
based intrusion detection system resides on the network.

Intrusion detection systems work by either looking for signatures of known attacks or
deviations from normal activity. These deviations or anomalies are pushed up the stack and
examined at the protocol and application layer. They can effectively detect events such as
Christmas tree scans and domain name system (DNS) poisonings.

An IDS may be implemented as a software application running on customer hardware or as
a network security appliance. Cloud-based intrusion detection systems are also available to
protect data and systems in cloud deployments.

An IDS can be contrasted with an intrusion prevention system (IPS), which monitors
network packets for potentially damaging network traffic, like an IDS, but has the primary
goal of preventing threats once detected, as opposed to primarily detecting and recording
threats.
Different types of intrusion detection systems

IDSes come in different flavors and detect suspicious activities using different methods,
including the following:

1. A network intrusion detection system (NIDS) is deployed at a strategic point or points
within the network, where it can monitor inbound and outbound traffic to and from all the
devices on the network.

2. A host intrusion detection system (HIDS) runs on an individual computer or device and
examines that host's own traffic, logs and files; it is commonly deployed on hosts with direct
access to both the internet and the enterprise's internal network. A HIDS has an advantage
over a NIDS in that it may be able to detect anomalous packets that originate from inside the
organization, or malicious traffic that a NIDS has failed to detect, for instance because the
traffic never crossed a network sensor or was encrypted on the wire. A HIDS may also be
able to identify malicious traffic that originates from the host itself, such as when the host
has been infected with malware and is attempting to spread to other systems.

3. A signature-based intrusion detection system (SIDS) monitors all the packets traversing
the network and compares them against a database of attack signatures or attributes of
known malicious threats, much like antivirus software.
4. An anomaly-based intrusion detection system (AIDS) monitors network traffic and
compares it against an established baseline to determine what is considered normal for the
network with respect to bandwidth, protocols, ports and other devices. This type often uses
machine learning to establish a baseline and accompanying security policy. It then alerts IT
teams to suspicious activity and policy violations. By detecting threats using a broad model
instead of specific signatures and attributes, the anomaly-based detection method
improves upon the limitations of signature-based methods, especially in the detection of
novel threats.
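The two detection methods in items 3 and 4, run over a constructed connection log, as an added example that is not part of the original notes. The log format, the two signatures, the source addresses and the baseline counts are assumptions for illustration:

```python
# Added example (not the page's code): a signature-based detector and an
# anomaly-based detector run over constructed connection-log lines. The log
# format, the signatures and the baseline numbers are all assumptions.
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) '
    r'(?P<proto>\w+) flags=(?P<flags>\S*) payload="(?P<payload>[^"]*)"$'
)

# Constructed sample: two ordinary web clients, one Xmas-tree scan (FIN+PSH+URG
# set, a combination no real client sends) and one SQL injection attempt.
SAMPLE_LOG = [
    '2024-05-01T10:00:01 198.51.100.4 -> 192.168.21.10:80 tcp flags=S payload="GET /index.html"',
    '2024-05-01T10:00:05 198.51.100.4 -> 192.168.21.10:80 tcp flags=S payload="GET /about.html"',
    '2024-05-01T10:00:09 198.51.100.8 -> 192.168.21.10:443 tcp flags=S payload=""',
    '2024-05-01T10:00:40 198.51.100.9 -> 192.168.21.10:80 tcp flags=S '
    'payload="GET /login?user=admin%27%20OR%201=1--"',
] + [
    f'2024-05-01T10:00:{12 + i:02d} 203.0.113.7 -> 192.168.21.10:{port} tcp flags=FPU payload=""'
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445])
]

SIGNATURES = [   # (name, field, pattern): a tiny stand-in for a signature database
    ("xmas-scan", "flags", re.compile(r"^FPU$")),
    ("sqli-attempt", "payload",
     re.compile(r"(?i)(%27|')(%20|\+|\s)*(or|and)(%20|\+|\s)+\w+=\w+")),
]

# Constructed baseline: connections per source per minute observed during a
# quiet period. The anomaly detector learns this instead of knowing any attack.
BASELINE_PER_MINUTE = [2, 3, 4, 3, 2, 5, 3, 4, 2, 3, 3, 4]


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def signature_alerts(lines):
    """SIDS: every record is compared with every signature; known-bad only."""
    alerts = []
    for rec in parse(lines):
        for name, field, pattern in SIGNATURES:
            if pattern.search(rec[field]):
                alerts.append((name, rec["src"], int(rec["dport"])))
    return alerts


def anomaly_alerts(lines, baseline=BASELINE_PER_MINUTE, k=3.0):
    """AIDS: flag sources whose per-minute connection count exceeds
    mean + k * stdev of the learned baseline; no signature required."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    counts = Counter((rec["src"], rec["ts"][:16]) for rec in parse(lines))
    return {src: n for (src, minute), n in counts.items() if n > threshold}


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_LOG):
        print("signature:", alert)
    print("anomalies:", anomaly_alerts(SAMPLE_LOG))
```

The Xmas-tree scan is caught both ways: the signature matches the FIN+PSH+URG flag combination on every probe, and the anomaly detector flags the same source purely because ten connections in a minute lie far outside the learned baseline. The injection attempt is caught only by its signature, and raising k shows the false-positive/false-negative trade-off: a more tolerant baseline alerts less often and starts missing real scans.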

Historically, intrusion detection systems were categorized as passive or active. A passive IDS
that detected malicious activity would generate alert or log entries but would not take
action; an active IDS, sometimes called an intrusion detection and prevention system (IDPS),
would generate alerts and log entries but could also be configured to take actions, like
blocking IP addresses or shutting down access to restricted resources.

Capabilities of intrusion detection systems:

Intrusion detection systems monitor network traffic in order to detect when an attack is
being carried out by unauthorized entities. IDSes do this by providing some -- or all -- of
these functions to security professionals:

1. Monitoring the operation of routers, firewalls, key management servers and files that are
needed by other security controls aimed at detecting, preventing or recovering from
cyberattacks.

2. Providing administrators a way to tune, organize and understand relevant OS audit
trails and other logs that are otherwise difficult to track or parse.

3. Providing a user-friendly interface so non-expert staff members can assist with managing
system security.

4. Including an extensive attack signature database against which information from the
system can be matched.

5. Recognizing and reporting when the IDS detects that data files have been altered;
generating an alarm and notifying that security has been breached; and
reacting to intruders by blocking them or blocking the server.
Benefits of intrusion detection systems

Intrusion detection systems offer organizations several benefits, starting with the ability to
identify security incidents. An IDS can be used to help analyze the quantity and types of
attacks; organizations can use this information to change their security systems or
implement more effective controls.

An intrusion detection system can also help companies identify bugs or problems with their
network device configurations. These metrics can then be used to assess future risks.

Intrusion detection systems can also help the enterprise attain regulatory compliance. An
IDS gives companies greater visibility across their networks, making it easier to meet
security regulations. Additionally, businesses can use their IDS logs as part of the
documentation to show they are meeting certain compliance requirements.

Intrusion detection systems can also improve security responses. Since IDS sensors can
detect network hosts and devices, they can also be used to inspect data within the network
packets, as well as identify the OSes of services being used.

Using an IDS to collect this information can be much more efficient than manual censuses
of connected systems.

Challenges of intrusion detection systems

IDSes are prone to false alarms -- or false positives. Consequently, organizations need to
fine-tune their IDS products when they first install them. This includes properly configuring
their intrusion detection systems to recognize what normal traffic on their network looks
like compared to potentially malicious activity.

However, despite the inefficiencies they cause, false positives don't usually cause serious
damage to the actual network and simply lead to configuration improvements. A much
more serious IDS mistake is a false negative, which is when the IDS misses a threat and
mistakes it for legitimate traffic. In a false negative scenario, IT teams have no indication
that an attack is taking place and often don't discover until after the network has been
affected in some way.

It is better for an IDS to be oversensitive to abnormal behaviors and generate false positives
than it is to be undersensitive, generating false negatives.
False negatives are becoming a bigger issue for IDSes -- especially SIDSes -- since malware
is evolving and becoming more sophisticated. It's becoming harder to detect a suspected
intrusion because new malware may not display the previously detected patterns of
suspicious behavior that IDSes are typically designed to detect. As a result, there is an
increasing need for IDSes to detect new behavior and proactively identify novel threats and
their evasion techniques as soon as possible.
Honeypots
What is a honeypot?
Honeypots are decoy systems or servers deployed alongside production systems within your network. When
deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and
misdirect the adversary from their true target. Honeypots come in a variety of complexities depending on the
needs of your organization and can be a significant line of defense when it comes to flagging attacks early. This
page will get into more detail on what honeypots are, how they are used, and the benefits of implementing them.

Honeypot basics

There are many applications and use cases for honeypots, as they work to divert malicious traffic away from
important systems, get an early warning of a current attack before critical systems are hit, and gather information
about attackers and their methods. If the honeypots don't actually contain confidential data and are well-
monitored, you can get insight on attacker tools, tactics, and procedures (TTPs) and gather forensic and legal
evidence without putting the rest of your network at risk.

For a honeypot to work, the system should appear to be legitimate. It should run processes a production system is
expected to run, and contain seemingly important dummy files. The honeypot can be any system that has been set
up with proper sniffing and logging capabilities. It’s also a good idea to place a honeypot behind your corporate
firewall—not only does it provide important logging and alerting capabilities, but you can block outgoing traffic
so that a compromised honeypot cannot be used to pivot toward other internal assets.

In terms of objectives, there are two types of honeypots: research and production honeypots. Research honeypots
gather information about attacks and are used specifically for studying malicious behavior out in the wild.
Looking at both your environment and the wider world, they gather information about attacker trends, malware
strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventative
defenses, patch prioritization, and future investments.

Production honeypots, on the other hand, are focused on identifying active compromise on your internal network
and tricking the attacker. Information gathering is still a priority, as honeypots give you additional monitoring
opportunities and fill in common detection gaps around identifying network scans and lateral movement.
Production honeypots sit with the rest of your production servers and run services that would typically run in your
environment. Research honeypots tend to be more complex and store more types of data than production
honeypots.
Honeypot complexity varies

Within production and research honeypots, there are also differing tiers depending on the level of complexity your
organization needs:

Pure honeypot: This is a full-scale, completely production-mimicking system that runs on various servers. It
contains “confidential” data and user information, and is full of sensors. Though these can be complex and
difficult to maintain, the information they provide is invaluable.

High-interaction honeypot: This is similar to a pure honeypot in that it runs a lot of services, but it is not as
complex and does not hold as much data. High-interaction honeypots are not meant to mimic a full-scale
production system, but they do run (or appear to run) all the services that a production system would run,
including a proper operating system. This type of honeypot allows the deploying organization to see attacker
behaviors and techniques. High-interaction honeypots are resource-intensive and come with maintenance
challenges, but the findings can be worth the squeeze.

Mid-interaction honeypot: These emulate aspects of the application layer but do not have their own operating
system. They work to stall or confuse attackers so that organizations have more time to figure out how to properly
react to an attack.

Low-interaction honeypot: This type of honeypot is the most commonly deployed in a production environment.
Low-interaction honeypots run a handful of services and serve as an early warning detection mechanism more than
anything. They are easy to deploy and maintain, with many security teams deploying multiple honeypots across
different segments of their network.
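A low-interaction honeypot of the kind described last, as an added example that is not part of the original notes: a listener that presents an SSH-looking banner, never runs a real service, records the first bytes each client sends and turns every contact into an alert record. The banner string, port 2222, the alert fields and the classification labels are assumptions for illustration:

```python
# Added example (not the page's code): a low-interaction honeypot that offers an
# SSH-looking banner on a port nothing legitimate should use, records the first
# bytes each client sends and turns every contact into an alert. The banner
# string, the port and the alert schema are assumptions.
import datetime
import json
import socket
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"   # looks like a real server; no SSH runs here
LISTEN_PORT = 2222


def make_alert(peer, first_bytes: bytes, now=None) -> dict:
    """Any connection is suspicious by definition; classify how far it went."""
    ts = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat()
    client_banner = first_bytes.decode("ascii", errors="replace").strip()[:128]
    if not first_bytes:
        kind = "connect-only probe"          # typical of a port scan
    elif client_banner.startswith("SSH-"):
        kind = "ssh client handshake"        # a real client or a brute-force tool
    else:
        kind = "non-ssh payload"             # e.g. HTTP or raw junk sent to the port
    return {
        "ts": ts, "src_ip": peer[0], "src_port": peer[1],
        "honeypot_port": LISTEN_PORT, "kind": kind,
        "client_banner": client_banner, "severity": "high",
    }


def handle(conn: socket.socket, peer, sink):
    """Serve one client: send the banner, capture the reply, emit the alert."""
    with conn:
        conn.sendall(FAKE_BANNER)
        conn.settimeout(5.0)
        try:
            data = conn.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
    sink(make_alert(peer, data))


def serve(host="127.0.0.1", port=LISTEN_PORT, sink=lambda a: print(json.dumps(a))):
    """Blocking listener, one thread per client. The honeypot never initiates
    outbound connections, so egress from its host can be blocked completely."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, sink), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it with python3 on a host whose outbound traffic is blocked at the firewall, as the text recommends, and forward the JSON lines to your log collector. Because no legitimate system ever has a reason to connect, every alert is actionable without any signature database, which is what makes even this small a honeypot useful as an early-warning sensor.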

Different types of honeypots

Several honeypot technologies in use include the following:

Malware honeypots: These use known replication and attack vectors to detect malware. For example, honeypots
such as Ghost have been crafted to emulate a USB storage device; if a machine is infected by malware that
spreads via USB, the honeypot tricks the malware into infecting the emulated device, which reveals the infection.
Spam honeypots: These are used to emulate open mail relays and open proxies. Spammers will test the open mail
relay by sending themselves an email first. If they succeed, they then send out large quantities of spam. This type
of honeypot can detect and recognize this test and successfully block the massive volume of spam that follows.
Database honeypot: Activities such as SQL injection can often go undetected by network firewalls, so some
organizations use a database firewall, which can provide honeypot support to create decoy databases.
Client honeypots: Most honeypots are servers listening for connections. Client honeypots actively seek out
malicious servers that attack clients, monitoring for suspicious and unexpected modifications to the honeypot.
These systems generally run on virtualization technology and have a containment strategy to minimize risk to the
research team.
Honeynets: Rather than being a single system, a honeynet is a network that can consist of multiple honeypots.
Honeynets aim to strategically track the methods and motives of an attacker while containing all inbound and
outbound traffic.

Benefits of a honeypot

Honeypots offer plenty of security benefits to organizations that choose to implement them, including the
following:

They break the attacker kill chain and slow attackers down

As attackers move throughout your environment, they conduct reconnaissance, scan your network, and seek
misconfigured and vulnerable devices. At this stage, they are likely to trip your honeypot, alerting you to
investigate and contain attacker access. This allows you to respond before an attacker has the chance to
successfully exfiltrate data from your environment. Malicious actors can also spend a significant amount of time
trying to work on the honeypot instead of going after areas that have real data. Diverting their attack to a useless
system wastes cycles and gives you early warning of an attack in progress.

They are straightforward and low-maintenance

Modern honeypots are not only easy to download and install, but can provide accurate alerts around dangerous
misconfigurations and attacker behavior. In some cases, your team might even forget that a honeypot was ever
deployed until someone starts poking around your internal network. Unlike intrusion detection systems, honeypots
do not require known-bad attack signatures and fresh threat intel to be useful.

They help you test your incident response processes

Honeypots are a low-cost way to help you increase your security maturity, as they test whether your team knows
what to do if a honeypot reveals unexpected activity. Can your team investigate the alert and take appropriate
countermeasures?

Honeypots shouldn’t be your entire threat detection strategy, but they are another layer of security that can be
helpful in discovering attacks early. They are one of the few methods available to security practitioners to study
