Section 3

Research and Analysis


Requirements

  1. Research four attacks; one at each layer of the TCP/IP stack.
  2. Do not use any of the attacks that you have researched from previous assignments.
  3. Answer the following questions for each of these attacks:
    • What was the attack? Provide what layer the attack typically occurs at and description of what the attack does.
    • How is the attack carried out?
    • What does the attack hope to achieve? Relate this to the CIA triad.
    • What network vulnerability does the attack take advantage of?
    • What recommendations would you make to senior management? (i.e. What can be done to mitigate the attack?)
  4. For each of the four attacks use a different source for a minimum of four cited sources.
  5. Use academic resources such as peer-reviewed journals, scholarly articles, textbooks, etc.

In this section, four attacks that affect each layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack will be thoroughly discussed. The four layers of the TCP/IP model are: Application Layer, Transport Layer, Internet Layer, and Network Interface (Guru99, n.d.). Due to their construction and unique purposes, the TCP/IP layers are susceptible in different ways to distinct attacks, and one attack per layer will be explored here. For the Application Layer, a Low and Slow attack will be covered, while a SYN Flood attack on the Transport Layer will be examined. Following those analyses, a Wormhole attack on the Internet Layer will be discussed. Finally, a special kind of Man in the Middle (MitM) attack called an Address Resolution Protocol (ARP) Spoofing attack on the Network Interface layer will be examined.

Application Layer

            The TCP/IP Application Layer corresponds to Layer 7 of the Open Systems Interconnection (OSI) model and provides services for application programs (Rouse, 2018). At this level, programs communicate back and forth with each other, but not all communication can be trusted. According to Imperva, one commonly used Application Layer attack is called a Low and Slow attack, sometimes referred to as a slow-rate attack (n.d.). During this attack, the malicious actor targets a server resource at a slow rate, making the attack difficult to detect (Netscout, n.d.). This attack is achieved by connecting to a server, then slowly transmitting partial HTTP headers, forcing the server to keep the connection open, in some cases indefinitely (PureVPN, n.d.). Another way of thinking about how this operation works is to imagine a man holding up the line at the bank while faking a horrible stutter. This causes the real customers to wait while nonsense happens at the front of the line, which affects the availability aspect of the Confidentiality, Integrity, and Availability (CIA) Triad for smooth network operations (Walkowski, 2019). Just as the bank teller must provide service for every customer, thread-based web servers must wait for entire HTTP headers to be received before releasing the open connection. Therefore, this attack sets out to open as many non-genuine connections as it can in order to tie up as many resources as possible (Muscat, 2019). The best mitigation recommendation to senior-level members for a Low and Slow attack is to utilize reverse proxy-based protection (Cloudflare, n.d.).
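The server-side part of the mitigation described above, refusing to wait indefinitely for a complete header block, can be illustrated with a small added example. This code is not from the paper or any of its sources. It models the per-connection header reader a thread-based server or reverse proxy keeps, and enforces a deadline and a size cap on receiving the full HTTP request header, so a client that trickles partial headers is dropped instead of holding the thread. The policy values, the class and function names, and the sample request bytes are all constructed for this example and are not taken from any real server's defaults.

```python
# Added example: a per-connection HTTP request-header reader that refuses to
# wait indefinitely for a complete header block. Policy values are assumptions.
HEADER_DEADLINE_SECONDS = 20.0   # complete header block must arrive within this window
MAX_HEADER_BYTES = 8192          # cap on buffered header bytes per connection
HEADER_END = b"\r\n\r\n"         # end of the HTTP request-header block


class HeaderReader:
    """Accumulates request-header bytes for one connection.

    state moves from 'pending' to exactly one of:
      'complete'  - full header block received within the deadline
      'timeout'   - deadline passed before the header block was complete
      'too_large' - client sent more header bytes than the cap allows
    """

    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.buffer = b""
        self.state = "pending"

    def check_deadline(self, now):
        """Called on every read and from a periodic timer, so a client that
        simply goes quiet is also dropped once the window elapses."""
        if self.state == "pending" and now - self.opened_at > HEADER_DEADLINE_SECONDS:
            self.state = "timeout"
        return self.state

    def feed(self, chunk, now):
        """Append bytes received at time `now` and update the state."""
        if self.check_deadline(now) != "pending":
            return self.state
        self.buffer += chunk
        if len(self.buffer) > MAX_HEADER_BYTES:
            self.state = "too_large"
        elif HEADER_END in self.buffer:
            self.state = "complete"
        return self.state

    def header_lines(self):
        """Header lines (request line first) once complete, otherwise None."""
        if self.state != "complete":
            return None
        head = self.buffer.split(HEADER_END, 1)[0]
        return head.decode("latin-1").split("\r\n")


def run_connection(events, closed_at):
    """Replay one connection's receive events, each (seconds since open, bytes),
    then apply the deadline once more at `closed_at` as a timer would.
    Returns the reader so callers can inspect its state and headers."""
    reader = HeaderReader(opened_at=0.0)
    for offset, chunk in events:
        if reader.feed(chunk, now=offset) != "pending":
            break
    reader.check_deadline(closed_at)
    return reader


# Constructed sample traffic (not captured from any real system).
NORMAL_REQUEST = [
    (0.05, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"),
    (0.06, b"User-Agent: sample\r\n\r\n"),
]
SLOW_HEADERS = [          # one header line every 15 s, never finishing
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"),
    (15.0, b"X-a: 1\r\n"),
    (30.0, b"X-b: 2\r\n"),
]
QUIET_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n")]   # sends one line, then nothing

if __name__ == "__main__":
    for name, events in [("normal", NORMAL_REQUEST), ("slow", SLOW_HEADERS), ("quiet", QUIET_CLIENT)]:
        r = run_connection(events, closed_at=25.0)
        print(name, r.state, r.header_lines())
```

The one verdict per connection ("complete", "timeout" or "too_large") is the signal a reverse proxy can act on before a request ever reaches the origin server; production servers implement the same idea as a header read timeout, which is why the timer-driven check in `check_deadline` matters as much as the check on each read.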

Transport Layer

            The TCP/IP Transport Layer corresponds to Layer 4 of the OSI model and provides the transparent transfer of data between end users (Infoblox, n.d.). Layer 4 attacks rely upon high volumes, or floods, of data to slow down web server performance in what are called Distributed Denial of Service (DDoS) attacks. The intent behind this kind of attack is to consume bandwidth in order to impact the availability aspect of the CIA Triad (Arturai, n.d.). These flood attacks are referred to as SYN Flood attacks (Ghahrai, 2019). SYN Floods occur when a TCP connection is established in a 3-way handshake; then, the malicious application begins sending data using a Layer 7, or application layer, protocol such as HTTP (MacVittie, 2008). According to Wesley Eddy of the Internet Engineering Task Force, SYN Floods take advantage of the “state retention TCP performs for some time after receiving a SYN segment to a port that has been put into the LISTEN state” (2007). Mitigation recommendations for SYN Flooding attacks might include the use of hashed SYN cookies as well as proxy connections and varied sources of threat intelligence, including statistical anomaly detection, customizable threshold alerts, and fingerprints of known or emerging threats (Netscout, n.d.).
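The "hashed SYN cookies" mitigation mentioned above can be shown concretely. The following is an added example, not code from the paper or its sources, of a simplified SYN cookie scheme in the spirit of the original design: the server's initial sequence number in the SYN-ACK is computed from a keyed hash of the connection 4-tuple and a slowly incrementing counter, plus an encoded maximum segment size (MSS), so the server keeps no per-connection state while the connection is half-open; when the final ACK arrives, the cookie is recomputed and checked. The bit layout (5-bit counter, 3-bit MSS index, 24-bit hash), the MSS table, the counter window, the secret, and the addresses and ports are all this example's assumptions and do not describe any particular operating system's implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed bit layout of the 32-bit cookie (this example's choice, not an OS's):
#   bits 31..27 counter (5 bits), bits 26..24 MSS index (3 bits), bits 23..0 keyed hash
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the cookie can encode (assumed)
MAX_COOKIE_AGE = 4                    # counter ticks after which a cookie is stale (assumed)


def _hash24(secret, saddr, daddr, sport, dport, count):
    """24-bit keyed hash binding the cookie to the connection 4-tuple and counter."""
    msg = struct.pack(
        "!4s4sHHI",
        ipaddress.IPv4Address(saddr).packed,
        ipaddress.IPv4Address(daddr).packed,
        sport, dport, count & 0xFFFFFFFF,
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, count, client_mss):
    """Server ISN to place in the SYN-ACK; nothing is stored for the connection."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table value not above the client's MSS
        if mss <= client_mss:
            idx = i
    h = _hash24(secret, saddr, daddr, sport, dport, count)
    return ((count & 0x1F) << 27) | (idx << 24) | h


def check_syn_cookie(secret, saddr, daddr, sport, dport, ack_number, current_count):
    """Validate the ACK that completes the handshake. Returns the MSS to use
    for the connection, or None if the cookie is stale or does not verify."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    age = (current_count - (cookie >> 27)) & 0x1F       # ticks since the cookie was issued
    if age >= MAX_COOKIE_AGE:
        return None
    count = current_count - age
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    expected = _hash24(secret, saddr, daddr, sport, dport, count)
    got = cookie & 0xFFFFFF
    # constant-time compare so the check itself leaks nothing about the secret
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    secret = b"constructed-example-secret"        # in practice a random, rotated key
    args = (secret, "198.51.100.7", "203.0.113.10", 40000, 443)
    cookie = make_syn_cookie(*args, count=5, client_mss=1400)
    print("valid ack  ->", check_syn_cookie(*args, cookie + 1, current_count=6))
    print("stale ack  ->", check_syn_cookie(*args, cookie + 1, current_count=5 + MAX_COOKIE_AGE))
    print("forged ack ->", check_syn_cookie(*args, cookie + 2, current_count=6))
```

The cost of the scheme is visible in the code: only a few MSS values can be encoded and the other TCP options offered in the SYN are lost, which is why cookies are normally switched on only once the listen queue fills rather than used for every connection.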

Internet Layer

            The TCP/IP Internet Layer corresponds to Layer 3 of the OSI model, is also referred to as the Network Layer, and is responsible for the logical transmission of data packets over the internet (Tutorialspoint, n.d.). One type of Layer 3 attack is known as a Wormhole attack. In this type of attack, an attacker records packets at one network location and retransmits the data at another location (Wang, Bhargava, Lu, & Wu, 2006). A Wormhole attack operates by using two colluding attackers with a high-speed link between them. To begin, one attacker tunnels the received packets to the other attacker node, which in turn retransmits the packets into the network. The tunnel between these attacking nodes is called a wormhole, from which the attack takes its name. Because this information is being retransmitted, the Integrity aspect of the CIA Triad is affected in this type of attack (Adefemi Alimi et al., 2020). Wormhole attacks are more apt to occur within ad hoc networks because they broadcast in the license-free frequency band, making them popular options. In ad hoc networks, Wormholes exploit the absence of infrastructure, the wireless links between nodes, limited physical protection, the lack of centralized monitoring or management, and resource constraints (Azer et al., 2009). A mitigation recommendation for Wormhole attacks is the use of coordinator algorithms. Establishing this mitigation effort involves successful selection of a coordinator, verification of no other network, and sending a message to all other nodes in the network. In response, all the other nodes send an acknowledgment which includes routing path information, and the coordinator examines this information. Next, the coordinator sends empty packets to the two nodes of the tunnel and waits for an acknowledgement; if a confirmation is received, then the routing path is shared with all other nodes in the network (Prakash et al., 2018).

Network Interface

            Attacks carried out at the TCP/IP Network Interface layer must be accomplished within the local network. At this level, the unit of information placed on the wire is known as the frame, which is comprised of the header, the payload, and the Frame Check Sequence (FCS) (Flylib, n.d.). A common MitM Network Interface attack is called Address Resolution Protocol (ARP) Spoofing. ARP translates IP addresses to Media Access Control (MAC) addresses, and vice versa. Moreover, ARP was not designed with security in mind, so it trusts all information it receives (Imperva, n.d.). When ARP Spoofing occurs, the attacker determines the IP address of a target device on the network, then masks his own device as the target by broadcasting false ARP information. The transmission of faux ARP information causes the attacker's device to be included in the two-way conversation (Flylib, n.d.). Because ARP Spoofing allows interception of messages, it affects both the confidentiality and integrity aspects of the CIA Triad. The best practices available to mitigate ARP Spoofing include using a VPN, static ARP entries, packet filtering, and, last but not least, running an ARP Spoof attack on the network to learn where the flaws exist (Imperva, n.d.).

References

Adefemi Alimi, K. O., Ouahada, K., Abu-Mahfouz, A. M., & Rimer, S. (2020). A Survey on the Security of Low Power Wide Area Networks: Threats, Challenges, and Potential Solutions. Sensors (Basel, Switzerland), 20(20), 5800. https://doi.org/10.3390/s20205800.

Arturai. (n.d.). Types of DDoS Attacks: An explanation of many types of DDoS attacks. Retrieved November 21, 2020, from https://www.arturai.com/en/support/faqs/types-of-ddos-attacks.

Azer, M., El-Kassas, S., & El-Soudani, M. (2009). A Full Image of the Wormhole Attacks Towards Introducing Complex Wormhole Attacks in wireless Ad Hoc Networks. International Journal of Computer Science and Information Security, 1(1), 41-52. Retrieved November 21, 2020, from https://arxiv.org/pdf/0906.1245.pdf.

Cloudflare, Inc. (n.d.). How Do Layer 3 DDoS Attacks Work? | L3 DDoS. Retrieved November 21, 2020, from https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/.

Cloudflare, Inc. (n.d.). What is a Low and Slow Attack? Retrieved November 21, 2020, from https://www.cloudflare.com/learning/ddos/ddos-low-and-slow-attack/.

Eddy, W. (2007, August). RFC 4987 – TCP SYN Flooding. Retrieved November 21, 2020, from https://tools.ietf.org/html/rfc4987.

Flashfxp. (n.d.). Flashfxp. Retrieved November 23, 2020, from https://www.flashfxp.com/.

Flylib. (n.d.). Lesson 2: TCPIP Layers and Vulnerabilities. Retrieved November 23, 2020, from https://flylib.com/books/en/2.902.1.13/1/.

Ghahrai, A. (2019, June 24). Confidentiality, Integrity and Availability. Retrieved November 21, 2020, from https://devqa.io/confidentiality-integrity-availability/.

Guru99. (n.d.). TCP/IP Model: Layers & Protocol | What is TCP IP Stack? Retrieved November 21, 2020, from https://www.guru99.com/tcp-ip-model.html.

Imperva. (n.d.). ARP Spoofing. Retrieved November 23, 2020, from https://www.imperva.com/learn/application-security/arp-spoofing/.

Imperva. (n.d.). DDoS Attacks. Retrieved November 21, 2020, from https://www.imperva.com/learn/ddos/ddos-attacks/.

Infoblox. (n.d.). What is Layer 4 of the OSI Model: Transport Layer? Retrieved November 23, 2020, from https://www.infoblox.com/glossary/layer-4-of-the-osi-model-transport-layer/.

MacVittie, L. (2008, July 08). Layer 4 vs Layer 7 DoS Attack. Retrieved November 21, 2020, from https://devcentral.f5.com/s/articles/layer-4-vs-layer-7-dos-attack.

Muscat, I. (2019, June 06). Mitigate Slow HTTP GET/POST Vulnerabilities in the Apache HTTP Server. Retrieved November 21, 2020, from https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate-apache-http-server/.

Netscout. (n.d.). Low and Slow DDoS Attacks. Retrieved November 21, 2020, from https://www.netscout.com/what-is-ddos/low-slow-attack.

Netscout. (n.d.). SYN Flood DDoS Attacks. Retrieved November 21, 2020, from https://www.netscout.com/what-is-ddos/syn-flood-attacks.

Prakash, R. A., Salem Jeyaseelan, W. R., & Jayasankar, T. (2018). Detection, Prevention and Mitigation of Wormhole Attack in Wireless Adhoc Network by Coordinator. Applied Mathematics & Information Sciences, 12(1), 233-237. doi:10.18576/amis/120123.

PureVPN. (n.d.). What is a Low and Slow Attack? Retrieved November 21, 2020, from https://www.purevpn.com/ddos/low-and-slow-attack.

Rouse, M. (2018, March). Application layer. Retrieved November 23, 2020, from https://searchnetworking.techtarget.com/definition/Application-layer.

Tutorialspoint. (n.d.). The Internet Layer in the TCP/IP Model. Retrieved November 21, 2020, from https://www.tutorialspoint.com/The-Internet-Layer-in-the-TCP-IP-Model.

Wang, W., Bhargava, B., Lu, Y., & Wu, X. (2006). Defending against wormhole attacks in mobile ad hoc networks. Wireless Communications and Mobile Computing, 6, 483-503. doi:10.1002/wcm.292.