Security Threats and Response¶
Overview¶
Network security threats continuously evolve. This chapter covers major network attack types, operating principles, and effective response strategies.
Difficulty: ββββ
Learning Objectives:
- Understand major network attack types and principles
- Identify sniffing, spoofing, and DoS/DDoS attacks
- Learn web security threat concepts (SQL Injection, XSS)
- Understand Intrusion Detection/Prevention Systems (IDS/IPS)
- Establish effective security response strategies
Table of Contents¶
- Network Security Threat Types
- Sniffing
- Spoofing
- DoS/DDoS Attacks
- MITM Attacks
- Web Security Threats
- Intrusion Detection Systems
- Security Response Strategies
- Practice Problems
- Next Steps
- References
1. Network Security Threat Types¶
Threat Classification System¶
```text
Security Threat Classification

Attack types
  Passive attacks
    Eavesdropping, sniffing, traffic analysis
    (gather information without modifying data)
  Active attacks
    Modification, forgery, denial of service
    (directly affect data or systems)

Classification by attack target
  Network layer attacks     : IP spoofing, ICMP flooding, routing attacks
  Transport layer attacks   : TCP SYN flood, UDP flood, session hijacking
  Application layer attacks : SQL injection, XSS, CSRF
```
Major Attack Types Summary¶
| Attack Type | Target | CIA Threat | Layer |
|---|---|---|---|
| Sniffing | Information gathering | Confidentiality | L2-L7 |
| Spoofing | Trust exploitation | Integrity, Authentication | L2-L4 (email spoofing: L7) |
| DoS/DDoS | Service disruption | Availability | L3-L7 |
| MITM | Interception | Confidentiality, Integrity | L2-L7 |
| SQL Injection | Data theft | Confidentiality, Integrity | L7 |
| XSS | User's browser | Confidentiality, Integrity | L7 |
2. Sniffing¶
Sniffing Overview¶
Sniffing is a passive attack that intercepts network traffic to gather information.
```text
Sniffing Attack

Normal communication:
  [Client] ---------------------------------> [Server]
           "User: admin, Password: 1234"

Sniffing attack:
  [Client] ---------------------------------> [Server]
           "User: admin, Password: 1234"
                          | eavesdropping (a copy of the frames)
                          v
                      [Attacker]  "Credentials obtained!"

Obtainable information (when the protocol is not encrypted):
- User account credentials
- Email content
- Financial information
- Session tokens (cookies), which allow hijacking without the password
```
Sniffing Types¶
1. Passive Sniffing (Hub Environment)¶
```text
Hub Environment Sniffing

A hub repeats every frame on every port

             [Hub] (sends each frame to all ports)
          /    |     |      \
      [PC A] [PC B] [PC C] [Attacker D]
                             receives all traffic; a NIC in promiscuous
                             mode captures frames addressed to other hosts

* Hubs are rarely used today; switched networks require the active techniques below
```
2. Active Sniffing (Switch Environment)¶
```text
Switch Environment Sniffing Techniques

A switch forwards each frame only to the port its MAC (CAM) table lists for the
destination address, so an attacker needs an extra step to see other hosts' traffic:

1. ARP spoofing / poisoning
   - Send forged ARP replies so the victims' ARP caches map the gateway (or another
     host) to the attacker's MAC. Note that this poisons the hosts' ARP caches, not
     the switch's MAC table.
   - Traffic is then relayed through the attacker

2. MAC flooding
   - Fill the switch's CAM table with bogus source MAC addresses
   - Once the table is full, the switch floods unknown-destination frames to all
     ports and behaves like a hub

3. SPAN / mirror port
   - Abuse the switch's monitoring port (insider threat, or a compromised switch
     management account)

4. DHCP spoofing
   - A rogue DHCP server hands out the attacker as the default gateway and/or DNS server
```
ARP Spoofing Detail¶
```text
ARP Spoofing Attack

Normal state:
  [Victim PC]                           [Gateway]
  IP:  192.168.1.10                     IP:  192.168.1.1
  MAC: AA:AA:AA  <-- normal traffic -->  MAC: BB:BB:BB

After ARP spoofing:
  [Victim PC]        [Attacker]           [Gateway]
  192.168.1.10       192.168.1.100        192.168.1.1
  AA:AA:AA           CC:CC:CC             BB:BB:BB

  Attacker sends unsolicited (gratuitous) ARP replies:
    to the victim : "192.168.1.1 is at CC:CC:CC"
    to the gateway: "192.168.1.10 is at CC:CC:CC"

  Victim's ARP cache:                    Gateway's ARP cache:
    192.168.1.1  -> CC:CC:CC (poisoned)    192.168.1.10 -> CC:CC:CC (poisoned)

  [Victim] --> [Attacker: relays, eavesdrops, modifies] --> [Gateway]

The attacker must keep re-sending the forged replies (ARP caches expire) and must
forward the traffic it receives; if it does not, the victim loses connectivity,
which is itself a detection signal.
```
Sniffing Countermeasures¶
| Countermeasure | Description |
|---|---|
| Use encryption | HTTPS, SSH, VPN encrypted communication |
| Dynamic ARP Inspection (DAI) | Verify ARP packets on switch |
| Static ARP table | Fix ARP entries for critical servers |
| 802.1X | Port-based network access control |
| Network segregation | Isolate sensitive traffic with VLANs |
| IDS/IPS | Detect abnormal ARP traffic |
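The DAI and "ARP watch" countermeasures above boil down to one check: does the MAC a host claims in an ARP reply match what the network already knows about that IP? The following is an added example (not code from the original page) that runs that check over a constructed ARP reply trace. It applies a trusted IP-to-MAC binding table when one exists, the way Dynamic ARP Inspection uses the DHCP snooping database, and falls back to arpwatch-style learning (alert when a known IP "flip-flops" to a new MAC) for hosts it has no binding for. The binding table, the MAC addresses and the trace are all assumed values for this example.

```python
"""ARP cache poisoning detector over a constructed ARP reply trace.

Added example, not from the original page. Two detection modes:
  - DAI style: compare each reply against a trusted IP->MAC table (assumed here;
    a switch would take it from DHCP snooping or static configuration).
  - arpwatch style: for IPs without a trusted binding, learn the first MAC seen
    and alert when it changes ("flip-flop").
"""
from collections import defaultdict

# Assumed trusted bindings (what DHCP snooping / a static table would hold).
TRUSTED_BINDINGS = {
    "192.168.1.1": "bb:bb:bb:bb:bb:bb",    # gateway
    "192.168.1.10": "aa:aa:aa:aa:aa:aa",   # victim PC
    "192.168.1.100": "cc:cc:cc:cc:cc:cc",  # attacker's own, legitimate binding
}

# Constructed ARP replies: (seconds, sender_ip, sender_mac, target_ip).
ARP_TRACE = [
    (0.0, "192.168.1.1", "bb:bb:bb:bb:bb:bb", "192.168.1.10"),   # legitimate
    (1.0, "192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.1"),   # legitimate
    (2.0, "192.168.1.20", "dd:dd:dd:dd:dd:dd", "192.168.1.1"),   # unknown host, learned
    (5.0, "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.10"),   # poison: gateway -> attacker MAC
    (5.0, "192.168.1.10", "cc:cc:cc:cc:cc:cc", "192.168.1.1"),   # poison: victim -> attacker MAC
    (6.0, "192.168.1.20", "cc:cc:cc:cc:cc:cc", "192.168.1.1"),   # poison of the learned host
    (7.0, "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.10"),   # attacker re-sends (caches expire)
]


def detect_arp_spoofing(trace, trusted):
    """Return alerts as (time, kind, ip, expected_mac, observed_mac)."""
    alerts = []
    learned = {}  # ip -> first MAC observed, for hosts without a trusted binding
    for t, sender_ip, sender_mac, _target_ip in trace:
        sender_mac = sender_mac.lower()
        expected = trusted.get(sender_ip)
        if expected is not None:
            # DAI mode: a reply that contradicts the binding table is dropped and logged.
            if sender_mac != expected.lower():
                alerts.append((t, "binding-mismatch", sender_ip, expected, sender_mac))
            continue
        # arpwatch mode: remember the first MAC, alert on any later change.
        first = learned.setdefault(sender_ip, sender_mac)
        if first != sender_mac:
            alerts.append((t, "flip-flop", sender_ip, first, sender_mac))
    return alerts


def suspected_attacker_macs(alerts):
    """One MAC claiming several IPs is the classic poisoning fingerprint."""
    claimed = defaultdict(set)
    for _t, _kind, ip, _expected, observed in alerts:
        claimed[observed].add(ip)
    return {mac for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    found = detect_arp_spoofing(ARP_TRACE, TRUSTED_BINDINGS)
    for alert in found:
        print(alert)
    print("suspected attacker MAC(s):", suspected_attacker_macs(found))
```

On a real network the trace comes from a capture filter such as `arp` on a mirror port, and the learned table needs an expiry so that legitimate NIC replacements and DHCP reassignments do not raise permanent alerts; the binding-table mode has no such problem, which is why DAI is preferred where DHCP snooping is available.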
3. Spoofing¶
Spoofing Overview¶
Spoofing is an attack that forges identity to exploit trust.
```text
Spoofing Types

IP spoofing    : forge the source IP address of a packet
MAC spoofing   : forge the source MAC address of a frame
ARP spoofing   : poison IP-to-MAC mappings with forged ARP replies
DNS spoofing   : answer lookups with forged DNS responses that point to a malicious server
Email spoofing : forge the sender address (From header or envelope sender) of a message
```
IP Spoofing¶
```text
IP Spoofing

  [Attacker]                                  [Server]
  Real IP: 10.0.0.100                         192.168.1.1

     Forged packet:
       Source: 192.168.1.50  (forged; an address the server trusts)
       Dest:   192.168.1.1
     ----------------------------------------->

     The reply goes to the forged source, not to the attacker:
  [Victim 192.168.1.50] <-------------------- [Server]

Use cases:
- DoS: reflection/amplification attacks, where the victim's address is the forged source
- Bypassing IP-based access control
- Evading logging and attribution

Limitations:
- A TCP 3-way handshake is hard to complete blind: the SYN-ACK, and the server's
  sequence number the attacker must acknowledge, go to the forged address
- Responses cannot be received unless the attacker also sits on the reply path
  (for example after ARP spoofing on the same LAN)
```
DNS Spoofing¶
```text
DNS Spoofing

Normal DNS lookup:
  [User] --"bank.com?"--> [DNS Server] --query--> (authoritative servers)
  [User] <--"1.2.3.4"---- [DNS Server]
  [User] -----------------------------------------> [bank.com, 1.2.3.4]

DNS spoofing attack:
  [User] --"bank.com?"--> [DNS Server]
  [User] <--"9.9.9.9"---- [Attacker]   forged reply that matches the query's transaction ID,
                                       source port and question, and arrives before the
                                       real one (the late genuine reply is discarded)
  [User] -----------------------------------------> [Malicious server, 9.9.9.9] (phishing site)

Attack methods:
1. Rewrite DNS replies in transit after ARP spoofing (on-path attacker)
2. DNS cache poisoning of a resolver (off-path: the forged reply has to guess the
   16-bit transaction ID and the resolver's source port)
3. Modify the local hosts file
4. Rogue DNS server handed out by DHCP spoofing
```
Spoofing Countermeasures¶
| Spoofing Type | Countermeasure |
|---|---|
| IP Spoofing | Ingress/egress filtering, BCP38 |
| MAC Spoofing | 802.1X, port security |
| ARP Spoofing | DAI, static ARP, ARP watch |
| DNS Spoofing | DNSSEC, DoH/DoT, DNS monitoring |
| Email Spoofing | SPF, DKIM, DMARC |
4. DoS/DDoS Attacks¶
DoS Overview¶
DoS (Denial of Service) attacks disrupt normal services by exhausting system or network resources.
```text
DoS vs DDoS

DoS (single source)                      DDoS (distributed sources)

  [Attacker]                               [Attacker] (command and control)
      |                                    /    |     |    \
      v                               [Bot] [Bot] [Bot] [Bot]  (botnet)
  [Target]                                 \    |     |    /
                                                 v
                                              [Target]

Features:                                Features:
- can be stopped by blocking one IP      - many sources; blocking individual IPs does not help
- limited by the attacker's bandwidth    - uses botnets (compromised PCs, IoT devices)
                                         - generates very large traffic volumes
```
DoS Attack Types¶
1. TCP SYN Flood¶
```text
TCP SYN Flood

Normal TCP 3-way handshake:

  [Client]                          [Server]
     | ---- SYN --------------------> |  allocate a connection-table entry,
     | <--- SYN-ACK ----------------- |  wait for the final ACK
     | ---- ACK --------------------> |  connection established

SYN flood attack:

  [Attacker]                        [Server]
     | ---- SYN (forged source) ----> |
     | ---- SYN (forged source) ----> |  half-open connections accumulate:
     | ---- SYN (forged source) ----> |  the SYN-ACK goes to the forged address,
     | ---- SYN (forged source) ----> |  nobody answers it, and each entry stays
     :         x 1000s                |  until the retransmission timer gives up
                                      |
                             connection table full
                             -> legitimate SYNs are dropped

Countermeasures: SYN cookies (keep no state until the ACK proves the client can
receive), half-open connection limits and shorter SYN-RECEIVED timeouts,
firewall/upstream filtering
```
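SYN cookies are the countermeasure worth seeing in code, because they change the server's state model rather than just adding a limit. The block below is an added example (not code from the original page): the server encodes a time slot, an MSS index and a keyed hash of the 4-tuple into the initial sequence number it sends in the SYN-ACK, stores nothing, and only reconstructs the connection when a final ACK arrives whose acknowledgement number proves the client actually received that SYN-ACK. The bit layout, the MSS table and the secret are simplified assumptions modelled loosely on the Linux scheme, not the kernel's exact algorithm.

```python
"""Simplified SYN cookie: a stateless handshake defence against SYN floods.

Added example, not from the original page. Cookie layout (the 32-bit ISN),
a simplified version of the Linux scheme, assumed for this example:
  bits 31..27  time slot (minute counter mod 32)
  bits 26..24  index into MSS_TABLE (we keep no state, so the MSS rides in the cookie)
  bits 23..0   HMAC over (saddr, daddr, sport, dport, time slot), truncated to 24 bits
"""
import hashlib
import hmac
import ipaddress
import struct

# Assumed MSS table (the kernel uses a similar small table of common values).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(secret, saddr, daddr, sport, dport, t):
    """Keyed hash of the 4-tuple plus time slot, truncated to 24 bits."""
    msg = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHI", sport, dport, t))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, mss, t):
    """On SYN: compute the ISN for the SYN-ACK. No connection-table entry is created."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(secret, saddr, daddr, sport, dport, t)


def check_syn_cookie(secret, saddr, daddr, sport, dport, ack, now_t, max_age=2):
    """On the final ACK: the client acknowledges ISN+1, so the cookie is ack-1.

    Returns the MSS to use when the cookie is genuine and at most max_age slots
    old; otherwise None, and the ACK is dropped like any stray or forged segment.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    for age in range(max_age + 1):
        t = now_t - age
        if (t & 0x1F) != slot:
            continue
        if (cookie & 0xFFFFFF) == _mac24(secret, saddr, daddr, sport, dport, t):
            return MSS_TABLE[idx]
    return None


def handshake_demo():
    """A real client completes the handshake; a blind attacker cannot forge a valid ACK."""
    secret = b"assumed-per-boot-secret"   # assumed; kernels rotate this
    t = 27_000_000                        # minute counter, assumed value
    isn = make_syn_cookie(secret, "192.168.1.50", "192.168.1.1", 40000, 443, 1460, t)
    # Genuine client: it received the SYN-ACK, so it knows isn and sends ACK = isn + 1.
    accepted = check_syn_cookie(secret, "192.168.1.50", "192.168.1.1", 40000, 443, isn + 1, t + 1)
    # Spoofing attacker never saw isn; a guess off by even one bit fails the hash check.
    forged = check_syn_cookie(secret, "192.168.1.50", "192.168.1.1", 40000, 443, (isn ^ 1) + 1, t + 1)
    return accepted, forged


if __name__ == "__main__":
    print(handshake_demo())  # (1460, None)
```

Two caveats a practitioner should keep in mind: the cookie has only 24 bits of hash, so the time-slot window must stay short, and because the server kept no state it loses any TCP options (SACK, window scaling) the SYN carried, which is why Linux enables cookies only once the SYN backlog actually overflows.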
2. UDP Flood¶
```text
UDP Flood

  [Attacker / botnet]
        | large volume of UDP datagrams to random ports (often with spoofed sources)
        v
  [Target server]
    for each datagram: look up the port -> no listener -> send ICMP "port unreachable"
    the lookups, the ICMP replies and the raw volume exhaust CPU and link bandwidth

Features:
- Exploits a connectionless protocol: no handshake, so nothing throttles the sender
- Bandwidth saturation is the usual goal
- Source IP spoofing is trivial

Countermeasures: rate limiting, blackhole routing, exposing as few UDP services as
possible, upstream scrubbing
```
3. Amplification Attacks¶
```text
Amplification Attacks (DNS, NTP)

DNS amplification:

  [Attacker] -- small request (~60 bytes), source address forged as the victim --> [Open resolver]
  [Open resolver] -- large response (~3000 bytes) -----------------------------> [Victim]
  Amplification ratio: about 50x; thousands of open resolvers can be used at once (reflection)

  Protocol    Amplification    Port
  DNS         28-54x           UDP 53
  NTP         556x             UDP 123 (monlist)
  SSDP        30x              UDP 1900
  Memcached   up to 51,000x    UDP 11211

Countermeasures:
- Do not run open resolvers (recursion only for your own clients); disable NTP monlist;
  keep memcached off the Internet
- BCP38 ingress filtering at ISPs, so forged source addresses never leave the
  attacker's network
- Response Rate Limiting (RRL) on authoritative servers
```
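BCP38 is listed as a countermeasure for both IP spoofing and amplification, and it is simple enough to show exactly. The block below is an added example (not code from the original page) of the decision an ISP edge router makes under BCP38: a packet arriving on a customer interface is forwarded only if its source address lies in a prefix assigned to that customer, so the "Source: Victim IP" request in the diagram above is dropped at the attacker's own uplink rather than reaching the open resolver. Interface names, customer prefixes and the sample packets are assumed values (documentation address ranges).

```python
"""BCP38 ingress (source address) filtering over constructed packets.

Added example, not from the original page. Models strict-mode source
verification on a provider edge: forward a packet from a customer interface
only when its source belongs to that customer's assigned prefixes.
Interfaces, prefixes and packets are assumed values.
"""
import ipaddress

# Assumed: prefixes assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ("203.0.113.0/24",),
    "ge-0/0/2": ("198.51.100.0/25", "2001:db8:1::/48"),
}
_NETWORKS = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in CUSTOMER_PREFIXES.items()
}


def bcp38_permit(interface, src_ip):
    """True if a packet with this source may enter from this interface."""
    addr = ipaddress.ip_address(src_ip)
    nets = _NETWORKS.get(interface)
    if nets is None:
        return False  # interface has no assigned prefixes: deny by default
    return any(addr.version == net.version and addr in net for net in nets)


# Constructed packets: (ingress interface, source IP, destination IP).
PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.53"),            # legitimate customer traffic
    ("ge-0/0/1", "192.168.1.50", "192.0.2.53"),           # forged source: the reflection victim
    ("ge-0/0/2", "198.51.100.200", "192.0.2.1"),          # .200 is outside the /25: forged
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::53"),   # legitimate IPv6 traffic
    ("ge-0/0/2", "2001:db8:2::5", "2001:db8:ffff::53"),   # another customer's prefix: forged
    ("ge-0/0/9", "203.0.113.7", "192.0.2.53"),            # unknown interface: denied by default
]


def apply_filter(packets):
    """Split packets into (forwarded, dropped) according to the BCP38 check."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if bcp38_permit(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = apply_filter(PACKETS)
    print("forwarded:", fwd)
    print("dropped  :", drop)
```

On real routers this is unicast Reverse Path Forwarding in strict mode (the source must be reachable back through the ingress interface); loose mode only checks that some route to the source exists and therefore does not stop spoofing of any routable address. Strict mode must be relaxed on interfaces with asymmetric routing, which is the usual operational reason BCP38 is not deployed everywhere.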
DDoS Attack Response¶
```text
DDoS Defense Strategy

Layered defense (traffic flows top to bottom):

  [Internet]
      |
  1. CDN / cloud-based protection (Cloudflare, AWS Shield, Akamai)
     - anycast distribution absorbs bandwidth; volumetric floods never reach the origin
      |
  2. ISP-level filtering
     - blackhole routing of the targeted prefix (last resort: it completes the DoS for that prefix)
     - upstream filtering / scrubbing
      |
  3. On-premise equipment
     - DDoS mitigation appliances
     - firewall / IPS (protocol floods such as SYN floods)
      |
  4. Application level
     - rate limiting
     - CAPTCHA
     - WAF (application-layer floods such as HTTP request floods)
```
5. MITM Attacks¶
MITM Overview¶
MITM (Man-in-the-Middle) attacks intercept communication between two parties to eavesdrop or modify.
```text
MITM Attack

Normal communication:
  [Client] <-------- direct connection --------> [Server]

MITM attack:
  [Client] <-- connection 1 --> [Attacker] <-- connection 2 --> [Server]
     | --"Transfer"-->              |                               |
     |                              | --"Transfer" (may be modified)--> |
     |                              | <--"Done"--                   |
     | <--"Done"--                  |                               |

  The client believes it is talking to the server and vice versa; the attacker
  terminates both connections and relays between them.

Attacker capabilities:
- Eavesdrop on all communication
- Modify data in transit
- Hijack sessions (steal cookies or tokens)
```
MITM Attack Techniques¶
1. SSL Stripping¶
```text
SSL Stripping

Downgrade an HTTPS connection to HTTP

  [Client]                  [Attacker (on path)]            [Server]
     | --HTTP request-->         |                              |
     |  (typed hostname or       | --HTTPS request-----------> |
     |   http:// link)           |                              |
     | <--HTTP response--        | <--HTTPS response---------- |
     |  (plaintext; https://     |  (encrypted)                 |
     |   links rewritten to      |                              |
     |   http://)                | keeps both connections open, |
     |                           | relays and reads everything  |

The attack needs the client's first request to be plain HTTP. The attacker then
serves the site over HTTP and keeps rewriting links, so the client never starts
TLS and never sees a certificate warning.

Countermeasures:
- HSTS (HTTP Strict Transport Security), ideally on the browser preload list so
  that even the first visit is protected
- Browser HTTPS-only mode (the role formerly played by the HTTPS Everywhere extension)
- Users checking for the padlock / https:// in the address bar (weak: most users
  do not notice its absence)
```
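HSTS defeats stripping because the decision to use TLS moves from the page content (which the attacker controls) into the browser (which the attacker does not). The block below is an added example (not code from the original page) that models just that part of a browser: it accepts `Strict-Transport-Security` only over a TLS connection, remembers the policy until `max-age` expires, honours `includeSubDomains`, and upgrades a later `http://` navigation before any request leaves the machine. The host names, header value and timestamps are assumed values; the scenario function walks through the two visits in the diagram above.

```python
"""Browser-side HSTS store: why SSL stripping fails on the second visit.

Added example, not from the original page. Host names and times are assumed.
"""


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Per RFC 6797 an unparsable max-age makes the whole header invalid,
    so that case returns an empty dict.
    """
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}
            value = int(value)
        directives[name] = value
    return directives


class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, host, header, now, over_tls):
        """Record a policy from a response; returns True if the header was accepted."""
        if not over_tls:
            return False  # browsers ignore HSTS received over plain HTTP
        d = parse_hsts(header)
        if "max-age" not in d:
            return False
        host = host.lower()
        if d["max-age"] == 0:
            self.policies.pop(host, None)  # max-age=0 removes the policy
            return True
        self.policies[host] = (now + d["max-age"], "includesubdomains" in d)
        return True

    def should_upgrade(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False


def navigate(store, url, now):
    """Return the scheme the browser actually uses for a typed or clicked URL."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http" and store.should_upgrade(host, now):
        return "https"
    return scheme


def ssl_strip_scenario():
    """Two visits to the bank through an SSL-stripping attacker (constructed)."""
    store = HstsStore()
    header = "max-age=31536000; includeSubDomains"
    # Visit 1: the user types the bare hostname, the request goes out as http://,
    # and the on-path attacker strips TLS. The downgraded response cannot install
    # a policy because it did not arrive over TLS.
    first = navigate(store, "http://bank.example/login", now=1_000)
    store.learn("bank.example", header, now=1_000, over_tls=False)
    # Later the user reaches the real site over TLS on a clean network and learns the policy.
    store.learn("bank.example", header, now=2_000, over_tls=True)
    # Visit 2 on the hostile network: the browser upgrades before sending anything,
    # so there is no plaintext request for the attacker to rewrite.
    second = navigate(store, "http://www.bank.example/login", now=3_000)
    return first, second
```

The first visit is exactly the gap the HSTS preload list closes: browsers ship with the policy built in, so there is no unprotected first request at all.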
2. Wi-Fi MITM (Evil Twin)¶
```text
Evil Twin Attack

  [Real AP]               [Evil Twin]                  [Victim]
  SSID: CafeWiFi          SSID: CafeWiFi               smartphone
  signal: weak            signal: strong (closer)  <-- connects to the stronger signal
                               |
                          attacker laptop: packet capture, DNS spoofing, phishing pages
                               |
                          real Internet connection (the victim notices nothing)

Countermeasures:
- Use a VPN (traffic is encrypted end to end through the attacker's AP)
- Be cautious with public Wi-Fi
- 802.1X authentication (WPA2/WPA3-Enterprise): the client verifies the authentication
  server's certificate, so a rogue AP cannot impersonate the network; on an open
  network there is no way to tell the two APs apart
```
MITM Countermeasures¶
| Countermeasure | Description |
|---|---|
| Use TLS/SSL | End-to-end encryption prevents eavesdropping |
| Certificate validation | Verify server certificate validity |
| HSTS | Force HTTPS usage |
| Certificate Pinning | Allow only specific certificates |
| VPN | Use tunnels on public networks |
| 2FA | Limits what a stolen password is worth; note that a real-time MITM can relay OTP codes, so phishing-resistant MFA (FIDO2/WebAuthn, which binds the credential to the origin) is the stronger choice |
6. Web Security Threats¶
SQL Injection¶
```text
SQL Injection

Vulnerable code example:

  query = "SELECT * FROM users WHERE id = '" + user_input + "'"

Normal input:
  user_input = "123"
  query = "SELECT * FROM users WHERE id = '123'"

Malicious input:
  user_input = "' OR '1'='1"
  query = "SELECT * FROM users WHERE id = '' OR '1'='1'"
  -> the WHERE clause is always true: every user row is returned

More dangerous attack (stacked query):
  user_input = "'; DROP TABLE users;--"
  query = "SELECT * FROM users WHERE id = ''; DROP TABLE users;--'"
  -> the table is deleted; "--" comments out the trailing quote.
     Only possible where the DBMS and driver allow several statements per call.

Attack types:
  In-band SQLi     : results are returned directly in the response (UNION- or error-based)
  Blind SQLi       : information extracted bit by bit from true/false responses or timing
  Out-of-band SQLi : results exfiltrated via another channel (e.g. DNS or HTTP requests
                     made by the database server)

Countermeasures:
- Prepared statements (parameterized queries): the primary, reliable fix
- Input validation and escaping as defence in depth, not as the main control
- Least-privilege DB accounts (the application's account should not be able to DROP tables)
- WAF as an additional layer
```
Safe Code Examples¶
```python
# Vulnerable code (Python, DB-API driver with the "format" paramstyle, e.g. psycopg2 or MySQLdb).
# String formatting splices user_id into the SQL text, so quotes in user_id change the query.
cursor.execute("SELECT * FROM users WHERE id = '%s'" % user_id)

# Safe code (prepared statement / parameterized query): the driver sends user_id as a
# value, never as SQL text. %s is the driver's placeholder here; sqlite3 uses ? instead.
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

```java
// Vulnerable code (Java): userId is concatenated into the SQL text
String query = "SELECT * FROM users WHERE id = '" + userId + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);

// Safe code (PreparedStatement): the ? is bound as a value, so quotes in userId cannot alter the query
String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement pstmt = conn.prepareStatement(query);
pstmt.setString(1, userId);
ResultSet rs = pstmt.executeQuery();
```
XSS (Cross-Site Scripting)¶
```text
XSS Attack

Stored XSS

  1. [Attacker] --post containing a script--> [Web server / DB]
       Post body: <script>malicious code</script>
  2. [Victim] --request page--> [Web server]
  3. [Victim] <--response containing the stored script-- [Web server]
       The script runs in the victim's browser, in the site's origin
       -> cookie theft, session hijacking, actions performed as the victim

Reflected XSS

  Attack URL: http://example.com/search?q=<script>malicious</script>

  1. [Attacker] --send malicious URL (mail, chat)--> [Victim]
  2. [Victim] --click URL--> [Web server]
  3. [Web server] --echoes the search term into the page unescaped--> [Victim]
       The script runs in the victim's browser

(A third variant, DOM-based XSS, never reaches the server: client-side JavaScript
writes attacker-controlled data such as location.hash into the page.)

Countermeasures:
- Context-aware output encoding (HTML entity encoding in HTML body and attribute
  contexts; JavaScript and URL encoding in those contexts)
- Input validation (allow-lists where possible)
- CSP (Content Security Policy) to block inline scripts and untrusted script sources
- HttpOnly cookies so injected script cannot read the session cookie (the script can
  still issue requests as the user while the page is open)
```
CSRF (Cross-Site Request Forgery)¶
```text
CSRF Attack

Exploit the user's logged-in state to make the browser send requests the user did not intend

  [Victim]                 [Malicious site]                 [Bank]
  (logged into bank)                                        bank.com
     | --visit page-->          |                               |
     |                          |                               |
     |   hidden request in the page:                            |
     |   <img src="http://bank.com/transfer?to=attacker&amount=10000">
     |                                                          |
     | ------------- request, browser attaches the session cookie ------------> |
     |               (the bank sees a legitimate-looking request)               |
     |                                                   transfer to attacker  |
     |                                                   account completed     |

The example uses a state-changing GET. An application that only accepts POST is
not safe by itself: the attacker's page can auto-submit a hidden form instead.

Countermeasures:
- CSRF tokens (synchronizer or double-submit token the attacker's page cannot read)
- SameSite cookies (Lax or Strict), so the browser does not attach the session cookie
  to cross-site requests
- Origin / Referer header validation
- Re-authentication for critical actions
```
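The transfer endpoint in the diagram, hardened with the first three countermeasures, as an added example (not code from the original page). The token is a synchronizer token derived as an HMAC of the session id under a server secret, so it is bound to the session, needs no server-side storage, and cannot be read by a page on another origin; the attacker's page can make the browser *send* the bank's cookie but cannot *read* the token out of the bank's pages. `SERVER_SECRET`, the allowed origin, the session id and the request dicts are assumed values constructed for this example.

```python
"""CSRF defence for a bank transfer: synchronizer token + Origin/Referer check.

Added example, not from the original page. Secret, origin, session id and
request dicts are assumed values.
"""
import hashlib
import hmac

SERVER_SECRET = b"assumed-server-secret-load-from-config"  # assumed; keep out of source
ALLOWED_ORIGINS = {"https://bank.example"}

# Attributes the bank should set on its session cookie. SameSite=Lax already stops
# the browser from attaching the cookie to cross-site POSTs and to <img> requests.
SESSION_COOKIE_ATTRIBUTES = "Secure; HttpOnly; SameSite=Lax"


def csrf_token(session_id):
    """Token bound to the session; embedded in the bank's own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted):
    # compare_digest: constant-time comparison, no timing side channel on the token.
    return bool(submitted) and hmac.compare_digest(csrf_token(session_id), submitted)


def origin_allowed(headers):
    """Prefer Origin; fall back to Referer; reject when neither identifies our site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin in ALLOWED_ORIGINS
    referer = headers.get("Referer", "")
    return any(referer.startswith(o + "/") for o in ALLOWED_ORIGINS)


def authorize_transfer(request):
    """request = {"method", "cookies", "headers", "form"}; returns (allowed, reason)."""
    if request["method"] != "POST":
        return False, "state-changing action must not be reachable via GET"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "not logged in"
    if not origin_allowed(request["headers"]):
        return False, "cross-site origin"
    if not csrf_token_valid(session_id, request["form"].get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


SESSION = "sess-7f3a"  # assumed session id of the logged-in victim


def scenarios():
    """The diagram's attack and its variants against the hardened endpoint."""
    legit = {"method": "POST", "cookies": {"session": SESSION},
             "headers": {"Origin": "https://bank.example"},
             "form": {"to": "alice", "amount": "100", "csrf_token": csrf_token(SESSION)}}
    img_tag = {"method": "GET", "cookies": {"session": SESSION},
               "headers": {"Referer": "https://evil.example/"},
               "form": {"to": "attacker", "amount": "10000"}}
    hidden_form = {"method": "POST", "cookies": {"session": SESSION},
                   "headers": {"Origin": "https://evil.example"},
                   "form": {"to": "attacker", "amount": "10000", "csrf_token": "guess"}}
    no_token = {"method": "POST", "cookies": {"session": SESSION},
                "headers": {"Origin": "https://bank.example"},
                "form": {"to": "attacker", "amount": "10000"}}
    cases = [("legit", legit), ("img_tag", img_tag), ("hidden_form", hidden_form), ("no_token", no_token)]
    return {name: authorize_transfer(req) for name, req in cases}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:12s} -> {verdict}")
```

The Origin check alone would already reject the hidden-form case, and SameSite=Lax alone would leave the cookie off the cross-site POST; the token is what still holds when a browser strips Origin or an older client ignores SameSite, which is why the three are layered rather than treated as alternatives.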
7. Intrusion Detection Systems¶
IDS/IPS Overview¶
```text
IDS vs IPS

IDS (Intrusion Detection System): detection only

  [Internet] ------> [Firewall] ------> [Internal network]
                         | copy of the traffic (SPAN/mirror port or TAP)
                         v
                       [IDS]  detection and alerting; it cannot drop packets

IPS (Intrusion Prevention System): detection + blocking

  [Internet] ---> [Firewall] ---> [IPS] ---> [Internal network]
                                  inline: every packet passes through it, so it can
                                  drop traffic (and adds latency and a point of failure)
```
IDS Types¶
| Type | Description | Pros | Cons |
|---|---|---|---|
| NIDS | Network traffic analysis | Monitor all traffic | Difficult to analyze encrypted traffic |
| HIDS | Host activity analysis | Detailed analysis possible | Must install on each host |
| Signature-based | Match known patterns | Accurately detect known attacks | Cannot detect zero-day |
| Anomaly detection | Detect deviations from normal | Can detect new attacks | High false positives |
IDS/IPS Signature Examples (Snort)¶
```text
Snort Rule Examples

# Local rules use SIDs of 1,000,000 and above; lower SIDs are reserved for the
# official rule sets. Keyword-only rules like these are illustrative: they also
# match plenty of legitimate traffic, so production rules restrict themselves to
# client requests (flow:to_server,established) and to the HTTP buffers
# (http_uri / http_client_body) instead of the raw stream.

# SQL injection detection
alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; \
    flow:to_server,established; \
    content:"SELECT"; nocase; content:"FROM"; nocase; content:"WHERE"; nocase; \
    classtype:web-application-attack; sid:1000001; rev:1;)

# XSS attack detection
alert tcp any any -> any 80 (msg:"XSS Attack Attempt"; \
    flow:to_server,established; content:"<script>"; nocase; \
    classtype:web-application-attack; sid:1000002; rev:1;)

# Port scan heuristic: 5 bare SYNs from one source within 60 s. This is very
# noisy (any client opening five connections trips it). "threshold" is the legacy
# rule option; Snort 2.9 prefers detection_filter with the same arguments, and
# real scan detection is done by the sfPortscan preprocessor (Snort 2) or the
# port_scan inspector (Snort 3).
alert tcp any any -> any any (msg:"Possible Port Scan"; flags:S; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:attempted-recon; sid:1000003; rev:1;)

Rule structure:
[Action] [Protocol] [Source IP] [Source Port] -> [Dest IP] [Dest Port] (options;)
```
SIEM (Security Information and Event Management)¶
```text
SIEM System

Log collection
  [FW]  [IDS]  [Servers]  [DB]  [Apps]  [AD]   --> forwarded to the SIEM
                      |
                      v
SIEM engine:  normalize -> correlate -> anomaly detection -> alerts / dashboards
                      |
                      v
Security response
  - real-time alerts
  - incident investigation
  - compliance reports
  - forensic analysis

Major SIEM products: Splunk, IBM QRadar, Elastic SIEM, Microsoft Sentinel
```
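The "correlate" step is what separates a SIEM from a log archive, so here is one correlation rule worked through in code. This is an added example (not code from the original page): it parses constructed SSH authentication log lines, raises a `brute-force` alert when one source produces five or more failures within a 60-second window, and escalates to `brute-force-success` when that same source then logs in successfully within five minutes. The log lines, hostnames and addresses are constructed for this example, and the thresholds are assumed tuning values.

```python
"""SIEM-style correlation over constructed SSH log lines: brute force, then success.

Added example, not from the original page. Log lines and thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in the usual sshd format with ISO timestamps.
LOG_LINES = """\
2024-05-01T10:00:01Z host1 sshd[1001]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2024-05-01T10:00:03Z host1 sshd[1002]: Failed password for admin from 198.51.100.7 port 40002 ssh2
2024-05-01T10:00:05Z host1 sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
2024-05-01T10:00:07Z host1 sshd[1004]: Failed password for admin from 198.51.100.7 port 40004 ssh2
2024-05-01T10:00:09Z host1 sshd[1005]: Failed password for admin from 198.51.100.7 port 40005 ssh2
2024-05-01T10:00:11Z host1 sshd[1006]: Failed password for admin from 198.51.100.7 port 40006 ssh2
2024-05-01T10:00:30Z host1 sshd[1007]: Accepted password for admin from 198.51.100.7 port 40007 ssh2
2024-05-01T10:05:00Z host1 sshd[1020]: Failed password for bob from 203.0.113.9 port 5000 ssh2
2024-05-01T10:05:02Z host1 sshd[1021]: Accepted password for bob from 203.0.113.9 port 5001 ssh2
2024-05-01T10:10:00Z host1 sshd[1030]: Failed password for admin from 203.0.113.50 port 6000 ssh2
2024-05-01T10:13:00Z host1 sshd[1031]: Failed password for admin from 203.0.113.50 port 6001 ssh2
2024-05-01T10:16:00Z host1 sshd[1032]: Failed password for admin from 203.0.113.50 port 6002 ssh2
2024-05-01T10:19:00Z host1 sshd[1033]: Failed password for admin from 203.0.113.50 port 6003 ssh2
2024-05-01T10:22:00Z host1 sshd[1034]: Failed password for admin from 203.0.113.50 port 6004 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_event(line):
    """Normalize one line into (timestamp, result, user, ip); None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["result"], m["user"], m["ip"]


def correlate(lines, threshold=5, window_s=60, success_window_s=300):
    """Sliding-window correlation keyed by source IP; returns (kind, ip, user, iso_time) alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    flagged_at = {}                       # ip -> time the brute-force alert fired
    for event in filter(None, map(parse_event, lines)):
        ts, result, user, ip = event
        if result == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged_at:
                flagged_at[ip] = ts
                alerts.append(("brute-force", ip, user, ts.isoformat()))
        else:
            started = flagged_at.get(ip)
            if started is not None and (ts - started).total_seconds() <= success_window_s:
                alerts.append(("brute-force-success", ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(alert)
```

The slow source 203.0.113.50 shows the rule's blind spot: five failures spread three minutes apart never share a window, so password spraying that stays under the rate needs a second rule keyed by target account or by distinct-user count rather than by source.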
8. Security Response Strategies¶
Security Operations Cycle¶
```text
Security Operations Cycle (NIST Cybersecurity Framework core functions)

   Identify --> Protect --> Detect --> Respond --> Recover
      ^                                             |
      +---------------------------------------------+
             (lessons learned feed the next cycle)

  Identify : know the assets, risks and threats
  Protect  : controls that prevent or limit impact
  Detect   : monitoring that finds events quickly (IDS/IPS, SIEM, EDR)
  Respond  : analyze, contain and eradicate the incident
  Recover  : restore services and improve

Based on the NIST Cybersecurity Framework (CSF 2.0 adds a sixth function, Govern,
that spans the whole cycle)
```
Prevention¶
| Area | Countermeasures |
|---|---|
| Network | Firewall, VLAN, network segregation |
| System | Patch management, security configuration, least privilege |
| Application | Secure coding, input validation, WAF |
| User | Security training, phishing drills, MFA |
Detection¶
```text
Detection Framework

Network monitoring
  - IDS/IPS
  - Network Traffic Analysis (NTA)
  - NetFlow analysis

Endpoint monitoring
  - EDR (Endpoint Detection and Response)
  - Antivirus
  - Host-based IDS (HIDS)

Log analysis
  - SIEM
  - Centralized log management
  - Anomaly detection

Threat intelligence
  - IOCs (Indicators of Compromise)
  - Threat feeds
  - Vulnerability information
```
Response¶
```text
Incident Response Process

1. Preparation
   - Develop the response plan, form the team, prepare tools
2. Identification
   - Detect the incident, assess scope, evaluate severity
3. Containment
   - Short-term: immediate isolation of affected systems
   - Long-term: temporary fixes that allow operations to continue while rebuilding
4. Eradication
   - Remove malware, patch the vulnerabilities that were exploited
5. Recovery
   - Restore systems, resume normal operations, monitor for recurrence
6. Lessons Learned
   - Post-incident analysis, derive improvements, update the plan
```
Security Checklist¶
```text
Basic Security Checklist

Network security
  [ ] Review and minimize firewall rules
  [ ] Network segmentation (VLAN)
  [ ] Block unnecessary ports/services
  [ ] VPN-encrypted communication
  [ ] Operate IDS/IPS

System security
  [ ] Apply security patches regularly
  [ ] Disable unnecessary services
  [ ] Strong password policy
  [ ] SSH key-based authentication
  [ ] Log collection and monitoring

Application security
  [ ] Input validation
  [ ] Use prepared statements
  [ ] Output encoding
  [ ] Apply HTTPS
  [ ] Configure security headers

Data security
  [ ] Encrypt critical data
  [ ] Regular backups
  [ ] Minimize access permissions
  [ ] Log retention
```
9. Practice Problems¶
Basic Problems¶
- Sniffing/Spoofing
  - Explain the difference between sniffing and spoofing.
  - Explain the operating principle of ARP spoofing.
- DoS/DDoS
  - What's the difference between DoS and DDoS?
  - Explain the principle and countermeasures of SYN Flood attacks.
- Web Security
  - What's the most effective method to prevent SQL Injection?
  - What's the difference between Stored XSS and Reflected XSS?
Intermediate Problems¶
- MITM
  - Explain SSL Stripping attacks.
  - How does HSTS prevent this attack?
- IDS/IPS
  - Compare pros and cons of signature-based and anomaly detection.
  - Why are IDS and IPS deployed at different locations?
- Scenario Analysis: suggest possible attacks and countermeasures for these situations:
  - ARP table abnormally modified in company network
  - No padlock icon when accessing web server
  - Large volume of SELECT queries executed on database
Advanced Problems¶
- Comprehensive Security
  - Identify security vulnerabilities in this architecture: Internet -> Web Server -> DB Server (same network)
- Incident Response
  - List the response procedures for ransomware infection in order.
10. Next Steps¶
In 17_Practical_Network_Tools.md, let's learn about practical network tools like ping, traceroute, and Wireshark!
11. References¶
Tools¶
- Snort/Suricata - Open source IDS/IPS
- Wireshark - Packet analysis
- Burp Suite - Web security testing
- Nmap - Network scanning