Unit 5 Cyber

Uploaded by

susobhidanagaraj

UNIT 5

NETWORK ATTACKS

Network Attacks in Computer Network

Many people rely on the Internet for many of their professional, social and personal
activities. But there are also people who attempt to damage our Internet-connected
computers, violate our privacy and render Internet services inoperable.

Given the frequency and variety of existing attacks as well as the threat of new and more
destructive future attacks, network security has become a central topic in the field of
computer networking.

How are computer networks vulnerable? What are some of the more prevalent types of
attacks today?

Malware – short for malicious software, which is specifically designed to disrupt, damage, or
gain unauthorized access to a computer system. Much of the malware out there today is
self-replicating: once it infects one host, from that host it seeks entry into other hosts over
the Internet, and from the newly infected hosts, it seeks entry into yet more hosts. In this
manner, self-replicating malware can spread exponentially fast.

Virus – Malware which requires some form of user interaction to infect the user’s device.
The classic example is an e-mail attachment containing malicious executable code. If a user
receives and opens such an attachment, the user inadvertently runs the malware on the
device.

Worm – A malware which can enter a device without any explicit user interaction. For
example, a user may be running a vulnerable network application to which an attacker can
send malware. In some cases, without any user intervention, the application may accept the
malware from the Internet and run it, creating a worm.

Botnet – A network of private computers infected with malicious software and controlled as a
group without the owners’ knowledge, e.g. to send spam.

DoS (Denial of Service) – A DoS attack renders a network, host, or other pieces of
infrastructure unusable by legitimate users. Most Internet DoS attacks fall into one of three
categories:

• Vulnerability attack: This involves sending a few well-crafted messages to a vulnerable
application or operating system running on a targeted host. If the right sequence of packets is
sent to a vulnerable application or operating system, the service can stop or, worse, the host
can crash.

• Bandwidth flooding: The attacker sends a deluge of packets to the targeted host—so many
packets that the target’s access link becomes clogged, preventing legitimate packets from
reaching the server.

• Connection flooding: The attacker establishes a large number of half-open or fully open
TCP connections at the target host. The host can become so bogged down with these bogus
connections that it stops accepting legitimate connections.

DDoS (Distributed DoS) – DDoS is a type of DoS attack in which multiple compromised
systems are used to target a single system, causing a Denial of Service (DoS) attack. DDoS
attacks leveraging botnets with thousands of compromised hosts are a common occurrence
today. DDoS attacks are much harder to detect and defend against than a DoS attack from a
single host.

Packet sniffer – A passive receiver that records a copy of every packet that flies by is called
a packet sniffer. By placing a passive receiver in the vicinity of a wireless transmitter, that
receiver can obtain a copy of every packet that is transmitted! These packets can contain all
kinds of sensitive information, including passwords, social security numbers, trade secrets,
and private personal messages. Some of the best defenses against packet sniffing involve
cryptography.

IP Spoofing – The ability to inject packets into the Internet with a false source address is
known as IP spoofing, and is but one of many ways in which one user can masquerade as
another user. To solve this problem, we will need end-point authentication, that is, a
mechanism that will allow us to determine with certainty if a message originates from where
we think it does.

Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack occurs
when someone between you and the person with whom you are communicating is actively
monitoring, capturing, and controlling your communication transparently. For example, the
attacker can re-route a data exchange. When computers are communicating at low levels of
the network layer, the computers might not be able to determine with whom they are
exchanging data.

Compromised-Key Attack – A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-intensive process for an
attacker, it is possible. After an attacker obtains a key, that key is referred to as a
compromised key. An attacker uses the compromised key to gain access to a secured
communication without the sender or receiver being aware of the attack.

Phishing – The fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information, such as passwords
and credit card numbers.

DNS spoofing – Also referred to as DNS cache poisoning, this is a form of computer security
hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s
cache, causing the name server to return an incorrect IP address.

Rootkit – Rootkits are stealthy packages designed to gain administrative rights and access to
a network device. Once installed, hackers have complete and unrestricted access to the device
and can therefore execute any action, including spying on users or stealing confidential data,
without hindrance.

Learn About Network Attacks:

There is more to learn about network attacks.

Zeus Malware: Variants, Methods and History:

Zeus, also known as Zbot, is a malware package that uses a client/server model. Hackers use
the Zeus malware to create massive botnets. The main purpose of Zeus is to help hackers gain
unauthorized access to financial systems by stealing credentials, banking information and
financial data. The breached data is then sent back to the attackers through the Zeus Command
and Control (C&C) server.

Zeus has infected over 3 million PCs in the USA, and has compromised major organizations
like NASA and the Bank of America.

Cobalt Strike: White Hat Hacker Powerhouse in the Wrong Hands

Cobalt Strike is a commercial penetration testing tool. It gives security testers access to a
large assortment of attack capabilities. It can be used to execute spear phishing and gain
unauthorized access to systems. It can also simulate a variety of malware and other advanced
threat tactics.

While Cobalt Strike is a legitimate tool used by ethical hackers, some cyber criminals obtain
the trial version and crack its software protection, or even gain access to a commercial copy
of the software.

FTCode Ransomware: Distribution, Anatomy and Protection

FTCode is a type of ransomware, designed to encrypt data and force victims to pay a ransom
for a decryption key. The code is written in PowerShell, meaning that it can encrypt files on
a Windows device without downloading any other components. FTCode loads its executable
code only into memory, without saving it to disk, to prevent detection by antivirus. The
FTCode ransomware is delivered through spam messages containing an infected Word template
in Italian.

Mimikatz: World’s Most Dangerous Password Stealing Platform

Mimikatz is an open-source tool initially developed by ethical hacker Benjamin Delpy to
demonstrate a flaw in Microsoft’s authentication protocols. In other words, the tool steals
passwords. It is deployed on Windows and enables users to extract Kerberos tickets and other
authentication tokens from the machine. Some of the more significant attacks facilitated by
Mimikatz include Pass-the-Hash, Kerberos Golden Ticket, Pass the Key, and Pass-the-Ticket.


Understanding Privilege Escalation and 5 Common Attack Techniques

Privilege escalation is a common technique for gaining unauthorized access to systems.
Attackers start privilege escalation by finding weak points in an organization’s defenses
and gaining access to a system. Typically, the initial point of penetration won’t grant
attackers the necessary level of access or data. They will continue with privilege escalation
to acquire permissions or gain access to additional, more sensitive systems.

Active and Passive attacks in Information Security

It’s important to note that the distinction between active and passive attacks can be blurry,
and some attacks may involve elements of both. Additionally, not all attacks are technical in
nature; social engineering attacks, where an attacker manipulates or deceives users in order
to gain access to sensitive information, are also a common form of attack.

Active attacks:

Active attacks are a type of cybersecurity attack in which an attacker attempts to alter,
destroy, or disrupt the normal operation of a system or network. Active attacks involve the
attacker taking direct action against the target system or network, and can be more dangerous
than passive attacks, which involve simply monitoring or eavesdropping on a system or
network.
Types of active attacks are as follows:

• Masquerade
• Modification of messages
• Repudiation
• Replay
• Denial of Service

Masquerade

Masquerade is a type of cybersecurity attack in which an attacker pretends to be someone
else in order to gain access to systems or data. This can involve impersonating a legitimate
user or system to trick other users or systems into providing sensitive information or granting
access to restricted areas.

There are several types of masquerade attacks, including:

• Username and password masquerade: In a username and password masquerade attack,
an attacker uses stolen or forged credentials to log into a system or application as a
legitimate user.

• IP address masquerade: In an IP address masquerade attack, an attacker spoofs or
forges their IP address to make it appear as though they are accessing a system or
application from a trusted source.

• Website masquerade: In a website masquerade attack, an attacker creates a fake
website that appears to be legitimate in order to trick users into providing sensitive
information or downloading malware.

• Email masquerade: In an email masquerade attack, an attacker sends an email that
appears to be from a trusted source, such as a bank or government agency, in order to
trick the recipient into providing sensitive information or downloading malware.

Modification of messages –

It means that some portion of a message is altered, or that a message is delayed or reordered,
to produce an unauthorized effect. Modification is an attack on the integrity of the original
data. It basically means that unauthorized parties not only gain access to data but also tamper
with it, for example by altering transmitted data packets or by flooding the network with fake
data to trigger denial-of-service conditions. Fabrication, by contrast, is an attack on
authentication. For example, a message meaning “Allow JOHN to read confidential file X” is
modified to “Allow Smith to read confidential file X”.

Repudiation –

Repudiation attacks are a type of cybersecurity attack in which an attacker attempts to deny
or repudiate actions that they have taken, such as making a transaction or sending a message.
These attacks can be a serious problem because they can make it difficult to track down the
source of the attack or determine who is responsible for a particular action.

There are several types of repudiation attacks, including:

• Message repudiation attacks: In a message repudiation attack, an attacker sends a
message and then later denies having sent it. This can be done by using spoofed or
falsified headers or by exploiting vulnerabilities in the messaging system.

• Transaction repudiation attacks: In a transaction repudiation attack, an attacker
makes a transaction, such as a financial transaction, and then later denies having made
it. This can be done by exploiting vulnerabilities in the transaction processing system
or by using stolen or falsified credentials.

• Data repudiation attacks: In a data repudiation attack, an attacker modifies or
deletes data and then later denies having done so. This can be done by exploiting
vulnerabilities in the data storage system or by using stolen or falsified credentials.

Replay –

It involves the passive capture of a message and its subsequent retransmission to produce an
unauthorized effect. In this attack, the basic aim of the attacker is to save a copy of the data
originally present on that particular network and later reuse this data for their own purposes.
Once the data is corrupted or leaked, it is insecure and unsafe for the users.
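
The IP spoofing, modification-of-messages and replay sections above all have the same defence at the message level: a key shared with the claimed sender, an integrity tag over the message, and a freshness check. The following added example (not code from these notes) shows one receiver applying all three; the sender names, keys and message bodies are constructed for the demonstration.

```python
"""Authenticated, replay-resistant messages.

Added example, not code from the original notes. It ties three of the attacks
described above to one defensive mechanism:
  * a per-sender secret key gives end-point authentication, so a message whose
    claimed sender does not hold that key (masquerade / spoofing) is rejected;
  * an HMAC over sender, sequence number and body detects modification, such as
    "Allow JOHN ..." being changed to "Allow Smith ...";
  * a strictly increasing per-sender sequence number lets the receiver refuse
    a replayed copy of an otherwise valid message.
Keys, sender names and message bodies are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed shared secrets, one per sender (provisioned out of band in practice).
SENDER_KEYS = {
    "john": b"constructed-secret-key-for-john",
    "smith": b"constructed-secret-key-for-smith",
}


def compute_tag(key, sender, seq, body):
    """HMAC-SHA256 over every field the receiver must be able to trust.

    The sender name and sequence number are bound into the tag (with a
    separator so field boundaries cannot be shifted); changing any of the
    three fields therefore invalidates the tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(f"{sender}|{seq}|".encode())
    mac.update(body.encode())
    return mac.hexdigest()


def build_message(sender, seq, body):
    """Produce a message as an honest sender holding its own key would."""
    tag = compute_tag(SENDER_KEYS[sender], sender, seq, body)
    return {"sender": sender, "seq": seq, "body": body, "tag": tag}


class Receiver:
    """Verifies origin and integrity first, then enforces freshness."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # sender -> highest sequence number accepted so far

    def accept(self, msg):
        key = self.keys.get(msg["sender"])
        if key is None:
            return "reject: unknown sender"
        expected = compute_tag(key, msg["sender"], msg["seq"], msg["body"])
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: modified or spoofed"
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return "reject: replay"
        self.last_seq[msg["sender"]] = msg["seq"]
        return "accept"


def run_scenarios():
    """Feed one honest message and the three attacks from the text to a receiver."""
    rx = Receiver(SENDER_KEYS)
    results = {}

    legit = build_message("john", 1, "Allow JOHN to read confidential file X")
    results["legitimate"] = rx.accept(legit)

    # Modification of messages: the body is altered in transit, tag left as is.
    tampered = dict(legit, body="Allow Smith to read confidential file X")
    results["modified"] = rx.accept(tampered)

    # Replay: the captured, unmodified message is delivered a second time.
    results["replayed"] = rx.accept(legit)

    # Masquerade / spoofing: "smith" uses his own key but claims to be "john".
    body = "Allow Smith to read confidential file X"
    forged = {"sender": "john", "seq": 7, "body": body,
              "tag": compute_tag(SENDER_KEYS["smith"], "john", 7, body)}
    results["spoofed"] = rx.accept(forged)

    # Honest traffic keeps flowing once the sequence number advances.
    results["next_legitimate"] = rx.accept(
        build_message("john", 2, "Allow JOHN to read confidential file Y"))
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:>16}: {verdict}")
```

Note that a sequence counter only defends against replay if the receiver keeps per-sender state across restarts; a timestamp window with a replay cache is the usual alternative when that state cannot be kept.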

Denial of Service –

Denial of Service (DoS) is a type of cybersecurity attack that is designed to make a system
or network unavailable to its intended users by overwhelming it with traffic or requests. In a
DoS attack, an attacker floods a target system or network with traffic or requests in order to
consume its resources, such as bandwidth, CPU cycles, or memory, and prevent legitimate
users from accessing it.

There are several types of DoS attacks, including:

• Flood attacks: In a flood attack, an attacker sends a large number of packets or
requests to a target system or network in order to overwhelm its resources.

• Amplification attacks: In an amplification attack, an attacker uses a third-party system
or network to amplify their attack traffic and direct it towards the target system or
network, making the attack more effective.

To prevent DoS attacks, organizations can implement several measures, such as:

1. Using firewalls and intrusion detection systems to monitor network traffic and block
suspicious activity.

2. Limiting the number of requests or connections that can be made to a system or network.

3. Using load balancers and distributed systems to distribute traffic across multiple servers
or networks.

4. Implementing network segmentation and access controls to limit the impact of a DoS
attack.
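
Measure 2 above, applied to the connection-flooding case described earlier, amounts to tracking half-open connections and new-connection rates per source. The following added example (not code from these notes) replays a constructed stream of TCP handshake events through such a detector; the addresses, thresholds and event format are constructed assumptions.

```python
"""Connection-flood detection with per-source limits.

Added example, not code from the original notes. It implements the mitigation
listed above ("limiting the number of requests or connections") for the
connection-flooding case: TCP handshake events are replayed from a constructed
sample, half-open (SYN seen, handshake never completed) connections are counted
per source, and a source is flagged when it exceeds either the half-open limit
or the new-connection rate limit. Thresholds and addresses are constructed.
"""
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, source_ip, event) where the event is
# "syn" (handshake started), "ack" (handshake completed) or "fin" (closed).
SAMPLE_EVENTS = (
    # One legitimate client: connects, completes the handshake, later closes.
    [(0.0, "198.51.100.7", "syn"), (0.1, "198.51.100.7", "ack"),
     (5.0, "198.51.100.7", "fin")]
    # Half-open flood: 60 SYNs in 0.6 s, none of which ever completes.
    + [(0.5 + i * 0.01, "203.0.113.9", "syn") for i in range(60)]
    # Fully open flood: 40 handshakes completed in 2 s, none closed.
    + [(1.0 + i * 0.05, "192.0.2.44", "syn") for i in range(40)]
    + [(1.02 + i * 0.05, "192.0.2.44", "ack") for i in range(40)]
)


class FloodDetector:
    def __init__(self, window=10.0, max_new_per_window=30, max_half_open=20):
        self.window = window                  # sliding window for the rate limit
        self.max_new = max_new_per_window     # new connections allowed per window
        self.max_half_open = max_half_open    # outstanding SYNs allowed per source
        self.recent_syn = defaultdict(deque)  # source -> SYN timestamps in window
        self.half_open = defaultdict(int)     # source -> SYNs not yet completed
        self.alerts = {}                      # source -> set of reasons

    def _flag(self, src, reason):
        self.alerts.setdefault(src, set()).add(reason)

    def observe(self, ts, src, event):
        """Update per-source state for one event; events must arrive in time order."""
        if event == "syn":
            recent = self.recent_syn[src]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()          # drop SYNs that fell out of the window
            self.half_open[src] += 1
            if len(recent) > self.max_new:
                self._flag(src, "connection-rate")
            if self.half_open[src] > self.max_half_open:
                self._flag(src, "half-open")
        elif event == "ack" and self.half_open[src] > 0:
            self.half_open[src] -= 1      # handshake completed: no longer half-open
        # "fin" closes an established connection and needs no state here.

    def should_accept(self, src):
        """Rate-limit decision: refuse new connections from flagged sources."""
        return src not in self.alerts

    def report(self):
        """{source: sorted list of reasons} for every flagged source."""
        return {src: sorted(reasons) for src, reasons in self.alerts.items()}


def analyse(events, **thresholds):
    """Replay events in timestamp order and return the populated detector."""
    det = FloodDetector(**thresholds)
    for ts, src, event in sorted(events):
        det.observe(ts, src, event)
    return det


if __name__ == "__main__":
    det = analyse(SAMPLE_EVENTS)
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):
        print(f"{src:>14}: {det.report().get(src, [])}  accept={det.should_accept(src)}")
```

The two thresholds catch different floods: the half-open count alone would miss the source that completes every handshake, and the rate limit alone says nothing about how many bogus connections are still tying up the listen queue.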

Passive attacks:

A Passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive Attacks are in the nature of eavesdropping on or monitoring
transmission. The goal of the opponent is to obtain information that is being transmitted.
Passive attacks involve an attacker passively monitoring or collecting data without altering or
destroying it. Examples of passive attacks include eavesdropping, where an attacker listens in
on network traffic to collect sensitive information, and sniffing, where an attacker captures
and analyses data packets to steal sensitive information.

Types of Passive attacks are as follows:

• The release of message content
• Traffic analysis

The release of message content –

Telephonic conversation, an electronic mail message, or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.

Traffic analysis –

Suppose that we had a way of masking (encrypting) information, so that even if the attacker
captured a message, they could not extract any information from it. The opponent could still
determine the location and identity of the communicating hosts and could observe the
frequency and length of the messages being exchanged. This information might be useful in
guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic; with it in
place, an attacker would have to access the SIP proxy (or its call log) to determine who made
the call.

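
The length signal described above survives encryption, so a common defence is to pad every message to a fixed size before encrypting it. The following added example (not code from these notes) shows what an observer can infer from ciphertext lengths with and without padding; the two-command protocol, the per-message overhead and the block size are constructed assumptions.

```python
"""Traffic analysis against encrypted messages, and length padding as a defence.

Added example, not code from the original notes. A client sends one of two
protocol commands over an encrypted channel; the observer sees only ciphertext
bytes. Without padding the ciphertext length alone identifies the command,
which is the traffic-analysis leakage described above; padding every message to
a fixed size before encryption removes that signal (for messages that fit in
one block). The commands, the overhead and the block size are constructed.
"""
import os

# Assumed fixed per-message overhead, e.g. a 12-byte nonce plus a 16-byte tag
# of an AEAD cipher; only the length matters to the observer in this model.
OVERHEAD = 28
BLOCK = 64  # pad every plaintext up to this many bytes (constructed choice)

# Constructed protocol: the observer knows the command formats, not which one
# was sent.
COMMANDS = {
    "login": b"LOGIN user=alice",
    "transfer": b"TRANSFER from=alice to=bob amount=250",
}


def encrypt_stub(plaintext):
    """Stand-in for a real cipher: output of the right length, contents opaque."""
    return os.urandom(len(plaintext) + OVERHEAD)


def pad(plaintext, block=BLOCK):
    """PKCS#7-style padding: appends 1..block bytes, each holding the count."""
    n = block - (len(plaintext) % block)
    return plaintext + bytes([n]) * n


def unpad(padded):
    """Inverse of pad(): strip the number of bytes named by the last byte."""
    return padded[:-padded[-1]]


def observer_candidates(ciphertext, padded):
    """Commands the observer cannot rule out, given only the ciphertext length."""
    observed = len(ciphertext)
    prepare = pad if padded else (lambda m: m)
    return sorted(name for name, msg in COMMANDS.items()
                  if len(prepare(msg)) + OVERHEAD == observed)


def simulate(padded):
    """Send each command once and record what the observer can infer from it."""
    result = {}
    for name, msg in COMMANDS.items():
        wire = encrypt_stub(pad(msg) if padded else msg)
        result[name] = observer_candidates(wire, padded)
    return result


if __name__ == "__main__":
    print("without padding:", simulate(False))
    print("with padding:   ", simulate(True))
```

Padding hides message length only; message frequency and timing, which the text also names, need separate measures such as cover traffic or batching.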
DIFFERENCE BETWEEN ACTIVE ATTACK AND PASSIVE ATTACK

In the field of cybersecurity, attacks on networks and systems are broadly classified into two
categories: active and passive attacks. It is therefore important to understand the differences
between these two types of attack so that adequate security measures can be formulated.
Active attacks require the attacker to take action against the target with a view to
interfering with, modifying, or deleting systems or data. On the other hand, a passive attack
goes on silently without interfering with the system, and its chief aim is to gather as much
information as possible. In this context, this section provides an analysis of active and
passive attacks, the consequences they can provoke, and the measures that should be adopted
to prevent them.

What is Active Attack?

Active attacks are the type of attack in which the attacker attempts to change or modify the
content of messages. An active attack is a danger to integrity as well as availability. Due to
an active attack, the system is always damaged and system resources can be changed. The most
important thing is that, in an active attack, the victim gets informed about the attack.

Advantages of Active Attack (from the attacker’s perspective)

• Immediate Impact: By definition, active attacks are much quicker in that they can
immediately and visibly bring about conditions such as system halts, loss of data, and the
like.

• Potential for Data Manipulation: Hackers may corrupt or compromise data, and data
integrity problems may arise that can have significant and prolonged implications for
organizations.

• Disruption of Services: Active attacks can be a great threat to services, as they are aimed
at key systems or networks.

Disadvantages of Active Attack

• Higher Risk of Detection: Because active attacks involve modification or disruption, it is
easier for them to be identified by security systems and administrators.

• Legal Consequences: Like passive attacks, active attacks are unlawful, and if the attacker
is apprehended, he will face legal repercussions.

• Resource Intensive: An active attack is normally more resource-intensive and technical,
and needs more tools and skills than those typical of passive attacks.

What is a Passive Attack?

Passive attacks are the type of attack in which the attacker observes the content of
messages or copies the content of messages. A passive attack is a danger to confidentiality.
Due to a passive attack, there is no harm to the system. The most important thing is that in a
passive attack, the victim does not get informed about the attack.

Advantages of Passive Attack (from the attacker’s perspective)

• Low Risk of Detection: Passive attacks are hidden in the sense that they do not attempt
to modify or destroy the data or the systems and, as such, they are more difficult to
recognize.

• Information Gathering: Such attacks make it possible for attackers to obtain useful
information which can be used in future active attacks or for other malicious purposes.

• Minimal Resources Required: Passive attacks can be accomplished with fewer means and
less skill, and are therefore available to a larger set of potential attackers.

Disadvantages of Passive Attack (from the attacker’s perspective)

• No Immediate Impact: Compared to active attacks, passive attacks are not able to
directly affect system resources, which may reduce their applicability in some cases.

• Reliance on Future Actions: The information obtained in passive attacks has to be
utilized at some point in time to fulfil the attacker’s goals, and this entails additional
measures.

• Limited to Information Gathering: Passive attacks do not let the attacker manipulate or
destroy data and are usually confined to the collection of data.

DIFFERENCE BETWEEN ACTIVE ATTACK AND PASSIVE ATTACK

Active Attack | Passive Attack
In an active attack, modification of information takes place. | In a passive attack, modification of the information does not take place.
Active attack is a danger to integrity as well as availability. | Passive attack is a danger to confidentiality.
In an active attack, attention is on prevention. | In a passive attack, attention is on detection.
Due to active attacks, the execution system is always damaged. | Due to passive attack, there is no harm to the system.
In an active attack, the victim gets informed about the attack. | In a passive attack, the victim does not get informed about the attack.
In an active attack, system resources can be changed. | In a passive attack, system resources are not changed.
Active attack influences the services of the system. | In a passive attack, information and messages in the system or network are acquired.
In an active attack, information collected through passive attacks is used during execution. | Passive attacks are performed by collecting information such as passwords and messages by themselves.
An active attack is tough to restrict from entering systems or networks. | Passive attack is easy to prohibit in comparison to active attack.
Can be easily detected. | Very difficult to detect.
The purpose of an active attack is to harm the ecosystem. | The purpose of a passive attack is to learn about the ecosystem.
In an active attack, the original information is modified. | In a passive attack, original information is unaffected.
The duration of an active attack is short. | The duration of a passive attack is long.
The prevention possibility of active attack is high. | The prevention possibility of passive attack is low.
Complexity is high. | Complexity is low.

1. WORM ATTACKS
What Is a Worm?
A worm is a type of malware or malicious software that can replicate rapidly and
spread across devices within a network. As it spreads, a worm consumes bandwidth,
overloading infected systems and making them unreliable or unavailable. Worms can also
change and delete files or introduce other malware.
Is a worm a virus?
No. A worm is not a virus, although like a virus, it can severely disrupt IT operations
and cause data loss. A worm is actually much more serious than a virus because once it
infects a vulnerable machine, it can “self-replicate” and spread automatically across multiple
devices.
How do worms infect computers?
Software vulnerabilities provide a path for worms to infect machines. Spam email or
instant message (IM) attachments are also a delivery method. The messages use social
engineering to get users to think the malicious files are safe to open. Removable drives, like
USB drives, can also deliver worms.
How do worms spread?
Worms self-replicate automatically. They spread by using automatic file sending and
receiving features that have been enabled, intentionally or not, on network computers. Once a
worm has infected a computer, it installs itself in the device’s memory and can then transfer
itself to other machines.

Steps of a worm attack

The 3 stages of a worm attack
Step 1: Enabling vulnerability
The initial phase of a worm attack occurs when the worm is first installed on a vulnerable
machine. The worm may have been transmitted through a software vulnerability. Or, it may
have arrived through a malicious email or IM attachment or a compromised removable drive.
Step 2: Automatic replication
Once a worm is installed on a vulnerable device or system, it begins to self-replicate
automatically. Through propagation, the worm makes its way to other new targets in the
network—consuming bandwidth and hard-drive space and undermining device and system
performance as it spreads.
Step 3: Payload delivery
In the last stage of a worm attack, the malicious actor behind the campaign tries to increase
their level of access to the targeted system. Over time, they could gain access rights
equivalent to those of a system administrator. From there, the adversary can cause significant
damage, including data theft, and potentially gain access to multiple systems.

Repeating the process

Once a worm has propagated throughout a device or system, it continues to spread
automatically, using vulnerabilities in other systems attached to the system initially targeted.
This is how malicious actors gain access to multiple systems. Some cyber criminals will even
go on to use these systems in a botnet—a network of infected computers that can send spam,
steal data, and more.

Steps to worm mitigation

4 steps to respond to a worm attack

Step 1: Containment
The first step in mitigating a worm attack is to move swiftly to contain the spread of the
worm and determine which machines are infected, and whether these devices are patched or
unpatched. Infected machines must be isolated from machines that are not yet infected.
Step 2: Inoculation
Once it is clear which parts of the network the worm has infected, and those parts have been
contained, other vulnerable systems must be scanned and patched. Patching the
vulnerabilities the worm is using to spread will help contain the attack.
Step 3: Quarantine
In this third step of worm mitigation, infected machines are isolated and then disconnected
and removed from the network. If removal is not possible, then the infected machines need to
be blocked from connecting to and accessing the network.
Step 4: Treat
This last step in the worm mitigation process involves remediating from the attack as well as
addressing any other necessary patching of machines and systems. Depending on the severity
of the attack, infected systems may need to be reinstalled entirely to ensure a thorough
cleanup from the event.

Reaction time is critical, so have a plan

Containing worm attacks requires coordination among everyone responsible for network
management. Without a coordinated response, mitigating worm attacks can be even more
challenging—if not impossible. Even very small IT teams should have a clear, systematic
plan in place for mitigating worm attacks.

Types of response methodologies

Helpful practices: 6 response methodologies

Preparation
Businesses of all sizes should be prepared to respond to a worm attack. According to
Cisco network consulting engineers, preparation includes taking inventory of all primary
business and IT resources as well as determining who will authorize business decisions
throughout an incident.
Preparation for a worm attack also includes establishing open lines of communication
and compiling a list of key contacts. It is also important to maintain updated contact details
for relevant ISPs (Internet service providers).

Identification and Classification

Identification is about confirming that the incident is, in fact, a worm attack. Classification
involves categorizing the worm: for example, is the worm an Internet worm or an email worm?
Traceback
This refers to a type of reverse engineering process for tracing the source of the worm.
Reaction
Reacting to a worm attack involves isolating and repairing targeted systems.
Post-mortem
After a worm attack, the entire process used to respond to and recover from the event
should be documented and analysed.

The worm attack post-mortem is a step that is frequently forgotten or overlooked. But it is
critical to both preventing exposure to and defending effectively against future worm attacks,
making it well worth the time and effort.

2. SPYWARE ATTACKS
Spyware is malicious software that enters a user’s computer, gathers data from the
device and user, and sends it to third parties without their consent. A commonly
accepted spyware definition is a strand of malware designed to access and damage a device
without the user’s consent.
Spyware collects personal and sensitive information that it sends to advertisers, data
collection firms, or malicious actors for a profit. Attackers use it to track, steal, and sell user
data, such as internet usage, credit card, and bank account details, or steal user credentials to
spoof their identities.
Spyware is one of the most commonly used cyberattack methods; it can be difficult
for users and businesses to identify and can do serious harm to networks. It also leaves
businesses vulnerable to data breaches and data misuse, often affects device and network
performance, and slows down user activity.

The term "spyware" first emerged in online discussions in the 1990s, but only in the
early 2000s did cybersecurity firms use it to describe unwanted software that spied on their
user and computer activity. The first anti-spyware software was released in June 2000, then
four years later, scans showed that around 80% of internet users had their systems affected by
spyware, according to research by America Online and the National Cyber Security Alliance.
However, 89% of users were unaware of the spyware’s existence and 95% had not granted
permission for it to be installed.

Types of spyware

Attackers use various types of spyware to infect users’ computers and devices. Each
spyware variety gathers data for the attacker, with the lesser types monitoring and sending
data to a third party. But more advanced and dangerous spyware types will also make
modifications to a user’s system that results in them being exposed to further threats.

Some of the most commonly used types of spyware include:


1. Adware: This sits on a device and monitors users’ activity then sells their data to
advertisers and malicious actors or serves up malicious ads.

2. Infostealer: This is a type of spyware that collects information from devices. It scans
them for specific data and instant messaging conversations.

3. Keyloggers: Also known as keystroke loggers, keyloggers are a type of infostealer
spyware. They record the keystrokes that a user makes on their infected device, then
save the data into an encrypted log file. This spyware method collects all of the
information that the user types into their devices, such as email data, passwords, text
messages, and usernames.

4. Rootkits: These enable attackers to deeply infiltrate devices by exploiting security
vulnerabilities or logging into machines as an administrator. Rootkits are often
difficult and even impossible to detect.

5. Red Shell: This spyware installs itself onto a device while a user is installing specific
PC games, then tracks their online activity. It is generally used by developers to
enhance their games and improve their marketing campaigns.

6. System monitors: These also track user activity on their computer, capturing
information like emails sent, social media and other sites visited, and keystrokes.

7. Tracking cookies: Tracking cookies are dropped onto a device by a website and then
used to follow the user’s online activity.

8. Trojan Horse Virus: This brand of spyware enters a device through Trojan malware,
which is responsible for delivering the spyware program.

Most spyware targets Windows computers and laptops, but attackers are increasingly
targeting other forms of devices.

1. Apple device spyware: Malware targeting Apple devices, particularly its Mac
computers, has increased rapidly in the last few years. Mac spyware is similar in
behaviour to spyware targeting Windows operating systems but is typically of the
password-stealing or backdoor type. It frequently sees the attacker attempt attacks
such as keylogging, password phishing, remote code execution, and screen captures.

2. Mobile spyware: Spyware targeting mobile devices steals data such as call logs,
browser history, contact lists, photos, and short message service (SMS) messages.
Certain types will log user keystrokes, record using the device’s microphone, take
photos, and track location using Global Positioning System (GPS) trackers. Others
take control of devices through commands sent from SMS messages, data transfers,
and remote servers. Hackers can also use mobile spyware to breach an organization
through mobile device vulnerabilities, which may not be detected by the security
team.

What Does Spyware Do?

All types of spyware sit on a user’s device and spy on their activity, the sites they visit,
and the data they share. They do this with the objective of monitoring user activity,
tracking login and password details, and detecting sensitive data.

Other spyware strands are also capable of installing further software on the user’s device,
which enables the attacker to make changes to the device. But spyware typically follows a
three-step process from being installed on a device to sending or selling the information it
has stolen.
1. Step 1—Infiltrate: Spyware is installed onto a device through the use of an
application installation package, a malicious website, or as a file attachment.

2. Step 2—Monitor and capture: Once installed, the spyware gets to work following
the user around the internet, capturing the data they use, and stealing their credentials,
login information, and passwords. It does this through screen captures, keystroke
technology, and tracking codes.

3. Step 3—Send or sell: With data and information captured, the attacker will either use
the data amassed or sell it to a third party. If they use the data, they could take the user
credentials to spoof their identity or use them as part of a larger cyberattack on a
business. If they sell, they could use the data for a profit with data organizations, other
hackers, or put it on the dark web.

Through this process, the attacker can collect and sell highly sensitive information, such
as the user’s email addresses and passwords, internet usage information and browsing
habits, financial details, and account personal identification number (PIN) codes.

How Spyware Attacks Your System

Attackers carefully disguise spyware to infiltrate and infect devices without being
discovered. They do this by obscuring the malicious files within regular downloads and
websites, which encourages users to open them, often without realizing it. The malware
will sit alongside trusted programs and websites through code vulnerabilities or in
custom-made fraudulent applications and websites.

One common method for delivering spyware is bundleware. This is a bundle of
software packages that attaches itself to other programs that a user downloaded or
installed. As a result, it will install without the user knowing about it. Other bundleware
packages force the user to agree to download a full software bundle, with no idea that
they have voluntarily infected their device. Spyware can also infiltrate a computer
through the same routes as other forms of malware, such as compromised or spoofed
websites and malicious email attachments.

Mobile spyware typically attacks mobile devices through three methods:

1. Flaws in operating systems: Attackers can exploit flaws in mobile operating systems
that are typically opened up by holes in updates.

2. Malicious applications: These typically lurk within legitimate applications that users
download from websites rather than app stores.
3. Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and
cafes are often free and simple to sign in to, which makes them a serious security risk.
Attackers can use these networks to spy on what connected users are doing.

Problems caused by spyware

The effects of spyware are wide-ranging. Some could go unseen, with users not knowing
they have been affected for months or even years. Others might just cause an
inconvenience that users may not realize is the result of being hacked. Some forms of
spyware are capable of causing reputational and financial damage.

Common problems that spyware can result in include:

1. Data theft: One of the most common problems caused by spyware is data theft.
Spyware is used to steal users’ personal data, which can then be sold to third-party
organizations, malicious actors, or hacking groups.

2. Identity fraud: If spyware harvests enough data, then it can be used for identity
fraud. This sees the attacker amass data like browsing history, login credentials for
email accounts, online banking, social networks, and other websites to spoof or
imitate the user’s identity.

3. Device damage: Some spyware will be poorly designed, which ends up having a
negative effect on the computer it attaches itself to. This can end up draining system
performance and eating up huge amounts of internet bandwidth, memory, and
processing power. Even worse, spyware can cause operating systems to crash, disable
internet security software, and make computers overheat, which can cause permanent
damage to the computer.

4. Browsing disruption: Some spyware can take control of the user’s search engine to
serve up harmful, fraudulent, or unwanted websites. They can also change homepages
and alter computer settings, as well as repeatedly push pop-up ads.

How do I get spyware?

Spyware can increasingly affect any device, from computers and laptops to mobile
phones and tablets. Devices that run Windows operating systems are typically the most
susceptible to an attack, but cyber criminals are increasingly devising methods that afflict
Apple and mobile devices.
Some of the most prominent causes of spyware infiltrating a device or system include:
1. Misleading marketing: Spyware authors will often disguise their malicious software
as a legitimate tool, such as a hard disk cleaner, download manager, or new web
browser.
2. Phishing or spoofing: Phishing occurs when an attacker encourages a recipient to
click on a malicious link or attachment in an email, then steals their credentials. They
often use spoofed websites that appear to be a legitimate site that steal users’
passwords and personal information.
3. Security vulnerabilities: Attackers often target code and hardware vulnerabilities to
gain unauthorized access to devices and systems and plant their spyware.
4. Software bundles: Bundleware sees users unknowingly install spyware within a
bundle of software they believe to be legitimate.
5. Trojans: A Trojan is a type of malware that pretends to be another piece of software.
Cyber criminals use Trojans as a method for delivering malware strains, such as
spyware, cryptojackers, and viruses, onto devices.
A device can also become infected with spyware as a result of a user’s actions, such as:
 Accepting cookie consent requests from insecure websites
 Accepting pop-ups from untrusted sites
 Clicking on malicious links
 Opening malicious attachments
 Downloading games, movies, or music from pirated or spoofed websites
 Downloading malicious mobile apps

How to Tell if You Have Spyware

Despite spyware being designed to go undetected, there are several telltale signs that
could be indicators of a device being infiltrated. These include:
 Negative hardware performance, such as:
o A device running slower than usual
o Devices suffering frequent crashes and freezes
 A drop in application or browser performance, such as:
o Pop-up ads repeatedly appear in browsers
o Unusual error messages
o Unexpected browser changes
o New icons appearing in the taskbar
o Browser searches redirect to new search engines
Note that these symptoms are also indicative of the presence of other malware, not just
spyware, so it is important to dig deeper into issues and scan devices to discover the root
of the problem.

Spyware Removal
If a device is showing signs of spyware, then it is important to get the device and any
connected systems cleaned up and protected again. The removal of spyware is possible
through solutions that can identify and remove malicious files.
The first step in removing spyware is to ensure the system is cleared of infection. This
will prevent new password changes and future logins from also being stolen. It is also
important to purchase robust cybersecurity software that offers comprehensive spyware
removal, deep cleans devices affected by spyware, and repairs any files or systems that
may have been infected.
With the system cleaned up, financial services need to be advised that potentially
fraudulent activity has occurred that could affect bank accounts and credit cards. If the
spyware has affected an organization, then legal and regulatory violations need to be
reported to the appropriate law enforcement agency.
Spyware Protection
Spyware and other malicious attack methods are a constant threat to any device
connected to the internet. Therefore, the first line of defense against spyware is to deploy
an internet security solution that includes proactive anti-malware and antivirus detection.
In addition, tools like antispam filters, cloud-based detection, and virtual encrypted
keyboards are useful to eliminate potentially malicious risks.
Some spyware types are also able to install software and modify the settings on a
user’s device. This means it is also vital for users to use secure passwords, not recycle
their credentials on multiple applications and websites, and use processes like multi-factor
authentication (MFA) to keep their identity secure and their devices updated.
In addition to software, there are several steps that can be taken to protect devices and
systems:
1. Cookie consent: It can be easy for users to simply click "accept" on the cookie
consent pop-ups that appear on nearly every website they visit. However, they need to
be careful about issuing their consent every time and only accept cookies from
websites they trust.
2. Browser extensions: Users can also install anti-tracking extensions that prevent the
relentless online tracking of their activity on web browsers. These extensions can
block activity tracking by both reputable sources and malicious actors, keeping users’
data private when they access the internet.
3. Security updates: Updating software with the latest versions is vital to preventing
spyware and other types of malware. Spyware typically makes its way onto devices
through gaps in code or vulnerabilities in operating systems. So it is important to
constantly patch potential issues and fix vulnerabilities immediately.
4. Avoid free software: It can be appealing to download free software, but doing so can
have costly ramifications for users and their organizations. The free software may be
insecure and the creator can make a profit from users’ data.
5. Use secure networks: Unsecured Wi-Fi networks are an easy resource for hackers to
breach devices. Avoid using free Wi-Fi networks, and only connect to trusted, secure
networks.

6. Best practice and behaviour: Practicing good cybersecurity behaviour is crucial to
avoiding spyware. All users need to be aware of the security risks they face, avoid
opening emails or downloading files from people they do not know, and make it a
habit to hover over links to check if they are reputable before clicking on them.
Computer and laptop users can follow steps to keep their devices secure. These
include enabling and downloading pop-up blockers on their desktops and limiting
allowed applications and permissions. All users should also avoid clicking links or
opening attachments in all emails, even those purporting to be from trusted senders, as
this is a prime delivery method for spyware and other malicious attacks.
There are also steps that can be taken to specifically protect mobile devices from
spyware. These include:
1. Only download apps from the official store of the operating system, such as the
Google Play Store, Apple’s App Store, and official publishers.
2. Be careful about giving permission to apps that track data or location and take control
of cameras or microphones.
3. Avoid clicking links in emails and SMS messages. Instead, only enter trusted Uniform
Resource Locators (URLs) directly into the browser address bar.
4. Be aware of unexpected warning messages, especially those that cannot be verified by
the server.

3.TROJAN HORSE
A Trojan Horse Virus is a type of malware that downloads onto a computer
disguised as a legitimate program. The delivery method typically sees an attacker
use social engineering to hide malicious code within legitimate software in order to
gain access to users' systems through that software.
It is a type of malware that typically gets hidden as an attachment in an email or a
free-to-download file, then transfers onto the user’s device. Once downloaded, the
malicious code will execute the task the attacker designed it for, such as gain backdoor
access to corporate systems, spy on users’ online activity, or steal sensitive data.
Indications of a Trojan being active on a device include unusual activity such as computer
settings being changed unexpectedly.

History of the Trojan Horse

The original story of the Trojan horse can be found in the Aeneid by Virgil and the
Odyssey by Homer. In the story, the enemies of the city of Troy were able to get inside
the city gates using a horse they pretended was a gift. The soldiers hid inside the huge
wooden horse and once inside, they climbed out and let the other soldiers in.

There are a few elements of the story that make the term “Trojan horse” an
appropriate name for these types of cyber-attacks:

 The Trojan horse was a unique solution to the target’s defenses. In the original
story, the attackers had laid siege to the city for 10 years and hadn’t succeeded in
defeating it. The Trojan horse gave them the access they had been wanting for a
decade. A Trojan virus, similarly, can be a good way to get behind an otherwise tight
set of defences.

 The Trojan horse appeared to be a legitimate gift. In a similar vein, a Trojan virus
looks like legitimate software.

 The soldiers in the Trojan horse controlled the city’s defense system. With a
Trojan virus, the malware takes control of your computer, potentially leaving it
vulnerable to other “invaders.”
How Trojans Work
Unlike computer viruses, a Trojan horse cannot manifest by itself, so it needs a user to
download the server side of the application for it to work. This means the executable
(.exe) file must be run and the program installed for the Trojan to attack a
device’s system.
A Trojan virus spreads through legitimate-looking emails and files attached to emails,
which are spammed to reach the inboxes of as many people as possible. When the email
is opened and the malicious attachment is downloaded, the Trojan server will install and
automatically run every time the infected device is turned on.
Devices can also be infected by a Trojan through social engineering tactics, which
cyber criminals use to coerce users into downloading a malicious application. The
malicious file could be hidden in banner advertisements, pop-up advertisements, or links
on websites.
A computer infected by Trojan malware can also spread it to other computers. A
cybercriminal turns the device into a zombie computer, which means they have remote
control of it without the user knowing. Hackers can then use the zombie computer to
continue sharing malware across a network of devices, known as a botnet.
For example, a user might receive an email from someone they know, which includes
an attachment that also looks legitimate. However, the attachment contains malicious code
that executes and installs the Trojan on their device. The user often will not know anything
untoward has occurred, as their computer may continue to work normally with no signs of
it having been infected.
The malware will reside undetected until the user takes a certain action, such as
visiting a certain website or banking app. This will activate the malicious code, and the
Trojan will carry out the hacker’s desired action. Depending on the type of Trojan and
how it was created, the malware may delete itself, return to being dormant, or remain
active on the device.
Trojans can also attack and infect smartphones and tablets using a strand of mobile
malware. This could occur through the attacker redirecting traffic to a device connected to
a Wi-Fi network and then using it to launch cyberattacks.
Most Common Types of Trojan Malware

There are many types of Trojan horse viruses that cyber criminals use to carry out
different actions and different attack methods. The most common types of Trojans used
include:
1. Backdoor Trojan: A backdoor Trojan enables an attacker to gain remote access to a
computer and take control of it using a backdoor. This enables the malicious actor to
do whatever they want on the device, such as deleting files, rebooting the computer,
stealing data, or uploading malware. A backdoor Trojan is frequently used to create a
botnet through a network of zombie computers.
2. Banker Trojan: A banker Trojan is designed to target users’ banking accounts and
financial information. It attempts to steal account data for credit and debit cards, e-
payment systems, and online banking systems.
3. Distributed denial-of-service (DDoS) Trojan: These Trojan programs carry out
attacks that overload a network with traffic. It will send multiple requests from a
computer or a group of computers to overwhelm a target web address and cause a
denial of service.
4. Downloader Trojan: A downloader Trojan targets a computer that has already been
infected by malware, then downloads and installs more malicious programs to it. This
could be additional Trojans or other types of malware like adware.
5. Exploit Trojan: An exploit malware program contains code or data that takes
advantage of specific vulnerabilities within an application or computer system. The
cybercriminal will target users through a method like a phishing attack, then use the
code in the program to exploit a known vulnerability.
6. Fake antivirus Trojan: A fake antivirus Trojan simulates the actions of legitimate
antivirus software. The Trojan is designed to detect and remove threats like a regular
antivirus program, then extort money from users for removing threats that may be
non-existent.
7. Game-thief Trojan: A game-thief Trojan is specifically designed to steal user account
information from people playing online games.
8. Instant messaging (IM) Trojan: This type of Trojan targets IM services to steal
users’ logins and passwords. It targets popular messaging platforms such as AOL
Instant Messenger, ICQ, MSN Messenger, Skype, and Yahoo Pager.
9. Infostealer Trojan: This malware can either be used to install Trojans or prevent the
user from detecting the existence of a malicious program. The components of
infostealer Trojans can make it difficult for antivirus systems to discover them in
scans.
10. Mail finder Trojan: A mail finder Trojan aims to harvest and steal email addresses
that have been stored on a computer.
11. Ransom Trojan: Ransom Trojans seek to impair a computer’s performance or block
data on the device so that the user can no longer access or use it. The attacker will
then hold the user or organization ransom until they pay a ransom fee to undo the
device damage or unlock the affected data.
12. Remote access Trojan: Similar to a backdoor Trojan, this strand of malware gives the
attacker full control of a user’s computer. The cybercriminal maintains access to the
device through a remote network connection, which they use to steal information or
spy on a user.
13. Rootkit Trojan: A rootkit is a type of malware that conceals itself on a user’s
computer. Its purpose is to stop malicious programs from being detected, which
enables malware to remain active on an infected computer for a longer period.
14. Short message service (SMS) Trojan: An SMS Trojan infects mobile devices and is
capable of sending and intercepting text messages. This includes sending messages to
premium-rate phone numbers, which increases the costs on a user’s phone bill.
15. Spy Trojan: Spy Trojans are designed to sit on a user’s computer and spy on their
activity. This includes logging their keyboard actions, taking screenshots, accessing
the applications they use, and tracking login data.
16. SUNBURST: The SUNBURST Trojan was released on numerous SolarWinds
Orion Platform installations. Victims were compromised by trojanised versions of a
legitimate, digitally signed SolarWinds file named
SolarWinds.Orion.Core.BusinessLayer.dll. The trojanised file is a backdoor. Once on
a target machine, it remains dormant for a two-week period and will then retrieve
commands that allow it to transfer and execute files, perform reconnaissance, reboot
the machine, and halt system services. Communication occurs over HTTP to
predetermined URIs.
How to Recognize a Trojan Virus
A Trojan horse virus can often remain on a device for months without the user
knowing their computer has been infected. However, telltale signs of the presence of a
Trojan include computer settings suddenly changing, a loss in computer performance, or
unusual activity taking place. The best way to recognize a Trojan is to search a device
using a Trojan scanner or malware-removal software.
Examples of Trojan horse virus attacks
Trojan attacks have been responsible for causing major damage by infecting
computers and stealing user data. Well-known examples of Trojans include:
1. Rakhni Trojan: The Rakhni Trojan delivers ransomware or a cryptojacker tool—
which enables an attacker to use a device to mine cryptocurrency—to infect devices.
2. Tiny Banker: Tiny Banker enables hackers to steal users’ financial details. It was
discovered when it infected at least 20 U.S. banks.
3. Zeus or Zbot: Zeus is a toolkit that targets financial services and enables hackers to
build their own Trojan malware. The source code uses techniques like form grabbing
and keystroke logging to steal user credentials and financial details.
How to protect yourself from Trojan viruses
Practicing good cyber hygiene is always the best first line of defense against Trojan
viruses and other threats. Keep your operating systems updated and patched, run anti-
virus software and allow it to scan your devices regularly, and avoid phishing attacks by
carefully inspecting inbound emails.
While browsing the web, pay attention to the URLs displayed in your browser address
bar. Also, inspect links before you click on them. And install a privacy or security
extension from your browser vendor's extensions store.

4.DDOS ATTACK

DDoS Attack means "Distributed Denial-of-Service (DDoS) Attack" and it is a
cybercrime in which the attacker floods a server with internet traffic to prevent users from
accessing connected online services and sites.

Motivations for carrying out a DDoS vary widely, as do the types of individuals and
organizations eager to perpetrate this form of cyberattack. Some attacks are carried out by
disgruntled individuals and hacktivists wanting to take down a company's servers simply
to make a statement, have fun by exploiting cyber weakness, or express disapproval.

Other distributed denial-of-service attacks are financially motivated, such as a
competitor disrupting or shutting down another business's online operations to steal
business away in the meantime. Others involve extortion, in which perpetrators attack a
company and install hostageware or ransomware on their servers, then force them to pay
a large financial sum for the damage to be reversed.

DDoS attacks are on the rise, and even some of the largest global companies are not
immune to being "DDoS'ed". The largest attack in history occurred in February 2020 to
none other than Amazon Web Services (AWS), overtaking an earlier attack on GitHub
two years prior. DDoS ramifications include a drop in legitimate traffic, lost business, and
reputation damage.
As the Internet of Things (IoT) continues to proliferate and the number of remote
employees working from home grows, so will the number of devices connected to a
network. The security of each IoT device may not necessarily keep up, leaving the
network to which it is connected vulnerable to attack. As such, DDoS protection and
mitigation are crucial.
How DDoS Attacks Work
A DDoS attack aims to overwhelm the devices, services, and network of its intended
target with fake internet traffic, rendering them inaccessible to or useless for legitimate
users.
DoS vs. DDoS
A distributed denial-of-service attack is a subcategory of the more general denial-of-
service (DoS) attack. In a DoS attack, the attacker uses a single internet connection to
barrage a target with fake requests or to try and exploit a cybersecurity vulnerability.
DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to fulfil
its goal. The sheer volume of the devices used makes DDoS much harder to fight.
Botnets
Botnets are the primary way distributed denial-of-service-attacks are carried out. The
attacker will hack into computers or other devices and install a malicious piece of code,
or malware, called a bot. Together, the infected computers form a network called a botnet.
The attacker then instructs the botnet to overwhelm the victim's servers and devices with
more connection requests than they can handle.

DDoS Attack Symptoms and How to Identify Them

One of the biggest issues with identifying a DDoS attack is that the symptoms are not
unusual. Many of the symptoms are similar to what technology users encounter every
day, including slow upload or download performance speeds, the website becoming
unavailable to view, a dropped internet connection, unusual media and content, or an
excessive amount of spam.

Further, a DDoS attack may last anywhere from a few hours to a few months, and the
degree of attack can vary.

Types of DDoS Attacks

Different attacks target different parts of a network, and they are classified according
to the network connection layers they target. A connection on the internet is comprised of
seven different “layers," as defined by the Open Systems Interconnection (OSI)
model created by the International Organization for Standardization. The model allows
different computer systems to be able to "talk" to each other.

Volume-based or volumetric attacks

This type of attack aims to consume all available bandwidth between the victim and the
larger internet. Domain name system (DNS) amplification is an example of a volume-
based attack. In this scenario, the attacker spoofs the target's address, then sends a DNS
name lookup request to an open DNS server with the spoofed address. When the DNS
server sends the DNS record response, it is sent instead to the target, resulting in the
target receiving an amplification of the attacker’s initially small query.

Protocol attacks

Protocol attacks consume all available capacity of web servers or other resources,
such as firewalls. They expose weaknesses in Layers 3 and 4 of the OSI protocol stack to
render the target inaccessible.

A SYN flood is an example of a protocol attack, in which the attacker sends the target
an overwhelming number of transmission control protocol (TCP) handshake requests
with spoofed source Internet Protocol (IP) addresses. The targeted servers attempt to
respond to each connection request, but the final handshake never occurs, overwhelming
the target in the process.
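The half-open state the paragraph describes is also what a defender can watch for: SYNs that are never followed by the completing ACK. The following is an added example, not code from the original unit, that tracks handshakes over a constructed event log and alerts when many half-open connections from many distinct sources pile up on one port; the thresholds, window and field names are assumptions chosen for the illustration.

```python
"""Half-open TCP connection tracker that flags a SYN flood from connection events.

Added example, not part of the original unit text. It consumes constructed event
tuples rather than live packets; the tuple layout (ts, src, sport, dport, flag) and
the thresholds below are assumptions for this illustration.
"""
from collections import defaultdict

# Illustrative thresholds (assumptions, not published values).
HALF_OPEN_THRESHOLD = 50      # half-open connections on one destination port
WINDOW_SECONDS = 10.0         # only handshakes started within this window count
MIN_DISTINCT_SOURCES = 40     # spoofed floods show many never-completing sources


def track_half_open(events, now):
    """Return {dport: set of (src, sport)} for handshakes that never completed.

    A "SYN" event records a client's connection request; an "ACK" event with the
    same (src, sport, dport) is the client's final handshake step and clears it.
    Requests older than WINDOW_SECONDS at time `now` are treated as stale.
    """
    pending = {}  # (src, sport, dport) -> timestamp of the SYN
    for ts, src, sport, dport, flag in events:
        key = (src, sport, dport)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK":
            pending.pop(key, None)
    half_open = defaultdict(set)
    for (src, sport, dport), ts in pending.items():
        if now - ts <= WINDOW_SECONDS:
            half_open[dport].add((src, sport))
    return half_open


def detect_syn_flood(events, now):
    """Return sorted [(dport, half_open_count, distinct_sources)] judged to be floods.

    Both conditions must hold: many half-open connections, and many distinct
    sources, which is what spoofed source addresses look like from the target.
    """
    alerts = []
    for dport, conns in track_half_open(events, now).items():
        sources = {src for src, _ in conns}
        if len(conns) >= HALF_OPEN_THRESHOLD and len(sources) >= MIN_DISTINCT_SOURCES:
            alerts.append((dport, len(conns), len(sources)))
    return sorted(alerts)


def constructed_events():
    """Constructed event log: completed benign handshakes plus a spoofed SYN flood."""
    events = []
    # 20 legitimate clients on port 443: every SYN is followed by its ACK.
    for i in range(20):
        src = f"10.0.0.{i + 1}"
        events.append((100.0 + i * 0.1, src, 40000 + i, 443, "SYN"))
        events.append((100.0 + i * 0.1 + 0.02, src, 40000 + i, 443, "ACK"))
    # 200 SYNs from 200 distinct (documentation-range) sources that never complete.
    for i in range(200):
        events.append((105.0 + i * 0.01, f"198.51.100.{i}", 50000 + i, 443, "SYN"))
    # Five old, never-completed handshakes on port 80: stale, so they should not count.
    for i in range(5):
        events.append((1.0 + i, f"10.0.1.{i + 1}", 30000 + i, 80, "SYN"))
    return events


if __name__ == "__main__":
    for dport, count, sources in detect_syn_flood(constructed_events(), now=110.0):
        print(f"possible SYN flood on port {dport}: {count} half-open from {sources} sources")
```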

Application-layer attacks

These attacks also aim to exhaust or overwhelm the target's resources but are difficult
to flag as malicious. Often referred to as a Layer 7 DDoS attack—referring to Layer 7 of
the OSI model—an application-layer attack targets the layer where web pages are
generated in response to Hypertext Transfer Protocol (HTTP) requests.

A server runs database queries to generate a web page. In this form of attack, the
attacker forces the victim's server to handle more than it normally does. An HTTP flood is
a type of application-layer attack and is similar to constantly refreshing a web browser on
different computers all at once. In this manner, the excessive number of HTTP requests
overwhelms the server, resulting in a DDoS.

DDoS Attack Prevention


Even if you know what a DDoS attack is, it is extremely difficult to avoid one because
detection is a challenge. This is because the symptoms of the attack may not vary much
from typical service issues, such as slow-loading web pages, and the level of
sophistication and complexity of DDoS techniques continues to grow.

Further, many companies welcome a spike in internet traffic, especially if the company
recently launched new products or services or announced market-moving news. As such,
prevention is not always possible, so it is best for an organization to plan a response for
when these attacks occur.

DDoS Mitigation

Once a suspected attack is underway, an organization has several options to mitigate
its effects.

Risk assessment

Organizations should regularly conduct risk assessments and audits on their devices,
servers, and network. While it is impossible to completely avoid a DDoS, a thorough
awareness of both the strengths and vulnerabilities of the organization's hardware and
software assets goes a long way. Knowing the most vulnerable segments of an
organization's network is key to understanding which strategy to implement to lessen the
damage and disruption that a DDoS attack can impose.

Traffic differentiation

If an organization believes it has just been victimized by a DDoS, one of the first
things to do is determine the quality or source of the abnormal traffic. Of course, an
organization cannot shut off traffic altogether, as this would be throwing out the good
with the bad.

As a mitigation strategy, use an Anycast network to scatter the attack traffic across a
network of distributed servers. This is performed so that the traffic is absorbed by the
network and becomes more manageable.

Black hole routing

Another form of defence is black hole routing, in which a network administrator—or
an organization's internet service provider—creates a black hole route and pushes traffic
into that black hole. With this strategy, all traffic, both good and bad, is routed to a null
route and essentially dropped from the network. This can be rather extreme, as legitimate
traffic is also stopped and can lead to business loss.

Rate limiting

Another way to mitigate DDoS attacks is to limit the number of requests a server can
accept within a specific time frame. This alone is generally not sufficient to fight a more
sophisticated attack but might serve as a component of a multipronged approach.

Firewalls

To lessen the impact of an application-layer or Layer 7 attack, some organizations opt
for a Web Application Firewall (WAF). A WAF is an appliance that sits between the
internet and a company's servers and acts as a reverse proxy. As with all firewalls, an
organization can create a set of rules that filter requests. They can start with one set of
rules and then modify them based on what they observe as patterns of suspicious activity
carried out by the DDoS.
DDoS Protection Solution

A fully robust DDoS protection solution includes elements that help an organization
in both defense and monitoring. As the sophistication and complexity level of attacks
continue to evolve, companies need a solution that can assist them with both known
and zero-day attacks. A DDoS protection solution should employ a range of tools that can
defend against every type of DDoS attack and monitor hundreds of thousands of
parameters simultaneously.

5.DOS ATTACK

Denial of Service (DoS) is a cyber-attack on an individual Computer or Website with the
intent to deny services to intended users. Its purpose is to disrupt an organization’s
network operations by denying access to its users. Denial of service is typically
accomplished by flooding the targeted machine or resource with surplus requests in an
attempt to overload systems and prevent some or all legitimate requests from being
fulfilled. For example, if a bank website can handle 10 people a second by clicking the
Login button, an attacker only has to send 10 fake requests per second to make it so no
legitimate users can log in. DoS attacks exploit various weaknesses in computer network
technologies. They may target servers, network routers, or network communication links.
They can cause computers and routers to crash and links to bog down. The most famous
DoS technique is the Ping of Death. The Ping of Death attack works by generating and
sending special network messages (specifically, ICMP packets of non-standard sizes) that
cause problems for systems that receive them. In the early days of the Web, this attack
could cause unprotected Internet servers to crash quickly. It is strongly recommended to
try all described activities on virtual machines rather than in your working
environment.
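As an added example (not part of these notes), here is a defender-side check for the Ping of Death condition described above: an IPv4 fragment whose offset plus payload length would push the reassembled datagram past the 65535-byte limit. The packet builder, addresses and sample fragments are constructed for illustration only.

```python
import struct

MAX_DATAGRAM = 65535  # largest IPv4 datagram: total length is a 16-bit field

def parse_fragment(packet: bytes):
    """Decode the IPv4 header fields needed to size the reassembled datagram.

    Returns (ident, more_fragments, offset_bytes, payload_len).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    offset_bytes = (flags_frag & 0x1FFF) * 8     # fragment offset is in 8-byte units
    return ident, more_fragments, offset_bytes, total_len - ihl

def is_oversized_fragment(packet: bytes) -> bool:
    """True if this fragment lands beyond the 65535-byte limit once reassembled."""
    _, _, offset, payload_len = parse_fragment(packet)
    return offset + payload_len > MAX_DATAGRAM

def flag_oversized(packets) -> set:
    """Identification values of datagrams that have at least one oversized fragment."""
    return {parse_fragment(p)[0] for p in packets if is_oversized_fragment(p)}

def build_fragment(ident: int, offset_bytes: int, payload_len: int, more: bool = False) -> bytes:
    """Constructed ICMP-in-IPv4 fragment for testing (zeroed payload, no checksum)."""
    assert offset_bytes % 8 == 0 and offset_bytes // 8 <= 0x1FFF
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len

if __name__ == "__main__":
    # Constructed sample: a normal first fragment, the last fragment of a maximum-size
    # legitimate ping (65515 bytes of IP payload in total), and a last fragment that overflows.
    sample = [
        build_fragment(1, 0, 1480, more=True),
        build_fragment(2, 65504, 11),
        build_fragment(3, 65528, 1480),
    ]
    print("oversized datagram ids:", flag_oversized(sample))  # {3}
```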

Following is the command for performing flooding of requests on an IP.

ping ip_address -t -l(65500)

HERE,

 “ping” sends the data packets to the victim.

 “ip_address” is the IP address of the victim.

 “-t” means the data packets should be sent until the program is stopped.

 “-l(65500)” specifies the data load to be sent to the victim.

Other basic types of DoS attacks involve:

 Flooding a network with useless activity so that genuine traffic cannot get through.
The TCP/IP SYN and Smurf attacks are two common examples.

 Remotely overloading a system’s CPU so that valid requests cannot be processed.

 Changing permissions or breaking authorization logic to prevent users from logging
into a system. One common example involves triggering a rapid series of false login
attempts that lock accounts out from being able to log in.

 Deleting or interfering with specific critical applications or services to prevent their
normal operation (even if the system and network overall are functional).

Another variant of the DoS is the Smurf attack. This involves emails with automatic
responses. If someone sends hundreds of email messages with a fake return email
address to hundreds of people in an organization who have an autoresponder enabled,
the initially sent messages can become thousands sent to the fake email address. If that
fake email address belongs to someone, this can overwhelm that person’s account. DoS
attacks can cause the following problems:

 Ineffective services

 Inaccessible services

 Interruption of network traffic

 Connection interference

How Do DoS Attacks Work?

DoS attacks typically exploit vulnerabilities in a target’s network or computer systems.
Attackers can use a variety of methods to generate overwhelming traffic or requests,
including:

1. Flooding the target with a massive amount of data

2. Sending repeated requests to a specific part of the system

3. Exploiting software vulnerabilities to crash the system

Prevention

Given that Denial of Service (DoS) attacks are becoming more frequent, it is
a good time to review the basics and how we can fight back.

 Cloud Mitigation Provider – Cloud mitigation providers are experts at providing
DDoS mitigation from the cloud. This means they have built out massive amounts of
network bandwidth and DDoS mitigation capacity at multiple sites around the Internet
that can take in any type of network traffic, whether you use multiple ISPs, your own
data centre, or any number of cloud providers. They can scrub the traffic for you and
only send “clean” traffic to your data centre.

 Firewall – This is the simplest and least effective method. Python scripts are often
written to filter out malicious traffic, or existing firewalls can be utilized by
enterprises to block such traffic.
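An added example, not from these notes, that serves both the rate limiting mitigation described earlier and the firewall-script idea here: a per-client sliding-window limiter run over constructed request log lines, with any client that keeps exceeding the limit moved to a deny list. The log format, addresses and traffic are constructed for illustration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_ms` millisecond window."""

    def __init__(self, limit: int, window_ms: int):
        self.limit, self.window_ms = limit, window_ms
        self.history = defaultdict(deque)  # client -> timestamps (ms) of accepted requests

    def allow(self, client: str, ts_ms: int) -> bool:
        dq = self.history[client]
        while dq and dq[0] <= ts_ms - self.window_ms:  # forget requests that left the window
            dq.popleft()
        if len(dq) >= self.limit:
            return False
        dq.append(ts_ms)
        return True

def filter_log(lines, limit=10, window_ms=1000, block_after=5):
    """Run '<ts_ms> <client_ip> <request>' lines through the limiter.

    Clients that collect `block_after` rejections go on a deny list and lose all further
    requests, as a firewall script would do. Returns (accepted, rejected, blocked).
    """
    limiter = SlidingWindowLimiter(limit, window_ms)
    rejections, blocked = defaultdict(int), set()
    accepted, rejected = [], []
    for line in lines:
        ts, client, _request = line.split(" ", 2)
        if client in blocked or not limiter.allow(client, int(ts)):
            rejected.append(line)
            rejections[client] += 1
            if rejections[client] >= block_after:
                blocked.add(client)
        else:
            accepted.append(line)
    return accepted, rejected, blocked

def constructed_log():
    """Constructed sample traffic (not a real capture): a browsing client and a login flooder."""
    events = [(i * 500, "203.0.113.5", "GET /account") for i in range(4)]   # 4 requests in 1.5 s
    events += [(i * 50, "198.51.100.7", "POST /login") for i in range(30)]  # 30 requests in 1.5 s
    return [f"{ts} {ip} {req}" for ts, ip, req in sorted(events)]

if __name__ == "__main__":
    ok, dropped, deny = filter_log(constructed_log())
    print(f"accepted={len(ok)} rejected={len(dropped)} blocked={sorted(deny)}")  # 14, 20, ['198.51.100.7']
```

The limit of 10 per second mirrors the bank-login figure used earlier in these notes; the browsing client is never throttled while the flooder is cut off after its first ten requests.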

 Internet Service Provider (ISP) – Some enterprises use their ISP to provide DDoS
mitigation. These ISPs have more bandwidth than an enterprise would, which can
help with large volumetric attacks.

Features to help mitigate these attacks:

Network Segmentation: Segmenting the network can help prevent a DoS attack from
spreading throughout the entire network. This limits the impact of an attack and helps to
isolate the affected systems.

Implement Firewalls: Firewalls can help prevent DoS attacks by blocking traffic from
known malicious IP addresses or by limiting the amount of traffic allowed from a single
source.

Use Intrusion Detection and Prevention Systems: Intrusion Detection and Prevention
Systems (IDS/IPS) can help to detect and block DoS attacks by analyzing network traffic
and blocking malicious traffic.

Limit Bandwidth: Implementing bandwidth limitations on incoming traffic can help
prevent a DoS attack from overwhelming the network or server.

Implement Content Delivery Network (CDN): A CDN can help to distribute traffic and
reduce the impact of a DoS attack by distributing the load across multiple servers.

Use Anti-Malware Software: Anti-malware software can help to detect and prevent
malware from being used in a DoS attack, such as botnets.

Perform Regular Network Scans: Regular network scans can help identify
vulnerabilities and misconfigurations that can be exploited in a DoS attack. Patching
these vulnerabilities can prevent a DoS attack from being successful.

Develop a Response Plan: Having a DoS response plan in place can help minimize the
impact of an attack. This plan should include steps for identifying the attack, isolating
affected systems, and restoring normal operations.
