
3.1 Network Vulnerabilities and Attacks


Networks are the connective tissue of modern organizations, but they also present a broad surface for attacks. Adversaries can exploit vulnerabilities in network protocols and devices to intercept data, disrupt services, or gain unauthorized access to internal systems.

One common technique is an on-path attack (also known as a man-in-the-middle attack), where an adversary secretly intercepts and potentially alters the communication between two parties. A frequent method for this is ARP poisoning. The Address Resolution Protocol (ARP) is used on local networks to map a device's logical IP address to its physical MAC address. In an ARP poisoning attack, an adversary sends falsified ARP messages to a network's default gateway. This corrupts the gateway's ARP table, causing it to associate the adversary's MAC address with the IP address of a legitimate device. As a result, network traffic intended for the victim is sent to the adversary's machine instead. This act of faking a MAC address is called MAC spoofing.
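Both symptoms described above are visible to a passive monitor on the LAN: a legitimate IP suddenly advertising a new MAC, and one MAC answering for several IPs. The following detector is an added example, not code from the original page; it runs over a constructed log of ARP replies (invented timestamps, addresses and the `is-at` log format) and optionally pins the gateway's true MAC so a contradicting reply is always flagged.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as a passive LAN monitor might log them
# (timestamp, sender IP, sender MAC). Not real captured traffic.
SAMPLE_ARP_REPLIES = """\
10:00:01 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 reply 192.168.1.50 is-at aa:bb:cc:00:00:50
10:00:05 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:09 reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 reply 192.168.1.50 is-at de:ad:be:ef:00:99
10:00:12 reply 192.168.1.1 is-at de:ad:be:ef:00:99
"""

ARP_LINE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


def parse_arp_log(text):
    """Turn log text into (timestamp, ip, mac) tuples, skipping lines that do not match."""
    replies = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_poisoning(replies, trusted=None):
    """Flag the two symptoms of ARP poisoning visible in a stream of replies.

    trusted: optional {ip: mac} pins (e.g. the default gateway) that are never
    overwritten by what the wire says. Returns a list of alert dicts.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)          # pinned or first-seen MAC per IP
    mac_to_ips = defaultdict(set)      # every IP a MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            # Symptom 1: an IP's MAC changed (or contradicts a pin)
            alerts.append({"kind": "ip_mac_change", "ts": ts, "ip": ip,
                           "old": known, "new": mac})
            if ip not in trusted:
                ip_to_mac[ip] = mac    # follow the change for unpinned hosts
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # Symptom 2: one MAC answering for several IPs
                alerts.append({"kind": "mac_claims_multiple_ips", "ts": ts,
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    pins = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # constructed gateway pin
    for alert in detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_REPLIES), trusted=pins):
        print(alert)
```

In the sample, the gateway pin keeps every later reply claiming `192.168.1.1` under alert, while the unpinned host `192.168.1.50` is only flagged at the moment its mapping changes. The same checks are what switch features such as dynamic ARP inspection apply in hardware, using the DHCP snooping table as the trusted mapping.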

Switches, the devices that forward traffic within a local network, are also targets. A MAC flooding attack occurs when an adversary bombards a switch with a large number of Ethernet frames, each carrying a different, fake source MAC address. This can overwhelm the switch's MAC address table (its content-addressable memory, or CAM, table), which records which MAC address was seen on which port. When this table is full, the switch may enter a "fail-open" mode in which it broadcasts every incoming frame to every port, behaving like a hub. This allows the adversary to capture traffic that the switch would otherwise have delivered only to the intended port, a form of eavesdropping or sniffing.
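A flooding attempt stands out because a single access port, which normally carries a handful of source MACs, suddenly carries dozens within seconds. The detector below is an added example, not code from the original page; the port names, timestamps and MAC addresses are constructed, and the window and threshold are assumed values a network team would tune to its own environment.

```python
from collections import defaultdict, deque


def build_sample_frames():
    """Constructed frame records (timestamp_seconds, switch_port, source_mac); not real traffic."""
    frames = []
    # Gi1/0/3: a normal access port with two hosts behind it
    for i in range(20):
        mac = "aa:bb:cc:00:00:03" if i % 2 else "aa:bb:cc:00:00:04"
        frames.append((float(i), "Gi1/0/3", mac))
    # Gi1/0/7: 50 frames with 50 different fabricated source MACs inside two seconds
    for i in range(50):
        frames.append((5.0 + i * 0.04, "Gi1/0/7",
                       f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"))
    return frames


def detect_mac_flooding(frames, window_seconds=10.0, max_macs_per_port=8):
    """Alert once per port when more than max_macs_per_port distinct source MACs
    appear on it within a sliding window of window_seconds."""
    recent = defaultdict(deque)   # port -> deque of (ts, mac) inside the window
    alerted = set()
    alerts = []
    for ts, port, mac in sorted(frames):
        q = recent[port]
        q.append((ts, mac))
        # drop frames that have aged out of the window
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > max_macs_per_port and port not in alerted:
            alerted.add(port)
            alerts.append({"port": port, "ts": ts, "distinct_macs": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mac_flooding(build_sample_frames()):
        print(alert)
```

The matching preventive control is port security on the switch, which caps the number of MAC addresses a port may learn and shuts down or restricts the port when the cap is exceeded, so the table can never be filled from a single port.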

The Domain Name System (DNS), which translates human-readable domain names into IP addresses, is another critical service that can be attacked. In a DNS poisoning attack, an adversary compromises a DNS server and injects a fake DNS record. This record redirects users trying to access a legitimate website to a malicious site controlled by the adversary. Often, this malicious site is a replica of the real one, designed for credential harvesting. Unsuspecting users enter their username and password, which are then captured by the adversary.
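The defensive side of this attack lives in the resolver: a fake record can only enter the cache if the resolver accepts a response it did not ask for. The model below is an added example, not the page's own code and not a real resolver; it keeps a table of outstanding queries keyed by transaction ID, source port and question name, and discards any response that does not match one of them or that does not come from the configured upstream server. All addresses and names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # UDP source port the query left from
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # UDP port the response arrived on
    qname: str
    answer: str
    server_ip: str   # address the datagram claims to come from


class StubResolverCache:
    """Accept a response only if it matches a query this resolver actually sent."""

    def __init__(self, upstream_ip):
        self.upstream_ip = upstream_ip
        self.pending = {}      # (txid, port, qname) -> Query
        self.cache = {}        # qname -> answer
        self.rejected = []

    def send_query(self, qname):
        qname = qname.lower().rstrip(".")
        # random ID and random ephemeral port: both must be guessed to forge a match
        q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname)
        self.pending[(q.txid, q.src_port, qname)] = q
        return q

    def receive_response(self, r):
        key = (r.txid, r.dst_port, r.qname.lower().rstrip("."))
        q = self.pending.get(key)
        if q is None or r.server_ip != self.upstream_ip:
            self.rejected.append(r)
            return False
        del self.pending[key]          # a matching response consumes the query
        self.cache[q.qname] = r.answer
        return True


def demo():
    """Constructed scenario: a forged, a genuine and a replayed response to one query."""
    resolver = StubResolverCache(upstream_ip="198.51.100.53")
    q = resolver.send_query("bank.example")
    forged = Response((q.txid + 1) % 65536, q.src_port, "bank.example",
                      "203.0.113.66", "198.51.100.53")
    genuine = Response(q.txid, q.src_port, "bank.example",
                       "192.0.2.10", "198.51.100.53")
    results = (resolver.receive_response(forged),
               resolver.receive_response(genuine),
               resolver.receive_response(genuine))   # replay after the query was consumed
    return results, resolver.cache.get("bank.example")


if __name__ == "__main__":
    print(demo())
```

These checks raise the cost of injecting a record but do not make it impossible, which is why DNSSEC, where records carry signatures the resolver can verify, is the control that actually closes the gap.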

Adversaries also seek to disrupt network availability through denial-of-service (DoS) attacks. A smurf attack is a type of DoS attack that uses the Internet Control Message Protocol (ICMP). The adversary sends a large number of ICMP echo requests to a network's broadcast address, but spoofs the source IP address to be that of the victim. Every device on the network then replies to the victim, flooding it with traffic and making it unavailable. When multiple attacking machines are used to overwhelm a single target, it is known as a distributed denial-of-service (DDoS) attack.
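From the victim's side a smurf attack looks like a burst of ICMP echo replies from many different hosts, none of which the victim ever pinged. The detector below is an added example, not code from the original page; it pairs each reply with an echo request the receiver actually sent and counts the distinct sources of replies that have no such match. The flow records, addresses, window and threshold are all constructed or assumed.

```python
from collections import defaultdict, deque


def build_sample_icmp():
    """Constructed ICMP flow records (timestamp, type, src_ip, dst_ip); not real traffic."""
    records = [
        (0.0, "echo-request", "10.0.0.5", "10.0.0.1"),   # victim pings its gateway
        (0.1, "echo-reply", "10.0.0.1", "10.0.0.5"),      # gateway answers: solicited
    ]
    # 40 echo replies from 40 hosts on 192.0.2.0/24 reach 10.0.0.5 within 0.4 s,
    # although 10.0.0.5 never sent any of them a request
    for i in range(40):
        records.append((1.0 + i * 0.01, "echo-reply", f"192.0.2.{i + 1}", "10.0.0.5"))
    return records


def detect_unsolicited_echo_replies(records, window_seconds=5.0, min_sources=10):
    """Alert once per receiver when at least min_sources distinct hosts send it
    echo replies that match no echo request it sent within window_seconds."""
    outstanding = defaultdict(deque)    # (requester, target) -> request timestamps
    unsolicited = defaultdict(dict)     # receiver -> {reply source: last seen ts}
    alerted = set()
    alerts = []
    for ts, kind, src, dst in sorted(records):
        if kind == "echo-request":
            outstanding[(src, dst)].append(ts)
            continue
        if kind != "echo-reply":
            continue
        q = outstanding[(dst, src)]
        while q and ts - q[0] > window_seconds:   # expire stale requests
            q.popleft()
        if q:
            q.popleft()                 # reply matches a request dst really sent
            continue
        seen = unsolicited[dst]
        seen[src] = ts
        for s in [s for s, t in seen.items() if ts - t > window_seconds]:
            del seen[s]
        if len(seen) >= min_sources and dst not in alerted:
            alerted.add(dst)
            alerts.append({"victim": dst, "ts": ts, "distinct_sources": len(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect_unsolicited_echo_replies(build_sample_icmp()):
        print(alert)
```

Detection at the victim only tells you the flood is happening; the attack is stopped at the amplifying network, by configuring routers not to forward directed broadcasts and hosts not to answer ICMP requests sent to a broadcast address.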

Exploiting these vulnerabilities can lead to significant risk, impacting the confidentiality, integrity, and availability of an organization's data and services. A high-risk scenario could involve a single, unsegmented internal network with weak wireless encryption, where an attacker could easily capture sensitive traffic. A moderate risk might be a firewall that fails to block external ICMP traffic, allowing an attacker to map the internal network. Automated vulnerability scanners can help identify these weaknesses, producing reports that detail the vulnerabilities, their severity, and recommendations for mitigation.