Distributed Denial of Service (DDoS) attack

Unlike a Denial of Service (DoS) attack, which originates from a single source, a DDoS attack involves multiple sources, often geographically distributed. These sources send an overwhelming volume of traffic to the target server, which can include a variety of traffic types such as HTTP requests, SYN packets and DNS queries. The target's resources are exhausted: network bandwidth, server CPU and memory are consumed, and services and websites become unavailable to legitimate users.

DDoS defence

  • Traffic filtering
    • Use firewalls to analyse and filter network traffic at the IP level based on the protocol used (e.g. TCP, UDP, ICMP). Rules are defined to allow or block packets depending on their protocol, source IP, destination IP, port number and other header information.
    • It is effective against DDoS attacks that use specific protocols or port numbers (e.g. SYN floods, UDP floods).
    • However, protocol-based filtering may not be effective against sophisticated attacks: it may block legitimate traffic, and malicious traffic may slip through if it mimics normal traffic patterns.
    • Cloudflare provides a modern, comprehensive DDoS mitigation service by routing all incoming traffic through its data centres. It uses advanced algorithms and machine learning to analyse traffic patterns and to identify and block malicious traffic.
  • Proof of Work (PoW) shield
    • PoW requires clients to solve computational puzzles before their requests are processed.
    • This method filters out malicious traffic at the application layer by making it computationally expensive for attackers to flood the server.
    • Legitimate users can solve the puzzles relatively easily, while the cost for an attacker to solve a large number of puzzles becomes prohibitive.
  • Distributed system
    • Distributed systems, with their inherent scalability, redundancy and failover capabilities, are well suited to withstanding DDoS attacks. (More on Scalability and High Availability in Cloud Computing.)
    • Load balancing: load balancers distribute incoming traffic across multiple servers or data centres. By spreading the load evenly, the system prevents any single server from being overwhelmed by a surge in traffic.
    • Vertical scalability: the distributed system can add more memory and CPU power to existing servers to handle increased traffic.
    • Horizontal scalability: when experiencing high traffic volumes, the distributed system can bring up more servers to share the traffic load.
    • Failover mechanism: the distributed system achieves fault tolerance by deploying servers across multiple geographic regions, minimising the impact of regional outages.
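A hashcash-style PoW shield of the kind described above, as an added example that is not part of the original notes: the server issues a challenge bound to the client and a timestamp, the client searches for a counter whose hash has enough leading zero bits, and the server verifies with one MAC and one hash regardless of how much work the client spent. The key, field names and difficulty are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; in deployment it comes from a secret store.
SERVER_KEY = b"constructed-demo-server-key"
DIFFICULTY_BITS = 16  # leading zero bits a solution hash must have (~65k hashes per request)


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _challenge_tag(client_id: str, nonce: str, issued: int, difficulty: int) -> str:
    # Keyed MAC over the challenge fields lets the server verify it later without storing it.
    data = f"{client_id}|{nonce}|{issued}|{difficulty}".encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def issue_challenge(client_id: str, difficulty: int = DIFFICULTY_BITS) -> dict:
    """Server: hand out a fresh random challenge bound to this client and to the current time."""
    nonce, issued = secrets.token_hex(16), int(time.time())
    return {"client_id": client_id, "nonce": nonce, "issued": issued, "difficulty": difficulty,
            "tag": _challenge_tag(client_id, nonce, issued, difficulty)}


def _puzzle_hash(ch: dict, counter: int) -> bytes:
    return hashlib.sha256(f"{ch['nonce']}|{ch['client_id']}|{counter}".encode()).digest()


def solve_challenge(ch: dict) -> int:
    """Client: brute-force a counter until the puzzle hash has enough leading zero bits.
    Expected cost is 2**difficulty hashes per request, which is what makes flooding expensive."""
    counter = 0
    while _leading_zero_bits(_puzzle_hash(ch, counter)) < ch["difficulty"]:
        counter += 1
    return counter


def verify_solution(ch: dict, counter: int, max_age: int = 60, now=None) -> bool:
    """Server: one MAC and one hash, however much work the client spent."""
    now = int(time.time()) if now is None else now
    expected = _challenge_tag(ch["client_id"], ch["nonce"], ch["issued"], ch["difficulty"])
    if not hmac.compare_digest(expected, ch["tag"]):
        return False  # challenge was forged or its difficulty lowered
    if now - ch["issued"] > max_age:
        return False  # expired: solutions cannot be stockpiled and spent later
    return _leading_zero_bits(_puzzle_hash(ch, counter)) >= ch["difficulty"]
```

Raising `DIFFICULTY_BITS` by one doubles the client's expected work while the server's verification cost stays constant.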

Replay attack

A replay attack is a form of network attack in which an attacker captures a valid network transmission and retransmits it later to the receiver, tricking it into performing an unintended action, such as baiting clients into sending duplicate transactions.

Same session replay attack

During a replay attack, the attacker cannot breach the confidentiality, integrity or authentication of the communication, because of the properties TLS provides. The attacker instead attempts a replay by duplicating one or more messages in the transmission channel. For example, if a client such as a bank branch sends a message to the bank HQ recording a deposit of $100, replaying that message can cause HQ to record a deposit of $300 instead of $100.

Mitigation in TLS

In TLS, sequence numbers are used to prevent such attacks. Each message exchanged between the client and the server is assigned a unique sequence number. When the server receives a message, it logs the message along with its sequence number; if a message arrives with a sequence number it has already seen, the server ignores it.

Cross session replay attack

Imagine that Alice is trying to log into her online banking account using a secure web connection. When she enters her login credentials and clicks the submit button, the login request is sent to the bank server over the TLS connection. An attacker is monitoring the network and captures the login request as it is transmitted. The attacker then waits until Alice has logged out of her account and retransmits the captured login request to the bank server. Because the login request is valid, the server might mistakenly accept it and grant the attacker access to Alice’s account.

Mitigation in TLS

In TLS, timestamps and nonces (numbers used once) are used together to prevent such attacks. Nonces are random values generated by the server and included in the messages exchanged during the TLS handshake. Combined with timestamps, they form a unique identifier for each message, ensuring that every message exchanged is fresh and not a replay. The recipient checks whether a nonce has already been seen and rejects duplicates.
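The two mitigations above (sequence numbers against same-session replays; a server-issued nonce plus a timestamp against cross-session replays) combined in one toy receiver, as an added example that is not part of the original notes. It uses an HMAC over a JSON message in place of the TLS record layer; the key, message fields and skew window are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key standing in for the TLS session key shared by client and server.
SESSION_KEY = b"constructed-demo-session-key"


def make_message(seq: int, nonce: str, ts: int, body: dict) -> bytes:
    """Client: the MAC covers seq, nonce and timestamp, so a replayed copy cannot have them altered."""
    payload = json.dumps({"seq": seq, "nonce": nonce, "ts": ts, "body": body}, sort_keys=True).encode()
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class ReplayGuardedServer:
    def __init__(self, max_skew: int = 30):
        self.max_skew = max_skew   # seconds a message timestamp may differ from the server clock
        self.session_nonce = None
        self.next_seq = 0

    def start_session(self) -> str:
        """Server issues a fresh random nonce; every message in this session must carry it."""
        self.session_nonce = secrets.token_hex(16)
        self.next_seq = 0          # sequence numbers restart with each session
        return self.session_nonce

    def accept(self, wire: bytes, now: int) -> tuple:
        """Return (accepted, reason) for one received message."""
        payload, _, tag = wire.rpartition(b".")
        expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"                      # tampered or forged
        msg = json.loads(payload)
        if msg["seq"] != self.next_seq:
            return False, "sequence number reused"       # same-session replay (duplicate message)
        if msg["nonce"] != self.session_nonce:
            return False, "nonce from another session"   # cross-session replay of an old capture
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"              # replayed long after it was captured
        self.next_seq += 1
        return True, "accepted"
```

A captured login from one session fails the nonce check in the next session even though its sequence number (0) would otherwise be valid again.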
