CISSP Study Guide Notes: 4.15 Network Attacks

Denial of Service


A denial-of-service (DoS) attack can take many forms, but at its essence it is an attack on the availability leg of the AIC triad: the target is left unable to serve its legitimate users.

Malformed Packets

In the early days of the Internet, protocol implementations such as IP and ICMP were in their infancy and there was no shortage of vulnerabilities to be found and exploited. Perhaps the most famous of these (and certainly the one with the most colorful name) was the Ping of Death. This attack sent a single, oversized ICMP Echo Request to a computer, which resulted in the "death" of its network stack until the machine was restarted. It exploited the fact that many early networking stacks did not enforce the maximum length of an IP packet, which is 65,535 bytes (the IP Total Length field is only 16 bits wide). A ping larger than that cannot be sent as one packet, but it can be sent as a series of IP fragments; a vulnerable stack accepted each fragment without checking that its offset plus its length stayed within the limit, so the reassembled datagram overflowed the buffer it was being written into, and many common operating systems of the time would become unstable and ultimately freeze or crash.

The single most important countermeasure here is to keep your systems patched. Every maintained network stack now rejects fragments that would reassemble beyond the limit, so malformed-packet attacks of this kind only succeed against stacks that have never been updated, which in practice means forgotten embedded devices and appliances rather than desktop or server operating systems.

If you are able to respond promptly, you can also reconfigure your firewalls to drop the malformed traffic (for example, oversized or fragmented ICMP) before the attack is effective.
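The bounds check that the vulnerable stacks were missing, as an added example that is not part of the CISSP guide. Packets are modelled as (fragment offset, more-fragments flag, payload length) tuples, the IP header is assumed to be the minimal 20 bytes with no options, and nothing is sent on the wire; the ping_fragments helper splits an ICMP Echo Request the way a host with a 1500-byte MTU would, so the three sizes in the usage section reproduce an ordinary ping, the largest legal ping and the classic oversized one.

```python
"""Added example, not from the CISSP guide: the bounds check an IP
reassembly routine must apply to every fragment, which is exactly what
the stacks hit by the Ping of Death failed to do. Packets are modelled
as (fragment offset, more-fragments flag, payload length) tuples; no raw
sockets are opened and nothing is sent on the wire."""

MAX_IP_DATAGRAM = 65_535   # IP Total Length is a 16-bit field
IP_HEADER_LEN = 20         # minimal IPv4 header, no options (assumption)
ICMP_HEADER_LEN = 8        # ICMP Echo header: type, code, checksum, id, seq


def ping_fragments(data_len, mtu=1500):
    """Split an ICMP Echo Request carrying data_len payload bytes into the
    IP fragments a host with the given MTU would emit (like `ping -s`).
    Returns a list of (offset_in_8_byte_units, more_fragments, payload_len)."""
    per_fragment = mtu - IP_HEADER_LEN
    assert per_fragment % 8 == 0, "fragment offsets are counted in 8-byte units"
    icmp_len = ICMP_HEADER_LEN + data_len
    fragments, offset = [], 0
    while offset < icmp_len:
        chunk = min(per_fragment, icmp_len - offset)
        more = offset + chunk < icmp_len
        fragments.append((offset // 8, more, chunk))
        offset += chunk
    return fragments


def reassembled_length(fragments):
    """Walk the fragments as a correct reassembly routine would and return the
    size of the rebuilt datagram (header included). Raises ValueError on the
    first fragment whose end would lie beyond the 65,535-byte maximum, which
    is the check that was missing from vulnerable stacks, and on a fragment
    set that never carries a final (more_fragments=False) fragment.
    Fragments may arrive in any order."""
    end, last_seen = 0, False
    for offset_units, more, payload_len in fragments:
        frag_end = offset_units * 8 + payload_len
        if IP_HEADER_LEN + frag_end > MAX_IP_DATAGRAM:
            raise ValueError(
                f"fragment at byte {offset_units * 8} would extend the datagram "
                f"to {IP_HEADER_LEN + frag_end} bytes, beyond {MAX_IP_DATAGRAM}")
        end = max(end, frag_end)
        last_seen = last_seen or not more
    if not last_seen:
        raise ValueError("incomplete fragment set: no final fragment")
    return IP_HEADER_LEN + end


def is_ping_of_death(data_len, mtu=1500):
    """True if a ping with this much data can only be reassembled by a stack
    that skips the length check, i.e. it is an oversized, malformed packet."""
    try:
        reassembled_length(ping_fragments(data_len, mtu))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 56 = default ping payload, 65507 = largest legal payload,
    # 65510 = the classic `ping -l 65510` Ping of Death invocation
    for data_len in (56, 65_507, 65_510):
        verdict = "OVERSIZED" if is_ping_of_death(data_len) else "ok"
        print(f"ping -s {data_len}: {len(ping_fragments(data_len))} fragments, {verdict}")
```

The limit is worth remembering in both directions: 65,507 bytes of data plus the 8-byte ICMP header and 20-byte IP header is exactly 65,535, which is why that number is the largest size modern ping utilities will accept, while 65,510 bytes overruns it by three.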

Flooding

Attackers today have another technique that does not require them to find an implementation error that a malformed packet can trigger. This approach is simply to overwhelm the target computer with packets until it is unable to process legitimate user requests. An illustrative example of this technique is SYN flooding, which exploits the three-way handshake that TCP uses to establish connections. The attacker sends a stream of SYN segments, usually from spoofed source addresses, and never answers the server's SYN-ACKs. Each unanswered SYN leaves a half-open connection in the server's listen backlog until it times out, and once the backlog is full the server silently drops the SYNs of legitimate clients, who therefore cannot connect.

Distributed Denial of Service

A distributed denial-of-service (DDoS) attack works like a DoS attack, but the traffic comes from many sources at once, so the volume is far greater and blocking by source address is much harder. The attacker chooses the flooding technique they want to employ (SYN, ICMP, DNS) and then instructs an army of hijacked or zombie computers (a botnet) to attack at a specific time.

One of the best, though costliest, approaches is to leverage a content distribution network (CDN): its many globally distributed edge nodes absorb and spread the load, and most providers scrub attack traffic before it ever reaches your origin servers.

If the attack is fairly simple and you can isolate the source IP addresses of the malicious traffic, you can block those addresses at your firewall. This rarely helps against a SYN flood, whose source addresses are usually spoofed and change with every packet.

If the attack happens to be a SYN flood, you can configure your servers to use a technique known as delayed binding, in which the half-open connection is not allowed to tie up (or bind to) a socket until the three-way handshake is completed. The usual implementation at the operating-system level is SYN cookies: the server encodes the state it needs into the sequence number of its SYN-ACK instead of storing it, and only creates the connection when a valid final ACK arrives (on Linux this is the net.ipv4.tcp_syncookies sysctl; load balancers and reverse proxies in front of the servers offer the same protection).
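The SYN flood described under Flooding and the delayed-binding defence described here, side by side in a toy model added for this page (it is not code from the CISSP guide). A listener that allocates a backlog entry on every SYN is flooded with spoofed SYNs that are never completed and then asked to serve one honest client; a second listener implements delayed binding with SYN cookies, keeping no state until the final ACK validates. The cookie layout (an 8-bit time slot plus a 24-bit HMAC tag) is a simplification of the real Linux encoding, and the addresses, ports, secret and clock are constructed for the simulation; nothing touches the network.

```python
"""Added example, not from the CISSP guide: a toy model of a listening TCP
socket under a SYN flood, comparing a server that binds a backlog entry on
every SYN with one that defers all state until the handshake completes.
The deferred version uses SYN cookies, the kernel-level form of delayed
binding; the cookie layout here is simplified (8-bit time slot plus a
24-bit HMAC tag) relative to the real Linux encoding. Addresses, ports and
the clock are constructed for the simulation; nothing touches the network."""

import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class BindingListener:
    """Classic behaviour: each SYN allocates a half-open entry in a fixed
    backlog. Spoofed SYNs that are never completed pin those entries until
    they time out, so legitimate SYNs are dropped once the backlog is full."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # peer -> server ISN
        self.established = set()

    def on_syn(self, peer, client_isn):
        if len(self.half_open) >= self.backlog:
            return None            # backlog exhausted: SYN silently dropped
        server_isn = secrets.randbits(32)
        self.half_open[peer] = server_isn
        return server_isn          # carried in the SYN-ACK

    def on_ack(self, peer, seq, ack):
        server_isn = self.half_open.get(peer)
        if server_isn is None or ack != (server_isn + 1) & MASK32:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True


class SynCookieListener:
    """Delayed binding: the SYN-ACK's sequence number is a MAC over the
    connection tuple, the client's ISN and a coarse time slot. Nothing is
    stored per SYN, so a flood costs the server only CPU."""

    def __init__(self, secret, clock, slot_seconds=60):
        self.secret = secret
        self.clock = clock         # callable returning seconds (injectable)
        self.slot_seconds = slot_seconds
        self.established = set()

    def _cookie(self, peer, client_isn, slot):
        msg = f"{peer[0]}:{peer[1]}:{client_isn}:{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]
        return ((slot & 0xFF) << 24) | int.from_bytes(tag, "big")

    def on_syn(self, peer, client_isn):
        slot = int(self.clock()) // self.slot_seconds
        return self._cookie(peer, client_isn, slot)   # no state kept

    def on_ack(self, peer, seq, ack):
        cookie = (ack - 1) & MASK32
        client_isn = (seq - 1) & MASK32   # the ACK's seq is client ISN + 1
        now = int(self.clock()) // self.slot_seconds
        for slot in (now, now - 1):       # accept current and previous slot
            if cookie == self._cookie(peer, client_isn, slot):
                self.established.add(peer)
                return True
        return False


def flood_then_connect(listener, spoofed_syns=2000):
    """Send spoofed SYNs that are never completed, then attempt one honest
    three-way handshake. Returns True if the honest client got connected."""
    for i in range(spoofed_syns):
        spoofed = (f"198.51.100.{i % 254 + 1}", 40000 + i)   # RFC 5737 test range
        listener.on_syn(spoofed, client_isn=i)
    honest, client_isn = ("203.0.113.7", 51515), 0x1234
    server_isn = listener.on_syn(honest, client_isn)
    if server_isn is None:
        return False                                       # SYN dropped
    return listener.on_ack(honest, seq=client_isn + 1,
                           ack=(server_isn + 1) & MASK32)


if __name__ == "__main__":
    print("binding listener, backlog 128:", flood_then_connect(BindingListener(128)))
    cookies = SynCookieListener(secrets.token_bytes(32), clock=lambda: 1_700_000_000)
    print("SYN-cookie listener:", flood_then_connect(cookies))
```

The trade-off the real mechanism makes is visible in the model: because the server stores nothing, any TCP options it learned from the SYN are lost unless they are squeezed into the cookie, which is why Linux only switches to cookies once the backlog overflows rather than using them for every connection.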

Ransomware

In the case of ransomware, the attacker encrypts the files the compromised account can reach on the target, which often includes mapped network shares as well as local files. The victim receives a message stating that if they want their files back they have to pay a certain amount, usually in cryptocurrency, for the decryption key. Since paying is no guarantee of recovery, tested backups that the compromised account cannot reach are the real remedy.

The following list of standard practices is a very solid starting point:

  • Keep your software’s security patches up to date. Ideally, all your software gets patched automatically.

  • Use host-based antimalware software and keep its signatures up to date.

  • Use spam filters for your e-mail.

  • Never open attachments from unknown sources.

  • Before clicking a link in an e-mail, hover your mouse over it (or right-click the link) to see where it will actually take you. If in doubt, and you do need to visit the site, type the URL into the web browser yourself rather than clicking the link.

  • Be very careful about visiting unfamiliar or shady websites.
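The "look where the link really goes" advice in the list above, automated for an HTML e-mail body as an added example (not code from the CISSP guide). It flags anchors whose visible text names one site while the href points to another, hrefs whose host contains an IDN/punycode (xn--) label, and non-http schemes. The registrable-domain logic (last two labels of the host) is a deliberate simplification that misjudges suffixes like co.uk; a production filter would use the Public Suffix List. The sample message is constructed for this example.

```python
"""Added example, not from the CISSP guide: check the links in an HTML
e-mail for the mismatch a careful reader would spot by hovering. The
registrable-domain helper keeps only the last two host labels, which is a
simplification (a real filter would use the Public Suffix List). The
sample message below is constructed for this example."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or a bare host name
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.anchors.append((self._href, visible))
            self._href = None


def registrable_domain(url_or_host):
    """Lower-cased host reduced to its last two labels (simplification)."""
    target = url_or_host if "://" in url_or_host else "http://" + url_or_host
    host = (urlparse(target).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors a reader should not click."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = []
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        if scheme and scheme not in ("http", "https"):
            reasons.append(f"non-http scheme {scheme!r}")
        host = (parsed.hostname or "").lower()
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) host")
        if LOOKS_LIKE_URL.match(text):
            shown, real = registrable_domain(text), registrable_domain(href)
            if shown != real:
                reasons.append(f"text shows {shown} but link goes to {real}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one lookalike-domain lure, one honest link, one
# punycode host, one javascript: link
SAMPLE_EMAIL = """<p>Your mailbox is almost full. Review your storage at
<a href="http://login.examp1e-portal.net/quota">https://www.example.com/storage</a>
or read the <a href="https://www.example.com/help/quota">help article</a>.</p>
<p>Sign in: <a href="https://xn--exmple-cua.com/login">example.com</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the sample, three of the four anchors are reported and the honest help-article link is left alone. The same comparison is what a mail gateway's URL-rewriting or a browser's hover tooltip gives you; the point of automating it is that the check happens before a user has to notice the single digit in examp1e.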


For the remaining content of this section see my WeChat official account, debugeeker; the link is titled "CISSP Study Guide Notes: 4.15 Network Attacks".
