In: Computer Science
What is the transport layer? What are the typical attacks in the transport layer? What are the controls employed in the layer to minimize the attack or the vulnerability that leads to the attack? Cite references.
Transport Layer:-
In computer networking, the transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack in the Internet Protocol Suite and the Open Systems Interconnection (OSI) model. The protocols of the layer provide host-to-host communication services for applications.
Typical attacks in transport layer:-
1. SESSION HIJACKING: Session hijacking, commonly known as TCP session hijacking, is a way of taking over a secure/unsecure web user session by secretly obtaining the user's session ID and pretending to be the authorized user in order to access the data.

How it works and types: Session hijacking works by taking advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter. These attacks generally fall into three categories: Man-in-the-middle (MITM), Blind Hijack, and Session Theft.

In MITM attacks, an attacker intercepts all communications between two hosts. With communications between a client and server now flowing through the attacker, he or she is free to modify their content. Protocols that rely on the exchange of public keys to protect communications are often the target of these types of attacks.

In blind hijacking, an attacker injects data, such as malicious commands, into intercepted communications between two hosts, for example commands like "net.exe local group administrators /add Evil Attacker". This is called blind hijacking because the attacker can only inject data into the communications stream; he or she cannot see the response to that data (such as "The command completed successfully."). Essentially, the blind hijack attacker is shooting data in the dark, but as you will see shortly, this method of hijacking is still very effective.

In a session theft attack, the attacker neither intercepts nor injects data into existing communications between two hosts. Instead, the attacker creates new sessions or uses old ones. This type of session hijacking is most common at the application level, especially in Web applications.
Main features are:
• URL (Uniform Resource Locator)
• Cookies
• Session ID

The cookies store the previous records of the users and the URL logs can give the currently visited site; a hacker takes advantage of this and hijacks the user's session ID through it. After doing that, the hacker pretends to be the authorized user and accesses the data. A cookie is usually a piece of text sent by a server to the web client and sent back unchanged by the client each time it accesses the data.

1.1 Methods used to perform session hijacking:

1.1.1 IP Spoofing: It basically means taking the identity of someone else to perform some task. In this, the attacker pretends to be the authorized user and accesses some confidential information; not only this, the attacker can even send some packets with malicious content to its target machine.

1.1.2 Session Side Jacking: In session side jacking the attacker reads the network traffic between the two parties through the packet sniffing method. The packet sniffing method is nothing but unethically viewing the packet data. Usually many websites use SSL encryption for login purposes; this prevents the attacker from attacking those login details. But this encryption is not continued in the rest of the pages, therefore allowing the attacker to view the network traffic and get access to the data.

1.1.3 Session Fixation: In this method the attacker sets the session ID of the user before the user logs in, thereby eliminating the need to steal the session ID.

1.1.4 Cross-site Scripting: A hacker creates a hyperlink which contains malicious content. This hyperlink is then sent to the web application, so when the targeted user visits that web site the infected link is generated, and when the user clicks on this link the malicious content runs and infects the user's data.

1.2 Methods to prevent Session Hijacking:-
• Regenerating the session ID after successful login.
• Using a long random number, string of characters, or string as the session key.
• Encryption of data passed between the parties.
2. TCP Land Attack:
In this attack the attacker sends a SYN packet to the host server, which usually has an open TCP port. Now the main question which might strike your mind is: how does the server fail to identify the attacker and provide service to it instead? Well, this is because the attacker spoofs the source IP address and presents itself as an authorized user.
3. UDP Flooding Attack:-
UDP is a connectionless protocol, and this attack mainly affects the server by flooding the server machine with countless requests. This makes the machine think that the attacker (who pretends to be the authorized user) really needs service urgently, and the server machine starts providing the services to the attacker; due to this, the users who actually need the service are often overlooked.
4. TCP & UDP Port Scanning Technique:
Here the attacker performs port scanning of the host machine with various tools in order to find the open ports on the machine. Once these ports are identified by the attacker, it starts attacking the machine.
5. BIND DNS:
BIND stands for 'Berkeley Internet Name Domain'; it is a popular DNS server. There are times when a particular BIND DNS server doesn't have the required data; in such cases it communicates with other BIND DNS servers and takes the information, but it does not filter the packets received from the other servers. This gives the attacker a chance to send some malicious content into the network, which can cause harm to the user and to the network as well. Also, there are times when the attacker itself acts as the server, which misguides the user again.
6. Mail Transport System:-
SMTP is the most common protocol used to send e-mails. By default the SMTP port is 25; usually this port is used by internet connections to receive e-mails. The attacker attacks this port to retrieve the needed information, and as it is a general port, the packets which enter this port are generally not filtered; this also enables the user to send some malicious content.
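The session fixation method (1.1.3) and the first two controls listed under 1.2 (regenerate the session ID after login, use a long random session key) can be shown side by side in a small session store. This is an added illustration, not code from the original answer; the store, the login functions and the session ID value "attacker-chosen-id" are constructed for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of randomness: the "long random string" control


class SessionStore:
    """Constructed in-memory session store (not a real web framework)."""

    def __init__(self, idle_timeout=900):
        self.sessions = {}  # session id -> {"user": str | None, "last_seen": float}
        self.idle_timeout = idle_timeout

    def new_session(self):
        # secrets.token_urlsafe gives an unguessable, cookie-safe identifier.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def lookup(self, sid):
        s = self.sessions.get(sid)
        if s is None or time.time() - s["last_seen"] > self.idle_timeout:
            self.sessions.pop(sid, None)  # expire idle sessions
            return None
        s["last_seen"] = time.time()
        return s


def login_vulnerable(store, presented_sid, user):
    # Accepts whatever session id the client presents (even one the attacker
    # planted earlier) and keeps it after authentication: session fixation.
    store.sessions.setdefault(presented_sid, {"user": None, "last_seen": time.time()})
    store.sessions[presented_sid]["user"] = user
    return presented_sid


def login_hardened(store, presented_sid, user):
    # Control from 1.2: discard the pre-login session and issue a fresh random id,
    # so an id known to the attacker never becomes an authenticated session.
    store.sessions.pop(presented_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = user
    return sid


def fixation_outcome(login):
    """Attacker knows 'attacker-chosen-id'; victim 'alice' logs in with it.
    Returns the user the attacker's id now resolves to (None = attack failed)."""
    store = SessionStore()
    attacker_sid = "attacker-chosen-id"  # constructed value the attacker fixed
    login(store, attacker_sid, "alice")
    s = store.lookup(attacker_sid)
    return s["user"] if s else None
```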