
Input Validation Attacks

Input validation attacks occur when an attacker purposefully sends unexpected input to confuse a web
application. Input validation routines serve as the first line of defence against such attacks. Examples of
input validation attacks include buffer overflow, directory traversal, cross-site scripting and SQL
injection.

Input validation, also known as data validation, is the proper testing of any input supplied by a
user or application. Input validation prevents improperly formed data from entering an
information system. Because it is difficult to detect a malicious user who is trying to attack
software, applications should check and validate all input entered into a system. Input
validation should occur when data is received from an external party, especially if the data is
from untrusted sources. Incorrect input validation can lead to injection attacks, memory
leakage, and compromised systems. While input validation can be either whitelist- or
blacklist-based, it is preferable to whitelist data. Whitelisting passes only expected data. In contrast,
blacklisting relies on programmers predicting all unexpected data. As a result, programs make
mistakes more easily with blacklisting.

• By entering 1000 random characters as the password, an attacker can automatically gain
root/administrator privileges irrespective of the actual password.
• Enter the path of the password file in the search or input box on a website and gain access
to the password file itself.
• Create an extraordinarily long input box in a website by use of HTML and crash the
browser of every client that visits the website.

SQL injection

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed.
This information may include any number of items, including sensitive company data, user lists
or private customer details.
The impact SQL injection can have on a business is far-reaching. A successful attack may result
in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the
attacker gaining administrative rights to a database, all of which are highly detrimental to a
business.

When calculating the potential cost of an SQLi, it’s important to consider the loss of customer
trust should personal information such as phone numbers, addresses, and credit card details
be stolen.

While this vector can be used to attack any SQL database, websites are the most frequent
targets.

SQL is the query language of relational databases, such as Oracle, MS SQL Server, MySQL, and so on. Scripting
languages, such as ASP, .NET, and PHP, are commonly used in web development, and the data of the
web application is held in a database server. When an SQL injection login bypass succeeds, the attacker
gains the ability to modify website content and capture sensitive information, including internal business
data and account credentials. The motive of an SQL injection attack is to compromise a database, which
includes collecting data and the supporting data structures of usernames, passwords, text, and so on.

A simple example to understand how it is performed using SQL queries is as follows:

An SQL query: SELECT * FROM table_name;

This SQL query uses an asterisk (*) to return the contents of the table. The attack can also be used to
insert information into the database so that the compromise spreads:

INSERT INTO users (username, user_id) VALUES ('cybercriminal', 'CM123');

The intention of the attack is not just to steal information from the website; it may also be carried out
deliberately to access the data in order to modify the website content or to shut down the server.

SQL injection security

SQL injection attacks only work when an application is fooled into executing code because it receives
user input in a form it is not expecting. That means a vital SQL injection security measure is to carry out
data sanitization and validation. This effectively adds an inspection layer to ensure that submitted
data is not unusual in a way that might pose an SQL injection risk.

Sanitization usually involves running any submitted data through a function (such as MySQL's
mysql_real_escape_string() function) to ensure that any dangerous characters such as ' are not passed
to a SQL query in data.

Validation is slightly different in that it involves adding code that attempts to ensure that any data
submitted is in the form expected in that particular instance. At the most basic level, this includes
ensuring that email addresses contain an "@" sign, that only digits are supplied when numeric data (such
as a zip code) is expected, and that the length of a piece of data submitted is not longer than the
maximum expected length (so a social security number should not include more than 9 digits).

Validation is often carried out in two ways: by blacklisting dangerous or unwanted characters and by
whitelisting only those characters that are allowed in a given circumstance, which can involve more work
on the part of the programmer. Although validation may take place on the client side, hackers can modify
or get around this, so it's essential that all data is validated on the server side as well to reduce SQL
injection risk.
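The validation and sanitization ideas above, as an added example (not code from the original notes): an allowlist validator for the zip code, social security number and email fields the text names, beside a vulnerable string-built SQL lookup and its hardened parameterized form. The patterns, the in-memory SQLite table and its sample rows are constructed assumptions for this example.

```python
import re
import sqlite3

# Allowlist patterns for the field types named in the text (the exact limits
# are illustrative assumptions for this example).
PATTERNS = {
    "zip": re.compile(r"[0-9]{5}"),                       # digits only, fixed length
    "ssn": re.compile(r"[0-9]{9}"),                       # never more than 9 digits
    "email": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),  # exactly one "@"
    # Names legitimately contain apostrophes, so a sane allowlist admits them:
    # validation alone cannot make a string-built query safe.
    "username": re.compile(r"[A-Za-z0-9_.'-]{1,32}"),
}


def validate(field, value, max_len=255):
    """Allowlist validation: accept only values in the form expected for the field."""
    if not isinstance(value, str) or len(value) > max_len:
        return False
    return PATTERNS[field].fullmatch(value) is not None


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, user_id TEXT)")
    conn.executemany("INSERT INTO users (username, user_id) VALUES (?, ?)",
                     [("alice", "U001"), ("o'brien", "U002")])
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: the value is spliced into the SQL text, so a quote inside the
    data is parsed as SQL syntax and changes the structure of the query."""
    query = "SELECT user_id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    query = "SELECT user_id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def run_unsafe(conn, username):
    """Run the vulnerable lookup and report the outcome instead of crashing."""
    try:
        return ("ok", lookup_unsafe(conn, username))
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


def handle_login_lookup(conn, username):
    """Defence in depth: validate first, then query with bound parameters."""
    if not validate("username", username):
        return ("rejected", [])
    return ("ok", lookup_safe(conn, username))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "unsafe:", run_unsafe(db, name), "safe:", handle_login_lookup(db, name))
```

The apostrophe in a perfectly valid name is enough to break the string-built query, which is why the bound parameter, not the allowlist, is what removes the injection risk.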

Buffer Overflow attacks

Buffer overflow is an anomaly that occurs when software writing data to a buffer overflows the buffer’s
capacity, resulting in adjacent memory locations being overwritten. In other words, too much information is
being passed into a container that does not have enough space, and that information ends up replacing data
in adjacent containers.

Buffer overflows can be exploited by attackers with a goal of modifying a computer’s memory in order to
undermine or take control of program execution.

A buffer, or data buffer, is an area of physical memory storage used to temporarily store data while it is
being moved from one place to another. These buffers typically live in RAM. Computers frequently
use buffers to help improve performance; most modern hard drives take advantage of buffering to efficiently
access data, and many online services also use buffers. For example, buffers are frequently used in online
video streaming to prevent interruption. When a video is streamed, the video player downloads and stores
perhaps 20% of the video at a time in a buffer and then streams from that buffer. This way, minor drops in
connection speed or quick service disruptions won’t affect the video stream performance.

Buffers are designed to contain specific amounts of data. Unless the program utilizing the buffer has built-in
instructions to discard data when too much is sent to the buffer, the program will overwrite data in memory
adjacent to the buffer.

Buffer overflows can be exploited by attackers to corrupt software. Despite being well understood, buffer
overflow attacks are still a major security problem that torments cyber-security teams. In 2014 a threat
known as ‘Heartbleed’ exposed hundreds of millions of users to attack because of a buffer overflow
vulnerability in SSL software.

How do attackers exploit buffer overflows?

An attacker can deliberately feed a carefully crafted input into a program that will cause the program to try
to store that input in a buffer that isn’t large enough, overwriting portions of memory adjacent to the
buffer space. If the memory layout of the program is well-defined, the attacker can deliberately overwrite
areas known to contain executable code. The attacker can then replace this code with their own executable
code, which can drastically change how the program is intended to work.

For example, if the overwritten part of memory contains a pointer (an object that points to another place in
memory), the attacker’s input could replace that pointer with another pointer that points to an exploit payload.
This can transfer control of the whole program over to the attacker’s code.

Certain programming languages are more susceptible to buffer overflow than others. C and C++ are two popular
languages that are highly vulnerable, since they contain no built-in protections against accessing or overwriting
data in memory. Windows, Mac OS X, and Linux all contain code written in one or both of these
languages.

More modern languages like Java, Perl, and C# have built-in features that help reduce the chances of buffer
overflow, but cannot prevent it altogether.

Protection against buffer overflow attacks

Luckily, modern operating systems have runtime protections which help mitigate buffer overflow attacks.
Let’s explore two common protections that help mitigate the risk of exploitation:

• Address space randomization - Randomly rearranges the address space locations of key data areas
of a process. Buffer overflow attacks generally rely on knowing the exact location of important
executable code, so randomizing address spaces makes that nearly impossible.
• Data execution prevention - Marks certain areas of memory as either executable or non-executable,
preventing an exploit from running code found in a non-executable area.

Software developers can also take precautions against buffer overflow vulnerabilities by writing in languages
that have built-in protections or using special security procedures in their code.

Despite precautions, new buffer overflow vulnerabilities continue to be discovered by developers,
sometimes in the wake of a successful exploitation. When new vulnerabilities are discovered, engineers
need to patch the affected software and ensure that users of the software get access to the patch.

Different types of buffer overflow attacks

There are a number of different buffer overflow attacks which employ different strategies and target
different pieces of code. Below are a few of the most well-known.

• Stack overflow attack - This is the most common type of buffer overflow attack and involves
overflowing a buffer on the call stack*.
• Heap overflow attack - This type of attack targets data in the open memory pool known as the
heap*.
• Integer overflow attack - In an integer overflow, an arithmetic operation results in an integer (whole
number) that is too large for the integer type meant to store it; this can result in a buffer overflow.
• Unicode overflow - A Unicode overflow creates a buffer overflow by inserting Unicode characters
into an input that expects ASCII characters. (ASCII and Unicode are encoding standards that let
computers represent text. For example, the letter ‘a’ is represented by the number 97 in ASCII. While
ASCII codes only cover characters from Western languages, Unicode can represent characters for almost
every written language on earth. Because there are so many more characters available in Unicode,
many Unicode characters are larger than the largest ASCII character.)

Privacy Attacks

1) Trojan :- A Trojan is a Remote Administration Tool (RAT) which enables an attacker to execute various software
and hardware instructions on the target system.

Trojans are non-replicating programs; they don’t reproduce their own code by attaching
themselves to other executable code. They operate without the permission or knowledge of the
computer user.

Trojans hide themselves in healthy processes. However, we should underline that Trojans infect
other machines only with the assistance of a computer user, for example by clicking a file that comes
attached to an email from an unknown person, plugging in a USB drive without scanning it, or opening unsafe
URLs.
Trojans have several malicious functions:

• They create backdoors to a system. Hackers can use these backdoors to access a victim system and its
files. A hacker can use Trojans to edit and delete the files present on a victim system, or to observe the
activities of the victim.

• Trojans can steal all your financial data, such as bank accounts, transaction details, PayPal-related
information, etc. These are called Trojan-Bankers.

• Trojans can use the victim computer to attack other systems using denial of service.

• Trojans can encrypt all your files and the hacker may thereafter demand money to decrypt them. These
are Ransomware Trojans.

• They can use your phone to send SMS messages to third parties. These are called SMS Trojans.

Most Trojans consist of two parts:

a) The Server Part :- It has to be installed on the victim's computer.
b) The Client Part :- It is installed on the attacker's system. This part gives the attacker complete control over the target
computer.

NetBus, Girlfriend, Sub7, Beast, and Back Orifice are some of the popular Trojans.

Trojans are designed to target the weaknesses in the most popular security software, but
by combining multiple security programs as well as using personal smarts, you will more
likely be able to combat the potential Trojans as well as other malware.

Trojan Defenses

• Make sure all of your programs are up to date. These updates patch any weaknesses that have
been detected in a particular piece of software. Even infrequently used programs are important to update, as
these are some of the weak areas used for intrusion.
• Nowadays anti-virus, anti-Trojan, anti-spyware, etc., programs are usually all integrated into one
program such as anti-virus or anti-malware software. Make sure you are using one or more software
programs which are designed to detect all malware and delete Trojans.
• Make sure your firewall is up and running. Firewalls prevent unknown traffic from entering your
computer, therefore blocking a potential Trojan. If your computer is already infected, an outbound-
blocking firewall prevents any unauthorized programs from connecting to the Internet.
• Make sure your ISP has proper and effective security measures in place. Monitoring of the Internet
traffic before it reaches your computer adds another layer of protection against potential intruders.
Ask yourself: what is my ISP doing to protect my computer, and are the security measures sufficient?
• Encrypting your email helps protect you in many ways, one of which is disguising your IP address,
which the Trojan needs to infect you. If an unencrypted email is intercepted – which can easily be
done – your IP address is in the header of the message, visible to whoever is reading it. However, with
an encrypted email your IP is disguised and cannot be read in any form.
• Filter your email attachments. Trojans sent in emails are disguised in attachments; however, these
attachments have known extensions such as .com, .bat, .exe, .vba, .scr, .vbs, .dot. Customize your
anti-virus software to disable or delete such attachments, or make sure you are aware of what type
of extension an attachment has before opening it.
• Back up all of your data. If your computer is infected with a Trojan, the process of
removing it can often result in file damage and loss of data. Always back up your hard drive in the
event that your data is damaged by a Trojan or in the process of removing one.

2) Keylogger :- Keyloggers are tools which enable an attacker to record all the keystrokes made by a victim
and secretly send the logs to an e-mail address previously set by the attacker.
Almost all Trojans have a keylogging function.

Keyloggers capture the passwords and credit card numbers you type and the webpages you visit by logging your
keyboard strokes. The software is installed on your computer, where it records everything you type. It then sends this
log file to a server, where cybercriminals are waiting to make use of all this sensitive information.

How keyloggers work

Keyloggers collect information and send it back to a third party – whether that is a criminal, law enforcement or IT
department. The amount of information collected by keylogger software can vary. The most basic forms may only
collect the information typed into a single website or application. More sophisticated ones may record everything
you type no matter the application, including information you copy and paste. Some variants of keyloggers –
especially those targeting mobile devices – go further and record information such as calls (both call history and
the audio), information from messaging applications, GPS location, screen grabs, and even microphone and
camera capture.

Keyloggers can be hardware- or software-based. Hardware-based ones can simply nestle between the keyboard
connector and the computer’s port. Software-based ones can be whole applications or tools knowingly used or
downloaded, or malware unknowingly infecting a device.
Data captured by keyloggers can be sent back to attackers via email or by uploading log data to predefined websites,
databases, or FTP servers. If the keylogger comes bundled within a larger attack, actors might simply remotely log
into a machine to download keystroke data.

Ways to Protect Yourself Against Keyloggers

• Use a firewall - In most instances, the keylogger has to transmit its information back to the
attacker for it to do any harm. The keylogger must send data out from your computer via the
internet. As data passes through a firewall, it can detect attempts to leak data.
• Update your system - Keep in mind that it is a security vulnerability in a system’s firmware
or OS that leads to successful cyber attacks. In fact, hackers and other cybercriminals are
always on the lookout for zero-day exploits for successful security breaches and, thus, data
theft. The only way you can prevent cyber attacks related to security exploits is by keeping the
firmware or the OS of your device up to date. The manufacturer of a device’s firmware or the
OS developer periodically rolls out security patches to protect users and their devices from being
exploited.
• Always use an antivirus to prevent suspicious apps from being installed on your
computer without your knowledge.
• Use a reliable password manager to access your accounts quickly and safely, without
having to type in your details every time. This way keyloggers won’t be able to steal your
login info.

3) Spyware :- Spyware utilities are malicious programs that spy on the activities of a victim and covertly
pass on the recorded information to the attacker without the victim's consent. Most spyware utilities
monitor and record the victim's internet-surfing habits. Typically, a spyware tool is built into a host .exe file
or utility. If a victim downloads and executes an infected .exe file, then the spyware becomes active on the
victim's system.
Spyware tools can be hidden both in .exe files and even in ordinary cookie files.
Most spyware tools are created and released on the internet with the aim of collecting useful information
about a large number of Internet users for marketing and advertising purposes. On many occasions, attackers
also use spyware tools for corporate espionage and spying purposes.

4) Sniffer :- Sniffers were originally developed as a tool for debugging and troubleshooting network problems.
An Ethernet-based sniffer works with the network interface card (NIC) to capture, interpret and save the data
packets sent across the network.
A sniffer can turn out to be quite dangerous. If an attacker manages to install a sniffer on your system or on the
router of your network, then all data including passwords, private messages, company secrets, etc. gets
captured.

TCP/IP

The Internet Protocol (IP) is the address system of the Internet and has the core function of delivering
packets of information from a source device to a target device. IP is the primary way in which network
connections are made, and it establishes the basis of the Internet. IP does not handle packet ordering or
error checking. Such functionality requires another protocol, typically TCP.

IP is a connectionless protocol, which means that each unit of data is individually addressed and routed from
the source device to the target device, and the target does not send an acknowledgement back to the
source. That’s where protocols such as the Transmission Control Protocol (TCP) come in. TCP is used in
conjunction with IP in order to maintain a connection between the sender and the target and to ensure
packet order.

For example, when an email is sent over TCP, a connection is established and a 3-way handshake is made.
First, the source sends a SYN “initial request” packet to the target server in order to start the dialogue. Then
the target server sends a SYN-ACK packet to agree to the process. Lastly, the source sends an ACK
packet to the target to confirm the process, after which the message contents can be sent. The email
message is ultimately broken down into packets before each packet is sent out into the Internet, where it
traverses a series of gateways before arriving at the target device, where the group of packets is
reassembled by TCP into the original contents of the email.
The primary version of IP used on the Internet today is Internet Protocol Version 4 (IPv4). Due to size
constraints with the total number of possible addresses in IPv4, a newer protocol was developed. The newer
protocol is called IPv6 and it makes many more addresses available and is increasing in adoption.

Checksum

A checksum is a calculated value that is used to determine the integrity of data. The checksum serves
as a unique identifier for the data (a file, a text string, or a hexadecimal string). If the data
changes, then so does the checksum value. This makes it easy to verify the integrity of the data.

To test data integrity, the sender of the data calculates the checksum value by taking the sum of
the binary data transmitted. When receiving the data, the receiver can perform the same
calculation on the data and compare it with the checksum value provided by the sender. If the
two values match, the receiver has a high degree of confidence that the data was received
correctly.

The checksum value is also called a hash value. The data that is calculated can be a file, a text string,
or a hexadecimal string.

The most commonly used checksum is the MD5 (Message-Digest algorithm 5) hash. MD5 was
designed by Professor Ronald L. Rivest in 1991 to replace an earlier hash function, MD4. An MD5
checksum is a 128-bit hash value (32 hexadecimal characters).
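The sender/receiver check described above, as an added example (not from the original notes): the sender computes an additive sum of the transmitted bytes and an MD5 digest, the receiver recomputes both and compares. It also carries a keyed variant (HMAC-SHA256), which the text does not mention, because an attacker who can alter the data can recompute an unkeyed checksum too. The shared key and sample messages are constructed.

```python
import hashlib
import hmac


def additive_checksum(data, width_bits=16):
    """Sum of the transmitted bytes, truncated to width_bits (the simple scheme
    the text describes)."""
    return sum(data) & ((1 << width_bits) - 1)


def md5_checksum(data):
    """MD5 digest rendered as 32 hexadecimal characters (128 bits)."""
    return hashlib.md5(data).hexdigest()


def keyed_checksum(data, key):
    """Keyed variant (HMAC-SHA256): only a holder of `key` can produce a value
    that verifies, so replacing data and checksum together is still detected."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sender(data, key):
    """Build what the sender transmits: the data plus its checksums."""
    return {"data": data, "sum16": additive_checksum(data),
            "md5": md5_checksum(data), "mac": keyed_checksum(data, key)}


def receiver_check(packet, key):
    """Recompute every checksum over the received data and compare with the
    values the sender supplied."""
    data = packet["data"]
    return {"sum16_ok": additive_checksum(data) == packet["sum16"],
            "md5_ok": md5_checksum(data) == packet["md5"],
            "mac_ok": hmac.compare_digest(keyed_checksum(data, key), packet["mac"])}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    pkt = sender(b"transfer 100 to alice", key)
    print(receiver_check(pkt, key))
    # Same bytes in a different order: the additive sum cannot tell the difference.
    print(receiver_check(dict(pkt, data=b"transfer 001 to alice"), key))
```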

IP Spoofing:

IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to
either hide the identity of the sender, to impersonate another computer system, or both. It is a technique
often used by bad actors to invoke DDoS attacks against a target device or the surrounding infrastructure.

It is also known as address forgery and is a hijacking technique in which an attacker impersonates a trusted
host to hijack websites or gain access to a network. The attacker obtains the IP address of another host and
alters the packet details or headers so that this host appears to be the source.
Sending and receiving IP packets is a primary way in which networked computers and other devices
communicate, and constitutes the basis of the modern internet. All IP packets contain a header which
precedes the body of the packet and contains important routing information, including the source address.
In a normal packet, the source IP address is the address of the sender of the packet. If the packet has been
spoofed, the source address will be forged.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed.
If the person receiving the package wants to stop the sender from sending packages, blocking all packages
from the bogus address will do little good, as the return address is easily changed. Relatedly, if the receiver
wants to respond to the return address, their response package will go somewhere other than to the real
sender. The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while masking the
identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and
continuously randomized, blocking malicious requests becomes difficult. IP spoofing also makes it tough for
law enforcement and cyber security teams to track down the perpetrator of the attack.

Spoofing is also used to masquerade as another device so that responses are sent to that targeted device
instead.

Port scanning

Port scanning is a method of determining which ports on a network are open and could be receiving or
sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to
identify vulnerabilities. This scanning process can’t take place without identifying a list of active hosts and
mapping those hosts to their IP addresses. After a thorough network scan is complete and a host list is
compiled, a proper port scan can take place. The organization of IP addresses, hosts, and ports allows the
scanner to properly identify open or vulnerable server locations with the goal of diagnosing security levels.

The general protocols used for port scanning are TCP (transmission control protocol) and UDP (user
datagram protocol). They are both data transmission methods for the internet, but have different
mechanisms. TCP is a reliable, two way connection-based transmission of data that relies on the
destination’s status in order to complete a successful send. UDP is connectionless and unreliable. The data is
sent without concern for the destination; therefore, it is not guaranteed that the data will even make it. 

Port scans report back to the user revealing the status of the network or server, described in one of three
categories: open, closed, or filtered.

Open ports indicate:

• The target server or network is actively accepting connections or datagrams and responded with a
packet that indicates it is listening. It also indicates that the service used for the scan (typically TCP
or UDP) is in use as well. Finding open ports is typically the overall goal of port scanning and a victory
for a cyber criminal looking for an attack avenue. Administrators attempt to barricade these ports by
installing firewalls to protect them without limiting access for legitimate users.

Closed ports indicate:

• The server or network received the request but there is no service “listening” on that port. A closed
port is still accessible and can be useful in showing that a host is on an IP address. These ports should
still be monitored, as they can open up and create vulnerabilities. Admins should consider blocking
them with a firewall, where they would then become “filtered” ports.

Filtered ports indicate:

• That a request packet was sent, but the host did not respond and is not listening. This usually means
that a request packet was filtered out and/or blocked by a firewall. Packets do not reach their target
location, and therefore attackers cannot find out more information. They often respond with error
messages reading “destination unreachable” or “communication prohibited.”

There are several different port scanning techniques that send packets to destinations for various reasons.
Listed below are a few of the many techniques and how they work:
• The simplest port scans are called ping scans. These are internet control message protocol (ICMP)
requests. Ping scans send out an automated blast of several ICMP requests to different servers to
bait responses. Administrators may use this technique to troubleshoot, or disable the ping by using a
firewall - which makes it impossible for bad actors to find the network through pings.
• A half-open scan, or “SYN” scan, only sends a SYN (short for synchronize) message and doesn’t
complete the connection, leaving the target hanging. It’s a quick and sneaky technique aimed at
finding potential open ports on target devices.
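The two techniques just listed, seen from the defender's side as an added example (not from the original notes): a detector that reads firewall-style log lines and flags a source that sends SYNs to many distinct ports of a host (SYN scan) or ICMP requests to many distinct hosts (ping sweep) within a time window. The log format, the addresses and the thresholds are constructed for this example, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's format):
# <iso-timestamp> SRC=<ip> DST=<ip> PROTO=<TCP|UDP|ICMP> [DPT=<port>] [FLAGS=<flags>] ACTION=<word>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S+))? ACTION=(?P<action>\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def max_distinct_in_window(events, key, window_seconds):
    """Largest number of distinct `key` values one source produced within any
    span of window_seconds (sliding window over time-sorted events)."""
    events = sorted(events, key=lambda e: e["ts"])
    counts, start, best = defaultdict(int), 0, 0
    for ev in events:
        counts[ev[key]] += 1
        while (ev["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
            old = events[start][key]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Return sorted alerts (kind, source, distinct_count) for SYN scans and ping sweeps."""
    syn_by_src, icmp_by_src = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not in the expected format
        if rec["proto"] == "TCP" and rec["flags"] == "SYN" and rec["dpt"] is not None:
            syn_by_src[rec["src"]].append(rec)
        elif rec["proto"] == "ICMP":
            icmp_by_src[rec["src"]].append(rec)
    alerts = []
    for src, evs in syn_by_src.items():
        n = max_distinct_in_window(evs, "dpt", window_seconds)
        if n >= port_threshold:
            alerts.append(("syn_scan", src, n))
    for src, evs in icmp_by_src.items():
        n = max_distinct_in_window(evs, "dst", window_seconds)
        if n >= host_threshold:
            alerts.append(("ping_sweep", src, n))
    return sorted(alerts)


def _constructed_log():
    """Constructed sample: one SYN scanner, one ping sweeper, one normal client."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={20 + i} FLAGS=SYN ACTION=DROP"
             for i in range(12)]                                  # 12 ports in 12 seconds
    lines += [f"{stamp(30 + i)} SRC=198.51.100.9 DST=192.0.2.{i + 1} PROTO=ICMP ACTION=ACCEPT"
              for i in range(6)]                                  # 6 hosts pinged
    lines += [f"{stamp(40 + i)} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN ACTION=ACCEPT"
              for i in range(3)]                                  # ordinary HTTPS client
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```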

Domain Name System (DNS) spoofing

Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS
records are used to redirect online traffic to a fraudulent website that resembles its intended
destination.

Once there, users are prompted to log in to (what they believe to be) their account, giving the
perpetrator the opportunity to steal their access credentials and other types of sensitive
information. Furthermore, the malicious website is often used to install worms or viruses on a
user’s computer, giving the perpetrator long-term access to it and the data it stores.

Methods for executing a DNS spoofing attack include:

• Man in the middle (MITM) – The interception of communications between users and a DNS server
in order to route users to a different/malicious IP address.

• DNS server compromise – The direct hijacking of a DNS server, which is configured to return a
malicious IP address.

(Figure: DNS server compromise attack.)

Denial-of-Service attack

A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal functioning.
DoS attacks typically function by overwhelming or flooding a targeted machine with requests until normal
traffic is unable to be processed, resulting in denial-of-service to additional users. A DoS attack is characterized
by the use of a single computer to launch the attack.

A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from many distributed
sources, such as a botnet DDoS attack.

How does a DoS attack work?

The primary focus of a DoS attack is to oversaturate the capacity of a targeted machine, resulting in denial-
of-service to additional requests. The multiple attack vectors of DoS attacks can be grouped by their
similarities.

DoS attacks typically fall in 2 categories:

• Buffer overflow attacks

An attack type in which a memory buffer overflow can cause a machine to consume all available hard disk
space, memory, or CPU time. This form of exploit often results in sluggish behavior, system crashes, or other
deleterious server behaviors, resulting in denial-of-service.

• Flood attacks

By saturating a targeted server with an overwhelming amount of packets, a malicious actor is able to
oversaturate server capacity, resulting in denial-of-service. In order for most DoS flood attacks to be
successful, the malicious actor must have more available bandwidth than the target.

A few common historic DoS attacks include:

Smurf attack - a previously exploited DoS attack in which a malicious actor utilizes the broadcast address of
a vulnerable network by sending spoofed packets, resulting in the flooding of a targeted IP address.

Ping flood - this simple denial-of-service attack is based on overwhelming a target with ICMP (ping) packets.
By inundating a target with more pings than it is able to respond to efficiently, denial-of-service can occur.
This attack can also be used as a DDoS attack.

Ping of Death - often conflated with a ping flood attack, a ping of death attack involves sending a malformed
packet to a targeted machine, resulting in deleterious behavior such as system crashes.

SYN attack

A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the
communication protocol of the Internet, TCP/IP, to bombard a target system with SYN requests in
an attempt to overwhelm connection queues and force a system to become unresponsive to
legitimate requests.

A SYN attack is also known as a TCP SYN attack or a SYN flood.

An attacker would send an initial request (a SYN) asking for acknowledgment from the receiving
server (an ACK). The receiving server would place this in a queue with identifying information, using
a small amount of memory and resources to do so. The server would expect a quick reply to its
acknowledgment, but the attacker would delay it or simply not respond. The server would wait
for a pre-defined timeout period before discarding the connection request.

In the meantime, if a large number of these requests had been hitting the server, it would
eventually become overwhelmed and unresponsive.
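The queue exhaustion described above, simulated as an added example (not from the original notes): a stateful listener whose half-open queue fills with SYNs that are never acknowledged, so a legitimate client's SYN is dropped, beside a listener using SYN cookies, a standard mitigation the text does not mention, which stores nothing until a valid ACK arrives. Addresses, backlog size and the HMAC secret are constructed, and time is a simulated clock rather than real sockets.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic server: every SYN occupies a backlog slot until the ACK or a timeout."""

    def __init__(self, backlog=8, timeout_seconds=30):
        self.backlog = backlog
        self.timeout = timeout_seconds
        self.half_open = {}          # (client_ip, client_port) -> (isn, created_at)

    def on_syn(self, client, now):
        """Handshake steps 1-2: remember the request and answer SYN-ACK, or drop if full."""
        self.half_open = {c: e for c, e in self.half_open.items()
                          if now - e[1] < self.timeout}   # discard timed-out requests
        if len(self.half_open) >= self.backlog:
            return None                                   # queue full: the SYN is dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = (isn, now)
        return ("SYN-ACK", isn)

    def on_ack(self, client, ack_num, now):
        """Handshake step 3: the ACK must carry the stored ISN + 1."""
        entry = self.half_open.pop(client, None)
        return entry is not None and ack_num == (entry[0] + 1) & MASK32


class SynCookieListener:
    """Stateless server: the ISN is an HMAC over the client tuple and a time slot,
    so a flood of unanswered SYNs consumes no queue memory at all."""

    def __init__(self, secret, slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds

    def _cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 MAC bits in the high part, the slot number (mod 256) in the low byte
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)

    def on_syn(self, client, now):
        return ("SYN-ACK", self._cookie(client, int(now // self.slot_seconds)))

    def on_ack(self, client, ack_num, now):
        isn = (ack_num - 1) & MASK32
        current = int(now // self.slot_seconds)
        # Accept only the current or previous slot, and only if the MAC matches.
        return any((s & 0xFF) == (isn & 0xFF) and self._cookie(client, s) == isn
                   for s in (current, current - 1))


def simulate_flood(server, attacker_syns, now=1000.0):
    """Spoofed clients send SYNs and never ACK; then one legitimate client tries
    a full handshake. Return True if the legitimate client got connected."""
    for i in range(attacker_syns):
        server.on_syn((f"203.0.113.{i % 250 + 1}", 40000 + i), now)   # never ACKed
    legit = ("198.51.100.5", 51515)
    reply = server.on_syn(legit, now + 1)
    if reply is None:
        return False
    return server.on_ack(legit, (reply[1] + 1) & MASK32, now + 2)


if __name__ == "__main__":
    print("stateful, flooded:", simulate_flood(StatefulListener(backlog=8), 20))
    print("syn cookies, flooded:", simulate_flood(SynCookieListener(b"constructed-secret"), 20))
```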

UDP flood attack

A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol
(UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and
respond. The firewall protecting the targeted server can also become exhausted as a result of UDP flooding,
resulting in a denial-of-service to legitimate traffic.

How does a UDP flood attack work?

A UDP flood works primarily by exploiting the steps that a server takes when it responds to a UDP packet
sent to one of its ports. Under normal conditions, when a server receives a UDP packet at a particular port,
it goes through two steps in response:

The server first checks to see if any programs are running which are presently listening for requests at the
specified port.

If no programs are receiving packets at that port, the server responds with an ICMP packet to inform
the sender that the destination was unreachable.

A UDP flood can be thought of in the context of a hotel receptionist routing calls. First, the receptionist
receives a phone call where the caller asks to be connected to a specific room. The receptionist then needs
to look through the list of all rooms to make sure that the guest is available in the room and willing to take
the call. Once the receptionist realizes that the guest is not taking any calls, they have to pick the phone back
up and tell the caller that the guest will not be taking the call. If suddenly all the phone lines light up
simultaneously with similar requests then they will quickly become overwhelmed.

As each new UDP packet is received by the server, it goes through these steps in order to process the request,
utilizing server resources in the process. Each transmitted UDP packet includes the IP address of the source
device. During this type of DDoS attack, an attacker will generally not use their own real IP address, but will
instead spoof the source IP address of the UDP packets, both to keep the attacker’s true location from being
exposed and to avoid being saturated with the response packets from the targeted server.

As a result of the targeted server utilizing resources to check and then respond to each received UDP packet,
the target’s resources can become quickly exhausted when a large flood of UDP packets are received,
resulting in denial-of-service to normal traffic.

How is a UDP flood attack mitigated?

Most operating systems limit the response rate of ICMP packets in part to disrupt DDoS attacks that require
ICMP response. One drawback of this type of mitigation is that during an attack legitimate packets may also
be filtered in the process. If the UDP flood has a volume high enough to saturate the state table of the
targeted server’s firewall, any mitigation that occurs at the server level will be insufficient as the bottleneck
will occur upstream from the targeted device.
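The two-step lookup described under "How does a UDP flood attack work?" and the ICMP rate limit described as the mitigation can be put together in one model. The following is an added illustration, not code from the original notes: a host that delivers datagrams to listening ports, answers closed ports with ICMP Port Unreachable, and caps those answers with a token bucket. The listening ports (DNS and NTP), the bucket parameters and the datagram trace are constructed for the example; real operating systems expose such a limit through their own settings, which the model does not reproduce.

```python
"""Model of the two steps a host performs for each UDP datagram (look for a
listener, otherwise answer with ICMP Port Unreachable) and of the ICMP
rate limit that most operating systems apply to those answers. Added
illustration, not code from the original notes; the listening ports, bucket
parameters and the datagram trace are constructed for the example."""


class UdpResponder:
    """A host's UDP input path with a token-bucket limit on ICMP replies."""

    def __init__(self, listening_ports, icmp_per_sec, burst):
        self.listening_ports = set(listening_ports)
        # The bucket is kept in integer "millitokens" so the arithmetic is
        # exact: one ICMP reply costs 1000, and icmp_per_sec replies per
        # second means icmp_per_sec millitokens per millisecond.
        self.rate = icmp_per_sec
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0
        self.stats = {"delivered": 0, "unreachable_sent": 0, "unreachable_suppressed": 0}

    def _refill(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms

    def receive(self, now_ms, dst_port):
        # Step 1: a program is listening, so the datagram is handed to it.
        if dst_port in self.listening_ports:
            self.stats["delivered"] += 1
            return "delivered"
        # Step 2: nobody listens; the host wants to send ICMP Port Unreachable,
        # which the rate limiter allows only while a token is available.
        self._refill(now_ms)
        if self.tokens >= 1000:
            self.tokens -= 1000
            self.stats["unreachable_sent"] += 1
            return "unreachable"
        self.stats["unreachable_suppressed"] += 1
        return "suppressed"


# Constructed trace, times in milliseconds: 50 datagrams to closed ports in
# one second, two legitimate DNS queries, and one legitimate probe of a
# closed port at the very end.
FLOOD = [(20 * i, 10000 + i) for i in range(50)]
LEGIT = [(500, 53), (900, 53), (990, 7777)]
CONSTRUCTED_TRACE = sorted(FLOOD + LEGIT)


def simulate(trace, icmp_per_sec, burst):
    """Feed (time_ms, dst_port) events to a host listening on DNS and NTP
    ports; return how many datagrams were delivered, answered, or left
    unanswered because of the ICMP rate limit."""
    host = UdpResponder(listening_ports={53, 123}, icmp_per_sec=icmp_per_sec, burst=burst)
    for t, port in sorted(trace):
        host.receive(t, port)
    return dict(host.stats)


if __name__ == "__main__":
    print("no effective limit:", simulate(CONSTRUCTED_TRACE, icmp_per_sec=1000, burst=1000))
    print("2 replies/s, burst 5:", simulate(CONSTRUCTED_TRACE, icmp_per_sec=2, burst=5))
```

Without an effective limit every one of the 51 closed-port datagrams costs the host a reply, which is exactly the work the flood is designed to create. With the limit the host sends only six replies, but the legitimate probe at the end of the trace is also left unanswered, which is the drawback the notes describe: rate limiting protects the host's resources, not the accuracy of its replies, and it does nothing for an upstream firewall whose state table has already filled.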

Smurf attack

A Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker attempts to flood a
targeted server with Internet Control Message Protocol (ICMP) packets. The attacker sends requests carrying
the spoofed IP address of the targeted device to one or more computer networks; the hosts on those networks
then all respond to the targeted server, amplifying the initial attack traffic and potentially overwhelming the
target, rendering it inaccessible. This attack vector is generally considered a solved vulnerability and is no
longer prevalent.

How Smurf attack works

While ICMP packets can be utilized in a DDoS attack, normally they serve valuable functions in network
administration. The ping application, which utilizes ICMP packets, is used by network administrators to test
networked hardware devices such as computers, printers or routers. A ping is commonly used to see if a
device is operational, and to track the amount of time it takes for the message to go round trip from the
source device to the target and back to the source. Unfortunately, because the ICMP protocol does not
include a handshake, hardware devices receiving requests are unable to verify if the request is legitimate.

This type of DDoS attack can be thought of metaphorically as a prankster calling an office manager and
pretending to be the company’s CEO. The prankster asks the manager to tell each employee to call the
executive back on his private number and give him an update on how they’re doing. The prankster gives the
callback number of a targeted victim, who then receives as many unwanted phone calls as there are people
in the office.

Here's how a Smurf attack works:

First the Smurf malware builds a spoofed packet that has its source address set to the real IP address of the
targeted victim.

The packet is then sent to an IP broadcast address of a router or firewall, which in turn sends requests to
every host device address inside the broadcasting network, increasing the number of requests by the
number of networked devices on the network.

Each device inside the network receives the request from the broadcaster and then responds to the spoofed
address of the target with an ICMP Echo Reply packet.

The target victim then receives a deluge of ICMP Echo Reply packets, potentially becoming overwhelmed
and resulting in denial-of-service to legitimate traffic.

How can a Smurf attack be mitigated?

Several mitigation strategies for this attack vector have been developed and implemented over the years,
and the exploit is largely considered solved. On a limited number of legacy systems, mitigation techniques
may still need to be applied. A simple solution is to disable IP broadcasting addresses at each network router
and firewall. Older routers are likely to enable broadcasting by default, while newer routers will likely
already have it disabled.

DDoS attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service or a
website unavailable by overloading it with huge floods of traffic generated from multiple
sources.

Unlike a Denial of Service (DoS) attack, in which one computer and one Internet
connection is used to flood a targeted resource with packets, a DDoS attack uses many
computers and many Internet connections, often distributed globally in what is referred to
as a botnet.

A large-scale volumetric DDoS attack can generate traffic measured in tens (and even hundreds) of
gigabits per second, far more than a normal network can handle.

What are Botnets?

Attackers build a network of compromised machines, known as a botnet, by spreading
malicious code through emails, websites, and social media. Once these
computers are infected, they can be controlled remotely, without their owners' knowledge,
and used like an army to launch an attack against any target.

A DDoS flood can be generated in multiple ways. For example −

• Botnets can be used to send more connection requests than a server can handle
at a time.

• Attackers can have computers send a victim resource huge amounts of random data to use up
the target's bandwidth.

Because these machines are distributed, they can be used to generate distributed
high-volume traffic that is difficult to handle, ultimately resulting in a complete blockage of
the service.

Types of DDoS Attacks

DDoS attacks can be broadly categorized into three categories −

1. Volume-based Attacks
2. Protocol Attacks
3. Application Layer Attacks

Volume-Based Attacks

Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other
spoofed-packet floods. These are also called Layer 3 & 4 attacks. Here, an attacker tries
to saturate the bandwidth of the target site. The attack magnitude is measured in bits per
second (bps).

1. UDP Flood − A UDP flood is used to flood random ports on a remote host with numerous UDP
packets, more specifically port number 53. Specialized firewalls can be used to filter out or block
malicious UDP packets.

2. ICMP Flood − This is similar to UDP flood and used to flood a remote host with numerous ICMP
Echo Requests. This type of attack can consume both outgoing and incoming bandwidth and a
high volume of ping requests will result in overall system slowdown.

3. HTTP Flood − The attacker sends HTTP GET and POST requests to a targeted web server in a
large volume which cannot be handled by the server and leads to denial of additional
connections from legitimate clients.

4. Amplification Attack − The attacker makes a request that generates a large response which
includes DNS requests for large TXT records and HTTP GET requests for large files like
images, PDFs, or any other data files.

Protocol Attacks

Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks, Smurf
DDoS, etc. This type of attack consumes actual server resources and other resources like
firewalls and load balancers. The attack magnitude is measured in Packets per Second.

• DNS Flood − DNS floods are used for attacking both the infrastructure and a DNS application to
overwhelm a target system and consume all its available network bandwidth.

• SYN Flood − The attacker sends TCP connection requests faster than the targeted machine
can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate
the effect of SYN floods: reduce the timeout after which a stack frees the memory allocated to a
half-open connection, or selectively drop incoming connections using a firewall or iptables.

• Ping of Death − The attacker sends malformed or oversized packets using a simple ping
command. IP allows packets of up to 65,535 bytes, so sending a ping packet larger than
65,535 bytes violates the Internet Protocol and could cause a memory overflow on the target
system and finally crash it. To avoid Ping of Death attacks and their variants, many sites
block ICMP ping messages altogether at their firewalls.

Application Layer Attacks

Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that
target Apache, Windows or OpenBSD vulnerabilities and more. Here the goal is to crash
the web server. The attack magnitude is measured in Requests per Second.

• Application Attack − This is also called a Layer 7 attack, where the attacker makes excessive
log-in, database-lookup, or search requests to overload the application. Layer 7 attacks are really
difficult to detect because they resemble legitimate website traffic.

• Slowloris − The attacker sends a huge number of HTTP headers to a targeted web server, but
never completes a request. The targeted server keeps each of these false connections open
and eventually overflows the maximum concurrent connection pool, which leads to denial of
additional connections from legitimate clients.

• NTP Amplification − The attacker exploits publicly accessible Network Time Protocol (NTP)
servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic.

• Zero-day DDoS Attacks − A zero-day vulnerability is a system or application flaw previously
unknown to the vendor, which has not been fixed or patched. New attacks of this type appear
day by day, for example, exploiting vulnerabilities for which no patch has
yet been released.

Firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic and permits or
blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your
internal network and incoming traffic from external sources (such as the internet) in order to block malicious
traffic like viruses and hackers.

How does a firewall work?

Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from
unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer’s entry points, called
ports, which is where information is exchanged with external devices. For example, “Source address
172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”

Firewalls are categorized into three basic types −

Packet filter (Stateless & Stateful)

Application-level gateway

Circuit-level gateway

These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that
may place them in more than one of the three categories.

Types of firewalls

Firewalls can either be software or hardware, though it’s best to have both. A software firewall is a program
installed on each computer and regulates traffic through port numbers and applications, while a physical
firewall is a piece of equipment installed between your network and gateway.

Packet-filtering firewalls, the most common type of firewall, examine packets and prohibit them from
passing through if they don’t match an established security rule set. This type of firewall checks the packet’s
source and destination IP addresses. If a packet matches an “allowed” rule on the firewall, it is
trusted to enter the network.

Packet-filtering firewalls are divided into two categories: stateful and stateless. Stateless firewalls examine
packets independently of one another and lack context, making them easy targets for hackers. In contrast,
stateful firewalls remember information about previously passed packets and are considered much more
secure.

While packet-filtering firewalls can be effective, they ultimately provide very basic protection and can be
very limited—for example, they can't determine if the contents of the request that's being sent will
adversely affect the application it's reaching. If a malicious request that was allowed from a trusted source
address would result in, say, the deletion of a database, the firewall would have no way of knowing that.
Next-generation firewalls and proxy firewalls are more equipped to detect such threats.

The decision can also be based on fields other than the IP addresses, such as the ICMP message type or the
TCP SYN and ACK bits.

A packet filter rule has two parts −

Selection criteria − A condition or pattern that the packet's header fields are matched against for decision making.

Action field − This part specifies the action to be taken if an IP packet meets the selection criteria. The action
can be either to block (deny) or to permit (allow) the packet across the firewall.

Packet filtering is generally accomplished by configuring Access Control Lists (ACLs) on routers or switches.
An ACL is a table of packet filter rules.

As traffic enters or exits an interface, the firewall applies the ACL from top to bottom to each packet, finds
a matching rule and either permits or denies that individual packet.

Stateful inspection

Stateful inspection has largely replaced an older technology, static packet filtering. In static packet filtering,
only the headers of packets are checked -- which means that an attacker can sometimes get information
through the firewall simply by indicating "reply" in the header. Stateful inspection, on the other hand,
analyzes packets down to the application layer. By recording session information such as IP addresses and
port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet
filter can.

Stateful inspection monitors communications packets over a period of time and examines both incoming and
outgoing packets. Outgoing packets that request specific types of incoming packets are tracked and only
those incoming packets constituting a proper response are allowed through the firewall.

In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific
needs. In a typical network, ports are closed unless an incoming packet requests connection to a specific
port and then only that port is opened. This practice prevents port scanning, a well-known hacking
technique.
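The packet filter rules (selection criteria plus action, evaluated top to bottom) and the stateful inspection described above can be compared on the same traffic. The following is an added illustration, not code from the original notes: a small ACL evaluator with an implicit deny, a stateful filter that remembers sessions, and four constructed packets including the "reply" header trick mentioned under stateful inspection. The rule set, the 172.18.x.x hosts borrowed from the text, the RFC 5737 outside addresses and the packets are all assumptions made for the example.

```python
"""A stateless ACL evaluated top to bottom beside a stateful filter that
tracks sessions, run over the same constructed packets. Added illustration,
not code from the original notes; the rules, addresses (RFC 5737 ranges plus
the 172.18.x.x hosts from the text) and packets are all constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    direction: str = "in"      # "in": from the untrusted side, "out": from inside


@dataclass(frozen=True)
class Rule:
    """Selection criteria plus an action field, as described in the notes."""
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    ack_only: bool = False     # match only packets flagged as replies (ACK set)

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ack_only or p.ack))


def stateless_decide(acl, p: Packet) -> str:
    """Walk the ACL top to bottom; the first matching rule decides, and an
    unmatched packet falls through to the implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def stateless_firewall(acl, p: Packet) -> str:
    if p.direction == "out":
        return "permit"        # assume an outbound ACL that permits everything
    return stateless_decide(acl, p)


class StatefulFilter:
    """Applies the ACL only to packets that open a connection and remembers
    the connection, so later packets are judged by the recorded state."""

    def __init__(self, new_connection_acl):
        self.acl = new_connection_acl
        self.sessions = set()  # (inside ip, inside port, outside ip, outside port)

    def decide(self, p: Packet) -> str:
        key = ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
               else (p.dst, p.dport, p.src, p.sport))
        if key in self.sessions:
            return "permit"    # part of a conversation already seen
        if p.direction == "out":
            self.sessions.add(key)   # inside hosts may open connections
            return "permit"
        if p.syn and not p.ack and stateless_decide(self.acl, p) == "permit":
            self.sessions.add(key)   # a new inbound connection the rules allow
            return "permit"
        return "deny"          # includes ACK-only packets claiming to be replies


# Constructed rule set: the admin subnet may reach 172.18.2.1 on port 22 (the
# example from the text); the second rule is the classic stateless shortcut
# that lets anything flagged ACK into the inside network as a "reply".
ACL = [
    Rule("permit", src="172.18.1.0/24", dst="172.18.2.1/32", proto="tcp", dport=22),
    Rule("permit", dst="172.18.2.0/24", proto="tcp", ack_only=True),
]

PACKETS = [
    Packet("172.18.1.1", "172.18.2.1", "tcp", 40000, 22, syn=True),                       # admin SSH
    Packet("172.18.2.5", "198.51.100.20", "tcp", 51000, 443, syn=True, direction="out"),  # inside client
    Packet("198.51.100.20", "172.18.2.5", "tcp", 443, 51000, syn=True, ack=True),        # its real reply
    Packet("198.51.100.99", "172.18.2.9", "tcp", 1234, 3389, ack=True),                  # forged "reply"
]


def compare(packets=PACKETS):
    """Return (stateless, stateful) decisions for each packet in order."""
    sf = StatefulFilter([ACL[0]])   # the stateful filter needs no ack_only rule
    return [(stateless_firewall(ACL, p), sf.decide(p)) for p in packets]
```

The two filters agree on the first three packets. They differ on the fourth: the stateless ACL needs the ack_only rule so that genuine replies to outbound connections can get in, and that same rule admits a forged packet that merely sets the ACK bit. The stateful filter admits the real reply because it recorded the outbound request, and drops the forged one because no session matches it.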

Application-level Filtering

An application-level proxy gateway examines and filters individual packets, rather than simply copying them
and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes
through the gateway, verifying the contents of the packet up through the application layer. These proxies
can filter particular kinds of commands or information in the application protocols.

Application gateways can restrict specific actions from being performed. For example, the gateway could be
configured to prevent users from performing the ‘FTP put’ command. This can prevent modification of the
information stored on the server by an attacker.
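One way an application gateway can enforce the "no FTP put" restriction described above, as an added illustration that is not the notes' own code: the proxy parses each command on the FTP control channel and refuses the ones that would modify server content. The ftp client's put is carried on the wire as the STOR command and append as APPE; the blocked-command set, the line-length limit and the sample session are constructed for the example.

```python
"""Application-level gateway check for an FTP control channel: the proxy
parses each command the client sends and refuses those that would modify
files on the server, forwarding the rest. Added illustration, not code from
the original notes; the blocked-command set, the line-length limit and the
sample session are constructed. The ftp client's 'put' is carried on the
wire as the STOR command, 'append' as APPE."""

# Commands that create, change or remove server-side content.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "RMD", "MKD"}
MAX_LINE = 512   # assumption: longer control lines are treated as malformed


def parse_command(line: str):
    """Split one control line into (VERB, argument). Returns None for lines
    the proxy should not forward because it cannot interpret them."""
    line = line.rstrip("\r\n")
    if not line or len(line) > MAX_LINE:
        return None
    verb, _, arg = line.partition(" ")
    if not verb.isalpha():       # FTP verbs are letters only; anything else is junk
        return None
    return verb.upper(), arg     # verbs are case-insensitive, so normalise


def gateway_decision(line: str) -> str:
    parsed = parse_command(line)
    if parsed is None:
        return "drop"             # do not forward what cannot be parsed
    verb, _ = parsed
    if verb in WRITE_COMMANDS:
        return "reject"           # answer the client with an error, never forward
    return "forward"


def filter_session(lines):
    """Decide every line of a session; returns (line, decision) pairs."""
    return [(line.rstrip("\r\n"), gateway_decision(line)) for line in lines]


# Constructed client session, as it would arrive on the control connection.
SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "CWD /pub\r\n",
    "RETR readme.txt\r\n",
    "stor notes.txt\r\n",        # lowercase 'put' must still be caught
    "APPE log.txt\r\n",
    "\x01\x02garbage\r\n",       # malformed line
    "QUIT\r\n",
]


if __name__ == "__main__":
    for text, decision in filter_session(SESSION):
        print(f"{decision:8s} {text!r}")
```

Two details matter for a filter like this: the verb is normalised to upper case before the check, because FTP commands are case-insensitive and a lower-case stor is the same request; and lines the proxy cannot parse are dropped rather than passed through, since forwarding unparsed input defeats the purpose of inspecting at the application layer.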

Batch File Programming – Introduction

A batch file is an unformatted text file or script file that contains multiple commands to achieve a certain
task. It contains a series of commands that are executed by the command-line interpreter.

Extensions: .bat or .cmd

The instructions in batch files are for automating repetitive command sequences.

Before the implementation of modern GUIs (Graphical User Interfaces), in operating systems like MS-DOS,
every command had to be run from the command line. Even though we now have GUIs, many major core
operations can only be achieved through command-line instructions.

So whenever we write instructions or code in batch files, we are executing command-line operations
through our instructions, and when we know how to write commands, we can do many powerful things in
Windows.

For example: we can create a .bat file with instructions for shutting down, and whenever that file is run,
Windows will automatically shut down.
