Network Security : Ping Attacks , Vulnerabilities and Password Cracking

 

This blog entry seeks to describe several known issues when considering network security. Attacks, vulnerabilities are discussed. Suggestions for improvement and best practice are included.

PING ATTACKS

There are a number of attacks that can be associated with ping commands. “Denial of service (DoS) attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers. DoS attacks are common on the Internet, where they have hit large companies such as Amazon, Microsoft, and AT&T. .. In a DoS attack on an application, the attack may bring down a website while the communications and systems continue to operate…. A common DoS attack involves opening as many TCP sessions as possible; this type of attack is called a TCP SYN flood DoS attack. Two of the most common types of DoS attacks are the Ping of Death and the Buffer Overflow Attack. The ping of death crashes a system by sending Internet Control Message Protocol (ICMP) packets (think echoes) that are larger than the system can handle.” (Pastore, 2004)

“Hackers can use this technique for these kinds of denial-of-service hacks or “smurf“ attacks. They use whole networks of computers to direct an overwhelming amount of traffic to a victim's machine.” (Gibbs, 1999)

“Buffer overflow attacks, as the name implies, attempt to put more data (usually long input strings) into the buffer than it can hold.  A Distributed Denial of Service (DDoS) attack is similar to a DoS attack. This type of attack amplifies the concepts of a DoS by using multiple computer systems to conduct the attack against a single organization. These attacks exploit the inherent weaknesses of dedicated networks such as DSL and cable. “ (Pastore, 2004)

SECURITY HOLES/VULNERABILITIES

Computer systems lie exposed on the internet. Security holes and vulnerabilities are natural,  in a matter of speaking,  as software engineers create code to accomplish their software tasks asked of them. There are always unsavory elements that will seek to intrude, rob or disturb this software or take advantage of the information the code provides. Hence the need to protect this software from harm and exploitation falls on the shoulders of developers that create security, such as in the form of firewalls or other means.  Security holes (as the name implies), are the vulnerabilities or weaknesses in software that could allow a targeted piece of code or technique to infiltrate and penetrate the system.

Two suggestions to be made to more effectively patch these holes in the system are software defined networks and security scanners.  Security Scanners can help protect up to 60% more than the most secure standalone software.(Lerida, 1999). Software Defined Networks, or SDNS, are a fairly recent development that come with their own issues, but are much more cost-effective than some other measures on a large scale at least.  “Network functions virtualization  (NFV) leverages virtualization to deploy Network Functions (NFs) on high-volume servers. This will enable innovations and opportunity for industry and academia. In contrast with traditional networks, NFV reduces the capital expenditure (CAPEX) and operating expenses (OPEX). However, its security becomes crucial. Specifically, virtualized network functions (VNFs) are an important part of NFV.”(Aljuhani, 2017)

PASSWORD CRACKING:

Passwords are our keys for logging into our devices, log into websites where we transact , log into social media  - plus a host of other needs. They are the single personal means by which we grant ourselves access to our 21st Century lives. But there are those elements out there who want those passwords for their own nefarious purposes. As Users of systems, our job is to protect those passwords. For others, their job is to crack the code. “Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses.”(Yildirim, 2019)  We should take these kinds of threats very seriously. “Passwords are considered one of the most significant risk factors in terms of security in information systems as they are vulnerable to attacks [8]. This vulnerability is mainly due to user behaviors and practices and not related to the password system itself. The main problem arises from the memorability issue which ultimately causes the other problems related to passwords such as reusing, sharing and choosing weak passwords. These problems are well known, and they are called the human factor problems’ by researchers in the password authentication domain. “ (Herley, 2009) 

The challenges are how to create passwords simple enough to remember and difficult enough to keep others from guessing them.  Is there a universal answer? According to the experts, it’s like chasing a rabbit down a hole.  How can we now and in the future be relatively sure our passwords will remain secure? It’s a numbers game, because there are growing numbers of hackers with super-fast algorithms that can guess passwords easily – if given the time do it. One very reasonable solution is the use of a professional password management system. There are many on the market available and keeping very long and complex passwords secure is a very good idea.(Kamat, 20018)  How do we create these highly valuable passwords? Make them long and complex, such as through password generation software. (Yildirim, 2019, p. 756)

 

 

References

Aljuhani, A., & Alharbi, T. (2017). Virtualized Network Functions security attacks and vulnerabilities. 2017 IEEE 7th Annual Computing and Communication Workshop and Conference (CCWC), Computing and Communication Workshop and Conference (CCWC), 2017 IEEE 7th Annual, 1–4. https://doi.org/10.1109/CCWC.2017.7868478.

Connolly, P. J. (2001, October 15). SECURITY ADVISER: Tomorrow is too late - SANS Institute’s Top 10 security holes expands to Top 20; it’s never too early to fight common vulnerabilities. InfoWorld, 23(42).

Stiawan,D.,  Suryani,M., Susanto,I., Aldalaien, M., Alsharif, N.,& Budiarto.R. (2021). Ping Flood Attack Pattern Recognition Using a K-Means Algorithm in an Internet of Things (IoT) Network. IEEE Access, 9, 116475–116484. https://doi.org/10.1109/ACCESS.2021.3105517

Gibbs, M. (1999). Attacked by Smurf. Network World, 16(8), 36. Retrieved from https://www.proquest.com/trade-journals/attacked-smurf/docview/215958615/se-2?accountid=32521

Herley, C., van Oorschot, P., Patrick, A.: Passwords: If we’re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) Financial Cryptography and Data Security, FC 2009. Lecture Notes in Computer Science, vol. 5628, pp. 230–237. Springer, Berlin (2009)

Kamat, C. Tomar, A. Tainwala and S. Akram, Performance analysis and survey on security of password managers and various schemes of p2p models, 2018 3rd IEEE International Conference on Recent Trends in Electronics, Information & Communication Technology (RTEICT), 2018, pp. 23-26, doi: 10.1109/RTEICT42901.2018.9012612.

Kelley, P. G., Komanduri, S., Mazurek, M. L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., & Lopez, J. (2012). Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. 2012 IEEE Symposium on Security and Privacy, Security and Privacy (SP), 2012 IEEE Symposium On, 523–537. https://doi.org/10.1109/SP.2012.38

Kerner, S. M. (2019). How HTML5 Ping Is Used in DDoS Attacks. EWeek, N.PAG.

Lerida,J. & Grackzy,S.  A. Vina and J. M. Andujar, Detecting security vulnerabilities in remote TCP/IP networks: an approach using security scanners, Proceedings IEEE 33rd Annual 1999 International Carnahan Conference on Security Technology (Cat. No.99CH36303), 1999, pp. 446-460, doi: 10.1109/CCST.1999.797953.

Liu, E., Nakanishi, A., Golla, M., Cash, D., & Ur, B. (2019). Reasoning Analytically about Password-Cracking Software. 2019 IEEE Symposium on Security and Privacy (SP), Security and Privacy (SP), 2019 IEEE Symposium On, 380–397. https://doi.org/10.1109/SP.2019.00070

Pastore, M. A., & Dulaney, E. A. (2004). Security+ Study Guide : Exam SY0-101: Vol. 2nd ed. Sybex.

Winder, D. (2022). Six security holes you need to plug now. PC Pro, 333, 100–102.

Yihunie, F., Abdelfattah, E., & Odeh, A. (2018). Analysis of ping of death DoS and DDoS attacks. 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT), Systems, Applications and Technology Conference (LISAT), 2018 IEEE Long Island,1–4. https://doi.org/10.1109/LISAT.2018.8378010

Yıldırım, M., & Mackie, I. (2019). Encouraging users to improve password security and memorability. International Journal of Information Security, 18(6), 741–759. https://doi.org/10.1007/s10207-019-00429-y

Comments

Post a Comment

Popular posts from this blog

Completing My Information Technology Blog - for now

This course is designed to prepare students for their degree program path. The Fundamentals of Information Technology & Literacy course covers concepts to enable fluency in information technology (IT), a fluency that the National Research Council (NRC) considers an important component of the lifelong learning process. This course includes a review of basic concepts needed for the program, including topics such as operating systems and computer components; hardware and software; basics of database programming, and system design; and other concepts that encourage critical thinking. (Course Guide, p.1) My blog accurately represents a course-long project process to break down and to build up a discussion of IT subjects from home and business technology (in the form of research for a budget laptop), to testing pinging and trace routing, to experimentation with unusual programming technique, to organizing a blog. The course, although just a survey, was fast-paced and thorough.  My ch...
Read more

RAM rods

Image
  Determining RAM Throughout my life, I have owned and/or operated many computers of various abilities and styles.   I learned much along the way about the physical attributes and capabilities of the software and hardware of these machines. There have been some surprisingly common factors between all of them. Computer hardware (whether they be desktop, dumb terminal, laptop, smart phone, tablet, hybrid laptop, etc.) all have commonalities like RAM (Random Access Memory) as one of the products to chase. While the “packaging” changes, all computers in the modern age are dependent on software to help drive (hence the name “driver” for software to manage hardware components). Even within the devices (like the speaker, Bluetooth device, network adapters, etc.), there is an ever-expanding need for more and better RAM. I knew the RAM for my Sony Vaio because I requested the 8 GB installation when I ordered it. That was back in 2014 and by today’s standards, it’s just slightly low...
Read more