You already know the fundamentals of TCP. Understanding the role of port numbers will help you to grasp the details of the TCP communication process. In this topic, you will also learn about the TCP three-way handshake and session termination processes.
An individual server cannot have two services bound to the same port number within the same transport layer protocol. For example, a host running a web server application and a file transfer application cannot have both configured to use the same port, such as TCP port 80; the second service to start would fail to bind.
An active server application assigned to a specific port is considered open, which means that the transport layer accepts, and processes segments addressed to that port. Any incoming client request addressed to the correct socket is accepted, and the data is passed to the server application. There can be many ports open simultaneously on a server, one for each active server application.
Figure: Clients sending TCP requests. Client 1 is requesting web services and Client 2 is requesting email service from the same server.
TCP Connection Establishment
In some cultures, when two persons meet, they often greet each other by shaking hands. Both parties understand the act of shaking hands as a signal for a friendly greeting. Connections on the network are similar.
In TCP connections, the client host establishes the connection with the server using the three-way handshake process.
Step 1. SYN – The initiating client requests a client-to-server communication session with the server: it sends a segment with the SYN flag set, carrying its initial sequence number. In the figure, PCA starts the three-way handshake by sending a SYN segment to PCB.
Step 2. ACK and SYN – The server acknowledges the client-to-server session (ACK flag set, acknowledgement number equal to the client's sequence number plus one) and, in the same segment, requests a server-to-client session by setting the SYN flag with its own initial sequence number.
Step 3. ACK – The client acknowledges the server-to-client session. Both one-way sessions now exist and data can flow in either direction.
The three-way handshake validates that the destination host is available to communicate. In this example, host A has validated that host B is available.
Session Termination
To close a connection, the Finish (FIN) control flag must be set in the segment header. To end each one-way TCP session, a two-way handshake, consisting of a FIN segment and an Acknowledgment (ACK) segment, is used.
Therefore, to terminate a single conversation supported by TCP, four exchanges are needed to end both sessions. Either the client or the server can initiate the termination.
In the example, the terms client and server are used as a reference for simplicity, but any two hosts that have an open session can initiate the termination process.
Step 1. FIN – When the client has no more data to send in the stream, it sends a segment with the FIN flag set. In the figure, PCA sends a FIN segment to PCB to end its side of the session.
Step 2. ACK – The server sends an ACK to acknowledge the FIN. The client-to-server session is now closed, but the server can still send data to the client.
Step 3. FIN – When the server has no more data to send, it sends its own segment with the FIN flag set.
Step 4. ACK – The client acknowledges the server's FIN, which closes the server-to-client session.
When all segments have been acknowledged, the session is closed.
TCP Three-way Handshake Analysis
Hosts maintain state, track each data segment within a session, and exchange information about what data is received using the information in the TCP header. TCP is a full-duplex protocol, where each connection represents two one-way communication sessions.
To establish the connection, the hosts perform a three-way handshake. As shown in the figure, control bits in the TCP header indicate the progress and status of the connection. These are the functions of the three-way handshake:
It establishes that the destination device is present on the network.
It verifies that the destination device has an active service and is accepting requests on the destination port number that the initiating client intends to use.
It informs the destination device that the source client intends to establish a communication session on that port number.
After the communication is completed the sessions are closed and the connection is terminated. The connection and session mechanisms are what make the TCP reliability functions possible: every segment is tracked by sequence number and acknowledged within a known session.
The figure shows the TCP segment header fields, with the 6-bit Control Bits field highlighted. The header is 20 bytes without options:
Source Port (16 bits) | Destination Port (16 bits)
Sequence Number (32 bits)
Acknowledgement Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Control Bits (6 bits) | Window (16 bits)
Checksum (16 bits) | Urgent Pointer (16 bits)
Options (0 or 32 bits if any)
Application Layer Data (size varies)
The six bits in the Control Bits field of the TCP segment header are also known as flags. A flag is a bit that is set to either on (1) or off (0). RFC 3168 later assigned two of the bits shown here as reserved to the CWR and ECE flags used for Explicit Congestion Notification, so a packet analyzer may display more than six flags; this topic covers the original six.
The six control bits flags are as follows:
URG – Urgent pointer field significant
ACK – Acknowledgment flag used in connection establishment and session termination
PSH – Push function
RST – Reset the connection when an error or timeout occurs
SYN – Synchronize sequence numbers used in connection establishment
FIN – No more data from sender and used in session termination
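The following Python example, added here and not part of the original course material, builds and parses TCP headers carrying the six flags above and runs a simplified state tracker through the three-way handshake and the four-segment termination described earlier. The ports, initial sequence numbers and state labels are constructed for the example, and the tracker is a simplification, not the full RFC 793 state machine. It also shows what a half-open (SYN) scan looks like to such a tracker: SYN, SYN/ACK, then RST, with the connection never reaching the established state.

```python
"""TCP header parsing and a simplified connection tracker.

Added example for this page; it is not code from the original course.
Segments are built inline (TCP header only, no IP header), and the
sequence numbers, ports and state labels are chosen for the example.
"""
import struct

# RFC 793 control bits, the low six bits of the 16-bit data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
              (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))
MASK32 = 0xFFFFFFFF


def build_segment(sport, dport, seq, ack, flags, window=65535):
    """Return a minimal 20-byte TCP header (checksum left at 0, no options)."""
    offset_flags = (5 << 12) | flags           # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_segment(data):
    """Decode the fixed TCP header fields and the six control-bit flags."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    hlen = (off_flags >> 12) * 4               # header length in bytes
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "window": win, "flags": flags,
            "flag_names": [name for bit, name in FLAG_NAMES if flags & bit],
            "options": data[20:hlen]}


class ConnectionTracker:
    """Follow one connection through the three-way open and four-way close.

    The state names are labels for this example, not the full RFC 793 state
    machine. SYN and FIN each consume one sequence number, so the tracker checks
    that the SYN/ACK acknowledges client_isn + 1 and the third segment
    acknowledges server_isn + 1; a mismatch is recorded, not silently accepted.
    """

    def __init__(self):
        self.state = "CLOSED"
        self.client_isn = self.server_isn = None
        self.errors = []

    def feed(self, seg, from_client):
        f, s = seg["flags"], self.state
        if f & RST:                                        # abort from either side
            self.state = "CLOSED"
        elif s == "CLOSED" and from_client and f & SYN and not f & ACK:
            self.client_isn, self.state = seg["seq"], "SYN_SENT"
        elif s == "SYN_SENT" and not from_client and f & SYN and f & ACK:
            if seg["ack"] != (self.client_isn + 1) & MASK32:
                self.errors.append("SYN/ACK acknowledges the wrong sequence number")
            self.server_isn, self.state = seg["seq"], "SYN_ACK_SEEN"
        elif s == "SYN_ACK_SEEN" and from_client and f & ACK and not f & SYN:
            if seg["ack"] != (self.server_isn + 1) & MASK32:
                self.errors.append("handshake ACK acknowledges the wrong sequence number")
            self.state = "ESTABLISHED"
        elif s == "ESTABLISHED" and f & FIN:
            self.state = "FIN_1_SENT"                      # first one-way session closing
        elif s == "FIN_1_SENT" and f & ACK and not f & FIN:
            self.state = "FIN_1_ACKED"
        elif s in ("FIN_1_SENT", "FIN_1_ACKED") and f & FIN:
            self.state = "FIN_2_SENT"                      # other side closes its session
        elif s == "FIN_2_SENT" and f & ACK:
            self.state = "CLOSED"
        else:
            self.errors.append(f"unexpected {seg['flag_names']} in state {s}")
        return self.state


def run_exchange(exchange):
    """Feed (from_client, flags, seq, ack) tuples; return (state trail, errors)."""
    tracker, trail = ConnectionTracker(), []
    for from_client, flags, seq, ack in exchange:
        sport, dport = (49152, 80) if from_client else (80, 49152)
        seg = parse_segment(build_segment(sport, dport, seq & MASK32, ack & MASK32, flags))
        trail.append(tracker.feed(seg, from_client))
    return trail, tracker.errors


def full_lifecycle(c=1000, s=5000):
    """Three-way handshake followed by the four-segment termination, no payload."""
    return run_exchange([
        (True,  SYN,       c,     0),       # step 1: SYN
        (False, SYN | ACK, s,     c + 1),   # step 2: SYN and ACK
        (True,  ACK,       c + 1, s + 1),   # step 3: ACK, connection established
        (True,  FIN | ACK, c + 1, s + 1),   # close step 1: client FIN
        (False, ACK,       s + 1, c + 2),   # close step 2: server ACK
        (False, FIN | ACK, s + 1, c + 2),   # close step 3: server FIN
        (True,  ACK,       c + 2, s + 2),   # close step 4: client ACK
    ])


def half_open_scan(c=1000, s=5000):
    """SYN, SYN/ACK, then RST: what a SYN (half-open) port scan leaves behind."""
    return run_exchange([(True, SYN, c, 0), (False, SYN | ACK, s, c + 1), (True, RST, c + 1, 0)])
```

`full_lifecycle()` returns the seven states in order; `half_open_scan()` ends in CLOSED without ever passing through ESTABLISHED, which is the pattern a sensor counts when it looks for port scanning. A wrong acknowledgement number in the handshake is recorded in `errors` rather than accepted, which is the check behind the statement that the handshake synchronises sequence numbers.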
Search the internet to learn more about the PSH and URG flags.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that because I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
The Dynamic Host Configuration Protocol (DHCP) for IPv4 service automates the assignment of IPv4 addresses, subnet masks, gateways, and other IPv4 networking parameters. This is referred to as dynamic addressing.
The alternative to dynamic addressing is static addressing. When using static addressing, the network administrator manually enters IP address information on hosts.
When a host connects to the network, the DHCP server is contacted, and an address is requested. The DHCP server chooses an address from a configured range of addresses called a pool and assigns (leases) it to the host.
On larger networks, or where the user population changes frequently, DHCP is preferred for address assignment. New users may arrive and need connections; others may have new computers that must be connected.
Rather than use static addressing for each connection, it is more efficient to have IPv4 addresses assigned automatically using DHCP.
DHCP allocates IP addresses for a configurable period of time, called the lease period. The lease period is an important DHCP setting: when the lease expires, or when the DHCP server receives a DHCPRELEASE message from the client, the address is returned to the DHCP pool for reuse.
Users can freely move from location to location and easily re-establish network connections through DHCP.
Various types of devices can be DHCP servers. The DHCP server in most medium-to-large networks is usually a local, dedicated PC-based server. With home networks, the DHCP server is usually located on the local router that connects the home network to the ISP.
The figure depicts an ISP DHCP server connected to the internet with three ISP routers labelled ISP1, ISP2 and ISP3, each connected to a different network. ISP1 connects through a wireless antenna to a mobile worker who is the DHCP client. ISP2 connects to a corporate network router; the corporate LAN has its own local DHCP server connected to a switch that serves six DHCP clients.
ISP3 connects to a wireless DHCP server for a home and small business network with three DHCP clients.
Many networks use both DHCP and static addressing. DHCP is used for general-purpose hosts, such as end-user devices. Static addressing is used for network devices, such as gateway routers, switches, servers, and printers.
DHCP for IPv6 (DHCPv6) provides similar services for IPv6 clients. One important difference is that DHCPv6 does not provide a default gateway address. An IPv6 host learns its default gateway only from the Router Advertisement (RA) message sent by the router on the link.
DHCP Operation
As shown in the figure, when an IPv4, DHCP-configured device boots up or connects to the network, the client broadcasts a DHCP discover (DHCPDISCOVER) message to identify any available DHCP servers on the network.
A DHCP server replies with a DHCP offer (DHCPOFFER) message, which offers a lease to the client. The offer message contains the IPv4 address and subnet mask to be assigned, the IPv4 address of the DNS server, and the IPv4 address of the default gateway. The lease offer also includes the duration of the lease.
The figure shows a protocol ladder with a DHCP client on one side and a DHCP server on the other. The DHCP client sends a DHCPDISCOVER message to the DHCP server. The DHCP server sends a DHCPOFFER message to the DHCP client. The DHCP client sends a DHCPREQUEST message in response to the DHCPOFFER from the DHCP server. The DHCP server sends a DHCPACK message back to the DHCP client. The process is called DORA (Discover, Offer, Request, Acknowledge).
The client may receive multiple DHCPOFFER messages if there is more than one DHCP server on the local network. It must choose between them and then sends a DHCP request (DHCPREQUEST) message, broadcast so that every server sees it, that identifies the selected server and the lease offer the client is accepting; the other servers treat this as a decline of their offers. A client may also request an address that the server previously allocated to it.
Assuming that the IPv4 address requested by the client, or offered by the server, is still available, the server returns a DHCP acknowledgement (DHCPACK) message that acknowledges to the client that the lease has been finalized. If the offer is no longer valid, then the selected server responds with a DHCP negative acknowledgement (DHCPNAK) message.
If a DHCPNAK message is returned, then the selection process must begin again with a new DHCPDISCOVER message being transmitted. After the client has the lease, it must be renewed prior to the lease expiration through another DHCPREQUEST message.
The DHCP server ensures that all IP addresses are unique (the same IP address cannot be assigned to two different network devices simultaneously). Most ISPs use DHCP to allocate addresses to their customers.
DHCPv6 has a set of messages similar to those of DHCPv4. The DHCPv6 messages are SOLICIT, ADVERTISE, REQUEST and REPLY (the counterparts of the DORA exchange), plus INFORMATION-REQUEST, used by a client that already has an address and only needs other parameters such as DNS servers.
DHCP Message Format
The DHCPv4 message format is used for all DHCPv4 transactions. DHCPv4 messages are encapsulated within the UDP transport protocol. DHCPv4 messages that are sent from the client use UDP source port 68 and destination port 67. DHCPv4 messages sent from the server to the client use UDP source port 67 and destination port 68. The structure of the DHCPv4 message is shown below.
OP Code – 1 byte
Hardware Type – 1 byte
Hardware Address Length – 1 byte
Hops – 1 byte
Transaction Identifier (XID) – 4 bytes
Seconds – 2 bytes
Flags – 2 bytes
Client IP Address (CIADDR) – 4 bytes
Your IP Address (YIADDR) – 4 bytes
Server IP Address (SIADDR) – 4 bytes
Gateway IP Address (GIADDR) – 4 bytes
Client Hardware Address (CHADDR) – 16 bytes
Server Name (SNAME) – 64 bytes
Boot Filename – 128 bytes
DHCP Options – variable length, introduced by the 4-byte magic cookie 99.130.83.99
The fields are explained here:
Operation (OP) Code – Specifies the general type of message. A value of 1 indicates a request message (BOOTREQUEST, sent by the client); a value of 2 is a reply message (BOOTREPLY, sent by the server).
Hardware Type – Identifies the type of hardware used in the network. For example, 1 is Ethernet, 15 is Frame Relay, and 20 is a serial line. These are the same codes used in ARP messages.
Hardware Address Length – Specifies the length in bytes of the hardware address (6 for an Ethernet MAC address).
Hops – Controls the forwarding of messages. Set to 0 by a client before transmitting a request; a relay agent may increment it for each hop the message takes.
Transaction Identifier – Used by the client to match the request with replies received from DHCPv4 servers.
Seconds – Identifies the number of seconds elapsed since a client began attempting to acquire or renew a lease. Used by DHCPv4 servers to prioritize replies when multiple client requests are outstanding.
Flags – Used by a client that does not know its IPv4 address when it sends a request. Only one of the 16 bits is used, which is the broadcast flag. A value of 1 in this field tells the DHCPv4 server or relay agent receiving the request that the reply should be sent as a broadcast.
Client IP Address – Used by a client during lease renewal when the address of the client is valid and usable, not during the process of acquiring an address. The client puts its own IPv4 address in this field if and only if it has a valid IPv4 address while in the bound state; otherwise, it sets the field to 0.
Your IP Address – Used by the server to assign an IPv4 address to the client.
Server IP Address – Used by the server to identify the address of the server that the client should use for the next step in the bootstrap process, which may or may not be the server sending this reply. The sending server always includes its own IPv4 address in a special field called the Server Identifier DHCPv4 option.
Gateway IP Address – Routes DHCPv4 messages when DHCPv4 relay agents are involved. The gateway address facilitates communications of DHCPv4 requests and replies between the client and a server that are on different subnets or networks.
Client Hardware Address – The physical (MAC) address of the client. The server uses it to deliver the reply to a client that does not yet have an IP address and as the key for the lease it records.
Server Name – Used by the server sending a DHCPOFFER or DHCPACK message. The server may optionally put its name in this field. This can be a simple text nickname or a DNS domain name, such as dhcpserver.netacad.net.
Boot Filename – Optionally used by a client to request a particular type of boot file in a DHCPDISCOVER message. Used by a server in a DHCPOFFER to fully specify a boot file directory and filename.
DHCP Options – Holds DHCP options, including several parameters required for basic DHCP operation. This field is variable in length. Both client and server may use this field.
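The following Python example, added for this page and not taken from the course, builds a DHCPDISCOVER and two DHCPOFFER messages in the format just described, parses them back, and flags an offer whose server identifier (option 54) is not one of the authorised DHCP servers. The client MAC address, transaction ID, IP addresses and the authorised-server set are all constructed for the example. The rogue-offer check follows directly from the DORA exchange described above: the client accepts whichever offer it selects, so a rogue server on the same segment can win the race and hand out its own address as default gateway and DNS server.

```python
"""DHCPv4 message builder/parser (RFC 2131 fixed fields, RFC 2132 options)
and a rogue-server check on DHCPOFFER messages.

Added example for this page; not code from the original course. The MAC
address, transaction ID, addresses and the authorised-server list are all
constructed for the example.
"""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # 99.130.83.99, starts the options field
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"        # op .. file: 236 bytes before the cookie
BROADCAST_FLAG = 0x8000                     # most significant bit of the flags field


def build_message(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0",
                  ciaddr="0.0.0.0", giaddr="0.0.0.0", flags=0):
    """Return message bytes; options is a list of (code, value_bytes)."""
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    fixed = struct.pack(FIXED, op, 1, len(chaddr), 0, xid, 0, flags,
                        IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                        IPv4Address(siaddr).packed, IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + tlvs + b"\xff"           # 255 = end option


def parse_message(data):
    """Decode the fixed header and walk the option TLVs (0 = pad, 255 = end)."""
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = struct.unpack(FIXED, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b"\0")[0]
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
            "broadcast": bool(flags & BROADCAST_FLAG),
            "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
            "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
            "chaddr": chaddr[:hlen].hex(":"),
            "sname": sname.split(b"\0", 1)[0].decode("ascii", "replace"),
            "file": file.split(b"\0", 1)[0].decode("ascii", "replace"),
            "type": MESSAGE_TYPES.get(mtype, "unknown"), "options": options}


def check_offer(data, authorised_servers):
    """Summarise a DHCPOFFER and flag it when option 54 (server identifier) is
    not an authorised server. A client takes whichever offer it selects, so a
    rogue server on the segment can hand out its own address as the default
    gateway or DNS server; comparing offers against the known servers catches
    that. Returns None for any message that is not an offer."""
    msg = parse_message(data)
    if msg["type"] != "DHCPOFFER":
        return None
    opts = msg["options"]
    server = str(IPv4Address(opts[54]))
    return {"server": server, "offered": msg["yiaddr"],
            "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
            "gateway": str(IPv4Address(opts[3][:4])) if 3 in opts else None,
            "dns": str(IPv4Address(opts[6][:4])) if 6 in opts else None,
            "rogue": server not in authorised_servers}


def demo():
    """DISCOVER from a client, then a legitimate and a rogue OFFER (all constructed)."""
    xid, mac = 0x3903F326, bytes.fromhex("001122334455")
    discover = build_message(BOOTREQUEST, xid, mac,
                             [(53, b"\x01"), (55, b"\x01\x03\x06")], flags=BROADCAST_FLAG)

    def offer(server, gateway, yiaddr):
        return build_message(BOOTREPLY, xid, mac, [
            (53, b"\x02"), (54, IPv4Address(server).packed),
            (51, struct.pack("!I", 86400)), (1, IPv4Address("255.255.255.0").packed),
            (3, IPv4Address(gateway).packed), (6, IPv4Address(server).packed)],
            yiaddr=yiaddr, siaddr=server)

    authorised = {"192.168.1.1"}
    return (parse_message(discover),
            check_offer(offer("192.168.1.1", "192.168.1.254", "192.168.1.50"), authorised),
            check_offer(offer("192.168.1.66", "192.168.1.66", "192.168.1.51"), authorised))
```

`demo()` returns the parsed DISCOVER and the two offer summaries; the second offer, from 192.168.1.66, is reported as rogue because it also names itself as the gateway and DNS server. On managed switches the same idea is enforced by DHCP snooping, which drops server messages arriving on untrusted ports; the code here is what a passive sensor would do with captured packets.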
The web servers that we connect to using names like www.cisco.com are actually reached by IP address: every packet carries a destination IP address, not a name.
On the internet, domain names are much easier for people to remember than an IP address such as 74.163.4.161. If Cisco decides to change the numeric address of www.cisco.com, it is transparent to the user because the domain name remains the same. The new address is simply linked to the existing domain name and connectivity is maintained.
The Domain Name System (DNS) was developed to provide a reliable means of managing and providing domain names and their associated IP addresses.
The DNS consists of a global hierarchy of distributed servers that hold databases of name to IP address mappings. The client computer in the figure sends a request to its DNS server to get the IP address for www.cisco.com so that it can address packets to that server.
A recent analysis of network security threats discovered that over 90% of malicious software exploits use the DNS system to carry out network attack campaigns.
A cybersecurity analyst should have a thorough understanding of the DNS system and of the ways in which malicious DNS traffic can be detected through protocol analysis and the inspection of DNS logs. Malware frequently locates its command-and-control servers by resolving domain names, which makes those domain names indicators of compromise for specific campaigns.
Figure 1 shows a client computer and a server connected to a network; the client is attempting to reach www.cisco.com.
DNS Resolves Names to IP Addresses
The DNS Domain Hierarchy
The DNS namespace hangs off the top-level domains (TLDs). These include the generic TLDs (gTLDs) such as .com, .net and .org, restricted ones such as .gov and .edu, and numerous country-code TLDs (ccTLDs) such as .br (Brazil), .es (Spain) and .uk (United Kingdom). At the next level of the DNS hierarchy are second-level domains, represented by a name followed by a top-level domain, for example cisco.com.
Subdomains are found at the next level of the DNS hierarchy and represent some division of the second-level domain. Finally, a fourth level can represent a host in a subdomain.
Each element of a domain name is called a label. Reading a name from right to left moves down the hierarchy, from the TLD to the host. A trailing dot (".") in a fully written name represents the root of the hierarchy, the unnamed zone served by the root servers. The figure illustrates this DNS domain hierarchy.
The different top-level domains represent either the type of organization or the country of origin. Examples of top-level domains are the following:
.com – a business or industry
.org – a non-profit organization
.au – Australia
.co – Colombia
The figure shows the DNS hierarchy tree. At the top is the root domain, with the top-level domains (TLDs) connected underneath it: .net, .edu, .com, .au, .co and other top-level domains. Under the .com TLD is the second-level domain cisco.com, and under cisco.com are the hosts www.cisco.com, ftp.cisco.com and mail.cisco.com.
The DNS Lookup Process
To understand DNS, cybersecurity analysts should be familiar with the following terms:
Resolver – A DNS client that sends DNS messages to obtain information about the requested domain name space.
Recursion – The action taken when a DNS server is asked to query on behalf of a DNS resolver.
Authoritative Server – A DNS server that responds to query messages with information stored in Resource Records (RRs) for a domain name space stored on the server.
Recursive Resolver – A DNS server that recursively queries for the information asked in the DNS query.
FQDN – A Fully Qualified Domain Name is the absolute name of a device within the distributed DNS database.
RR – A Resource Record is a format used in DNS messages that is composed of the following fields: NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA.
Zone – A database that contains information about the domain name space stored on an authoritative server.
When attempting to resolve a name to an IP address, a user host, known in the system as a resolver (more precisely a stub resolver), first checks its local DNS cache. If the mapping is not found there, it sends a recursive query to the DNS server or servers configured in its network addressing properties, asking that server to obtain the complete answer on its behalf.
These servers, the recursive resolvers, may be operated by the enterprise or by an ISP. If the mapping is not in the recursive resolver's cache, it walks the hierarchy with iterative queries: it asks a root server, which refers it to the servers for the top-level domain; those refer it to the servers authoritative for the second-level domain, which return the answer.
Because of the potential burden on the root and top-level domain servers, recursive resolvers cache every record they obtain for the lifetime given by the record's time to live (TTL).
While a record is cached, the resolver can answer recursive queries without forwarding anything to higher-level servers. If a server requires the data for a whole zone, as a secondary authoritative server does, it requests a transfer of that data from an authoritative server for the zone. Transferring blocks of DNS data between servers in this way is known as a zone transfer.
The figure shows a client DNS resolver on the left sending a DNS query to a DNS recursive resolver, a second-level domain server with the domain name dns.xyxco.com.
The recursive resolver consults a root DNS server and one of the top-level domain servers (examples in the figure include a .com server, a .org server, a .br server and a .uk server), each of which refers it onward rather than answering directly. The recursive resolver then sends a non-authoritative DNS response back to the client, the DNS resolver.
Step 1. The user types an FQDN into the address field of a browser. The figure shows the client contacting a DNS server across the network with that FQDN, because the name of a website is easier for people to use than its address.
DNS Message Format
DNS uses UDP port 53 for queries and responses. Queries originate at a client and responses are issued by DNS servers. A classic DNS message over UDP is limited to 512 bytes; if a response will not fit, the server sets the truncation (TC) bit and the client retries the query over TCP port 53. TCP port 53 is also used for zone transfers between servers. The EDNS(0) extension lets a client advertise a larger UDP buffer, which is why most large responses today, including DNSSEC-signed ones, still travel over UDP.
DNS protocol communications use a single format called a message, which covers queries, responses and resource record data. The message format shown in the figure is used for all types of client queries and server responses, error messages, and the transfer of resource record information between servers.
The DNS server stores different types of RRs used to resolve names. These records contain the name, address, and type of record. Here is a list of some of these record types:
A – An end device IPv4 address
NS – An authoritative name server
AAAA – An end device IPv6 address (pronounced quad-A)
MX – A mail exchange record
When a client makes a query, the server’s DNS process first looks at its own records to resolve the name. If it is unable to resolve the name using its stored records, it contacts other servers to resolve the name.
After a match is found and returned to the original requesting server, that server caches the answer for the lifetime given by the record's TTL in case the same name is requested again.
The DNS Client service on Windows PCs also stores previously resolved names in memory. The ipconfig /displaydns command displays all of the cached DNS entries.
The figure shows the structure of a DNS message within a UDP datagram: an 8-byte UDP header, a 12-byte fixed DNS header, and then the variable-length DNS sections that make up the remainder of the message. Without EDNS(0) the DNS message over UDP can be up to 512 bytes in size. The text in the graphic notes that DNS uses the same message for all types of client queries and server responses, error messages, and the transfer of resource records between servers.
As shown in the figure, DNS uses the same message format between servers, consisting of a question, answer, authority, and additional information for all types of client queries and server responses, error messages, and transfer of resource record information. The table describes each section.
Question – The question for the server. It contains the domain name to be resolved (QNAME), the class of domain (QCLASS) and the query type (QTYPE).
Answer – The resource records (RRs) that answer the question, including the resolved IP address for an A or AAAA query.
Authority – RRs that identify the name servers authoritative for the domain.
Additional – Relevant to responses only. RRs that hold additional information, such as the addresses of the name servers listed in the Authority section, so that resolution can proceed without another round of queries.
Dynamic DNS
To put a name into the DNS, an organization registers the domain with a registrar, which publishes the name servers for the domain in the parent zone, a process that can take 24 hours or more for a new registration. After that, the organization or its DNS hosting provider changes the IP address mapped to a name by editing the records on its authoritative servers, by contacting the registrar, or through an online form.
However, resolvers keep the old answer cached until its TTL expires, so a change can take hours before the new mapping is seen by every resolver.
In situations in which an ISP uses DHCP to assign the public address of the host that serves a domain, the address mapped to the domain can expire and a new one be assigned by the ISP. The DNS record would then point at the wrong address, disrupting connectivity to the domain. A different approach was needed to let organizations and home users change the IP address mapped to a name quickly.
Dynamic DNS (DDNS) allows a user or organization to register an IP address with a domain name as in DNS. However, when the IP address of the mapping changes, the new mapping can be propagated through the DNS almost instantaneously.
For this to occur, a user obtains a subdomain from a DDNS provider, typically a hostname under the provider's own domain. The provider's authoritative name servers hold an ordinary A (or AAAA) record for that subdomain, but with a very short TTL, so resolvers do not cache the old address for long. Client software running on the router or on a host PC watches the internet-facing IP address of the user.
When a change is detected, the client immediately informs the DDNS provider, usually over an HTTPS update API (some providers also accept the DNS UPDATE mechanism of RFC 2136), and the provider rewrites the record on its authoritative servers, as shown in the figure.
Resolvers that query the name, whether at the organization or at an ISP, fetch the new address as soon as their cached copy expires, so the mapping follows the user's address within minutes rather than hours.
Dynamic DNS can be abused by threat actors in various ways. Free DDNS services are especially useful to them. DDNS can be used to move a malware command-and-control server to a new IP address rapidly once the current address has become widely blocked; the malware is coded with a domain name rather than a static IP address.
DNS traffic to DDNS names can also serve as a channel for exfiltrating data from inside a network, because DNS traffic is very common and is frequently considered benign. DDNS itself is not malicious, but monitoring DNS traffic that is going to known DDNS services, especially free ones, is very useful for detecting compromise.
The figure shows a DDNS mapping change. The host myhost.ddns-provider.com is first reachable at 203.0.113.2 (old mapping). When its dynamic IP address changes to 203.0.113.11, the host informs the DDNS provider of the new address. A client that queries ddns-provider.com for myhost.ddns-provider.com receives the new address in the DNS reply and reaches http://myhost.ddns-provider.com at the new mapping.
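The following Python example, added here and not part of the course material, decodes a DNS message in the format described above (the 12-byte header and the Question, Answer, Authority and Additional sections, including RFC 1035 name compression) and then applies the detection idea from the DDNS discussion: it flags answers whose owner name sits under a known DDNS provider domain. The response bytes, the names and addresses, and the provider watch list are all constructed for the example.

```python
"""DNS message decoding (RFC 1035 header, question and resource-record
sections, with name compression) plus a check that flags answers under
dynamic-DNS provider domains.

Added example for this page; not code from the original course. The
response bytes, names, addresses and the DDNS provider list are constructed.
"""
import struct
from ipaddress import IPv4Address, IPv6Address

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, offset):
    """Read a domain name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as written in the message)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end if jumped else offset


def decode_rdata(msg, rtype, off, rdlen):
    """Render RDATA for the common types; anything else is returned as hex."""
    if rtype == 1:
        return str(IPv4Address(msg[off:off + 4]))
    if rtype == 28:
        return str(IPv6Address(msg[off:off + 16]))
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: a name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: 2-byte preference, then name
        return read_name(msg, off + 2)[0]
    return msg[off:off + rdlen].hex()


def parse_message(msg):
    """Return header flags and the four sections as lists of dicts."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": xid, "response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200),
           "rcode": flags & 0xF, "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append({"name": name, "type": RR_TYPES.get(qtype, qtype)})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out[section].append({"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl,
                                 "value": decode_rdata(msg, rtype, off, rdlen)})
            off += rdlen
    return out


def encode_name(name):
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"


def build_response(xid, qname, answers):
    """Constructed reply: one A question, and A answers whose owner name is the
    compression pointer 0xC00C back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", xid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
                   for ip, ttl in answers)
    return header + question + rrs


DDNS_PROVIDERS = ("ddns-provider.example", "dyn.example")   # constructed watch list


def ddns_answers(parsed, providers=DDNS_PROVIDERS):
    """Answers whose owner name is a provider domain or a subdomain of one."""
    return [rr for rr in parsed["answer"]
            if any(rr["name"] == p or rr["name"].endswith("." + p) for p in providers)]
```

The watch list here is two made-up domains; in practice it would be populated from threat-intelligence lists of free DDNS providers. Very short TTLs on an answer are another characteristic of fast-moving command-and-control infrastructure, but on their own they are noisy (content delivery networks use them too), so the example reports the TTL with each record and leaves that judgement to the analyst.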
The WHOIS Protocol
WHOIS (RFC 3912) is a simple TCP-based protocol, on port 43, for querying the registration databases kept by domain registries and registrars and by the regional internet registries; it is separate from the DNS itself. When an internet domain is registered, the registrant must supply information about who is registering the domain, and that record, together with the registrar, the creation and expiry dates and the name servers, is what a WHOIS query returns.
A WHOIS query is sent as a plain text string, usually a domain name, through a WHOIS service or application, and the registration record is returned to the user. This can be useful for identifying the destinations that have been accessed by hosts on a network. WHOIS has limitations: privacy-proxy registrations and the redaction of personal data that became widespread after 2018 leave many records without a usable registrant name, and threat actors have other ways of hiding their identities.
WHOIS is nevertheless a starting point for identifying potentially dangerous internet locations that may have been reached through the network. An internet-based service called ICANN Lookup can be used to obtain the registration record for a domain name; it retrieves records over RDAP, the JSON-based successor to WHOIS. Other WHOIS services are maintained by the regional internet registries such as RIPE NCC and APNIC, which cover IP address blocks and autonomous system numbers rather than domain names.
The network devices that people are most familiar with are end devices. To distinguish one end device from another, each end device on a network has an address. When an end device initiates communication, it uses the address of the destination end device to specify where to deliver the message.
An end device is either the source or destination of a message transmitted over the network.
The figure shows an animation of data flowing through a network, in a physical topology with a LAN block, an internetwork block and a second LAN block. From left to right, the first LAN has two users, an IP phone, a PC and a server connected to a switch. A physical link connects the LAN switch to an edge router that borders the LAN block and the internetwork block. The internetwork block consists of four routers connected in a full mesh topology.
A second edge router borders the internetwork block and the second LAN block, which also consists of two users, an IP phone, a PC and a server. When the animation runs, a message originates from one of the users in the first LAN and travels to the switch and then to the edge router bordering the internetwork. Inside the internetwork the message is routed through to the other edge router, which borders the second LAN.
The message is forwarded into the second LAN, through the switch, and to the destination end user. The text under the graphic reads: Data originates with an end device, flows through the network, and arrives at the end device.
Routers
Routers are devices that operate at the OSI network layer (Layer 3). As shown in the figure, routers are used to interconnect remote sites. They use the process of routing to forward data packets between networks.
The routing process uses network routing tables, protocols, and algorithms to determine the most efficient path for forwarding an IP packet. Routers gather routing information and update other routers about changes in the network. Routers increase the scalability of networks by segmenting broadcast domains.
Image shows four boxes, one at the top of the graphic labeled Home Office and containing a wireless router, a printer connected by a line representing a wired connection, a wireless tablet, and a wireless laptop.
A line connects the wireless router to a cable modem, which connects to the second box labeled WAN, containing a cloud labeled Internet and another cloud labeled Cloud. There are two boxes at the bottom of the graphic, one labeled Central and one labeled Branch.
Both boxes contain router icons connected to the Cloud and to the Internet with WAN media shown as red lightning bolts. In the Central box, there are two multilayer switch icons, connected to two LAN switches. There is a server connected directly to the router and four computers connected to the switches.
In the box labeled Branch, there are six end devices connected to a switch icon. The six devices are a server, a printer, two IP phones and two computers. Also connected to the LAN switch is a wireless access point. A wireless tablet and a wireless laptop are shown connecting to the wireless access point.
The Router Connection
Routers have two primary functions: path determination and packet forwarding. To perform path determination, each router builds and maintains a routing table which is a database of known networks and how to reach them. The routing table can be built manually and contain static routes or can be built using a dynamic routing protocol.
Packet forwarding is accomplished by using a switching function. Switching is the process used by a router to accept a packet on one interface and forward it out of another interface. A primary responsibility of the switching function is to encapsulate packets in the appropriate data link frame type for the outgoing data link.
The animation shows routers R1 and R2 receiving a packet from one network and forwarding it toward the destination network.
It depicts two LANs with hosts connected by the two routers R1 and R2. A packet is animated traversing the connection from one LAN to the other. Router console screens for R1 and R2 show the matching IPv4 addresses as the packet passes from one network to the other.
After the router has determined the exit interface using the path determination function, it must encapsulate the packet into the data link frame of the outgoing interface. What does a router do with a packet received from one network and destined for another network? The router performs the following three major steps:
1. It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
2. It examines the destination IP address of the IP packet to find the best path in the routing table.
3. If the router finds a path to the destination, it encapsulates the Layer 3 packet into a new Layer 2 frame and forwards that frame out the exit interface.
As shown in the figure, devices have Layer 3 IPv4 addresses, while Ethernet interfaces have Layer 2 data-link addresses. The MAC addresses are shortened to simplify the illustration. For example, PC1 is configured with IPv4 address 192.168.1.10 and an example MAC address of 0A-10.
As a packet travels from the source device to the final destination device, the Layer 3 IP addresses do not change. This is because the Layer 3 PDU does not change. However, the Layer 2 data link addresses change at every router on the path to the destination, as the packet is de-encapsulated and re-encapsulated in a new Layer 2 frame.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on WhatsApp and let’s talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Now that the router has determined the best path for a packet based on the longest match, it must determine how to encapsulate the packet and forward it out to the correct egress interface.
The figure depicts how a router first determines the best path and then forwards the packet, in five steps:
1. The data link frame with an encapsulated IP packet arrives on the ingress interface.
2. The router examines the destination IP address in the packet header and consults its IP routing table.
3. The router finds the longest matching prefix in the routing table.
4. The router encapsulates the packet in a data link frame and forwards it out the egress interface. The destination could be a device connected to the network or a next-hop router.
5. However, if there is no matching route entry the packet is dropped.
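The longest-match lookup and the forwarding decision in the five steps above, as an added example that is not part of the course material or any vendor's code: a small Python model of a router's forwarding decision. The routing table, ARP table, interface names and addresses are constructed for this illustration (the 192.168.1.10 / 0A-10 pair follows the PC1 example in the text); the only real library used is the standard `ipaddress` module. A missing ARP entry is reported rather than guessed, because the router would have to send an ARP Request before it could build the frame.

```python
import ipaddress
from typing import Optional

# Constructed routing table for a router "R1" (illustrative values, not from the page).
# Entry: (prefix, next-hop IPv4 address or None when directly connected, exit interface)
ROUTING_TABLE = [
    ("192.168.1.0/24", None, "G0/0"),           # directly connected
    ("192.168.2.0/24", None, "G0/1"),           # directly connected
    ("10.1.0.0/16", "192.168.2.2", "G0/1"),     # remote network via a next hop
    ("10.1.1.0/24", "192.168.2.3", "G0/1"),     # more specific route for one subnet
    ("0.0.0.0/0", "192.168.2.254", "G0/1"),     # default route
]

# Constructed ARP table (IPv4 address -> shortened MAC, as in the figure).
ARP_TABLE = {
    "192.168.1.10": "0A-10",
    "192.168.2.2": "0A-22",
    "192.168.2.3": "0A-23",
    "192.168.2.254": "0A-FE",
}


def longest_match(dst: str, table=ROUTING_TABLE) -> Optional[tuple]:
    """Return (network, next_hop, interface) for the most specific prefix
    covering dst, or None when no entry matches (step 3 above)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(dst: str, table=ROUTING_TABLE, arp=ARP_TABLE) -> dict:
    """Model steps 2 to 5: look up the route, then decide what the new Layer 2
    frame needs. On a directly connected network the frame is addressed to the
    destination host itself; otherwise it is addressed to the next-hop router.
    Without a matching route the packet is dropped (step 5)."""
    match = longest_match(dst, table)
    if match is None:
        return {"action": "drop", "reason": "no matching route"}
    net, next_hop, iface = match
    l2_target = dst if next_hop is None else next_hop
    mac = arp.get(l2_target)
    return {
        "action": "forward",
        "matched_prefix": str(net),
        "egress_interface": iface,
        "l2_next_hop": l2_target,
        "dest_mac": mac,                    # None until ARP resolves it
        "arp_request_needed": mac is None,
    }


if __name__ == "__main__":
    for target in ("192.168.1.10", "10.1.1.5", "10.1.5.5", "172.16.0.1"):
        print(target, forward(target))
```

Note that the Layer 3 addresses never change in this model; only the Layer 2 target (and therefore the destination MAC of the new frame) differs between a directly connected destination and a next-hop router, which is exactly what the text describes.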
Forwards the Packet to a Device on a Directly Connected Network
If the route entry indicates that the egress interface is a directly connected network, this means that the destination IP address of the packet belongs to a device on the directly connected network. Therefore, the packet can be forwarded directly to the destination device.
The destination device is typically an end device on an Ethernet LAN, which means the packet must be encapsulated in an Ethernet frame.
To encapsulate the packet in the Ethernet frame, the router needs to determine the destination MAC address associated with the destination IP address of the packet. The process varies based on whether the packet is an IPv4 or IPv6 packet:
IPv4 packet – The router checks its ARP table for the destination IPv4 address and an associated Ethernet MAC address. If there is no match, the router sends an ARP Request. The destination device will return an ARP Reply with its MAC address. The router can now forward the IPv4 packet in an Ethernet frame with the proper destination MAC address.
IPv6 packet – The router checks its neighbor cache for the destination IPv6 address and an associated Ethernet MAC address. If there is no match, the router sends an ICMPv6 Neighbor Solicitation (NS) message. The destination device will return an ICMPv6 Neighbor Advertisement (NA) message with its MAC address. The router can now forward the IPv6 packet in an Ethernet frame with the proper destination MAC address.
Routing Information
The routing table of a router stores the following information:
Directly connected routes – These routes come from the active router interfaces. Routers add a directly connected route when an interface is configured with an IP address and is activated.
Remote routes – These are remote networks connected to other routers. Routes to these networks can either be statically configured or dynamically learned through dynamic routing protocols.
Specifically, a routing table is a data file in RAM that is used to store route information about directly connected and remote networks. The routing table contains network or next hop associations.
These associations tell a router that a particular destination can be optimally reached by sending the packet to a specific router that represents the next hop on the way to the final destination. The next hop association can also be the outgoing or exit interface to the next destination.
The figure is labeled directly connected and remote network routes. The image shows five ovals, two on the left-hand side, two on the right-hand side and one in the middle. The two ovals on the left each contain a LAN switch icon. The top left oval is labeled: network directly connected to R1, with the IP address 192.168.10.0/24. A line connects the LAN switch icon to a router icon labeled R1.
R1 is shown as having two FastEthernet interfaces and one serial interface. The interface on R1 is labeled .1. The lower left oval is labeled: network directly connected to R1, with the IP address 192.168.11.0/24. A line connects the LAN switch icon to router R1. Within the middle oval, router R1 is connected to router R2 with a serial WAN connection, depicted as a red lightning bolt.
The serial interface on R1 is labeled .225 and the connected serial interface on R2 is labeled .226. Above the connection between R1 and R2 is the IP network address 209.165.200.224/30. Below the middle oval is a label that says: network directly connected to R1. The two ovals on the right side each contain a LAN switch icon. The top right oval is labeled: network remote to R1, with the IP address 10.1.1.0/24. The bottom right oval is labeled: network remote to R1, with the IP address 10.1.2.0/24.
Directly Connected and Remote Network Routes
The destination network entries in the routing table can be added in several ways:
Local Route interfaces – These are added when an interface is configured and active. This entry is only displayed in IOS 15 or newer for IPv4 routes, and all IOS releases for IPv6 routes.
Directly connected interfaces – These are added to the routing table when an interface is configured and active.
Static routes – These are added when a route is manually configured and the exit interface is active.
Dynamic routing protocol – This is added when routing protocols that dynamically learn about the network, such as EIGRP or OSPF, are implemented and networks are identified.
Dynamic routing protocols exchange network reachability information between routers and dynamically adapt to network changes.
Each routing protocol uses routing algorithms to determine the best paths between different segments in the network, and updates routing tables with these paths. Dynamic routing protocols have been used in networks since the late 1980s. One of the first routing protocols was RIP. RIPv1 was released in 1988. As networks evolved and became more complex, new routing protocols emerged.
The RIP protocol was updated to RIPv2 to accommodate growth in the network environment. However, RIPv2 still does not scale to the larger network implementations of today.
To address the needs of larger networks, two advanced routing protocols were developed: Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS). Cisco developed the Interior Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP), which also scales well in larger network implementations.
Additionally, there was the need to connect different internetworks and provide routing between them. The Border Gateway Protocol (BGP) is now used between Internet Service Providers (ISPs). BGP is also used between ISPs and their larger private clients to exchange routing information.
The table classifies the protocols. Routers configured with these protocols will periodically send messages to other routers. As a cybersecurity analyst, you will see these messages in various logs and packet captures.
Protocol   Interior Gateway Protocols                        Exterior Gateway Protocols
           Distance Vector          Link State               Path Vector
IPv4       RIPv2, EIGRP             OSPFv2, IS-IS            BGP-4
IPv6       RIPng, EIGRP for IPv6    OSPFv3, IS-IS for IPv6   BGP-MP
End-to-End Packet Forwarding
The primary responsibility of the packet forwarding function is to encapsulate packets in the appropriate data link frame type for the outgoing interface. For example, the data link frame format for a serial link could be Point-to-Point (PPP) protocol, High-Level Data Link Control (HDLC) protocol, or some other Layer 2 protocol.
The animations show PC1 sending a packet to PC2. Notice how the contents and format of the data link frame change at each hop.
PC1 Sends Packet to PC2
In the first animation, PC1 sends a packet to PC2. Since PC2 is on a different network, PC1 will forward the packet to its default gateway. PC1 will look in its ARP cache for the MAC address of the default gateway and add the indicated frame information.
Note: If an ARP entry does not exist in the ARP table for the default gateway of 192.168.1.1, PC1 sends an ARP request. Router R1 would then return an ARP reply with its MAC address.
When it comes to general security breaches, home networks are the most susceptible to attacks. The reason is that home network users always have the mindset that they have nothing a hacker would be interested in. That is why, most times, they do not take the security of their devices seriously. In this article, I want to talk about some general security practices for home networking. Follow me as we look at them together.
#1 Use Anti-Virus
One of the very first things that home network users can do to safeguard their devices is to use up-to-date anti-virus software on their devices. They have to make sure that anti-virus software is installed and updated regularly. If you cannot afford to buy one, you can go to the manufacturer’s website and download good anti-virus software.
#2 Turn off unused ports
One of the easiest ways for hackers to gain access to devices is through open ports on those devices. When you have a switch or a router with ports that are not currently in use, it is preferable to turn those ports off so that hackers cannot log in through them and use them to attack devices.
#3 Use Personal Firewall
As part of the personal security measures for home users, they should always learn to use personal firewalls. A firewall enables them to create rules that determine what types of traffic are allowed or disallowed on the network. This also makes it more difficult for hackers to penetrate the network.
#4 Turn off Java
Also, turning off Java, JavaScript, and ActiveX will keep the user from being vulnerable to malicious scripts. This prevents scripts that can damage devices from running on the network at any point in time.
#5 No to Email Attachments
Another way that home network users can protect themselves is to be wary of email attachments. They should never open an attachment that comes with an email without scanning it first. Such attachments can contain malware that damages devices. That is why you have to make sure that email attachments are scanned for viruses before you open them on your device.
#6 Backup
No matter how secure your device is, you never can tell what will happen at any point in time. That is why you have to cultivate the habit of backing up critical data. Choose a backup strategy that is convenient for you. If possible, automate the backup process to avoid human error along the line as well.
#7 No untrusted Application
When it comes to running applications on your device, make sure that you do not run applications that you cannot vouch for. Avoid simply going to the internet and downloading any application. If you have to download an application, make sure you download it from the manufacturer’s website.
#8 Hide File Extensions
Also, the Windows operating system contains an option to “Hide file extensions for known file types”. You have to disable this option so that Windows displays file extensions.
#9 Update Patches
You also have to make sure that you always apply patches for operating systems. Most times, software developers do not take the time to complete their work before the software is released. That is why they release patches to cover the lapses discovered later. Make sure you apply patches as they are released so that you do not fall victim to hackers.
#10 Make a boot disk
Above all, you need to make a boot disk to recover the system when it is damaged or compromised. You can do this yourself if you have taken the time to learn how. If you do not know how to do a clean installation of the operating system, you can always engage the services of an expert.
IP was designed as a Layer 3 connectionless protocol. It provides the necessary functions to deliver a packet from a source host to a destination host over an interconnected system of networks. The protocol was not designed to track and manage the flow of packets. These functions, if required, are performed primarily by TCP at Layer 4.
IP makes no effort to validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. In addition, threat actors can tamper with the other fields in the IP header to carry out their attacks. Therefore, it is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers.
The IPv4 Packet Header
The fields in the IPv4 packet header are shown in the figure.
The figure shows five rows of words. Above the rows are four uniform sections labelled byte 1, byte 2, byte 3, byte 4.
Down the side of the rows, there is a line with arrows at both ends running from top to bottom labelled 20 bytes. The top row has 4 major blocks. The first block is labelled version and its size is half of byte 1.
The next block is the internet header length, which takes the rest of byte 1. Byte 2 is taken up by differentiated services (DS), which is subdivided into DSCP and ECN. Bytes 3 and 4 have a block labelled total length. The second row has three sections: identification, which runs across bytes 1 and 2, flags, which use up three-quarters of byte 3, and fragment offset, which takes the rest.
Row 3 has 3 major sections labelled time to live, which takes up byte 1, protocol, which takes up byte 2, and header checksum, which takes bytes 3 and 4. Row 4 is labelled source IP address and runs across the 4 bytes. Row 5 is labelled destination IP address and runs across the 4 bytes.
IPv4 Packet Header
The table describes the IPv4 header fields.
Version – Contains a 4-bit binary value set to 0100 that identifies this as an IPv4 packet.
Internet Header Length – A 4-bit field containing the length of the IP header. The minimum length of an IP header is 20 bytes.
Differentiated Services or DiffServ (DS) – Formerly called the Type of Service (ToS) field, the DS field is an 8-bit field used to determine the priority of each packet. The six most significant bits of the DiffServ field are the Differentiated Services Code Point (DSCP). The last two bits are the Explicit Congestion Notification (ECN) bits.
Total Length – Specifies the length of the IP packet, including the IP header and the user data. The total length field is 2 bytes, so the maximum size of an IP packet is 65,535 bytes; however, packets are much smaller in practice.
Identification, Flag, and Fragment Offset – As an IP packet moves through the internet, it might need to cross a route that cannot handle the size of the packet. The packet will be divided, or fragmented, into smaller packets and reassembled later. These fields are used to fragment and reassemble packets.
Time-to-Live (TTL) – Contains an 8-bit binary value that is used to limit the lifetime of a packet. The packet sender sets the initial TTL value, and it is decreased by one each time the packet is processed by a router. If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address.
Protocol – This field is used to identify the next level protocol. This 8-bit binary value indicates the data payload type that the packet is carrying, which enables the network layer to pass the data to the appropriate upper-layer protocol. Common values include ICMP (1), TCP (6), and UDP (17).
Header Checksum – A value that is calculated based on the contents of the IP header. It is used to determine if any errors have been introduced during transmission.
Source IPv4 Address – Contains a 32-bit binary value that represents the source IPv4 address of the packet. The source IPv4 address is always a unicast address.
Destination IPv4 Address – Contains a 32-bit binary value that represents the destination IPv4 address of the packet.
Options and Padding – This field varies in length from 0 to a multiple of 32 bits. If the option values are not a multiple of 32 bits, 0s are added (padding) to ensure that this field contains a multiple of 32 bits.
The IPv6 Packet Header
There are eight fields in the IPv6 packet header, as shown in the figure.
The figure shows four rows of words. Above the rows are four uniform sections labelled byte 1, byte 2, byte 3, byte 4. Down the side of the rows, there is a line with arrows at both ends running from top to bottom labelled 40 bytes. The top row has three major blocks.
The first block is labelled version and its size is half of byte 1. The next block is the traffic class, which takes the rest of byte 1 and half of byte 2. The last block is labelled flow label and takes the other half of byte 2 and all of bytes 3 and 4.
The second row has three sections: payload length, which runs across bytes 1 and 2, next header, which uses byte 3, and hop limit, which uses byte 4. The third row is labelled source IP address and runs across the 4 bytes. The fourth row is labelled destination IP address and runs across the 4 bytes.
IPv6 Packet Header
The table describes the IPv6 header fields.
Version – This field contains a 4-bit binary value set to 0110 that identifies this as an IPv6 packet.
Traffic Class – This 8-bit field is equivalent to the IPv4 Differentiated Services (DS) field.
Flow Label – This 20-bit field suggests that all packets with the same flow label receive the same type of handling by routers.
Payload Length – This 16-bit field indicates the length of the data portion or payload of the IPv6 packet.
Next Header – This 8-bit field is equivalent to the IPv4 Protocol field. It indicates the data payload type that the packet is carrying, enabling the network layer to pass the data to the appropriate upper-layer protocol.
Hop Limit – This 8-bit field replaces the IPv4 TTL field. The value is decremented by 1 by each router that forwards the packet. When the counter reaches 0, the packet is discarded, and an ICMPv6 Time Exceeded message is forwarded to the sending host, indicating that the packet did not reach its destination because the hop limit was exceeded.
Source IPv6 Address – This 128-bit field identifies the IPv6 address of the sending host.
Destination IPv6 Address – This 128-bit field identifies the IPv6 address of the receiving host.
An IPv6 packet may also contain extension headers (EH) that provide optional network layer information. Extension headers are optional and are placed between the IPv6 header and the payload. EHs are used for fragmentation, security, to support mobility, and more. Unlike IPv4, routers do not fragment routed IPv6 packets.
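The IPv4 and IPv6 header layouts described in the two tables above, as an added example that is not part of the course material: a Python parser that pulls every fixed field out of both headers, dispatching on the Version nibble, and verifies the IPv4 header checksum. Both packets are constructed inline with the standard `struct` and `ipaddress` modules (the addresses, TTL and flow label are made-up sample values), so nothing is captured from a real network. Two points for an analyst: the checksum only catches transmission errors, since anyone who alters a header can recompute it, and nothing in either header lets the receiver verify that the source address is genuine, which is why the text warns that it can be spoofed.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit
    words, complemented. Run over a header that already carries a correct
    checksum the result is 0, which is how a receiver validates it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, proto, payload, ident=0x1234, dont_fragment=True):
    """Constructed IPv4 packet: 20-byte header without options, valid checksum."""
    flags_frag = 0x4000 if dont_fragment else 0         # DF flag set, offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src, dst, hop_limit, next_header, payload, traffic_class=0, flow_label=0):
    """Constructed IPv6 packet: fixed 40-byte header, no extension headers."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IHL is counted in 32-bit words
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad Internet Header Length")
    flags = flags_frag >> 13                # 3 flag bits, then 13 bits of offset
    return {
        "version": ver_ihl >> 4,
        "header_length": ihl,
        "dscp": ds >> 2, "ecn": ds & 0x03,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                  # 1 = ICMP, 6 = TCP, 17 = UDP
        "checksum": csum,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),   # cannot be verified from the header
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:ihl],
    }


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, plen, nh, hl, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": plen,
        "next_header": nh,                  # 58 = ICMPv6, 6 = TCP, 17 = UDP
        "hop_limit": hl,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def parse_ip(pkt: bytes) -> dict:
    """Dispatch on the Version nibble, which sits in the same place in both headers."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        return parse_ipv4(pkt)
    if version == 6:
        return parse_ipv6(pkt)
    raise ValueError("unknown IP version %d" % version)
```

To see the checksum do its job, decrement the TTL byte of a built packet without recomputing the checksum, as a router that forwarded it carelessly would; `parse_ip` then reports `checksum_ok` as False.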
In this article, I want to look at common network security monitoring tools in cybersecurity. Follow me as we look at this together in this article. Common tools that are used for network security monitoring include:
Network protocol analyzers such as Wireshark and Tcpdump
NetFlow
Security Information and Event Management Systems (SIEM)
It is also common for security analysts to rely on log files and Simple Network Management Protocol (SNMP) for network behaviour discovery.
Practically all systems generate log files to record and communicate their operations. By closely monitoring log files, a security analyst can gather extremely valuable information.
SNMP allows analysts to request and receive information about the operation of network devices. It is another good tool for monitoring the behaviour of a network. Security analysts must be familiar with all of these tools.
The diagram lists three different network monitoring tools: Protocol analyzers, SIEM, and NetFlow.
Common Network Security Monitoring Tools
Network Protocol Analyzers
Network protocol analyzers (or “packet sniffer” applications) are programs used to capture traffic. Protocol analyzers show what is happening on the network, often through a graphical user interface. Analysts can use these applications to see network exchanges down to the packet level.
If a computer has been infected with malware and is currently attacking other computers in the network, the analyst can see that clearly by capturing real-time network traffic and analyzing the packets.
Not only are network protocol analyzers used for security analysis. They are also very useful for network troubleshooting, software and protocol development, and education. For instance, in security forensics, a security analyst may attempt to reconstruct an incident from relevant packet captures.
Wireshark, shown in the figure, is a very popular network protocol analyzer tool that is used in Windows, Linux, and Mac OS environments. Wireshark is free software that can be downloaded and used by anyone. It is a very useful tool for learning about network protocol communications. Network protocol analyzer skills are essential for cybersecurity analysts.
Frames that are captured by Wireshark are saved in a PCAP file. PCAP files contain the frame information, interface information, packet length, time stamps, and even entire binary files that are sent across the network.
Performing a long-term packet capture produces large PCAP files. Wireshark can also open files that contain captured traffic from other software such as the tcpdump utility. Popular among UNIX-like systems such as Linux, tcpdump is a powerful utility with numerous command-line options. The example in the command output displays a sample tcpdump capture of ping packets.
[root@secOps analyst]# tcpdump -i hl-eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hl-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:19.841549 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 5, length 64
10:42:19.841570 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 5, length 64
10:42:19.854287 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 6, length 64
10:42:19.854304 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 6, length 64
10:42:19.867446 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 7, length 64
10:42:19.867468 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 7, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@secOps analyst]#
Note: windump is a Microsoft Windows variant of tcpdump. tshark is a Wireshark command-line tool that is similar to tcpdump.
NetFlow
NetFlow is a Cisco IOS technology that provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch. NetFlow is the standard for collecting IP operational data in IP networks. NetFlow is now supported on non-Cisco platforms. IP Flow Information Export (IPFIX) is a version of NetFlow that is an IETF standard protocol.
NetFlow can be used for network and security monitoring, network planning, and traffic analysis. It provides a complete audit trail of basic information about every IP flow forwarded on a device.
This information includes the source and destination device IP information, the time of the communication, and the amount of data transferred. NetFlow does not capture the actual content on the flow. NetFlow functionality is often compared to a telephone bill. The bill identifies the destination number, the time and the duration of the call. However, it does not display the content of the telephone conversation.
Although NetFlow stores flow information in a local cache on the device, it should always be configured to forward data to a NetFlow collector, which stores the NetFlow data. There are a number of third-party tools for the analysis of NetFlow data.
For example, in the figure, PC1 connects to PC2 using an application such as HTTPS.
The image is a network diagram. From left to right there are two PCs connected to a switch, connected to a router labelled R1, which is connected to another switch and another PC. R1 is a NetFlow-enabled router. In the diagram, one of the PCs on the left is labelled NetFlow Collector and Analyzer Software.
NetFlow in the Network
NetFlow can monitor that application connection by tracking byte and packet counts for that individual application flow. It then pushes the statistics over to an external server called a NetFlow collector.
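As an added example (not code from the course material), the following Python script parses the tcpdump lines shown earlier on this page into per-flow records with packet and byte counts: the "telephone bill" view that NetFlow pushes to a collector, without any packet content. The Flow record layout, the 5-tuple key and the one extra TCP SYN line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the tcpdump output shown earlier on this page, plus one
# constructed TCP SYN line so that the flow table contains a second protocol.
SAMPLE_TCPDUMP = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hl-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:19.841549 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 5, length 64
10:42:19.841570 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 5, length 64
10:42:19.854287 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 6, length 64
10:42:19.854304 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 6, length 64
10:42:19.867446 IP 10.0.0.12 > 10.0.0.11: ICMP echo request, id 2279, seq 7, length 64
10:42:19.867468 IP 10.0.0.11 > 10.0.0.12: ICMP echo reply, id 2279, seq 7, length 64
10:42:20.100001 IP 10.0.0.12.51234 > 10.0.0.11.443: Flags [S], seq 1, win 64240, length 0
6 packets captured
"""

# One tcpdump -n packet line: "HH:MM:SS.micro IP src > dst: <protocol detail>, length N"
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<rest>.*), length (?P<len>\d+)$"
)

FlowKey = Tuple[str, Optional[int], str, Optional[int], str]  # src, sport, dst, dport, proto


@dataclass
class Flow:
    """A NetFlow-style record: who talked to whom, when, and how much (never the content)."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return round(self.last_seen - self.first_seen, 6)


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.12.51234' -> ('10.0.0.12', 51234); ICMP has no port: '10.0.0.12' -> ('10.0.0.12', None)."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return endpoint, None


def parse_line(line: str):
    """Return (timestamp_seconds, flow_key, length) for a packet line, or None for banners/summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):  # tcpdump prints TCP flags before seq/win
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    else:
        return None  # protocols this toy parser does not summarise
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    return ts, (src, sport, dst, dport, proto), int(m["len"])


def build_flows(capture_text: str) -> Dict[FlowKey, Flow]:
    """Fold individual packets into unidirectional flows keyed on the 5-tuple."""
    flows: Dict[FlowKey, Flow] = {}
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, key, length = rec
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(*key, first_seen=ts, last_seen=ts)
        flow.packets += 1
        flow.bytes += length  # the "length" value tcpdump reports for the packet
        flow.last_seen = max(flow.last_seen, ts)
    return flows


if __name__ == "__main__":
    for f in build_flows(SAMPLE_TCPDUMP).values():
        print(f"{f.proto:4} {f.src}:{f.sport} -> {f.dst}:{f.dport}  "
              f"pkts={f.packets} bytes={f.bytes} dur={f.duration}s")
```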
For example, Cisco Stealthwatch collects NetFlow statistics to perform advanced functions including:
Flow stitching – It groups individual entries into flows.
Flow deduplication – It filters duplicate incoming entries from multiple NetFlow clients.
NAT stitching – It simplifies flows with NAT entries.
There is a Cisco Stealthwatch channel on YouTube that provides many details about Stealthwatch and its uses.
SIEM and SOAR
Network security analysts must quickly and accurately assess the significance of any security event and answer the following critical questions:
Who is associated with this event?
Does the user have access to other sensitive resources?
Does this event represent a potential compliance issue?
Does the user have access to intellectual property or sensitive information?
Is the user authorized to access that resource?
To help answer these questions, security analysts use:
Security Information Event Management (SIEM)
Security orchestration, automation, and response (SOAR)
Security Information Event Management (SIEM) is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events. Network devices including firewalls, IPSs, ESAs, WSAs, routers, switches, servers, and hosts are configured to send log events to the SIEM software. The SIEM software correlates the millions of events using machine learning and special analytics software to identify traffic that should be investigated. SIEM systems include the following essential functions:
Forensic analysis – The ability to search logs and event records from sources throughout the organization. It provides more complete information for forensic analysis.
Correlation – Examines logs and events from different systems or applications, speeding detection of and reaction to security threats.
Aggregation – Aggregation reduces the volume of event data by consolidating duplicate event records.
Reporting – Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.
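As an added example (not from the course text), a small Python implementation of the aggregation and correlation functions described above: duplicate records that arrive within a short window are consolidated into one record with a count, and a correlation rule raises one alert when repeated firewall denies from an address are followed by repeated authentication failures from the same address on a host. The events, device names, thresholds and the rule itself are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events, as a SIEM would hold them after parsing syslog from a
# firewall (fw1) and two servers (srv1, srv2). Fields: timestamp, source device,
# event type, source IP, user, detail. Not real log data.
RAW_EVENTS = [
    ("2024-05-01T10:00:01", "fw1",  "deny",         "203.0.113.5",  "-",     "tcp/22"),
    ("2024-05-01T10:00:01", "fw1",  "deny",         "203.0.113.5",  "-",     "tcp/22"),
    ("2024-05-01T10:00:02", "fw1",  "deny",         "203.0.113.5",  "-",     "tcp/22"),
    ("2024-05-01T10:00:09", "fw1",  "deny",         "203.0.113.5",  "-",     "tcp/3389"),
    ("2024-05-01T10:03:30", "srv1", "auth_failure", "203.0.113.5",  "admin", "ssh"),
    ("2024-05-01T10:03:31", "srv1", "auth_failure", "203.0.113.5",  "admin", "ssh"),
    ("2024-05-01T10:03:33", "srv1", "auth_failure", "203.0.113.5",  "admin", "ssh"),
    ("2024-05-01T10:05:00", "srv2", "auth_success", "10.0.0.25",    "bob",   "ssh"),
    ("2024-05-01T11:00:00", "fw1",  "deny",         "198.51.100.7", "-",     "tcp/445"),
]


@dataclass
class AggEvent:
    """One consolidated record: identical events within a window become a single row with a count."""
    source: str
    etype: str
    src_ip: str
    user: str
    detail: str
    first: datetime
    last: datetime
    count: int = 1


def aggregate(raw, window: timedelta = timedelta(seconds=60)) -> List[AggEvent]:
    """Aggregation: consolidate identical records that arrive within `window` of each other."""
    out: List[AggEvent] = []
    open_recs: Dict[Tuple[str, str, str, str, str], AggEvent] = {}
    for ts, source, etype, ip, user, detail in sorted(raw):
        t = datetime.fromisoformat(ts)
        key = (source, etype, ip, user, detail)
        rec = open_recs.get(key)
        if rec is not None and t - rec.last <= window:
            rec.count += 1
            rec.last = t
            continue
        rec = AggEvent(source, etype, ip, user, detail, t, t)
        open_recs[key] = rec
        out.append(rec)
    return out


def correlate(agg: List[AggEvent], lookback: timedelta = timedelta(minutes=10),
              min_denies: int = 3, min_failures: int = 3) -> List[dict]:
    """Correlation rule (constructed): at least `min_denies` firewall denies from an address,
    followed within `lookback` by at least `min_failures` auth failures from the same
    address on any host -> one alert per (src_ip, host)."""
    alerts = []
    denies = [r for r in agg if r.source.startswith("fw") and r.etype == "deny"]
    for r in agg:
        if r.etype != "auth_failure" or r.count < min_failures:
            continue
        prior = sum(d.count for d in denies
                    if d.src_ip == r.src_ip and timedelta(0) <= r.first - d.last <= lookback)
        if prior >= min_denies:
            alerts.append({"src_ip": r.src_ip, "host": r.source, "user": r.user,
                           "denies": prior, "failures": r.count, "at": r.first.isoformat()})
    return alerts


def run(raw=RAW_EVENTS) -> Tuple[List[AggEvent], List[dict]]:
    """Aggregate, then correlate; returns both so the reduction in volume is visible."""
    agg = aggregate(raw)
    return agg, correlate(agg)


if __name__ == "__main__":
    agg, alerts = run()
    print(f"{len(RAW_EVENTS)} raw events -> {len(agg)} aggregated records")
    for a in alerts:
        print("ALERT", a)
```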
SIEM provides details on the source of suspicious activity:
User information such as username, authentication status, location.
Device information such as manufacturer, model, OS version, MAC address, network connection method, and location.
Posture information such as whether the device is compliant with the security policy, has up-to-date antivirus files, and is updated with the latest OS patches.
SOAR
Security orchestration, automation, and response (SOAR) enhances SIEM. It helps security teams investigate security incidents and adds enhanced data gathering and a number of functionalities that aid in security incident response. SOAR solutions:
Provide case management tools that allow cybersecurity personnel to research and investigate incidents, frequently by integrating threat intelligence into the network security platform.
Use artificial intelligence to detect incidents and aid in incident analysis and response.
Automate complex incident response procedures and investigations, which are potentially labor-intensive tasks performed by security operations center (SOC) staff, by executing run books. These are playbooks that perform actions such as accessing and analyzing relevant data, taking steps to isolate compromised systems, and researching threats to validate alerts and execute an incident response.
Offer dashboards and reports to document incident response, which improves SOC key performance indicators and can greatly enhance network security for organizations.
SIEM helps sound the alarm for malicious activity. Analysts will have to act on the threat. SOAR helps analysts respond to the threat.
SIEM Systems
Several SIEM systems exist. SolarWinds Security Event Manager and Splunk Enterprise Security are two of the more popular proprietary SIEM systems used by SOCs. Search the internet to learn more about these products. In this course, we will use an open-source product called Security Onion that includes the ELK suite for SIEM functionality. ELK is an acronym for three products from Elastic:
Elasticsearch – Search and analytics engine that stores and indexes the collected event data
Logstash – Pipeline processing system that connects “inputs” to “outputs” with optional “filters” in-between
Kibana – Browser-based analytics and search dashboard for Elasticsearch
Search the internet to learn more about Elastic.co and its suite of products.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that because I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
“All networks are targets” is a common adage used to describe the current landscape of network security. Therefore, to mitigate threats, all networks must be secured and protected. This article will look at network security topology in Cybersecurity.
This requires a defence-in-depth approach. It requires using proven methods and a security infrastructure consisting of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and endpoint security software.
These methods and technologies are used to introduce automated monitoring to the network, create security alerts, or automatically block offensive devices when something goes wrong.
However, for large networks, an extra layer of protection must be added. Devices such as firewalls and IPS operate based on pre-configured rules. They monitor traffic and compare it against the configured rules.
If there is a match, the traffic is handled according to the rule. This works relatively seamlessly. However, sometimes legitimate traffic is mistaken for unauthorized traffic. Called false positives, these situations require human eyes to see and evaluate them before they can be validated.
An important part of the job of the cybersecurity analyst is to review all alerts generated by network devices and determine the validity of the alerts. Was that file that was downloaded by user X really malware?
Is that website that was visited by user Y really malicious? Is the printer on the third floor really compromised because it is trying to connect to a server that is out on the internet? These are questions that are commonly asked by security analysts daily. It is their job to determine the correct answers.
Network Monitoring Methods
The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behaviour. Security analysts must be intimately familiar with normal network behaviour because abnormal network behaviour typically indicates a problem.
To determine normal network behaviour, network monitoring must be implemented. Various tools are used to help discover normal network behaviour including IDS, packet analyzers, SNMP, NetFlow, and others.
Some of these tools require captured network data. There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs)
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring.
Network Taps
A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device, while also allowing the traffic to reach its intended destination.
The image is a network diagram showing a network tap positioned inline between a firewall and a router. The tap is also connected to a monitoring device connected to a third port.
Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels. This ensures that all data arrives at the monitoring device in real-time.
Therefore, network performance is not affected or degraded by monitoring the connection.
Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.
Search the internet for information on NetScout Taps for copper UTP Ethernet, fibre Ethernet, and serial links.
Traffic Mirroring and SPAN
Network switches segment the network by design. This limits the amount of traffic that is visible to network monitoring devices. Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches.
Port mirroring is one of these techniques. Supported by many enterprise switches, port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.
The table identifies and describes terms used by the SPAN feature.
Ingress traffic – Traffic that enters the switch.
Egress traffic – Traffic that leaves the switch.
Source (SPAN) port – Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
Destination (SPAN) port – A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.
The figure shows a switch that interconnects two hosts and mirrors traffic to an intrusion detection system (IDS) and a network management server.
The network diagram shows a switch positioned in the network with two source SPAN ports and a single destination SPAN port.
SPAN
The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS.
The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.
Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.
A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. In this article, I want to discuss all that you need to know about the Denial of Service attack in Cybersecurity. Follow me as we look at that in this article. There are two major types of DoS attacks:
Overwhelming Quantity of Traffic – The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
Maliciously Formatted Packets – The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.
DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.
The animation shows a threat actor sending a flood of pings through the internet to a web server (www.XYZcorp.com), overwhelming it. The threat actor's intent is to send so many pings that the server cannot respond to anyone else. A legitimate user is prevented from accessing the server because the server is too busy with the pings, finds the website very slow, and cannot accomplish any work.
Components of DDoS Attacks
If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS). DDoS attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources, as shown in the figure. A DDoS attack can use hundreds or thousands of sources, as in IoT-based DDoS attacks.
The figure displays a threat actor (the client/attacker) connected to servers called handlers. The handlers are used to connect and control many zombies (agents) for a denial of service attack. When instructed by the botmaster, the zombies launch the attack on a single victim host to overwhelm and render it unavailable. The attacker uses many intermediate hosts, called zombies, to launch the attack.
The following terms are used to describe components of a DDoS attack:
zombies – This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.
bots – Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
botnet – This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.
handlers – This refers to a master command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.
botmaster – This is the threat actor who is in control of the botnet and handlers.
Note: There is an underground economy where botnets can be bought (and sold) for a nominal fee. This can provide threat actors with botnets of infected hosts ready to launch a DDoS attack against the target of choice.
Video – Mirai Botnet
Mirai is malware that targeted IoT devices that are configured with default login information. Closed-circuit television (CCTV) cameras made up the majority of Mirai’s targets. Using a brute force dictionary attack, Mirai ran through a list of default usernames and passwords that were widely known on the internet.
root/default
root/1111
root/54321
admin/admin1234
admin1/password
guest/12345
tech/tech
support/support
After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these devices. These utilities were used to turn the devices into bots that could be remotely controlled as part of a botnet. The botnet was then used as part of a distributed denial of service (DDoS) attack.
In September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS attack known until that time. With peak traffic of over 1 Tb/s, it took down the hosting services of a France-based web hosting company.
In October 2016 the services of Dyn, a domain name service (DNS) provider, were attacked, causing internet outages for millions of users in the United States and Europe.
Note: In December 2017, three American threat actors pleaded guilty to conspiring to “conduct DDoS attacks against websites and web hosting companies located in the United States and abroad.” The three felons face up to 10 years in prison and $250,000 in fines.
Buffer Overflow Attack
The figure shows a threat actor with a laptop. An arrow goes from the threat actor through the internet, two routers, and a switch and arrives at a server labelled victim. There are four stacked envelopes next to the switch.
The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack.
For example, a threat actor enters input that is larger than expected by the application running on a server. The application accepts a large amount of input and stores it in memory. The result is that it may consume the associated memory buffer and potentially overwrite adjacent memory, eventually corrupting the system and causing it to crash.
An early example of using malformed packets was the Ping of Death. In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.
Buffer overflow attacks are continually evolving. For instance, a remote denial of service vulnerability was recently discovered in Microsoft Windows 10. Specifically, a threat actor created malicious code to access out-of-scope memory.
When this code is accessed by the Windows AHCACHE.SYS process, it attempts to trigger a system crash, denying service to the user. Search the internet for the “TALOS-2016-0191 blog” to go to the Cisco Talos threat intelligence website and read a description of such an attack.
Note: It is estimated that one-third of malicious attacks are the result of buffer overflows.
Evasion Methods
Threat actors learned long ago that “to hide is to thrive”. This means their malware and attack methods are most effective when they are undetected. For this reason, many attacks use stealthy evasion techniques to disguise an attack payload. Their goal is to prevent detection by evading network and host defences.
Some of the evasion methods used by threat actors include:
Encryption and tunnelling – This evasion technique uses tunnelling to hide, or encryption to scramble, malware files. This makes it difficult for many security detection techniques to detect and identify malware. Tunnelling can mean hiding stolen data inside of legitimate packets.
Resource exhaustion – This evasion technique makes the target host too busy to properly use security detection techniques.
Traffic fragmentation – This evasion technique splits a malicious payload into smaller packets to bypass network security detection. After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.
Protocol-level misinterpretation – This evasion technique occurs when network defences do not properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets that it should check.
Traffic substitution – In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload. This is done by encoding it in a different format. For example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not recognize the true meaning of the data, but the target end system can read the data.
Traffic insertion – Similar to traffic substitution, but the threat actor inserts extra bytes of data in a malicious sequence of data. The IPS rules miss the malicious data, accepting the full sequence of data.
Pivoting – This technique assumes the threat actor has compromised an inside host and wants to expand their access further into the compromised network. An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to log in to another host using the same credentials.
Rootkits – A rootkit is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system. When a program attempts to list files, processes, or network connections, the rootkit presents a sanitized version of the output, eliminating any incriminating output. The goal of the rootkit is to completely hide the activities of the attacker on the local system.
Proxies – Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control traffic may not be blocked by an enterprise because the proxy destination appears benign. Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, thus not drawing attention to the fact that a single unknown destination is serving as the destination for large amounts of network traffic.
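As an added example (not part of the course material), this Python detector contrasts the naive per-packet matching that traffic fragmentation and traffic substitution defeat with a hardened version that reassembles the stream and normalizes encodings before matching, so it sees what the target host will see. The signature, the request and the (sequence number, payload) packet tuples are constructed.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed signature: an IDS rule looking for a path-traversal read of /etc/passwd.
SIGNATURE = "/etc/passwd"

Packet = Tuple[int, bytes]  # (TCP sequence number, payload): a constructed stand-in

# Constructed traffic: the same request delivered whole, split mid-signature across two
# segments (traffic fragmentation), percent-encoded, and with full-width Unicode slashes
# (traffic substitution). The receiving web server decodes all four identically.
_HEAD = b"GET /cgi-bin/view?f=../../et"
CASES: Dict[str, List[Packet]] = {
    "plain":      [(1, b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n")],
    "fragmented": [(1, _HEAD), (1 + len(_HEAD), b"c/passwd HTTP/1.1\r\n")],
    "percent":    [(1, b"GET /cgi-bin/view?f=..%2F..%2Fetc%2Fpas%73wd HTTP/1.1\r\n")],
    "fullwidth":  [(1, "GET /cgi-bin/view?f=../..\uff0fetc\uff0fpasswd HTTP/1.1\r\n".encode())],
}


def naive_match(packets: List[Packet]) -> bool:
    """Per-packet, byte-exact matching: no reassembly, no decoding."""
    sig = SIGNATURE.encode()
    return any(sig in payload for _, payload in packets)


def reassemble(packets: List[Packet]) -> bytes:
    """Rebuild the byte stream in sequence order; a gap or overlap is refused, not guessed."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(packets, key=lambda p: p[0]):
        if expected is not None and seq != expected:
            raise ValueError(f"segment at seq {seq} does not follow expected {expected}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)


_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def normalize(text: str, max_rounds: int = 3) -> str:
    """Decode %XX and %uXXXX escapes until stable (catches double encoding), then fold
    Unicode compatibility characters (e.g. the full-width '/') to ASCII with NFKC."""
    for _ in range(max_rounds):
        decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
        if decoded == text:
            break
        text = decoded
    return unicodedata.normalize("NFKC", text)


def hardened_match(packets: List[Packet]) -> bool:
    """Reassemble, decode, normalize, then match: the view the target host will have."""
    stream = reassemble(packets).decode("utf-8", errors="replace")
    return SIGNATURE in normalize(stream)


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """For each constructed case: (naive verdict, hardened verdict)."""
    return {name: (naive_match(pkts), hardened_match(pkts)) for name, pkts in CASES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:10} naive={naive!s:5} hardened={hard}")
```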
New attack methods are constantly being developed. Network security personnel must be aware of the latest attack methods in order to detect them.
Reconnaissance is information gathering. It is analogous to a thief surveying a neighbourhood by going door-to-door pretending to sell something.
What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras.
Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.
Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.
Perform an information query of a target – The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization's website, whois, and more.
Initiate a ping sweep of the target network – The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses – This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners – This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Run exploitation tools – The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.
Performing Port Scans
The animation in the figure shows a threat actor using the whois command to find information about a target. The threat actor, connected to a network with PCs and servers, types the address http://www.whois.net into a web browser and then searches the whois records for cisco.com. The record is returned showing cisco.com and the physical address for Cisco in San Jose.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.
Threat actors use access attacks on network devices and computers to retrieve data, gain access, or escalate access privileges to administrator status.
Password Attacks
In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.
Spoofing Attacks
In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing attacks will be discussed in more detail later in this module. Other access attacks include:
Trust exploitations
Port redirections
Man-in-the-middle attacks
Buffer overflow attacks
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in person while others may use the telephone or internet. Social engineers often rely on people’s willingness to be helpful.
They also prey on people’s weaknesses. For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access. The threat actor could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.
Information about social engineering techniques is shown in the table.
Pretexting – A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing – A threat actor sends a fraudulent email that is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or sharing personal or financial information.
Spear phishing – A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam – Also known as junk mail, this is an unsolicited email that often contains harmful links, malware, or deceptive content.
Something for Something – Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting – A threat actor leaves a malware-infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation – In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.
Tailgating – This is where a threat actor quickly follows an authorized person into a secure location to gain access to the secure area.
Shoulder surfing – This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Dumpster diving – This is where a threat actor rummages through trash bins to discover confidential documents.
The Social-Engineer Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. It is a set of menu-based tools that help launch social engineering attacks. The SET is for educational purposes only. It is freely available on the internet.
Enterprises must educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Recommended Social Engineering Protection Practices
Never give your username/password credentials to anyone.
Always destroy confidential information according to the organization’s policy.
Always report suspicious individuals.
Always lock or sign out of your computer when unattended.
Never reuse work-related passwords.
Never release work-related information on social media sites.
Never open emails from untrusted sources.
Never leave your username/password credentials where they can easily be found.
Strengthening the Weakest Link
Cybersecurity is only as strong as its weakest link. Since computers and other internet-connected devices have become an essential part of our lives, they no longer seem new or different. People have become very casual in their use of these devices and rarely think about network security.
The weakest link in cybersecurity can be the personnel within an organization, and social engineering is a major security threat. Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a “security-aware culture.”
Action Point
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that because I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include the staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
Ethical hacking involves using many different types of tools to test the network and end devices. To validate the security of a network and its systems, many network penetration testing tools have been developed.
However, many of these tools can also be used by threat actors for exploitation. In this article, I am going to talk about the evolution of security tools and how they are used.
Threat actors have also created various hacking tools. These tools are explicitly written for nefarious reasons. Cybersecurity personnel must also know how to use these tools when performing network penetration tests.
Explore the categories of common network penetration testing tools. Notice how some tools are used by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are continually being developed.
Note: Many of these tools are UNIX or Linux based; therefore, a security professional should have a strong UNIX and Linux background.
Categories of Tools
Password crackers – Passwords are the most vulnerable security element. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by the outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Wireless hacking tools – Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
Network scanning and hacking tools – Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Packet crafting tools – Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Packet sniffers – Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Rootkit detectors – A rootkit detector is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF (OpenBSD Packet Filter).
Fuzzers to search vulnerabilities – Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
Forensic tools – White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and EnCase.
Debuggers – Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Hacking operating systems – Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
Encryption tools – These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
Vulnerability exploitation tools – These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.
Vulnerability scanners – These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and to scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
Categories of Attacks
Threat actors can use the previously mentioned tools or a combination of tools to create various attacks. The table displays common types of attacks. However, the list of attacks is not exhaustive as new ways to attack networks are continually being discovered.
It is important to understand that threat actors use a variety of security tools to carry out these attacks.
Category of Attack
Eavesdropping attack – An eavesdropping attack is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.
Data modification attack – Data modification attacks occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.
IP address spoofing attack – An IP address spoofing attack is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Password-based attacks – Password-based attacks occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.
Denial-of-service (DoS) attack – A DoS attack prevents normal use of a computer or network by valid users. After gaining access to a network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-middle (MiTM) attack – A MiTM attack occurs when threat actors have positioned themselves between a source and a destination. They can now actively monitor, capture, and control the communication transparently.
Compromised key attack – A compromised-key attack occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Sniffer attack – A sniffer is an application or device that can monitor, capture, and read network packets and data exchanges. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunnelled) packets can be broken open and read unless they are encrypted and the threat actor does not have access to the key.
We are under attack and attackers want access to our assets. Assets are anything of value to an organization, such as data and other intellectual property, servers, computers, smartphones, tablets, and more. In this article, we are going to look at the difference between a hacker and a threat actor.
To better understand any discussion of network security, it is important to know the following terms:
Threat – A potential danger to an asset such as data or the network itself.
Vulnerability – A weakness in a system or its design that could be exploited by a threat.
Attack surface – An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes the different points where an attacker could get into a system, and where they could get data out of the system. For example, your operating system and web browser could both need security patches. They are each vulnerable to attacks and are exposed on the network or the internet. Together, they create an attack surface that the threat actor can exploit.
Exploit – The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may be remote or local. A remote exploit is one that works over the network without any prior access to the target system. The attacker does not need an account on the end system to exploit the vulnerability. In a local exploit, the threat actor has some type of user or administrative access to the end system. A local exploit does not necessarily mean that the attacker has physical access to the end system.
Risk – The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.
Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. There are four common ways to manage risk, as shown in the table:
Risk acceptance – This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.
Risk avoidance – This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.
Risk reduction – This reduces exposure to risk, or reduces the impact of risk, by taking action to decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk.
Risk transfer – Some or all of the risk is transferred to a willing third party such as an insurance company.
Other commonly used network security terms include:
Countermeasure – The actions that are taken to protect assets by mitigating a threat or reducing risk.
Impact – The potential damage to the organization that is caused by the threat.
Note: A local exploit requires inside network access such as a user with an account on the network. A remote exploit does not require an account on the network to exploit that network’s vulnerability.
Hacker vs. Threat Actor
As we know, “hacker” is a common term used to describe a threat actor. However, the term “hacker” has a variety of meanings, as follows:
A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.
A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
A person who tries to gain unauthorized access to devices on the internet.
An individual who runs programs to prevent or slow network access for a large number of users, or to corrupt or wipe out data on servers.
The terms white hat hacker, black hat hacker, and grey hat hacker are often used to describe hackers.
White hat hackers are ethical hackers who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers and security personnel who attempt to fix the vulnerability before it can be exploited. Some organizations award prizes or bounties to white hat hackers when they provide information that helps to identify vulnerabilities.
Grey hat hackers are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. Grey hat hackers may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem.
Black hat hackers are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems.
Good or bad, hacking is an important aspect of network security. In this course, the term threat actor is used when referring to those individuals or groups that could be classified as grey or black hat hackers.
An Access Control List in networking is a series of commands that control whether a device forwards or drops packets based on information found in the packet header. When configured, ACLs perform the following tasks:
They limit network traffic to increase network performance. For example, if a corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
They provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source.
They provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.
They filter traffic based on traffic type. For example, an ACL can permit email traffic but block all Telnet traffic.
They screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.
In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. For example, ACLs can be used to classify traffic to enable priority processing. This capability is similar to having a VIP pass at a concert or sporting event.
The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as priority entry or being able to enter a restricted area.
What Is an ACL?
ACLs: Important Features
Two types of Cisco IPv4 ACLs are standard and extended. Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated.
Extended ACLs filter IPv4 packets based on several attributes that include:
Protocol type
Source IPv4 address
Destination IPv4 address
Source TCP or UDP ports
Destination TCP or UDP ports
Optional protocol type information for finer control
Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements.
Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not provide information about the purpose of the ACL. For this reason, a name can be used to identify a Cisco ACL.
By configuring ACL logging, an ACL message can be generated and logged when traffic meets the permit or deny criteria defined in the ACL.
Cisco ACLs can also be configured to only allow TCP traffic that has an ACK or RST bit set, so that only traffic from an established TCP session is permitted. This can be used to deny any TCP traffic from outside the network that is trying to establish a new TCP session.
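As an added illustration of the evaluation rules described above (this is example code, not from the article or from Cisco IOS), the following Python models a router applying standard and extended ACL entries to packets: top-down first match, the implicit deny at the end of every list, a standard entry that inspects only the source address, and an established entry that matches TCP only when the ACK or RST bit is set. The ACL names, addresses, field names and sample packets are constructed for the example.

```python
# Added example: a small evaluator modelling how a Cisco-style ACL is applied.
# Entries are evaluated top-down, the first match decides, an unmatched packet
# hits the implicit deny, a standard entry looks only at the source address, and
# "established" permits TCP only when the ACK or RST bit is set.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: Tuple[str, ...] = ()  # TCP flag names, e.g. ("SYN",) or ("ACK",)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"       # a standard ACL never sets this: source only
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # match only TCP segments with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established:
            # Only meaningful for TCP: a bare SYN (a new inbound session
            # attempt) carries neither ACK nor RST, so it does not match.
            if p.proto != "tcp" or not ({"ACK", "RST"} & set(p.flags)):
                return False
        return True


@dataclass
class AccessList:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching entry). First match wins; a
        packet matching no entry is dropped by the implicit deny (index None)."""
        for i, e in enumerate(self.entries):
            if e.matches(p):
                return e.action, i
        return "deny", None


# Standard ACL (constructed): only the HR subnet is permitted, all else is denied
STANDARD_ACL = AccessList("HR_SOURCES", [Entry("permit", src="10.1.1.0/24")])

# Extended ACL (constructed) applied inbound on the outside interface: replies to
# sessions opened from inside are allowed, SMTP to the mail relay is allowed,
# and Telnet into the internal range is explicitly denied (so it can be logged).
EXTENDED_ACL = AccessList("OUTSIDE_IN", [
    Entry("permit", proto="tcp", dst="192.168.0.0/16", established=True),
    Entry("permit", proto="tcp", dst="192.168.10.25/32", dport=25),
    Entry("deny", proto="tcp", dst="192.168.0.0/16", dport=23),
])


def decide(acl: AccessList, p: Packet) -> str:
    """Just the permit/deny outcome for a packet."""
    return acl.evaluate(p)[0]


if __name__ == "__main__":
    reply = Packet("tcp", "203.0.113.7", "192.168.10.50", 443, 51000, ("ACK",))
    new_session = Packet("tcp", "203.0.113.7", "192.168.10.50", 51000, 445, ("SYN",))
    print(decide(EXTENDED_ACL, reply), decide(EXTENDED_ACL, new_session))
```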
SNMP
Simple Network Management Protocol (SNMP) allows administrators to manage end devices such as servers, workstations, routers, switches, and security appliances, on an IP network.
It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
SNMP is an application layer protocol that provides a message format for communication between managers and agents. As shown in the figure, the SNMP system consists of two elements.
SNMP manager that runs SNMP management software.
SNMP agents are the nodes being monitored and managed.
The Management Information Base (MIB) is a database on the agents that stores data and operational statistics about the device.
To configure SNMP on a networking device, it is first necessary to define the relationship between the manager and the agent.
The SNMP manager is part of a network management system (NMS). The SNMP manager runs SNMP management software.
As shown in the figure, the SNMP manager can collect information from an SNMP agent by using the “get” action and can change configurations on an agent by using the “set” action. In addition, SNMP agents can forward the information directly to a network manager by using “traps”.
NetFlow
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch.
While SNMP attempts to provide a very wide range of network management features and options, NetFlow is focused on providing statistics on IP packets flowing through network devices.
NetFlow provides data to enable network and security monitoring, network planning, and traffic analysis to include the identification of network bottlenecks, and IP accounting for billing purposes. For example, in the figure, PC 1 connects to PC 2 using an application such as HTTPS.
Figure: NetFlow in the Network. PC1 and a host running the NetFlow collector and analyzer software connect to a switch, which connects to R1, the NetFlow-enabled router; R1 connects to a second switch with PC2 attached. The NetFlow analyzed traffic flow runs between PC1 and PC2.
NetFlow can monitor that application connection, tracking byte and packet counts for that individual application flow. It then pushes the statistics over to an external server called a NetFlow collector.
NetFlow technology has seen several generations that provide more sophistication in defining traffic flows, but “original NetFlow” distinguished flows using a combination of seven fields. Should one of these fields vary in value from another packet, the packets could be safely determined to be from different flows:
Source IP address
Destination IP address
Source port number
Destination port number
Layer 3 protocol type
Type of Service (ToS) marking
Input logical interface
The first four of the fields NetFlow uses to identify a flow should be familiar. The source and destination IP addresses, plus the source and destination ports, identify the connection between the source and destination application.
The Layer 3 protocol type identifies the type of header that follows the IP header (usually TCP or UDP, but other options include ICMP). The ToS byte in the IPv4 header holds information about how devices should apply quality of service (QoS) rules to the packets in that flow.
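To make the seven-field flow definition concrete, here is an added example (not from the article or from Cisco) that aggregates a constructed packet trace into flow records the way original NetFlow does: packets agreeing on all seven fields are counted into one record, and a change in any one of them, such as the ToS marking, starts a separate flow. The packet field names, addresses and interface indexes are constructed.

```python
# Added example: keying flows on the seven original NetFlow fields and
# accumulating per-flow packet and byte counts, as a NetFlow cache does.
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int    # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    tos: int         # Type of Service byte from the IPv4 header
    in_ifindex: int  # input logical interface (ifIndex) on the router


@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def pkt(ts, src, dst, sport, dport, proto, tos, ifindex, length) -> dict:
    """Constructed packet header summary, as a router would see it."""
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "src_port": sport,
            "dst_port": dport, "protocol": proto, "tos": tos,
            "in_ifindex": ifindex, "length": length}


def flow_key(p: dict) -> FlowKey:
    """Build the seven-field key. ICMP has no ports, so they are recorded as 0."""
    ports_apply = p["protocol"] in (6, 17)
    return FlowKey(p["src_ip"], p["dst_ip"],
                   p["src_port"] if ports_apply else 0,
                   p["dst_port"] if ports_apply else 0,
                   p["protocol"], p["tos"], p["in_ifindex"])


def build_flow_cache(packets: List[dict]) -> "OrderedDict[FlowKey, FlowRecord]":
    """Group packets into flows; a differing field in any of the seven yields
    a distinct key and therefore a distinct record."""
    cache: "OrderedDict[FlowKey, FlowRecord]" = OrderedDict()
    for p in packets:
        key = flow_key(p)
        rec = cache.get(key)
        if rec is None:
            rec = cache[key] = FlowRecord(first_seen=p["ts"], last_seen=p["ts"])
        rec.packets += 1
        rec.bytes += p["length"]
        rec.last_seen = p["ts"]
    return cache


def summarize(packets: List[dict]) -> List[Tuple[FlowKey, int, int]]:
    """(key, packet count, byte count) per flow, in order of first appearance."""
    return [(k, r.packets, r.bytes) for k, r in build_flow_cache(packets).items()]


# Constructed trace: PC1 (10.0.1.10) opens HTTPS to PC2 (10.0.2.20) through R1.
# Requests enter R1 on ifIndex 1 and replies on ifIndex 2, so one TCP connection
# shows up as two unidirectional flows, exactly as in real NetFlow.
SAMPLE_TRACE = [
    pkt(1.00, "10.0.1.10", "10.0.2.20", 51514, 443, 6, 0x00, 1, 60),
    pkt(1.01, "10.0.2.20", "10.0.1.10", 443, 51514, 6, 0x00, 2, 60),
    pkt(1.02, "10.0.1.10", "10.0.2.20", 51514, 443, 6, 0x00, 1, 517),
    pkt(1.05, "10.0.2.20", "10.0.1.10", 443, 51514, 6, 0x00, 2, 1400),
    # same endpoints and ports but a different ToS marking: a separate flow
    pkt(1.06, "10.0.1.10", "10.0.2.20", 51514, 443, 6, 0x10, 1, 100),
    # ICMP echo from PC1: no ports, protocol 1
    pkt(2.00, "10.0.1.10", "10.0.2.20", 0, 0, 1, 0x00, 1, 84),
]

if __name__ == "__main__":
    for key, count, size in summarize(SAMPLE_TRACE):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"proto={key.protocol} tos={key.tos:#04x} if={key.in_ifindex} "
              f"packets={count} bytes={size}")
```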
Port Mirroring
A packet analyzer (also known as a packet sniffer or traffic sniffer) is typically software that captures packets entering and exiting the network interface card (NIC). It is not always possible or desirable to have the packet analyzer on the device that is being monitored. Sometimes it is better on a separate station designated to capture the packets.
Because network switches can isolate traffic, traffic sniffers or other network monitors, such as IDS, cannot access all the traffic on a network segment. Port mirroring is a feature that allows a switch to make duplicate copies of traffic passing through a switch, and then send it out to a port with a network monitor attached.
The original traffic is forwarded in the usual manner. An example of port mirroring is illustrated in the figure.
Traffic Sniffing Using a Switch
Syslog Servers
When certain events occur on a network, networking devices have trusted mechanisms to notify the administrator with detailed system messages.
These messages can be either non-critical or significant. Network administrators have a variety of options for storing, interpreting, and displaying these messages, and for being alerted to those messages that could have the greatest impact on the network infrastructure.
The most common method of accessing system messages is to use a protocol called Syslog.
Many networking devices support Syslog, including routers, switches, application servers, firewalls, and other network appliances. The Syslog protocol allows networking devices to send their system messages across the network to Syslog servers.
Syslog
The Syslog logging service provides three primary functions:
The ability to gather logging information for monitoring and troubleshooting
The ability to select the type of logging information that is captured
The ability to specify the destination of captured Syslog messages
NTP
It is important to synchronize the time across all devices on the network because all aspects of managing, securing, troubleshooting, and planning networks require accurate and consistent timestamping.
When the time is not synchronized between devices, it will be impossible to determine the order of the events that have occurred in different parts of the network.
Typically, the date and time settings on a network device can be set using one of two methods:
Manual configuration of the date and time
Configuring the Network Time Protocol (NTP)
As a network grows, it becomes difficult to ensure that all infrastructure devices are operating with synchronized time. Even in a smaller network environment, the manual method is not ideal. If a device reboots, how will it get an accurate date and timestamp?
A better solution is to configure the NTP on the network. This protocol allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings.
When NTP is implemented in the network, it can be set up to synchronize to a private master clock or it can synchronize to a publicly available NTP server on the Internet. NTP networks use a hierarchical system of time sources.
Each level in this hierarchical system is called a stratum. The stratum level is defined as the number of hop counts from the authoritative source. The synchronized time is distributed across the network using NTP. The figure displays a sample NTP network.
Figure: NTP Stratum Levels. Two stratum 0 clocks each feed a stratum 1 server. The left stratum 1 server feeds two stratum 2 servers and the right one feeds a third; adjacent stratum 2 servers peer with each other. Each stratum 2 server in turn feeds one or more stratum 3 servers, two of which also peer with each other.
NTP servers are arranged in three levels known as strata:
Stratum 0 – An NTP network gets the time from authoritative time sources. These authoritative time sources, also referred to as stratum 0 devices, are high-precision timekeeping devices assumed to be accurate and with little or no delay associated with them.
Stratum 1 – The stratum 1 devices are directly connected to the authoritative time sources. They act as the primary network time standard.
Stratum 2 and lower strata – The stratum 2 servers are connected to stratum 1 devices through network connections. Stratum 2 devices, such as NTP clients, synchronize their time using the NTP packets from stratum 1 servers. They could also act as servers for stratum 3 devices.
Smaller stratum numbers indicate that the server is closer to the authorized time source than larger stratum numbers. The larger the stratum number, the lower the stratum level.
The max hop count is 15. Stratum 16, the lowest stratum level, indicates that a device is unsynchronized. Time servers on the same stratum level can be configured to act as a peer with other time servers on the same stratum level for backup or verification of time.
AAA Servers
The table lists the three independent security functions provided by the AAA architectural framework.
Authentication – Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. AAA authentication provides a centralized way to control access to the network.
Authorization – After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is “User ‘student’ can access host server XYZ using SSH only.”
Accounting – Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is “User ‘student’ accessed host server XYZ using SSH for 15 minutes.”
Terminal Access Controller Access-Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) are both authentication protocols that are used to communicate with AAA servers. Whether TACACS+ or RADIUS is selected depends on the needs of the organization.
While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol. This is because all TACACS+ protocol exchanges are encrypted, while RADIUS only encrypts the user’s password. RADIUS does not encrypt usernames, accounting information, or any other information carried in the RADIUS message.
The table lists the differences between the two protocols.
Functionality – TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation. RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard – TACACS+: Mostly Cisco supported. RADIUS: Open/RFC standard.
Transport – TACACS+: TCP. RADIUS: UDP.
Protocol CHAP – TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP). RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client.
Confidentiality – TACACS+: Entire packet encrypted. RADIUS: Password encrypted.
Customization – TACACS+: Provides authorization of router commands on a per-user or per-group basis. RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
Accounting – TACACS+: Limited. RADIUS: Extensive.
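The confidentiality row above is the one that matters most to a defender, so here is an added example (not from the article, Cisco, or either RFC) that implements the two mechanisms behind it: RADIUS User-Password hiding from RFC 2865 section 5.2, which transforms only the password attribute and leaves the username and everything else readable on the wire, and TACACS+ body obfuscation from RFC 8907 section 4.5, which covers the whole packet body. The shared secret, session identifier and sample credentials are constructed; the attribute encoding is reduced to the two attributes needed to show the difference.

```python
# Added example: RADIUS hides only the User-Password value; TACACS+ obfuscates
# the entire body. Both derive an MD5-based keystream from the shared secret and
# XOR it over the data; they differ in how much of the message is covered.
# (RFC 8907 itself notes this obfuscation is not modern encryption, which is
# why TACACS+ traffic is still kept on a protected management network.)
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------- RADIUS (RFC 2865 5.2): only the User-Password attribute is hidden ----------
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous block),
    where the first "previous block" is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        out += _xor(cipher_block, hashlib.md5(secret + prev).digest())
        prev = cipher_block
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """User-Name (type 1) and User-Password (type 2) in type-length-value form.
    Only the password value is transformed; the username travels in clear."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username +
            bytes([2, 2 + len(hidden)]) + hidden)


# ---------- TACACS+ (RFC 8907 4.5): the whole packet body is obfuscated ----------
def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body: bytes, session_id: int, key: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it."""
    return _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


def visible_in_clear(wire: bytes, *fields: bytes) -> dict:
    """Which of the given plaintext fields can be read straight off the wire bytes."""
    return {f.decode(): (f in wire) for f in fields}


if __name__ == "__main__":
    secret, authenticator = b"constructed-shared-secret", os.urandom(16)
    radius_wire = radius_access_request_attrs(b"student", b"S3cret!", secret, authenticator)
    print("RADIUS :", visible_in_clear(radius_wire, b"student", b"S3cret!"))
    body = b"user=student,password=S3cret!,service=ssh"   # constructed body text
    tacacs_wire = tacacs_plus_obfuscate(body, session_id=0x12345678, key=secret)
    print("TACACS+:", visible_in_clear(tacacs_wire, b"student", b"S3cret!"))
```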
Virtual Private Network
Instead of using a dedicated physical connection, a VPN uses virtual connections that are routed through the internet from the organization to the remote site. The first VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunnelling protocol developed by Cisco that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to Cisco routers at remote points over an IP network.
A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
A VPN is a communications environment in which access is strictly controlled to permit peer connections within a defined community of interest. Confidentiality is achieved by encrypting the traffic within the VPN.
Today, a secure implementation of VPN with encryption is what is generally equated with the concept of virtual private networking.
In the simplest sense, a VPN connects two endpoints, such as a remote office to a central office, over a public network, to form a logical connection.
The logical connections can be made at either Layer 2 or Layer 3. Common examples of Layer 3 VPNs are GRE, Multiprotocol Label Switching (MPLS), and IPsec. Layer 3 VPNs can be point-to-point site connections, such as GRE and IPsec, or they can establish any-to-any connectivity to many sites using MPLS.
IPsec is a suite of protocols developed with the backing of the IETF to achieve secure services over IP packet-switched networks.
IPsec services allow for authentication, integrity, access control, and confidentiality. With IPsec, the information exchanged between remote sites can be encrypted and verified. VPNs are commonly deployed in a site-to-site topology to securely connect central sites with remote locations.
They are also deployed in a remote-access topology to provide secure remote access to external users travelling or working from home. Both remote-access and site-to-site VPNs can be deployed using IPsec.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
WLANs use Radio Frequencies (RF) instead of cables at the physical layer and MAC sublayer of the data link layer. WLANs share a similar origin with Ethernet LANs. The IEEE has adopted the 802 LAN/MAN portfolio of computer network architecture standards. The two dominant 802 working groups are 802.3 Ethernet, which defined Ethernet for wired LANs, and 802.11 which defined Ethernet for WLANs. There are important differences between the two.
WLANs also differ from wired LANs as follows:
WLANs connect clients to the network through a wireless access point (AP) or wireless router, instead of an Ethernet switch.
WLANs connect mobile devices that are often battery-powered, as opposed to plugged-in LAN devices. Wireless NICs tend to reduce the battery life of a mobile device.
WLANs support hosts that contend for access to the RF media (frequency bands). 802.11 prescribes collision avoidance (CSMA/CA) instead of collision-detection (CSMA/CD) for media access to proactively avoid collisions within the media.
WLANs use a different frame format than wired Ethernet LANs. WLANs require additional information in the Layer 2 header of the frame.
WLANs raise more privacy issues because radio frequencies can reach outside the facility.
The table summarizes the differences between wireless and wired LANs.

| Characteristic | 802.11 Wireless LAN | 802.3 Wired Ethernet LANs |
|---|---|---|
| Physical Layer | radio frequency (RF) | physical cables |
| Media Access | collision avoidance | collision detection |
| Availability | anyone with a wireless NIC in range of an access point | physical cable connection required |
| Signal Interference | yes | minimal |
| Regulation | different regulations by country | IEEE standard dictates |
Frame Structure
Recall that all Layer 2 frames consist of a header, payload, and Frame Check Sequence (FCS) section. The 802.11 frame format is similar to the Ethernet frame format, except that it contains more fields, as shown in the figure.
The diagram shows the fields of an 802.11 frame. On the left is the header consisting of the following fields: frame control, duration, address 1, address 2, address 3, sequence control, and address 4. Next is the payload and last is the FCS field.
All 802.11 wireless frames contain the following fields:
Frame Control – This identifies the type of wireless frame and contains subfields for protocol version, frame type, address type, power management, and security settings.
Duration – This is typically used to indicate the remaining duration needed to receive the next frame transmission.
Address1 – This usually contains the MAC address of the receiving wireless device or AP.
Address2 – This usually contains the MAC address of the transmitting wireless device or AP.
Address3 – This sometimes contains the MAC address of the destination, such as the router interface (default gateway) to which the AP is attached.
Sequence Control – This contains information to control sequencing and fragmented frames.
Address4 – This is usually missing because it is used only in ad hoc mode.
Payload – This contains the data for transmission.
FCS – This is used for Layer 2 error control.
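The field list above maps directly onto bytes. As an added example (not from the page or any vendor code), the Python below parses the Frame Control flags, Duration, the three addresses, Sequence Control, the optional Address 4 (present only when both To DS and From DS flags are set), the payload and the FCS, and builds one constructed data frame to run it on. The addresses are made up, and the FCS is assumed to be the same CRC-32 as Ethernet, transmitted least significant octet first.

```python
import struct
import zlib
from typing import Any, Dict

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_frame(frame: bytes) -> Dict[str, Any]:
    """Parse the MAC header, payload and FCS of an 802.11 data or management frame.

    Field order follows the figure: Frame Control, Duration, Address 1-3,
    Sequence Control, optional Address 4, payload, FCS. Multi-octet header
    fields are little-endian. Control frames (ACK, RTS, CTS) use shorter
    headers and are rejected here.
    """
    if len(frame) < 2:
        raise ValueError("frame too short for Frame Control")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    if ftype == 1:
        raise ValueError("control frames use a shorter header; not handled")
    if len(frame) < 24 + 4:
        raise ValueError("frame shorter than minimum header plus FCS")
    duration = struct.unpack_from("<H", frame, 2)[0]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    fields: Dict[str, Any] = {
        "protocol_version": fc0 & 0x03,
        "type": FRAME_TYPES[ftype],
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "more_fragments": bool(fc1 & 0x04),
        "retry": bool(fc1 & 0x08),
        "power_mgmt": bool(fc1 & 0x10),
        "more_data": bool(fc1 & 0x20),
        "protected": bool(fc1 & 0x40),   # payload is encrypted (WEP/TKIP/CCMP)
        "duration": duration,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "fragment_number": seq_ctl & 0x0F,
        "sequence_number": seq_ctl >> 4,
    }
    offset = 24
    if fields["to_ds"] and fields["from_ds"]:
        # Four-address format, present only when both DS flags are set
        fields["addr4"] = mac_str(frame[24:30])
        offset = 30
    fields["payload"] = frame[offset:-4]
    # FCS: CRC-32 over header and payload, least significant octet first (assumed convention)
    fcs = struct.unpack("<I", frame[-4:])[0]
    fields["fcs_ok"] = (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == fcs
    return fields


def build_sample_data_frame() -> bytes:
    """Construct a sample AP-to-client data frame with made-up addresses."""
    frame_control = bytes([0x08, 0x42])  # type=data, subtype=0; From DS + Protected
    duration = struct.pack("<H", 44)
    addr1 = bytes.fromhex("020000000001")  # receiver: the wireless client
    addr2 = bytes.fromhex("0200000000aa")  # transmitter: the AP (BSSID)
    addr3 = bytes.fromhex("020000000002")  # original source on the wired side of the AP
    seq_ctl = struct.pack("<H", (17 << 4) | 0)  # sequence 17, fragment 0
    payload = b"constructed-encrypted-payload"
    body = frame_control + duration + addr1 + addr2 + addr3 + seq_ctl + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
```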
CSMA/CA
WLANs are half-duplex, shared media configurations. Half-duplex means that only one client can transmit or receive at any given moment. Shared media means that wireless clients can all transmit and receive on the same radio channel. This creates a problem because a wireless client cannot hear while it is sending, which makes it impossible to detect a collision. To resolve this problem, WLANs use carrier sense multiple access with collision avoidance (CSMA/CA) as the method to determine how and when to send data on the network. A wireless client does the following:
Listens to the channel to see if it is idle, which means that it senses no other traffic currently on the channel. The channel is also called the carrier.
Sends a ready to send (RTS) message to the AP to request dedicated access to the network.
Receives a clear to send (CTS) message from the AP granting access to send.
If the wireless client does not receive a CTS message, it waits a random amount of time before restarting the process.
After it receives the CTS, it transmits the data.
All transmissions are acknowledged. If a wireless client does not receive an acknowledgement, it assumes a collision occurred and restarts the process.
Wireless Client and AP Association
For wireless devices to communicate over a network, they must first associate with an AP or wireless router. An important part of the 802.11 processes is discovering a WLAN and subsequently connecting to it. Wireless devices complete the following three-stage process, as shown in the figure:
Discover a wireless AP
Authenticate with AP
Associate with AP
The figure shows the three-stage process used by a wireless client to associate with an AP. A laptop represents a wireless client that is communicating wirelessly with an AP. An arrow flowing from the client to the AP represents stage one in which the client discovers the AP. Below that, a double arrow between the devices represents the authentication stage. Below that, another double arrow between the devices represents the association stage.
In order to have a successful association, a wireless client and an AP must agree on specific parameters. Parameters must then be configured on the AP and subsequently on the client to enable the negotiation of a successful association.
SSID – The SSID name appears in the list of available wireless networks on a client. In larger organizations that use multiple VLANs to segment traffic, each SSID is mapped to one VLAN. Depending on the network configuration, several APs on a network can share a common SSID.
Password – This is required from the wireless client to authenticate to the AP.
Network mode – This refers to the 802.11a/b/g/n/ac/ad WLAN standards. APs and wireless routers can operate in a Mixed-mode meaning that they can simultaneously support clients connecting via multiple standards.
Security mode – This refers to the security parameter settings, such as WEP, WPA, or WPA2. Always enable the highest security level supported.
Channel settings – This refers to the frequency bands used to transmit wireless data. Wireless routers and APs can scan the radio frequency channels and automatically select an appropriate channel setting. The channel can also be set manually if there is interference with another AP or wireless device.
Passive and Active Discovery Mode
Wireless devices must discover and connect to an AP or wireless router. Wireless clients connect to the AP using a scanning (probing) process. This process can be passive or active.
Passive mode
In passive mode, the AP openly advertises its service by periodically sending broadcast beacon frames containing the SSID, supported standards, and security settings. The primary purpose of the beacon is to allow wireless clients to learn which networks and APs are available in a given area. This allows the wireless clients to choose which network and AP to use.
In my previous article, I talked about how online shopping has made life easy for people making transactions online. Despite the fact that it is very easy to make transactions online using credit and debit cards, you need to follow some guidelines in order to secure your funds.
In this article, I want to talk about guidelines for ensuring credit card safety. Follow me as we are going to look at that in this article. I will also divide the process into two, I will talk about what you should do before shopping and what you need to do after shopping as well.
Before you shop…
You have to check whether the website in question is a known business entity. Is it a popular e-commerce website, or are you just stumbling on it for the very first time?
There is a need for you to also check for third-party trust verification. There are reputable websites that are saddled with the responsibility of confirming and verifying websites. If there is no symbol of trust on that website, you need to tread softly. The site has to be verified by Verisign and eTrust among other verification bodies.
You also need to look out for the reviews of other users. You can Google sites where you can find comments from other users who have visited the site and transacted with it at one time or another.
You also need to review the privacy statement of the website. This will give you an idea of the rights that you have under the law.
You need to use only one credit card for all your online transactions.
Keep records of all your online transactions.
Do not share your credit card information with anyone.
These are some of the steps that you need to take while you are shopping…
Disclose only required personal information. Be discreet.
Ensure that you are using a secured computer and using a secured site.
Adopt the use of a strong password.
Use one-click shopping continuously.
Check for a confirmation email after an online purchase or transaction.
Within a switched internetwork, VLANs provide segmentation and organizational flexibility. VLANs provide a way to group devices within a LAN. A group of devices within a VLAN communicate as if they were connected to the same network segment. VLANs are based on logical connections, instead of physical connections.
The figure shows a 3-floor building with a switch on each floor. The switches are connected to another switch that is connected to a router. Each floor has multiple hosts connected to it. There are three VLANs that span all three floors and contain multiple hosts on each floor. The VLANs are: VLAN 2, IT, 10.0.2.0/24; VLAN 3, HR, 10.0.3.0/24; VLAN 4, Sales, 10.0.4.0/24.
VLANs allow an administrator to segment networks based on factors such as function, project team, or application, without regard for the physical location of the user or device, as shown in the figure.
Devices within a VLAN act as if they are in their own independent network, even if they share a common infrastructure with other VLANs. Any switch port can belong to a VLAN.
Unicast, broadcast, and multicast packets are forwarded and flooded only to end devices within the VLAN where the packets are sourced. Each VLAN is considered a separate logical network.
Packets destined for devices that do not belong to the VLAN must be forwarded through a device that supports routing.
A VLAN creates a logical broadcast domain that can span multiple physical LAN segments. VLANs improve network performance by separating large broadcast domains into smaller ones.
If a device in one VLAN sends a broadcast Ethernet frame, all devices in the VLAN receive the frame, but devices in other VLANs do not.
VLANs also prevent users on different VLANs from snooping on each other’s traffic. For example, even though HR and Sales are connected to the same switch in the figure, the switch will not forward traffic between the HR and Sales VLANs.
This allows a router or another device to use access control lists to permit or deny the traffic. Access lists are discussed in more detail later in the chapter. For now, just remember that VLANs can help limit the amount of data visibility on your LANs.
STP
Network redundancy is key to maintaining network reliability. Multiple physical links between devices provide redundant paths.
The network can then continue to operate when a single link or port has failed. Redundant links can also share the traffic load and increase capacity.
Multiple paths need to be managed so that Layer 2 loops are not created. The best paths are chosen, and an alternate path is immediately available should a primary path fail.
The Spanning Tree Protocol is used to maintain one loop-free path in the Layer 2 network, at any time.
Redundancy increases the availability of the network topology by protecting the network from a single point of failure, such as a failed network cable or switch.
When physical redundancy is introduced into a design, loops and duplicate frames occur. Loops and duplicate frames have severe consequences for a switched network. STP was developed to address these issues.
STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.
A port is considered blocked when user data is prevented from entering or leaving that port. This does not include bridge protocol data unit (BPDU) frames that are used by STP to prevent loops.
Blocking the redundant paths is critical to preventing loops on the network. The physical paths still exist to provide redundancy, but these paths are disabled to prevent the loops from occurring.
If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.
Multilayer Switching
Multilayer switches (also known as Layer 3 switches) not only perform Layer 2 switching but also forward frames based on Layer 3 and 4 information. All Cisco Catalyst multilayer switches support the following types of Layer 3 interfaces:
Routed port – A pure Layer 3 interface similar to a physical interface on a Cisco IOS router.
Switch virtual interface (SVI) – A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual-routed VLAN interfaces.
Routed Ports
A routed port is a physical port that acts similarly to an interface on a router, as shown in the figure. Unlike an access port, a routed port is not associated with a particular VLAN.
A routed port behaves like a regular router interface. Also, because Layer 2 functionality has been removed, Layer 2 protocols, such as STP, do not function on a routed interface.
However, some protocols, such as LACP and EtherChannel, do function at Layer 3. Unlike Cisco IOS routers, routed ports on a Cisco IOS switch do not support subinterfaces.
The image is titled Routed ports. The image is a network diagram containing icons representing four multilayer switches, a LAN switch, and two PCs. The four multilayer switches are shown at the top of the diagram arranged in a square.
The multilayer switches are connected in a full mesh environment with lines representing wired connections.
There are two lines connecting the bottom two multilayer switches to a single LAN switch. At the bottom of the diagram are two yellow squares, labelled VLAN 10 and VLAN 20. Inside each square is a PC, with a line connecting the PC to the LAN switch.
Routed Ports
Switch Virtual Interfaces
An SVI is a virtual interface that is configured within a multilayer switch, as shown in the figure. Unlike the basic Layer 2 switches discussed above, a multilayer switch can have multiple SVIs.
An SVI can be created for any VLAN that exists on the switch. An SVI is considered to be virtual because there is no physical port dedicated to the interface.
It can perform the same functions for the VLAN as a router interface would, and can be configured in much the same way as a router interface (i.e., IP address, inbound/outbound ACLs, etc.).
The SVI for the VLAN provides Layer 3 processing for packets to or from all switch ports associated with that VLAN.
Kedi V-Ca Tablet is a nutritious way of adding to the body’s supply of Vitamin C and calcium. A V-Ca drink is a perfect way to start your day. In this article, I want to talk about some of the health benefits of this exciting product.
Health Benefits:
V-Ca facilitates calcium absorption, making it more bio-available to the cells.
V-Ca is important in many other critical functions such as the absorption of iron, stimulation of the immune system and as an antioxidant to strengthen the immune system.
V-Ca neutralises potentially harmful reactions in the watery part of the body, such as blood and fluid both inside and surrounding cells.
V-Ca may be useful as an immune stimulator and modulator in some circumstances. It promotes resistance to infection through the immunologic activity of leukocytes, the production of interferon and maintaining mucous membrane.
Increased V-Ca intake is required to maintain normal plasma levels under acute emotional or environmental stress such as trauma, fever, infection, or elevated environmental temperature.
It helps you replace the Vitamin C loss through colds and flu.
Recommended Daily Intake
Dissolve one tablet in a glass of water (220ml – 300 ml) either warm or ordinary water. Do not exceed the recommended intake.
In my previous article, I have talked about some of the facts that you need to know about network security. This article talks about some of the facts that you need to know about IP Vulnerabilities in Networking. Follow me as we are going to look at that in this article.
There are different types of attacks that target IP. The table lists some of the more common IP-related attacks.
IP Attacks
Description
ICMP attacks
Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
Denial-of-Service (DoS) attacks
Threat actors attempt to prevent legitimate users from accessing information or services.
Distributed Denial-of-Service (DDoS) attacks
Similar to a DoS attack, but features a simultaneous, coordinated attack from multiple source machines.
Address spoofing attacks
Threat actors spoof the source IP address in an attempt to perform blind spoofing or non-blind spoofing.
Man-in-the-middle attack (MiTM)
Threat actors position themselves between a source and destination to transparently monitor, capture and control the communication. They could simply eavesdrop by inspecting captured packets or alter packets and forward them to their original destination.
Session hijacking
Threat actors gain access to the physical network, and then use a MiTM attack to hijack a session.
ICMP Attacks
ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs.
The ping command is a user-generated ICMP message, called an echo request, that is used to verify connectivity to a destination. Threat actors use ICMP for reconnaissance and scanning attacks. This enables them to launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall.
Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.
The figure shows an attacker and PC on the left and a PC labelled victim on the right. The attacker sends an ICMP echo request (spoofed). The victim computer replies with an ICMP echo reply. A question mark is shown under the attacker. The attacker sends an ICMP echo request (spoofed) again. The victim computer sends another ICMP echo reply with a question mark under the attacker. The attackers send another ICMP echo request (spoofed) to the victim’s computer and the victim’s computer responds with an ICMP echo reply. There is the same question mark under the attacker icon.
ICMP Flood
Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks. The table lists common ICMP messages of interest to threat actors.
ICMP Message
Description
ICMP echo request and echo reply
This is used to perform host verification and DoS attacks.
ICMP unreachable
This is used to perform network reconnaissance and scanning attacks.
ICMP mask reply
This is used to map an internal IP network.
ICMP redirects
This is used to lure a target host into sending all traffic through a compromised device and create a MiTM attack.
ICMP router discovery
This is used to inject bogus route entries into the routing table of a target host.
Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files.
In the case of large networks, security devices, such as firewalls and intrusion detection systems (IDS), should detect such attacks and generate alerts to the security analysts.
Amplification and Reflection Attacks
Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.
Amplification – The threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim.
Reflection – These hosts all reply to the spoofed IP address of the victim to overwhelm it.
Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used. Threat actors also use resource exhaustion attacks. These attacks consume the resources of a target host to either crash it or consume the resources of a network.
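The text says analysts should detect ICMP-related attacks from captured traffic and logs. Here is an added Python example (not from the page or any product) that runs two such checks over constructed sensor records: an echo-request flood against one destination, and the reflection stage of a Smurf attack seen from the victim's side, where echo replies arrive from many hosts the victim never pinged. The record format, thresholds and addresses (RFC 5737 documentation ranges) are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


class IcmpRecord(NamedTuple):
    ts: float
    src: str
    dst: str
    icmp_type: int


def parse_records(lines: List[str]) -> List[IcmpRecord]:
    """Parse constructed sensor lines of the form 'timestamp src dst icmp_type'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, itype = line.split()
        records.append(IcmpRecord(float(ts), src, dst, int(itype)))
    return records


def detect_icmp_anomalies(records: List[IcmpRecord], window: float = 1.0,
                          flood_threshold: int = 50,
                          reflect_min_sources: int = 10) -> Dict[str, Dict]:
    """Flag destinations matching the two patterns the text describes.

    echo_request_flood: more than flood_threshold echo requests to one
        destination inside any window-second span (ICMP flood).
    reflected_replies: echo replies reaching one destination from at least
        reflect_min_sources distinct hosts it never pinged (Smurf reflection).
    """
    findings: Dict[str, Dict] = {}
    requests_to = defaultdict(list)   # dst -> timestamps of echo requests
    pinged_by = defaultdict(set)      # src -> destinations it sent requests to
    replies_to = defaultdict(set)     # dst -> sources that sent it echo replies
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            requests_to[r.dst].append(r.ts)
            pinged_by[r.src].add(r.dst)
        elif r.icmp_type == ECHO_REPLY:
            replies_to[r.dst].add(r.src)

    for dst, stamps in requests_to.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):      # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > flood_threshold:
                findings[dst] = {"pattern": "echo_request_flood",
                                 "requests_in_window": end - start + 1}
                break

    for dst, sources in replies_to.items():
        # Replies from hosts this destination never sent a request to.
        # Caveat: a sensor that also saw the spoofed requests (src = victim)
        # would count them as solicited; correlate with the ingress interface then.
        unsolicited = sources - pinged_by[dst]
        if len(unsolicited) >= reflect_min_sources:
            findings[dst] = {"pattern": "reflected_replies",
                             "distinct_sources": len(unsolicited)}
    return findings


def sample_lines() -> List[str]:
    """Constructed sensor output: one legitimate ping pair, one flood, one reflection."""
    lines = ["# ts src dst icmp_type",
             "1000.000 203.0.113.20 198.51.100.50 8",
             "1000.012 198.51.100.50 203.0.113.20 0"]
    # Flood: 60 echo requests to one host within 0.3 s
    lines += [f"{1001 + i * 0.005:.3f} 192.0.2.9 203.0.113.10 8" for i in range(60)]
    # Reflection: 12 hosts reply to a victim that never pinged them
    lines += [f"{1002 + i * 0.001:.3f} 198.51.100.{i + 1} 203.0.113.5 0" for i in range(12)]
    return lines
```

In production the same logic would read NetFlow or firewall logs rather than constructed lines, and the thresholds would be tuned against the network's normal ping volume from monitoring systems.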
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack. Spoofing attacks can be non-blind or blind:
Non-blind spoofing – The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.
Blind spoofing – The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC address.
A server and a threat actor are connected to the same switch. The server has a MAC address of AABBCC and is connected to port 1. The threat actor is connected to port 2 and has a spoofed MAC address of AABBCC. A callout from the threat actor reads: I have changed the MAC address on my computer to match the server. A diagram above the switch indicates that it has mapped AABBCC to port 1. Port 2 does not have a mapping.
Threat Actor Spoofs a Server’s MAC Address
The switch overwrites the current CAM table entry and assigns the MAC address to the new port, as shown in the figure. It then forwards frames destined for the target host to the attacking host.
A server and a threat actor are connected to the same switch. The server has a MAC address of AABBCC and is connected to port 1. The threat actor is connected to port 2 and has a spoofed MAC address of AABBCC. A callout below the switch reads:
The device with MAC address AABBCC has moved to Port 2. I must adjust my MAC address table accordingly. A diagram above the switch indicates that it has mapped AABBCC to port 2. Port 1 does not have a mapping.
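The two figures describe the switch simply overwriting its MAC address table entry. As an added example (not from the page or Cisco), the Python below replays that scenario in a simplified table model twice: once with plain learning, where the spoofed frame on port 2 takes over the entry, and once with a sticky binding of the server's MAC to port 1 (the behaviour port security provides), where the frame is refused and logged as a violation. The MAC value stands in for the figure's AABBCC and is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src_mac: str
    ingress_port: int


@dataclass
class SwitchMacTable:
    """Simplified MAC address (CAM) table with optional sticky port bindings."""
    table: Dict[str, int] = field(default_factory=dict)
    sticky: Dict[str, int] = field(default_factory=dict)   # MAC -> only allowed port
    moves: List[str] = field(default_factory=list)         # MAC-move log for the analyst
    violations: List[str] = field(default_factory=list)

    def learn(self, frame: Frame) -> bool:
        """Learn the frame's source MAC on its ingress port.

        Returns False (frame dropped) when a sticky binding exists for another
        port. Without a binding, a MAC seen on a new port overwrites the old
        entry, which is exactly what the second figure shows.
        """
        mac, port = frame.src_mac.lower(), frame.ingress_port
        bound = self.sticky.get(mac)
        if bound is not None and bound != port:
            self.violations.append(f"{mac} on port {port} violates binding to port {bound}")
            return False
        old = self.table.get(mac)
        if old is not None and old != port:
            self.moves.append(f"{mac} moved from port {old} to port {port}")
        self.table[mac] = port
        return True

    def egress_port(self, dst_mac: str) -> Optional[int]:
        """Port the switch would forward a frame for dst_mac to (None = flood)."""
        return self.table.get(dst_mac.lower())


SERVER_MAC = "aa:bb:cc:00:00:01"   # constructed; stands in for the figure's AABBCC


def run_scenario(with_sticky_binding: bool) -> SwitchMacTable:
    """Replay the figure: server frame on port 1, then the same MAC on port 2."""
    cam = SwitchMacTable()
    if with_sticky_binding:
        cam.sticky[SERVER_MAC] = 1
    cam.learn(Frame(SERVER_MAC, 1))   # legitimate server traffic
    cam.learn(Frame(SERVER_MAC, 2))   # host on port 2 using the server's MAC
    return cam
```

Even without bindings, the `moves` log is the signal to alert on: a server MAC that suddenly appears on an access port is the event an analyst should see.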