TCP/IP is the protocol suite that controls communications on the Internet. Unfortunately, some features of TCP/IP can be manipulated, resulting in network vulnerabilities.
Denial of Service
DoS is a form of attack that prevents users from accessing normal services, such as email or a web server, because the system is busy responding to abnormally large amounts of requests. DoS works by sending so many requests for a system resource that the requested service is overloaded and ceases to operate, as shown in Figure 1.
A DDoS attack uses many infected computers, called zombies or botnets, to launch an attack. The intent is to obstruct or overwhelm access to the targeted server, as shown in Figure 2. Zombie computers located at different geographical locations make it difficult to trace the origin of the attack.
A SYN request is the initial communication sent to establish a TCP connection. A SYN flood attack randomly opens TCP ports at the source of the attack and ties up the network equipment or computer with a large amount of false SYN requests. This causes sessions to be denied to others, as shown in Figure 3. A SYN flood attack is a type of DoS attack.
In a spoofing attack, a computer pretends to be a trusted computer to gain access to resources. The computer uses a forged IP or MAC address to impersonate a computer that is trusted on the network.
An attacker performs a Man-in-the-middle attack by intercepting communications between computers to steal information transiting through the network. A Man-in-the-middle attack could also be used to manipulate messages and relay false information between hosts, as shown in Figure 4, because the hosts are unaware that the messages have been modified.
To perform a replay attack, data transmissions are intercepted and recorded by an attacker. These transmissions are then replayed to the destination computer. The destination computer handles these replayed transmissions as authentic and sent by the original source. This is how the attacker gains unauthorized entry into a system or network.
DNS records on a system are changed to point to imposter servers. The user attempts to access a legitimate site, but traffic is diverted to an imposter site. The imposter site is used to capture confidential information, such as usernames and passwords. An attacker can then retrieve the data from that location.