WK3 Malicious Packet Sniffing Flashcards

1
Q

Packet Sniffing

A

Packet sniffing is the practice of using software tools to observe data as it moves across a network.

As a security analyst, you may use packet sniffing to analyze and capture packets when investigating ongoing incidents or debugging network issues.

2
Q

Malicious Actors and Packet Sniffing

A

Malicious actors may also use packet sniffing to look at data that has not been sent to them. This is a little bit like opening somebody else’s mail.

Malicious actors may insert themselves in the middle of an authorized connection between two devices. Then they can use packet sniffing to spy on every data packet as it comes across their device. The goal is to find valuable information in the data packets that they can then use to their advantage.

Attackers can use software applications or a hardware device to look into data packets. Malicious actors can access a network packet with a packet sniffer and make changes to the data. They may change the information in the body of the packet, like altering a recipient’s bank account number.

3
Q

Packet Sniffing can be Passive or Active

Passive Packet Sniffing

A

Passive packet sniffing is a type of attack where data packets are read in transit.

Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting. Thinking back to the example of a letter being delivered, we can compare a passive packet sniffing attack to a postal delivery person maliciously reading somebody’s mail. The postal worker, or packet sniffer, has the right to deliver the mail, but not the right to read the information inside.

4
Q

Packet Sniffing can be Passive or Active

Active Packet Sniffing

A

Active packet sniffing is a type of attack where data packets are manipulated in transit. This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains.

An active packet sniffing attack would be like a neighbor telling the delivery person “I’ll deliver that mail for you,” and then reading the mail or changing the letter before putting it in your mailbox. Even though your neighbor knows you and even if they deliver it to the correct house, they are actively going out of their way to engage in malicious behavior.

5
Q

How to prevent Packet Sniffing

VPN Encryption

A

One way to protect against malicious packet sniffing is to use a VPN to encrypt and protect data as it travels across the network.

When you use a VPN, hackers might interfere with your traffic, but they won’t be able to decode it and read your private information.

6
Q

How to prevent Packet Sniffing

HTTPS

A

Another way to add a layer of protection against packet sniffing is to make sure that the websites you visit use HTTPS at the beginning of the domain address. Previously, we discussed how HTTPS uses SSL/TLS to encrypt data and prevent eavesdropping when malicious actors spy on network transmissions.

7
Q

How to prevent Packet Sniffing

Unprotected WiFi

A

Avoid using unprotected WiFi. You usually find unprotected WiFi in public places like coffee shops, restaurants, or airports. These networks don’t use encryption. This means that anyone on the network can access all of the data traveling to and from your device. One precaution you can take is avoiding free public WiFi unless you have a VPN service already installed on your device.

8
Q

IP Spoofing

A

IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic. Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks.

9
Q

IP Spoofing:

On-path attack

A

An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses of the devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.

10
Q

IP Spoofing:

Replay attack

A

Another type of attack is a replay attack. A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time. A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user.

11
Q

IP Spoofing:

Smurf attack

A

A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user’s IP address and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network.

12
Q

How to protect a network from IP spoofing

A

As you previously learned, encryption should always be implemented so that the data in your network transfers can’t be read by malicious actors. Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender’s address of the data packet to match the target network’s address.

So if a firewall receives a data packet from the internet where the sender’s IP address is the same as the private network, then the firewall will deny the transmission since all the devices with that IP address should already be on the local network. You can make sure that your firewalls are configured correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network.
