Prevent or Mitigate Network Attacks

By Lawrence C. Miller, Peter H. Gregory

As a Certified Information Systems Security Professional (CISSP), you need to prevent or mitigate attacks against your network. Most attacks against networks are Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks in which the objective is to consume a network’s bandwidth so that network services become unavailable. But several other types of attacks exist, some of which are discussed here.

Bluejacking and bluesnarfing

With Bluetooth technology becoming wildly popular, several attack methods have evolved, including bluejacking (sending anonymous, unsolicited messages to Bluetooth-enabled devices) and bluesnarfing (stealing personal data, such as contacts, pictures, and calendar information from a Bluetooth-enabled phone). Even worse, in a bluesnarfing attack, information about your cellular phone (such as its serial number) can be downloaded, then used to clone your phone.


Fraggle

A Fraggle attack is a variant of a Smurf attack that uses UDP Echo packets (UDP port 7) rather than ICMP packets. Cisco routers can be configured to disable the TCP and UDP services (known as TCP and UDP small servers) that are most commonly used in Fraggle attacks.


Smurf

A Smurf attack is a variation of the ICMP flood attack. In a Smurf attack, ICMP Echo Request packets are sent to the broadcast address of a target network by using a spoofed IP address on the target network. The target, or bounce site, then transmits the ICMP Echo Request to all hosts on the network. Each host then responds with an Echo Reply packet, overwhelming the available bandwidth and/or system resources. Countermeasures against Smurf attacks include dropping ICMP packets at the router.

DNS server attacks

Various attacks can be carried out against DNS servers. They are designed to cause the targeted DNS servers to provide erroneous responses to end users, so that those users are sent to imposter systems (usually websites). Defenses against DNS server attacks include DNS server hardening and application firewalls.


Man-in-the-middle (MITM)

In a man-in-the-middle (MITM) attack, an attacker attempts to alter communications between two parties through impersonation. A common MITM technique attacks the establishment of a TLS session, so that the attacker will be able to easily decrypt encrypted communications between the two endpoints.

Defenses against MITM attacks include stronger authentication, implementation of Secure DNS extensions, latency examination, and out-of-band verification.

ICMP flood

In an ICMP flood attack, large numbers of ICMP packets (usually Echo Request) are sent to the target network to consume available bandwidth and/or system resources. Because ICMP isn’t required for normal network operations, the easiest defense is to drop ICMP packets at the router or filter them at the firewall.

Session hijacking (spoofing)

IP spoofing involves altering a TCP packet so that it appears to be coming from a known, trusted source, thus giving the attacker access to the network.

Session hijacking (session token interception)

Session hijacking typically involves a Wi-Fi network without encryption, where an attacker is able to intercept another user’s HTTP session cookie. The attacker then uses the same cookie to take over the victim user’s HTTP session. This has been demonstrated with the Firesheep Firefox extension.

SYN flood

In a SYN flood attack, TCP packets with a spoofed source address request a connection (SYN bit set) to the target network. The target responds with a SYN-ACK packet, but the spoofed source never replies. Half-open connections are incomplete communication sessions awaiting completion of the TCP three-way handshake. These connections can quickly overwhelm a system’s resources while the system waits for the half-open connections to time out, which causes the system to crash or otherwise become unusable.

SYN floods are countered on Cisco routers by using two features: TCP Intercept, which effectively proxies for the half-open connections; and Committed Access Rate (CAR), which limits the bandwidth available to certain types of traffic. Check Point's FW-1 firewall has a feature known as SYN Defender that functions in a way similar to the Cisco TCP Intercept feature. Other defenses include changing the default maximum number of TCP half-open connections and reducing the timeout period on networked systems.
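To decide when those defenses are needed, a defender can measure the half-open backlog directly. The following is an added example, not part of the original article: it counts SYN_RECV (half-open) entries per listening port in a Linux `/proc/net/tcp`-style table. The sample rows, the function names and the threshold of 3 are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = "03"  # kernel state code: SYN received, three-way handshake not completed

# Constructed sample in /proc/net/tcp layout (trailing columns omitted);
# addresses are documentation ranges, not captured traffic.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0A0200C0:0050 00000000:0000 0A
   1: 0A0200C0:0050 016433C6:C001 03
   2: 0A0200C0:0050 026433C6:C002 03
   3: 0A0200C0:0050 036433C6:C003 03
   4: 0A0200C0:0050 046433C6:C004 03
   5: 0A0200C0:0050 056433C6:C005 03
   6: 0A0200C0:0050 097100CB:D431 01
   7: 0A0200C0:0016 057100CB:E000 03
"""

def decode(addr):
    """Turn 'HEXIP:HEXPORT' (IPv4, little-endian as on x86) into (ip, port)."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(table):
    """Map each local port to the remote IPs holding a half-open connection."""
    pending = defaultdict(list)
    for row in table.splitlines()[1:]:          # skip the header row
        fields = row.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue                            # only half-open entries matter here
        _, local_port = decode(fields[1])
        remote_ip, _ = decode(fields[2])
        pending[local_port].append(remote_ip)
    return dict(pending)

def flag_syn_flood(table, threshold):
    """Return {port: (half_open_count, distinct_sources)} at or above threshold."""
    return {port: (len(ips), len(set(ips)))
            for port, ips in half_open_by_port(table).items()
            if len(ips) >= threshold}

if __name__ == "__main__":
    for port, (count, sources) in flag_syn_flood(SAMPLE, threshold=3).items():
        print(f"port {port}: {count} half-open connections from {sources} sources")
```

On a Linux host the same functions can be fed the contents of `/proc/net/tcp`; many half-open entries from many distinct sources that never complete the handshake match the spoofed-source pattern described above.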


Teardrop

In a Teardrop attack, the Length and Fragmentation offset fields of sequential IP packets are modified, causing some target systems to become confused and crash.

UDP flood

In a UDP flood attack, large numbers of UDP packets are sent to the target network to consume available bandwidth and/or system resources. UDP floods can generally be countered by dropping unnecessary UDP packets at the router. However, if the attack uses a required UDP port (such as DNS port 53), other countermeasures need to be employed.