What is a cyber attack?
A cyber attack is any action that exploits vulnerabilities and security flaws in a network to attack the software, hardware or data of a networked system. TCP/IP, the basic network protocol suite, was designed without anticipating the many threats a network would face, which left room for many attack methods. However, because all communication in the network consists of data packets, attacks can be quickly discovered and traced by automatically capturing, decoding and analysing those packets.
TCP/IP is the primary network protocol suite. The protocol stack is usually divided into four layers: the link layer, the network (Internet) layer, the transport layer and the application layer. Each layer has its own function.
- Application layer: handles the application's logic and provides data to the user, including encoding and dialogue control; examples are file transfer, name lookup and network management;
- Transport layer: provides end-to-end communication between applications on different hosts. This layer defines two protocols, TCP and UDP, which support communication between devices across different networks;
- Internet layer: the IP protocol is the core of the whole protocol stack. Its primary function is to route and forward data packets, interconnecting networks and determining the best path through them;
- Link layer: controls the hardware devices and media that make up the network; it handles data transmission over physical media (such as Ethernet or Token Ring) and contains the network drivers for the network interface cards;
Common types of cyber attacks
Because TCP/IP has four layers, each with its own functions and protocols, there are many different attack methods.
[Attacks on the link layer]
Attacks on the link layer are mainly physical damage to network hardware and infrastructure, or forcibly changing router routes; for example, cutting a company's egress line so that it can no longer reach the external network.
[Attacks on the transport layer]
Since TCP and UDP are the two most important transport-layer protocols, there are many attacks against the transport layer.
- TCP spoofing
Establishing a TCP connection takes three steps, which synchronise the sender and receiver and are commonly known as the "three-way handshake":
The sender sends a SYN packet, specifying the server port it wants to connect to and its initial sequence number, enters the SYN_SENT state and waits for the receiver's confirmation. The receiver receives the SYN packet, replies with a SYN-ACK to acknowledge the sender, and enters the SYN_RECV state. The sender receives the SYN-ACK, sends an ACK to the receiver, and the connection between the two parties is complete.
Because a host's IP address may change each time it connects to the Internet, an attacker can exploit this to disrupt the TCP connection between two devices.
- DoS attack
The primary purpose of a DoS (Denial of Service) attack is to leave the user's host or network unable to receive or process external requests.
SYN flood attacks are the most common type of DoS attack. The attacker spoofs its source IP address and sends TCP connection requests to the local system. The local system replies SYN-ACK to the spoofed address, so it never receives an RST and never receives the final ACK, and the connection remains half-open until resources are exhausted.
If the attacker sends connection requests faster than the TCP timeout releases the resources, the repeated connection requests leave the local service unable to accept any other connections.
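The half-open state exhaustion described above, as an added simulation that is not from the original article: a listener keeps SYN_RECV entries until the final ACK arrives or a timeout fires, and a flood of spoofed SYNs that never complete the handshake fills the table faster than the timeout drains it. The backlog size, timeout, SYN rates and addresses are constructed assumptions.

```python
from typing import Dict, Tuple

Key = Tuple[str, int]  # (source IP, source port) identifying a half-open connection

class Listener:
    """Listening socket that keeps half-open (SYN_RECV) entries until the final ACK
    arrives or the entry times out. backlog and timeout are constructed values."""

    def __init__(self, backlog: int = 256, timeout: float = 60.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open: Dict[Key, float] = {}  # key -> time at which the entry expires
        self.dropped = 0                       # SYNs refused because the table was full

    def _expire(self, now: float) -> None:
        for k in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[k]

    def on_syn(self, src: Key, now: float) -> bool:
        """SYN received: send SYN-ACK and record SYN_RECV, or refuse if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src: Key, now: float) -> bool:
        """Final ACK received: the entry leaves the half-open table (ESTABLISHED)."""
        self._expire(now)
        return self.half_open.pop(src, None) is not None

def steady_state_half_open(syn_rate: float, timeout: float) -> float:
    """Half-open entries a flood sustains: SYNs per second times the seconds each
    unanswered entry is kept. Exhaustion occurs when this exceeds the backlog."""
    return syn_rate * timeout

def run_flood(syn_rate: float, duration: float, backlog: int = 256,
              timeout: float = 60.0) -> Tuple[int, int, bool]:
    """Spoofed SYNs at syn_rate/s for duration seconds; the spoofed hosts never ACK.
    Returns (half-open entries, SYNs refused) at the end of the flood and whether a
    legitimate client's SYN is then accepted."""
    lst = Listener(backlog, timeout)
    for i in range(int(syn_rate * duration)):
        spoofed = ("10.0.%d.%d" % ((i >> 8) & 255, i & 255), 40000 + i)  # constructed
        lst.on_syn(spoofed, i / syn_rate)
    half_open, refused = len(lst.half_open), lst.dropped
    legit_ok = lst.on_syn(("192.0.2.10", 51515), duration)
    return half_open, refused, legit_ok
```

With the constructed values, 10 spoofed SYNs per second fill the 256-entry table long before the 60-second timeout frees anything, while 2 per second never do; real stacks shrink the window by shortening the SYN_RECV timeout or by using SYN cookies, which keep no per-SYN state at all.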
- ARP virus attack
An ARP virus attack works by forging the IP address or MAC address of one end of a communication so that the other end mistakenly takes the attacker's host for the correct host, which achieves the deception.
[Attacks on the Internet layer]
- DDoS attack
Creates a large number of useless data packets and launches them at the target server or host, causing the target to deny service to the outside world.
- IP spoofing
IP spoofing attacks generate IP packets with forged source IP addresses in order to impersonate another system or sender. The attacker borrows the IP address of another machine and uses that identity to talk to the server.
The Smurf program achieves its purpose by exploiting weaknesses in the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP).
[Attacks on the application layer]
- DNS spoofing
Attacks on the application layer are commonly heard of; DNS spoofing is one example.
When a computer sends a request to a DNS server, the server sends a response back to the computer. There is a delay between sending the request and receiving the response, so an attacker can forge a fake reply that reaches the computer before the genuine one, and the computer then uses the wrong IP address.
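Detection logic for the race described above, as an added example that is not from the original article: it tracks the resolver's outstanding queries using simplified (constructed) message objects rather than the DNS wire format, and flags a reply from an unexpected source, a reply matching no query, and a second, conflicting reply to a query that was already answered. The addresses, transaction IDs and port numbers are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DnsMsg:
    """Simplified DNS message (constructed fields, not the real wire format)."""
    txid: int         # 16-bit transaction ID chosen by the resolver
    port: int         # resolver-side UDP port (query source / reply destination)
    qname: str
    src_ip: str       # IP address the packet came from
    is_response: bool
    answer: str = ""
@dataclass
class SpoofMonitor:
    """Keeps the resolver's outstanding queries and flags replies that do not fit."""
    server_ip: str
    pending: set = field(default_factory=set)     # (txid, port, qname) awaiting a reply
    accepted: dict = field(default_factory=dict)  # (txid, port, qname) -> answer taken
    alerts: list = field(default_factory=list)
    def observe(self, m: DnsMsg) -> None:
        key = (m.txid, m.port, m.qname)
        if not m.is_response:
            self.pending.add(key)
        elif m.src_ip != self.server_ip:
            self._alert("reply from unexpected source", m)
        elif key in self.accepted:
            # Second reply for an already-answered query: if it differs, the forged reply
            # won the race described above and the genuine one arrived late.
            if self.accepted[key] != m.answer:
                self._alert("conflicting second answer", m)
        elif key not in self.pending:
            self._alert("unsolicited reply, txid/port match no query", m)
        else:
            self.pending.discard(key)
            self.accepted[key] = m.answer  # first matching reply wins, forged or not

    def _alert(self, why: str, m: DnsMsg) -> None:
        self.alerts.append("%s: %s txid=%#06x port=%d from %s answer=%s"
                           % (why, m.qname, m.txid, m.port, m.src_ip, m.answer))

def run_sample() -> tuple:
    """Constructed traffic: a query, a forged reply that arrives first with the server's
    address spoofed, the genuine reply, then a reply matching no query."""
    mon = SpoofMonitor(server_ip="198.51.100.53")
    q = dict(txid=0x1A2B, port=33011, qname="example.com")
    mon.observe(DnsMsg(src_ip="192.0.2.10", is_response=False, **q))
    mon.observe(DnsMsg(src_ip="198.51.100.53", is_response=True, answer="203.0.113.5", **q))
    mon.observe(DnsMsg(src_ip="198.51.100.53", is_response=True, answer="198.51.100.7", **q))
    mon.observe(DnsMsg(0x7777, 33011, "example.com", "198.51.100.53", True, "203.0.113.5"))
    return mon.accepted[(0x1A2B, 33011, "example.com")], mon.alerts
```

A forged reply that guesses the transaction ID and port and spoofs the server's address still wins the race here; the late genuine reply is what exposes it, which is why resolvers randomise both values and why DNSSEC validation, not timing, is the real defence.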
- RIP attack
RIP (Routing Information Protocol) is carried over UDP, an unreliable transport-layer protocol that does not establish a connection. Therefore, a router running RIP will unconditionally accept any packets from the network, including illegitimate routing-table update packets.
When the router receives such packets, it changes its own routing table without any routing-table update command having been issued. As a result, the router's routing table becomes disordered, and its adjacent routers may be affected as well, potentially paralysing the entire network with serious consequences.