Cyber Attack

Upload: shadab-khan

Post on 16-Jan-2016

Page 1: Cyber Attack

This list of cyber-attack threat trends is presented in order of sophistication, which broadly follows the chronology of network attacks from the 1990s to the present.

Internet social engineering attacks

Network sniffers

Packet spoofing

Session-hijacking

Cyber-threats & bullying (not illegal in all jurisdictions)

Automated probes and scans

GUI intrusion tools

Automated widespread attacks

Widespread, distributed denial-of-service attacks

Industrial espionage

Executable code attacks (against browsers)

Analysis of vulnerabilities in compiled software without source code

Widespread attacks on DNS infrastructure

Widespread attacks using NNTP to distribute attack

"Stealth" and other advanced scanning techniques

Windows-based remote access trojans (Back Orifice)

Email propagation of malicious code

Wide-scale trojan distribution

Distributed attack tools

Targeting of specific users

Anti-forensic techniques

Wide-scale use of worms

Sophisticated botnet command and control attacks


Session hijacking

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of a magic cookie used to authenticate a user to a remote server. It is of particular relevance to web developers, because the HTTP cookies used to maintain a session on many web sites can be stolen by an attacker using an intermediary computer, or by an attacker with access to the saved cookies on the victim's computer (see HTTP cookie theft).

One method, now rarely available because most networks drop source-routed packets, uses source-routed IP packets. This allows an attacker at point A on the network to participate in a conversation between B and C by causing the IP packets to pass through the attacker's machine.

If source routing is turned off, the attacker can use "blind" hijacking, injecting packets while guessing the responses of the two machines. The attacker can send a command but never sees the response; a common command would be one that sets a password allowing access from somewhere else on the net.

An attacker can also sit "inline" between B and C, using a sniffing program to watch the conversation. This is known as a man-in-the-middle attack.

History

Session hijacking was not possible with early versions of HTTP. HTTP versions 0.8 and 0.9 lacked cookies and the other features necessary for session hijacking. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.

Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. Because HTTP 1.0 has been designated as a fallback for HTTP 1.1 since the early 2000s, and because HTTP 1.0 servers are all essentially HTTP 1.1 servers, the session hijacking problem has become a nearly permanent security risk.

The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed the hijacking problem to become an ongoing security problem. Standardization of web server and browser state machines has contributed to this ongoing problem.

Methods

The main methods used to perpetrate a session hijack include:

Session fixation, where the attacker sets a user's session id to one the attacker already knows, for example by sending the user an email with a link that contains a particular session id. The attacker then only has to wait until the user logs in.

Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties and steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not encrypt the rest of the site once the user is authenticated. This allows an attacker who can read the network traffic to intercept all the data submitted to the server and all the pages viewed by the client. Since this data includes the session cookie, the attacker can impersonate the victim even though the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point. Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.

Cross-site scripting, where the attacker tricks the user's browser into running code that is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Prevention

Methods to prevent session hijacking include:

Encryption of the data traffic passed between the parties, in particular the session key, though ideally all traffic for the entire session, using SSL/TLS. This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from Radboud University Nijmegen proposed in 2013 a way to prevent session hijacking by correlating the application session with the SSL/TLS credentials.

Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute-force attacks.

Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after they have logged in.

Some services make secondary checks against the identity of the user. For example, a web server could check with each request that the IP address of the user matches the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and can be frustrating for users whose IP address is liable to change during a browsing session.

Alternatively, some services change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, two legitimate, closely timed requests from the same client can lead to a token check error on the server).

Users may also wish to log out of websites whenever they are finished using them. However, this will not protect against sidejacking tools such as Firesheep, which capture the cookie while the session is still live.
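The fixation scenario from the Methods section and the preventions listed above (server-issued random ids, regeneration on login, the IP secondary check, cookie attributes against sidejacking and XSS), worked through as an added example. This is illustrative code written for this page, not code from any site, library or project mentioned in it; the in-memory session store, the class and function names, the planted id and the client addresses are all constructed for the demonstration, and the server is modelled in memory rather than speaking HTTP.

```python
import secrets

COOKIE_NAME = "session"


class VulnerableSessions:
    """Models a server with the two defects session fixation relies on:
    it adopts whatever session id the client presents, and it keeps that
    same id across login. (Constructed for this example.)"""

    def __init__(self):
        self.store = {}  # sid -> {"user": ...}

    def request(self, presented_sid):
        # Unknown id? Adopt it. An attacker who planted the id via a link
        # now shares the session the victim is about to authenticate.
        if presented_sid not in self.store:
            self.store[presented_sid] = {"user": None}
        return presented_sid

    def login(self, sid, user):
        self.store[sid]["user"] = user
        return sid  # same id before and after authentication

    def user_for(self, sid):
        return self.store.get(sid, {}).get("user")


class HardenedSessions:
    """Applies the preventions from the text: server-issued random ids,
    regeneration on login, and an optional secondary check on client IP."""

    def __init__(self, bind_ip=False):
        self.store = {}  # sid -> {"user": ..., "ip": ...}
        self.bind_ip = bind_ip

    def _issue(self, client_ip):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.store[sid] = {"user": None, "ip": client_ip}
        return sid

    def request(self, presented_sid, client_ip):
        sess = self.store.get(presented_sid)
        if sess is None:
            return self._issue(client_ip)  # planted or stale id: ignored
        if self.bind_ip and sess["ip"] != client_ip:
            # Secondary check failed: treat the cookie as stolen. This is
            # also what logs out a legitimate user whose address changes.
            del self.store[presented_sid]
            return self._issue(client_ip)
        return presented_sid

    def login(self, sid, user, client_ip):
        # Regenerate the id: whatever the attacker knew is now worthless.
        self.store.pop(sid, None)
        new_sid = self._issue(client_ip)
        self.store[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        return self.store.get(sid, {}).get("user")


def set_cookie_header(sid):
    """Cookie attributes that close the other two methods in the text:
    Secure keeps the cookie off plain HTTP (sidejacking on open Wi-Fi),
    HttpOnly keeps it away from injected script (XSS cookie theft)."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Replays the fixation scenario against both servers; returns three booleans."""
    planted = "attacker-planted-id"  # constructed: the id carried in the attacker's link

    v = VulnerableSessions()
    v.request(planted)          # victim follows the link
    v.login(planted, "alice")   # victim logs in under the planted id
    fixation_works = v.user_for(planted) == "alice"  # attacker is now alice

    h = HardenedSessions(bind_ip=True)
    issued = h.request(planted, "203.0.113.5")       # planted id discarded
    live = h.login(issued, "alice", "203.0.113.5")   # id rotated at login
    fixation_blocked = (issued != planted
                        and h.user_for(planted) is None
                        and h.user_for(issued) is None
                        and h.user_for(live) == "alice")

    # Attacker replays the live cookie from a different address.
    replayed = h.request(live, "198.51.100.9")
    replay_blocked = replayed != live and h.user_for(live) is None
    return fixation_works, fixation_blocked, replay_blocked


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running it prints (True, True, True): the planted id works against the vulnerable store, fails against the hardened one, and a replayed cookie from a second address is rejected. The trade-off the text describes is visible in the last step: the IP check that rejects the replay is the same check that logs out a legitimate user whose address changes mid-session, so in practice it is better treated as a signal for re-authentication than as a hard rule.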


Denial-of-service attack

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means, motives and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. The distinction is the number of sources: a DoS attack is sent by one person or system, whereas a DDoS attack is sent from many systems at once, commonly compromised machines under a single controller (see botnet).

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The technique has also seen extensive use against game servers, for example popular Minecraft servers, launched by rival server owners or disgruntled players. Increasingly, DoS attacks have also been used as a form of protest; Richard Stallman has stated that DoS is a form of 'Internet Street Protests'.[1] The term is generally used in relation to computer networks, but is not limited to that field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, so many that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable. Such attacks usually lead to server overload. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide the intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

[Figure: DDoS Stacheldraht attack diagram]

Symptoms and manifestations

The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:

Unusually slow network performance (opening files or accessing web sites)

Unavailability of a particular web site

Inability to access any web site

Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)

Disconnection of a wireless or wired Internet connection

Long-term denial of access to the web or any Internet services

Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer but also the entire network or other computers on the LAN.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised, without the attacker's knowledge or intent, by incorrectly configured or flimsy network infrastructure equipment.

Methods of attack

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services.

A DoS attack can be perpetrated in a number of ways. Attacks can fundamentally be classified into five families:

1. Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.

2. Disruption of configuration information, such as routing information.

3. Disruption of state information, such as unsolicited resetting of TCP sessions.

4. Disruption of physical network components.

5. Obstruction of the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:

Max out the processor's usage, preventing any work from occurring.

Trigger errors in the microcode of the machine.

Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.

Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. using up all available facilities so that no real work can be accomplished.

Crash the operating system itself.

Flooding attacks in particular often involve forging the IP sender address (IP address spoofing), so that the attacking machines cannot easily be identified and so that the packets cannot be filtered on their source address.

Peer-to-peer attacks

Attackers have found ways to exploit bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks differ from regular botnet-based attacks: there is no botnet, and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master", instructing clients of large peer-to-peer file-sharing hubs to disconnect from their peer-to-peer network and connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to the target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be hit with up to 750,000 connections in short order. The targeted web server is plugged up by the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is open can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.

This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed. If port 80 is not allowed, the possibilities for attack on websites are very limited.
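The connection flood described under "Methods of attack" and the peer-to-peer case just above come down to the same operational question for whoever is defending the server: is one address sending too much, or are many addresses each sending a little? The detector below is an added example written for this page, not part of the original text or of any product; the log format, the thresholds and the traffic in sample_log are constructed here. The thresholds follow the figures in the text (a few hundred connections per second is tolerable, thousands are not) but are parameters a practitioner would tune to the server in question.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example: "<unix_ts> <src_ip> -> <dst_ip>:<port> SYN"
LINE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) SYN$")


def parse(lines):
    """Yield (timestamp, src, dst, port); silently skip malformed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_floods(lines, per_src_limit=100, per_dst_limit=1000):
    """Per destination and one-second bucket, count SYNs by source.

    A source at or above per_src_limit is a single-origin flood: block that
    address. A destination at or above per_dst_limit with no such source is a
    distributed flood (the peer-to-peer pattern: thousands of clients, one
    connection each), where blocking individual addresses cannot keep up and
    mitigation has to move to rate limits or upstream scrubbing.
    Returns a sorted list of (kind, who, dst, count) tuples.
    """
    buckets = defaultdict(Counter)  # (dst, second) -> Counter of src
    for ts, src, dst, _port in parse(lines):
        buckets[(dst, ts)][src] += 1

    alerts = []
    for (dst, _second), sources in buckets.items():
        loud = [(s, n) for s, n in sources.items() if n >= per_src_limit]
        total = sum(sources.values())
        for src, n in loud:
            alerts.append(("single-source flood", src, dst, n))
        if total >= per_dst_limit and not loud:
            alerts.append(("distributed flood", f"{len(sources)} sources", dst, total))
    return sorted(alerts)


def sample_log():
    """Constructed traffic: light legitimate load spread over 40 seconds, one
    host sending 150 SYNs in a single second, then 1,200 distinct hosts each
    sending one SYN within the same second, plus a line the parser must skip."""
    lines = [f"{1000 + i} 198.51.100.{i % 5 + 1} -> 203.0.113.10:443 SYN"
             for i in range(40)]
    lines += ["1100 192.0.2.7 -> 203.0.113.10:443 SYN"] * 150
    lines += [f"1200 10.{i // 256}.{i % 256}.9 -> 203.0.113.10:80 SYN"
              for i in range(1200)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(sample_log()):
        print(alert)
```

On the constructed log this reports one single-source flood (192.0.2.7, 150 SYNs in one second) and one distributed flood (1,200 sources, 1,200 SYNs in one second) against 203.0.113.10, and nothing for the legitimate traffic. The second alert is the case the text warns about: the signature is easy, but the address list to block is as long as the attack.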

Reflected / spoofed attack

A distributed reflected denial-of-service attack (DRDoS) involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using IP address spoofing, the source address is set to that of the targeted victim, which means all the replies go to (and flood) the target.

ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing every host on those networks to send an Echo Reply to the victim. Some early DDoS programs implemented a distributed form of this attack.

Many services can be exploited to act as reflectors, some harder to block than others.[16] DNS amplification attacks use a newer mechanism that increased the amplification effect, drawing on a much larger list of DNS servers than seen earlier. SNMP and NTP can also be exploited as reflectors in an amplification attack.
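A model of the reflection mechanism described above, added here as an example and not taken from the page or from any tool: one reflector answers a forged query with a large response (the DNS amplification case), another answers a single broadcast ping from every host behind it (the Smurf case), and an ingress filter at the attacker's own network drops forged sources before they reach any reflector. The packet sizes, addresses and host counts are constructed; the filter models BCP 38 source-address validation, which is named here as the relevant countermeasure and is not mentioned in the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source address as written in the header (may be forged)
    dst: str
    size: int  # bytes on the wire, constructed figures for this example


# Constructed sizes: a small query and a large answer, as in DNS amplification.
QUERY_BYTES = 64
DNS_ANSWER_BYTES = 3000
ECHO_BYTES = 84


def dns_reflector(query):
    """An open resolver answers to whatever source address the query carries.
    It has no way to tell that the source was forged."""
    return [Packet(src=query.dst, dst=query.src, size=DNS_ANSWER_BYTES)]


def smurf_reflector(echo_request, hosts_on_broadcast=50):
    """A network that accepts directed broadcast: every host answers one ping,
    so fan-out rather than answer size provides the amplification."""
    return [Packet(src=echo_request.dst, dst=echo_request.src, size=ECHO_BYTES)
            for _ in range(hosts_on_broadcast)]


def bcp38_ingress(packet, customer_prefix):
    """Source-address filter at the attacker's access network (BCP 38):
    forward only packets whose source lies within the customer's own prefix.
    A forged victim address fails this check before any reflector sees it."""
    return ipaddress.ip_address(packet.src) in ipaddress.ip_network(customer_prefix)


def run_reflection(victim, reflectors, requests_each, reflect, ingress=None):
    """Attacker writes `victim` as the source of every request to each reflector.
    Returns (bytes the attacker sent, bytes that landed on the victim,
    amplification factor = landed / sent)."""
    sent = landed = 0
    for reflector_ip in reflectors:
        for _ in range(requests_each):
            forged = Packet(src=victim, dst=reflector_ip, size=QUERY_BYTES)
            sent += forged.size  # attacker pays for the request either way
            if ingress is not None and not ingress(forged):
                continue  # dropped at the edge; never reaches the reflector
            for reply in reflect(forged):
                if reply.dst == victim:
                    landed += reply.size
    return sent, landed, (landed / sent if sent else 0.0)


if __name__ == "__main__":
    victim = "203.0.113.7"
    print("dns  ", run_reflection(victim, ["192.0.2.53", "198.51.100.53"], 10, dns_reflector))
    print("smurf", run_reflection(victim, ["192.0.2.255"], 1, smurf_reflector))
    edge = lambda p: bcp38_ingress(p, "10.0.0.0/8")  # attacker sits in 10.0.0.0/8
    print("bcp38", run_reflection(victim, ["192.0.2.53"], 10, dns_reflector, ingress=edge))
```

With the constructed sizes the DNS case delivers 46.875 bytes to the victim for every byte the attacker sends, the Smurf case 65.625 (fifty 84-byte replies for one 64-byte request), and with source-address filtering at the attacker's edge nothing reaches the victim at all. The point worth keeping is that the reflector cannot fix this on its own: it is answering a well-formed request, and the only place the forgery is visible is the network the forged packet leaves from.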

Teardrop attacks

A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation reassembly code. Windows 3.1x, Windows 95 and Windows NT, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack.

Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", but that attack targeted SMB2, which sits at a higher layer than the IP fragments the original teardrop used.
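The reassembly defect behind the teardrop attack, as an added example written for this page and not drawn from any of the affected systems' code: naive_trim shows the arithmetic that goes negative when a second fragment ends before the first one does, and reassemble is a reassembler that refuses overlapping, oversized and incomplete fragment sets instead of copying. Offsets are in bytes here rather than the 8-byte units of the IPv4 header, and the fragment pair in teardrop_fragments is constructed for the demonstration.

```python
MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field


class BadFragment(ValueError):
    """A fragment set that a correct reassembler must refuse."""


def naive_trim(prev_end, frag_end):
    """The arithmetic behind the classic teardrop crash. An implementation that
    trims a new fragment so it starts where the previous one ended computes
    the bytes left to copy as frag_end - prev_end. If the new fragment ends
    *before* the previous one, that is negative; in C, handed to a copy
    routine as an unsigned length, it becomes enormous."""
    return frag_end - prev_end


def reassemble(fragments):
    """fragments: iterable of (offset, payload, more_fragments), any order.
    Returns the datagram bytes, or raises BadFragment on overlap, gap,
    an oversized datagram, or a missing final fragment."""
    ordered = sorted(fragments, key=lambda f: f[0])
    if not ordered:
        raise BadFragment("no fragments")
    out = bytearray()
    expected = 0  # next byte offset we need
    for offset, payload, _more in ordered:
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise BadFragment(f"fragment ends at {end}, beyond {MAX_DATAGRAM}")
        if offset < expected:
            # Teardrop lands here: data already covered up to `expected`.
            raise BadFragment(f"overlap: fragment at {offset} inside bytes 0-{expected}")
        if offset > expected:
            raise BadFragment(f"gap: nothing covers bytes {expected}-{offset}")
        out += payload
        expected = end
    if ordered[-1][2]:
        raise BadFragment("last fragment still has more-fragments set")
    return bytes(out)


def rejects(fragments):
    """True if the reassembler refuses the set (the safe outcome)."""
    try:
        reassemble(fragments)
    except BadFragment:
        return True
    return False


def teardrop_fragments():
    """Constructed teardrop-style pair: the second fragment starts inside the
    first (offset 24 of 36) and ends before it does (at byte 28)."""
    first = (0, b"A" * 36, True)
    second = (24, b"B" * 4, False)
    return [first, second]


if __name__ == "__main__":
    print(reassemble([(0, b"hello ", True), (6, b"world", False)]))  # b'hello world'
    print(naive_trim(prev_end=36, frag_end=28))                       # -8
    print(rejects(teardrop_fragments()))                              # True
```

The two numbers to notice are 36 and 28: after trimming the second fragment to start at 36, a reassembler that still believes it ends at 28 has -8 bytes to copy. Refusing any fragment whose offset falls inside data already accepted avoids ever computing that length, at the cost of dropping datagrams that legitimately arrived with overlaps, which a sender following the specification never produces.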


WhatsApp sniffer attack

An app named "WhatsApp Sniffer" was made available on Google Play in May 2012. It could display messages from other WhatsApp users connected to the same network as the app user, because WhatsApp at that time used an XMPP-based infrastructure with unencrypted, plain-text communication.