restrict a user to the use of strong passwords only.
5.2 Mitigating Network Attacks

5.2.6 Trust Exploitation

The figure illustrates the concept of trust exploitation. Although not an attack in itself, trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network. These network segments often contain DNS, Simple Mail Transfer Protocol (SMTP), and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network. Another example of trust exploitation is a Demilitarized Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.

Note: A DMZ is a dedicated part of a network designed to secure communications between the inside and outside network.

Trust Exploitation Attack Mitigation

You can mitigate trust exploitation-based attacks through tight constraints on trust levels within a network, as shown in the figure. Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address. In the DMZ example in the introduction to this topic, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall. The hacker controls the entire DMZ host. The hacker's next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall. To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. You can stop this attack if your firewall allows only minimum or no connectivity from the DMZ to the inside interface.

Port Redirection

A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped. Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic. The figure shows a firewall with three interfaces and a host on each interface. The host outside the network can reach the host on the public services segment (Host A), but not the host on the inside (Host B). The host on the public services segment can reach the host on both the outside and the inside. If hackers are able to compromise the public services segment host, they can install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules that are implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of an application that provides that type of access is Netcat. You can mitigate port redirection by using proper trust models that are network-specific. If a system is under attack, an IPS can help detect the hacker and prevent installation of such utilities on a host.

Man-in-the-Middle Attacks

Man-in-the-middle attacks have these purposes: An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network. Man-in-the-middle attackers can avoid disrupting the traffic and thereby avoid setting off alarms. These attackers use their position to stealthily extract information from the network. You can mitigate man-in-the-middle attacks by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only ciphertext.
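As an added example (not part of the course text), the following Python check makes the transitive trust in the DMZ and port-redirection discussions above measurable: given a zone-to-zone allow list for a three-interface firewall, it reports which inside ports an outside host could reach only by relaying through a compromised public-services host, and shows how cutting DMZ-to-inside connectivity to the minimum shrinks that exposure. The zone names, ports and both policies are constructed for illustration.

```python
"""Transitive-trust audit for a three-zone firewall policy (outside, dmz, inside).

Constructed example: each rule is (source_zone, destination_zone, tcp_port) and
means the firewall permits new connections in that direction on that port. A
compromised host in a reachable zone can relay (port-redirect) traffic onward to
anything its zone may reach, so effective reach is the policy's transitive closure."""

PERMISSIVE_POLICY = [
    ("outside", "dmz", 80),      # public web server
    ("outside", "dmz", 25),      # public mail relay
    ("dmz", "outside", 53),      # DMZ hosts resolve Internet names
    ("dmz", "inside", 1433),     # web app needs the inside database
    ("dmz", "inside", 445),      # blanket trust of the DMZ for file sharing
    ("inside", "dmz", 80),       # inside staff manage the web server
]

# Same policy with DMZ-to-inside trust cut to the one port the application needs.
TIGHT_POLICY = [r for r in PERMISSIVE_POLICY if r != ("dmz", "inside", 445)]

def direct_reach(policy, src, dst, port):
    """True if the firewall permits src -> dst on port without any pivot."""
    return (src, dst, port) in policy

def pivot_exposure(policy, src, pivot, dst):
    """Ports on dst that src cannot reach directly but can reach by relaying
    through a compromised host in pivot. Empty if src cannot reach pivot at all."""
    if not any(s == src and d == pivot for s, d, _ in policy):
        return []
    return sorted({p for s, d, p in policy
                   if s == pivot and d == dst and not direct_reach(policy, src, dst, p)})

def audit(policy):
    """Every (src, pivot, dst) triple with non-empty exposure: the defender's
    to-do list for tightening trust between firewall interfaces."""
    zones = {z for s, d, _ in policy for z in (s, d)}
    findings = {}
    for src in sorted(zones):
        for pivot in sorted(zones - {src}):
            for dst in sorted(zones - {src, pivot}):
                exposed = pivot_exposure(policy, src, pivot, dst)
                if exposed:
                    findings[(src, pivot, dst)] = exposed
    return findings

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit(pol))
```

The permissive policy exposes both 445 and 1433 on the inside host to the outside through the DMZ; the tightened policy leaves only the database port the application genuinely needs, which is the residual trust a defender must then validate by something other than the DMZ host's IP address.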
5.2.7 DoS and DDoS Attacks and Mitigation

A DDoS attack, and the simpler DoS attack, on a server send extremely large numbers of requests over a network or the Internet. These many requests cause the target server to run well below optimum speeds. Consequently, the attacked server becomes unavailable for legitimate access and use. By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits. DoS and DDoS attacks are the most publicized form of attack and are among the most difficult to completely eliminate. The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute. Nevertheless, because of this attack's ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. DoS attacks can target various vulnerabilities. A common type of DoS attack is DDoS using a spoofed source IP address. The figure summarizes the characteristics of DoS and DDoS attacks.

DDoS Attack Risks

The figure lists some of the risks associated with DoS attacks: DoS and DDoS attacks are different from most other attacks because they do not target access to your network or the information on your network. These attacks focus on making a service unavailable for normal use. Exhausting some resource limitation on the network or within an operating system or application accomplishes the desired result. These attacks require little effort to execute because they typically take advantage of protocol weaknesses or emulate traffic that would normally be allowed into a network. DoS and DDoS attacks are among the most difficult to completely eliminate because of the way these attacks use protocol weaknesses and native or legitimate traffic in order to attack a network. For all known DoS and DDoS attacks, there are software fixes that you can install to limit the damage that the attacks cause. However, as with viruses, hackers are constantly developing new DoS and DDoS attacks.

DDoS Example

DDoS attacks are the next generation of DoS attacks on the Internet, though this type of attack is not new. UDP and TCP SYN flooding (sending large numbers of UDP segments or TCP SYN packets to the target