Defend from hackers using computer networking fundamentals

As developers, we all know how important computer networking is for security, but it is such a dense topic, full of complexities and acronyms that scare us, that we prefer to leave most of that work to the DevOps team. The objective of this article is to change that paradigm and encourage developers and IT specialists to look at computer networking with a different mindset. We will walk through the OSI Model (Open Systems Interconnection Model), give a brief overview of each layer, and explain how each one works and how it can be attacked and protected.

OSI Model

These were the same questions the International Organization for Standardization (ISO) was asking in the late 1970s. Many enterprises were building computer networks, each with its own protocols and technologies; some of them were not compatible with the others and required a lot of integration effort. The Open Systems Interconnection Model, OSI Model for short, was created as an abstract model consisting of 7 layers, each dealing with a different aspect of systems interconnection. Why on earth is that so important? Because when we approach computer networking with offensive hacking in mind, we tend to scan each and every one of those layers looking for vulnerabilities, and that mindset should be the same when we defend. Without further ado, let’s go through those layers and describe each one of them.


Layer 1: The Physical Layer

Apart from the materials engineering theory that explains how each medium acts upon the signal, the main tools in this layer are the concepts of signals and systems, which include noise calculations (e.g. the Johnson-Nyquist and Shannon-Hartley theorems), modulation and multiplexing.

Eavesdropping
This is the act of stealthily listening to information without the consent of the data’s stakeholders. It means that if an attacker is able to plant a device that sniffs the electrical impulses in a cable or the radio frequencies of wireless transmissions, he might learn more than you want him to know. The best way to protect against this kind of attack is to send only encrypted information and to protect your cables from physical contact by strangers.

Lockpicking
I know, it might sound absurd to refer to locks when dealing with computer networks, but since we are talking about the physical layer, the only way a hacker can access your system at this layer is with physical access. That means he could cut your wires and destroy your switches if he got access to where you keep your network components. How to protect? Good physical protection: fences, perimeter intrusion detection and assessment systems (PIDAS), closed-circuit television (CCTV), good quality locks, identification and authorization devices such as fingerprint scanners, and security guards. A great way to think about this is the 3 D’s when planning: Deter, Delay and Detect [2].

Access Card Cloning
Just like lockpicking, access card cloning is a threat to security. If the attacker is able to steal your card and retrieve and tamper with its information, he might gain access to places he should not have. The solution to this problem is to use smart card security. Smart cards [3] are able to detect when their data is being tampered with and stop working for good. Though it may sound great, you have to make sure you always keep up with the latest technologies, as hackers keep improving their abilities and tools so as not to get caught.

Tempest Hacking
Though still very high-tech and uncommon unless you are the NSA, tempest hacking is a researched type of vulnerability that transforms signal emanations, such as a screen’s radiation, into intelligible data. That means that people can know what you are seeing on your screen if they are able to place a receiver in your room. Below is an example of tempest hacking in action in a Security and Cryptography lab in Switzerland [4]:

Layer 2: The Data Link Layer

The best known component of the data link layer is the Medium Access Control protocol, or MAC protocol for short. This protocol is a set of rules that define how computers get access to the shared medium and permission to transmit data on it. One of the components of this protocol is the MAC address, a globally unique identifier that is the main piece for defining the communication between nodes in a network; it works as a guarantee that the two nodes being linked are who they should be.


MAC Spoofing
As we read previously, the MAC address is a globally unique identifier, but many drivers allow the MAC address to be spoofed so that you become somebody else. MAC spoofing cannot be prevented, so enterprises are advised to use methods with authentication mechanisms, such as 802.1X with EAP-TLS. The reason is that MAC addresses do not guarantee authentication safety, whereas strategies such as EAP-TLS let us use certificates and carry out the authentication process with cryptography.

CAM Overflow
Switches operate internally by building a reference table of MAC addresses so that they know which port each frame should be forwarded to. This reference table is called the “content addressable memory table” (CAM table) and is the target of a common overflow technique. In this type of overflow exploit, hackers connect to one or more switch ports and mimic thousands of random MAC addresses until the capacity of the CAM table is exhausted; consequently, the switch starts to flood all traffic out of all its ports. Some common defensive countermeasures are limiting the number of connections to a single port of the switch, packet filtering through an AAA server in 802.1X networks, and MAC filtering [5].
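To make the overflow and the “limit what a single port may do” countermeasure concrete, here is an added example (not code from the original article or from any switch vendor) that models a switch with a tiny CAM table. The `ToySwitch` class, its 4-entry table, the MAC addresses and the port numbers are all constructed for the demo; the port-security behaviour (count distinct source MACs per port, shut the port on violation) is modelled on the common “err-disable” style of protection rather than on any specific product.

```python
FLOOD = "FLOOD"  # marker meaning "the switch had to flood the frame out of every port"


class ToySwitch:
    """Minimal model of a switch forwarding (CAM) table, constructed for this example.

    Assumptions (not any vendor's implementation): the table holds at most
    `cam_size` source-MAC -> port entries and learns nothing once it is full;
    `max_macs_per_port` is an optional port-security limit on the number of
    distinct source MACs accepted on one port, and a violation shuts the port.
    """

    def __init__(self, cam_size, max_macs_per_port=None):
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}              # source MAC -> ingress port
        self.learned_on = {}       # port -> set of source MACs seen on that port
        self.err_disabled = set()  # ports shut down by port security

    def receive(self, port, src_mac, dst_mac):
        """Process one frame; return the egress port, FLOOD, or None if dropped."""
        if port in self.err_disabled:
            return None
        seen = self.learned_on.setdefault(port, set())
        if src_mac not in seen:
            limit = self.max_macs_per_port
            if limit is not None and len(seen) >= limit:
                # Port-security violation: shut the port instead of learning the MAC
                self.err_disabled.add(port)
                return None
            seen.add(src_mac)
        # Learn (or refresh) the source MAC unless the CAM table is already full
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = port
        # Known unicast goes out of exactly one port; unknown destinations are flooded
        return self.cam.get(dst_mac, FLOOD)


def simulate_cam_overflow(max_macs_per_port=None):
    """Replay a CAM-overflow scenario; return (egress of the server's reply, shut ports)."""
    sw = ToySwitch(cam_size=4, max_macs_per_port=max_macs_per_port)
    server, victim = "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"  # constructed MACs
    broadcast = "ff:ff:ff:ff:ff:ff"
    sw.receive(2, server, broadcast)            # server on port 2 gets learned first
    for i in range(6):                          # attacker on port 3 sprays made-up MACs
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", broadcast)
    sw.receive(1, victim, server)               # victim on port 1 talks to the server
    reply_egress = sw.receive(2, server, victim)  # where does the server's reply go?
    return reply_egress, sorted(sw.err_disabled)


if __name__ == "__main__":
    # Without port security the reply is flooded, so port 3 (the attacker) sees it;
    # with a 2-MAC limit the attacker's port is shut and the reply goes only to port 1.
    print("no port security:   ", simulate_cam_overflow())
    print("max 2 MACs per port:", simulate_cam_overflow(2))
```

The model learns nothing once the table is full, which is why the victim, who shows up after the attacker has filled it, becomes an “unknown destination” and the reply to him is flooded. Real switches also age entries out, which the attacker exploits by refreshing his fake addresses faster than the legitimate ones; the port-security limit breaks the attack either way because the flood of source addresses never gets into the table.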

Layer 3: The Network Layer


IP Spoofing
As shown in the layer 2 explanation, it is possible to impersonate another computing system by spoofing its MAC address. In the network layer, the corresponding computer identity is the IP address, and the good news (for the attacker) is that you can trick it as well. We can also apply packet-filtering strategies to avoid being fooled by IP spoofing, but it is much better to use network protocols that do not rely on IP addresses for authentication, such as IPsec. In IPsec, every computer has a credential, and communication only occurs after mutual authentication. Unless the credential is compromised, there is no way a hacker can gain anything by spoofing its IP address.

ARP Cache Poisoning / ARP Spoofing
The ARP protocol is a set of components that map between physical addresses and logical addresses, and for this job it requires a reference table called the ARP cache, just like the table we mentioned in the CAM overflow example. This attack is a bit different, though, because the objective is not to overflow, but to control and trick.

The attacker sends some packets to the router claiming that the victim’s IP address belongs to his own MAC address. After that, he sends equivalent packets to the victim claiming that the router’s IP address belongs to his MAC address as well. Now the ARP cache is poisoned, and both the router and the victim’s machine are fooled: they will redirect all their traffic to the hacker’s computer. There are many ways to defend against this, though, such as using IPsec or any other protocol that works with certificates, smart packet filters, and VPN tunnels.
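Besides the protocol-level defences above, poisoning leaves a visible trace: an IP address that suddenly answers from a different MAC, and two IP addresses (typically the gateway and a host) sharing one MAC. The following is an added example, not from the original article, of the kind of detection logic tools such as arpwatch implement. The log format (`<time> <IP> is-at <MAC>`), the addresses and the gateway IP are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies as a LAN monitor might record them
# (the line format "<time> <sender IP> is-at <sender MAC>" is made up for this example).
# At 10:00:09 a third host starts claiming both the gateway's and a client's IP.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 192.168.1.66 is-at 00:11:22:33:44:66
10:00:09 192.168.1.1 is-at 00:11:22:33:44:66
10:00:09 192.168.1.20 is-at 00:11:22:33:44:66
10:00:15 192.168.1.1 is-at 00:11:22:33:44:66
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$")


def detect_arp_poisoning(log_text, gateway_ip):
    """Return a list of alerts for every IP -> MAC change seen in the ARP replies.

    An IP changing its MAC is suspicious; an IP starting to share a MAC with
    another host is more so; the gateway doing either is the classic
    ARP-spoofing pattern, so those cases are rated "high".
    """
    ip_to_mac = {}                   # current binding per IP
    mac_to_ips = defaultdict(set)    # reverse index: which IPs claim a MAC
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # skip lines that are not ARP replies
        ts, ip, mac = m.groups()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            others = mac_to_ips[mac] - {ip}   # other IPs already answering from this MAC
            severity = "high" if ip == gateway_ip or others else "medium"
            alerts.append({
                "time": ts, "ip": ip, "old_mac": previous, "new_mac": mac,
                "shared_with": sorted(others), "severity": severity,
            })
            mac_to_ips[previous].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG, gateway_ip="192.168.1.1"):
        print(alert)
```

Only changes raise an alert, so the repeated claim at 10:00:15 is silent; a DHCP-heavy network will also produce legitimate “medium” changes, which is why the gateway and the shared-MAC cases are the ones worth paging on.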

Layer 4: The Transport Layer


Port Scanning / OS Fingerprinting
Although not real vulnerabilities, both techniques are extensively used by hackers before exploiting their victims. Fingerprinting is a mandatory step before attacking because it is the only way to understand what kind of environment they are dealing with, and that means not only what kind of exploits they will find useful, but also what kind of logs they may leave behind. The best way to defend against reconnaissance is to configure firewalls and access control lists correctly.
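A correctly configured firewall also turns reconnaissance into a detection opportunity, because a scanner touching many ports on one host in a short time looks nothing like a normal client. Here is an added example (not from the original article) of that detection logic run over constructed firewall log lines; the line format, the addresses, the 60-second window and the 10-port threshold are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: 203.0.113.5 walks twelve ports on 10.0.0.10 in about
# ten seconds, while 198.51.100.7 behaves like an ordinary client.
SAMPLE_FW_LOG = """\
2024-03-01T10:00:00 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=21
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=22
2024-03-01T10:00:01 ALLOW src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=443
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=23
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=25
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=53
2024-03-01T10:00:05 ALLOW src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=80
2024-03-01T10:00:06 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=110
2024-03-01T10:00:07 ALLOW src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=443
2024-03-01T10:00:07 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=135
2024-03-01T10:00:08 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=139
2024-03-01T10:00:09 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=143
2024-03-01T10:00:10 ALLOW src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=443
2024-03-01T10:00:11 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=445
2024-03-01T10:00:20 ALLOW src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$"
)


def detect_port_scans(log_text, window_seconds=60, min_ports=10):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct destination
    ports within `window_seconds`; returns {(src, dst): max distinct ports seen}.
    Both allowed and denied connections count: a scan of open ports is still a scan.
    """
    recent = defaultdict(list)       # (src, dst) -> [(time, dport), ...] inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_text, _action, src, dst, _proto, dport = m.groups()
        ts = datetime.fromisoformat(ts_text)
        window = recent[(src, dst)]
        window.append((ts, int(dport)))
        cutoff = ts - timedelta(seconds=window_seconds)
        window[:] = [(t, p) for t, p in window if t >= cutoff]   # slide the window
        distinct = {p for _, p in window}
        if len(distinct) >= min_ports:
            flagged[(src, dst)] = max(len(distinct), flagged.get((src, dst), 0))
    return flagged


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_FW_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports in 60s")
```

Keying on the (source, destination) pair catches the vertical scan shown here; a horizontal scan (one port across many hosts) needs the mirror-image count, distinct destinations per source and port, built the same way.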

Packet Crafting
After understanding how the systems in a network manage the flow of information, a more knowledgeable hacker can craft packets to try to overwhelm the layer 4 management systems. Since this is very dependent on the deployed systems, there is unfortunately no single solution to the problem.

Layer 5: The Session Layer

An example of a typical handshake packet transfer [7]

Cookie Hijacking
For those familiar with the HTTP protocol, there is a component called a “cookie”, which is responsible for storing session information on client computers. Most modern systems use cookies as the authentication storage unit, which means that all session information is stored there. Since this article takes the hacker’s point of view, we will apply a technique called “man in the middle”, a superset of the ARP spoofing mentioned before, to make sure we eavesdrop on all the information that travels from the client to the server and vice versa. Once we do that, we are finally able to hijack the cookie and use it to authenticate to the server impersonating the victim. The best way to protect against most types of session hijacking is to use encrypted protocols; in this case, had we used HTTPS, we would have been safer. There are other types of cookie hijacking, but the intention of this article is not to describe them all, only to introduce them to a broad public.
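Using HTTPS only helps if the session cookie is also marked so the browser never sends it over plain HTTP, which is what the `Secure` attribute does (with `HttpOnly` and `SameSite` covering the other common ways a cookie leaks). The following added example, not from the original article, audits `Set-Cookie` header values for those attributes; the header values and the `sessionid` cookie name are constructed for the demo.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute_lower: value or None})."""
    parts = [p.strip() for p in header_value.split(";")]
    if "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie: expected name=value first")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return the hardening problems found in one Set-Cookie value (empty list = fine)."""
    _name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure")        # without it the cookie also travels over plain HTTP
    if "httponly" not in attrs:
        findings.append("HttpOnly")      # without it scripts running in the page can read it
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("SameSite")      # browser defaults decide cross-site sending
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")   # browsers reject this combination
    return findings


def audit_response_headers(set_cookie_values):
    """Audit every Set-Cookie value of a response; returns {cookie name: findings}."""
    report = {}
    for header_value in set_cookie_values:
        name, _value, _attrs = parse_set_cookie(header_value)
        report[name] = audit_set_cookie(header_value)
    return report


if __name__ == "__main__":
    # Constructed headers: the first is the typical weak session cookie, the second
    # is the same cookie hardened.
    sample = [
        "sessionid=abc123; Path=/",
        "sessionid_hardened=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    ]
    for name, problems in audit_response_headers(sample).items():
        print(name, "->", problems or "ok")
```

`Secure` is the attribute that actually backs the HTTPS advice above: a site can be served over TLS and still hand its session cookie to an on-path attacker the moment the browser follows one plain-HTTP link to the same host.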

Layer 6: The Presentation Layer

These characters made many iPhones crash ❤

Data Poisoning
The presentation layer deals with data transformation, and it is correct to assume that this mechanism is the main target of “presentation hacking”. Data poisoning is writing characters that, during the encoding/decoding process, are transformed into unhandled exceptions. In February of last year, a data poisoning exploit was found on many web and mobile platforms, where a single Unicode character from the Indian Telugu script made web browsers and smartphones crash. Companies fixed it as soon as possible to guarantee users’ safety. The only way to solve problems like this is to use safe code libraries and to filter the characters (or sequences of characters) that your software should accept.
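What “filter characters or sequences of characters” looks like in practice is an allowlist applied after normalization, rather than a blocklist of known bad strings. The following is an added example, not from the original article, of such a validator; the policy it enforces (NFC normalization, letters/digits/punctuation/symbols/spaces only, no control or format characters, at most two combining marks per base character, a length cap) is constructed for the demo and has to be tuned to the scripts an application really needs, since rejecting format characters such as zero-width joiners also rejects some legitimate Indic, Arabic and emoji sequences.

```python
import unicodedata

# Unicode general-category prefixes accepted as ordinary text: letters, numbers,
# punctuation, symbols and the plain space separator. Everything else (controls,
# format characters, unassigned and private-use code points, line separators) is rejected.
ALLOWED_CATEGORY_PREFIXES = ("L", "N", "P", "S", "Zs")
MAX_COMBINING_RUN = 2   # longest run of combining marks accepted on one base character


def validate_text(text, max_length=256):
    """Return (True, normalized_text) if `text` passes the policy, else (False, reason).

    Policy constructed for this example: normalize to NFC so equivalent spellings
    are judged the same way, then walk the code points and reject anything outside
    the allowlist, a combining mark with no base character, or an over-long run
    of combining marks (the "sequence of characters" case).
    """
    if len(text) > max_length:
        return False, f"input longer than {max_length} characters"
    text = unicodedata.normalize("NFC", text)
    run = 0            # combining marks attached to the current base character
    have_base = False  # whether a base character precedes the current position
    for ch in text:
        cat = unicodedata.category(ch)
        if cat.startswith("M"):               # Mn/Mc/Me: combining mark
            if not have_base:
                return False, f"combining mark U+{ord(ch):04X} without a base character"
            run += 1
            if run > MAX_COMBINING_RUN:
                return False, f"combining-mark run longer than {MAX_COMBINING_RUN} at U+{ord(ch):04X}"
            continue
        if not cat.startswith(ALLOWED_CATEGORY_PREFIXES):
            return False, f"disallowed character U+{ord(ch):04X} (category {cat})"
        have_base, run = True, 0
    return True, text


if __name__ == "__main__":
    # Constructed inputs: ordinary text, a zero-width non-joiner, a stacked-accent
    # sequence, a control character, and a lone combining mark.
    for sample in ["Hello, world ❤", "a\u200cb", "e" + "\u0301" * 4, "tab\there", "\u0301a"]:
        print(repr(sample), "->", validate_text(sample))
```

NFC first matters for the combining-run check: `e` followed by four U+0301 accents composes into `é` plus three marks, so the run is counted on what the application will actually store, not on the raw bytes the client chose to send.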

Layer 7: The Application Layer


Buffer Overflow
Probably one of the deadliest exploits, the buffer overflow has nothing to do with networking but gives hackers unlimited power over the victim’s machine. It exploits the fact that once a hacker can write memory beyond the stack boundaries the program expects, he can send any sequence of assembly instructions to be executed. This exploit affects the application layer because it makes apps behave in any desired way, giving the hacker full access to all the networking features of the layer.

SQL Injection
To query and modify data in databases, programs send commands to the server. When there are no filters, though, attackers can send unwanted commands to make the server behave “better” for them, such as returning more information than it should. The only way to solve such a problem is to write parameterized queries and to sanitize inputs so as not to be fooled by smart hackers. This one is all in the hands of good programmers.

Amazonian • Hacker • Former CTO at InvestPro • Cloud solutions expert • Enterprise Architect • Loves his wife, family and maths.