Types of Web Server Attacks and Countermeasures

Video Transcription
>> Hey everyone, welcome back to the course. In this video we're going to talk about some different types of web server attacks, as well as some of the countermeasures we can do against them. We've got many different types of attacks. We've got DDoS and denial of service attacks. We've got DNS hijacking, DNS amplification, directory traversal, man in the middle, and we'll talk about each one of these a little bit. We've got phishing attacks, misconfigurations, defacement attacks, web cache poisoning, SSH attacks and password cracking attacks.

Let's talk about denial of service and the DDoS attacks. This is basically where the attacker is going to send a large volume of requests to that single server. The whole goal here is to eat up bandwidth to overwhelm that server with requests, so it affects the availability of that server or applications to the user that actually needs them. It eats up the memory, it eats the network bandwidth. Essentially the whole goal is to take that server offline so it can't actually be used.

We have DNS server hijacking. This is where the attacker compromises a DNS server and actually changes the settings. For example, if I'm trying to go to my favorite Thai restaurant website, the attacker actually compromises a DNS. So when I type in, let's just say Thairestaurant.com, it redirects me to a website that looks similar to the real one, but that website's actually on the attacker's server, so it's a malicious site. I enter my login credentials for the site and the attacker has my login. A better example there is probably a bank. A bank website I go to, I think I'm logging into my bank website and in fact I'm actually logging into the attacker's website. Now they know my username and password for the bank. They go in, they log in, they clean out my account and I don't even know anything until the next day when my mortgage payment doesn't go through.

DNS amplification attack. This is basically where the attacker is taking advantage of DNS recursive methods. Essentially they're spoofing IP addresses, and then they're redirecting to amplify that attack.

Directory traversal attack. For the CEH exam, you're going to want to just be familiar with all of these. Having taken the Version 11, which is a new one coming out in January of 2020, taking that Beta test, I can tell you that you do want to just be familiar with the different types of attacks here. I can't tell you specifically which ones, but just know you want to be familiar with these a little bit going into that exam. Directory traversal attack. Essentially just using this attack to access directories that the attacker shouldn't be able to access on that web server.

Man-in-the-middle attacks. Again, just injecting themselves in between that session of the client and the web server. Early in the course, we talked about an example of throwing a football to our friend. I throw the football to my friend and you jump in between and catch the football. We're talking about American football here. You catch the football, you're that man in the middle essentially. You're capturing that data packet and then you're throwing it to my friend and completing the transaction there or the three-way handshake. You're basically taking over that session. You're jumping in between the session and looking at the data that's flowing through it.

We've got phishing attacks. This is where the attacker might be using that fake website. They redirect, for example, to that fake website. The fake banking website, and the goal there is stealing the credentials. Now they can log into your banking account and they could steal all of your money.

Misconfigurations of the web server. We might be using default credentials and so the attacker is able to gain access. Also error messages. As you're sending queries to the site, it's giving them very verbose error messages, telling them information about that back-end database, and also misconfigured security certificates. The attacker is able to exploit that and they're able to downgrade our site to an insecure site, as well as running things like unnecessary services on that web server. Lastly, enabling remote admin functions or not disabling them if we don't actually need them.

Web cache poisoning attacks. This is basically where the attacker is going to flush the web server cache and then send their own information into the cache. They're going to send their own malicious requests into the cache.

SSH brute force attack. This is where the attacker is going to brute force SSH to try to get the login credentials. Then basically they've got an encrypted tunnel, so to speak, that they can transmit malware and it's not detected by your IDS system.

Password cracking for the web server. Basically, transmission of default passwords allows us to try to crack those passwords. SMTP servers, trying to crack SSH tunnels, as well as if we're using FTP servers and not secure FTP for transmitting that data. They do this through a variety of methods. It could be guessing it, or more likely, dictionary or brute force attacks. Brute force attacking and using dictionary attacks.

What are some of the things we can do against web server attacks? Well, we can do things like patching. We can also make sure that we're focused on only using the protocols that we need. We can check the user accounts, make sure only the accounts that need to be running are running, as well as making sure we limit access to the files and directories. Let's talk about each one of those a little bit.

With our patching and updates, we want to identify any vulnerabilities that we may have based off the operating system and applications and news on that web server. Before we deploy these patches to production, we want to make sure we actually test things, see if we're breaking stuff. If so, let's identify what the issue is. Maybe there's a specific step we missed in the process of updating with that patch and we have to go to the manufacturer's site and download it and then update that. One area not related to web servers, but one area that you might see that in, is ICS networks, where we might try to, for example, patch our HMI and we forget one step in the process. Then we have to go to the manufacturer website and download that patch and then re-install the patch we just did. We want to make sure that we test these things first before we put them into production. We could do this through patch management. We can have good patch management in place. Also making sure we have backups just in case something's wrong with that backup. Part of that being making sure we have a proper BCP and DRP, the business continuity plan, as well as the disaster recovery plan. What happens if something goes wrong? Can we continue business and how do we do so? Then disaster recovery plan, what happens if there's an actual, like, national disaster? How do we recover from that? Making sure you update those security certificates. Making sure we keep the latest version of that certificate on our web server.

Protocols. Basically let's block unnecessary ports, ports that we're not going to be using, block ICMP traffic. Blocking that ping traffic, blocking any unnecessary protocols. If we don't need it, let's not have it open on our web server. That's just all additional areas where the attacker can get in. Updating the system software and using IPSec policies. Using that with insecure protocols like FTP and Telnet.

Our accounts. Again, just making sure that if there's accounts created, that our default credentialed accounts, we disable those because we don't need those accounts to log in. Make sure that any accounts that are alive are using the concept of least privilege so that way they only get access to the information that they need. Removing any access to the database. If an account on the web server doesn't actually need database access, we remove that access. Removing stored procedures as well as unused application extensions. Ensuring that we've got strong password policies for the accounts that are alive on our web servers.

Then for our files and directories, we want to eliminate any unnecessary .jar files, as well as removing sensitive configuration information and disabling, basically, the serving or the ability of the attacker to see the directory listings, as well as eliminating any non-web files from that web server.

Just a quick quiz question here for you. Default login credentials in use are an example of which of the following? Is that defacement attacks, misconfigurations or poisoning? This one was pretty easy. This one is misconfigurations.

In this video, we just talked about some of the different types of web server attacks. We also talked about some of the countermeasures we can do to help protect against those attacks.