Showing posts with label Networking. Show all posts
Showing posts with label Networking. Show all posts

Friday, March 29, 2013

The DDoS That Almost Broke the Internet

Tag :
The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen.
Growth Spurt
On Monday, March 18, 2013 Spamhaus contacted CloudFlare regarding an attack they were seeing against their website spamhaus.org. They signed up for CloudFlare and we quickly mitigated the attack. The attack, initially, was approximately 10Gbps generated largely from open DNS recursors. On March 19, the attack increased in size, peaking at approximately 90Gbps. The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC on on March 21.
The attackers were quiet for a day. Then, on March 22 at 18:00 UTC, the attack resumed, peaking at 120Gbps of traffic hitting our network. As we discussed in the previous blog post, CloudFlare uses Anycast technology which spreads the load of a distributed attack across all our data centers. This allowed us to mitigate the attack without it affecting Spamhaus or any of our other customers. The attackers ceased their attack against the Spamhaus website four hours after it started.
Other than the scale, which was already among the largest DDoS attacks we've seen, there was nothing particularly unusual about the attack to this point. Then the attackers changed their tactics. Rather than attacking our customers directly, they started going after the network providers CloudFlare uses for bandwidth. More on that in a second, first a bit about how the Internet works.
Peering on the Internet
The "inter" in Internet refers to the fact that it is a collection of independent networks connected together. CloudFlare runs a network, Google runs a network, and bandwidth providers like Level3, AT&T, and Cogent run networks. These networks then interconnect through what are known as peering relationships.
When you surf the web, your browser sends and receives packets of information. These packets are sent from one network to another. You can see this by running a traceroute. Here's one from Stanford University's network to the New York Times' website (nytimes.com):
1  rtr-servcore1-serv01-webserv.slac.stanford.edu (134.79.197.130)  0.572 ms
 2  rtr-core1-p2p-servcore1.slac.stanford.edu (134.79.252.166)  0.796 ms
 3  rtr-border1-p2p-core1.slac.stanford.edu (134.79.252.133)  0.536 ms
 4  slac-mr2-p2p-rtr-border1.slac.stanford.edu (192.68.191.245)  25.636 ms
 5  sunncr5-ip-a-slacmr2.es.net (134.55.36.21)  3.306 ms
 6  eqxsjrt1-te-sunncr5.es.net (134.55.38.146)  1.384 ms
 7  xe-0-3-0.cr1.sjc2.us.above.net (64.125.24.1)  2.722 ms
 8  xe-0-1-0.mpr1.sea1.us.above.net (64.125.31.17)  20.812 ms
 9  209.249.122.125 (209.249.122.125)  21.385 ms
There are three networks in the above traceroute: stanford.edu, es.net, and above.net. The request starts at Stanford. Between lines 4 and 5 it passes from Stanford's network to their peer es.net. Then, between lines 6 and 7, it passes from es.net to above.net, which appears to provide hosting for the New York Times. This means Stanford has a peering relationship with ES.net. ES.net has a peering relationship with Above.net. And Above.net provides connectivity for the New York Times.
CloudFlare connects to a large number of networks. You can get a sense of some, although not all, of the networks we peer with through a tool like Hurricane Electric's BGP looking glass. CloudFlare connects to peers in two ways. First, we connect directly to certain large carriers and other networks to which we send a large amount of traffic. In this case, we connect our router directly to the router at the border of the other network, usually with a piece of fiber optic cable. Second, we connect to what are known as Internet Exchanges, IXs for short, where a number of networks meet in a central point.
Most major cities have an IX. The model for IXs are different in different parts of the world. Europe runs some of the most robust IXs, and CloudFlare connects to several of them including LINX (the London Internet Exchange), AMS-IX (the Amsterdam Internet Exchange), and DE-CIX (the Frankfurt Internet Exchange), among others. The major networks that make up the Internet --Google, Facebook Yahoo, etc. -- connect to these same exchanges to pass traffic between each other efficiently. When the Spamhaus attacker realized he couldn't go after CloudFlare directly, he began targeting our upstream peers and exchanges.
Headwaters
Once the attackers realized they couldn't knock CloudFlare itself offline even with more than 100Gbps of DDoS traffic, they went after our direct peers. In this case, they attacked the providers from whom CloudFlare buys bandwidth. We, primarily, contract with what are known as Tier 2 providers for CloudFlare's paid bandwidth. These companies peer with other providers and also buy bandwidth from so-called Tier 1 providers.
Peer_pressure
There are approximately a dozen Tier 1 providers on the Internet. The nature of these providers is that they don't buy bandwidth from anyone. Instead, they engage in what is known as settlement-free peering with the other Tier 1 providers. Tier 2 providers interconnect with each other and then buy bandwidth from the Tier 1 providers in order to ensure they can connect to every other point on the Internet. At the core of the Internet, if all else fails, it is these Tier 1 providers that ensure that every network is connected to every other network. If one of them fails, it's a big deal.
Anycast means that if the attacker attacked the last step in the traceroute then their attack would be spread across CloudFlare's worldwide network, so instead they attacked the second to last step which concentrated the attack on one single point. This wouldn't cause a network-wide outage, but it could potentially cause regional problems.
We carefully select our bandwidth providers to ensure they have the ability to deal with attacks like this. Our direct peers quickly filtered attack traffic at their edge. This pushed the attack upstream to their direct peers, largely Tier 1 networks. Tier 1 networks don't buy bandwidth from anyone, so the majority of the weight of the attack ended up being carried by them. While we don't have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported.
The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself. The largest routers that you can buy have, at most, 100Gbps ports. It is possible to bond more than one of these ports together to create capacity that is greater than 100Gbps however, at some point, there are limits to how much these routers can handle. If that limit is exceeded then the network becomes congested and slows down.
Over the last few days, as these attacks have increased, we've seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.
Attacks on the IXs
In addition to CloudFlare's direct peers, we also connect with other networks over the so-called Internet Exchanges (IXs). These IXs are, at their most basic level, switches into which multiple networks connect and can then pass bandwidth. In Europe, these IXs are run as non-profit entities and are considered critical infrastructure. They interconnect hundreds of the world's largest networks including CloudFlare, Google, Facebook, and just about every other major Internet company.
Beyond attacking CloudFlare's direct peers, the attackers also attacked the core IX infrastructure on the London Internet Exchange (LINX), the Amsterdam Internet Exchange (AMS-IX), the Frankfurt Internet Exchange (DE-CIX), and the Hong Kong Internet Exchange (HKIX). From our perspective, the attacks had the largest effect on LINX which caused impact over the exchange and LINX's systems that monitor the exchange, as visible through the drop in traffic recorded by their monitoring systems. (Corrected: see below for original phrasing.)
The congestion impacted many of the networks on the IXs, including CloudFlare's. As problems were detected on the IX, we would route traffic around them. However, several London-based CloudFlare users reported intermittent issues over the last several days. This is the root cause of those problems.
The attacks also exposed some vulnerabilities in the architecture of some IXs. We, along with many other network security experts, worked with the team at LINX to better secure themselves. In doing so, we developed a list of best practices for any IX in order to make them less vulnerable to attacks.
Two specific suggestions to limit attacks like this involve making it more difficult to attack the IP addresses that members of the IX use to interchange traffic between each other. We are working with IXs to ensure that: 1) these IP addresses should not be announced as routable across the public Internet; and 2) packets destined to these IP addresses should only be permitted from other IX IP addresses. We've been very impressed with the team at LINX and how quickly they've worked to implement these changes and add additional security to their IX and are hopeful other IXs will quickly follow their lead.
The Full Impact of the Open Recursor Problem
At the bottom of this attack we once again find the problem of open DNS recursors. The attackers were able to generate more than 300Gbps of traffic likely with a network of their own that only had access 1/100th of that amount of traffic themselves. We've written about how these mis-configured DNS recursors as a bomb waiting to go off that literally threatens the stability of the Internet itself. We've now seen an attack that begins to illustrate the full extent of the problem.
While lists of open recursors have been passed around on network security lists for the last few years, on Monday the full extent of the problem was, for the first time, made public. The Open Resolver Project made available the full list of the 21.7 million open resolvers online in an effort to shut them down.
We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks.

Unlike traditional botnets which could only generate limited traffic because of the modest Internet connections and home PCs they typically run on, these open resolvers are typically running on big servers with fat pipes. They are like bazookas and the events of the last week have shown the damage they can cause. What's troubling is that, compared with what is possible, this attack may prove to be relatively modest.
As someone in charge of DDoS mitigation at one of the Internet giants emailed me this weekend: "I've often said we don't have to prepare for the largest-possible attack, we just have to prepare for the largest attack the Internet can send without causing massive collateral damage to others. It looks like you've reached that point, so... congratulations!"
At CloudFlare one of our goals is to make DDoS something you only read about in the history books. We're proud of how our network held up under such a massive attack and are working with our peers and partners to ensure that the Internet overall can stand up to the threats it faces.
Correction: The original sentence about the impact on LINX was "From our perspective, the attacks had the largest effect on LINX which for a little over an hour on March 23 saw the infrastructure serving more than half of the usual 1.5Tbps of peak traffic fail." That was not well phrased, and has been edited, with notation in place.

Spamhaus’ attackers turned DNS into a weapon of mass destruction

Tag :


A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act.
This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn't brought the Internet itself down, it has caused major slowdowns in the Internet's core networks.
DNS Amplification (or DNS Reflection) remains possible after years of security expert warnings. Its power is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats. Some network providers have made tweaks that prevent botnets or "volunteer" systems within their networks to stage such attacks. But thanks to public cloud services, "bulletproof" hosting services, and other services that allow attackers to spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.

Hello, operator?

The Domain Name Service is the Internet's directory assistance line. It allows computers to get the numerical Internet Protocol (IP) address for a remote server or other network-attached device based on its human-readable host and domain name. DNS is organized in a hierarchy; each top-level domain name (such as .com, .edu, .gov, .net, and so on) has a "root" DNS server keeping a list of each of the "authoritative" DNS servers for each domain registered with them. If you've ever bought a domain through a domain registrar, you've created (either directly or indirectly) an authoritative DNS address for that domain by selecting the primary and secondary DNS servers that go with it.
When you type "arstechnica.com" into your browser's address bar and hit the return key, your browser checks with a DNS resolver—your personal Internet 411 service— to determine where to send the Web request. For some requests, the resolver may be on your PC. (For example, this happens if you've requested a host name that's in a local "hosts" table for servers within your network, or one that's stored in your computer's local cache of DNS addresses you've already looked up.) But if it's the first time you've tried to connect to a computer by its host and domain name, the resolver for the request is probably running on the DNS server configured for your network—within your corporate network, at an Internet provider, or through a public DNS service such as Google's Public DNS.
There are two ways for a resolver to get the authoritative IP address for a domain name that isn't in its cache: an iterative request and a recursive request. In an iterative request, the resolver pings the top-level domain's DNS servers for the authoritative DNS for the destination domain, then it sends a DNS request for the full hostname to that authoritative server. If the computer that the request is seeking is in a subdomain or "zone" within a larger domain—such as www.subdomain.domain.com—it may tell the resolver to go ask that zone's DNS server. The resolver "iterates" the request down through the hierarchy of DNS servers until it gets an answer.
But on some networks, the DNS resolver closest to the requesting application doesn't handle all that work. Instead, it sends a "recursive" request to the next DNS server up and lets that server handle all of the walking through the DNS hierarchy for it. Once all the data is collected from the root, domain, and subdomain DNS servers for the requested address, the resolver then pumps the answer back to its client.







How DNS queries are supposed to work—when they're not being used as weapons.
To save time, DNS requests don't use the "three-way handshake" of the Transmission Control Protocol (TCP) to make all these queries. Instead, DNS typically uses the User Datagram Protocol (UDP)—a "connectionless" protocol that lets the server fire and forget requests.

Pump up the volume

That makes the sending of requests and responses quicker—but it also opens up a door to abuse of DNS that DNS amplification uses to wreak havoc on a target. All the attacker has to do is find a DNS server open to requests from any client and send it requests forged as being from the target of the attack. And there are millions of them.
The "amplification" in DNS amplification attacks comes from the size of those responses. While a DNS lookup request itself is fairly small, the resulting response of a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the attackers' victim.
DNS amplification attacks wouldn't be nearly as amplified if it weren't for the "open" DNS servers they use to fuel the attacks. These servers have been configured (or misconfigured) to answer queries from addresses outside of their network. The volume of traffic that can be generated by such open DNS servers is huge. Last year, Ars reported on a paper presented by Randal Vaughan of Baylor University and Israeli security consultant Gadi Evron at the 2006 DefCon security conference. The authors documented a series of DNS amplification attacks in late 2005 and early 2006 that generated massive traffic loads for the routers of their victims. In one case, the traffic was "as high as 10Gbps and used as many as 140,000 exploited name servers," Vaughan and Evron reported. "A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60."
But even if you can't find an open DNS server to blast recursive responses from, you can still depend on the heart of the Internet for a respectable hail of packet projectiles. A "root hint" request—sending a request for name servers for the "." domain—results in a response 20 times larger than the packet the request came in. That's in part thanks to DNS-SEC, the standard adopted to make it harder to spoof DNS responses, since now the response includes certificate data from the responding server.







A comparison of a "root hint" query and the response delivered by the DNS server. Not all data shown.
Sean Gallagher
In the case of the attack on Spamhaus, the organization was able to turn to the content delivery network CloudFlare for help. CloudFlare hid Spamhaus behind its CDN, which uses the Anycast feature of the Border Gateway Protocol to cause packets destined for the antispam provider's site to be routed to the closest CloudFlare point of presence. This spread out the volume of the attack. And CloudFlare was able to then shut off amplified attacks aimed at Spamhaus with routing filters that blocked aggregated DNS responses matching the pattern of the attack.
But that traffic still had to get to Cloudflare before it could be blocked. And that resulted in a traffic jam in the core of the Internet, slowing connections for the Internet as a whole.

No fix on the horizon

The simplest way to prevent DNS amplification and reflection attacks would be to prevent forged DNS requests from being sent along in the first place. But that "simple" fix isn't exactly easy—or at least easy to get everyone who needs to participate to do.
There's been a proposal on the books to fix the problem for nearly 13 years—the Internet Engineering Task Force's BCP 38, an approach to "ingress filtering" of packets. First pitched in 2000  1998 as part of RFC 2267 , the proposal has gone nowhere. And while the problem would be greatly reduced if zone and domain DNS servers simply were configured not to return recursive or even "root hint" responses received from outside their own networks, that would require action by the owners of the network. It's an action that doesn't have a direct monetary or security benefit to them associated with it.
ISPs generally do "egress filtering"—they check outbound traffic to make sure it's coming from IP addresses within their network.  This prevents them from filling up their peering connections with bad traffic.  But "ingress" filtering would check to make sure that requests coming in through a router were coming from the proper direction based on their advertised IP source.
Another possible solution that would eliminate the problem entirely is to make DNS use TCP for everything—reducing the risk of forged packets.  DNS already uses TCP for tasks like zone transfers. But that would require a change to DNS itself, so it's unlikely that would ever happen, considering that you can't even convince people to properly configure their DNS servers to begin with.
Maybe the attack on Spamhaus will change that, and core network providers will move to do more to filter DNS traffic that doesn't seem to match up with known DNS servers. Maybe just maybe, BCP 38 will get some traction. And maybe pigs will fly.

Tuesday, March 26, 2013

The OSI Reference Model In brief

Tag :
One of the greatest functions of the OSI specifications is to assist in data transfer between disparate
hosts—meaning, for example, that they enable us to transfer data between a Unix host
and a PC or a Mac.
The OSI isn’t a physical model, though. Rather, it’s a set of guidelines that application
developers can use to create and implement applications that run on a network. It also provides
a framework for creating and implementing networking standards, devices, and internetworking
schemes.
The OSI has seven different layers, divided into two groups. The top three layers define how
the applications within the end stations will communicate with each other and with users. The
bottom four layers define how data is transmitted end to end. Figure 1.6 shows the three upper
layers and their functions, and Figure 1.7 shows the four lower layers and their functions.
FIGURE 1 . 6 The upper layers
• Provides a user interface
• Presents data
• Handles processing such as encryption
• Keeps different applications’
• data separate
Application
Presentation
Session
Transport
Network
Data Link
Physical










When you study Figure 1.6, understand that the user interfaces with the computer at the
Application layer and also that the upper layers are responsible for applications communicating
between hosts. Remember that none of the upper layers knows anything about networking
or network addresses. That’s the responsibility of the four bottom layers.
In Figure 1.7, you can see that it’s the four bottom layers that define how data is transferred
through a physical wire or through switches and routers. These bottom layers also determine
how to rebuild a data stream from a transmitting host to a destination host’s application.
FIGURE 1 . 7 The lower layers
The following network devices operate at all seven layers of the OSI model:
Network management stations (NMSs)
Web and application servers
Gateways (not default gateways)
Network hosts
Basically, the ISO is pretty much the Emily Post of the network protocol world. Just as Ms.
Post wrote the book setting the standards—or protocols—for human social interaction, the
ISO developed the OSI reference model as the precedent and guide for an open network protocol
set. Defining the etiquette of communication models, it remains today the most popular
means of comparison for protocol suites.
The OSI reference model has seven layers:
Application layer (layer 7)
Presentation layer (layer 6)
Session layer (layer 5)
Transport layer (layer 4)
Network layer (layer 3)
Data Link layer (layer 2)
Physical layer (layer 1)










The Application Layer
The Application layer of the OSI model marks the spot where users actually communicate to
the computer. This layer only comes into play when it’s apparent that access to the network
is going to be needed soon. Take the case of Internet Explorer (IE). You could uninstall every
trace of networking components from a system, such as TCP/IP, NIC card, and so on, and you
could still use IE to view a local HTML document—no problem. But things would definitely
get messy if you tried to do something like view an HTML document that must be retrieved
using HTTP or nab a file with FTP or TFTP. That’s because IE will respond to requests such
as those by attempting to access the Application layer. And what’s happening is that the Application
layer is acting as an interface between the actual application program—which isn’t at
all a part of the layered structure—and the next layer down by providing ways for the application
to send information down through the protocol stack. In other words, IE doesn’t truly
reside within the Application layer—it interfaces with Application layer protocols when it
needs to deal with remote resources.
The Application layer is also responsible for identifying and establishing the availability of
the intended communication partner and determining whether sufficient resources for the
intended communication exist.
These tasks are important because computer applications sometimes require more than
only desktop resources. Often, they’ll unite communicating components from more than one
network application. Prime examples are file transfers and email, as well as enabling remote
access, network management activities, client/server processes, and information location.
Many network applications provide services for communication over enterprise networks, but
for present and future internetworking, the need is fast developing to reach beyond the limits
of current physical networking.












The Presentation Layer
The Presentation layer gets its name from its purpose: It presents data to the Application layer
and is responsible for data translation and code formatting.
This layer is essentially a translator and provides coding and conversion functions. A successful
data-transfer technique is to adapt the data into a standard format before transmission.
Computers are configured to receive this generically formatted data and then convert the data
back into its native format for actual reading (for example, EBCDIC to ASCII). By providing
translation services, the Presentation layer ensures that data transferred from the Application
layer of one system can be read by the Application layer of another one.
The OSI has protocol standards that define how standard data should be formatted. Tasks
like data compression, decompression, encryption, and decryption are associated with this
layer. Some Presentation layer standards are involved in multimedia operations too.
The Session Layer
The Session layer is responsible for setting up, managing, and then tearing down sessions
between Presentation layer entities. This layer also provides dialog control between
devices, or nodes. It coordinates communication between systems and serves to organize
their communication by offering three different modes: simplex, half duplex, and full
duplex. To sum up, the Session layer basically keeps different applications’ data separate
from other applications’ data.
The Transport Layer
The Transport layer segments and reassembles data into a data stream. Services located in the
Transport layer segment and reassemble data from upper-layer applications and unite it into
the same data stream. They provide end-to-end data transport services and can establish a
logical connection between the sending host and destination host on an internetwork.
Some of you are probably familiar with TCP and UDP already. (But if you’re not, no worries—
I’ll tell you all about them in Chapter 2.) If so, you know that both work at the Transport
layer and that TCP is a reliable service and UDP is not. This means that application developers
have more options because they have a choice between the two protocols when working with
TCP/IP protocols.




The Network Layer
The Network layer (also called layer 3) manages device addressing, tracks the location of devices
on the network, and determines the best way to move data, which means that the Network layer
must transport traffic between devices that aren’t locally attached. Routers (layer 3 devices) are
specified at the Network layer and provide the routing services within an internetwork.
It happens like this: First, when a packet is received on a router interface, the destination IP
address is checked. If the packet isn’t destined for that particular router, it will look up the destination
network address in the routing table. Once the router chooses an exit interface, the packet
will be sent to that interface to be framed and sent out on the local network. If the router can’t find
an entry for the packet’s destination network in the routing table, the router drops the packet.
Two types of packets are used at the Network layer: data and route updates.
Data packets Used to transport user data through the internetwork. Protocols used to support
data traffic are called routed protocols; examples of routed protocols are IP and IPv6.
You’ll learn about IP addressing in Chapters 2 and 3 and IPv6 in Chapter 13 .
Route update packets Used to update neighboring routers about the networks connected to
all routers within the internetwork. Protocols that send route update packets are called routing
protocols; examples of some common ones are RIP, RIPv2, EIGRP, and OSPF. Route update
packets are used to help build and maintain routing tables on each router.
In Figure 1.13, I’ve given you an example of a routing table. The routing table used in a
router includes the following information:
Network addresses Protocol-specific network addresses. A router must maintain a routing table
for individual routing protocols because each routing protocol keeps track of a network with a different
addressing scheme (IP, IPv6, and IPX, for example). Think of it as a street sign in each of the
different languages spoken by the residents that live on a particular street. So, if there were American,
Spanish, and French folks on a street named Cat, the sign would read Cat/Gato/Chat.
The Data Link Layer
The Data Link layer provides the physical transmission of the data and handles error
notification, network topology, and flow control. This means that the Data Link layer
will ensure that messages are delivered to the proper device on a LAN using hardware
addresses and will translate messages from the Network layer into bits for the Physical
layer to transmit.
The Data Link layer formats the message into pieces, each called a data frame, and adds a customized
header containing the hardware destination and source address. This added information
forms a sort of capsule that surrounds the original message in much the same way that engines,
navigational devices, and other tools were attached to the lunar modules of the Apollo project.
These various pieces of equipment were useful only during certain stages of space flight and were
stripped off the module and discarded when their designated stage was complete. Data traveling
through networks is similar.
Figure 1.15 shows the Data Link layer with the Ethernet and IEEE specifications. When you
check it out, notice that the IEEE 802.2 standard is used in conjunction with and adds functionality
to the other IEEE standards.
FIGURE 1 . 1 5 Data Link layer
It’s important for you to understand that routers, which work at the Network layer, don’t
care at all about where a particular host is located. They’re only concerned about where networks
are located and the best way to reach them—including remote ones. Routers are totally
obsessive when it comes to networks. And for once, this is a good thing! It’s the Data Link
layer that’s responsible for the actual unique identification of each device that resides on a
local network.
For a host to send packets to individual hosts on a local network as well as transmit packets
between routers, the Data Link layer uses hardware addressing. Each time a packet is sent between
routers, it’s framed with control information at the Data Link layer, but that information is
stripped off at the receiving router and only the original packet is left completely intact. This framing
of the packet continues for each hop until the packet is finally delivered to the correct receiving
host. It’s really important to understand that the packet itself is never altered along the route; it’s
only encapsulated with the type of control information required for it to be properly passed on to
the different media types.






 The Physical Layer
Finally arriving at the bottom, we find that the Physical layer does two things: It sends bits and
receives bits. Bits come only in values of 1 or 0—a Morse code with numerical values. The
Physical layer communicates directly with the various types of actual communication media.
Different kinds of media represent these bit values in different ways. Some use audio tones,
while others employ state transitions—changes in voltage from high to low and low to high.
Specific protocols are needed for each type of media to describe the proper bit patterns to be
used, how data is encoded into media signals, and the various qualities of the physical media’s
attachment interface.
The Physical layer specifies the electrical, mechanical, procedural, and functional requirements
for activating, maintaining, and deactivating a physical link between end systems. This
layer is also where you identify the interface between the data terminal equipment (DTE) and
the data communication equipment (DCE). (Some old phone-company employees still call
DCE data circuit-terminating equipment.) The DCE is usually located at the service provider,
while the DTE is the attached device. The services available to the DTE are most often accessed
via a modem or channel service unit/data service unit (CSU/DSU).
The Physical layer’s connectors and different physical topologies are defined by the OSI as
standards, allowing disparate systems to communicate. The CCNA objectives are only interested
in the IEEE Ethernet standards.
Hubs at the Physical Layer
A hub is really a multiple-port repeater. A repeater receives a digital signal and reamplifies or
regenerates that signal and then forwards the digital signal out all active ports without looking
at any data. An active hub does the same thing. Any digital signal received from a segment on
a hub port is regenerated or reamplified and transmitted out all ports on the hub. This means
all devices plugged into a hub are in the same collision domain as well as in the same broadcast
domain.












Ethernet Networking
Ethernet is a contention media access method that allows all hosts on a network to share the
same bandwidth of a link. Ethernet is popular because it’s readily scalable, meaning that it’s
comparatively easy to integrate new technologies, such as Fast Ethernet and Gigabit Ethernet,
into an existing network infrastructure. It’s also relatively simple to implement in the first
place, and with it, troubleshooting is reasonably straightforward. Ethernet uses both Data
Link and Physical layer specifications, and this section of the chapter will give you both the
Data Link layer and Physical layer information you need to effectively implement, troubleshoot,
and maintain an Ethernet network.
Ethernet networking uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD),
a protocol that helps devices share the bandwidth evenly without having two devices transmit at
the same time on the network medium. CSMA/CD was created to overcome the problem of those
collisions that occur when packets are transmitted simultaneously from different nodes. And trust
me—good collision management is crucial, because when a node transmits in a CSMA/CD network,
all the other nodes on the network receive and examine that transmission. Only bridges and
routers can effectively prevent a transmission from propagating throughout the entire network!







Half- and Full-Duplex Ethernet
Half-duplex Ethernet is defined in the original 802.3 Ethernet; Cisco says it uses only one wire
pair with a digital signal running in both directions on the wire. Certainly, the IEEE specifications
discuss the process of half duplex somewhat differently, but what Cisco is talking
about is a general sense of what is happening here with Ethernet.
It also uses the CSMA/CD protocol to help prevent collisions and to permit retransmitting
if a collision does occur. If a hub is attached to a switch, it must operate in half-duplex mode
because the end stations must be able to detect collisions. Half-duplex Ethernet—typically
10BaseT—is only about 30 to 40 percent efficient as Cisco sees it because a large 10BaseT network
will usually only give you 3 to 4Mbps, at most.
But full-duplex Ethernet uses two pairs of wires instead of one wire pair like half duplex.
And full duplex uses a point-to-point connection between the transmitter of the transmitting
device and the receiver of the receiving device. This means that with full-duplex data transfer,
you get a faster data transfer compared to half duplex. And because the transmitted data is
sent on a different set of wires than the received data, no collisions will occur.
The reason you don’t need to worry about collisions is because now it’s like a freeway with
multiple lanes instead of the single-lane road provided by half duplex. Full-duplex Ethernet is
supposed to offer 100 percent efficiency in both directions—for example, you can get 20Mbps
with a 10Mbps Ethernet running full duplex or 200Mbps for Fast Ethernet. But this rate is
something known as an aggregate rate, which translates as “you’re supposed to get” 100 percent
efficiency. No guarantees, in networking as in life.
Full-duplex Ethernet can be used in three situations:
With a connection from a switch to a host
With a connection from a switch to a switch
With a connection from a host to a host using a crossover cable

Saturday, February 23, 2013

Facebook for iOS updated, now offers free calls to US and Canada

Tag :
Facebook has just issued an update to its iOS application. Facebook for iOS, which is one of the prominent applications in the App Store now comes with several new features and enhanced user experience.


Facebook 5.5 for iOS offers improved buttons to like, comment and share posts. The share button also allows you to re-post stories to your news feed and is available in all languages. Furthermore, you can now make free calls to US and Canada right from your iOS application. Of course, free calling uses your data plan, so make sure you have one.
You can download the latest version of the application for your iPhones and iPads from the App Store.
Source

Tuesday, February 19, 2013

TCP/IP Utilities

Tag :
The following are the IP utilities available in Windows that help in finding out the information about IP Hosts and domains. These are the basic IP commands that every beginner in the field of hacking must know!
Please note that the the term Host used in this article may also be assumed as a Website for simple understanding purpose.

1. PING

PING is a simple application (command) used to determine whether a host is online and available. PING command sends one or more ICMP “Echo message” to a specified host requesting a reply. The receiver (Target Host) responds to this ICMP “Echo message” and returns it back to the sender. This confirms that the host is online and available. Otherwise the host is said to be unavailable.
Syntax:
C:\>ping gohacking.com

2. TELNET

Telnet command is used to connect to a desired host on a specified port number. Just like a house having several doors, a host or a server has different ports running different services. For example port 80 runs HTTP, port 23 runs TELNET while port 25 SMTP. Like this there are several ports on a server through which it is possible for a remote client to establish a connection.
For a connection to be established, the port has to be open. For example, in the following command, we are trying to establish a connection with the Yahoo server on port 25.:
Syntax:
C:\>telnet yahoo.com 25
C:\>telnet yahoo.com
The default port number is 23. When the port number is not specified the default number is assumed.
NOTE: If you are using Vista or Windows 7, Telnet feature may not be available by default. To enable it, you can refer my other post: How to enable Telnet feature in Vista and Windows 7?.

3. NSLOOKUP

Many times, we think about finding out the IP address of a given site. Say for example google.com, yahoo.com, microsoft.com etc. But how to do this? There are several websites out there that can be used to find out the IP address of any given website. However, in the Windows operating itself, we have an inbuilt tool to do this job for us. It is called “nslookup”.
This tool can be used for resolving a given domain name into it’s IP address (determine the IP of a given site name). Not only this, it can also be used for reverse IP lookup. That is, if the IP address is given it determines the corresponding domain name for that IP address.
Syntax:
C:\>nslookup google.com

4. NETSTAT

The netstat command can be used to display the current TCP/IP network connections. For example, the following “netstat” command displays all the currently established connections and their corresponding listening port numbers on your computer.
Syntax:
C:\>netstat -a
Type “Ctrl+Z” to exit.
This command can be used to determine the IP address/Host names of all the applications connected to your computer. If a hacker is connected to your system even the hacker’s IP is displayed. So, the “netstat” command can be used to get an idea of all the active connections of a given system.

Internet Control Message Protocol (ICMP)

Tag :
The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages.[1] It is assigned protocol number 1.[2]
ICMP[3] differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).
ICMP for Internet Protocol version 4 (IPv4) is also known as ICMPv4. IPv6 has a similar protocol, ICMPv6.

Technical details

The Internet Control Message Protocol is part of the Internet Protocol Suite, as defined in RFC 792. ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations (as specified in RFC 1122). ICMP errors are directed to the source IP address of the originating packet.[1]
For example, every device (such as an intermediate router) forwarding an IP datagram first decrements the time to live (TTL) field in the IP header by one. If the resulting TTL is 0, the packet is discarded and an ICMP Time To Live exceeded in transit message is sent to the datagram's source address.
Although ICMP messages are contained within standard IP datagrams, ICMP messages are usually processed as a special case, distinguished from normal IP processing, rather than processed as a normal sub-protocol of IP. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application that generated the original IP packet, the one that prompted the sending of the ICMP message.
Many commonly used network utilities are based on ICMP messages. The tracert (traceroute), Pathping commands are implemented by transmitting UDP datagrams with specially set IP TTL header fields, and looking for ICMP Time to live exceeded in transit (above) and "Destination unreachable" messages generated in response. The related ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.

ICMP segment structure

Header

The ICMP header starts after the IPv4 header and is identified by protocol number '1'. All ICMP packets will have an 8-byte header and variable-sized data section. The first 4 bytes of the header will be consistent. The first byte is for the ICMP type. The second byte is for the ICMP code. The third and fourth bytes are a checksum of the entire ICMP message. The contents of the remaining 4 bytes of the header will vary based on the ICMP type and code.[1]
ICMP error messages contain a data section that includes the entire IP header plus the first 8 bytes of data from the IP datagram that caused the error message. The ICMP datagram is then encapsulated in a new IP datagram.[1]
Bits 0–7 8–15 16–23 24–31
0 Type Code Checksum
32 Rest of Header
  • Type – ICMP type as specified below.
  • Code – Subtype to the given type.
  • Checksum – Error checking data. Calculated from the ICMP header+data, with value 0 for this field. The checksum algorithm is specified in RFC 1071.
  • Rest of Header – Four byte field. Will vary based on the ICMP type and code.

Control messages

Notable control messages[4][5]
Type Code Description
0 – Echo Reply[3]:14 0 Echo reply (used to ping)
1 and 2
Reserved
3 – Destination Unreachable[3]:4 0 Destination network unreachable
1 Destination host unreachable
2 Destination protocol unreachable
3 Destination port unreachable
4 Fragmentation required, and DF flag set
5 Source route failed
6 Destination network unknown
7 Destination host unknown
8 Source host isolated
9 Network administratively prohibited
10 Host administratively prohibited
11 Network unreachable for TOS
12 Host unreachable for TOS
13 Communication administratively prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4 – Source Quench 0 Source quench (congestion control)
5 – Redirect Message 0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & network
3 Redirect Datagram for the TOS & host
6
Alternate Host Address
7
Reserved
8 – Echo Request 0 Echo request (used to ping)
9 – Router Advertisement 0 Router Advertisement
10 – Router Solicitation 0 Router discovery/selection/solicitation
11 – Time Exceeded[3]:6 0 TTL expired in transit
1 Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header 0 Pointer indicates the error
1 Missing a required option
2 Bad length
13 – Timestamp 0 Timestamp
14 – Timestamp Reply 0 Timestamp reply
15 – Information Request 0 Information Request
16 – Information Reply 0 Information Reply
17 – Address Mask Request 0 Address Mask Request
18 – Address Mask Reply 0 Address Mask Reply
19
Reserved for security
20 through 29
Reserved for robustness experiment
30 – Traceroute 0 Information Request
31
Datagram Conversion Error
32
Mobile Host Redirect
33
Where-Are-You (originally meant for IPv6)
34
Here-I-Am (originally meant for IPv6)
35
Mobile Registration Request
36
Mobile Registration Reply
37
Domain Name Request
38
Domain Name Reply
39
SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40
Photuris, Security failures
41
ICMP for experimental mobility protocols such as Seamoby [RFC4065]
42 through 255
Reserved

Source quench

Source Quench requests that the sender decrease the rate of messages sent to a router or host. This message may be generated if a router or host does not have sufficient buffer space to process the request, or may occur if the router or host buffer is approaching its limit.
Data is sent at a very high speed from a host or from several hosts at the same time to a particular router on a network. Although a router has buffering capabilities, the buffering is limited to within a specified range. The router cannot queue any more data than the capacity of the limited buffering space. Thus if the queue gets filled up, incoming data is discarded until the queue is no longer full. But as no acknowledgement mechanism is present in the network layer, the client does not know whether the data has reached the destination successfully. Hence some remedial measures should be taken by the network layer to avoid these kind of situations. These measures are referred to as source quench. In a source quench mechanism, the router sees that the incoming data rate is much faster than the outgoing data rate, and sends an ICMP message to the clients, informing them that they should slow down their data transfer speeds or wait for a certain amount of time before attempting to send more data. When a client receives this message, it will automatically slow down the outgoing data rate or wait for a sufficient amount of time, which enables the router to empty the queue. Thus the source quench ICMP message acts as flow control in the network layer.
Source quench message[3]:9
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 4 Code = 0 Header checksum
unused
IP header and first 8 bytes of original datagram's data
Where:
Type must be set to 4
Code must be set to 0
IP header and additional data is used by the sender to match the reply with the associated request

Redirect

Redirect requests data packets be sent on an alternative route. ICMP Redirect is a mechanism for routers to convey routing information to hosts. The message informs a host to update its routing information (to send packets on an alternate route). If a host tries to send data through a router (R1) and R1 sends the data on another router (R2) and a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment), then R1 will send a redirect message to inform the host that the best route for the destination is via R2. The host should then send packets for the destination directly to R2. The router will still send the original datagram to the intended destination. However, if the datagram contains routing information, this message will not be sent even if a better route is available. RFC1122 states that redirects should only be sent by gateways and should not be sent by Internet hosts.
Redirect message[3]:11
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 5 Code Header checksum
IP address
IP header and first 8 bytes of original datagram's data
Where:
Type must be set to 5.
Code specifies the reason for the redirection, may be one of the following:
Code Description
0 Redirect for Network
1 Redirect for Host
2 Redirect for Type of Service and Network
3 Redirect for Type of Service and Host
IP address is the 32-bit address of the gateway to which the redirection should be sent.
IP header and additional data is included to allow the host to match the reply with the request that caused the redirection reply.

Time exceeded

Time Exceeded is generated by a gateway to inform the source of a discarded datagram due to the time to live field reaching zero. A time exceeded message may also be sent by a host if it fails to reassemble a fragmented datagram within its time limit.
Time exceeded messages are used by the traceroute utility to identify gateways on the path between two hosts.
Time exceeded message[3]:5
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 11 Code Header checksum
unused
IP header and first 8 bytes of original datagram's data
Where:
Type must be set to 11
Code specifies the reason for the time exceeded message, include the following:
Code Description
0 Time-to-live exceeded in transit.
1 Fragment reassembly time exceeded.
IP header and first 64 bits of the original payload are used by the source host to match the time exceeded message to the discarded datagram. For higher level protocols such as UDP and TCP the 64 bit payload will include the source and destination ports of the discarded packet.

Timestamp

Timestamp is used for time synchronization. It consists of the originating timestamp.
Timestamp message[3]:15
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 13 Code = 0 Header checksum
Identifier Sequence number
Originate timestamp
Where:
Type must be set to 13
Code must be set to 0
Identifier and Sequence Number can be used by the client to match the timestamp reply with the timestamp request.
Originate timestamp is the number of milliseconds since midnight Universal Time (UT). If a UT reference is not available the most-significant bit can be set to indicate a non-standard time value.

Timestamp reply

Timestamp Reply replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp.
Timestamp reply message[3]:15
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 14 Code = 0 Header checksum
Identifier Sequence number
Originate timestamp
Receive timestamp
Transmit timestamp
Where:
Type must be set to 14
Code must be set to 0
Identifier and Sequence number can be used by the client to match the reply with the request that caused the reply.
Originate timestamp is the time the sender last touched the message before sending it.
Receive timestamp is the time the echoer first touched it on receipt.
Transmit timestamp is the time the echoer last touched the message on sending it.
All timestamps are in units of milliseconds since midnight UT. If the time is not available in milliseconds or cannot be provided with respect to midnight UT then any time can be inserted in a timestamp provided the high order bit of the timestamp is also set to indicate this non-standard value.

Address mask request

Address mask request is normally sent by a host to a router in order to obtain an appropriate subnet mask.
Recipients should reply to this message with an Address mask reply message.
Address mask request
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 17 Code = 0 Header checksum
Identifier Sequence number
Address mask
Where:
Type must be set to 17
Code must be set to 0
Address mask can be set to 0
ICMP Address Mask Request may be used as a part of reconnaissance attack to gather information on the target network, therefore ICMP Address Mask Reply is disabled by default on Cisco IOS.[6]

Address mask reply

Address mask reply is used to reply to an address mask request message with an appropriate subnet mask.
Address mask reply
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 18 Code = 0 Header checksum
Identifier Sequence number
Address mask
Where:
Type must be set to 18
Code must be set to 0
Address mask should be set to the subnet mask

Destination unreachable

Destination unreachable is generated by the host or its inbound gateway][3] to inform the client that the destination is unreachable for some reason. A Destination Unreachable message may be generated as a result of a TCP, UDP or another ICMP transmission. Unreachable TCP ports notably respond with TCP RST rather than a Destination Unreachable type 3 as might be expected.
The error will not be generated if the original datagram has a multicast destination address. Reasons for this message may include: the physical connection to the host does not exist (distance is infinite); the indicated protocol or port is not active; the data must be fragmented but the 'don't fragment' flag is on.
Destination unreachable message[3]:3
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Type = 3 Code Header checksum
unused Next-hop MTU
IP header and first 8 bytes of original datagram's data
Where:
Type field (bits 0-7) must be set to 3
Code field (bits 8-15) is used to specify the type of error, and can be any of the following:
Code Description
0 Network unreachable error.
1 Host unreachable error.
2 Protocol unreachable error (the designated transport protocol is not supported).
3 Port unreachable error (the designated protocol is unable to inform the host of the incoming message).
4 The datagram is too big. Packet fragmentation is required but the 'don't fragment' (DF) flag is on.
5 Source route failed error.
6 Destination network unknown error.
7 Destination host unknown error.
8 Source host isolated error.
9 The destination network is administratively prohibited.
10 The destination host is administratively prohibited.
11 The network is unreachable for Type Of Service.
12 The host is unreachable for Type Of Service.
13 Communication administratively prohibited (administrative filtering prevents packet from being forwarded).
14 Host precedence violation (indicates the requested precedence is not permitted for the combination of host or network and port).
15 Precedence cutoff in effect (precedence of datagram is below the level set by the network administrators).
Next-hop MTU field (bits 48-63) contains the MTU of the next-hop network if a code 4 error occurs.
IP header and additional data is included to allow the client to match the reply with the request that caused the destination unreachable reply.

Find Unauthorized Activity on Your Email Account

Tag :
Do you suspect that your email account is under attack? Do you want to maintain the security of your email account and make it 100 percent hack proof? Well, Some times our email account might have got hacked and we may not be aware of that. We may believe that our email account is safe, but in reality our private and confidential information may be falling into the hands of a third person.
In this post, I will you will find information on how to find unauthorized activity on your account if any and how to stop them.

Signs of  Unauthorized Activity on an Email Account:

  1. Your new emails are marked as Read even if you’ve not read them.
  2. Your emails are moved to Trash or even permanently deleted without your notice.
  3. Your emails are being forwarded to a third party email address (check your settings-> forwarding).
  4. Your secondary email address or mobile number is changed.
If you come across any of the above activities on your email account, then it is a clear indication that your email account is hacked.

Additional Security Features in Gmail:

Gmail provides an additional security feature to protect your email account through the means of IP address logging. That is, Gmail records your IP address every time you log in to your Gmail account. So, if a third party gets access to your account then even his/her IP is also recorded. To see a list of recorded IP address, scroll down to the bottom of your Gmail account and you’ll see something like this.
You can see from the above figure that Gmail shows the IP address of last login (last account activity). You can click on Details to see the IP address of your last 5 activities. If you find that the IP listed in the logs doesn’t belong to you, then there are chances of unauthorized activity.

Steps to Stop the Unauthorized Activity:

If you feel/suspect that your account is hacked, then you must immediately take the actions mentioned below:
    1. Change your Password
    2. Change your security question.
    3. Remove any third party email address (if any) to which your account is set to forward emails.
    4. Make sure that you can access the email account of your secondary email address.
    5. Also change your secondary email password and security question.
This ensures that your account is safe from future attacks. But I strongly recommend that you read my other post on How to protect your email account? I hope you liked this post. Please pass your comments. :)

How To Protect Your Email and Other Online Accounts from Hackers

Tag :
In this post I will teach you how to protect your email account from getting hacked, in a very simple and easy to understand manner. The tips provided in this post not only applies to your email account, but can also be used to protect any other online account such as your bank logins, Paypal or your social networking account. Nowadays, I get a lot of emails from people where most of them ask me for help on getting back their email accounts. This is because, they have simply fallen victims and have got their email accounts hacked!
Today, it is a common problem for many Internet users to have their email accounts compromised by hackers. But this arises one BIG question in my mind!
“Is it so easy to hack an email account? OR Is it so difficult for people to protect their email account from getting hacked?”.
The single answer to these two questions is “Absolutely NOT!“. It is neither easy to hack an email nor difficult to protect an email account from being hacked.
If this is the case, then what is the reason for many people to lose their accounts?
The answer is very simple. They do not know how to protect themselves from getting hacked! In fact, most of the people who lose their online accounts to hackers are not the victims of hacking but the victims of trapping. They get hacked not because they are hacked by some expert hackers, but because they are fooled to such an extent that they themselves give away their password.
Are you confused? If so continue reading and you’ll come to know…
Now I will mention some of the most common pitfalls by which people often fall victims and get their accounts compromised. In addition to this, I will also give information on how to avoid these pitfalls and stay protected.

1. Website Spoofing (Phishing Scam)

Website spoofing, also known as phishing is the act of creating a fake website with the intention of misleading the visitors. The website will be created by a different person or organization (other than the original) especially for the purpose of cheating. Normally, the website will adopt the design of the target website and sometimes has a similar URL.
For example a spoofed website of Yahoo.com appears exactly same as Yahoo Website. So, most people would believe this as the original site and lose their passwords. The main intention of spoofed websites is to fool users and take away their login details. For this, the spoofed sites offer fake login pages. These fake login pages resemble the original login pages of sites like Yahoo, Gmail or Facebook. Since they resemble the original login page, people believe that it is true and give away their login details to the hackers by trying to login to their accounts.

Solution:

  • Never try to login/access your online account from the sites other than the original site.
  • Always type the URL of the site in the address bar to get into the site. Do not click on a hyperlink to enter the site.

2. By using Keylogger (Spyware)

The other commonly used method to steal password is by using a Keylogger. A Keylogger is nothing but a spyware. If you read this post you’ll come to know that it is too easy to steal the password using a keylogger program. This is because the keylogger records each and every keystroke that you type on the computer’s keyboard.

Solution:

Protecting yourselves from a keylogger scam is very easy. Just install a good anti-spyware program and update it regularly. This keeps your PC secure from a keylogger. For more information, you may read my other post on How to Protect your Computer from keyloggers?

3. Accessing your Email from a Public Place

Do you access your email from public places like cyber cafes? If so, you are definitely under the risk of losing your password. In fact, many people lose their email account in cyber cafes. For the owner of the cyber cafe, it is just a cakewalk to steal your password. For this, all he need to do is install a keylogger program on his computers. So, when you login to your email account from this PC, you give away your password to the cafe owner. Also, there are many Remote Administration Tools (RATs) which can be used to monitor your browsing activities in real time.
This doesn’t mean that you should never use cyber cafes for surfing the Internet. I know, not all the cyber cafe owners will be so wicked. However, it is recommended not to use public places for accessing confidential information. If it comes to the matter of security never trust anyone, not even your friend. I always use my own computer to login to my accounts so as to ensure the safety.
So with this I conclude my post and assume that I have helped my readers to protect their online accounts from being hacked. Please pass your comments. :)
Subscribe to: Posts (Atom)