(3) Detecting DoS and DDoS attacks Flashcards

1
Q

How can a DoS attack from a single device be stopped?

A

A DoS attack from a single device can usually be stopped by blocking that device's address at a firewall or similar network device, so it can no longer reach the network.

An IPS (intrusion prevention system) can also block traffic that matches known attack signatures, stopping the attack.

2
Q

How likely are single system DoS attacks?

A

Single-system DoS attacks are less likely to succeed unless the target has a specific service or application weakness, or has so little bandwidth or so few resources that a single system can overwhelm it.

3
Q

When it comes to DDoS attacks, what types of tools and systems are needed or are useful?

A

When it comes to DDoS attacks, these technologies can be very useful:

-Performance monitoring tools

-Connection monitoring through local system or application logs

-Network bandwidth or system bandwidth monitoring

-Dedicated tools such as IDSs and IPSs with DoS and DDoS detection turned on

4
Q

For other less common attacks, what tools are useful?

A

For other less common attacks, these tools are useful:

-Using an IDS or IPS

-Monitoring network flows (e.g., NetFlow), SNMP data, etc.

-Feeding logs from firewalls, routers, switches, and other network devices to a central log analysis/monitoring system

-A SIEM configured to review traffic and automatically raise alarms on problem traffic

-Deploying host-level tools such as endpoint detection and response (EDR) to monitor network behavior at the endpoints

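The DoS-versus-DDoS distinction in cards 1 through 4 comes down to how many sources the attack traffic has. The following Python is an added example, not part of the flashcard deck: it parses a constructed firewall-style SYN log (both the line format and the traffic are made up for illustration), counts attempts per source and destination inside a time window, labels each burst as single-source DoS or distributed DDoS, and emits a firewall rule for the single-source case. The thresholds and the nftables table/chain names in the rule are assumptions.

```python
"""Added example (not from the flashcard deck): tell a single-source DoS apart
from a distributed DDoS by counting connection attempts per source in a time
window. Both the log format and the sample traffic are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format, loosely modelled on a firewall SYN log:
#   "<ISO-8601 timestamp> SRC=<ip> DST=<ip> DPT=<port> SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+) SYN$"
)


def build_sample_logs():
    """Constructed sample traffic using RFC 5737 documentation addresses."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # 60 SYNs in 6 seconds from ONE source: a single-system DoS.
    for i in range(60):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} SRC=203.0.113.7 DST=192.0.2.10 DPT=443 SYN")
    # 60 SYNs in 6 seconds from 60 DIFFERENT sources: a distributed DDoS.
    for i in range(60):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} SRC=198.51.100.{i + 1} DST=192.0.2.20 DPT=80 SYN")
    # A handful of ordinary connections: should stay below the threshold.
    for i in range(5):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} SRC=192.0.2.55 DST=192.0.2.30 DPT=22 SYN")
    return "\n".join(lines)


def parse_events(text):
    """Parse log text into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events


def classify(events, window=timedelta(seconds=10), min_total=50,
             single_source_share=0.8, min_distinct_sources=20):
    """Bucket SYNs per (destination, time window) and label each busy bucket.

    - 'dos'  : one source sends >= single_source_share of the attempts
               (block that one address at the firewall/IPS).
    - 'ddos' : attempts come from >= min_distinct_sources addresses.
    - 'burst': over min_total but neither pattern; leave for an analyst.
    Buckets below min_total are not reported.
    """
    if not events:
        return {}
    t0 = min(e[0] for e in events)
    buckets = defaultdict(Counter)
    for ts, src, dst, _ in events:
        idx = int((ts - t0) / window)
        buckets[(dst, idx)][src] += 1

    verdicts = {}
    for (dst, idx), per_src in buckets.items():
        total = sum(per_src.values())
        if total < min_total:
            continue
        top_src, top_count = per_src.most_common(1)[0]
        if top_count / total >= single_source_share:
            verdict = "dos"
        elif len(per_src) >= min_distinct_sources:
            verdict = "ddos"
        else:
            verdict = "burst"
        verdicts[(dst, idx)] = {"verdict": verdict, "total": total,
                                "sources": len(per_src), "top_src": top_src,
                                "window_start": (t0 + idx * window).isoformat()}
    return verdicts


def block_rule(src_ip):
    """Firewall rule to drop a single offending source (the card 1 response).
    Assumes an nftables 'inet filter' table with an 'input' chain already exists."""
    return f"nft add rule inet filter input ip saddr {src_ip} drop"


if __name__ == "__main__":
    for key, info in sorted(classify(parse_events(build_sample_logs())).items()):
        print(key, info)
        if info["verdict"] == "dos":
            print("  suggested:", block_rule(info["top_src"]))
```

Threshold choice matters: a single busy legitimate client such as a proxy or NAT gateway can exceed `min_total`, so the single-source verdict should lead to a block only after an analyst or a known-bad list confirms it. The distributed verdict is where an IDS/IPS with DDoS detection or upstream filtering earns its keep, because dropping 60 addresses one rule at a time does not scale.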
5
Q

What are effective ways of detecting rogue devices on the network?

A

Effective ways of detecting rogue devices include:

-Valid MAC Address checking

-MAC Address Vendor Information Checking

-Network Scanning

-Site Surveys

-Traffic Analysis

6
Q

Describe Valid MAC address checking, MAC Address Vendor Information Checking, and network scanning in terms of rogue device detection

A

In terms of rogue device detection:

-Valid MAC Address Checking compares the hardware MAC addresses reported to the network against a list of known devices to determine whether each device is valid

-MAC Address Vendor Information Checking uses the vendor prefix (OUI) of a MAC address to determine whether the device is of a type expected on the network

-Network Scanning uses tools such as nmap to detect unknown devices

7
Q

In terms of rogue device detection, describe site surveys and traffic analysis

A

In terms of rogue device detection,

-Site surveys involve physically examining devices on site to verify MAC addresses

-Traffic Analysis involves using tools such as Wireshark to determine if a device belongs on the network

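Cards 5 through 7 list valid-MAC checking and vendor-prefix checking as the first two rogue-device techniques. The following Python is an added example, not part of the flashcard deck: it runs both checks over a constructed neighbour table in the style of `ip neigh` output. The known-device list, the OUI vendor table and every sample entry are assumptions made for illustration; a real deployment would load the inventory from the asset database and the prefixes from the IEEE OUI registry.

```python
"""Added example (not from the flashcard deck): valid-MAC and vendor-prefix
checks over a constructed neighbour table. The known-device list, the OUI
table and the sample entries are all assumptions made for illustration."""
import re

# Assumed inventory: normalised MAC -> asset tag. In practice this comes from
# the CMDB, DHCP reservations or the NAC database.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "print-01",
    "00:1a:2c:00:00:10": "ws-finance-07",
}

# Constructed OUI table: first three octets -> vendor label. A real check
# would load the IEEE OUI registry; these mappings are placeholders.
OUI_VENDORS = {
    "00:1a:2b": "ExampleCorp Printers",
    "00:1a:2c": "ExampleCorp NICs",
    "b8:27:eb": "Single-board computer (placeholder entry)",
}
# Vendors the organisation actually buys; anything else is suspicious.
EXPECTED_VENDORS = {"ExampleCorp Printers", "ExampleCorp NICs"}

# "ip neigh" style line (assumed format): <ip> dev <if> lladdr <mac> <state>
NEIGH_RE = re.compile(
    r"^(?P<ip>[\d.]+) dev (?P<dev>\S+) lladdr (?P<mac>\S+) (?P<state>\S+)$"
)


def normalise_mac(mac):
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e and
    return the canonical aa:bb:cc:dd:ee:ff form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set: the address was
    assigned by software rather than burned in, a common sign of randomised
    or spoofed MACs."""
    return int(normalise_mac(mac)[:2], 16) & 0x02 != 0


def assess(mac):
    """Classify one MAC as 'known', 'unknown-expected-vendor' or
    'unknown-vendor'. Returns (status, vendor, locally_administered)."""
    m = normalise_mac(mac)
    vendor = OUI_VENDORS.get(m[:8], "unregistered")
    if m in KNOWN_DEVICES:
        status = "known"
    elif vendor in EXPECTED_VENDORS:
        status = "unknown-expected-vendor"
    else:
        status = "unknown-vendor"
    return status, vendor, is_locally_administered(m)


def find_rogue_candidates(neigh_text):
    """Parse neighbour-table text and return
    {ip: (mac, status, vendor, locally_administered)} for every entry
    that is not a known device."""
    findings = {}
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr; skip them
        mac = normalise_mac(m["mac"])
        status, vendor, local_admin = assess(mac)
        if status != "known":
            findings[m["ip"]] = (mac, status, vendor, local_admin)
    return findings


# Constructed sample neighbour table (RFC 5737 addresses, made-up MACs).
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.0.2.11 dev eth0 lladdr 00-1A-2B-AA-BB-CC STALE
192.0.2.12 dev eth0 lladdr b827.eb12.3456 REACHABLE
192.0.2.13 dev eth0 lladdr 02:00:5e:00:53:01 REACHABLE
192.0.2.14 dev eth0  FAILED
"""

if __name__ == "__main__":
    for ip, info in find_rogue_candidates(SAMPLE_NEIGH).items():
        print(ip, *info)
```

The three verdicts map onto the deck's techniques: `unknown-expected-vendor` is the employee-brought device from card 9 (right kind of hardware, never registered), `unknown-vendor` is the entry that deserves a scan or a site survey, and the locally-administered flag catches only careless spoofing. An attacker who copies a known-good MAC (card 10) passes both checks cleanly, so these lists are a first filter, not a control; traffic analysis and port security/NAC are what stop the spoofed case.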
8
Q

What types of networks are easy targets for wired rogue devices?

A

These types of networks or situations are easy targets for wired rogue devices:

-Networks that don’t have access controls like port security

-Networks that don’t use Network Access Control (NAC) technology

9
Q

What are the most likely types of wired rogue devices?

A

The most likely types of wired rogue devices are these:

-A device that an employee or other well-known member of the organization has connected without IT's permission

-A device that an attacker has connected to the network

10
Q

How can bad actors overcome security that is based on MAC addresses in order to connect a wired device to a network?

A

Bad actors can overcome MAC address based security tools by MAC address spoofing, whereby the attacker replaces their device's MAC address with a known-good MAC address that is already on the allowed list.

11
Q

What is the challenge with wireless rogue devices and how is it overcome?

A

The challenge with wireless rogue devices is that they cannot easily be physically located.

This limitation can be overcome by taking signal strength measurements from several points and mapping the area to narrow down where the rogue is, or:

if the wireless rogue device is also physically connected to the network, operating system identification (fingerprinting) can be used to identify and locate the device.
