Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

MODULE 16 - Attacking the Foundation CERTIFICATION CYBER OPS ASSOCIATE > MODULE 16 - CERTIFICATION CYBER OPS ASSOCIATE > Flashcards

MODULE 16 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

1
Q

IP PDU Details IPv4 and IPv6 IP was designed as a Layer 3 connectionless protocol.

It provides the necessary functions to deliver a packet from a source host to a destination host over an interconnected system of networks.

The protocol was not designed to track and manage the flow of packets.

These functions, if required, are performed primarily by TCP at Layer 4.

A

IP makes no effort to validate whether the source IP address contained in a packet actually came from that source.

For this reason, threat actors can send packets using a spoofed source IP address.

In addition, threat actors can tamper with the other fields in the IP header to carry out their attacks.

Therefore, it is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

A

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Version :

Contains a 4-bit binary value set to 0100 that identifies this as an IPv4 packet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Internet Header length :

A 4-bit field containing the length of the IP header.

The minimum length of an IP header is 20 bytes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Differentiated Services or DiffServ (DS) :

Formerly called the Type of Service (ToS) field, the DS field is an 8-bit field used to determine the priority of each packet.

The six most significant bits of the DiffServ field are the Differentiated Services Code Point (DSCP).

The last two bits are the Explicit Congestion Notification (ECN) bits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Total length :

Specifies the length of the IP packet including the IP header and the user data.

The total length field is 2 bytes, so the maximum size of an IP packet is 65,535 bytes however packets are much smaller in practice.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Identification, Flag, and Fragment offset :

As an IP packet moves through the internet, it might need to cross a route that cannot handle the size of the packet.

The packet will be divided, or fragmented, into smaller packets and reassembled later.

These fields are used to fragment and reassemble packets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Time-to-Live (TTL) :

Contains an 8-bit binary value that is used to limit the lifetime of a packet.

The packet sender sets the initial TTL value, and it is decreased by one each time the packet is processed by a router.

If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Protocol :

Field is used to identify the next level protocol.

This 8-bit binary value indicates the data payload type that the packet is carrying, which enables the network layer to pass the data to the appropriate upper-layer protocol.

Common values include ICMP (1), TCP (6), and UDP (17).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Header checksum :

A value that is calculated based on the contents of the IP header.

Used to determine if any errors have been introduced during transmission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Source IPv4 Address :

Contains a 32-bit binary value that represents the source IPv4 address of the packet.

The source IPv4 address is always a unicast address.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Destination IPv4 Address :

Contains a 32-bit binary value that represents the destination IPv4 address of the packet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The IPv4 Packet Header

The fields in the IPv4 packet header are shown in the figure.

https://snipboard.io/2ZIMJA.jpg

– Version

– Internet Header length

– Differentiated Services or DiffServ (DS)

– Total length

– Identification, Flag, and Fragment offset

– Time-to-Live (TTL)

– Protocol

– Header checksum

– Source IPv4 Address

– Destination IPv4 Address

– Options and Padding

A

Options and Padding :

This is a field that varies in length from 0 to a multiple of 32 bits.

If the option values are not a multiple of 32 bits, 0s are added or padded to ensure that this field contains a multiple of 32 bits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

A

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Version :

This field contains a 4-bit binary value set to 0110 that identifies this as an IPv6 packet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Traffic Class :

This 8-bit field is equivalent to the IPv4 Differentiated Services (DS) field.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Flow Label :

This 20-bit field suggests that all packets with the same flow label receive the same type of handling by routers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Payload Length :

This 16-bit field indicates the length of the data portion or payload of the IPv6 packet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Next Header :

This 8-bit field is equivalent to the IPv4 Protocol field.

It indicates the data payload type that the packet is carrying, enabling the network layer to pass the data to the appropriate upper-layer protocol.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Hop Limit :

This 8-bit field replaces the IPv4 TTL field.

This value is decremented by a value of 1 by each router that forwards the packet.

When the counter reaches 0, the packet is discarded, and an ICMPv6 Time Exceeded message is forwarded to the sending host, indicating that the packet did not reach its destination because the hop limit was exceeded.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Source IPv6 Address :

This 128-bit field identifies the IPv6 address of the sending host.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The IPv6 Packet Header here are eight fields in the IPv6 packet header, as shown in the figure.

https://snipboard.io/LF7QiG.jpg

– Version

– Traffic Class

– Flow Label

– Payload Length

– Next Header

– Hop Limit

– Source IPv6 Address

– Destination IPv6 Address

A

Destination IPv6 Address :

This 128-bit field identifies the IPv6 address of the receiving host.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

An IPv6 packet may also contain extension headers (EH) that provide optional network layer information.

Extension headers are optional and are placed between the IPv6 header and the payload.

EHs are used for fragmentation, security, to support mobility, and more.

Unlike IPv4, routers do not fragment routed IPv6 packets.

A

An IPv6 packet may also contain extension headers (EH) that provide optional network layer information.

Extension headers are optional and are placed between the IPv6 header and the payload.

EHs are used for fragmentation, security, to support mobility, and more.

Unlike IPv4, routers do not fragment routed IPv6 packets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

ICMP attacks :

Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

Denial-of-Service (DoS) attacks :

Threat actors attempt to prevent legitimate users from accessing information or services.

26
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

Distributed Denial-of-Service (DDoS) attacks :

Similar to a DoS attack, but features a simultaneous, coordinated attack from multiple source machines.

27
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

Address spoofing attacks :

Threat actors spoof the source IP address in an attempt to perform blind spoofing or non-blind spoofing.

28
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

Man-in-the-middle attack (MiTM) :

Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication.

They could simply eavesdrop by inspecting captured packets or alter packets and forward them to their original destination.

29
Q

IP Vulnerabilities

There are different types of attacks that target IP.

The table lists some of the more common IP-related attacks.

– ICMP attacks

– Denial-of-Service (DoS) attacks

– Distributed Denial-of-Service (DDoS) attacks

– Address spoofing attacks

– Man-in-the-middle attack (MiTM)

– Session hijacking

A

Session hijacking :

Threat actors gain access to the physical network, and then use an MiTM attack to hijack a session.

30
Q

ICMP Attacks ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable.

ICMP messages are generated by devices when a network error or outage occurs.

The ping command is a user-generated ICMP message, called an echo request, that is used to verify connectivity to a destination.

A

Threat actors use ICMP for reconnaissance and scanning attacks.

This enables them to launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall.

31
Q

Threat actors use ICMP for reconnaissance and scanning attacks.

This enables them to launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall.

A

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

32
Q

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

– ICMP echo request and echo reply

– ICMP unreachable

– ICMP mask reply

– ICMP redirects

– ICMP router discovery

A

ICMP echo request and echo reply :

This is used to perform host verification and DoS attacks.

33
Q

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

– ICMP echo request and echo reply

– ICMP unreachable

– ICMP mask reply

– ICMP redirects

– ICMP router discovery

A

ICMP unreachable :

This is used to perform network reconnaissance and scanning attacks.

34
Q

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

– ICMP echo request and echo reply

– ICMP unreachable

– ICMP mask reply

– ICMP redirects

– ICMP router discovery

A

ICMP mask reply :

This is used to map an internal IP network.

35
Q

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

– ICMP echo request and echo reply

– ICMP unreachable

– ICMP mask reply

– ICMP redirects

– ICMP router discovery

A

ICMP redirects :

This is used to lure a target host into sending all traffic through a compromised device and create a MiTM attack.

36
Q

Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.

ICMP Flood :

https://snipboard.io/yBiEeW.jpg

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

The table lists common ICMP messages of interest to threat actors.

– ICMP echo request and echo reply

– ICMP unreachable

– ICMP mask reply

– ICMP redirects

– ICMP router discovery

A

ICMP router discovery :

This is used to inject bogus route entries into the routing table of a target host.

37
Q

Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet.

Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files.

In the case of large networks, security devices, such as firewalls and intrusion detection systems (IDS), should detect such attacks and generate alerts to the security analysts.

A

Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet.

Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files.

In the case of large networks, security devices, such as firewalls and intrusion detection systems (IDS), should detect such attacks and generate alerts to the security analysts.

38
Q

Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks.

The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.

https://snipboard.io/bfKrxJ.jpg

– Amplification

– Reflection

A

Amplification :

The threat actor forwards ICMP echo request messages to many hosts.

These messages contain the Source IP address of the victim

39
Q

Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks.

The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.

https://snipboard.io/bfKrxJ.jpg

– Amplification

– Reflection

A

Reflection :

These hosts all reply to the spoofed IP address of the victim to overwhelm it.

40
Q

Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used.

Threat actors also use resource exhaustion attacks.

These attacks consume the resources of a target host to either to crash it or to consume the resources of a network.

A

Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used.

Threat actors also use resource exhaustion attacks.

These attacks consume the resources of a target host to either to crash it or to consume the resources of a network.

41
Q

Address Spoofing Attacks IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user.

The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations.

Spoofing is usually incorporated into another attack such as a Smurf attack.

Spoofing attacks can be non-blind or blind:

– Non-blind spoofing

– Blind spoofing

A

Non-blind spoofing :

The threat actor can see the traffic that is being sent between the host and the target.

The threat actor uses non-blind spoofing to inspect the reply packet from the target victim.

Non-blind spoofing determines the state of a firewall and sequence-number prediction.

It can also hijack an authorized session.

42
Q

Address Spoofing Attacks IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user.

The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations.

Spoofing is usually incorporated into another attack such as a Smurf attack.

Spoofing attacks can be non-blind or blind:

– Non-blind spoofing

– Blind spoofing

A

Blind spoofing :

The threat actor cannot see the traffic that is being sent between the host and the target.

Blind spoofing is used in DoS attacks.

43
Q

MAC address spoofing attacks are used when threat actors have access to the internal network.

Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure.

The attacking host then sends a frame throughout the network with the newly-configured MAC address.

When the switch receives the frame, it examines the source MAC address.

A

MAC address spoofing attacks are used when threat actors have access to the internal network.

Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure.

The attacking host then sends a frame throughout the network with the newly-configured MAC address.

When the switch receives the frame, it examines the source MAC address.

44
Q

Threat Actor Spoofs a Server’s MAC Address :

https://snipboard.io/FBGEal.jpg

The switch overwrites the current CAM table entry and assigns the MAC address to the new port, as shown in the figure.

It then forwards frames destined for the target host to the attacking host.

A

Switch Updates CAM Table with Spoofed Address

https://snipboard.io/Z9e0Uo.jpg

Application or service spoofing is another spoofing example.

A threat actor can connect a rogue DHCP server to create an MiTM condition.

45
Q

TCP and UDP Vulnerabilities

TCP Segment Header

While some attacks target IP, this topic discusses attacks that target TCP and UDP.

TCP segment information appears immediately after the IP header.

The fields of the TCP segment and the flags for the Control Bits field are displayed in the figure.

https://snipboard.io/3aZCne.jpg

A

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

46
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

URG -

Urgent pointer field significant

47
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

ACK -

Acknowledgement field significant

48
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

PSH -

Push function

49
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

RST -

Reset the connection

50
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

SYN -

Synchronize sequence numbers

51
Q

The following are the six control bits of the TCP Segment :

– URG

– ACK

– PSH

– RST

– SYN

– FIN

A

FIN -

No more data from sender

52
Q

TCP Services TCP provides these services:

– Reliable delivery

– Flow control

– Stateful communication

A

Reliable delivery :

TCP incorporates acknowledgments to guarantee delivery, instead of relying on upper-layer protocols to detect and resolve errors.

If a timely acknowledgment is not received, the sender retransmits the data.

Requiring acknowledgments of received data can cause substantial delays.

Examples of application layer protocols that make use of TCP reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.

53
Q

TCP Services TCP provides these services:

– Reliable delivery

– Flow control

– Stateful communication

A

Flow control :

TCP implements flow control to address this issue.

Rather than acknowledge one segment at a time, multiple segments can be acknowledged with a single acknowledgment segment.

54
Q

TCP Services TCP provides these services:

– Reliable delivery

– Flow control

– Stateful communication

A

Stateful communication :

TCP stateful communication between two parties occurs during the TCP three-way handshake.

Before data can be transferred using TCP, a three-way handshake opens the TCP connection, as shown in the figure.

If both sides agree to the TCP connection, data can be sent and received by both parties using TCP.

55
Q

TCP Three-Way Handshake

https://snipboard.io/S59aCz.jpg

A

A TCP connection is established in 3 steps :

1) The initiating client requests a client-to-server communication session with the server.
2) The server acknowledges the client-to-server communication session and requests a server-to-client communication session.
3) The inittiating client acknowledges the server-to client communication session.

56
Q

TCP Attacks Network applications use TCP or UDP ports.

Threat actors conduct port scans of target devices to discover which services they offer.

A

TCP SYN Flood Attack:

The TCP SYN Flood attack exploits the TCP three-way handshake. The figure shows a threat actor continually sending TCP SYN session request packets with a randomly spoofed source IP address to a target.

The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet.

Those responses never arrive.

Eventually the target host is overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users. TCP SYN Flood Attack

https://snipboard.io/xeSp2B.jpg

57
Q

TCP SYN Flood Attack:

The TCP SYN Flood attack exploits the TCP three-way handshake.

The figure shows a threat actor continually sending TCP SYN session request packets with a randomly spoofed source IP address to a target.

The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet.

Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users. TCP SYN Flood Attack

https://snipboard.io/xeSp2B.jpg

A

TCP SYN Flood Attack

https: //snipboard.io/xeSp2B.jpg
1) The threat actor sends multiple SYN requests to a web server.
2) The web server replies with SYN-ACKs for each SYN request and waits to complete three-way handshake. The threat actor does not respond to the SYN-ACKs
3) A valid user cannot access the web server because the web server has too many half-opened TCP connections.

58
Q

TCP Reset Attack A TCP reset attack can be used to terminate TCP communications between two hosts.

The figure displays how TCP uses a four-way exchange to close the TCP connection using a pair of FIN and ACK segments from each TCP endpoint.

A TCP connection terminates when it receives an RST bit.

This is an abrupt way to tear down the TCP connection and inform the receiving host to immediately stop using the TCP connection.

A threat actor could do a TCP reset attack and send a spoofed packet containing a TCP RST to one or both endpoints. Terminating a TCP Connection :

https://snipboard.io/ais3vU.jpg

A

Terminating a TCP session uses the following 4-way exchange process:

1) When the client has no more data to send in the stream, it sends a segment with the FIN flag set.
2) The server sends an ACK to acknowledge the receipt of the FIN to terminate the session from client to server.
3) The server sends a FIN to the client to terminate the server-to-client session.
4) The client responds with an ACK to acknowledge the FIN from the server.

59
Q

TCP Session Hijacking

TCP session hijacking is another TCP vulnerability.

Although difficult to conduct, a threat actor takes over an already-authenticated host as it communicates with the target.

The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host.

If successful, the threat actor could send, but not receive, data from the target device.

A

TCP Session Hijacking

TCP session hijacking is another TCP vulnerability.

Although difficult to conduct, a threat actor takes over an already-authenticated host as it communicates with the target.

The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host.

If successful, the threat actor could send, but not receive, data from the target device.

60
Q

UDP Segment Header and Operation UDP is commonly used by DNS, DHCP, TFTP, NFS, and SNMP.

It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol.

It has much lower overhead than TCP because it is not connection-oriented and does not offer the sophisticated retransmission, sequencing, and flow control mechanisms that provide reliability.

The UDP segment structure, shown in the figure, is much smaller than TCP’s segment structure.

A

Note: UDP actually divides data into datagrams.

However, the generic term “segment” is commonly used

https://snipboard.io/DO46gd.jpg

61
Q

Although UDP is normally called unreliable, in contrast to TCP’s reliability, this does not mean that applications that use UDP are always unreliable, nor does it mean that UDP is an inferior protocol.

It means that these functions are not provided by the transport layer protocol and must be implemented elsewhere if required.

A

The low overhead of UDP makes it very desirable for protocols that make simple request and reply transactions.

For example, using TCP for DHCP would introduce unnecessary network traffic. If no response is received, the device resends the request.

62
Q

UDP Attacks UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by default.

The lack of encryption means that anyone can see the traffic, change it, and send it on to its destination.

Changing the data in the traffic will alter the 16-bit checksum, but the checksum is optional and is not always used.

When the checksum is used, the threat actor can create a new checksum based on the new data payload, and then record it in the header as a new checksum.

The destination device will find that the checksum matches the data without knowing that the data has been altered. This type of attack is not widely used.

A

UDP Flood Attacks :

You are more likely to see a UDP flood attack. In a UDP flood attack, all the resources on a network are consumed.

The threat actor must use a tool like UDP Unicorn or Low Orbit Ion Cannon.

These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet.

The program will sweep through all the known ports trying to find closed ports.

This will cause the server to reply with an ICMP port unreachable message.

Because there are many closed ports on the server, this creates a lot of traffic on the segment, which uses up most of the bandwidth.

The result is very similar to a DoS attack.

MODULE 16 - Attacking the Foundation CERTIFICATION CYBER OPS ASSOCIATE (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions