Module 3 - 03-2 Flashcards

Secure networks against Denial of Service (DoS) attacks

1
Q

What does DoS stand for?

A

Denial of Service (DoS)

2
Q

Define DoS attack

A

An attack that targets a network or server and floods it with network traffic

3
Q

What is the objective of a DoS attack?

A

The objective is to disrupt normal business operations by overloading an organization’s network.

The goal of the attack is to send so much information to a network device that it crashes or is unable to respond to legitimate users. This means that the organization won’t be able to conduct their normal business operations, which can cost them money and time. A network crash can also leave them vulnerable to other security threats and attacks.

4
Q

What does DDoS stand for?

A

Distributed Denial of Service (DDoS)

5
Q

Define DDoS attack

A

A type of denial of service attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic

6
Q

What are three common network-level DoS attacks that exhaust a target's bandwidth or its capacity to handle connections?

A
  • SYN flood attack
  • Internet Control Message Protocol flood
  • Ping of death
7
Q

What does SYN stand for?

A

Synchronize

8
Q

Define SYN flood attack

A

A type of DoS attack that simulates the first step of a TCP connection and floods the server with SYN packets.

Malicious actors take advantage of the protocol by flooding a server with SYN requests, the first part of the handshake, and never completing the final step. Each SYN makes the server allocate a half-open connection entry and wait for the client's ACK. Once the number of outstanding half-open connections exceeds the server's backlog, new SYNs, including those from legitimate users, are dropped and the service stops responding. Attackers usually spoof the source address, so the server's SYN/ACK replies go to hosts that never answer.

SYN (synchronize) flood and ICMP flood attacks take advantage of communication protocols by sending an overwhelming number of requests.

9
Q

Explain the TCP handshake process

A

1) The first step in the handshake is for the device to send a SYN, or synchronize, segment to the server, proposing its initial sequence number.

2) Then, the server responds with a SYN/ACK segment to acknowledge the device's request and records a half-open connection while it waits for the final step of the handshake.

3) Once the server receives the final ACK segment from the device, the TCP connection is established and data can flow in both directions.
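Added example (not part of the flashcard set): the three-step handshake and the SYN flood from cards 8 and 9, simulated in Python. A server with a four-entry backlog of half-open connections is flooded with SYNs from spoofed addresses that never send the final ACK, and then a legitimate client tries to connect. The same flood is then replayed against a server that uses SYN cookies: it keeps no state per SYN and instead derives its initial sequence number from an HMAC over the client's address, port and sequence number, accepting the step-three ACK only if it acknowledges that value plus one. The backlog size, the addresses and the simplified cookie are assumptions for the demonstration; real SYN cookies also encode the MSS and a timestamp.

```python
"""Three-way handshake, SYN backlog exhaustion, and SYN cookies, simulated.

A server normally records each half-open connection (SYN received, final
ACK not yet seen) in a fixed-size backlog. A SYN flood fills that backlog
with entries that never complete, so legitimate SYNs are dropped. With SYN
cookies the server stores nothing per SYN: its initial sequence number is an
HMAC over the client's address, port and ISN, and the final ACK is valid only
if it acknowledges that number + 1.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

BACKLOG = 4  # assumed: a tiny backlog so the exhaustion shows after a few packets


@dataclass
class Server:
    backlog: int = BACKLOG
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (ip, port) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def _cookie(self, ip, port, client_isn):
        """Simplified SYN cookie: 32 bits of HMAC-SHA256 over the client's tuple."""
        msg = f"{ip}:{port}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, client_isn):
        """Steps 1 and 2: SYN in, SYN/ACK out. Returns the server ISN, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port, client_isn)      # no backlog entry needed
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                         # backlog full: SYN discarded
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(ip, port)] = isn                   # half-open until the ACK arrives
        return isn

    def on_ack(self, ip, port, client_isn, ack):
        """Step 3: the final ACK must acknowledge server ISN + 1."""
        if self.syn_cookies:
            ok = ack == self._cookie(ip, port, client_isn) + 1
        else:
            isn = self.half_open.pop((ip, port), None)
            ok = isn is not None and ack == isn + 1
        if ok:
            self.established.add((ip, port))
        return ok


def handshake(server, ip, port, client_isn=1000):
    """A well-behaved client: SYN, wait for SYN/ACK, answer with ACK."""
    server_isn = server.on_syn(ip, port, client_isn)
    if server_isn is None:
        return False          # SYN dropped; a real client would retry and time out
    return server.on_ack(ip, port, client_isn, server_isn + 1)


def syn_flood(server, count):
    """Attacker: SYNs from spoofed sources (TEST-NET-3 addresses) that never ACK."""
    for i in range(count):
        server.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, client_isn=i)


def run(syn_cookies):
    """Flood, then one legitimate connection attempt; report what happened."""
    s = Server(syn_cookies=syn_cookies)
    syn_flood(s, 20)
    legit = handshake(s, "198.51.100.7", 51515)
    return {"legit_connected": legit, "half_open": len(s.half_open),
            "dropped_syns": s.dropped_syns}


if __name__ == "__main__":
    print("backlog only :", run(syn_cookies=False))
    print("SYN cookies  :", run(syn_cookies=True))
```

Without cookies the flood leaves four half-open entries, the remaining flood SYNs and the legitimate SYN are all dropped, and the legitimate client never connects; with cookies nothing is stored per SYN, so the flood costs the server only the SYN/ACK replies and the legitimate handshake completes.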

10
Q

What does ICMP stand for?

A

Internet Control Message Protocol (ICMP)

11
Q

Define ICMP

A

An internet protocol used by devices to tell each other about data transmission errors across the network.

Think of ICMP like a request for a status update from a device. The device will return error messages if there is a network concern. You can think of this like the ICMP request checking in with the device to make sure that all is well.

12
Q

Define ICMP flood

A

A type of DoS attack in which an attacker repeatedly sends ICMP echo request packets to a network server.

The server answers each request with an ICMP echo reply. At a high enough rate this uses up the bandwidth for incoming and outgoing traffic, and the processing spent generating replies, until the server can no longer respond to legitimate users or crashes.

SYN (synchronize) flood and ICMP flood, take advantage of communication protocols by sending an overwhelming number of requests.

13
Q

Define Ping of death

A

A type of DoS attack in which an attacker pings a system with an oversized ICMP packet: one that, once reassembled from its IP fragments, is larger than 65,535 bytes (about 64 kilobytes), the maximum size of a correctly formed IPv4 packet.

Pinging a vulnerable system with such a packet overflows the buffer reserved for reassembling the fragments and causes the system to crash. Current operating systems check fragment offsets and lengths during reassembly, so the classic attack only works against unpatched network stacks.
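Added example, not from the flashcard set: the size check that separates a legal ping from a ping of death, in Python. An IPv4 datagram can be at most 65,535 bytes including its 20-byte header, so the largest legal ping carries 65,507 bytes of data (65,535 minus 20 minus the 8-byte ICMP echo header); the classic attack sent 65,510 and relied on the receiver reassembling the fragments without checking where they ended. make_fragments splits an ICMP message into fragments the way a sender behind a 1500-byte MTU would, and reassemble refuses any fragment that would end past the limit. The MTU, the identification value and the function names are assumptions.

```python
"""Fragment-reassembly guard against the ping of death.

An IPv4 datagram, header included, may be at most 65,535 bytes. A ping of
death is an ICMP echo request split into IP fragments whose offsets and
lengths add up to more than that, so a stack that reassembles without
checking writes past its buffer. The guard below rejects any fragment that
would end beyond the limit. Sizes and the 1500-byte MTU are assumptions.
"""
from dataclasses import dataclass

IPV4_MAX_LEN = 65535   # maximum total length, header + payload (RFC 791)
IPV4_HDR_LEN = 20      # minimal IPv4 header; every fragment carries one
ICMP_HDR_LEN = 8       # echo header; ping -s N sends N bytes of data after it


@dataclass(frozen=True)
class Fragment:
    ident: int          # IP identification shared by all fragments of one datagram
    offset_units: int   # 13-bit fragment offset, in 8-byte units
    payload_len: int    # bytes of ICMP data carried in this fragment
    more: bool          # MF flag: set on every fragment except the last


def make_fragments(icmp_len, ident=0x1234, mtu=1500):
    """Split an icmp_len-byte ICMP message into fragments the way a sender would."""
    per_frag = (mtu - IPV4_HDR_LEN) // 8 * 8     # payload per fragment, multiple of 8
    frags, off = [], 0
    while off < icmp_len:
        n = min(per_frag, icmp_len - off)
        frags.append(Fragment(ident, off // 8, n, more=off + n < icmp_len))
        off += n
    return frags


def fragment_end(frag):
    """Byte position just past this fragment's data in the reassembled datagram."""
    return IPV4_HDR_LEN + frag.offset_units * 8 + frag.payload_len


def reassemble(fragments):
    """Return ('ok', total_len) or ('dropped', reason). Overlap handling omitted."""
    total = 0
    for f in fragments:
        end = fragment_end(f)
        if end > IPV4_MAX_LEN:     # the ping-of-death check: refuse before copying
            return ("dropped",
                    f"fragment at offset {f.offset_units * 8} would end at byte {end}")
        total = max(total, end)
    return ("ok", total)


if __name__ == "__main__":
    for data in (56, 65507, 65510):      # default ping, largest legal, classic ping of death
        print(f"ping -s {data}:", reassemble(make_fragments(ICMP_HDR_LEN + data)))
```

A default 56-byte ping fits in one 84-byte datagram, 65,507 bytes of data reassembles to exactly 65,535 and is accepted, and 65,510 bytes is refused at its last fragment, which would end at byte 65,538.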

14
Q

A _____ attack happens when an attacker sends a device or system oversized ICMP packets that are bigger than 64KB.

  • Ping of death
  • Internet Control Message Protocol (ICMP) Flood
  • Distributed denial of service (DDoS)
  • SYN (synchronize) flood
A

Ping of death

A ping of death attack is a type of DoS attack caused when an attacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB.

15
Q

What is a Network Protocol Analyzer sometimes called?

A

A Packet Sniffer or a Packet Analyzer

16
Q

What is a network protocol analyzer and how is it commonly used?

A

It is a tool designed to capture and analyze data traffic within a network.

They are commonly used as investigative tools to monitor networks and identify suspicious activity.

17
Q

What are some common network protocol analyzers (5)?

A
  • SolarWinds NetFlow Traffic Analyzer
  • ManageEngine OpManager
  • Azure Network Watcher
  • Wireshark
  • tcpdump
18
Q

What is a tcpdump?

A

A command-line network protocol analyzer.

It is popular and lightweight, meaning it uses little memory and has low CPU usage, and it is built on the open-source libpcap library. tcpdump is text based, meaning all commands are executed in the terminal. It is preinstalled on many Linux distributions and can also be installed on other Unix-based operating systems, such as macOS®.

tcpdump provides a brief packet analysis and converts key information about network traffic into formats easily read by humans. It prints information about each packet directly into your terminal, including the source IP address, the destination IP address, and the port numbers being used in the communication.

19
Q

What does tcpdump provide?

A

tcpdump prints the output of the command as the sniffed packets in the command line, and optionally to a log file, after a command is executed. The output of a packet capture contains many pieces of important information about the network traffic.

20
Q

What are some information you receive from a packet capture?

A
  • Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of a second.
  • Source IP: The packet’s origin is provided by its source IP address.
  • Source port: This port number is where the packet originated.
  • Destination IP: The destination IP address is where the packet is being transmitted to.
  • Destination port: This port number is where the packet is being transmitted to.

Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It will also replace port numbers with the names of the services commonly associated with them. Passing -n disables address resolution and -nn also disables port-to-service resolution; during an investigation this is usually what you want, because resolution is slow and sends DNS queries from the analyst's host.

21
Q

What are tcpdump and other network protocol analyzers commonly used for?

A

They are used to capture and view network communications and to collect statistics about the network, such as troubleshooting network performance issues.

They can also be used to:
* Establish a baseline for network traffic patterns and network utilization metrics.
* Detect and identify malicious traffic
* Create customized alerts to send the right notifications when network issues or security threats arise.
* Locate unauthorized instant messaging (IM) traffic or wireless access points.

22
Q

Define botnet

A

A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder.”

Each computer in the botnet can be remotely controlled to send a data packet to a target system.

In a botnet attack, cyber criminals instruct all the bots on the botnet to send data packets to the target system at the same time, resulting in a DDoS attack.
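Added example, not part of the original cards or of tcpdump itself: parsing tcpdump -n output and applying the detection use described in cards 20 to 22, in Python. The parser pulls the timestamp, source and destination addresses, ports and TCP flags (or ICMP message type) from each line. A SYN whose source address and port never send a later non-SYN segment to the same destination is counted as half-open; many half-open entries against one destination is the SYN flood signature, and a high echo-request count arriving from many different sources is the botnet-style ICMP flood from card 22. The capture lines are constructed for the example (one completed handshake, then generated flood lines from TEST-NET addresses), and the thresholds are assumptions to tune against a baseline of your own traffic.

```python
"""Detect SYN-flood and ICMP-flood patterns in tcpdump -n text output.

Only the default line shape tcpdump prints with -n is assumed:
  HH:MM:SS.ffffff IP SRC.SPORT > DST.DPORT: Flags [S], seq ..., length 0
  HH:MM:SS.ffffff IP SRC > DST: ICMP echo request, id ..., seq ..., length 64
Capture lines below are constructed for this example.
"""
import re
from collections import defaultdict

TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<kind>echo request|echo reply)")


def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None for other protocols."""
    for proto, rx in (("tcp", TCP_RE), ("icmp", ICMP_RE)):
        m = rx.match(line)
        if m:
            return {"proto": proto, **m.groupdict()}
    return None


def analyze(lines, half_open_limit=50, echo_limit=100):
    """Return a list of findings, one per destination that crosses a threshold."""
    half_open = defaultdict(dict)      # "dst:port" -> {(src, sport): first SYN ts}
    echo_sources = defaultdict(set)    # dst -> sources that sent echo requests
    echo_count = defaultdict(int)      # dst -> number of echo requests
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["proto"] == "tcp":
            target = f'{p["dst"]}:{p["dport"]}'
            client = (p["src"], p["sport"])
            if p["flags"] == "S":                        # bare SYN: handshake step 1
                half_open[target].setdefault(client, p["ts"])
            elif "S" not in p["flags"]:                  # ACK, data or RST from the client
                half_open[target].pop(client, None)      # handshake completed or aborted
        elif p["kind"] == "echo request":
            echo_count[p["dst"]] += 1
            echo_sources[p["dst"]].add(p["src"])
    findings = []
    for target, entries in half_open.items():
        if len(entries) >= half_open_limit:
            findings.append({"type": "syn_flood", "target": target,
                             "half_open": len(entries),
                             "sources": len({src for src, _ in entries})})
    for dst, n in echo_count.items():
        if n >= echo_limit:
            findings.append({"type": "icmp_flood", "target": dst, "requests": n,
                             "sources": len(echo_sources[dst]),
                             "distributed": len(echo_sources[dst]) > 1})
    return findings


def sample_capture():
    """Constructed: one completed handshake, a spoofed SYN flood, a 12-host ICMP flood."""
    srv = "198.51.100.10"
    lines = [
        f"10:00:00.000100 IP 192.0.2.44.51000 > {srv}.443: Flags [S], seq 1, win 64240, length 0",
        f"10:00:00.000400 IP {srv}.443 > 192.0.2.44.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
        f"10:00:00.000600 IP 192.0.2.44.51000 > {srv}.443: Flags [.], ack 10, win 64240, length 0",
    ]
    for i in range(60):     # 60 SYNs from 60 spoofed sources, none of which ever ACKs
        lines.append(f"10:00:01.{i:06d} IP 203.0.113.{i + 1}.{40000 + i} > {srv}.443: "
                     f"Flags [S], seq {i}, win 1024, length 0")
    for i in range(120):    # 120 echo requests spread over 12 bot hosts
        lines.append(f"10:00:02.{i:06d} IP 203.0.113.{200 + i % 12} > {srv}: "
                     f"ICMP echo request, id {i}, seq 1, length 64")
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_capture()):
        print(finding)
```

On a live host the matching capture is `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn or icmp'`, which keeps only bare SYNs and ICMP; add `-w flood.pcap` to keep the packets for later analysis in Wireshark. The legitimate client's `[.]` ACK removes its half-open entry, so only the 60 spoofed SYNs remain against 198.51.100.10:443, and the 120 echo requests are attributed to 12 distinct sources, which is what distinguishes a distributed flood from a single noisy host.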

23
Q

What type of attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic?

  • Distributed Denial of Service (DDoS) attack
  • Denial of Service (DoS) attack
  • Tailgating attack
  • Phishing attack
A

Distributed Denial of Service (DDoS) attack

A DDoS attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic.

24
Q

What type of attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake?

  • ICMP flood
  • SYN flood attack
  • SYN-ACK flood attack
  • On-path attack
A

SYN flood attack

A SYN flood attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake. This overwhelms the server, making it unable to function.

25
Q

Which types of attacks take advantage of communication protocols by sending an overwhelming number of requests to a server? Select all that apply.

  • SYN flood attack
  • TCP connection attack
  • Tailgating attack
  • ICMP flood attack
A
  • SYN flood attack
  • ICMP flood attack

ICMP flood and SYN flood attacks take advantage of communication protocols by sending an overwhelming number of requests to a server.

26
Q

The Denial of Service (DoS) attack _____ is caused when an attacker sends a system an ICMP packet that is bigger than 64KB.

  • Ping of Death
  • ICMP flood
  • SYN flood
  • On-path
A

Ping of Death

The DoS attack Ping of Death is caused when an attacker sends a system an ICMP packet that is bigger than 64KB.