Module 3 - 03-3 Flashcards
Network attack tactics and defense
What are common network intrusion attacks (4)?
- Malware
- Spoofing
- Packet sniffing
- Packet flooding
How is an organization harmed by attacks (4)?
- Leaking valuable or confidential information
- Damaging an organization’s reputation
- Impacting customer retention
- Costing money and time
Which of the following are common network attacks? Select all that apply.
- Malware
- Proxy servers
- Spoofing
- Packet flooding
- Malware
- Spoofing
- Packet flooding
- Spoofing, packet flooding, and malware are all common network attacks.
How do network interception attacks work?
Network interception attacks work by intercepting network traffic and stealing valuable information or interfering with the transmission in some way.
What are attacks that intercept data packets as they travel across a network called?
Interception attacks
What are two types of interception attacks used in network attacks?
- Packet sniffing
- IP spoofing
What is referred to as using hardware or software tools to capture and inspect data in transit?
Packet sniffing
What is a Backdoor attack?
In cybersecurity, backdoors are weaknesses intentionally left by programmers or system and network administrators that bypass normal access control mechanisms.
Backdoors are intended to help programmers conduct troubleshooting or administrative tasks.
However, backdoors can also be installed by attackers after they’ve compromised an organization to ensure they have persistent access.
Once the hacker has entered an insecure network through a backdoor, they can cause extensive damage: installing malware, performing a denial of service (DoS) attack, stealing private information, or changing other security settings that leave the system vulnerable to other attacks.
What are potential consequences of network attacks on an organization?
- Financial: When a system is taken offline with a DoS attack or some other tactic, it prevents a company from performing tasks that generate revenue. Depending on the size of an organization, interrupted operations can cost millions of dollars. Reparation costs to rebuild software infrastructure and to pay large sums associated with potential ransomware can be financially difficult. In addition, if a malicious actor gets access to the personal information of the company’s clients or customers, the company may face heavy litigation and settlement costs if customers seek legal recourse.
- Reputation: Attacks can also have a negative impact on the reputation of an organization. If it becomes public knowledge that a company has experienced a cyber attack, the public may become concerned about the security practices of the organization. They may stop trusting the company with their personal information and choose a competitor to fulfill their needs.
- Public safety: If an attack occurs on a government network, this can potentially impact the safety and welfare of the citizens of a country. In recent years, defense agencies across the globe have been investing heavily in combating cyber warfare tactics. If a malicious actor gained access to a power grid, a public water system, or even a military defense communication system, the public could face physical harm due to a network intrusion attack.
What does DoS stand for?
Denial of Service (DoS)
Define DoS attack
An attack that targets a network or server and floods it with network traffic.
What is the objective of a denial of service attack, or a DoS attack?
To disrupt normal business operations by overloading an organization’s network.
The goal of the attack is to send so much information to a network device that it crashes or is unable to respond to legitimate users. This means that the organization won’t be able to conduct their normal business operations, which can cost them money and time. A network crash can also leave them vulnerable to other security threats and attacks.
A class of attacks where the attacker prevents the compromised system from performing legitimate activity or responding to legitimate traffic.
Unlike in IP spoofing, however, the attacker will not receive a response from the targeted host. Everything about the data packet is authorized, including the IP address in the header of the packet. In IP spoofing attacks, by contrast, the malicious actor uses IP packets containing fake IP addresses, and keeps sending IP packets containing fake IP addresses until the network server crashes.
What does DDoS stand for?
Distributed Denial of Service Attack (DDoS)
Define DDoS attack
A kind of DoS attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic.
Use of numerous devices makes it more likely that the total amount of traffic sent will overwhelm the target server.
Remember, DoS stands for denial of service. So it doesn’t matter what part of the network the attacker overloads; if they overload anything, they win.
What is the focus of network level DoS attacks?
To target network bandwidth to slow traffic
What are three common network level DoS attacks?
- SYN flood attack
- ICMP flood attack
- Ping of death
What does SYN stand for?
Synchronize
Define SYN flood attack
A type of DoS attack that simulates the TCP connection and floods the server with SYN packets.
Explain the TCP handshake process to establish a connection between a device and a server
The first step in the handshake is for the device to send a SYN, or synchronize, request to the server.
Then, the server responds with a SYN/ACK packet to acknowledge the receipt of the device’s request and leaves a port open for the final step of the handshake.
Once the server receives the final ACK packet from the device, a TCP connection is established.
How can malicious actors take advantage of the TCP handshake?
Malicious actors can take advantage of the protocol by flooding a server with SYN packet requests for the first part of the handshake.
But if the number of SYN requests is larger than the number of available ports on the server, then the server will be overwhelmed and become unable to function.
What does ACK stand for?
Acknowledge
What does ICMP stand for?
Internet Control Message Protocol (ICMP)
Define ICMP
An internet protocol used by devices to tell each other about data transmission errors across the network.
Think of ICMP like a request for a status update from a device.
The device will return error messages if there is a network concern.
You can think of this like the ICMP request checking in with the device to make sure that all is well.
Define ICMP flood attack
A type of DoS attack performed by an attacker repeatedly sending ICMP packets to a network server.
This forces the server to send an ICMP packet in response to each one. This eventually uses up all the bandwidth for incoming and outgoing traffic and causes the server to crash.
What is an attack that can overwhelm the server with one big request?
Ping of death
Define Ping of death attack
A type of DoS attack that is caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64 kilobytes, the maximum size for a correctly formed ICMP packet.
Pinging a vulnerable network server with an oversized ICMP packet will overload the system and cause it to crash.
Think of this like dropping a rock on a small anthill. Each individual ant can carry a certain amount of weight while transporting food to and from the anthill. But if a large rock is dropped on the anthill, then many ants will be crushed, and the colony is unable to function until it rebuilds its operations elsewhere.
What is the maximum size for a correctly formed ICMP packet?
64 kilobytes
A _____ attack happens when an attacker sends a device or system oversized ICMP packets that are bigger than 64KB.
- Ping of death
- Internet Control Message Protocol (ICMP) Flood
- Distributed denial of service (DDoS)
- SYN (synchronize) flood
Ping of death
A ping of death attack is a type of DoS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB.
Define tcpdump
tcpdump is a command-line network protocol analyzer.
It is popular, lightweight (it uses little memory and has low CPU usage), and uses the open-source libpcap library. tcpdump is text based, meaning all commands in tcpdump are executed in the terminal. It is preinstalled on many Linux distributions and can also be installed on other Unix-based operating systems, such as macOS®.
tcpdump provides a brief packet analysis and converts key information about network traffic into formats easily read by humans. It prints information about each packet directly into your terminal. tcpdump also displays the source IP address, destination IP address, and the port numbers being used in the communications.
Network protocol analyzers, like tcpdump, are common tools that can be used to monitor network traffic patterns and investigate suspicious activity. tcpdump is a command-line network protocol analyzer that is compatible with Linux/Unix and macOS®. When you run a tcpdump command, the tool will output packet routing information, like the timestamp, source IP address and port number, and the destination IP address and port number. Unfortunately, attackers can also use network protocol analyzers to capture data packets that contain sensitive information, such as account usernames and passwords.
What information do you receive from a tcpdump packet capture?
- Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of a second.
- Source IP: The packet’s origin is provided by its source IP address.
- Source port: This port number is where the packet originated.
- Destination IP: The destination IP address is where the packet is being transmitted to.
- Destination port: This port number is where the packet is being transmitted to.
Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It’ll also replace port numbers with commonly associated services that use these ports.
What does URL stand for?
Uniform Resource Locator (URL)
Define botnet
A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder.”
Each computer in the botnet can be remotely controlled to send a data packet to a target system.
Define botnet attack
In a botnet attack, cyber criminals instruct all the bots on the botnet to send data packets to the target system at the same time, resulting in a DDoS attack.
What type of attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic?
- Distributed Denial of Service (DDoS) attack
- Denial of Service (DoS) attack
- Tailgating attack
- Phishing attack
Distributed Denial of Service (DDoS) attack
A DDoS attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic.
What type of attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake?
- ICMP flood
- SYN flood attack
- SYN-ACK flood attack
- On-path attack
SYN flood attack
A SYN flood attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake. This overwhelms the server, making it unable to function.
The Denial of Service (DoS) attack _____ is caused when a hacker sends a system an ICMP packet that is bigger than 64KB.
- Ping of Death
- ICMP flood
- SYN flood
- On-path
Ping of Death
Which types of attacks take advantage of communication protocols by sending an overwhelming number of requests to a server? Select all that apply.
- SYN flood attack
- TCP connection attack
- Tailgating attack
- ICMP flood attack
- SYN flood attack
- ICMP flood attack
ICMP flood and SYN flood attacks take advantage of communication protocols by sending an overwhelming number of requests to a server.
What do Data Packets include?
- Header
- Body
- Footer
The header contains the sender’s and receiver’s IP addresses.
The body may contain valuable information like names, dates of birth, personal messages, financial information, and credit card numbers.
Define Packet sniffing
The practice of using software tools to observe data as it moves across a network.
Which part of a data packet might contain valuable information about the data in transit?
- Footer
- Body
- Network
- Header
Body
The body of a data packet may contain sensitive information such as credit card numbers, dates of birth, or personal messages. Malicious actors can use the information contained in the body of a data packet to their advantage.
How can malicious actors use packet sniffing?
Malicious actors may use packet sniffing to look at data that has not been sent to them. This is a little bit like opening somebody else’s mail.
Malicious actors may insert themselves in the middle of an authorized connection between two devices. Then they can use packet sniffing to spy on every data packet as it comes across their device. The goal is to find valuable information in the data packets that they can then use to their advantage. Attackers can use software applications or a hardware device to look into data packets. Malicious actors can access a network packet with a packet sniffer and make changes to the data. They may change the information in the body of the packet, like altering a recipient’s bank account number.
Define Passive packet sniffing
A type of attack where data packets are read in transit.
Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting.
Thinking back to the example of a letter being delivered, we can compare a passive packet sniffing attack to a postal delivery person maliciously reading somebody’s mail. The postal worker, or packet sniffer, has the right to deliver the mail, but not the right to read the information inside.
Define Active packet sniffing
A type of attack where data packets are manipulated in transit.
This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains.
An active packet sniffing attack would be like a neighbor telling the delivery person “I’ll deliver that mail for you,” and then reading the mail or changing the letter before putting it in your mailbox. Even though your neighbor knows you, and even if they deliver it to the correct house, they are actively going out of their way to engage in malicious behavior.
What are some ways to protect against malicious packet sniffing?
- Use a VPN to encrypt and protect data as it travels across the network. When you use a VPN, hackers might interfere with your traffic, but they won’t be able to decode it and read your private information.
- Make sure that websites use HTTPS at the beginning of the domain address. HTTPS uses SSL/TLS to encrypt data and prevent eavesdropping when malicious actors spy on network transmissions.
- Avoid using unprotected Wi-Fi (unless you have a VPN service already installed on your device). On an unprotected network, anyone on the network can access all of the data traveling to and from your device.
Define IP spoofing
A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network.
In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic.
What are some common IP spoofing attacks?
- On-path attacks
- Replay attacks
- Smurf attacks
Define On-path attack
An attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit.
On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses of the devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.
The transmission between these two trusted network devices could contain valuable information like usernames and passwords that the malicious actor can collect.
Or, it could be that the intercepted transmission contains a DNS lookup. A DNS server translates website domain names into IP addresses. If a malicious actor intercepts a transmission containing a DNS lookup, they could spoof the DNS response from the server and redirect a domain name to a different IP address, perhaps one that hosts malicious code or other threats.
The most important way to protect against an on-path attack is to encrypt your data in transit, e.g. using TLS.
What is an on-path attack sometimes referred to as?
Meddler-in-the-middle attack
Define Replay attack
A network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time.
A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user.
Define Smurf attack
A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user’s IP address and floods it with packets. Once the spoofed packet reaches the broadcast address, it is sent to all of the devices and servers on the network. This overwhelms the target computer and can bring down a server or the entire network.
Which of the following attacks use IP spoofing? Select three answers.
- Replay attack
- Smurf attack
- On-path attack
- Tailgating
- Replay attack
- Smurf attack
- On-path attack
Replay attacks, on-path attacks, and smurf attacks are common types of IP spoofing attacks.
A replay attack is a network attack performed when an attacker intercepts a data packet in transit and delays it or repeats it at another time.
A smurf attack is when an attacker sniffs an authorized user’s IP address and floods it with packets.
An on-path attack is an attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit.
How can you protect a network from IP spoofing?
Encryption should always be implemented so that the data in your network transfers can’t be read by malicious actors.
Firewalls can be configured to protect against IP spoofing.
IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender’s address of the data packet to match the target network’s address. So if a firewall receives a data packet from the internet where the sender’s IP address is the same as the private network, then the firewall will deny the transmission since all the devices with that IP address should already be on the local network.
You can make sure that your firewalls are configured correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network.
What does NIC stand for?
Network Interface Card (NIC)
Define NIC
A piece of hardware that connects the device to a network.
The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol. This occurs in all standard network operations.
However, a NIC can be set to promiscuous mode, which means that it accepts all traffic on the network, even the packets that aren’t addressed to the NIC’s device.
Passive packet sniffing involves data packets being manipulated while in transit, which may include injecting internet protocols to redirect the packets to unintended ports or changing the information the packet contains.
- True
- False
False
Active packet sniffing is a type of attack that involves data packets being manipulated while in transit. This can include injecting internet protocols to redirect the packets to unintended ports or changing the information the packet contains. Passive packet sniffing is a type of attack where data packets are read in transit.
A security analyst can protect against malicious packet sniffing by _____ to encrypt data as it travels across a network.
- using only websites with HTTP at the beginning of their domain addresses
- using a network hub
- using a VPN
- using free public Wi-Fi
using a VPN
A VPN is a network security service that changes a public IP address and hides a virtual location to keep data private when using a public network.
Which type of attack involves an attacker changing the source IP of a data packet to impersonate an authorized system and gain access to the network?
- IP spoofing
- On-path attack
- Ping of death
- Replay attack
IP spoofing
IP spoofing involves an attacker changing the source IP of a data packet to impersonate an authorized system and gain access to the network.
An on-path attack involves a malicious actor placing themselves in the middle of an authorized connection and intercepting or altering the data in transit.
Which of the following statements accurately describes a smurf attack?
- A network attack performed when an attacker intercepts a data packet in transit and delays it or repeats it at another time
- A DoS attack that is caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than the maximum size
- A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with packets
- A DoS attack performed by an attacker repeatedly sending ICMP packets to a network server
A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with packets
A smurf attack is a network attack performed when an attacker sniffs an authorized user’s IP address and floods it with packets. It is a combination of a DDoS attack and an IP spoofing attack