What is a Denial of Service (DoS) attack?
An attack that makes a computer, server, or network unavailable to legitimate users by overwhelming resources or exploiting vulnerabilities.
What’s the goal of a DoS attack?
To disrupt normal operations and deny service to valid users.
What is a Distributed Denial of Service (DDoS) attack?
An advanced form of DoS where multiple compromised machines (bots) coordinate to flood a single target.
What is a ping flood attack?
An attacker sends excessive ICMP echo requests (pings) to exhaust the target's bandwidth or processing capacity.
How is a ping flood mitigated?
Block ICMP echo replies at the firewall—this causes attacker timeouts without affecting service.
What is a SYN flood attack?
Exploits the TCP three-way handshake by sending SYNs without completing the handshake, consuming server connection slots.
How do you mitigate SYN floods?
Use flood guards
Shorten SYN timeout
Deploy an Intrusion Prevention System (IPS)
What is Permanent Denial of Service (PDoS)?
A destructive attack that corrupts firmware to permanently disable a device.
What is a fork bomb?
A self-replicating process that rapidly consumes CPU and memory by exponentially creating child processes.
Is a fork bomb a worm?
No—it stays local to the attacked system and does not spread like a worm.
Why is DDoS more effective than DoS?
Because it uses multiple devices (botnets) to flood the target, bypassing modern defenses.
What is a botnet?
A network of compromised machines (bots) under control of an attacker, used to launch coordinated attacks.
What’s a DNS amplification attack?
An attacker sends small DNS requests with a spoofed victim IP, triggering large DNS replies sent to the victim.
How does DNS amplification amplify traffic?
Small queries return large DNS responses, flooding the target using minimal effort.
What was significant about the GitHub DDoS in 2018?
It reached 1.35 Tbps, briefly taking the site offline—yet GitHub recovered in 5 minutes, showcasing strong defenses.
What is blackholing or sinkholing?
Redirecting malicious traffic to a non-existent IP, discarding it before reaching the target.
What are limitations of blackholing?
Attackers can change IPs quickly, bypassing the sinkhole.
How do Intrusion Prevention Systems (IPS) help?
They can detect and block smaller-scale DoS but struggle with large-scale DDoS.
What is elastic cloud infrastructure?
An architecture that automatically scales resources to absorb high traffic during DDoS.
What's the downside of elastic scaling during a DDoS?
It can result in high cloud bills even for malicious, non-revenue-generating traffic.
What do companies like CloudFlare and Akamai offer for DDoS mitigation?
Web application firewalls + CDNs that filter and absorb traffic before it reaches the origin server.
Why are these services effective?
They offer robust, multi-layer defenses designed to withstand massive-scale attacks.
What are signs of a SYN flood on a test?
A web service is slow or unresponsive with lots of incomplete TCP handshakes.
What’s a hint that an attack is a DNS amplification?
Look for mention of spoofed DNS requests and disproportionately large responses.
What is the Domain Name System (DNS)?
It’s a core Internet component that translates human-readable domain names (like example.com) into IP addresses (like 192.0.2.1).
Why is DNS a common attack target?
Because compromising DNS can redirect traffic, disrupt services, or steal data.
What is DNS Cache Poisoning?
Corrupting a DNS resolver’s cache with false DNS records to redirect users to malicious sites.
How does DNS cache poisoning work?
An attacker injects fraudulent DNS records into a resolver’s cache, fooling users into visiting fake sites.
How do you mitigate DNS cache poisoning?
Use DNSSEC for authentication
Enforce secure network configurations and firewalls
What is a DNS amplification attack?
A DDoS attack where small queries trigger large responses from open DNS servers, overwhelming a victim.
How does DNS amplification use spoofed IPs?
The attacker sends requests with the victim's IP, so replies flood the victim, not the attacker.
How do you mitigate DNS amplification?
Rate limiting and response size limits
Disable open resolvers
What is DNS tunneling?
Using DNS queries to encapsulate non-DNS traffic (e.g., HTTP, SSH) and bypass firewall inspection.
Why is DNS tunneling dangerous?
It’s a covert channel for command-and-control (C2) or data exfiltration through Port 53.
How do you detect or prevent DNS tunneling?
Monitor DNS logs for anomalies
Use Deep Packet Inspection (DPI)
Implement DNS firewalling
What is domain hijacking?
Unauthorized takeover of a domain name’s registration, allowing attackers to redirect traffic or deface content.
How do attackers hijack domains?
Through access to registrar accounts via phishing or weak credentials.
How do you mitigate domain hijacking?
2FA and strong passwords on registrar accounts
Registry lock services
Regularly update domain contact/security settings
What is a DNS zone transfer attack?
An attacker obtains entire DNS zone data by exploiting misconfigured DNS servers.
Why is zone transfer leakage dangerous?
It reveals internal IPs, hostnames, and services—valuable for reconnaissance.
How do you prevent zone transfer attacks?
Restrict zone transfers to trusted servers
Use Access Control Lists (ACLs)
What’s the key to protecting DNS infrastructure?
Apply DNSSEC
Secure DNS server configurations
Monitor logs and traffic
Enforce strong registrar security
What is an injection attack?
A type of attack where malicious input is inserted into an application interface to manipulate application logic or system behavior.
What is a directory traversal (path traversal) attack?
An attack that uses special character sequences to access files and directories outside the web root.
What characters are commonly used in directory traversal?
../ on Linux/macOS and ..\ on Windows.
What is the goal of a directory traversal attack?
To read or execute files outside the web-accessible directory, such as /etc/shadow.
How does a traversal path like ../../../../etc/shadow work?
Each ../ moves up one directory level from the web root to reach sensitive files.
What determines whether an attacker can access a file?
Whether the web server process has permission to read or execute the targeted file.
How does platform specificity affect traversal?
Linux/macOS: ../ (forward slash)
Windows: ..\ (backslash), but often accepts ../
What is URL encoding in traversal attacks?
Encoding ../ as %2e%2e%2f to bypass basic filters.
What is file inclusion?
A vulnerability where an attacker forces the web app to include a local or remote file during execution.
What is Remote File Inclusion (RFI)?
Attacker injects a URL to a remote script that the web app downloads and runs.
What is Local File Inclusion (LFI)?
Attacker points to a local file on the server, forcing the app to execute it.
What is a null byte injection (%00)?
Used in LFI to terminate file paths early, bypassing extensions like .php.
How does input validation help prevent directory traversal?
By blocking dangerous characters and accepting only known-safe patterns.
What’s better: whitelisting or blacklisting input?
Whitelisting, because blacklisting can miss obfuscated threats.
How does the Principle of Least Privilege apply?
Run web servers with minimum necessary access, limiting file exposure if exploited.
What can a Web Application Firewall (WAF) do?
Detect and block common traversal patterns and file inclusion attempts.
How does secure configuration help?
Store sensitive files outside the web document root, making them inaccessible to traversal.
What log pattern indicates a directory traversal attempt?
Presence of ../ or ..\ in a URL or parameter.
What’s the relationship between directory traversal and LFI?
LFI is a specific type of directory traversal, where local files are included and executed.
What’s the primary goal of RFI attacks?
Remote code execution by running attacker-controlled scripts.
What is Arbitrary Code Execution (ACE)?
A vulnerability that allows an attacker to run their own code on a victim’s machine.
How is ACE typically exploited?
By leveraging access (local or partial compromise) to execute attacker-supplied code.
What is Remote Code Execution (RCE)?
A specific form of ACE where attackers execute code on a system remotely over a network.
How does RCE differ from ACE?
RCE is network-based, whereas ACE may require local presence or access.
What is privilege escalation?
When a user or process gains higher access rights than intended or authorized.
What is vertical privilege escalation?
A standard user gains elevated privileges (e.g., administrator/root).
What is horizontal privilege escalation?
A user accesses another user’s resources at the same privilege level.
Why is privilege level important in attacks?
Code injected into an application runs with that application's privileges, possibly enabling further compromise.
What is a rootkit?
Malware designed to conceal its presence and maintain persistent, privileged access to a system.
What makes rootkits dangerous?
They are stealthy, persistent, and capable of installing malware, creating backdoors, and hiding network activity.
What are system privilege rings?
A hierarchical structure in operating systems used to control access:
Ring 0 – Kernel Mode (highest privilege)
Ring 3 – User Mode (least privilege)
What is a kernel-mode rootkit?
Operates at Ring 0, giving it complete control and making it very difficult to detect or remove.
What is a user-mode rootkit?
Operates at Ring 3, relying on OS components for persistence—less powerful than kernel-mode, but still significant.
ACE vs. RCE – what’s the key difference?
ACE = local or internal execution, RCE = execution over a network.
How are privilege escalation attacks categorized?
Vertical = gaining higher-level access
Horizontal = accessing peer-level data/resources
What’s a telltale sign of a rootkit?
Unexplained system behavior, logs missing, or processes that vanish from task lists.
What is a replay attack?
A network-based attack where valid data is maliciously rebroadcast, repeated, or delayed to perform unauthorized actions.
How does a replay attack work?
The attacker captures legitimate data transmissions and resends them later to trick a system into reprocessing them.
How is a replay attack different from session hijacking?
Replay attack: Reuses previously captured data.
Session hijacking: Manipulates an active session in real time.
What’s an example of a replay attack?
An attacker intercepts a user’s login credentials or session token during a bank login and reuses them later to gain account access.
What can an attacker do with a replayed session?
Gain unauthorized access
Perform transactions
Potentially lock out the real user
How do session tokens defend against replay attacks?
They are unique and time-limited. Once used or expired, a replayed token is rejected.
What are nonces used for?
Nonces are “numbers used once”—they make each session unique and prevent reuse.
How does Multi-Factor Authentication (MFA) help?
MFA requires an extra verification step, preventing access even if credentials are replayed.
How do secure protocols like WPA3 help?
They ensure session uniqueness and encrypt communications, preventing reuse of captured data.
What is the role of timestamps and sequence numbers?
They allow systems to detect outdated or duplicate packets, signaling a possible replay attempt.
What is a cryptographic challenge-response?
The server sends a random challenge, which the client encrypts and returns—ensuring the response is fresh and unique.
What’s the core defense strategy against replay attacks?
Combine robust session management, authentication, and modern secure protocols to invalidate reused transmissions.
What is the primary purpose of session management in web applications?
To uniquely identify a user and maintain their data state
Why are cookies used in web applications?
Because HTTP is a stateless protocol
What happens to session cookies when the browser is closed?
They are deleted automatically
What is session hijacking?
An attack where the attacker takes control of a valid session
How can session prediction attacks be prevented?
By generating session tokens using non-predictable algorithms
What is cookie poisoning?
Modifying the contents of a cookie to exploit vulnerabilities
What is a mitigation strategy against cookie poisoning?
Encrypting cookies during transmission and storage
What is the difference between session cookies and persistent cookies?
Session cookies are deleted when the browser closes, while persistent cookies remain until manually deleted or expired
Why is it important to encrypt cookies?
To maintain confidentiality of sensitive data
What is a key characteristic of a secure session token?
It is a one-time use ticket for the session duration