Flashcard 1
Q: What is a network
A: A network is a collection of interconnected computers with shared resources that must be protected from unwanted inspection, modification, and attacks.
Flashcard 2
Q: How is network security defined
A: Network security is about protecting the network infrastructure to ensure the integrity, confidentiality, and availability of resources.
Flashcard 3
Q: Why can switched Ethernet hinder direct packet sniffing
A: Switched Ethernet forwards packets only to the intended recipient’s port, making direct sniffing more difficult than in a hub-based network.
Flashcard 4
Q: What is MAC flooding
A: MAC flooding involves overwhelming a switch with bogus MAC addresses to overflow its address table, causing it to behave like a hub and broadcast traffic to all ports.
Flashcard 5
Q: How does MAC duplicating (or cloning) work as an attack
A: An attacker sets their host’s MAC address to match that of a target machine, bypassing MAC-based filtering and receiving traffic intended for the target.
Flashcard 6
Q: What is the purpose of the Address Resolution Protocol (ARP)
A: ARP maps IP addresses to MAC addresses within a local network, enabling proper Ethernet communication between hosts.
Flashcard 7
Q: How does ARP spoofing (or poisoning) work
A: In ARP spoofing, an attacker sends forged ARP replies to victims to poison their ARP cache, redirecting traffic through the attacker’s machine for interception or manipulation.
Flashcard 8
Q: What is the effect of ARP spoofing in a switched network
A: It enables a man-in-the-middle (MITM) attack where the attacker can intercept, modify, or drop data between two victim hosts.
Flashcard 9
Q: What are some common ARP spoofing defenses
A: Defenses include using static ARP entries for critical addresses, cache poisoning resistance measures (like ignoring unsolicited replies), and monitoring tools such as arpwatch.
Flashcard 10
Q: What is the purpose of DHCP in a network
A: DHCP dynamically assigns IP addresses and other network configuration details (like default gateway and DNS servers) to hosts on a network.
Flashcard 11
Q: How can an attacker exploit DHCP through server spoofing
A: By operating a rogue DHCP server, an attacker can assign malicious IP configurations (such as a bogus default gateway), redirecting traffic to enable MITM attacks.
Flashcard 12
Q: What is DHCP starvation
A: DHCP starvation occurs when an attacker floods the DHCP server with fake requests using spoofed MAC addresses, exhausting the available IP addresses and denying service to legitimate clients.
Flashcard 13
Q: What role does DHCP snooping play in defense
A: DHCP snooping filters DHCP packets on untrusted ports, maintains a binding table of legitimate leases, and helps prevent rogue DHCP servers and starvation attacks.
Flashcard 14
Q: What is a port in networking, and why is it important
A: A port is an endpoint for network communications, and knowing which ports are open on a host helps determine which services are running and potentially exploitable.
Flashcard 15
Q: How can attackers use port scanning
A: Attackers use tools like nmap, ZMap, or Shodan to scan for open ports, fingerprint services, and gather information for subsequent exploits.
Flashcard 16
Q: What is the significance of TCP’s three-way handshake
A: The three-way handshake (SYN, SYN-ACK, ACK) establishes a reliable TCP connection; understanding it is key to recognizing various TCP-based scans and attacks.
Flashcard 17
Q: What are common TCP flags, and what do they do
A: Common TCP flags include SYN (initiate connection), ACK (acknowledge receipt), FIN (finish communication), and RST (reset connection), each controlling aspects of connection management.
Flashcard 18
Q: What is a SYN scan, and why is it used
A: A SYN scan (half-open scan) sends a SYN packet to initiate a connection; if a SYN-ACK is received, the port is considered open. It’s fast and stealthier than a full connection scan.
Flashcard 19
Q: How does a FIN scan differ from other TCP scans
A: In a FIN scan, a FIN packet is sent to a port; closed ports typically reply with an RST, while open ports usually ignore the FIN, helping determine port status.
Flashcard 20
Q: What is TCP fingerprinting
A: TCP fingerprinting analyzes how a host responds to specific TCP packets to deduce its operating system and software version, using variations in parameters like initial packet size, TTL, and window size.
Flashcard 21
Q: What is TCP hijacking
A: TCP hijacking involves injecting spoofed TCP segments with correct sequence and acknowledgment numbers to insert data or reset connections, potentially desynchronizing the legitimate session.
Flashcard 22
Q: What is an “ACK storm” in TCP hijacking
A: An ACK storm occurs when injected data causes both endpoints to continuously send acknowledgments in an attempt to resynchronize the connection, leading to network congestion.
Flashcard 23
Q: How do hosts resolve domain names to IP addresses
A: Hosts use DNS to convert human-readable domain names into IP addresses, using a distributed system of authoritative name servers and caching mechanisms.
Flashcard 24
Q: What is DNS cache poisoning
A: DNS cache poisoning occurs when an attacker injects forged DNS responses to corrupt a DNS resolver’s cache, causing users to be redirected to malicious sites.
Flashcard 25
Q: How does the bailiwick check help prevent DNS cache poisoning
A: Bailiwick checking restricts additional data in DNS responses to only the domain originally queried, preventing attackers from injecting unrelated fraudulent records.
Flashcard 26
Q: Why are DNS query IDs and destination port randomization important
A: Randomizing query IDs and using a wide range of ephemeral ports make it harder for attackers to successfully guess the values needed to forge DNS responses.
Flashcard 27
Q: What are secure DNS options that mitigate cache poisoning
A: Options include DNSSEC (which uses digital signatures to validate responses) and DNS over HTTPS (which encrypts DNS traffic).
Flashcard 28
Q: What is TLS, and why is it important
A: TLS (Transport Layer Security) provides encrypted communication, ensuring confidentiality, data integrity, and authentication between clients and servers over a network.
Flashcard 29
Q: How has TLS evolved over time
A: Starting from SSL 1.0 and evolving through SSL 3.0, TLS 1.0, 1.1, 1.2, and 1.3, newer versions address vulnerabilities and improve performance and security standards.
Flashcard 30
Q: What is the role of certificates in TLS
A: Certificates (typically in X.509 format) authenticate the server’s identity and establish a chain of trust, with digital signatures linking certificates to trusted authorities.
Flashcard 31
Q: What is forward secrecy in TLS
A: Forward secrecy ensures that session keys derived during the TLS handshake cannot be recovered even if the server’s private key is compromised later, provided a Diffie-Hellman (DH) suite is used.
Flashcard 32
Q: What is Encrypted ClientHello (ECH) in TLS
A: ECH is a proposed enhancement that encrypts the ClientHello message—hiding the domain the client wants to contact—to prevent eavesdroppers from knowing the target domain.
Flashcard 33
Q: What is a downgrade attack in the context of TLS
A: A downgrade attack forces clients to use older, less secure TLS/SSL versions by interfering with handshake messages, potentially exposing them to known vulnerabilities.
Flashcard 34
Q: What was the TLS POODLE attack
A: The POODLE attack exploited vulnerabilities in SSL 3.0’s CBC padding, allowing attackers to decrypt portions of secure communications when older protocol versions were allowed.
Flashcard 35
Q: What caused the Heartbleed bug in TLS
A: Heartbleed was a bug in OpenSSL’s implementation of the TLS Heartbeat extension that allowed attackers to read random memory, potentially leaking sensitive data like keys and passwords.
Flashcard 36
Q: What is the purpose of security indicators (e.g., locks) in web browsers
A: Security indicators help users identify whether a connection is encrypted via TLS, warn of potential errors (like expired certificates), and encourage safe browsing practices.
Flashcard 37
Q: How can attackers use fingerprinting techniques in network attacks
A: By analyzing network responses, such as variations in TCP/IP header fields or timing differences, attackers can deduce the operating system and software versions, aiding in targeted exploits.
Flashcard 38
Q: What is the role of tools like ZMap and Shodan in network security
A: ZMap performs high-speed, Internet-wide scans to map device distributions, while Shodan searches for connected devices and services—both useful for attackers and defenders during reconnaissance.
Flashcard 39
Q: How do switches and routers affect the way network attacks are conducted
A: They segment and route traffic; however, misconfigurations or inherent design limitations (like MAC flooding or ARP spoofing) can be exploited to bypass security controls.
Flashcard 40
Q: Why are continuous monitoring and timely patching essential for network security
A: Because networks are dynamic and new vulnerabilities (such as those in TLS implementations or DNS configurations) can emerge, proactive monitoring and patching help mitigate risks.