Network Attacks and Defences Lecture 7

A comprehensive set of 50 question-and-answer flashcards covering sniffing, ARP/DHCP, MITM, DoS/DDoS, DNS and DNSSEC, Wi-Fi security, and firewall/IDS concepts from the lecture.


50 Terms

1. What is packet sniffing in network security?

Eavesdropping on network communications by capturing packets in transit.

2. Which element of the CIA triad does packet sniffing primarily violate?

Confidentiality.

3. Why is passive sniffing easy on non-switched (hub) networks?

Hubs send every packet to every port, so any host can see all traffic without special effort.

4. In VirtualBox, which network option simulates a hub to enable sniffing?

Promiscuous Mode = Allow All.

5. Why are layer-1 hubs rare today?

They are noisy, insecure, and inefficient compared with switches.

6. What major risk do open wireless networks pose?

Attackers can freely capture and inspect all unencrypted traffic.

7. What does the tool Driftnet do?

Listens to network traffic and extracts images from observed TCP streams.

8. Name a historic example of a physical network tap operation.

Operation Ivy Bells, where the CIA/Navy tapped Soviet undersea cables.

9. Give one modern hardware device used for network MITM/tapping.

Hak5 LAN Turtle (or an optic-fibre tap).

10. What legitimate switch feature mirrors traffic to a monitoring port?

SPAN (Switch Port Analyzer) / mirror port.

11. What is the purpose of ARP (Address Resolution Protocol)?

To map an IP address to its corresponding MAC address on a LAN.

12. How is an ARP request sent, and how is an ARP reply sent?

Request: broadcast to all hosts; Reply: unicast to the requester.

13. What information is stored in an ARP cache?

IP-to-MAC address mappings learned recently.

14. What is ARP cache poisoning?

Injecting forged ARP replies so a victim stores the attacker’s MAC for a valid IP.

15. Where must the attacker be located to perform ARP poisoning effectively?

On the same subnet/broadcast domain as the victims.

16. Describe MITM via ARP poisoning.

The attacker tricks both the victim and the gateway into mapping each other’s IP to the attacker’s MAC, so traffic between them is relayed through the attacker.

17. Name a switch feature that mitigates ARP cache poisoning.

Dynamic ARP Inspection (DAI).

18. What problem does DHCP solve for a new host?

Provides initial network configuration (IP, DNS server IP, gateway IP).

19. List the four messages in a DHCP handshake in order.

1) Discover, 2) Offer, 3) Request, 4) Acknowledgement.

20. Why are ARP and DHCP vulnerable to spoofing?

They use broadcasts and have no built-in authentication, so the first response wins.

21. Differentiate DoS and DDoS attacks.

DoS uses one source to overwhelm a target; DDoS uses many compromised systems to amplify the effect.

22. What is TCP RST (reset) injection?

Sending forged RST packets with correct ports/sequence numbers to forcibly close a TCP connection.

23. What knowledge does an attacker need for TCP RST injection?

Source/Destination IPs and ports plus correct sequence/ack numbers (often from sniffing).

24. What is a SYN-flooding attack?

Sending a large number of TCP SYNs (often with spoofed IPs) to exhaust a server’s half-open connection table.

25. How do SYN cookies defend against SYN floods?

The server encodes connection state in the SYN-ACK’s sequence number (the cookie) and postpones resource allocation until the client’s ACK proves the connection is legitimate.

26. What is an amplification attack?

Spoofing small requests to services that send large responses, causing traffic amplification toward the victim.

27. Give an example of an amplification attack using ICMP.

Smurf attack: broadcast ICMP echo requests with victim’s spoofed IP; many hosts reply, flooding the victim.

28. How does DNS amplification work?

Spoof DNS queries that yield large responses, so the DNS server floods the victim with amplified traffic.

29. What is hosts-file poisoning?

Altering a local hosts file so domain names resolve to attacker-chosen IPs.

30. Explain DNS cache poisoning via a spoofed UDP response.

The attacker sniffs the query and sends a fake DNS reply faster than the real server, inserting malicious IPs into the cache.

31. What is required for LAN-side DNS spoofing attacks?

The attacker must be on the same subnet and able to sniff traffic (e.g., on open Wi-Fi or via MITM).

32. What cryptographic mechanism does DNSSEC add to DNS records?

Digital signatures (RRSIG) verified with public keys (DNSKEY).

33. How does DNSSEC establish trust in name-server public keys?

A certificate-like chain of DS records from the root down the hierarchy creates inherited trust.

34. List the common Wi-Fi security modes from weakest to strongest (legacy).

Open, WEP, WPA, WPA2 (and WPA3 as the modern option).

35. Why is WEP considered insecure?

It uses RC4 with a 24-bit IV and a fixed key; attackers can collect IVs and recover the key in minutes.

36. State one design goal of WPA2.

Encrypt traffic so attackers without the Wi-Fi password cannot read packets.

37. Briefly describe the purpose of the WPA2 4-way handshake.

It derives a fresh Pairwise Transient Key (PTK) from the pre-shared key (PSK) and nonces, which is then used to encrypt traffic.

38. How can an attacker perform an offline brute-force attack against WPA2-PSK?

Capture the 4-way handshake, guess passwords offline, derive PTK, and verify MIC until a match is found.

39. Name two notable WPA/WPA2 vulnerabilities disclosed after deployment.

Key Reinstallation Attack (KRACK, 2017) and Hashcat’s PMKID offline crack (2018).

40. What 2019 attack highlighted weaknesses in early WPA3 implementations?

Dragonblood attack.

41. What is the primary purpose of a firewall in network security?

To provide a single controlled point for inbound/outbound traffic, enforced according to security policy.

42. How does a stateless (packet-filter) firewall differ from a stateful firewall?

A stateless firewall inspects each packet’s header only; a stateful firewall tracks connection states and can therefore detect spoofed or out-of-sequence packets.

43. What extra visibility does an application-layer (Layer-7) firewall provide?

It examines protocol content (e.g., HTTP) and can therefore block attacks such as SQL injection or XSS.

44. Describe the traditional DMZ segmentation model.

Internet-facing servers are isolated in a DMZ; north-south traffic is restricted, while east-west (internal) traffic is treated more leniently.

45. What is microsegmentation?

Applying granular, zero-trust policies between individual servers or workloads to limit lateral movement.

46. List the three main detection methodologies used by IDS/IPS systems.

Signature-based, anomaly-based, and stateful protocol analysis.

47. What is the difference between IDS and IPS?

An IDS monitors traffic and alerts; an IPS sits inline and can actively block or drop malicious traffic.

48. What tool can monitor ARP traffic to detect poisoning attempts?

arpwatch.

49. Which legacy protocols should be avoided because they transmit data unencrypted?

FTP, Telnet, HTTP, SMTP, etc.

50. Name two secure protocols recommended to protect against sniffing and MITM.

SSL/TLS (e.g., HTTPS) and SSH.