Flowbits in a Suricata rule
Definition: Flowbits is a Suricata keyword that stores or checks state information about a network flow.
Explanation: Flowbits lets one rule “tag” a connection with a flag (e.g., set), and another rule later check that flag (isset, noalert, unset). This enables multi-stage/multi-packet detection.
Distance and Within keywords on Suricata
Distance: number of bytes after the previous match where the next pattern starts.
Within: maximum number of bytes allowed from previous match to the next match. Used to ensure patterns appear in the correct order and proximity.
Proxy & Networking
An intermediary server that handles requests on behalf of a client. It provides caching, filtering, privacy, access control, content inspection, and hides internal clients from outside networks.
Forward Proxy
Sits between internal clients and the internet, sending requests on their behalf to provide filtering, caching, or anonymity.
Reverse Proxy
Sits in front of servers and handles client requests for them, adding load balancing, caching, and security.
Anonymous Proxy
Hides the client's IP address from the destination server but still identifies itself as a proxy.
Transparent Proxy
Intercepts and processes client traffic without requiring any client configuration and without hiding that it's a proxy.
High-Anonymity Proxy
Hides both the client's IP address and the fact that a proxy is being used.
CGI Proxy (Common Gateway Interface)
A web-based proxy accessed through a webpage where the user enters a URL, and the server fetches and displays the content on their behalf. It hides the user's IP and requires no browser configuration but is slower because all content is rewritten by the proxy.
ARP
Maps an IPv4 address to a MAC address on a LAN. Hosts broadcast "Who has IP X?" and the owner replies with its MAC.
ARP Spoofing/Poisoning
Attacker sends forged ARP replies to bind their MAC to a victim's IP → MITM.
Gratuitous ARP Abuse
Fake unsolicited ARP updates to overwrite tables.
DoS via ARP Flooding
Occurs when an attacker sends massive numbers of forged ARP requests or replies, overwhelming a switch or host's ARP table until it becomes full or unstable. This forces the device into fail-open behavior—often reverting the switch to broadcast mode—causing severe network slowdown, packet loss, or complete outage.
IP Fragmentation Attack
Attackers manipulate fragment sizes or create overlapping/tiny fragments to confuse the reassembly process, bypass firewalls, or crash systems that mishandle malformed fragments.
Teardrop Attack
Uses overlapping IP fragments that cause the target's reassembly logic to fail, often crashing older operating systems.
Ping of Death
Sends oversized ICMP packets split into fragments that exceed 65,535 bytes when reassembled, causing buffer overflows.
Tiny Fragment Attack
Splits key header fields across extremely small fragments to evade security devices that can't properly inspect multi-fragment headers.
IP Spoofing
Forges the source IP address in packets to hide the attacker's identity or to trick systems into sending responses to a victim.
UDP Flood
Bombards a target with high-volume UDP packets, forcing it to repeatedly check nonexistent ports and exhausting resources.
Fraggle Attack
A DDoS attack using UDP packets sent to broadcast addresses with a spoofed victim IP, causing all hosts to flood the victim with replies.
UDP Scanning
Uses stateless UDP probes to determine open ports by analyzing whether ICMP "port unreachable" messages are returned.
SYN Flood
Sends many SYN packets without completing the handshake, filling the server's half-open connection table and preventing legitimate connections.
RST Injection
Sends forged TCP RST packets to abruptly terminate an active connection by guessing valid sequence numbers.
TCP Session Hijacking
Predicts or manipulates TCP sequence numbers to insert malicious data into an existing session.
FIN/NULL/Xmas Scans
Use abnormal TCP flag combinations to probe systems and reveal firewall or port behavior based on how they respond.
ICMP Flood
Overwhelms a target with ICMP echo requests or replies, consuming bandwidth and CPU resources.
Smurf Attack
Uses spoofed ICMP echo requests sent to broadcast addresses so that all hosts collectively overwhelm the victim with replies.
ICMP Redirect Attack
Sends forged ICMP redirect messages to trick a host into sending traffic through a malicious router.
ICMP Fragment Attack
Uses fragmented ICMP packets to bypass filters that only inspect the first fragment.
Public Key Cryptography
Uses mathematically linked public and private key pairs so that the public key handles encryption or verification while the private key handles decryption or signing, enabling secure communication without pre-shared secrets.
Diffie-Hellman
A secure key-exchange method where two parties exchange computed public values and independently generate the same shared secret using their private exponents, even over an insecure channel.
Digital Signature Integrity
The sender signs the hash of a message with their private key, and the receiver verifies the signature by decrypting it with the sender's public key and comparing it to their own computed hash.
IPSec AH
Provides authentication and integrity for IP packets but does not encrypt the payload; useful when encryption is not required.
IPSec ESP
Provides confidentiality, integrity, and authentication by encrypting the payload and optionally authenticating the entire packet.
Transport Mode
Protects only the payload of the IP packet, keeping the original header intact for end-to-end host communication.
Tunnel Mode
Encapsulates the entire original IP packet into a new one, enabling secure gateway-to-gateway or site-to-site VPNs.
PPTP
A legacy VPN protocol using GRE and MS-CHAPv2 that offers simple setup but is considered insecure due to weak authentication and outdated encryption.
L2TP
A tunneling protocol that provides no encryption on its own but is typically paired with IPSec to form the secure L2TP/IPSec VPN.
IPSec VPN
A secure VPN solution using AH/ESP with strong cryptography and IKE key management, suitable for site-to-site and remote-access connections.
SSL/TLS VPN
A VPN that uses HTTPS (port 443) to tunnel traffic through encrypted sessions, often requiring no dedicated client and easily traversing firewalls.