Section 15: Network Attacks

DoS and DDoS Attacks - Denial of Service (DoS) floods a network or system with excessive traffic to cause downtime, while Distributed Denial of Service (DDoS) uses multiple devices (botnets) to amplify the attack.

Common Types of DDoS Attacks - Volumetric attacks overwhelm bandwidth, protocol attacks target network infrastructure (e.g., SYN floods), and application-layer attacks disrupt services like HTTP and DNS.

MAC Flooding - Overloads a network switch’s MAC address table by sending excessive fake MAC addresses, forcing it into flooding mode and allowing an attacker to capture unicast traffic.

How to Prevent MAC Flooding - Implement Port Security on switches to limit MAC addresses per port and enable dynamic ARP inspection (DAI).

ARP Attacks - Involve spoofing ARP messages to trick devices into sending traffic to an attacker’s MAC address, enabling Man-in-the-Middle (MitM) attacks and packet sniffing.

How to Prevent ARP Attacks - Use Dynamic ARP Inspection (DAI) and static ARP entries to verify valid ARP responses.

VLAN Hopping - Exploiting misconfigured VLANs to gain unauthorized access to traffic on another VLAN, often through switch spoofing or double-tagging attacks.

How to Prevent VLAN Hopping - Disable unused switch ports, set manual trunking, and restrict VLAN assignments.

DNS Attacks - Includes DNS poisoning (injecting fake DNS records), DNS hijacking (redirecting traffic), and amplification attacks (massive DNS queries overwhelming a target).

On-Path Attack (MitM) - An attacker secretly intercepts and manipulates network traffic between two parties, often using ARP spoofing, DNS poisoning, or rogue access points.

How to Prevent On-Path Attacks - Use encryption (TLS/SSL, VPNs), static ARP entries, and secure DNS (DNSSEC).

Rogue Devices and Attacks - Rogue APs (unauthorized wireless access points) can bypass network security, allowing attackers to intercept data or conduct Evil Twin attacks.

How to Prevent Rogue Devices - Implement 802.1X authentication, enable Wireless Intrusion Detection Systems (WIDS), and monitor for unauthorized devices.

Social Engineering Attacks - Psychological manipulation to trick people into revealing sensitive information or granting unauthorized access (e.g., phishing, pretexting, baiting, tailgating).

Understanding Phishing Attacks - Attackers impersonate trusted sources via email, phone, or text to steal credentials, money, or personal information. Variants include spear phishing (targeted) and whaling (high-profile targets).

How to Identify Phishing Emails - Look for urgent language, spoofed domains, unexpected attachments, and generic greetings.

Malware Attacks - Malicious software that disrupts, damages, or gains unauthorized access to a system. Includes viruses, worms, Trojans, ransomware, and spyware.

How to Prevent Malware - Use updated antivirus software, firewalls, regular patching, and avoid downloading unknown files or clicking suspicious links.

DoS vs. DDoS - DoS is a single-source attack; DDoS uses multiple systems (botnets) to flood a network or service.

What is a SYN Flood? - A DoS attack where the attacker sends multiple SYN requests to a server but never completes the handshake, overloading it.

What is an amplification attack? - A DDoS technique that exploits a service (like DNS or NTP) to multiply attack traffic against a target.

How can you mitigate DDoS attacks? - Use rate limiting, traffic filtering, firewalls, and DDoS protection services like Cloudflare or AWS Shield.

Why does MAC flooding work? - Overloads a switch’s MAC address table, forcing it into flooding mode, making it act like a hub and exposing all traffic.

How do switches defend against MAC flooding? - Port security, which limits MAC addresses per port, and storm control, which blocks excessive traffic.

How does an ARP spoofing attack work? - The attacker sends fake ARP replies, mapping their MAC address to a legitimate IP, intercepting traffic.

What tools can detect ARP attacks? - Wireshark, ARPwatch, and Dynamic ARP Inspection (DAI).

What are the two types of VLAN hopping attacks? - Switch Spoofing (tricking a switch into granting VLAN access) and Double Tagging (modifying VLAN tags to jump networks).

What setting prevents VLAN hopping? - Disable Dynamic Trunking Protocol (DTP) and use manual VLAN assignments.

What is DNS poisoning? - An attack that injects false DNS records into a cache, redirecting users to malicious sites.

How can DNS attacks be prevented? - Use DNSSEC, encrypted DNS (DoH/DoT), and configure DNS filtering.

What is a DNS amplification attack? - A DDoS attack that exploits open DNS resolvers to send large responses to a victim’s IP, overwhelming their network.

How does an attacker perform a MitM attack? - They intercept communication using ARP poisoning, rogue APs, or compromised routers to eavesdrop or manipulate data.

What prevents MitM attacks? - Encryption (TLS, VPNs), static ARP entries, and secure authentication (e.g., multifactor authentication).

What is an Evil Twin attack? - A rogue Wi-Fi access point that mimics a legitimate one to steal credentials and intercept traffic.

How do you detect rogue access points? - Use Wireless Intrusion Detection Systems (WIDS) and scan for unauthorized SSIDs.

What are common social engineering methods? - Pretexting, baiting, tailgating, phishing, and vishing (voice phishing).

How can employees protect against social engineering? - Security awareness training, verifying requests, and using multifactor authentication (MFA).

What is spear phishing? - A targeted phishing attack that uses personal information to trick a specific victim into revealing credentials.

What is whaling? - A phishing attack aimed at high-profile individuals like CEOs and executives.

How can you identify a phishing email? - Look for misspellings, urgent language, and fake links, and verify the sender’s email domain.

What is the difference between a virus and a worm? - A virus needs a host file to spread, while a worm is self-replicating across networks.

What is a Trojan horse? - Malware that disguises itself as legitimate software but contains a malicious payload.

How does ransomware work? - Encrypts files on a victim’s device and demands a ransom to restore access.