Malicious Activity

Question 1

What is Denial of Service (DoS)? 什么是拒绝服务攻击？

Answer 1

攻击者疯狂发送请求，把你的电脑或服务器崩溃。

An attacker floods your computer or server with requests until it crashes.

Question 2

What are Flood Attacks? 什么是洪水攻击？

Answer 2

• Ping Flood（ICMP洪水）：大量发ping请求，压垮目标。
• SYN Flood（半开连接洪水）：只发起TCP握手请求，不完成连接，让服务器卡住。

Ping Flood: Sends tons of ICMP pings to overload the target.
SYN Flood: Sends many half-open TCP handshakes, leaving servers stuck waiting.

Question 3

What is PDOS (Permanent Denial of Service)? 什么是永久性拒绝服务攻击？

Answer 3

直接破坏设备，比如刷坏路由器固件，让设备无法使用。

It damages the device permanently, like bricking a router by corrupting its firmware.

Question 4

What is a Fork Bomb? 什么是叉子炸弹？

Answer 4

疯狂复制自己，创建大量小程序，耗尽CPU资源。

It keeps copying itself, creating endless processes that exhaust CPU resources.

Question 5

What is Distributed Denial of Service (DDoS)? 什么是分布式拒绝服务攻击？

Answer 5

利用成百上千台机器（僵尸网络）一起攻击目标。

It uses hundreds or thousands of machines (botnets) to attack a target simultaneously.

Question 6

Q: How to defend against DoS and DDoS attacks? 如何防御DoS和DDoS攻击？

Answer 6

A:
• Blackhole / Sinkhole Routing 黑洞/引流：把坏流量丢进“无底洞”。
Divert bad traffic into a “black hole” to discard it.
• Intrusion Prevention Systems (IPS) 入侵防御系统：检测小规模攻击并自动拦截。
Detect and block small attacks automatically.
• Elastic Cloud Infrastructure 弹性云基础设施：按需扩展服务器资源，扛大流量。
Scale server resources on demand to handle big traffic.
• Specialized Cloud Providers 专业防护服务：使用Cloudflare、Akamai等公司增强防御。

Question 7

What is DNS Cache Poisoning? 什么是DNS缓存投毒？

Answer 7

骗DNS缓存，把访问引导到坏网站。

Tricks DNS cache to redirect you to a malicious website.

使用DNSSEC验证、防火墙保护。

Use DNSSEC validation and firewall protection.

Question 8

What is DNS Amplification? 什么是DNS放大攻击？

Answer 8

小小请求，通过放大回声淹没目标。

Small requests become huge responses to flood the target.

限制DNS回复大小和速率。

Limit response size and rate.

Question 9

What is DNS Tunneling? 什么是DNS隧道攻击？

Answer 9

在DNS流量里偷藏数据，绕过防火墙。

Hides data inside DNS traffic to bypass firewalls.

监控DNS日志，发现异常。

Monitor DNS logs for unusual activities.

Question 10

What is Domain Hijacking? 什么是域名劫持？

Answer 10

偷走域名注册权，夺取你的网站。

Steals domain registration control to hijack your website.

注册账号加固，启用域名锁定服务。

Strengthen account security and use domain locking services.

Question 11

What is a DNS Zone Transfer Attack? 什么是DNS区域传输攻击？

Answer 11

偷偷获取整个域名服务器的地图，做侦查。

Steals a full map of DNS zones for reconnaissance.

禁止未授权的Zone Transfer操作。

Block unauthorized zone transfers.

Question 12

What is a Directory Traversal attack?

Answer 12

Accessing sensitive system files by jumping through file paths (e.g., ../../etc/passwd).

通过跳路径（比如../../etc/passwd）访问系统敏感文件。 Defense 防护方法: Input validation and path filtering.

输入验证，过滤路径。

Question 13

What is a Remote File Inclusion (RFI) attack?

Answer 13

Loading a malicious remote file (from another server) into the local web application.

从远程服务器加载恶意文件到本地应用。 Defense 防护方法: Only allow local files, strictly validate URLs.

只允许本地文件，严格验证URL。

Question 14

What is a Local File Inclusion (LFI) attack?

Answer 14

Loading sensitive local files already on the server into the web application.

加载服务器上已有的敏感文件。 Defense 防护方法: Restrict file access permissions.

限制文件访问权限。

Question 15

What is an Encoding Evasion attack?

Answer 15

Hiding directory traversal attempts using URL encoding like %2e%2e%2f.

使用URL编码（如%2e%2e%2f）隐藏目录遍历的企图。 Defense 防护方法: Decode inputs first, then check for dangerous patterns.

先解码输入，再检查是否有危险字符。

Question 16

What is Arbitrary Code Execution? 什么是任意代码执行？

Answer 16

攻击者可以在你的电脑上随意运行自己的程序。

The attacker can run any code they want on your computer.

Question 17

What is Remote Code Execution (RCE)? 什么是远程代码执行？

Answer 17

攻击者可以通过网络，远程直接运行恶意程序。

The attacker can remotely execute malicious code over a network.

Question 18

What is Vertical Privilege Escalation? 什么是垂直权限提升？

Answer 18

普通用户升级成管理员，获得更高的控制权。

A normal user gains admin or higher-level privileges.

Question 19

What is Horizontal Privilege Escalation? 什么是水平权限提升？

Answer 19

攻击者横跳到同级别的其他账户，窃取权限。

An attacker moves sideways to access another user’s privileges.

Question 20

What is a Rootkit? 什么是Rootkit（根套件）？

Answer 20

隐藏在系统中，长期秘密控制你的设备。

Hides deep in the system to maintain long-term secret control.

Question 21

What is a Kernel Mode Rootkit? 什么是内核模式Rootkit？

Answer 21

藏在操作系统最核心（内核），超级隐蔽、超级危险。

Hides inside the operating system’s core (kernel) — extremely stealthy and dangerous.

Question 22

What is a User Mode Rootkit? 什么是用户模式Rootkit？

Answer 22

藏在用户空间，利用系统正常功能保持存在。

Hides in user space and uses normal system functions to stay hidden.

Question 23

What is a Replay Attack? 什么是重放攻击？

Answer 23

It is when valid data is intercepted and maliciously retransmitted later to trick the system.
重放攻击是指拦截合法数据后，稍后恶意地重新发送，以欺骗系统。

Question 24

How is a Replay Attack different from a Session Hijack? 重放攻击和会话劫持有什么不同？

Answer 24

Replay reuses past data later, while Session Hijack alters real-time communication.
重放攻击是重用过去的数据，而会话劫持是篡改实时传输的数据。

Question 25

Where are Replay Attacks commonly seen? 重放攻击通常发生在哪些场景？

Answer 25

Banking, email, online shopping, social media, and wireless authentication (especially WEP). 银行业务、电子邮件、网购、社交媒体，以及无线认证（尤其是旧的WEP协议）中常见。

Question 26

What is a Credential Replay Attack? 什么是凭证重放攻击？

Answer 26

It captures a user’s login credentials and reuses them for unauthorized access. 凭证重放攻击是捕获用户登录凭证，然后用于非法访问。

Question 27

Name two ways to prevent Replay Attacks. 说出两种防止重放攻击的方法。

Answer 27

Use session tokens and implement multi-factor authentication (MFA). 使用会话令牌（Session Tokens）和多因素认证（MFA）。

Question 28

What is Session Management?

Answer 28

Tracks and identifies users across different actions on a web application. ## Footnote 在网页应用中跟踪并识别用户。

Question 29

What is the difference between Session Cookies and Persistent Cookies?

Answer 29

Session cookies are temporary and deleted when the browser closes. Persistent cookies are stored in the browser until manually deleted or expired. ## Footnote 会话Cookie浏览器关闭即删除；持久性Cookie则长期保存在浏览器中。

Question 30

What is Session Hijacking?

Answer 30

An attacker steals or manipulates a user's session to impersonate them. ## Footnote 攻击者窃取或篡改用户的会话信息，冒充用户。

Question 31

What is Session Prediction Attack?

Answer 31

The attacker guesses the session token to hijack a session. ## Footnote 攻击者通过猜测Session令牌来劫持会话。

Question 32

What is Cookie Poisoning?

Answer 32

Modifying the contents of a cookie to exploit vulnerabilities in a web application. ## Footnote 修改Cookie内容以攻击Web应用。

Question 33

What is an On-Path Attack?

Answer 33

An attacker secretly inserts themselves between two communicating hosts. ## Footnote 攻击者偷偷插入通信链路，窃听或篡改数据。

Question 34

What is ARP Poisoning?

Answer 34

Manipulating ARP tables to redirect network traffic. ## Footnote 篡改局域网ARP表，将流量引向攻击者。

Question 35

What is a Replay Attack?

Answer 35

Capturing valid data and sending it later to trick a system. ## Footnote 捕获正常数据包并重放以欺骗系统。

Question 36

What is SSL Stripping?

Answer 36

Downgrading HTTPS connections to HTTP to capture unencrypted data. ## Footnote 把HTTPS降级成HTTP，从而窃取明文数据。

Question 37

How can Downgrade Attacks be prevented?

Answer 37

Enforce the use of strong encryption protocols like TLS 1.3. ## Footnote 强制使用强加密协议（如TLS 1.3），禁止旧协议。

Question 38

What is an Injection Attack?

Answer 38

An attacker sneaks malicious input into an application to make it execute unintended commands. ## Footnote 攻击者将恶意输入塞入应用，让其执行意料之外的命令。

Question 39

What is LDAP Injection?

Answer 39

Fabricating LDAP queries to manipulate authentication or data lookup. ## Footnote 伪造LDAP查询，干扰用户验证或数据检索。

Question 40

What is Command Injection?

Answer 40

Forcing a vulnerable app to execute system-level shell commands. ## Footnote 让漏洞应用执行系统级命令。

Question 41

Name two techniques used in Process Injection.

Answer 41

DLL Injection and Process Hollowing. ## Footnote DLL注入 和 进程空洞（Process Hollowing）。

Question 42

How can you mitigate Injection Attacks?

Answer 42

Input validation, endpoint security, security kernel modules, and least privilege practices. ## Footnote 输入验证、端点安全、核心模块保护、最小权限原则。

Question 43

What is DLL Injection?

Answer 43

Attaching a malicious DLL file to a running process to execute malicious code. ## Footnote 将恶意DLL文件注入到正在运行的进程中，让其执行恶意代码。

Question 44

What is Thread Execution Hijacking?

Answer 44

Taking control of an existing thread and forcing it to run malicious code. ## Footnote 控制已有线程，让它执行恶意代码。

Question 45

What is Process Hollowing?

Answer 45

Starting a legitimate process, removing its code, and replacing it with malware. ## Footnote 启动正常进程后，清空其原始代码，并注入恶意代码替换运行。

Question 46

What is Process Doppelgänging?

Answer 46

Using NTFS file system tricks to create a malicious process that appears legitimate to security tools. ## Footnote 利用NTFS事务伪装成正常进程，骗过安全检测。

Question 47

What is Asynchronous Procedure Call (APC) Injection?

Answer 47

Queuing malicious code to a thread’s execution via an asynchronous call. ## Footnote 通过异步调用，把恶意代码插入线程执行队列。

Question 48

What is Portable Executable (PE) Injection?

Answer 48

Injecting malicious code directly into the structure of a Portable Executable file. ## Footnote 直接将恶意代码注入到可执行文件（PE文件）结构中。

Question 49

What is an Account Lockout? 什么是账户锁定？

Answer 49

Too many failed login attempts cause the account to be locked. ## Footnote 多次登录失败导致账号被锁定。

Question 50

What are Concurrent Sessions? 什么是并发会话？

Answer 50

The same account is logged in from multiple places at the same time. ## Footnote 同一个账号在多个地方同时登录。

Question 51

What is Blocked Content Access? 什么是访问受限内容？

Answer 51

Trying to access restricted or forbidden resources. ## Footnote 尝试访问受限或禁止的资源。

Question 52

What is Impossible Travel? 什么是不可能的旅行？

Answer 52

Login attempts from distant locations within a short time frame. ## Footnote 短时间内从相隔很远的地方登录。

Question 53

What are Resource Spikes? 什么是资源飙升？

Answer 53

Unusual spikes in CPU, memory, or network usage. ## Footnote CPU、内存或网络使用量异常飙升。

Question 54

What is Inaccessibility? 什么是不可访问？

Answer 54

Inability to access files or services. ## Footnote 无法访问文件或服务。

Question 55

What is Out-of-Cycle Logging? 什么是异常时间日志？

Answer 55

Logs appear at strange or unexpected times. ## Footnote 日志记录在奇怪或异常的时间。

Question 56

What are Missing Logs? 什么是日志缺失？

Answer 56

Important logs have been deleted or are missing. ## Footnote 重要日志被删除或丢失。

Question 57

What are Published Articles by Hackers? 什么是黑客公开炫耀？

Answer 57

Hackers publicly boasting about their attacks in articles or posts. ## Footnote 黑客在文章或帖子中公开炫耀自己的攻击行为。