Network Attacks Flashcards
What is a network attack?
A network attack is an attempt to gain unauthorized access to a computer network, system, or device with the intent of stealing, damaging, or manipulating data. These attacks can come from external sources such as hackers or viruses, or from internal sources such as employees or contractors. Network attacks can cause significant harm to businesses, organizations, and individuals. They can broadly be classified into two categories: passive attacks and active attacks.
What's a passive attack (aka eavesdropping or sniffing)?
A passive attack is one where an attacker monitors network traffic or systems to gather information without directly modifying or disrupting them. The primary goal is to collect data, often sensitive information like passwords or data transmission patterns, without alerting the victim or system administrators. Passive attacks are difficult to detect because they don't involve any direct action or changes to the targeted system. They can be carried out with hardware or software.
What’s an active attack?
It is a type of attack where an attacker directly interacts with a system or network to alter, disrupt, or destroy data or services. Unlike passive attacks, which involve monitoring or eavesdropping, active attacks aim to modify or damage the system or network.
What does sniffing involve?
Sniffing can be done with hardware or software. Hardware-based sniffing involves using specialized network devices, such as network taps or port mirroring on network switches, to capture network traffic. These devices are physically connected to the network and can capture data without being detected by the target system or network monitoring tools.
Software-based sniffing utilizes tools or applications installed on a computer to monitor and capture network traffic. These tools can run on the attacker’s device or, in some cases, run on the target system to capture data remotely. Some popular sniffing tools are Wireshark and Tcpdump.
What is spoofing?
You’ve learned that spoofing refers to a cyberattack where an attacker impersonates a legitimate user or device by falsifying the source information, such as an IP address or email. The main goal is to deceive the target system or user into believing that the attack comes from a trustworthy source. The image below indicates that during a spoof attack, a false request for data appears to come from a trusted source. The server is tricked into thinking the request is genuine and sends large amounts of data to the attacker.
What are the types of spoofing?
-IP spoofing: forges the source IP address of packets.
-ARP spoofing: the attacker sends falsified Address Resolution Protocol (ARP) messages to associate their MAC address with the IP address of another device, intercepting the target's network traffic.
-DNS spoofing: by manipulating the Domain Name System (DNS), an attacker redirects users to false websites by providing a fake IP address associated with a legitimate domain name.
-SSL/TLS spoofing: the attacker intercepts and alters SSL/TLS certificates, allowing them to eavesdrop on or modify encrypted communications between users and secure websites.
What is a man-in-the-middle (MITM) attack?
A MITM attack is a form of network attack that combines sniffing and spoofing: the attacker intercepts and may alter the communication between two parties without their knowledge. The goal of a MITM attack is often to eavesdrop on sensitive information or to manipulate the communication to achieve a specific outcome. The diagram below demonstrates how a MITM attack works. The original connection between two network devices, such as a user and a server, is intercepted and replaced by a new connection that passes through the attacker. ARP spoofing, DNS spoofing, or SSL/TLS hijacking is typically used to achieve this. Ettercap is a tool suite used for man-in-the-middle attacks and can perform both passive and active sniffing.
What is a DoS and DDoS attack?
A Denial-of-Service (DoS) attack is a cyberattack aimed at making a computer or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. This is typically achieved by flooding the target with excessive requests or invalid data, overwhelming its resources and preventing legitimate traffic from being processed.
A Distributed Denial of Service (DDoS) attack is a cyberattack where multiple compromised computers, forming a botnet, flood a targeted server or network with traffic, overwhelming it and making it unavailable to legitimate users. The goal is to disrupt online services by making them slow or inaccessible.
Initially, attackers compromise many devices by exploiting vulnerabilities, social engineering, or distributing malware. Once the devices are infected, the attacker gains control over them and incorporates them into the botnet. Then, from a command-and-control center, also called C&C, the attacker initiates the DDoS attack on the target system.
What are the types of DoS and DDoS attacks?
-Volume-based attacks
-Protocol attacks
-Application-layer attacks
What does Wi-Fi password cracking include?
-Dictionary attack: tries common phrases and passwords.
-Brute force attack: tries all possible combinations.
-Rainbow table attack: uses precomputed tables of hashed password combinations (called rainbow tables) to quickly look up the plaintext password corresponding to a given hash. This method can be faster than brute force but requires significant storage resources.
What is port scanning?
It is a process where a tool probes a computer or server to identify which ports are open and listening, meaning they are accepting external data. It helps determine which services are running on the system and reveals potential vulnerabilities. While useful for security assessments, it can also be misused by attackers to find entry points into a network.
What are some phishing attack signs?
First-time or infrequent senders
Mismatched email domains
Generic greetings
Urgent call to action or threats
Spelling mistakes and bad grammar
Suspicious links or unexpected attachments
How to minimize network attacks?
-Update antivirus and antimalware software
-Patch and update regularly
-Use a VPN
-Security policies
What does a firewall do?
Most firewalls deny all incoming traffic and filter outgoing traffic until an organization's security team configures what traffic should be allowed in and out. The firewall checks each data packet to determine if certain conditions are met before it allows traffic to pass through. These conditions could be a specified IP address, a network port, a network protocol, or a combination of conditions. Some firewalls are hardware-based and are built into devices designed to act as firewalls. Firewalls can also be virtualized to run on a server. Other firewalls are software programs that run on personal computers or even inside routers. In all cases, a firewall is a list of permit and deny statements of what can and can't pass through it, thereby protecting a network. Firewalls have to check every packet of data that arrives against a list of rules to decide if the packet is permitted or denied.
What is a zone?
A zone is made up of a single device or a group of devices with the same trust level. These devices can be physically remote from one another on the network or they can be close by, but as long as they all share the same trust level, they're in the same zone. The trust level is assigned on a scale of 0-100. The higher the number, the higher the level of trust, and the firewall acts according to which zone traffic is going to or coming from. This also means that the firewall won't check outgoing traffic from a high-trust zone as rigorously as traffic from other zones.
What is a perimeter zone, aka demilitarized zone (DMZ)?
The perimeter zone, also known as DMZ or demilitarized zone, is where resources and services accessible from outside the organization are available. This zone is typically assigned the value of 50. Not all incoming traffic will need to be checked, but it’s still treated with a lot of caution.
A public zone contains everything outside the organization. This zone is part of the internet or another network and not under the organization’s control. It carries the most risk. It has a trust level of zero.
What are the firewall types?
-Packet filtering firewalls
-Application-layer firewalls
-Circuit-level firewalls: check whether TCP and UDP connections across a network are valid before data is exchanged.
-Proxy server firewalls: control the information that goes in and out of a network. This ability means the server can monitor, filter, and cache data requests to and from a network.
-Stateful firewalls: inspect connections on a network. As traffic hits the firewall, it monitors all packets that go through it and stores a combination of information about the packets in a state table. The state table tracks sessions by recording port numbers as sessions start from inside the network and are transmitted outside of the network.
-Next-generation firewalls:
Why does a firewall require a policy?
To determine what traffic is and isn't allowed onto the network. A firewall policy allows network administrators to govern the behavior of firewalls. The policy is made up of firewall rules that relate to certain criteria, including source and destination, along with protocols and port numbers.
What are the firewall rules?
Source address – where the data has come from. This is typically an IP address but can also be a fully qualified domain name or FQDN. An FQDN is the name of a device on the internet, verified by an external DNS server.
Destination address – where the data is going. This is usually an IP address but can also be a fully qualified domain name (FQDN).
Port and protocol numbers – the services that applications require.
Interface – rules can be associated with a particular interface or port on a firewall.
Direction – whether the traffic is inbound or outbound.
Time – specifies when the data will or won't be permitted.
The decision – whether to permit or deny the packet.
What are the three rules when creating a firewall policy?
Top-down processing – a firewall starts at the top of a policy list, making its way down to the bottom, so the order of the rules is critical.
Rule matched – if any incoming traffic matches the criteria of a firewall rule, the firewall will apply the specified allow or deny action without proceeding to the next rule. Any of the other rules below the matched rule will not be considered, because firewalls implement top-down processing.
Implicit deny – also known as deny all. This is typically an invisible rule applied when a firewall is initially set up, and it blocks all traffic from the start. It enables a firewall to protect the network as soon as it’s activated. This rule remains active the whole time, so many firewall policies have permit statements (also known as allow statements) to allow necessary traffic through. Implicit deny is always the last rule on the rules list. And because it’s active by default and invisible, it’s important to remember it’s there.
What are firewall maintenance threats?
-Outdated firewall software
-Improper configuration
-Lack of documentation
-Next-generation firewalls (NGFW)