Domain 2 · 2.4 Indicators of Malicious Activity

2.4.3 Network Attacks

DDoS, DNS, wireless, on-path, replay.

17 min

Network attacks encompass a diverse set of tactics designed to compromise the confidentiality, integrity, and availability of data as it traverses or resides on a digital network.

Denial of Service Attacks - DoS/DDoS: A Denial of Service (DoS) originates from a single source, while a Distributed Denial of Service (DDoS) uses a botnet of compromised "zombies" to overwhelm a target. - Amplification: An attacker sends small requests to a third-party server (often DNS or NTP) with a spoofed source IP, causing large responses to be directed at the victim. - Operational Impact: These attacks aim for data unavailability by saturating bandwidth or exhausting system resources like CPU and RAM.

DNS and Routing Attacks - DNS Poisoning: Injecting false information into a DNS cache so that users are redirected to malicious websites. - Domain Hijacking: An attacker gains unauthorized access to domain registration accounts to change DNS records at the source. - URL Hijacking: Also known as Typosquatting, this relies on users making typing errors (e.g., "gogle.com") to lead them to fraudulent sites.

On-Path and Replay Attacks - On-path (Man-in-the-Middle): The attacker intercepts and potentially alters communication between two parties without their knowledge. - Replay: A threat actor captures valid network traffic, such as a login session or a command, and retransmits it later to gain unauthorized access. - Mitigation: Using session tokens, timestamps, and strong encryption like TLS helps prevent these interceptions.

Wireless Network Attacks - Rogue Access Point: An unauthorized AP connected to the wired infrastructure without the administrator's knowledge. - Evil Twin: A rogue AP that mimics a legitimate SSID (e.g., "Starbucks_WiFi") to trick users into connecting so the attacker can capture traffic. - Deauthentication: An attacker sends "deauth" packets to force a client off a wireless network, often as a precursor to an Evil Twin attack or to capture a handshake. - Bluejacking/Bluesnarfing: Bluetooth-specific attacks where the former sends unsolicited messages and the latter steals data.

Exam tips - Botnet is the primary trigger word for DDoS infrastructure. - On-path attacks are frequently mitigated by mutual authentication and end-to-end encryption. - Distinguish between Evil Twin (malicious mimicry) and Rogue AP (unauthorized hardware). - DNSSEC is the primary defense against DNS poisoning by providing origin authority. - Digital signatures and sequence numbers are key defenses against Replay attacks.