By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, analyze potential indicators associated with network attacks.

Topics:
- evil twin
- rogue access point
- bluesnarfing
- bluejacking
- disassociation
- jamming
- radio frequency identification (RFID)
- near-field communication (NFC)
- initialization vector (IV) attack
- on-path attack
- Address Resolution Protocol (ARP) poisoning
- Media Access Control (MAC) flooding
- MAC spoofing
- domain hijacking
- DNS poisoning
- uniform resource locator (URL) redirection
- domain reputation
- distributed denial of service (DDoS) attack
- malicious script execution

Networks are becoming increasingly distributed and mobile. Not only are there various points of entry, but the idea of a tight perimeter no longer exists, as technologies such as wireless, mobile devices, and modern cloud-based web applications have eliminated the idea of the perimeter. It is important to understand the different types of attacks. Keep in mind, however, that most single attacks do not succeed; a combination of attacks is often required. For these reasons, the idea of defense in depth is critical to the security of an organization. As you learn about the individual attacks in the sections that follow, think about the situations to which they might apply. Also think about how each of these attacks might be used and when a combination of attacks would be required.

Wireless

Wireless networks present unique security challenges. Wireless networks are subject to the same types of attacks as their wired counterparts, such as MITM, DoS, replay, and crypto attacks. These attacks have become more prevalent as wireless networks have become common. Replay attacks on a wireless network are arguably simpler than replay attacks carried out on wired networks. A wireless sniffer is a hardware or software device that is capable of capturing the data or packets that traverse the wireless channel.
When traffic being sent across the network is unencrypted, packet sniffing enables the attacker to capture the data and decode it from its raw form into readable text.

Wireless networks are further susceptible to being disrupted by other radio sources. Such disruptions can merely be unintentional interference or can be malicious attempts to jam the signal. For example, you might have personally experienced or heard stories about how the operation of a microwave oven can interfere with wireless access to the Internet. This can happen because specific wireless 802.11 devices operate at or near the same wireless band used by the microwave. In addition, specific attacks on wireless networks can be performed by setting up a nearby access point or using dedicated wireless jamming devices. According to the Federal Communications Commission (FCC), “federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS) and wireless networking services (Wi-Fi).”

Counteracting a jamming attack is both simple and complicated. It is simple because most jamming attacks require physical proximity. In the case of a cell phone, for example, just moving 30 feet away can make a difference. However, changing location is not always a viable option. Sometimes you must either locate the source of the jamming or boost the signal being jammed. Many enterprise-grade devices provide configurable power levels and have the capability to identify and locate rogue devices that are causing interference.

Wireless access point devices are key to wireless networks. Wireless endpoints connect to an access point, which typically acts as a bridge to the wired network. A common attack involves the use of a rogue access point. In such a situation, an unauthorized wireless access point is set up.
In an organization, well-meaning insiders might connect to rogue access points (rogue APs), which create a type of man-in-the-middle attack referred to as an evil twin. Because the client’s request for connection is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client and to act as a client to the true network access point. This enables the hijacker to follow all data transactions and thus modify, insert, or delete packets at will. By implementing a rogue access point that has stronger signal strength than more remote permanent installations, an attacker can cause a wireless client to preferentially connect to its own stronger connection by using the wireless device’s standard roaming handoff mechanism.

Fortunately, it is simple to detect rogue access points by using software. A common method for detecting rogue access points is to use wireless sniffing applications. As wireless networks have become ubiquitous and often required, organizations have conducted wireless site surveys to analyze and plan wireless networks. These site surveys are often associated with new deployments, but they are also conducted in existing wireless networks. Looking for rogue access points is part of the survey process because these access points can negatively impact not just security but also quality of service for the legitimate wireless network.

When a rogue access point is disconnected, it receives a deauthentication frame and is disassociated from the network. However, this message can be exploited in another common attack that involves a denial of service between wireless users and the wireless access point: a disassociation or deauthentication attack. By spoofing a user’s MAC address, an attacker can send a deauthentication data transmission to the wireless access point.
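The two wireless indicators just described (an evil twin advertising your SSID from a radio you do not own, and a burst of deauthentication frames) are the kind of thing a wireless sniffing application or site survey looks for. The following is an added example, not code from the guide: it runs both checks over a constructed frame log. The record layout, the AUTHORIZED inventory of SSID-to-BSSID mappings, the MAC addresses and the alert threshold are all assumptions made for the example.

```python
"""Rogue AP (evil twin) and deauthentication-burst detection over a constructed
802.11 frame log. Added example; not code from the guide. The record format,
the authorized-BSSID inventory and the thresholds are assumptions."""
from collections import defaultdict

# Constructed inventory: the SSID the organization operates and the BSSIDs
# (AP radio MACs) that are allowed to advertise it.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame records: (time_s, frame_type, ssid, bssid, src_mac, dst_mac).
FRAMES = [
    (0.0, "beacon", "CorpWiFi", "00:11:22:33:44:01", "00:11:22:33:44:01", BROADCAST),
    (0.1, "beacon", "CorpWiFi", "00:11:22:33:44:02", "00:11:22:33:44:02", BROADCAST),
    # Our SSID, but from a radio that is not in the inventory: an evil twin.
    (0.2, "beacon", "CorpWiFi", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", BROADCAST),
    # A neighbour's network: not ours, so not an evil twin (a site survey would note it).
    (0.3, "beacon", "Neighbor", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", BROADCAST),
    # A single deauth from a real AP to one client: normal housekeeping.
    (10.0, "deauth", None, "00:11:22:33:44:01", "00:11:22:33:44:01", "c0:ff:ee:00:00:01"),
]
# Eight deauth frames in 0.7 s claiming to come from client c0:ff:ee:00:00:02
# toward AP .02: the spoofed-MAC deauthentication pattern described in the text.
FRAMES += [
    (20.0 + i * 0.1, "deauth", None, "00:11:22:33:44:02", "c0:ff:ee:00:00:02", "00:11:22:33:44:02")
    for i in range(8)
]


def find_evil_twins(frames, authorized):
    """Beacons that advertise an SSID we operate from a BSSID we do not own."""
    suspects = set()
    for _t, ftype, ssid, bssid, _src, _dst in frames:
        if ftype == "beacon" and ssid in authorized and bssid not in authorized[ssid]:
            suspects.add((ssid, bssid))
    return sorted(suspects)


def deauth_peak_rate(frames, window=1.0):
    """For each transmitter address, the most deauth frames seen in any `window` seconds."""
    times = defaultdict(list)
    for t, ftype, _ssid, _bssid, src, _dst in frames:
        if ftype == "deauth":
            times[src].append(t)
    peaks = {}
    for src, ts in times.items():
        ts.sort()
        lo, best = 0, 0
        for hi, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def deauth_alerts(frames, window=1.0, threshold=5):
    """Transmitters whose deauth rate is far above what normal roaming produces."""
    return sorted(src for src, n in deauth_peak_rate(frames, window).items() if n >= threshold)


if __name__ == "__main__":
    print("evil twins:", find_evil_twins(FRAMES, AUTHORIZED))
    print("deauth peaks:", deauth_peak_rate(FRAMES))
    print("deauth alerts:", deauth_alerts(FRAMES))
```

Keying the deauth count on the claimed transmitter address is what makes the spoofing visible: a client address that "sends" eight deauthentications in under a second is not roaming, and the same record format lets you check whether a beacon's BSSID belongs to the inventory at all.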
Some Wi-Fi technologies have been shown to be especially susceptible to initialization vector (IV) attacks, which are attacks that use passive statistical analysis. An IV is an input to a cryptographic algorithm that is essentially a random number. Ideally, an IV should be unique and unpredictable. An IV attack can occur when the IV is too short, is predictable, or is not unique. If the IV is not long enough, there is a high probability that the IV will repeat after only a small number of packets. Modern wireless encryption algorithms use a longer IV, and newer protocols also use a mechanism to dynamically change keys as the system is used. An IV that is repeated with a given key is especially subject to being attacked.

Short-Range Wireless Communications

As the use of wireless networks has increased, so has the use of a variety of wireless technologies. Much of this growth has been spawned by computer peripherals and other small electronics. Consider mobile devices. Most mobile phones today take advantage of Bluetooth and near-field communication (NFC) technology. If you walk into almost any store today, you can find a wide array of Bluetooth-enabled devices, such as speakers and earbuds, that can be used to play music from a phone or any other Bluetooth-enabled device.

Bluetooth

Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, tablets, and cell phones, are subject to receiving photos, messages, or other broadcast spam sent from nearby Bluetooth-enabled transmitting devices in an attack referred to as bluejacking. Although this act is typically benign, attackers can use this form of attack to generate messages that appear to come from a legitimate device. Users then follow obvious prompts and establish an open Bluetooth connection with the attacker’s device.
When paired with the attacker’s device, the user’s device makes data available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Do not confuse bluejacking and bluesnarfing. Bluesnarfing is generally associated with more dangerous attacks that can expose or alter a user’s information.

Near-Field Communication

Near-field communication (NFC) is a set of standards for contactless communication between devices. Although NFC is considered contactless, in most practical uses, devices establish communication by being close or touching. Currently, varying use cases for NFC exist. Most individuals are familiar with NFC as a smartphone feature. NFC is available on most devices, such as those running the Android operating system and the Apple iPhone. An NFC chip in a mobile device generates an electromagnetic field. This allows the device to communicate with other devices or with a tag that contains specific information and that leverages the electromagnetic field as a power supply to send the information back to the device. For example, an advertisement at a bus stop may be embedded with a tag that is able to communicate with a smart device.

Given NFC’s limited range, the types and practicality of attacks are limited by distance. However, NFC still presents potential risks, including the following:
- Confidentiality: Attacks can take advantage of the risks posed by any communications method, including eavesdropping. Any sensitive data must be encrypted to mitigate such concerns.
- Denial of service: NFC could be subject to jamming and interference disruptions that cause loss of service.
- Man-in-the-middle (MITM) attacks: Theoretically, MITM attacks are possible. But again, given the limitations of proximity, such attacks are uncommon with NFC.
- Malicious code: As with any client device, malware prevention and user awareness are key controls.
Specific concerns about NFC that have surfaced largely stem from lenient configurations. For example, applications of NFC might provide a function to pass information such as contacts and applications, but no confirmation may be required from the receiving end. In other applications, such as device pairing, in the absence of any type of confirmation, an attacker can easily connect and run further attacks to access the device.

RFID

Radio frequency identification (RFID) is a wireless technology that was initially common to supply-chain and inventory tracking. RFID has been around longer than NFC. In fact, NFC is based on the RFID protocols. RFID is commonly used with toll booths, ski lifts, passports, credit cards, key fobs, and other applications. RFID chips can even be implanted into the human body for medical purposes. RFID uses electromagnetic fields and is one-way. Information is transmitted from a chip, also known as a smart tag, to an RFID reader. There are two types of RFID tags: active and passive. An active tag can broadcast a signal over a larger distance because it contains a power source. A passive tag, on the other hand, isn’t powered but is activated by a signal sent from the reader.

Cryptography is an important component of RFID security. Without it, an RFID tag is susceptible to attackers writing or modifying data on the tag. Arguably one of the biggest concerns surrounding RFID has been privacy. Even when RFID tags are encrypted, an attacker can read them, for example, to track the movement of a tag or the object to which a tag is applied. NFC is based on RFID protocols. However, NFC provides peer-to-peer communication, which sets it apart from most RFID devices. An NFC chip functions as both a reader and a tag.
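Returning to the initialization vector discussion above: the claim that a short IV "will repeat after only a small number of packets" is the birthday bound, and it can be quantified. The following added example (not code from the guide) does two things a defender can actually run: it scans a set of captured packets for IVs reused under the same key, and it computes how likely a repeat is for a given IV length and packet count. The packet records are constructed; the 24-bit figure is the IV size WEP used, and the 96-bit figure stands in for the longer IVs of newer designs.

```python
"""IV reuse check and the birthday bound for short IVs, for the IV attack
section above. Added example, not the guide's code. The packet records are
constructed; a real check would read IVs from captured frames (assumption)."""
import math
from collections import Counter

# Constructed (key_id, iv, ciphertext) records. key_id identifies which key
# the packet was encrypted under; IV reuse only matters under the same key.
PACKETS = [
    ("key-a", 0x000001, b"\x8a\x13"),
    ("key-a", 0x000002, b"\x77\x2c"),
    ("key-a", 0x000001, b"\x91\x0e"),   # IV 1 repeated under key-a: the dangerous case
    ("key-b", 0x000001, b"\x55\x3f"),   # same IV but a different key: not a reuse
]


def iv_reuse(packets):
    """Return {(key_id, iv): count} for every IV seen more than once under one key."""
    seen = Counter((key_id, iv) for key_id, iv, _ct in packets)
    return {k: n for k, n in seen.items() if n > 1}


def repeat_probability(iv_bits, n_packets):
    """Probability that at least one IV repeats after n_packets random IVs of iv_bits.
    Exact birthday computation: P(no repeat) = prod_{i<n} (1 - i / 2**iv_bits),
    evaluated in log space so large IV spaces do not underflow."""
    space = 2 ** iv_bits
    if n_packets > space:                 # pigeonhole: a repeat is certain
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n_packets))
    return -math.expm1(log_no_repeat)


def packets_for_probability(iv_bits, p):
    """Approximate packet count at which a repeat has probability p
    (birthday bound: n ~ sqrt(2 * N * ln(1 / (1 - p))) with N = 2**iv_bits)."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))


if __name__ == "__main__":
    print("reused IVs:", iv_reuse(PACKETS))
    # 24-bit IVs (the size WEP used) versus 96-bit IVs, both after 5000 packets.
    print("24-bit, 5000 packets:", round(repeat_probability(24, 5000), 3))
    print("96-bit, 5000 packets:", repeat_probability(96, 5000))
    print("24-bit packets to reach 50%:", round(packets_for_probability(24, 0.5)))
```

With a 24-bit IV the chance of a repeat passes 50% after roughly 4,800 packets, which a busy access point sends in seconds; with a 96-bit IV the same packet count gives a probability indistinguishable from zero. That gap is the whole reason newer protocols lengthened the IV and rotate keys.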
On-Path Attack

The on-path attack, also known as a man-in-the-middle (MITM) attack, takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. This type of attack is possible because of the nature of the three-way TCP handshake process, which uses SYN and ACK packets. TCP is a connection-oriented protocol, and a three-way handshake takes place when establishing a connection and when closing a session. When establishing a session, the client sends a SYN request, the server sends an acknowledgment and synchronization (SYN-ACK) to the client, and then the client sends an ACK (also referred to as SYN-ACK-ACK) to complete the connection. During this process, an attacker may initiate a man-in-the-middle attack. The attacker uses a program that appears to the client as the server and appears to the server as the client. An attacker may also choose to alter the data or eavesdrop and pass it along. This type of attack is common with the Telnet protocol and wireless technologies. It is also generally difficult to implement because of physical routing issues, TCP sequence numbers, and speed.

If an on-path attack is attempted on an internal network, physical access to the network is required. Be sure that access to wiring closets and switches is restricted; if possible, such an area should be locked. After you have secured the physical environment, be sure to protect the services and resources that allow a system to be inserted into a session. DNS can be compromised and used to redirect the initial request for service, providing an opportunity to execute a man-in-the-middle attack. You should restrict DNS access to read-only for everyone except the administrator. The best way to prevent these types of attacks is to use encryption, secure protocols, and methods for keeping track of the user’s session or device.
An on-path attack takes place when a computer intercepts traffic and either eavesdrops on the traffic or alters it. Many organizational proxy servers are designed to do this. The clients have digital certificates and trust the proxy. On-path attacks have declined due to the prevalence of prevention techniques. As a result, a newer type of on-path attack, known as a man-in-the-browser (MITB) attack, has become more common. An MITB attack is a Trojan that infects web browser components such as browser plug-ins and other browser helper objects. MITB attacks are particularly dangerous because everything occurs at the application level on the user’s system. These attacks are capable of avoiding web application controls that might otherwise be alerted to a traditional MITM attack at the network layer. MITB attacks can also go beyond mere interception to injecting web code and performing other functions to interact with the user.

Layer 2 Attacks

Layer 2 is the data link layer of the Open Systems Interconnection (OSI) model for computer networks. This is the layer responsible for transferring data between systems on a local network. Computers are often connected to a switch in a wiring closet. Switches operate at Layer 2 of the OSI model. Their packet-forwarding decisions are based on Media Access Control (MAC) addresses. Switches allow LANs to be segmented, thus increasing the amount of bandwidth that goes to each device. Each segment is a separate collision domain, but all segments are in the same broadcast domain. As you consider network attacks at Layer 2, keep in mind that the OSI model allows each layer to work without having to be concerned with the others. However, lower layers can affect the layers above them. Thus, if the physical layer is hacked, Layer 2 will suffer, and if Layer 2 is hacked, the network layer (Layer 3) is also compromised, and so forth.

MAC Spoofing

Spoofing is a method of providing false identification information to gain unauthorized access.
Spoofing a MAC address, called MAC spoofing, involves changing the built-in MAC address of a networked device, which is hard-coded and assigned to each network interface at the factory. In some circumstances, this address can be changed, but most attacks simply mask or spoof the address as something else. Some networks might control access via this address. An attacker able to spoof this address could then gain access. Many wireless networks restrict access to systems with only known MAC addresses. For example, most home wireless access devices provide an option to configure this quite easily. You could, for example, provide a unique address for each device the members of your household use so that only they can access the network. You can also provide a user-friendly name for each device, as its MAC address doesn’t change (unless, of course, it’s spoofed). You would see an unknown device on your network if you weren’t authorizing by MAC address. If you were blocking by MAC address, the attacker would need to be able to spoof an allowed MAC address.

ARP Poisoning

A unique 48-bit address is hard-coded into every network card. For network communications to occur, this hardware address must be associated with an IP address. Address Resolution Protocol (ARP), which operates at Layer 2 (the data link layer) of the OSI model, associates MAC addresses with IP addresses. ARP is a simple lower-layer protocol that consists of requests and replies without validation. However, this simplicity also leads to a lack of security. When you use a protocol analyzer to look at traffic, you see an ARP request and an ARP reply, which are the two basic parts of ARP communication. Reverse ARP (RARP) requests and RARP replies are also used. A device maintains an ARP table that contains a cache of the IP addresses and MAC addresses the device has already correlated. The host device searches its ARP table to see whether a MAC address corresponds to the destination host IP address.
When no matching entry exists, it broadcasts an ARP request to the entire network. All systems see the broadcast, but only the device that has the corresponding information replies. However, devices can accept ARP replies before even requesting them. This type of entry is known as an unsolicited entry because the information was not explicitly requested. ARP does not require any type of validation. Thus, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices, and a perpetrator may be able to trick a device into thinking any IP address is related to any MAC address.

Address Resolution Protocol (ARP) poisoning is limited to attacks that are locally based, so an intruder needs either physical access to the network or control of a device on the local network. To mitigate ARP poisoning on a small network, you can use static or script-based mappings for IP addresses and ARP tables. For large networks, by using equipment that offers port security, you can permit only one MAC address for each physical port on the switch. In addition, you can deploy monitoring tools or an intrusion detection system (IDS) to alert you when suspicious activity occurs.

MAC Flooding

ARP poisoning can lead to attacks such as DoS attacks, on-path attacks, and MAC flooding. DoS attacks are covered in greater detail later in this guide. Media Access Control (MAC) flooding is an attack that compromises a networking switch. This type of attack is successful because of the way all switches and bridges work. Only a limited amount of space is allocated to store source addresses of packets. When the table becomes full, the device can no longer learn new information and becomes flooded. As a result, the switch may be forced into a hub-like state and broadcast all network traffic to every device in the network.

Port Stealing

A lesser vulnerability of ARP is port stealing.
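Before the port stealing discussion continues, the ARP poisoning and MAC flooding mitigations above (static mappings, refusing unsolicited replies, IDS-style alerting, and port security limiting one MAC per switch port) can be made concrete. The following is an added example and not code from the guide: a host-side ARP monitor and a small model of a switch CAM table, run through one poisoning scenario and one flooding scenario with and without port security. Every address, the table capacity of 20 and the per-port limit are constructed values for the example.

```python
"""Defender's view of the ARP poisoning and MAC flooding passages above. Added
example, not the guide's code: a host-side ARP monitor that honours static
mappings and refuses unsolicited replies, plus a switch model with a bounded
CAM table and optional port security. All addresses are constructed."""
from collections import OrderedDict


class ArpMonitor:
    """Tracks IP->MAC bindings; alerts on conflicting, unsolicited or changed replies."""

    def __init__(self, static=None):
        self.static = dict(static or {})   # pinned mappings: the small-network mitigation
        self.table = dict(self.static)
        self.pending = set()               # IPs this host has actually asked about
        self.alerts = []

    def request(self, ip):
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Handle an ARP reply; return True only if the binding was installed."""
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(f"static conflict {ip}: expected {self.static[ip]}, got {mac}")
            return False
        if ip not in self.pending:
            self.alerts.append(f"unsolicited reply {ip} is-at {mac}")
            return False                   # never learn from a reply nobody asked for
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding changed {ip}: {old} -> {mac}")  # IDS-style alert
        self.table[ip] = mac
        return True


class Switch:
    """CAM table of fixed capacity; port security caps the MACs learned per port."""

    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity, self.max_per_port = capacity, max_macs_per_port
        self.cam = OrderedDict()           # mac -> port
        self.violations = []               # (port, mac) pairs refused by port security

    def learn(self, mac, port):
        if mac in self.cam:
            return True
        if self.max_per_port is not None and \
                sum(1 for p in self.cam.values() if p == port) >= self.max_per_port:
            self.violations.append((port, mac))
            return False
        if len(self.cam) >= self.capacity: # table full: no new sources can be learned
            return False
        self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the egress port, or 'flood' (hub-like behaviour) when dst is unknown."""
        self.learn(src, in_port)
        return self.cam.get(dst, "flood")


def arp_scenario():
    """Gateway 10.0.0.1 pinned; a legitimate host and an attacker both answer for 10.0.0.5."""
    mon = ArpMonitor(static={"10.0.0.1": "00:aa:00:00:00:01"})
    mon.request("10.0.0.5"); mon.reply("10.0.0.5", "00:bb:00:00:00:05")  # normal exchange
    mon.reply("10.0.0.5", "de:ad:be:ef:00:01")                           # unsolicited reply
    mon.request("10.0.0.1"); mon.reply("10.0.0.1", "de:ad:be:ef:00:01")  # contradicts static entry
    mon.request("10.0.0.5"); mon.reply("10.0.0.5", "de:ad:be:ef:00:01")  # attacker wins the race
    return mon


def flood_scenario(port_security):
    """Attacker on port 3 emits 50 source MACs before hosts A (port 1) and B (port 2) talk."""
    sw = Switch(capacity=20, max_macs_per_port=1 if port_security else None)
    for i in range(50):
        sw.forward(f"02:00:00:00:00:{i:02x}", "00:00:5e:00:53:ff", 3)
    a, b = "00:aa:00:00:00:0a", "00:bb:00:00:00:0b"
    path = [sw.forward(a, b, 1), sw.forward(b, a, 2), sw.forward(a, b, 1)]
    return {"path": path, "violations": len(sw.violations), "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    print("ARP alerts:", arp_scenario().alerts)
    print("no port security:", flood_scenario(False))
    print("port security:", flood_scenario(True))
```

The last ARP step shows the limit of a host-side monitor: a reply that arrives while a request is outstanding is accepted, so the monitor can only alert on the changed binding, while the pinned static entry for the gateway is never overwritten. In the flooding scenario the attacker fills the 20-entry table, and every frame between the two legitimate hosts is then flooded to all ports; with a one-MAC-per-port limit the attacker gets a single entry and 49 violations, and the hosts' traffic is switched normally after the first unknown-destination frame.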
Port stealing is an on-path attack that exploits the binding between a port and a MAC address. The idea behind port stealing is that an attacker sends numerous packets with the source IP address of the victim and the destination MAC address of the attacker. This attack applies to broadcast networks built using switches.

Domain Name System (DNS) Attacks

Domain Name System (DNS) translates user-friendly names, such as example.com, to IP addresses, such as 93.184.216.34. Several DNS attacks take advantage of vulnerabilities in DNS and the way in which DNS works. Organizations more than ever before need to protect their domains, especially given that applications and services are provided from these domains. Part of this protection is monitoring for domain reputation. Domain reputation monitoring, which also includes IP monitoring, provides useful threat intelligence that helps an organization understand its own domain and also protect against external malicious domains. Understanding what domains have been deemed malicious can help with incident response and blacklisting controls. Even nonmalicious domains could wind up with low reputation as a result of being compromised and used to attack others. For this reason, an organization needs to also understand the reputation of its own domain.

The following sections take a closer look at three common DNS attacks you need to be familiar with:
- Domain hijacking
- URL redirection
- DNS poisoning

Domain Hijacking

Domain hijacking occurs when a domain is taken over without the original owner’s knowledge or consent. This can occur opportunistically when the domain ownership expires, but direct attacks are usually the result of security issues with the domain registrar or direct attacks via social engineering or through the administration portal of the domain owner. Domain registrars now include optional privacy controls and countermeasures to help thwart such attacks.
Once an attacker has hijacked a domain, several opportunities exist to cause harm. The attacker may post embarrassing or malicious content from the domain on the web or may redirect the domain to another domain. The attacker might even sell the domain to another party.

Universal Resource Locator (URL) Redirection

URL redirection is a common technique that is often employed for legitimate purposes, but it can also be abused. First, let’s look at a common example of a useful redirect you have likely experienced. Imagine that you’re logged in to your bank, and you create a bookmark for the page where you can transfer money. After logging out, you decide to revisit that bookmark. Because you aren’t logged in, the bank implements a redirect function to send you back to the login page.

How can an attacker take advantage of this process? If you trust http://www.example.com and see a link beginning with http://example.com/bank/example.php, you might feel confident that you are visiting the legitimate site. The attacker, however, actually sends a different link for you to click: http://example.com/banktransfer/example.php?url=http://malicious-web-site.example.com. This type of attack works when the original example.php page contains code like the following, which has the intended useful purpose of redirecting you:
$redirect_url = $_GET['url'];          // take the url parameter from the query string, unvalidated
header('Location: ' . $redirect_url);  // send the browser to whatever that parameter contains
This code takes the parameter given to it and redirects the user. So if an attacker gives a malicious website URL as the parameter, the code instead redirects the user there. While redirection is a useful feature, organizations need to ensure that this function can’t be abused. The following are a couple of examples of how to prevent such abuse:
- Prevent offsite redirects by validating the input of URLs passed to ensure that all URLs passed use relative paths only.
- If you need to pass to other sites, use whitelisting.

DNS Poisoning

DNS poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose. The attacker not only sends a requestor to a different website but also caches this information for a short period, distributing the attack’s effect to the server’s users. DNS poisoning is also referred to as DNS cache poisoning because it affects cached information.

Every Internet page request starts with a DNS query. If the IP address is not known locally, the request is sent to a DNS server. Two types of DNS servers are used: authoritative and recursive. Whereas DNS servers share information, recursive servers maintain information in cache. This means a caching or recursive server can answer queries for resource records even if it cannot resolve a request directly. A flaw in the resolution algorithm allows the poisoning of DNS records on a server. All an attacker has to do is delegate a false name to the domain server and provide a false address for the server. For example, imagine that an attacker creates the hostname hack.example.com. After that, the attacker queries your DNS server to resolve the host example.com. The DNS server resolves the name and stores this information in its cache. Until the zone expiration, any further requests for example.com do not result in lookups but are answered by the server from its cache.
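Returning to the URL redirection section above, the two mitigations it lists (relative paths only, or an allowlist of other sites) are easy to get subtly wrong: "//evil.example" has no scheme but still leaves the site, a backslash after the slash is treated like a second slash by browsers, and "https://www.example.com@evil.example/" has the trusted name in it without pointing there. The following is an added example, not the guide's PHP, showing a validator that handles those cases. The ALLOWED_HOSTS set and the DEFAULT landing page are constructed for the example.

```python
"""Safe-redirect validation for the URL redirection passage above: accept only
site-local paths, or absolute URLs whose host is on an allowlist. Added example,
not the guide's PHP; the allowlist and DEFAULT landing page are constructed."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # constructed allowlist
DEFAULT = "/"                                        # where to send anything rejected


def is_local_path(target):
    """True only for a path on this site: starts with one '/', carries no scheme or
    host, and contains no backslash (browsers treat '/\\host' like '//host')."""
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def safe_redirect(target, allowed_hosts=None):
    """Return target if it is safe to redirect to, otherwise DEFAULT."""
    if not target or any(ord(c) < 0x20 for c in target):   # empty, or control characters
        return DEFAULT
    if is_local_path(target):
        return target
    parts = urlsplit(target)
    # urlsplit().hostname drops userinfo and port, so "https://www.example.com@evil.example/"
    # is compared as "evil.example", not as "www.example.com".
    if allowed_hosts and parts.scheme in ("http", "https") and parts.hostname \
            and parts.hostname.lower() in allowed_hosts:
        return target
    return DEFAULT


if __name__ == "__main__":
    # The page's own attack link: the url parameter names an off-site host and is rejected.
    print(safe_redirect("http://malicious-web-site.example.com"))
    print(safe_redirect("/bank/example.php"))
    print(safe_redirect("https://www.example.com/help", ALLOWED_HOSTS))
```

Rejecting control characters matters for the same reason as the path checks: a redirect target is written straight into a response header, so a value containing a line break is a second problem on top of the open redirect. Sending rejected values to a fixed page rather than raising an error keeps the bank's bookmark-then-login flow working while removing the attacker's control over the destination.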
It is now possible for the attacker to set your DNS server as the authoritative server for his or her zone with the domain registrar. If the attacker conducts malicious activity, the attacker can make it appear that your DNS server is being used for these malicious activities.

DNS poisoning can result in many different issues. Domain name servers can be used for DDoS attacks. Malware can be downloaded to an unsuspecting user’s computer from the rogue site, and all future requests by that computer will be redirected to the fake IP address. This process could be used to build an effective botnet. This method of poisoning can also allow for code injection exploits, especially because content can be pulled from multiple websites at the same time.

To minimize the effects of DNS poisoning, check the DNS setup if you are hosting your own DNS server. Be sure the DNS server is not open recursive. An open-recursive DNS server responds to any lookup request without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the com servers and the root servers. From the user perspective, education works best. However, it is becoming more difficult to spot a problem by watching the address bar in the Internet browser. Therefore, operating system vendors are adding more protection. Microsoft Windows User Account Control (UAC) notifies the user that a program is attempting to change the system’s DNS settings, thus preventing the DNS cache from being poisoned.

Denial of Service

The purpose of a denial-of-service (DoS) attack is to disrupt the resources or services that a user would expect to have access to. These types of attacks are executed by manipulating protocols and can happen without the need to be validated by the network.
An attack typically involves flooding a listening port on a user’s machine with packets. The idea is to make that system so busy processing the new connections that it cannot process legitimate service requests. Many of the tools used to produce DoS attacks are readily available on the Internet. Administrators use them to test connectivity and troubleshoot problems on the network, and malicious users use them to cause connectivity issues.

Consider some examples of DoS attacks:
- Smurf/smurfing: This attack is based on the Internet Control Message Protocol (ICMP) echo reply function, also known as ping, which is the command-line tool used to invoke this function. In a smurf attack, the attacker sends ping packets to the broadcast address of the network but replaces the original source address in the ping packets with the source address of the victim. This causes a flood of traffic to be sent to the unsuspecting network device.
- Fraggle: This attack is similar to a smurf attack, but it uses UDP instead of ICMP. The attacker sends spoofed UDP packets to broadcast addresses, as in a smurf attack. These UDP packets are directed to port 7 (Echo) or port 19 (Chargen).
- Ping flood: A ping flood attempts to block service or reduce activity on a host by sending ping requests directly to the victim. A variation of this type of attack is the ping of death, in which the packet size is so large that the system does not know how to handle the packets.
- SYN flood: This attack takes advantage of the TCP three-way handshake. The source system sends a flood of SYN requests but never sends the final ACK, thus creating half-open TCP sessions. The TCP stack waits before resetting the port, and in the meantime, the attack overflows the destination computer’s connection buffer, making it impossible to service connection requests from valid users.
- Land: In this attack, the attacker exploits a behavior in the operating systems of several versions of Windows, Linux, macOS, and Cisco IOS with respect to their TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim system with the same source and destination IP address and the same source and destination ports. This confuses the system as it tries to respond to the packet.
- Teardrop: This form of attack targets a known behavior of UDP in the TCP/IP stack of some operating systems. An attacker sends fragmented UDP packets to the victim with odd offset values in subsequent packets. When the operating system attempts to rebuild the original packets from the fragments, the fragments overwrite each other, causing confusion. Because some operating systems cannot gracefully handle this type of error, the system is likely to crash or reboot.

DoS attacks come in many shapes and sizes. The first step in protecting yourself from such an attack is to understand the nature of the attacks in this list. Although various security solutions are designed specifically to help prevent such attacks, you might consider other measures in your organization. Fundamentally, organizations should ensure that they have well-defined processes related to auditing, standard operating procedures, and documented configurations. Finally, being well versed in the nature of the different types of attacks can help you make better decisions when it comes to attack recognition and implementing controls such as packet filtering and rights management.

Distributed DoS

Another simple expansion of a DoS attack is referred to as a distributed denial-of-service (DDoS) attack. In this type of attack, masters are computers that run the client software, and zombies run the attack software. The attacker creates master handlers or command-and-control servers, which, in turn, create many zombies, forming a botnet.
The software running on the zombies can launch multiple types of attacks, such as UDP or SYN floods on a target.
[Figure: Example of a DDoS attack]

Basically, the attacker distributes zombie software or infects multiple hosts (or even thousands of hosts), providing the attacker partial or full control of the infected computer systems through one or more command-and-control servers. Finally, the army of bots or compromised machines attacks the victim by overwhelming it, making it slow or unable to respond to legitimate requests. When attackers compromise enough systems with the installed zombie software, they can initiate an attack against a victim from a wide variety of hosts. The attacks come in the form of the standard DoS attacks, but the effects are multiplied by the total number of zombie machines under the control of the attacker, resulting in distributed denial of service.

Often DoS and DDoS attacks involve reflection; that is, the attacker takes advantage of legitimate third-party services and spoofs the source address to be that of the victim. As a result, any replies from the service are directed at the victim, hiding the attacker’s identity. Network time servers and DNS servers are common examples of third-party services used to execute such attacks. These attacks can further take advantage of amplification: the attack is magnified, increasing the amount of traffic sent to the victim, which is fundamental to a DoS attack. Requests to an NTP time server, for example, are amplified back by a factor of more than 500%. Because these attacks use UDP, a connection is not required, and the source is not verified.

Although DDoS attacks generally come from outside the network to deny services, you must also consider the effect of DDoS attacks mounted from inside the network. Disgruntled or malicious internal users may use DDoS attacks to disrupt services without any outside influence. Many of the denial-of-service attacks discussed earlier are network-based attacks based on TCP, UDP, or ICMP.
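The DoS and DDoS attacks above share one observable symptom on the victim side: a spike of requests in a short window, many of them from one address or one range. The following added example (not code from the guide) shows that detection applied to web-server access logs, which is where an application-layer flood is usually seen first. The log lines are constructed inside the block; the ten-second window and the per-IP and per-/24 thresholds are assumptions that would be tuned against a real site's baseline.

```python
"""Spotting the DDoS symptom "anomalous spikes in requests within a short time
span, many from the same IP address or range" in web-server access logs.
Added example, not the guide's code. The log lines are constructed; the
window and thresholds are assumptions to tune against a real baseline."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed start time


def _line(ip, second, req="GET /login HTTP/1.1", status=200):
    """Build one constructed common-log-format line `second` seconds after T0."""
    ts = (T0 + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{req}" {status}'


def build_sample_log():
    """Constructed traffic: five ordinary visitors, one flooding IP, one flooding /24."""
    lines = [_line(f"192.0.2.{10 + i}", s) for i in range(5) for s in (0, 30, 59)]
    lines += [_line("203.0.113.7", 5 + i // 16) for i in range(80)]               # 80 requests in 5 s
    lines += [_line(f"198.51.100.{h}", 20 + j) for h in range(1, 31) for j in range(4)]  # 30 hosts x 4
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"])}


def peak_rate(events, key, window):
    """Most events per key value inside any `window`-second span (sliding window)."""
    times = defaultdict(list)
    for e in events:
        times[key(e)].append(e["ts"])
    peaks = {}
    for k, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[k] = best
    return peaks


def flag_sources(lines, window=10.0, per_ip=50, per_net=100):
    """IPs and /24 ranges whose request rate in any window exceeds the thresholds."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = peak_rate(events, lambda e: e["ip"], window)
    by_net = peak_rate(events, lambda e: str(ipaddress.ip_network(e["ip"] + "/24", strict=False)), window)
    return {
        "ips": sorted(ip for ip, n in by_ip.items() if n >= per_ip),
        "nets": sorted(net for net, n in by_net.items() if n >= per_net),
        "peak_by_ip": by_ip,
    }


if __name__ == "__main__":
    result = flag_sources(SAMPLE_LOG)
    print("flooding IPs:", result["ips"])
    print("flooding ranges:", result["nets"])
```

The per-range check is what catches the distributed case: each host in 198.51.100.0/24 sends only four requests, well under any single-IP threshold, but the range as a whole produces 120 requests in three seconds. Aggregating by /24 is a crude stand-in for grouping by origin network; the same sliding-window count works over whatever key the log provides.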
More modern attacks use Layer 7 application-based attacks, often against web servers. Such an attack generates a high number of requests each second against the application, often using a flood of GET and POST traffic via HTTP.

Recently, DDoS attacks against operational technology (OT) have become more prevalent. These attacks are possible because operational technology is now being interconnected and exposed to the outside world, whereas, in the past, this technology was isolated in businesses and factories. Just consider how many devices and applications are being connected around the world outside information technology: in electrical grids, smart cities, automobiles, and IP-based video surveillance, and in more common Internet of Things (IoT) devices like doorbells, smart thermostats, and lighting automation.

DDoS attacks can have a wide operational impact across an organization and the customers it serves. DDoS attacks aren’t quiet, however; fortunately, they are easy to detect. Unfortunately, the impacts from an attack are felt immediately and, if not quickly mitigated, can cause extended loss of operations, including lost revenue and even loss of lives. The following symptoms may indicate that a DDoS attack has been launched:

- Users report slow response from applications and services.
- Applications and services are not available outside of known maintenance windows or other failures.
- Anomalous spikes occur in requests coming in within a short time span, many of them from the same IP address or range of addresses.

Denial-of-service attacks can be launched from the network layer or the application layer, and they can impact these layers as well. Networking devices, applications, and even operational technology can be impacted by DoS and DDoS attacks. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks.
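The request-spike symptom listed above can be checked mechanically against a web server's access log. The following Python is an added example, not part of the guide: it parses constructed access-log lines in Common Log Format and flags any source IP or /24 range whose request count inside a 10-second sliding window passes a threshold. The thresholds, the window length, the log format and the sample addresses are assumptions.

```python
"""Flag request bursts in web-server access logs, the Layer 7 DDoS symptom the
guide lists (many requests in a short span from one IP or one address range)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), TS_FMT)
    return ts, ip_address(m.group(1)), m.group(3), m.group(4), int(m.group(5))


def find_bursts(lines, window=timedelta(seconds=10), per_ip=50, per_range=150):
    """Sliding-window request counts per source IP and per /24 (IPv4 assumed).
    Returns {offender: peak count in any window} for sources over threshold."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    peaks = {}
    for ts, ip, *_ in events:
        net = ip_network(f"{ip}/24", strict=False)
        for key, limit in ((str(ip), per_ip), (str(net), per_range)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop requests older than the window
                q.popleft()
            if len(q) > limit:
                peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample (not real traffic): steady background from one client,
    a flood from a single host, and a flood spread across a /24 range."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ts, ip, req):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req} HTTP/1.1" 200 512'
    lines = [line(t0 + timedelta(seconds=3 * i), "198.51.100.20", "GET /index.html") for i in range(20)]
    lines += [line(t0 + timedelta(milliseconds=100 * i), "203.0.113.7", "GET /search?q=x") for i in range(80)]
    lines += [line(t0 + timedelta(milliseconds=50 * i), f"192.0.2.{i % 200 + 1}", "POST /login") for i in range(200)]
    return lines
```

Run against the constructed sample, only the single-host flood and the /24-spread flood are reported; the steady client stays under both thresholds, which is the distinction the symptom list is asking you to draw.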
You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. When you do this, you give up the ability to use ping and some other services and utilities for testing network connectivity, but this is a small price to pay for network protection. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time. Subscribing to security emails and checking security websites daily ensures that you keep up with the latest attacks and exploits. Applying the manufacturer’s latest operating system patches or fixes can also help prevent attacks.

Malicious Code and Script Execution

In “Attack Basics,” you learned that office applications provide a powerful function to automate tasks through the use of macros. Malicious script execution takes advantage of this power to create macro viruses. In addition, fileless viruses have used other automation tools and scripting languages, such as Windows PowerShell, to do their work. Scripts aid system administrators in efficiently performing operations and automating actions that otherwise would require multiple steps and manual interaction. An attacker can take advantage of the same benefits but for nefarious purposes. These scripting languages can be used as part of malware and can also be used inside a network to further the malicious work. Examples of these scripting languages include the following:

- PowerShell: PowerShell is a command-line scripting language from Microsoft for task automation and configuration management.
- Python: This common scripting language is included with most Linux distributions and has wide use in application development, including exploits.
- Bash: Commonly referred to as the Unix shell, Bash is the environment and command-line language for many versions of Apple’s macOS and most Linux distributions.
- Visual Basic for Applications (VBA): Based on the Visual Basic programming language from Microsoft, VBA helps drive specific events or actions. Microsoft macros for Office documents are written or recorded using VBA.

Quiz

1. The sales team reports that when it was traveling recently, team members received unsolicited photos on their mobile devices at the airport. Which of the following occurred?
A. Bluesnarfing
B. Bluejacking
C. On-path attack
D. Deauthentication

2. Which of the following is an attack that affects data availability?
A. Rogue AP
B. MAC address
C. On-path attack
D. DDoS attack

3. Before leaving for the day, one of the security administrators sends an email to the director of security, informing him that an evil twin had been found and removed from the network. The director forwards the email to you and asks what this means. Which of the following is the best reply?
A. A rogue wireless access point was found connected to the network.
B. A user’s laptop was discovered to have had a spoofed MAC address.
C. Two identical antennas were lying in the hallway.
D. A network sniffer had been downloaded but not yet installed to a user’s laptop.

4. Which specific type of attack occurs when a perpetrator redirects traffic by changing the IP record for a specific domain in order to be able to send legitimate traffic anywhere he chooses?
A. DNS poisoning
B. Domain hijacking
C. On-path browser attack
D. Port stealing

5. How would you mitigate ARP poisoning on a small network?
A. Implement whitelisting
B. Validate the input of URLs passed
C. Use a three-way handshake
D. Use static mappings for IP addresses

Answer 1: B. Bluejacking involves the receipt of unsolicited photos or messages on a Bluetooth-enabled device from a nearby device. Bluesnarfing is also a Bluetooth attack, but it involves unauthorized pairing and access to the device, so answer A is incorrect. Answer C is incorrect: an on-path attack occurs when an attacker intercepts traffic between two parties. Answer D is incorrect, as deauthentication refers to a frame being received when access points are disconnected.

Answer 2: D. A distributed denial-of-service (DDoS) attack is an attack from multiple infected systems that seeks to disrupt the victim, often affecting the ability of the system to respond and making the services and data unavailable. Answers A and C are incorrect, as a rogue access point and an on-path attack would still provide for availability but would compromise confidentiality. Answer B is incorrect, as a MAC address is not an attack but a factory-assigned address for a network interface.

Answer 3: A. An evil twin is a rogue wireless access point and is the most accurate choice here. Answers B and C are both incorrect. Answer D is also incorrect; however, an attacker can use a network sniffer in conjunction with a rogue wireless access point. In addition, a wireless network sniffer can be used to help locate rogue access points.

Answer 4: A. Domain Name System (DNS) poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose. DNS poisoning sends a requestor to a different website and also caches this information for a short period, distributing the attack’s effect to the server users. Answer B is incorrect: domain hijacking, the act of changing domain name registration, occurs when an entire domain is taken over without the original owner’s knowledge or consent. Answer C is incorrect: an on-path browser attack is a Trojan that infects web browser components such as browser plug-ins and other browser helper objects. Answer D is incorrect because port stealing is an on-path attack that exploits the binding between a port and a MAC address.

Answer 5: D. To mitigate Address Resolution Protocol (ARP) poisoning on a small network, you can use static or script-based mappings for IP addresses and ARP tables. Answers A and B are incorrect because validating the input of URLs passed and using whitelists apply to mitigating URL redirection in the context of this guide. Answer C is incorrect and applies to a SYN flood attack, which takes advantage of the TCP three-way handshake.