Study Guide: Principles of Information Security: Network Attacks (DDoS, ARP Spoofing, DNS Poisoning)
Source: https://www.fatskills.com/information-security/chapter/information-security-network-attacks-ddos-arp-spoofing-dns-poisoning

Principles of Information Security: Network Attacks (DDoS, ARP Spoofing, DNS Poisoning)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.



Network Attacks Study Guide: DDoS, ARP Spoofing, DNS Poisoning

For CISSP, Security+, CEH, and Real-World Defense


What This Is

Network attacks exploit weaknesses in how devices communicate to disrupt services, steal data, or gain unauthorized access. They can cripple businesses (the 2016 Mirai-driven DDoS against the DNS provider Dyn made Twitter, Netflix, and Reddit unreachable for hours), enable fraud (ARP spoofing on a coffee-shop network to intercept unencrypted traffic), or redirect users to malicious sites (DNS poisoning that sends a bank's customers to a fake login page). In CIA terms, DDoS attacks availability, while ARP spoofing and DNS poisoning attack the integrity of address resolution and, through the interception or redirection they enable, confidentiality.


Key Terms & Concepts

  • DDoS (Distributed Denial of Service): An attack in which many compromised systems (a botnet) flood a target with traffic or requests, exhausting its bandwidth, connection state, or application capacity so that legitimate users cannot reach it. Example: the Mirai botnet of IoT devices used to take down the DNS provider Dyn in 2016.
      • Tools: LOIC, HOIC, Mirai malware.
      • Standards: NIST SP 800-61 (Computer Security Incident Handling Guide), ISO/IEC 27035 (Incident Management).

  • DoS (Denial of Service): The same goal from a single source (e.g., one host sending a SYN flood). Easier to launch and usually easier to block, because one source address can be filtered; a SYN flood with spoofed sources is the exception, since the apparent sources are many even though the origin is one.

  • ARP (Address Resolution Protocol): Maps IPv4 addresses to MAC addresses on a local network (IPv6 uses Neighbor Discovery instead). ARP has no authentication: any host can answer, and hosts accept unsolicited replies, which is exactly the weakness ARP spoofing abuses.
      • Layer: OSI Layer 2 (Data Link).
      • Tools: Ettercap, Cain & Abel, arpspoof (part of dsniff).

  • ARP Spoofing (ARP Poisoning): An attacker sends forged ARP replies that bind the attacker's MAC address to a legitimate IP (typically the default gateway, and often the victim's IP as well), so both sides of a conversation send their traffic through the attacker's machine. Used for MITM (Man-in-the-Middle) attacks.
      • Example: Capturing login credentials on a public Wi-Fi network. Against HTTPS this yields little on its own; it is usually combined with SSL stripping.

  • DNS (Domain Name System): Translates human-readable domain names (e.g., google.com) to IP addresses. DNS poisoning corrupts this mapping.
      • Port: UDP 53 for queries and responses; TCP 53 for zone transfers and for any query or answer too large for UDP (a truncated UDP reply is retried over TCP).
      • Standards: RFC 1035 (DNS protocol), NIST SP 800-81 (Secure Domain Name System Deployment Guide).

  • DNS Poisoning (DNS Spoofing/Cache Poisoning): An attacker inserts forged records into a DNS resolver's cache (or a single host's stub cache or hosts file), so every client using that resolver is sent to the attacker's address until the record expires.
      • Example: In 2010, forged DNS answers from China's Great Firewall leaked to users outside China through a root-server mirror hosted there, sending queries for blocked sites to wrong addresses.
      • Tools: dnsspoof (part of dsniff), Metasploit, dnschef.

  • MITM (Man-in-the-Middle) Attack: An attacker secretly relays or alters communications between two parties (e.g., ARP spoofing, SSL stripping).

  • Defenses: Encryption (TLS), ARP monitoring, HSTS.

  • Botnet: A network of compromised devices (bots) controlled by an attacker (C2 server). Used for DDoS, spam, or data theft.

  • Example: Emotet, TrickBot.

  • SYN Flood: A DoS/DDoS technique that exploits the TCP three-way handshake: the attacker sends SYN segments, usually from spoofed source addresses, and never completes the handshake, so the server's backlog of half-open connections fills and legitimate SYNs are dropped.
      • Defense: SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it, so unanswered SYNs cost nothing), rate limiting.

  • Amplification Attack: A DDoS technique in which the attacker sends small requests to third-party servers (open DNS resolvers, NTP servers with monlist enabled) with the source address spoofed to the victim, so the much larger responses are reflected onto the victim.
      • Example: A DNS query of roughly 60 bytes can elicit a response of several thousand bytes; US-CERT alert TA14-017A lists amplification factors of about 28-54x for DNS and over 550x for NTP monlist.

  • MAC (Media Access Control) Address: The Layer 2 identifier of a network interface, assigned by the manufacturer but freely changeable in software; ARP spoofing works by announcing a false IP-to-MAC binding, not by changing the hardware.

  • HSTS (HTTP Strict Transport Security): A response header that tells browsers to use only HTTPS for a site for a set period, preventing SSL stripping on later visits; the very first visit is unprotected unless the site is on the browser preload list.
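The SYN-cookie defense named above is easier to trust once you see the mechanism. The following is an added example written for this guide, not code from the page or from any kernel: a toy SYN-cookie scheme modelled on the classic layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash), showing how a server answers thousands of spoofed SYNs while storing nothing per connection, and how the final ACK of a genuine client is verified from the numbers alone. The secret key, the 64-second tick, the MSS table and the sample addresses are assumptions of the example.

```python
# Added example (not from the page): a toy SYN-cookie scheme modelled on the
# classic Bernstein/Linux layout, showing how a server answers a SYN flood
# without keeping a half-open-connection entry per SYN. The secret, the
# 64-second tick and the MSS table are assumptions of this example.
import hashlib
import hmac
from dataclasses import dataclass

MSS_TABLE = (536, 1220, 1440, 1460)   # index stored in 3 bits of the cookie
TICK_SECONDS = 64                     # cookie lifetime granularity (assumption)
SECRET = b"replace-with-a-per-boot-random-key"   # assumption: from a CSPRNG at boot


@dataclass(frozen=True)
class Segment:
    """The TCP fields a SYN-cookie implementation actually needs."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    seq: int
    ack: int = 0


def _mac24(saddr, daddr, sport, dport, client_isn, counter):
    # 24-bit keyed hash over the 4-tuple, the client's ISN and the time tick.
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(syn: Segment, mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored: the state lives in the number."""
    counter = int(now // TICK_SECONDS)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    # layout: [5 bits tick][3 bits MSS index][24 bits MAC]
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(
        syn.saddr, syn.daddr, syn.sport, syn.dport, syn.seq, counter)


def verify_ack(ack: Segment, now: float):
    """Return the MSS to use if the final ACK carries a fresh, valid cookie, else None."""
    cookie = (ack.ack - 1) & 0xFFFFFFFF       # ACK number = our ISN + 1
    client_isn = (ack.seq - 1) & 0xFFFFFFFF   # client's seq = its ISN + 1
    now_counter = int(now // TICK_SECONDS)
    for age in (0, 1):                        # accept this tick and the previous one
        counter = now_counter - age
        if (counter & 0x1F) != (cookie >> 27):
            continue
        expected = _mac24(ack.saddr, ack.daddr, ack.sport, ack.dport, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


def demo():
    """Flood of spoofed SYNs plus one real client; returns what the server accepted."""
    server = "198.51.100.10"
    t0 = 1_700_000_000.0
    # 10,000 SYNs from constructed spoofed sources: the server replies to each
    # with a cookie and remembers none of them, so its backlog never fills.
    for i in range(10_000):
        make_cookie(Segment(f"10.0.{i >> 8}.{i & 255}", server, 40000 + (i & 1023), 443, i), 1460, t0)
    # A genuine client: SYN, SYN-ACK carrying the cookie, ACK verified statelessly.
    syn = Segment("203.0.113.7", server, 51515, 443, seq=123456)
    cookie = make_cookie(syn, 1400, t0)
    ack = Segment("203.0.113.7", server, 51515, 443, seq=syn.seq + 1, ack=(cookie + 1) & 0xFFFFFFFF)
    forged = Segment("203.0.113.7", server, 51515, 443, seq=syn.seq + 1,
                     ack=((cookie ^ 0x5A5A) + 1) & 0xFFFFFFFF)
    return {
        "legit_mss": verify_ack(ack, t0 + 20),               # valid and fresh: MSS 1220 (largest entry <= 1400)
        "forged": verify_ack(forged, t0 + 20),               # MAC does not match: None
        "stale": verify_ack(ack, t0 + 5 * TICK_SECONDS),     # cookie older than two ticks: None
    }
```

The price of SYN cookies is visible in the layout: only a few MSS values survive and TCP options that do not fit in 32 bits are lost, which is why real stacks turn cookies on only once the backlog is under pressure (Linux: net.ipv4.tcp_syncookies=1).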


Step-by-Step / Process Flow

1. Detecting and Mitigating DDoS Attacks

  1. Monitor Traffic: Use a SIEM (e.g., Splunk, Wazuh) or NetFlow/IPFIX records to detect unusual spikes against a known baseline (bits per second, packets per second, new connections per second).
  2. Identify Attack Type: Is it volumetric (UDP or amplification flooding that saturates links), protocol (a SYN flood that exhausts connection state), or application-layer (an HTTP flood that exhausts the web stack while looking like real requests)? Each needs a different control.
  3. Engage DDoS Protection:
      • On-Premises: Deploy a scrubbing appliance (e.g., Arbor/NETSCOUT) or rate limiting (iptables, Cisco ACLs). This helps only while the attack is smaller than your upstream link.
      • Cloud-Based: Use AWS Shield, Cloudflare, or Akamai Prolexic to absorb volumetric traffic before it reaches your network.
  4. Drop Attack Traffic: Update firewall rules to block the worst sources, or ask your ISP for BGP blackholing. Remotely triggered blackholing (RTBH) discards all traffic to the victim prefix, so it completes the denial of service for that address and protects the rest of the network; BGP Flowspec, where the ISP supports it, can drop only the matching traffic.
  5. Post-Attack Analysis: Review logs to identify the botnet source and improve defenses (e.g., patching or isolating vulnerable IoT devices, and enabling egress filtering so your own hosts cannot send spoofed packets).
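Steps 1 and 2 are where most teams struggle, because a flow collector shows numbers, not verdicts. The following is an added example written for this guide, not the page's own code or any vendor's: it takes one window of NetFlow/IPFIX-style records for a target and reports which of the three families is present, using the signatures the steps describe (raw bit rate for volumetric, lone-SYN flows from many distinct sources for a SYN flood, and completed web sessions far above normal per source for an HTTP flood). The record layout, the thresholds and the sample traffic are all constructed for the example.

```python
# Added example (not from the page): classify one window of NetFlow/IPFIX-style
# records for a target into the three DDoS families the guide lists. The record
# layout, thresholds and sample traffic are constructed for this example.
from collections import Counter
from dataclasses import dataclass

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10   # TCP flag bits as exported in flow records
COMPLETE = SYN | ACK | FIN                     # a session that got past the handshake


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int           # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0   # OR of all flags seen in the flow


# Thresholds are assumptions for a small web server; derive real ones from your baseline.
VOLUMETRIC_BPS = 500_000_000      # sustained bits/s to the target
SYN_ONLY_FLOWS = 5_000            # single-SYN flows per window
SYN_SRC_DIVERSITY = 0.9           # spoofed floods look like one source per flow
WEB_SESSIONS_PER_SRC = 200        # completed HTTP(S) sessions per source per window


def classify(flows, target, window_s):
    """Return (verdicts, metrics) for traffic to `target` in a window of `window_s` seconds."""
    to_target = [f for f in flows if f.dst == target]
    verdicts, metrics = [], {}

    # 1. Volumetric: raw bit rate regardless of protocol.
    metrics["bps"] = sum(f.octets for f in to_target) * 8 / window_s
    if metrics["bps"] > VOLUMETRIC_BPS:
        verdicts.append("volumetric")

    # 2. Protocol (SYN flood): many flows consisting of a lone SYN, nearly all
    #    from distinct (usually spoofed) sources.
    syn_only = [f for f in to_target if f.proto == 6 and f.tcp_flags == SYN and f.packets == 1]
    metrics["syn_only_flows"] = len(syn_only)
    metrics["syn_src_diversity"] = len({f.src for f in syn_only}) / max(len(syn_only), 1)
    if len(syn_only) > SYN_ONLY_FLOWS and metrics["syn_src_diversity"] > SYN_SRC_DIVERSITY:
        verdicts.append("protocol:syn_flood")

    # 3. Application layer (HTTP flood): sessions that complete the handshake and
    #    look legitimate one by one, but far too many of them per source.
    sessions = Counter(f.src for f in to_target
                       if f.proto == 6 and f.dport in (80, 443) and (f.tcp_flags & COMPLETE) == COMPLETE)
    heavy = sorted(src for src, n in sessions.items() if n > WEB_SESSIONS_PER_SRC)
    metrics["http_flood_sources"] = heavy        # feeds the blocking step directly
    if heavy:
        verdicts.append("application:http_flood")
    return verdicts, metrics


def sample_window(udp_reflection=False):
    """Constructed 10-second window: normal traffic, a SYN flood and an HTTP flood,
    optionally with a reflected-UDP volumetric flood as well."""
    target = "198.51.100.10"
    flows = []
    for i in range(300):                                   # normal browsers, 1-2 sessions each
        flows.append(Flow(f"203.0.113.{i % 200 + 1}", target, 6, 443, 40, 25_000, SYN | ACK | PSH | FIN))
    for i in range(20_000):                                # spoofed single-SYN flows
        flows.append(Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", target, 6, 443, 1, 60, SYN))
    for bot in range(5):                                   # 5 bots, 1,000 full sessions each
        flows += [Flow(f"192.0.2.{bot + 1}", target, 6, 80, 12, 6_000, SYN | ACK | PSH | FIN)] * 1_000
    if udp_reflection:                                     # 2,000 reflectors, about 1.1 GB in the window
        for i in range(2_000):
            flows.append(Flow(f"172.16.{i >> 8}.{i & 255}", target, 17, 30_000 + i, 400, 560_000))
    return flows
```

The HTTP-flood list is the only one worth feeding into a block list; the SYN-flood sources are spoofed and blocking them achieves nothing, which is why that case is answered with SYN cookies and the volumetric case with upstream scrubbing.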

2. Defending Against ARP Spoofing

  1. Use Static ARP Entries: Manually map IP to MAC for critical devices (gateways, servers), e.g., with arp -s; static entries are not overwritten by ARP replies. This does not scale beyond a handful of hosts, so treat it as a point defense.
  2. Use ARP Monitoring Tools:
      • arpwatch (Linux) – Logs and alerts on new or changed IP-to-MAC mappings.
      • XArp (Windows) – Detects spoofing attempts.
  3. Harden the Switch: Enable Dynamic ARP Inspection (DAI) with DHCP snooping so the switch drops ARP replies that disagree with the DHCP lease table; this is the control that actually stops spoofing. Port security (limiting MAC addresses per port, e.g., Cisco switchport port-security) mainly stops MAC flooding, the related attack that turns a switch into a hub.
  4. Use Encryption: VPNs (IPsec, OpenVPN) or TLS keep traffic confidential even when it is redirected through an attacker.
  5. Segment Networks: Use VLANs to shrink the broadcast domain; ARP spoofing only reaches hosts on the same Layer 2 segment.
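The monitoring and static-entry steps above come down to one piece of logic: keep a trusted IP-to-MAC table and alert when the wire disagrees with it. The following is an added example written for this guide, not the page's code and not arpwatch itself: an arpwatch-style watcher fed with ARP replies that refuses to overwrite static (trusted) entries, alerts on changed mappings, and flags one MAC claiming several IPs, which is the signature of an attacker poisoning both the gateway and the victim. The addresses and the sequence of replies are constructed; a real deployment would read the replies from the wire with libpcap.

```python
# Added example (not from the page): an arpwatch-style detector applying the
# guide's defenses in software. Addresses and the reply sequence are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str     # the IP the sender claims to own
    sender_mac: str    # the MAC it wants others to use for that IP


class ArpWatcher:
    def __init__(self, static_entries=None):
        # ip -> mac. Static entries (gateway, servers) are trusted and never overwritten,
        # the software equivalent of an 'arp -s' static ARP entry on a host.
        self.table = dict(static_entries or {})
        self.static = frozenset(self.table)
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Learn or check one ARP reply; return an alert tuple or None."""
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac      # first sighting: learn it
            return None
        if known == reply.sender_mac:
            return None                                        # consistent with what we know
        if reply.sender_ip in self.static:
            kind = "static-entry-violation"                    # someone is impersonating a protected host
        else:
            kind = "changed-mac"                               # flip-flop: DHCP churn or spoofing
            self.table[reply.sender_ip] = reply.sender_mac
        alert = (kind, reply.sender_ip, known, reply.sender_mac, reply.ts)
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self, replies):
        """From a batch of replies, map each MAC to the IPs it has claimed (if more than one)."""
        claims = defaultdict(set)
        for r in replies:
            claims[r.sender_mac].add(r.sender_ip)
        return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


def sample_replies():
    """Constructed capture: the gateway and a host answer normally, then an
    attacker poisons both directions of the conversation."""
    gw, victim, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:50", "cc:cc:cc:cc:cc:99"
    return [
        ArpReply(0.0, "192.168.1.1", gw),
        ArpReply(1.0, "192.168.1.50", victim),
        ArpReply(2.0, "192.168.1.1", gw),
        ArpReply(5.0, "192.168.1.1", attacker),    # "the gateway is at my MAC"
        ArpReply(5.1, "192.168.1.50", attacker),   # "the victim is at my MAC"
        ArpReply(5.2, "192.168.1.77", attacker),   # the attacker's own, legitimate address
    ]


def demo():
    watcher = ArpWatcher(static_entries={"192.168.1.1": "aa:aa:aa:aa:aa:01"})
    replies = sample_replies()
    for r in replies:
        watcher.observe(r)
    return {
        "alert_kinds": [a[0] for a in watcher.alerts],
        "gateway_mac_after": watcher.table["192.168.1.1"],   # static entry survived the forgery
        "multi_ip_macs": watcher.macs_claiming_multiple_ips(replies),
    }
```

The changed-mac alert needs tuning in real networks (DHCP lease reuse and VRRP failover also change mappings); the static-entry violation and the one-MAC-many-IPs pattern are the high-confidence signals. On managed switches, Dynamic ARP Inspection performs this comparison against the DHCP snooping table and drops the offending frame instead of merely alerting.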

3. Preventing DNS Poisoning

  1. Use DNSSEC (DNS Security Extensions):
      • Signs zone data so a validating resolver can verify that a response was not forged or altered in transit.
      • Tools: BIND, PowerDNS, Cloudflare DNSSEC. DNSSEC only helps if the zone is signed and your resolver validates; it authenticates answers but does not encrypt queries.
  2. Harden DNS Servers:
      • Disable recursion for external clients (an open resolver is both a poisoning target and an amplification reflector).
      • Restrict zone transfers (AXFR) to authorized secondaries with ACLs.
      • Keep resolvers current: randomized transaction IDs and source ports (RFC 5452) make blind cache poisoning impractical, and a resolver must discard records outside the answering server's zone.
  3. Deploy DNS Filtering:
      • Use Cisco Umbrella, OpenDNS, or Quad9 to block known-malicious domains at resolution time.
  4. Monitor DNS Logs:
      • Look for queries to known-malicious or newly registered domains, a single host generating unusually many queries, or long TXT and subdomain queries that suggest DNS tunneling.
  5. Use HSTS: Forcing HTTPS blocks SSL stripping, so a user sent to the wrong address by a poisoned answer gets a certificate error rather than a clean fake page. HSTS limits the damage of poisoning; it does not prevent it.
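The hardening step above says a resolver should match transaction ID, port and question and should ignore out-of-zone records; those are the checks from RFC 5452 that make blind cache poisoning impractical, and they are worth seeing as code. The following is an added example written for this guide, not the page's own code and not any resolver's implementation: a minimal resolver that accepts a reply only if its ID, destination port, source address and question match an outstanding query, caches only records inside the answering server's bailiwick, and drops replays. DNSSEC signature validation would sit on top of these checks and is not modelled. The names, addresses and the forgery sequence are constructed.

```python
# Added example (not from the page): the resolver-side checks from RFC 5452
# against off-path cache poisoning. DNSSEC validation is not modelled.
# Names, addresses and the replay scenario are constructed for the example.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    sport: int        # our source port; the reply must come back to it
    server_ip: str    # the server we asked
    zone: str         # zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int
    src_ip: str
    qname: str
    qtype: str
    records: tuple    # answer + additional sections flattened into Record objects


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def forgery_search_space(port_randomized: bool) -> int:
    """(txid, port) pairs a blind attacker must cover: the 16-bit ID alone, or ID x ephemeral ports."""
    return (1 << 16) * (64512 if port_randomized else 1)   # ports 1024..65535 = 64,512


class Resolver:
    def __init__(self, seed=None):
        self.rng = random.Random(seed)   # seeded for a repeatable demo; real resolvers use a CSPRNG
        self.pending = {}                # (txid, sport) -> PendingQuery
        self.cache = {}                  # (name, rtype) -> value

    def send_query(self, qname, qtype, server_ip, zone):
        while True:   # random 16-bit ID and random ephemeral port, not shared with another query
            key = (self.rng.randrange(1 << 16), self.rng.randrange(1024, 65536))
            if key not in self.pending:
                break
        self.pending[key] = PendingQuery(key[0], key[1], server_ip, zone, qname, qtype)
        return self.pending[key]

    def receive(self, resp: Response) -> str:
        q = self.pending.get((resp.txid, resp.dport))
        if q is None:
            return "drop:txid/port mismatch"
        if resp.src_ip != q.server_ip:
            return "drop:unexpected source"
        if (resp.qname.lower(), resp.qtype) != (q.qname.lower(), q.qtype):
            return "drop:question mismatch"
        for r in resp.records:
            if in_bailiwick(r.name, q.zone):            # glue for other zones is never cached
                self.cache[(r.name.lower(), r.rtype)] = r.value
        del self.pending[(resp.txid, resp.dport)]        # one answer per query; replays are dropped
        return "accepted"


def demo():
    """One query, three forgeries, then the real answer carrying a poisoned extra record."""
    r = Resolver(seed=7)
    q = r.send_query("www.example.com", "A", "192.0.2.53", "example.com")
    good = Record("www.example.com", "A", "198.51.100.5")
    poison = Record("login.bank.test", "A", "203.0.113.66")   # out of bailiwick for example.com
    results = {
        "wrong_txid": r.receive(Response((q.txid + 1) & 0xFFFF, q.sport, "192.0.2.53", q.qname, "A", (poison,))),
        "wrong_port": r.receive(Response(q.txid, (q.sport + 1) & 0xFFFF, "192.0.2.53", q.qname, "A", (poison,))),
        "wrong_src": r.receive(Response(q.txid, q.sport, "203.0.113.66", q.qname, "A", (poison,))),
        "real": r.receive(Response(q.txid, q.sport, "192.0.2.53", q.qname, "A", (good, poison))),
    }
    results["replay"] = r.receive(Response(q.txid, q.sport, "192.0.2.53", q.qname, "A", (good, poison)))
    results["cache"] = dict(r.cache)
    return results
```

The source-address check is the weakest of the four, since an off-path attacker can spoof it; the work factor comes from the ID and port together, which forgery_search_space shows jumping from 65,536 to over four billion combinations once ports are randomized. Only DNSSEC removes the guessing game entirely.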

Common Mistakes

  • Mistake: Confusing DoS with DDoS.
  • Correction: DoS = single source; DDoS = distributed (botnet). DDoS is harder to block because traffic comes from many IPs.

  • Mistake: Thinking ARP spoofing only works on Wi-Fi.

  • Correction: ARP spoofing works on any local network (wired or wireless) because ARP is a Layer 2 protocol; what the attacker needs is a position on the same broadcast domain as the victim, not a particular medium.

  • Mistake: Assuming DNS poisoning only affects public DNS servers.

  • Correction: Attackers can poison local DNS caches (e.g., on a corporate resolver or even a single machine).

  • Mistake: Believing firewalls alone stop DDoS attacks.

  • Correction: Firewalls can block some attacks (e.g., SYN floods, with SYN cookies or rate limits), but a volumetric attack saturates the link upstream of the firewall, so it requires cloud-based scrubbing or ISP intervention.

  • Mistake: Ignoring application-layer DDoS (e.g., HTTP floods).

  • Correction: These attacks mimic legitimate traffic and require WAFs (Web Application Firewalls) or rate limiting at the app layer.

Certification Exam Tips

CISSP

  • Management vs. Technical: CISSP focuses on risk management (e.g., "Which control best mitigates DDoS risk?") rather than technical details (e.g., "How to configure a firewall for SYN floods").
  • Key Concepts:
  • DDoS: Understand business impact (e.g., loss of revenue, reputation damage) and mitigation strategies (cloud scrubbing, BGP blackholing).
  • ARP Spoofing: Know it’s a Layer 2 attack and how port security or static ARP entries mitigate it.
  • DNS Poisoning: DNSSEC is the gold standard for prevention.

Security+

  • Question Patterns:
  • "Which attack redirects traffic by corrupting ARP tables?" → ARP spoofing.
  • "Which protocol prevents DNS cache poisoning?" → DNSSEC.
  • "What's the primary goal of a DDoS attack?" → Disrupt availability.
  • Tricky Distinction: DoS vs. DDoS – DDoS is distributed (multiple sources).

CEH

  • Hands-On Focus: Expect questions on tools (e.g., "Which tool performs ARP spoofing?" → Ettercap).
  • Attack Chains: CEH may ask how attacks combine (e.g., ARP spoofing → MITM → SSL stripping).
  • Defenses: Know specific commands (e.g., arp -a to view the ARP cache, arp -s to add a static entry). The textbook iptables rule for SYN floods is iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT followed by iptables -A INPUT -p tcp --syn -j DROP; the ACCEPT line does nothing on its own unless a DROP rule follows it, and 1/s is far too low for a real server, where the usual control is the kernel setting net.ipv4.tcp_syncookies=1.

Quick Check Questions

1. A security analyst detects an unusual spike in outbound DNS queries from multiple internal hosts to an external IP. Which attack is most likely occurring?

  • A) ARP spoofing
  • B) DNS amplification DDoS
  • C) SYN flood
  • D) SSL stripping
  Answer: B) DNS amplification DDoS. Explanation: In a DNS amplification attack the bots send a high rate of small queries, with the source address spoofed to the victim, to open resolvers, which return much larger responses to the victim. A sudden burst of outbound DNS from many internal hosts toward one external resolver is what that looks like from inside a network whose hosts have been recruited into the botnet; the other options are not DNS traffic at all (ARP spoofing is Layer 2, a SYN flood is TCP, SSL stripping is an HTTP downgrade). Egress filtering that blocks spoofed source addresses (BCP 38) stops your hosts from being used this way.

2. An attacker in a coffee shop intercepts a victim’s HTTPS traffic by redirecting them to a fake login page. Which attack was likely used first?

  • A) DNS poisoning
  • B) ARP spoofing
  • C) SYN flood
  • D) MAC flooding
  Answer: B) ARP spoofing. Explanation: ARP spoofing allows the attacker to position themselves as a MITM, enabling further attacks like SSL stripping or DNS spoofing.

3. Which of the following is the BEST defense against DNS cache poisoning?

  • A) Enabling HSTS
  • B) Implementing DNSSEC
  • C) Using a stateful firewall
  • D) Disabling ICMP redirects
  Answer: B) Implementing DNSSEC. Explanation: DNSSEC validates DNS responses with digital signatures, preventing spoofed records.

Last-Minute Cram Sheet

  1. DDoS = Distributed Denial of Service (botnet attack). DoS = single source.
  2. ARP Spoofing = Layer 2 attack linking attacker’s MAC to victim’s IP. Defense: Static ARP, port security.
  3. DNS Poisoning = Corrupts DNS cache to redirect users. Defense: DNSSEC, HSTS.
  4. MITM = Man-in-the-Middle (e.g., ARP spoofing + SSL stripping).
  5. DNS Ports: UDP 53 (queries), TCP 53 (zone transfers).
  6. SYN Flood = Exploits TCP handshake. Defense: SYN cookies, rate limiting.
  7. Amplification Attack = small request, large response, reflected off third-party servers to a spoofed victim address (e.g., DNS, NTP).
  8. Botnet = Network of compromised devices (C2 server). Example: Mirai, Emotet.
  9. ARP Spoofing vs. MAC Flooding: ARP spoofing forges IP-to-MAC bindings in hosts' caches; MAC flooding overloads the switch CAM table so the switch fails open and floods frames to every port.
  10. DNSSEC vs. DNS over HTTPS (DoH): DNSSEC authenticates records with signatures; DoH encrypts the query channel between client and resolver. Neither replaces the other.