Cybersecurity Terms


Remote Access Trojan (RAT)

A Trojan that also gives the threat agent unauthorized remote access and control to the victim's computer by using specially configured communication protocols.

Watering Hole Attack

A computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected.

VPC Flow Logs (AWS)

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

packet-filtering / stateless firewall

A firewall that examines each packet and determines whether to let the packet pass. To make this decision, it examines the source IP address, the destination IP address, TCP/UDP source and destination port numbers, ICMP message type, and TCP SYN and ACK bits.

Software as a Service (SaaS)

A form of cloud computing where a firm subscribes to third-party software and receives a service that is delivered online - a third party hosting an application and making it available on the Internet (e.g. Netflix, Gmail, Dropbox)

Correlation rule

A logical expression that causes the system to take a specific action if a particular event occurs. In other words, it is a condition (or set of conditions) that functions as a trigger. Ex: If a user fails more than three login attempts on the same computer within an hour, trigger an alert.

DNS Tunneling

A method of inserting covert communications in DNS traffic that is received by an attacker-controlled C2 server. A method of data exfiltration in which the data of programs and protocols is encoded in DNS queries and responses.

DHCP (Dynamic Host Configuration Protocol)

A network management protocol used to automate the process of configuring devices on IP networks, thus allowing them to use network services such as DNS, NTP, and any communication protocol based on UDP or TCP. A _________________ server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks. A protocol for assigning dynamic, or temporary, IP addresses to devices.

Proxy firewall / application-level firewall (application-level gateways)

A network security system that protects network resources by filtering messages at the application layer. It basically acts as an intermediary server between in-house clients and servers on the Internet. The difference is that in addition to intercepting Internet requests and responses, a proxy firewall also monitors incoming traffic for layer 7 protocols, such as HTTP. In addition to determining which traffic is allowed and which is denied, a proxy firewall uses stateful inspection technology and deep packet inspection to analyze incoming traffic for signs of attack.

Subdomains / lower-level domains

A portion of a URL that usually indicates a specific subdivision or server within a large site. (e.g. support.acme.com)

DNS zone

A portion of the DNS namespace for which one organization is assigned authority to manage.

IronDefense Front-end Appliance (IronSensor)

Ingests raw network traffic, parses network protocols, performs deep packet inspection, generates custom session metadata (IronFlows), and locally stores full-capture indexed PCAP. Can also ingest specific network infrastructure log types to aid analysis. It processes network metadata and full packet-capture (PCAP) on enterprise physical, cloud, and virtual traffic, enabling security teams to gain real-time threat detection of known and unknown threats at scale.

IronVue

IronDefense's graphical user interface that provides access to alerts generated by big data analytics, behavioral modeling, IronDome events, and customer-provided threat feeds. Cutting-edge graphical displays help you visualize the data in your network. High-speed queries of alerts and events along with packet data collection provide resources to quickly investigate suspicious network traffic.

Cobalt Strike

It has become one of the most prevalent threat emulation software packages used by red teams. Unfortunately, its combination of multiple exploitation techniques also makes it a platform of choice by attackers. Common antivirus (AV) systems, which focus on security data, often miss it because the platform uses numerous techniques to evade detection. The platform implements two main techniques to avoid detection by mainstream AV systems. It 1) obfuscates the shellcode and 2) leverages a domain-specific language called Malleable Command and Control (Malleable C2).

Cyber kill chain and its stages

It is a never-ending cycle that adversaries use until they succeed in their objectives. Stages: reconnaissance, access, command and control (C2), and action

HTTPS (Hypertext Transfer Protocol Secure)

It is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites as well as some other web services. Any website that uses it is therefore employing TLS encryption.

SSL/TLS handshake

It is the process that kicks off a communication session that uses TLS encryption. During this process, the two communicating sides exchange messages to acknowledge each other, verify each other, establish the encryption algorithms they will use, and agree on session keys. This process is a foundational part of how HTTPS works.

Collective Defense

Multiple IronDefense systems can be linked together to form a collective security capability called IronDome. IronDome delivers broad threat insights and cybersecurity visibility, enabling the identification of threats that are difficult to identify by any single enterprise working in isolation. IronDome offers automated data and knowledge sharing between participants, threat intelligence generation, and group-wide real-time visibility into attack trends. IronDome can be applied at a government level to provide capability across several departments or ministries, and/or at the private sector level for community, MSSP, or supply chain operations.

PCAP

Packet Capture; an application programming interface (API) that captures live network packet data from OSI model Layers 2-7. Network analyzers like Wireshark create .pcap files to collect and record packet data from a network. These PCAP files can be used to view TCP/IP and UDP network packets. If you want to record network traffic, then you need to create a .pcap file. PCAP is a valuable resource for file analysis and for monitoring your network traffic.

Key benefits of IronDefense

Superior behavioral detection; unparalleled scalability; real-time visibility across your threat landscape; unparalleled expertise - Get real-time situational awareness down to the packet level across your organization's information environment. - Leverage behavior-based alerting that learns over time as models become more in tune to an organization's normal network traffic. - Run petabyte-scale big data analytics, focused on detecting attacks well before incurring catastrophic loss.

Time To Live (TTL)

The DNS records are stored in cache for a period of time called _____________________, defined in the configuration of each DNS record - cached data must eventually time out in order to force name servers to evaluate possible changes. Each RR has a __________ value, which governs how long another name server may cache that record. These range from seconds to hours to days. The administrator of the zone that contains the record decides on the __________. When the __________ reaches 0, the name server deletes the record.

DNS resolver

The client side of DNS; it is a server designed to receive DNS queries from web browsers and other applications. It receives a hostname - for example, www.example.com - and is responsible for tracking down the IP address for that hostname. When it receives the IP, the query is resolved. These, unlike name servers, are not usually separate pieces of software - they're often part of an operating system such as Windows, Mac OS X or iOS.

IronDefense advanced analytics

The distinguishing feature of IronDefense is its suite of predictive models and behavioral analytics that identify network activity consistent with advanced threats operating on the network. When such behaviors are identified on the network, IronDefense generates an event that contains all relevant information about the specific behavior. Each event is then passed to the IronDefense Expert System for enrichment and scoring.

HTTP (Hypertext Transport Protocol)

The protocol that dictates how a Web browser communicates with a Web server. It is the foundation of the World Wide Web, and is used to load web pages using hypertext links. It is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack. A typical flow over this involves a client machine making a request to a server, which then sends a response message.

DNS Root Zone

The root of the DNS system, represented by a dot at the end of the domain name—for example, www.example.com.—is the primary DNS zone. It is overseen by the Internet Corporation for Assigned Names and Numbers (ICANN). It is operated by 13 logical servers, run by organizations like Verisign, the U.S. Army Research Labs and NASA. Any recursive DNS query starts by contacting one of these, and requesting details for the next level down the tree—the Top Level Domain (TLD) server.

kernel

core of the operating system; manages the system by interacting directly with the hardware

structured data

data that has been organized in a formatted repository, typically a database, so that its elements can be made addressable for more effective processing and analysis

semi-structured data

data that has not been organized in a specialized repository, but that nevertheless has associated info, like metadata, that makes it more amenable to processing than raw data

stateless inspection

each packet is inspected one at a time with no knowledge of previous packets - source IP address is examined against access control list to determine if access is allowed

stateful inspection

each packet is inspected with knowledge of all the other packets that have been sent/received from the same session (session = consists of all packets exchanged between parties during an exchange)

Principle of Least Privilege

giving user access to only what they need - why? better system stability, better system security, and ease of deployment

unstructured data

information, in many different forms, that has not been organized into a format that makes it easier to access and process (in reality, very little data is completely unstructured)

Data minimization

involves limiting data collection to only what is required to fulfill a specific purpose. When an organization applies this, any processing (the analysis of data to produce meaningful insight) they do will only use the least amount of data necessary.

trojan

malware that appears to be a valid application or part of the computer's operating system, but is actually malicious. It typically has the same name as the operating system module it replaces. (deceptive software)

A network request

1. A user enters a URL, which contains a hostname, into a browser. 2. The operating system does a DNS lookup on the hostname. 3. A TCP connection, based on the IP addresses from the lookup, is made between the two machines.

security updates, critical (high priority) updates, software updates, service packs

4 types of updates for Windows OSes

Non-recursive query

A query in which the DNS resolver already knows the answer. It either immediately returns a DNS record because it already stores it in local cache, or queries a DNS name server which is authoritative for the record, meaning it definitely holds the correct IP for that hostname. In an iterative DNS query, each DNS server queried responds directly to the client with the address of another DNS server to ask, and the client continues querying DNS servers until one of them responds with the correct IP address for the given domain. The client tells the DNS resolver, "Hey, I need the IP address for this domain. Please let me know the address of the next DNS server in the lookup process so I can look it up myself."

stuxnet

A recombinant virus that was designed specifically to target the uranium centrifuge facility in Iran. It was the first widely known weaponized virus used by a country, although others have preceded it. It is interesting because of two features—it was designed as an offensive weapon, and it is recombinant—made from several other software fragments. The recombinant nature of it is perhaps its most serious property, because it means malicious software of the future will mutate into more powerful and sophisticated threats. It targeted the industrial control system for the uranium centrifuge, gave it commands to speed up, destabilizing and destroying the centrifuges; however, it was sophisticated in that they were able to do this without the employees being able to see that something was wrong or being manipulated.

resource record (RR)

A record that holds information associated with the domain name - units of data stored in the DNS namespace; They are the basic building blocks of host-name and IP information and are used to resolve all DNS queries

endpoint

A remote computing device that communicates back and forth with a network to which it is connected. Examples include desktops and laptops.

Cipher suite

A set of encryption algorithms for use in establishing a secure communications connection. (An encryption algorithm is a set of mathematical operations performed on data for making data appear random.) There are a number of these in wide use, and an essential part of the TLS handshake is agreeing upon which ____________ will be used for that handshake.

Splunk

A software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business.

recursive query

A solution that repeatedly calls upon itself - In a recursive lookup, a DNS server does the recursion and continues querying other DNS servers until it has an IP address to return to the client (often a user's operating system). The client does a form of delegation - It tells the DNS resolver, "Hey, I need the IP address for this domain, please hunt it down and don't get back to me until you have it."

Domain fronting

A technique attackers use for hiding their command and control traffic to infected computers by masquerading as traffic to trusted servers hosted behind Content Delivery Networks (CDNs). This concept can seem confusing, but when boiled down to its core, it's simple: there are two "addresses" for the command and control server and the attacker mismatches them in a careful way. A technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernible to third parties monitoring the requests and connections

brute force attack

An attack based on trial and error - An attack on passwords or encryption that tries every possible password or encryption key.

SSL Certificate

An electronic document that confirms the identity of a website or server and verifies that a public key belongs to a trustworthy individual or company - lays down an encrypted, secure communication channel between the client browser and the server. This means that the next time you visit the site, the connection will be established over HTTPS using port 443.

zero-day exploit

An exploit that takes advantage of a software vulnerability that hasn't yet become public, and is known only to the hacker who discovered it. These are particularly dangerous because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it.

Keylogger

Any hardware / software that records every keystroke made by a user

SYN Flooding

attacker establishes many bogus TCP connections, so there are no resources left for 'real connections' - form of denial of service attack in which synchronization packets are repeatedly sent to every port on the server

The hierarchical DNS System

Converts URLs into IP addresses. DNS security is extremely tight and the root DNS servers are kept in hidden locations because if a flaw or malware attack on a DNS server succeeds in changing the correspondence between URL and IP address, the Internet is essentially rewired.

IronDefense integrated hunt capability

Enables seamless pivot from alerting to investigation by providing on-demand full-session packet retrieval and integrated data enrichments to help investigate threats at the "speed of thought." Additionally, it offers ad-hoc query capability across all parsed protocol attributes stored within IronDefense to help identify the breadth of specific activities, or to proactively hunt for activities of interest.

Ransomware process

Deployment; installation; command and control (C2); destruction; extortion

top-level domain

Domains (including .net, .org, .com, .mil, and country codes) at the end of a domain name are the highest level of the domain name hierarchy.

HTTPS (HTTP Secure server) and SSL (Secure Socket Layer)

HTTPS appears in the URL when a website is secured by an SSL certificate. It should be used instead of HTTP when security is important. HTTPS/SSL encrypts transmissions between the server and the Web browser.

stateful firewall

Have state tables that allow the firewall to compare current packets with previous packets - Inspects traffic leaving the inside network as it goes out to the Internet. Then, when returning traffic from the same session (as identified by source and destination IP addresses and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic. The process of inspecting traffic to identify unique sessions is called stateful inspection.

Lateral movement

Mechanism whereby an attacker uses a presence on a compromised internal system to access additional internal systems within a network. Refers to the techniques that a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools. It is a key tactic that distinguishes today's advanced persistent threats (APTs) from simplistic cyberattacks of the past. After gaining initial access to an endpoint, such as through a phishing attack or malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached. There are three main stages: reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.

IronDefense Back-end Stack

Receives IronFlow metadata from the front-end appliances (and optionally infrastructure log data) and analyzes it using a suite of advanced analytics. It then presents the analytic results to the user through the IronVue user interface. Stores IronFlow metadata for an integrated hunt capability.

Firewalls

Protection mechanisms that isolate orgs' internal networks from the larger internet allowing some packets to pass and blocking others - a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

Behavioral-based network security

Provides improved detection of unauthorized intrusion attempts, data breaches, and insider network activity, regardless of the tool, technique, or procedure used by malicious or negligent users. IronDefense, which continues to evolve, uses a combination of baseline models, clustering, and microclusters to optimize the benefits of behavioral modeling.

Domain zones

Second-level domains like the domain "ns1.com" are defined as separate DNS zones, operated by individuals or organizations. Organizations can run their own DNS name servers, or delegate management to an external provider (e.g. WordPress). If a domain has subdomains, they can be part of the same zone. Alternatively, if a subdomain is an independent website and requires separate DNS management, it can be defined as its own DNS zone.

IronDefense Expert System

Solves a challenge that other behavioral-based tools are unable to overcome - accurately scoring and prioritizing identified behaviors to eliminate analyst alert fatigue. It orchestrates the acquisition of enrichment data for every identified event and then applies IronNet tradecraft cyber expertise to effectively score the severity of each event and produce a prioritized list of alerts for the SOC analyst. This orchestration and prioritization replaces hours of human effort and delivers actionable results for the SOC. Each alert can then be triaged and investigated within IronVue using the integrated hunt capability.

IPv4 (Internet Protocol version 4)

The first version of IP and the dominant protocol for routing traffic on the Internet. It is a 32-bit IP address that specifies "to" and "from" addresses using dotted decimal notation such as "122.45.255.0". It is a connectionless protocol.

access

The intruder accesses the target's network. To be successful, an attacker would typically need to complete the following stages:
• Weaponization: The intruder creates a remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
• Delivery: The intruder transmits the weapon to a target via e-mail, website, or USB drive.
• Exploitation: The malware weapon's program code triggers, acting on the target network to exploit.
• Installation: The malware weapon installs an access point or backdoor to be used by the intruder.

reconnaissance

The intruder selects, researches, and/or scans one or more targets to identify network vulnerabilities.

IPv6 (Internet Protocol version 6)

The most recent version of IP, created with the aim of resolving issues associated with IPv4. It is a 128-bit IP address, and it provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written in colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".

Domain Name System (DNS)

The phonebook of the Internet. It translates domain names to IP addresses so browsers can load Internet resources.

Beaconing

The practice of sending short and regular communications from an infected host to an attacker-controlled host (C2 server) to communicate that the infected host malware is alive, functioning, and ready for instructions. The C2 server hosts instructions for the malware, which are then executed on the infected machine after the malware checks in. How frequently the malware checks in, and what methods it uses for this communication are typically configured by the attacker. (However, it does not have to be malicious - It is a communication characteristic. It's not good or evil, but just a way of describing the communication flow.)

IronDefense

The primary analytics, hunt, and mitigation platform maintaining visibility on the cyber activities of all entities communicating over the network segments where IronSensors have been placed. It performs enrichment and further backend analytics on the IronFlow metadata it receives and provides higher level scoring, alerting, hunt, and mitigation on both events and entities.

Port 443

The standard port for HTTPS traffic - When we use a TLS certificate, the communication channel between the browser and the server gets encrypted to protect all sensitive data exchanges. All such secure transfers are done using this port. A TLS connection typically uses this port. When your browser makes an HTTPS connection, a TCP request is sent via this port.

TLD Zones

There is a DNS zone for each Top Level Domain, such as ".com", ".org" or country codes like ".co.uk". There are currently over 1500 top level domains, most of which are managed by ICANN/IANA.

Transport Layer Security (TLS)

This cryptographic protocol encrypts internet traffic of all types, providing secure communications over a computer network. The most common is web traffic; you know your browser is connected via this protocol if the URL in your address bar starts with "https". It is a data encryption technology used for securing data transmitted over the Internet. It succeeded SSL. There are three main components to what this protocol accomplishes: Encryption, Authentication, and Integrity.

second-level domain

Unique name within a top-level domain (such as Yahoo.com, Whitehouse.gov, Unesco.org)

Domain Generation Algorithms (DGA)

Used to dynamically identify a destination domain for C2 traffic rather than relying on a list of static IP addresses or domains. The means for malicious code to identify and rendezvous with C2 servers to avoid being blocked or other defensive measures. Attackers often use __________ to create new domains to receive call back communications from an infected host. These domains are constantly replaced with new ones to avoid detection.

buffer overflow attack

When the amount of data entered into a program is greater than the size of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system. Essentially, this exploit uses the fact that a computer does not know the difference between data and program code. In this type of exploit, a virus, disguised as data, is sent from the attacker to the victim, but once it arrives at the target computer, it turns into a malicious program. What was thought to be data actually turns out to be a malicious program.

Authoritative Name Server

a DNS server that has a single zone and knows the IP address of all the computers in its domain. Usually, it is the resolver's last step in the journey for an IP address. It provides the actual answer to your DNS queries, such as a mail server IP address or web site IP address (A resource record). It provides original and definitive answers to DNS queries. It does not provide merely cached answers that were obtained from another name server. Therefore it only returns answers to queries about domain names that are installed in its configuration system.

Platform as a Service (PaaS)

a category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app (e.g. Windows Azure, Google App Engine)

shell

a computer program which exposes an operating system's services to a human user or other program. It is an interface designed for users to interact directly with the kernel.

Network security group (NSG) flow logs (Microsoft Azure)

a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice.

backdoor

a program a cyber thief can store on a cracked system for use at a later time, which the hacker activates from outside the security zone of the cracked system. The program may lie dormant for a long period of time before it is activated, or activate itself periodically. It can look like an authorized part of the system but instead becomes destructive.

virus

a self‐replicating malware that is activated by an authorized owner or operator of a computer system

Rootkit

a set of software tools that enable an unauthorized user to gain control of a computer system without being detected - a Trojan that gets past the security checkpoints of your operating system and lies in wait for a command from the criminal to take control of the victim computer. Perhaps the worst type of exploit, because it yields complete control of a computer to a hacker and requires an entire rebuild of the victim computer to remove.

Virtual Private Cloud (VPC)

a subset of a public cloud that has highly restricted, secure access. An on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resources.

Ransomware

a type of malicious software that infects the host with code that restricts the access to the computer or the data on it - attacker demands a ransom to be paid to get data/access back - if not paid in time, the data is often destroyed

port

a virtual numbered address that's used as a communication endpoint by transport layer protocols like UDP or TCP. These direct traffic to the right places — i.e., they help the devices involved identify which service is being requested.

database query language

allows an admin to interact with the database (e.g. SQL)

JARM

an active Transport Layer Security (TLS) server fingerprinting tool. It quickly verifies that all servers in a group have the same TLS configuration. It works by actively sending 10 TLS Client Hello packets to a target TLS server and capturing specific attributes of the TLS Server Hello responses. The aggregated TLS server responses are then hashed in a specific way to produce the ___________ fingerprint. These fingerprints can be used to: - Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Apple, for example. - Identify default applications or infrastructure. - Identify malware C2 infrastructure and other malicious servers on the Internet.

Linux

an open-source version of the UNIX operating system - an open-source operating system licensed under the General Public License (GPL), which guarantees end users have freedom to run, study, share, and modify the software

logic bombs

piece of code that lies dormant until set off by a trigger (or when specific conditions are met) and performs a malicious act, often erasing data or corrupting systems

penetration testing (pentest) / ethical hacking

practice of testing a computer system, network application, web app, or software app to find security vulnerabilities that an attacker could exploit to gain unauthorized access to a system/app

hash function

provides encryption without a key - using an algorithm, a variable-length plaintext is 'hashed' into a fixed-length hash value (called a hash or message digest). If the hash of a plaintext changes, the plaintext itself has changed (provides integrity verification). Weakness: these are prone to collisions, meaning two different plaintexts can have the same hash

worm

self‐replicating malware that spreads and activates on its own. Can be thought of as mobile viruses, because they copy themselves onto target computers but do not require a user to initiate them. They are a favorite of black‐hats because they can infect the entire Internet with little time, effort, or expense on the part of the attacker (a self-activating program that spreads through a computer network like an epidemic)

patch

set of changes to a computer program or its supporting data designed to update, fix, or improve it

adware

software that automatically displays or downloads unsolicited advertising material, usually seen on browser pop-ups when a user is online.

Infrastructure as a Service (IaaS)

the delivery of computer hardware capability, including the use of servers, networking, and storage, as a service (e.g. Amazon Web Services, DigitalOcean, Microsoft Azure)

port 80

the port that's responsible for handling all unencrypted HTTP web traffic. However, HTTPS port 443 also supports sites to be available over HTTP connections. If the site uses HTTPS but is unavailable over port 443 for any reason, this port will step in to load the HTTPS-enabled website.

Resolution

the process by which resolvers and name servers cooperate to locate data stored in DNS. A DNS Resolver is responsible for checking if the host name is available in local cache, and if not, contacts a series of DNS Name Servers, until eventually it receives the IP of the website or service you are trying to reach. The process is known as DNS ____________________ of a hostname to IP address. (The process is basically query --> refer --> repeat until the answer is found)

User datagram protocol (UDP) and transmission control protocol (TCP)

two primary transport protocols on the Internet. They are network protocols that are used to send data packets. TCP is a connection-oriented protocol (meaning that before sending TCP packets, a connection is established between the server and the client - TCP handshaking) and UDP is a connectionless protocol (meaning each packet is sent individually and directly from the sender to the receiver without a reliable data channel) - TCP is more reliable, but UDP is more efficient and faster

microcluster models

used to cluster like activity together in order to detect changes in behavior within a grouping of similar entities.

Port 53

well-known port for DNS. DNS has always been designed to use both UDP and TCP port _____ from the start, with UDP being the default, falling back to TCP when it is unable to communicate over UDP, typically when the packet size is too large to push through in a single UDP packet.

IP spoofing

when an intruder uses another site's IP address to masquerade as that other site - the router can't know whether data really comes from the claimed source (common in Internet attacks, where the claimed source address is not in fact the true source but a masqueraded one)
