Comptia Network+ N10-008 Todd Lammle Chapter 17 Types of Attacks


Smurf

DoS attacks can occur via a ____________. It works by bad guys spoofing an intended victim's IP address and then sending a large number of ping echo requests to IP broadcast addresses. The receiving router responds by delivering the broadcast to all hosts in the subnet, and all the hosts respond with an IP echo reply, all at the same time. This results in major network gridlock because all the machines are kept busy responding to each echo request.

Ping of Death attack

During a ________________, a humongous ICMP packet is sent to the remote host victim, totally flooding the victim's buffer and causing the system to reboot or helplessly hang there. It's good to know that patches are available for most operating systems to prevent these attacks from working.

To pass through a MAC address filter. To receive data intended for another system. To impersonate a gateway for the purpose of receiving all data leaving a subnet.

MAC spoofing is the assumption of another system's MAC address for the following three purposes.

distributed denial-of-service (DDoS) attack

Many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests in a ___________________ attack.

Rogue DHCP Server

When a _______________ is introduced to the network, unsuspecting hosts may accept DHCP offer packets from the illegitimate DHCP server rather than the legitimate DHCP server. The illegitimate DHCP server will issue the host an incorrect IP address, subnet mask, default gateway, and DNS server address, which will lead to the host relying on the attacker's DNS server for the IP addresses of websites, which in turn can lead to phishing attacks.

wireless LAN controller (WLC) Radio Resource Management (RRM)

One way to keep rogue APs out of the wireless network is to employ a ____________________ to manage your APs. This is a nice mitigation technique because APs and controllers communicate using Lightweight Access Point Protocol (LWAPP) and one of the message types they share is called __________________, where your APs monitor all channels by momentarily switching from their configured channel and by collecting packets to check for rogue activity. Then you'll be able to locate rogue APs and prevent workstations from being exposed to them.

Phishing

___________ is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that is nearly identical to a legitimate website. Users are led there by fake emails that appear to come from a trusted source.

Tailgating

_______________ is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device. Many social-engineering intruders who need physical access to a site will use this method of gaining entry.

NTP reflection

________________ attacks use the same process of recruiting bots to aid the attack, where NTP requests are reflected off Network Time Protocol (NTP) servers. The attacker's bots send a small spoofed 8-byte UDP packet to vulnerable NTP servers that requests a large amount of data to be sent to the DDoS's target IP address. The attackers use the monlist command, a remote command in older versions of NTP, that sends the requester a list of the last 600 hosts that have connected to that server.

ARP spoofing

________________ is the process of adopting another system's MAC address for the purpose of receiving data meant for that system. It usually also entails ARP cache poisoning. ARP cache poisoning is usually a part of an on-path/man-in-the-middle attack. The ARP cache contains IP address-to-MAC address mappings that a device has learned through the ARP process. One of the ways this cache can be poisoned is by pinging a device with a spoofed IP address. In this way, an attacker can force the victim to insert an incorrect IP address-to-MAC address mapping into its ARP cache.

Physical

_________________ attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls.

Technology

_________________-based attacks are those that take advantage of weaknesses in software and the protocols that systems use to communicate with one another.

Ransomware

_________________ is a class of malware that prevents or limits users from accessing their information or systems. In many cases the data is encrypted and the decryption key is only made available to the user when the ransom has been paid.

Piggybacking

_________________ is done with the authorization of the person with access. Tailgating is done when the attacker sneaks inside without the person with access knowing. This is why access control vestibules (mantraps) and turnstiles deter tailgating and live guards and security training deter this.

IP spoofing

_________________ is the process of changing a source IP address so that one computer appears to be a different computer. It's usually done to get traffic through a firewall that would normally not allow it. It may also be used to access a server that would normally deny access to the attacker's real IP address.

Password attacks

__________________ are one of the most common attacks there are. Cracked or disclosed passwords can lead to severe data breaches. Similarly, phishing attacks often end up obtaining the password through social engineering. In the following sections, you'll learn about the two major approaches to cracking a password.

Reflected or amplified

___________________ attacks increase the effectiveness of a DoS attack. Two of the more effective of these types of attacks involve leveraging two functions that almost all networks use: DNS and NTP.

Boot-sector viruses

___________________ work their way into the master boot record that's essentially the ground-zero sector on your hard disk where applications aren't supposed to live. They overwrite your boot sector, making it appear as if there's no pointer to your operating system. You know you've got this type of virus when you power up the computer and get a Missing Operating System or Hard Disk Not Found error message.

Social engineering

____________________ attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. The best countermeasure against these threats is to provide user security awareness training.

Malicious software (or malware)

_____________________ is a term that describes any software that harms a computer, deletes data, or takes actions the user did not authorize.

Shoulder surfing

____________________________ involves nothing more than watching someone when they enter their sensitive data. They can see you entering a password, typing in a credit card number, or entering any other pertinent information. The best defense against this type of attack is simply to survey your environment before entering personal data. Privacy filters can be used that make the screen difficult to read unless you are directly in front of it.

coordinated attack

Another unmistakable feature of a DDoS attack is the presence of a ____________________. To properly amplify the attack, the bots must attack the victim at the same time. If all the bots can be instructed to attack at precisely the same second, the attack becomes much more dangerous to the victim.

dictionary

A __________________ attack uses all the words in a dictionary until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete. It also requires a comprehensive dictionary of words.

multipartite virus

A ___________________ is one that affects both the boot sector and files on your computer, making such a virus particularly dangerous and exasperatingly difficult to remove. They are adept at attacking the boot sector, memory, and the disk at once.

wireless deauthentication

A ____________________ attack is a form of a DoS attack in which the attacker sends a large number of management packets called deauthentication frames on the WLAN, causing stations to be disconnected from the access point.

unintentional DoS

A _____________________ attack is one that is not caused by malicious individuals; instead, it's a spike in activity to a website or resource that overpowers its ability to respond.

file virus

A ___________ attacks executable application and system program files like those with filenames ending in .com, .exe, and .dll. These viruses do their damage by replacing some or all of the target program's code with their own. Only when the compromised file is executed can the virus do its dirty work.

SYN Flood

A ______________ attack is also a DoS attack that inundates the receiving machine with lots of packets that cause the victim to waste resources by holding connections open. While the server is waiting for the final acknowledgement, a small part of memory is reserved for the requesting machine's TCP connection. As requests for more TCP connections continue to arrive, the receiving machine's memory is gradually consumed.

Rogue AP

A ______________ is a wireless device that has been connected to your wired infrastructure without your knowledge. The attacker did this to entice your wireless clients to disastrously associate with their wireless connection. It's achieved by placing their AP on a different channel from your legitimate APs and then setting its SSID to match your SSID. Wireless clients identify the network by the SSID, and, if the attacker jams the channel that your APs are on, it will cause your stations to roam to the bad guy's AP instead.

Botnet

A _______________ is a group of programs connected on the Internet for the purpose of performing a task in a coordinated manner. Some are created to maintain control of Internet Relay Chat (IRC) channels and are legal, while others are illegally created to carry out attacks like a DDoS.

brute-force

A _________________ attack is a form of password cracking. The attacker attempts every possible combination of numbers and letters that could be in a password. Theoretically, given enough time and processing power, any password can be cracked. When long, complex passwords are used, however, it can take years.

denial of service (DoS)

A _________________ attack prevents users from accessing the network and/or its resources.

logic bomb

A _________________ is a type of malware that executes when a particular event takes place.

On-Path

A __________________ attack happens when someone intercepts packets intended for one computer and reads the data. A common guilty party could be someone working for your very own ISP using a packet sniffer and augmenting it with routing and transport protocols. Rogue ATM machines and even credit-card swipers are tools that are also increasingly used for this type of attack.

DNS amplification

A __________________ attack is a form of reflection attack where the attacker delivers traffic to the victim by reflecting it off a third party. It relies on the exploitation of publicly accessible open DNS servers (the servers being the third party) to deluge victims with DNS response traffic. The attacker sends a small DNS message using the victim's IP address as the source to an open resolver. The type of request used returns all known information about the DNS zone, which allows for the maximum level of response amplification directed to the victim's server.

permanent DoS (PDoS) phlashing denial of service (PDoS)

A __________________ attack is one in which the device is damaged and must be replaced. It requires physical access to the device, or does it? Actually, it doesn't! An attack called a _______________________ attack attacks the firmware located in many systems. Using tools that introduce errors into the device's firmware, attackers cause the device to be unusable.

VLAN hopping

A __________________ attack results in traffic from one VLAN being sent to the wrong VLAN. The attacker's process starts with double tagging, which is placing a fake VLAN tag into the packet along with the real tag. When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go.

Evil Twin hijacking

An _______________ is an AP that is not under your control but is used to perform a _______________ attack which is where the hacker connects one or more of your users' computers to their network for the purpose of a peer-to-peer attack. It is done via SSID and not channels. The hacker will "jam" the channel on which your access point is transmitting. When a station gets disconnected from an access point, it scans the area for another access point with the same SSID. The stations will find the hacker's access point and will connect to it. Once the station is connected to the hacker's access point, it will receive an IP address from a DHCP server running on the access point and the user will now be located on the same network as the hacker. At this point, the hacker is free to commence a peer-to-peer attack.

spike in traffic Intrusion Detection or Prevention System (IPS or IDS) Load Balancers

DDoS attacks can cause a major spike in traffic in the network as bots that have been recruited mount the attack. For this reason, any major ______________ should be regarded with suspicion. Two ways to detect and prevent these include __________________ and _____________________.

DNS cache poisoning

In a ___________________ attack, the attacker attempts to refresh or update DNS records when they expire, based on TTL values, with a different and spoofed address. If the attacker can convince the DNS server to accept this refresh, the local DNS server will then be responding to client requests for that computer with the address inserted by the attacker. Typically, the address they now receive is for a fake website that appears to look in every way like the site the client is requesting. The hacker can then harvest all the name and password combinations entered on his fake site.

zero-day

This condition is known as a ______________ attack as it is the first day the virus has been released and therefore no known fix exists. This term may also be applied to an operating system bug that has not been corrected.

