Network: DDoS (amplified/reflected), DNS attacks, wireless, on-path, credential replay, malicious code

2.2 Indicators of malicious activity

📘CompTIA Security+ SY0-701

1. DDoS (Distributed Denial of Service) Attacks

A DDoS attack aims to make a network, server, or service unavailable by overwhelming it with massive amounts of traffic from multiple sources.

How it works:

  • The attacker uses a botnet (a group of compromised computers) to send large amounts of requests to a target server or network.
  • The server becomes overloaded and cannot respond to legitimate users, causing downtime or very slow performance.

Types of DDoS attacks:

a) Amplified DDoS Attack

  • The attacker uses amplification to make small requests that generate large responses from third-party servers.
  • These large responses are sent to the victim’s IP address.
  • This “amplifies” the attack power, making it more damaging without needing a large botnet.

Example in IT terms:
A small DNS request (say, 60 bytes) can trigger a large DNS response (up to 4,000 bytes) sent to the victim’s network, consuming its bandwidth.

b) Reflected DDoS Attack

  • The attacker spoofs (fakes) the victim’s IP address when sending requests to legitimate servers.
  • Those servers then send their responses to the victim’s system instead of the attacker.
  • The victim gets flooded with traffic from many servers.

Example:
Sending fake HTTP requests to web servers with the victim’s IP address as the source. All those servers respond to the victim, overwhelming it.

Indicators of DDoS Activity:

  • Sudden spike in network traffic.
  • Legitimate users unable to access resources.
  • Network performance slowdown.
  • Multiple systems sending requests from many different IP addresses.

2. DNS Attacks

DNS (Domain Name System) translates domain names (like example.com) into IP addresses. Attackers often target DNS because it’s essential for network communication.

Common DNS Attack Types:

a) DNS Poisoning (or DNS Cache Poisoning)

  • Attackers insert false information into a DNS server’s cache.
  • Users trying to visit a legitimate site are redirected to a malicious site.

Example:
A user types bank.com, but due to poisoning, is redirected to a fake site controlled by the attacker.

b) DNS Tunneling

  • Attackers use DNS queries and responses to secretly pass data or commands through the network.
  • It hides malicious traffic inside normal-looking DNS traffic.

Example:
Malware on a device sends stolen data encoded inside DNS queries, bypassing firewalls.

c) DNS Hijacking

  • Attackers modify DNS settings on a server or endpoint.
  • This redirects traffic to malicious destinations without the user knowing.

Indicators of DNS Attacks:

  • Users being redirected to fake or unexpected websites.
  • Unusual DNS query patterns.
  • Unauthorized DNS configuration changes.

3. Wireless Attacks

Wireless networks (Wi-Fi) are common attack targets because signals can be intercepted easily.

Common Wireless Attack Types:

a) Evil Twin

  • An attacker sets up a fake Wi-Fi access point with the same name (SSID) as a legitimate one.
  • Users connect to the fake access point, allowing the attacker to intercept data.

b) Deauthentication Attack

  • The attacker sends “deauth” frames to disconnect users from a Wi-Fi network.
  • The user is forced to reconnect, often to a malicious access point.

c) Rogue Access Point

  • An unauthorized access point connected to a network, allowing attackers inside the internal network.

Indicators of Wireless Attacks:

  • Multiple networks with the same SSID.
  • Frequent disconnections.
  • Unexpected or unauthorized devices connected to the Wi-Fi network.
  • Unusual wireless traffic patterns.

4. On-Path (Man-in-the-Middle) Attacks

An on-path attack (also called Man-in-the-Middle) happens when an attacker secretly intercepts and possibly alters communication between two systems.

How it works:

  • The attacker positions themselves between two communicating devices (e.g., between a user and a website).
  • They can read, modify, or inject data into the communication without either side knowing.

Common Techniques:

  • ARP Spoofing: The attacker sends fake ARP messages to associate their MAC address with a legitimate IP address.
  • Session Hijacking: The attacker takes over an active session by stealing session tokens or cookies.
  • SSL Stripping: The attacker downgrades HTTPS connections to HTTP, making data unencrypted.

Indicators of On-Path Attacks:

  • Unexpected SSL certificate warnings.
  • Unusual network latency.
  • Multiple MAC addresses associated with one IP address.
  • Changes in DNS or ARP tables.

5. Credential Replay Attacks

A credential replay attack occurs when an attacker captures valid login information and reuses it to gain unauthorized access.

How it happens:

  • Attackers capture usernames and passwords (often through phishing, sniffing, or keylogging).
  • They then “replay” those credentials on another system or service.

Common Forms:

  • Pass-the-Hash: The attacker uses a stolen password hash instead of the plain password to authenticate.
  • Pass-the-Ticket: The attacker uses Kerberos tickets to impersonate a legitimate user in a Windows environment.

Indicators of Credential Replay:

  • Multiple login attempts from different locations in a short time.
  • Logins at unusual hours.
  • Authentication logs showing reused or old credentials.
  • Failed login attempts followed by successful ones.

6. Malicious Code in Network Traffic

Attackers often embed malicious code in data packets or use network channels to spread malware.

How it works:

  • Malware can be delivered through infected emails, file downloads, or compromised websites.
  • It can also spread through open network shares, SMB (Server Message Block), or RDP (Remote Desktop Protocol).

Examples of Malicious Network Behavior:

  • Unexpected outbound connections to unknown IPs or domains.
  • Large data transfers (data exfiltration).
  • Encrypted traffic on unusual ports.
  • Command and Control (C2) communications from infected devices to attacker-controlled servers.

Indicators:

  • Unusual or unauthorized network connections.
  • IDS/IPS alerts showing suspicious payloads.
  • Abnormal data transfer patterns.
  • Outbound connections to known malicious domains.

Summary Table:

Attack TypeGoalKey Indicator
DDoSDisrupt availabilityHigh traffic volume, service outages
DNS AttackRedirect or hide dataFake websites, DNS changes
Wireless AttackIntercept Wi-Fi communicationDuplicate SSIDs, rogue devices
On-Path AttackIntercept/modify communicationSSL warnings, ARP changes
Credential ReplayReuse stolen credentialsRepeated logins from different places
Malicious CodeDeliver malware through networkSuspicious connections or payloads

Exam Tip:

For Security+:

  • Know the purpose of each attack.
  • Understand how it’s detected (indicators).
  • Know the impact — whether it affects confidentiality, integrity, or availability.

Key Takeaways

  • DDoS disrupts service availability.
  • DNS attacks manipulate name resolution.
  • Wireless attacks target Wi-Fi networks.
  • On-path attacks intercept communications.
  • Credential replay reuses stolen login information.
  • Malicious code spreads through the network to infect systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by