📘Cisco Certified CyberOps Associate (200-201 CBROPS)
Network attacks target availability, integrity, and confidentiality of systems and data. Attackers use weaknesses in network protocols, system resources, and communication paths to disrupt services or steal information.
For the CBROPS exam, you must clearly understand four major categories of attacks:
- Protocol-based attacks
- Denial of Service (DoS) attacks
- Distributed Denial of Service (DDoS) attacks
- Man-in-the-Middle (MITM) attacks
1. Protocol-Based Attacks
What is a Protocol-Based Attack?
A protocol-based attack exploits weaknesses or improper behavior in network protocols such as:
- TCP
- UDP
- ICMP
- ARP
- DNS
These attacks target how protocols work, not applications or users.
Common Protocol-Based Attacks
a. TCP SYN Flood
- TCP opens a connection with a three-way handshake:
  - SYN (client)
  - SYN-ACK (server)
  - ACK (client)
- The attacker sends many SYN segments, often from spoofed source addresses, and never sends the final ACK.
- The server answers each SYN and holds the half-open connection in its SYN backlog (listen queue) while it waits for the ACK.
- Once the backlog is full, new SYNs from legitimate clients are dropped even though bandwidth may be plentiful.
Impact
- Server becomes slow or unreachable
- Resource exhaustion (connection table, memory, CPU)
Mitigation
- SYN cookies, shorter SYN-RECEIVED timeouts, and SYN rate limiting on a firewall or load balancer in front of the server
b. ICMP Flood
- ICMP is used for network diagnostics (for example, ping).
- Attacker sends excessive ICMP echo requests.
- Target system spends resources replying to each request.
Impact
- High CPU usage
- Network congestion
c. ARP Spoofing / ARP Poisoning
- ARP resolves IP addresses to MAC addresses on the local network segment, and it has no authentication.
- The attacker sends forged ARP replies (often unsolicited "gratuitous" ARP) claiming that a victim's IP, typically the default gateway, belongs to the attacker's MAC.
- Hosts update their ARP caches with the attacker's MAC for that IP.
Impact
- Traffic destined for the spoofed IP is delivered to the attacker, who can forward it so that the victim notices nothing
- Enables packet sniffing and MITM attacks; only works on the attacker's own LAN segment
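A defender-side check for the ARP behaviour above, added here as an example and not part of the original notes or any Cisco material: it keeps a table of IP-to-MAC bindings seen in ARP replies and flags an IP advertised by more than one MAC, a MAC that claims several IPs (the attacker sitting between two hosts), and any reply that contradicts a known-good binding such as the default gateway. The ARP replies, addresses and the trusted-binding table are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies seen on one LAN segment (sample data for this
# example, not a real capture): (sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # real default gateway
    ("192.168.1.50", "00:11:22:33:44:50"),  # victim workstation
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # attacker claims the gateway IP
    ("192.168.1.50", "de:ad:be:ef:00:01"),  # attacker also claims the workstation IP
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # repeated to keep the caches poisoned
]

# Assumed known-good bindings (e.g. gathered during a clean baseline).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return the three signals of ARP poisoning found in a list of replies.

    ip_conflicts:       IPs advertised by more than one MAC
    mac_multi_ip:       MACs that claim more than one IP (classic two-sided MITM)
    trusted_violations: replies that contradict a known-good (ip -> mac) binding
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    violations = []

    for ip, mac in replies:
        mac = mac.lower()                       # normalise case before comparing
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if ip in trusted and trusted[ip] != mac and (ip, mac) not in violations:
            violations.append((ip, mac))

    return {
        "ip_conflicts": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "mac_multi_ip": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
        "trusted_violations": violations,
    }


if __name__ == "__main__":
    report = detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS)
    for kind, findings in report.items():
        print(f"{kind}: {findings}")
```

The same comparison against a known-good binding table is what switch-side Dynamic ARP Inspection performs using the DHCP snooping database; on an endpoint, the visible symptom is the gateway's MAC address changing in the local ARP cache.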
d. DNS Attacks (Protocol Abuse)
- A DNS server is flooded with excessive or malformed queries until it can no longer answer.
- Open recursive resolvers are abused as amplifiers: the attacker sends small queries with the victim's spoofed source address, and the resolvers send their much larger responses to the victim (DNS reflection/amplification).
Impact
- DNS resolution failure
- Websites become unreachable even if the web servers themselves are healthy
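The following is an added example (not from the original notes or from Cisco) of the victim-side symptom of DNS reflection: DNS responses arriving for which no query was ever sent. It matches inbound responses against outbound queries by resolver address, client address and transaction ID, and reports the unmatched ones per target with an amplification estimate. The events, addresses and the assumed query size are constructed.

```python
from collections import defaultdict

# Assumed size of the spoofed query the attacker sent on the victim's behalf
# (a small query with EDNS0 advertised; used only to estimate amplification).
ASSUMED_QUERY_BYTES = 64

# Constructed DNS events at the victim site's edge (sample data, not a capture):
# (direction, src_ip, dst_ip, txid, qtype, udp_payload_bytes)
SAMPLE_DNS_EVENTS = [
    ("out", "10.0.0.5", "192.0.2.53", 0x1A2B, "A", 40),          # normal lookup
    ("in", "192.0.2.53", "10.0.0.5", 0x1A2B, "A", 120),          # its answer
    ("in", "198.51.100.10", "10.0.0.9", 0x4F21, "ANY", 3100),    # reflected
    ("in", "198.51.100.11", "10.0.0.9", 0x77AA, "ANY", 2950),    # reflected
    ("in", "198.51.100.12", "10.0.0.9", 0x0301, "TXT", 2800),    # reflected
    ("in", "198.51.100.13", "10.0.0.9", 0x9C9C, "ANY", 3300),    # reflected
]


def find_reflected_responses(events, min_count=3):
    """Return {victim_ip: summary} for hosts receiving unsolicited DNS responses."""
    outstanding = set()     # (resolver, client, txid) of queries we actually sent
    unsolicited = defaultdict(
        lambda: {"count": 0, "bytes": 0, "reflectors": set(), "qtypes": set()}
    )

    for direction, src, dst, txid, qtype, size in events:
        if direction == "out":
            outstanding.add((dst, src, txid))
            continue
        key = (src, dst, txid)
        if key in outstanding:
            outstanding.discard(key)            # expected answer: nothing to do
            continue
        entry = unsolicited[dst]                # response with no matching query
        entry["count"] += 1
        entry["bytes"] += size
        entry["reflectors"].add(src)
        entry["qtypes"].add(qtype)

    report = {}
    for victim, e in unsolicited.items():
        if e["count"] < min_count:
            continue
        report[victim] = {
            "count": e["count"],
            "bytes": e["bytes"],
            "reflectors": len(e["reflectors"]),
            "qtypes": sorted(e["qtypes"]),
            # bytes the victim received per byte the attacker had to send
            "amplification": e["bytes"] / (e["count"] * ASSUMED_QUERY_BYTES),
        }
    return report


if __name__ == "__main__":
    for victim, summary in find_reflected_responses(SAMPLE_DNS_EVENTS).items():
        print(victim, summary)
```

On the resolver side the signal is different: a burst of large-answer queries (ANY, TXT) for the same name from one "client" that never reacts to the answers. Resolver operators limit the damage by not answering recursive queries from the Internet and by enabling response rate limiting.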
Key Exam Points for Protocol-Based Attacks
- Exploit protocol weaknesses
- Cause resource exhaustion
- Often target network infrastructure
- Can lead to DoS conditions
2. Denial of Service (DoS) Attacks
What is a DoS Attack?
A Denial of Service (DoS) attack makes a system unavailable to legitimate users, typically by overwhelming it with traffic or requests from a single source; crafted input that crashes a service also counts as DoS.
How DoS Attacks Work
- Attacker sends a large number of packets or requests
- Target system:
- Runs out of CPU
- Runs out of memory
- Runs out of bandwidth
Common Types of DoS Attacks
a. Application-Level DoS
- Targets services such as:
  - Web servers (HTTP)
  - Email servers (SMTP)
- Sends requests that look valid but are expensive to process or hold connections open (for example, slow or incomplete HTTP requests), so a small volume of traffic exhausts the application.
Impact
- Application crashes or becomes unresponsive while the network itself looks healthy
b. Network-Level DoS
- Targets network bandwidth or protocols
- Uses ICMP, UDP, or TCP floods
Impact
- Network congestion
- Legitimate traffic dropped
Key Characteristics of DoS
- Single attacking system
- Easier to detect than DDoS: the traffic shares one source address
- Easier to block: a firewall, IPS, or upstream ACL rule on that source stops it
Key Exam Points for DoS
- Goal: Availability disruption
- Source: Single attacker
- Target: Network, system, or application
3. Distributed Denial of Service (DDoS) Attacks
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is similar to a DoS attack but is launched from many systems at the same time.
These systems are often part of a botnet.
What is a Botnet?
- A botnet is a group of compromised devices
- Controlled remotely by an attacker
- Devices may include:
- Servers
- PCs
- Cloud workloads
- IoT devices
How DDoS Attacks Work
- Thousands or millions of systems send traffic to the target at the same time
- The target cannot easily distinguish legitimate traffic from attack traffic, because each source sends a plausible amount
- Blocking one IP does not stop the attack; mitigation has to work upstream or on rate and behaviour rather than on addresses
Types of DDoS Attacks
a. Volumetric Attacks
- Goal: consume the target's bandwidth
- Uses:
  - UDP floods
  - ICMP floods
  - Reflection/amplification (for example, spoofed DNS queries to open resolvers)
- Measured in bits per second (Gbps or Tbps)
b. Protocol Attacks
- Exploit protocol weaknesses to exhaust state tables on servers, firewalls, and load balancers
- Examples:
  - SYN floods
  - Fragmented packets
- Measured in packets per second
c. Application-Layer DDoS
- Targets specific applications
- Sends HTTP requests that appear legitimate, so they pass filters that look at packets rather than behaviour
- Measured in requests per second
Impact of DDoS Attacks
- Complete service outage
- Financial loss
- Reputation damage
Key Differences: DoS vs DDoS
| Feature | DoS | DDoS |
|---|---|---|
| Attack source | Single system | Many systems (botnet) |
| Detection | Easier (one source address) | Difficult (traffic blends with legitimate users) |
| Mitigation | Firewall or IPS rule on the source | Upstream scrubbing, rate limiting, or a DDoS protection service |
| Scale | Smaller | Very large |
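To make the SYN-flood mechanism from section 1 and the single-source versus multi-source distinction in the table concrete, here is an added example (not from the original notes or from Cisco) that walks a list of TCP packet summaries, counts half-open connections per source and target (SYNs with no following handshake ACK), and labels a flooded target as DoS or DDoS by the number of distinct sources. The packet list, addresses and the alert threshold are constructed for the example; real detection would also key on source port and sequence numbers.

```python
from collections import defaultdict

# Constructed client-side TCP packet summaries (sample data, not a capture):
# (src_ip, dst_ip, dst_port, flags) where "S" is a SYN and "A" the bare ACK
# that completes the three-way handshake.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.168.1.10", 443, "S"),        # legitimate client ...
    ("10.0.0.5", "192.168.1.10", 443, "A"),        # ... completes the handshake
]
SAMPLE_PACKETS += [("203.0.113.7", "192.168.1.10", 443, "S")] * 8               # one flooder
SAMPLE_PACKETS += [(f"198.51.100.{i}", "192.168.1.20", 80, "S") for i in range(1, 7)]  # botnet


def half_open_connections(packets):
    """Return {(dst_ip, dst_port): {src_ip: half_open_count}}.

    A SYN that is never followed by an ACK from the same source to the same
    target is counted as a half-open connection the server is still holding.
    """
    syns, acks = defaultdict(int), defaultdict(int)
    for src, dst, dport, flags in packets:
        if flags == "S":
            syns[(src, dst, dport)] += 1
        elif flags == "A":
            acks[(src, dst, dport)] += 1

    per_target = defaultdict(dict)
    for (src, dst, dport), n_syn in syns.items():
        half_open = n_syn - acks[(src, dst, dport)]
        if half_open > 0:
            per_target[(dst, dport)][src] = half_open
    return per_target


def classify_floods(packets, threshold=5):
    """Label each target above `threshold` half-open connections as DoS or DDoS."""
    verdicts = {}
    for target, per_src in half_open_connections(packets).items():
        total = sum(per_src.values())
        if total < threshold:
            continue
        if len(per_src) == 1:
            verdicts[target] = (
                f"SYN flood: {total} half-open from 1 source (DoS, block the source)"
            )
        else:
            verdicts[target] = (
                f"SYN flood: {total} half-open from {len(per_src)} sources "
                "(DDoS, per-IP blocking will not help)"
            )
    return verdicts


if __name__ == "__main__":
    for target, verdict in classify_floods(SAMPLE_PACKETS).items():
        print(target, "->", verdict)
```

The legitimate client drops out of the count because its ACK cancels its SYN; the single flooder produces one large entry, the botnet many small ones that only add up to an attack when viewed per target rather than per source, which is the reason per-IP firewall rules stop the first case and not the second.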
Key Exam Points for DDoS
- Uses multiple sources
- Harder to block
- Often uses botnets
- Primary goal: availability disruption
4. Man-in-the-Middle (MITM) Attacks
What is a Man-in-the-Middle Attack?
A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts and possibly alters communication between two systems without their knowledge.
The attacker secretly sits between the sender and receiver.
How MITM Attacks Work
- Victim sends data to a destination
- Attacker intercepts the traffic
- Attacker:
- Reads the data
- Modifies the data
- Forwards it to the destination
Both sides believe they are communicating directly.
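The read/modify/forward sequence above, simulated as an added example (not from the original notes or from Cisco): a relay that captures and rewrites a message between two parties, run once over plaintext and once over the same message carrying an HMAC under a key the attacker does not have. The message, the key and the relay are constructed for the example.

```python
import hashlib
import hmac

# Assumed pre-shared key known to Alice and Bob but not to the attacker.
SHARED_KEY = b"example-pre-shared-key-not-known-to-the-attacker"


def protect(key, text):
    """Attach an HMAC-SHA256 tag so the receiver can detect modification."""
    tag = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    return {"text": text, "tag": tag}


def verify(key, msg):
    """True only if the tag matches the text; constant-time comparison."""
    expected = hmac.new(key, msg["text"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class OnPathAttacker:
    """Simulated MITM: sees every message and forwards an altered copy."""

    def __init__(self):
        self.captured = []

    def relay(self, msg):
        self.captured.append(msg["text"])                                  # read
        altered = dict(msg)
        altered["text"] = msg["text"].replace("amount=100", "amount=9000")  # modify
        return altered                                                      # forward


def run_exchange(protected):
    """Alice sends one message to Bob through the attacker; report what happens."""
    original = "transfer to=bob amount=100"
    msg = protect(SHARED_KEY, original) if protected else {"text": original, "tag": None}

    attacker = OnPathAttacker()
    delivered = attacker.relay(msg)

    # Without a tag Bob has no way to tell; with one he rejects the altered text.
    accepted = verify(SHARED_KEY, delivered) if protected else True
    return {
        "attacker_read": attacker.captured[0],
        "bob_received": delivered["text"],
        "bob_accepted": accepted,
    }


if __name__ == "__main__":
    print("plaintext:", run_exchange(protected=False))
    print("with HMAC:", run_exchange(protected=True))
```

The tag restores integrity but not confidentiality: in both runs the attacker still read the original amount. That is why TLS combines encryption with authentication, and why LAN-level defences such as Dynamic ARP Inspection and 802.1X aim at keeping the attacker out of the path altogether.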
Common MITM Techniques
a. ARP Poisoning (Most Common on a LAN)
- Attacker poisons the ARP caches of both the victim and the gateway
- Traffic in both directions flows through the attacker's system
b. DNS Spoofing
- Attacker answers DNS queries with forged responses, or poisons a resolver's cache
- Victim is redirected to attacker-controlled systems while the hostname still looks correct
c. Session Hijacking
- Attacker steals session cookies or tokens observed in intercepted (unencrypted) traffic
- Gains access to the victim's authenticated session without needing the password
What Can an Attacker Do in MITM?
- Capture credentials
- Read sensitive data
- Modify data in transit
- Inject malicious content
Impact of MITM Attacks
- Loss of confidentiality
- Data integrity compromise
- Credential theft
Key Exam Points for MITM
- Attacker is in the communication path
- Often invisible to users
- Targets confidentiality and integrity
- Commonly enabled by ARP spoofing
Summary for Exam Revision
Attack Type vs Goal
| Attack Type | Primary Goal |
|---|---|
| Protocol-based | Exploit protocol weaknesses |
| DoS | Make service unavailable |
| DDoS | Large-scale service disruption |
| MITM | Intercept or alter communication |
Must-Remember Exam Keywords
- Protocol-based → TCP, ICMP, ARP abuse
- DoS → Single source, availability attack
- DDoS → Multiple sources, botnets
- MITM → Interception, ARP poisoning, traffic manipulation
Final Exam Tip
For CBROPS:
- Focus on what the attack does
- Understand how it works at a high level
- Know which security property is affected:
- Availability → DoS / DDoS
- Confidentiality & Integrity → MITM
