If you’re planning to take the SY0-501 exam, you should have a good understanding of common and advanced types of attacks launched against systems and networks. This includes identifying ARP poisoning and DNS attacks.
For example, can you answer this practice test question?
Q. Attackers have launched an attack using multiple systems against a single target. Which type of attack is this?
A. DoS
B. DDoS
C. SYN flood
D. Buffer overflow
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important. Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes: Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it. If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide is an update to the top-selling SY0-201, SY0-301, SY0-401, and SY0-501 study guides, which have helped thousands of readers pass the exam the first time they took it. It includes the same elements readers raved about in the previous four versions.
ARP Man-in-the-Middle Attacks
In a man-in-the-middle attack, an attacker can redirect network traffic and, in some cases, insert malicious code. Consider the figure. Normally, traffic from the user to the Internet will go through the switch directly to the router, as shown in the top of the figure. However, after poisoning the ARP cache of the victim, traffic is redirected to the attacker.
ARP poisoning used to redirect traffic
The victim’s ARP cache should include this entry to send data to the router:
192.168.1.1, 01-23-45-01-01-01
However, after poisoning the ARP cache, it includes this entry:
192.168.1.1, 01-23-45-66-66-66
The victim now sends all traffic destined for the router to the attacker. The attacker captures the data for analysis later. It also uses another method such as IP forwarding to send the traffic to the router so that the victim is unaware of the attack.
ARP DoS Attacks
An attacker can also use ARP poisoning in a DoS attack. For example, an attacker can send an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all the computers cache a bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic out of the network.
DNS Poisoning Attacks
A DNS poisoning attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address of a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious web site.
There have been several successful DNS poisoning attacks over the years. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.
Pharming Attacks
A pharming attack is another type of attack that manipulates the DNS name resolution process. It either tries to corrupt the DNS server or the DNS client. Just as a DNS poisoning attack can redirect users to different web sites, a successful pharming attack redirects a user to a different web site.
Pharming attacks on the client computer modify the hosts file used on Windows systems. This file is in the C:\Windows\System32\drivers\etc\ folder and can include IP addresses along with host name mappings. By default, it doesn’t have anything other than comments on current Windows computers. However, a mapping might look like this:
127.0.0.1 localhost
13.207.21.200 google.com
The first entry maps the name localhost to the loopback IP address of 127.0.0.1. The second entry maps the name google.com to the IP address of bing.com (13.207.21.200). If a user enters google.com into the address bar of a browser, the browser will instead go to bing.com. Practical jokers might do this to a friend’s computer and it isn’t malicious. However, if the IP address points to a malicious server, this might cause the system to download malware.
DDoS DNS Attacks
It’s difficult to take down the Internet. However, a cyberattack in October 2016 effectively did so for millions of users in North America and Europe. Specifically, on October 21, attackers launched three DDoS attacks during the day at 7:00 a.m., at 11:52 a.m., and at 4:00 p.m. These attacks prevented users from accessing a multitude of sites, such as Amazon, CNN, Fox News, Netflix, PayPal, Reddit, Spotify, Twitter, Xbox Live, and more.
Attackers infected many Internet-connected devices, such as video cameras, video recorders, printers, and baby monitors, with malware called Mirai. Mirai forces individual systems to become bots within large botnets. On October 21, they sent commands to millions of infected devices directing them to repeatedly send queries to DNS servers. These queries overwhelmed the DNS servers and prevented regular users from accessing dozens of web sites.
These three attacks were launched against DNS servers maintained by Dyn, Inc., an Internet performance management company. They clearly demonstrated that it is possible to seriously disrupt DNS services, causing Internet access problems for millions of people.
Q. Attackers have launched an attack using multiple systems against a single target. Which type of attack is this?
A. DoS
B. DDoS
C. SYN flood
D. Buffer overflow
Answer is B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources.
A DoS attack comes from a single system and a SYN flood is an example of a DoS attack.
A buffer overflow is a type of DoS attack that attempts to write data into an application’s memory.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on common attacks.
