If you’re planning to take the SY0-501 exam, you should have a good understanding of common and advanced types of attacks launched against systems and networks. This includes identifying ARP poisoning and DNS attacks.
For example, can you answer this practice test question?
Q. Attackers have launched an attack using multiple systems against a single target. Which type of attack is this?
A. DoS
B. DDoS
C. SYN flood
D. Buffer overflow
More important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
ARP Man-in-the-Middle Attacks
In a man-in-the-middle attack, an attacker can redirect network traffic and, in some cases, insert malicious code. Consider the figure. Normally, traffic from the user to the Internet will go through the switch directly to the router, as shown in the top of the figure. However, after poisoning the ARP cache of the victim, traffic is redirected to the attacker.
ARP poisoning used to redirect traffic
The victim’s ARP cache should include this entry to send data to the router:
192.168.1.1, 01-23-45-01-01-01
However, after poisoning the ARP cache, it includes this entry:
192.168.1.1, 01-23-45-66-66-66
The victim now sends all traffic destined for the router to the attacker. The attacker captures the data for analysis later. The attacker also relays the traffic on to the router, typically with IP forwarding, so that the victim remains unaware of the attack.
ARP DoS Attacks
An attacker can also use ARP poisoning in a DoS attack. For example, an attacker can send an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all the computers cache a bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic out of the network.
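The way a defender notices either of the ARP attacks above is the same: the IP-to-MAC binding for an address that should be stable (the default gateway above all) suddenly changes. The following Python block is an added example, not code from the original post; it models the idea behind tools such as arpwatch by keeping the IP/MAC pairs seen in ARP replies, pinning the pairs that must never change, and alerting when a pinned or previously learned address is claimed by a different MAC. The ARP replies it processes are constructed sample data built from the post's two ARP cache entries, not a real capture, and the pinned gateway MAC is assumed to be known from the network's configuration.

```python
"""Watch ARP replies for IP-to-MAC changes (added example, not from the original post).

Models the idea behind tools such as arpwatch: keep the IP/MAC pairs seen in ARP
replies, pin the pairs that must never change (the default gateway above all), and
alert when a pinned address is claimed by another MAC or when a learned binding
flips. Both the man-in-the-middle case (router's IP claimed by the attacker's MAC)
and the ARP DoS case (gateway bound to a bogus, nonexistent MAC) surface as the
same alert. The replies below are constructed sample data, not a real capture.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ip: str
    mac: str


@dataclass
class ArpMonitor:
    # IP -> MAC pairs that must never change, e.g. the default gateway (assumed known).
    pinned: dict
    # IP -> MAC pairs learned from traffic so far.
    table: dict = field(default_factory=dict)

    def observe(self, reply):
        """Record one ARP reply; return the alerts it triggers (empty list if benign)."""
        alerts = []
        mac = reply.mac.lower()
        expected = self.pinned.get(reply.ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"pinned {reply.ip} claimed by {mac}, expected {expected.lower()}")
        known = self.table.get(reply.ip)
        if known is not None and known != mac:
            alerts.append(f"{reply.ip} changed from {known} to {mac}")
        # Learn the binding only when nothing fired, so a poisoned reply never
        # becomes the baseline and every repeat of it alerts again.
        if not alerts:
            self.table[reply.ip] = mac
        return alerts


# Constructed sample: the router's real MAC, an ordinary host, then a reply that
# binds the router's IP to the poisoned MAC from the post (01-23-45-66-66-66),
# then the ordinary host again.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "01-23-45-01-01-01"),
    ArpReply("192.168.1.20", "01-23-45-20-20-20"),
    ArpReply("192.168.1.1", "01-23-45-66-66-66"),
    ArpReply("192.168.1.20", "01-23-45-20-20-20"),
]


def run_sample():
    """Feed the sample replies through a monitor that pins the gateway; return per-reply alerts."""
    monitor = ArpMonitor(pinned={"192.168.1.1": "01-23-45-01-01-01"})
    return [monitor.observe(r) for r in SAMPLE_REPLIES]


if __name__ == "__main__":
    for reply, alerts in zip(SAMPLE_REPLIES, run_sample()):
        print(reply.ip, reply.mac, "->", alerts or "ok")
```

Only the third reply raises alerts (the gateway is both pinned and already learned, so two fire). On a real network the same check is enforced in the switch with Dynamic ARP Inspection, which drops ARP replies that disagree with the DHCP snooping binding table, or on critical hosts with static ARP entries for the gateway.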
DNS Poisoning Attacks
A DNS poisoning attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address of a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious web site.
There have been several successful DNS poisoning attacks over the years. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.
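DNSSEC is the cryptographic defence against a corrupted DNS answer, but it sits on top of a much simpler check every resolver has to make: a response is only accepted if it belongs to a query the resolver actually sent. The Python block below is an added example, not code from the original post or from any DNS implementation; it builds a DNS query and a few responses as constructed byte strings, parses the header and question section, and applies the transaction-ID and question matching described in RFC 5452 (source-port matching and ID/port randomization are done at the socket layer and are not shown). The domain names and the 203.0.113.10 address are sample values.

```python
"""Accept a DNS response only if it matches the outstanding query
(added example, not from the original post).

A resolver that caches any reply arriving on its port can be poisoned with a
forged answer. The basic non-cryptographic check (RFC 5452) is that the reply's
transaction ID and question section must match the query that is still pending.
All messages below are constructed sample data.
"""
import struct


def encode_name(name):
    """Encode a domain name as DNS labels: 'google.com' -> b'\\x06google\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(tx_id, name, qtype=1):
    """Build a standard query: RD flag set, one question (constructed)."""
    header = struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(tx_id, name, ip, qtype=1):
    """Build a response with QR/RD/RA set and one A record (constructed)."""
    header = struct.pack("!HHHHHH", tx_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to offset 12, the name in the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + rdata
    return header + question + answer


def parse_question(msg):
    """Return (tx_id, flags, qname, qtype, qclass) from the header and first question."""
    tx_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return tx_id, flags, ".".join(labels).lower(), qtype, qclass


def response_matches_query(query, response):
    """True only if response is a reply (QR=1) whose ID and question equal the query's."""
    q_id, _q_flags, q_name, q_type, q_class = parse_question(query)
    r_id, r_flags, r_name, r_type, r_class = parse_question(response)
    if not (r_flags & 0x8000):
        return False  # a query echoed back is not a response
    return (q_id, q_name, q_type, q_class) == (r_id, r_name, r_type, r_class)


if __name__ == "__main__":
    query = build_query(0x1A2B, "google.com")
    print(response_matches_query(query, build_answer(0x1A2B, "google.com", "203.0.113.10")))
    print(response_matches_query(query, build_answer(0x1A2C, "google.com", "203.0.113.10")))
```

The second call returns False because the transaction ID differs; a response for a different name, or a packet without the QR bit, is rejected the same way. This check alone only narrows the window for a forged answer (a 16-bit ID can be guessed), which is why resolvers also randomize the source port and why the post points to DNSSEC for actual record authentication.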
Pharming Attacks
A pharming attack is another type of attack that manipulates the DNS name resolution process. It tries to corrupt either the DNS server or the DNS client. Just as a DNS poisoning attack can redirect users to different web sites, a successful pharming attack redirects a user to a different web site.
Pharming attacks on the client computer modify the hosts file used on Windows systems. This file is in the C:\Windows\System32\drivers\etc\ folder and can include IP addresses along with host name mappings. By default, it doesn’t have anything other than comments on current Windows computers. However, a mapping might look like this:
127.0.0.1 localhost
13.207.21.200 google.com
The first entry maps the name localhost to the loopback IP address of 127.0.0.1. The second entry maps the name google.com to the IP address of bing.com (13.207.21.200). If a user enters google.com into the address bar of a browser, the browser will instead go to bing.com. Practical jokers might do this to a friend’s computer, and it isn’t malicious. However, if the IP address points to a malicious server, this might cause the system to download malware.
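Because the hosts file is consulted before DNS, auditing it is a cheap check for client-side pharming. The Python block below is an added example, not code from the original post; it parses hosts-file syntax (comments after #, blank lines, one address followed by one or more host names), skips the expected loopback entries, and reports every other mapping, marking as high severity any name on an assumed watch list of domains that should never be overridden locally. The file content is constructed for the example and includes the post's google.com entry; it is not read from a real C:\Windows\System32\drivers\etc\hosts.

```python
"""Audit hosts-file content for pharming-style overrides
(added example, not from the original post).

Parses the hosts-file format, ignores loopback mappings such as
127.0.0.1 localhost, and reports everything else. The sample text is
constructed here rather than read from the real file
(C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere).
"""
import ipaddress

# Names whose local override is almost always suspicious (assumed watch list).
WATCHED = {"google.com", "login.microsoftonline.com", "paypal.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue                            # blank or comment-only line
        parts = line.split()
        if len(parts) < 2:
            continue                            # address with no names: malformed
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        for name in parts[1:]:
            yield ip, name.lower(), lineno


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def audit_hosts(text):
    """Return findings as dicts with line, ip, name and severity."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if ip.is_loopback:
            continue                            # 127.0.0.1 / ::1 localhost are expected
        severity = "high" if is_watched(name) else "review"
        findings.append({"line": lineno, "ip": str(ip), "name": name, "severity": severity})
    return findings


# Constructed sample hosts file: the default loopback lines, an ad-blocking
# entry, and the pharming mapping from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file (constructed for this example).
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                 # ad blocking; harmless but worth a look
13.207.21.200   google.com www.google.com   # the pharming entry from the post
"""


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

The audit returns three findings: the 0.0.0.0 entry at review severity and both google.com names at high severity. A 0.0.0.0 or 127.0.0.1 mapping for a non-local name is worth keeping in the report rather than skipping, since blocking update or security-vendor domains through the hosts file is a classic way malware keeps itself from being removed.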
DDoS DNS Attacks
It’s difficult to take down the Internet. However, a cyberattack in October 2016 effectively did so for millions of users in North America and Europe. Specifically, on October 21, attackers launched three DDoS attacks during the day at 7:00 a.m., at 11:52 a.m., and at 4:00 p.m. These attacks prevented users from accessing a multitude of sites, such as Amazon, CNN, Fox News, Netflix, PayPal, Reddit, Spotify, Twitter, Xbox Live, and more.
Attackers infected many Internet-connected devices, such as video cameras, video recorders, printers, and baby monitors, with malware called Mirai. Mirai forces individual systems to become bots within large botnets. On October 21, the attackers sent commands to millions of infected devices directing them to repeatedly send queries to DNS servers. These queries overwhelmed the DNS servers and prevented regular users from accessing dozens of web sites.
These three attacks were launched against DNS servers maintained by Dyn, Inc., an Internet performance management company. They clearly demonstrated that it is possible to seriously disrupt DNS services, causing Internet access problems for millions of people.
Q. Attackers have launched an attack using multiple systems against a single target. Which type of attack is this?
A. DoS
B. DDoS
C. SYN flood
D. Buffer overflow
Answer is B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources.
A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack.
A buffer overflow is a type of DoS attack that attempts to write data into an application’s memory.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on common attacks.