IP spoofing and packet sniffing are common techniques for attacking and exploiting networks.
In IP spoofing, a malicious actor transmits IP packets from a spoofed source address that might appear to originate from a legitimate source. This technique is often the source of denial-of-service attacks, which are used to flood networks, resulting in the inability of legitimate traffic to reach its destination.
Packet sniffing is used to capture information in a network packet. This technique is commonly used to steal credentials (e.g., user IDs, passwords, credit card numbers). Attackers can lie dormant in a network, making them difficult to detect as they collect data.
Check Your Knowledge
Choose the best answer to each question:
Question 1
Which of the following captures packets that travel the network and is used to capture users' passwords?
DDoS attack
spoofing
sniffers
MitM attack
In DDoS attacks, critical services or resources can be made unavailable to legitimate users on the network. DDoS attacks do not capture packets or passwords. Try again.
In spoofing, the attacker first identifies the pattern of legitimate IP addresses on the network and then forges the source IP address in the packet header. The attacker sniffs network traffic to learn that pattern for the particular network in an attempt to gain access to it. While spoofing can be used to introduce applications (e.g., a Trojan or keylogger) to the network, it is not itself used to capture packets or passwords. Try again.
That's correct. Sniffers capture packets that travel the network. Additionally, sniffers are sometimes able to collect sensitive information such as user account names and passwords.
MitM, or man-in-the-middle, attacks are those in which the attacker intercepts communications between two entities and relays the messages between them without their knowledge. There is no capture of passwords in this attack type. Try again.
Question 2
One of the most common ways sniffers collect information is through ________.
phishing/social engineering
the physical attachment of the sniffer to a network device
the installation of the sniffer software on a local machine
the sniffer website
Sniffers operate at the data-link layer of the network to intercept and analyze data packets. Sniffers do not use social engineering. Try again.
That's correct. Sniffers operate at the data-link layer of the network and commonly collect information by attaching to a network device.
Sniffers operate at the data-link layer of the network and not on the local machine. Try again.
Browsing to the sniffer website should not result in the collection of data such as would occur in an attack. Try again.
Question 3
Which of the following is true of an IP spoofing attack?
It convinces a system or user that the system or user is communicating with a trusted source.
It modifies the source addresses of trusted sources.
It can be used in a Smurf attack.
all of the above
It is correct that IP spoofing attacks convince a system or user that the system or user is communicating with a trusted source; however, there are other correct responses in this list. Try again.
It is correct that IP spoofing attacks modify the source addresses of trusted sources; however, there are other correct responses in this list. Try again.
It is true that IP spoofing attacks can be used in Smurf attacks (DDoS attacks whereby a large volume of ICMP packets are broadcast to a network using the intended victim's spoofed IP address); however, there are other correct responses in this list. Try again.
That's correct. All of the statements listed in this question are true of IP spoofing attacks.
Question 4
Which of the following is affected by a DDoS (distributed denial-of-service) attack?
confidentiality
integrity
nonrepudiation
availability
DDoS attacks do not affect confidentiality. Try again.
DDoS attacks do not affect integrity. Try again.
DDoS attacks do not affect nonrepudiation. Try again.
That's correct. In DDoS attacks, critical services or resources can be made unavailable to legitimate users in the network. DDoS attacks can result in the flooding of servers, making services provided by them (e.g., email) unavailable.
Question 5
The difference between a DoS attack and a DDoS attack is which of the following?
DoS attacks can affect all parts of the CIA triad, whereas DDoS attacks affect only one part.
DoS attacks affect many nodes, whereas DDoS attacks affect only a few.
A DDoS attack can be a one-to-many attack, whereas DoS attacks can be only one-to-one.
DDoS cannot be detected by a network-based IDS, but DoS can be.
DoS attacks affect only the availability component of the CIA triad. Try again.
DoS attacks generally do not affect many nodes. Try again.
That's correct. DDoS attacks may be one-to-many, with one source affecting different points of presence.
DDoS attacks can be detected by a network-based IDS because of the significant increase in network activity. Try again.