Why This Matters
Network attacks follow predictable patterns based on how networks communicate, how users behave, and where software fails to validate input. When you're analyzing an incident or designing defenses, you need to recognize not just what happened, but which vulnerability category the attacker exploited. That's the difference between memorizing a list of scary-sounding terms and actually understanding security.
You're being tested on your ability to classify attacks by their mechanism, explain how forensic artifacts differ between attack types, and recommend appropriate countermeasures. Don't just memorize that "DDoS floods servers with traffic." Know that it exploits the availability pillar of the CIA triad, leaves specific log signatures, and requires different mitigation than attacks targeting confidentiality or integrity. Each attack type demonstrates a fundamental principle about where networks and humans are vulnerable.
Traffic and Resource Exhaustion Attacks
These attacks exploit a basic design reality of network protocols: systems must process incoming requests before they can determine whether those requests are legitimate. Attackers weaponize this by overwhelming resources with volume or malformed requests.
Distributed Denial of Service (DDoS)
- Targets availability by flooding servers with traffic from multiple compromised sources (botnets), making legitimate access impossible
- Amplification techniques exploit protocols like DNS or NTP that return responses much larger than the original request. For example, a small DNS query can produce a response 50โ70x larger, and the attacker spoofs the source IP so all that amplified traffic hits the victim.
- Forensic indicators include sudden traffic spikes from geographically dispersed IPs, SYN flood patterns (massive numbers of half-open TCP connections), and anomalous surges in application-layer requests (like HTTP GET floods)
Buffer Overflow
- Exploits memory allocation failures when a program writes data beyond the boundary of a fixed-size buffer, corrupting adjacent memory
- Code execution becomes possible when the attacker overwrites a function's return address on the stack, redirecting program flow to a malicious payload (called shellcode) that the attacker included in the overflow data
- Stack canaries and ASLR are two defensive mechanisms worth knowing. Stack canaries place a known value before the return address so the program can detect if it's been overwritten. ASLR (Address Space Layout Randomization) randomizes where code and data are loaded in memory, making it much harder for attackers to predict where to redirect execution.
Compare: DDoS vs. Buffer Overflow โ both can cause service disruption, but DDoS exhausts network/server resources while buffer overflow exploits application memory handling. DDoS leaves network-layer evidence (traffic logs, flow data); buffer overflow leaves crash dumps and memory artifacts.
Interception and Eavesdropping Attacks
These attacks exploit the reality that network traffic travels through shared infrastructure where it can be captured or redirected. The attacker positions themselves to observe or modify data in transit.
Man-in-the-Middle (MitM)
- Intercepts communications by positioning between two parties, often through rogue Wi-Fi access points, ARP spoofing, or compromised routers
- Enables session hijacking, credential theft, and data manipulation while both parties believe they're communicating directly with each other
- TLS/SSL and certificate pinning are primary defenses. During forensic analysis, look for unexpected certificate warnings, mismatched certificate authorities, or TLS downgrade attempts as red flags.
Packet Sniffing
- Passive reconnaissance that captures unencrypted traffic using tools like Wireshark or tcpdump on shared network segments
- Promiscuous mode allows a network interface to capture all packets on the segment, not just those addressed to that device. On switched networks, attackers may combine sniffing with ARP spoofing to force traffic through their machine.
- Encrypted protocols (HTTPS, SSH, WPA3) render captured packet payloads unreadable. Forensic analysis of encrypted traffic focuses on metadata: source/destination IPs, timing patterns, packet sizes, and connection frequency.
ARP Spoofing
- Poisons ARP caches by sending forged ARP replies that map the attacker's MAC address to another host's IP (often the default gateway), redirecting local network traffic through the attacker's machine
- Layer 2 attack that operates below IP, making it effective within a local broadcast domain but ineffective across routers
- Static ARP entries and Dynamic ARP Inspection (DAI) on managed switches are the primary countermeasures in enterprise environments
DNS Poisoning
- Corrupts DNS cache entries to redirect domain lookups to attacker-controlled IP addresses. This can target a local resolver, an ISP's caching server, or even authoritative DNS infrastructure.
- Enables phishing at scale because users are redirected to malicious sites while the URL bar still shows the legitimate domain name
- DNSSEC cryptographically signs DNS records to prevent tampering. During forensic analysis, check whether DNSSEC was deployed and whether DNS response records show unexpected IP addresses or missing signatures.
Compare: ARP Spoofing vs. DNS Poisoning โ both redirect traffic, but ARP operates at Layer 2 (local network only) while DNS operates at Layer 7 (can affect users anywhere that queries the poisoned resolver). ARP spoofing requires local network access; DNS poisoning can target remote DNS servers.
These attacks exploit applications that trust user input without proper sanitization. The fundamental flaw is treating data as executable code.
SQL Injection
SQL injection inserts malicious SQL commands through input fields (login forms, search bars, URL parameters), manipulating database queries to bypass authentication or extract data.
There are several variants, each with different forensic footprints:
- Union-based appends extra SELECT statements to retrieve data from other tables. Logs may show unusually long or complex query strings.
- Error-based deliberately triggers database errors that leak information in error messages.
- Blind SQLi infers data one bit at a time through true/false conditions or time delays, making it harder to detect but slower for the attacker.
Parameterized queries and prepared statements prevent injection by ensuring user input is always treated as data, never as SQL code. During code review, the absence of these is a major red flag.
Cross-Site Scripting (XSS)
- Injects client-side scripts (typically JavaScript) into web pages that then execute in other users' browsers, stealing cookies, session tokens, or performing actions on behalf of the victim
- Stored XSS persists in the application's database and fires every time a user loads the affected page, making it more dangerous and wider-reaching. Reflected XSS requires the victim to click a crafted link containing the malicious script.
- Content Security Policy (CSP) headers and proper input/output encoding are primary defenses. During forensic analysis, check HTTP response headers for CSP configuration and inspect stored content for embedded script tags.
Compare: SQL Injection vs. XSS โ both exploit poor input validation, but SQLi targets server-side databases while XSS targets client-side browsers. SQLi compromises backend data; XSS compromises user sessions. You'll find SQLi evidence in database and web server logs, while XSS evidence appears in stored page content and client-side network requests.
Authentication and Session Attacks
These attacks target the mechanisms that verify identity and maintain authenticated state. They exploit weak credentials, predictable tokens, or stolen session data.
Password Attacks (Brute Force, Dictionary)
- Brute force systematically tests all possible combinations; dictionary attacks use wordlists of common passwords and known leaked credentials. Both exploit weak credential policies.
- Rate limiting, account lockouts, and CAPTCHA are defensive controls. Their absence in an application is itself a vulnerability.
- Credential stuffing is a specific variant that takes breached username/password pairs from one site and tests them across other sites, exploiting password reuse. Forensic analysis should cross-reference login attempts against known breach databases.
Session Hijacking
- Steals or predicts session tokens to impersonate an authenticated user without ever knowing their password
- Common techniques include cookie theft via XSS, session fixation (forcing a user to authenticate with a token the attacker already knows), and sidejacking (capturing tokens sent over unencrypted connections, such as on public Wi-Fi)
- Secure, HttpOnly, and SameSite cookie flags plus session regeneration after login are critical defenses. The
Secure flag ensures cookies only travel over HTTPS; HttpOnly prevents JavaScript from reading them (blocking XSS-based theft); SameSite restricts cross-origin cookie sending.
Compare: Password Attacks vs. Session Hijacking โ password attacks target authentication (proving identity), while session hijacking targets authorization (maintaining access after login). Password attacks leave failed login attempts in authentication logs; session hijacking may show impossible travel patterns (logins from two distant locations in minutes) or sudden user-agent string changes mid-session.
Malicious Software Attacks
Malware delivers code that executes on victim systems to achieve attacker objectives. Classification depends on how it propagates and what its payload does.
Malware (Viruses, Worms, Trojans)
- Viruses attach to host files and require user action (opening a file, running a program) to spread. Worms self-propagate across networks without user interaction by exploiting vulnerabilities in network services. Trojans masquerade as legitimate software, tricking users into installing them.
- Persistence mechanisms are key forensic indicators across all malware types. Look for new registry run keys, scheduled tasks, startup folder entries, or modified system services that allow the malware to survive reboots.
- Behavioral analysis and sandboxing detect unknown malware by observing what it does (file modifications, network connections, process injection) rather than matching known signatures. This is critical for catching variants that evade antivirus.
Ransomware
- Encrypts victim files using strong cryptography (typically AES for file encryption with RSA-protected keys), then demands payment (usually cryptocurrency) for the decryption key
- Double extortion variants also exfiltrate sensitive data before encrypting, threatening to publish it if the ransom isn't paid. This increases forensic complexity because you now need to determine what data was stolen, not just what was encrypted.
- Offline backups and network segmentation are critical defenses. Forensic analysis should prioritize identifying the initial access vector (phishing email? exposed RDP?) and tracing lateral movement through the network before encryption began.
Zero-Day Exploits
- Targets previously unknown vulnerabilities before the vendor has released a patch, making signature-based detection ineffective by definition
- Advanced Persistent Threats (APTs) frequently use zero-days for initial access in targeted attacks against high-value organizations, since these exploits are expensive to develop or acquire
- Behavioral detection, anomaly-based monitoring, and proactive threat hunting are necessary countermeasures. Forensic analysis relies on identifying anomalous system behavior rather than matching known indicators of compromise.
Compare: Ransomware vs. Traditional Malware โ ransomware has an explicit financial motivation with immediately visible impact (encrypted files, ransom notes displayed on screen), while other malware may operate covertly for espionage, data theft, or botnet recruitment. Ransomware forensics prioritizes identifying the specific variant, since public decryption tools exist for some families.
Social Engineering and Human-Targeted Attacks
These attacks exploit human psychology rather than technical vulnerabilities. The attack surface is the user, not the system.
Phishing
- Deceives users through fraudulent communications (emails, websites, text messages) that impersonate trusted entities to harvest credentials or deliver malware
- Spear phishing targets specific individuals with personalized content researched from social media or prior breaches. Whaling targets executives or high-privilege users. The more valuable the target, the more effort goes into making the message convincing.
- Email header analysis reveals the true sender origin by examining fields like
Return-Path, Received headers, and SPF/DKIM/DMARC validation results. Forensic investigation should trace the full attack chain from the initial click through any subsequent compromise.
Social Engineering
- Manipulates human behavior through techniques like pretexting (fabricating a believable scenario, such as posing as IT support), baiting (leaving infected USB drives in parking lots), or impersonation (tailgating through secure doors)
- Bypasses technical controls entirely by convincing authorized users to take actions or reveal information voluntarily
- Security awareness training is the primary defense. Forensic analysis for social engineering incidents must include user interviews and review of communications (emails, phone logs, chat records), not just technical logs.
Compare: Phishing vs. Social Engineering โ phishing is a subset of social engineering that specifically uses deceptive electronic communications. Broader social engineering also includes phone calls (vishing), physical access attempts (tailgating), and in-person manipulation. Both require analyzing human factors alongside technical evidence.
Quick Reference Table
|
| Availability Attacks | DDoS, Ransomware, Buffer Overflow |
| Traffic Interception | MitM, Packet Sniffing, ARP Spoofing |
| Input Validation Failures | SQL Injection, XSS, Buffer Overflow |
| Authentication Bypass | Password Attacks, Session Hijacking, Phishing |
| Protocol Exploitation | ARP Spoofing, DNS Poisoning, DDoS Amplification |
| Human Factor Exploitation | Phishing, Social Engineering, Baiting |
| Malicious Code Execution | Malware, Ransomware, Zero-Day Exploits |
| Layer 2 vs. Layer 7 Attacks | ARP Spoofing (L2) vs. DNS Poisoning, SQLi, XSS (L7) |
Self-Check Questions
-
Which two attack types both redirect network traffic but operate at different OSI layers? What forensic evidence would distinguish them?
-
A forensic analyst finds malicious JavaScript stored in a web application's database that steals session cookies. What attack type is this, and how does it differ from SQL injection in terms of what's being targeted?
-
Compare and contrast brute force password attacks with session hijacking. Which CIA triad element does each primarily threaten, and what log sources would reveal each?
-
An organization experiences a ransomware attack. Describe how you would determine whether this was an opportunistic attack or part of an APT campaign using zero-day exploits.
-
If an FRQ asks you to recommend countermeasures for interception attacks on a corporate network, which three attack types should you address, and what's one defense that mitigates all three?