Why This Matters
Network attacks aren't random chaos—they follow predictable patterns based on how networks communicate, how users behave, and where software fails to validate input. When you're analyzing an incident or designing defenses, you need to recognize not just what happened, but which vulnerability category the attacker exploited. That's the difference between memorizing a list of scary-sounding terms and actually understanding security.
You're being tested on your ability to classify attacks by their mechanism, explain how forensic artifacts differ between attack types, and recommend appropriate countermeasures. Don't just memorize that "DDoS floods servers with traffic"—know that it exploits the availability pillar of the CIA triad, leaves specific log signatures, and requires different mitigation than attacks targeting confidentiality or integrity. Each attack type demonstrates a fundamental principle about where networks and humans are vulnerable.
Traffic and Resource Exhaustion Attacks
These attacks exploit the fundamental design of network protocols—systems must process incoming requests before determining if they're legitimate. Attackers weaponize this by overwhelming resources with volume or malformed requests.
Distributed Denial of Service (DDoS)
- Targets availability by flooding servers with traffic from multiple compromised sources (botnets), making legitimate access impossible
- Amplification techniques exploit protocols like DNS or NTP that return larger responses than requests, multiplying attack power
- Forensic indicators include traffic spikes from geographically dispersed IPs, SYN flood patterns, and application layer request anomalies
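The forensic indicators listed above can be turned into a simple detector. The following Python script is an added example, not part of the original guide: it builds a constructed set of flow records (timestamp, source, destination, TCP flags) in which three legitimate clients complete the handshake and sixty half-open SYNs arrive from dispersed addresses, then summarises SYN volume, handshake completion and source spread. The target address, thresholds and record format are assumptions chosen for the example.

```python
from collections import Counter
from ipaddress import ip_network

# Hypothetical target address used only for the constructed sample.
TARGET = "192.0.2.10"


def build_sample_flows():
    """Constructed flow records in the form 'timestamp src dst tcp_flags'.

    Three legitimate clients complete the handshake (S, SA, A); then 60
    half-open SYNs arrive from 60 different addresses in three /16 prefixes.
    """
    lines = []
    for i, src in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        t = i * 0.1
        lines.append(f"{t:.2f} {src} {TARGET} S")
        lines.append(f"{t + 0.01:.2f} {TARGET} {src} SA")
        lines.append(f"{t + 0.02:.2f} {src} {TARGET} A")
    prefixes = ["203.0.113", "198.51.100", "100.64.1"]
    for i in range(60):
        lines.append(f"{1 + i * 0.001:.3f} {prefixes[i % 3]}.{i + 1} {TARGET} S")
    return lines


def analyze_syn_flood(lines, target, min_syns=50, max_completion=0.5, min_prefixes=3):
    """Summarise SYN traffic toward `target` and flag the SYN-flood pattern.

    A flood shows many SYNs, few sources that ever send the final ACK of the
    handshake, and sources spread across many network prefixes.
    """
    syns, acks = Counter(), Counter()
    for line in lines:
        _ts, src, dst, flags = line.split()
        if dst != target:
            continue
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    syn_total = sum(syns.values())
    completed = sum(1 for src in syns if acks[src] > 0)
    half_open = sum(n for src, n in syns.items() if acks[src] == 0)
    # Collapse sources to /16 prefixes as a rough "geographic dispersion" proxy.
    prefixes = {str(ip_network(f"{src}/16", strict=False)) for src in syns}
    completion = completed / syn_total if syn_total else 1.0
    verdict = (syn_total >= min_syns and completion < max_completion
               and len(prefixes) >= min_prefixes)
    return {
        "syn_total": syn_total,
        "sources": len(syns),
        "completed": completed,
        "half_open": half_open,
        "prefixes": len(prefixes),
        "completion_ratio": round(completion, 3),
        "syn_flood": verdict,
    }


if __name__ == "__main__":
    print(analyze_syn_flood(build_sample_flows(), TARGET))
```

On real data the same three measurements (SYN count, fraction of sources that finish the handshake, spread of source prefixes) are what distinguish a flood from a busy but healthy service, which is why the verdict requires all three rather than raw volume alone.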
Buffer Overflow
- Exploits memory allocation failures when programs write data beyond buffer boundaries, corrupting adjacent memory
- Code execution becomes possible when attackers overwrite return addresses to redirect program flow to malicious payloads
- Stack canaries and ASLR are defensive mechanisms you should know—canaries detect writes past the buffer before a corrupted return address is used, and ASLR randomizes memory layout to make exploitation harder
Compare: DDoS vs. Buffer Overflow—both cause service disruption, but DDoS exhausts network/server resources while buffer overflow exploits application memory handling. DDoS leaves network-layer evidence; buffer overflow leaves crash dumps and memory artifacts.
Interception and Eavesdropping Attacks
These attacks exploit the reality that network traffic travels through shared infrastructure where it can be captured or redirected. The attacker positions themselves to observe or modify data in transit.
Man-in-the-Middle (MitM)
- Intercepts communications by positioning between two parties, often through rogue access points or compromised routers
- Enables session hijacking, credential theft, and data manipulation while both parties believe they're communicating directly
- TLS/SSL inspection and certificate pinning are primary defenses—look for certificate warnings as forensic red flags
Packet Sniffing
- Passive reconnaissance captures unencrypted traffic using tools like Wireshark or tcpdump on shared network segments
- Promiscuous mode allows network interfaces to capture all packets, not just those addressed to the device
- Encrypted protocols (HTTPS, SSH) render captured packets unreadable—forensic analysis focuses on metadata and traffic patterns
ARP Spoofing
- Poisons ARP caches by sending false MAC-to-IP mappings, redirecting local network traffic through the attacker's machine
- Layer 2 attack operates below IP, making it effective on local networks but ineffective across routers
- Static ARP entries and Dynamic ARP Inspection (DAI) are primary countermeasures in enterprise environments
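The two countermeasures above (pinned entries and inspection of what each reply claims) can be illustrated with a small monitor. This Python class is an added example, not code from the original guide: it keeps a pinned entry for a hypothetical gateway, records every IP that each MAC claims in constructed ARP reply observations, and raises an alert when a reply contradicts the pinned entry or silently changes a dynamic mapping. All addresses and MACs are made up for the example.

```python
from collections import defaultdict


class ArpMonitor:
    """Tracks IP->MAC claims seen in ARP replies and raises two kinds of alert.

    'static-entry-conflict': a reply contradicts a pinned entry (e.g. the gateway).
    'mapping-change': a dynamic entry switches to a different MAC.
    """

    def __init__(self, static_entries=None):
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.table = dict(self.static)          # current IP -> MAC view
        self.claims = defaultdict(set)          # MAC -> every IP it has claimed
        self.alerts = []

    def observe(self, ts, sender_ip, sender_mac):
        mac = sender_mac.lower()
        self.claims[mac].add(sender_ip)
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = mac
            return None
        if known == mac:
            return None
        if sender_ip in self.static:
            # A pinned entry is never overwritten by a spoofed reply.
            alert = (ts, "static-entry-conflict", sender_ip, known, mac)
        else:
            alert = (ts, "mapping-change", sender_ip, known, mac)
            self.table[sender_ip] = mac
        self.alerts.append(alert)
        return alert

    def macs_claiming_many_ips(self, min_ips=2):
        """One MAC answering for several IPs is the classic poisoning signature."""
        return {mac: sorted(ips) for mac, ips in self.claims.items() if len(ips) >= min_ips}


def run_sample():
    """Constructed ARP reply observations (ts, sender IP, sender MAC); not real captures."""
    monitor = ArpMonitor(static_entries={"192.168.1.1": "aa:bb:cc:00:00:01"})
    for ts, ip, mac in [
        (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # normal host announces itself
        (2, "192.168.1.1", "AA:BB:CC:00:00:01"),    # gateway, matches pinned entry
        (3, "192.168.1.1", "de:ad:be:ef:00:66"),    # another MAC claims the gateway IP
        (4, "192.168.1.20", "de:ad:be:ef:00:66"),   # same MAC now claims the host too
        (5, "192.168.1.30", "de:ad:be:ef:00:66"),   # and a third address
    ]:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    print(m.alerts)
    print(m.macs_claiming_many_ips())
```

This is the same logic a switch applies under Dynamic ARP Inspection, only with a hard-coded trusted table instead of DHCP snooping bindings: a reply is judged against what the network already knows about that address, not accepted because it arrived.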
DNS Poisoning
- Corrupts DNS cache entries to redirect domain lookups to attacker-controlled IP addresses
- Enables phishing at scale by redirecting users to malicious sites while the URL bar shows legitimate domains
- DNSSEC validation cryptographically signs DNS records to prevent tampering—check for DNSSEC deployment in forensic analysis
Compare: ARP Spoofing vs. DNS Poisoning—both redirect traffic, but ARP operates at Layer 2 (local network only) while DNS operates at Layer 7 (can affect users anywhere). ARP spoofing requires local network access; DNS poisoning can target remote DNS servers.
Injection and Input Validation Attacks
These attacks exploit applications that trust user input without proper sanitization. The fundamental flaw is treating data as code.
SQL Injection
- Inserts malicious SQL commands through input fields, manipulating database queries to bypass authentication or extract data
- Union-based, blind, and error-based variants each leave different forensic signatures in application and database logs
- Parameterized queries and prepared statements prevent injection by separating code from data—look for these in code review
Cross-Site Scripting (XSS)
- Injects client-side scripts into web pages that execute in other users' browsers, stealing cookies or session tokens
- Stored XSS persists in databases (more dangerous); Reflected XSS requires victims to click malicious links
- Content Security Policy (CSP) headers and input encoding are primary defenses—check HTTP headers during forensic analysis
Compare: SQL Injection vs. XSS—both exploit poor input validation, but SQLi targets server-side databases while XSS targets client-side browsers. SQLi compromises backend data; XSS compromises user sessions. Different log sources reveal each attack.
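Both defenses in this section come down to keeping data from being interpreted as code. The Python script below is an added example, not code from the original guide: it builds a constructed in-memory SQLite table, shows a login query that splices input into SQL beside the parameterized form, and shows a stored comment rendered raw beside the output-encoded form together with a nonce-based Content Security Policy header. Table contents, the placeholder "hashes" and the CSP directives are assumptions made for the example.

```python
import html
import secrets
import sqlite3


def make_db():
    """In-memory table with constructed rows; the hashes are placeholders, not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_a"), ("bob", "hash_b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    # Input is spliced into the SQL text, so a quote in the input becomes code.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    # Placeholders bind the input as a value; the SQL text itself never changes.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def render_comment_unsafe(comment):
    # Stored XSS: whatever was saved is emitted verbatim into other users' pages.
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    # Output encoding turns markup characters into text the browser will not execute.
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def csp_header(nonce):
    """CSP that only runs scripts carrying the per-response nonce; inline payloads are blocked."""
    return ("default-src 'self'; script-src 'self' 'nonce-%s'; "
            "object-src 'none'; base-uri 'self'" % nonce)


def new_nonce():
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))  # every user
    print("safe:      ", login_safe(conn, payload, "anything"))        # no match
    stored = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(stored))
    print(render_comment_safe(stored))
    print("Content-Security-Policy:", csp_header(new_nonce()))
```

In code review the thing to look for is exactly the difference between the two `login_*` functions and the two `render_*` functions: whether user-controlled text ever reaches the query or the page as anything other than a bound value or an encoded string. The CSP header is defense in depth for the case where an encoding step is missed somewhere.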
Authentication and Session Attacks
These attacks target the mechanisms that verify identity and maintain authenticated state. They exploit weak credentials, predictable tokens, or stolen session data.
Password Attacks (Brute Force, Dictionary)
- Brute force systematically tests all combinations; dictionary attacks use wordlists of common passwords—both exploit weak credential policies
- Rate limiting, account lockouts, and CAPTCHA are defensive controls; their absence indicates vulnerability
- Credential stuffing uses breached username/password pairs across multiple sites—forensic analysis should check for known breach correlation
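The controls and log patterns in this section can be shown together. The Python below is an added example rather than code from the original guide: a sliding-window lockout guard of the kind the text recommends, plus a classifier that reads constructed auth log lines and separates the brute-force pattern (many failures on one account from one source) from the credential-stuffing pattern (one failure each across many accounts from one source, sometimes followed by a success). The log format, thresholds and every address or username are assumptions for the example.

```python
import re
from collections import Counter, defaultdict


class LoginGuard:
    """Sliding-window failure counter with temporary lockout (times are seconds)."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)
        self.locked_until = {}

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, float("-inf"))

    def record_failure(self, account, now):
        """Returns True when this failure trips the lockout."""
        recent = [t for t in self.failures[account] if now - t <= self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


LOG_RE = re.compile(r"auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)")


def build_sample_log():
    """Constructed auth log lines, not real records."""
    lines = ["t=1 auth OK user=carol src=10.0.0.5"]
    for i in range(6):                                  # one account, one source, repeated
        lines.append(f"t={10 + i} auth FAILED user=alice src=203.0.113.9")
    for i, user in enumerate(["amy", "ben", "cho", "dan", "eve", "fay", "gus"]):
        lines.append(f"t={50 + i} auth FAILED user={user} src=198.51.100.7")
    lines.append("t=60 auth OK user=hal src=198.51.100.7")  # one breached pair worked
    return lines


def classify_sources(lines, min_attempts=5):
    """Per source IP: many failures on one account = brute force; one or two
    failures each across many accounts = credential stuffing."""
    failed = defaultdict(Counter)
    succeeded = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["result"] == "FAILED":
            failed[m["src"]][m["user"]] += 1
        else:
            succeeded[m["src"]].add(m["user"])
    verdicts = {}
    for src in set(failed) | set(succeeded):
        per_user = failed[src]
        total, accounts = sum(per_user.values()), len(per_user)
        if total >= min_attempts and accounts >= min_attempts and max(per_user.values()) <= 2:
            label = "credential-stuffing"
        elif total >= min_attempts and accounts <= 2:
            label = "brute-force"
        else:
            label = "normal"
        if label != "normal" and succeeded[src]:
            label += " (success after failures: %s)" % ", ".join(sorted(succeeded[src]))
        verdicts[src] = label
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(build_sample_log()).items():
        print(src, verdict)
```

Note that a per-account lockout alone does nothing against the stuffing pattern, since each account sees only one failure; that case needs the per-source view the classifier computes, or a check of the attempted credentials against known breach data as the text suggests.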
Session Hijacking
- Steals or predicts session tokens to impersonate authenticated users without knowing their credentials
- Cookie theft via XSS, session fixation, and sidejacking (capturing tokens over unencrypted connections) are common techniques
- Secure, HttpOnly, and SameSite cookie flags plus session regeneration after login are critical defenses
Compare: Password Attacks vs. Session Hijacking—password attacks target authentication (proving identity), while session hijacking targets authorization (maintaining access after login). Password attacks leave failed login attempts in logs; session hijacking may show impossible travel patterns or user-agent changes.
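The session defenses above and the user-agent anomaly mentioned in the comparison can be shown in one small server-side session store. This Python is an added example, not code from the original guide: it issues a Set-Cookie header with the Secure, HttpOnly and SameSite flags, audits a captured header for missing flags, regenerates the session id on login so a pre-planted id (session fixation) stops working, and rejects a live session presented with a different user agent. Cookie attribute values and the user-agent strings are assumptions for the example.

```python
import secrets


def set_cookie_header(name, value, max_age=3600):
    """Session cookie carrying the three flags the text names, plus Path and Max-Age."""
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header):
    """Forensic check of a captured Set-Cookie header: which protective flags are missing?"""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]


class SessionStore:
    """Server-side session table with regeneration on login and a user-agent binding."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": str or None, "ua": str}

    def start(self, user_agent):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "ua": user_agent}
        return sid

    def login(self, old_sid, user, user_agent):
        # Session fixation defence: the pre-login id (which an attacker may have
        # planted) is discarded and a fresh id is issued after authentication.
        self.sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user, "ua": user_agent}
        return new_sid

    def lookup(self, sid, user_agent):
        """Return (user, status). A user-agent change on a live session is the
        kind of anomaly the text says hijacking can leave behind."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None, "unknown-session"
        if entry["ua"] != user_agent:
            return None, "user-agent-mismatch"
        return entry["user"], "ok"

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    pre = store.start("Mozilla/5.0 (X11)")
    sid = store.login(pre, "alice", "Mozilla/5.0 (X11)")
    print(set_cookie_header("sid", sid))
    print(store.lookup(pre, "Mozilla/5.0 (X11)"))   # old id no longer valid
    print(store.lookup(sid, "curl/8.0"))            # same id, different client
    print(audit_set_cookie("sid=abc; Path=/"))      # flags a weak header
```

The user-agent binding is a detection aid, not a hard control: user agents are attacker-controlled and legitimate clients sometimes change them, so in practice a mismatch should raise an alert or force re-authentication rather than silently drop the session.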
Malicious Software Attacks
Malware attacks deliver code that executes on victim systems to achieve attacker objectives. Classification depends on propagation method and payload behavior.
Malware (Viruses, Worms, Trojans)
- Viruses require host files and user action to spread; worms self-propagate across networks; Trojans masquerade as legitimate software
- Persistence mechanisms (registry keys, scheduled tasks, startup folders) are key forensic indicators across all malware types
- Behavioral analysis and sandboxing detect unknown malware by observing actions rather than matching signatures
Ransomware
- Encrypts victim files using strong cryptography, demanding payment (typically cryptocurrency) for decryption keys
- Double extortion variants also exfiltrate data, threatening to publish if ransom isn't paid—increases forensic complexity
- Offline backups and network segmentation are critical defenses; forensic analysis should identify initial access vector and lateral movement
Zero-Day Exploits
- Targets unknown vulnerabilities before patches exist, making signature-based detection ineffective
- Advanced Persistent Threats (APTs) frequently use zero-days for initial access in high-value targeted attacks
- Behavioral detection and threat hunting are necessary countermeasures; forensic analysis relies on anomaly identification
Compare: Ransomware vs. Traditional Malware—ransomware has explicit financial motivation with visible impact (encrypted files, ransom notes), while other malware may operate covertly for espionage or botnet recruitment. Ransomware forensics prioritizes identifying the variant for potential decryption tools.
Social Engineering and Human-Targeted Attacks
These attacks exploit human psychology rather than technical vulnerabilities. The attack surface is the user, not the system.
Phishing
- Deceives users through fraudulent communications (emails, websites, messages) that impersonate trusted entities
- Spear phishing targets specific individuals with personalized content; whaling targets executives—sophistication correlates with target value
- Email header analysis reveals true sender origins; forensic investigation should trace the full attack chain from initial click
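Header analysis as described above can be automated with the standard library. The Python below is an added example, not code from the original guide: it parses a constructed phishing message, walks the Received chain from the receiving server back to the host where the message actually entered SMTP, and reports the cheap sender-mismatch indicators (Return-Path and Reply-To domains differing from From, and non-passing SPF, DKIM and DMARC results in Authentication-Results). Every host name, address and IP in the sample is invented.

```python
import email
import re
from email.utils import parseaddr

# Constructed message for illustration; every host, address and IP is made up.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-bulk.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.25])
  by inbox.corp.example with ESMTP id abc123; Tue, 7 May 2024 09:15:02 +0000
Received: from smtp.mail-bulk.example.net (smtp.mail-bulk.example.net [198.51.100.40])
  by mx.corp.example with ESMTP; Tue, 7 May 2024 09:15:01 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
  by smtp.mail-bulk.example.net with ESMTPA; Tue, 7 May 2024 09:14:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-bulk.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-secure-login.example
To: victim@corp.example
Subject: Urgent: verify your account

Please verify your account within 24 hours.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(\S+)")


def parse_sample():
    return email.message_from_string(SAMPLE_RAW)


def received_chain(msg):
    """Each hop prepends its own Received header, so the last one is the origin.
    Returns hops oldest first: chain[0] is where the message really entered SMTP."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return list(reversed(hops))


def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def header_findings(msg):
    """Indicators that the visible sender is not the real sender."""
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings


if __name__ == "__main__":
    msg = parse_sample()
    for hop in received_chain(msg):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']}")
    for finding in header_findings(msg):
        print("finding:", finding)
```

One caveat for real investigations: only the Received headers added by your own infrastructure are trustworthy, since a sender can forge any headers below that point. The chain is still useful because the first hop your mail server recorded tells you which external system handed the message over, which is where the trace continues.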
Social Engineering
- Manipulates human behavior through pretexting (fabricated scenarios), baiting (enticing offers), or impersonation
- Bypasses technical controls entirely by convincing authorized users to take actions or reveal information
- Security awareness training is the primary defense; forensic analysis must include user interviews and communication review
Compare: Phishing vs. Social Engineering—phishing is a subset of social engineering that specifically uses deceptive electronic communications. Broader social engineering includes phone calls (vishing), physical access attempts, and in-person manipulation. Both require analyzing human factors, not just technical logs.
Quick Reference Table
| Category | Attack Types |
|---|---|
| Availability Attacks | DDoS, Ransomware, Buffer Overflow |
| Traffic Interception | MitM, Packet Sniffing, ARP Spoofing |
| Input Validation Failures | SQL Injection, XSS, Buffer Overflow |
| Authentication Bypass | Password Attacks, Session Hijacking, Phishing |
| Protocol Exploitation | ARP Spoofing, DNS Poisoning, DDoS Amplification |
| Human Factor Exploitation | Phishing, Social Engineering, Baiting |
| Malicious Code Execution | Malware, Ransomware, Zero-Day Exploits |
| Layer 2 vs. Layer 7 Attacks | ARP Spoofing (L2) vs. DNS Poisoning, SQLi, XSS (L7) |
Self-Check Questions
- Which two attack types both redirect network traffic but operate at different OSI layers? What forensic evidence would distinguish them?
- A forensic analyst finds malicious JavaScript stored in a web application's database that steals session cookies. What attack type is this, and how does it differ from SQL injection in terms of what's being targeted?
- Compare and contrast brute force password attacks with session hijacking—which CIA triad element does each primarily threaten, and what log sources would reveal each?
- An organization experiences a ransomware attack. Describe how you would determine whether this was an opportunistic attack or part of an APT campaign using zero-day exploits.
- If an FRQ asks you to recommend countermeasures for interception attacks on a corporate network, which three attack types should you address, and what's one defense that mitigates all three?