5.4.1. Remote Access: VPN, ZTNA, and Jump Servers
💡 First Principle: Network attacks exploit specific protocol weaknesses, architectural assumptions, or configuration errors. Each attack exploits something that the protocol designers assumed would be trustworthy. ARP assumes any device can claim any IP-to-MAC mapping. DNS assumes recursive resolvers will accept authoritative answers. TCP assumes both endpoints want a connection. Understanding the assumption being exploited is the key to understanding both the attack and its defense.
DoS and DDoS:

| Attack Type | Mechanism | Defense |
|---|---|---|
| SYN flood | Sends a massive number of SYN packets, exhausting the server's half-open connection table | SYN cookies (server encodes connection state in the ISN and allocates nothing until the ACK arrives); rate limiting |
| Smurf attack | ICMP echo requests to a broadcast address with spoofed source = victim; all hosts reply to the victim | Disable directed broadcasts (no ip directed-broadcast on Cisco IOS router interfaces) |
| Fraggle attack | Same as Smurf but using UDP echo | Disable UDP echo; disable directed broadcasts |
| Ping of Death | Oversized ICMP packets that overflow buffers | Modern OSes patched; historical |
| HTTP flood | High volume of legitimate-looking HTTP requests | WAF rate limiting; CAPTCHA; behavioral analysis |
| Amplification DDoS | Small request → large response; spoofed source IP floods victim (DNS, NTP, SSDP, Memcached) | Source address validation (BCP38); rate limit amplifiable services |
| Volumetric DDoS | Saturate bandwidth with raw traffic volume | Upstream scrubbing center; CDN; anycast routing |
Man-in-the-Middle (MITM):

| Attack | Setup | Target | Defense |
|---|---|---|---|
| ARP spoofing | Poison ARP tables to claim gateway MAC | Local network segment | Dynamic ARP Inspection (DAI); 802.1X; static ARP entries |
| DNS spoofing | Poison DNS cache with false records | DNS resolution | DNSSEC; DoH/DoT |
| SSL stripping | Downgrade HTTPS to HTTP by intercepting redirect | HTTPS connections | HSTS (force HTTPS even without redirect); HSTS preloading |
| BGP hijacking | Advertise more specific routes to intercept traffic | Internet routing | RPKI; BGPsec |
| Session hijacking | Steal authenticated session token | Application session | Secure cookie flags (HttpOnly, Secure, SameSite); short token lifetime |
Password attacks:

| Attack | Method | Target | Defense |
|---|---|---|---|
| Brute force | Try all combinations | Short/simple passwords | Account lockout; MFA; strong password policy |
| Dictionary attack | Try common words/passwords | Weak passwords | Same as above + password manager |
| Rainbow table | Pre-computed hash→password lookups | Unsalted hashes | Salted hashes (bcrypt, Argon2, scrypt) |
| Credential stuffing | Use breached credential lists on other sites | Password reuse | MFA; breach detection; unique passwords |
| Password spraying | Try common passwords against many accounts | Lockout evasion | Behavioral analytics; alert on distributed low-volume attempts |
Injection attacks: SQL injection, command injection, LDAP injection — all exploit insufficient input validation. Defense: parameterized queries, input validation, output encoding, least-privilege database accounts. Covered in detail in Domain 8 (Phase 9).
⚠️ Exam Trap: Rainbow table attacks are defeated by salting — adding a unique random value to each password before hashing. This means two users with the same password have different hashes. Rainbow tables precompute hash-to-password mappings; with a unique salt, a separate rainbow table would need to be computed for each salt value — computationally infeasible. Simply using SHA-256 instead of MD5 does NOT defeat rainbow tables; salting does.
Reflection Question: An attacker captures the password hash file from a compromised server. The file contains SHA-256 hashes without salts. The attacker cracks 40% of passwords in two hours using a rainbow table. A second server uses bcrypt with a per-user salt. Why would the attacker's rainbow table approach fail against the bcrypt server, and what is the attacker's best remaining option against the bcrypt hashes?
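To make the exam trap and the reflection question concrete, here is an added Python example (not from the study guide) that contrasts the two servers: a tiny precomputed digest-to-password table (standing in for a rainbow table, built from a constructed four-word list) is run against bare SHA-256 hashes and then against per-user salted hashes. It assumes hashlib.scrypt from the standard library as a stand-in for bcrypt, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the precomputed chains of a rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def build_lookup(words):
    """Precompute SHA-256 digest -> plaintext: a (tiny) rainbow-table equivalent."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def hash_unsalted(password):
    """What the compromised server did: bare SHA-256, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """Per-user 16-byte random salt stored next to the digest (scrypt stands in for bcrypt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**12, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)

def crack_with_lookup(stored, lookup):
    """Return user -> password for every stored digest that appears in the precomputed table."""
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}

def compare_schemes(users):
    """Hash the same accounts both ways and try the precomputed table against each store."""
    lookup = build_lookup(COMMON_PASSWORDS)
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    # Strip the salt prefix: the digest is the only thing a table could ever be matched against.
    salted_digests = {u: s.split("$")[1] for u, s in salted.items()}
    return {
        "unsalted_cracked": crack_with_lookup(unsalted, lookup),  # hits for every common password
        "salted_cracked": crack_with_lookup(salted_digests, lookup),  # always empty
        "unsalted": unsalted,
        "salted": salted,
    }

if __name__ == "__main__":
    result = compare_schemes({"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"})
    print("unsalted store, recovered:", result["unsalted_cracked"])
    print("salted store, recovered:", result["salted_cracked"])
    print("alice == bob (unsalted)?", result["unsalted"]["alice"] == result["unsalted"]["bob"])
    print("alice == bob (salted)?", result["salted"]["alice"] == result["salted"]["bob"])
```

Alice and Bob share a password, so their unsalted digests are identical and both fall to one table lookup; with a per-user salt their stored values differ and no precomputed digest can match, so the table would have to be rebuilt per salt.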