Link Layer Concepts
- Switch
- A device that forwards Ethernet frames to specific ports based on learned MAC addresses.
- CAM Table (Content Addressable Memory)
- A switch’s table mapping MAC addresses to ports.
- CAM Overflow
- Filling the switch’s MAC table with bogus entries so that it can no longer learn addresses and floods frames for unknown destinations out of every port, like a hub.
- ARP (Address Resolution Protocol)
- Maps IP addresses to MAC addresses without authentication.
- ARP Poisoning
- Forging ARP replies to redirect a victim’s traffic through the attacker.
- Dynamic ARP Inspection (DAI)
- Validates ARP replies against trusted bindings (learned from DHCP snooping or static configuration) to block forged ARP packets.
- Port Security
- A managed switch control that limits which MAC addresses can appear on a given port and can shut down or restrict a port if violations occur.
- VLAN (Virtual LAN)
- A logical segmentation of a switch that separates traffic between groups of ports.
- VLAN Hopping
- Bypassing VLAN isolation to send or receive traffic from another VLAN.
- DHCP (Dynamic Host Configuration Protocol)
- Automatically assigns network settings such as IP address, gateway, and DNS servers.
- DHCP Snooping
- A switch feature that designates trusted ports for DHCP server traffic and blocks DHCP replies on untrusted ports to stop rogue DHCP servers.
- Rogue DHCP Server
- An unauthorized DHCP server providing malicious configuration settings.
Network Layer Concepts
- Router
- A device that forwards packets between networks based on routing tables.
- IP Spoofing
- Forging the source IP address in packets to hide the sender or misdirect responses.
- Route Table Poisoning
- An attack in which false routing entries are inserted into a router’s table, causing misrouting, blackholing, or interception of traffic.
- BGP (Border Gateway Protocol)
- The inter-domain routing protocol used between ISPs and large networks.
- Autonomous System (AS)
- A network under one administrative authority that participates in BGP.
- BGP Hijacking
- Announcing unauthorized IP prefixes to redirect or block traffic.
- RPKI (Resource Public Key Infrastructure)
- Cryptographically verifies which AS is allowed to announce an IP prefix.
- BGPsec
- Signs each AS hop in a BGP path to prevent route tampering.
Transport Layer Concepts
- TCP Three-Way Handshake
- The SYN → SYN-ACK → ACK process that establishes a TCP connection.
- TCP Session Hijacking
- Injecting forged packets into a TCP stream by predicting sequence numbers.
- SYN Flooding
- Overloading a server with incomplete TCP handshakes to exhaust its backlog.
- TCP Reset Attack
- Forcing a connection to close by sending a forged RST packet.
- UDP (User Datagram Protocol)
- A connectionless, stateless transport protocol; because there is no handshake, the source address of a datagram is easily spoofed.
- UDP Spoofing
- Forging the source of UDP packets to impersonate another host.
DNS Concepts
- Resolver
- The DNS server that performs lookups for clients.
- Authoritative Server
- The DNS server with the official records for a domain.
- DNS Cache
- Stored DNS answers that are used to speed up future lookups.
- Pharming
- Redirecting users to attacker-controlled sites by manipulating DNS settings.
- Cache Poisoning
- Injecting forged DNS responses into a resolver’s cache.
- 0x20 Encoding
- A DNS hardening technique that randomizes the capitalization of letters in a query name, adding extra entropy because authoritative servers must echo the case in their responses.
- DNSSEC
- Cryptographically signs DNS responses to ensure authenticity.
- DNS Rebinding
- Using DNS changes to make a victim’s browser send requests to private network addresses.
- Sitting Ducks Attack
- Taking over misconfigured domains with broken delegation.
DDoS Concepts
- Denial of Service (DoS)
- Making a service unavailable by overwhelming it with traffic or expensive requests.
- Distributed Denial of Service (DDoS)
- A DoS attack carried out by many devices simultaneously.
- Volumetric Attack
- A DDoS attack that saturates the target’s bandwidth.
- Packet-per-second (PPS) Attack
- A DDoS attack that overwhelms routers or firewalls by sending more packets per second than the devices can process.
- Requests-per-second (RPS) Attack
- An application-layer attack that overwhelms a server by generating more HTTP or other application requests per second than the server can handle.
- Reflection Attack
- Spoofing a victim’s IP address so servers send their responses to the victim.
- Amplification Attack
- Using services where small requests generate large responses to multiply attack traffic.
- Botnet
- A network of malware-infected devices used to launch coordinated attacks.
- Command and Control (C&C)
- The mechanism attackers use to control botnet devices.