🃏 Network Analysis Flashcards

Test your network traffic analysis skills for the CyberOps Associate exam.

About This Flashcard Deck

This flashcard deck contains 10 cards covering key Network Analysis concepts for the CyberOps Associate (CYBEROPS) exam. Use active recall: attempt to answer each question yourself before revealing the answer.


All Network Analysis Flashcards

1

Q: What is a SYN flood attack?

A: A DoS attack that sends many TCP SYN packets (often from spoofed source addresses) and never completes the three-way handshake, filling the server's listen backlog with half-open connections until legitimate clients are refused. Common mitigations are SYN cookies and per-source connection rate limiting.

2

Q: What does the Wireshark display filter "tcp.flags.syn == 1" show?

A: Every packet with the SYN flag set, which includes both the client's initial SYNs and the server's SYN/ACK replies. To isolate connection attempts only, use "tcp.flags.syn == 1 && tcp.flags.ack == 0".

3

Q: What is DNS tunneling?

A: Encoding data in DNS queries/responses to exfiltrate data or establish C2 channels, bypassing firewalls that allow DNS traffic.
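Card 3 describes the channel but not how an analyst spots it. The script below is an added example for this deck (it is not Cisco exam material or a vendor tool): it groups DNS queries by client and base domain and scores each group on how many distinct, long, high-entropy subdomain prefixes it contains, since encoded data riding in query names looks like a stream of unique random-looking labels under one domain. The query log is constructed; treating the last two labels as the "base domain" and the three thresholds are assumptions to tune against your own resolver logs (a public-suffix list handles names like example.co.uk properly).

```python
"""Score DNS query names for tunnelling-style encoded subdomains.

Added example, not part of the flashcard deck. Query log is constructed;
the two-label base-domain rule and the thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: (timestamp, client IP, queried name). Not real traffic.
# The 10.0.0.7 queries mimic a tunnel: long base32/base64-looking labels
# under one domain, each one different.
SAMPLE_QUERIES = [
    (1.0, "10.0.0.5", "www.example.com"),
    (1.2, "10.0.0.5", "mail.example.com"),
    (2.0, "10.0.0.7", "a7q2zk9mx4tp1vbn8rl3wc6hye5dsf0gju.t.evil-tunnel.net"),
    (2.1, "10.0.0.7", "k3mv8xq1zr7ytn2cbw5pd4hs9lfe6gja0u.t.evil-tunnel.net"),
    (2.2, "10.0.0.7", "z9pw4ftb2nqe7kxc1vhm5ysr8dga3lj6ou.t.evil-tunnel.net"),
    (2.3, "10.0.0.7", "m6rt1ydk8qhv3cpx9bsn2fwe7lgz4jau0o.t.evil-tunnel.net"),
    (3.0, "10.0.0.5", "cdn.example.com"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded labels score well above plain words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (base domain, subdomain prefix). Base = last two labels (assumption)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_tunnels(queries, min_unique=3, min_avg_len=30, min_entropy=3.0):
    """Flag (client, base domain) pairs with many distinct, long, high-entropy prefixes."""
    stats = defaultdict(lambda: {"prefixes": set(), "lens": [], "ents": []})
    for _, client, name in queries:
        base, prefix = split_name(name)
        s = stats[(client, base)]
        s["prefixes"].add(prefix)
        s["lens"].append(len(prefix))
        s["ents"].append(shannon_entropy(prefix.replace(".", "")))
    suspects = []
    for (client, base), s in stats.items():
        uniq = len(s["prefixes"])
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if uniq >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "domain": base, "unique_prefixes": uniq,
                             "avg_prefix_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return suspects


if __name__ == "__main__":
    for hit in score_tunnels(SAMPLE_QUERIES):
        print(hit)
```

Entropy alone is a weak signal (CDN and cloud hostnames are long and random too), which is why the score also needs volume of distinct prefixes under one base domain; in production you would add query rate per client and TXT/NULL record type ratios to the same aggregation.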

4

Q: What is the difference between signature-based and anomaly-based detection?

A: Signature-based matches known attack patterns (fast, misses new attacks). Anomaly-based detects deviations from normal behavior (catches new attacks, more false positives).

5

Q: What is NetFlow?

A: A Cisco-developed protocol in which routers and switches export IP flow records (source/destination IP, ports, protocol, byte and packet counts, timestamps) to a collector. It gives traffic visibility at a fraction of the storage cost of full packet capture, but carries no payload, so it shows who talked to whom and how much, not what was said.

6

Q: What is a PCAP file?

A: Packet Capture file — contains raw network traffic captured by tools like Wireshark or tcpdump for offline analysis.

7

Q: What is an indicator of compromise (IOC)?

A: Evidence that a security breach may have occurred: malicious IP addresses, file hashes, unusual DNS queries, registry changes, etc.

8

Q: What is beaconing?

A: Regular, periodic outbound connections from a compromised host to a C2 server. Detectable by analyzing connection timing patterns.
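Card 8 says beaconing is detectable from timing; the example below, added for this deck and not part of it, shows the arithmetic. Flows are grouped by (source, destination, port), the gaps between successive connections are computed, and a pair is flagged when the gaps' coefficient of variation (standard deviation divided by mean) is small, meaning the connections recur at a near-constant period. The flow log is constructed; the 8-connection minimum and 0.2 CV cut-off are assumptions.

```python
"""Flag (src, dst, port) pairs whose connections recur at a near-constant interval.

Added example for the beaconing flashcard. The flow log is constructed and
the thresholds are assumptions to tune.
"""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, src IP, dst IP, dst port).
SAMPLE_FLOWS = [
    # 10.0.0.7 calls home about every 60 s with small jitter (beacon)
    *[(t, "10.0.0.7", "203.0.113.10", 443) for t in (0, 61, 119, 181, 240, 299, 361, 420)],
    # 10.0.0.5 browses at irregular times (normal user traffic)
    *[(t, "10.0.0.5", "198.51.100.20", 443) for t in (0, 5, 47, 48, 200, 201, 202, 590)],
    # too few connections to judge
    (10, "10.0.0.8", "203.0.113.10", 443),
    (70, "10.0.0.8", "203.0.113.10", 443),
]


def interval_stats(times):
    """Mean gap and coefficient of variation (stdev / mean) for sorted timestamps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def beacon_candidates(flows, min_conns=8, max_cv=0.2):
    """Return pairs with at least min_conns connections whose gap CV is at most max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    found = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        mean, cv = interval_stats(sorted(times))
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "port": port, "count": len(times),
                          "period_s": round(mean, 1), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

Implants add random sleep jitter on purpose, so keep max_cv generous and pair this with other low-and-slow signals (long-lived pairs with tiny byte counts, fixed request sizes). A single missed beacon, for example a laptop closed for an hour, produces one outsize gap that inflates the CV; a median-based spread is more robust if that is common in your environment.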

9

Q: What does the TCP RST flag indicate?

A: The sender is aborting the connection immediately: no state is kept and no further data is accepted. A closed port answers a SYN with RST/ACK, so a single host receiving RSTs from many different ports of one target is a classic sign of a port scan.
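Cards 1, 6 and 9 are closely related in practice: a PCAP is the raw input, and half-open SYNs and RST/ACK replies are two things you count in it. The script below is an added example for this deck, not code from the exam or any tool: it serialises a constructed set of Ethernet/IPv4/TCP frames into a classic little-endian pcap byte stream, parses that stream back with nothing but struct, then reports half-open connections per target (a SYN with neither a completing client ACK nor a server RST, i.e. what a SYN flood leaves behind) and hosts that collected RST/ACKs from many distinct ports of one target (a SYN scan). IP and TCP checksums are left at zero because nothing here validates them; the five-port scan threshold is an assumption.

```python
"""Parse a classic pcap stream and count half-open SYNs and RST/ACK scan replies.

Added example for this flashcard deck. The capture is constructed in memory,
checksums are left at zero, and the thresholds are assumptions.
"""
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with the given flags (constructed, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    return eth + ip + tcp


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then 16-byte record header + frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP packet in a classic pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # written big-endian
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures handled here")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def half_open_by_target(packets):
    """Count SYNs per target that were neither completed by the client's ACK nor refused."""
    pending = {}
    for src, dst, sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            pending[(src, sport, dst, dport)] = True
        elif flags & RST:
            pending.pop((dst, dport, src, sport), None)   # server refused: no state kept
        elif flags & ACK and not flags & SYN:
            pending.pop((src, sport, dst, dport), None)   # third handshake packet
    counts = defaultdict(int)
    for _, _, dst, _ in pending:
        counts[dst] += 1
    return dict(counts)


def rst_scan_candidates(packets, min_ports=5):
    """Hosts that received RST/ACK replies from at least min_ports distinct ports of one target."""
    seen = defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if flags & RST and flags & ACK:
            seen[(dst, src)].add(sport)   # dst = scanner, src = target, sport = closed port
    return {scanner: {"target": target, "closed_ports": len(ports)}
            for (scanner, target), ports in seen.items() if len(ports) >= min_ports}


def sample_capture():
    """Constructed capture: one real handshake, a spoofed SYN flood, and a SYN scan."""
    frames = [build_tcp_frame("10.0.0.5", "10.0.0.10", 50000, 80, SYN),
              build_tcp_frame("10.0.0.10", "10.0.0.5", 80, 50000, SYN | ACK),
              build_tcp_frame("10.0.0.5", "10.0.0.10", 50000, 80, ACK)]
    for i in range(10):   # spoofed sources never answer the SYN/ACK
        frames.append(build_tcp_frame(f"198.51.100.{i + 1}", "10.0.0.10", 40000 + i, 80, SYN))
        frames.append(build_tcp_frame("10.0.0.10", f"198.51.100.{i + 1}", 80, 40000 + i, SYN | ACK))
    for port in (21, 22, 23, 25, 110, 143):   # closed ports answer RST/ACK
        frames.append(build_tcp_frame("10.0.0.9", "10.0.0.10", 51000, port, SYN))
        frames.append(build_tcp_frame("10.0.0.10", "10.0.0.9", port, 51000, RST | ACK))
    return build_pcap(frames)


def analyse(pcap_bytes):
    packets = list(parse_pcap(pcap_bytes))
    return half_open_by_target(packets), rst_scan_candidates(packets)
```

Note the ordering in half_open_by_target: the scanner's SYNs to closed ports are not counted as half-open because the target's RST cancels them, which matches what the server kernel does. Real captures need the extra cases this skips, such as VLAN tags, IP options, IPv6 and pcapng; on a live host the same counts are visible with ss -tan state syn-recv on Linux.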

10

Q: What is ARP spoofing?

A: An attacker sends forged (often gratuitous) ARP replies that bind their own MAC address to a legitimate host's IP, typically the default gateway, so other hosts send that IP's traffic to the attacker, enabling man-in-the-middle attacks. Mitigated by Dynamic ARP Inspection (DAI), which drops ARP packets that do not match the DHCP snooping binding table.

Cisco Flashcard Study Strategy

Cisco exams heavily test protocol operations and configuration details. Use these flashcards to drill port numbers, protocol behaviours, and administrative distances. Pair flashcard sessions with Packet Tracer labs — when you encounter a card about OSPF neighbour states, open a lab and verify each state transition on a live topology. This combination of memorisation and practice builds the deep understanding Cisco exams demand.
