Network-Based Indicators (Part 1) (Domain 2)

In this episode, we are focusing on network-based indicators: the signs in traffic and logs that an attack or unauthorized behavior is in progress. These indicators are usually found by monitoring traffic, reviewing logs, and watching for anomalies across network infrastructure. Today we will examine two major categories of network-based threats: Distributed Denial-of-Service attacks and Domain Name System abuse. Understanding how these attacks work, and what signs they leave behind, helps you detect and stop them before serious damage occurs.
Let's begin with Distributed Denial-of-Service attacks, commonly known as DDoS attacks. These attacks overwhelm a target with so much traffic or so many requests that it becomes unavailable to legitimate users. The goal is not to steal data but to disrupt operations: taking websites down, blocking access to services, or degrading performance so severely that systems become unusable.
DDoS attacks usually originate from botnets, networks of compromised devices under the attacker's control. The attacker instructs all of those devices to send traffic to the same target at the same time. What makes DDoS dangerous is scale. Even a modest attack can saturate a link, exhaust server CPU or memory, or fill the connection-state tables of a firewall or load balancer, at which point legitimate sessions are dropped along with the malicious ones.
Two techniques you should recognize are reflection and amplification, and real attacks usually combine them. In a reflected attack, the attacker sends requests to third-party servers, such as open DNS resolvers or NTP servers, with the source IP address spoofed to be the victim's. The servers believe the victim asked, so they send their replies to the victim, which is flooded with responses to requests it never made. Reflection also hides the attacker, because the victim only ever sees the reflectors' addresses.
Amplification adds scale to that pattern. The attacker chooses a request whose response is much larger than the request itself, so every byte the attacker sends becomes many bytes arriving at the victim. The classic example is the NTP monlist command, which answers a request of a few hundred bytes with a list of recent clients that can be hundreds of times larger. Because the reflectors are legitimate servers, the victim cannot simply block their addresses without also blocking real DNS or NTP traffic.
To detect DDoS attacks, monitor for traffic spikes, unusually large flows, and resource exhaustion. You may notice a sudden drop in server responsiveness, an increase in dropped packets or connection timeouts, or firewall logs showing connections from a very large number of distinct sources. In a volumetric attack, bandwidth graphs show a sharp rise in inbound traffic from many sources at once. Reflected attacks have a particular signature: inbound UDP traffic whose source port is a service port such as 53 or 123, arriving from hundreds of legitimate servers, for which your hosts never sent a matching request. Compare what you see against a baseline for the same time of day, since a legitimate surge, such as a product launch, can look similar at first glance.
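Here is an added example of that detection logic, written for this page rather than taken from any product. It runs over one window of constructed flow records (the addresses are documentation ranges, and the baseline figures and thresholds are assumptions) and flags a destination when inbound bytes are far above its own baseline, or when many distinct sources are all replying from a reflector service port.

```python
"""Flag volumetric and reflected floods in one window of flow records.

Added example. Flow records, baselines and thresholds are constructed for
illustration; the IP addresses are documentation ranges, not real hosts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the source port their replies use.
REFLECTOR_SERVICES = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    nbytes: int
    npackets: int


# Constructed sample window: 40 NTP servers "reply" to 203.0.113.10 on port 80, which is
# what the victim sees when an attacker spoofs its address (and source port 80) in monlist
# requests. Two ordinary flows to 203.0.113.20 show what normal traffic looks like.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 123, "203.0.113.10", 80, "udp", 60_000, 100) for i in range(1, 41)
] + [
    Flow("192.0.2.5", 51514, "203.0.113.20", 443, "tcp", 12_000, 20),  # normal HTTPS client
    Flow("192.0.2.53", 53, "203.0.113.20", 40_000, "udp", 300, 1),     # one genuine DNS reply
]
# Normal inbound bytes per window for each host, assumed to come from historical data.
SAMPLE_BASELINE = {"203.0.113.10": 200_000, "203.0.113.20": 50_000}


def analyze_window(flows, baseline_bytes, spike_factor=10, min_sources=20):
    """Return {dst_ip: finding} for destinations that look under attack in this window."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set(), "reflectors": Counter()})
    for f in flows:
        d = per_dst[f.dst_ip]
        d["bytes"] += f.nbytes
        d["packets"] += f.npackets
        d["sources"].add(f.src_ip)
        if f.proto == "udp" and f.src_port in REFLECTOR_SERVICES:
            d["reflectors"][REFLECTOR_SERVICES[f.src_port]] += 1

    findings = {}
    for dst, d in per_dst.items():
        alerts = []
        base = baseline_bytes.get(dst, 0)
        # Volumetric: inbound bytes far above this host's own baseline for the window.
        if base and d["bytes"] >= spike_factor * base:
            alerts.append(f"volumetric: {d['bytes']} B vs baseline {base} B ({d['bytes'] // base}x)")
        # Reflection: many distinct sources, all answering from a reflector service port.
        reflected = sum(d["reflectors"].values())
        if len(d["sources"]) >= min_sources and reflected >= min_sources:
            breakdown = ", ".join(f"{svc}={n}" for svc, n in d["reflectors"].most_common())
            alerts.append(f"reflection: {len(d['sources'])} sources replying from service ports ({breakdown})")
        if alerts:
            findings[dst] = {
                "bytes": d["bytes"],
                "sources": len(d["sources"]),
                # Large average UDP packets are a hint that the replies were amplified.
                "avg_packet_bytes": d["bytes"] // max(d["packets"], 1),
                "alerts": alerts,
            }
    return findings


if __name__ == "__main__":
    for dst, finding in analyze_window(SAMPLE_FLOWS, SAMPLE_BASELINE).items():
        print(dst, finding)
```

On the sample data only 203.0.113.10 is reported, with both alerts, 40 sources and a 600-byte average packet. In practice the baseline would come from the same collector's history, and the reflection rule would be paired with a check that the host had no outbound queries to those sources in the same window.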
DDoS mitigation involves several layers. Content delivery networks and anycast-based scrubbing services can absorb volumetric traffic and keep systems reachable. Rate limiting, geo-blocking, and blackhole routing can reduce or redirect malicious traffic, but each has a cost: rate limits and geo-blocks also drop some legitimate users, and blackholing a prefix at your upstream provider completes the outage for that prefix in exchange for protecting everything else. Because a large attack saturates your link before any on-premises device can act, arrangements with your internet service provider and a cloud-based DDoS mitigation provider should be in place before an attack, not improvised during one.
Now let's move to Domain Name System-based attacks. The Domain Name System, or DNS, is how computers translate human-readable domain names into IP addresses. Because nearly every internet transaction begins with a DNS lookup, this system is a prime target for attackers.
One major DNS threat is spoofing. In a DNS spoofing attack, the attacker answers the victim's query with a forged response, redirecting the victim to a malicious or lookalike site. On a local network this is often done by an attacker positioned on the path who answers before the real resolver does. The victim believes they are visiting a trusted domain, such as a bank or email service, but instead lands on a site the attacker controls. From there, the attacker can harvest credentials, deliver malware, or continue the social engineering.
Cache poisoning is a related threat aimed at the resolver rather than the client. The attacker injects a forged answer into a recursive resolver's cache, typically by sending forged responses that match an outstanding query before the legitimate authoritative answer arrives. Once the bad record is cached, every user of that resolver who asks for the domain is sent to the attacker's address until the record expires. Because the answer comes from the organization's own resolver, users have no reason to suspect anything is wrong.
Indicators of DNS-based attacks include sudden changes in DNS response behavior, traffic being redirected, and well-known domains resolving to unfamiliar or suspicious IP addresses. You might also see many queries for the same domain in rapid succession (a beacon), bursts of queries for names that do not exist (NXDOMAIN responses, typical of domain generation algorithms), long high-entropy subdomains or unusual TXT query volume (DNS tunneling), and activity involving domains registered only days earlier. These signs often indicate automated tools or malware using DNS to communicate.
To protect against DNS attacks, organizations should implement secure DNS practices. This includes Domain Name System Security Extensions, known as DNSSEC, which let a validating resolver check cryptographic signatures on the records it receives. Note that DNSSEC authenticates DNS data and protects its integrity but does not encrypt queries, and it only helps when the resolver actually validates. Resolvers should refuse recursive queries from outside the organization, so they cannot be abused as reflectors, and should apply the standard anti-spoofing checks: random transaction IDs, random source ports, and acceptance of a response only when its transaction ID, destination port, and question section all match an outstanding query.
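To make the validation point concrete, here is an added example written for this page: a toy model of the resolver-side check and of the forged-response race described under cache poisoning. It sends no packets and is not the code of any real resolver; the fixed port value, the forged answer address and the seed are assumptions for the model. It shows why matching only the 16-bit transaction ID is not enough, and why RFC 5452 added source port randomization.

```python
"""Why a resolver must match transaction ID, port and question before caching a reply.

Added example: a toy model of the check, not any real resolver's code.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int       # 16-bit ID the resolver put in its outgoing query
    src_port: int   # UDP source port the query was sent from
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    answer: str


def make_query(qname, randomize_port, rng):
    """Resolver side. Old resolvers sent every query from one fixed port (53 in this model);
    RFC 5452 resolvers pick a random ephemeral port per query as well as a random ID."""
    txid = rng.randrange(1 << 16)
    src_port = rng.randrange(1024, 1 << 16) if randomize_port else 53
    return PendingQuery(txid, src_port, qname)


def resolver_accepts(pending, resp):
    """The validation step: a reply is only considered if it matches an outstanding query in
    all three fields. (A real resolver also rejects records outside the zone it asked about.)"""
    return (resp.txid == pending.txid
            and resp.dst_port == pending.src_port
            and resp.qname == pending.qname)


def forged_flood(pending, qname, guessed_port, budget=1 << 16):
    """Attacker side of the race: send forged replies carrying every transaction ID at a
    guessed port before the real answer arrives. Returns how many forgeries were sent
    before one was accepted, or None if the whole budget was rejected."""
    for attempt, txid in enumerate(range(min(budget, 1 << 16)), start=1):
        forged = Response(txid, guessed_port, qname, "203.0.113.66")  # attacker-chosen address
        if resolver_accepts(pending, forged):
            return attempt
    return None


def search_space(randomize_port):
    """Number of (txid, port) combinations the attacker must cover blind."""
    return (1 << 16) * ((1 << 16) - 1024 if randomize_port else 1)


def demo(seed=7):
    """Run the race against a fixed-port resolver and a port-randomizing one."""
    rng = random.Random(seed)
    out = {}
    for name, randomize in (("fixed_port", False), ("random_port", True)):
        pending = make_query("www.example.com", randomize, rng)
        # The attacker knows fixed-port resolvers use 53 and tries that port either way.
        out[name] = forged_flood(pending, "www.example.com", guessed_port=53)
    return out


if __name__ == "__main__":
    print(demo())  # fixed_port: accepted within 65536 forgeries; random_port: None
    print(search_space(False), search_space(True))
```

With a fixed port the attacker only has to enumerate 65,536 IDs, which fits in a burst of packets; with a random port the blind search space grows by a factor of about 64,000, and the forgeries in the model are all rejected. The question-section match matters too: a reply for a name that was never asked is discarded before any ID comparison.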
DNS logging and monitoring are also critical. Logs should capture the query source, the name and record type requested, the response code, the answer returned, and a timestamp, so that suspicious behavior can be reconstructed later. Known malicious domains should be blocked through filtering, and alerting should be configured for anomalies such as sudden spikes in DNS traffic, a high NXDOMAIN rate from a single host, or outbound queries to known command-and-control domains.
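Here is an added example that runs the indicators from the last few paragraphs over a resolver log. It is written for this page, not taken from any resolver or SIEM; the log lines are constructed in a simple whitespace-separated format rather than any product's native format, and the expected-answer table, blocklist, and thresholds are assumptions you would replace with your own data.

```python
"""Scan resolver query logs for the DNS indicators described above.

Added example. The log format, the sample lines, the expected-answer table, the
blocklist and every threshold are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log. Fields: epoch_seconds client qname qtype rcode answer ("-" if none)
SAMPLE_LOG = "\n".join(
    [
        "1710000000 10.0.0.5 www.example.com A NOERROR 198.51.100.10",   # matches expectation
        "1710000001 10.0.0.7 www.example.com A NOERROR 203.0.113.66",    # unexpected answer
        "1710000002 10.0.0.13 c2.bad-example.net A NOERROR 203.0.113.9",  # on the blocklist
        "1710000003 10.0.0.11 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.net TXT NOERROR -",  # tunnel-like
    ]
    # 10.0.0.9 walks 30 machine-generated names in six seconds and gets NXDOMAIN for all of them
    + [f"{1710000010 + i // 5} 10.0.0.9 qzv{i:02d}xkwl.example.org A NXDOMAIN -" for i in range(30)]
    # 10.0.0.13 asks for the same name once a second: a beacon
    + [f"{1710000020 + i} 10.0.0.13 beacon.example.com A NOERROR 198.51.100.77" for i in range(6)]
)

# Assumed monitoring configuration: answers we expect for domains we care about, and known-bad names.
EXPECTED_ANSWERS = {"www.example.com": {"198.51.100.10"}}
BLOCKLIST = {"c2.bad-example.net"}


def shannon_entropy(s):
    """Bits per character; base64-like tunnel payloads score far higher than real hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode, "answer": answer})
    return records


def scan(records, expected=EXPECTED_ANSWERS, blocklist=BLOCKLIST, burst_n=5, burst_window=10,
         nx_min=20, nx_ratio=0.8, label_len=24, label_entropy=3.5):
    """Return (rule, client, detail) tuples for every indicator found."""
    findings = []
    stamps_by_client_name = defaultdict(list)
    rcodes_by_client = defaultdict(Counter)
    for r in records:
        stamps_by_client_name[(r["client"], r["qname"])].append(r["ts"])
        rcodes_by_client[r["client"]][r["rcode"]] += 1
        if r["qname"] in blocklist:                                   # query to a known C2 domain
            findings.append(("blocklist", r["client"], r["qname"]))
        want = expected.get(r["qname"])
        if want and r["answer"] not in want:                          # spoofed or poisoned answer
            findings.append(("unexpected-answer", r["client"], f"{r['qname']} -> {r['answer']}"))
        first_label = r["qname"].split(".")[0]
        if len(first_label) >= label_len and shannon_entropy(first_label) >= label_entropy:
            findings.append(("tunnel-label", r["client"], r["qname"]))  # data smuggled in the name
    for (client, qname), stamps in stamps_by_client_name.items():    # same name, rapid succession
        stamps.sort()
        for i in range(len(stamps) - burst_n + 1):
            if stamps[i + burst_n - 1] - stamps[i] <= burst_window:
                findings.append(("query-burst", client, f"{qname} x{len(stamps)}"))
                break
    for client, rc in rcodes_by_client.items():                       # DGA-style NXDOMAIN storm
        total = sum(rc.values())
        if total >= nx_min and rc["NXDOMAIN"] / total >= nx_ratio:
            findings.append(("nxdomain-burst", client, f"{rc['NXDOMAIN']}/{total} NXDOMAIN"))
    return findings


if __name__ == "__main__":
    for finding in scan(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each rule maps to one indicator from the text: the expected-answer check catches spoofing and poisoning, the blocklist and burst rules catch beaconing to command-and-control, the entropy rule catches tunneling, and the NXDOMAIN ratio catches domain generation algorithms. The thresholds are starting points; tune them against your own baseline, since a busy mail server or a monitoring probe can legitimately repeat queries.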
As you prepare for the Security+ exam, be ready to identify the signs of DDoS and DNS-based attacks. Know how amplified and reflected DDoS attacks differ, and understand the role of botnets in flooding systems with traffic. For DNS threats, focus on spoofing and cache poisoning as the core risks. You may be asked to recommend detection or prevention tools, or to explain what network logs might reveal during one of these attacks.
