| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 17.2 - Implementing Detection & Preventive Measures (Part 2 of 5)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues Domain 7, Security Operations, by drilling into the specific attacks you need to recognize on sight. It walks through classic techniques and their defenses, so you can name a pattern and apply the right fix in minutes rather than scrambling while the business suffers.
What this episode covers
- SYN flood and defenses β floods of opening requests with no final acknowledgment, countered by SYN cookies and shorter waits.
- TCP reset attack β a spoofed, forged reset that forces two systems to tear down an active connection.
- Smurf and Fraggle attacks β broadcast floods that trick a whole network into flooding a victim, now blocked by modern routers.
- Ping flood β a flood of ping requests, devastating when launched from a botnet, defended by blocking incoming pings.
- Legacy attacks β ping of death, teardrop, and land attacks whose variants resurface, with patching as the common cure.
- Zero-day β an exploit of an unknown flaw with no patch, defended with basics and honeypots.
- On-path attacks and employee sabotage β a hidden relay between two systems, and an insider threat met with swift termination and auditing.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does a SYN flood abuse the handshake, and how do you stop it?
Two systems normally open a connection with a synchronize, a synchronize-acknowledge, then an acknowledge. In a SYN flood the attacker sends a torrent of opening requests but never sends the final acknowledgment, so the server holds resources open for each half-finished connection until it exhausts memory and stops answering real users. SYN cookies let the server skip heavy reservation until a real acknowledgment arrives, and shortening the wait flushes half-open connections faster.
How does a TCP reset attack kill a live session?
Sessions normally end with a finish or a reset packet. An attacker spoofs the source address and sends a forged reset, tricking two systems into tearing down an active connection, which they then have to rebuild from scratch. This hits hardest on systems that rely on long-lived, persistent connections, because re-creating the session and its data is far more work than a quick reconnection.
What are Smurf, Fraggle, and ping flood attacks?
A Smurf attack sends a broadcast ping while spoofing the victimβs address, so every machine that answers floods the victim with replies, and a Fraggle attack does the same over certain UDP ports. Modern routers do not forward directed broadcasts and firewalls often block the traffic, so these are rarely a problem today. A ping flood simply overwhelms a victim with ping requests, becoming devastating when launched from a botnet as a distributed attack.
What makes a zero-day so dangerous?
A zero-day exploits a vulnerability defenders do not yet know about, so no patch exists. The purest version is when an attacker discovers the flaw first, and the label also covers the gap when a vendor knows but has not shipped a fix, and the window right after a patch drops before organizations apply it. An attack landing weeks after a patch was available is not a zero-day, just an unpatched system. Defend with the basics plus honeypots to observe unknown attacks.
How do on-path attacks and employee sabotage differ from network floods?
In a man-in-the-middle or on-path attack, the attacker slips into the flow between two endpoints, either sniffing traffic or acting as a hidden relay that captures and alters everything while both sides think they talk directly; patching and a VPN both help. Employee sabotage comes from inside, from someone who already has knowledge and access, so terminations should be swift, access disabled immediately, and activity closely audited and monitored.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 17.2 - Implementing Detection & Preventive Measures (Part 2 of 5).