Select one option from below and complete the discussion question.

A.  Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2.  How can the attacks you have described be detected and prevented?
B.  Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2.  Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

B.  Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2.  Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

In last week’s module, titled The Preattack Phases, several methods were discussed for how Nmap scans a network to determine whether ports are open.  One of them, the SYN stealth scan, sends a SYN to each target port; when the host answers with SYN/ACK (an open port), the scanner tears the attempt down with a RST instead of completing the handshake with an ACK, and a RST reply from the host instead of a SYN/ACK indicates a closed port.  This scan is also known as a half-open scan and is considered stealthy because a connection is never established (UMUC, 2012).  Since the connection never reaches the listening application, this type of scan is less likely to appear in application logs, although a firewall or network IDS that inspects TCP flags can still see the SYNs that are never completed.  The same half-open behavior can be turned against a host to cause a Denial of Service (DoS).  A SYN flood causes a DoS by sending a network device a large volume of SYN requests, typically from spoofed source addresses, and never answering the device’s SYN/ACK responses, so that its table of half-open connections fills up and legitimate connection attempts are refused.  The motive for this type of DoS attack is commonly extortion, espionage, or protest (Damballa, 2011).  According to Prolexic’s Quarterly Global DDoS Attack Report (2013), SYN floods comprised approximately one-third of all reported DoS attacks, the highest volume for any single attack type since Prolexic began publishing its quarterly report.

Denial of service attacks such as SYN floods are a common disruptive technique that many organizations experience today.  The organizations that are affected by these types of attacks vary across a spectrum of industries that include financial, retail, healthcare, and media.  The following actions are some countermeasures that organizations can employ to mitigate this type of attack:

Decrease the connection-established timeout period
Increase the size of the connection queue in the IP stack
Install vendor-specific patches, where available, to deal with SYN attacks
Employ a network-based IDS to watch for this type of activity
Install a firewall to watch for these types of attacks and alert the administrator to cut off the connection (Harris, 2008, p. 1012).

In addition to the measures Harris lists, modern TCP stacks implement SYN cookies, which encode the half-open connection state in the SYN/ACK sequence number so that no queue entry is consumed until the client’s ACK arrives; this directly counters the queue exhaustion that a SYN flood relies on and is available in all mainstream operating systems.
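To make the detection side concrete, the following Python script is added here as an illustration; it is not from the module or from Harris.  It shows how a network sensor could tell the two half-open behaviors described above apart from TCP flag records: one source leaving many ports half-open on a host (a SYN scan) versus many sources leaving one port half-open (a SYN flood).  The packet records, addresses, and thresholds are constructed for the example.

```python
from collections import defaultdict


def build_sample():
    """Constructed TCP flag records as a sensor in front of 192.168.1.10 would see them.

    Each record is (src_ip, dst_ip, dst_port, flags) with tcpdump-style flag letters:
    S = SYN, A = ACK, R = RST. Three behaviours are mixed together: a legitimate client
    completing a handshake, a half-open (SYN) scan, and a SYN flood from spoofed sources.
    """
    records = [
        # 1. Legitimate client: SYN, the server's SYN/ACK, then the client's ACK.
        ("10.0.0.7", "192.168.1.10", 443, "S"),
        ("192.168.1.10", "10.0.0.7", 51234, "SA"),
        ("10.0.0.7", "192.168.1.10", 443, "A"),
    ]
    # 2. SYN scan: one source probes 40 ports and answers each SYN/ACK with a RST,
    #    so no connection is ever established (the behaviour of Nmap's -sS).
    for port in range(1, 41):
        records.append(("10.0.0.5", "192.168.1.10", port, "S"))
        records.append(("10.0.0.5", "192.168.1.10", port, "R"))
    # 3. SYN flood: 500 spoofed sources each send one SYN to port 80 and go silent.
    for i in range(500):
        records.append((f"203.0.{i // 256}.{i % 256}", "192.168.1.10", 80, "S"))
    return records


def half_open(records):
    """Return the (src, dst, dport) triples whose SYN was never followed by the
    client's ACK, i.e. handshakes that stayed half-open. A RST from the source,
    as a SYN scan sends, still leaves the attempt half-open for our purposes."""
    syn_sent, completed = set(), set()
    for src, dst, dport, flags in records:
        key = (src, dst, dport)
        if "S" in flags and "A" not in flags:   # a bare SYN, not the server's SYN/ACK
            syn_sent.add(key)
        elif flags == "A":                      # third segment of the handshake
            completed.add(key)
    return syn_sent - completed


def classify(records, scan_ports=10, flood_sources=100):
    """Label half-open activity.

    A scan is one source leaving many ports half-open on one destination; a flood is
    many sources leaving one (dst, port) half-open. Thresholds are illustrative and
    would be tuned to the site's normal traffic.
    """
    incomplete = half_open(records)
    ports_per_source = defaultdict(set)
    sources_per_service = defaultdict(set)
    for src, dst, dport in incomplete:
        ports_per_source[(src, dst)].add(dport)
        sources_per_service[(dst, dport)].add(src)
    return {
        "half_open_total": len(incomplete),
        "scanners": {src for (src, _), ports in ports_per_source.items()
                     if len(ports) >= scan_ports},
        "flooded_services": {svc for svc, srcs in sources_per_service.items()
                             if len(srcs) >= flood_sources},
    }


if __name__ == "__main__":
    print(classify(build_sample()))
```

The same per-source and per-service counters are what a network IDS signature for SYN scanning or SYN flooding reduces to; the difference in practice is that the thresholds are applied over a sliding time window rather than to a whole capture.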

Damballa. (2011). Understanding the modern DDoS threat [White paper]. Retrieved from

Harris, S. (2008). CISSP all-in-one exam guide (4th ed.). New York, NY: McGraw-Hill.

Prolexic. (2013). Prolexic quarterly global DDoS attack report [Q2 2013]. Retrieved from

A.  Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3.
B.  Discuss the security measures or methods used to prevent or mitigate the LAN based attacks you presented in Question A.

Local area network (LAN) based attacks can be divided into two arenas: wired and wireless.  In addition to the LAN based attacks discussed in Module 3 (Media Access Control (MAC) and Address Resolution Protocol (ARP) attacks), other attacks on wired networks include content addressable memory (CAM) table exhaustion, Dynamic Host Configuration Protocol (DHCP) starvation, and virtual LAN (VLAN) hopping (University of Maryland University College, 2012).  Wireless LAN attacks include hidden node attacks, deauthentication (deauth) attacks, and fake access point (FakeAP) attacks.  Since infrastructure is constantly moving toward mobility, a discussion of wireless LAN based attacks seems appropriate.

Part A

FakeAP attacks spoof the 802.11 beacon frame that advertises an access point.  The Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard specifies the wireless local area network (WLAN) MAC and physical layers (IEEE Standards Association, 2012).  Beacons announce the presence of an access point and carry the parameters a client needs in order to join it, including the network name (SSID), the access point address (BSSID), supported rates, the beacon interval, and a timestamp; the more frequently beacons are sent, the more responsive the association and roaming process becomes (Geier, 2001).  FakeAP attacks generate counterfeit access points by forging these beacon frames and use the forged beacons to confuse or lure stations on the network (Oconnor, 2010).

At least two tools exploit the 802.11 beacon in this way: Black Alchemy’s FakeAP and Karmetasploit.  FakeAP generates thousands of counterfeit 802.11 access points, causing problems for anyone trying to map the wireless network (Oconnor, 2010).  Karmetasploit takes this many steps further by generating and advertising 802.11 beacons and integrating them with the Metasploit framework to launch automated attacks against unsuspecting users who associate with the counterfeit access point (Oconnor, 2010).  Like ARP, beacon frames carry no authentication, so a client has no way to distinguish a genuine access point from a counterfeit one, which makes it easy for an intruder to attract clients and gain access to the network (Chomsiri, 2008).

Part B

Detecting FakeAP-style tools is fairly simple.  The counterfeit beacons produce measurable anomalies, namely increased airtime overhead, decreased throughput, and out-of-order timestamps, and intrusion detection and prevention systems (IDPS) can be designed to recognize each of them.

Because FakeAP floods the air with beacons in order to advertise a large number of counterfeit access points, the network pays for it in overhead: every beacon occupies airtime and must be received and processed by nearby stations, which consumes more power and leaves less capacity for data, so throughput drops (Geier, 2001).  This drop in throughput is readily measurable.  Moreover, since beacons contend for the medium under the 802.11 carrier sense multiple access with collision avoidance (CSMA/CA) algorithm like any other frame, a sudden rise in beacon frames per second, or in the number of distinct BSSIDs being advertised, is easy to pinpoint (Geier, 2001).

Timestamps provide a second indicator.  Each beacon carries a timestamp from the access point’s timing synchronization function, which clients use to synchronize with the access point; on a genuine access point this value increases monotonically from one beacon to the next, at the same rate as real time.  FakeAP tools instead fill the field with random values (Oconnor, 2010), so a timestamp that goes backwards, or that jumps by far more or less than the time elapsed between captured beacons, betrays a counterfeit.  Because both indicators are straightforward to compute from captured beacons, an IDPS can alert on them and, where it manages the wireless infrastructure, trigger containment of the rogue access point so the attack does not continue.
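The two indicators above can be checked directly against captured beacons.  The following Python example is added here for illustration; it is not from Oconnor’s paper or from any FakeAP tool, and the beacon captures it analyses are constructed, with the counterfeit beacons carrying random timestamps as described in the text.  It flags a BSSID whose timestamp movement disagrees with the elapsed capture time, a BSSID beaconing faster than its advertised beacon interval, and a count of distinct BSSIDs above a site baseline (the baseline of 10 is an assumed value).

```python
import random
from collections import defaultdict

TU_US = 1024  # one 802.11 Time Unit (TU) is 1024 microseconds


def build_sample():
    """Constructed beacon captures, not real traffic.

    Each record is (capture_time_us, bssid, ssid, tsf_timestamp_us, beacon_interval_tu).
    The genuine AP's TSF timestamp advances in step with the capture clock and its
    beacons arrive every 100 TU; the counterfeits carry random TSF values (seeded so
    the example is repeatable) and arrive far faster than their advertised interval.
    """
    frames = []
    for n in range(20):
        t = n * 100 * TU_US
        frames.append((1_000_000 + t, "aa:bb:cc:00:00:01", "corp-wifi", 5_000_000 + t, 100))
    rnd = random.Random(7)
    for n in range(30):
        bssid = f"de:ad:be:ef:00:{n:02x}"
        for k in range(3):
            frames.append((1_000_000 + n * 1_000 + k * 50_000, bssid, f"fake-{n}",
                           rnd.randrange(0, 2**32), 100))
    return frames


def analyze(frames, drift_tolerance_us=2_000, max_bssids=10):
    """Return the anomalies an IDPS could alert on for a set of beacon captures.

    tsf_anomaly: between consecutive beacons the TSF timestamp moved by a very
      different amount than the capture clock (random or non-monotonic timestamps).
    interval_mismatch: consecutive beacons arrived much sooner than the advertised
      beacon interval allows.
    bssid_flood: more distinct BSSIDs were seen than the site baseline permits.
    """
    by_bssid = defaultdict(list)
    for frame in sorted(frames):  # chronological order; capture time is field 0
        by_bssid[frame[1]].append(frame)

    findings = {"tsf_anomaly": set(), "interval_mismatch": set(),
                "bssid_flood": len(by_bssid) > max_bssids}
    for bssid, beacons in by_bssid.items():
        for (cap1, _, _, tsf1, _), (cap2, _, _, tsf2, interval_tu) in zip(beacons, beacons[1:]):
            cap_delta = cap2 - cap1
            if abs((tsf2 - tsf1) - cap_delta) > drift_tolerance_us:
                findings["tsf_anomaly"].add(bssid)
            # Missed beacons make the gap longer, never shorter, so only a gap well
            # below the advertised interval is suspicious.
            if cap_delta < 0.8 * interval_tu * TU_US:
                findings["interval_mismatch"].add(bssid)
    return findings


if __name__ == "__main__":
    result = analyze(build_sample())
    print(f"BSSID flood: {result['bssid_flood']}")
    print(f"TSF anomalies: {sorted(result['tsf_anomaly'])}")
    print(f"interval mismatches: {sorted(result['interval_mismatch'])}")
```

The TSF comparison is deliberately a rate check rather than a plain monotonicity check: a counterfeit that happens to pick increasing random values would pass a monotonicity test, but it cannot make the timestamp advance by exactly the microseconds that elapsed on the sensor’s own clock.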


Chomsiri, T. (2008). Sniffing packets on LAN without ARP spoofing. Retrieved from

Geier, J. (2001). 802.11 beacons revealed. Retrieved from

IEEE Standards Association. (2012). IEEE 802.11. Retrieved from

Oconnor, T. (2010). Detecting and responding to data link layer attacks. Retrieved from the SANS Institute InfoSec Reading Room

University of Maryland University College. (2012). Switching and routing vulnerabilities, CSEC 640 – Module 3. Retrieved from

