
Attacks & Intrusion Detection

Once you understand how attacks actually work, intrusion detection stops feeling like a list of acronyms and starts feeling like common sense.


The eavesdropper in the middle

A Man-in-the-Middle (MitM) attack — sometimes jokingly called a "monkey-in-the-middle" or "monster-in-the-middle" attack in more modern, gender-neutral phrasing — happens when an attacker secretly inserts themselves between two parties who believe they're talking directly to each other. Picture mailing a letter to a friend, except someone intercepts it, reads it, maybe even rewrites it, then reseals it and sends it on. Neither you nor your friend notices anything happened.

Two classic techniques make this possible: ARP spoofing, where an attacker tricks devices on a local network into sending traffic to the attacker's machine instead of the real destination, and DNS spoofing (or DNS poisoning), where an attacker corrupts the system that translates website names into IP addresses, silently redirecting you to a malicious server that looks identical to the real one.
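Both techniques leave a footprint a defender can look for. The following added example (not part of the original guide) shows two small checks over constructed data: one flags an IP address that is suddenly claimed by a second MAC address in ARP replies, the other flags a DNS answer from the local resolver that no trusted resolver agrees with. The ARP replies, resolver names and addresses are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN segment: (timestamp, sender IP, sender MAC).
# Real deployments would pull these from a packet capture; these values are invented.
ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    (2, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a different MAC
    (5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (6, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_conflicts(replies):
    """Return one alert per ARP reply that binds an already-known IP to a different MAC.

    A legitimate host keeps a single MAC. ARP poisoning works by answering for a
    victim's IP (usually the gateway) with the attacker's MAC, so the same IP
    appears bound to two hardware addresses in quick succession.
    """
    first_mac = {}     # ip -> MAC first observed for that IP
    alerts = []
    for ts, ip, mac in replies:
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            alerts.append({
                "time": ts,
                "ip": ip,
                "expected_mac": first_mac[ip],
                "claimed_mac": mac,
            })
    return alerts


# Constructed DNS answers for one name from several resolvers: (resolver, name, answer IP).
DNS_ANSWERS = [
    ("resolver-a", "bank.example", "203.0.113.10"),
    ("resolver-b", "bank.example", "203.0.113.10"),
    ("local-lan",  "bank.example", "198.51.100.7"),   # LAN resolver disagrees with both
]


def detect_dns_disagreement(answers, trusted=("resolver-a", "resolver-b")):
    """Flag answers from untrusted resolvers that no trusted resolver returned for the same name."""
    trusted_ips = defaultdict(set)
    for resolver, name, ip in answers:
        if resolver in trusted:
            trusted_ips[name].add(ip)
    alerts = []
    for resolver, name, ip in answers:
        if resolver not in trusted and ip not in trusted_ips[name]:
            alerts.append({
                "resolver": resolver,
                "name": name,
                "answer": ip,
                "trusted_answers": sorted(trusted_ips[name]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(ARP_REPLIES):
        print("ARP conflict:", alert)
    for alert in detect_dns_disagreement(DNS_ANSWERS):
        print("DNS disagreement:", alert)
```

Both checks are hints rather than proof: a DHCP lease moving to a new machine also changes the MAC behind an IP, and content-delivery networks legitimately hand different addresses to different resolvers, so in practice these alerts are correlated with other signals before anyone acts on them.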

Overwhelm, don't sneak: DoS and DDoS

Not every attack is about being sneaky — some are about being loud. A Denial of Service (DoS) attack floods a target with traffic or requests until it simply can't keep up and legitimate users get locked out. A Distributed Denial of Service (DDoS) attack does the exact same thing, but from thousands of sources at once — usually a botnet (sometimes called a zombie army), a network of compromised devices controlled remotely by a bot herder.

Imagine a small coffee shop that can comfortably serve 50 customers an hour. A DoS attack is one person standing in line ordering, canceling, and reordering nonstop. A DDoS attack is 10,000 people showing up at once, none of whom actually want coffee — they're just there to make sure no real customer can get through the door. Defending against this kind of volume usually means upstream filtering (stopping the flood before it ever reaches you, often at the ISP level) rather than trying to fight it at your own front door.

The classic web attacks: XSS and SQL injection

Two attacks show up in almost every web security discussion because they're so common and so preventable. Cross-Site Scripting (XSS) happens when an attacker sneaks malicious code into a webpage that other users will load — for example, hiding a script inside a comment field so that anyone who views the comment unknowingly runs the attacker's code in their own browser. SQL injection is the database equivalent: sneaking malicious SQL commands into an input field (like a login form) so the underlying database executes commands the developer never intended, sometimes exposing or destroying an entire database.

Both attacks exploit the exact same root mistake: trusting user input without checking it first. If you remember nothing else from this section, remember this — never trust input from a user, ever, no matter how harmless the input field looks.

How detection actually works: signatures vs. behavior

An Intrusion Detection System (IDS) watches network or host activity and raises an alert when it spots something suspicious; an Intrusion Prevention System (IPS) does the same thing but actively blocks the threat instead of just reporting it. Under the hood, both typically rely on one (or both) of two approaches:

Signature-based detection, which compares what it sees against a database of known attack patterns (signatures) and alerts on a match.

Behavior-based (anomaly-based) detection, which first builds a baseline of what "normal" activity looks like and alerts on significant deviations from it.

Each approach has a weakness worth knowing. Signature-based detection can't catch a brand-new attack it's never seen before. Behavior-based detection can catch novel attacks, but it's prone to false positives (flagging harmless activity as malicious) if your baseline of "normal" wasn't built carefully — and a false negative (missing a real threat entirely) is the failure mode every security team fears most.
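The two approaches, and the DoS flood from the earlier section, can be seen side by side in this added example (not code from the original guide). It runs a couple of signature rules and a simple baseline-based rate check over constructed web-server log lines; the log format, the rules, the baseline numbers and the client addresses are all invented for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed access-log lines in a simplified "client-ip time method path" format.
LOG_LINES = [
    "10.0.0.5 12:00:01 GET /index.html",
    "10.0.0.5 12:00:09 GET /about.html",
    "10.0.0.6 12:00:02 GET /login?user=admin'%20OR%20'1'='1",
    "10.0.0.7 12:00:03 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "10.0.0.8 12:00:04 GET /docs/script-tags.html",       # benign: mentions "script" but is not XSS
]
# A constructed flood: one client sending 40 requests within the same minute.
LOG_LINES += [f"10.0.0.99 12:00:{i:02d} GET /" for i in range(10, 50)]

# Signature rules: known attack patterns as regexes matched against the URL-decoded request.
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*or\s*'", re.IGNORECASE)),
    ("xss", re.compile(r"<script", re.IGNORECASE)),
]


def parse(line):
    """Split a log line into (ip, time, method, decoded path)."""
    ip, ts, method, path = line.split(" ", 3)
    # Decode %XX escapes first; otherwise a trivially encoded payload slips past the rules.
    return ip, ts, method, unquote(path)


def signature_alerts(lines):
    """Signature-based: alert whenever a request matches a known pattern."""
    alerts = []
    for line in lines:
        ip, ts, method, path = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append({"ip": ip, "rule": name, "request": path})
    return alerts


# Constructed baseline: requests per client per minute observed during normal operation.
BASELINE_PER_CLIENT = [3, 4, 5, 4, 3, 6, 4, 5]


def behavior_alerts(lines, baseline=BASELINE_PER_CLIENT, sigmas=3.0):
    """Behavior-based: alert on clients whose request rate is far above the learned baseline."""
    threshold = mean(baseline) + sigmas * pstdev(baseline)
    counts = Counter(parse(line)[0] for line in lines)
    return [
        {"ip": ip, "requests": n, "threshold": round(threshold, 2)}
        for ip, n in counts.items()
        if n > threshold
    ]


if __name__ == "__main__":
    for alert in signature_alerts(LOG_LINES):
        print("signature:", alert)
    for alert in behavior_alerts(LOG_LINES):
        print("behavior: ", alert)
```

Notice what each half can and cannot see. The signature rules catch the two injection attempts but would say nothing about the flood, and a pattern they have never been given is invisible to them. The rate check catches the flood without knowing anything about attacks, but the threshold comes entirely from the baseline: train it on a quiet night and a busy lunch hour of legitimate traffic will trip it, which is exactly the false-positive problem described above.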


Key takeaways
