Linux Security Threats: Attack Sources and Types of Attacks


Start exploring Linux Security Fundamentals by downloading the free sample chapter today. DOWNLOAD NOW

In part 1 of this series, we discussed the seven different types of hackers who may compromise your Linux system. White hat and black hat hackers, script kiddies, hacktivists, nation states, organized crime, and bots are all angling for a piece of your system for their own nefarious/various reasons.

It’s important to also realize that these hackers can perpetrate an attack from inside or outside your organization. And their attacks can be either active or passive:

An active attack attempts to alter system resources or affect their operation, so it compromises the Integrity or Availability.

A passive attack attempts to learn or make use of information from the system, but does not affect system resources, so it compromises Confidentiality.

Active Attacks

Let’s look at different types of active attacks.

Denial of service attacks

Generally done by flooding the service or network with more requests than can be serviced, which results in the service becoming unreachable. This sometimes happens due to a client mis-configuration.

Spoofing attacks

Take place when a valid or authorized system is impersonated via IP address manipulation. The service thinks it is communicating with an authorized system when it is really talking to an impostor. ARP (Address Resolution Protocol), DNS (Domain Name System), IP Address, and MAC (Message Authentication Code) are susceptible to spoofing.

Port scanning

Can be done with the nmap utility and involves sending SYN packets to a range of ports on the target systems. The replies, or lack of replies, from the target provide a significant amount of information about the possible services running on the target.

Idle scans

Variations on port scans that use a third system, referred to as zombie, to gain information about a target system. To learn more about idle scans, you can go to

There are quite a variety of network attacks that are still widely used that take advantage of various network protocols required in most infrastructures. ARP storms, session hijacking, packet injection are all active network attack techniques.

Passive Attacks

Now, let’s take a look at a passive wiretapping attack.

Wiretapping is generally done with tcpdump or Wireshark to listen to traffic on the network. This is done by placing network interfaces into a promiscuous mode, in which all packets the switch sends to the port are then passed to the tcpdump application.

During normal operations, network interfaces throw away packets sent to them by the network devices when the destinations do not match those configured on the host. Pretty much all communications protocols and mechanisms are susceptible to wiretapping, including:

• Ethernet

• Wi-Fi


• Cellular networks.

In part 3 of this series, we’ll discuss the trade-offs you’ll face when making security decisions including the likelihood of an attack, the value of the assets you’re protecting, and the impact to business operations.

Stay one step ahead of malicious hackers with The Linux Foundation’s Linux Security Fundamentals course. Download a sample chapter today!

Read the other articles in this series:

Linux Security Threats: The 7 Classes of Attackers

Linux Security Fundamentals Part 3: Risk Assessment / Trade-offs and Business Considerations

Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark

Linux Security Fundamentals Part 6: Introduction to nmap