Cybersecurity - Lesson 3 of 6

Technical Attacks

When attackers target the technology directly. Brute force, denial of service, SQL injection, and data interception - the attacks that exploit weaknesses in software, protocols, and network infrastructure.

Duration: 45 - 60 min. Topics: Brute Force, DoS/DDoS, SQL Injection, Packet Sniffing

At exactly 11:00pm on launch night, the gaming company's servers go quiet. Hundreds of thousands of players trying to log in get the same error: connection refused. The company's engineers can see millions of requests flooding in simultaneously - far more than any legitimate player base could generate. By the time they respond, the launch window is gone.

Think about it: This wasn't a software vulnerability or a stolen password. What type of attack is this? And why is it so difficult to defend against?

Unlike social engineering, technical attacks exploit weaknesses in software, protocols and network infrastructure directly. They require more technical knowledge but can be devastatingly effective at scale.

Why this matters in the exam

Technical attack questions often ask you to explain how an attack works, not just name it. For SQL injection especially, examiners want to see that you understand the mechanism. DoS vs DDoS is a distinction that frequently comes up - know the difference precisely.

Brute force and dictionary attacks

Attack Type 1: Brute Force Attack

A brute force attack uses automated software to try every possible combination of characters until the correct password is found. Given enough time and computing power, every password is eventually crackable by brute force - the question is how long it takes.

A 4-digit PIN has only 10,000 combinations - cracked in under a second. A 12-character password using uppercase, lowercase, numbers and symbols has over 475 quintillion possibilities - potentially thousands of years at current speeds.

Defences: Account lockout after a set number of failed attempts, CAPTCHA, long and complex passwords, two-factor authentication.
Common mistake: Writing "brute force guesses the most common passwords." That's a dictionary attack - a refinement of brute force that tries real words and previously leaked passwords first before random combinations.
Brute force
Systematically trying every possible password combination using automated software.
Dictionary attack
A refined brute force that tries common words, phrases and previously leaked passwords first.
Account lockout
Automatically locking an account after a set number of failed login attempts to prevent automated attacks.
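The account-lockout defence named above (and again in the explorer steps below) is easy to describe but worth seeing as logic. The block below is an added example for this lesson, not code from the original page: it keeps a per-account failure counter with an injectable clock, locks the account after a threshold, and stores passwords as salted PBKDF2 hashes rather than plaintext. The thresholds, the user "alice", the PIN, the guess list and the 900-second lockout are all assumptions chosen for the demonstration; two-factor authentication is not modelled.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the password hash


@dataclass
class AttemptRecord:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Locks an account for lockout_seconds once max_failures consecutive attempts fail."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock        # injected so the behaviour can be checked without waiting
        self.records = {}         # username -> AttemptRecord

    def _record(self, username):
        return self.records.setdefault(username, AttemptRecord())

    def is_locked(self, username):
        return self.clock() < self._record(username).locked_until

    def record_failure(self, username):
        rec = self._record(username)
        rec.failures += 1
        if rec.failures >= self.max_failures:
            rec.locked_until = self.clock() + self.lockout_seconds
            rec.failures = 0      # the lock now blocks attempts; the counter restarts afterwards

    def record_success(self, username):
        self.records[username] = AttemptRecord()


def make_user_store(credentials):
    """Constructed user store. Passwords are kept as salted PBKDF2 hashes, never in plaintext."""
    store = {}
    for user, pw in credentials.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS))
    return store


def attempt_login(guard, store, username, password):
    """Returns 'locked', 'ok' or 'fail'. A locked account rejects even the correct password,
    which is what stops automated guessing from ever reaching it."""
    if guard.is_locked(username):
        return "locked"
    entry = store.get(username)
    if entry is not None:
        salt, expected = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            guard.record_success(username)
            return "ok"
    guard.record_failure(username)   # unknown usernames count too, so they cannot be told apart
    return "fail"


class FakeClock:
    """Controllable clock so lockout expiry can be demonstrated instantly."""

    def __init__(self, now=1_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Seven guesses at a 4-digit PIN (constructed list; the real PIN is the last guess)."""
    clock = FakeClock()
    store = make_user_store({"alice": "4831"})
    guard = LoginGuard(max_failures=5, lockout_seconds=900, clock=clock)
    guesses = ["0000", "1111", "1234", "2222", "3333", "4444", "4831"]
    outcomes = [attempt_login(guard, store, "alice", g) for g in guesses]
    clock.now += 901                 # the lockout window has passed
    recovered = attempt_login(guard, store, "alice", "4831")
    return outcomes, recovered


if __name__ == "__main__":
    print(demo())
```

The fifth failure locks the account, so the sixth and seventh guesses (one of which is correct) are refused without the password ever being checked; once the window expires the legitimate user can log in again. Lockout on its own also lets an attacker deliberately lock other people out, which is why real systems pair it with rate limiting, CAPTCHA and 2FA rather than relying on it alone.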

DoS, DDoS and SQL Injection

Attack Type 2: Denial of Service (DoS) & DDoS

A DoS attack floods a server or network with so much traffic that it cannot respond to legitimate requests. The server's resources (bandwidth, memory, processing power) are exhausted, causing a service outage for real users.

A DDoS (Distributed Denial of Service) attack is the same principle but launched simultaneously from thousands of compromised devices (forming a botnet). This makes it far harder to block - you can't simply ban a single IP address when the traffic comes from 100,000 different sources worldwide.

Exam tip: The key distinction is distributed - DDoS uses multiple sources (a botnet), DoS uses one. Also: DDoS does not gain access to data - it just makes a service unavailable.
Common mistake: Writing that DDoS "steals data." It doesn't - it makes a service unavailable. The attack goal is disruption, not data theft.

Attack Type 3: SQL Injection

SQL injection exploits poorly sanitised input fields on websites that interact with a database. An attacker enters malicious SQL code into a text field (such as a login box or search bar), which gets passed directly to the database query - making it execute unintended commands.

This can allow attackers to bypass authentication, extract entire database contents, modify or delete records, or even gain administrative control.

-- Normal login query:
SELECT * FROM users WHERE username='alice' AND password='hunter2';

-- Attacker enters this as the username:
' OR 1=1; --

-- The query becomes:
SELECT * FROM users WHERE username='' OR 1=1; --' AND password='anything';

-- 1=1 is always TRUE. The -- comments out the rest.
-- Result: logged in without a valid password.
Defence - Input sanitisation: Validate and clean all user input. Parameterised queries (prepared statements) prevent SQL injection by treating input as data, never as executable code.
Common mistake: Students often say "a firewall prevents SQL injection." Firewalls operate at the network level - SQL injection exploits the application layer. The defence is input validation and parameterised queries.
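To show the mechanism rather than just the query text, the block below is an added example for this lesson (not code from the original page). It builds an in-memory SQLite database with one constructed user row, runs the lesson's injected username through a login function that concatenates input into the SQL string, and then through the parameterised version. Passwords are stored in plaintext here only to mirror the query on the page; a real system stores a salted hash. The table name, column names and credentials are assumptions.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The flawed pattern: user input is pasted straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. With the injected input the WHERE clause
    becomes  username='' OR 1=1; --' AND password='...'  and matches every row."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised (prepared) query: the placeholders are bound as data by the driver,
    so a quote or -- inside the input is compared literally and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


INJECTED_USERNAME = "' OR 1=1; --"   # the lesson's payload


def demo():
    conn = make_db()
    return {
        "vulnerable_injected": login_vulnerable(conn, INJECTED_USERNAME, "anything"),
        "safe_injected": login_safe(conn, INJECTED_USERNAME, "anything"),
        "safe_valid": login_safe(conn, "alice", "hunter2"),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(INJECTED_USERNAME, "anything"))
    print(demo())
```

The vulnerable version returns alice for the injected input because `1=1` is true for every row; the parameterised version returns nothing, because it is looking for a user whose name is literally the string `' OR 1=1; --`. Note that the fix is in how the query is built, not in anything a firewall can see.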

Packet sniffing & man-in-the-middle - interactive explorer

Packet sniffing involves intercepting data packets as they travel across a network. On unencrypted networks, the content of packets - including passwords and personal data - can be read directly by an attacker with the right software.

A man-in-the-middle (MITM) attack goes further: the attacker secretly intercepts and potentially modifies communications between two parties who believe they are communicating directly. The attacker sits "in the middle", reading and possibly altering everything that passes through.

Attack Step-by-Step Explorer

Brute Force
1. Attacker identifies a target login page or service protected by a password.
2. Automated software begins trying passwords - starting with common ones (dictionary attack) then moving to every possible combination.
3. Thousands to millions of attempts per second, depending on computing power available and any rate limiting in place.
4. If no account lockout exists, the attacker eventually finds the correct password and gains access.
Key defence: Account lockout after N failed attempts. Long, complex passwords dramatically increase attack time. 2FA makes the password alone insufficient even if found.

DoS / DDoS
1. DoS: Attacker sends enormous volume of requests to a web server or network from a single device.
2. The server's resources (CPU, RAM, bandwidth) are consumed handling fake requests, leaving nothing for legitimate users.
3. DDoS extension: Instead of one device, a botnet of thousands of compromised machines all send traffic simultaneously.
4. The server cannot distinguish legitimate traffic from attack traffic at this scale - blocking one IP address makes no difference.
5. The service becomes unavailable. No data is stolen - the attack goal is disruption.
Key defences: Traffic filtering, rate limiting, CDN services that absorb traffic, working with ISPs to block attack traffic upstream.

SQL Injection
1. Attacker finds a website that passes user input directly into a database query without sanitisation.
2. Attacker enters malicious SQL code into an input field (username, search box, URL parameter).
3. The website's database executes the injected code as part of the query instead of treating it as plain text.
4. The attacker can bypass login, extract all database records, modify data, or delete entire tables.
Key defence: Input validation + parameterised queries (prepared statements). These treat all user input as data, never as executable SQL code.

Packet Sniffing / MITM
1. Attacker positions themselves on the same network as the victim (e.g. a public Wi-Fi hotspot).
2. Packet sniffing: Using software, the attacker captures data packets travelling across the network. On unencrypted connections, packet contents are readable.
3. MITM extension: Attacker tricks both parties into routing traffic through them, intercepting and optionally modifying communications in real time.
4. Victim and server believe they are communicating directly. The attacker reads (and potentially alters) all data exchanged.
Key defence: Encryption (HTTPS/TLS) renders intercepted packets unreadable. Even if an attacker captures packets, encrypted content appears as random ciphertext.
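The packet sniffing section above and its explorer steps make the same point: on an unencrypted connection the password is right there in the packet, while a TLS-wrapped packet shows only opaque bytes. The block below is an added example (not code from the original page) written from the monitoring side: it runs a small audit over constructed packet records, flags the flows that expose a credential in cleartext, and skips anything that looks like a TLS record. The port numbers, payloads, field-name list and the TLS-header heuristic are assumptions; the "encrypted" packet is a stand-in byte string, not real TLS output.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Field names commonly used for passwords in HTTP form posts (assumed list).
CRED_FIELD = re.compile(rb"(?:^|[&?\s])(password|passwd|pwd)=[^&\s]+", re.IGNORECASE)
# FTP sends the password as a bare command line.
FTP_PASS = re.compile(rb"^PASS\s+\S+", re.IGNORECASE | re.MULTILINE)


def is_tls_record(payload):
    """A TLS record begins with a content type (0x14-0x17) followed by a 0x03 0x0X version."""
    return (len(payload) >= 3 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def audit(packets):
    """One finding per packet whose payload exposes a credential in cleartext.
    Findings name the field, never the secret itself, so the audit log does not
    become a second place the password is stored."""
    findings = []
    for i, p in enumerate(packets):
        if is_tls_record(p.payload):
            continue  # ciphertext: a sniffer sees only random-looking bytes
        m = CRED_FIELD.search(p.payload)
        if m:
            findings.append((i, p.dst_port, "HTTP field '%s' sent in cleartext" % m.group(1).decode()))
        elif FTP_PASS.search(p.payload):
            findings.append((i, p.dst_port, "FTP PASS command sent in cleartext"))
    return findings


def sample_capture():
    """Constructed packets standing in for a capture on a shared Wi-Fi network."""
    form = b"username=alice&password=hunter2"
    http_post = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + form)
    # Stand-in for the same POST inside a TLS 1.2 application-data record:
    # header 0x17 0x03 0x03 + length, then opaque bytes (not real encryption).
    tls_record = b"\x17\x03\x03\x00\x20" + bytes(range(0x90, 0xb0))
    ftp = b"USER alice\r\nPASS hunter2\r\n"
    get = b"GET /news HTTP/1.1\r\nHost: example.test\r\n\r\n"
    return [
        Packet("192.0.2.10", "198.51.100.5", 80, http_post),
        Packet("192.0.2.10", "198.51.100.5", 443, tls_record),
        Packet("192.0.2.10", "198.51.100.6", 21, ftp),
        Packet("192.0.2.10", "198.51.100.5", 80, get),
    ]


if __name__ == "__main__":
    for finding in audit(sample_capture()):
        print(finding)
```

Only the plaintext HTTP POST and the FTP login are flagged; the TLS packet carries the same login but the audit (like a sniffer) cannot see inside it, and the plain GET carries no credential at all. The same pattern-matching that makes this audit possible is exactly what a sniffer relies on, which is why the defence is to remove the plaintext rather than to hide the network.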
5-Question Check: Technical attacks

1. What is the key difference between a DoS attack and a DDoS attack?
2. An attacker enters ' OR 1=1; -- into a website's username field and gains access without a valid password. What attack is this?
3. Which of the following best defends against SQL injection?
4. Why is encryption particularly important when using public Wi-Fi networks?
5. A brute force attack would take 1 second to crack a 4-digit PIN. How can users most effectively make brute force attacks impractical?

Think deeper

A DDoS attack is described as "sending lots of traffic to a server." Explain in detail how this causes disruption, and why simply blocking individual attacking IP addresses is ineffective against a DDoS attack.

How disruption occurs: Every server has finite resources - a maximum amount of traffic (bandwidth) it can handle, limited processing power, and limited memory. A DDoS attack sends requests at a volume far exceeding these limits. The server must spend all its resources processing the flood of fake requests, leaving nothing available to handle legitimate users. The service becomes unavailable - users receive timeout errors or connection refused messages.

Why blocking IPs is ineffective: A DDoS attack originates from thousands or millions of different devices (a botnet) spread across different countries and ISPs. Each device sends traffic from a different IP address. To block the attack by IP, the target would need to block thousands of different addresses simultaneously - while new ones keep appearing. Additionally, many of the attacking IP addresses belong to innocent devices that have been compromised without their owners' knowledge, so simply blocking them would also block legitimate future traffic from those addresses.
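The "why blocking IPs is ineffective" argument above, and the DoS/DDoS distinction earlier in the lesson, can be checked with a small simulation. The block below is an added example (not code from the original page): it replays two constructed request logs through a per-source fixed-window rate limiter, one of the "traffic filtering, rate limiting" defences the lesson names, and counts how much attack traffic still reaches the server. Both floods contain the same 2000 requests; in the DoS case they come from one address, in the DDoS case from 1000 addresses sending two each. The addresses, limit, window and request counts are assumptions.

```python
from collections import defaultdict

LIMIT = 20     # requests allowed per source address per window (assumed)
WINDOW = 1.0   # window length in seconds (assumed)


def rate_limit(requests, limit=LIMIT, window=WINDOW):
    """Fixed-window counter per source IP. requests: (timestamp, src_ip, kind) tuples
    in time order. Returns (accepted, rejected)."""
    counts = defaultdict(int)
    window_start = {}
    accepted, rejected = [], []
    for ts, ip, kind in requests:
        start = window_start.get(ip)
        if start is None or ts - start >= window:
            window_start[ip] = ts      # open a fresh window for this source
            counts[ip] = 0
        counts[ip] += 1
        (accepted if counts[ip] <= limit else rejected).append((ts, ip, kind))
    return accepted, rejected


def legitimate_traffic(n_users=50):
    """Constructed: 50 real users, one request each, spread over one second."""
    return [(i / n_users, "198.51.100.%d" % i, "legit") for i in range(n_users)]


def single_source_flood(n_attack=2000):
    """DoS: 2000 requests from one attacker address inside one second."""
    return [(i / n_attack, "203.0.113.7", "attack") for i in range(n_attack)]


def distributed_flood(n_bots=1000, per_bot=2):
    """DDoS: the same 2000 requests spread over 1000 bot addresses, two each."""
    total = n_bots * per_bot
    return [((b * per_bot + k) / total, "10.%d.%d.1" % (b >> 8, b & 255), "attack")
            for b in range(n_bots) for k in range(per_bot)]


def served(accepted, kind):
    """Count of requests of the given kind that reached the server after filtering."""
    return sum(1 for _, _, k in accepted if k == kind)


def compare():
    dos = sorted(single_source_flood() + legitimate_traffic())
    ddos = sorted(distributed_flood() + legitimate_traffic())
    dos_acc, _ = rate_limit(dos)
    ddos_acc, _ = rate_limit(ddos)
    return {
        "dos_attack_served": served(dos_acc, "attack"),
        "dos_legit_served": served(dos_acc, "legit"),
        "ddos_attack_served": served(ddos_acc, "attack"),
        "ddos_legit_served": served(ddos_acc, "legit"),
    }


if __name__ == "__main__":
    print(compare())
```

Against the single source the limiter lets through 20 of the 2000 attack requests and all 50 legitimate ones. Against the botnet every bot stays under the per-address limit, so all 2000 attack requests are served and the server is just as overloaded as with no filter at all. Raising the limit lower does not help either: at two requests per source the bots look identical to real users, which is why the lesson points to CDN absorption and upstream blocking at the ISP rather than per-address rules.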
Printable Worksheets

Practice what you have learned

Three levels of worksheet for this lesson. Download, print and complete offline.

Recall - Attack Types: Name and define each attack type. Complete comparison tables for DoS vs DDoS and network vs application attacks.
Apply - Attack Analysis: Analyse attack scenarios, identify the attack type, and select the correct technical defence with justification.
Exam Style - Exam-Style Questions: Extended answer and evaluate questions on SQL injection, denial of service, and network interception attacks.
Teacher Panel
L3: Technical Attacks
Suggested timing
0–5 min: Hook - DDoS scenario discussion
5–15 min: Brute force and dictionary attacks
15–30 min: DoS/DDoS and SQL injection (SQL demo is excellent on board)
30–45 min: Interactive explorer - students choose attack type
45–60 min: Quiz + Think Deeper + worksheets
Learning objectives
1. Explain how brute force and dictionary attacks work
2. Distinguish between DoS and DDoS attacks
3. Explain how SQL injection bypasses authentication
4. Describe packet sniffing and man-in-the-middle attacks
Starter / board demo
The SQL injection demo is highly effective shown on the board. Walk through what happens when the database receives the injected input - draw the query structure on the board. Students are genuinely surprised that a simple text input can bypass authentication. Then ask: "What should the developer have done differently?" to lead into input validation.
Board vocabulary
Brute force attack
Tries every possible password combination using automated software
Dictionary attack
Refined brute force using common words and leaked passwords
DoS attack
Floods a server with traffic from one source to cause disruption
DDoS attack
DoS launched from thousands of devices simultaneously (botnet)
SQL injection
Entering malicious SQL into input fields to manipulate database queries
Packet sniffing
Intercepting and reading unencrypted data packets on a network
Common misconceptions
"DDoS steals data" - it makes services unavailable. It does not extract data.
"A firewall stops SQL injection" - SQL injection is an application-layer attack; the defence is input validation and parameterised queries.
"Brute force tries common passwords" - that's a dictionary attack. Pure brute force tries every possible combination.
Exit tickets
Explain the difference between a DoS attack and a DDoS attack. [2 marks]
Describe how SQL injection works and suggest one way to prevent it. [4 marks]
A user is on public Wi-Fi. Explain why using HTTPS websites reduces the risk of a packet sniffing attack. [3 marks]