Module 10 Quiz


Which of the following is an attack detection technique that monitors the network packet's header information? This technique also determines the increase in the overall number of distinct clusters and activity levels among the network flow clusters.
- Ping of death attack
- Activity profiling
- Wavelet-based signal analysis
- Sequential Change-point detection

Activity profiling

Which of the following statements is not true for a SYN flooding attack?
- Tuning the TCP/IP stack will help reduce the impact of SYN attacks.
- Attacker sends an ACK response to the SYN/ACK from the target server.
- Attacker sends a TCP SYN request with a spoofed source address to the target server.
- In a SYN attack, the attacker exploits the three-way handshake method.

Attacker sends an ACK response to the SYN/ACK from the target server. Explanation: In a SYN attack, the attacker exploits the three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server, and when the server sends back a SYN/ACK in response to the client (attacker) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.

Which of the following techniques can be used to prevent a botnet attack?
- Black hole filtering
- Physical security
- Information gathering
- Port scanning

Black hole filtering Explanation: Black hole filtering is used to discard packets at the routing level, especially suspicious malicious packets such as DDoS traffic. Port scanning cannot prevent a botnet attack. Information gathering is part of footprinting and cannot prevent a botnet attack. Physical security cannot prevent botnet attacks.

Ivan works as a security consultant at "Ask Us Intl." One of his clients is under a large-scale protocol-based DDoS attack, and they have to decide how to deal with this issue. They have some DDoS appliances that are currently not configured. They also have a good communication channel with providers, and some of the providers have fast network connections. In an ideal scenario, what would be the best option to deal with this attack? Bear in mind that this is a protocol-based DDoS attack with at least 10 000 bots sending the traffic from the entire globe!
- Filter the traffic at the company Internet facing routers
- Absorb the attack at the provider level
- Block the traffic at the provider level
- Absorb the attack at the client site

Block the traffic at the provider level

When a client's computer is infected with malicious software which connects to the remote computer to receive commands, the client's computer is called a ___________
- Client
- Bot
- Botnet
- Command and Control (C&C)

Bot

When a client's computer is infected with malicious software which connects to the remote computer to receive commands, the network created with infected computers is called ___________
- C&C
- Bot Area Network (BAN)
- Botnet
- Bot

Botnet

Mike works for a company "Fourth Rose Intl." as the sales manager. He was sent to Las Vegas on a business trip to meet his clients. After the successful completion of his meeting, Mike went back to his hotel room, connected to the hotel Wi-Fi network and attended his other scheduled online client meetings through his laptop. After returning to his office headquarters, Mike connects his laptop to the office Wi-Fi network and continues his work; however, he observes that his laptop starts to behave strangely. It regularly slows down, blue-screens from time to time and reboots without any apparent reason. He raised the issue with his system administrator. Some days later, the system administrator in Mike's company observed the same issue on various other computers in his organization. Meanwhile, he also observed that large amounts of unauthorized traffic from various IP addresses of "Fourth Rose Intl." were directed toward the organizational web server. The security division of the company analyzed the network traces and identified that Mike's laptop's IP address had authorized and initiated other computers in the network to perform DDoS abuse against the organizational web server. They further identified a malicious executable backdoor file on Mike's laptop that connects to a remote anonymous computer. This remote computer is responsible for sending commands to Mike's laptop in order to initiate and execute a DDoS attack against the organizational web server. In this case, Mike's laptop was part of the _________?
- Bot attack
- IRC attack
- Botnet attack
- Command-and-control (C&C) center

Botnet attack

When a client's computer is infected with malicious software which connects to the remote computer to receive commands, the remote computer is called ___________
- Server
- C&C
- Botnet
- Bot

C&C Explanation: The answer is C&C, which instructs the bot what to do. When a client's computer is infected with malicious software which connects to the remote computer to receive commands, the remote computer is called the C&C. Bot and botnet respectively denote the infected computer and the network of infected computers managed by the C&C; "server" is not used in this terminology.

In which of the following attacks does the attacker spoof the source IP address with the victim's IP address and send a large number of ICMP ECHO request packets to an IP broadcast network?
- Smurf attack
- Ping of death attack
- SYN flood attack
- UDP flood attack

Smurf attack

Smith, a network security administrator, is configuring routers in his organization to protect the network from DoS attacks. Which router feature can he use to prevent SYN flooding effectively?
- Egress Filtering
- TCP Intercept
- MAC Address Filtering
- Ingress Filtering

TCP Intercept

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the transmission control protocol (TCP) or Internet protocol (IP) stack?
- Teardrop attack
- Ping of death attack
- Smurf attack
- SYN flood attack

Teardrop attack

Ivan works as a security consultant at "Ask Us Intl." One of his clients is under a large-scale application layer-based DDoS attack, and they have to decide how to deal with this issue. The web application under attack is used to submit user-filled forms and save the data in a MySQL database. Since the DDoS is abusing the POST functionality, not only the web application and web server are in a DDoS condition, but the MySQL database is also in a DDoS condition. They have some DDoS appliances that are currently not configured. They also have a good communication channel with providers, and some of the providers have fast network connections. In an ideal scenario, what would be the best option to deal with this attack? Bear in mind that this is an application layer-based DDoS attack which sends at least 1000 malicious POST requests per second spread across the entire globe!
- Absorb the attack at the provider level
- Use CAPTCHA
- Absorb the attack at the client site
- Filter the traffic at the company Internet facing routers

Use CAPTCHA

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that large amounts of UDP packets are being sent to the organizational servers that are present behind the "Internet facing firewall." What type of DDoS attack is this?
- Protocol attack
- Volume (volumetric) attack
- SYN flood attack
- Application layer attack

Volume (volumetric) attack

Which of the following DoS attack detection techniques analyzes network traffic in terms of spectral components? It divides incoming signals into various frequencies and examines different frequency components separately.
- Change-point Detection
- Activity Profiling
- Wavelet-based Signal Analysis
- Signature-based Analysis

Wavelet-based Signal Analysis

A systems administrator in a small company named "We are Secure Ltd." has a problem with their Internet connection. The following are the symptoms: the speed of the Internet connection is slow (so slow that it is unusable). The router connecting the company to the Internet is accessible and it is showing a large amount of SYN packets flowing from one single IP address. The company's Internet speed is only 5 Mbps, which is usually enough during normal working hours. What type of attack is this?
- MitM
- DDoS
- DRDoS
- DoS

DoS

Marko is attacking John's computer with a custom-made application that is sending a specially crafted packet to John's computer, after which John's computer shows a blue screen. Marko repeats this process every 3 seconds. John's computer is now under constant blue screen and reboots over and over again. This is an example of ____________.
- SYN flood attack
- DoS attack
- DDoS attack
- Ping of death attack

DoS attack

The systems administrator in a company named "We are Secure Ltd." has encountered a problem where he suspects the possibility of a cyber attack on his company's router. He observed that a vast amount of network traffic is directed toward the network router, causing router CPU utilization to reach 100% and making it non-functional for legitimate users. What kind of attack is this?
- Buffer overflow (BoF) attack
- SQL injection (SQLi) attack
- MitM attack
- DoS attack

DoS attack

Gordon was not happy with the product that he ordered from an online retailer. He tried to contact the seller's post-purchase service desk, but they denied any help in this matter. Therefore, Gordon wants to avenge this by damaging the retailer's services. He uses a utility named High Orbit Ion Cannon (HOIC), which he downloads from an underground site, to flood the retailer's system with requests so that the retailer's site is unable to handle any further requests, even purchase requests from legitimate users. What type of attack is Gordon using?
- Gordon is using a denial-of-service attack.
- Gordon is using poorly designed input validation routines to create and/or alter commands so that he gains access to secure data and executes commands.
- Gordon is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege.
- Gordon is executing commands or viewing data outside the intended target path.

Gordon is using a denial-of-service attack. Explanation: DoS and distributed denial-of-service (DDoS) attacks have become a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. In a DoS attack, an attacker overloads a system's resources, thereby bringing the system down or at least significantly slowing the system's performance. The goal of a DoS attack is not to gain unauthorized access to a system or to corrupt data; it is to keep away legitimate users from using the system. HOIC is an open-source network stress testing and DoS attack application written in BASIC and designed to attack as many as 256 URLs at the same time.

Don Parker, a security analyst, is hired to perform a DoS test on a company. Which of the following tools can he successfully utilize to perform this task?
- Cain and Abel
- Recon-ng
- Hping3
- N-Stalker

Hping3

The DDoS tool used by Anonymous in the so-called Operation Payback is called _______
- LOIC
- Dereil
- HOIC
- BanglaDOS

LOIC

A company called "We are Secure Ltd." has a router that has eight I/O ports, of which port one is connected to the WAN and the other seven ports are connected to various internal networks. The network administrator has observed malicious DoS activity against the router through one of the eight networks. The DoS attack drives CPU utilization to 100% and shuts down the Internet connection. The systems administrator tried to troubleshoot the router by disconnecting ports one by one in order to identify the source network of the DoS attack. After disconnecting port number 6, the CPU utilization normalized and the Internet connection resumed. With this information, the system administrator came to the conclusion that the source of the attack was the _______________ network.
- Wide Area Network (WAN)
- Local Area network (LAN)
- Campus Area Network (CAN)
- Metropolitan Area Network (MAN)

Local Area network (LAN)

Sarah is facing one of the biggest challenges in her career—she has to design the early warning DDoS detection techniques for her employer. She starts with the network analysis and detection of an increase in activity levels and analyzing the network flows (focusing on the network's packet header information). Her idea is to try to spot an increase in specific traffic which is above the normal traffic rate for this specific network flow. Which DDoS detection technique is she trying to implement?
- Activity profiling
- NetFlow detection
- Wavelet-based signal analysis
- Change-point detection

Activity profiling Explanation: The correct answer is "Activity profiling," since the technique that Sarah is trying to implement is to monitor the network packet header information and identify any increase in traffic. The higher a flow's average packet rate or activity level, the less time there is between consecutive matching packets. Randomness in average packet rate or activity level can indicate suspicious activity. The entropy calculation method of activity profiling measures randomness in activity levels. If the network is under attack, entropy of network activity levels will increase. Change-point detection technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate versus time. The wavelet analysis technique analyzes network traffic in terms of spectral components. It divides incoming signals into various frequencies and analyzes different frequency components separately. Analyzing each spectral window's energy determines the presence of anomalies. NetFlow detection could be a part of activity profiling, but it is not used as a self-contained DDoS detection technique.

Which of the following volumetric attack techniques transfers messages to the broadcast IP address in order to increase the traffic toward a victim system and consume its entire bandwidth?
- Application layer attacks
- Protocol attack
- Amplification attack
- Flood attack

Amplification attack

Which of the following is considered to be a smurf attack?
- An attacker sends a large amount of ICMP traffic with a spoofed source IP address.
- An attacker sends a large number of TCP/user datagram protocol (UDP) connection requests.
- An attacker sends a large number of TCP connection requests with a spoofed source IP address.
- An attacker sends a large amount of TCP traffic with a spoofed source IP address.

An attacker sends a large amount of ICMP traffic with a spoofed source IP address.

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that a large number of HTTP POST requests are being sent to the web servers behind the WAF. The traffic is not legitimate, since the web application requires a workflow to be finished in order to send the data with the POST request, and this workflow data is missing. What type of DDoS attack is this?
- SYN flood attack
- Application layer attack
- Volume (volumetric) attack
- Protocol attack

Application layer attack Explanation: The answer is application layer DDoS attack, which includes GET/POST floods, attacks that target web server, application or OS vulnerabilities, Slowloris, and so on. It is not a volume-based attack, which includes UDP floods, ICMP floods, and other spoofed-packet floods. It is not a protocol attack, which includes SYN floods, fragmented packet attacks, ping of death, smurf DDoS, teardrop, land attack, and so on. It is not a SYN flood, since SYN flooding is part of the protocol attack category.

Bob is trying to access his friend Jason's email account without his knowledge. He guesses and tries random passwords to log into the email account, resulting in the lockdown of the email account for the next 24 hours. Now, if Jason tries to access his account even with his genuine password, he cannot access the email account for the next 24 hours. How can you categorize this DoS?
- Permanent Denial-of-Service (PDoS) attack
- Bandwidth attack
- Application-level attack
- Peer-to-Peer attack

Application-level attack Explanation: Application-level flood attacks result in the loss of services of a particular network resource. Examples include email, network resources, temporary ceasing of applications and services, and so on. By using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests. In this type of attack, an attacker tries to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Using application-level flood attacks, attackers attempt to:
- Flood web applications to legitimate user traffic
- Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts
- Jam the application database connection by crafting malicious SQL queries

The DDoS tool created by Anonymous sends junk HTTP GET and POST requests to flood the target; the second version of the tool (the first version had a different name), which was used in the so-called Operation Megaupload, is called _______.
- Dereil
- Pandora DDoS
- HOIC
- BanglaDOS

HOIC

During the penetration testing of the MyBank public website, Marin discovered a credit/interest calculator running on the server side, which calculates a credit return plan. The application accepts the following parameters: amount=100000&duration=10&scale=month. Assuming that the parameter amount is the amount of credit for which the user is calculating the interest and credit return plan (in this case 100,000 USD), the parameter duration is the timeframe over which the credit will be paid off, and scale defines how often the credit rate will be paid (year, month, day, ...), how can Marin proceed with testing whether this web application is vulnerable to DoS?
- Change the parameter duration to a large number and change the scale value to "day", and resend the packet a few times to observe the delay.
- Leave the parameter duration as is and change the scale value to "year", and resend the packet a few times to observe the delay.
- Change the parameter duration to a small number and leave the scale value on "month", and resend the packet a few times to observe the delay.
- Change the parameter duration to a small number and change the scale value to "day", and resend the packet a few times to observe the delay.

Change the parameter duration to a large number and change the scale value to "day", and resend the packet a few times to observe the delay.

Jacob Hacker is a disgruntled employee and is fired from his position as a network engineer. He downloads a program outside the company that transmits a very small packet to his former company's router, thus overloading the router and causing lengthy delays in the operational service of his former company. He loads the program on a bunch of computers at several public libraries and executes them. What type of attack is this?
- HTTP response-splitting attack
- Man-in-the-middle attack
- DDoS attack
- SSH Brute-Force attack

DDoS attack

A systems administrator in a small company named "We are Secure Ltd." has a problem with their Internet connection. The following are the symptoms: the speed of the Internet connection is slow (so slow that it is unusable). The router connecting the company to the Internet is accessible and it is showing a large amount of router solicitation messages from neighboring routers, even though the router is not supposed to receive any of these messages. What type of attack is this?
- MitM (Man in the Middle)
- DDoS (Distributed Denial of Service)
- DoS (Denial of Service)
- DRDoS (Distributed Reflected Denial of Service)

DRDoS (Distributed Reflected Denial of Service)

What is the DoS/DDoS countermeasure strategy to at least keep the critical services functional?
- Absorbing the attack
- Shutting down the services
- Degrading services
- Deflecting attacks

Degrading services

John's company is facing a DDoS attack. While analyzing the attack, John has learned that the attack is originating from the entire globe, and filtering the traffic at the Internet Service Provider's (ISP) level is an impossible task. After a while, John observed that his personal computer at home was also compromised, similar to the company's computers. He observed that his computer is sending large amounts of UDP data directed toward his company's public IPs. John takes his personal computer to work and starts a forensic investigation. Two hours later, he learns crucial information: the infected computer is connecting to the C&C server, and unfortunately, the communication between the C&C and the infected computer is encrypted. Therefore, John intentionally lets the infection spread to another machine in his company's secure network, where he can observe and record all the traffic between the bot software and the botnet. After thorough analysis he discovers an interesting thing: the initial infection process downloaded the malware from an FTP server, with the username and password in cleartext. John connects to the FTP server and finds the botnet software, including the C&C, on it, with the username and password for the C&C in a configuration file. What can John do with this information?
- Neutralize handlers
- Deflect the attack
- Protect Secondary Victims
- Mitigate the attack

Neutralize handlers

Paul has been contracted to test a network, and he intends to test for any DoS vulnerabilities of the network servers. Which of the following automated tools can be used to discover systems that are vulnerable to DoS?
- Netcraft
- Nmap
- John the Ripper
- Cain and Abel

Nmap

Bob is frustrated with his competitor, Brownies Inc., and he decides to launch an attack that would result in severe financial losses to his competitor. He plans and executes his attack carefully at an appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their primary financial transaction server had been attacked. As a result, one of their pieces of network hardware is rendered unusable, and he needs to replace or reinstall it to resume services. This process involves human interaction to fix it. What kind of DoS attack has been best illustrated in the aforementioned scenario?
- Application-level flood attack
- Bandwidth attack
- PDoS attack
- Peer-to-Peer attack

PDoS attack

Identify the DoS attack that does not use botnets. Instead, the attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients.
- Bandwidth attack
- Service request flood attack
- DRDoS attack
- Peer-to-peer attack

Peer-to-peer attack

Which of the following is NOT a type of DDoS attack?
- Protocol attack
- Volume (volumetric) attack
- Phishing attack
- Application layer attack

Phishing attack

Identify the type of DoS attack where an attacker sends e-mails, Internet relay chat (IRC) messages, tweets, and video posts with fraudulent content about hardware updates to the victim, with the intent of modifying and corrupting the updates with vulnerabilities or defective firmware.
- SYN flooding attack
- Phlashing attack
- Ping of death attack
- Internet control message protocol (ICMP) flood attack

Phlashing attack

John's company is facing a DDoS attack. While analyzing the attack, John has learned that the attack is originating from the entire globe, and filtering the traffic at the Internet Service Provider's (ISP) level is an impossible task. After a while, John observed that his personal computer at home was also compromised, similar to the company's computers. He observed that his computer is sending large amounts of UDP data directed toward his company's public IPs. John takes his personal computer to work and starts a forensic investigation. Two hours later, he learns crucial information: the infected computer is connecting to the C&C server, and unfortunately, the communication between the C&C and the infected computer is encrypted. Therefore, John intentionally lets the infection spread to another machine in his company's secure network, where he can observe and record all the traffic between the bot software and the botnet. After thorough analysis he discovers an interesting thing: the initial infection process downloaded the malware from an FTP server, with the username and password in cleartext. John connects to the FTP server and finds the botnet software, including the C&C, on it, with the username and password for the C&C in a configuration file. After successfully stopping the attack against his network, John connects to the C&C again, dumps all the IPs the C&C is managing, and sends this information to the national CERT. What is John trying to do?
- Mitigate the attack
- Protect secondary victims
- Deflect the attack
- Neutralize handlers

Protect secondary victims Explanation: The correct answer is "Protecting secondary victims" because the CERT will try to inform all the infected computer owners (or at least their providers) that their computers are infected. If the IP in question is not in this CERT's jurisdiction, they will send the information to the CERT "in charge" of this IP address range. Not all the users will be directly contacted, but ISPs could block specific traffic flowing from infected computers. John is not trying to neutralize handlers, he already did that by stopping the attack, and he is not trying to deflect or mitigate the attack.

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that a large amount of fragmented packets are being sent to the servers present behind the "Internet facing firewall." What type of DDoS attack is this?
- SYN flood attack
- Volume (volumetric) attack
- Application layer attack
- Protocol attack

Protocol attack

What is the goal of a DDoS attack?
- Capture files from a remote computer
- Exploit a weakness in the TCP stack
- Render a network or computer incapable of providing normal service
- Create bugs in web applications

Render a network or computer incapable of providing normal service

Sarah is facing one of the biggest challenges in her career—she has to design the early warning DDoS detection techniques for her employer. She starts developing a detection technique which uses signal analysis to detect anomalies. The technique she is employing analyzes network traffic in terms of spectral components, where she divides the incoming signals into various frequencies and analyzes the different frequency components separately. Which DDoS detection technique is she trying to implement?
- NetFlow detection
- Change-point detection
- Wavelet-based signal analysis
- Activity profiling

Wavelet-based signal analysis Explanation: The correct answer is "Wavelet-based signal analysis" because this technique divides the signal into spectral components and analyzes them. The wavelet analysis technique analyzes network traffic in terms of spectral components. It divides incoming signals into various frequencies and analyzes different frequency components separately. Analyzing each spectral window's energy determines the presence of anomalies. These techniques check the frequency components present at a specific time and provide a description of those components. The presence of an unfamiliar frequency indicates suspicious network activity. It is not the activity profiling technique, since that technique monitors the network's packet header information and identifies an increase in a specific type of traffic. The change-point detection technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate versus time. NetFlow detection could be a part of activity profiling, but it is not used as a self-contained DDoS detection technique.
