MIS4800 CH. 4 Denial of Service
A. Denial of Service
What is one of the most common and simplest attacks on a system? A. Denial of Service B. Buffer overflow C. Session hacking D. Password cracking
B. Computers can only handle a finite load.
What is the basic mechanism behind a DoS attack? A. Computers don't handle TCP packets well. B. Computers can only handle a finite load. C. Computers cannot handle large volumes of TCP traffic. D. Computers cannot handle large loads
A. Distributed denial of service
What is the most common class of DoS attacks? A. Distributed denial of service B. Smurf attacks C. SYN floods D. Ping of death
D. The attack must be sustained.
What is the most significant weakness in a DoS attack from the attacker's viewpoint? A. The attack is often unsuccessful. B. The attack is difficult to execute. C. The attack is easy to stop. D. The attack must be sustained.
A. Ping of death
What type of attack is dependent on sending packets too large for the server to handle? A. Ping of death B. Smurf attack C. Slammer attack D. DDoS
D. DDoS
What type of attack uses Internet routers to perform a DoS on the target? A. Ping of death B. Smurf attack C. Slammer attack D. DDoS
A. Stack tweaking
What type of defense depends on changing the server so that unfinished handshaking times out sooner? A. Stack tweaking B. RST cookies C. SYN cookies D. Hash tweaking
C. SYN cookies
What type of defense depends on sending the client an incorrect SYNACK? A. Stack tweaking B. RST cookies C. SYN cookies D. Hash tweaking
C. Smurf attack
Which attack mentioned in this chapter causes a network to perform a DoS on one of its own servers? A. SYN flood B. Ping of death C. Smurf attack D. DDoS
A. MyDoom virus
Which of the following is an example of a DDoS attack? A. MyDoom virus B. Bagle virus C. DoS virus D. Smurf virus
C. Maximum voltage
Which of the following is not a valid way to define a computer's workload? A. Number of simultaneous users B. Storage capacity C. Maximum voltage D. Speed of network connection
A. MyDoom virus
Which of the following was rated by many experts to be the fastest growing virus on the Internet? A. MyDoom virus B. Bagle virus C. Slammer virus D. Smurf virus
MyDoom
An DDoS attack on SCO which used between 500,000 to 1,000,000 infected machines. A response to SCO demanding license fees on what seemed to be parts of SCO UNIX in other distributions of UNIX.
Denial of Service (DOS) Attack
An attack that seeks to prevent legitimate users from accessing a system by overloading the system with illegitimate requests.
Low Orbit Ion Cannon (LOIC)
Application used to launch a DoS attack. Very easy to use.
Teardrop Attack
Attacker sends two fragments of a message that overlap in such a way that when reconstructed, the header is destroyed. When the victim attempts to reconstruct the message it is destroyed and crashes or halts the system.
TCP SYN Flood Attack
Attempts to flood a system with TCP packets with synchronize set.
Stacheldraht
German for "Barbed Wire." It combines elements from multiple well known DDoS tools into one package that performs a variety of attacks such as: UDP Flood, ICMP Flood, TCP SYN Flood, Smurf attacks.
D. It will prevent an attack from propagating across network segments.
How can securing internal routers help protect against DoS attacks? A. Attacks cannot occur if your internal router is secured. B. Because attacks originate outside your network, securing internal routers cannot help protect you against DoS. C. Securing the router will only stop router-based DoS attacks. D. It will prevent an attack from propagating across network segments.
XOIC
Similar to LOIC, it also allows the user to launch DoS attacks.
Smurf IP Attack
A DoS attack that sends out an ICMP echo packet to an intermediary's IP broadcast addresses which will echo it out to the other machines in the system in order to congest the network the target machine is on and ultimately deny legitimate requests.
UDP Flood Attack
A UDP packet is sent to a port that is not running anything, generating an ICMP packet of "destination is unreachable." Using many UDP packets can slow the system down (it has to determine the proper application, which does not exist).
D. Hash tweaking
A defense that depends on a hash encryption being sent back to the requesting client is called what? A. Stack tweaking B. RST cookies C. SYN cookies D. Hash tweaking
Stack Teaking
A way to defend against TCP SYN flood attacks. Alters the TCP stack in order to time out incomplete SYN requests quickly.
Micro Blocks
A way to defend against TCP SYN flood attacks. It attempts to limit the effects of the attack by allocating very little space to requests (as opposed to a full connection).
SYN Cookies
A way to defend against TCP SYN flood attacks. It sends a cookie with its SYN+ACK packet and if a matching cookie is returned with ACK packet from the client, it will establish a complete connection. NOTE: the system does not fully allocate memory until the third step of the TCP handshake.
RST Cookies
A way to defend against TCP SYN flood attacks. The server sends back an incorrect SYN+ACK packet back to client. If the client is legitimate, they should respond with a RST (reset) packet and can continue connecting.
C. SYN flood attack
Leaving a connection half open is referred to as what? A. Smurf attack B. Partial attack C. SYN flood attack D. DDoS attack
Land Attack
Not applicable to modern computers, attempts to crash the system by having it send messages to and from itself.
Distributed Denial of Service (DDoS) Attack
Same principal as a DoS attack, just executed with multiple attackers. It is popular to use botnets in order to carry out such a thing.
Ping of Death
Sending a very large packet that the target cannot handle.
ICMP Flood Attack
Two types: flood, nuke. Flood: large number of pings or UDP packets. Nuke: exploits bugs in the O.S. (sends a packet the O.S. cannot handle).
TFN2K
Used to launch DoS attacks. Can be used to instruct agent machines to flood a target. Harder to counteract due to some security measures such as: master IP spoofing, encryption of master-agent contact, communications and attacks can be randomly sent via TCP, UDP, and ICMP packets.
A. SYN cookies, RST cookies, and stack tweaking
What are three methods for protecting against SYN flood attacks? A. SYN cookies, RST cookies, and stack tweaking B. SYN cookies, DoS cookies, and stack tweaking C. DoS cookies, RST cookies, and stack deletion D. DoS cookies, SYN cookies, and stack deletion
D. Disallow all traffic that comes from untrusted sources
What can you do to your internal network routers to help defend against DoS attacks? A. Disallow all traffic that is not encrypted B. Disallow all traffic that comes from outside the network C. Disallow all traffic that comes from inside the network D. Disallow all traffic that comes from untrusted sources
D. Block all incoming ICMP packets
What can you do with your firewall to defend against DoS attacks? A. Block all incoming traffic B. Block all incoming TCP packets C. Block all incoming traffic on port 80 D. Block all incoming ICMP packets
D. DDoS attack
What do you call a DoS launched from several machines simultaneously? A. Wide-area attack B. Smurf attack C. SYN flood D. DDoS attack
A. Because many denial of service attacks are conducted by using a Trojan horse to get an unsuspecting machine to execute the DoS
Why will protecting against Trojan horse attacks reduce DoS attacks? A. Because many denial of service attacks are conducted by using a Trojan horse to get an unsuspecting machine to execute the DoS B. Because if you can stop a Trojan horse attack, you will also stop DoS attacks C. Because a Trojan horse will often open ports allowing a DoS attack D. Because a Trojan horse attacks in much the same way as a DoS attack