CS6035 - Final


What are some ways to prevent SYN spoofing attacks? A. Use SYN cookies B. Modify the size of the TCP connections table or timeout period C. Impose rate limits on network links D. Use selective or random dropping of TCP table entries E. All of the above F. None of the above

E

True or False: Slowloris uses a ping flood via ICMP echo request packets.

False. That is the smurf attack. Slowloris exploits servers that use multiple threads by sending many incomplete connections (omitting the terminating newline sequence) to a server.

True or False: The best defense against a reflection attack is to not allow directed broadcasts to be routed into a network.

False. The description is the best defense for an amplification attack. To defend against a reflection attack, use filtering to block spoofed-source packets.

What are the 6 steps of intruder behavior?

1) Target Acquisition & Info Gathering 2) Initial Access 3) Privilege Escalation 4) Info Gathering & System Exploit 5) Maintain Access 6) Cover Tracks

What is a poison packet? A. A packet that triggers a bug in the network software and makes it crash. B. A packet that contains the signature of a virus. C. A packet that infects other packets in the network buffer. D. A packet that redirects other packets to a malicious target.

A

Block Cipher vs. Stream Cipher

A block cipher takes as input a plaintext in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block. To process a longer plaintext, we first break the plaintext into a series of fixed-size blocks and then apply the block cipher to each block. A stream cipher, on the other hand, is the type of encryption where the plaintext is converted one byte at a time.

What is a high interaction honeypot?

A high interaction honeypot essentially replicates what a real server or workstation has in terms of operating system, services and applications. In other words, it looks very realistic and can be deployed alongside the real servers and workstations. Since a high interaction honeypot mimics a real server or workstation, an attacker may attack it for a long time without knowing it is a honeypot.

If an attacker directs a large number of forged requests to a server, what type of attack is being made? A. Slowloris B. Source address spoofing C. SYN spoofing D. Reflector E. Amplifier

C

What is a low interaction honeypot?

A low interaction honeypot typically emulates some network services, such as a web server, but it is not a full version of the service. A low interaction honeypot is typically sufficient to detect network scans, probes and imminent attacks. On the other hand, a sophisticated attacker may realize that these services are not full versions and probably are not real.

Anomaly Detection vs. Misuse / Signature Detection

Anomaly Detection - Based on data of normal behavior from legitimate users collected over a period of time - Current behavior is analyzed to determine if activity is malicious (not normal). Misuse / Signature Detection - Based on known malicious data which defines patterns or attack rules - Can identify only known attacks.

What is asymmetric encryption?

Asymmetric encryption uses a pair of keys: one is used for encryption and the other is used for decryption. The two keys are mathematically paired together. That is, if you use a key for encryption, only the corresponding paired key can decrypt the message.

SYN spoofing attack targets ___. A. Email service B. TCP connections table C. DNS service D. None of the above

B

What is the difference between a TCP SYN flood attack and a SYN spoofing attack? A. There is no difference, they are synonymous. B. The difference is in the volume of packets. C. SYN spoofing works with UDP only. D. TCP SYN flood attacks don't use spoofed source addresses.

B. TCP SYN flood attacks may or may not use spoofed addresses, but the difference is in the volume of packets sent, meant to overwhelm the server. The SYN spoofing attack is meant to overwhelm the server in sending SYN-ACK messages to spoofed (preferably not invalid) addresses.

True or False: A characteristic of reflection attacks is the lack of backscatter traffic.

True

What is a cyber slam? A. A cyber slam is a made-up term. B. Another name for a DDoS attack. C. A firewall packet strategy that helps to thwart a DoS or DDoS attack. D. A large number of queries that severely load a server.

D

What type of attack is based on sending a large number of INVITE requests with spoofed IP addresses to a server? A. Reflection attack B. Smurf attack C. Slashdot attack D. SIP flood attack

D

What is a honeypot?

Honeypots are decoy systems that attract attackers away from critical systems. By diverting attackers from valuable systems to honeypots, we can observe what the attackers are trying to do to our systems and networks, and based on that information we can develop strategies to respond to the attacks.

What is Kerberos?

Kerberos is a standard protocol used to provide authentication and access control in a network environment, typically an enterprise network. Every entity in the network, that is, every user and every network resource such as workstations and printers, has a master key that it shares with the Kerberos servers. The Kerberos servers perform both authentication and key distribution.

True or False: ICMP flood attacks remain common because some ICMP packets are critical to normal network behavior and cannot be filtered.

True

What is symmetric encryption?

The same key is used for both encryption and decryption. The input is a plaintext message. The encryption algorithm takes the plaintext input along with the encryption key and processes the plaintext using substitution and permutation to produce ciphertext. The decryption algorithm performs the reverse of the encryption process: it takes as input the ciphertext and the key, which is the same one that was used for encryption, and it produces the original plaintext.
