6.9 Denial-of-Service Attacks


The information below is from Wireshark. Which kind of attack is occurring? A DDoS attack

A DDoS attack. The Wireshark capture shows a DDoS attack: multiple hosts (192.168.122.172 and 192.168.122.135) are sending a high volume of TCP connections within a very short timeframe (4.404 seconds). It is a distributed denial-of-service attack because the traffic comes from multiple sources rather than a single one.

Your Intrusion Detection System (IDS) doesn't seem to be listing any new security attacks on your network. Which of the following DDoS attack methods is MOST likely being used? Application Layer DDoS attack.

Application Layer DDoS attack. Application Layer DDoS attacks are often more subtle and harder to detect with traditional IDS because they target specific application functions rather than overwhelming the network or transport layer.

You discover that your web server is receiving a large number of HTTP requests, causing it to repeatedly load a web page. Which of the following DDoS attack methods does this fall under? Application layer DDoS

Application layer DDoS. An application layer DDoS aims to exhaust the target's resources by overloading a specific program or service: an attacker sends a large number of HTTP requests to a web server, causing it to repeatedly load a web page. This takes little effort on the attacker's end but quickly overwhelms the web server as it repeatedly loads the page's media files, including images, audio, and video.

A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding? Configure the router to limit the amount of traffic coming from the attacker's IP address.

Configure the router to limit the amount of traffic coming from the attacker's IP address. The security analyst should configure the router to limit the amount of traffic coming from the attacker's IP address. This prevents the attacker from overwhelming the company's server with traffic.

Which of the following attacks sends fragmented packets that exceed 65,535 bytes and cause a buffer overflow and system crash when reassembled? Ping of Death attack.

Ping of Death attack. The Ping of Death involves sending malformed or oversized packets, typically exceeding the maximum allowed size, which can overflow the buffer and potentially crash or destabilize the target system upon reassembly.

An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this? Smurf DDoS attack.

Smurf DDoS attack. A Smurf attack exploits the Internet Control Message Protocol (ICMP) by sending ICMP echo request packets with the spoofed IP address of the target to a broadcast address. This causes multiple devices on the network to respond to the target's IP address with ICMP echo replies, overwhelming the target and potentially disabling it.

DDoS attacks are successful when they use all available bandwidth. What is the method an attacker normally uses to consume all available bandwidth to a targeted server? Spoofing a target IP address by opening connections with multiple servers, then directing all SYN/ACK responses to the target server.

Spoofing a target IP address by opening connections with multiple servers, then directing all SYN/ACK responses to the target server. In a DDoS attack, an attacker normally consumes all available bandwidth to a targeted server by spoofing the target's IP address and opening connections with multiple servers. With every SYN/ACK response directed at the target server, it quickly runs out of bandwidth.

You are currently attempting to establish a baseline of regular network traffic to detect potential DDoS attacks. At the moment, you are choosing a representative period for data collection. Which step in establishing a baseline are you currently working on? Step 1: Choose a representative period for data collection. This period should capture the network's standard activity during normal business hours, weekends, and other regular events that influence network load.

The following are the steps (in order) for establishing a baseline of regular network traffic for detecting potential DDoS attacks:

Step 1: Choose a representative period for data collection. This period should capture the network's standard activity during normal business hours, weekends, and other regular events that influence network load.

Step 2: Track numerous parameters, such as the number of packets sent and received, the number of unique connections, bandwidth usage, and other metrics that reflect the network's regular operation. It is essential to consider peak and off-peak times to account for the network's full range of activity.

Step 3: Analyze the data to identify typical patterns and levels of network traffic. This establishes the "normal" baseline against which future traffic can be compared.

There is no Step 4 in the process of establishing a baseline of regular network traffic for detecting potential DDoS attacks.

Which of the following BEST describes a DoS fragmentation attack? An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.

An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources. In a DoS fragmentation attack, the attacker sends fragmented packets that are larger than the Maximum Transmission Unit (MTU), causing the target system to expend excessive resources attempting to reassemble the fragmented data. This can lead to system slowdowns or crashes, effectively denying service to legitimate users.

It is important to be prepared for a DoS attack, as these attacks are becoming more common. Which of the following BEST describes the response you should take for a service degradation? Set services to throttle or shut down.

Set services to throttle or shut down. To respond to a service degradation, services can be set to throttle or even shut down in the event of an attack.
