Denial-of-Service


Which of the following DoS/DDoS countermeasure strategies can you implement using a honeypot?
Deflecting attacks
Absorbing attacks
Mitigating attacks
Degrading services

Deflecting attacks

What is the DoS/DDoS countermeasure strategy to at least keep the critical services functional?

Degrading services

A systems administrator in a small company named "We are Secure Ltd." has a problem with their Internet connection. The symptoms are as follows: the speed of the Internet connection is slow (so slow that it is unusable). The router connecting the company to the Internet is accessible and is showing a large number of SYN packets flowing from one single IP address. The company's Internet speed is only 5 Mbps, which is usually enough during normal working hours. What type of attack is this?
DoS
DDoS
DRDoS
MitM

DoS

The DDoS tool created by Anonymous sends junk HTTP GET and POST requests to flood the target. The second version of the tool (the first version had a different name), which was used in the so-called Operation Megaupload, is called _______.
HOIC
BanglaDOS
Dereil
Pandora DDoS

HOIC

Don Parker, a security analyst, is hired to perform a DoS test on a company. Which of the following tools can he successfully utilize to perform this task?
Hping3
Cain and Abel
Recon-ng
N-Stalker

Hping3

Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the Transmission Control Protocol (TCP) or Internet Protocol (IP) stack?
Teardrop attack
SYN flood attack
Smurf attack
Ping of death attack

Teardrop attack

Sarah is facing one of the biggest challenges in her career—she has to design the early warning DDoS detection techniques for her employer. She starts with network analysis and detection of an increase in activity levels, analyzing the network flows (focusing on the network's packet header information). Her idea is to spot an increase in specific traffic that is above the normal traffic rate for this specific network flow. Which DDoS detection technique is she trying to implement?
Activity profiling
Change-point detection
Wavelet-based signal analysis
NetFlow detection

Activity profiling

Which of the following is an attack detection technique that monitors the network packets' header information? This technique also detects an increase in the overall number of distinct clusters and in the activity levels among the network flow clusters.
Activity profiling
Wavelet-based signal analysis
Sequential Change-point detection
Ping of death attack

Activity profiling

Which of the following volumetric attack techniques sends messages to the broadcast IP address in order to increase the traffic toward a victim system and consume its entire bandwidth?
Amplification attack
Flood attack
Protocol attack
Application layer attacks

Amplification attack

Which of the following is considered to be a smurf attack?
An attacker sends a large amount of ICMP traffic with a spoofed source IP address.
An attacker sends a large amount of TCP traffic with a spoofed source IP address.
An attacker sends a large number of TCP connection requests with a spoofed source IP address.
An attacker sends a large number of TCP/User Datagram Protocol (UDP) connection requests.

An attacker sends a large amount of ICMP traffic with a spoofed source IP address.

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that a large number of HTTP POST requests are being sent to the web servers behind the WAF. The traffic is not legitimate, since the web application requires a workflow to be completed before data is sent with the POST request, and this workflow data is missing. What type of DDoS attack is this?
Application layer attack
Volume (volumetric) attack
Protocol attack
SYN flood attack

Application layer attack

Ivan works as a security consultant at "Ask Us Intl." One of his clients is under a large-scale protocol-based DDoS attack, and they have to decide how to deal with this issue. They have some DDoS appliances that are currently not configured. They also have a good communication channel with their providers, and some of the providers have fast network connections. In an ideal scenario, what would be the best option to deal with this attack? Bear in mind that this is a protocol-based DDoS attack with at least 10 000 bots sending the traffic from the entire globe!
Block the traffic at the provider level
Absorb the attack
Block the attack at the client site
Filter the traffic at the company Internet facing routers

Block all traffic at the provider level

When a client's computer is infected with malicious software that connects to a remote computer to receive commands, the client's computer is called a ___________
Bot
Botnet
Command and Control (C&C)
Client

Bot

Mike works for a company "Fourth Rose Intl." as the sales manager. He was sent to Las Vegas on a business trip to meet his clients. After the successful completion of his meeting, Mike went back to his hotel room, connected to the hotel Wi-Fi network and attended his other scheduled online client meetings through his laptop. After returning to his office headquarters, Mike connects his laptop to the office Wi-Fi network and continues his work; however, he observes that his laptop starts to behave strangely. It regularly slows down, blue screens from time to time and reboots without any apparent reason. He raised the issue with his system administrator. Some days later, the system administrator in Mike's company observed the same issue on various other computers in the organization. Meanwhile, he also observed that large amounts of unauthorized traffic from various IP addresses of "Fourth Rose Intl." were directed toward the organizational web server. The security division of the company analyzed the network traces and identified that Mike's laptop's IP address had authorized and initiated other computers in the network to perform DDoS abuse against the organizational web server. They further identified a malicious executable backdoor file on Mike's laptop that connects to a remote anonymous computer. This remote computer is responsible for sending commands to Mike's laptop in order to initiate and execute a DDoS attack against the organizational web server. In this case, Mike's laptop was part of the _________?
Botnet attack
Bot attack
Command-and-control (C&C) center
IRC attack

Botnet attack

During the penetration testing of the MyBank public website, Marin discovered a credit/interest calculator running on the server side, which calculates a credit return plan. The application accepts the following parameters: amount=100000&duration=10&scale=month Assuming that the parameter amount is the amount of credit for which the user is calculating the interest and credit return plan (in this case 100,000 USD), the parameter duration is the timeframe over which the credit will be paid off, and scale defines how often the credit rate will be paid (year, month, day, ...), how can Marin proceed with testing whether this web application is vulnerable to DoS?
Change the parameter duration to a large number and change scale value to "day" and resend the packet a few times to observe the delay.
Change the parameter duration to a small number and leave scale value on "month" and resend the packet a few times to observe the delay.
Leave the parameter duration as is and change the scale value to "year" and resend the packet a few times to observe the delay.
Change the parameter duration to a small number and change scale value to "day" and resend the packet a few times to observe the delay.

Change the parameter duration to a large number and change scale value to "day" and resend the packet a few times to observe the delay.

Which algorithm does the "sequential change-point detection" technique use to identify and locate DoS attacks?
Cumulative Sum
Obfuscation
BlackShades
Advanced Encryption Standard

Cumulative Sum

A systems administrator in a small company named "We are Secure Ltd." has a problem with their Internet connection. The symptoms are as follows: the speed of the Internet connection is slow (so slow that it is unusable). The router connecting the company to the Internet is accessible and is showing a large number of router solicitation messages from neighboring routers, even though the router is not supposed to receive any of these messages. What type of attack is this?
DRDoS (Distributed Reflected Denial of Service)
DoS (Denial of Service)
DDoS (Distributed Denial of Service)
MitM (Man in the Middle)

DRDoS (Distributed Reflected Denial of Service)

The DDoS tool used by Anonymous in the so-called Operation Payback is called _______
LOIC
HOIC
BanglaDOS
Dereil

LOIC

A company called "We are Secure Ltd." has a router with eight I/O ports, of which port one is connected to the WAN and the other seven ports are connected to various internal networks. The network administrator has observed malicious DoS activity against the router coming through one of the eight networks. The DoS attack drives CPU utilization to 100% and shuts down the Internet connection. The systems administrator tried to troubleshoot the router by disconnecting ports one by one in order to identify the source network of the DoS attack. After disconnecting port number 6, the CPU utilization normalized and the Internet connection resumed. With this information, the system administrator concluded that the source of the attack was the _______________ network.
Local Area network (LAN)
Wide Area Network (WAN)
Metropolitan Area Network (MAN)
Campus Area Network (CAN)

Local Area network (LAN)

John's company is facing a DDoS attack. While analyzing the attack, John has learned that the attack is originating from the entire globe, and filtering the traffic at the Internet Service Provider's (ISP) level is an impossible task. After a while, John has observed that his personal computer at home was also compromised, similarly to the company's computers. He observed that his computer is sending large amounts of UDP data directed toward his company's public IPs. John takes his personal computer to work and starts a forensic investigation. Two hours later, he obtains crucial information: the infected computer is connecting to the C&C server, and unfortunately, the communication between the C&C and the infected computer is encrypted. Therefore, John intentionally lets the infection spread to another machine in his company's secure network, where he can observe and record all the traffic between the bot software and the botnet. After thorough analysis he discovers an interesting thing: the initial infection process downloaded the malware from an FTP server using a username and password sent in cleartext. John connects to the FTP server and finds the botnet software, including the C&C, on it, with the username and password for the C&C in a configuration file. What can John do with this information?
Neutralize handlers
Deflect the attack
Mitigate the attack
Protect Secondary Victims

Neutralize handlers

Paul has been contracted to test a network, and he intends to test for any DoS vulnerabilities of the network servers. Which of the following automated tools can be used to discover systems that are vulnerable to DoS?
Nmap
John the Ripper
Cain and Abel
Netcraft

Nmap

Identify the DoS attack that does not use botnets for the attack. Instead, the attackers exploit flaws found in the network that uses the DC++ (direct connect) protocol, which allows the exchange of files between instant messaging clients.
DRDoS attack
Peer-to-peer attack
Bandwidth attack
Service request flood attack

Peer-to-peer attack

Which of the following is NOT a type of DDoS attack?
Phishing attack
Volume (volumetric) attack
Protocol attack
Application layer attack

Phishing attack

Identify the type of DoS attack where an attacker sends e-mails, Internet relay chats (IRCs), tweets, and posts videos with fraudulent content for hardware updates to the victim with the intent of modifying and corrupting the updates with vulnerabilities or defective firmware.
SYN flooding attack
Internet Control Message Protocol (ICMP) flood attack
Ping of death attack
Phlashing attack

Phlashing attack

John's company is facing a DDoS attack. While analyzing the attack, John has learned that the attack is originating from the entire globe, and filtering the traffic at the Internet Service Provider's (ISP) level is an impossible task. After a while, John has observed that his personal computer at home was also compromised, similarly to the company's computers. He observed that his computer is sending large amounts of UDP data directed toward his company's public IPs. John takes his personal computer to work and starts a forensic investigation. Two hours later, he obtains crucial information: the infected computer is connecting to the C&C server, and unfortunately, the communication between the C&C and the infected computer is encrypted. Therefore, John intentionally lets the infection spread to another machine in his company's secure network, where he can observe and record all the traffic between the bot software and the botnet. After thorough analysis he discovers an interesting thing: the initial infection process downloaded the malware from an FTP server using a username and password sent in cleartext. John connects to the FTP server and finds the botnet software, including the C&C, on it, with the username and password for the C&C in a configuration file. After successfully stopping the attack against his network, and informing the CERT about the botnet and the new password he used to stop the attack and kick the attackers off the C&C, John starts to analyze all the data collected during the incident and to create the so-called "Lessons learned" document. What is John doing?
Postattack forensics
Neutralize the handlers
Prevent potential attacks
Protect secondary victims

Postattack forensics

John's company is facing a DDoS attack. While analyzing the attack, John has learned that the attack is originating from the entire globe, and filtering the traffic at the Internet Service Provider's (ISP) level is an impossible task. After a while, John has observed that his personal computer at home was also compromised, similarly to the company's computers. He observed that his computer is sending large amounts of UDP data directed toward his company's public IPs. John takes his personal computer to work and starts a forensic investigation. Two hours later, he obtains crucial information: the infected computer is connecting to the C&C server, and unfortunately, the communication between the C&C and the infected computer is encrypted. Therefore, John intentionally lets the infection spread to another machine in his company's secure network, where he can observe and record all the traffic between the bot software and the botnet. After thorough analysis he discovers an interesting thing: the initial infection process downloaded the malware from an FTP server using a username and password sent in cleartext. John connects to the FTP server and finds the botnet software, including the C&C, on it, with the username and password for the C&C in a configuration file. After successfully stopping the attack against his network, John connects to the C&C again, dumps all the IPs the C&C is managing, and sends this information to the national CERT. What is John trying to do?
Protect secondary victims
Neutralize handlers
Deflect the attack
Mitigate the attack

Protect secondary victims

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that a large number of fragmented packets are being sent to the servers present behind the "Internet facing firewall." What type of DDoS attack is this?
Protocol attack
Volume (volumetric) attack
Application layer attack
SYN flood attack

Protocol attack

Martha is a network administrator in a company named "Dubrovnik Walls Ltd." She realizes that her network is under a DDoS attack. After careful analysis, she realizes that large amounts of UDP packets are being sent to the organizational servers that are present behind the "Internet facing firewall." What type of DDoS attack is this?
Volume (volumetric) attack
Protocol attack
Application layer attack
SYN flood attack

Volume (volumetric) attack

Which of the following DoS attack detection techniques analyzes network traffic in terms of spectral components? It divides incoming signals into various frequencies and examines different frequency components separately.
Activity Profiling
Wavelet-based Signal Analysis
Change-point Detection
Signature-based Analysis

Wavelet-based Signal Analysis

Sarah is facing one of the biggest challenges in her career—she has to design the early warning DDoS detection techniques for her employer. She starts developing a detection technique that uses signal analysis to detect anomalies. The technique she is employing analyzes network traffic in terms of spectral components, where she divides the incoming signals into various frequencies and analyzes different. Which DDoS detection technique is she trying to implement?
Wavelet-based signal analysis
Activity profiling
Change-point detection
NetFlow detection

Wavelet-based signal analysis
