Operational: Cyber Security 5.1 & 5.2 REVIEW QUESTIONS & VOCABULARY
What countermeasures can you use to control TCP/IP hijacking?
- IPSec or other encryption protocols - Certificate authentication - Mutual authentication - Randomizing sequencing mechanisms - Packet timestamps - Packet sequencing
What countermeasures can help prevent spoofing?
- Implement firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed. - Use certificates to prove identity. - Use reverse DNS lookup to verify the source email address. - Use encrypted communication protocols, such as IPsec. - Use ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.
How does a distributed reflective denial of service (DRDoS) increase the severity of a DoS attack?
A Distributed Reflective Denial of Service (DrDoS) uses an amplification network to increase the severity of the attack. Packets are sent to theamplification network addressed as coming from the target. The amplification network responds back to the target system.Afriendlyorunintentional DoS attackis when a website experiences such heavy traffic that users can no longer access the website. This is donewhen many people flood to the website and cause the server to crash
Fraggle attack
A Fraggle attack is like a smurf attack, except that it uses the user datagram protocol, or UDP, rather than the more common transmission control protocol, or TCP. Fraggle attacks, like smurf attacks, are starting to become outdated and are commonly stopped by most firewalls or routers.
Buffer overflow
A buffer is a temporal storage location in RAM that is used to hold data so that the CPU can manipulate it before writing it back to the disc. Buffers have a size limit. This type of attack loads the buffer with more data that it can hold. This causes the buffer to overflow and corrupt the data it holds. Ex: Sending emails with file names that have 256 characters.
Distributed Denial of service attack (DDoS)
A distributed denial of service attack, or DDoS, is much like the ping flood method, only multiple computers are being used. In this instance, the computers that may or may not be aware of the fact that they are attacking a website or network. Trojans and viruses commonly give the hacker control of a computer, and thus, the ability to use them for an attack. In this case, the victim computers are called zombies.
Kernel panic
A kernel panic is a safety measure taken by an operating system's kernel upon detecting an error in which it either is unable, or cannot have the system continue to run without having a much higher risk of major data loss. The term is largely specific to Unix and Unix-like systems
Why is a man-in-the-middle attack so dangerous to the victim?
A man-in-the-middle attack is used to intercept information passing between two communication partners. During a man-in-the-middle attack: - An attacker inserts himself in the communication flow between the client and server. The client is fooled into authenticating to the attacker. - Both parties at the endpoints believe they are communicating directly with the other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials. - Man-in-the-middle attacks are commonly used to steal credit cards, online bank credentials, and confidential personal and business information.
Ping of Death
A type of DoS attack. It works by sending small data packets to the network resource. The ping of death takes advantage of this and sends data packets above the maximum limit (65,536 bytes) that TCP/IP allows. TCP/IP fragmentation breaks the packets into small chunks that are sent to the server. Since the sent data packages are larger than what the server can handle, the server can freeze, reboot, or crash.
How is footprinting used to determine the operating system of the recipient?
Also called footprinting or fingerprinting, is determined by sending uniquely fashioned packets to a recipient, and then analyzing the response to requests to determine the operating system of the recipient. (For example, you can identify the OS used by examining the format of the response to specific probes or messages.)
How does domain name kiting work?
Domain name kiting is the process of registering a domain name to test its monetization possibilities and then, if it doesn't generate sufficient advertising revenue, canceling it within the five-day grace period for a full refund.
What countermeasures help mitigate DoS and DDoS attacks?
Partner with your Internet service provider (ISP) to provide clean bandwidth to your network. Your ISP is the best countermeasure against DoS and DDoS attacks.
What is the difference between passive and active reconnaissance
Passive Reconnaissance: An attempt to gain information about targeted computers and networks without actively engaging with the systems. Active Reconnaissance: The attacker engages with the target system, typically conducting a port scan to determine find any open ports.
SYN flood
This type of attack takes advantage of the three-way handshake to establish communication using TCP. SYN attack works by flooding the victim with incomplete SYN messages. This causes the victim machine to allocate memory resources that are never used and deny access to legitimate users
Smurf attack
This type of attack uses large amounts of Internet Control Message Protocol (ICMP) ping traffic target at an Internet Broadcast Address. The reply IP address is spoofed to that of the intended victim. All the replies are sent to the victim instead of the IP used for the pings. Since a single Internet Broadcast Address can support a maximum of 255 hosts, a smurf attack amplifies a single ping 255 times. The effect of this is slowing down the network to a point where it is impossible to use it.
Teardrop attack
This type of attack uses larger data packets. TCP/IP breaks them into fragments that are assembled on the receiving host. The attacker manipulates the packets as they are sent so that they overlap each other. This can cause the intended victim to crash as it tries to reassemble the packets.
What methods should you employ to prevent a replay attack?
To prevent a replay attack, use a secure authentication method, such as Kerberos. The Kerberos protocol embeds additional data, such as the client's timestamp, into network packets.
Spoofing
When someone pretends to be someone else (IP Address) with the intent of obtaining unauthorized data.
In what ways can the HOSTS file be used to improve security?
Where Hosts files really shine is by letting you block ads, spyware sites, malware sites, and tracking sites. It does this by blocking your computer from connecting to annoying sites. What happens then is when a site, email, or what-have-you tried to steer you to a dodgy address, the Hosts file bounces it back and you're kept from going to the questionable domain.
What is the difference between primary and secondary DNS servers?
Primary DNS Server: Hosts the controlling zone file, which contains all the authoritative information for a domain (This means that it is trusted source for important information, such as the IP address of the domain). This includes important information such as the IP address of the domain and who is responsible for the administration of that domain. Primary servers get this information directly from local files. Changes to a zone's DNS records can only be made on a primary server, which can then update secondary servers. Secondary DNS Server: Contains read-only copies of the zone file, and they get their info from a primary server in a communication known as a zone transfer. Each zone can only have one primary DNS server, but it can have any number of secondary DNS servers. Changes to a zone's DNS records cannot be made on a secondary server, but in some cases a secondary server can pass along change requests to a primary server.
Land attack
The Land attack uses IP spoofing in combination with the opening of a TCP connection. In Land, both IP addresses, source, and destination are modified to be the same, and as a result, the kernel gets into an ACK war against itself.