cspp Chapter 7 - Denial-of-Service Attacks -- Stallings 4th edition
A cyberslam is an application attack that consumes significant resources, limiting the server's ability to respond to valid requests from other users. (True Or False)
T
A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service. (True Or False)
T
SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol. (True Or False)
T
The SYN spoofing attack targets the table of TCP connections on the server. (True Or False)
T
The source of the attack is explicitly identified in the classic ping flood attack. (True Or False)
T
three-way handshake
TCP uses the _______ to establish a connection.
T
The SYN spoofing attack targets the table of TCP connections on the server.
SYN spoofing attack
The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
F
The attacker needs access to a high-volume network connection for a SYN spoof attack.
Define a reflection attack.
The attacker sends a network packet with a spoofed source address to a service running on some network server. The server (=reflector) responds to this packet, sending it to the spoofed source address that belongs to the actual attack target. This is then called a reflection attack.
T
The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
What is the goal of a flooding attack?
The intent is to overload the network capacity on some link to a server; it may also aim to overload the server's ability to handle and respond to traffic.
A ______ triggers a bug in the system's network handling software, causing it to crash so that the system can no longer communicate over the network until this software is reloaded.
poison packet
During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system and when the intermediary responds, the response is sent to the target.
reflection
If an organization is dependent on network services it should consider mirroring and ________ these servers over multiple sites with multiple network connections.
replicating
Requests and _______ are the two different types of SIP messages.
responses
Using forged source addresses is known as _________.
source address spoofing
Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______.
spidering
In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.
spoofed source
_______ bandwidth attacks attempt to take advantage of the disproportionately large resource consumption at a server. A) Application-based B) System-Based C) Random D) Amplification
A) Application-Based
A characteristic of reflection attacks is the lack of _______ traffic. A) backscatter B) network C) three-way D) botnet
A) backscatter
Using forged source addresses is known as _________. A) source address spoofing B) a three-way address C) random dropping D) Directed broadcast
A) source address spoofing
______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.
Amplification
What types of packets are commonly used for flooding attacks?
Any type of packet can be used in a flooding attack. Commonly used: ICMP, UDP or TCP SYN.
_______ bandwidth attacks attempt to take advantage of the disproportionately large resource consumption at a server.
Application-based
In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system. A) SYN flood B) DNS amplification C) poison packet D) UDP flood
B) DNS amplification
______ relates to the capacity of the network links connecting a server to the wider Internet. A) Application Resource B) Network Bandwidth C) System Payload D) Directed Broadcast
B) Network Bandwidth
The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections. A) DNS Amplification B) SYN Spoofing attack C) basic flooding attack D) poison packet attack
B) SYN Spoofing Attack
Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______. A) trailing B) spidering C) spoofing D) crowding
B) Spidering
True or False? Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
False
True or False? Reflector and amplifier attacks use compromised systems running the attacker's programs.
False
True or False? Slowloris is a form of ICMP flooding.
False
True or False? The attacker needs access to a high-volume network connection for a SYN spoof attack.
False
_____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.
Flooding
T
Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
F
Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
A _______ flood refers to an attack that bombards Web servers with HTTP requests.
HTTP
The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.
IP-directed
Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, an _______ is best placed to ensure that valid source addresses are used in all packets from its customers.
ISP
What steps should be taken when a DoS attack is detected?
Identification of the type of attack, then application of suitable filters to block the attack packets. In addition, an ISP may trace the flow of packets back in an attempt to identify the source.
Why do many DoS attacks use packets with spoofed source addresses?
If there is a valid system at the spoofed source address, it will respond with a RST packet. However, if there is no such system, no reply will return. In that case the server will resend the packet a number of times before finally assuming the connection request has failed. During this period, the server is using an entry in its memory. If many connection requests with forged addresses arrive, the memory fills up, making the server incapable of handling any more requests (not even legitimate ones).
DNS amplification
In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
What types of resources are targeted by such attacks?
Network bandwidth, system resources, and application resources.
A DoS attack targeting application resources typically aims to overload or crash its network handling software. (True Or False)
F
DoS attacks cause damage or destruction of IT infrastructures. (True Or False)
F
Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address. (True Or False)
F
True or False? A DoS attack targeting application resources typically aims to overload or crash its network handling software.
False
True or False? DoS attacks cause damage or destruction of IT infrastructures.
False
The standard protocol used for call setup in VoIP is the ________ Protocol.
Session Initiation
F
Slowloris is a form of ICMP flooding.
T
A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
T
A cyberslam is an application attack that consumes significant resources, limiting the server's ability to respond to valid requests from other users.
Define a denial-of-service attack.
A denial of service is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth and disk space.
T
A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.
A ______ triggers a bug in the system's network handling software, causing it to crash so that the system can no longer communicate over the network until this software is reloaded. A) echo B) reflection C) poison packet D) flash flood
C) Poison Packet
_______ is a text-based protocol with a syntax similar to that of HTTP. A) RIP B) DIP C) SIP D) HIP
C) SIP
It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code. A) three-way handshake B) UDP flood C) SYN spoofing attack D) flash crowd
C) SYN spoofing attack
In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable. A) SYN spoofing attacks B) indirect flooding attacks C) ICMP attacks D) system address spoofing
D) SYN spoofing attacks
______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete. A) HTTP B) Reflection attacks C) SYN Flooding D) slowloris
D) Slowloris
Modifying the system's TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed is _______. A) poison packet B) slashdot C) backscatter traffic D) random drop
D) random drop
TCP uses the _______ to establish a connection. A) zombie B) SYN cookie C) directed broadcast D) three-way handshake
D) three-way handshake
SYN spoofing attack
It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code.
What is the primary defense against many DoS attacks, and where is it implemented?
Limiting the ability of systems to send packets with spoofed source addresses. An ISP knows which addresses are allocated to all its customers and hence can ensure that valid source addresses are used in all packets from its customers.
random drop
Modifying the system's TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed is _______.
______ relates to the capacity of the network links connecting a server to the wider Internet.
Network bandwidth
Define a distributed denial-of-service attack.
Recognizing the limitations of flooding attacks generated by a single system, hackers invented tools that use multiple systems to generate attacks. That is called a distributed denial-of-service attack.
_______ is a text-based protocol with a syntax similar to that of HTTP.
SIP
T
SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.
What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overhead and the consequences of a DoS attack?
These terms refer to the following occurrence: a posting on the well-known Slashdot news aggregation site often results in overload of the referenced server system. There is very little that can be done to prevent this type of accidental or deliberate overhead; the provision of excess network bandwidth is the usual response.
Define an amplification attack.
They differ from reflection attacks in that they generate multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address of some network. As a result, all hosts on that network respond, generating a flood of responses.
What defenses are possible to prevent an organization's system being used as intermediaries in an amplification attack?
They should implement anti-spoofing, directed-broadcast, and rate-limiting filters. In addition, they should have some form of automated network monitoring and intrusion detection system.
True or False? A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
True
True or False? A cyberslam is an application attack that consumes significant resources, limiting the server's ability to respond to valid requests from other users.
True
True or False? A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.
True
True or False? Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
True
True or False? SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.
True
True or False? The SYN spoofing attack targets the table of TCP connections on the server.
True
True or False? The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
True
True or False? The source of the attack is explicitly identified in the classic ping flood attack.
True
True or False? There is very little that can be done to prevent a flash crowd.
True
What defenses are possible against TCP SYN spoofing attacks?
Using a modified version of the TCP connection handling code, where the connection details are stored in a cookie on the client computer rather than the server.
What architecture does a distributed denial of service attack typically use?
Usually a botnet of infected zombie PCs under the control of a hacker is used. Typically a small number of systems act as handlers controlling a much larger number of agent systems that ultimately launch the attack.
Slowloris
______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete.
The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification, and _______.
attack reaction
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are known as _______ traffic.
backscatter
A ______ is a graphical puzzle used to attempt to identify legitimate human initiated interactions.
captcha
A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
denial-of-service (DoS)
To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel at your ISP(s).
incident response