Term
What are the common types of malware?

Definition
Virus - hidden code carrying out a destructive task
Worm - replicates itself using host resources
Trojan horse - disguised as a normal file to be installed
Spyware - gathers info from the system
Hoax - social engineering

Term
What are the characteristics of a DHCP starvation attack?

Definition
Broadcast of DHCP requests with spoofed MACs.
Goal is to exhaust addresses on the DHCP server, then set up a rogue DHCP server to provide network info to clients, resulting in a man-in-the-middle attack.

Term
What are the two categories of network access attacks?
(Give examples)

Definition
Data access - unauthorized retrieval of data/info
E.g. privilege escalation
System access - unauthorized access to system resources & devices (programs, cameras, etc.)
E.g. malware, password attacks.

Term
What are the characteristics of a simple DoS aiming at resource exhaustion?
Give the most common examples.

Definition
Single attacker sending a large number of packets for the victim to process.
Spoofing, SYN flood

Term
Describe the ping of death attack.

Definition
Last fragment of an ICMP packet contains an offset such that the reconstructed packet is larger than the 65535-byte limit of IP packet size.
Causes buffer overruns.

Term
Describe the Land (Land.c) attack.

Definition
Attacker sends a TCP SYN where
srcIP = dstIP = victim's host IP
and srcPort = dstPort
Victim tries to open a TCP connection to itself and goes into an infinite loop.

Term
Describe the Smurf attack.
(How can it be avoided?)

Definition
Spoofed broadcast ICMP to flood the victim with replies, where
dstIP = broadcast & srcIP = victim's spoofed IP
Avoided with: no ip directed-broadcast

Term
Describe the Fraggle attack.

Definition
Large amount of UDP echo traffic sent to an IP broadcast address with a spoofed source address.

Term
Describe the Teardrop attack.

Definition
Sending IP fragments with overlapping, oversized payloads.
Capitalizes on bugs in TCP/IP fragmentation & reassembly code to crash or compromise the OS.

Term
Describe the Banana attack.

Definition
Redirecting outgoing messages from the client back to itself, thus preventing access and flooding the client.

Term
Describe the Pulsing zombie attack.

Definition
Pinging a host/network from many attackers over time, degrading network quality and consuming CPU/bandwidth resources.

Term
What are the common characteristics of DDoS attacks?

Definition
Distributed Denial of Service - launched from a large number of attackers
attacker -> masters -> slaves/zombies -> victim

Term
Describe the BOINK attack.

Definition
CPU-intensive attack that sends a file with 1 data byte per packet, out of sequence, forcing the host to spend cycles on reassembly.

Term
Describe the Chargen attack and how to mitigate it.

Definition
Attempts to connect to the host's chargen service via TCP or UDP to generate a data stream.
Command used is: telnet <ip> chargen
Mitigation:
no service udp-small-servers
no service tcp-small-servers

Term
Describe the Birthday Attack.

Definition
Attacker presents a digital signature form that looks trusted (via hash collision). After the host signs it, it is used in a fraudulent contract.
Based on the probability of generating a valid hash using invalid/fraudulent information.

Term
What are the characteristics of the Slammer worm?

Definition
Exploited a buffer overflow bug in MS SQL Server Desktop Engine (MSDE) and caused DoS on hosts.
Attacks UDP port 1434 (MSDE).
Entire worm fit in 1 UDP packet.

Term
What are the characteristics of the Code Red worm?

Definition
Attacked computers running the MS IIS web server via a buffer overflow vulnerability.
Attacks used TCP port 80 (HTTP GET).

Term
Describe the TTL Expiry Attack.

Definition
Attack using a flood of ICMP type 3 (destination unreachable) packets with TTL <= 1.
This creates a DoS attack against network equipment, as it takes more CPU for IOS to process the response ICMP than to forward the packet.

Term
What is the purpose of ingress (/egress) filtering? What standards does it come from?

Definition
RFC 2827
BCP 38
Technique to filter incoming (outgoing) packets to prevent IP spoofing (and resulting DDoS) attacks.

Term
What is the purpose and what are the characteristics of
SYN cookies?

Definition
Technique against SYN flood attacks.
Particular choice of initial TCP sequence numbers.
Allows the server to avoid dropping connections when the SYN queue fills up: the server sends SYN-ACK to the client but discards the SYN queue entry. If it receives the subsequent ACK from the client, the server reconstructs the entry.

Term
What solutions does Anti-X refer to?

Definition
Refers to, as a whole, the various anti-virus, anti-spyware, anti-spam and anti-phishing solutions.

Term
What is the purpose of:
1. dynamic access lists (aka lock-and-key)
2. time-based access lists
3. reflexive access lists

Definition
1. Create specific, temporary openings in response to user authentication.
2. Create specific, temporary openings for a certain amount of time.
3. Temporary entries/filters for network traffic based on IP upper-layer protocol session information; nested in an extended named ACL on the interface.

Term
What does the "established" option signify at the end of an access list?
e.g. access-list xxx permit tcp ... established

Definition
A match occurs if the TCP datagram has the ACK or RST control bits set.
Blocks the initial TCP datagram used to form a connection (SYN).

Term
What is the purpose of PVLANs?
What problems do they resolve?

Definition
Private VLANs - allow restrictions on L2 traffic within a VLAN.
Resolve the ARP spoofing attack (attacker uses gratuitous ARP to fake addresses to see traffic or cause DoS).

Term
What is directed broadcast and how should it be secured?

Definition
Allows packets to be broadcast to all devices on the attached subnet.
Feature should be disabled to prevent Smurf attacks and packet floods:
no ip directed-broadcast

Term
What is the purpose of dynamic ARP inspection and how does it work?

Definition
Protects against ARP cache poisoning.
Intercepts and validates ARP packets received before updating the ARP cache and forwarding the packet. Checks against MAC-to-IP bindings stored in a trusted database (built w/ DHCP snooping) and user-configured ACLs. Invalid ARPs are dropped.

Term
What is the purpose of DNSSEC?
How does it work?

Definition
DNS Security Extensions
Detects spoofing attacks on DNS & cache poisoning on DNS servers.
Adds data origin authentication (via PKI and trusted/anchor keys) and integrity protection.

Term
What are the characteristics of TCP intercept?

Definition
Used to intercept all requests to a server, with an ACL of any source and a list of destinations to protect.
Watch mode - connection requests are allowed to pass but are reset if the connection does not reach ESTABLISHED within 30 seconds.
Prevents SYN floods/attacks.
