CS6262- Network Security Exam
Questions and Answers
DOS attack classification - Hitlist Scanning ANSWERS A portion of a list of targets is supplied to a compromised computer.
DOS attack classification - Permutation Scanning ANSWERS All compromised computers share a common pseudo-random permutation of the IP address space.
DOS attack classification - Signpost Scanning ANSWERS Uses the communication patterns of the compromised computer to find new targets.
DOS attack classification - Random Scanning ANSWERS Each compromised computer probes random addresses.
DOS attack classification - Random Spoofing ANSWERS Generate 32-bit numbers and stamp packets with them.
SYN flood attack ANSWERS An attack that takes advantage of the procedures for
initiating a TCP/IP session. Type of DoS attack in which the attacker sends multiple
SYN messages initializing TCP connections with a target host. The attacker uses IP
spoofing to send a large number of packets requesting connections to the victim
computer. These appear to be legitimate but in fact reference a client system that is
unable to respond. Example: MS blaster worm
MS Blaster Worm ANSWERS The Blaster worm in 2003 infected many machines.
These infected machines were instructed to launch a denial of service attack at noon
on August 16th. That is, these machines were instructed to launch a SYN flood on port 80
on the target server windowsupdate.com. In particular, 50 SYN requests were sent
every second, and each packet is 40 bytes. The source IP addresses of these request
packets were randomly generated. As a result, the server windowsupdate.com was
rendered unavailable. In response, Microsoft moved the Windows update service to a
new domain, windowsupdate.microsoft.com.
How do we defend against SYN flood attacks? ANSWERS How about increasing
the memory size or decreasing the timeout value, so that when a server does not receive
an ACK packet, it just clears out the memory? These are not good solutions, because an
attacker can just send more packets or send them at a faster pace. A better solution is
to remove the need for a server to keep state.
ANSWERS SYN cookies do not require a modified version of TCP, so this is
false. SYN cookies are only applied when there's a SYN flood attack. That is, during
normal operations, or when a server does not experience an overload, it does not require
SYN cookies. Therefore, SYN cookies should not lead to overall slower performance;
that is, the second statement is false. The third statement is true because during an
attack, the server uses SYN cookies and does not keep state information in memory.
IP Traceback ANSWERS Identify the network path(s) traversed by attack traffic
without requiring interactive operational support from Internet Service Providers (ISPs).
Moreover, this traceback can be performed "post-mortem" - after an attack has completed.
DOS attack classification - Subnet Spoofing ANSWERS Generate random addresses within a given address space.
DOS attack classification - Fixed Spoofing ANSWERS The spoofed address is the address of the target.
DOS attack classification - Infrastructure attack ANSWERS The motivation of this attack is a crucial service of a global internet operation, for example core router
DOS attack classification - Server Application ANSWERS The attack is targeted to a specific application on a server
DOS attack classification - Network Access ANSWERS The attack is used to overload or crash the communication mechanism of a network.
Amplification DOS attack ANSWERS Amplification DOS Attack means that the
attacker only needs to send a small number of packets and can achieve a big effect
such as rendering the targeted site unavailable.
Types of amplification attacks. ANSWERS DoS bug and DOS flood. Denial of
service bug and denial of service flood