Attacks

Question 1

A packet containing a long string of NOP’s followed by a command is usually indicative of what?

Answer 1

A buffer overflow attack.

A series of the same control, hexidecimal, characters imbedded in the string is usually an indicator of a buffer overflow attack. A NOP is a instruction which does nothing (No Operation - the hexadecimal equivalent is 0x90)

The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer overflow attacks use long strings of control characters and this is representative of that type of attack.

Question 2

A piece of malicious code that can take many forms and serve many purposes. Needs a host in which to live, and an action by the user to spread.

Answer 2

Virus

Question 3

A type of malicious code that lays dormant until a logical event occurs (such as a specific person’s name is no longer in the payroll database)

Answer 3

Logic Bomb

Question 4

Many small attacks add up to equal a large attack (Movie: Office Space: stealing a fraction of a penny)

Answer 4

Salami

Question 5

Similar to a virus, but does not need a host and is self replicating

Answer 5

Worm

Question 6

One program (usually some type of malicious code) masquerades as another. Common means of distributing Back Door Programs

Answer 6

Trojan Horse

Question 7

Altering/Manipulating data, usually before entry (Taco Bell: charge 50-cents for a taco and pocket other $1.50)

Answer 7

Data Diddling

Question 8

Capturing and Viewing packets through the use of a protocol analyzer. (Passive Man-in-the Middle attack) Best defense: Encryption

Answer 8

Sniffing

Question 9

Where an attacker steps in between two hosts and either monitors the exchange, or often disconnects one.

Answer 9

Session Hijacking

Where an attacker steps in between two hosts and either monitors the exchange, or often disconnects one. Session hijacks are active types of Man-in-the Middle attacks. Encryption prevents sniffing and mutual authentication would prevent a session hijack

Question 10

A Program that allows access (often administrative access) to a system that bypasses normal security controls. Examples are NetBus, Back Orifice, SubSeven

Answer 10

Back Door Programs

Question 11

An attack on a RAS (Remote Access Server) where the attacker tries to find the phone number that accepts incoming calls. RAS should be set to use caller ID (can be spoofed), callback (best), and configured so that modem does not answer until after 4 calls.

Answer 11

Wardialing

Question 12

The purpose of these attacks is to overwhelm a system and disrupt its availability

Answer 12

Denial of Service (DoS)

Question 13

Characterized by the use of Control Machines (Handlers) and Zombies (Bots) An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim. The idea is that if one machine initiating a denial of service attack, then having many machines perform the attack is better.

Answer 13

Distributed Denial of Service (DDoS)

Question 14

Sending a Ping Packet that violates the Maximum Transmission Unit (MTU) size—a very large ping packet.

Answer 14

Ping of Death

Considered a DoS

Question 15

Overwhelming a system with a multitude of pings

Answer 15

Ping Flooding

Considered a DoS

Question 16

Sending Malformed packets which the Operating System does not know how to reassemble. Layer 3 attack

Answer 16

Tear Drop

Question 17

Attacks that overwhelm a specific type of memory on a system—the buffers. Is best avoided with input validation

Answer 17

Buffer Overflow

Question 18

Similar to the Teardrop attack. Manipulates how a PC reassembles a packet and allows it to accept a packet much too large

Answer 18

Bonk

Question 19

Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.

Answer 19

Land Attack

Question 20

Type of attack that exploits the three way handshake of TCP. Layer 4 attack. Stateful firewall is needed to prevent

Answer 20

Syn Flood

Question 21

Uses an ICMP directed broadcast. Layer 3 attack. Block distributed broadcasts on routers (aka block ICMP at the firewall)

Answer 21

Smurf

Considered a DDoS

Question 22

Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack. Block distributed broadcasts on routers

Answer 22

Fraggle

Question 23

What is the best defense for sniffing?

Answer 23

Encryption

Question 24

How would you prevent a session hijack?

Answer 24

Mutual Authentication

Question 25

How do you protect against wardialing?

Answer 25

RAS should be set to use caller ID (can be spoofed), callback (best but could be call forwarded), and configured so that modem does not answer until after 4 calls. Use authentication

Use a different number than your normal extension range for your modems

Question 26

How do you protect against buffer overflow?

Answer 26

Is best avoided with input validation

Question 27

How do you prevent against SYN flood?

Answer 27

Stateful firewall is needed to prevent

Question 28

How do you protect against Smurf?

Answer 28

Block distributed (directed) broadcasts on routers

aka block ICMP at the firewall

Question 29

How do you protect against Fraggle?

Answer 29

Block distributed (directed) broadcasts on routers

Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack.

Question 30

Sending malformed or improper data in the IMCP header. Considered a “covert channel” attack

Answer 30

Loki

Question 31

Driving around looking for unsecured wireless networks

Answer 31

War driving

Question 32

Unauthorized wireless access points offer the opportunity for what type of attack?

Answer 32

Man in the middle attacks

Question 33

Sniffing wireless signals

Answer 33

Airsnarfing

Question 34

Sending SPAM to nearby bluetooth devices

Answer 34

Blue Jacking

Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing

Question 35

Copies information off of remote devices

Answer 35

Blue Snarfing

Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing

Question 36

Allows full use of phone
Allows one to make calls
Can eavesdrop on calls

Answer 36

Blue Bugging

Most serious of Bluetooth attacks

Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairingx

Question 37

Whats is a TCP SYN flood?

Answer 37

Category: Network Attack

Type: common TCP denial of service

Info: A system must keep track of any remote system that starts a TCP three-way handshake. Attacker sends many SYNs but never ACKs. The victims half-open connection table will start to fill.

Result: If the attacker can exhaust that table then no new connections can be made.

Question 38

What is a LAND attack?

Answer 38

Category: Network Attack

Type: Single Packet DoS

Info: a single packet DoS attack involving the victim’s web service listening on Port 80. A packet is forged from the victim’s IP Address / Port 80 to the victim’s IP Address / Port 80.

Result: The victim’s computer sometimes get confused and crashes.

Question 39

What is a Fraggle Attack?

Answer 39

Category: Network Attack

Type: DoS

Info: Based on Smurf Attack using UDP echo packets in place of ICMP. Attacker forges UDP packets from the victim to the UNIX services Port 7 (echo, which “echos” characters back tot he sender) and Port 19 (which is Character Generator, which sends a stream of characters back to the sender).

Result: Victim is overwhelmed by characters.

Question 40

What is a Teardrop attack?

Answer 40

Category: Network Attack

Type: DoS

Info: Attack replies on fragmentation reassembly. The attacker sends multiple large overlapping IP fragments.

Result: System may crash as it attempts to reassemble the bogus fragments.

Question 41

What is an ARP scan attack?

Answer 41

Once an attacker is on the LAN, Layer 2 scans and attacks are possible.

ARP scan is a Layer 2 scan that sends ARP requests for each IP address on a subnet, learning the MAC address of each system.

Question 42

What is a TCP scan attack?

Answer 42

Sends a TCP SYV packet to ports on a host, reporting those that answer SNY/ACK.

A “connect scan” completes the three way handshake
A “half-open scan” does not complete the TCP handshake

half-open connections have advantages because they often are not logged.

Attackers can also craft packets with strange flag combinations (SYN/RST, all TCP flags set, no flags set, etc.). Attackers may be able to determine OS version by the way these packets are handled.

Question 43

What is a UDP scan attack?

Answer 43

Sends UDP packets to ports on a system and listens for answers.

UDP scans are harder and slower than TCP scans. Unlike TCp, there is no connection and no universal way for UDP service to respond to a UDP packet.

Question 44

What type of attack inserts tagging values into network and switch-based protocols with the goal of manipulating traffic at the Data Link Layer?

Answer 44

VLAN Hopping

Attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and trunking protocols, and can insert itself between other VLAN devices and gain access tot he traffic going back and forth.