Ch. 7: DDOS Attacks Flashcards
SYN spoofing attack targets ________.
a. Email service
b. TCP connections table
c. DNS service
d. None of the above
Correct Answer: B
Stallings, 4th Edition, Section 7.1, page 227
What is a poison packet?
A. A packet that triggers a bug in the network software and makes it crash.
B. A packet that contains the signature of a virus.
C. A packet that infects other packets in the network buffer.
D. A packet that redirects other packets to a malicious target.
Correct Answer: A
p. 226
What is a cyber slam?
A. Cyber slam is a made-up term.
B. Another name for a DDoS attack.
C. A firewall packet strategy that helps to thwart a DoS or DDoS attack.
D. A large number of queries that severely load a server.
Correct Answer: D
p. 226
If an attacker directs a large number of forged requests to a server, what type of attack is being made?
A. Slowloris
B. Source address spoofing
C. SYN spoofing
D. Reflector
E. Amplifier
Correct Answer: C
p. 230
T/F: ICMP flood attacks remain common because some ICMP packets are critical to normal network behavior and cannot be filtered.
True
p. 223
What is the difference between a TCP SYN flood attack and a SYN spoofing attack?
A. There is no difference, they are synonymous.
B. The difference is in the volume of packets.
C. SYN spoofing works with UDP only.
D. TCP SYN flood attacks don’t use spoofed source addresses.
Correct Answer: B
TCP SYN flood attacks may or may not use spoofed addresses; the difference is in the volume of packets sent, which is meant to overwhelm the server. The SYN spoofing attack is meant to overwhelm the server as it sends SYN-ACK messages to spoofed (preferably not invalid) addresses.
p. 231, 234
What type of attack is based on sending a large number of INVITE requests with spoofed IP addresses to a server?
A. Reflection attack
B. Smurf attack
C. Slashdot attack
D. SIP flood attack
Correct Answer: D
p. 236, 241
T/F: The best defense against a reflection attack is to not allow directed broadcasts to be routed into a network.
False
The description is the best defense against an amplification attack. To defend against a reflection attack, use filtering to block spoofed-source packets.
p. 241 - 242
T/F: A characteristic of reflection attacks is the lack of backscatter traffic.
True
p. 241
What are some ways to prevent SYN spoofing attacks?
A. Use SYN cookies
B. Modify the size of the TCP connections table or timeout period
C. Impose rate limits on network links
D. Use selective or random dropping of TCP table entries
E. All of the above
F. None of the above
Correct Answer: E
p. 246
T/F: Slowloris uses a ping flood via ICMP echo request packets.
False
That is the smurf attack. Slowloris exploits servers that use multiple threads by sending multiple incomplete connections (by not including the terminating newline sequence) to a server.
p. 238, 242
T/F: In a TCP spoofing attack, the attacker ideally wishes to use addresses that will not respond to the SYN-ACK with a RST.
True
p. 231
A recursive HTTP flood attack is also known as what?
A. a Fraggle attack
B. a Delayed Binding attack
C. a Spidering attack
D. a SIP flood
Correct Answer: C
Bots start from a given HTTP link and then follow all links on the provided website in a recursive way. This is also called spidering.
p. 237