Chapter 11: DoS Flashcards

1
Q

DoS goal

A

To remove the A from the Confidentiality, Integrity, & Availability triad

2
Q

Buffer Overflow

A

Takes advantage of a flaw in a program's code by inputting more data than the program's buffer, or memory space, has room for; once a program's buffer is in an overflow state, the program can crash, etc.

3
Q

C functions & signs of buffer overflow

A

Some C functions do not perform bounds checking, making programs that use them vulnerable to buffer overflow.

gets(), scanf(), strcpy(), and strcat() are functions commonly involved in buffer overflows.

4
Q

Stack pointer represents

A

The top of a stack; in a buffer overflow, the stack pointer is ignored and data is stacked over the top of it, creating false EIPs (Extended Instruction Pointer/point of execution) and false stack pointers.

When smashing the stack, the EIP points to injected malicious code

5
Q

NOP sled

A

Shellcode (or machine code) used in a buffer overflow attack; consists of multiple "NO OPERATION" instructions in a sequenced chunk; 0x90 instructs an Intel processor to spend one clock cycle doing nothing.

Equates to a full CPU cycle with no actual work being accomplished.

6
Q

Define Load Balancing

A

Distributing workloads across multiple computer resources.

7
Q

Buffer Overflow vs. Stack Overflow

A

Stack overflow is when the execution stack grows beyond the memory reserved for it, whereas buffer overflow is any case in which a program writes beyond the end of the memory allocated (INCLUDING in the heap, not just the stack).

8
Q

SERVICE REQUEST FLOODS (DoS Attack)

A

1) SERVICE REQUEST FLOODS - flooding a web server or web app with requests until all resources are used up; these are typically carried out by setting up repeated TCP connections to a system.

9
Q

SYN ATTACK/FLOOD (DoS Attack)

A

2) SYN ATTACK/FLOOD - exploits the 3-way handshake; done by forging SYN packets with a bogus source address. When the victim system responds with a SYN-ACK, it goes to this bogus address, and since the address doesn't exist, the victim system waits for a response that will never come. This ties up a connection for 75 seconds; the attacker can keep opening half-open connections to keep the system out of service. THE ACK RESPONSE IS MISSING: SYN is sent, SYN-ACK is replied, ACK never arrives.

10
Q

ICMP FLOOD ATTACK (DoS Attack)

A

3) ICMP FLOOD ATTACK - an ICMP request requires the server to process the request and respond; attacks include smurf attacks, ICMP floods, and ping floods, all of which flood the server with ICMP requests without waiting for the response.

11
Q

PING OF DEATH (DoS Attack)

A

4) PING OF DEATH - used back in the day; a ping packet larger than the allowable 64K was sent.

12
Q

TEARDROP (DoS Attack)

A

5) TEARDROP - sending custom-crafted fragmented packets with offset values that overlap during the attempted reassembly, making the target machine unstable.

13
Q

SMURF (DoS Attack)

A

6) SMURF - spoofs the target IP and sends numerous ICMP echo requests to the broadcast address of intermediary sites; the intermediary sites amplify the ICMP traffic back to the (spoofed) source IP, saturating the network.

14
Q

FRAGGLE (DoS Attack)

A

7) FRAGGLE - like the SMURF attack but uses UDP instead of ICMP. Still uses an intermediary for amplification and spoofs the target IP; the attack directs UDP echo requests to the CHARGEN (character generator) port of the intermediary systems.

15
Q

LAND (DoS Attack)

A

8) LAND - sends traffic to the target machine with the source spoofed as the target machine itself; the victim attempts to acknowledge the requests repeatedly with no end.

16
Q

PHLASHING (DoS Attack)

A

9) PHLASHING - pushes bogus/incorrect updates to a system's firmware; the system is then said to be BRICKED, i.e. a worthless computer.

17
Q

HEAP

A

HEAP // dynamic storage location that has no sequential constraints or organizational scheme; considered the larger pool of free storage for programs to use as needed; once dynamic memory space is no longer needed, it is freed.

18
Q

STACK

A

STACK // linear in operation (top, bottom, LIFO); the smaller pool of storage; memory allocated to a program for short-term processing, the main action area where program variables are temporarily stored, added, and removed as needed; values can only be seen from the top down; PUSH describes adding to a stack, POP is removing from it.

19
Q

RFC 3704 FILTERING

A

1) RFC 3704 FILTERING // designed to block or stop packets from addresses that are unused or reserved in any given IP range.

20
Q

BLACK HOLE FILTERING

A

2) BLACK HOLE FILTERING // a black hole, or area, is created on the network where offending traffic is forwarded and dropped.

21
Q

SOURCE IP REPUTATION FILTERING

A

3) SOURCE IP REPUTATION FILTERING // filters traffic based on reputation (determined by past history of attacks and other factors).

22
Q

NOP in Hex

A

0x90

23
Q

INGRESS/EGRESS FILTERING

A

Ingress filtering prevents DoS and DDoS attacks by filtering for items such as spoofed IP addresses coming in from an outside source. In other words, if traffic coming in from the public side of your connection has a source address matching your internal IP scheme, then you know it's a spoofed address. Egress filtering helps prevent DDoS attacks by filtering outbound traffic, which may prevent malicious traffic from getting back to the attacking party.

24
Q

REVERSE PROXY

A

Similar to a load balancer: sits in front of web servers and distributes requests; also caches content.