CIS4360_Chapter_07 Flashcards

1
Q

What is a denial of service attack?

A

A denial of service is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth and disk space.

2
Q

What type of resources are targeted by a denial of service attack?

A

+ Network bandwidth
+ System resources
+ Application resources

3
Q

What is the goal of a flooding attack?

A

The goal of a flood attack is to overload the network capacity of the target.

4
Q

What type of packets are commonly used for flooding attacks?

A

Any type of packet can be used in a flooding attack. Commonly used: ICMP, UDP or TCP SYN.

5
Q

Why do many DoS attacks use packets with spoofed source addresses?

A

If there is a valid system at the spoofed source address, it will respond with a RST packet. However, if there is no system there, no reply will return. In these cases the server will resend the packet a number of times before finally assuming the connection request has failed. During this period, the server is using an entry in its memory. If many connection requests with forged addresses are incoming, the memory fills up, making the server incapable of handling any more requests (not even legitimate ones).

6
Q

Define a distributed denial-of-service attack.

A

A distributed denial of service attack is a denial of service attack using multiple systems.

7
Q

What architecture does a distributed denial of service attack typically use?

A

A botnet consisting of infected zombie PCs that is under the control of a hacker is used.

8
Q

Define a reflection attack.

A

The attacker sends a network packet with a spoofed source address to a service running on some network server. The server (the reflector) responds to this packet, sending its reply to the spoofed source address, which belongs to the actual attack target. This is called a reflection attack.

9
Q

Define an amplification attack.

A

Amplification attacks differ from reflection attacks in that they generate multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network. As a result, all hosts on that network will respond, generating a flood of responses.

10
Q

What is the primary defense against many DoS attacks, and where is it implemented?

A

Limiting the ability of systems to send packets with spoofed source addresses. This is implemented at the ISP: an ISP knows which addresses are allocated to all its customers and hence can ensure that valid source addresses are used in all packets from its customers.

11
Q

What defenses are possible against TCP SYN spoofing attacks?

A

Using a modified version of the TCP connection handling code, where the connection details are stored in a cookie on the client computer rather than the server.

12
Q

What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overhead and the consequences of a DoS attack?

A

These terms refer to the following occurrence: a posting on the well-known Slashdot news aggregation site often results in overload of the referenced server system. There is very little that can be done to prevent this type of either accidental or deliberate overload; the provision of excess network bandwidth is the usual response.

13
Q

What defenses are possible to prevent an organization’s systems from being used as intermediaries in an amplification attack?

A

The organization should implement anti-spoofing, directed-broadcast and rate-limiting filters. In addition, it should have some form of automated network monitoring and intrusion detection system.

14
Q

What steps should be taken when a DoS attack is detected?

A

Identification of the type of attack, and application of suitable filters to block the attack packets. In addition, an ISP may trace the flow of packets back in an attempt to identify the source.
