CySA+ Study Notes 5 Flashcards
An HTTP response code is the header value returned by a server when a client requests a URL.
200—This indicates a successful GET or POST request (OK).
201—This indicates that a PUT request has succeeded in creating a resource (Created).
3xx—Codes in this range indicate a redirect, where the server tells the client to use a different path to access the resource.
4xx—Codes in this range indicate an error in the client request, such as requesting a non-existent resource (404), not supplying authentication credentials (401), or requesting a resource without sufficient permissions (403). Code 400 indicates a request that the server could not parse.
5xx—These codes indicate a server-side issue, such as a general error (500) or overloading causing service unavailability (503). If the server is acting as a proxy, messages such as 502 (bad gateway) and 504 (gateway timeout) indicate an issue with the upstream server.
info
??? connections permitted or denied, port and protocol usage, bandwidth usage, and an address translation audit trail (NAT or PAT), which is helpful for finding an internal user conducting attacks on the outside world from inside your network. PAT forwards requests for services on the external IP address and port on the firewall to an address and port of a server behind the firewall.
Firewall logs can show:
Uses syslog format; each log entry is prefixed with a timestamp, a device ID or host name, and a facility (usually kernel).
Linux iptables
??? are susceptible to “blinding” attacks, where the adversary generates more traffic than the system can handle, then initiates the real intrusion, hoping that only an incomplete record of it will be made in the log.
under-resourced logging system
At the Internet edge, firewalls are often deployed in a demilitarized zone (DMZ) configuration, with an external firewall controlling the interface between the Internet zone and hosts within the DMZ segment, and an internal firewall controlling the interface between the LAN and the DMZ. Services such as web hosting, email transfer (SMTP), VoIP, and remote access/virtual private network (VPN) run on hosts within the DMZ.
info
Dropping the packet means that it is discarded without notifying the client. Rejecting the packet means that a response is sent to the client (either a TCP RST or an ICMP port or protocol unreachable for a UDP request). Dropping traffic makes it harder for an adversary to identify port states accurately but makes troubleshooting connections more difficult for legitimate users.
info
??? allow only whitelisted application ports; restrict DNS lookups to your own ISP’s DNS services; block access to known-bad IP address ranges; block access from any IP address space not authorized on your local network; block all Internet access from host subnets that do not need to connect to the Internet, such as most internal server types, workstations used to manage ICSs, etc.
Egress filter configurations
??? is a means of determining a router or firewall’s ACL and mapping the internal network from the outside, or conversely discovering which outbound port and source address combinations are permitted. The attacker first discovers which ports are open on the perimeter firewall, then crafts a packet for the open port with a TTL of one past the firewall. If this packet is received by the host behind the firewall, it will respond with a “TTL exceeded” notification. Firewalking can be mitigated using network address translation (NAT) to prevent the attacker from identifying the address space behind the router and by blocking outgoing ICMP status messages.
Firewalking
A sinkhole is similar to configuring a black hole, and the terms are often used interchangeably. With sinkholing, however, you usually retain some ability to analyze and forward the captured traffic. Sinkhole routing can be used as a DDoS mitigation technique so that the traffic flooding an IP address is routed to a different network where it can be analyzed. Potentially, some legitimate traffic could be allowed through, but the real advantage is to identify the source of the attack and devise rules to filter it. The target can then use low-TTL DNS records to change the IP address advertised for the service and try to allow legitimate traffic past the flood.
info
??? drops traffic before it reaches its intended destination, without alerting the source. Example: drop packets at the routing layer to stop a DDoS attack.
black hole