DOS Flashcards
Define DOS attack
an action that overwhelms target system with excessive traffic, preventing users from accessing services
Resources that are targets of DOS attacks?
- Network Bandwidth
- System Resources
- Application Resources
How to respond to DOS attacks?
- Implement antispoofing and rate limit or use CAPTCHA to filter human vs bot behavior
- Monitor network traffic for abnormal patterns
- Trace the source of the attack through ISPs then update incident response plans to prepare for future attacks
Define DDOS attack
A coordinated assult where many systems flood a target with overwhelming traffic/requests, making it unavaliable to users
Explain one or two defense mechanism against the SYN flooding attack
- Blocking spoofed addresses
- SYN cookies
Could you explain the SYN flooding attack method? Also, what resource of the system does the SYN flooding attack exhaust?
The SYN flooding attack sends TCP SYN packets with spoofed addresses, leading the server to maintain half-open connections until its connection table overflows.
System’s network handling resources
Describe the Session Initiation Protocol (SIP) flooding attack. Explain what resources are targeted by the attack.
Overloads SIP servers with too many session initiation requests.
Exhauses server’s memory and processing capacity.
Explain DNS Amplification Attack. This attack method is based on a specific feature of DNS. Explain whether this is an attack using sex.
Attacker sends tiny DNS queries with spoofed source addresses then server replies with large responses to the target, overwhelming resources.
What are the three common types of firewalls, and how do they function?
Packet-Filtering Firewall:
Checks each packet’s header against a set of rules.
Decides whether to allow or block the packet.
Application-Level Gateway:
Works as a middleman for specific applications.
Adds security by filtering traffic and requiring user authentication.
Circuit-Level Gateway:
Creates two separate TCP connections: one with the user and one with the external server.
Relays data between them without inspecting the actual content.
What are the advantages and disadvantages of packet-filtering firewalls?
Advantages:
Simplicity.
Transparency to users.
High speed.
Disadvantages:
Difficult to set up rules correctly.
Lack of user authentication.
Cannot deal with applications at the packet-filtering level
What is the key difference between stateful inspection firewalls and traditional packet filters?
Stateful Firewalls: Track connections and validate packets dynamically.
Packet-Filtering Firewalls: Use static rules without tracking connections.
What are the advantages of an application-level gateway over packet filters?
- Provides better security by scrutinizing traffic at the application level.
- Can be configured to support specific application features only.
- Makes it easier to log and audit incoming traffic
What is a screened subnet firewall configuration, and what are its advantages?
A screened subnet firewall uses two packet-filtering routers to create an isolated subnet.
Advantages:
1. Provides three levels of defense.
2. Hides the internal network from the internet by advertising only the screened subnet.
3. Prevents direct routing between internal systems and the internet
What are the advantages of host-based firewalls?
Filtering rules can be tailored to the host environment.
Provides protection independent of network topology.
Adds an extra layer of protection for individual hosts
What is the primary function of an Intrusion Prevention System (IPS), and how does it differ from a firewall?
An IPS detects and attempts to block malicious activities in real time. Unlike a firewall, which uses static rules to filter traffic, an IPS uses algorithms to identify anomalous or known malicious behaviors and then acts to prevent them
What are the limitations of a firewall?
- Cannot protect against attacks that bypass it, such as those using direct dial-up connections.
- Does not protect against internal threats, like malicious insiders.
- Cannot scan and block virus-infected files transferred via supported applications
Explain the anomaly detection method and the signature-based detection method. What are their advantages and disadvantages?
Anomaly Detection: Spots unusual behavior.
Pros: Detects new attacks.
Cons: High false positives.
Signature Detection: Matches known attack patterns.
Pros: Accurate for known threats.
Cons: Misses new attacks.
Define the terms ‘False Positive’ and ‘False Negative.’ What are the challenges if an IDS has a 1% false positive rate and a 1% false negative rate in real environments?
False Positive: When the IDS incorrectly classifies legitimate activity as malicious.
False Negative: When the IDS fails to detect an actual attack.
Challenges:
A 1% false positive rate in high-traffic environments could overwhelm administrators with alerts, leading to alert fatigue.
A 1% false negative rate leaves the system vulnerable to undetected attacks, potentially causing severe damage
When a hacker attacks a system, explain the general behavior pattern step by step.
- Gather info about the target
- use identified weaknesses to gain access
- Increase access rights to perform more actions
- Delete logs and evidence
List at least five IDS requirements and explain them.
Accuracy: Minimize false positives and negatives.
Scalability: Handle high volumes of data in large networks.
Real-Time Detection: Identify attacks as they happen.
Robustness: Operate effectively under attack.
Ease of Management: Allow for straightforward configuration and updates.
Compare a stateless firewall (packet filtering firewall) and a stateful firewall.
Stateless Firewall: Filters individual packets.
Pros: Simple, fast.
Cons: Can’t track connections, spoofing risk.
Stateful Firewall: Tracks connections.
Pros: Blocks SYN floods.
Cons: Higher overhead.
Describe an attack that can be blocked by a stateful firewall but not by a stateless firewall.
A SYN Flood Attack can be blocked by a stateful firewall because it tracks incomplete TCP handshakes and can drop excessive SYN packets. A stateless firewall, which only inspects individual packets, would not recognize the incomplete connections
Explain the TL and Fragment Offset fields among the fields in the IP header.
TTL: Limits packet lifespan; decrements at each hop. Used in traceroute.
Fragment Offset: Indicates a fragment’s position for proper reassembly.
Compare and explain the advantages and disadvantages of the signature-based method and the anomaly-based method in intrusion detection.
Signature-Based Detection:
Advantages: Accurate for known threats, low false positives.
Disadvantages: Cannot detect new, unknown threats. Requires constant updates to the signature database.
Anomaly-Based Detection:
Advantages: Can detect unknown attacks by monitoring deviations from normal behavior.
Disadvantages: High false-positive rate, as legitimate activities might deviate from the baseline.
Discuss about the tunnel and transport modes of the IPsec protocol.
Tunnel Mode:
Encrypts the entire IP packet (headers and payload).
Commonly used for site-to-site VPNs.
Protects against traffic analysis since the original packet is entirely encapsulated.
Transport Mode:
Encrypts only the payload, leaving the IP header intact.
Used for end-to-end communication between two hosts.
Answer the following questions about the Probabilistic Packet Masking method.
(a) What is the purpose of this method?
(b) Explain the packet masking method.
(c) What are the advantages of this method over other methods?
(a) Purpose:
Protects packet data by introducing probabilistic alterations that make attacks less effective.
(b) Packet Masking Method:
Masks specific parts of a packet to prevent attackers from fully reconstructing sensitive data.
Involves randomization or selective encryption of packet fields.
(c) Advantages:
Adds unpredictability, making reconnaissance difficult for attackers.
More efficient compared to full encryption.
As for DNS cache poisoning, in what conditions is poisoning possible.
- DNS server accepts incorrect responses without validating authenticity.
- The attacker can predict the transaction ID of DNS queries.
- Lack of proper DNS security extensions (DNSSEC).
DNSSEC method can be used to respond to DNS-related attacks such as DNS Cache poisoning. What are the problems with DNSSEC method?
- Complexity in implementation and management.
- Increased computational overhead due to cryptographic operations.
- DNSSEC does not prevent all forms of DNS attacks
Answer the following questions about ARP.
(a) Explain about the ARP protocol.
(b) What is the ARP Cache Poisoning attack?
(a) ARP Protocol:
Maps IP addresses to MAC addresses within a local network.
Operates by broadcasting ARP requests and receiving ARP replies.
(b) ARP Cache Poisoning:
Attacker sends fake ARP replies to associate their MAC address with the victim’s IP address.
Results in man-in-the-middle attacks or denial of service by intercepting or disrupting traffic.
Answer the following questions about the TL field in the IP Packet header.
(a) Describe the TTL field (purpose, how to use, ).
(b) Give an example of a typical application implemented using the TTL field and explain how it works.
(a) Purpose:
Prevents infinite packet looping in the network.
Used for diagnostic purposes (e.g., traceroute).
(b) Example Application:
Traceroute: Sends packets with incremental TTL values to discover each hop along the path to the destination.
The TTL expiration generates an ICMP “Time Exceeded” message, revealing the intermediate router’s address.
When running a program, how is the stack used?
The stack is a region of memory used for managing function calls and local variables during program execution.
It stores:
Function parameters.
Return addresses.
Local variables.
Saved registers and bookkeeping information
What data does a stack buffer overflow overwrite?
Local variables.
Return addresses.
Frame pointers (saved base pointers).
What does an attacker mainly want to change through stack buffer overflow?
Targeted Data: The return address in the stack.
Why: By modifying the return address, an attacker can redirect the program’s execution flow to malicious code (e.g., shellcode injected into the stack).
Goal: Execute arbitrary code, escalate privileges, or cause a denial of service
Define a Buffer Overflow Attack.
A buffer overflow attack occurs when a program writes more data into a buffer than it can hold, overwriting adjacent memory locations
Techniques to Prevent Stack Buffer Overflow
(a) Random Canary Method:
Inserts a “canary” value before the return address in the stack.
The canary is checked before returning from a function; any modification indicates an overflow.
Advantage: Effective at detecting basic buffer overflows.
Disadvantage: Does not prevent more advanced attacks like Return-Oriented Programming (ROP)
(b) Guard Page Method:
Places non-accessible memory pages (guard pages) around critical stack regions.
Any attempt to overflow into these pages causes a segmentation fault.
Advantage: Prevents overwriting beyond stack boundaries.
Disadvantage: Increased memory overhead
Response Methods for Buffer Overflow
Compile-Time Defenses:
Using High-Level Languages: Enforces range checks and reduces vulnerabilities.
Static Analysis Tools: Identifies unsafe functions and buffer-related bugs.
Compiler Extensions (e.g., StackGuard): Adds runtime checks for stack integrity
Run-Time Defenses:
Data Execution Prevention (DEP): Marks stack regions as non-executable.
Address Space Layout Randomization (ASLR): Randomizes memory addresses to make exploitation harder
Four Stages of Execution for a Virus or Worm?
Propagation: Spreads to other systems through vulnerabilities or user interaction.
Trigger: Waits for a specific condition (e.g., date or user action) to activate.
Payload Execution: Carries out the intended malicious action (e.g., data theft, destruction).
Stealth/Concealment: Hides its activity to avoid detection (e.g., rootkits or obfuscation techniques)
Metamorphic vs. Polymorphic Viruses
Polymorphic Virus: Changes its code slightly (e.g., using encryption) with each replication to evade signature detection.
Metamorphic Virus: Rewrites its entire code structure during replication, making it even harder to detect as its behavior and structure constantly change
Describe the “packing” technique used to prevent analysis of malware.
- Packing compresses or encrypts malware code to make static analysis difficult.
- When executed, the packed code decompresses or decrypts itself in memory before execution.
- Used to evade antivirus and other analysis tools
Answer the following questions about malware analysis methods.
(a) Explain the static analysis method and the dynamic analysis method.
(b) What is the biggest problem with the tatic analysis method?
(a) Static Analysis:
Involves analyzing the malware’s code without executing it.
Examples: Disassembling the code, analyzing file structure, checking for known signatures.
(b) Dynamic Analysis:
Involves executing the malware in a controlled environment to observe its behavior.
Examples: Using sandboxes or virtual machines to track file system changes, registry edits, or network communication.
Biggest Problem with Static Analysis:
Obfuscation: Malware often uses techniques like packing or encryption to hide its code, making static analysis challenging and sometimes ineffective
Answer the following questions about botnets.
(a) Describe the four components that make up a botnet and explain the role of each component.
(b) Write at least three reasons why botnet attacks are difficult to respond to on personal computers, unlike existing malware.
(c) Explain how to use “dynamic DNS” as a rally mechanism for botnets.
(a) Four Components of a Botnet:
Bots: Infected devices that perform tasks for the botnet controller.
Role: Execute malicious commands like DDoS attacks or spamming.
Command and Control (C&C) Server: Central server used to control the botnet.
Role: Issues commands to the bots and receives stolen data.
Botmaster: The operator controlling the botnet.
Role: Plans and executes malicious activities through the botnet.
Targets: The systems or services under attack.
Role: Victims of data theft, service disruption, or other malicious activities
.
(b) Reasons Botnet Attacks Are Hard to Respond To:
Distributed Nature: Bots are spread across multiple personal computers, making detection and takedown difficult.
Dynamic Membership: Bots can join or leave the botnet dynamically, complicating its detection.
Encrypted Communication: Modern botnets use encrypted channels to communicate with the C&C server, hiding their activities.
(c) Dynamic DNS as a Rally Mechanism:
Dynamic DNS allows botmasters to update domain name mappings to IP addresses dynamically.
When a C&C server changes location or IP, bots can still connect using the updated DNS record, maintaining the botnet’s functionality
Describe the Generic Decryption (GD) scanner.
A GD scanner is a tool used to analyze encrypted malware.
How It Works:
Executes the malware in a controlled environment.
Allows the malware to decrypt itself during runtime.
Captures the decrypted code for analysis.
Describe data permission and output permission
Data Permission: Refers to access controls determining who can read, write, or modify specific data. Implemented using access control lists (ACLs) or role-based access control (RBAC).
Output Permission: Refers to restrictions on what outputs are generated and who can access them, preventing unauthorized data leaks.
Explain what reference attack is and how to defend against interference attacks with perturbation tech.
Reference Attack: Repeated queries analyze patterns to infer sensitive data.
Perturbation Defense: Adds noise to outputs to protect individual data.
What is SQL injection attack and how to defend against reference attack
Exploits vulnerabilities in input validation to inject malicious SQL queries into a database.
Input validation and sanitization.
Use of parameterized queries (prepared statements).
Implementing least privilege for database users
Defending Against Reference Attacks in Statistical Databases (SDB)
Query Restrictions: Limiting the number and type of queries users can perform.
Noise Addition: Introduce statistical noise to query results (e.g., perturbation).
Partitioning Data: Avoid queries that allow accessing small data subsets
Comparing Anomaly Detection and Signature-Based Detection
Signature-Based Detection:
Matches known attack patterns in data.
Pros: High accuracy for known threats, low false positives.
Cons: Ineffective against new or unknown attacks.
Anomaly Detection:
Identifies deviations from normal behavior to detect potential threats.
Pros: Can identify novel attacks.
Cons: High false-positive rate if the normal baseline is not well-defined
Polymorphic vs. Metamorphic Malware
Polymorphic Malware:
Changes its appearance (e.g., encrypted payload) with each infection to evade signature detection.
The underlying functionality remains unchanged.
Metamorphic Malware:
Rewrites its entire code structure during replication, completely altering its appearance.
Harder to detect as it lacks a consistent pattern
Why It Is Difficult to Respond to Botnet Attacks
Distributed Nature: Botnets operate across thousands of compromised systems, making them hard to take down.
Dynamic Infrastructure: Bots can reconnect to new command-and-control (C&C) servers, often using dynamic DNS or peer-to-peer networks.
Encrypted Communication: Modern botnets use encrypted traffic, concealing malicious commands from detection
Malware Analysis Methods
(a) Static Analysis:
Examines the malware code without executing it.
Advantages: No risk of infection, quicker for initial assessment.
Disadvantages: Obfuscated or packed malware may hinder analysis.
(b) Dynamic Analysis:
Observes malware behavior during execution in a controlled environment.
Advantages: Can identify runtime behavior, such as system changes and network activity.
Disadvantages: Requires safe and isolated environments (e.g., sandboxes)
Avoiding Dynamic Analysis:
Detecting virtualized environments.
Delayed execution to bypass time-limited analyses.
Using encrypted payloads to hide malicious behavior until specific conditions are met
