Ethical 11

Question 1

When a DDoS attack starts, which forensic tool can be used to stop the system from being flooded by packets?

Answer 1

Zombie Zapper tool

Question 2

A client has asked you for assistance with deploying DDoS countermeasures. What recommendations are valid?

Answer 2

• Egress filtering should be used to scan IP packets going out of a network, and should only be forwarded if packets meet predefined specifications.
• Handlers should be quickly detected and disabled to disrupt DDoS attacks.

Question 3

A client’s web host is currently experiencing a massive DoS attack from a specific source IP. What countermeasure(s) could be used to mitigate the effects of the DoS attack while minimizing the inconvenience to end users?

Answer 3

• Routers can be configured to drop packets with a specific destination address.
• ISPs can drop the transmission of falsely addressed packets within their controlled networks.

Question 4

Which tool used to create a DoS attack targets a vulnerability in Windows networking code that allows remote attackers to consume 100% of the CPU time?

Answer 4

Jolt2

Question 5

Your client has asked you to implement a decoy network with the intent to steer attacks away from more sensitive networks. What type of honeypot system is this?

Answer 5

High-interaction honeypot

Question 6

In which type of attack does an attacker typically use a botnet to send a large number of queries to open DNS servers?

Answer 6

Reflective DNS attack

Question 7

Once Agobot is in the system directory, where does it place autorun entries in the registry?

Answer 7

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Question 8

A SYN flood is an example of what mode of DoS attack?

Answer 8

Network Connectivity

Question 9

In which attack does an attacker deliberately sends an ICMP echo packet of more than the 65,536 bytes?

Answer 9

Ping of death

Question 10

In the second step of an Agobot attack, the Agobots can use network shares to infect other systems. Which method is the Agobot employing in this spreading stage?

Answer 10

Via the network

Question 11

Which of the following are software applications that run automated tasks over the internet?

Answer 11

Bots

Question 12

What two DDoS utilities are IRC based, and both provide the ability to use SYN attacks?

Answer 12

Knight

Kaiten

Question 13

Regarding an IRC based DDoS model versus an agent/handler model, what statements are accurate?

Answer 13

The IRC method enables simple file sharing capabilities for agent code allotment.

Legitimate IRC ports can be utilized for communication with agents.

Question 14

Which method can be an effective countermeasure against SYN attacks?

Answer 14

Decreasing the SYN RECEIVED time-out period

Question 15

A computer on your client’s network has been detected as running listening services on port 6667 and 33270. What DDoS tool is being utilized?

Answer 15

Trinity

Question 16

Which type of attack uses the TCP three-way handshake to create incomplete connections?

Answer 16

SYN

Question 17

What DoS tool can be used to generate random packets with spoofed source IPs?

Answer 17

Nemesy

Question 18

You are attempting to perform a DDoS attack utilizing forged UDP packets to link the echo service on one target machine with the character generator on another machine. What type of DDoS attack is this?

Answer 18

Fraggle attack

Question 19

What are the “secondary victims” of a DDoS attack called?

Answer 19

Zombies

Question 20

Which registry entry can be used to automatically start a program when Windows boots?

Answer 20

HKLM\Software\Microsoft\Windows\CurrentVersion\Run