Exam 2: Lesson 9 Flashcards
Lesson 9:
Determine which property of secure communication is violated in the event that a third-party pretends to be another entity on the network.
Group of answer choices
Confidentiality
Integrity
Authentication
Availability
Authentication
- When two parties are communicating, it is important to ensure that the two parties are who they say they are.
- For example, an intruder may try to steal information by impersonating another entity on the network. As a countermeasure against these attacks we use authentication mechanisms to verify the identity of a user.
Lesson 9:
Determine which property of secure communication is violated in the event that Trudy is able to access and modify the contents of a message between Alice and Bob. Select all that apply.
Group of answer choices
Confidentiality
Integrity
Authentication
Availability
Both are correct below:
Confidentiality
- We want to ensure that the message that is sent from the sender to the receiver is only available to the two parties.
- An attack scenario is that we have an intruder that can eavesdrop on the communication by sniffing or recording the exchanged messages.
- One measure to increase the chances that a communication is confidential is to encrypt the message so that even if the communication is intercepted, the message would be meaningless to the attacker.
Integrity
- It is important to ensure the message has not been somehow modified while in transit from the sender to the receiver.
- For example, an intruder could attack by modifying, inserting or deleting part of the messages sent. As a countermeasure, we can introduce mechanisms that check the integrity of the message.
Lesson 9 (T/F):
Round Robin DNS (RRDNS) is one of the “tools” that malicious parties can use to extend the time their content is accessible/hosted on the Internet.
True
Attackers have developed techniques that abuse the DNS protocol so as to extend the uptime of domains used for malicious purposes (e.g. Command and Control hosting infrastructure, phishing, spamming domains, hosting illegal businesses, illegal content). The ultimate goal of this abuse is to remain undetected for longer.
Lesson 9 (T/F):
Fast-Flux Service Networks (FFSNs) can be leveraged by malicious actors to extend the availability of a scam.
True
- The previous two strategies (Round Robin and DNS based Content Delivery) provide reliability, scalability and resilience, which is great for larger websites. However, this also benefits spammers.
- Since, with these techniques, a DNS request receives multiple A records (each containing a different IP address), it is harder to shut down online scams: as long as even one IP address is functional, the scam is still working.
- Similarly, spreading across several servers makes the shutdown of these scams more complex!
Lesson 9 (T/F):
Using the fast flux technique to extend the availability of a scam domain name makes it impossible for the scam to be taken down.
False
Similarly, spreading across several servers makes the shutdown of these scams more complex!
Lesson 9:
What is the main qualitative difference between rogue and legitimate networks?
Group of answer choices
The persistence of malicious behavior
The type of malicious behavior (e.g. scam hosting, Command and Control servers hosting etc.).
The persistence of malicious behavior
From notes:
- The key difference between rogue and legitimate networks is the longevity of malicious behavior.
- Legitimate networks are usually able to remove the malicious content within a few days whereas rogue networks may let the content be up for weeks to more than a year!
Lesson 9 (T/F):
The FIRE system takes primarily a reactive approach to infer network reputation, relying on monitoring IP blacklists.
True
- With data plane monitoring, a network is flagged as malicious only if it has a large enough concentration of blacklisted IPs. We flag a network as malicious only after we have observed indications of malicious behavior for a long enough period of time.
- For example, let’s say we have access to a blacklist and we observe a large number of IPs that belong to an AS to be blacklisted for spamming, phishing, hijacking, etc.
Lesson 9 (T/F):
ASwatch takes primarily a proactive approach to infer network reputation by monitoring the routing behavior of networks.
True
This topic discusses a complementary approach, ASwatch, which uses information exclusively from the control plane (i.e. routing behavior) to identify malicious networks. This approach also aims to detect malicious networks that are likely run by cyber actors (so-called bulletproof networks), rather than networks that may simply be badly abused.
Lesson 9:
How can a rogue network remain undetected by ASwatch (stay under the radar)?
Group of answer choices
By switching frequently to a different upstream provider.
By lowering the ratio of malicious IP addresses to the total owned IP addresses.
By maintaining a stable control plane behavior.
By maintaining a stable control plane behavior
- These networks, shown in red in the figures, are found to change upstream providers more aggressively than most legitimate networks; they are also found to have customer-provider or peering relationships with likely shady networks, rather than connecting directly with legitimate networks.
- These behaviors help the bulletproof network to remain unnoticeable for longer, and when complaints may start, the bulletproof network can simply change an upstream provider.
Lesson 9:
Determine which system monitors routing behavior to determine the legitimacy of a network.
Group of answer choices
FIRE
ASwatch
ARTEMIS
Stellar
ASwatch
ASwatch uses information exclusively from the control plane (i.e. routing behavior) to identify malicious networks. This approach also aims to detect malicious networks that are likely run by cyber actors (so-called bulletproof networks), rather than networks that may simply be badly abused.
Lesson 9:
Determine which system uses routing behavior to detect BGP hijacking attacks.
Group of answer choices
FIRE
ASwatch
ARTEMIS
Stellar
ARTEMIS
ARTEMIS is a system that is run locally by network operators to safeguard their own prefixes against malicious BGP hijacking attempts. The authors of the ARTEMIS paper (Sermpezis et al.) describe a self-operated manner of prefix hijacking detection.
Lesson 9 (T/F):
BGP Blackholing is a defense against prefix hijacking.
False
BGP blackholing is a countermeasure used to mitigate a DDoS attack.
Lesson 9 (T/F):
The BGP blackholing technique can only be applied for traffic related to specific applications.
False
One of the major drawbacks of BGP blackholing is that the destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped.
Lesson 9:
Consider the reflection and amplification attack as shown in the figure below.
[Figure: reflection-amplification attack]
Which IP address is being spoofed in this attack?
Group of answer choices
IP Address of the Victim
IP address of the Reflector
IP address of the Master
IP address of the Slaves
IP Address of the Victim
See screenshot in notes
Here, the master directs the slaves to send spoofed requests to a very large number of reflectors, usually in the range of 1 million. The slaves set the source address of the packets to the victim's IP address, thereby redirecting the responses of the reflectors to the victim. Thus, the victim receives responses from millions of reflectors, resulting in exhaustion of its bandwidth. In addition, the resources of the victim are wasted in processing these responses, making it unable to respond to legitimate requests. This forms the basis of a reflection attack. Let's consider the below figure.
Lesson 9:
Suppose that you are designing a detection system to detect DNS reflection and amplification attacks. To accomplish that you need access to:
Group of answer choices
Control plane data
Data plane data
Both control plane and data plane data
Data plane data
??? Get the reasoning for this!!!