Lecture 9 Flashcards

1
Q

Define Intrusion Detection Systems

A

Intrusion Detection Systems monitor network traffic for malicious packets or patterns.

They are passive, i.e., they monitor only (and may raise an alarm) but do not filter or block traffic.

Just detect!

2
Q

Intrusion Prevention Systems

A

Unlike Intrusion Detection Systems, Intrusion Prevention Systems take action to filter or block malicious traffic.

They can disable a port / link or dynamically set rules to block the traffic flow.

3
Q

Define a Firewall:

  • How does it handle packets
  • Where are they placed within a network
A
  • Inspects packets entering or leaving a network/computer
  • Can be hardware or software
  • Hardware firewalls are usually placed between the LAN and WAN
  • Software firewalls are installed on the system itself and inspect packets in/out
  • Uses rules to allow or deny packets based on protocol fields - IP address, TCP/UDP, port, etc.
  • A content filter can inspect the data in a packet and filter out malicious content.
  • Blocks based on protocol or IP, optionally by time of day. Ex. block web browsing during 8-4 work hours.
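The rule evaluation a firewall performs, as an added example (not from the lecture): a first-match packet filter with allow/deny rules keyed on protocol, source/destination network, destination port and hour of day, including the "block web browsing during work hours" rule from the card. The addresses, ports and rule set are constructed for illustration, and the default when no rule matches is deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example, not lecture material: a minimal software-firewall style
# packet filter. Every address, port and rule here is a constructed sample.

@dataclass(frozen=True)
class Packet:
    src: str              # source IP
    dst: str              # destination IP
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None for ICMP
    hour: int             # local hour of day the packet was seen (0-23)

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: Optional[str] = None         # None matches any protocol
    src: Optional[str] = None           # CIDR the source must fall in; None = any
    dst: Optional[str] = None           # CIDR the destination must fall in; None = any
    dports: Optional[frozenset] = None  # destination ports; None = any
    hours: Optional[range] = None       # hours of day the rule is active; None = always

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.hours is not None and pkt.hour not in self.hours:
            return False
        return True

# Rules are evaluated top to bottom; the first match decides. A packet that
# matches no rule is denied (default deny), the safe choice for a firewall.
RULES: List[Rule] = [
    # A known-bad external network: drop everything from it, whatever the port.
    Rule("deny", src="203.0.113.0/24"),
    # Block web browsing (HTTP/HTTPS) from the LAN during 8-4 work hours.
    Rule("deny", proto="tcp", src="192.168.1.0/24",
         dports=frozenset({80, 443}), hours=range(8, 16)),
    # Outside those hours, allow web browsing from the LAN.
    Rule("allow", proto="tcp", src="192.168.1.0/24", dports=frozenset({80, 443})),
    # DNS lookups from the LAN are always allowed.
    Rule("allow", proto="udp", src="192.168.1.0/24", dports=frozenset({53})),
    # ICMP (ping) from the LAN is allowed so troubleshooting still works.
    Rule("allow", proto="icmp", src="192.168.1.0/24"),
]

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for pkt using first-match semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: nothing matched

if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "93.184.216.34", "tcp", 443, 10),   # browsing at 10:00 -> deny
        Packet("192.168.1.10", "93.184.216.34", "tcp", 443, 18),   # browsing at 18:00 -> allow
        Packet("192.168.1.10", "192.168.1.1", "udp", 53, 10),      # DNS lookup -> allow
        Packet("203.0.113.7", "192.168.1.10", "tcp", 22, 3),       # blocked network -> deny
        Packet("192.168.1.10", "93.184.216.34", "tcp", 8080, 18),  # no rule -> default deny
    ]
    for pkt in samples:
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto} "
              f"h={pkt.hour:2d} : {filter_packet(RULES, pkt)}")
```

Rule order matters: the work-hours deny has to sit above the general allow for ports 80/443, or the allow would match first and the time restriction would never apply. Real firewalls (iptables, pf, Windows Firewall) follow the same first-match or best-match logic, which is why a rule set should be read top to bottom when auditing it.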
4
Q

Honeypot (with a Host-based Intrusion Detection System)

A
  • A decoy server set up to lure potential attackers
  • Configured with a HIDS installed to log information about the attacker and the attack techniques.
  • The logs can be studied to set up proper countermeasures.
5
Q

VIRUS:

A
  • A program that replicates itself into other documents or programs
  • Designed to disrupt computer / network operations.
  • Needs the infected file to be opened or the program to be run before it becomes active (dormant until you open the file)
6
Q

Types of virus

A
  • Types
    - File infector – targets files, altering or deleting them
    - Boot sector – loads at system power-on and targets the boot sector
    - Macro – infects documents containing macros*.
    - Browser hijack / phishing – look-alike pages that redirect the browser to a different URL than intended. Precursor to Ransomware
7
Q

Anti-virus.

A
  • Keep a database of known viruses (signatures) and compare files against it
  • Also watch for suspicious patterns of behaviour, mostly for file/boot/macro viruses
8
Q

Worms

A
  • Unlike viruses, worms do not need to be attached to another file to spread.
  • Self-contained program that simply needs the computer to be connected to a network.
  • Spread via email or instant messaging
  • Performs similar destruction to a virus, with the main difference being how it spreads.
  • Worms are notorious for creating "backdoors" into a computer
  • Backdoor – a program that permits access into a computer, bypassing the normal authentication process.
  • Worms have historically caused damage valued in billions of dollars
9
Q

Spyware:

A
  • Allows monitoring of activities on a system by third parties
  • A noticeable, unexplained increase in network activity can be a sign
  • Not all are "bad": some only track your web activities in order to serve targeted advertisements (not always harmful); others capture login details
  • They do not install themselves like worms; instead they are installed by computer users, often mistakenly (just clicking OK.. OK.. OK without reading in full)
  • Installing free software - be wary of free music and movie sites!
10
Q

Spam

A
  • Mostly an annoying nuisance, such as unsolicited emails
  • Does not delete or damage files, rather just takes up storage space
  • Bloatware on laptops and phones could also be classified as a form of spam*
  • Be careful on the web and do not open strange emails or FREEBIES!!
11
Q

Denial of Service (DoS) :

A
  • An attempt to clog up or bottleneck network bandwidth with bogus traffic, thereby preventing legitimate users from accessing the network.

Ola used people loitering at a bank as an example.

12
Q

Packet storm (DoS)

A

– Uses UDP (connection-less, so no handshake is needed) and sends streams of UDP packets with a spoofed source address (another computer's address), so that the replies land on that computer and it can no longer respond to other traffic.

13
Q

Ping Flood (DoS)

A
  • A large number of PING (ICMP echo request) messages are sent to a host.
  • The host is kept busy responding to the PINGs. * An alternative is the SMURF ATTACK:
  • The attacker sends pings to a broadcast address using the IP address of another host in the network as the source address
  • All computers in the network then reply to the "victim host" (the one whose IP address was used)
  • The victim host is then overwhelmed with PING response traffic
14
Q

Half-open SYN

A
  • Exploits the 3-way handshake of TCP (SYN, SYN-ACK, ACK).
  • The attacker sends a series of SYN messages with spoofed (fake) source addresses to a server, as if to start conversations.
  • The server replies with SYN-ACK and keeps each half-open connection waiting for the final ACK, which never arrives from the fake source address.
  • When many SYNs are sent, the server can use up all available connection slots on these fake requests and be unable to deal with legitimate requests.
  • Timeouts for half-open connections can be specified to help deal with this
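How an IDS (card 1: monitor and raise an alarm, do not block) would spot the three DoS patterns on cards 12-14, as an added example that is not part of the lecture: half-open SYN counting per server, ICMP echo-request counting per host, and echo requests aimed at the LAN broadcast address, where the spoofed source is the real Smurf victim. The packet summaries are constructed in the block rather than captured, and the thresholds (20 half-open connections, 10 pings) are illustrative choices, not tuned values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Added example, not lecture material: IDS-style detectors for SYN flood,
# ping flood and Smurf over constructed packet summaries. Thresholds and
# addresses are illustrative.

def syn_flood_suspects(packets: List[dict], max_half_open: int = 20) -> Dict[str, int]:
    """Count half-open TCP connections per destination (server).

    A half-open connection is a SYN from (src, sport) never followed by the ACK
    that completes the 3-way handshake. Spoofed sources never answer, so a
    flood shows up as many half-open entries from many different sources."""
    half_open = defaultdict(set)  # dst -> {(src, sport)} still waiting for ACK
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"])
        if p["flags"] == "S":
            half_open[p["dst"]].add(key)
        elif p["flags"] == "A":
            half_open[p["dst"]].discard(key)  # handshake completed, slot freed
    return {dst: len(k) for dst, k in half_open.items() if len(k) > max_half_open}

def ping_flood_suspects(packets: List[dict], max_requests: int = 10) -> Dict[str, int]:
    """Count ICMP echo requests per destination host."""
    counts = defaultdict(int)
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == "echo-request":
            counts[p["dst"]] += 1
    return {dst: n for dst, n in counts.items() if n > max_requests}

def smurf_suspects(packets: List[dict], lan: str = "10.0.0.0/24") -> Dict[str, int]:
    """Echo requests sent to the LAN broadcast address: every host replies to
    the (spoofed) source, so the source address names the real victim."""
    bcast = ip_network(lan).broadcast_address
    victims = defaultdict(int)
    for p in packets:
        if (p["proto"] == "icmp" and p["type"] == "echo-request"
                and ip_address(p["dst"]) == bcast):
            victims[p["src"]] += 1
    return dict(victims)

def build_sample_traffic() -> List[dict]:
    """Constructed traffic for the demo, not a real capture."""
    pkts = []
    # Two legitimate handshakes to the web server: SYN then ACK from the same client port.
    for port in (40000, 40001):
        pkts.append({"proto": "tcp", "src": "10.0.0.20", "sport": port, "dst": "10.0.0.5", "flags": "S"})
        pkts.append({"proto": "tcp", "src": "10.0.0.20", "sport": port, "dst": "10.0.0.5", "flags": "A"})
    # SYN flood: 30 SYNs from 30 spoofed sources, none of which ever ACKs.
    for i in range(30):
        pkts.append({"proto": "tcp", "src": f"198.51.100.{i + 1}", "sport": 50000 + i,
                     "dst": "10.0.0.5", "flags": "S"})
    # Ping flood: 12 echo requests from one host to 10.0.0.7.
    for _ in range(12):
        pkts.append({"proto": "icmp", "type": "echo-request", "src": "198.51.100.9", "dst": "10.0.0.7"})
    # Smurf: 5 echo requests to the broadcast address with 10.0.0.20 as the spoofed source.
    for _ in range(5):
        pkts.append({"proto": "icmp", "type": "echo-request", "src": "10.0.0.20", "dst": "10.0.0.255"})
    # One ordinary ping, which should not trigger anything.
    pkts.append({"proto": "icmp", "type": "echo-request", "src": "10.0.0.21", "dst": "10.0.0.5"})
    return pkts

if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("SYN flood targets (half-open count):", syn_flood_suspects(traffic))
    print("Ping flood targets (requests):", ping_flood_suspects(traffic))
    print("Smurf victims (spoofed sources):", smurf_suspects(traffic))
```

Note what each detector keys on: the SYN detector counts connections that never completed rather than raw SYNs, so busy but healthy servers are not flagged, and the Smurf detector reports the source address, because in a Smurf attack the source field is the victim, not the attacker. An IPS (card 2) would take the same signals and add a rule to drop the traffic; an IDS only raises the alarm.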
15
Q

Distributed Denial of Service (DDoS) :

A
  • Use of multiple systems to carry out a DoS attack at the same time.
  • Often carried out by malware that was earlier installed on those systems, so they can be directed remotely
16
Q

Man-in-the-Middle Attack:

A
  • A type of attack where an attacker gets in between a client and server and can read or alter the traffic passing through.
17
Q

Man-in-the-Middle Attack Type:

WiFi Eavesdropping:

A
  • Attackers set up a legitimate-looking Wi-Fi access point and wait for users to connect their devices.
  • This is also commonly called an "Evil Twin"
  • Common in public places (coffee shops, parks) - you might connect to an open (no password) free Wi-Fi and the attacker is able to snoop/sniff on all packets going through the network
18
Q

Man-in-the-Middle Attack Type:

Session Hijacking:

A
  • Hijacking web sessions between clients and servers.
  • Commonly done by stealing browser cookies.
  • Cookies contain information that provides a good browsing experience, such as not having to re-login every minute.
  • Can contain login credentials (session tokens), online activities, pre-filled forms
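The server-side check that goes with this card, as an added example (not from the lecture): parse a Set-Cookie header and report the attributes whose absence makes a session cookie easy to steal or replay. Without HttpOnly a script injected into the page can read it, without Secure it is sent over plain HTTP where an eavesdropper (such as the Evil Twin on card 17) can sniff it, without SameSite it rides along on cross-site requests, and a long Max-Age keeps a stolen cookie usable for a long time. The sample headers and the 7-day lifetime limit are constructed choices.

```python
from typing import Dict, List, Tuple, Union

# Added example, not lecture material: audit a Set-Cookie header for the
# attributes that limit cookie theft. Sample headers and the lifetime limit
# below are constructed choices.

MAX_SESSION_AGE = 7 * 24 * 3600  # flag session cookies that live longer than a week

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split 'name=value; Attr; Attr=val' into name, value and an attribute dict
    (keys lower-cased; valueless attributes such as HttpOnly map to True)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs

def audit_session_cookie(header: str) -> List[str]:
    """Return the weaknesses relevant to session hijacking; empty list means OK."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts (e.g. injected via XSS) can read the cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP, where a sniffer can capture it")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("SameSite missing or None: cookie is attached to cross-site requests")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
        findings.append(f"Max-Age {max_age}s: a stolen cookie stays valid for a long time")
    return findings

# Constructed sample headers: the first is how many frameworks set a session
# cookie by default, the second is the hardened form.
WEAK = "sessionid=abc123; Path=/"
HARDENED = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", audit_session_cookie(hdr) or ["no findings"])
```

These attributes reduce how easily the cookie leaks; they do not help once an attacker already holds a valid one. That is why a short lifetime matters, and why servers should issue a fresh session identifier on login rather than keep the one the browser arrived with.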