Lesson 11.1 - 11.3 - Internet Worms, Spam & Denial of Service Flashcards

1
Q

What is a virus and how is it spread?

A
  • It's when a program's behavior is modified because of an “infection”
  • Spread by some user action/something the user did
  • MANUAL
2
Q

What is a worm?

A
  • Code that replicates itself across the network
  • Spread automatically by exploiting flaws in existing services/programs
  • AUTOMATIC
3
Q

What types of viruses are there and what does each type do?

A
  • Parasitic Virus - infects executable files
  • Memory-Resident Virus - infects running programs
  • Boot-Sector Virus - spreads when system is booted
  • Polymorphic Virus - self-encrypts its code using a randomly generated key and then makes modified copies of itself that do basically the same thing
4
Q

What does the worm lifecycle look like?

A
  • Discover/Scan for vulnerable hosts
  • Infect vulnerable machines through remote exploits
  • Remain undiscovered
5
Q

What was the first internet worm ever made?

A
  • Morris worm by Robert Morris in 1988
  • No malicious payload, but it exhausted resources
  • Spread through multiple vectors:
    • Cracking passwords with a small dictionary and remote execution
    • Buffer overflow
    • Debug command in sendmail
6
Q

What 3 major worms were released in the summer of 2001?

A
  • Code Red 1 version 2 - modern worm in IIS that spread from 1st to 20th of each month using random scan of IP address space. PAYLOAD was DNS attack on Whitehouse.gov
  • Code Red 2 - same as above but fixed random scan bug. Scanned nearby addresses. PAYLOAD was IIS backdoor
  • Nimda - Spread through multiple vectors (email, network shares, webpages, scanned for backdoors from Code Red)
7
Q

Fast-spreading worms use a high initial compromise rate. T/F

A

True

8
Q

How do we increase initial compromise rate?

A
  • Create a hit list, which is a list of vulnerable hosts
  • Permutation scanning: shared permutation of the IP address list. They start with their IP address and work down
9
Q

What was the Slammer worm?

A
  • Code fit in small UDP packet
  • Buffer overflow + random scanning
  • Connectionless! Meaning it wasn’t limited by latency, only by bandwidth
  • Didn’t have a payload, just caused resource exhaustion
10
Q

Since most spam ends up in a spam folder, why is spam still a problem?

A
  • Filters - someone has to design them and keep them up to date
  • Storage - they take up a lot of space
  • Security Problems - malware, phishing attacks
11
Q

How do we differentiate spam from “ham”?

A
  • Content-based filtering → easy to evade
  • IP address of sender (blacklisting)
  • Behavioral features (sent at the same time of day, etc.)
12
Q

How does IP Blacklisting work?

A

The sender has an IP address and the receiver can see that address, so when a message comes in from an unknown IP address the receiver can query a DNS blacklist and check whether that IP address has been blacklisted. If it hasn’t, the receiver accepts the message; if it has, the receiver won’t even accept the email.

13
Q

What are some behaviors we can track to help us filter spam?

A
  • Geographic location
  • Set of target recipients
  • Upstream ISPs
  • If a sender is a member of a Botnet
  • In a single packet
    • Distance between sender & receiver + AS
    • Density
    • Time of day
  • In a single message
    • # of recipients
    • Length of the message
  • In a group of messages
    • Variation in message length
14
Q

What is a surprise BGP Agility attack?

A
  • The attacker hijacks a BGP router
  • The attacker sends spam
  • Because the router has been hijacked, it can use an ephemeral (temporary) IP address, and the blacklist is rendered useless!
15
Q

What is SNARE?

A

A behavioral network spam filter that achieves a 70% detection rate

16
Q

What is a Denial of Service attack?

A
  • An attempt to exhaust resources like
    • Network bandwidth
    • TCP connections
    • Server resources
17
Q

What are some defenses against DoS attacks?

A
  • Ingress filtering
  • uRPF checks (reverse path filtering checks)
  • SYN cookies (TCP)
18
Q

What is Ingress filtering and what are the pros/cons of it?

A
  • It's a way to stop DoS attacks
  • If a “stub” router at an edge of the internet is attacking, we can just stop accepting connections from it
  • Doesn’t work in the core of the internet
19
Q

What is uRPF?

A
  • Reverse Path Filtering checks - It's a way to prevent DoS attacks
  • It essentially checks the path of the packets to determine the “truthfulness” of the packet’s source/destination
  • It requires symmetric routing, so it won’t work in asymmetric routing
20
Q

What are SYN cookies (TCP) good for?

A

They prevent the server from exhausting state after a TCP SYN by NOT allocating a buffer, but instead hashing a sequence value based on the packet's IPs and ports and then returning that sequence value.

If the initial sender acknowledges the sequence number in a follow-up, the SYN cookie is just hashed again to check it.

21
Q

What is Backscatter?

A
  • It is a way to infer DoS activity.
  • When an attacker spoofs the IP address