Lesson 9 - Internet Security Flashcards

1
Q

What are the properties of secure communication?

A
  1. Confidentiality
  2. Integrity
  3. Authentication
  4. Availability
2
Q

How does Round Robin DNS (RRDNS) work?

A

A method to distribute the load of incoming requests across several servers at a single physical location. The DNS server responds to a request with a list of A records and rotates the order of that list in a round-robin manner, so successive clients are directed to different servers.

3
Q

How does DNS-based content delivery work?

A

When accessing the name of the service using DNS, the CDN computes the ‘nearest edge server’ and returns its IP address to the DNS client.

4
Q

How do Fast-Flux Service Networks work?

A

A fucking complicated attack. Suggest answer.

Having multiple IP addresses associated with a domain name, and then constantly changing them in quick succession.

5
Q

What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?

A
  1. Botnet command and control providers
  2. Drive-by-download hosting providers
  3. Phish housing providers
6
Q

The design of ASwatch is based on monitoring global BGP routing activity to learn the control-plane behavior of a network. What are the two phases of this system?

A
  1. Training phase
  2. Operational phase

7
Q

ASwatch computes statistical models using which three features of each AS?

A
  1. Rewiring activity - frequent changes of providers and connections to less popular providers are suspicious.
  2. IP space fragmentation and churn - small BGP prefixes are suspicious.
  3. BGP routing dynamics - announcing prefixes for short periods is suspicious.
8
Q

BGP hijacking. What is the classification by AS-Path announcement?

A

An illegitimate AS announces the AS-path for a prefix for which it doesn't have ownership rights.
Type-0, Type-N, and Type-U are all AS-path hijacking.

9
Q

BGP hijacking. What is the classification by Data-Plane traffic manipulation?

A

In Data-Plane traffic manipulation, the intention of the attacker is to hijack the network traffic and manipulate the redirected network traffic on its way to the receiving AS.

10
Q

What are the causes or motivations behind BGP attacks?

A

  1. Human error
  2. Targeted attack
  3. High-impact attack

11
Q

What is prefix hijacking?

A

When a hijacker announces that it owns some or part of the prefixes owned by another AS.

12
Q

Explain the scenario of hijacking a path

A

The hijacker modifies the AS-path so that other ASes are more likely to route traffic through the hijacker.

13
Q

What are the key ideas behind ARTEMIS?

A
  1. Configuration file: all the prefixes owned by the network are listed here for reference. This file is populated by the network operator.
  2. Mechanism for receiving BGP updates: this allows receiving updates from local routers and from monitoring services. This is built into the system.
14
Q

For a system that protects against BGP hijacking attacks with less manual intervention, we need automated ways of mitigation from BGP hijacking attacks. The ARTEMIS system uses two automated techniques in mitigating these attacks. What are these techniques?

A
  1. Prefix deaggregation: announce more specific prefixes of the affected prefix (instead of 10.10.10.0/24, announce 10.10.10.0/25 and 10.10.10.128/25).
  2. Mitigation with Multiple Origin AS (MOAS): an external third party announces the hijacked prefix and routes the traffic to the correct location ("hijack the hijacker").
15
Q

Explain the structure of a DDoS attack

A

A Distributed Denial of Service (DDoS) attack is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves).

16
Q

What is spoofing?

A

IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server.

17
Q

Explain how DDoS reflection and amplification work.

A

The slaves of a master send requests to servers (reflectors) but set the source address to the victim's. The reflectors send their responses to the victim and overload its resources.

Amplification occurs when the reflectors send large responses to the victim. Not only does the victim receive traffic from millions of servers, but each response is large in size, making it even harder for the victim to handle.

18
Q

What are the defences against DDoS attacks?

A

  1. Traffic scrubbing services
  2. Access control list (ACL) filters
  3. BGP Flowspec
  4. BGP blackholing

19
Q

Explain provider-based black-holing.

A

The victim AS uses BGP to communicate the attacked destination prefix to its upstream AS, which then drops the attack traffic towards this prefix. Either the provider or the IXP advertises a more specific prefix and modifies its next-hop address so that the attack traffic is diverted to a null interface.

20
Q

Explain IXP black-holing.

A

In IXP black-holing, a victim's black-hole message is sent to all ASes that connect to the IXP. Those ASes in turn black-hole traffic directed to the specified IP.

21
Q

What is one of the major drawbacks of BGP black-holing?

A

The destination under attack becomes unreachable, since all the traffic, including the legitimate traffic, is dropped.

22
Q

What is a rogue network?

A

Networks whose main purpose is malicious activity such as phishing, hosting spam pages, hosting pirated software, etc.

23
Q

Describe ASwatch’s Training phase.

A
The system is given a list of known malicious and legitimate ASes, then learns the control-plane behavior typical of both types of ASes.
24
Q

Describe ASwatch’s Operational phase.

A
Given an unknown AS, the system calculates the features for this AS and uses the model to assign it a reputation score. If the AS receives a low reputation score for several days in a row, it is identified as malicious.
25
Q

ASwatch is based on monitoring global BGP routing activity to learn the _______-plane behavior of a network.

A

control

26
Q

What is a Type-0 hijacking?

A

Type-0 - an AS announces a prefix not owned by itself.

27
Q

What is a Type-N hijacking?

A

Type-N - an AS falsifies the path between AS1 and AS2 as going through ASn.
The N denotes the position of the rightmost fake link in the illegitimate announcement, e.g. {AS2, ASy, AS1 - 10.0.0.0/23} is a Type-2 hijacking.

28
Q

What is a Type-U hijacking?

A

In this attack the hijacking AS does not modify the AS-path but may change the prefix.

29
Q

How is spoofing used in DDoS attacks?

A

Spoofing is utilized in two ways:
In the first form, the source IP address is spoofed, so the server's response is sent to some other client instead of the attacker's machine. This wastes network resources and the client's resources, while also causing denial of service to legitimate users.

In the second form, the attacker sets the same IP address in both the source and destination IP fields. This results in the server sending the replies to itself, causing it to crash.