Midterm 426 Flashcards
_____ defines list of reserved ports.
Internet Assigned Numbers Authority
Briefly explain TCP’s three-way handshake. (2 points)
- Each party selects Initial Sequence Number
- shows both parties are capable of receiving data
Briefly explain SYN flooding. (3 points)
- attacker sends many TCP SYN packets without responding to the SYN-ACK
- victim allocates resources
- once resources exhausted, requests from legitimate clients are denied
Briefly explain TCP Reset (RST) attack. (3 points)
- If the RST flag is set, the TCP connection is dropped
- Attackers can forge TCP packets from the sender with the RST flag set
- Must set the source IP and port, destination IP and port, and sequence number correctly
What is the RST attack used for?
To stop traffic.
Briefly explain what port scanning is. (2 points)
To determine: 1) hosts on a network and 2) services they run.
Briefly explain what SYN scanning is. (3 points)
- generates raw IP packets with the SYN flag set
- monitor responses
- but does not open full TCP connection
Briefly explain what UDP scanning is.
When a UDP port is not open, the system responds with an ICMP port unreachable message.
Briefly explain ACK scanning.
Determines if port is filtered or unfiltered by a firewall.
Briefly explain FIN scanning.
Closed ports reply to a FIN packet with the appropriate RST flag.
Briefly explain X-MAS scan.
Similar to FIN scan, but sends packets with FIN, URG, and PUSH flags turned on.
What is the easiest way to create custom packets?
Using hping3.
What is device fingerprinting?
Information collected about the software and hardware of a remote computing device for the purpose of identification.
What does the Internet Protocol allow networks and applications to do? (2 points)
Allows networks to interoperate.
Allows applications to function on all networks.
Briefly explain what IP spoofing (blind) is. (2 points)
Occurs when the attacker is not on the same subnet as the destination. Sends an IP packet with a source route specified.
Briefly explain what IP spoofing (non-blind) is. (3 points)
- Attacker needs to know the TCP sequence numbers used in the TCP segments to hijack a session
- With successful guesses of TCP sequence numbers, the attacker can send a properly constructed ACK segment to the destination
- If the attacker’s ACK segment reaches the destination before the originator’s, the attacker becomes trusted
Why is IP fragmentation perfect for resource exhaustion attacks? (3 points)
- Difficult reassembly (must keep track of all fragments until packet is reassembled)
- Resource allocation is necessary
- Lots of fragments
Mention some important fields of IP fragmentation. (3 points)
- Total length
- Fragment offset
- Fragment ID
What does ARP do?
Locates a host’s link-layer (MAC) address.
Briefly explain ARP spoofing. (3 points)
- Each ARP response overwrites the previous entry in the ARP table
- Forge ARP response
- Attacker impersonates the switch (Middle-person attacks)
Briefly mention the ARP spoofing defenses. (2 points)
- Smart switches that remember MAC addresses
- Switches that assign hosts to specific ports
What does DHCP do?
Dynamically assigns IP addresses to hosts in a network.
Which 4 types of messages does DHCP use?
Discover, Request (Client)
Offer, ACK (Server)
Briefly explain DHCP server spoofing. (3 points)
- Attacker operates a rogue DHCP server
- A user can blindly start a DHCP exchange with the attacker instead of the legitimate DHCP server on the network
- Host now has an IP address assigned not by the DHCP server, but by the attacker
Briefly explain DHCP starvation. (3 points)
Goal: exhaust the address space available to the DHCP server.
- Attacker sends a flood of fake DHCP Discover messages with spoofed MAC addresses
- All available IP addresses are then reserved
How does DHCP snooping protect the network from the man-in-the-middle attack? (4 points)
- DHCP server is connected to port Fa0/11
- Configure DHCP snooping to allow Offer/ACK messages only on this port
- The switch will accept Offer/ACK messages only on the ports that are configured as the allowed ports
- If it receives Offer/ACK messages on ports that are not configured as allowed ports, the messages are discarded
How does DHCP snooping prevent DoS attacks? (3 points)
- Maintains a record of all offered/leased IP addresses in the DHCP binding table
- When it receives a Discover/Request message on an untrusted port, it reads the MAC address of the message
- If it finds an entry in the DHCP binding table, it discards the message
What is a DNS zone?
A distinct part of the domain namespace which is delegated to a legal entity – a person, organization or company – responsible for maintaining the DNS zone.
What are some DNS record types? (6 points)
A: IPv4
AAAA: IPv6
CNAME: alias
MX: MTA
SOA: Authoritative info
TXT: notes + machine-readable data
What are the bailiwick rules? (3 points)
- Root servers can return any record
- TLD servers can return anything within that TLD
- ns.bank.com can return anything for bank.com
Briefly explain key exchange/management.
Allows A and B to agree on a shared (session) key, which is then used for communication during that session in an authenticated manner.
What are some attacks against RSA? (2 points)
- Probable message attack (encrypt all possible plaintext messages and compare). Solution: pad the plaintext messages with random padding
- Timing attacks. Recover the private key from the runtime of the decryption algorithm.
Digital signatures: expected to be ____ under ____.
existentially unforgeable; adaptive chosen-message attack
What attack can be used against DH?
Middle-person attack.
What are 3 ways of distributing public keys?
- Public announcement or public directory
- Public-key certificate
- Certificate Authority (CA)
X.509 certificates are used in ___ and ___.
IPsec; SSL/TLS
What is X.509 for? (2 points)
- specifies certificate directory service
- specifies a set of authentication protocols
What are some characteristics of certificate logs? (4 points)
- publicly auditable, append-only records of certificates
- anyone (including a CA) can submit certificates to a log
- anyone can query a log for a cryptographic proof
- the number of log servers is small
What do monitors do (CA)? (2 points)
- Periodically contact all of the log servers
- watch for suspicious certificates
What do auditors do (CA)? (2 points)
- Verify that the log is behaving properly
- verify that a particular certificate has been logged
What are some weaknesses of shared secret authentication? (2 points)
- Authentication is not mutual
- off-line password guessing attack (if the shared key is derived from a password)
What are some weaknesses of public key authentication? (2 points)
- the adversary can trick A into signing
- A must use a different key for authentication
How to avoid reflection attacks (web authentication)? (2 points)
- A and B must do different things
- the initiator should be the first to prove its identity
What are some limitations of a KDC issuing ticket E to B relayed through A? (2 points)
- the adversary can replay E
- must still be followed by mutual authentication using Kab
Briefly explain the smurf attack. (5 points)
- generate a fake Echo request containing a spoofed source IP
- the request is sent to an intermediate IP broadcast network
- the request is transmitted to all of the hosts in that network
- each host sends an ICMP response to the spoofed source address
- with enough ICMP responses forwarded, the target server is brought down