Section 15 - Network Attacks Flashcards

Question

Give the answer for the following information: Port Number - 443 Protocol - TCP/UDP -

Answer 1

Port Number - 443 Protocol - (HTTPS) Hyper Text Transfer Protocol Secure is used to transmit web page data to a client over an SSL/TLS encrypted connection TCP/UDP -TCP

Answer 2

Port Number - 445 Protocol - (SMB) Server Message Block is used to provide shared access to files and other resources on a network TCP/UDP - TCP

Answer 3

Port Number - 465/587 Protocol - SMTP with SSL/TLS is Simple Mail Transfer Protocol used to send email over the internet with an SSL and TLS secured connection TCP/UDP - TCP

Answer 4

Port Number - 514 Protocol - Syslog is used to conduct computer message logging, especially for routers and firewall logs TCP/UDP - UDP

Answer 5

Port Number - 636 Protocol - LDAP SSL/TLS is used to maintain directories of users and other objects over an encrypted SSL/TLS connection TCP/UDP - Both

Answer 6

Port Number - 860 Protocol - iSCSI is used for linking data storage facilites over IP TCP/UDP - TCP

Answer 7

Port Number - 989/990 Protocol - (FTPS) File Transfer Protocol Secure is used to transfer files from host to host over an encrypted connection TCP/UDP - TCP

Answer 8

Port Number - 993 Protocol - IMAP4 with SSL/TLS is used to receive email from a mail server over an SSL/TLS encrypted connection TCP/UDP - TCP

Answer 9

Port Number - 995 Protocol - (POP3 with SSL/TLS) is used to receive email from a mail server using an SSL/TLS encrypted connection TCP/UDP - TCP

Answer 10

Port Number - 1433 Protocol - (Ms-sql-s) Microsoft SQL server is used to receive SQL database queries from clients TCP/UDP - TCP

Answer 11

Port Number - 1645/1646 Protocol - (RADIUS alternative) Remote Alternative Dial-In User Service is used for authentication and authorization (1645) and accounting (1646) TCP/UDP - UDP

Answer 12

Port Number - 1701 Protocol - (L2TP) Layer 2 Tunnel Protocol is used as an underlying VPN protocol but has no inherent security TCP/UDP - UDP

Answer 13

Port Number - 1723 Protocol - (PPTP) Point to Point Tunneling Protocol is an underlying VPN protocol with built in security TCP/UDP - Both

Answer 14

Port Number - 1812/1813 Protocol - (RADIUS) Remote Authentication Dial-In User Service is used for authentication and authorization (1812) and accounting (1813) TCP/UDP - UDP

Answer 15

Port Number - 3225 Protocol - (FCIP) Fibre Channel IP is used to encapsulate Fibre Channel frames within TCP/IP packets TCP/UDP - Both

Answer 16

Port Number - 3260 Protocol - iSCSI Target is a listening port for a iSCSI targeted devices when linking data storage facilities over IP TCP/UDP - TCP

Answer 17

Port Number - 3389 Protocol - (RDP) Remote Desktop Protocol is used to remotely view and control other Windows systems via Graphical User Interface TCP/UDP - Both

Answer 18

Port Number - 3868 Protocol - Diameter is a more advanced AAA protocol that is a replacement for RADIUS TCP/UDP - TCP

Answer 19

Port Number - 6514 Protocol - Syslog over TLS it is used to conduct computer message logging, especially for routers and firewall logs, over a TLS encrypted connection TCP/UDP - TCP

Answer 20

Any port that is associated with a service or function that is non-essential to the operation of your computer or network

Answer 21

Any port represents a possible vulnerability that might be exposed

Answer 22

Scan their servers, their routers and their firewalls

Answer 23

1. The operating system's graphic user interface - To do this in Windows, open up the computer management console, select services and applications and then select services. Double click on what you want to turn off. 2. Command line interface - "C:\ net stop service" you can turn off a service by using the net stop command and the name of the service. On a Linux server, you can do this by entering sudo stop and the name of the service at the command line (ex. # sudo stop service) 3. Block the ports at your firewall, whether this is a software or a hardware-based firewall, or on the server itself.

Answer 24

Term used to describe many different attacks which attempt to make a computer or server's resources unavailable

Answer 25

1. Flooding Attacks 2. Ping of Death 3. the Teardrop 4. the Permanent Denial of Service attack 5. the Fork Bomb

Answer 26

A specialized type of DoS which attempts to send more packets to a single server or host than they can handle

Answer 27

1. Ping Flood 2. Smurf Attack 3. Fraggle 4. SYN Flood 5. Christmas Attack

Answer 28

An attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings)

Answer 29

This is like a Ping Flood but instead of trying to flood a server by sending out pings directly to it the attack instead tries to amplify this attack by sending a ping to a subnet broadcast address instead, using the spoofed IP of the target server. This causes all the devices on that subnet to reply back to the victimized server with those ICMP echo replies, and it's going to eat up a lot of bandwidth and processing power.

Answer 30

Attacks send a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets *** Fraggle attacks are uncommon today due to this ports generally being closed however, a UDP Flood Attack, which is a variant of Fraggle is still heavily used. It works basically the same but it uses different UDP ports.

Answer 31

Variant on a Denial of Service (DoS) attack where attacker initiates multiple TCP sessions but never completes the 3-way handshake

Answer 32

1. Flood guards 2. Time outs 3. IPS

Answer 33

These devices will detect when a SYN flood is being attempted and will block the request at the network boundary, freeing up the server.

Answer 34

A specialized network scan that sets the FIN, PSH, and URG flags and can cause a device to crash or reboot *** This will cause a device to crash or reboot anytime that packet's received because it's a nonstandard format. This name was given from the way the packets look inside of a protocol analyzer like Wireshark because all of the flags are turned on (looking like a Christmas Tree.)

Answer 35

An attack that sends an oversized and malformed packet to another computer or server *** When received, these systems wouldn't know what to do with it and they would crash. This is an older attack that modern operating systems aren't vulnerable to anymore. This was one of the first DoS attacks that was very effective in the field.

Answer 36

Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads and sends them to a victim machine. ** This attack gets its name because with enough "teardrops" you could form a puddle but this attack creates numerous smaller packets that can't be reformed into this larger puddle, and when they're trying to put those back together, the system simply crashes or reboots itself because it doesn't understand how to handle it.

Answer 37

Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware ** This is an attack which exploits a security flaw to permanently break a networking device by reflashing its firmware. This can cause a device to be unable to reboot itself because its operating system is overwritten. Also, a quick reboot won't bring the system back online hence its name.

Answer 38

Attack that creates a large number of processes to use up the available processing power of a computer ** This attack gets its name because a process is called a fork, and it can be forked into two processes, and then four processes and so on, until it eats up all of the resources. Now, some people think of this as a worm because of the self-replicating nature, but they're not a worm, because they don't infect programs, and they don't use the network to spread. Instead, Fork Bombs only spread out inside the processor's cache on a single computer that it's being attacked with, and it causes a Denial of Service attack, and a Denial of Service condition, which is why it's considered not to be a worm.

Answer 39

Any attack that causes a system to go offline, and to stop providing the service that it's really suppose to do to its real users or it can permanently cause a system to be broken

Answer 40

A group of compromised systems attack a single target simultaneously to create a Denial of Service (DoS) *** Usually, these machines that conduct the attack don't even realize that they're a part of it. Generally, they have become zombies or bots inside of a large botnet and then when they receive that command to attack they all simultaneously send all their payloads against a single victim.

Answer 41

Attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server *** This specialized attack allows an attacker to generate a high volume of packets that's intended to flood a victim's website by initiating DNS requests from a spoof version of the target's IP address. This causes the DNS servers to respond to that request and send the response back to the server, thinking that it's valid. Because a DNS request uses very little bandwidth to send, but the response usually takes up a lot more bandwidth, this allows the attack to be amplified against the victim's server.

Answer 42

1. Blackholing/Sinkholing 2. IPS (can prevent small scale DDoS) 3. Elastic Cloud Infrastructure (this infrastructure will scale up when demand increases allowing you to ride out an attack.)

Answer 43

Identifies any attacking IP addresses and routes all their traffic to a non-existent server through the null interface

Answer 44

Occurs when an attacker masquerades as another person by falsifying their identity

Answer 45

The best way is to user proper authentication, preferably multi-factor.

Answer 46

The exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer or server.

Answer 47

1. Session Theft 2. TCP/IP hijacking 3. Blind hijacking 4. Clickjacking 5. Man-In-The-Middle 6. Man-In-The-Browser 7. Watering Hole 8. Cross Site Scripting

Answer 48

Attacker guesses the session ID for a web session, enabling them to takeover the already authorized session of the client

Answer 49

Occurs when an attack takes over a TCP session between two computers without the needs of a cookie or other host access

Answer 50

Occurs when an attack blindly injects data into the communication stream without being able to see if it is successful or not

Answer 51

Attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page

Answer 52

Attack that causes data to flow through the attacker's computer where they can intercept or manipulate the data

Answer 53

Occurs when a trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser ** This is similar to a Man in the Middle attack except it's limited to your browser's web communication

Answer 54

Occurs when malware is placed on a website that the attacker knows his potential victims will access

Answer 55

Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated or delayed

Answer 56

Ensure that websites and devices are using session tokens to uniquely identify when an authentication session is occurring in addition to using multi-factor authentication

Answer 57

A connection to the Windows interprocess communications share (IPC$) ** This is an administrative share that you don't see as a normal user, but it allows computers across the network to send information that they know about files, folders, users, groups, computers and servers to each other.

Answer 58

These aren't really an actual type of attack but more of a conceptual method. It gets its names from the transitive property we learned back in math. Essentially, this says that A = B = C then A also equals C. For the exam, this is the idea of trust. If one network trusts a second network and the second network trusts the third network, then that first network really trusts the third network. So if an attacker can get into any one of those three networks, he can then get into the other two as well.

Answer 59

DNS Poisoning Unauthorized Zone Transfers Altered Hosts Files Domain Name Kiting

Answer 60

Occurs when the name resolution information is modified in the DNS server's cache

Answer 61

Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks

Answer 62

1. Secure DNS (DNSSEC) was created using encrypted digital signatures when passing DNS information between servers to help protect it from poisoning 2. Ensure you are running the latest patches and updates

Answer 63

Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks

Answer 64

Occurs when an attacker modifies the host files to have the client bypass the DNS server and redirects them to an incorrect or malicious website *** Every computer has a file on it called the host file. This is a plain text file and it contains IP addresses and names. This is a reference that the operating system is going to check every time a DNS lookup is requested prior to going to a DNS server.

Answer 65

It should always be set to read-only On a windows machine, your host file's located in the systemroot\system32\drivers\etc directory

Answer 66

Occurs when attacker redirects one website's traffic to another website that is bogus or malicious

Answer 67

Attack that exploits a process in the way a domain name is registered so that the domain name is kept in limbo and cannot be registered by an authenticated buyer ** You're normally given a five-day grace period when you're adding a domain name, but if you delete it before that five days is up and you re-add it again, the five day restarts. So this lets an attacker gobble up domain names without ever having to pay for them and they can be kept in a limbo state.

Answer 68

Address Resolution Protocol is for mapping an internet protocol address (IP address) to a physical machine address that is recognized in the local network *** used to convert IP address into a MAC addresss

Answer 69

Attack that exploits the IP address to MAC resolution in a network to steal, modify, or redirect frames within the local area network ** The concept here is that the attacker is going to associate their MAC address with the IP address of another device within their network. This way, whenever a router asks for the MAC address that's associated with that IP, they get the attacker's MAC address instead of the legitimate user's.

Answer 70

1. Set up good VLAN segmentation within your network 2. Set up DHCP snooping to ensure that IP addresses aren't being stolen and taken over by an attacker