38 Cards in this Set

  • Front
  • Back
Most DoS attacks take advantage of this functionality of the UDP protocol
The most common DoS attacks use UDP echoes (Fraggle),
With this DoS attack, the attacker sends a flood of ICMP messages to a reflector or sets of reflectors, with the source IP address in the ICMP echo messages spoofed to the address of the actual victim device or devices. The reflectors then innocently reply to the echo messages, inadvertently sending the replies to the victim.
ICMP echo and echo replies (Smurf),
This command does not prevent a network from becoming the target of a Smurf attack; it merely prevents the network from "attacking" other networks, or, better said, taking part in a Smurf attack
no ip directed-broadcast command on your router's interfaces

Router(config-if)# no ip directed-broadcast

http://en.wikipedia.org/wiki/Smurf_attack
What is the difference between a Fraggle DoS attack and a Smurf attack?
The Fraggle DoS attack is similar to the Smurf attack, except that Fraggle uses UDP echo and echo reply messages instead of ICMP messages.
This command turns the following services off on Cisco routers. These services are commonly targeted by Fraggle attacks:

Echo: Echoes back whatever you type through the telnet x.x.x.x echo command.

Chargen: Generates a stream of ASCII data. Use the telnet x.x.x.x chargen command.

Discard: Throws away whatever you type. Use the telnet x.x.x.x discard command.

Daytime: Returns system date and time, if it is correct. It is correct if you run Network Time Protocol (NTP), or have set the date and time manually from the exec level. Use the telnet x.x.x.x daytime command.
Defeat a Fraggle attack by configuring the no service tcp-small-servers and no service udp-small-servers commands.
Which Cisco IOS command is used to examine the router's CPU utilization?
show processes cpu
needs question
The main difference between these two commands is that the log-input parameter displays the input interface of the received packet and the Layer 2 source address in the packet. In either situation, remember that using either of these two parameters disables this router feature, which seriously impacts the performance of the router. Therefore, use the log function to pinpoint the attack, including the victim and the attacker, and then remove the log or log-input parameters from your ACL statement(s).
CEF Switching
needs question
clearing the route cache to force packets to be process-switched
a network-layer switching method that switches packets at high speeds and captures statistics for traffic analysis. It is supported on IP and IP-encapsulated traffic types over a variety of interfaces, including interfaces with input ACLs.
NetFlow switching
Here is the basic configuration to enable NetFlow
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ip route-cache flow
This Cisco command enables NetFlow switching on a router's interface.
The ip route-cache flow command
This command causes the router to stop handling interrupt requests at the configured interval and handle other tasks. For example, you might set the value to 250 milliseconds, which tells the Cisco IOS to handle process-level tasks for no more than 250 milliseconds at a time.
Router(config)# scheduler interval #_of_milliseconds
With this configuration, interrupts are handled for 3 seconds, but for the next second, the router performs other tasks
scheduler allocate 3000 1000
an input function on an interface that can be set to check if the source address is reachable by the interface that received it, or is reachable by any interface. Unicast RPF is a defense against spoofing and DoS attacks
Unicast Reverse Path Forwarding (RPF)
The UDP small servers are:
Chargen, Echo, and Discard

Echo: Echoes the payload of the datagram you send.

Discard: Silently pitches the datagram you send.

Chargen: Pitches the datagram you send, and responds with a 72-character string of ASCII characters terminated with a CR+LF
To configure routers not to forward packets directed to broadcast addresses, enter this command
Router(config-if)# no ip directed-broadcast
Use this command on all interfaces connected to the Internet to prevent spoofed IP address attacks
Use the command "ip verify unicast source reachable-via rx" on all interfaces connected to the Internet to prevent spoofed IP address attacks
This is an example of?

access-list 152 permit tcp any host <web-server-ip> eq www
access-list 153 permit tcp any host <web-server-ip> eq www established

interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
rate limiting
This is an example of?

interface xy
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply
Using CAR to rate limit ICMP packets
This access list will filter all RFC 1918 addresses
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any

interface xy
ip access-group 101 in
Modular Quality of Service is enabled in these three steps
1. Classify the traffic (class map)
2. What will happen to the traffic (policy map)
3. Apply to an interface (service-policy)

Modular Quality of Service Command Line Interface (MQC) to apply the policing. To review this, it involves three steps. First, we classify the traffic that we want to impact (class-map). Second, we dictate what will happen with this traffic (policy-map), and third, we apply this policy to an interface in a specific direction (service-policy)
This awesome command allows you to confirm the constructs you have implemented of the MQC, and it also allows you to see just how many packets are being permitted and denied by this powerful protection mechanism
show policy-map interface serial 0/0
This access-list keyword indicates that packets belong to an existing connection if the Transmission Control Protocol (TCP) datagram has the Acknowledgment (ACK) or Reset (RST) bit set
The established keyword indicates that packets belong to an existing connection if the Transmission Control Protocol (TCP) datagram has the Acknowledgment (ACK) or Reset (RST) bit set
The TCP Intercept feature is configured with the following command:
ip tcp intercept list access-list-number
This Cisco security feature captures SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server. If the connection attempt is legitimate, the TCP Intercept device can then establish the connection between the client and the actual server in the protected network
TCP Intercept
What does the first number in the IOS "rate-limit" command represent?
Average rate in bits per second. The value must be in increments of 8 kbps.

rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action action exceed-action action
Displays information about rate-limit access lists that are configured on an IOS device.
show access-lists rate-limit
Displays information about CAR for an interface on an IOS device.
show interfaces rate-limit
What does the second number in the IOS "rate-limit" command represent?
burst-normal

Normal burst size in bytes. The minimum value is bps divided by 2000.

rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action action exceed-action action
What does the third number in the IOS "rate-limit" command represent?
burst-max

Excess burst size in bytes.

rate-limit {input | output} [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action action exceed-action action

http://www.cisco.com/en/US/docs/ios/12_0/qos/command/reference/qrcmdr.html#wp1017761
To configure committed access rate (CAR) and Distributed CAR (DCAR) policies, use this interface configuration command
rate-limit
This rate-limit keyword will set the IP precedence and transmit the packet.
set-prec-transmit new-prec
This rate-limit keyword will set the IP precedence and evaluate the next rate-limit command
set-prec-continue new-prec
All World Wide Web traffic is transmitted. However, the IP precedence for Web traffic that conforms to the first rate policy is set to 5. For nonconforming traffic, the IP precedence is set to 0 (best effort).
router(config)# access-list 101 permit tcp any any eq www

router(config-if)# rate-limit input access-group 101 20000000 24000 32000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
FTP traffic is transmitted with an IP precedence of 5 if it conforms to the second rate policy. If the FTP traffic exceeds the rate policy, it is dropped.
router(config)# access-list 102 permit tcp any any eq ftp

router(config-if)# rate-limit input access-group 102 8000000 16000 24000 conform-action set-prec-transmit 5 exceed-action drop
Any remaining traffic is limited to 8 Mbps, with a normal burst size of 16000 bytes and an excess burst size of 24000 bytes. Traffic that conforms is transmitted with an IP precedence of 5. Traffic that does not conform is dropped.
router(config-if)# rate-limit input 8000000 16000 24000 conform-action set-prec-transmit 5 exceed-action drop

Notice that the command does not reference an access-list.
What is meant by ip precedence?
Needs Answer