Chapter 7 - Review 7.8

Define a reflection attack.
A reflection attack is when an attacker sends packets to a known intermediary service using a spoofed source address of the target system. The intermediary responds, and the response is then sent to the target. The intermediary system serves as the reflector and thus the name: reflection attack.
Chapter 7 - Review 7.9

Define an amplification attack.
An amplification attack is similar to a reflection attack in that it sends a packet with a spoofed source address of the target system to intermediaries. It differs from a reflection attack in that multiple response packets are sent for each original packet. By directing the original request to the broadcast address of a network, all hosts on that network can potentially respond to the request. This results in a large volume of responses that will overwhelm the target.
Chapter 7 - Problem 7.1

In order to implement the classic DoS flood attack, the attacker must generate a sufficiently large volume of packets to exceed the capacity of the link to the target organization. Consider an attack using ICMP echo request packets that are 500 bytes in size. How many of these packets per second must the attacker send to flood a target organization using a 0.5-Mbps link? How many per second if the attacker uses a 2-Mbps link? 10-Mbps?
Each packet = 500 bytes = 4000 bits
1 Mbps = 1,000,000 bits per second

0.5-Mbps: >= 125 packets per second
2.0-Mbps: >= 500 packets per second
10-Mbps: >= 2500 packets per second
Chapter 7 - Problem 7.2

Using a TCP SYN spoofing attack, the attacker aims to flood the table of TCP connection requests on a system so that it is unable to respond to legitimate connection requests. Consider a server system with a table for 256 connection requests. This system will retry sending the SYN-ACK packet five times when it fails to receive an ACK packet in response, at 30 second intervals, before purging the request from its table. Assume that no additional countermeasures are used against this attack and that the attacker has filled this table with an initial flood of connection requests. At what rate must the attacker continue to send TCP connection requests to this system in order to ensure that the table remains full? Assuming that the TCP SYN packet is 40 bytes in size, how much bandwidth does the attacker consume to continue this attack?
Total time a request stays in the table: 180 seconds (the initial 30 seconds plus 5 retry attempts at 30-second intervals)

Entry occupies table for 3 minutes

256 entries total.

256/3 = ~86 requests per minute

Each request is 40 bytes = 320 bits
27520 bits per minute or 459 bits per second.
Chapter 7 - Problem 7.3

Consider a distributed variant of the attack we explore in Problem 7.1. Assume the attacker has compromised a number of broadband-connected residential PCs to use as zombie systems. Also assume each such system has an average uplink capacity of 128 kbps. What is the maximum number of 500-byte ICMP echo request (ping) packets a single zombie PC can send per second? How many such zombie systems would the attacker need to flood a target organization using a 0.5-Mbps link, 2-Mbps link, and 10-Mbps link?
The maximum number of 500-byte ICMP echo request packets a single zombie PC can send per second is 32 packets per second.

500 byte message = 4000 bits
Uplink capacity of zombie = 128 kbps = 128,000 bits per second

128,000/4000 = 32 packets per second

~4 zombies to flood 0.5-Mbps
~16 zombies to flood 2-Mbps
~79 zombies to flood 10-Mbps
Chapter 7 - Problem 7.4

In order to implement a DNS amplification attack, the attacker must trigger the creation of a sufficiently large volume of DNS response packets from the intermediary to exceed the capacity of the link to the target organization. Consider an attack where the DNS response packets are 500 bytes in size. How many of these packets per second must the attacker trigger to flood a target organization using a 0.5-Mbps link? 2-Mbps link? 10-Mbps link? If the DNS request packet to the intermediary is 60 bytes, how much bandwidth does the attacker consume to send the necessary rate of DNS request packets for each of these three cases?
DNS Response packet = 500 bytes or 4000 bits

0.5-Mbps : 125 packets of DNS response
2-Mbps: 500 packets of DNS response
10-Mbps: 2500 packets of DNS response

DNS request = 60 bytes or 480 bits

0.5-Mbps: 60kbps uplink
2-Mbps: 240kbps uplink
10-Mbps: 1200kbps uplink
Chapter 8 - Review 8.6

What is the difference between anomaly detection and signature intrusion detection?
Anomaly detection uses the collection of data relating to behavior of users over a period of time. Tests are then applied to determine whether the behavior is normal or malicious. Signature detection defines a set of rules or patterns of attack that can be used to decide if behavior is malicious or not.

Anomaly Detection: Create a baseline (the user usually behaves like this), then look for deviations.

Signature: We know the following things are bad. They may or may not be deviations from the norm; we are looking for a specific pattern.
Chapter 8 - Problem 8.4

One of the non-payload options in Snort is flow. This option distinguishes between clients and servers. This option can be used to specify a match only for packets flowing in one direction (client to server or vice versa) and can specify a match only on established connections. Consider the following Snort rule:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS\ (msg: "ORACLE create database attempt:";\
flow: to_server, established; content: "create database"; nocase;\
classtype: protocol-command-decode;)

a.) What does the rule do?

b.) Comment on the significance of this rule if the Snort device is placed inside or outside of the external firewall.
a.) This rule is used to detect an attack at the TCP level. The rule's source is any external net at any port, and the direction operator tells Snort to read the address/port pairs as source followed by destination. The destination is the SQL servers and their associated Oracle ports. The rule will detect an attempt to create an Oracle database. The rule uses flow to match packets flowing to the server on an established connection, and a message content that signifies a database creation attempt. The class type indicates a protocol-command-decode.

b.) (Answer not entirely correct FYI) The rule is most significant if placed outside the firewall, as it will detect any outside traffic that attempts to enter the SQL server and create a database. If it were placed inside the firewall, its significance would diminish because there would not be as much traffic passing through the network firewall that the rule could detect when compared to being outside the firewall.
Chapter 9 - Review 9.5

What is the difference between a packet filtering firewall and a stateful inspection firewall?
A packet filtering firewall uses a set of rules that it applies to incoming and outgoing IP packets. Based on these rules, it will then discard or forward the packet. A stateful inspection firewall has tighter rules for TCP traffic. This is done by keeping track of the state of the TCP connections in a table while applying packet filtering as well.

Packet filtering firewall - Look at the packet: yes/no?

Stateful inspection firewall - More work, more powerful, additional state.
Chapter 9 - Problem 9.4

See table 9.5
Rule 1: Allow any traffic with a destination address of 192.168.1.0 and a port greater than 1023.

Rule 2: Deny traffic from 192.168.1.1 at any port to any address and any port.

Rule 3: Deny traffic from any address/port with a destination address of 192.168.1.1 at any port.

Rule 4: Allows traffic from 192.168.1.0 at any port with a destination of any address/port with the exception of the destination address 192.168.1.1 as it was denied by the previous rule.

Rule 5: Allows traffic from any source address/port with a destination of the SMTP port of 192.168.1.2 (mail port).

Rule 6: Allows any source to access the web port on 192.168.1.3 with the exception of 192.168.1.1 which was blocked in a previous rule.

Rule 7: Denies any source with a destination of any address/port, with the exception of the allowances stated above.
Chapter 9 - Problem 9.5

See 9.5 in textbook
a.)

Rule A - Allows incoming external TCP packets destined for the internal SMTP port.

Rule B - Allows internal outgoing TCP packets with an external destination and port higher than 1023.

Rule C - Allows outgoing TCP external packets with an internal destination and a port greater than 1023.

Rule D - Allows incoming TCP external packets with an internal destination and a port greater than 1023.

Rule E - Denies outgoing and incoming traffic from any source/destination on any protocol.

b.)
Packet 1 - permitted (rule A)
Packet 2 - permitted (rule B)
Packet 3 - permitted (rule C)
Packet 4 - permitted (rule D)

c.)
Yes, the attack will succeed. Both packets are permitted. This is because we are only filtering based on the destination port, not both source and destination port. Packet 5 falls under rule D. Packet 6 falls under rule B.
Chapter 9 - Problem 9.7

See in textbook
See answer to homework
Chapter 9 - Problem 9.11

See in textbook
See answer to homework
Chapter 10 - Review 10.2

List the three distinct types of locations in a process's address space that buffer overflow attacks typically target.
The three types of locations in a process's address space that buffer overflow attacks typically target are the stack, the heap, or the data section of the process.
Chapter 10 - Review 10.4

What are the two key elements that must be identified in order to implement a buffer overflow?
The two key elements that must be identified in order to implement a buffer overflow are: 1) Identify the vulnerability for a buffer overflow in a program that can result from data that is sourced externally and under the control of the attacker. 2) Know how the buffer is stored in the memory space of the process. This opens the possibility for memory corruption in adjacent locations as well as the potential to alter the execution flow of the program.
Chapter 10 - Review 10.9

Describe what a NOP sled is and how it is used in a buffer overflow attack.
A NOP sled is a series of NOP instructions that is used to move the CPU's execution flow to a desired destination. In a buffer overflow attack a NOP sled is used when the starting address of an attacker's code cannot be determined. If the return address to enter the attacker's code lands within the NOPs, the attack will still succeed because the machine will run through the NOPs until it hits the attacker's code.
Chapter 10 - Problem 10.3
answer
Chapter 10 - Problem 10.10
answer
Chapter 10 - Problem 10.11
answer