Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
44 Cards in this Set
- Front
- Back
|
Lets start off with some network attacks.
There are a couple so we'll begin with some terminology. What is TCP? |
TCP stands for Transmission Control Protocol, it is a way to communicate from one computer to another over an IP network. |
|
|
To establish a TCP connection what sort of method do you use? |
TCP-3-way handshake |
|
|
What is the TCP-3-way handshake process? |
1. Host A sends a TCP SYNchronize packet to Host B 2. Host B sends a SYNchronize-ACKnowledgement 3.Host A sends ACKnowledge 4.TCP socket connection is ESTABLISHED. |
|
|
What kind of DOS attack can be used against this handshake? |
SYN Flood attack |
|
|
How does the SYN Flood attack work? |
Hacker sends a large number of SYN packets and never acknowledge any of the replies. (Doesn't send ACK code)
Victim tries to establish TCP connection starting by sending SYN. This fails because all space for connections are allocated, leaving the victim without service. |
|
|
What are some countermeasures for the SYN flood attack? |
1.Filtering 2.Increasing Backlog 3.Reducing SYN-RECEIVED Timer 4.Recycling the Oldest Half-Open TCP 5.SYN Cache 6.SYN cookies 7.Hybrid Approaches 8.Firewalls and Proxies |
|
|
A DOS SYN Flood attack is between 2 hosts that effect everyone else, if I want to cripple the victims server (aka ONLY their computer) what would I do? |
Amplification Attack |
|
|
What is an Amplified Network Attack? |
exploit network protocol vulnerabilities to increase the traffic sent to a victim’s system
|
|
|
What is a type of Amplified Network (DOs) Attack? |
The Smurf Attack |
|
|
How does the Smurf Attack work? |
Back in the day Internet Control Message Protocol (ICMP) packets were used to check if computers on a LAN were alive (pinging). The attack works when the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on. |
|
|
Once Denial of Service attacks (Dos) slowly were stopped/came to a close what did hackers turn to? |
Distributed Denial of Service Attacks |
|
|
What is a Distributed Denial of Service attack? |
A brute force method, for example by sending floods of UDP packets from infected machines |
|
|
In DDoS, the attacker subverts a large number of machines over a period of time and, or on a given signal, these machines all start to bombard the target with traffic... What are these infected machines called? |
Botnets |
|
|
What is a botnet? |
a network of private computers infected with malicious software and controlled as a group without the owners' knowledge |
|
|
What is a DNS? |
Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers or machines, access websites based on IP addresses. |
|
|
what is an Amplified DNS attack? |
A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic. |
|
|
How does an amplified DNS attack work? |
A hacker will send queries with a forged IP address (the victim’s) to a DNS server, in turn, reply to that forged address, and overwhelm the victims system |
|
|
what is another form of an amplified DOS attack? |
Amplification Attacks using SNMP |
|
|
What is SNMP? |
Simple Network Management Protocol (SNMP) - a common network management protocol used for configuring and collecting information from network devices like servers, hubs, switches, routers and printers. |
|
|
How does the SNMP amplification attack work? |
The same as a DNS amplification attack, except it uses a SNMP instead of a DNS, whereby numerous connected devices will respond overwhelming the victims server |
|
|
In summary, the attacks discussed so far affected 1 of the three CIA triads. What attacks discussed affected Availability? |
DoS (Denial of Service) DDoS (Distributed Denial of Service) SYN Flood |
|
|
What attacks often rely on the need tolook up resources by some name or ID? |
Attacks on Confidentiality and Integrity |
|
|
What are three DNS attacks? |
1) ID Spoofing with Sniffing
2) Proving your own answer 3) DNS cache poisoning |
|
|
Explain ID spoofing with sniffing |
|
|
|
Explain "providing your own answer" DNS attack? |
1. Attacker floods local DNS server with hundreds of queriesfor www.CIBC.com 2. Attacker then floods DNS server with hundreds of spoofedreplies that appear to come from ns.cibc.com (CIBC’sauthoritative name server) 3. Local DNS server is now “poisoned” with false data |
|
|
What is DNS cache poisoning? |
DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). |
|
|
Explain cache poising steps (summary) |
-Attacker sends a request to your local DNS asking it to resolvewww.attacker.net -Your local DNS server queries ns.attacker.net for the data -ns.attacker.net replies, but also includes false information onwww.cnn.com -Your DNS server caches the false data on www.cnn.com |
|
|
Attacks are easy to be pulled off because certain network tools are available. Name one of them... |
shrinkwrapped |
|
|
What is ARP spoofing? |
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. |
|
|
How is a Bot recruited? |
Drive-by-download |
|
|
What is a Drive-by-download? |
A malicious program whichmisrepresents itself as useful,routine, or interesting in order topersuade a victim to inVstall it. |
|
|
What is the difference between a Trojan, a Worm and a Virus?
|
Trojan - a program thatdoes something malicious (such as capturing passwords) when run by anunsuspecting user Worm - something that replicates Virus - is aworm which replicates by attaching itself to other programs. |
|
|
What is a rootkit? |
a piece of softwarethat once installed on a machine surreptitiously places it under remotecontrol. |
|
|
What is an example of a dangerous trojan virus? |
Zeus |
|
|
What are the two major components of a virus/worm? |
A virus or worm typically has two components: 1) Replication Mechanism 2) Payload |
|
|
How does a worm execute it's replication mechanism? |
The worm located on the infected computer will scan the network (or internet) to locate computers with security flaw that have not been patched. Worm repeats cycle on that computer to locate more computers to infect |
|
|
How does a virus execute it's replication mechanism? |
thecommonest way for a virus to replicate was to append itself to an executablefile and patch itself in, so that the execution path jumps to the virus code andthen back to the original program. |
|
|
What is the payload of a virus/worm? |
Doing a certain number of malicious activities, usually activated after a trigger (ie. a certain date) |
|
|
What is a C&C server? |
command-and-control server (C&C server) is the centralized computer that issues commands to a botnet (zombie army) and receives reports back from the coopted computers. |
|
|
What kinds of C&C architectures are there? |
1. Traditional 2. Peer-2-peer |
|
|
What are fast-flux networks? |
a weapon against decapitation |
|
|
What are the two kinds of fast-flux?
|
Single Flux - multiple nodes register and deregister their IP addresseswith the same DNS name Double Flux - multiple nodes register and deregister their IP addresseswith Name Server records |
|
|
How would you detect malicious fast-flux networks? |
1. For single flux the logic would be One Domain - Large IP records in a day 2. For double flux the logic would be One Domain - Large NS records in a day 3. Correlation with the ANS data collection would give a clear picture of weather the Fast flux trigger is false positive or not |
|
|
How would you defend against botnets? |
• Prevent recruitment • patch vulnerabilities • intrusion detection / anti-malware measures • signature based • anomaly based • Detect and recover from malware• Take out C&C |
