You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?
A. ip = 10.0.0.22
B. ip.src == 10.0.0.22
C. ip.equals 10.0.0.22
D. ip.address = 10.0.0.22
ip.src tells the filter to only show packets with 10.0.0.22 as the source.
Tess King, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Tess King attempting to perform?
A. Syn flood
C. Ping of death
Which one of the following instigates a SYN flood attack?
A. Generating excessive broadcast packets.
B. Creating a high number of half-open connections.
C. Inserting repetitive Internet Relay Chat (IRC) messages.
D. A large number of Internet Control Message Protocol (ICMP) traces.
A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.
Global deployment of RFC 2827 would help mitigate what classification of attack?
A. Sniffing attack
B. Denial of service attack
C. Spoofing attack
D. Reconnaissance attack
E. Port Scan attack
RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
What happens when one experiences a ping of death?
A. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 18 (Address Mask Reply).
B. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
C. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the source equal to destination address.
D. This is when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header is set to 5 (Redirect).
"A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offset where (IP offset * 8) + (IP data length) > 65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (because the buffer sizes are defined only to accommodate the maximum allowed size of the packet based on RFC 791)... IDS can generally recognize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset * 8) + (IP data length) > 65535." (CCIE Professional Development Network Security Principles and Practices by Saadat Malik, pg 414)
"Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
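The IDS rule quoted in that explanation, written out as an added example (not code from the cited books): it parses a raw IPv4 header and flags a last fragment whose (offset * 8) + data length exceeds 65535. The sample packets are constructed inline; source and destination addresses are arbitrary placeholders.

```python
import struct

ICMP_PROTOCOL = 1
MAX_IP_PACKET = 65535          # largest total length an IPv4 packet may have
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte header without options

def build_fragment(data_length, frag_offset_units, more_fragments, protocol=ICMP_PROTOCOL):
    """Constructed test packet: a 20-byte IPv4 header followed by zero-filled data.
    frag_offset_units is the fragment offset field in 8-byte units, as on the wire."""
    version_ihl = (4 << 4) | 5                      # IPv4, IHL = 5 words
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    header = struct.pack(IPV4_HEADER_FMT, version_ihl, 0, 20 + data_length, 0x1234,
                         flags_frag, 64, protocol, 0,
                         bytes([10, 0, 0, 22]), bytes([192, 0, 2, 1]))  # placeholder addresses
    return header + b"\x00" * data_length

def is_ping_of_death_fragment(packet):
    """Return True when a packet matches the quoted detection rule:
    protocol 1 (ICMP), last fragment, and (IP offset * 8) + (IP data length) > 65535.
    IPv4 has no explicit 'last fragment' bit; the last fragment is the one with
    the More Fragments (MF) flag clear."""
    if len(packet) < 20:
        return False
    (version_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, protocol, _csum, _src, _dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    if version_ihl >> 4 != 4:
        return False
    header_length = (version_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF               # in 8-byte units
    data_length = total_length - header_length      # this fragment's payload only
    if protocol != ICMP_PROTOCOL or more_fragments:
        return False
    return frag_offset * 8 + data_length > MAX_IP_PACKET

if __name__ == "__main__":
    # Oversized last fragment: 8189 * 8 + 48 = 65560 bytes after reassembly
    print(is_ping_of_death_fragment(build_fragment(48, 8189, False)))   # True
    # Ordinary last fragment of a 1580-byte echo request
    print(is_ping_of_death_fragment(build_fragment(100, 185, False)))   # False
```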
Which one of the following network attacks takes advantages of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?
C. Ping of Death
D. SYN flood
E. SNMP Attack
The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.
A denial of Service (DoS) attack works on the following principle:
A. MS-DOS and PC-DOS operating systems contain a weakness that can be compromised and permits them to launch an attack easily.
B. All CLIENT systems have a TCP/IP stack implementation weakness that can be compromised and permits them to launch an attack easily.
C. Overloaded buffer systems can easily address error conditions and respond appropriately.
D. Host systems cannot respond to real traffic if they have an overwhelming number of incomplete connections (SYN/RCVD state).
E. A server stops accepting connections from certain networks once those networks become flooded.
Denial-of-service (often abbreviated as DoS) is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web site. This can be done by exercising a software bug that causes the software running the service to fail (such as the "Ping of Death" attack against Windows NT systems), sending enough data to consume all available network bandwidth (as in the May 2001 attacks against Gibson Research), or sending data in such a way as to consume a particular resource needed by the service.
What happens during a SYN flood attack?
A. A target machine is flooded with TCP connection requests that use randomized source addresses and source ports for the TCP ports.
B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.
C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.
To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.
What is the term to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?
A. Fraggle Attack
B. Man in the Middle Attack
C. Trojan Horse Attack
D. Smurf Attack
E. Back Orifice Attack
Trojan Horse and Back Orifice are Trojan horse attacks. Man in the Middle spoofs the IP and redirects the victim's packets to the cracker. The infamous Smurf attack preys on ICMP's capability to send traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address. (Network Intrusion Detection, third edition, by Stephen Northcutt and Judy Novak, pg 70) The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".
What is the goal of a Denial of Service Attack?
A. Capture files from a remote computer.
B. Render a network or computer incapable of providing normal service.
C. Exploit a weakness in the TCP stack.
D. Execute service at PS 1009.
In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).