Shared Flashcard Set

Details

CCIE Security 6
Attacks, Vulnerabilities, Exploits, Mitigation
28
Engineering
Professional
11/15/2009


Cards

Term
What are the common types of malware?
Definition

Virus - malicious code that attaches itself to a host program or file and replicates when the host is run, typically carrying a destructive payload

Worm - self-replicating code that spreads across the network on its own (no user action or host file needed), consuming host and bandwidth resources

Trojan horse - malicious program disguised as a legitimate file or application so that the user installs it; does not self-replicate

Spyware - covertly gathers information from the system (keystrokes, browsing habits, credentials) and reports it to the attacker

Hoax - social engineering: false warnings or chain messages that trick users into harmful actions (deleting system files, forwarding the hoax, installing "fixes")

Term
What are the characteristics of a DHCP starvation attack?
Definition

Flood of broadcast DHCP DISCOVER/REQUEST messages, each with a different spoofed client MAC (chaddr and frame source MAC), so the server leases out every address in its scope.

Goal is to exhaust the DHCP pool; the attacker then runs a rogue DHCP server that hands new clients its own address as default gateway and DNS server, giving a man-in-the-middle position.

(Mitigation: DHCP snooping with per-port rate limiting of DHCP messages and only the real server's port trusted, plus port security limiting MAC addresses per port)

Term

What are the two categories of network access attacks?

(Give examples)

Definition

Data access - unauthorized retrieval (or modification) of information the attacker is not entitled to read

Eg. privilege escalation, reading another user's files

System access - unauthorized access to system resources & devices (programs, cameras, etc.) that the attacker has no account on

Eg. malware, password attacks.

Term

What are the characteristics of a simple DoS aiming at resource exhaustion?

Give most common examples.

Definition

Single attacker sending a large number of packets, faster than the victim can process them, so CPU, memory (connection state) or bandwidth runs out. Source addresses are usually spoofed so the flood cannot be traced or blocked by source.

Most common examples: SYN flood (half-open connections exhaust the listen queue), ICMP (ping) flood, UDP flood

Term
Describe the ping of death attack.
Definition

Fragmented ICMP echo request whose last fragment carries an offset such that the reassembled datagram is larger than the 65535-byte maximum IP packet size (the limit of the 16-bit Total Length field).

Causes buffer overruns in the reassembly code of vulnerable stacks, crashing or hanging the host.

Term
Describe the Land (Land.c) attack.
Definition

Attacker sends a TCP SYN where

srcIP=dstIP=victim's host IP

and srcPort=dstPort (an open port on the victim)

Victim replies to itself and vulnerable TCP stacks lock up or loop on the bogus connection, exhausting CPU.

(Mitigation: drop inbound packets whose source address is your own address space, via ingress ACL or unicast RPF)

Term

Describe the Smurf attack.

(How can it be avoided?)

Definition

ICMP echo requests sent to the directed-broadcast address of an intermediary ("amplifier") network with a spoofed source, so that every host on that segment replies to the victim:

dstIP=directed broadcast of the amplifier subnet & srcIP=victim's spoofed IP

One request produces one reply per host, i.e. amplification.

(Avoided by disabling directed broadcasts on every router interface: no ip directed-broadcast, the default since IOS 12.0, plus ingress filtering of spoofed sources)

Term
Describe the Fraggle attack.
Definition
Same principle as Smurf but with UDP: a large amount of UDP traffic for the echo (port 7) and chargen (port 19) services sent to an IP broadcast address with the source address spoofed to the victim, so every responding host floods the victim. Same mitigation (no ip directed-broadcast, disable the small servers).
Term
Describe the Teardrop attack
Definition

Sending IP fragments whose offsets and lengths overlap (the second fragment starts inside the first) or whose declared sizes are inconsistent.

Capitalizes on bugs in the TCP/IP fragmentation & reassembly code (bad length arithmetic when trimming the overlap) to crash or compromise the OS.
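
The ping-of-death and teardrop cards above both describe fragment sets that a reassembly routine must refuse. The following is an added example, not part of the flashcard set: a toy IPv4 reassembler in Python that applies the two checks (offset plus length within 65535 bytes, no overlapping fragments). The fragment sets at the bottom are constructed for the example; nothing is sent on the network.

```python
# Added example (not from the flashcard set): a toy IPv4 fragment reassembler
# that rejects ping-of-death and teardrop style fragment sets instead of
# reassembling them. All fragment sets below are constructed by hand.

MAX_IP_LEN = 65535   # 16-bit Total Length field: no datagram may exceed this
FRAG_UNIT = 8        # the 13-bit Fragment Offset field counts 8-byte blocks


class FragmentError(ValueError):
    """A fragment set a hardened stack should drop rather than reassemble."""


def reassemble(fragments):
    """fragments: iterable of (offset_field, more_fragments, payload), the
    values a stack reads from each IPv4 header of one datagram.
    Returns the reassembled payload once every byte is present, None while
    pieces are still missing, and raises FragmentError for malformed sets."""
    pieces = []     # accepted (start, end, payload) byte ranges
    total = None    # datagram length, learned from the fragment with MF=0
    for offset_field, more, payload in fragments:
        start = offset_field * FRAG_UNIT
        end = start + len(payload)
        # Ping of death: offset + length pushes the datagram past 65535 bytes,
        # which overflowed the fixed 64 KiB reassembly buffer of vulnerable stacks.
        if end > MAX_IP_LEN:
            raise FragmentError(
                f"fragment ends at byte {end}, beyond the {MAX_IP_LEN}-byte IP limit")
        # Teardrop: a fragment overlapping an earlier one. The historical bug was
        # in the arithmetic that trimmed the overlap; dropping the whole set is
        # the safe choice (and what current Linux kernels do).
        for s, e, _ in pieces:
            if start < e and s < end:
                raise FragmentError(
                    f"fragment [{start},{end}) overlaps fragment [{s},{e})")
        if not more:
            if total is not None:
                raise FragmentError("two fragments claim to be the last one")
            total = end
        pieces.append((start, end, payload))
    if total is None:
        return None                     # last fragment not seen yet
    pieces.sort()
    out = bytearray()
    expected = 0
    for s, e, p in pieces:
        if s != expected:
            return None                 # hole: still waiting for a fragment
        out += p
        expected = e
    return bytes(out)


def is_malformed(fragments):
    """True if the stack would drop this fragment set."""
    try:
        reassemble(fragments)
        return False
    except FragmentError:
        return True


# Constructed sample fragment sets: (offset_field, more_fragments, payload)
NORMAL = [(0, True, b"A" * 1480), (185, False, b"B" * 20)]         # 1500-byte datagram
OUT_OF_ORDER = [(185, False, b"B" * 20), (0, True, b"A" * 1480)]   # same, last piece first
PING_OF_DEATH = [(0, True, b"\x08" * 8), (8189, False, b"\x00" * 100)]  # 8189*8+100 = 65612
TEARDROP = [(0, True, b"\x00" * 24), (1, False, b"\x00" * 16)]     # 2nd starts at byte 8

if __name__ == "__main__":
    print(len(reassemble(NORMAL)), len(reassemble(OUT_OF_ORDER)))
    for name, frags in (("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        try:
            reassemble(frags)
        except FragmentError as exc:
            print(f"{name}: dropped ({exc})")
```

Dropping an overlapping set outright is stricter than RFC 815 reassembly, which trims overlaps; the strict behaviour is the one a practitioner wants on a host that does not need to interoperate with stacks that legitimately retransmit overlapping fragments.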

Term
Describe the Banana attack.
Definition
Redirects a client's outgoing messages back to the client itself, so the client floods itself with its own traffic and cannot reach the real service.
Term
Describe the Pulsing zombie attack.
Definition
Compromised hosts (zombies) that ping or otherwise attack a host/network intermittently, in short bursts spread over time rather than as a continuous flood; service quality degrades and CPU/bandwidth are consumed, while the attack is harder to detect and trace than a constant flood.
Term
What are the common characteristics of DDoS attacks?
Definition

Distributed Denial of Service - launched simultaneously from a large number of compromised hosts rather than a single attacker, so the aggregate traffic overwhelms the victim and no single source can be blocked

Typical hierarchy:

attacker -> handlers/masters -> agents/zombies (slaves) -> victim

 

 

Term
Describe the BOINK attack.
Definition
CPU-intensive attack that sends a file as a stream of packets carrying 1 data byte each, out of sequence, forcing the host to spend cycles buffering and reassembling them.
Term
Describe the Chargen attack and how to mitigate it.
Definition

Attacker connects to the character-generator service (chargen, TCP or UDP port 19) on a host to make it emit an endless data stream; pointed at another host's echo service (port 7) with spoofed addresses, the two services loop traffic between them and saturate bandwidth and CPU.

Command used to test for it is: telnet <ip> chargen (i.e. telnet <ip> 19)

Mitigation on IOS (both are disabled by default in current releases):

no service udp-small-servers

no service tcp-small-servers

Term
Describe the Birthday Attack
Definition

Attacker prepares two documents with the same hash value: a benign one the victim is willing to sign and a fraudulent one (e.g. a contract with different terms). The victim signs the benign document; because a digital signature is computed over the hash, the same signature is also valid for the fraudulent document.

Based on the birthday paradox: for an n-bit hash a collision between any two of roughly 2^(n/2) candidate documents is likely, far fewer than the 2^n tries needed to match one specific hash. This is why hash output must be twice the intended security level (e.g. SHA-256 for 128-bit security).
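
The card above states the 2^(n/2) figure; the following is an added example, not part of the flashcard set, that carries it out: a birthday search over variants of a benign and a fraudulent document until both share the same truncated hash, then a stand-in signature check showing the signature transfers. The hash is SHA-256 truncated to a chosen number of bits so the search finishes in seconds; the two documents are made up for the example.

```python
# Added example (not from the flashcard set): birthday attack against a short
# hash. Documents, the truncation and the toy "signature" are assumptions made
# for the example, not part of any real signature scheme.
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, standing in for a short/weak hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variant(doc: bytes, i: int) -> bytes:
    """The i-th variant of a document: counter i spelled out as trailing
    space/tab characters, an invisible change that still alters the hash."""
    n = max(i.bit_length(), 1)
    return doc + bytes(0x20 if (i >> b) & 1 else 0x09 for b in range(n))


def find_collision(bits: int, benign: bytes, fraudulent: bytes):
    """Generate variants of both documents until a benign variant and a
    fraudulent variant share a truncated hash (about 2^(bits/2) of each).
    Returns (benign_variant, fraudulent_variant, hashes_computed)."""
    seen = {}                       # truncated hash -> (which_doc, variant_index)
    i = 0
    while True:
        for which, doc in ((0, benign), (1, fraudulent)):
            h = truncated_hash(variant(doc, i), bits)
            hit = seen.get(h)
            if hit is not None and hit[0] != which:
                j = hit[1]
                b_idx, f_idx = (i, j) if which == 0 else (j, i)
                return variant(benign, b_idx), variant(fraudulent, f_idx), 2 * i + which + 1
            seen[h] = (which, i)
        i += 1


def sign(doc: bytes, bits: int) -> int:
    """Stand-in for a signature scheme: the signer signs hash(doc), so any
    document with the same hash carries the same valid signature."""
    return truncated_hash(doc, bits)


BENIGN = b"I agree to pay $100 for the used laptop."         # constructed
FRAUDULENT = b"I agree to pay $10000 for the used laptop."   # constructed

if __name__ == "__main__":
    bits = 32
    good, bad, n = find_collision(bits, BENIGN, FRAUDULENT)
    print(f"{n} hashes computed for a {bits}-bit hash (~2^{n.bit_length() - 1}, not 2^{bits})")
    sig = sign(good, bits)                     # victim signs the benign variant
    print("signature also verifies fraudulent variant:", sign(bad, bits) == sig)
```

With 32 bits the search needs on the order of 2^16 hashes per document; doubling the hash length squares that cost, which is the point of the card. The full (untruncated) SHA-256 digests of the two variants still differ, so the collision exists only in the truncated bits.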

Term
What are the characteristics of the slammer worm?
Definition

Exploited a stack buffer overflow in the SQL Server 2000 Resolution Service (SQL Server 2000 and MS SQL Server Desktop Engine, MSDE 2000; patched in MS02-039 six months earlier) and caused DoS on hosts and networks through its scanning traffic alone; it carried no destructive payload.

Attacks UDP port 1434 (the resolution service)

Entire worm fit in one 376-byte UDP packet, so infection needed no handshake and it doubled its population roughly every 8.5 seconds (January 2003).

Term
What are the characteristics of the Code Red worm?
Definition

Attacked Windows hosts running the MS IIS web server via a buffer overflow in the Index Server ISAPI extension (idq.dll, MS01-033), then defaced sites and launched a DoS against a fixed address.

Attacks used TCP port 80: a single HTTP GET for /default.ida with an oversized query string carrying the exploit, so it is easy to spot in web logs.

Term
Describe the TTL Expiry Attack
Definition

Attack using a flood of packets whose IP TTL is chosen to reach 0 exactly at the targeted router (TTL = hop count to the router). Each expiring packet must be punted to the CPU, which generates an ICMP Time Exceeded (type 11) reply to the (usually spoofed) source.

This creates a DoS against the router's control plane, as generating the ICMP response in software takes far more CPU than forwarding the packet in hardware.

(Mitigation: control-plane policing (CoPP) to rate-limit TTL-expiry punts, plus ingress filtering of spoofed sources)

Term
What is the purpose of ingress(/egress) filtering? What standards does it come from?
Definition

RFC 2827 = BCP 38 (extended for multihomed networks by RFC 3704 = BCP 84)

Technique to filter packets at the network edge: ingress filtering drops packets arriving from a customer or stub network whose source address is not within the prefix assigned to that network (egress filtering does the same for packets leaving your own network), preventing IP spoofing and the DDoS and reflection attacks that depend on it.

On IOS implemented with an extended ACL on the edge interface or with unicast RPF (ip verify unicast source reachable-via rx).

Term

What is the purpose and characteristics of SYN Cookies?

Definition

Technique against SYN flood attacks

Particular choice of the server's initial TCP sequence number: instead of being random, the ISN in the SYN-ACK encodes a coarse timestamp, the client's MSS and a keyed hash of the connection 4-tuple.

Allows the server to avoid dropping connections when the SYN queue fills up: the server sends the SYN-ACK to the client but discards the SYN queue entry. If it receives the subsequent ACK from the client, it recomputes the hash from the acknowledged number (cookie + 1) and, if it matches, reconstructs the entry.

(Caveat: TCP options not encoded in the cookie, e.g. window scaling and SACK, are lost, so cookies are normally used only once the queue overflows)
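
The card above describes the mechanism; the following is an added example, not part of the flashcard set, implementing SYN cookies in the classic layout (5 bits of a coarse time counter, 3 bits encoding the client's MSS, 24 bits of keyed hash) and simulating the three-way handshake with the server holding no state between SYN and ACK. The secret key, the MSS table and the addresses and ports are assumptions made for the example.

```python
# Added example (not from the flashcard set): SYN cookie generation and
# verification. SECRET, MSS_TABLE and all addresses/ports are made up here.
import hashlib
import hmac

SECRET = b"per-boot server secret (assumed)"   # a real host uses os.urandom at boot
MSS_TABLE = (536, 1300, 1440, 1460)            # representative MSS values, index fits in 3 bits
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, dst_ip, sport, dport, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, client_mss, counter):
    """Server ISN to place in the SYN-ACK. `counter` ticks once per 64 s."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):        # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    return (((counter & 31) << 27) | (mss_idx << 24)
            | _mac24(src_ip, dst_ip, sport, dport, client_isn, counter)) & MASK32


def check_cookie(src_ip, dst_ip, sport, dport, seq, ack, counter):
    """Validate the client's final ACK: seq = client_isn + 1, ack = cookie + 1.
    Returns the MSS to use for the rebuilt connection, or None if the cookie
    is forged, tampered with, or older than one counter tick."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    stamp = cookie >> 27
    mss_idx = (cookie >> 24) & 7
    if mss_idx >= len(MSS_TABLE):
        return None
    for cand in (counter, counter - 1):        # current and previous tick are acceptable
        if (cand & 31) == stamp and (cookie & 0xFFFFFF) == _mac24(
                src_ip, dst_ip, sport, dport, client_isn, cand):
            return MSS_TABLE[mss_idx]
    return None


def handshake(client_ip, server_ip, sport, dport, client_isn, client_mss,
              counter, tamper=0, delay=0):
    """Simulate SYN -> SYN-ACK -> ACK with a cookie. Returns the MSS the server
    accepts or None. `tamper` XORs bits into the ACK number, `delay` is how
    many counter ticks pass before the ACK arrives."""
    # SYN arrives: server answers with the cookie as its ISN and forgets everything
    cookie = make_cookie(client_ip, server_ip, sport, dport, client_isn, client_mss, counter)
    # ACK arrives: acknowledges cookie + 1 and carries the client's ISN + 1
    seq = (client_isn + 1) & MASK32
    ack = ((cookie + 1) ^ tamper) & MASK32
    return check_cookie(client_ip, server_ip, sport, dport, seq, ack, counter + delay)


if __name__ == "__main__":
    args = ("198.51.100.7", "192.0.2.20", 40000, 80, 123456, 1460, 1000)
    print("valid ACK   ->", handshake(*args))            # 1460
    print("tampered    ->", handshake(*args, tamper=1))  # None
    print("one tick old->", handshake(*args, delay=1))   # 1460
    print("two ticks   ->", handshake(*args, delay=2))   # None
```

On Linux the equivalent is net.ipv4.tcp_syncookies=1, which (as the card's caveat says) only activates when the listen queue overflows, because the cookie has no room for window scaling, SACK or timestamps.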

Term
What solutions does Anti-X refer to?
Definition
Refers, as a whole, to the various anti-virus, anti-spyware, anti-spam and anti-phishing solutions (content-security features bundled on a security appliance)
Term

What is the purpose of:

1. dynamic access lists (aka lock-and-key)

2. time-based access lists

3. reflexive access lists

Definition

1. Create specific, temporary openings in the ACL in response to a user authenticating (telnet/ssh to the router); the entry is removed after an idle or absolute timeout.

2. Create openings that are active only during configured time ranges (e.g. business hours).

3. Temporary entries permitting return traffic for sessions initiated from the inside, matched on IP upper-layer (TCP/UDP) session information (addresses and ports); nested in an extended named ACL applied to the interface and removed when the session ends or times out.

Term

What does the "established" option signify at the end of an access list?

eg. access-list xxx permit ... tcp established

Definition

A match occurs if the TCP segment has the ACK or RST control bit set, i.e. it belongs to an already established connection.

Blocks the initial TCP segment used to form a connection (a bare SYN), so only return traffic for sessions initiated from the protected side is permitted.

(Caveat: it is stateless; any packet with ACK set matches, e.g. ACK scans, so it is not a substitute for stateful inspection or reflexive ACLs)
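
The Land, Smurf, directed-broadcast, ingress/egress filtering (BCP 38) and "established" cards all describe stateless checks a border router applies per packet. The following is an added example, not part of the flashcard set, that applies those checks in Python to a few constructed packets. The topology (an inside network 192.0.2.0/24 behind the router), the addresses, ports and packets are assumptions made for the example.

```python
# Added example (not from the flashcard set): stateless border checks from the
# Land, Smurf/directed-broadcast, BCP 38 and "established" cards. The inside
# prefix, addresses, ports and sample packets are made up for the example.
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # assumed inside prefix
SYN, RST, ACK = 0x02, 0x04, 0x10                 # TCP flag bits


def inspect(pkt, direction):
    """pkt: dict with src, dst, proto ('tcp'/'udp'/'icmp') and, for TCP,
    sport, dport, flags. direction: 'in' = arrived on the outside interface,
    'out' = arrived from the inside network. Returns (action, reason)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])

    # Land: src == dst; the victim would open a connection to itself.
    # No legitimate packet crossing a router looks like this.
    if src == dst:
        return "drop", "land"

    if direction == "out":
        # BCP 38 egress: nothing leaves with a source we don't own, so our hosts
        # cannot take part in spoofed floods or reflection attacks.
        if src not in INSIDE:
            return "drop", "bcp38-egress spoofed source"
        return "permit", "ok"

    # BCP 38 ingress: our own addresses can never legitimately arrive from outside.
    if src in INSIDE:
        return "drop", "bcp38-ingress spoofed source"
    # no ip directed-broadcast: refuse to be a smurf/fraggle amplifier.
    if dst == INSIDE.broadcast_address:
        return "drop", "directed-broadcast"
    # 'established': inbound TCP only if ACK or RST is set, i.e. return traffic
    # for a session the inside initiated. A bare SYN from outside is blocked.
    if pkt["proto"] == "tcp" and not pkt.get("flags", 0) & (ACK | RST):
        return "drop", "tcp not established"
    return "permit", "ok"


# Constructed sample packets: (description, packet, direction)
SAMPLES = [
    ("land SYN at inside host",
     {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp",
      "sport": 139, "dport": 139, "flags": SYN}, "in"),
    ("smurf: ICMP echo to our broadcast, source = victim",
     {"src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp"}, "in"),
    ("inside host spoofing an outside source",
     {"src": "203.0.113.5", "dst": "198.51.100.1", "proto": "udp",
      "sport": 53, "dport": 53}, "out"),
    ("outside SYN to inside web server",
     {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp",
      "sport": 40000, "dport": 80, "flags": SYN}, "in"),
    ("return traffic for inside-initiated session",
     {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp",
      "sport": 443, "dport": 51000, "flags": ACK}, "in"),
]


def run_samples():
    """Return [(description, action, reason)] for the constructed packets."""
    return [(desc, *inspect(pkt, direction)) for desc, pkt, direction in SAMPLES]


if __name__ == "__main__":
    for desc, action, reason in run_samples():
        print(f"{action:6} {reason:30} {desc}")
```

The order of the checks matters: the Land test comes first because a Land packet aimed at an inside host would otherwise be logged merely as a BCP 38 violation, hiding what it actually was.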

Term

What is the purpose of pvlans?

 

What problems does it resolve?

Definition

Private VLANs - restrict L2 communication between ports within the same VLAN/subnet: isolated ports can talk only to promiscuous ports (e.g. the gateway), community ports also to each other, without having to give every host its own subnet

Resolves attacks between hosts on the same segment, notably ARP spoofing (attacker uses gratuitous ARP to claim another host's or the gateway's address in order to see its traffic or cause a DoS): isolated hosts cannot send frames to each other at all.

(Caveat: a router on the promiscuous port will still forward traffic between two isolated hosts unless an ACL on the router denies it, the "proxy" attack)

Term
What is directed broadcast and how should it be secured?
Definition

Allows a router to forward a packet addressed to the broadcast address of a directly attached subnet (e.g. 192.0.2.255) as a L2 broadcast to all devices on that subnet.

Feature should be disabled on every interface to prevent the subnet being used as a smurf/fraggle amplifier and to stop broadcast packet floods.

no ip directed-broadcast (default since IOS 12.0)

Term
What is the purpose of dynamic arp inspection and how does it work?
Definition

Protects against ARP cache poisoning (ARP spoofing leading to man-in-the-middle or DoS).

The switch intercepts every ARP request and reply on untrusted ports and validates it before forwarding it or letting it update any ARP cache: the sender MAC/IP pair is checked against the IP-to-MAC bindings in the trusted database built by DHCP snooping and against user-configured ARP ACLs (for hosts with static addresses). Invalid ARPs are dropped and logged; trusted ports (uplinks to other switches) are not inspected. Optionally it also verifies that the Ethernet source MAC matches the ARP sender MAC. ARP on untrusted ports is rate-limited (15 pps by default) so the inspection itself cannot be flooded.
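
The following is an added example, not part of the flashcard set, showing the validation the card describes in Python over constructed ARP frames: trusted ports pass, the Ethernet source must match the ARP sender MAC, and the sender MAC/IP pair must be in either the ARP ACL or the DHCP snooping binding for that VLAN and port. The binding table, ARP ACL, port names and addresses are all assumptions made for the example.

```python
# Added example (not from the flashcard set): Dynamic ARP Inspection checks.
# Bindings (as DHCP snooping would have learned them), the ARP ACL, port names
# and addresses below are made up for the example.

# DHCP snooping binding table: (vlan, port, mac) -> ip
BINDINGS = {
    (10, "Gi1/0/5", "00:00:5e:00:53:05"): "10.0.10.5",
    (10, "Gi1/0/6", "00:00:5e:00:53:06"): "10.0.10.6",
}
# ARP ACL for hosts with static addresses (here: the default gateway)
ARP_ACL = {"00:00:5e:00:53:01": "10.0.10.1"}
# Uplinks to other switches: frames are trusted and not inspected
TRUSTED_PORTS = {"Gi1/0/1"}


def inspect_arp(frame):
    """frame: dict with vlan, port, eth_src (Ethernet header), sender_mac and
    sender_ip (ARP body) and op ('request'/'reply'). Returns (action, reason)."""
    if frame["port"] in TRUSTED_PORTS:
        return "permit", "trusted port"
    # 'ip arp inspection validate src-mac': Ethernet source must match ARP sender MAC
    if frame["eth_src"].lower() != frame["sender_mac"].lower():
        return "drop", "src-mac mismatch"
    mac, ip = frame["sender_mac"].lower(), frame["sender_ip"]
    # ARP ACLs are consulted first (static hosts), then the DHCP snooping bindings.
    # The binding is per VLAN and port, so a MAC/IP pair learned on one port does
    # not authorise the same pair arriving on another.
    if ARP_ACL.get(mac) == ip:
        return "permit", "arp acl"
    if BINDINGS.get((frame["vlan"], frame["port"], mac)) == ip:
        return "permit", "dhcp snooping binding"
    return "drop", "no binding for sender"


# Constructed ARP frames: (description, frame)
SAMPLES = [
    ("legit reply from host .5",
     {"vlan": 10, "port": "Gi1/0/5", "eth_src": "00:00:5e:00:53:05",
      "sender_mac": "00:00:5e:00:53:05", "sender_ip": "10.0.10.5", "op": "reply"}),
    ("gateway answering from its static address",
     {"vlan": 10, "port": "Gi1/0/2", "eth_src": "00:00:5e:00:53:01",
      "sender_mac": "00:00:5e:00:53:01", "sender_ip": "10.0.10.1", "op": "reply"}),
    ("host .6 claims to be the gateway (gratuitous ARP)",
     {"vlan": 10, "port": "Gi1/0/6", "eth_src": "00:00:5e:00:53:06",
      "sender_mac": "00:00:5e:00:53:06", "sender_ip": "10.0.10.1", "op": "request"}),
    ("host .6 forges host .5's MAC and IP on its own port",
     {"vlan": 10, "port": "Gi1/0/6", "eth_src": "00:00:5e:00:53:05",
      "sender_mac": "00:00:5e:00:53:05", "sender_ip": "10.0.10.5", "op": "reply"}),
    ("host .6 forges host .5's MAC only in the ARP body",
     {"vlan": 10, "port": "Gi1/0/6", "eth_src": "00:00:5e:00:53:06",
      "sender_mac": "00:00:5e:00:53:05", "sender_ip": "10.0.10.5", "op": "reply"}),
    ("reply arriving on the uplink",
     {"vlan": 10, "port": "Gi1/0/1", "eth_src": "00:00:5e:00:53:77",
      "sender_mac": "00:00:5e:00:53:77", "sender_ip": "10.0.10.77", "op": "reply"}),
]


def run_samples():
    """Return [(description, action, reason)] for the constructed frames."""
    return [(desc, *inspect_arp(frame)) for desc, frame in SAMPLES]


if __name__ == "__main__":
    for desc, action, reason in run_samples():
        print(f"{action:6} {reason:24} {desc}")
```

The fourth sample is the case DAI catches that a plain ARP ACL would not: the MAC/IP pair is valid, but the DHCP snooping binding ties it to port Gi1/0/5, so the same pair sent from Gi1/0/6 is dropped. Marking a port trusted therefore has to be limited to uplinks; a host on a trusted port is uninspected.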

Term

What is the purpose of DNSSec?

 

How does it work?

Definition

DNS Security Extensions (RFC 4033-4035)

Detect forged DNS responses (spoofing) and cache poisoning on resolvers, so a client cannot be redirected to an attacker's address by a faked answer.

Adds data origin authentication and integrity protection: each zone signs its record sets (RRSIG) with a private key, publishes the public key in the zone (DNSKEY) and has its key hash (DS) signed by the parent zone, forming a chain of trust up to a configured trust anchor (the root key); a validating resolver verifies every answer along that chain and rejects failures.

(Caveat: provides no confidentiality, and the last hop between a stub client and its resolver is unprotected unless the client validates too)

Term
What are the characteristics of TCP intercept?
Definition

IOS feature that intercepts TCP connection requests matching an extended ACL (source any, destinations = the servers to protect).

Intercept mode (default) - the router completes the three-way handshake with the client on the server's behalf and only then opens the connection to the server, so half-open connections never reach the server.

Watch mode - connection requests are allowed to pass through, but the router resets any that do not reach ESTABLISHED within 30 seconds (ip tcp intercept watch-timeout).

Above 1100 half-open connections (or 1100 new connections per minute) it goes into aggressive mode and drops the oldest half-open connections; thresholds are tunable with ip tcp intercept max-incomplete / one-minute.

Prevents SYN floods/attacks against the servers behind it.
