Ethical Hacking and Countermeasures
Question No: 281 – (Topic 8)
The SYN Flood attack sends TCP connections requests faster than a machine can process them.
Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victim’s connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server
How do you protect your network against SYN Flood attacks?
SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number
and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first.
RST cookies – The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
Micro Blocks. Instead of allocating a complete connection, simply allocate a micro- record of 16-bytes for the incoming SYN object.
Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.
Explanation: All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target.
Question No: 282 – (Topic 8)
What happens during a SYN flood attack?
TCP connection requests floods a target machine is flooded with randomized source address amp; ports for the TCP ports.
A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host’s address as both source and destination, and is using the same port on the target host as both source and destination.
A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
A TCP packet is received with both the SYN and the FIN bits set in the flags field.
Answer: A Explanation:
To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection.
A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It#39;s also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of quot;realquot; IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.
Question No: 283 – (Topic 8)
When working with Windows systems, what is the RID of the true administrator account?
Explanation: The built-in administrator account always has a RID of 500.
Question No: 284 – (Topic 8)
Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The tool size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform?
Ping of Death
Explanation: A ping of death (abbreviated quot;PODquot;) is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes.
Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.
Question No: 285 – (Topic 8)
What would best be defined as a security test on services against a known vulnerability database using an automated tool?
A penetration test
A privacy review
A server audit
A vulnerability assessment
Explanation: Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the
communications infrastructure or water infrastructure of a region).
Question No: 286 – (Topic 8)
A Buffer Overflow attack involves:
Using a trojan program to direct data traffic to the target host#39;s memory stack
Flooding the target network buffers with data traffic to reduce the bandwidth available to legitimate users
Using a dictionary to crack password buffers by guessing user names and passwords
Poorly written software that allows an attacker to execute arbitrary code on a target system
Answer: D Explanation:
B is a denial of service. By flooding the data buffer in an application with trash you could get access to write in the code segment in the application and that way insert your own code.
Question No: 287 – (Topic 8)
Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using?
Henry is executing commands or viewing data outside the intended target path
Henry is using a denial of service attack which is a valid threat used by an attacker
Henry is taking advantage of an incorrect configuration that leads to access with higher- than-expected privilege
Henry uses poorly designed input validation routines to create or alter commands to
gain access to unintended data or execute commands
Explanation: Henry’s intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more “punch” in the DoS attack if he uses multiple systems.
Question No: 288 – (Topic 8)
How does a denial-of-service attack work?
A hacker tries to decipher a password by using a system, which subsequently crashes the network
A hacker attempts to imitate a legitimate user by confusing a computer or even another person
A hacker prevents a legitimate user (or group of users) from accessing a service
A hacker uses every character, word, or letter he or she can think of to defeat authentication
Explanation: In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high- profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).
Question No: 289 – (Topic 8)
When working with Windows systems, what is the RID of the true administrator account?
Explanation: Because of the way in which Windows functions, the true administrator account always has a RID of 500.
Question No: 290 – (Topic 8)
What happens when one experiences a ping of death?
This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply).
This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset ‘ 8) (IP data length) gt;65535.
In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address.
This is when an the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).
Answer: B Explanation:
A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offest where (IP offset *8) (IP data length)gt;65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine#39;s OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the packet based on RFC 791)…IDS can generally recongize such attacks by looking for packet fragments that have the IP header#39;s protocol field set to 1 (ICMP), the last bit set, and (IP offset *8) (IP data length)gt;65535quot; CCIE Professional Development Network Security Principles and Practices by Saadat Malik pg 414 quot;Ping of
Deathquot; attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|