DOS

Question 1

Define DOS attack

Answer 1

an action that overwhelms target system with excessive traffic, preventing users from accessing services

Question 2

Resources that are targets of DOS attacks?

Answer 2

1. Network Bandwidth
2. System Resources
3. Application Resources

Question 3

How to respond to DOS attacks?

Answer 3

1. Implement antispoofing and rate limit or use CAPTCHA to filter human vs bot behavior
2. Monitor network traffic for abnormal patterns
3. Trace the source of the attack through ISPs then update incident response plans to prepare for future attacks

Question 4

Define DDOS attack

Answer 4

A coordinated assult where many systems flood a target with overwhelming traffic/requests, making it unavaliable to users

Question 5

Explain one or two defense mechanism against the SYN flooding attack

Answer 5

1. Blocking spoofed addresses
2. SYN cookies

Question 6

Could you explain the SYN flooding attack method? Also, what resource of the system does the SYN flooding attack exhaust?

Answer 6

The SYN flooding attack sends TCP SYN packets with spoofed addresses, leading the server to maintain half-open connections until its connection table overflows.

System’s network handling resources

Question 7

Describe the Session Initiation Protocol (SIP) flooding attack. Explain what resources are targeted by the attack.

Answer 7

Overloads SIP servers with too many session initiation requests.

Exhauses server’s memory and processing capacity.

Question 8

Explain DNS Amplification Attack. This attack method is based on a specific feature of DNS. Explain whether this is an attack using sex.

Answer 8

Attacker sends tiny DNS queries with spoofed source addresses then server replies with large responses to the target, overwhelming resources.

Question 9

What are the three common types of firewalls, and how do they function?

Answer 9

Packet-Filtering Firewall:
Checks each packet’s header against a set of rules.
Decides whether to allow or block the packet.

Application-Level Gateway:
Works as a middleman for specific applications.
Adds security by filtering traffic and requiring user authentication.

Circuit-Level Gateway:
Creates two separate TCP connections: one with the user and one with the external server.
Relays data between them without inspecting the actual content.

Question 10

What are the advantages and disadvantages of packet-filtering firewalls?

Answer 10

Advantages:
Simplicity.
Transparency to users.
High speed.

Disadvantages:
Difficult to set up rules correctly.
Lack of user authentication.
Cannot deal with applications at the packet-filtering level

Question 11

What is the key difference between stateful inspection firewalls and traditional packet filters?

Answer 11

Stateful Firewalls: Track connections and validate packets dynamically.
Packet-Filtering Firewalls: Use static rules without tracking connections.

Question 12

What are the advantages of an application-level gateway over packet filters?

Answer 12

1. Provides better security by scrutinizing traffic at the application level.
2. Can be configured to support specific application features only.
3. Makes it easier to log and audit incoming traffic

Question 13

What is a screened subnet firewall configuration, and what are its advantages?

Answer 13

A screened subnet firewall uses two packet-filtering routers to create an isolated subnet.

Advantages:
1. Provides three levels of defense.
2. Hides the internal network from the internet by advertising only the screened subnet.
3. Prevents direct routing between internal systems and the internet

Question 14

What are the advantages of host-based firewalls?

Answer 14

Filtering rules can be tailored to the host environment.
Provides protection independent of network topology.
Adds an extra layer of protection for individual hosts

Question 15

What is the primary function of an Intrusion Prevention System (IPS), and how does it differ from a firewall?

Answer 15

An IPS detects and attempts to block malicious activities in real time. Unlike a firewall, which uses static rules to filter traffic, an IPS uses algorithms to identify anomalous or known malicious behaviors and then acts to prevent them​

Question 16

What are the limitations of a firewall?

Answer 16

1. Cannot protect against attacks that bypass it, such as those using direct dial-up connections.
2. Does not protect against internal threats, like malicious insiders.
3. Cannot scan and block virus-infected files transferred via supported applications

Question 17

Explain the anomaly detection method and the signature-based detection method. What are their advantages and disadvantages?

Answer 17

Anomaly Detection: Spots unusual behavior.
Pros: Detects new attacks.
Cons: High false positives.

Signature Detection: Matches known attack patterns.
Pros: Accurate for known threats.
Cons: Misses new attacks.

Question 18

Define the terms ‘False Positive’ and ‘False Negative.’ What are the challenges if an IDS has a 1% false positive rate and a 1% false negative rate in real environments?

Answer 18

False Positive: When the IDS incorrectly classifies legitimate activity as malicious.

False Negative: When the IDS fails to detect an actual attack.

Challenges:
A 1% false positive rate in high-traffic environments could overwhelm administrators with alerts, leading to alert fatigue.
A 1% false negative rate leaves the system vulnerable to undetected attacks, potentially causing severe damage​

Question 19

When a hacker attacks a system, explain the general behavior pattern step by step.

Answer 19

1. Gather info about the target
2. use identified weaknesses to gain access
3. Increase access rights to perform more actions
4. Delete logs and evidence

Question 20

List at least five IDS requirements and explain them.

Answer 20

Accuracy: Minimize false positives and negatives.
Scalability: Handle high volumes of data in large networks.
Real-Time Detection: Identify attacks as they happen.
Robustness: Operate effectively under attack.
Ease of Management: Allow for straightforward configuration and updates.

Question 21

Compare a stateless firewall (packet filtering firewall) and a stateful firewall.

Answer 21

Stateless Firewall: Filters individual packets.
Pros: Simple, fast.
Cons: Can’t track connections, spoofing risk.

Stateful Firewall: Tracks connections.
Pros: Blocks SYN floods.
Cons: Higher overhead.

Question 22

Describe an attack that can be blocked by a stateful firewall but not by a stateless firewall.

Answer 22

A SYN Flood Attack can be blocked by a stateful firewall because it tracks incomplete TCP handshakes and can drop excessive SYN packets. A stateless firewall, which only inspects individual packets, would not recognize the incomplete connections​

Question 23

Explain the TL and Fragment Offset fields among the fields in the IP header.

Answer 23

TTL: Limits packet lifespan; decrements at each hop. Used in traceroute.
Fragment Offset: Indicates a fragment’s position for proper reassembly.

Question 24

Compare and explain the advantages and disadvantages of the signature-based method and the anomaly-based method in intrusion detection.

Answer 24

Signature-Based Detection:
Advantages: Accurate for known threats, low false positives.
Disadvantages: Cannot detect new, unknown threats. Requires constant updates to the signature database.

Anomaly-Based Detection:
Advantages: Can detect unknown attacks by monitoring deviations from normal behavior.
Disadvantages: High false-positive rate, as legitimate activities might deviate from the baseline.

Question 25

Discuss about the tunnel and transport modes of the IPsec protocol.

Answer 25

Tunnel Mode: Encrypts the entire IP packet (headers and payload). Commonly used for site-to-site VPNs. Protects against traffic analysis since the original packet is entirely encapsulated. Transport Mode: Encrypts only the payload, leaving the IP header intact. Used for end-to-end communication between two hosts.

Question 26

Answer the following questions about the Probabilistic Packet Masking method. (a) What is the purpose of this method? (b) Explain the packet masking method. (c) What are the advantages of this method over other methods?

Answer 26

(a) Purpose: Protects packet data by introducing probabilistic alterations that make attacks less effective. (b) Packet Masking Method: Masks specific parts of a packet to prevent attackers from fully reconstructing sensitive data. Involves randomization or selective encryption of packet fields. (c) Advantages: Adds unpredictability, making reconnaissance difficult for attackers. More efficient compared to full encryption.

Question 27

As for DNS cache poisoning, in what conditions is poisoning possible.

Answer 27

1. DNS server accepts incorrect responses without validating authenticity. 2. The attacker can predict the transaction ID of DNS queries. 3. Lack of proper DNS security extensions (DNSSEC).

Question 28

DNSSEC method can be used to respond to DNS-related attacks such as DNS Cache poisoning. What are the problems with DNSSEC method?

Answer 28

1. Complexity in implementation and management. 2. Increased computational overhead due to cryptographic operations. 3. DNSSEC does not prevent all forms of DNS attacks

Question 29

Answer the following questions about ARP. (a) Explain about the ARP protocol. (b) What is the ARP Cache Poisoning attack?

Answer 29

(a) ARP Protocol: Maps IP addresses to MAC addresses within a local network. Operates by broadcasting ARP requests and receiving ARP replies. (b) ARP Cache Poisoning: Attacker sends fake ARP replies to associate their MAC address with the victim's IP address. Results in man-in-the-middle attacks or denial of service by intercepting or disrupting traffic.

Question 30

Answer the following questions about the TL field in the IP Packet header. (a) Describe the TTL field (purpose, how to use, ). (b) Give an example of a typical application implemented using the TTL field and explain how it works.

Answer 30

(a) Purpose: Prevents infinite packet looping in the network. Used for diagnostic purposes (e.g., traceroute). (b) Example Application: Traceroute: Sends packets with incremental TTL values to discover each hop along the path to the destination. The TTL expiration generates an ICMP "Time Exceeded" message, revealing the intermediate router's address.

Question 31

When running a program, how is the stack used?

Answer 31

The stack is a region of memory used for managing function calls and local variables during program execution. It stores: Function parameters. Return addresses. Local variables. Saved registers and bookkeeping information

Question 32

What data does a stack buffer overflow overwrite?

Answer 32

Local variables. Return addresses. Frame pointers (saved base pointers).

Question 33

What does an attacker mainly want to change through stack buffer overflow?

Answer 33

Targeted Data: The return address in the stack. Why: By modifying the return address, an attacker can redirect the program's execution flow to malicious code (e.g., shellcode injected into the stack). Goal: Execute arbitrary code, escalate privileges, or cause a denial of service​

Question 34

Define a Buffer Overflow Attack.

Answer 34

A buffer overflow attack occurs when a program writes more data into a buffer than it can hold, overwriting adjacent memory locations​

Question 35

Techniques to Prevent Stack Buffer Overflow

Answer 35

(a) Random Canary Method: Inserts a "canary" value before the return address in the stack. The canary is checked before returning from a function; any modification indicates an overflow. Advantage: Effective at detecting basic buffer overflows. Disadvantage: Does not prevent more advanced attacks like Return-Oriented Programming (ROP)​ (b) Guard Page Method: Places non-accessible memory pages (guard pages) around critical stack regions. Any attempt to overflow into these pages causes a segmentation fault. Advantage: Prevents overwriting beyond stack boundaries. Disadvantage: Increased memory overhead

Question 36

Response Methods for Buffer Overflow

Answer 36

Compile-Time Defenses: Using High-Level Languages: Enforces range checks and reduces vulnerabilities. Static Analysis Tools: Identifies unsafe functions and buffer-related bugs. Compiler Extensions (e.g., StackGuard): Adds runtime checks for stack integrity​ Run-Time Defenses: Data Execution Prevention (DEP): Marks stack regions as non-executable. Address Space Layout Randomization (ASLR): Randomizes memory addresses to make exploitation harder​

Question 37

Four Stages of Execution for a Virus or Worm?

Answer 37

Propagation: Spreads to other systems through vulnerabilities or user interaction. Trigger: Waits for a specific condition (e.g., date or user action) to activate. Payload Execution: Carries out the intended malicious action (e.g., data theft, destruction). Stealth/Concealment: Hides its activity to avoid detection (e.g., rootkits or obfuscation techniques)​

Question 38

Metamorphic vs. Polymorphic Viruses

Answer 38

Polymorphic Virus: Changes its code slightly (e.g., using encryption) with each replication to evade signature detection. Metamorphic Virus: Rewrites its entire code structure during replication, making it even harder to detect as its behavior and structure constantly change​

Question 39

Describe the "packing" technique used to prevent analysis of malware.

Answer 39

1. Packing compresses or encrypts malware code to make static analysis difficult. 2. When executed, the packed code decompresses or decrypts itself in memory before execution. 3. Used to evade antivirus and other analysis tools

Question 40

Answer the following questions about malware analysis methods. (a) Explain the static analysis method and the dynamic analysis method. (b) What is the biggest problem with the tatic analysis method?

Answer 40

(a) Static Analysis: Involves analyzing the malware's code without executing it. Examples: Disassembling the code, analyzing file structure, checking for known signatures. (b) Dynamic Analysis: Involves executing the malware in a controlled environment to observe its behavior. Examples: Using sandboxes or virtual machines to track file system changes, registry edits, or network communication. Biggest Problem with Static Analysis: Obfuscation: Malware often uses techniques like packing or encryption to hide its code, making static analysis challenging and sometimes ineffective​

Question 41

Answer the following questions about botnets. (a) Describe the four components that make up a botnet and explain the role of each component. (b) Write at least three reasons why botnet attacks are difficult to respond to on personal computers, unlike existing malware. (c) Explain how to use "dynamic DNS" as a rally mechanism for botnets.

Answer 41

(a) Four Components of a Botnet: Bots: Infected devices that perform tasks for the botnet controller. Role: Execute malicious commands like DDoS attacks or spamming. Command and Control (C&C) Server: Central server used to control the botnet. Role: Issues commands to the bots and receives stolen data. Botmaster: The operator controlling the botnet. Role: Plans and executes malicious activities through the botnet. Targets: The systems or services under attack. Role: Victims of data theft, service disruption, or other malicious activities​ . (b) Reasons Botnet Attacks Are Hard to Respond To: Distributed Nature: Bots are spread across multiple personal computers, making detection and takedown difficult. Dynamic Membership: Bots can join or leave the botnet dynamically, complicating its detection. Encrypted Communication: Modern botnets use encrypted channels to communicate with the C&C server, hiding their activities. (c) Dynamic DNS as a Rally Mechanism: Dynamic DNS allows botmasters to update domain name mappings to IP addresses dynamically. When a C&C server changes location or IP, bots can still connect using the updated DNS record, maintaining the botnet’s functionality​

Question 42

Describe the Generic Decryption (GD) scanner.

Answer 42

A GD scanner is a tool used to analyze encrypted malware. How It Works: Executes the malware in a controlled environment. Allows the malware to decrypt itself during runtime. Captures the decrypted code for analysis.

Question 43

Describe data permission and output permission

Answer 43

Data Permission: Refers to access controls determining who can read, write, or modify specific data. Implemented using access control lists (ACLs) or role-based access control (RBAC). Output Permission: Refers to restrictions on what outputs are generated and who can access them, preventing unauthorized data leaks.

Question 44

Explain what reference attack is and how to defend against interference attacks with perturbation tech.

Answer 44

Reference Attack: Repeated queries analyze patterns to infer sensitive data. Perturbation Defense: Adds noise to outputs to protect individual data.

Question 45

What is SQL injection attack and how to defend against reference attack

Answer 45

Exploits vulnerabilities in input validation to inject malicious SQL queries into a database. Input validation and sanitization. Use of parameterized queries (prepared statements). Implementing least privilege for database users

Question 46

Defending Against Reference Attacks in Statistical Databases (SDB)

Answer 46

Query Restrictions: Limiting the number and type of queries users can perform. Noise Addition: Introduce statistical noise to query results (e.g., perturbation). Partitioning Data: Avoid queries that allow accessing small data subsets​

Question 47

Comparing Anomaly Detection and Signature-Based Detection

Answer 47

Signature-Based Detection: Matches known attack patterns in data. Pros: High accuracy for known threats, low false positives. Cons: Ineffective against new or unknown attacks. Anomaly Detection: Identifies deviations from normal behavior to detect potential threats. Pros: Can identify novel attacks. Cons: High false-positive rate if the normal baseline is not well-defined

Question 48

Polymorphic vs. Metamorphic Malware

Answer 48

Polymorphic Malware: Changes its appearance (e.g., encrypted payload) with each infection to evade signature detection. The underlying functionality remains unchanged. Metamorphic Malware: Rewrites its entire code structure during replication, completely altering its appearance. Harder to detect as it lacks a consistent pattern

Question 49

Why It Is Difficult to Respond to Botnet Attacks

Answer 49

Distributed Nature: Botnets operate across thousands of compromised systems, making them hard to take down. Dynamic Infrastructure: Bots can reconnect to new command-and-control (C&C) servers, often using dynamic DNS or peer-to-peer networks. Encrypted Communication: Modern botnets use encrypted traffic, concealing malicious commands from detection​

Question 50

Malware Analysis Methods

Answer 50

(a) Static Analysis: Examines the malware code without executing it. Advantages: No risk of infection, quicker for initial assessment. Disadvantages: Obfuscated or packed malware may hinder analysis. (b) Dynamic Analysis: Observes malware behavior during execution in a controlled environment. Advantages: Can identify runtime behavior, such as system changes and network activity. Disadvantages: Requires safe and isolated environments (e.g., sandboxes)

Question 51

Avoiding Dynamic Analysis:

Answer 51

Detecting virtualized environments. Delayed execution to bypass time-limited analyses. Using encrypted payloads to hide malicious behavior until specific conditions are met