Docsity
Log inSign up
Docsity
Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity

Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan

Guidelines and tips
Guidelines and tips
Sell on Docsity
Sell on Docsity
Docsity AI
Docsity AI
Log inSign up

Prepare for your exams

Study with the several resources on Docsity

Find documents

Prepare for your exams with the study notes shared by other students like you on Docsity

Search for your university

Find the specific documents for your university's exams

Docsity AINEW

Summarize your documents, ask them questions, convert them into quizzes and concept maps

Explore questions

Clear up your doubts by reading the answers to questions asked by your fellow students

Earn points to download

Earn points by helping other students or get them with a premium plan

Share documents
download point icon20 Points

For each uploaded document

Answer questions
download point icon5 Points

For each given answer (max 1 per day)

All the ways to get free points
Get points immediately

Choose a premium plan with all the points you need

Study Opportunities

Choose your next study program

Get in touch with the best universities in the world. Search through thousands of universities and official partners

Community

Ask the community

Ask the community for help and clear up your study doubts

Free resources

Our save-the-student-ebooks!

Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors

Defending Against DoS Attacks: Techniques, Actors, Mitigation, Exams of Computer Science

Harvard UniversityComputer Science

An in-depth analysis of denial of service (dos) attacks, their methods, and the actors involved. It discusses various defense mechanisms such as syn cookies, client puzzles, ingress filtering, and trace-back methods. The document also covers reflection attacks, web threat models, browser sandboxes, and dns rebinding attacks. It offers insights into the roles of exploit developers, botnet masters, spammers, phishers, counterfeiters, 'bulletproof' hosting providers, and crowdturfers.

Typology: Exams

2023/2024

Available from 04/30/2024

Advancewrighter
Advancewrighter 🇺🇸

4.2

(13)

3.9K documents

1 / 10

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS6262 Exam Lecture Exam Study Guide Questions
& Answers.
RPKI - Correct answer • Secure AS for BGP
• AS obtain a cert (ROA) from regional authority (RIR)
Name two types of amplification attacks and describe them. - Correct answer do’s
Bug: Design flaw allowing one Machine to disrupt a service
Do’s Flood: Command botnet to generate flood of requests.
Describe a Do’s attack at the link layer (L2) - Correct answer simply sends a
significant amount of traffic to saturate the link.
Describe a Do’s attack at the TCP/UDP layer. - Correct answer Send a significant
amount of TCP traffic to consume resources (memory) of the server.
Describe a Do’s attack at the application layer. - Correct answer Send many
requests for data to exhaust server resources.
Compare and contrast UDP and TCP - Correct answer TCP - UDP
Session Based - Connectionless
Congestion control - Unreliable
In order delivery - Best Effort
Well known SYN flood attack - Correct answer MS Blaster work (2003)
• SYN flood on port 80 to windowsupdate.com
• 50 seed packets per second at 40 bytes a piece
What methods can be used to defend against low rate SYN flood defenses? -
Correct answer • Syncookies: remove state from server
What is a syncookie? What does it prevent? - Correct answer A SYN cookie is a
specific choice of initial TCP sequence number by TCP software
Prevents low rate SYN flood.
Idea: use secret key and data in packet to generate server SYN
What advantage does a proxy (Prolific/Cloud Fare) provide in case of a Do’s attack?
- Correct answer the proxy will only forward established connections (three way
handshake) to the back end server thus preventing TCP SYN floods.
P a g e 1 | 10
pf3
pf4
pf5
pf8
pf9
pfa

Partial preview of the text

Download Defending Against DoS Attacks: Techniques, Actors, Mitigation and more Exams Computer Science in PDF only on Docsity!

CS6262 Exam Lecture Exam Study Guide Questions

& Answers.

RPKI - Correct answer • Secure AS for BGP

  • AS obtain a cert (ROA) from regional authority (RIR) Name two types of amplification attacks and describe them. - Correct answer do’s Bug: Design flaw allowing one Machine to disrupt a service Do’s Flood: Command botnet to generate flood of requests. Describe a Do’s attack at the link layer (L2) - Correct answer simply sends a significant amount of traffic to saturate the link. Describe a Do’s attack at the TCP/UDP layer. - Correct answer Send a significant amount of TCP traffic to consume resources (memory) of the server. Describe a Do’s attack at the application layer. - Correct answer Send many requests for data to exhaust server resources. Compare and contrast UDP and TCP - Correct answer TCP - UDP Session Based - Connectionless Congestion control - Unreliable In order delivery - Best Effort Well known SYN flood attack - Correct answer MS Blaster work (2003)
  • SYN flood on port 80 to windowsupdate.com
  • 50 seed packets per second at 40 bytes a piece What methods can be used to defend against low rate SYN flood defenses? - Correct answer • Syncookies: remove state from server What is a syncookie? What does it prevent? - Correct answer A SYN cookie is a specific choice of initial TCP sequence number by TCP software Prevents low rate SYN flood. Idea: use secret key and data in packet to generate server SYN What advantage does a proxy (Prolific/Cloud Fare) provide in case of a Do’s attack?
  • Correct answer the proxy will only forward established connections (three way handshake) to the back end server thus preventing TCP SYN floods.

What is a disadvantage (to the attacker) of performing an HTTP Do’s attack? - Correct answer Attacker can no longer use random source IPs Reveals location of bot zombies. Proxy can now block or rate-limit bots. Do’s via route hijacking - Correct answer Intentionally advertising more specific BGP routes to force traffic intended for a service to be destined for a different end point. Pakistan accidentally did this when creating a BGP route that covered you tube’s IP address causing all traffic intended for YouTube to route to Pakistan. List and describe common Do’s mitigation methods - Correct answer Client Puzzles CAPTCHA Source identification Trace back Edge Sampling What are some limitations to client puzzles for Do’s mitigation? - Correct answer requires changes to both clients and servers Hurts low power legit clients during attack (cell phones, tablets, etc., cannot connect) What is the main idea behind a CAPTCHA? - Correct answer Verify that the connection is from a human What layer does a CAPTCHA apply to? - Correct answer Application Layer Do’s Describe what ingress filtering does to mitigate do’s attacks: - Correct answer Drop all packets with a specific source IP ISP only forwards packets with legit source IP What is a limitation of Do’s ingress filtering? - Correct answer ALL ISPs must do this or the defense is severely weakened. If 10% of ISPs do not implement there is no defense. Describe a simple trace-back method: - Correct answer Write path into a network packet Each router adds its own IP address to the packet Victim reads path from packets. Problem: requires modification to IP format since there isn't enough space within an IP packet to accommodate the information. What two data fields are used in edge sampling? - Correct answer Edge: start and end IP addresses

Develop and sell exploits packets and kits Describe four C&C communication structures: - Correct answer IRC Channels: Single point of failure, easy to locate and take down. P2P Botnets: Distributed, master servers talk to the bots Fast Flux DNS: Bots communicate back to a single domain name. The domain name DNS: IP mapping changes every 10 seconds. Random Domain Generation: What tasks do spammers perform? - Correct answer • Build, curate, buy, and sell lists of email addresses

  • Send mail on behalf of other actors for a fee
  • Traffic-PPI services looking to acquire traffic and infections
  • Phishers looking to steal personal information What is performed during "foot printing"? - Correct answer • Reconnaissance and information gathering
  • Find out target IP address/phone number range
  • Namespace acquisition
  • Network Topology (visual Route)
  • Essential to a "surgical" attack What are common "foot printing" tools? - Correct answer • Google, search engine, Edgar
  • Whose
  • Lookup, dig, Sam Spade What is the goal of "scanning"? - Correct answer • which machine is up and what ports are open
  • Which services are running?
  • Their versions and configurations
  • Look up corresponding vulnerability info on the web
  • Focus on most promising avenues of entry
  • Reduce frequency of scanning and randomize the ports or IP addresses to be scanned in the sequence What are common tools used in "scanning"? - Correct answer Ping sweep - Fling, icmpenum, Swapping, Prepacks, nap TCP/UDP port scan - Nap, supers can, scan OS Detection - Nap, quest, siphon What is the goal of "enumeration"? - Correct answer • Identify valid user accounts or poorly protected resource shares
  • More intrusive probing than scanning step

What tools are used for "enumeration"? - Correct answer List user accounts: Null sessions, Dumas, Sid2usre, onSiteAdmin List file shares: Show mount, NAT, legion Identify applications: Banner grabbing with telnet or net cat, rpcinfo What tools are used for "gaining access"? - Correct answer Password eavesdropping: tcpdump/slump, lophtcrack, reads File share brute force: NAT, legion Password file grabbing: tuft, pwddump Buffer Overflow: tad, bind, IIS, .HT/ISM.DLL How does one gain access? (Pen testing) - Correct answer Identify and exploit a vulnerability. What tools can be used for privilege escalation? - Correct answer Password cracking: John the ripper, L0phtcrack Known Exploits: Lc_messages, Getadmin, sec hole What is "pilfering"? (Pen testing) - Correct answer Gather info to allow access of trusted systems. What tools are used in "pilfering"? - Correct answer Evaluate Trusts: hosts, LSA secrets Search for clear text passwords: User data, Comfit files, Registry What tools are used to "cover tracks"? - Correct answer Clear logs: Zap, Event Log GUI Hide tools: Rootkits, file streaming (Web threat models) Web Attacker - Correct answer • Control attacker.com, user visits the site (Web threat models) Network attacker - Correct answer Passive: wireless eavesdropping Active: evil router, DNS poisoning (Web threat models) Malware attacker - Correct answer Attacker escapes browser isolation mechanisms and runs separately under control of the OS List the following web threat models from most to least lethal:

  • Web attacker
  • Malware attacker
  • Network attacker - Correct answer • Malware attacker (most)

SBGP: sign every hop of a path advertisement What are the three components in S-BGP? - Correct answer IPSEC: secure point-to- point router communication Public Key Infrastructure: authorization for all S-BGP entities Attestations: digitally-signed authorizations S-BGP Address Attestation - Correct answer indicates that the final AS listed in the UPDATE is authorized by the owner of those address blocks. What identification does S-BGP address attestation include? - Correct answer Includes identification of:

  • Owner’s certificate
  • AS to be advertising the address blocks
  • Address blocks
  • Expiration date S-BGP Route Attestation - Correct answer indicates that the speaker or its AS authorizes the listener's AS to use the route in the UPDATE What identification does S-BGP route attestation include? - Correct answer • AS's or BGP speaker's certificate issued by owner of the AS
  • The address blocks and the list of Assassin the UPDATE
  • The neighbor
  • Expiration date List and describe the four common DNS record types: - Correct answer NS: name server (points to other server) A: address record (contains IP address) MX: address in charge of handling email TXT: generic text (e.g. used to distribute site public keys (DKIM) DNS cache poisoning - Correct answer Give DNS server’s false records and get it cached List common DNS defenses: - Correct answer • Increase query ID size
  • Randomize sec port, additional 11 bits.
  • Ask every DNS query twice
  • DNSSEC What are browser and server mitigations for DNS rebinding attacks? - Correct answer Browser: DNS Pinning Server-side defenses: Check host header for unrecognized domains, Authenticate users with something other than IP

What is a DNS rebinding attack? - Correct answer DNS rebinding allows a remote attacker to bypass a victim's network firewall and use their web browser as a proxy to communicate directly with devices on their private home network. By following the wrong link, or being served a malicious banner advertisement, you could inadvertently provide an attacker with access to the thermostat that controls the temperature in your home. When analyzing malware should the analysis software have lower, equal or higher privilege than the malware? - Correct answer Higher What are the five formal requirements for malware analysis software? - Correct answer • Higher privilege

  • No non-privileged side-effects - minimal side effects
  • Identical basic instruction execution semantics - hardware semantics and emulation
  • Exception handling should be transparent or same
  • Identical measure of time. What are three challenges to reverse engineering? - Correct answer No knowledge of byte code program No knowledge of emulator's code Intentional variations List and describe the four Mobile Malware Detection apps listed in the lectures: - Correct answer Kirin - System that checks for suspicious combinations of permissions Risk Ranker - Simple static analysis tool Droid Ranger - Based on both static and dynamic analysis, manually defined heuristics. Deben - Lightweight static analysis tool Define cloud computing - Correct answer a model for enabling convenient, on- demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction What are the four cloud deployment models? - Correct answer Private Community Public Hybrid Define private cloud - Correct answer the cloud infrastructure is operated solely for a single organization.

What is DNSBL? - Correct answer DNS Black Hole What is Notes? - Correct answer a system that dynamically assigns reputation scores to domain names What does Kepis do? - Correct answer passive monitoring in the upper levels of the DNS hierarchy; Internet-wide visibility What is pens? - Correct answer harvesting of successful DNS resolutions that can be observed in a given network. Used in research. What a decision tree is in regards to machine learning? - Correct answer the training data is repeatedly petitioned until all examples in each petition belong to one class. The decision tree can also be thought of as a set of rules that describe the decision logic. What is clustering used for in regards to machine learning? - Correct answer • in clustering, we assigned training examples into different clusters based on some distance measure.

  • That is examples in the same cluster are more similar to each other than examples from different clusters.
  • Typically, we defined some distance function to measure similarity.