Module Summary

  • Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate users.
  • A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system.
  • Attackers use various techniques to carry out DoS/DDoS attacks on the target, but these attacks are basically categorized into: volumetric attacks, fragmentation attacks, TCP state-exhaustion attacks, and application layer attacks.
  • There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue sharing model, like a major corporation that offers criminal services.
  • A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.
  • Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic.
  • The pen tester floods the target network with traffic, similar to hundreds of people repeatedly requesting the service in order to check the system stability.

Q1) One of the effective DoS/DDoS countermeasures is 'Throttling'. Which statement correctly defines this term?

  1. Set up routers that access a server with logic to adjust incoming traffic to levels that will be safe for the server to process
  2. Providers can increase the bandwidth on critical connections to prevent them from going down in the event of an attack
  3. Replicating servers that can provide additional failsafe protection
  4. Load balance each server in a multiple-server architecture

Q2) Bob was frustrated with his competitor, Brownies Inc., and decided to launch an attack that would result in serious financial losses. He planned the attack carefully and carried out the attack at the appropriate moment.

Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transaction server had been attacked. As a result of the attack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interaction to fix it.

What kind of Denial of Service attack was best illustrated in the scenario above?

  1. Simple DDoS attack
  2. DoS attacks which involve flooding a network or system
  3. DoS attacks which involve crashing a network or system
  4. DoS attacks which are done accidentally or deliberately

Q3) John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool?

  1. hping2
  2. nessus
  3. nmap
  4. make

Q4) A distributed port scan operates by:

  1. Blocking access to the scanning clients by the targeted host
  2. Using denial-of-service software against a range of TCP ports
  3. Blocking access to the targeted host by each of the distributed scanning clients
  4. Having multiple computers each scan a small number of ports, then correlating the results

A4) Think of DDoS (distributed Denial of Service) where you use a large number of computers to create simultaneous traffic against a victim in order to shut them down.

Q5) What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

  1. All are hacking tools developed by the legion of doom
  2. All are tools that can be used not only by hackers, but also security personnel
  3. All are DDoS tools
  4. All are tools that are only effective against Windows
  5. All are tools that are only effective against Linux

Q6) You have been called to investigate a sudden increase in network traffic at XYZ. It seems that the traffic generated was so heavy that normal business functions could no longer be rendered to external employees and clients. After a quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do you think was the most likely cause behind this sudden increase in traffic?

  1. A distributed denial of service attack.
  2. A network card that was jabbering.
  3. A bad route on the firewall.
  4. Invalid rules entry at the gateway.

A6) In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conducting DDoS attacks.

Q7) Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using?

  1. Henry is executing commands or viewing data outside the intended target path
  2. Henry is using a denial of service attack which is a valid threat used by an attacker
  3. Henry is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege
  4. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

A7) Henry’s intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more “punch” in the DoS attack if he uses multiple systems.

Q8) What is a zombie?

  1. A compromised system used to launch a DDoS attack
  2. The hacker’s computer
  3. The victim of a DDoS attack
  4. A compromised system that is the target of a DDoS attack

Q9) What is the first phase of a DDoS attack?

  1. Intrusion
  2. Attack
  3. DoS
  4. Finding a target system

A9) The intrusion phase compromises and recruits zombie systems to use in the coordinated attack phase.

Q10) In a DDoS attack, what communications channel is commonly used to orchestrate the attack?

  1. Internet Relay Chat (IRC)
  2. MSN Messenger
  3. ICMP
  4. Google Talk

A10) A DDoS attacker commonly uses IRC to communicate with handlers, which in turn send the attack signal to the infected clients (zombies).

Q11) What is a single-button DDoS tool suspected to be used by groups such as Anonymous?

  1. Trinoo
  2. Crazy Pinger
  3. LOIC
  4. DoSHTTP

A11) The DDoS tool Low Orbit Ion Cannon (LOIC) is a single-button utility that is suspected of being used in large-scale DDoS attacks.

Q12) What is the main difference between DoS and DDoS?

  1. Scale of attack
  2. Number of attackers
  3. Goal of the attack
  4. Protocols in use

A12) The main difference between the two types of attacks is the number of attackers. The goal is the same and the scale is different but hard to define. Protocols have no bearing and are irrelevant.

Q13) TCP SYN Flood attack uses the three-way handshake mechanism.

  1. An attacker at system A sends a SYN packet to victim at system B.
  2. System B sends a SYN/ACK packet to victim A.
  3. As in a normal three-way handshake, system A should send an ACK packet to system B; however, system A does not send an ACK packet to system B. In this case, client B is waiting for an ACK packet from client A.

This status of client B is called _

  1. "half-closed"
  2. "half open"
  3. "full-open"
  4. "xmas-open"

Q14) SYN Flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains:

  1. The source and destination address having the same value
  2. A large number of SYN packets appearing on a network without the corresponding reply packets
  3. The source and destination port numbers having the same value
  4. A large number of SYN packets appearing on a network with the corresponding reply packets

Q15) The SYN flood attack sends TCP connection requests faster than a machine can process them.

  • Attacker creates a random source address for each packet
  • SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
  • Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes)
  • Victim's connection table fills up waiting for replies and ignores new connections
  • Legitimate users are ignored and will not be able to access the server

How do you protect your network against SYN Flood attacks?

  1. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first.
  2. RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
  3. Check the incoming packet's IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall.
  4. Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.
  5. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro record of 16-bytes for the incoming SYN object.


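  • SYN Cookie: The best known of the defences against SYN floods. When the TCP server receives a TCP SYN packet and returns a TCP SYN+ACK packet, it does not allocate a dedicated data area; instead it computes a cookie value from that SYN packet. When the TCP ACK packet arrives, the TCP server checks the legitimacy of that ACK packet against the cookie value. If it is legitimate, the server then allocates the dedicated data area to handle the future TCP connection. The principle of SYN cookies is fairly simple; in practice there are many different implementations. No buffer space is reserved at first; the cookie is used to verify the client's response, and buffer space is reserved only after verification succeeds. Very resource-intensive (because the server must compute a cryptographic hash).
  • RST Cookies: Reverse confirmation. The server sends back a fake SYN-ACK packet and should receive an RST in response, which verifies that the host is legitimate. Not compatible with Windows 95.
  • Stack Tweaking: A complex method that modifies the TCP protocol stack; it only makes the attack harder rather than impossible.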
  • Micro Blocks: Administrators can allocate a micro-record (as few as 16 bytes) in the server memory for each incoming SYN request instead of a complete connection object.
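
The SYN-cookie handshake described above, as an added example that is not part of the original page: a simplified Python model in which the server stores nothing on SYN and creates a connection entry only when the final ACK carries a valid cookie. The bit layout, `MSS_TABLE`, `COUNTER_PERIOD`, the `Listener` class and all addresses are assumptions for illustration, not any real TCP stack's implementation.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # per-server key, never sent on the wire
COUNTER_PERIOD = 64                # seconds per time-counter tick (assumed)
MAX_AGE_TICKS = 1                  # accept cookies from this tick or the previous one
MSS_TABLE = [536, 1024, 1220, 1300, 1360, 1400, 1440, 1460]  # constructed table
MASK32 = 0xFFFFFFFF


def _mac24(conn, counter, client_isn, mss_idx):
    """24-bit keyed hash over the 4-tuple, time counter, client ISN and MSS index."""
    msg = "|".join(map(str, (*conn, counter, client_isn, mss_idx))).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(conn, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK: 5 bits time | 3 bits MSS index | 24 bits MAC."""
    counter = int(now) // COUNTER_PERIOD
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter % 32) << 27) | (mss_idx << 24) | _mac24(conn, counter, client_isn, mss_idx)


def check_ack(conn, seq, ack, now):
    """Validate the final ACK; return the negotiated MSS, or None if it is rejected."""
    cookie, client_isn = (ack - 1) & MASK32, (seq - 1) & MASK32
    mss_idx = (cookie >> 24) & 0x7
    current = int(now) // COUNTER_PERIOD
    for age in range(MAX_AGE_TICKS + 1):
        counter = current - age
        if counter % 32 != cookie >> 27:
            continue  # cookie was not minted in this tick
        expected = _mac24(conn, counter, client_isn, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Connection state is created on the third packet of the handshake only."""

    def __init__(self):
        self.established = {}

    def on_syn(self, conn, client_isn, client_mss, now):
        return make_cookie(conn, client_isn, client_mss, now)  # nothing stored

    def on_ack(self, conn, seq, ack, now):
        mss = check_ack(conn, seq, ack, now)
        if mss is not None:
            self.established[conn] = mss
        return mss is not None


def demo(t0=1_700_000_000):
    srv = Listener()
    # Constructed flood: 5000 SYNs from spoofed sources, none followed by an ACK.
    for i in range(5000):
        srv.on_syn((f"198.51.100.{i % 250}", 1024 + i, "192.0.2.10", 443), i, 1460, t0)
    after_flood = len(srv.established)
    # Constructed legitimate client that completes the handshake 2 seconds later.
    conn, isn = ("203.0.113.7", 40000, "192.0.2.10", 443), 0x1234ABCD
    cookie = srv.on_syn(conn, isn, 1450, t0)
    tampered = srv.on_ack(conn, isn + 1, ((cookie ^ 1) + 1) & MASK32, t0 + 2)
    stale = srv.on_ack(conn, isn + 1, (cookie + 1) & MASK32, t0 + 3 * COUNTER_PERIOD)
    valid = srv.on_ack(conn, isn + 1, (cookie + 1) & MASK32, t0 + 2)
    return after_flood, tampered, stale, valid, srv.established.get(conn)
```

The flood leaves the connection table empty, while an ACK with an altered or expired cookie is dropped without allocating anything; the cost is one keyed hash per SYN and per ACK.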

Q16) Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

  1. Jacob is seeing a Smurf attack.
  2. Jacob is seeing a SYN flood.
  3. He is seeing a SYN/ACK attack.
  4. He has found evidence of an ACK flood.

Q17) Which of the following network attacks relies on sending an abnormally large packet size that exceeds TCP/IP specifications?

  1. Ping of death
  2. SYN flooding
  3. TCP hijacking
  4. Smurf attack

Q18) Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

  1. Teardrop
  2. SYN flood
  3. Smurf attack
  4. Ping of death

Q19) Tess King, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Tess King attempting to perform?

  1. Syn flood
  2. Smurf
  3. Ping of death
  4. Fraggle

Q20) Which one of the following instigates a SYN flood attack?

  1. Generating excessive broadcast packets.
  2. Creating a high number of half-open connections.
  3. Inserting repetitive Internet Relay Chat (IRC) messages.
  4. A large number of Internet Control Message Protocol (ICMP) traces.

A20) A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable.

Q21) What happens during a SYN flood attack?

  1. TCP connection requests flood a target machine with randomized source addresses and ports for the TCP ports.
  2. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host’s address as both source and destination, and is using the same port on the target host as both source and destination.
  3. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
  4. A TCP packet is received with both the SYN and the FIN bits set in the flags field.

Q22) Which kind of attack is designed to overload a system or resource, taking it temporarily or permanently offline?

  1. Spoofing
  2. Trojan
  3. Man in the middle
  4. Syn flood

A22) Syn floods are a form of denial of service (DoS). Attacks of this type are designed to overwhelm a resource for a period of time.

Q23) Which DoS attack sends traffic to the target with a spoofed IP of the target itself?

  1. Land
  2. Smurf
  3. Teardrop
  4. SYN flood

A23) A land attack fits this description. Smurf attacks deal with ICMP echo requests going back to a spoofed target address. SYN floods use custom packets that barrage a target with requests. Teardrop attacks use custom fragmented packets that have overlapping offsets.

Q24) What response is missing in a SYN flood attack?

  1. ACK
  2. SYN
  3. SYN-ACK
  4. URG

A24) During a SYN flood, the last step of the three-way handshake is missing, which means that after the SYN, SYN-ACK are performed, the final ACK is not received.

Q25) Lee is using Wireshark to log traffic on his network. He notices a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is Lee seeing here?

  1. Lee is seeing activity indicative of a Smurf attack.
  2. Most likely, the ICMP packets are being sent in this manner to attempt IP spoofing.
  3. Lee is seeing a Ping of death attack.
  4. This is not unusual traffic, ICMP packets can be of any size.

Q26) What is a successful method for protecting a router from potential smurf attacks?

  1. Placing the router in broadcast mode
  2. Enabling port forwarding on the router
  3. Installing the router outside of the network's firewall
  4. Disabling the router from accepting broadcast ping messages

Q27) While performing ping scans into a target network you get a frantic call from the organization’s security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization’s IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

  1. Scan more slowly.
  2. Do not scan the broadcast IP.
  3. Spoof the source IP address.
  4. Only scan the Windows systems.

A27) Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same time.

Q28) What is the term used to describe an attack that falsifies a broadcast ICMP echo request and includes a primary and secondary victim?

  1. Fraggle Attack
  2. Man in the Middle Attack
  3. Trojan Horse Attack
  4. Smurf Attack
  5. Back Orifice Attack

Q29) Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts’ requests but simply responses coming from the Internet.

What could be the most likely cause?

  1. Someone has spoofed Clive’s IP address while doing a smurf attack.
  2. Someone has spoofed Clive’s IP address while doing a land attack.
  3. Someone has spoofed Clive’s IP address while doing a fraggle attack.
  4. Someone has spoofed Clive’s IP address while doing a DoS attack.

A29) The smurf attack, named after its exploit program, is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system. In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.

Q30) Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?

  1. Smurf
  2. Bubonic
  3. SYN Flood
  4. Ping of Death

A30) A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network.

Q31) Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack?

Select the best answer.

  1. He should disable unicast on all routers
  2. Disable multicast on the router
  3. Turn off fragmentation on his router
  4. Make sure all anti-virus protection is updated on all systems
  5. Make sure his router won't take a directed broadcast

A31) Unicasts are one-to-one IP transmissions; by disabling this he would disable most network transmissions but still not prevent the smurf attack. Turning off multicast or fragmentation on the router has nothing to do with Peter’s concerns, as a smurf attack uses broadcast, not multicast, and has nothing to do with fragmentation. Anti-virus protection will not help prevent a smurf attack. A smurf attack is a broadcast from a spoofed source. If directed broadcasts are enabled on the destination, all the computers at the destination will respond to the spoofed source, which is really the victim. Disabling directed broadcasts on a router can prevent the attack.

Q32) What is a smurf attack?

  1. Sending a large amount of ICMP traffic with a spoofed source address
  2. Sending a large amount of TCP traffic with a spoofed source address
  3. Sending a large number of TCP connection requests with a spoofed source address
  4. Sending a large number of TCP connection requests

Q33) What is the key difference between a smurf and a fraggle attack?

  1. TCP vs. UDP (should be ICMP vs. UDP)
  2. TCP vs. ICP
  3. UDP vs. ICMP
  4. TCP vs. ICMP

Q34) Who are the primary victims of SMURF attacks on the Internet?

  1. IRC servers
  2. IDS devices
  3. Mail servers
  4. SPAM filters

A34) In a Smurf attack a large amount of ICMP echo request (ping) traffic is sent to an IP broadcast address, with a spoofed source IP address of the intended victim. IRC servers are commonly used to perpetuate this attack so they are considered primary victims.

Q35) Which of the following Trojans would be considered 'Botnet Command Control Center'?

  1. YouKill DOOM
  2. Damen Rock
  3. Poison Ivy
  4. Matten Kit

Q36) A botnet can be managed through which of the following?

  1. IRC
  2. E-Mail
  3. Linkedin and Facebook
  4. A vulnerable FTP server

Q37) Botnets are networks of compromised computers that are controlled remotely and surreptitiously by one or more cyber criminals. How do cyber criminals infect a victim's computer with bots? (Select 4 answers)

  1. Attackers physically visit every victim's computer to infect them with malicious software
  2. Home computers that have security vulnerabilities are prime targets for botnets
  3. Spammers scan the Internet looking for computers that are unprotected and use these "open-doors" to install malicious software
  4. Attackers use phishing or spam emails that contain links or attachments
  5. Attackers use websites to host the bots utilizing Web Browser vulnerabilities

Q38) A hacker has successfully infected an internet-facing server, which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server?

  1. Botnet Trojan
  2. Banking Trojans
  3. Ransomware Trojans
  4. Turtle Trojans

Q39) Which of the following is a botnet command and control tool?

  1. Netcat
  2. Poison Ivy
  3. RAT
  4. LOIC

A39) Poison Ivy works as a botnet controller.

Q40) Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities out and to see if it might be susceptible to a DoS attack resulting in its locking up. The IP address of the Cisco switch is What command can Charlie use to attempt this task?

  1. Charlie can use the command: ping -l 56550 -t.
  2. Charlie can try using the command: ping 56550
  3. By using the command ping Charlie would be able to lockup the router
  4. He could use the command: ping -4 56550

-l: Send buffer size

Q41) A denial of Service (DoS) attack works on the following principle:

  1. MS-DOS and PC-DOS operating systems utilize a weakness that can be compromised and permit them to launch an attack easily.
  2. All CLIENT systems have a TCP/IP stack implementation weakness that can be compromised and permit them to launch an attack easily.
  3. Overloaded buffer systems can easily address error conditions and respond appropriately.
  4. Host systems cannot respond to real traffic, if they have an overwhelming number of incomplete connections (SYN/RCVD State).
  5. A server stops accepting connections from certain networks once those networks become flooded.

Q42) What is the goal of a Denial of Service Attack?

  1. Capture files from a remote computer.
  2. Render a network or computer incapable of providing normal service.
  3. Exploit a weakness in the TCP stack.
  4. Execute service at PS 1009.
