4.4.2 Attacking What We Do Quiz Answers
1. Which action best describes a MAC address spoofing attack?
- altering the MAC address of an attacking host to match that of a legitimate host
- bombarding a switch with fake source MAC addresses
- forcing the election of a rogue root bridge
- flooding the LAN with excessive traffic
Explanation: The attacker commonly runs a program or script that sends a stream of frames to the switch so the switch keeps the incorrect (spoofed) information in the MAC address table.
2. What is an objective of a DHCP spoofing attack?
- to gain illegal access to a DHCP server and modify its configuration
- to attack a DHCP server and make it unable to provide valid IP addresses to DHCP clients
- to intercept DHCP messages and alter the information before sending to DHCP clients
- to provide false DNS server addresses to DHCP clients so that visits to a legitimate web server are directed to a fake server
Explanation: In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to provide false DNS server addresses to clients. When a client tries to access a server using a server domain name (for example, a web server), the name to IP resolution request is sent to a DNS server that is under the control of the attacker, which provides the IP address of a fake server.
3. What is the primary means for mitigating virus and Trojan horse attacks?
- antivirus software
- encryption
- antisniffer software
- blocking ICMP echo and echo-replies
Explanation: Antivirus software is the primary means of mitigating both virus and Trojan horse attacks. By using up-to-date antivirus software, the spread of viruses and Trojan horse attacks can be reduced.
4. What method can be used to mitigate ping sweeps?
- blocking ICMP echo and echo-replies at the network edge
- deploying antisniffer software on all network devices
- using encrypted or hashed authentication protocols
- installing antivirus software on hosts
Explanation: To mitigate ping sweeps, ICMP echo and echo-reply messages can be blocked on network edge routers. This does come at a cost. Because ICMP is also used for network diagnostic data, this diagnostic data will be blocked as well.
5. What worm mitigation phase involves actively disinfecting infected systems?
- quarantine
- inoculation
- treatment
- containment
Explanation: The four phases of worm mitigation are:
- Containment
- Inoculation
- Quarantine
- Treatment
Disinfecting systems is accomplished in the treatment phase and involves terminating the worm process, removing infected files, and patching vulnerabilities exploited by the worm.
6. What is the result of a DHCP starvation attack?
- Legitimate clients are unable to lease IP addresses.
- Clients receive IP address assignments from a rogue DHCP server.
- The attacker provides incorrect DNS and default gateway information to clients.
- The IP addresses assigned to legitimate clients are hijacked.
Explanation: DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.
7. Which term is used for bulk advertising emails flooded to as many end users as possible?
- Phishing
- Brute force
- Spam
- Adware
Explanation: Spam is annoying and unwanted bulk email that is sent to as many end users as possible.
8. Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?
- cache poisoning
- amplification and reflection
- tunneling
- shadowing
Explanation: Two threats to DNS are DNS shadowing and DNS tunneling attacks. DNS shadowing attacks compromise a parent domain and then the cybercriminal creates subdomains to be used in attacks. DNS tunneling attacks build botnets to bypass traditional security solutions. Three threats to DNS open resolvers are cache poisoning, amplification and reflection, and resource utilization attacks.
9. Which protocol would be the target of a cushioning attack?
- DNS
- HTTP
- ARP
- DHCP
Explanation: The HTTP 302 cushioning attack is used by cybercriminals to take advantage of the 302 Found HTTP response status code to redirect the browser of the user to a new location, usually a malicious site.
10. Which language is used to query a relational database?
- Python
- C++
- Java
- SQL
Explanation: Cybercriminals use SQL injections to breach a relational database, create malicious SQL queries, and obtain sensitive data.
11. Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)
- SQL injection
- port scanning
- port redirection
- trust exploitation
- cross-site scripting
Explanation: When a web application uses input fields to collect data from clients, threat actors may exploit possible vulnerabilities for entering malicious commands. The malicious commands that are executed through the web application might affect the OS on the web server. SQL injection and cross-site scripting are two different types of command injection attacks.
12. In which type of attack is falsified information used to redirect users to malicious Internet sites?
- DNS cache poisoning
- ARP cache poisoning
- DNS amplification and reflection
- domain generation
Explanation: In a DNS cache poisoning attack, falsified information is used to redirect users from legitimate to malicious internet sites.
13. What is a characteristic of a DNS amplification and reflection attack?
- Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.
- Threat actors use a DoS attack that consumes the resources of the DNS open resolvers.
- Threat actors hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts.
- Threat actors use malware to randomly generate domain names to act as rendezvous points.
Explanation: Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack by sending DNS messages to the open resolvers and using the IP address of a target host (victim).