Flashcard 1
Q: What is a Denial-of-Service (DoS) attack?
A: A DoS attack is an attempt to make a machine or network resource unavailable to its intended users by overwhelming it with excessive traffic or exploiting vulnerabilities.
Flashcard 2
Q: What are the primary security goals related to DoS attacks?
A: The key goals include ensuring availability, maintaining network integrity, and protecting systems from being overwhelmed by malicious traffic.
Flashcard 3
Q: What is source address spoofing in the context of DoS attacks?
A: It is a technique where attackers forge the source IP address in packets to hide their identity or redirect responses, complicating traceability and mitigation.
Flashcard 4
Q: What is the TCP handshake, and why is it important?
A: The TCP handshake is a three-step process (SYN, SYN-ACK, ACK) used to establish a reliable connection between two devices; understanding it is crucial for grasping how SYN-based attacks work.
Flashcard 5
Q: What is SYN spoofing?
A: SYN spoofing involves sending numerous TCP SYN packets with forged source addresses, creating many half-open connections that can exhaust server resources.
Flashcard 6
Q: How do SYN spoofing attacks affect a target system?
A: They can significantly slow down or completely deny legitimate access by filling the connection queue with incomplete sessions, leading to resource exhaustion.
Flashcard 7
Q: What are flooding attacks?
A: Flooding attacks overwhelm a target with a high volume of traffic, such as ICMP, UDP, or TCP requests, disrupting its ability to process legitimate traffic.
Flashcard 8
Q: What is an ICMP flooding attack?
A: It is a DoS attack that bombards the target with ICMP (ping) packets, causing network congestion and overloading the system.
Flashcard 9
Q: What is a UDP flooding attack?
A: This attack floods the target with UDP packets, forcing it to process or drop the excessive traffic, which can lead to service degradation or failure.
Flashcard 10
Q: What is a TCP SYN flooding attack?
A: A TCP SYN flood involves sending a massive number of SYN requests to a target server, exhausting its resources by keeping numerous half-open connections active.
Flashcard 11
Q: What is the difference between single-source and multiple-source (DDoS) attacks?
A: Single-source attacks originate from one system, whereas Distributed Denial-of-Service (DDoS) attacks use multiple compromised systems (botnets) to launch a coordinated assault, making mitigation more challenging.
Flashcard 12
Q: What are the key characteristics of flooding attacks?
A: Flooding attacks are characterized by extremely high traffic volume, rapid resource exhaustion, and a lack of valid responses from the target.
Flashcard 13
Q: What distinguishes a Distributed Denial-of-Service (DDoS) attack from a DoS attack?
A: A DDoS attack uses many sources (often via botnets) to flood the target, making it harder to block the attack because traffic comes from diverse, often geographically dispersed, origins.
Flashcard 14
Q: How do botnets facilitate DDoS attacks?
A: Botnets are networks of compromised devices that attackers control remotely, using them collectively to send massive amounts of traffic toward a target.
Flashcard 15
Q: What is meant by the DDoS attack command structure?
A: It refers to the hierarchical setup, typically involving a command and control (C&C) server, that coordinates the actions of a botnet during an attack.
Flashcard 16
Q: What are application-based bandwidth attacks?
A: These attacks target the application layer by sending what appear to be legitimate requests, consuming server bandwidth and resources to deny service.
Flashcard 17
Q: What is a SIP flood attack?
A: A SIP flood attack targets VoIP systems by overwhelming SIP servers with excessive signaling messages, disrupting voice communications.
Flashcard 18
Q: How does a SIP flood attack impact services?
A: It can disrupt or disable voice services by overloading the SIP infrastructure, making it difficult for legitimate calls to be processed.
Flashcard 19
Q: What is an HTTP flood attack?
A: An HTTP flood attack overwhelms a web server with numerous HTTP requests, potentially exhausting server resources and denying access to genuine users.
Flashcard 20
Q: What is a recursive HTTP flood?
A: It is an attack where each HTTP request triggers additional requests, further amplifying the traffic and the attack's impact on the target server.
Flashcard 21
Q: What is a Slowloris attack?
A: A Slowloris attack holds many connections open by sending partial HTTP requests, thereby exhausting the server's connection pool without flooding it with complete requests.
Flashcard 22
Q: What are the characteristics of a Slowloris attack?
A: It maintains open connections with incomplete requests, slowly consuming server resources and making the server unavailable for legitimate users.
Flashcard 23
Q: What are reflector attacks?
A: Reflector attacks exploit third-party servers by sending requests with the victim's IP address as the source, causing the servers to send responses to the target, thus masking the attack's origin.
Flashcard 24
Q: How do reflector attacks work?
A: Attackers send requests to legitimate services using spoofed source addresses, resulting in those services unintentionally directing their responses toward the victim.
Flashcard 25
Q: What are the advantages of reflector attacks for attackers?
A: They hide the attacker's identity and can amplify the attack by leveraging the responses from multiple third-party servers.
Flashcard 26
Q: What is an amplification attack?
A: An amplification attack exploits a protocol or service to generate a disproportionately large response from a small request, thereby increasing the attack traffic aimed at the target.
Flashcard 27
Q: How do DNS amplification attacks work?
A: By sending small DNS queries with a spoofed source IP (the victim's), attackers cause DNS servers to send large responses to the target, overwhelming its network.
Flashcard 28
Q: What are the consequences of DNS amplification attacks?
A: They can flood a target with traffic, leading to severe network congestion and service disruption.
Flashcard 29
Q: What are NTP amplification attacks?
A: Similar to DNS amplification, these attacks abuse vulnerabilities in Network Time Protocol servers to generate large responses that overwhelm the target system.
Flashcard 30
Q: What key characteristics define amplification attacks?
A: They feature a high amplification factor, reliance on reflection, and the exploitation of UDP-based services that do not require a connection handshake.
Flashcard 31
Q: What are some common defenses against DoS attacks?
A: Defenses include filtering spoofed packets, employing SYN cookies, implementing selective packet drops, using load balancing, and performing traffic analysis.
Flashcard 32
Q: How do SYN cookies defend against SYN flooding attacks?
A: SYN cookies encode the connection state in the TCP sequence number and only allocate resources after a legitimate connection is confirmed, mitigating resource exhaustion.
Flashcard 33
Q: What is selective packet drop?
A: It is a technique to reduce attack impact by identifying and dropping suspicious packets based on predefined criteria, such as abnormal source addresses or traffic patterns.
Flashcard 34
Q: How can reflection and amplification attacks be mitigated?
A: They can be countered by filtering spoofed traffic, securing server configurations, implementing rate limiting, and using protocols designed to resist abuse.
Flashcard 35
Q: What measures can organizations take to prevent their systems from being used in DoS attacks?
A: Organizations should secure system configurations, patch vulnerabilities, and apply proper network segmentation to avoid being exploited as reflectors or amplifiers.
Flashcard 36
Q: How does load balancing help mitigate DoS attacks?
A: Load balancing distributes incoming traffic across multiple servers, reducing the strain on any single system and enhancing overall resilience during an attack.
Flashcard 37
Q: How is a DoS attack typically identified?
A: It is identified through traffic analysis and filtering, which detect abnormal patterns such as sudden surges in traffic or unusual packet types.
Flashcard 38
Q: What is the role of post-attack forensics and recovery?
A: This process involves analyzing the attack to understand its vectors, learning from the incident, and implementing measures to prevent future occurrences while restoring services.
Flashcard 39
Q: What are the overall goals of a DoS attack?
A: The primary goal is to disrupt service availability by exhausting system resources, thereby denying legitimate users access to network or application services.