Deck 3: Network Traffic Signatures

1
All devices interpret attack signatures uniformly.
False
2
Packet fragmentation is not normal, and can only occur if an attack has been initiated.
True
3
Under which attack category does a UNIX Sendmail exploitation fall?

A) bad header information
B) single-packet attack
C) multiple-packet attack
D) suspicious data payload
D
4
Which of the following is an accurate set of characteristics you would find in an attack signature?

A) IP address, attacker's alias, UDP options
B) protocol options, TCP ports, region of origin
C) IP address, TCP flags, port numbers
D) IP number, MAC address, TCP options
5
How does the CVE standard make network security devices and tools more effective?

A) the layered approach makes attacks nearly impossible
B) they can share information about attack signatures
C) it requires you to use compatible devices from one vendor
D) it warns an attacker that your site is being monitored
6
Newer Trojans listen at a predetermined port on the target computer so that detection is more difficult.
7
What type of attack does a remote-access Trojan attempt to perpetrate?

A) worm
B) back door
C) remote denial of service
D) composite attack
8
The signature of a normal FTP connection includes a three-way handshake.
9
What is the sequence of packets for a successful three-way handshake?

A) SYN, ACK, ACK
B) SYN, SYN ACK, RST
C) SYN, SYN ACK, ACK
D) SYN, ACK, FIN
10
Of what category of attack is a DoS attack an example?

A) bad header information
B) single-packet attack
C) multiple-packet attack
D) suspicious data payload
11
Which TCP flag can be the default response to a probe on a closed port?

A) RST
B) URG
C) PSH
D) SYN
12
An atomic attack is a barrage of hundreds of packets directed at a host.
13
Which of the following is NOT a category of suspicious TCP/IP packet?

A) bad header information
B) single-packet attacks
C) suspicious data payload
D) suspicious CRC value
14
Which of the following correctly represents the port used by FTP control traffic and FTP file transfer traffic respectively?

A) 20, 25
B) 21, 23
C) 20, 23
D) 21, 20
15
What is the term used when an IDPS doesn't recognize that an attack is underway?

A) false negative
B) true positive
C) negative activity
D) positive signature
16
What can an IDPS check to try to determine whether a packet has been tampered with or damaged in transit?

A) parity bit
B) CRC value
C) checksum
D) fragment offset
17
Which of the following is NOT among the items of information that a CVE reference reports?

A) attack signature
B) name of the vulnerability
C) description of vulnerability
D) reference in other databases
18
Which of the following is an element of the TCP header that can indicate that a connection has been established?

A) Flags
B) Stream index
C) SEQ/ACK analysis
D) Sequence number
19
Which element of an ICMP header would indicate that the packet is an ICMP echo request message?

A) Code
B) Type
C) Identifier
D) Data
20
What is the typical packet sequence for closing a TCP session?

A) FIN, FIN ACK, RST
B) FIN, ACK, FIN ACK, ACK
C) FIN ACK, FIN, ACK, RST
D) FIN, FIN ACK
21
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
sent when one computer wants to stop and restart the connection
22
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
a series of ICMP echo request packets in a range of IP addresses
23
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
all ports from 0 to 65,535 are probed one after another
24
In which type of scan does an attacker scan only ports that are commonly used by specific programs?

A) random scan
B) vanilla scan
C) ping sweep
D) strobe scan
25
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
a standard set of communications rules that allows one computer to request a service from another computer
26
A TCP packet with no flags set is referred to as a _________ packet.
27
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
crafted packets that are inserted into network traffic
28
In the three-way handshake, the first packet in the sequence has the ________ flag set.
29
In an RPC _________, a targeted host receives an RPC set request from a source IP address of 127.0.0.1.
30
Under which suspicious traffic signature category would a port scan fall?

A) informational
B) reconnaissance
C) denial of service
D) unauthorized access
31
A ______________ is made up of IP numbers and options, TCP flags, and port numbers that define a type of network activity.
32
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
used by attackers to delay the progression of a scan
33
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
an undocumented hidden opening through which an attacker can access a computer
34
Which type of scan has the FIN, PSH, and URG flags set?

A) Xmas scan
B) Null scan
C) FIN scan
D) SYN Scan
35
What is the packet called where a Web browser sends a request to the Web server for Web page data?

A) HTML SEND
B) HTTP XFER
C) HTTP GET
D) HTML RELAY
36
Which of the following is the description of a land attack?

A) the local host source address occurs in the packet
B) source and destination IP address/port are the same
C) an illegal TCP flag is found in the segment header
D) the attacker uses an undefined protocol number
37
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
the maximum packet size that can be transmitted
38
The _______________ part of a packet is the actual data sent from an application on one computer to an application on another.
39
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
lets the other computer know it is finished sending data
40
MATCHING
a. back door
b. MTU
c. ping sweep
d. scan throttling
e. packet injection
f. signature
g. vanilla scan
h. RPC
i. FIN packet
j. RST packet
a set of characteristics that define a type of network activity
41
What are the signatures of malformed packets that misuse the SYN and FIN flags? Briefly describe each.
42
What is the difference between a vanilla port scan and a strobe port scan?
43
What is the result of packets that are created which exceed the MTU of the network? How can this process be exploited?
44
What is signature analysis?
45
What is a multiple-packet attack and what is needed by an IDPS to detect one? Provide an example.
46
What is a selective acknowledgement and how does it affect transmissions?
47
Describe the SYN flag and how it is used in the three-way handshake.
48
Describe the purpose of the CVE and how it works.
49
List the four categories of suspicious traffic.