428 Appendix A ■ Answers to Review Questions
- D. Throttling network traffic will slow down a potential DoS attack; however, an ingress filter will check for internal addresses coming in from the public side. This is a good indicator of a spoofed IP.
- A. A land attack fits this description. Smurf attacks deal with ICMP echo requests going back to a spoofed target address. SYN floods use custom packets that barrage a target with requests. Teardrop attacks use custom fragmented packets that have overlapping offsets.
- B. Adding an item to the stack is known as pushing, and removing an item from the stack is known as popping. Remember that adding and removing occur only at the top.
- C. Reverse proxies are implemented to protect the destination resource, not the client or user. In this scenario, a reverse proxy will field all outside requests, thereby preventing direct traffic to the web server and reducing the risk of a DoS attack.
- A. A DDoS attacker commonly uses IRC to communicate with handlers, which in turn send the attack signal to the infected clients (zombies).
- B. Along with the stack, the heap provides a program with a dynamic memory space that can serve as a nonsequential storage location for variables and program items.
- A, B, C, D. All of these C functions are considered dangerous because they do not check memory bounds. Thus, code containing any of these can be part of a buffer overflow attack.
- B. The stack uses a last-in, first-out scheme. Items are pushed onto or popped from the top, so at any time the only accessible item on the stack is the last one pushed there.
- B. Looking at the number of SYN flags without a full handshake, it appears a SYN flood is occurring.
- C. The DDoS tool Low Orbit Ion Cannon (LOIC) is a single-button utility that is suspected of being used in large-scale DDoS attacks.
- B. Targa has eight different DoS attacks included in its capabilities. TFN2K and Trinoo are designed to carry out DDoS attacks and be a part of a botnet.
- D. Although the nmap and zenmap utilities can activate specific TCP flags based on the custom scan desired, the hping3 utility was designed for creating custom packets and manipulating TCP flags.
- C. UDP is the protocol that is used to carry out a fraggle attack. ICMP plays a role in ping floods, which is a different type of attack. TCP and IPX do not play any role in this type of attack.
- A. A smurf attack uses the TCP protocol to carry out its action, whereas the UDP protocol is used during fraggle attacks. ICMP is not used in either attack.
- B. The main difference between the two types of attacks is the number of attackers. The goal is the same and the scale is different but hard to define. Protocols have no bearing and are irrelevant.
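Two of the answers above describe detection logic in words: the ingress filter that flags internal source addresses arriving from the public side (the spoofed-IP indicator), and the observation that many SYN flags without completed handshakes point to a SYN flood. The following is an added example, not code from the study guide, that runs both checks over constructed flow records. The record layout, the interface names `outside`/`inside`, the internal prefixes and the thresholds are assumptions made for the illustration.

```python
"""
Added example (not from the study guide): two defender-side checks that the
answer key describes in prose, run over constructed flow records.

  1. Ingress filtering: a record seen on the public-facing interface whose
     source address falls inside our own address space is a spoofing indicator.
  2. SYN flood indication: per destination, many SYNs with few completing ACKs.

Record layout, interface names, prefixes and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space for the example (RFC 1918 ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed flow records: (interface, src, dst, flags).
# "S" = SYN only (handshake started), "A" = client ACK (handshake completed).
SAMPLE_FLOWS = [
    ("outside", "203.0.113.9",  "192.168.1.10", "S"),
    ("outside", "203.0.113.9",  "192.168.1.10", "A"),  # this one completed
    ("outside", "10.1.2.3",     "192.168.1.10", "S"),  # internal src from the public side
    ("outside", "198.51.100.2", "192.168.1.10", "S"),
    ("outside", "198.51.100.3", "192.168.1.10", "S"),
    ("outside", "198.51.100.4", "192.168.1.10", "S"),
    ("outside", "198.51.100.5", "192.168.1.10", "S"),
    ("inside",  "192.168.1.50", "192.168.1.20", "S"),  # internal src on inside: normal
    ("inside",  "192.168.1.50", "192.168.1.20", "A"),
    ("outside", "203.0.113.7",  "192.168.1.20", "S"),
    ("outside", "203.0.113.7",  "192.168.1.20", "A"),
]


def spoofed_ingress(flows, internal=INTERNAL_PREFIXES, public_if="outside"):
    """Return records that arrived on the public interface with an internal source.

    Only the public-facing interface is examined; internal addresses are
    expected on the inside interface and are not flagged there.
    """
    hits = []
    for iface, src, dst, flags in flows:
        if iface != public_if:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in internal):
            hits.append((iface, src, dst, flags))
    return hits


def syn_flood_indicator(flows, ratio_threshold=0.8, min_syns=5):
    """Per destination, compare SYNs seen with handshakes that completed.

    A destination is marked suspect when it received at least `min_syns` SYNs
    and the share of SYNs with no matching completing ACK is at or above
    `ratio_threshold`. Both thresholds are assumed values for the example.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _, _src, dst, flags in flows:
        if flags == "S":
            syns[dst] += 1
        elif flags == "A":
            acks[dst] += 1
    report = {}
    for dst, n in syns.items():
        incomplete = max(n - acks[dst], 0)
        ratio = incomplete / n
        report[dst] = {
            "syn": n,
            "ack": acks[dst],
            "incomplete_ratio": round(ratio, 2),
            "suspect": n >= min_syns and ratio >= ratio_threshold,
        }
    return report


if __name__ == "__main__":
    for rec in spoofed_ingress(SAMPLE_FLOWS):
        print("possible spoofed source on public interface:", rec)
    for dst, info in syn_flood_indicator(SAMPLE_FLOWS).items():
        print(dst, info)
```

In the constructed data, `192.168.1.10` receives six SYNs but only one completing ACK, so it is reported as suspect, while `192.168.1.20` completes every handshake and is not; the single `10.1.2.3` record is the only one that trips the ingress check, because the same kind of address on the inside interface is normal traffic.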