Effective CISSP Questions

The E-commerce web site of your company is suffering a DoS attack by flooding Christmas tree packets on Christmas day when the incident response team members are going home for a family reunion. Which of the following best describes this attack?
A. A Christmas tree packet is an IP packet with flags FIN, PSH, and URG turned on
B. A Christmas tree attack comes from the logic bomb on zombies triggered on Christmas day
C. A Christmas tree attack is one type of cryptanalysis attack
D. A Christmas tree packet affects both routers and the endpoints

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. A Christmas tree packet affects both routers and the endpoints.

The term “Christmas tree packet” is commonly used (e.g., on Wikipedia), but it is inappropriate because the Christmas tree attack is a TCP-level attack. The flags in question belong to the TCP header, and the TCP “segment” is typically encapsulated as the payload of an IP packet.

TCP Header

In information technology, a Christmas tree packet is a packet with every single option set for whatever protocol is in use. The term derives from a fanciful image of each little option bit in a header being represented by a different-colored light bulb, all turned on, as in “the packet was lit up like a Christmas tree”.

When used as part of scanning a system, the TCP header of a Christmas tree packet has the flags FIN, URG and PSH set.

A Christmas tree attack is NOT tied to Christmas day; it can be launched at any time.

OS Inferences

A Christmas tree attack is NOT a cryptanalysis attack.

By observing how a host responds to an odd packet, such as a Christmas tree packet, inferences can be made regarding the host’s operating system.

Routers and Endpoints

A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the “usual” packets do.
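To make the TCP-level point concrete from the defender's side, here is an added example (not part of the original post) that reads the flags byte of a raw TCP segment, flags the FIN, URG and PSH combination described above, and tallies results so a flood can be spotted by rate. The helper names and the sample segments are constructed for illustration.

```python
import struct
from collections import Counter

# TCP flag bits, byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
XMAS = FIN | PSH | URG


def build_segment(flags, sport=40000, dport=80):
    """Constructed sample input: 20-byte TCP header, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(segment):
    """Return the flags byte of a raw TCP segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header (minimum is 20 bytes)")
    # source port, destination port, sequence, acknowledgment, data offset, flags
    *_, flags = struct.unpack("!HHIIBB", segment[:14])
    return flags


def classify(segment):
    flags = tcp_flags(segment)
    if flags & 0x3F == 0x3F:
        return "all-flags"  # all six classic flag bits lit
    if flags & XMAS == XMAS and not flags & (SYN | RST | ACK):
        # FIN+PSH+URG without ACK: segments on an established connection carry ACK
        return "xmas"
    return "normal"


def summarize(segments):
    """Count classifications, e.g. to feed a rate threshold for flood alerting."""
    return Counter(classify(s) for s in segments)


if __name__ == "__main__":
    capture = [build_segment(XMAS)] * 3 + [build_segment(PSH | ACK), build_segment(0x3F)]
    print(summarize(capture))
```

Note that the check operates on the TCP header only; nothing in the IP header distinguishes a Christmas tree segment from any other TCP traffic.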


