Users report connections to the enterprise information portal (EIP) often timed out because of poor network performance. As a security analyst, you suspect it can be resulted from denial-of-service (DOS) or distributed DOS (DOS) attacks. You connect your laptop to the mirror port of the core switching hub and start capturing traffic in promiscuous mode. Which of the following attack targets is least likely to appear in the captured traffic? (Source: Wentz QOTD)
A. 10.10.255.255/22
B. 10.10.254.0/22
C. 10.10.253.255/22
D. 10.10.252.0/22
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. 10.10.252.0/22.
The IP addresses of the subnet, 10.10.252.0/22:
- Broadcast: 10.10.255.255/22
- Unicast: 10.10.254.0/22 and 10.10.253.255/22
- Subnet/Network address: 10.10.252.0/22
The subnet IP address, 10.10.252.0/22, won’t be delivered and captured on the network. IP packets are delivered in the forms of unicast, broadcast, and multicast. Subnet IP addresses won’t be assigned to the IP field, Destination IP Addresses, and delivered as IP packets on the network; they are typically used when configuring routers and transmitted as payloads of routing protocols, e.g., RIP, OSPF, etc.
Subnetting
Is Subnetting Too Deep for CISSP?
IMHO, it’s a no. I’m afraid it’s the essential concept that a CISSP should know, let alone the ISC2 claims in the CISSP Exam Outline that “CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.”
CISSP Certification Exam Outline
Mirror Port
The mirror port of a switching hub support port mirroring, “also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.” (MiaRec)
Promiscuous Mode
In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a wired network or one being part of a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization.
Source: Wikipedia
Source: Wireshark User’s Guide
DoS and DDoS Attacks
DoS
A “Denial of Service,” or “DoS” attack, is a category of advanced cyberattack in which a single malicious user denies legitimate users access to a service by blocking or exhausting the resources of a victim system. The DoS is commonly carried out through some form of flooding mechanism, which generates a large volume of network traffic around the area of the target system, resulting in undesirable network congestion and bandwidth utilization. This flooding causes the system to perform too much processing and responding, an aspect called “amplification.”
- Physical DoS
- The Smurf Attack
- The Fraggle Attack
- The LAND Attack
- The Tear Drop Attack
- The Ping of Death
- DNS Amplification Attack
- Logical DoS
- The Permanent DoS Attack
DDoS
The “Distributed Denial of Service (DDoS) attack differs from a regular DoS attack in that it’s a large-scale, coordinated attack originating from MANY attacking computers. Most DDoS attacks are launched from a bot herder who uses his botnet (hundreds or thousands of compromised “zombie” computers) to attack a target system. Compared to a DoS attack that uses just one attacker, the DDoS attack gives the attacker the ability to wage a larger and more disruptive attack.
Source: DoS and DDoS Attacks: How They’re Executed, Detected, and Prevented
Reference
- IP Subnet Calculator
- Using 31-Bit Prefixes on IPv4 Point-to-Point Links
- Do routers forward broadcast traffic?
- Changing the Default for Directed Broadcasts in Routers
- Requirements for IP Version 4 Routers (Limited and Directed Broadcast)
- BROADCASTING INTERNET DATAGRAMS
- BROADCASTING INTERNET DATAGRAMS IN THE PRESENCE OF SUBNETS
- Unicast Broadcast Multicast | IP Address
- Port mirroring
- What is port mirroring?
- DoS and DDoS Attacks: How They’re Executed, Detected, and Prevented
- Wireshark User’s Guide
- Port Mirroring – A Definition & How It Works (Tutorial) & LAB!
使用者反應連線公司入口網站(EIP)時常因網絡效能不佳而逾時。 作為安全分析人員,您懷疑這可能是由於阻斷式(DoS)或DDoS攻擊造成的。 您將筆電連接到核心交換器的鏡像端口,並開始以混雜(promiscuous)模式截取流量。 以下哪個攻擊目標最不可能出現在截獲的流量中?
A. 10.10.255.255/22
B. 10.10.254.0/22
C. 10.10.253.255/22
D. 10.10.252.0/22
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.