Which of the following threats has a dedicated FirePOWER preprocessor engine? (Select the best answer.)
A. Back Orifice
B. distributed port scan
C. port sweep
D. SYN flood
Explanation:
Of the choices provided, only Back Orifice is a threat that has a dedicated FirePOWER preprocessor engine. A FirePOWER Intrusion Prevention System (IPS) has several predefined preprocessor engines that can be used in network policies to detect specific threats? the preprocessors focus on detecting Back Orifice attacks, detecting port scan attacks, preventing ratebased attacks, and detecting sensitive data.
Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain complete administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first eight bytes of a User Datagram Protocol (UDP) packet.
The ratebased prevention preprocessor detects traffic abnormalities, including SYN flood attacks, based on the frequency of certain types of traffic. The following traffic patterns can trigger ratebased attack prevention:
– Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
– Traffic containing excessive complete TCP connections
– Excessive rule matches for a particular IP address or range of IP addresses
– Excessive rule matches for one particular rule regardless of IP address
Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor. Port scanning traffic can be an indicator that an attacker is conducting network reconnaissance prior to an attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the activity patterns found in the analysis of port scanning traffic.
Reference:
Cisco: Detecting Specific Threats: Detecting Back Orifice