Which of the following BEST describes the type of attack that is occurring? (Select TWO).
A. DNS spoofing
B. Man-in-the-middle
C. Backdoor
D. Replay
E. ARP attack
F. Spear phishing
G. Xmas attack
Explanation:
We have a legitimate bank web site and a hacker's bank web site. The hacker has a laptop connected to the
network and is redirecting users of the bank web site to the hacker's bank web site instead of the legitimate
one. This can be done using two methods: DNS spoofing and an ARP attack (ARP poisoning).
A: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a
Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address,
diverting traffic to the attacker’s computer (or any other computer).
A domain name system server translates a human-readable domain name (such as example.com) into a
numerical IP address that is used to route communications between nodes. Normally if the server doesn’t
know a requested translation it will ask another server, and the process continues recursively. To increase
performance, a server will typically remember (cache) these translations for a certain amount of time, so
that, if it receives another request for the same translation, it can reply without having to ask the other
server again.
When a DNS server has received a false translation and caches it for performance optimization, it is
considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an
incorrect IP address, diverting traffic to another computer (in this case, the hacker bank web site server).
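The resolver-side defence against the poisoning described above is to accept a response only when it matches an outstanding query on every field an off-path attacker must guess (transaction ID, source port, question) and only when the answer is within the zone that was asked about (the "bailiwick" check). The following is an added example, not code from the page or from any real resolver; it models DNS messages as plain Python objects rather than wire format, and the upstream address 198.51.100.53 and the host names are constructed values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DnsQuery:
    txid: int
    src_port: int
    qname: str
    qtype: str


@dataclass
class DnsResponse:
    txid: int
    dst_port: int        # the port the response was sent to (our source port)
    server_addr: str     # address the response appears to come from
    qname: str
    qtype: str
    answer_name: str
    answer_ip: str


def in_bailiwick(name: str, qname: str) -> bool:
    """Accept an answer only for the queried name or a name inside its parent zone."""
    name, qname = name.lower().rstrip("."), qname.lower().rstrip(".")
    zone = qname.split(".", 1)[1] if "." in qname else qname
    return name == qname or name.endswith("." + zone)


class HardenedResolverCache:
    """Toy caching resolver (constructed for illustration): a response is cached
    only if it matches a pending query on txid, destination port, source server,
    question section and bailiwick; a response that matches nothing is dropped."""

    def __init__(self, upstream_addr: str):
        self.upstream_addr = upstream_addr
        self.pending: Dict[Tuple[int, int], DnsQuery] = {}
        self.cache: Dict[str, str] = {}

    def issue_query(self, qname: str, qtype: str = "A") -> DnsQuery:
        # Random 16-bit txid plus a random ephemeral source port: an off-path
        # forger must guess both (roughly 2^32 combinations), not just the txid.
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        q = DnsQuery(txid, port, qname.lower(), qtype)
        self.pending[(txid, port)] = q
        return q

    def accept(self, resp: DnsResponse) -> bool:
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:
            return False                      # unknown txid/port: forged or stale
        if resp.server_addr != self.upstream_addr:
            return False                      # not from the server we asked
        if resp.qname.lower() != q.qname or resp.qtype != q.qtype:
            return False                      # question section does not match
        if not in_bailiwick(resp.answer_name, q.qname):
            return False                      # out-of-bailiwick data is never cached
        del self.pending[(resp.txid, resp.dst_port)]   # one response per query
        self.cache[resp.answer_name.lower()] = resp.answer_ip
        return True


if __name__ == "__main__":
    r = HardenedResolverCache("198.51.100.53")
    q = r.issue_query("www.example.com")
    forged = DnsResponse((q.txid + 1) % 65536, q.src_port, "198.51.100.53",
                         "www.example.com", "A", "www.example.com", "203.0.113.9")
    legit = DnsResponse(q.txid, q.src_port, "198.51.100.53",
                        "www.example.com", "A", "www.example.com", "192.0.2.10")
    print("forged accepted:", r.accept(forged))   # False
    print("legit accepted:", r.accept(legit))     # True
    print("cache:", r.cache)
```

The example deliberately removes the pending entry once a matching response is cached, so a later copy of the same response (or a flood of guesses for an already-answered query) has nothing to match against.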
E: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker attacks an
Ethernet LAN by altering the target computer's ARP cache with forged ARP request and reply packets. This
replaces the Layer 2 Ethernet MAC address stored for a given IP address with the attacker's own MAC
address so that the traffic can be monitored. Because the ARP replies are forged, the target computer
unintentionally sends its frames to the attacker's computer first instead of sending them to the original
destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning
attempt is undetectable to the user.
ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).
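Because a successful ARP poisoning attempt is invisible to the user, detection has to happen on the network side: a monitor that watches ARP replies and alerts when an IP-to-MAC mapping changes, when a reply contradicts a statically known mapping (such as the default gateway), or when one MAC starts claiming several IP addresses. The following is an added example, not code from the page; the log lines are constructed in a tcpdump-like layout, and the addresses, MACs and the `max_ips_per_mac` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of ARP replies in a tcpdump-like format (not real traffic).
# The last two lines show de:ad:be:ef:00:99 claiming both the gateway and a host.
SAMPLE_LOG = """\
12:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

# Trusted static mapping for the gateway (assumed value for the example).
STATIC_MAP = {"192.168.1.1": "00:11:22:33:44:01"}

ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from ARP reply lines; MACs are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m["ip"], m["mac"].lower()))
    return pairs


def detect_arp_poisoning(replies: List[Tuple[str, str]],
                         static_map: Dict[str, str],
                         max_ips_per_mac: int = 1) -> List[str]:
    """Return alert strings for replies that look like cache poisoning.

    Three heuristics are applied in order for each reply:
      1. a MAC claiming more distinct IPs than max_ips_per_mac (an attacker
         typically claims both the gateway and the victim);
      2. a reply contradicting a statically known IP->MAC mapping;
      3. a dynamically learned mapping changing to a different MAC.
    Heuristic 1 can fire on legitimate multi-homed hosts, so tune the threshold.
    """
    learned: Dict[str, str] = {}
    ips_by_mac: Dict[str, set] = defaultdict(set)
    alerts: List[str] = []
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append(f"mac {mac} now claims {sorted(ips_by_mac[mac])}")
        expected = static_map.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"static mismatch: {ip} claimed by {mac}, expected {expected}")
            continue
        previous = learned.setdefault(ip, mac)
        if previous != mac:
            alerts.append(f"mapping change: {ip} was {previous}, now {mac}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_LOG), STATIC_MAP):
        print("ALERT:", alert)
```

On a real network the same logic would be fed from a packet capture or a switch's DHCP snooping / Dynamic ARP Inspection logs; the point of the example is that each heuristic keys on something the forged reply cannot avoid revealing (a second MAC for a known IP, or one MAC for several IPs).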
Incorrect Answers:
B: In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM,
MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the
communication between two parties who believe they are directly communicating with each other. One
example is active eavesdropping, in which the attacker makes independent connections with the victims
and relays messages between them to make them believe they are talking directly to each other over a
private connection, when in fact the entire conversation is controlled by the attacker. The attacker must
be able to intercept all relevant messages passing between the two victims and inject new ones. This is
straightforward in many circumstances; for example, an attacker within reception range of an unencrypted
Wi-Fi wireless access point can insert himself as a man-in-the-middle. This is not the attack
illustrated in this question.
C: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal
authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so
on, while attempting to remain undetected. The backdoor may take the form of an installed program
(e.g., Back Orifice) or may subvert the system through a rootkit.
A backdoor in a login system might take the form of a hard coded user and password combination which
gives access to the system.
Although the number of backdoors in systems using proprietary software (software whose source code is
not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers
have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs,
although such cases may involve official forbearance, if not actual permission. This is not the attack
illustrated in this question.
D: A replay attack (also known as playback attack) is a form of network attack in which a valid data
transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator
or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by
IP packet substitution (such as stream cipher attack).
For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of
identity, which Alice dutifully provides (possibly after some transformation like a hash function);
meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the
interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends
Alice’s password (or hash) read from the last session, which Bob accepts thus granting access to Eve. This
is not the attack illustrated in this question.
F: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking
unauthorized access to confidential data. As with the e-mail messages used in regular phishing
expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually
appear to come from a large and well-known company or Web site with a broad membership base, such
as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be
an individual within the recipient's own company and generally someone in a position of authority. This is
not the attack illustrated in this question.
G: In information technology, a Christmas tree packet is a packet with every single option set for
whatever protocol is in use. The term derives from a fanciful image of each little option bit in a header
being represented by a different-colored light bulb, all turned on, as in, “the packet was lit up like a
Christmas tree.” It can also be known as a kamikaze packet, nastygram or a lamp test segment.
Christmas tree packets can be used as a method of divining the underlying nature of a TCP/IP stack by
sending the packets and awaiting and analyzing the responses. When used as part of scanning a system,
the TCP header of a Christmas tree packet has the flags SYN, FIN, URG and PSH set. Many operating
systems implement their compliance with the Internet Protocol standard (RFC 791) in varying or
incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet,
assumptions can be made regarding the host’s operating system. Versions of Microsoft Windows,
BSD/OS, HP-UX, Cisco IOS, MVS, and IRIX display behaviors that differ from the RFC standard when
queried with said packets.
A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact
that Christmas tree packets require much more processing by routers and end-hosts than the ‘usual’
packets do.
Christmas tree packets can be easily detected by intrusion-detection systems or more advanced firewalls.
From a network security point of view, Christmas tree packets are always suspicious and indicate a high
probability of network reconnaissance activities. This is not the attack illustrated in this question.
References:
http://en.wikipedia.org/wiki/DNS_spoofing
http://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp-poisoning
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
http://en.wikipedia.org/wiki/Backdoor_%28computing%29
http://en.wikipedia.org/wiki/Replay_attack
http://searchsecurity.techtarget.com/definition/spear-phishing
http://en.wikipedia.org/wiki/Christmas_tree_packet