6. A malicious hacker is trying to crash your web site by using various Denial of Service attacks. Which two flaws should you protect against for this specific threat?
A. XSS attacks
B. Authentication failures
C. Man in the middle
D. Session hijacking
E. Weak password exploits
F. Authorization failures
Correct Answers: C and D
Another mock exam (from the Web):
64. Your competitor is trying to crash your web site by using various Denial of Service attacks. Which two flaws should you protect against for this specific threat? (Choose two.)
A. SQL injection
B. buffer overflow
C. Man in the middle
D. session hijacking
E. weak password exploits
Correct Answers: A, B
Who is right? The former or the latter?
Disclaimer: The following is a discussion around the subject, not an answer.
Under the section Methods of Attack in the article on Denial of Service attacks we can read that there are two basic forms of attack:
Crashing a service
Flooding a service
XSS Attacks
The main purpose of Cross Site Scripting attacks is to bypass security.
This in itself leads neither to crashing nor to flooding the service, but may be a first step in such an attempt.
Man in the Middle
Man in the Middle attacks enable listening to encrypted communication and injection of new and/or manipulated messages.
Passive listening to communication will neither flood nor crash a service. Injection of new or manipulated messages may.
I still feel that the Man in the Middle attack is more a step in the direction of crashing or flooding a service, not the form of attack that actually crashes/floods the service.
For instance, in order to know that the injection of a new/manipulated message actually has some effect, an attacker may construct the message as to take advantage of a buffer overflow flaw.
Session Hijacking
Session hijacking enables access to a service using some other person's or system's credentials.
Again, this attack may indirectly facilitate crashing or flooding a system but only in combination with other attacks.
SQL Injection
SQL injection enables execution of arbitrary SQL code in the target system.
It is commonly not used to crash or flood services, but rather to gain unauthorized access to a system and steal information.
However, it may be used as a means to crash a service by, for instance, injecting a SQL statement that deletes all the users of the system or some other vital data.
Buffer Overflow
A buffer overflow flaw allows writing of arbitrary data, or code, to memory - for instance the stack.
A buffer overflow attack could overwrite the stack or program memory and thereby disrupt the execution of a service - crashing it.
Buffer overflow attacks may also allow for execution of code crafted by the attacker, whose purpose may be to crash the service.
My personal conclusion is that SQL Injection and Buffer Overflow are the forms of attack most closely related to Denial of Service attacks.
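As an added illustration of the SQL injection case discussed in the post above (example code added here, not part of the original thread, the exam material, or any product), the following shows how an injected statement can wipe vital data and so deny service. It assumes a hypothetical "delete my account" handler backed by SQLite, with a constructed users table as sample data; the vulnerable handler builds the query by string concatenation, the hardened one binds the name as a parameter.

```python
import sqlite3

# Constructed sample data: the "vital data" a service needs to keep working.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Payload for the hypothetical handler: closes the quoted string and appends
# a tautology, so the WHERE clause matches every row.
INJECTION_PAYLOAD = "x' OR '1'='1"


def make_db():
    """Fresh in-memory database so every call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def user_count(conn):
    """Number of accounts still present; 0 means the service has lost all its users."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_vulnerable(conn, name):
    """Hypothetical handler that splices caller input into the SQL text.

    With INJECTION_PAYLOAD the statement becomes
        DELETE FROM users WHERE name = 'x' OR '1'='1'
    and every account is removed in a single request.
    """
    sql = "DELETE FROM users WHERE name = '" + name + "'"
    conn.execute(sql)
    conn.commit()
    return user_count(conn)


def delete_user_safe(conn, name):
    """Same handler with a parameterised query.

    The name is bound as data and never parsed as SQL, so the payload is
    compared literally against the name column, matches no row, and deletes nothing.
    """
    conn.execute("DELETE FROM users WHERE name = ?", (name,))
    conn.commit()
    return user_count(conn)


if __name__ == "__main__":
    print("legitimate delete, vulnerable handler:", delete_user_vulnerable(make_db(), "alice"))
    print("injected delete, vulnerable handler:  ", delete_user_vulnerable(make_db(), INJECTION_PAYLOAD))
    print("injected delete, hardened handler:    ", delete_user_safe(make_db(), INJECTION_PAYLOAD))
```

Run as a script it prints 2, 0 and 3 users remaining respectively: the injected request against the concatenating handler empties the table, while the parameterised handler treats the same input as an ordinary (non-existent) user name. This is the "deletes all the users" scenario from the post, which denies service to every legitimate user without flooding anything.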
Thanks for your reply Ivan.
I agree with you that Man in the middle and Session hijacking are more a step in the direction of crashing or flooding a service, not the form of attack that actually crashes/floods the service.
As we can read here (http://en.wikipedia.org/wiki/Session_hijacking), it is more a "component" of such attacks:
"A common component of such an attack (Session hijacking) is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss."
I know Mark Cade uses this forum, would be great if he could give us his opinion on the subject.
I agree with Cade that it is C and D. Both are ways someone can stop a user from getting to the site. The actual site doesn't need to be down to mount a denial of service attack. Users just have to be stopped from getting to it or keep getting forcibly logged out.