Questions and Answers
What happens if the number of TCP retransmissions reaches 5 on the server?
- The half-open connection is expired. (correct)
- The TCP stack resets the connection automatically.
- The connection remains active indefinitely.
- The server conserves resources by ignoring retransmissions.
What is the default value of the parameter 'net.ipv4.tcp_synack_retries', which influences the duration of half-open connections?
- 2
- 10
- 3
- 5 (correct)
In virtualized environments, what cause does VM NAT dropping with an RST response indicate?
- The SYN/ACK packet has no corresponding SYN record. (correct)
- The VM is running out of memory resources.
- The TCP connection is established successfully.
- The NAT cloud is overloading the VM.
What is the significance of the round trip time displayed by 'ip tcp_metrics show'?
How does reducing the size of the SYN queue affect SYN flooding attacks?
What is a primary method used in TCP session hijacking?
In the context of TCP reset attacks, what is essential for spoofing a reset packet?
Which scenario describes an action that would NOT typically occur during a TCP session hijacking attack?
What does the 'receiver window' refer to in the context of fast-moving ACK numbers during video streaming?
What is the main goal of a TCP reset attack?
What is a primary method through which an attacker can gain unauthorized access to a TCP session?
What role does the Seq# play in a TCP session?
What is required for a TCP RST attack concerning the Seq#?
For session hijacking, how should the Seq# be provided?
What is a key characteristic of manual spoofing in session hijacking?
What happens if the Seq# is too large during an attack?
In automatic spoofing for session hijacking, what information is necessary?
What is a common method used to find the next Seq# for packet injection?
What is a consequence of triggering the SYN Cookie countermeasure?
What happens when SYN Cookie is enabled during a TCP connection attempt?
What is the primary purpose of using a SYN Cookie in TCP connections?
How does the TCP Reset Attack typically function?
What role does the sequence number play when SYN Cookies are used?
What is the consequence of not reserving resources for a SYN packet in the SYN queue?
What mechanism is employed to compute the SYN Cookie?
What does it mean when a connection is marked as a 'proven destination' in TCP?
What happens to the session during a session hijacking attack?
What is the purpose of redirecting standard input and standard output in a reverse shell?
What does the command '0&1' represent in the context of a reverse shell on Unix?
Why won’t a firewall allow an attacker to connect to the victim's machine through usual connections?
What is a significant risk associated with attempting session hijacking techniques on unauthorized targets?
Study Notes
VirtualBox and VM NAT
- VM NAT can drop packets by responding with RST because SYN/ACK lacks the SYN record.
SYN Flooding Attack Countermeasures
- TCP retransmission on the server resets half-open connections after 5 retries (`net.ipv4.tcp_synack_retries = 5`).
- A SYN flood attack must send multiple packets faster than the server resets connections.
- The SYN queue size can be modified (`net.ipv4.tcp_max_syn_backlog = 512`) to reduce defenses against attacks.
TCP Cache and SYN Cookies
- TCP cache keeps a quarter of its queue available for proven connections, preventing resource reservation without active connections.
- SYN cookie helps mitigate SYN flooding by avoiding storage of SYN packets until resources are actually needed.
- A hash is computed from the IP address and port before sending the SYN/ACK; it matches with an incoming ACK to reserve resources.
TCP Reset Attack
- Closing TCP connections can be likened to completing a phone call.
- Fast-moving ACK numbers in streaming require guessing to fit into the receiver's window.
Constructing RST Packets
- Sniffing TCP packets allows creating and spoofing RST packets to terminate active connections.
- Effectiveness diminishes in encrypted connections like SSH.
TCP Session Hijacking
- An attacker can take over an existing TCP session, inserting malicious data or gaining unauthorized access.
- Once the session is established, security relies on the sequence number defined in TCP packets.
- Process includes sniffing, guessing or predicting the sequence number, injecting packets, and taking over the session.
Sequence Number Importance
- Sequence numbers in packets must be accurate for both TCP RST attacks and session hijacking.
- For RST attacks, an attacker needs to provide `x+1` as the sequence number.
Session Hijacking Techniques
- Manual spoofing requires the acknowledgment bit to be set to include the correct Ack#.
- Automatic spoofing can use previously known values to replicate sequence accuracy, easing the injection process.
Impacts on TCP Sessions
- During hijacking, continuous packet exchanges freeze the client's side, manipulating the session dynamics.
Reverse Shell Exploits
- Attackers can bypass firewalls using reverse shells obtained via successful session hijacking, creating a shell on the attacker's machine.
- With Unix, standard input and output can be redirected allowing remote execution of commands that transmit error messages back to the attacker.
Description
This quiz covers various aspects of network security focusing on TCP attacks such as SYN flooding and TCP reset attacks. It also discusses countermeasures like SYN cookies and adjusting TCP settings to mitigate these vulnerabilities. Test your understanding of how these concepts relate to network performance and security.