Instant Download
Sample Chapters
1
Chapter 1: Introducing TCP/IP
TRUE/FALSE
1. When two or more RFCs cover the same topic, they usually also share the same title.
ANS: T PTS: 1 REF: 7
2. RFC 3300 describes how an RFC is created and what processes it must go through to become an
official standard, adopted by the IETF.
ANS: F PTS: 1 REF: 7
3. A divide and conquer approach permits concerns related to networking hardware to be completely
separated from those related to networking software.
ANS: T PTS: 1 REF: 8-9
4. PDUs typically include 揺nvelope information? in the form of specific headers and trailers.
ANS: T PTS: 1 REF: 11
5. The Session layer is equipped to request retransmission of all erroneous or missing PDUs when
reassembly is underway, so that it can guarantee reliable delivery of data from sender to receiver.
ANS: F PTS: 1 REF: 14
MULTIPLE CHOICE
1. The term ____ refers to a single logical network composed of multiple physical networks, which
may all be at a single physical location, or spread among multiple physical locations.
a. internetwork c. connection-oriented
b. session d. checksum
ANS: A PTS: 1 REF: 3
2. The ____ is the parent organization for all the various Internet boards and task forces.
a. ICANN c. Internet Architecture Board
b. Internet Engineering Task Force d. Internet Society
ANS: D PTS: 1 REF: 6
3. The ____ is the group responsible for drafting, testing, proposing, and maintaining official Internet
Standards, in the form of RFCs, through the agencies of multiple working groups under its
purview.
a. ICANN c. Internet Architecture Board
b. Internet Engineering Task Force d. Internet Society
ANS: B PTS: 1 REF: 6
2
4. The ____ is responsible for the more forward-looking activities of the ISOC, and handles research
and development work for topics too far-out or impractical for immediate implementation, but
which may (or may not) have a role to play on the Internet some day.
a. ICANN c. Internet Research Task Force
b. Internet Engineering Task Force d. Internet Society
ANS: C PTS: 1 REF: 6
5. The ____ is ultimately responsible for managing all Internet domain names, network addresses,
and protocol parameters and behaviors.
a. ICANN c. Internet Research Task Force
b. Internet Engineering Task Force d. Internet Society
ANS: A PTS: 1 REF: 6
6. The ____ includes the physical transmission medium (cables or wireless media) that any network
must use to send and receive the signals that constitute the physical expression of networked
communications.
a. Data Link layer c. Network layer
b. Physical layer d. Transport layer
ANS: B PTS: 1 REF: 11
7. It is the job of the ____ to enable reliable transmission of data through the Physical layer at the
sending end, and to check such reliability upon reception at the receiving end.
a. Data Link layer c. Network layer
b. Physical layer d. Transport layer
ANS: A PTS: 1 REF: 12
8. The ____ is where notions of network location are addressed and where the intricacies involved in
directing a PDU from sender to receiver are handled.
a. Data Link layer c. Network layer
b. Application layer d. Transport layer
ANS: C PTS: 1 REF: 12
9. The ____ is where ongoing communications between a sender and a receiver, somewhat like a
telephone conversation, are set up, maintained, and then terminated, or torn down,as needed.
a. Session layer c. Network layer
b. Physical layer d. Presentation layer
ANS: A PTS: 1 REF: 14
10. The ____ manages the way data is presented to the network (on its way down the protocol stack),
and to a specific machine/application combination (on its way up the protocol stack).
a. Session layer c. Network layer
b. Physical layer d. Presentation layer
ANS: D PTS: 1 REF: 14
11. The ____ defines an interface that applications can use to request network services, rather than
referring directly to applications themselves.
a. Application layer c. Session layer
b. Physical layer d. Presentation layer
ANS: A PTS: 1 REF: 15
3
12. The TCP/IP Application layer also is known as the ____ layer because this is where the protocol
stack interfaces with applications or processes on a host machine.
a. Session c. Process
b. Network d. Transport
ANS: C PTS: 1 REF: 20
13. Combining the various sources of outgoing data into a single output data stream is called ____.
a. segmentation c. protocol analysis
b. demultiplexing d. multiplexing
ANS: D PTS: 1 REF: 21
14. ____ assign a series of numbers to represent a sizable collection of TCP/IP-based network
services, such as file transfer (FTP), terminal emulation (Telnet), and e-mail.
a. Well-known protocols c. Data frames
b. Daemons d. Datagrams
ANS: A PTS: 1 REF: 21
15. TCP/IP application processes are sometimes called ____ and are identified by port numbers.
a. well-known protocols c. network services
b. hosts d. display filters
ANS: C PTS: 1 REF: 23
16. Many PDUs include a characteristic closing component called a ____ that provides data integrity
checks for the data portion of the PDU, known as the payload.
a. well-known protocol c. network service
b. trailer d. host
ANS: B PTS: 1 REF: 24
17. ____ is the process of tapping into the network communications system, capturing packets that
cross the network, gathering network statistics, and decoding the packets into readable form.
a. Segmentation c. Encapsulation
b. Multiplexing d. Protocol analysis
ANS: D PTS: 1 REF: 24
18. A(n) ____ is a holding area for packets copied off the network.
a. trace buffer c. packet
b. payload d. layer
ANS: A PTS: 1 REF: 27
19. ____ are applied to the packets that are captured into the trace buffer.
a. Ports c. Filters
b. Runts d. Decodes
ANS: D PTS: 1 REF: 27
20. Many analyzers have configurable ____ that indicate unusual network events or errors.
a. ports c. sockets
b. alarms d. sessions
ANS: B PTS: 1 REF: 27
4
21. Remote Monitoring (RMON) uses the ____ to collect traffic data at a remote switch and send the
data to a management device.
a. Simple Network Management Protocol c. Virtual Private Network
b. User Datagram Protocol d. Wide Area Information Service
ANS: A PTS: 1 REF: 29
COMPLETION
1. The ____________________ layer also coordinates the sending and receiving of signals across
the networking medium, and determines what kinds of cables, connectors, and network interfaces
must be used to access a specific area on a network.
ANS: Physical
PTS: 1 REF: 11
2. The primary function of the ____________________ layer is to provide a globally unique address
to every host on the Internet and paths to and from hosts.
ANS: Network
PTS: 1 REF: 12
3. ____________________ involves cutting up a big message into a numbered sequence of chunks,
called segments, in which each chunk represents the maximum data payload that the network
media can carry between sender and receiver.
ANS: Segmentation
PTS: 1 REF: 13
4. The Session layer includes mechanisms to maintain reliable ongoing conversations, called
____________________.
ANS: checkpoints
PTS: 1 REF: 14
5. The most important TCP/IP Network Access layer protocol is ____________________.
ANS:
PPP
Point-to-Point Protocol
point-to-point protocol
point to point protocol
PTS: 1 REF: 17
5
MATCHING
Match each item with a statement below.
a. 1978 f. Packet
b. 1983 g. TCP/IP Network Access layer
c. NSFNET h. Datagrams
d. Data link layer i. Hosts
e. Frames
1. a long-haul, high-speed network launched in 1986 by the NSF
2. manages point-to-point transmission across the networking medium, from one computer to another
on a single logical or physical cable segment
3. the PDU associated with the Network layer
4. Internet Protocol version 4 came into existence
5. devices that operate on the Internet
6. the layer where LAN technologies, such as Ethernet, token ring, and wireless media and devices,
come into play
7. the Defense Communications Agency took over operation of the ARPANET from DARPA
8. PDUs at the TCP/IP Network Access Layer
9. Data Link layer PDUs
1. ANS: C PTS: 1 REF: 4
2. ANS: D PTS: 1 REF: 12
3. ANS: F PTS: 1 REF: 13
4. ANS: A PTS: 1 REF: 3
5. ANS: I PTS: 1 REF: 19
6. ANS: G PTS: 1 REF: 16
7. ANS: B PTS: 1 REF: 3
8. ANS: H PTS: 1 REF: 16
9. ANS: E PTS: 1 REF: 12
SHORT ANSWER
1. What is the purpose of the Internet Architecture Board?
ANS:
The Internet Architecture Board (IAB), a.k.a. Internet Activities Board, is the arm of the ISOC that
is the parent organization for the standards-making and research groups that handle current and
future Internet technologies, protocols, and research. As such, the IAB抯 most important task is to
provide oversight for the architecture for all Internet protocols and procedures, and to supply
editorial oversight over the documents known as Requests for Comments (RFCs), wherein Internet
Standards are stated, and so forth.
PTS: 1 REF: 6
6
2. What is the purpose of the Internet Engineering Task Force (IETF)?
ANS:
The Internet Engineering Task Force (IETF) is the group responsible for drafting, testing,
proposing, and maintaining official Internet Standards, in the form of RFCs, through the agencies
of multiple working groups under its purview. The IETF and the IAB use a process accurately
described as 搑ough consensus? to create Internet Standards. This means that all participants in the
standards-making process, a type of peer review process, must more or less agree before a
standard can be proposed, drafted, or approved. Sometimes that consensus can be pretty rough
indeed! For more information about the IETF, visit www.ietf.org.
PTS: 1 REF: 6
3. The reference model described in ISO Standard 7498 breaks network communication into seven
layers. List each layer from top to bottom.
ANS:
The seven layers, from top to bottom, are:
Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data Link layer
Physical layer
PTS: 1 REF: 10
4. Provide brief descriptions of the following protocols: High-level Data Link Control (HDLC)
protocol and frame relay.
ANS:
High-level Data Link Control (HDLC) protocol: Based on IBM抯 original SNA Data Link Control
(SDLC) protocol. HDLC uses data frames to manage network links and data transmission.
Frame relay: A telecommunications service designed to support intermittent data transmission
between local area networks and wide area network end points. Frame relay uses data frames to
manage network links and data transmission.
PTS: 1 REF: 17
7
5. Briefly describe the three primary tasks that the Internet layer handles for TCP/IP.
ANS:
MTU fragmentation:When a route carries data from one type of network to another, the largest
chunk of data that the network can carry, an MTU, can vary. When data moves from a medium
that supports a larger MTU to a medium that supports a smaller MTU, that data must be reduced
to smaller pieces to match the smaller of the two MTUs involved.
Addressing:This defines the mechanism whereby all network interfaces on a TCP/IP network must
be associated with specific, unique bit patterns that identify each interface individually, and also
identify the network (or even network locale) to which that interface belongs.
Routing:This defines the mechanism that forwards packets from sender to receiver, in which
numerous intermediate relays may be involved in achieving delivery from sender to receiver.
PTS: 1 REF: 18
6. What is the purpose of the following protocols: Internet Protocol, Internet Control Message
Protocol, and Address Resolution Protocol.
ANS:
Internet Protocol (IP): Routes packets from sender to receiver.
Internet Control Message Protocol (ICMP): Handles information about IP-based routing and
network behavior, especially as they relate to 搕raffic conditions? and errors.
Address Resolution Protocol (ARP): Address Resolution Protocol (ARP) converts between
numeric IP network addresses and Media Access Control (MAC) addresses on a specific cable
segment (always used for the final step of packet delivery).Routing:This defines the mechanism
that forwards packets from sender to receiver, in which numerous intermediate relays may be
involved in achieving delivery from sender to receiver.
PTS: 1 REF: 18
7. What is the difference between the Open Shortest Path First protocol and the Border Gateway
Protocol?
ANS:
Open Shortest Path First (OSPF): Defines a widely used, link-state routing protocol for local or
interior routing regions within local internetworks.
Border Gateway Protocol (BGP): Defines a widely used routing protocol that connects to
common Internet backbones, or other routing domains within the Internet where multiple parties
jointly share responsibility for managing traffic.
PTS: 1 REF: 19
8
8. Briefly discuss two elements that TCP/IP services depend on to operate.
ANS:
In UNIX terminology, a special 搇istener process,? called a daemon, operates on a server to handle
incoming user requests for specific services. On Windows Server 2008, a process called
INETINFO.EXE appears in the Task Manager抯 Processes tab whenever the Web server, IIS, or
FTP server is running.
Each TCP/IP service has an associated port address that uses a 16-bit number to identify a specific
process or service. Addresses in the range from 0 to 1024 are often called well-known port
addresses and associate a specific port address with a specific service.
PTS: 1 REF: 20
9. List five basic elements found on most protocol analyzers.
ANS:
The basic elements are:
Promiscuous mode card and driver
Packet filters
Trace buffer
Decodes
Alarms
Statistics
PTS: 1 REF: 25
10. Briefly describe three options for analyzing switched networks.
ANS:
Hubbing out: By placing a hub between a device of interest (such as a server) and the switch, and
connecting the analyzer to the hub, you can view all traffic to and from the server.
Port redirection: Many switches can be configured to redirect (actually, to copy) the packets
traveling through one port to another port. By placing your analyzer on the destination port, you
can listen in on all the conversations that cross the network through the port of interest.
Remote Monitoring (RMON): Uses Simple Network Management Protocol (SNMP) to collect
traffic data at a remote switch and send the data to a management device.
PTS: 1 REF: 29
1
Chapter 5: Internet Control Message Protocol
TRUE/FALSE
1. The value 0 in the IP header Protocol field denotes that an ICMP header follows the IP header.
ANS: F PTS: 1 REF: 256
2. ICMP packets contain only three required fields after the IP header: Type, Code, and Checksum.
ANS: T PTS: 1 REF: 257
3. Routers send ICMP Redirect messages to hosts to indicate that a preferable route exists.
ANS: T PTS: 1 REF: 270
4. Routers can use ICMP to provide a default gateway setting to a host (if the host requests
assistance).
ANS: T PTS: 1 REF: 298
5. With router advertising, the default Lifetime value for route entries is 10 minutes.
ANS: F PTS: 1 REF: 301
MULTIPLE CHOICE
1. For any network node to communicate and exchange data with another network node, some way
of forwarding packets from the sender to receiver must exist. This concept is called ____.
a. response time c. reachability
b. route tracing d. network congestion
ANS: C PTS: 1 REF: 254
2. ____ messages serve to keep hosts apprised of networking conditions and problems, and equipped
to use best paths around the network.
a. NTP c. ICMP
b. Path MTU d. GMT
ANS: C PTS: 1 REF: 254
3. The message type ____ supports functionality for reachability utilities like Ping and Tracert;
essential when installing, configuring, and troubleshooting IP networks.
a. ICMP Echo/Echo Reply c. ICMP Time Exceeded
b. ICMP Source Quench d. ICMP Destination Unreachable
ANS: A PTS: 1 REF: 255
4. The message type ____ documents when routing or delivery errors prevent IP datagrams from
reaching their destinations.
a. ICMP Echo/Echo Reply c. ICMP Time Exceeded
b. ICMP Source Quench d. ICMP Destination Unreachable
ANS: D PTS: 1 REF: 255
2
5. The message type ____ permits a gateway (router) on a nonoptimal route between sender and
receiver to redirect traffic to a more optimal path.
a. ICMP Echo/Echo Reply c. ICMP Redirect
b. ICMP Source Quench d. ICMP Destination Unreachable
ANS: C PTS: 1 REF: 255
6. The ICMP packet field____ provides error detection for the ICMP header only.
a. Checksum c. Host
b. Type d. Code
ANS: A PTS: 1 REF: 260
7. ICMP Type ____ is used for Echo Request packets.
a. 2 c. 6
b. 4 d. 8
ANS: D PTS: 1 REF: 264
8. A host or router can send the ____ error message to indicate that the protocol defined in the IP
header cannot be processed.
a. Code 2: Protocol Unreachable
b. Code 3:Port Unreachable
c. Code 4: Fragmentation Needed and Don抰 Fragment Was Set
d. Code 5: Source Route Failed
ANS: A PTS: 1 REF: 267
9. There are two versions of the ____ ICMP reply – the standard version that simply states the packet
had the Don抰 Fragment bit set when it reached a router that needed to fragment it, and the PMTU
version that includes information about the restricting link.
a. Code 2: Protocol Unreachable
b. Code 3:Port Unreachable
c. Code 4: Fragmentation Needed and Don抰 Fragment Was Set
d. Code 5: Source Route Failed
ANS: C PTS: 1 REF: 268
10. A router sends the ____ ICMP reply to indicate that the router cannot use the strict or loose source
routing path specified in the original packet.
a. Code 2: Protocol Unreachable
b. Code 3:Port Unreachable
c. Code 4: Fragmentation Needed and Don抰 Fragment Was Set
d. Code 5: Source Route Failed
ANS: D PTS: 1 REF: 268
11. A router or host may use ____ as a way to indicate that it is becoming congested or overloaded.
a. Checksum c. GMT
b. Source Quench d. PMTU
ANS: B PTS: 1 REF: 270
12. The ____ utility uses route tracing to identify a path from the sender to the target host.
a. gateway c. firewalking
b. Traceroute d. auto-recovery
ANS: B PTS: 1 REF: 293
3
13. Using ICMP ____ and some manipulation of the TTL value in the IP header, Traceroute results
provide a list of routers along a path, as well as the round-trip latency time to each router.
a. Echo Requests c. metrics
b. paths d. query messages
ANS: A PTS: 1 REF: 293
14. The ____ utility is a command-line utility that uses ICMP Echo packets to test router and link
latency, as well as packet loss.
a. NTP c. Path MTU
b. Pathping d. Traceroute
ANS: B PTS: 1 REF: 294
15. ____ defines a method for discovering a Path MTU (PMTU) using ICMP.
a. RFC 1191 c. RFC 1542
b. RFC 1241 d. RFC 1577
ANS: A PTS: 1 REF: 294
16. ____ enables a source to learn the currently supported MTU across an entire path, without
requiring fragmentation.
a. Firewalking c. Pathping
b. Traceroute d. PMTU Discovery
ANS: D PTS: 1 REF: 294-295
17. ____ typically learn about routes through manual configuration of the default gateway parameter
and redirection messages.
a. Packets c. Ports
b. Firewalls d. IP hosts
ANS: D PTS: 1 REF: 298
18. Although RFC ____ dictates that IP routers搈ust support the router part of the ICMP Router
Discovery protocol on all connected networks on which the router supports either IP multicast or
IP broadcast addressing,? many do not.
a. 1812 c. 1955
b. 1900 d. 1972
ANS: A PTS: 1 REF: 299
19. If configured to do so, routers periodically send unsolicited ICMP Router Advertisements to the
all-hosts multicast address ____.
a. 224.0.0.1 c. 224.255.0.1
b. 255.255.0.0 d. 255.224.0.1
ANS: A PTS: 1 REF: 301
20. Hackers can use ____ as part of a reconnaissance process to learn about active network addresses
and active processes.
a. availability c. auto recovery
b. ICMP d. presence
ANS: B PTS: 1 REF: 302
4
21. A(n) ____ process is one method of obtaining a list of the active hosts on a network.
a. ICMP query c. IP address scanning
b. query d. firewalking
ANS: C PTS: 1 REF: 303
COMPLETION
1. ICMP Type ____________________ is used for Echo Reply packets.
ANS:
0 zero
PTS: 1 REF: 264
2. Two of the most well-known utilities, Ping and Traceroute, rely on ICMP to perform connectivity
tests and ____________________.
ANS: path discovery
PTS: 1 REF: 291
3. The PMTU specification defined in RFC 1191 requires the PMTU host to try periodically a larger
MTU to see if the ____________________ has increased.
ANS: allowable data size
PTS: 1 REF: 297
4. An IP ____________________ is performed by sending a ping packet (ICMP Echo Request
packet) to each host within a range and noting the responses.
ANS: host probe
PTS: 1 REF: 303
5. ____________________ describes the concept of walking a firewall ACL or ruleset to determine
what it filters, and how.
ANS: Firewalking
PTS: 1 REF: 304
MATCHING
Match each item with a statement below.
a. Network congestion f. Black hole router
b. RFC 792 g. IPv6-AUTH
c. ICMP Source Quench h. Code 6: Destination Network Unknown
d. Ping i. RFC 1885
e. ICMP Echo Request
1. first published in 1981, defines the primary functions of, and blueprints for, ICMP messages to
this day
5
2. a form of ICMP Echo communication
3. manages authentication for ICMPv6 packet exchanges
4. occurs when network traffic starts to exceed handling capacities
5. silently discards packets without indicating any cause, thereby thwarting auto-recovery or
auto-reconfiguration attempts
6. this ICMP packet is obsolete
7. a connectionless process with no guarantee of delivery
8. original specification of ICMPv6
9. permits a gateway to instruct a sending host to adjust (lower) its sending rate to ease congestion
problems
1. ANS: B PTS: 1 REF: 256
2. ANS: D PTS: 1 REF: 291
3. ANS: G PTS: 1 REF: 304
4. ANS: A PTS: 1 REF: 254
5. ANS: F PTS: 1 REF: 298
6. ANS: H PTS: 1 REF: 269
7. ANS: E PTS: 1 REF: 292
8. ANS: I PTS: 1 REF: 276
9. ANS: C PTS: 1 REF: 255
SHORT ANSWER
1. What is the purpose of the following ICMP message types: ICMP Redirect, ICMP Time Exceeded,
and ICMP Parameter Problem?
ANS:
ICMP Redirect: Permits a gateway (router) on a nonoptimal route between sender and receiver to
redirect traffic to a more optimal path.
ICMP Time Exceeded: Indicates that an IP datagram抯 TTL, or a fragmented IP datagram抯
reassembly timer, has expired; can indicate either a too-short TTL, or the presence of a routing
loop on a network (which must be removed).
ICMP Parameter Problem: Indicates some error occurred while processing the IP header of an
incoming datagram, causing that datagram to be discarded; catchall for ambiguous or
miscellaneous errors, it indicates further investigation is required.
PTS: 1 REF: 255
6
2. According to RFC 792, what is the relationship between IP and ICMP?
ANS:
ICMP provides a mechanism for gateways (routers) or destination hosts to communicate with
source hosts.
ICMP messages take the form of specially formatted IP datagrams, with specific associated
message types and codes.
ICMP is a required element in some implementations of TCP/IP, most notably those TCP/IP
protocol stacks judged suitable for sale to the U.S. government, and ICMP is usually present to
provide an essential part of IP抯 support fabric.
ICMP reports errors only about processing of non-ICMP IP datagrams. To prevent an endless loop
of messages about error messages, ICMP conveys no messages about itself and provides
information only about the first fragment in any sequence of fragmented datagrams.
PTS: 1 REF: 256
3. What are the characteristics of the following packets: Windows 2008, Windows Vista, and
Windows 7 Ping?
ANS:
Windows Server 2008, Windows Vista, and Windows 7 ping packets contain the following
characteristics:
The Identifier field is set to 512 decimal (or 0x200).
On the first echo sent, the Sequence Number field value is set to a multiple of 512 decimal
(0x200). In each subsequent echo, this field is incremented by 256 decimal (02100).
The data field contains the value 揳bcdefghijklmnopqrstuvwabcdefghi.?
PTS: 1 REF: 265
4. Briefly define the following codes, currently assigned to the ICMP Destination Unreachable type
number: Code 2: Protocol Unreachable, Code 3:Port Unreachable, and Code 5: Source Route
Failed.
ANS:
Code 2: Protocol Unreachable: A host or router can send this error message to indicate that the
protocol defined in the IP header cannot be processed.
Code 3:Port Unreachable: A host or router can send this reply to indicate that the sender does not
support the process or application you are trying to reach.
Code 5: Source Route Failed: A router sends this ICMP reply to indicate that the router cannot
use the strict or loose source routing path specified in the original packet.
PTS: 1 REF: 267-268
7
5. Briefly describe the fields that are included in the ICMPv4 Router Advertisement packets (after
the ICMP Checksum field).
ANS:
The ICMP Router Advertisement packets include the following fields after the ICMP Checksum
field:
# of Addresses:The number of router addresses advertised in this packet.
Address Size: The number of four-byte increments used to define each router address advertised.
Because this version includes a four-byte Precedence field, as well as a four-byte IP Address field,
the Address Size value is 2 (2+2+4 bytes).
Lifetime:The maximum number of seconds that this router information may be considered valid.
Router Address 1: Sending router抯 local IP address.
Precedence Level 1: Preference value of each router address advertised. Higher values indicate
greater preferences. A higher precedence level may be configured at a router (if the router
supports the option) to ensure that one router is more likely to become the default gateway for
local hosts.
Router Address 2 and Precedence Level 2: If there are additional router values, they will follow
with their precedence levels.
PTS: 1 REF: 271-272
6. Briefly describe an ICMP redirect attack.
ANS:
ICMP can be used to manipulate traffic flow between hosts. An attacker can just as easily redirect
traffic to his machine and perform any number of man-in-the-middle style attacks, which usually
consist of trust-based service exploitation. At this point, the attacker is now able to perform many
forms of network-based attacks on the target machine, such as connection hijacking, denial of
service, and can potentially obtain login credentials by sniffing.
PTS: 1 REF: 303
7. Briefly describe an ICMP router discovery attack.
ANS:
During the discovery process, a router solicitation message finds its way to an attacker抯 machine.
Timing is critical, as the attacker must cleanly intercept the solicitation, stifle the original response
from the immediate router, or race back to the target host with a forged response before the router
does. The attacker spoofs a response back to the target host, indicating that his machine is actually
the immediate router in question, and not the actual router on the network segment. No
authentication is performed during this process, so the recipient has no way of knowing that this
response is bogus.
PTS: 1 REF: 303
8
8. How does inverse mapping determine live targets on a network?
ANS:
When a filtering device is detected between an attacker and his potential target, he can interrogate
the routing device in an unusual way – he intentionally sends packets to vacant network addresses.
Upon receipt of a packet destined for a non existent host, the intermediary router will gladly pass
it on anyway (ICMP being a stateless protocol, the router knows no better). Once that packet
reaches an internal router,however,one more knowledgeable in the valid and available network
addresses, it will promptly reply with a Host Unreachable message for every bogus entry
requested. The attacker then may logically deduce which addresses correspond to a live target.
PTS: 1 REF: 303
9. What is firewalking?
ANS:
This is a two-phase attack method, involving an initial TRACEROUTE to discover hop count to a
firewall appliance.Once this filtering device is identified by the TRACEROUTE,a second wave of
attack follows, and this one consists of sending a packet with a TTL of one greater than the final
hop count (between attacker and firewall). The goal is to elicit a Time Exceeded response from
beyond the firewall, indicating a live and responsive target.
PTS: 1 REF: 304
10. Describe some of the security issues for ICMPv6.
ANS:
ICMPv6 has built-in security features that are designed to prevent attacks sent from another
network segment. These features include the value in the Hop Limit field being set at 255. Also,
the source address of ICMPv6 packets must be either link-local or unspecified (::/128) for all
Router Advertisement and Neighbor Solicitation messages. However, no mechanism is currently
specified that would prevent an attacker on the local network from exploiting ICMPv6 to
compromise the network.
Authentication for ICMPv6 packet exchanges is managed using the IP Authentication Header
(IPv6-AUTH) or the IP Encapsulating Security Payload Header (IPv6-ESP). IPv6-ESP also
provides confidentiality for these exchanges.
ICMPv6 is protected by IPsec, but this presents a security bootstrap problem because IPsec is not
available when a computer is at this state.
PTS: 1 REF: 304
