Читаем CISSP Practice полностью

c. Ethernet

d. WAN

249. c. Connectionless data communications does not require that a connection be established before data can be sent or exchanged. X.25, TCP, and WAN are examples of connection-oriented data communications that requires that a connection first be established.

250. Which of the following protocols provides cellular/mobile wireless security?

a. WSP

b. WTP

c. WTLS

d. WDP

250. c. Wireless transport layer security (WTLS) is a communications protocol that enables cellular/mobile phones to send and receive encrypted information over the Internet, thus providing wireless security. Wireless session protocol (WSP), wireless transaction protocol (WTP), WTLS, and wireless datagram protocol (WDP) are part of wireless access protocol (WAP). WAP is an Internet protocol that defines the way in which cell phones and similar devices can access the Internet.

251. In border gateway protocol (BGP), prefix filters help to limit the damage to the routes in which of the following ways?

a. The egress filters of an autonomous system (AS) is matched with the ingress filters of BGP peers.

b. The ingress filters of BGP peers is matched with the ingress filters of an autonomous system (AS).

c. The ingress filters of an autonomous system (AS) is matched with the ingress filters of BGP peers.

d. The egress filters of BGP peers is matched with egress filters of an autonomous system (AS).

251. a. Normally, border gateway protocol (BGP) peers should have matching prefix filters with the autonomous system (AS). This means, the egress filters of an AS should be matched by the ingress filters of BGP peers with which it communicates. This matching approach helps to reduce the risk from attackers that seek to inject false routes by pretending to send updates from the AS to its peers. Attackers can of course still send faulty routes, but filtering limits the damage to these routes.

252. Which of the following border gateway protocol (BGP) attacks does not use Time To Live (TTL) hack as a countermeasure?

a. Peer spoofing and TCP resets

b. Denial-of-service via resource exhaustion

c. Route flapping

d. Session hijacking

252. c. Because border gateway protocol (BGP) runs on transmission control protocol/Internet protocol (TCP/IP), any TCP/IP attack can be applied to BGP. Route flapping is a situation in which BGP sessions are repeatedly dropped and restarted, normally as a result of router problems. Examples of countermeasures for route flapping attacks include graceful restart and BGP route-flap damping method, not TTL hack.

Route-flap damping is a method of reducing route flaps by implementing an algorithm that ignores the router sending flapping updates for a configurable period of time. Each time a flapping event occurs, peer routers add a penalty value to a total for the flapping router. As time passes, the penalty value decays gradually; if no further flaps are seen, it reaches a reuse threshold, at which time the peer resumes receiving routes from the previously flapping router.

The other three choices use TTL hack. The Time To Live (TTL) or hop count is an 8-bit field in each IP packet that prevents packets from circulating endlessly in the Internet. TTL is based on the generalized TTL security mechanism (RFC 3682), often referred to as the TTL hack, which is a simple but effective defense that takes advantage of TTL processing. At each network node, the TTL is decremented by one and is discarded when it is reduced to zero without reaching its destination point.

In peer spoofing attack, the goal is to insert false information into a BGP peer’s routing tables. A special case of peer spoofing, called a reset attack, involves inserting TCP RESET messages into an ongoing session between two BGP peers. Examples of countermeasures against peer spoofing and TCP resets include using strong sequence number randomization and TTL hack.

In a denial-of-service attack via resource exhaustion, routers use a large amount of storage for path prefixes. These resources are exhausted if updates are received too rapidly or if there are too many path prefixes to store due to malicious prefixes. Examples of countermeasures against denial-of-service via resource exhaustion attacks include using rate limit synchronization processing, increasing queue length, route filtering, and TTL hack.