Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port?
Correct Answer: B
Explanation/Reference:
Explanation:
In this question, a land attack has been detected by the IDS. A reasonable response from the IDS would be to record selected information about the packets and drop the packets.
Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.
An example of a signature is a packet that has the same source and destination IP address. All packets should have a different source and destination IP address, and if they have the same address, this means a Land attack is under way. In a Land attack, a hacker modifies the packet header so that when a receiving system responds to the sender, it is responding to its own address. Now that seems as though it should be benign enough, but vulnerable systems just do not have the programming code to know what to do in this situation, so they freeze or reboot.
Incorrect Answers:
A: A land attack is an old and well known attack so the IDS would know what it is. Knowing the packets are an attack, the IDS should not allow the packet to be processed by the network.
C: When the IP source address and port is the same as the destination IP address and port, this is a land attack. It is not necessary to resolve the IP address and the packets should not be processed.
D: When the IP source address and port is the same as the destination IP address and port, this is a land attack. The source address should not be translated and the packet should not be resent.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 257
http://searchsecurity.techtarget.com/answer/What-is-a-land-attack
http://www.symantec.com/connect/articles/understanding-ids-active-response-mechanisms
http://www.sans.org/security-resources/idfaq/active.php