CS 6250 Quiz 9 Exam (All Quizzes) | Georgia Institute of
Technology | Latest 2026/2027 Verified Questions and
Answers
2026/2027 | GRADED A+ | 100 out of 100
Question:
Client PCs typically obtain their subnet mask information from _____.
Answer
DHCP
Question:
Subnetting is _____.
Answer
a way of breaking down large blocks of IP addresses into smaller address blocks
Question:
An organization with a class B network address uses 8 bits for the subnet ID. Each subnet in this organization can have
_____ hosts.
Answer
254 (16 - 8 = 8 host bits; 2^8 - 2 = 254 once the network and broadcast addresses are removed)
Question:
An organization with a class B network address has 200 subnets. Each subnet in this organization can have at most
_____ hosts.
Answer
254 (200 subnets need 8 subnet bits, since 2^8 = 256 >= 200; that leaves 8 host bits, 2^8 - 2 = 254)
Question:
Subnetting is most useful for _____.
Answer
network administration
Question:
The number of subnets in the organization is best determined by _____.
Answer
the structure of the organization
Question:
Subnetting offers all of the following benefits except _____.
Answer
it helps DNS operation
Question:
If an organization has a subnet mask of 255.255.252.0, each subnet in the organization can have at most _____ hosts.
Answer
1,022 (255.255.252.0 is a /22, leaving 10 host bits: 2^10 - 2 = 1,022)
Question:
When the subnet mask 255.255.254.0 is applied to the IP address 192.168.151.45, the result is _____.
Answer
192.168.150.0 (third octet: 151 = 10010111, AND 254 = 11111110, gives 10010110 = 150; the mask zeroes the fourth octet entirely)
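The subnetting questions above all reduce to a few bit operations. The following is an added example (not course material) that carries them out with Python's standard ipaddress module; the helper names are my own. It also shows the reason a client needs the mask from DHCP at all: deciding whether a destination is on the same subnet or must go via the default gateway.

```python
import ipaddress

CLASS_B_HOST_BITS = 16   # a class B address has a 16-bit network part, leaving 16 bits for subnet + host


def subnet_bits_needed(num_subnets: int) -> int:
    """Smallest number of subnet-ID bits that yields at least num_subnets subnets."""
    bits = 0
    while (1 << bits) < num_subnets:
        bits += 1
    return bits


def class_b_hosts_per_subnet(subnet_bits: int) -> int:
    """Usable hosts per subnet after borrowing subnet_bits from the 16 class B host bits.
    The all-zeros (network) and all-ones (broadcast) addresses are never assignable."""
    host_bits = CLASS_B_HOST_BITS - subnet_bits
    return (1 << host_bits) - 2


def hosts_for_mask(mask: str) -> int:
    """Usable hosts for a dotted-decimal mask, e.g. 255.255.252.0 (/22) -> 1022."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return net.num_addresses - 2


def network_address(ip: str, mask: str) -> str:
    """Network address = ip AND mask; this is the computation a client performs with the mask it got from DHCP."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).network_address)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses fall in the same subnet under mask, i.e. the client can deliver
    directly on the link instead of handing the packet to its default gateway."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


if __name__ == "__main__":
    print(subnet_bits_needed(200), class_b_hosts_per_subnet(8))           # 8 254
    print(hosts_for_mask("255.255.252.0"))                                  # 1022
    print(network_address("192.168.151.45", "255.255.254.0"))               # 192.168.150.0
    print(same_subnet("192.168.151.45", "192.168.150.9", "255.255.254.0"))  # True
```

Run it directly to see the four quiz answers reproduced; a wrong or missing mask on a client shows up as same_subnet returning False for a neighbour on the same wire, which is why such hosts can still reach the Internet but not the printer next to them.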
Question:
What are the properties of secure communication?
Answer
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
Question:
How does Round Robin DNS (RRDNS) work?
Answer
This method is used by large websites to distribute the load of incoming requests to several servers at a single physical
location. It responds to a DNS request with a list of DNS A records, which it then cycles through in a round-robin
manner. The DNS client can then choose a record using different strategies - choose the first record each time, use the
closest record in terms of network proximity, etc.
Question:
How does DNS-based content delivery work?
Answer
Content Distribution Networks (CDNs) also use DNS-based techniques to distribute content but use more complex
strategies. For example, CDNs distribute the load amongst multiple servers at a single location but also distribute
these servers across the world. When accessing the name of the service using DNS, the CDN computes the 'nearest
edge server' and returns its IP address to the DNS client. It uses sophisticated techniques based on network topology
and current link characteristics to determine the nearest server. This results in the content being moved 'closer' to the
DNS client, which increases responsiveness and availability.
Question:
How do Fast-Flux Service Networks work?
Answer
Fast-Flux Service Networks (FFSN) are an extension of the ideas behind RRDNS and CDN. As its name suggests, it is
based on a 'rapid' change in DNS answers, with a TTL lower than that of RRDNS and CDN. One key difference
between FFSN and the other methods is that after the TTL expires, the name resolves to a different set of A records, drawn
from a larger pool of compromised machines. These compromised machines act as proxies between the incoming request and
the control node (mothership), forming a resilient, robust, one-hop overlay network.
Question:
What are the main data sources used by FIRE (FInding Rogue nEtworks) to identify hosts that likely belong to rogue
networks?
Answer
1. Botnet command and control providers
2. Drive-by-download hosting providers
3. Phish hosting providers
Question:
The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a
network. Describe 2 phases of this system.
Answer
1. Training phase - The system learns control-plane behavior typical of both types of ASes. The system is given a list of
known malicious and legitimate ASes. It then tracks the behavior of these ASes over time to track their business
relationships with other ASes and their BGP update and withdrawal patterns. ASwatch then computes the statistical
features of each AS.
2. Operational phase - Given an unknown AS, it then calculates the features for this AS. It then uses the model to
assign a reputation score to the AS. If the system assigns the AS a low reputation score for several days in a row
(indicating consistent suspicious behavior), it identifies it as malicious.
Question:
What are three classes of features used to determine the likelihood of a security breach within an organization?
Answer
1. Mismanagement symptoms
2. Malicious activities
3. Security incident reports
Question:
(BGP hijacking) What is the classification by affected prefix?
Answer
In this class of hijacking attacks, we are primarily concerned with the IP prefixes that are advertised by BGP. There are
different ways the prefix can be targeted, such as:
- Exact prefix hijacking
- Sub-prefix hijacking
- Squatting
Question:
(BGP hijacking) What is the classification by AS-Path announcement?
Answer
In this class of attacks, an illegitimate AS announces the AS-path for a prefix for which it doesn't have ownership
rights. There are different ways this can be achieved:
- Type-0 - This is simply an AS announcing a prefix not owned by itself.
- Type-N - This is an attack where the counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake link (path) between different ASes.
- Type-U - In this attack the hijacking AS does not modify the AS-PATH but may change the prefix.
Question:
(BGP hijacking) What is the classification by data plane traffic manipulation?
Answer
In this class of attacks, the intention of the attacker is to hijack the network traffic and manipulate the redirected
network traffic on its way to the receiving AS. There are three ways the attack can be realized under this classification,
i.e. traffic intercepted by the hijacker can be:
- Dropped
- Eavesdropped or manipulated
- Impersonated
Question:
What are the causes or motivations behind BGP attacks?
Answer
1. Human error
2. Targeted attack
3. High impact attack
Question:
Explain the scenario of prefix hijacking.
Answer
A malicious AS advertises a prefix it does not own. Peer and customer routers that see a shorter AS path through the
malicious AS than through the real owner switch their route for the prefix to the malicious AS.
Question:
Explain the scenario of hijacking a path.
Answer
Malicious autonomous system receives a path and alters it, placing itself as the best path to reach a specific
autonomous system / prefix. This path will likely be shorter than the original, causing other ASes to use the new
hijacked path.
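The two scenarios above (and their repeat later on this page) both come down to how a router picks among competing announcements: longest matching prefix first, then shortest AS path. The following is an added example, not part of the course material, that models that reduced decision process from one observer AS's point of view and runs the exact-prefix, sub-prefix and AS-path (Type-N, here N = 1) hijacks against a constructed topology. AS numbers, prefixes and the Route type are my own assumptions; local-preference and MED are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple   # leftmost = neighbour we learned it from, rightmost = origin AS


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def best_route(rib, dst_ip: str):
    """Reduced BGP decision process: the longest matching prefix wins, then the shortest
    AS path; remaining ties are broken by comparing the path tuples."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in rib if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path), r.as_path))


# Constructed topology: AS1 owns 10.10.0.0/16; the observer normally reaches it via 3 -> 2 -> 9 -> 1.
OWNER_AS = 1
HIJACKER_AS = 666
LEGIT = Route(net("10.10.0.0/16"), (3, 2, 9, OWNER_AS))


def chosen_for(extra_routes, dst_ip="10.10.1.7"):
    """(prefix, as_path) the observer selects for dst_ip given the legitimate route plus extras."""
    r = best_route([LEGIT] + list(extra_routes), dst_ip)
    return str(r.prefix), r.as_path


def exact_prefix_hijack():
    # Same /16 as the owner; the observer's path to AS666 is shorter, so it wins on path length.
    return chosen_for([Route(net("10.10.0.0/16"), (4, HIJACKER_AS))])


def sub_prefix_hijack():
    # A /24 inside the owner's /16 wins on longest-prefix match even through a much longer path.
    return chosen_for([Route(net("10.10.1.0/24"), (5, 4, 3, 7, HIJACKER_AS))])


def type_n_path_hijack():
    # AS-path hijack: AS666 keeps AS1 as origin but fabricates the link 666-1 (Type-N with N = 1).
    return chosen_for([Route(net("10.10.0.0/16"), (4, HIJACKER_AS, OWNER_AS))])


def origin_is_owner(as_path) -> bool:
    """The naive check 'does the path end in the real owner?'. It catches Type-0 hijacks only."""
    return as_path[-1] == OWNER_AS


if __name__ == "__main__":
    print("baseline     ", chosen_for([]))
    print("exact prefix ", exact_prefix_hijack())
    print("sub-prefix   ", sub_prefix_hijack())
    print("type-N path  ", type_n_path_hijack(), "origin looks legitimate:",
          origin_is_owner(type_n_path_hijack()[1]))
```

The last line is the point a defender should take away: a path hijack passes an origin-only check, which is why ARTEMIS compares the neighbour of the origin against the operator's configuration rather than only the origin AS.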
Question:
What are the key ideas behind ARTEMIS?
Answer
1. A configuration file: where all the prefixes owned by the network are listed here for reference. This configuration file
is populated by the network operator.
2. A mechanism for receiving BGP updates: this allows receiving updates from local routers and monitoring services.
This is built into the system.
Question:
What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?
Answer
1. Prefix deaggregation - announcing more specific prefixes than the hijacked one(s), so that longest-prefix matching
favours the legitimate announcement again
2. Mitigation with Multiple Origin AS (MOAS) - third-party providers also announce the hijacked prefixes, attract the
traffic, and tunnel it back to the legitimate AS
Question:
What are two findings from ARTEMIS?
Answer
1. Outsourcing BGP announcements to third parties: even a single external organization announcing the prefixes on the
victim's behalf is highly effective at mitigating a hijack.
2. Outsourced announcements vs. prefix filtering: compared with prefix filtering, which is the current standard
defense mechanism, outsourced BGP announcements were found to be the more effective mitigation.
Question:
Explain the structure of a DDoS attack.
Answer
A Distributed Denial of Service (DDoS) attack is an attempt to overwhelm a server or network resource with a flood of
traffic. To achieve this, the attacker first compromises a set of machines and deploys flooding servers (slaves) on them.
Later, when initiating an attack, the attacker instructs these flooding servers to send a high volume of traffic to the
victim. The victim host either becomes unreachable or has its bandwidth exhausted.
Question:
What is spoofing, and how is it related to a DDoS attack?
Answer
IP spoofing is the act of placing a false address in the source field of a packet so that it appears to come from
another host. In DDoS attacks, this takes two forms.
In the first form, the source IP address is set to another host's address, so the server's responses go to that host
instead of to the attacker's machine. This wastes network and host resources at the spoofed party while also denying
service to legitimate users.
In the second form, the attacker sets the same IP address in both the source and destination fields. The server then
sends its replies to itself, which can cause it to crash.
Question:
Describe a Reflection and Amplification attack.
Answer
In a reflection attack, the attacker uses a set of reflectors to hit the victim. A reflector is any server that sends a
response to a request. The master directs the slaves to send spoofed requests to a very large number of reflectors,
typically on the order of a million. The slaves set the source address of the packets to the victim's IP address, so the
reflectors' responses are delivered to the victim.
If the requests are chosen so that the reflectors return responses much larger than the requests, it is a reflection
and amplification attack: every byte the slaves send is multiplied before it reaches the victim.
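From the victim's side, a reflection attack has a distinctive data-plane shape: responses from many distinct servers' well-known UDP service ports, none of which the victim ever queried, converging on one address. The following is an added example (not from the course) of that detection logic run over constructed flow records, plus the amplification-factor arithmetic; the thresholds, port list and record format are my own assumptions.

```python
from collections import defaultdict

# UDP services that answer any source address and can return far more bytes than they receive.
REFLECTOR_SERVICES = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 11211: "memcached"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the slave had to send to the reflector."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=20, min_bytes=100_000):
    """Scan data-plane flow records {src, sport, dst, dport, proto, bytes} for the signature
    of a reflection attack: responses from many distinct servers' well-known UDP service
    ports converging on one destination. Thresholds are illustrative assumptions."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_SERVICES:
            continue
        entry = per_dst[f["dst"]]
        entry["reflectors"].add(f["src"])
        entry["bytes"] += f["bytes"]
        entry["services"].add(REFLECTOR_SERVICES[f["sport"]])
    alerts = {}
    for dst, e in per_dst.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts[dst] = {"reflectors": len(e["reflectors"]), "bytes": e["bytes"],
                           "services": sorted(e["services"])}
    return alerts


def sample_flows():
    """Constructed records: one resolver answering a real client (benign), plus 50 open
    resolvers each returning a 3,000-byte answer to a victim that never sent a query."""
    flows = [{"src": "198.51.100.53", "sport": 53, "dst": "192.0.2.10", "dport": 41000,
              "proto": "udp", "bytes": 120}]
    for i in range(50):
        flows.append({"src": f"10.0.{i}.1", "sport": 53, "dst": "203.0.113.10",
                      "dport": 40000 + i, "proto": "udp", "bytes": 3000})
    return flows


if __name__ == "__main__":
    print("amplification of a 64-byte query with a 3000-byte answer:", amplification_factor(64, 3000))
    print(find_reflection_victims(sample_flows()))
```

The benign exchange never trips the detector because a single source answered it; the victim is flagged by reflector count and volume, and the services set tells the operator which reflector class (here DNS) to rate-limit or scrub first.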
Question:
What are the defenses against DDoS attacks?
Answer
- Traffic scrubbing services
- ACL filters
- BGP Flowspec
Question:
Explain provider-based blackholing.
Answer
With this mechanism, all traffic to the attacked destination is dropped (null-routed). The premise of this approach is
that the traffic is stopped closer to the source of the attack, before it reaches the victim. The victim AS uses BGP to
announce the attacked destination prefix to its upstream provider AS, which then drops traffic towards that prefix: the
provider (or the IXP) re-advertises the more specific prefix with a next-hop pointing at a null interface, so the attack
traffic is discarded there. The blackhole announcements are tagged with a specific BGP blackhole community attribute,
usually published by the provider, to distinguish them from regular routing updates.
Question:
Explain IXP blackholing.
Answer
The same idea applied at an Internet exchange: the attacked AS, as an IXP member connected to the route server, sends
the blackholing announcement to the route server. The route server propagates it to all connected IXP member ASes,
which then drop traffic towards the blackholed prefix. The null interface to which the traffic is sent is specified by
the IXP.
Question:
What is one of the major drawbacks of BGP blackholing?
Answer
One of the major drawbacks of BGP blackholing is that the destination under attack becomes unreachable since all the
traffic including the legitimate traffic is dropped.
What are the properties of secure communication?
Confidentiality
Integrity
Authentication
Availability
Round Robin DNS
Each time the DNS server is queried it rotates its list of A records: the address it most recently answered with moves to
the back of the queue, so successive clients are handed different addresses in a loop.
Used by large websites to distribute the load of incoming requests
(larger TTL)
DNS-based content delivery
When accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP
address to the DNS client. It determines the nearest server, which results in the content being moved 'closer' to the
DNS client which increases responsiveness and availability.
(lower TTL)
Fast-Flux Service Networks
Based on a rapid change in DNS answers: after each (very short) TTL expires, the name resolves to a different set of A
records drawn from a large pool of compromised machines that proxy to the attacker's control node. Attackers use it to
keep scam and malware content reachable even as individual hosting IPs are blacklisted or cleaned up.
(lowest TTL)
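The three DNS behaviours above (and their longer descriptions earlier on this page) differ in what repeated lookups of one name return: the same pool in a rotating order, a bounded pool of edge servers, or a stream of never-seen addresses behind a tiny TTL. The following is an added example (not from the course) of a classifier built only on those two signals; the thresholds and the answer sequences are constructed assumptions. Real fast-flux detectors also look at how many different ASes the answers span, which this toy omits.

```python
def classify_dns_behaviour(lookups, growth_threshold=0.5, flux_ttl_max=300):
    """lookups: successive answers for one name, each query issued after the previous TTL
    expired, as a list of (ttl_seconds, [A records]). Returns the label plus the figures it
    was based on. The thresholds are assumptions, not values from the lectures."""
    first = set(lookups[0][1])
    seen = set(first)
    new_ips = answers_after_first = 0
    for _, answers in lookups[1:]:
        s = set(answers)
        new_ips += len(s - seen)          # addresses never returned before this lookup
        answers_after_first += len(s)
        seen |= s
    avg_ttl = sum(ttl for ttl, _ in lookups) / len(lookups)
    growth = new_ips / answers_after_first if answers_after_first else 0.0
    if all(set(a) == first for _, a in lookups):
        label = "rrdns"          # same pool every time, only the order changes
    elif growth >= growth_threshold and avg_ttl <= flux_ttl_max:
        label = "fast-flux"      # each expiry brings mostly never-seen addresses
    else:
        label = "cdn"            # answers vary, but from a bounded pool of edge servers
    return {"label": label, "distinct_ips": len(seen), "avg_ttl": avg_ttl, "growth": growth}


# Constructed answer sequences, four queries each.
RRDNS_LOOKUPS = [(3600, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
                 (3600, ["192.0.2.2", "192.0.2.3", "192.0.2.1"]),
                 (3600, ["192.0.2.3", "192.0.2.1", "192.0.2.2"]),
                 (3600, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])]
CDN_LOOKUPS = [(60, ["198.51.100.1", "198.51.100.2"]),
               (60, ["198.51.100.2", "198.51.100.3"]),
               (60, ["198.51.100.1", "198.51.100.3"]),
               (60, ["198.51.100.3", "198.51.100.4"])]
# Five fresh bot addresses per query: a flux pool that never repeats within the sample.
FFSN_LOOKUPS = [(180, [f"10.{q}.{h}.1" for h in range(5)]) for q in range(4)]

if __name__ == "__main__":
    for name, seq in (("rrdns", RRDNS_LOOKUPS), ("cdn", CDN_LOOKUPS), ("ffsn", FFSN_LOOKUPS)):
        print(name, classify_dns_behaviour(seq))
```

The growth ratio is what separates a CDN from a flux network: a CDN recycles a fixed set of edges, so new addresses stop appearing after a few lookups, while a flux network keeps producing ones the resolver has never seen.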
What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue
nEtworks system)?
1. Botnet command and control providers:
2. Drive-by-download hosting providers: a drive-by download is malware installation without user interaction. It
occurs when the victim visits a web page that contains an exploit for the browser
3. Phish hosting providers: this data source contains URLs of servers that host phishing pages
Key difference between rogue and legitimate networks
Legitimate networks are usually able to remove the malicious content within a few days whereas rogue networks may
let the content be up for weeks to more than a year!
ASWatch
uses information exclusively from the control plane (ie. routing behavior) to identify malicious networks. Based on
monitoring global BGP routing activity to learn the control plane behavior of a network.
Phase 1 of ASWatch: Training phase
ASwatch learns the control-plane behavior of a normal AS and a malicious one and learns to differentiate between
them
Phase 2 of ASWatch: Operational Phase
ASwatch takes an unknown AS and calculates the features for it, assigning it a reputation score.
What are the 3 classes of control-plane features ASwatch uses to compute an AS's reputation?
1) Rewiring activity - changes in the AS connecting activity, multiple changes in providers / customers looks suspicious
2) IP Space Fragmentation and Churn - inspects advertised prefixes of an autonomous system. Malicious ASes are
likely to use small BGP prefixes to partition their IP address space and only exposes a small section of them
3) BGP Routing Dynamics - tracks announcements and withdrawals, which usually follow different patterns for
malicious ASes
What are 3 classes of features used to determine the likelihood of a security breach within an organization? (fed to a Random Forest classifier)
1. Mismanagement Symptoms
2. Malicious Activities
3. Security Incident Reports
3 groups of BGP Hijacking Attacks
1. Classification by Affected Prefix
2. Classification by AS-Path announcement
3. Classification by Data-Plane traffic manipulation
1. Classification by Affected Prefix
we are primarily concerned with the IP prefixes that are advertised by BGP
1A. Exact prefix hijacking
When two different ASes (one is genuine and the other one is counterfeit) announce a path for the same prefix. This
disrupts routing in such a way that traffic is routed towards the hijacker wherever the AS-path route is shortest,
thereby disrupting traffic.
1B. Sub-prefix hijacking
the hijacking AS announces a sub-prefix of the genuine prefix of the real AS. This exploits BGP's preference for more
specific prefixes (longest-prefix match), so most or all of the traffic for that sub-prefix is routed to the hijacking AS.
1C. Squatting
In this type of attack, the hijacking AS announces a prefix that has not yet been announced by the owner AS.
2. Classification by AS-Path announcement
An illegitimate autonomous system announces the AS path for a prefix for which it doesn't have ownership rights.
2A. Type-0 hijacking
This is simply an AS announcing a prefix not owned by itself.
2B. Type-N hijacking:
counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake link (path) between
different ASes.
2C. Type-U hijacking
In this attack the hijacking AS does not modify the AS-PATH but may change the prefix.
3. Classification by Data-Plane traffic manipulation
In this classification of attacks, the attacker attempts to hijack the network traffic and manipulate the redirected
network traffic on its way to the receiving AS
3A. Dropped (blackholing)
The traffic intercepted by the hijacker can be Dropped, so that it never reaches the intended destination
3B. Man-in-the-middle
The traffic intercepted by the hijacker can be Eavesdropped or manipulated before it reaches the receiving AS
3C. Impersonation
The traffic intercepted by the hijacker can be Impersonated, e.g. In this case the network traffic of the victim AS is
impersonated and the response to this network traffic is sent back to the sender.
What are the causes or motivations behind BGP attacks?
1) Human error - misconfiguration / accidents
2) Targeted attack - intentional interception of network traffic (man-in-the-middle) (stealthy)
3) High impact attack - obvious attempt to cause widespread disruption
Explain the scenario of prefix hijacking
A malicious AS advertises a prefix it does not own. Peer and customer routers that see a shorter AS path through the
malicious AS than through the real owner switch their route for the prefix to the malicious AS.
Explain the scenario of hijacking a path.
Malicious autonomous system receives a path and alters it, placing itself as the best path to reach a specific
autonomous system / prefix. This path will likely be shorter than the original, causing other ASes to use the new
hijacked path.
ARTEMIS
a system that is run locally by network operators to safeguard its own prefixes against malicious BGP hijacking
attempts.
2 key ideas behind Artemis
A configuration file where all prefixes owned by the network are listed for reference.
A mechanism for receiving BGP updates, allows the system to receive updates from local routers and monitoring
services
What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?
1) Prefix deaggregation - announcing more specific prefixes in order to mitigate prefix hijacking
2) Mitigation with multiple origin AS (MOAS) - third party organizations and service providers do BGP
announcements for a given network
What are two findings from ARTEMIS?
1. Outsourcing the task of BGP announcements to third parties is highly effective
2. Prefix filtering is less effective than outsourced BGP announcements
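ARTEMIS's two key ideas, a configuration file of owned prefixes and a feed of BGP updates, combine into a comparison that labels each update with the prefix and AS-path classes listed earlier on this page, and its first automated mitigation is deaggregation. The following is an added example (not ARTEMIS's own code) of that comparison and of the deaggregation step for the two ARTEMIS passages on this page. The configuration values, AS numbers and the /24 announcement limit are assumptions; the limit reflects the common practice of filtering prefixes longer than /24, which is why deaggregation cannot rescue a hijacked /24 and MOAS/outsourcing is needed instead.

```python
import ipaddress

# Operator-populated configuration: the prefixes we own, the AS that originates each, and the
# neighbours that origin legitimately announces through. Constructed values.
CONFIG = {
    ipaddress.ip_network("10.10.0.0/16"): {"origin": 1, "neighbors": {9}},
}


def classify_update(prefix: str, as_path: tuple):
    """Compare one BGP update (prefix, AS path with the origin last) against CONFIG.
    Returns None when the update is consistent with our own announcements, otherwise a
    label. Only the origin's first hop is checked, i.e. Type-N for N = 1."""
    p = ipaddress.ip_network(prefix)
    for owned, cfg in CONFIG.items():
        if p == owned:
            scope = "exact-prefix"
        elif p.subnet_of(owned):
            scope = "sub-prefix"
        else:
            continue
        origin = as_path[-1]
        if origin != cfg["origin"]:
            return f"{scope} hijack, Type-0 (origin AS {origin} is not ours)"
        if len(as_path) >= 2 and as_path[-2] not in cfg["neighbors"]:
            return f"{scope} hijack, Type-1 (fake link {as_path[-2]}-{origin})"
        if scope == "sub-prefix":
            return "sub-prefix hijack, Type-U (our path, but a prefix we do not announce)"
        return None
    return None   # not our address space, so outside this operator's instance


def scan(updates):
    """Run classify_update over a batch of (prefix, as_path) updates; keep only the alerts."""
    alerts = []
    for prefix, as_path in updates:
        label = classify_update(prefix, as_path)
        if label:
            alerts.append((prefix, as_path, label))
    return alerts


def deaggregate(prefix: str, max_prefixlen: int = 24):
    """Mitigation 1: announce the two more-specific halves so longest-prefix match favours us.
    Returns [] when the halves would exceed max_prefixlen (assumed to be filtered by most
    networks), signalling that the MOAS/outsourcing mitigation is required instead."""
    p = ipaddress.ip_network(prefix)
    if p.prefixlen + 1 > max_prefixlen:
        return []
    return [str(s) for s in p.subnets(prefixlen_diff=1)]


# Constructed update feed: one legitimate announcement and four hijack variants.
UPDATES = [
    ("10.10.0.0/16", (3, 2, 9, 1)),
    ("10.10.0.0/16", (4, 666)),
    ("10.10.1.0/24", (5, 4, 666)),
    ("10.10.0.0/16", (4, 666, 1)),
    ("10.10.1.0/24", (3, 2, 9, 1)),
    ("10.20.0.0/16", (4, 666)),
]

if __name__ == "__main__":
    for alert in scan(UPDATES):
        print(*alert)
    print("deaggregate /16:", deaggregate("10.10.0.0/16"))
    print("deaggregate /24:", deaggregate("10.10.1.0/24"))
```

Note that the Type-U case is only detectable because the configuration lists what the operator actually announces: the path is genuine, so nothing about the update itself is wrong, and only the missing sub-prefix in the configuration gives it away.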
Explain the structure of a DDoS attack.
An attempt to overwhelm a server or network resource with a flood of traffic
The attacker compromises and deploys flooding servers (slaves) that send high volumes of traffic to a victim
What is spoofing, and how is it related to a DDoS attack?
Setting a false source IP address in a packet to impersonate another host. One form uses it to make a server flood a
target with unsolicited responses to spoofed requests. The other sets the spoofed address in both the source and
destination fields, causing the server to send its responses to itself.
Describe a Reflection and Amplification attack.
A reflection attack sends many spoofed requests, with the victim's address as source, to servers (reflectors) that then
answer the victim on the attacker's behalf. When the chosen requests produce responses far larger than the requests, it
is also an amplification attack.
What are the defenses against DDoS attacks?
1) Traffic Scrubbing Services - diverts the incoming traffic to a specialized server, where the traffic is "scrubbed"
2) Access Control List filters - filter out unwanted traffic
3) BGP Flowspec - mitigate DDoS attacks by supporting the deployment of fine-grained filters across AS domain
borders
Explain provider-based blackholing.
A customer autonomous system announces a blackholing message to its provider carrying the IP address (typically a /32)
of the DDoS victim. The announcement usually carries a special blackhole community value; the provider then null-routes
all traffic towards the affected prefix.
Explain IXP blackholing.
Same as the above, but at exchange scale: the IXP's route server handles the blackholing and advertises the null
next-hop to the other ASes peered at the IXP.
What is one of the major drawbacks of BGP blackholing?
The destination under attack becomes unreachable.
The mitigation technique is also ineffective if peer autonomous systems neglect / don't respect BGP Blackholing
request.
Determine which property of secure communication is primarily violated in the event that a third party pretends to be
another entity on the network.
Confidentiality
Integrity
Authentication
Availability
Authentication
Determine which property of secure communication is primarily violated in the event that Trudy is able to access (but
not modify) the contents of a message between Alice and Bob.
Confidentiality
Integrity
Authentication
Availability
Confidentiality
Round Robin DNS (RRDNS) is one of the "tools" that malicious parties can use to extend the time their content is
accessible/hosted on the Internet. True or false?
False
Fast-Flux Service Networks (FFSNs) can be leveraged by malicious actors to extend the availability of a scam. True or
false?
True
Which statement best describes the primary qualitative difference between rogue and legitimate networks based on
the evidence of abuse and the findings of the FIRE system?
Rogue networks actively seek out and support malicious activities, while legitimate networks unintentionally host
malicious content due to security lapses.
Rogue networks primarily exist for hosting and distributing pirated software, while legitimate networks focus on
genuine content distribution.
The longevity of malicious behavior on rogue networks is significantly longer, often lasting weeks to over a year,
whereas legitimate networks usually remove malicious content within a few days.
The primary distinction is based on the geographical location of the network servers, with rogue networks
predominantly located in regions with lax cyber regulations.
The longevity of malicious behavior on rogue networks is significantly longer, often lasting weeks to over a year,
whereas legitimate networks usually remove malicious content within a few days.
The FIRE system takes primarily a reactive approach to infer network reputation, relying on monitoring IP blacklists.
True
ASwatch takes primarily a proactive approach to infer network reputation by monitoring the routing behavior of
networks.
True
How can a rogue network remain undetected by ASwatch (stay under the radar)?
By switching frequently to a different upstream provider.
By lowering the ratio of malicious IP addresses to the total owned IP addresses.
By maintaining a stable control plane behavior.
By maintaining a stable control plane behavior.
Determine which system monitors routing behavior to determine the legitimacy of a network.
FIRE
ASwatch
ARTEMIS
Stellar
ASwatch
Determine which system uses routing behavior to detect BGP hijacking attacks.
FIRE
ASwatch
ARTEMIS
Stellar
ARTEMIS
BGP Blackholing is a defense against prefix hijacking.
True
False
False
The BGP blackholing technique can only be applied for traffic related to specific applications.
True
False
False
Consider the reflection and amplification attack as shown in the figure below. (figure of master controlling traffic via
directing slaves at victim and using reflectors)
Which of the following statements is true?
The slaves send packet requests to the reflectors, spoofing the source IP address of the victim and, therefore, making it
seem as if the requests are sent from the victim.
The reflectors spoof the IP address of the slaves when responding to the victim.
The attacker, using the master and the slaves' servers, directly floods the victim with packets using their own IP
address.
The reflectors send their responses back to the slaves.
The slaves send packet requests to the reflectors, spoofing the source IP address of the victim and, therefore, making it
seem as if the requests are sent from the victim.
When designing a system to identify DNS reflection and amplification attacks, which network operation plane(s) is
essential to monitor for effective detection?
Control Plane
Data Plane
Management Plane
Control Plane and Data Plane
Data Plane
To effectively identify BGP hijacking incidents, specifically targeting BGP path and prefix manipulations, which
network operation plane(s) should you primarily monitor?
Control Plane
Data Plane
Management Plane
Control Plane and Data Plane
Control Plane
Which of the following techniques can help an attacker to attract more traffic when attempting to hijack a prefix?
Select all that apply.
Advertise a more specific prefix than the original owner AS
Advertise a shorter path to the prefix.
Advertise the same path as the original owner AS but change the origin AS.
Advertise a more specific prefix than the original owner AS
Advertise a shorter path to the prefix.