EC-COUNCIL EC-COUNCIL Certifications 312-38 Questions & Answers

• Question 421:

  With which of the following forms of acknowledgment can the sender be informed by the data receiver about all segments that have arrived successfully?

  A. Block Acknowledgment

  B. Negative Acknowledgment

  C. Cumulative Acknowledgment

  D. Selective Acknowledgment

  Correct Answer: D

  Selective Acknowledgment (SACK) is one of the forms of acknowledgment. With selective acknowledgments, the sender can be informed by a data receiver about all segments that have arrived successfully, so the sender retransmits only those segments that have actually been lost. The selective acknowledgment extension uses two TCP options: The first is an enabling option, "SACK-permitted", which may be sent in a SYN segment to indicate that the SACK option can be used once the connection is established. The other is the SACK option itself, which can be sent over an established connection once permission has been given by "SACK-permitted". Answer option A is incorrect. Block Acknowledgment (BA) was initially defined in IEEE 802.11e as an optional scheme to improve the MAC efficiency. IEEE 802.11n capable devices are also referred to as High Throughput (HT) devices. Instead of transmitting an individual ACK for every MPDU, multiple MPDUs can be acknowledged together using a single BA frame. Block Ack (BA) contains bitmap size of 64*16 bits. Each bit of this bitmap represents the status (success/ failure) of an MPDU. Answer option B is incorrect. With Negative Acknowledgment, the receiver explicitly notifies the sender which packets, messages, or segments were received incorrectly that may need to be retransmitted. Answer option C is incorrect. With Cumulative Acknowledgment, the receiver acknowledges that it has correctly received a packet, message, or segment in a stream which implicitly informs the sender that the previous packets were received correctly. TCP uses cumulative acknowledgment with its TCP sliding window.

• Question 422:

  Which of the following are the distance-vector routing protocols? Each correct answer represents a complete solution. Choose all that apply.

  A. IS-IS

  B. OSPF

  C. IGRP

  D. RIP

  Correct Answer: DC

  Following are the two distance-vector routing protocols:

  RIP: RIP is a dynamic routing protocol used in local and wide area networks. As such, it is classified as an interior gateway protocol (IGP). It uses the distance-vector routing algorithm. It employs the hop count as a routing metric. RIP

  prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. It implements the split horizon, route poisoning, and hold-down mechanisms to prevent incorrect routing information from

  being propagated.

  IGRP: Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary distance vector Interior Gateway Protocol (IGP). It is used by Cisco routers to exchange routing data within an autonomous system (AS). This is a classful routing protocol

  and does not support variable length subnet masks (VLSM). IGRP supports multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability.

  Answer options B and A are incorrect. OSPF and IS-IS are link state routing protocols.

• Question 423:

  Which of the following types of cyberstalking damages the reputation of their victim and turns other people against them by setting up their own Websites, blogs, or user pages for this purpose?

  A. False accusation

  B. Attempts to gather information about the victim

  C. Encouraging others to harass the victim

  D. False victimization

  Correct Answer: A

  In false accusations, many cyberstalkers try to damage the reputation of their victim and turn other people against them. They post false information about them on Websites. They may set up their own Websites, blogs, or user pages for this

  purpose. They post allegations about the victim to newsgroups, chat rooms, or other sites that allow public contributions.

  Answer option D is incorrect. In false victimization, the cyberstalker claims that the victim is harassing him/her.

  Answer option C is incorrect. In this type of cyberstalking, many cyberstalkers try to involve third parties in the harassment. They claim that the victim has harmed the stalker in some way, or may post the victim's name and telephone number

  in order to encourage others to join the pursuit.

  Answer option B is incorrect. In an attempt to gather information, cyberstalkers may approach their victim's friends, family, and work colleagues to obtain personal information. They may advertise for information on the Internet. They often will

  monitor the victim's online activities and attempt to trace their IP address in an effort to gather more information about their victims.

• Question 424:

  You work as the network administrator for uCertify Inc. The company has planned to add the support for IPv6 addressing. The initial phase deployment of IPv6 requires support from some IPv6-only devices. These devices need to access servers that support only IPv4. Which of the following tools would be suitable to use?

  A. Multipoint tunnels

  B. NAT-PT

  C. Point-to-point tunnels

  D. Native IPv6

  Correct Answer: B

  NAT-PT (Network address translation-Protocol Translation) is useful when an IPv4-only host needs to communicate with an IPv4-only host. NAT-PT (Network Address Translation-Protocol Translation) is an implementation of RFC 2766 as specified by the IETF. NAT-PT was designed so that it can be run on low-end, commodity hardware. NAT-PT runs in user space, capturing and translating packets between the IPv6 and IPv4 networks (and vice-versa). NAT-PT uses the Address Resolution Protocol (ARP) and Neighbor Discovery (ND) on the IPv4 and IPv6 network systems, respectively.

  

  NAT-Protocol Translation can be used to translate both the source and destination IP addresses.

  Answer option D is incorrect. Native IPv6 is of use when the IPv6 deployment is pervasive, with heavy traffic loads.

  Answer option C is incorrect. Point-to-point tunnels work well when IPv6 is needed only in a subset of sites. These point-to-point tunnels act as virtual point-to-point serial link. These are useful when the traffic is of very high volume. Answer

  option A is incorrect. The multipoint tunnels are used for IPv6 deployment even when IPv6 is needed in a subset of sites and is suitable when the traffic is infrequent and of less predictable volume.

• Question 425:

  Which of the following is a management process that provides a framework for promoting quick recovery and the capability for an effective response to protect the interests of its brand, reputation, and stakeholders?

  A. Log analysis

  B. Incident handling

  C. Business Continuity Management

  D. Patch management

  Correct Answer: C

  Business Continuity Management is a management process that determines potential impacts that are likely to threaten an organization. It provides a framework for promoting quick recovery and the capability for an effective response to protect the interests of its brand, reputation, and stakeholders. Business continuity management includes disaster recovery, business recovery, crisis management, incident management, emergency management, product recall, contingency planning, etc. Answer option D is incorrect. Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. Patch management includes the following tasks: Maintaining current knowledge of available patches Deciding what patches are appropriate for particular systems Ensuring that patches are installed properly Testing systems after installation, and documenting all associated procedures, such as specific configurations requiredA number of products are available to automate patch management tasks, including RingMaster's Automated Patch Management, PatchLink Update, and Gibraltar's Everguard. Answer option A is incorrect. This option is invalid. Answer option B is incorrect. Incident handling is the process of managing incidents in an Enterprise, Business, or an Organization. It involves the thinking of the prospective suitable to the enterprise and then the implementation of the prospective in a clean and manageable manner. It involves completing the incident report and presenting the conclusion to the management and providing ways to improve the process both from a technical and administrative aspect. Incident handling ensures that the overall process of an enterprise runs in an uninterrupted continuity.

• Question 426:

  Which of the following IP class addresses are not allotted to hosts? Each correct answer represents a complete solution. Choose all that apply.

  A. Class A

  B. Class B

  C. Class D

  D. Class E

  E. Class C

  Correct Answer: CD

  Class addresses D and E are not allotted to hosts. Class D addresses are reserved for multicasting, and their address range can extend from 224 to 239. Class E addresses are reserved for experimental purposes. Their addresses range from 240 to 254. Answer option A is incorrect. Class A addresses are specified for large networks. It consists of up to 16,777,214 client devices (hosts), and their address range can extend from 1 to 126. Answer option B is incorrect. Class B addresses are specified for medium size networks. It consists of up to 65,534 client devices, and their address range can extend from 128 to 191. Answer option E is incorrect. Class C addresses are specified for small local area networks (LANs). It consists of up to 245 client devices, and their address range can extend from 192 to 223.

• Question 427:

  Which of the following organizations is responsible for managing the assignment of domain names and IP addresses?

  A. ISO

  B. ICANN

  C. W3C

  D. ANSI

  Correct Answer: B

  ICANN stands for Internet Corporation for Assigned Names and Numbers. ICANN is responsible for managing the assignment of domain names and IP addresses. ICANN's tasks include responsibility for IP address space allocation, protocol identifier assignment, top-level domain name system management, and root server system management functions. Answer option A is incorrect. The International Organization for Standardization, widely known as ISO, is an international-standard-setting body composed of representatives from various national standards organizations. Founded on 23 February 1947, the organization promulgates worldwide proprietary industrial and commercial standards. It has its headquarters in Geneva, Switzerland. While ISO defines itself as a non-governmental organization, its ability to set standards that often become law, either through treaties or national standards, makes it more powerful than most non-governmental organizations. In practice, ISO acts as a consortium with strong links to governments. Answer option C is incorrect. The World Wide Web Consortium (W3C) is an international industry consortium that develops common standards for the World Wide Web to promote its evolution and interoperability. It was founded in October 1994 by Tim Berners-Lee, the inventor of the Web, at the Massachusetts Institute of Technology, Laboratory for Computer Science [MIT/LCS] in collaboration with CERN, where the Web had originated, with support from DARPA and the European Commission. Answer option D is incorrect. ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States. ANSI works with industry groups and is the U.S. member of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Long-established computer standards from ANSI include the American Standard Code for Information Interchange (ASCII) and the Small Computer System Interface (SCSI).

• Question 428:

  Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?

  A. Contingency plan

  B. Disaster recovery plan

  C. Business continuity plan

  D. Continuity of Operations Plan

  Correct Answer: A

  A contingency plan is a plan devised for a specific situation when things could go wrong. Contingency plans are often devised by governments or businesses who want to be prepared for anything that could happen. Contingency plans include specific strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also include a monitoring process and "triggers" for initiating planned actions. They are required to help governments, businesses, or individuals to recover from serious incidents in the minimum time with minimum cost and disruption. Answer option D is incorrect. It includes the plans and procedures documented that ensure the continuity of critical operations during any period where normal operations are impossible. Answer option B is incorrect. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking), and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication, and reputation protection, and should refer to the disaster recovery plan (DRP) for IT-related infrastructure recovery/continuity. Answer option C is incorrect. Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan. The BCP lifecycle is as follows:

  

• Question 429:

  Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping the conversation and keeps the password. After the interchange is over, Eve connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob accepts. Which of the following attacks is being used by Eve?

  A. Replay

  B. Fire walking

  C. Cross site scripting

  D. Session fixation

  Correct Answer: A

  Eve is using Replay attack. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet. Session tokens can be used to avoid replay attacks. Bob sends a one-time token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Mallory has captured this value and tries to use it on another session; Bob sends a different session token, and when Mallory replies with the captured value it will be different from Bob's computation. Answer option C is incorrect. In the cross site scripting attack, an attacker tricks the user's computer into running code, which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations. Answer option B is incorrect. Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. Answer option D is incorrect. In session fixation, an attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.

• Question 430:

  Which of the following examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations?

  A. Network Behavior Analysis

  B. Network-based Intrusion Prevention

  C. Wireless Intrusion Prevention System

  D. Host-based Intrusion Prevention

  Correct Answer: A

  Network Behavior Analysis examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations. Answer option B is incorrect. Network-based Intrusion Prevention (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. Answer option C is incorrect. Wireless Intrusion Prevention System (WIPS) monitors a wireless network for suspicious traffic by analyzing wireless networking protocols. Answer option D is incorrect. Host-based Intrusion Prevention (HIPS) is an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host.