Systems Security Certified Practitioner – SSCP – Question0826

You are running a packet sniffer on a network and see a packet containing a long string of "0x90 0x90 0x90 0x90…." in the middle of it traveling to an x86-based machine as a target. This could be indicative of what activity being attempted?

A. Over-subscription of the traffic on a backbone.
B. A source quench packet.
C. A FIN scan.
D. A buffer overflow attack.

Correct Answer: D

Explanation:

A long series of the same control character (the same hexadecimal code) embedded in a packet is usually an indicator of a buffer overflow attack.
Intel x86 processors use the hexadecimal value 90 (0x90) to represent NOP (no operation). Many buffer overflow attacks use long strings of such control characters, and a run of 0x90 bytes is representative of that type of attack.
A buffer overflow takes place when too much data is accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for the overflow to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed by the commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data. That task could be to open a command shell with administrative privilege or to execute malicious code.
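The indicator described above can be turned into a simple detection check. The following is an added example, not part of the original question or its references: it scans captured packet payloads for a long contiguous run of 0x90 bytes and flags the packet as a possible NOP sled. The sample payloads and the run-length threshold of 16 are assumptions for illustration.

```python
# Added example: flag payloads carrying a long run of 0x90 (x86 NOP) bytes.
# Sample payloads and the threshold value are constructed for illustration.

NOP = 0x90
THRESHOLD = 16  # assumed tuning value; raise it to reduce false positives


def longest_nop_run(payload: bytes) -> tuple:
    """Return (offset, length) of the longest contiguous run of 0x90 bytes.

    Returns (-1, 0) when the payload contains no 0x90 byte at all.
    """
    best_off, best_len = -1, 0
    cur_off, cur_len = -1, 0
    for i, b in enumerate(payload):
        if b == NOP:
            if cur_len == 0:
                cur_off = i          # start of a new run
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0              # run broken by a non-NOP byte
    return best_off, best_len


def is_suspected_nop_sled(payload: bytes, threshold: int = THRESHOLD) -> bool:
    """Heuristic: a run of 0x90 at least `threshold` bytes long is suspicious."""
    return longest_nop_run(payload)[1] >= threshold


def scan(packets, threshold: int = THRESHOLD):
    """Return (name, offset, run_length) for every packet the heuristic flags."""
    hits = []
    for name, payload in packets:
        off, run = longest_nop_run(payload)
        if run >= threshold:
            hits.append((name, off, run))
    return hits


# Constructed sample payloads: an ordinary HTTP request and a payload that
# embeds a 32-byte NOP run after a short prefix (as a sniffer might show it).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPECT = b"USER " + b"A" * 8 + b"\x90" * 32 + b"\xcc" * 4 + b"\r\n"

if __name__ == "__main__":
    for hit in scan([("benign", BENIGN), ("suspect", SUSPECT)]):
        print("possible NOP sled in %s at offset %d, %d bytes" % hit)
```

A run of 0x90 can also occur legitimately, for example as alignment padding inside transferred x86 binaries, so a hit is a reason to inspect the flow, not proof of an attack.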
Common threats to system availability, integrity, and confidentiality include hardware failure, misuse of system privileges, buffer overflows and other memory attacks, denial of service, reverse engineering, and system hacking.
Since many vulnerabilities result from insecure design and most threats are well known, it is the responsibility of the security architect to ensure that their designs are addressing security requirements appropriately while also ensuring that the system can continue to perform its intended function.
The following answers are incorrect:
A. Over-subscription of the traffic on a backbone. This is incorrect because over-subscription of a backbone would typically result in not being able to send or receive packets at all, more commonly known as a Denial of Service (DoS).
B. A source quench packet. This is incorrect because a source quench packet is an ICMP message that contains the internet header plus 64 bits of the original datagram.
C. A FIN scan. This is incorrect because a FIN scan sends a packet with the FIN flag set to a specific port and then analyzes the response.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design, Page 332 (Kindle edition: Kindle Locations 7310-7315).
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Security Architecture and Design (Kindle Locations 1403-1407). Kindle Edition.
Wikipedia, Port scanner: http://en.wikipedia.org/wiki/Port_scanner
ICMP: http://security.maruhn.com/iptables-tutorial/x1078.html
Wikipedia, Buffer overflow: http://en.wikipedia.org/wiki/Buffer_overflow