Which evasion method involves performing actions slower than normal to prevent detection?

A. traffic fragmentation
B. tunneling
C. timing attack
D. resource exhaustion

4 thoughts on “Which evasion method involves performing actions slower than normal to prevent detection?”

  1. The answer is C: Timing Attack

    2.1.2
    Timing Attacks: Attackers can evade detection by
    performing their actions slower than normal, not exceeding the
    thresholds inside the time windows the signatures use to correlate
    different packets together. These evasion attacks can be mounted
    against any correlating engine that uses a fixed time window and a
    threshold to classify multiple packets into a composite event. An
    example of this type of attack would be a very slow
    reconnaissance attack sending packets at the interval of a couple
    per minute. In this scenario, the attacker would likely evade
    detection simply by making the scan possibly unacceptably long.

    Why not Traffic Fragmentation?

    2.1.4 Traffic Fragmentation: Fragmentation of traffic
    was one of the early network IPS evasion techniques
    used to attempt to bypass the network IPS sensor. Any
    evasion attempt where the attacker splits malicious
    traffic to avoid detection or filtering is considered a
    fragmentation-based evasion

    As the above states, Traffic Fragmentation is to SPLIT the payload, not to slowly mill the payload out as in a Timing Attack.

  2. Wrong, it's C

    Timing Attacks

    Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows the signatures use to correlate different packets together. These evasion attacks can be mounted against any correlating engine that uses a fixed time window and a threshold to classify multiple packets into a composite event. An example of this type of attack would be a very slow reconnaissance attack sending packets at the interval of a couple per minute. In this scenario, the attacker would likely evade detection simply by making the scan possibly unacceptably long.
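The fixed time window and threshold described in the comments above, seen from the detection side, as an added example that is not part of the original page or the quoted material. The addresses, port numbers, the 60-second window, the threshold of 10 and the one-hour idle timeout are all constructed values chosen for illustration.

```python
from collections import defaultdict, deque

def sliding_window_alerts(events, window_s, threshold):
    """Fixed-window correlation: flag a source that touches at least
    `threshold` distinct ports within any span of `window_s` seconds."""
    recent = defaultdict(deque)              # src -> deque of (ts, port)
    alerted = set()
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window_s:       # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerted.add(src)
    return alerted

def long_horizon_alerts(events, idle_timeout_s, threshold):
    """Per-source state kept until the source has been idle for
    `idle_timeout_s`: flag on the cumulative count of distinct ports.
    Costs more memory, since state lives far longer than one window."""
    seen = {}                                # src -> (last_ts, ports so far)
    alerted = set()
    for ts, src, port in events:
        last, ports = seen.get(src, (ts, set()))
        if ts - last > idle_timeout_s:       # source went quiet: start over
            ports = set()
        ports.add(port)
        seen[src] = (ts, ports)
        if len(ports) >= threshold:
            alerted.add(src)
    return alerted

def build_events():
    """Constructed sample traffic as (timestamp_s, source, dest_port)."""
    ev = [(float(i), "198.51.100.7", 1000 + i) for i in range(20)]     # 1 port/s
    ev += [(30.0 * i, "203.0.113.9", 2000 + i) for i in range(40)]     # 2 ports/min
    ev += [(5.0 * i, "192.0.2.10", 443) for i in range(100)]           # one port only
    return sorted(ev)

EVENTS = build_events()

if __name__ == "__main__":
    print("60 s window :", sorted(sliding_window_alerts(EVENTS, 60, 10)))
    print("1 h horizon :", sorted(long_horizon_alerts(EVENTS, 3600, 10)))
```

The source probing a couple of ports per minute never has more than three distinct ports inside any 60-second window, so only the cumulative per-source count flags it.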
