Which of the following techniques is used to identify attacks originating from a botnet?
A. Passive OS fingerprinting
B. Recipient filtering
C. IFilter
D. BPF-based filter
Explanation:
Passive OS fingerprinting can identify attacks originating from a botnet. Network administrators can configure the firewall to take action on a botnet attack by using information obtained from passive OS fingerprinting. Passive OS fingerprinting (POSFP) allows the sensor to determine the operating system used by the hosts. The sensor examines the traffic flow between two hosts and then stores the operating system of those two hosts along with their IP addresses. To determine the type of operating system, the sensor analyzes the TCP SYN and SYN ACK packets that travel on the network. The sensor computes the attack relevance rating to determine how relevant the attack is to the victim, based on the target host's OS. After that, the sensor modifies the alert's risk rating or filters the alert for the attack. Passive OS fingerprinting is also used to improve the alert output by reporting some information, such as the victim OS and the relevancy to the victim in the

the number of packets seen by tcpdump; this renders the output more usable on networks with a

files that are crawled. IFilters also remove application-specific formatting before the content of a document is indexed by the search engine.