CS6262 Final Exam UPDATED ACTUAL Questions
and CORRECT Answers 2026
George P. Burdell properly implemented a name server on his local
machine. His browser uses this local name server to resolve domain
names. George's friend sends him a link on Slack that points to
www.w3schools.com. George clicks on the link, which then causes his
browser to resolve www.w3schools.com. Assuming George has visited
www.w3schools.com before, no packets are lost, and all name servers
use a TTL of 86400 seconds, which of the following statements is
CORRECT? ......ANSWER......None of the other answer choices are
correct.
Which of the following defenses would make DNS cache poisoning
attacks like Kaminsky's impossible? ......ANSWER......Deploy DNSSEC
According to the BGP protocol, an autonomous system can learn
multiple autonomous system routes to an IP prefix.
......ANSWER......True
Which of the following techniques is MOST responsible for making
Kaminsky's DNS cache poisoning attack more successful than traditional
cache poisoning attacks? ......ANSWER......Query random subdomains
Which of the following types of DNS records contain the address of the
domain name in the original query? ......ANSWER......NS Record
BotMiner is a system that performs vertical dialog correlation. It
correlates multiple events that belong to the life cycle of a bot.
......ANSWER......False - it is BotHunter
As a cost saving measure, BotHunter does not produce a
comprehensive bot profile. ......ANSWER......False - BotHunter does
produce a comprehensive bot profile. See slide 15 and BotHunter:
Detecting Malware Infection Through IDS-Driven Dialog Correlation.
If a domain name is random-looking (e.g., we can't find any part of it
in a dictionary), it's always the case that the domain name belongs to a
botnet C&C server. ......ANSWER......False - Botnet detection
An important benefit of directing botnet C&C traffic to a DNS sinkhole is
"capturing of bot IP addresses". ......ANSWER......True
A limitation of BotMiner is that a well-designed botnet can evade
A-Plane monitoring. ......ANSWER......True - Botnets can evade A-plane
monitoring by performing slow spamming and using undetectable
activities. See slide 34 of the lectures and BotMiner: Clustering
Analysis of Network Traffic for Protocol- and Structure-Independent
Botnet Detection.
Which of the following is NOT a challenge faced by botnet detection
researchers? ......ANSWER......Bots are stealthy on the infected
machines
Bot infection is usually a multi-faceted and multi-phased process
Bots are dynamically evolving
Botnets can have very flexible design of C&C channels
While scanning the IPv4 space using a tool such as ZMap, every scan
(with the same parameters) should return the same results.
......ANSWER......False
ZMap uses widely (and randomly) dispersed scanning targets to achieve
high speed. ......ANSWER......True
The goal of a domain reputation system such as Notos is to identify
newly created or previously unclassified malicious domains.
......ANSWER......True
If an IP address (i.e., an Internet host) is known to have hosted
malicious domains, then the reputation of any domain that is resolved
to (i.e., hosted by) this IP address is also tainted (i.e., more likely than
others to be malicious). ......ANSWER......True