AP Cybersecurity Unit 3 Lesson 2 Exercise 1
Exercise 1 — Network Attack Classification
6 questions — Identify attack types from network incident descriptions
Harborview Regional Bank operates 12 branches across the Pacific Northwest, serving 45,000 customers. The bank runs a centralized data center with customer-facing online banking, internal teller systems, and a SWIFT terminal for international transfers. The security operations center (SOC) has flagged six network anomalies in the past 48 hours.
(A) Incorrect — SYN floods target the TCP handshake, not HTTP layer traffic. The description specifies HTTP requests.
(C) Incorrect — DNS amplification uses UDP, not HTTP requests, and targets bandwidth rather than the application layer.
(D) Incorrect — ARP poisoning operates on the local LAN segment, not from 92,000 external IPs.
DE:AD:BE:EF:00:01) before reaching the default gateway. The ARP tables on affected workstations show this MAC address mapped to the gateway’s IP. Which of the following BEST describes this attack?
(A) Incorrect — DNS poisoning alters domain-to-IP mappings, not MAC-to-IP mappings in ARP tables.
(B) Incorrect — passive sniffing does not alter ARP tables; the scenario shows active manipulation.
(D) Incorrect — VLAN hopping exploits switch trunk ports; the evidence points specifically to ARP table corruption.
harborviewbank.com in their browser takes them to a page that looks identical to the real site but has a slightly different URL in the address bar. The fake site has a valid TLS certificate. Which of the following statements about this attack are correct?
I. The attacker likely poisoned a DNS resolver’s cache to return a malicious IP for harborviewbank.com.
II. The presence of a valid TLS certificate (padlock icon) guarantees that the site is operated by Harborview Bank.
III. Customers who verify the URL in their address bar before entering credentials would avoid this attack.
(A) Incomplete — Statement III is also correct.
(B) Incorrect — Statement II is false; TLS does not guarantee site legitimacy.
(D) Incorrect — Statement II is false.
(A) Likely captured — HTTP transmits credentials in plaintext, fully visible to a sniffer.
(B) Likely captured — unencrypted SMTP sends email content as readable text.
(D) Likely captured — standard DNS queries are unencrypted and reveal browsing patterns.
(A) Incorrect — no password guessing occurred; the attacker captured an active session token.
(B) Incorrect — XSS involves injecting scripts into a web page; the cookie was captured from network traffic.
(D) Incorrect — SQL injection targets database queries; no database manipulation is described.
(A) Incorrect — a compromised bot would send various attack traffic, not specifically SYN/ACK responses to addresses that never sent SYN packets.
(C) Incorrect — firewalls do not forward traffic back to senders as a misconfiguration pattern.
(D) Incorrect — port scanning sends SYN packets, not SYN/ACK packets; the traffic pattern is responses, not initiations.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.