CSCI 499 – Sample Final Exam

  1. Intrusions

Explain how split-horizon DNS works and how it helps protect a network from DNS reconnaissance.

  2. DDoS

I propose a DDoS defense in which the victim server under attack instructs all its clients to send a lot of traffic to the server. The server then flags those clients that did send the required (high) traffic volume as legitimate. The assumption here is that attackers already send at maximum capacity and cannot increase their sending rate, so the server will easily flag them as malicious.

a) What are the advantages of this approach?

b) What are the disadvantages of this approach?

c) If you were the attacker, how would you trick this defense into flagging you as a legitimate client? Assume you have unlimited resources at your disposal.

d) Imagine that instead of instructing clients to send a lot of traffic, the server sent them a computational puzzle to solve. Does this solve any of the disadvantages you listed? Does it introduce any new disadvantages?
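To make part d) concrete, here is an added illustration (not part of the exam) of one common form of computational puzzle: the server issues a fresh nonce and a difficulty, the client must find a counter whose SHA-256 hash over the nonce has that many leading zero bits, and the server checks the answer with a single hash. The nonce tracking in `PuzzleServer`, the puzzle format and the difficulty values are assumptions made for this example; the page itself does not specify a puzzle construction.

```python
"""Hash-based client puzzle (added example, not from the exam).

Server: issue (nonce, difficulty).  Client: find counter x such that
SHA-256(nonce || x) begins with `difficulty` zero bits, ~2**difficulty
hashes on average.  Server: verify with one hash, whatever the difficulty."""
import hashlib
import os
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def puzzle_hash(nonce: bytes, counter: int) -> bytes:
    # Fixed-width counter so the hash input is unambiguous.
    return hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: brute-force search, cost grows as 2**difficulty."""
    counter = 0
    while leading_zero_bits(puzzle_hash(nonce, counter)) < difficulty:
        counter += 1
    return counter


def verify_solution(nonce: bytes, difficulty: int, counter: int) -> bool:
    """Server side: constant cost, one hash."""
    if not 0 <= counter < 2**64:
        return False
    return leading_zero_bits(puzzle_hash(nonce, counter)) >= difficulty


class PuzzleServer:
    """Assumed bookkeeping: remember issued nonces so each solved puzzle
    admits exactly one flow and cannot be replayed or forged offline."""

    def __init__(self, difficulty: int = 12):
        self.difficulty = difficulty
        self.outstanding: set[bytes] = set()

    def issue(self) -> tuple[bytes, int]:
        nonce = os.urandom(16)  # fresh per client request
        self.outstanding.add(nonce)
        return nonce, self.difficulty

    def redeem(self, nonce: bytes, counter: int) -> bool:
        # Unknown nonce: never issued (or already spent) -> reject.
        if nonce not in self.outstanding:
            return False
        if not verify_solution(nonce, self.difficulty, counter):
            return False
        self.outstanding.remove(nonce)  # one solution, one admission
        return True


if __name__ == "__main__":
    server = PuzzleServer(difficulty=16)
    nonce, difficulty = server.issue()
    answer = solve_puzzle(nonce, difficulty)  # roughly 65k hashes for the client
    print("accepted:", server.redeem(nonce, answer))
    print("replay accepted:", server.redeem(nonce, answer))
```

The asymmetry is the point of the design: `solve_puzzle` does the work, `verify_solution` does not, and `redeem` ties each solution to a nonce the server actually handed out. A client with far more CPU than a typical user (or a botnet that parallelises the search) still solves the puzzle faster than the intended cost model assumes, which is the kind of issue part d) asks you to weigh.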

  3. Worms

In the DOMINO paper, the authors proposed an overlay for intrusion detection.

a) Describe the architecture: what are the different kinds of nodes and what do they do?

b) What were the findings of the DOMINO paper (e.g., can DOMINO work well, how much participation is needed, how often do nodes have to exchange data, how should nodes be distributed to achieve good performance)?

  4. Botnets

There are two ways to enumerate botnets: passive observation of traffic (e.g., infiltrate the botnet and then observe all reports passing through the node) and active traversal of the P2P structure (e.g., querying each node for its peers and then repeating this for each newly discovered peer).

a) Which approach gives higher counts and why?

b) Both approaches may miscount since they assume that one IP = one bot. Explain why this assumption is not true (multiple reasons exist) and how each reason affects the total count (does it make it smaller or larger than the true count)?

  5. Privacy

Alice configures Tor to use 4 Tor routers for her route: T1, T2, T3, T4. Alice's outgoing connection goes through these Tor routers in order of lowest to highest (Alice->T1->T2->T3->T4->Destination).

a) If we represent the layers of Tor encryption with parentheses, Alice's encrypted message looks like this: ((((message)K_a)K_b)K_c)K_d

where K_x is the public key for Tor router "x".

For Alice's outgoing path (T1->T2->T3->T4), replace a, b, c and d with the appropriate number (1-4) to show how Alice's message is encrypted.

b) Normally Tor routes only "bounce" through three Tor routers. What is the downside of Alice using four?

c) If Eve can only see TCP/IP headers (i.e., no application payload) which go between T4 and Alice's final destination, does Eve know which connection is Alice's? Justify your answer.

d) If Eve can see full packets (headers + payload) which go between T4 and Alice's final destination, does Eve know which connection is Alice's? Justify your answer.
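As an added illustration of the layering this question describes (not part of the exam, and not Tor's actual code), the following simulates Alice's four-hop circuit: the message is wrapped once per relay, each relay strips exactly one layer and learns only the next hop, and the exit relay hands the plaintext to the destination. Assumptions made for this example: each relay's K_x is modelled as a single secret key known to Alice and that relay (real Tor negotiates per-hop symmetric keys; the exam speaks of public keys), encryption is a toy HMAC-SHA256 keystream XOR so the code runs with the standard library only, and each layer carries a fixed-width next-hop field. `layer_notation` renders the result in the exam's parenthesis notation.

```python
"""Toy onion routing for Alice -> T1 -> T2 -> T3 -> T4 -> Destination.
Added example; keys, cipher and framing are assumptions, not Tor's."""
import hashlib
import hmac
import os

# Constructed per-relay keys standing in for the exam's K_1 .. K_4.
RELAY_KEYS = {
    f"T{i}": hashlib.sha256(f"constructed key for T{i}".encode()).digest()
    for i in range(1, 5)
}
HOP_LEN = 16  # fixed-width next-hop field inside every layer


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per layer
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(path: list[str], destination: str, message: bytes) -> bytes:
    """Alice's side.  Work from the exit relay inward to the entry relay, so
    the entry relay's key is applied last and therefore sits outermost."""
    hops = path + [destination]
    onion = message
    for i in range(len(path) - 1, -1, -1):
        next_hop = hops[i + 1].encode().ljust(HOP_LEN, b"\0")
        onion = encrypt(RELAY_KEYS[path[i]], next_hop + onion)
    return onion


def peel(relay: str, onion: bytes) -> tuple[str, bytes]:
    """Relay side: strip one layer; all it learns is where to forward."""
    inner = decrypt(RELAY_KEYS[relay], onion)
    return inner[:HOP_LEN].rstrip(b"\0").decode(), inner[HOP_LEN:]


def layer_notation(path: list[str]) -> str:
    """The exam's parenthesis notation for the layers on `path`."""
    s = "message"
    for relay in reversed(path):
        s = f"({s})K_{relay[1:]}"
    return s


def route(path: list[str], destination: str, message: bytes) -> tuple[list[str], bytes]:
    """Forward the onion along the circuit.  Returns the next hop each relay
    saw and the bytes the exit relay delivers to the destination."""
    onion = build_onion(path, destination, message)
    seen = []
    for relay in path:
        next_hop, onion = peel(relay, onion)
        seen.append(next_hop)
    return seen, onion


if __name__ == "__main__":
    circuit = ["T1", "T2", "T3", "T4"]
    print(layer_notation(circuit))
    hops_seen, delivered = route(circuit, "example.org", b"GET / HTTP/1.1")
    print(hops_seen, delivered)
```

Running it shows why only T1 sees Alice's address and only T4 sees the destination and the cleartext payload: each `peel` yields one next hop and an opaque inner blob, which is the information boundary parts c) and d) ask about. The same functions work for a three-hop circuit, which makes the cost of a fourth hop in part b) easy to reason about.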