CSCI 530 - Sample Final Exam

  1. DDoS

I propose a DDoS defense that collects history of a client’s behavior (client is identified by his/her IP address) and runs some sophisticated but public algorithm on this to infer which clients are well-behaved. During DDoS attacks these clients’ traffic get preferential treatment and the rest of traffic is served as best effort.

a) Can I use this approach to protect a DNS server? Why/why not?

DNS runs over UDP, so this traffic may be spoofed. DNS can also run over TCP, and in that case it cannot be spoofed. If we use DNS over UDP we cannot use this approach to protect the server because of IP spoofing. The attacker may assume a good client’s identity and either use it to get good service or behave badly and make us degrade service to the legitimate client. The attacker can also create many new identities using IP spoofing.

b) Can I use this approach to protect a Web server? Why/why not?

Web traffic runs over TCP, which is hard to spoof. We can use this approach to protect a Web server.

c) How can the attacker trick this defense to still send attack traffic to the victim (at least for a while)?

The attacker can behave well for a while (the algorithm to detect good behavior is public) and then, once they are moved onto the good-client list, they can misbehave and send attack traffic. At some point each client’s behavior may be re-evaluated and they can be caught.

d) What happens to new legitimate clients that are first seen during the attack?

New clients get best effort service until they produce enough behavior history for the algorithm to classify them. This means they share the service with the attack for a while.
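A toy version of the behavior-history defense from this question, added here as an example (it is not part of the exam or its answer key). Everything in it is constructed for illustration: the client identifier is the source IP, each request arrives already labelled 'ok' or 'bad' by some upstream check, and the public rule is "a client is good once it has at least MIN_HISTORY requests with a bad-request ratio of at most MAX_BAD_RATIO". The class is recomputed from the full history on every lookup, which plays the role of the re-evaluation mentioned in part (c).

```python
"""Behavior-history classifier for the DDoS defense in question 1 (added
example; MIN_HISTORY, MAX_BAD_RATIO and the 'ok'/'bad' labels are constructed)."""
from collections import defaultdict

MIN_HISTORY = 5      # requests needed before a client can be classified
MAX_BAD_RATIO = 0.2  # tolerated share of bad requests for a "good" client


class BehaviourHistory:
    def __init__(self):
        # Keyed by client IP only: the defense is exactly as strong as the
        # guarantee that this address cannot be spoofed (parts a and b).
        self.stats = defaultdict(lambda: {"total": 0, "bad": 0})

    def observe(self, ip, outcome):
        """Record one request; outcome is 'ok' or 'bad'."""
        s = self.stats[ip]
        s["total"] += 1
        if outcome == "bad":
            s["bad"] += 1

    def classify(self, ip):
        """Public rule: 'unknown' (too little history), 'good' or 'bad'."""
        s = self.stats.get(ip)
        if s is None or s["total"] < MIN_HISTORY:
            return "unknown"
        return "good" if s["bad"] / s["total"] <= MAX_BAD_RATIO else "bad"

    def service_class(self, ip, under_attack):
        """Only clients already classified 'good' get priority during an attack;
        'unknown' newcomers (part d) share best-effort service with the attack."""
        if not under_attack:
            return "normal"
        return "priority" if self.classify(ip) == "good" else "best_effort"


def replay(history, events, under_attack=True):
    """Feed (ip, outcome) events in order and return the service class each
    request received *before* its own outcome was added to the history."""
    classes = []
    for ip, outcome in events:
        classes.append(history.service_class(ip, under_attack))
        history.observe(ip, outcome)
    return classes


if __name__ == "__main__":
    h = BehaviourHistory()
    attacker = "203.0.113.7"   # constructed address
    # Part (c): behave well until classified good, then misbehave.
    events = [(attacker, "ok")] * 5 + [(attacker, "bad")] * 3
    for (ip, outcome), cls in zip(events, replay(h, events)):
        print(f"{ip} sends {outcome:<3} -> served as {cls}")
    print("new client during attack:", h.service_class("198.51.100.9", True))
```

The replay shows the window the answer to (c) describes: after five good requests the attacker is served with priority, stays there after the first bad request (1/6 is still under the ratio), and only drops back to best effort once the ratio is exceeded. A client with no history is never promoted, so a legitimate newcomer (part d) gets the same best-effort class as the attack until it has built a record.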

  2. Worms

Explain how worm signatures can be derived automatically (e.g. as proposed in EarlyBird or Autograph or Polygraph papers).

-The idea is to detect content prevalence (worms have the same content that appears in a lot of packets, while legitimate traffic has diverse content)

-There may be a pool of suspicious traffic or we can try to detect content prevalence on all traffic. Some signatures may be whitelisted.

-Traffic is segmented and Rabin fingerprints are calculated on each segment (hashes of segments and subsegments are calculated). Hashes (fingerprints) are used to detect content prevalence – we keep a counter with each hash to show how often we observe it. The most frequent hashes become signatures of worms.

-Polygraph introduces the idea of sequence vs. set signatures vs. probabilistic (Bayesian) signatures.
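Content-prevalence detection in the style described above, as an added example (it is not code from the EarlyBird, Autograph or Polygraph papers). Each payload is cut into overlapping WINDOW-byte substrings, a Rabin-style polynomial rolling fingerprint is computed for each, and a counter per fingerprint records in how many packets it was seen. Substrings seen in at least `threshold` packets and not on the whitelist are reported as candidate signatures. The packets, the "worm" body and the threshold are all constructed.

```python
"""Rabin-fingerprint content prevalence over constructed packets (added example)."""
from collections import Counter

WINDOW = 8
BASE = 257
MOD = (1 << 61) - 1   # large prime modulus for the polynomial fingerprint


def rabin_fingerprints(payload, window=WINDOW):
    """Yield (fingerprint, substring) for every window-byte substring, updating
    the polynomial hash in O(1) per step instead of rehashing each window."""
    if len(payload) < window:
        return
    high = pow(BASE, window - 1, MOD)        # weight of the byte that drops out
    h = 0
    for b in payload[:window]:
        h = (h * BASE + b) % MOD
    yield h, payload[:window]
    for i in range(window, len(payload)):
        h = ((h - payload[i - window] * high) * BASE + payload[i]) % MOD
        yield h, payload[i - window + 1:i + 1]


def whitelist_fingerprints(strings, window=WINDOW):
    """Fingerprints of every window inside known-benign content (protocol framing)."""
    return {fp for s in strings for fp, _ in rabin_fingerprints(s, window)}


def prevalent_content(packets, threshold, whitelist=(), window=WINDOW):
    """Return {substring: packet_count} for content seen in >= threshold packets.
    A fingerprint is counted once per packet, so one packet repeating a string
    many times does not by itself look prevalent. Hash collisions are ignored."""
    skip = whitelist_fingerprints(whitelist, window)
    packets_seen = Counter()
    example = {}                              # fingerprint -> one substring for it
    for payload in packets:
        in_this_packet = {}
        for fp, sub in rabin_fingerprints(payload, window):
            in_this_packet.setdefault(fp, sub)
        for fp, sub in in_this_packet.items():
            if fp in skip:
                continue
            packets_seen[fp] += 1
            example.setdefault(fp, sub)
    return {example[fp]: n for fp, n in packets_seen.items() if n >= threshold}


WORM = b"\x90\x90\x90\x90\xeb\x1fMALCODE-SAMPLE"   # constructed 20-byte "worm" body


def constructed_packets():
    """Four copies of the worm body behind different prefixes plus three
    ordinary HTTP requests; all constructed."""
    worm_copies = [prefix + WORM for prefix in (b"A", b"BB", b"CCC", b"DDDD")]
    legit = [b"GET /index.html HTTP/1.1\r\n",
             b"GET /about.html HTTP/1.1\r\n",
             b"POST /login HTTP/1.1\r\n"]
    return worm_copies + legit


if __name__ == "__main__":
    sigs = prevalent_content(constructed_packets(), threshold=3,
                             whitelist=[b" HTTP/1.1\r\n"])
    for sub, n in sorted(sigs.items(), key=lambda kv: -kv[1]):
        print(n, sub)
```

Run without the whitelist, the HTTP version string is reported alongside the worm windows because it appears in every request; that is the kind of common-but-benign content the whitelist exists for. Adjacent prevalent windows (here all 13 windows of the worm body) can be merged into one longer signature by a follow-up pass.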

  3. Botnets

Explain what Fast Flux is and why botnets use it. What is single flux and what is double flux?

-Fast flux = change DNS name to IP mapping

-Botnets use it so they can advertise one name (in spam or phishing) but use different servers, so if one is caught or offline others can take over – used for resiliency. These different servers are proxies for one mothership server.

-Single flux: change DNS name to IP mapping for a server

-Double flux: change name server for the domain too
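A small classifier that tells single flux from double flux over repeated DNS lookups, added here as an example (not from the exam). Per domain it keeps the distinct A-record addresses and NS-record names seen across lookups and the smallest TTL observed: rapid A-record churn at a low TTL is reported as single flux, churn in the NS records as well as double flux. The observations, domain names, addresses (documentation ranges) and thresholds are all constructed.

```python
"""Fast-flux classification over constructed passive-DNS observations (added example)."""
from collections import defaultdict

MIN_DISTINCT = 5   # distinct values before churn counts as flux (constructed)
MAX_TTL = 300      # seconds; flux domains keep TTLs short so rotation takes effect


def flux_profile(observations):
    """observations: iterable of (domain, rtype, value, ttl) as a passive-DNS log
    would record them. Returns {domain: {"A": set, "NS": set, "min_ttl": int}}."""
    profile = defaultdict(lambda: {"A": set(), "NS": set(), "min_ttl": None})
    for domain, rtype, value, ttl in observations:
        p = profile[domain]
        if rtype in ("A", "NS"):
            p[rtype].add(value)
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
    return profile


def classify(domain, profile):
    """'single flux' = A records rotate; 'double flux' = NS records rotate too."""
    p = profile.get(domain)
    if p is None:
        return "unseen"
    a_flux = len(p["A"]) >= MIN_DISTINCT and p["min_ttl"] <= MAX_TTL
    ns_flux = len(p["NS"]) >= MIN_DISTINCT
    if a_flux and ns_flux:
        return "double flux"
    if a_flux:
        return "single flux"
    return "stable"


def constructed_observations():
    """Constructed lookups over time; addresses come from the documentation
    ranges 192.0.2/24, 198.51.100/24 and 203.0.113/24."""
    obs = []
    # single flux: the name rotates through 8 proxy addresses, NS stays fixed
    for i in range(8):
        obs.append(("login-update.example", "A", f"198.51.100.{i + 1}", 120))
    obs.append(("login-update.example", "NS", "ns1.flux-host.example", 3600))
    # double flux: the name servers for the domain rotate as well
    for i in range(8):
        obs.append(("promo.example", "A", f"203.0.113.{i + 1}", 60))
        obs.append(("promo.example", "NS", f"ns{i + 1}.promo.example", 60))
    # ordinary site: one address, long TTL
    obs.append(("www.example", "A", "192.0.2.10", 86400))
    obs.append(("www.example", "NS", "ns1.example", 86400))
    return obs


if __name__ == "__main__":
    prof = flux_profile(constructed_observations())
    for d in ("login-update.example", "promo.example", "www.example"):
        print(f"{d:<22} A={len(prof[d]['A'])} NS={len(prof[d]['NS'])} "
              f"min_ttl={prof[d]['min_ttl']} -> {classify(d, prof)}")
```

Address churn alone is a weak signal: content-delivery networks and round-robin setups also answer with several addresses at short TTLs, so a real detector combines it with other features such as the addresses belonging to many unrelated networks rather than one hosting provider.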

  4. TC

Explain what a TPM is, what functionalities it provides and why it is important to have these functionalities in hardware.

-A TPM is a piece of hardware connected to the computer that provides some cryptographic operations and secure storage.

-Store hashes, calculate hashes, store keys, generate keys, sign, verify, encrypt, decrypt (limited resources) – attestation and secure storage

-A software implementation, memory and disk storage can all be compromised by the attacker. Having these functionalities in hardware provides a root of trust.
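A software model of two of the functionalities listed above, hash storage and attestation, added here as an example (it is not part of the exam and is not how any particular TPM is implemented). The extend rule PCR_new = SHA-256(PCR_old || SHA-256(component)) follows the real TPM shape; the attestation signature is modelled with an HMAC under a key that stands in for the TPM's non-exportable attestation key (a real TPM signs the quote with an asymmetric key). The boot components and golden value are constructed. The point the code makes is that a PCR can only be extended, never set, so software that has already been compromised cannot rewrite the record of what booted.

```python
"""Measured boot (PCR extend) and a nonce-bound quote, modelled in software (added example)."""
import hashlib
import hmac

PCR_RESET = bytes(32)   # PCRs start as all-zero at power-on


def extend(pcr, component):
    """The only operation available on a PCR: fold a new measurement into it."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components):
    """Extend each boot component in order; the final value summarises the whole chain."""
    pcr = PCR_RESET
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def quote(attest_key, pcr, nonce):
    """TPM side: bind the PCR value to the verifier's fresh nonce so an old
    quote from a clean boot cannot be replayed after the machine is compromised."""
    return hmac.new(attest_key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(attest_key, pcr, nonce, signature, expected_pcr):
    """Verifier side: the signature must be valid for *this* nonce, and the PCR
    must equal the golden value recorded for the approved boot chain."""
    valid = hmac.compare_digest(signature, quote(attest_key, pcr, nonce))
    return valid and hmac.compare_digest(pcr, expected_pcr)


# Constructed boot chain; the verifier computes the golden value once, offline.
GOOD_CHAIN = [b"firmware 1.0", b"bootloader 2.3", b"kernel 6.1 (constructed)"]
GOLDEN_PCR = measured_boot(GOOD_CHAIN)


if __name__ == "__main__":
    key = b"attestation-key-stand-in"       # constructed; never leaves a real TPM
    nonce = b"verifier-nonce-0001"          # constructed; fresh per challenge
    clean = measured_boot(GOOD_CHAIN)
    tampered = measured_boot(GOOD_CHAIN[:2] + [b"kernel 6.1 (backdoored)"])
    print("clean boot attests:   ", verify_quote(key, clean, nonce, quote(key, clean, nonce), GOLDEN_PCR))
    print("tampered boot attests:", verify_quote(key, tampered, nonce, quote(key, tampered, nonce), GOLDEN_PCR))
    print("replayed clean quote: ", verify_quote(key, clean, b"verifier-nonce-0002",
                                                 quote(key, clean, nonce), GOLDEN_PCR))
```

Because `extend` is a one-way hash chain, a compromised kernel cannot compute an input that brings the PCR back to the golden value, and because the quote covers the verifier's nonce, it cannot reuse a quote captured from an earlier clean boot. In software alone both guarantees evaporate: an attacker with control of memory could simply overwrite the stored PCR and the signing key, which is the answer's reason for putting these functions in hardware.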

  5. Privacy

What is onion routing and how can it be used to protect privacy?

-There is a network of routers that helps hide the source and destination for each communication

-The sender selects a route through this network – say A, B, C

-The sender encrypts the message to the destination with the key shared between sender and destination – encrypts the whole message and header with the public key of C, then encrypts this whole message and header with the public key of B and finally with the public key of A, and sends the message to A. This creates layers of encryption like in an onion.

-A decrypts (peels a layer of the onion), sees message is from sender going to B, sends it to B

-B decrypts, sees message is from A going to C, sends it to C

-C decrypts, sees the message is from B going to the destination, sends it there

-The destination decrypts and can read it. Knows it is from the sender
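The layered construction described above, simulated end to end as an added example (not part of the exam). Hop and destination keys are constructed symmetric keys and a SHA-256 counter-mode keystream stands in for the public-key encryption the answer describes; real onion routing encrypts each layer to that router's public key (or a key negotiated with it), which is what lets the sender build the onion without sharing secrets with every hop in advance. Each layer's plaintext is the next hop's name, a NUL byte, and the still-encrypted inner layer, so a router learns only who handed it the onion and where to send it next.

```python
"""Onion layering and peeling over a route A -> B -> C -> dest (added example;
the stream cipher is a stand-in for per-hop public-key encryption)."""
import hashlib
import os

NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Expand key || nonce || counter with SHA-256 into `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)           # fresh nonce so keystreams never repeat
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_onion(sender, route, dest, keys, message):
    """Wrap `message` for `route` (e.g. ["A", "B", "C"]) ending at `dest`;
    `keys` maps every hop name and `dest` to its key. Returns the first hop
    to send to and the onion."""
    # innermost layer: only the destination can read the message and the sender name
    layer = encrypt(keys[dest], sender.encode() + b"\x00" + message)
    next_hop = dest
    for hop in reversed(route):             # C's layer first, A's layer last
        layer = encrypt(keys[hop], next_hop.encode() + b"\x00" + layer)
        next_hop = hop
    return next_hop, layer


def peel(key, onion):
    """One node's view: strip its layer and learn only the next hop (or, at
    the destination, the sender) plus the still-encrypted remainder."""
    plain = decrypt(key, onion)
    name, _, inner = plain.partition(b"\x00")
    return name.decode(), inner


def relay(first_hop, onion, keys, dest):
    """Simulate forwarding: each router peels its layer and passes the rest on.
    Returns the forwarding log [(node, next_hop), ...] and what `dest` receives."""
    log = []
    node, blob = first_hop, onion
    while node != dest:
        nxt, blob = peel(keys[node], blob)
        log.append((node, nxt))
        node = nxt
    return log, blob


# Constructed keys for the demo; a real network would use each router's public key.
DEMO_KEYS = {name: hashlib.sha256(b"constructed demo key for " + name.encode()).digest()
             for name in ("A", "B", "C", "dest")}


if __name__ == "__main__":
    first, onion = build_onion("sender", ["A", "B", "C"], "dest", DEMO_KEYS, b"hello")
    log, received = relay(first, onion, DEMO_KEYS, "dest")
    for node, nxt in log:
        print(f"{node} peels its layer and forwards to {nxt}")
    print("destination reads:", peel(DEMO_KEYS["dest"], received))
```

In the forwarding log A sees only that the onion goes to B, and C sees only that it came from B and goes to the destination; nobody but the sender holds the full route, and only the destination can read the message and learn who sent it.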

  6. Human element

A company wants to introduce key cards as a way to prevent physical access to a room where their product planning occurs. They also keep all finalized plans in a computer there which supports remote access with a password. The administrators force employees to change their passwords each month. Explain how social engineering could be used to break through this company’s strong technical defenses.

-Two ideas from below

-Key pieces of technical protection: key cards, passwords and computer with remote access – passwords change each month

-Lie that you’re some maintenance guy or contractor and ask to be let into the room with key card access

-Lie that you’re a new employee and you forgot your key card

-Impersonate sysadmin, ask someone to tell you their password

-Impersonate an employee, call sysadmin, say you forgot your password, you’re on travel, need temporary access …