CSCI 530 – Sample Final Exam
1. (10 pts) DDoS
I propose a DDoS defense in which the victim server under attack instructs all its
clients to send a lot of traffic to the server. The server then flags those clients that
did send required (high) traffic volume as legitimate. The assumption here is that
attackers already send at max capacity and cannot increase their sending rate so
the server will easily flag them as malicious.
(2 pts) What are the advantages of this approach?
-
Simple to deploy: only the victim server and its clients are involved, no changes in the network
If the assumption holds, it works against bandwidth (flooding) attacks
(2 pts) What are the disadvantages of this approach?
-
It increases traffic in the network and at the server, so the defense itself adds load to links that are already congested by the attack
Requires changes at clients
(3 pts) If you were the attacker how would you trick this defense into flagging
you as a legitimate client? Assume you have unlimited resources at your
disposal.
-
Use many bots, each sending at less than its maximum capacity. When the server asks clients for more traffic, each bot can increase its rate and gets flagged as legitimate.
(3 pts) Imagine that instead of instructing clients to send lot of traffic the
server sent them a computational puzzle to solve. Does this solve any of the
disadvantages you listed? Does it introduce any new disadvantages?
-
The disadvantage of adding traffic to the network is solved: puzzles are small and do not consume much bandwidth.
New disadvantages: the defense is more complex and costlier for the server (it must generate a puzzle and verify a solution per client), and the CPU power of clients differs a lot more than their bandwidth, so slow clients may be misclassified as malicious. (Either one of these would be enough.)
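The following is an added worked example, not part of the exam or its answer key: a hash-reversal client puzzle of the kind the last part of the question asks about. The server sends a nonce and a difficulty, the client must find a counter such that SHA-256(nonce || counter) starts with the required number of zero bits, and the server checks the answer with a single hash. The key, lifetime and difficulty values are assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Added example (not from the exam). Solving costs ~2**bits hashes on average;
# checking costs one hash plus one HMAC. The server keeps no per-client state:
# the nonce is an HMAC over (client, timestamp, difficulty) under a server key.

PUZZLE_LIFETIME_S = 60          # assumption: how long an issued puzzle stays valid


def _nonce(server_key: bytes, client_id: bytes, ts: int, bits: int) -> bytes:
    # Bind client, time AND difficulty into the nonce, so a client cannot hand
    # back the same puzzle with a lower difficulty.
    msg = client_id + ts.to_bytes(8, "big") + bits.to_bytes(1, "big")
    return hmac.new(server_key, msg, "sha256").digest()


def _solution_ok(nonce: bytes, counter: int, bits: int) -> bool:
    h = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") >> (256 - bits) == 0


def issue_puzzle(server_key: bytes, client_id: bytes, bits: int,
                 now: Optional[int] = None) -> dict:
    """Server side: stateless puzzle issuance."""
    ts = int(time.time()) if now is None else now
    return {"client_id": client_id, "ts": ts, "bits": bits,
            "nonce": _nonce(server_key, client_id, ts, bits)}


def solve_puzzle(puzzle: dict) -> int:
    """Client side: brute force. This is where the CPU asymmetry from the
    answer shows up: a phone needs far longer than a desktop or an idle bot."""
    counter = 0
    while not _solution_ok(puzzle["nonce"], counter, puzzle["bits"]):
        counter += 1
    return counter


def verify_solution(server_key: bytes, puzzle: dict, counter: int,
                    now: Optional[int] = None) -> bool:
    """Server side: constant work. Recompute the nonce, check freshness, hash
    once. A tampered puzzle (wrong client, stale timestamp, lowered difficulty)
    fails the HMAC check before any solution is looked at."""
    now = int(time.time()) if now is None else now
    if not 0 <= now - puzzle["ts"] <= PUZZLE_LIFETIME_S:
        return False
    expected = _nonce(server_key, puzzle["client_id"], puzzle["ts"], puzzle["bits"])
    if not hmac.compare_digest(expected, puzzle["nonce"]):
        return False
    return _solution_ok(puzzle["nonce"], counter, puzzle["bits"])


if __name__ == "__main__":
    key = b"server-secret-example"        # assumption: generated at server start
    puzzle = issue_puzzle(key, b"192.0.2.10", bits=16)
    start = time.perf_counter()
    answer = solve_puzzle(puzzle)
    print(f"solved in {time.perf_counter() - start:.2f}s, counter={answer}")
    print("accepted:", verify_solution(key, puzzle, answer))
```

Running the script on different machines makes the second new disadvantage concrete: the solve time scales with 2**bits divided by the client's hash rate, so one difficulty setting cannot be fair to both a phone and a server-class bot.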
2. (10 pts) Worms
In DOMINO paper the authors proposed an overlay for intrusion detection.
a) (5 pts) Describe the architecture: what are the different kinds of nodes and
what do they do?
-
Terrestrial nodes (sensors) – collect local evidence of scanning (traffic arriving at dark address space, firewall logs) and feed it to one or a few axis nodes
Axis nodes, organized into a P2P overlay – collect this local information, compile summary reports and exchange the reports with other axis nodes to create a global view of scanning activity
b) (5 pts) What were the findings in DOMINO paper (e.g. can DOMINO work
well, how much participation is needed, how often do nodes have to
exchange data, how should nodes be distributed to achieve good
performance)?
-
It can work well with a few axis nodes and their sensors (on the order of several tens of nodes)
Nodes need to exchange data monthly; exchanging more often improves accuracy, but even monthly is enough
Nodes should be distributed across different /16 networks
3. (10 pts) Botnets
There are two ways to enumerate botnets: passive observation of traffic (e.g.,
infiltrate and then observe all reports passing through the node) and active
traversal of P2P structure (e.g. querying each node for its peers and then
repeating this for each peer).
a) (3 pts) Which approach gives higher counts and why?
-
Passive monitoring gives higher counts because it also sees traffic from bots behind NATs and firewalls (private addresses), which an active crawler cannot contact
b) (7 pts) Both approaches may miscount since they assume that one IP =
one bot. Explain why this assumption is not true (multiple reasons exist)
and how it reflects on a total count (does it make it smaller or larger than
the true count).
-
NAT – undercount, since one public IP = many bots
DHCP – undercount or overcount: one bot that receives several addresses over time is counted several times, while several bots that take turns on the same address are counted once; which effect wins depends on how many IPs there are in the network and how many bots
Churn – overcount: bots join and leave during the measurement, so the set of IPs seen over the whole period is larger than the number of bots live at any one time
4. (10 pts) Trusted Computing
This question talks about TPM - Trusted Platform Module.
a) (7 pts) Explain how remote attestation works and what can be attested.
-
Each component loaded during boot and afterwards (firmware, boot loader, OS, applications and modules) is hashed and the hash is extended into a PCR inside the TPM. The TPM uses the AIK (attestation identity key) to sign the PCR values together with a nonce chosen by the remote verifier; the verifier checks the signature and the nonce, replays the measurement log and compares each hash with a list of known-good values.
What is attested is the machine's software configuration: that the OS and applications the remote site cares about are the expected ones and have not been changed.
b) (3 pts) Why do we use a separate attestation key for this process and not
the endorsement key?
-
The EK is unique to the TPM, so attestations signed with it would identify the machine and could be linked across sites, which hurts privacy
The EK's private half never leaves the TPM and (in TPM 1.2) is used only for decryption, not signing; instead the TPM creates AIKs, has them certified by a privacy CA, and can use a different AIK per verifier so attestations cannot be correlated
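The following is an added example, not part of the exam, modelling the attestation flow from part a) in software. What is taken from real TPM 1.2 behaviour: PCRs start at zero, extend is PCR := SHA-1(PCR || SHA-1(component)), and a quote signs the PCR values together with a verifier-chosen nonce. What is a stand-in: the AIK signature is replaced by an HMAC under a key the verifier also holds, where a real quote is an RSA signature checked against the AIK certificate; the component names, contents and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Added example (not from the exam): model of measured boot + remote attestation.
PCR_LEN = 20  # SHA-1 digest size


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # PCRs can only be extended, never set, so the final value commits to the
    # whole ordered sequence of measurements.
    return sha1(pcr + measurement)


class ModelTPM:
    def __init__(self, aik_key: bytes):
        self.pcr = bytes(PCR_LEN)                  # reset to all zeros at boot
        self.log: List[Tuple[str, bytes]] = []     # event log lives outside the TPM
        self._aik = aik_key                        # stand-in for the AIK private key

    def measure_and_extend(self, name: str, content: bytes) -> None:
        """Measure the next component before running it and fold it into the PCR."""
        m = sha1(content)
        self.log.append((name, m))
        self.pcr = extend(self.pcr, m)

    def quote(self, nonce: bytes) -> Dict[str, bytes]:
        """TPM_Quote: signed (PCR, nonce); the nonce proves freshness."""
        sig = hmac.new(self._aik, self.pcr + nonce, "sha1").digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}


def verify_attestation(aik_key: bytes, nonce: bytes, quote: Dict[str, bytes],
                       log: List[Tuple[str, bytes]],
                       known_good: Dict[str, bytes]) -> bool:
    """Remote verifier: freshness, signature, then replay the log against the
    expected measurements and compare the result with the quoted PCR."""
    if quote["nonce"] != nonce:                    # replayed old quote
        return False
    expected_sig = hmac.new(aik_key, quote["pcr"] + quote["nonce"], "sha1").digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False
    pcr = bytes(PCR_LEN)
    for name, m in log:
        if known_good.get(name) != m:              # unknown or modified component
            return False
        pcr = extend(pcr, m)
    return pcr == quote["pcr"]                     # an edited log fails here


# Constructed sample boot chain and the verifier's list of known-good hashes.
BOOT_CHAIN = [("bootloader", b"grub v2"), ("kernel", b"linux 5.x"),
              ("app", b"webserver 1.0")]
KNOWN_GOOD = {name: sha1(content) for name, content in BOOT_CHAIN}


def attest(chain: List[Tuple[str, bytes]], nonce: bytes,
           aik_key: bytes = b"aik-example") -> bool:
    """Boot the given chain on a fresh model TPM and have a verifier check it."""
    tpm = ModelTPM(aik_key)
    for name, content in chain:
        tpm.measure_and_extend(name, content)
    return verify_attestation(aik_key, nonce, tpm.quote(nonce), tpm.log, KNOWN_GOOD)


if __name__ == "__main__":
    print("clean boot:", attest(BOOT_CHAIN, b"nonce-1"))
    rooted = BOOT_CHAIN[:2] + [("app", b"webserver 1.0 + rootkit")]
    print("modified app:", attest(rooted, b"nonce-2"))
```

The three failure paths are the ones the verifier relies on in practice: a stale nonce means a replayed quote, a changed component changes its hash, and a log edited after the fact no longer replays to the PCR the TPM signed.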
5. (10 pts) Privacy
This question talks about sanitization of network traces as a way to address
privacy concerns that stem from sharing trace data.
a) (3 pts) What does sanitization mean? What happens in that process?
-
We remove private data such as packet contents (payloads), keeping only headers
Anonymize IP addresses, i.e. replace real addresses with consistent pseudonyms (often prefix-preserving, so that subnet structure is kept but real addresses are hidden)
b) (7 pts) Give an example attack on sanitization/anonymization which uses
auxiliary information to compromise privacy. You may assume that the
attack is on a sanitized traffic trace or, if you prefer, on a sanitized data
from other source like census or medical records.
-
I could use information about web page sizes and the count and sizes of objects on those pages; this makes a unique fingerprint for each web page. I use it to identify the presence of particular web servers in the trace: extract packet sizes from the trace, look only at packets sent from the web source port, group packets into sessions based on source/destination IP, source/destination port and timing, and calculate the size of each session. Then match that size against the fingerprint sizes extracted from the public web servers.
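The following is an added example, not part of the exam, that carries the attack described in b) through on a constructed trace. The trace contains only what a sanitizer leaves behind (timestamps, pseudonymised addresses, ports and sizes, no payload), and the fingerprints are the per-page byte totals an attacker would collect by fetching the public pages beforehand; all addresses, ports and sizes are made up for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the exam): page fingerprinting on a sanitized trace.

# Constructed fingerprints: bytes the server sends for each page (HTML + objects).
FINGERPRINTS: Dict[str, int] = {
    "site-A/index.html": 14120,
    "site-B/login.html": 8930,
    "site-C/index.html": 9010,     # deliberately close to site-B
}

# Constructed trace rows: (time, src, sport, dst, dport, payload bytes).
Packet = Tuple[float, str, int, str, int, int]
SAMPLE_TRACE: List[Packet] = (
    [(0.1, "10.2.2.2", 51000, "10.1.1.1", 80, 310)]                     # client request, ignored
    + [(0.2 + 0.05 * i, "10.1.1.1", 80, "10.2.2.2", 51000, 1460) for i in range(9)]
    + [(0.7, "10.1.1.1", 80, "10.2.2.2", 51000, 980)]                    # 9*1460 + 980 = 14120
    + [(6.0 + 0.05 * i, "10.1.1.1", 80, "10.2.2.2", 51000, 1460) for i in range(6)]
    + [(6.4, "10.1.1.1", 80, "10.2.2.2", 51000, 190)]                    # 6*1460 + 190 = 8950
    + [(3.0, "10.1.1.9", 80, "10.2.2.3", 40000, 5000)]                   # page not in the set
)

SESSION_GAP_S = 2.0   # assumption: idle gap that separates two page fetches on one 4-tuple
TOLERANCE = 0.02      # assumption: fingerprints drift a little (cookies, retransmissions)

Session = Tuple[str, str, int]   # server, client, bytes sent by the server


def sessions_from_trace(packets: List[Packet], web_port: int = 80) -> List[Session]:
    """Keep server->client packets, group by 4-tuple, split each flow at idle
    gaps, and sum the bytes per session. Only sizes and timing are used."""
    flows: Dict[Tuple[str, int, str, int], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, sport, dst, dport, size in sorted(packets, key=lambda p: p[0]):
        if sport == web_port:
            flows[(src, sport, dst, dport)].append((ts, size))
    sessions: List[Session] = []
    for (server, _, client, _), pkts in flows.items():
        total, last_ts = 0, None
        for ts, size in pkts:
            if last_ts is not None and ts - last_ts > SESSION_GAP_S:
                sessions.append((server, client, total))
                total = 0
            total += size
            last_ts = ts
        sessions.append((server, client, total))
    return sessions


def match_sessions(sessions: List[Session], fingerprints: Dict[str, int] = FINGERPRINTS,
                   tol: float = TOLERANCE) -> List[Tuple[str, str, List[str]]]:
    """Return (server, client, candidate pages) for every session within
    tolerance of at least one fingerprint. Several candidates means the total
    alone is ambiguous; the attacker would then use per-object sizes or the
    order of requests to tell the pages apart."""
    hits = []
    for server, client, total in sessions:
        cands = sorted(p for p, sz in fingerprints.items() if abs(total - sz) <= tol * sz)
        if cands:
            hits.append((server, client, cands))
    return hits


if __name__ == "__main__":
    for server, client, pages in match_sessions(sessions_from_trace(SAMPLE_TRACE)):
        print(f"{client} fetched {pages} from {server}")
```

The point of the example is what survives sanitization: pseudonymised addresses still let packets be grouped into sessions, and session sizes alone identify which server (and which page) a client visited, even though no address or payload in the trace is real.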
6. (10 pts) Human element
This question talks about social engineering in general.
a) (5 pts) List five key steps that are needed for a successful social
engineering attack.
-
Steps from slides
b) (5 pts) Describe two defenses against social engineering (choose any two
you like).
-
Educate employees how to preserve secret data (such as not disclose
passwords to anyone, not open doors to unknown people)
Teach employees how they can confirm anybody’s identity (ask for ID, ask
for employee ID, ask to call back using phone number from the company’s
directory, ask for secret pass code)