CSCI 430 - Sample Final Exam
1.
Authorization and Policy
Define the following terms and give an example of a system where each would
work well:
a) Discretionary access control
For each user and each object we have the notion if this user can access this
object – UNIX file system
b) Mandatory access control
Each user has a clearance, each object has classification. There are rules
which clearance is needed to read/write objects of a given classification. System
enforces those rules – government files/network elements …
c) Role-based access control
Each user has a role, system enforces rules for each object what roles can
read/write/access it – forum, hospital
2.
Intrusions
Explain how scanning works, what can attacker learn from it and what are
different scanning strategies. What would be a good defense against scanning?
-
-
Attacker sends some traffic to the victim, learns from replies
Open ports, which machines are live, which machines are servers, OS
type and version, which apps are running, if there are any
vulnerabilities in apps, network topology, firewall rules
Traceroute, firewalking, SYN scan or UDP scan, ping scan,
fingerprinting, vulnerability scan
Drop malformed TCP packets, use NAT, close unused ports, patch
apps, drop ICMP replies that go to external addresses
3. DDoS
I propose a DDoS defense that collects history of a client’s behavior (client
is identified by his/her IP address) and runs some sophisticated but public
algorithm on this to infer which clients are well-behaved. During DDoS attacks
these clients’ traffic get preferential treatment and the rest of traffic is served as
best effort.
a) Can I use this approach to protect a DNS server. Why/why not?
No, because DNS traffic uses UDP and it can be spoofed. So attacker can
assume IP address of a good client and bypass the filter.
b) Can I use this approach to protect a Web server. Why/why not?
Yes, Web uses TCP, it cannot be spoofed in established connections.
Attacker can still spoof TCP SYNs, he cannot create established
connection through spoofing.
c) How can the attacker trick this defense to still send attack traffic to
the victim (at least for a while)?
Because classification algorithm is public attacker knows how to behave to
get “good” classification. He can then send bad traffic until defense tries to
reclassify him.
d) What happens to new legitimate clients that are first seen during the
attack?
They compete with attack for resources until they manage to demonstrate
“good” behavior.
4. Worms
Explain how Early Warning system for worm detection works
System collects scans. It tries to see if scan increase over time fits exponential
model for contagious diseases – if scans are increasing exponentially over time.
(no need to show formulas).
5. Botnets
Explain what is Fast Flux and why botnets use it. What is single flux and what is
double flux?
Fast flux = changing mapping of domain name to IP address.
Botnets use it because it helps confuse the defenders. If defenders try to take
down servers that perform phishing or selling of bad products these server
identities change so often that defenders cannot keep up.
Single flux = changing mapping of name-to-IP for Web servers advertised in
phishing messages or spam …
Double flux = single flux + changing mapping of name-to-IP for nameservers of
attacker domains
6. Privacy
If Tor did not use encryption at all (all payload is in plain text) would Tor offer
*any* privacy advantages over a regular direct connection, assuming that Eve
can only see TCP/IP headers and not packet payload.
Yes because Eve can only see headers between router hops and cannot
correlate them if there’s a lot of traffic but routers can tell who’s talking to whom.