Hw2 solutions - Network Penetration and Security

EECS 354
Homework 2
Student Name:
Student NetID:
Submission instructions: please email your solutions in a Word or PDF file to eecs354staff@cs.northwestern.edu by 11:59pm 12/2 (Tue).
1. KPS 25-8
A Uniform Resource Locator (URL) is a type of Uniform Resource Identifier
(URI). The format of a URL explains where to obtain a resource and how to
obtain it. Here is the anatomy of the URL above:
o “http” describes the scheme to use.
o “www.respectablestockbroker.com!rated_AAA_by_US-TreasuryDept@” is a username, because it ends with the @ [at] symbol.
o “gg.tv” is the DNS entry for the domain and root domain. This describes
where the resource is, that is, where the request will be sent.
o “/”: the path does not end with a file name, so the web server's undisclosed default file
is used.
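The point of this question is that everything before the last @ in the authority part is credentials, not the destination. As an added example (not part of the homework), here is how a standard URL parser splits the URL above; the URL string is reconstructed from the components listed in the answer, and the deception check is a hypothetical helper:

```python
from urllib.parse import urlsplit

# URL reconstructed from the components listed in the answer (assumption: the
# original homework figure is not reproduced on this page).
EXAMPLE_URL = "http://www.respectablestockbroker.com!rated_AAA_by_US-TreasuryDept@gg.tv/"


def split_url(url):
    """Return (scheme, userinfo, real host, path) exactly as a URL parser sees them."""
    parts = urlsplit(url)
    userinfo = parts.username or ""   # text before the last '@' in the authority
    return parts.scheme, userinfo, parts.hostname, parts.path or "/"


def looks_deceptive(url):
    """Flag a URL whose userinfo part contains a dot, i.e. something that reads like a
    domain name. Hostnames never contain '@', so whatever precedes it is never the
    server the request goes to (hypothetical heuristic for phishing-URL triage)."""
    _, userinfo, _, _ = split_url(url)
    return "." in userinfo


if __name__ == "__main__":
    print(split_url(EXAMPLE_URL))          # host is gg.tv, not the 'respectable' broker
    print("deceptive:", looks_deceptive(EXAMPLE_URL))
```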
2. Please compare the web attacks in the table below. For each blank, please select
between client browser or server for the most appropriate location.

                            Stored XSS       XSRF                   SQL injection   Shell attacks   Drive-by download attacks
Attack execution location   Client browser   Server                 Server          Server          Client browser
Vulnerability location      Server           Server                 Server          Server          Client browser
Defense location            Server           Server (with client    Server          Server          Client browser
                                             cooperation)
3. Now suppose a new worm breaks out. The features of the worm are:
1) It targets TCP port 8008 or UDP port 4004.
2) It contains the signature “03 0E FE CC A0” followed by “PASS : RECV” within
20 bytes of the first one.
3) The worm is coming from outside of our network (129.105.100.0/24).
Page 1 of 5
Add a firewall rule to block that worm. Suppose the firewall uses this kind of rule format:
Action  : allow/block
Src     : IP subnet; use * to refer to any host
port    : port number or * (refers to any)
dest    : IP subnet; use * to refer to any host
port    : port number or * (refers to any)
flags   : flag can be TCP, UDP
comment : the description of this rule
Write firewall rules based on the above format to block the Ditty worm traffic towards our
network (129.105.100.0/24).
Hint: assume that we do not have benign traffic on those services which the Ditty worm
relies on to propagate.

Action  Src  port  dest              port  flags  comment
block   *    *     129.105.100.0/24  8008  TCP    Blocks any incoming traffic on TCP 8008
block   *    *     129.105.100.0/24  4004  UDP    Blocks any incoming traffic on UDP 4004
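As an added example (not part of the homework), the following evaluates packets against the two rules above in the homework's column format, and separately checks a payload for the worm's two-part signature, which is what an IDS rather than this port-only firewall would do. The packets and payloads are constructed; the reading of "within 20 bytes" is an assumption stated in the comments.

```python
import ipaddress
import re

# The two rules from the answer above, in the homework's column order:
# (action, src, src port, dest, dest port, flags, comment); '*' means any.
RULES = [
    ("block", "*", "*", "129.105.100.0/24", 8008, "TCP", "Blocks any incoming traffic on TCP 8008"),
    ("block", "*", "*", "129.105.100.0/24", 4004, "UDP", "Blocks any incoming traffic on UDP 4004"),
]


def _match(pattern, value):
    """'*' matches anything; a CIDR pattern matches addresses inside it; else exact match."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == value


def decide(pkt, rules=RULES, default="allow"):
    """First matching rule wins; pkt has keys src, sport, dst, dport, proto."""
    for action, src, sport, dst, dport, flags, _comment in rules:
        if (_match(src, pkt["src"]) and _match(sport, pkt["sport"])
                and _match(dst, pkt["dst"]) and _match(dport, pkt["dport"])
                and _match(flags, pkt["proto"])):
            return action
    return default


# Payload signature from the question. Interpretation (an assumption): "PASS : RECV"
# must begin no more than 20 bytes after the first byte of the 5-byte hex marker,
# i.e. at most 15 bytes may sit between the marker and the string.
WORM_SIG = re.compile(rb"\x03\x0e\xfe\xcc\xa0.{0,15}PASS : RECV", re.DOTALL)


def has_worm_signature(payload):
    """True if the worm's two-part signature is present in the packet payload."""
    return WORM_SIG.search(payload) is not None


def pkt(src, sport, dst, dport, proto):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    # Constructed packets: worm probes on both ports, then a normal HTTP request.
    print(decide(pkt("198.51.100.7", 40001, "129.105.100.12", 8008, "TCP")))  # block
    print(decide(pkt("198.51.100.7", 40002, "129.105.100.12", 4004, "UDP")))  # block
    print(decide(pkt("198.51.100.7", 40003, "129.105.100.12", 80, "TCP")))    # allow
    print(has_worm_signature(b"\x03\x0e\xfe\xcc\xa0" + b"\x00" * 8 + b"PASS : RECV"))  # True
```

Note that a TCP packet to port 4004, or a probe to port 8008 on a host outside 129.105.100.0/24, matches neither rule and falls through to the default.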
4. In this question, we explore some applications and limitations of a packet filtering
firewall. For each question, briefly explain
1) can a stateless firewall be configured to defend against the attack, and how?
2) if not, what about a stateful firewall?
3) if neither can, what about an application-level proxy?
1. Can the firewall prevent an online password dictionary attack from the external
network on the telnet port of an internal machine?
Neither a stateless nor a stateful packet filter can read the payload to recognize
that it is a login attempt, especially when the attacker uses the same TCP connection
to launch the dictionary attack.
An application proxy will recognize multiple unsuccessful login attempt
requests and block them.
2. Can the firewall prevent a user on the external network from opening a window
on an X server in the internal network? Recall that by default an X server listens
for connections on port 6000
A stateless firewall can defend against this attack by blocking port 6000
(the default port used by an X server) or any other port that the X server listens on for
display commands.
3. Can the firewall block a virus embedded in an incoming email?
Stateless and stateful firewalls will not be able to block the virus, as they only
inspect the header.
Viruses are detected at the application level, and that is why an application
proxy would be the best way to block it.
4. Can the firewall be used to block users on the internal network from browsing a
specific external IP address?
A stateless firewall rule can block any traffic with the source on the internal
network and destination that specific external IP.
5. Can the firewall prevent external users from exploiting a security bug in a CGI
script on an internal web server (the web server is serving requests from the
Internet)?
Firewalls are supposed to allow traffic that reaches the internal web server.
None of the packet filters can check the payload to detect the CGI script exploit.
An application proxy would be the best solution in this situation, since it allows
prevention at the application layer.
5. Please give the major classifications for existing IDS/IPS systems.
Based on different feature selection and modeling approaches, they can be classified as
misuse detection and anomaly detection. What is the major advantage and disadvantage
of each of the two approaches (just list the single most important advantage and the single most
important disadvantage for each)?
Misuse detection
Advantage: accurate identification of previously known attacks
Disadvantage: cannot detect new attacks
Anomaly detection
Advantage: can detect new and unknown attacks, check against “normal”
Disadvantage: relatively high false positives
6. In this question, we explore some applications and limitations of network- and
host-based IDS/IPS. For each question, briefly explain 1) can a network-based
IDS/IPS detect such attacks, and how? and 2) if not, what about a host-based
IDS/IPS?
a. An unknown malware infection of a host
The host-based IDS is effective because it analyzes the host's system-level
behavior for anomaly-based detection. The network-based IDS has no
signature or abnormal traffic pattern to detect it with.
b. Botnet scans for machines having a vulnerability associated with a certain
service with fixed port numbers
Botnet scans: the network-based IDS can be effective; it can detect the abnormal
network traffic patterns caused by botnet scans, for example a large number of
TCP SYN packets with far fewer SYN-ACK packets in reply.
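The SYN versus SYN-ACK imbalance just described can be turned into a simple network-IDS check. As an added example (not part of the homework), the following counts, per source, how many SYNs it sends, how many SYN-ACKs come back to it and how many distinct hosts it touches, and flags sources that look like a scan. The packet log format and thresholds are constructed for the example.

```python
from collections import defaultdict


def parse_packets(text):
    """Parse constructed packet-log lines of the form '<src> <dst> <dport> <tcp_flags>'."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, flags = line.split()
        out.append((src, dst, int(dport), flags))
    return out


def syn_scan_sources(packets, min_syn=20, max_synack_ratio=0.25, min_targets=10):
    """Return sources whose SYNs go largely unanswered across many hosts.
    A SYN-ACK is sent by the target back to the initiator, so it is credited
    to the packet's *destination* (the original SYN sender)."""
    syn, synack, targets = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, _dport, flags in packets:
        if flags == "S":
            syn[src] += 1
            targets[src].add(dst)
        elif flags == "SA":
            synack[dst] += 1
    flagged = {}
    for src, n in syn.items():
        if (n >= min_syn and synack[src] / n <= max_synack_ratio
                and len(targets[src]) >= min_targets):
            flagged[src] = {"syn": n, "synack": synack[src], "targets": len(targets[src])}
    return flagged


def constructed_log():
    """Constructed sample: a scanner sweeps 30 hosts on TCP 445 and gets 2 replies;
    a normal client opens 5 connections to one web server, all answered."""
    lines = [f"10.9.9.9 129.105.100.{i} 445 S" for i in range(1, 31)]
    lines += [f"129.105.100.{i} 10.9.9.9 40000 SA" for i in (3, 17)]
    for _ in range(5):
        lines += ["10.1.1.1 129.105.100.5 80 S", "129.105.100.5 10.1.1.1 40000 SA"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(syn_scan_sources(parse_packets(constructed_log())))  # only 10.9.9.9 is flagged
```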
7. KS problem 9-2
It is secure against an eavesdropping attack, but it is not secure against a server database
reading attack, because an attacker can generate hash(Z,R) once Z is known.
8. Problem 8
It is not secure against an eavesdropping (playback) attack because Trudy can replay the
same packet that Alice sent to Bob earlier. Bob will accept the packet because it does not
remember what nonce R was sent. It is not secure against a server database reading attack
because once K_AB is known, Trudy can generate K_AB(R) for any given R.
9. Consider the KDC and CA servers. Suppose a KDC goes down. What is the
impact on the ability of parties to communicate securely; that is, who can and
cannot communicate? Justify your answer. Suppose now a CA goes down. What
is the impact of this failure?
When the KDC goes down, no parties can communicate with each other, because they
all need to go to the KDC to get a session key. When the CA goes down, no new party
can get a certificate, but those who already have certificates can still authenticate with their
clients.