CCSS - Center for Computer Systems Security



Name: ____________________________        Points: _________/60

CSCI 430 - Final Exam

(10 pts) Intrusions

An attacker wants to gain access to a host in the "CheapDogFood" company. The attacker does not know anything about this company, other than its name.

a) (8 pts) List the approach(es) that the attacker can take to achieve his goal, starting from the scarce information they have at the beginning. List each source/approach used, and specify what the attacker can learn from that approach.

- Use a registrar (e.g., ARIN WHOIS) to get IP ranges assigned to the company
- Use scanning to get a list of live machines and open ports
- Use some exploit (e.g., buffer overflow) to break in

Each highlighted item (blue) carried 2 points. I also took alternative answers and awarded full points if they went in the right direction. For example, I accepted "applications" instead of "open ports" and I accepted answers which mention a registrar even if they don't mention that one can learn all the IP ranges which belong to CheapDogFood from this source. If someone listed the right info (e.g., open ports) but the wrong tool (e.g., traceroute) they got 1 out of 2 points for that item. Unfortunately many students listed using traceroute to learn about the network topology instead of WHOIS for IP ranges. These students got 0 points. Traceroute requires an IP; you cannot use it unless you know the IP to trace to.

b) (2 pts) The "CheapDogFood" company has a firewall device. They would like to put in some filtering rules that would make it harder for them to get attacked via the approaches listed in a). What kind of rules could they put in, and how do these rules help minimize the chance of attack success? (Consider the entire attack trajectory, starting from the reconnaissance stage.)

- Filter outgoing ICMP traffic
or
- Use a stateful firewall and allow only established connection traffic in
or
- Use a firewall proxy

Here most students said one of the three accepted answers and got full points. Some students listed many more answers like "patch the machines". These students got 0 points if they only listed non-firewall solutions. Otherwise, I just graded the firewall part. The question was asking only about firewalls.

(10 pts) DDoS

A company "InternetPhoneBook" runs a business where they host other companies' authoritative DNS servers. An attacker wants to target a specific server (for ) hosted by InternetPhoneBook.

a) (5 pts) What kind of DDoS traffic should the attacker send, and to which destination, to ensure that it's very hard to differentiate between the legitimate and the attack traffic? Specify the reasoning behind your answer.

- They should send DNS queries about . These queries will go to the DNS server for hosted by InternetPhoneBook. Since this server handles DNS queries normally, it would have a hard time distinguishing attack queries from legitimate queries.

I awarded full points if you mentioned both blue highlighted items. If you mentioned only one you lost 1 point. For example, if you said Web requests to you would lose 1 point. Or if you said "flash-crowd attack" but not the type of traffic (the question was explicitly asking about the type of traffic) you lost 1 point. If you mentioned any attack on that had nothing to do with DNS, like TCP SYN flood, you got only 1 out of 5 points.

b) (2 pts) If the attacker launches the attack from part a), what kind of defense can "InternetPhoneBook" apply to minimize the attack's effects?

- The only possible defense is to replicate resources. InternetPhoneBook would replicate the DNS server for to withstand the attack. They could also try to analyze queries and see if they can identify large senders, but DNS queries come over UDP and can be spoofed.

I awarded 1 point if you mentioned some other flash-crowd defense, like human modeling. Human modeling works for Web requests, because they cannot be spoofed (they come over TCP) and they are issued by humans. DNS requests can be spoofed (they come over UDP) and are issued by resolvers. Most students mentioned human behavior modeling and thus got 1 point. If you mentioned just a DDoS defense which could not work for flash crowds, like TCP SYN cookies, you got 0 points.

c) (3 pts) "InternetPhoneBook" is considering switching to DNS-over-TCP to make DDoS attacks on itself harder. Discuss how this approach could help make the attack from part a) hard or ineffective.

- Switching to TCP would eliminate spoofing. Attackers which spoof could only send a TCP SYN flood to the server. The server could easily deal with this using SYN cookies. Attackers which do not spoof would proceed to send their queries. The server could then identify large senders and block them.

I awarded full points if you talked about the 3-way handshake or established connections, even if you didn't mention that this eliminates the attacker's ability to spoof. If you said something like "TCP helps because we can use TCP SYN cookies" then you got 0 points, because a lot of information is missing from this.

(10 pts) Passwords

The facts below summarize the current state of security as it relates to passwords:

- users have many password-protected accounts
- users tend to create weak passwords
- users tend to reuse passwords on multiple accounts

For each of the following proposed solutions to the password problem, list at least one pro and one con argument.

Solution | Pro | Con
Draw a password | Should be more diverse | People reuse patterns in drawing
System-suggested password | Strong | Hard to remember
Yubi key* instead of a password | No need to remember anything | Can be lost
Fingerprint instead of a password | No need to remember anything | Low diversity, hard to change your password, can be stolen from areas you touch
Password+SMS | Two factors better than one | Annoying to users
Lastpass** | Remember only one pass | Single point of failure
Passphrase instead of a password | Longer and stronger | People tend to use popular phrases
Life-experience password | Good strength and recall | Takes a long time to create and authenticate
Strict password policy (e.g., very long password with 4 char classes) | Strong | Hard to remember
Force users to change their passwords often | If compromised, attackers have little time to make use of the pass | Hard to remember

* Yubi key is a small hardware device that one plugs into a USB port on a computer/laptop. The Yubi then transmits a password or uses public-key authentication to the device.
** Lastpass stores all of the user's passwords online, like an online password manager. The user just remembers the one password for Lastpass.

I awarded full points if you gave me any plausible answer (not just the ones listed above). Each red item carried 0.5 points. Most students got full points on this one.

(10 pts) DNS Security

Compare and contrast DNS and ARP with regard to the features listed below. For each feature, describe what DNS does and what ARP does.

a) (2 pts) What is mapped to what by DNS vs ARP?

DNS: Name to IP
ARP: IP to MAC address

Each line carried 1 point. Most students got full points.

b) (2 pts) An attacker wants to poison the DNS/ARP cache. Can he just send unsolicited messages which will be accepted by the cache?

DNS will not accept unsolicited messages
ARP will accept them

Each line carried 1 point. Most students got full points.

c) (4 pts) An attacker wants to poison the DNS/ARP cache. He has managed to have the cache issue a request for the record he wants to poison. Now the attacker will provide the fake reply. Which conditions does the attacker's reply have to meet to be accepted by the cache?

DNS: be faster than the true reply, and guess the correct source port and request ID
ARP: be faster than the true reply

Each line carried 2 points. Most students got full points. If you forgot to mention "be faster" in both cases, you lost 2 out of 4 points.

d) (2 pts) List one defense against ARP poisoning and one defense against DNS hijacking.

DNS: DNSSEC (I also accepted randomize source ports)
ARP: have static bindings between IP and MAC

Each line carried 1 point. Most students got 1 point. Because the slides did not talk about ARP poisoning defenses (although Homework 4 materials did) I ended up adding 1 point to everyone's total score (after all the calculations for the class).

(10 pts) Routing Security

Read the snippet below from an article about a recent route hijack:

Google lost control of several million of its IP addresses for more than an hour on Monday in an event that intermittently made its search and other services unavailable to many users and also caused problems for Spotify and other Google cloud customers. While Google said it had no reason to believe the mishap was a malicious hijacking attempt, the leak appeared suspicious to many, in part because it misdirected traffic to China Telecom, the Chinese government-owned provider that was recently caught improperly routing traffic belonging to a raft of Western carriers though mainland China. The leak started at 21:13 UTC when MainOne Cable Company, a small ISP in Lagos, Nigeria, suddenly updated tables in the Internet's global routing system to improperly declare that its autonomous system 37282 was the proper path to reach 212 IP prefixes belonging to Google. Within minutes, China Telecom improperly accepted the route and announced it worldwide. The move by China Telecom, aka AS4809, in turn caused Russia-based Transtelecom, aka AS20485, and other large service providers to also follow the route.

Then answer the following questions:

a) (3 pts) AS 37282 peers with Google and China Telecom, as illustrated below. AS 37282 announced its routes for Google prefixes to China Telecom. Why was this a wrong thing to do?

It's wrong because it is a peer route. It is for AS 37282 to use but not to propagate to other peers.

If you talked about AS relationships at all, or you said something like "AS 37282 is small and should not advertise itself as being on the path to a large AS like Google" you got full points. If you just said "it's wrong because this is BGP hijacking" you got 0 points. AS 37282 did not make up a fake route. It actually had a route, but it was for its use, not to advertise further. Most students got 0 points on this question.

b) (3 pts) China Telecom accepted the AS37282-Google route and propagated it further. What kind of defense could China Telecom have deployed to detect that this route is fake? Explain how this defense would help.

They could learn which relationships exist in the historical data (who is usually connected to whom) and distrust new advertisements which have new links. They could also detect that the route advertises going to a small AS to reach a large AS, and this is unusual.

If you talked about any of the above approaches you got full points. If you talked about Secure BGP or RPKI you got 0 points. The question asks what China Telecom can do, by itself, in this particular case. Secure BGP or RPKI need collaboration with the origin. About half of the students got full points and the other half got 0.

c) (4 pts) Imagine that Google is considering using RPKI, where the origin of the route attaches its signature to its route advertisements. All other routers which receive this route can verify that the true origin advertised it. Discuss whether this approach would help in the case of the above-described attack. Why or why not?

This would not help. RPKI protects from origin attacks, but AS 37282 did a closeness attack.

Students who got this right got full points and those who said "yes, RPKI would help" got 0. About half of the students got full points and the other half got 0.

(10 pts) Botnets

Researchers attempt to enumerate botnets either through passive observation of their traffic (PPM) or through active probing of the botnet's P2P infrastructure (crawling) to learn all the peer identities. For the phenomena listed below, discuss how and why they can affect the accuracy of the bot count (e.g., cause overcounting, undercounting, etc.).

Phenomenon | Undercount (yes/no) | Overcount (yes/no) | Why
DHCP | Yes | Yes | If the same machine gets two IPs -> overcount; if two machines get the same IP -> undercount
NATs | Yes | No | Many machines counted as one IP
Non-uniform bot dist. | Yes | Yes | If we are observing a very populated part of the botnet, we're overcounting. Otherwise we may be undercounting.
Churn (e.g., bots cleaned) | No | Yes | Count old infected bots, even though they may be clean now
Firewalls | Yes (crawling) | No | Crawling undercounts because it cannot reach behind firewalls

Every row carried 2 points. A mistake in one cell was worth 0.5 points. Everyone got one mistake for free (i.e., one mistake did not incur a penalty for each student for this question). Most students got full or near full points on this question.
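For parts a) and b) of the Routing Security question, here is an added example (not part of the exam or its key) of the two checks a transit AS such as China Telecom could run by itself on a received AS path: the export rule that a route learned from a peer may only be passed on to customers, and a comparison of the path's adjacencies against historically observed links. The relationships and history are constructed; 'GOOGLE' is a placeholder label for Google's AS, and modelling AS20485 as a customer of AS4809 is an assumption.

```python
"""Two route-leak checks a transit AS can run locally on a received AS path.
Added example, not from the exam or its key. Relationships and history are
constructed; AS37282, AS4809, AS20485 come from the quoted article, 'GOOGLE'
is a placeholder for Google's AS, and AS20485 as AS4809's customer is assumed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# rels[(a, b)] is how AS a sees AS b: 'provider', 'customer' or 'peer'.
Rels = Dict[Tuple[str, str], str]

def build_rels(links: List[Tuple[str, str, str]]) -> Rels:
    """links are (a, b, kind): 'p2c' = a sells transit to b, 'p2p' = peers."""
    rels: Rels = {}
    for a, b, kind in links:
        if kind == 'p2p':
            rels[(a, b)] = rels[(b, a)] = 'peer'
        else:
            rels[(a, b)] = 'customer'   # a sees b as its customer
            rels[(b, a)] = 'provider'   # b sees a as its provider
    return rels

def find_leak(path: List[str], rels: Rels) -> str:
    """Gao-Rexford export rule: a route learned from a peer or provider may only
    be re-announced to customers. `path` runs from origin to last receiver.
    Returns the first AS that broke the rule, or '' if the path is clean."""
    learned_from = None             # how the current sender obtained the route
    for sender, receiver in zip(path, path[1:]):
        sent_to = rels.get((sender, receiver))
        if sent_to is None:
            return sender           # unknown adjacency: treat as a violation
        if learned_from in ('peer', 'provider') and sent_to != 'customer':
            return sender           # peer/provider route exported sideways or up
        learned_from = rels[(receiver, sender)]
    return ''

def unseen_links(path: List[str], history: Set[FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Historical-data check: adjacencies on the path never observed before."""
    return [(a, b) for a, b in zip(path, path[1:]) if frozenset((a, b)) not in history]

# Constructed topology: AS37282 peers with both Google and China Telecom (AS4809),
# as the question states; AS4809 -> AS20485 is modelled as provider-to-customer.
RELS = build_rels([('GOOGLE', 'AS37282', 'p2p'), ('AS37282', 'AS4809', 'p2p'),
                   ('AS4809', 'AS20485', 'p2c')])
LEAKED_PATH = ['GOOGLE', 'AS37282', 'AS4809', 'AS20485']
# Constructed history as seen at AS4809: Google prefixes used to arrive over a
# direct GOOGLE-AS4809 adjacency, never through AS37282.
HISTORY = {frozenset(l) for l in [('GOOGLE', 'AS4809'), ('AS37282', 'AS4809'),
                                  ('AS4809', 'AS20485')]}

print('leaking AS:', find_leak(LEAKED_PATH, RELS))          # AS37282
print('never-seen links:', unseen_links(LEAKED_PATH, HISTORY))  # [('GOOGLE', 'AS37282')]
```

The first check flags AS37282 because it re-announced a peer-learned route to another peer; the second flags the GOOGLE-AS37282 adjacency as one AS4809 had never seen on a path to Google prefixes.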
