Cyber and Infrastructure Defense Final Exam: Questions and References

I want correct answers for each and every question in the file of the final exam (please give more and correct explanations); the other two PPT files are references for the final exam.

 

Cyber and Infrastructure Defense Final Exam

Question 1 (10 points). Design a centralized authentication system like Kerberos that does not include the ticket-granting server and only includes the authentication server. Show a schematic of the entities, show the exchanged messages (as we discussed in class) and explain each. Use the same notation as that used in explaining the Kerberos protocol in class. Make sure to exclude any unnecessary information from the exchanged messages, and ensure the security of the system against replay attacks and the other security goals discussed for cryptographic protocols.


Question 2 (10 points). Using DES and AES, design a new symmetric cipher called 2DES-AES, which uses DES two times and AES-128 once. The block size of the new cipher is 128 bits. What is the key size of this new cipher? Show the encryption and decryption steps of this algorithm.
Note that the block size of DES is 64 bits, while the block size of AES is 128 bits.


Hint: you may need to use two DES encryption/decryption functions in parallel.


Question 3 (10 points). To exchange a shared key using a symmetric cipher (called E), Alice and Bob are using the following protocol, where S is a trusted third party. The goal is to establish a session key Kab between A and B. Kas and Kbs denote the pre-shared master keys of A and B with S, respectively (refer to the Protocol Design slides for a discussion of the other notations and of the important security goals for key exchange).

 

Identify three security weaknesses in this protocol.


Question 4 (10 points – 2.5 points each). Explain the impact of these defense methods briefly.


4.1. How can changing the default SSID and disabling its broadcast enhance the security of wireless LANs? Mention one attack that this strategy could mitigate.


4.2. Discuss how SYN cookies defend servers against spoofed TCP SYN flooding attacks.


4.3. Explain how Content Delivery Networks raise the bar against DDoS attacks on Internet services.


4.4. Discuss why DNS TTL pinning can defeat DNS rebinding attacks.
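As an added illustration of the mechanism behind 4.2 (example code written for this page, not part of the exam or its reference slides): a stateless SYN-cookie generator and validator in the classic layout, with a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash packed into the 32-bit initial sequence number. The secret, the MSS table, the 64-second time slots and HMAC-SHA256 are assumptions of this example; real kernels use their own hash and table.

```python
import hashlib
import hmac
import time

# Assumed constants for this example (not from the exam page or any real kernel).
SECRET = b"per-server secret, rotated periodically"
MSS_TABLE = (536, 1220, 1440, 1460)   # encodable MSS values; index fits the 3-bit field
MAX_AGE_SLOTS = 2                      # accept cookies from the current and previous slot
SLOT_SECONDS = 64

def _slot(now):
    """5-bit time counter; the server never needs to record when a SYN arrived."""
    return int((time.time() if now is None else now) // SLOT_SECONDS) & 0x1F

def _mac(saddr, sport, daddr, dport, t):
    """24-bit keyed hash binding the cookie to this 4-tuple and time slot."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, client_mss, now=None):
    """Initial sequence number for the SYN-ACK. Nothing is written to a backlog,
    so a flood of spoofed SYNs consumes no server memory."""
    t = _slot(now)
    # largest table entry not exceeding the MSS the client advertised
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= client_mss), default=0)
    return (t << 27) | (m << 24) | _mac(saddr, sport, daddr, dport, t)

def check_cookie(saddr, sport, daddr, dport, ack, now=None):
    """Validate the handshake's final ACK. Returns the MSS to use for the new
    connection, or None if the cookie is stale, forged, or for another 4-tuple.
    A spoofed source never receives the SYN-ACK, so it cannot produce a valid ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, m, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_slot(now) - t) & 0x1F >= MAX_AGE_SLOTS:
        return None                      # too old: limits replay of a captured ACK
    if m >= len(MSS_TABLE) or mac != _mac(saddr, sport, daddr, dport, t):
        return None                      # wrong secret, 4-tuple or time slot
    return MSS_TABLE[m]
```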


Question 5 (15 points, 7.5 points each). For each question below, explain the parameter values that the attacker needs to guess (i.e., brute-force), and the difficulty of those guesses based on the birthday attack.

 

5.1. Discuss the difficulty of doing an off-path TCP Reset attack (on modern operating systems) using the concept of the birthday attack.

5.2. Discuss the difficulty of doing DNS cache poisoning with response forgery using the concept of the birthday attack.


Question 6 (10 points). An attacker is planning to launch a DNS reflection attack on a Web server. To flood this server, the attacker needs to generate traffic at a rate of 1 Gigabit per second. The average ratio of DNS response size to DNS query size is 73/1 (i.e., the amplification factor), and the average size of a DNS query is 64 bytes.


6.1. Explain how this could be achieved. In other words, how many queries need to be sent out to public resolvers (in total) per second to achieve this rate? Include your calculations.


6.2. Assume each public resolver will block a source that is sending more than 100 DNS queries/second. What is the minimum number of public resolvers that need to be included in the attack so that the attack is not detected or blocked by any resolver? Include your calculations.


Question 7 (5 points). Assume two machines, called A and B, are 10 hops away from each other on the Internet (excluding the source and the destination). To traceroute machine A from machine B, how many packets are needed?


What is the TTL value of these packets? Explain.


Question 8 (10 points). To scan a class C network (/24), we develop a new scanner which first uses ICMP ping requests to see whether an IP address is live, and then uses a TCP SYN scan to see whether any of the ports in the range [1,1024] is open.


8.1. If there are only 5 active machines in this network, how many probes does the scanner need to send? Justify your numbers.


8.2. Assume we’re sending one scan every 15 seconds in serial mode. How long does it take for the scanner to finish scanning this address space?


Question 9 (20 points). Write the following firewall rules. For each rule, you must state whether it is defined on the egress or the ingress interface.


9.1. (5 points) Write firewall rules that prevent any packet with a spoofed source IP address from leaving our network.


9.2. (5 points) Write firewall rules that allow machines inside our network to ping machines on the Internet and receive the replies to these ping messages, but prohibit machines on the Internet from pinging the machines inside our network, and also drop any other type of ingress/egress ICMP traffic.


9.3. (10 points) Assume a web server can only receive TCP connections on port 80 (HTTP) and port 22 (SSH), but not on any other ports. The web server can only establish connections to a database server hosted on private IP 192.168.100.100 on port 3000, but to no other machines inside or outside the network. Imagine this web server is running Linux, and we are using iptables to define host-based firewall rules for it. Show the set of iptables commands that install the rules necessary for this security policy.


Question 10 (10 points). During a volumetric DDoS attack on a Web server, the IDS would observe many network connections with an abnormally high rate (bits per second) established with that Web server, compared to when the Web server is not under DDoS. Design a simple anomaly-based solution (for example using entropy or relative entropy, or any other statistical or Machine Learning model) that uses this observation to detect whether a Web server is currently under DDoS or not. Explain the steps of your algorithm for training and detection.
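One concrete instance of the anomaly detector this question asks for (an added example written for this page, not from the exam or its reference slides): per observation window, the IDS histograms the per-connection rates into log-scaled bins and scores the window by its relative entropy D(Q||P) against a baseline distribution P learned from benign windows. The log2 rate bins, the 2x threshold margin and the synthetic traffic generator are assumptions of the example.

```python
import math
import random
from collections import Counter

N_BINS = 32  # log2-spaced bins over per-connection rate in bits/second

def rate_bin(bps):
    """Map a connection's rate to a log2 bin (1 kbps -> 9, 1 Mbps -> 19, 64 Mbps -> 25)."""
    return min(int(math.log2(bps)), N_BINS - 1) if bps >= 1 else 0

def distribution(rates, eps=1e-6):
    """Smoothed probability vector over rate bins for one observation window."""
    counts = Counter(rate_bin(r) for r in rates)
    total = len(rates) + eps * N_BINS
    return [(counts.get(b, 0) + eps) / total for b in range(N_BINS)]

def kl_divergence(q, p):
    """Relative entropy D(Q||P): how surprising window Q looks under baseline P."""
    return sum(qi * math.log(qi / pi) for qi, pi in zip(q, p))

def train(windows, margin=2.0):
    """Training: pool benign windows into the baseline P, score every benign window
    against it, and place the alert threshold above the worst benign score."""
    baseline = distribution([r for w in windows for r in w])
    scores = [kl_divergence(distribution(w), baseline) for w in windows]
    return baseline, margin * max(scores)

def detect(window, baseline, threshold):
    """Detection: score the current window; alert when the score exceeds the threshold."""
    score = kl_divergence(distribution(window), baseline)
    return score > threshold, score

def synth_window(seed, n=200, attack=False):
    """Constructed sample data: benign rates are lognormal around 50 kbps; a DDoS
    window additionally carries 5x as many connections at tens of Mbps."""
    rng = random.Random(seed)
    rates = [rng.lognormvariate(math.log(50_000), 1.5) for _ in range(n)]
    if attack:
        rates += [rng.uniform(20e6, 80e6) for _ in range(5 * n)]
    return rates

BENIGN_WINDOWS = [synth_window(i) for i in range(30)]   # constructed training set

if __name__ == "__main__":
    base, thr = train(BENIGN_WINDOWS)
    for label, w in (("benign", synth_window(99)), ("ddos", synth_window(7, attack=True))):
        alarm, s = detect(w, base, thr)
        print(f"{label}: D(Q||P)={s:.3f} threshold={thr:.3f} alert={alarm}")
```

Under attack the window's probability mass shifts into high-rate bins that the baseline assigns almost no mass, so D(Q||P) jumps by orders of magnitude; benign windows only differ from P by sampling noise.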
