Homework 6 - Extra Credit

Due: Tuesday June 3, 2008 at 5:00pm
This homework is worth 20 points.

  1. When using SYN cookies to guard against a SYN flood, how is the Maximum Segment Size (MSS) recovered from the ACK packet's acknowledgement number?
  2. A distributed denial of service attack often uses a botnet, which is a large network of machines that are controlled by the attacker. If you are a system administrator, how would you look for bots in your network?
  3. A port scanner can be used to identify open ports on a server. An attacker often uses port scanners to determine which attacks to launch. Give a legitimate use of port scanners, such as by a system administrator.
  4. Why is segmentation recommended for network design?
  5. Give one reason why an organization may have multiple firewalls in their network.
  6. Why does a stealth mode IDS need a separate network to communicate alarms and to accept management commands?
  7. Some have argued that as more network data becomes encrypted, network-based IDS will be rendered useless. Argue for or against this statement. Justify your answer.
  8. Describe a non-malicious situation where a half-open TCP connection may occur. How does an IDS rule writer distinguish between such a non-malicious event and a SYN flood?
  9. One argument is that a lack of diversity in systems is itself a vulnerability, since so many people use the same OS/application. Describe how having 10 equally popular web browsers instead of just IE and Firefox would change the way attackers exploit browser bugs to attack users.
  10. Firewalls are critical components for creating a segmented network, so one would assume they would be targets of attack. Why are so few firewalls successfully compromised by attackers?
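For question 1, the following is an added worked model of SYN cookies (it is not part of the homework and not any real kernel's code). It follows the classic layout: the server's initial sequence number is 5 bits of a slow time counter, 3 bits of an index into a small MSS table, and 24 bits of a keyed hash over the connection 4-tuple and the counter. Because the client acknowledges ISN + 1, the server subtracts 1 from the acknowledgement number, checks the hash and the counter age, and reads the MSS index back out. The MSS table, the secret, and the 4-second maximum age are assumed values chosen for the example; real implementations differ in those details.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed MSS table: the 3 bits reserved in the cookie select one of these eight values.
MSS_TABLE = (536, 1024, 1280, 1400, 1440, 1460, 4312, 8960)

# Assumed per-server secret; real implementations generate it at boot and may rotate it.
SECRET = b"example-syn-cookie-secret"


def _mac24(saddr, daddr, sport, dport, t5):
    """24-bit keyed hash over the client->server 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed,
                      sport, dport, t5)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(client_mss):
    """Index of the largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_mss, t):
    """Server ISN for the SYN-ACK: 5 bits time counter | 3 bits MSS index | 24 bits MAC.

    saddr/sport belong to the client (the SYN's source), daddr/dport to the server.
    """
    t5 = t & 0x1F
    return (t5 << 27) | (mss_index(client_mss) << 24) | _mac24(saddr, daddr, sport, dport, t5)


def recover_mss(saddr, daddr, sport, dport, ack_number, now, max_age=4):
    """Validate the cookie carried in the client's final ACK; return the MSS or None.

    Addresses and ports are again given from the client's side (the ACK's source).
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    t5 = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if (now - t5) & 0x1F > max_age:             # counter has moved on too far: stale cookie
        return None
    if mac != _mac24(saddr, daddr, sport, dport, t5):
        return None                             # forged, or replayed against a different 4-tuple
    return MSS_TABLE[idx]


if __name__ == "__main__":
    isn = make_cookie("10.0.0.5", "192.0.2.1", 40000, 80, 1460, t=17)
    print(hex(isn), recover_mss("10.0.0.5", "192.0.2.1", 40000, 80, isn + 1, now=18))
```

The server keeps no state between the SYN-ACK and the ACK: everything it needs is either in the ACK's headers (the 4-tuple) or inside the acknowledgement number itself. The price is the coarse MSS table and the short counter, which is why the ACK is only accepted while the cookie is recent.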
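For question 8, the following is an added detection sketch (not part of the homework, and not a rule from any real IDS). It replays a constructed stream of handshake events, treats a SYN that has had no ACK for longer than a timeout as half-open, and alerts only when the number of half-open handshakes to one server port crosses a threshold. A single client that lost connectivity after the server's SYN-ACK leaves one half-open entry and no alert; thirty spoofed sources that never complete the handshake do. The timeout and threshold are assumed values, and the two traces are constructed for the example.

```python
from collections import defaultdict

SYN_TIMEOUT = 3.0   # assumed: seconds a handshake may stay incomplete before it counts as half-open
THRESHOLD = 20      # assumed: half-open handshakes to one server:port that trigger an alert

# Event tuples are (time_s, client, server, port, kind), always named from the client's side:
#   "S" client SYN, "SA" server SYN-ACK, "A" client's handshake ACK, "R" reset, "T" timer tick.


def track_half_open(events, timeout=SYN_TIMEOUT, threshold=THRESHOLD):
    """Replay events; return (alerts, half-open counts per server:port at the last event)."""
    pending = {}          # (client, server, port) -> time of the SYN
    alerts = []
    alerted = set()
    half_open = {}
    for t, client, server, port, kind in events:
        key = (client, server, port)
        if kind == "S":
            pending[key] = t
        elif kind in ("A", "R"):
            pending.pop(key, None)
        # "SA" and "T" change nothing: a SYN-ACK without the final ACK is still half-open.
        half_open = defaultdict(int)
        for (_, s, p), syn_t in pending.items():
            if t - syn_t >= timeout:
                half_open[(s, p)] += 1
        for target, n in half_open.items():
            if n >= threshold and target not in alerted:
                alerted.add(target)
                alerts.append((t, target[0], target[1], n))
    return alerts, dict(half_open)


def benign_trace():
    """Constructed: one client drops off the network after the SYN-ACK; another completes."""
    return [
        (0.00, "10.1.1.5", "192.0.2.10", 80, "S"),
        (0.01, "10.1.1.5", "192.0.2.10", 80, "SA"),
        (0.20, "10.1.1.9", "192.0.2.10", 80, "S"),
        (0.21, "10.1.1.9", "192.0.2.10", 80, "SA"),
        (0.22, "10.1.1.9", "192.0.2.10", 80, "A"),
        (5.00, None, None, None, "T"),
    ]


def flood_trace(n_sources=30):
    """Constructed: many spoofed sources SYN the same port and never send the ACK."""
    ev = []
    for i in range(n_sources):
        src = f"203.0.113.{i + 1}"
        ev.append((i * 0.01, src, "192.0.2.10", 80, "S"))
        ev.append((i * 0.01 + 0.001, src, "192.0.2.10", 80, "SA"))
    ev.append((4.0, None, None, None, "T"))
    return ev


if __name__ == "__main__":
    print("benign:", track_half_open(benign_trace()))
    print("flood: ", track_half_open(flood_trace()))
```

The distinguishing signal is not the existence of a half-open connection but how many are outstanding against one target at once, and (in a real rule) how many distinct, often unroutable, sources they come from; a stuck client produces one entry from one address, a flood produces dozens from many.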