Homework 6 - Extra Credit

Due: Monday June 7, 2010 at 5:00pm
Since this is an extra credit assignment, no late submissions will be accepted. The solutions will be posted on the evening of Monday June 7th so that you can study them before the final.

  1. When using SYN cookies to guard against a SYN flood, how is the Maximum Segment Size (MSS) recovered from the ACK packet's acknowledgement number?
  2. A distributed denial of service attack often uses a botnet, which is a large network of machines that are controlled by the attacker. If you are a system administrator, how would you look for bots in your network?
  3. A port scanner can be used to identify open ports on a server. An attacker often uses port scanners to determine which attacks to launch. Give a legitimate use of port scanners, such as by a system administrator.
  4. Why is segmentation recommended for network design?
  5. Give one reason why an organization may have multiple firewalls in its network.
  6. Why does a stealth mode IDS need a separate network to communicate alarms and to accept management commands?
  7. Some have argued that as more network data becomes encrypted, network-based IDS will be rendered useless. Argue for or against this statement. Justify your answer.
  8. Describe a non-malicious situation where a half-open TCP connection may occur. How does an IDS rule writer distinguish between such a non-malicious event and a SYN flood?
  9. One argument is that a lack of diversity in systems is itself a vulnerability since so many people use the same OS/application. Describe how having 10 equally popular web browsers instead of just IE and Firefox would change the way attackers use web bugs to attack.
  10. Firewalls are critical components for creating a segmented network, so one would assume they would be targets of attack. Why are so few firewalls successfully compromised by attackers?
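A worked illustration of the mechanism asked about in question 1, added here as example code (it is not course material and not any real TCP stack's implementation). It uses the classic SYN cookie layout: the server's initial sequence number is built from 5 bits of a slowly ticking counter t, 3 bits encoding the MSS the server chose in reply to the client's SYN, and a 24-bit keyed hash of the connection 4-tuple. When the client's ACK arrives, the server has kept no state, so it subtracts one from the acknowledgement number (the ACK acknowledges ISN + 1), reads the MSS index from bits 24 to 26, and accepts the connection only if the hash checks out. The MSS table, secret key, addresses and the acceptable cookie age are assumptions made for this example; as one extra beyond the original Bernstein description, the hash here also covers the MSS index, so an ACK whose MSS bits were altered is rejected.

```python
import hashlib
import hmac
import socket
import struct

# Illustrative MSS table (an assumption for this example, not a real stack's
# table): the server answers with the largest entry that does not exceed the
# MSS the client advertised, and stores only the 3-bit index in the cookie.
MSS_TABLE = (64, 512, 536, 1024, 1440, 1460, 4312, 8960)

# Per-boot secret for the keyed hash; constructed for this example.
SECRET = b"example-syn-cookie-secret"

# How many ticks old a cookie may be and still be accepted (assumption).
MAX_COOKIE_AGE = 3


def choose_mss_index(client_mss):
    """Index of the largest table entry <= the client's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def cookie_hash(saddr, daddr, sport, dport, t, mss_idx):
    """24-bit keyed hash over the 4-tuple, the time counter and the MSS index."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHIB", sport, dport, t & 0xFFFFFFFF, mss_idx))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, t):
    """Server ISN for the SYN-ACK: 5 bits of t, 3 bits of MSS index, 24-bit hash."""
    mss_idx = choose_mss_index(client_mss)
    h = cookie_hash(saddr, daddr, sport, dport, t, mss_idx)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | h


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, now_t):
    """Validate the client's ACK and return the MSS, or None if the cookie is bad."""
    cookie = (ack_num - 1) & 0xFFFFFFFF   # the ACK acknowledges ISN + 1
    t_field = cookie >> 27                # 5-bit counter residue
    mss_idx = (cookie >> 24) & 0x7        # the MSS field question 1 asks about
    h = cookie & 0xFFFFFF                 # 24-bit hash
    # Find the recent counter value whose low 5 bits match, then verify the hash.
    for age in range(MAX_COOKIE_AGE + 1):
        t = now_t - age
        if (t & 0x1F) != t_field:
            continue
        if cookie_hash(saddr, daddr, sport, dport, t, mss_idx) == h:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed sample connection: client 10.0.0.7:40000 -> server 192.0.2.10:80
    isn = make_syn_cookie("10.0.0.7", "192.0.2.10", 40000, 80, client_mss=1460, t=1000)
    ack = (isn + 1) & 0xFFFFFFFF
    print("ISN 0x%08x, recovered MSS:" % isn,
          check_syn_cookie("10.0.0.7", "192.0.2.10", 40000, 80, ack, now_t=1001))
```

Because the MSS index is all that fits in three bits, the server cannot recover the client's exact advertised MSS, only the table entry it chose, which is why SYN-cookie connections may use a slightly smaller segment size than a normally negotiated one.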