Homework 6 - Extra Credit
Due: Friday June 8, 2012 at midnight
Chapter 23: "The Bleeding Edge" from the second edition may also be helpful
for this assignment. This chapter is one of the free chapters from the second
edition that is available on the author's website.
- When using SYN cookies to guard against a SYN flood, how is the Maximum
Segment Size (MSS) recovered from the ACK packet's acknowledgement number?
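As an added illustration of the mechanism this question asks about (example code written for this page, not part of the assignment or of any textbook), the block below builds a SYN cookie in the classic layout (top 5 bits: a coarse timestamp; next 3 bits: an index into a small MSS table; low 24 bits: a keyed hash of the connection 4-tuple and timestamp) and then recovers the MSS from the acknowledgement number of the returning ACK, which equals the cookie plus one. The MSS table, the secret key, the addresses and ports, and the 4-slot expiry window are constructed for the example; a real kernel uses its own table and hash.

```python
import hashlib
import hmac

# Constructed MSS table: the 3-bit field selects one of these values.
# Linux uses its own (different) table; this one is just for illustration.
MSS_TABLE = [536, 1300, 1440, 1460]

# Assumed server-side secret; in practice it is random and rotated.
SECRET = b"constructed-secret-key-for-example"


def _hash24(saddr, daddr, sport, dport, t5):
    """24-bit keyed hash over the 4-tuple and the 5-bit timestamp slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t5}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, t):
    """Server ISN sent in the SYN/ACK: no per-connection state is kept.

    t is the current time in coarse units (e.g. 64-second slots); only
    its low 5 bits are encoded.
    """
    t5 = t & 0x1F
    return (t5 << 27) | (mss_index(client_mss) << 24) | _hash24(
        saddr, daddr, sport, dport, t5
    )


def recover_mss_from_ack(saddr, daddr, sport, dport, ack_number, now_t,
                         max_age=4):
    """Validate the cookie carried in the ACK and return the MSS, or None.

    The client's ACK acknowledges our ISN + 1, so the cookie is ack - 1.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t5 = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    # Reject stale cookies (timestamp slot too far in the past, mod 32).
    if ((now_t & 0x1F) - t5) & 0x1F > max_age:
        return None
    # Reject forged or corrupted cookies: the keyed hash must match.
    if tag != _hash24(saddr, daddr, sport, dport, t5):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed connection: client 10.0.0.5:40000 -> server 10.0.0.1:80
    isn = make_syn_cookie("10.0.0.5", "10.0.0.1", 40000, 80, 1460, t=7)
    # Legitimate client replies one slot later, acknowledging isn + 1.
    print(recover_mss_from_ack("10.0.0.5", "10.0.0.1", 40000, 80, isn + 1, 8))
```

Because only a 3-bit index survives the round trip, the server regains an approximation of the client's MSS (rounded down to a table entry) rather than the exact value, which is the price of keeping no state for half-open connections during a flood.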
- A distributed denial of service attack often uses a botnet, which is a large
network of machines that are controlled by the attacker. If you are a
system administrator, how would you look for bots in your network?
- A port scanner can be used to identify open ports on a server. An attacker
often uses port scanners to determine which attacks to launch. Give a
legitimate use of port scanners, such as by a system administrator.
- Why is segmentation (either physical or logical separation) recommended
for network design?
- Give one reason why an organization may have multiple firewalls in its
network.
- Why does a stealth mode IDS (IDS that can only listen to the network that
it is monitoring) need a separate network to communicate alarms
and to accept management commands?
- Some have argued that as more network data becomes encrypted, network-based
IDS will be rendered useless. Argue for or against this statement. Justify
your answer.
- Describe a non-malicious situation where a half-open TCP connection
(received the SYN, sent the SYN/ACK, waiting for the ACK from the client)
may occur. How does an IDS rule writer distinguish between such a
non-malicious event and a SYN flood?
- One argument is that a lack of diversity in systems is itself a
vulnerability since so many people use the same OS/application. Describe
how having 10 equally popular desktop web browsers instead of just Chrome,
IE and Firefox would change the way attackers use web bugs to attack.
- Tor networks claim to allow users to browse the web anonymously. What are
some of the risks of using an unencrypted protocol over a Tor network?