Homework 6 - Extra Credit

Due: Friday June 8, 2012 at midnight

Chapter 23: "The Bleeding Edge" from the second edition may also be helpful for this assignment. It is one of the free chapters of the second edition that are available on the author's website.

  1. When using SYN cookies to guard against a SYN flood, how is the Maximum Segment Size (MSS) recovered from the ACK packet's acknowledgement number?
  2. A distributed denial of service attack often uses a botnet, which is a large network of machines that are controlled by the attacker. If you are a system administrator, how would you look for bots in your network?
  3. A port scanner can be used to identify open ports on a server. An attacker often uses port scanners to determine which attacks to launch. Give a legitimate use of port scanners, such as by a system administrator.
  4. Why is segmentation (either physical or logical separation) recommended for network design?
  5. Give one reason why an organization may have multiple firewalls in their network.
  6. Why does a stealth mode IDS (IDS that can only listen to the network that it is monitoring) need a separate network to communicate alarms and to accept management commands?
  7. Some have argued that as more network data becomes encrypted, network-based IDS will be rendered useless. Argue for or against this statement. Justify your answer.
  8. Describe a non-malicious situation where a half-open TCP connection (received the SYN, sent the SYN/ACK, waiting for the ACK from the client) may occur. How does an IDS rule writer distinguish between such a non-malicious event and a SYN flood?
  9. One argument is that a lack of diversity in systems is itself a vulnerability since so many people use the same OS/application. Describe how having 10 equally popular desktop web browsers instead of just Chrome, IE and Firefox would change the way attackers use web bugs to attack.
  10. Tor networks claim to allow users to browse the web anonymously. What are some of the risks of using an unencrypted protocol over a Tor network?
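The SYN cookie mechanism behind question 1, as an added worked example (not part of the assignment or the textbook): the server never stores state for a half-open connection; instead it packs a time counter, an MSS table index and a keyed hash into the initial sequence number it sends in the SYN/ACK, and later recovers all three from the client's acknowledgement number (which is ISN + 1). The 5/3/24-bit layout follows Bernstein's description of SYN cookies; the MSS table, the secret and the choice to cover the MSS index with the MAC are assumptions made here, and real kernels use their own hash and layout.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed MSS table: the 3 cookie bits select one of up to 8 entries.
MSS_TABLE = [536, 1300, 1440, 1460]
# Constructed server secret; a real server draws it at random at boot.
SECRET = b"constructed-secret-for-the-example"


def mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def _mac24(client_ip, client_port, server_ip, server_port, t, idx):
    """24-bit keyed hash over the 4-tuple, the time counter and the MSS index."""
    msg = struct.pack("!4sH4sHIB",
                      ipaddress.IPv4Address(client_ip).packed, client_port,
                      ipaddress.IPv4Address(server_ip).packed, server_port,
                      t, idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(client_ip, client_port, server_ip, server_port, client_mss, t):
    """Server ISN for the SYN/ACK: [5 bits t mod 32][3 bits MSS index][24 bits MAC]."""
    idx = mss_index(client_mss)
    mac = _mac24(client_ip, client_port, server_ip, server_port, t, idx)
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def mss_from_ack(client_ip, client_port, server_ip, server_port, ack_num, now, max_age=4):
    """Validate the cookie echoed in the final ACK and return its MSS, or None.

    The client acknowledges ISN + 1, so the cookie is ack_num - 1.  The server
    tries its current counter value and the previous few, so a cookie older
    than max_age ticks is rejected (keeping the secret from being replayed forever).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age):
        t = now - age
        if t < 0 or (t & 0x1F) != t_low:
            continue
        expected = _mac24(client_ip, client_port, server_ip, server_port, t, idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # Constructed handshake: counter tick 100 when the SYN/ACK went out, 101 when the ACK arrives.
    isn = make_cookie("203.0.113.7", 40000, "198.51.100.1", 443, 1460, 100)
    print("recovered MSS:", mss_from_ack("203.0.113.7", 40000, "198.51.100.1", 443, isn + 1, 101))
```

Note what the server gives up in exchange for statelessness: only a handful of MSS values are representable, and the 24-bit MAC means a blind attacker who can reach the server can forge a cookie for a given 4-tuple with about 2^24 ACKs per counter tick, which is why the counter advances and old cookies expire.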
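For question 8, the following added example (not part of the assignment) shows the shape of a rule that separates a benign half-open connection from a SYN flood: a single client whose final ACK was lost, or that crashed after sending its SYN, leaves one or two half-open entries that either complete after a SYN/ACK retransmission or time out quietly, whereas a flood leaves hundreds of half-open entries from many (usually spoofed) sources that never complete. The event records are constructed and already normalized to (time, client, client port, server, server port, handshake step); the timeout and threshold values are assumptions that a rule writer would tune for the monitored network.

```python
from collections import defaultdict

HALF_OPEN_TIMEOUT = 3.0  # seconds a SYN/ACK may wait for its ACK before it counts (assumed)
FLOOD_THRESHOLD = 100    # half-open connections per server port that trigger an alert (assumed)


def handshake_states(events):
    """Reduce normalized handshake events to the final state of each connection tuple."""
    state = {}
    for ts, client, cport, server, sport, kind in sorted(events):
        key = (client, cport, server, sport)
        cur = state.get(key)
        if kind == "SYN":
            state[key] = ("SYN", ts)
        elif kind == "SYNACK" and cur is not None:
            # A retransmitted SYN/ACK must not reset the clock on the half-open entry.
            started = cur[1] if cur[0] == "SYNACK" else ts
            state[key] = ("SYNACK", started)
        elif kind == "ACK" and cur is not None and cur[0] == "SYNACK":
            state[key] = ("OPEN", ts)
    return state


def half_open_by_server(events, now, timeout=HALF_OPEN_TIMEOUT):
    """Map (server, port) -> (half-open count, distinct client addresses)."""
    counts = defaultdict(lambda: [0, set()])
    for (client, cport, server, sport), (st, ts) in handshake_states(events).items():
        if st == "SYNACK" and now - ts >= timeout:
            counts[(server, sport)][0] += 1
            counts[(server, sport)][1].add(client)
    return {k: (n, len(clients)) for k, (n, clients) in counts.items()}


def classify(events, now, threshold=FLOOD_THRESHOLD):
    """Verdict per server port: a flood is many aged half-open entries, not one or two."""
    return {srv: ("syn-flood" if n >= threshold else "benign-half-open")
            for srv, (n, _) in half_open_by_server(events, now).items()}


SERVER = ("10.0.0.5", 80)


def constructed_flood(n=200):
    """Constructed SYN flood: n spoofed sources, SYN/ACK sent to each, no ACK ever returns."""
    ev = []
    for i in range(n):
        src = f"198.51.100.{i % 250 + 1}"
        ev.append((i * 0.001, src, 40000 + i, *SERVER, "SYN"))
        ev.append((i * 0.001 + 0.0005, src, 40000 + i, *SERVER, "SYNACK"))
    return ev


def constructed_benign():
    """Constructed normal traffic with two non-malicious half-open situations."""
    return [
        # Client A's ACK is lost; the server retransmits its SYN/ACK and the handshake completes.
        (0.00, "192.0.2.10", 51000, *SERVER, "SYN"),
        (0.01, "192.0.2.10", 51000, *SERVER, "SYNACK"),
        (1.01, "192.0.2.10", 51000, *SERVER, "SYNACK"),
        (1.05, "192.0.2.10", 51000, *SERVER, "ACK"),
        # Client B completes normally.
        (0.20, "192.0.2.11", 51001, *SERVER, "SYN"),
        (0.21, "192.0.2.11", 51001, *SERVER, "SYNACK"),
        (0.25, "192.0.2.11", 51001, *SERVER, "ACK"),
        # Client C crashed or lost connectivity after its SYN and never ACKs.
        (0.30, "192.0.2.12", 51002, *SERVER, "SYN"),
        (0.31, "192.0.2.12", 51002, *SERVER, "SYNACK"),
    ]


if __name__ == "__main__":
    print("flood :", classify(constructed_flood(), now=5.0))
    print("benign:", classify(constructed_benign(), now=5.0))
```

The rule deliberately waits HALF_OPEN_TIMEOUT before counting an entry, so a burst of legitimate connections in flight is not mistaken for an attack; the cost is that a flood is only recognized once its entries have aged, which is the usual trade-off when writing this kind of threshold rule.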