CSCE 4550 Assignment 9

The document discusses various topics related to DNS, firewalls, intrusion detection systems, and wireless network security. 1) It discusses the purpose of DNS to resolve domain names and store resource records hierarchically, describes DNS cache poisoning attacks and techniques to prevent them, and explains how DNS requests are authenticated using DNSSEC. 2) It covers firewall fundamentals like whitelist vs blacklist policies, how stateless and application-layer firewalls can block traffic, and rules to prevent IP spoofing. 3) Topics around intrusion detection include detecting masqueraders, misfeasors, and clandestine users via system logs, and how port scans can indicate impending attacks. 4) For wireless security
#1. [a] What is the main purpose of DNS?
To resolve human-readable domain names to IP addresses. DNS is a distributed database spread over the Internet that stores resource records for managing the names and IP addresses of hosts in a hierarchical manner.
[b] What are three resource records stored in a DNS database?
Address (A) records, mail exchange (MX) records and name server (NS) records.
#2. DNS caches maintained by operating systems have privacy implications for users. Why?
Even after a user deletes the browser history and cookies, the operating system's DNS cache still holds the names of recently resolved hosts, so it preserves evidence of which sites were recently visited.
#3. Why are pharming and phishing attacks often used in concert with each other?
Pharming redirects a domain name to an IP address of the attacker's choosing rather than to the legitimate server, so the victim is led to view or download malicious content. Phishing presents a fake copy of a real site in order to steal the user's information. They are used together because pharming delivers the victim to the attacker's IP address, where a mock site that looks like the original waits for the user to enter valuable information such as credentials.
#4. What is a DNS cache poisoning attack?
An attack in which the attacker tricks a DNS server into caching a false DNS record, so that all downstream clients issuing DNS requests to that server resolve the name to an attacker-supplied IP address. The attacker sends the server a query for the domain to be poisoned, then floods it with forged replies to his own request, guessing the random 16-bit query ID. If a forged reply with the matching ID arrives before the genuine answer, the server caches the false record, and every later request for that domain is answered with the attacker's address.
#5. Identify four techniques to prevent DNS cache poisoning.
1) Use random identifiers for queries instead of predictable ones. 2) Check that the identifier in every reply matches an outstanding query and discard replies that do not match. 3) Use source port randomization: queries originate from, and replies must arrive at, a random UDP port, so the attacker has to guess both the query ID and the port. 4) Configure local DNS servers to accept recursive requests only from within their internal network. (DNSSEC, described in #8, additionally lets the resolver verify the signature on the answer.)
#6. Recall that the query ID for DNS queries is 16 bits, so it can take 2^16 = 65,536 values (0 to 65,535) and is randomly chosen for each DNS request. If an attacker sends 2,048 false replies per request, how many requests should he trigger to compromise the DNS cache of the victim with probability 90%? (Hint: See Slide 16.)
A false reply succeeds only if its guessed ID matches the real one, so with 2,048 distinct guesses a single triggered request is poisoned with probability
p = 2,048 / 65,536 = 1/32 ≈ 0.031
and survives with probability 1 - p = 31/32 ≈ 0.969. After k independent requests the attack has failed every time with probability (31/32)^k, so the overall success probability is 1 - (31/32)^k. Requiring 90%:
1 - (31/32)^k >= 0.9  =>  (31/32)^k <= 0.1  =>  k >= ln(0.1) / ln(31/32) ≈ 2.303 / 0.0317 ≈ 72.5
so the attacker needs to trigger 73 requests (about 73 × 2,048 ≈ 150,000 forged replies in total).

#7. Suppose DNS IDs were extended from 16 bits to 32 bits. How many DNS requests and an equal number of fake responses would an attacker need to make in order to get a 50% chance of succeeding in a DNS cache poisoning attack?
Each fake response matches the random 32-bit ID with probability 1/2^32, so n fake responses to a triggered request give a success probability of n/2^32. Setting
n / 2^32 = 0.5
gives n = 2^31 = 2,147,483,648, i.e. about 2.1 billion requests and fake responses, compared with 2^15 = 32,768 for 16-bit IDs.
#8. Briefly explain the way a DNS request is answered when DNSSEC is deployed on both the client and server.
Each zone signs its resource record sets with its private key and publishes the matching public key in a DNSKEY record; the signature is returned as an RRSIG record alongside the answer. The parent zone vouches for the child's key by publishing a DS record (a hash of the child's key-signing key) that is itself signed with the parent's key. The resolver validates the chain from a trusted root key downward: for book.example.com it verifies the root's DS record for .com, .com's DNSKEY and its DS record for example.com, example.com's DNSKEY, and finally the RRSIG over the A record for book.example.com. The answer is accepted only if every signature in the chain verifies.
#9. List four properties of packets utilized by firewall policies.
Protocol used, source and destination IP addresses, source and destination ports, and the application-level packet payload.
#10. Briefly explain the two approaches to creating firewall policies.
Whitelist (default-deny): packets are dropped unless they are specifically accepted by a rule in the whitelist. Blacklist (default-allow): all packets are allowed through except those that match a rule in the blacklist.
#11. Explain how a stateless firewall would block all incoming and outgoing HTTP requests.
A stateless firewall examines each packet in isolation, without remembering earlier packets, so it can only act on fields of the packet itself. To block HTTP it needs two rules: drop outgoing TCP packets whose destination port is 80, and drop incoming TCP packets whose destination port is 80. Since no HTTP connection can be set up without a SYN packet to port 80, it is enough to drop TCP packets to port 80 that carry the SYN flag without ACK; no TCP handshake with a web server can then complete in either direction.
#12. Explain how an application-layer firewall would block all incoming and outgoing traffic to the Ku Klux Klan website.
An application-layer firewall inspects the content of the traffic, not just the headers. It would flag the site's domain name and URLs: any outgoing HTTP request whose Host header or URL names the site is rejected, and any response coming from that site is discarded, so traffic in both directions is blocked.
#13. Describe a firewall rule that can prevent IP spoofing on outgoing packets from its internal network.
An egress filtering rule: drop any outgoing packet whose source IP address is not within the internal network's address range, since a legitimate packet leaving the network must carry an internal source address. (The mirror-image ingress rule drops incoming packets from the Internet that claim an internal source address.)
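Added example (not part of the original assignment): a toy stateless packet filter in Python that puts the policies of #10 to #13 side by side. The internal range 10.0.0.0/8, the rule names, the rule ordering and the sample packets are assumptions made for this illustration, not a real product's rule syntax.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Assumed internal address range for the example.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" = leaving the internal network, "in" = arriving from outside
    proto: str                # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. frozenset({"SYN"})


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "drop"
    match: Callable[[Packet], bool]


class StatelessFirewall:
    """Judges every packet on its own fields only: there is no connection table,
    so return traffic must be admitted by rules on flags and ports, not by state."""

    def __init__(self, default: str, rules: List[Rule]):
        assert default in ("allow", "drop")
        self.default, self.rules = default, rules

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:          # first matching rule wins
            if rule.match(pkt):
                return rule.action, rule.name
        return self.default, "default"


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def is_tcp_syn(p: Packet) -> bool:
    """Connection-opening segment: SYN set, ACK clear."""
    return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags


# Drop rules shared by both policies (#11: block HTTP, #13: anti-spoofing).
BLOCK_RULES = [
    Rule("egress anti-spoof (#13)", "drop", lambda p: p.direction == "out" and not is_internal(p.src)),
    Rule("ingress anti-spoof", "drop", lambda p: p.direction == "in" and is_internal(p.src)),
    Rule("block HTTP handshakes (#11)", "drop", lambda p: is_tcp_syn(p) and p.dport == 80),
]


def whitelist_firewall() -> StatelessFirewall:
    """Default-deny (#10): only what an allow rule names gets through."""
    allow = [
        Rule("DNS out", "allow", lambda p: p.direction == "out" and p.proto == "udp" and p.dport == 53),
        Rule("DNS replies in", "allow", lambda p: p.direction == "in" and p.proto == "udp" and p.sport == 53),
        Rule("TCP out", "allow", lambda p: p.direction == "out" and p.proto == "tcp"),
        # A stateless filter cannot know a connection exists; it admits inbound segments
        # with ACK set on the assumption that they belong to one opened from inside.
        Rule("TCP replies in (ACK set)", "allow",
             lambda p: p.direction == "in" and p.proto == "tcp" and "ACK" in p.flags),
    ]
    return StatelessFirewall("drop", BLOCK_RULES + allow)


def blacklist_firewall() -> StatelessFirewall:
    """Default-allow (#10): everything passes except what a drop rule names."""
    return StatelessFirewall("allow", BLOCK_RULES)


if __name__ == "__main__":
    samples = [   # constructed packets, not captured traffic
        Packet("out", "tcp", "10.1.2.3", "93.184.216.34", 40000, 80, frozenset({"SYN"})),
        Packet("out", "udp", "10.1.2.3", "198.51.100.53", 40001, 53),
        Packet("out", "tcp", "192.0.2.5", "93.184.216.34", 40002, 443, frozenset({"SYN"})),
        Packet("in", "tcp", "93.184.216.34", "10.1.2.3", 443, 40003, frozenset({"SYN", "ACK"})),
        Packet("in", "tcp", "203.0.113.9", "10.1.2.3", 50000, 22, frozenset({"SYN"})),
    ]
    for name, fw in (("whitelist", whitelist_firewall()), ("blacklist", blacklist_firewall())):
        for p in samples:
            print(f"{name:9} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
                  f" => {fw.decide(p)}")
```

The demo's last sample (an unsolicited inbound SYN to port 22) is the one that separates the two policies: the whitelist drops it by default, the blacklist lets it through because no rule names it.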
#14. [a] What is a tunneling protocol? A protocol that encapsulates the packets of one protocol inside the packets of another, so that traffic can be carried across a network that would not otherwise support it or, as in a VPN, so that the inner packets travel through an encrypted, authenticated channel between a client and a server.
[b] Give one example of a tunneling protocol.
SSH, which uses symmetric and public-key cryptography to build an encrypted channel across the Internet and can forward other TCP connections through it.
IPsec in tunnel mode, which encapsulates the entire original IP packet inside a new packet whose payload is encrypted and authenticated.

#15. List two security issues with IP which are resolved with IPsec.
1) IP has no built-in authentication of the sender, so the source address of a packet can be spoofed. 2) IP provides no confidentiality: the payload is sent in the clear. (In addition, the IP header checksum protects only the header, so there is no integrity check on the payload.) IPsec's AH and ESP, in transport or tunnel mode, address these problems.
#16. [a] When IPsec is used in transport mode, what is encrypted? Only the payload of the IP packet; the original IP header stays in the clear. [b] When IPsec is used in tunnel mode, what is encrypted? The entire original packet, header included, because it is encapsulated as the payload of a new packet that carries a new IP header and the IPsec header.
#17. What is the purpose of the Authentication Header (AH) in IPsec? It authenticates the origin and guarantees the integrity of IPsec packets (covering the payload and the immutable fields of the IP header), but it provides no confidentiality.
What is the purpose of the Encapsulating Security Payload (ESP) header in IPsec? It provides confidentiality by encapsulating the payload between an ESP header and an ESP trailer and encrypting it with the negotiated block cipher; how much of the packet is covered depends on whether transport or tunnel mode is used, and ESP can optionally authenticate the encrypted data as well.
#18. Explain why deep packet inspection cannot be performed on protocols such as IPsec, SSL and SSH.
Deep packet inspection works by reading the application-level payload of each packet. With IPsec, SSL and SSH the payload is encrypted end to end between the two endpoints, so a firewall in the middle sees only ciphertext and the outer headers; without the keys it cannot match the contents against its rules.
#19. The coupon collector problem characterizes the expected number of days that it takes to
get n coupons if one receives one of these coupons at random every day in the mail. This
number is approximately n ln n. Use this fact to compare the number of TCP connections that
are initiated in a sequential port scan, going from port 1 to 65535, directed at some host, to the
expected number that are requested in a random port scan, which requests a random port each
time (uniformly and independently) until it has probed all of the ports.
The sequential scan makes exactly one connection attempt per port, 65,535 in total. The random scan is a coupon collector problem with n = 65,535 coupons, so it needs about n ln n = 65,535 × ln 65,535 ≈ 65,535 × 11.09 ≈ 727,000 attempts (natural logarithm), roughly eleven times as many as the sequential scan.
sequential: 65,535
random: ≈ 727,000 (n ln n)
#20. Describe a modification to the random port scan, as described in problem 19, so that it still
uses a randomly generated sequence of port numbers but will now have exactly the same
number of attempted TCP connections as a sequential port scan.
Generate a random permutation of the port numbers 1 to 65,535 (for example with a Fisher-Yates shuffle, or by sorting the ports by randomly drawn keys, which costs O(n log n)) and then probe the ports in that order. The ports are still visited in a random sequence, but each exactly once, so the number of attempted TCP connections is exactly 65,535, the same as the sequential scan.
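Added simulation (not part of the original assignment) of the three scans in #19 and #20: the sequential order, the coupon-collector random scan, and the shuffled scan that keeps a random order while making exactly n attempts. The port range and the fixed seeds are assumptions of this example; no packets are sent, only the probe sequence is generated.

```python
import math
import random
from typing import List

N_PORTS = 65535


def sequential_scan_order(n: int = N_PORTS) -> List[int]:
    """Sequential scan: ports 1, 2, ..., n; exactly n connection attempts."""
    return list(range(1, n + 1))


def coupon_collector_estimate(n: int) -> float:
    """Approximate expected attempts for the random scan: n ln n (natural logarithm)."""
    return n * math.log(n)


def random_scan_attempts(n: int, seed: int = 0) -> int:
    """Random scan (#19): pick a uniformly random port each time, repeats allowed,
    until every port 1..n has been probed at least once. Returns the attempt count."""
    rng = random.Random(seed)           # fixed seed so a run is reproducible
    probed = set()
    attempts = 0
    while len(probed) < n:
        probed.add(rng.randint(1, n))
        attempts += 1
    return attempts


def shuffled_scan_order(n: int, seed: int = 0) -> List[int]:
    """#20: a random order that still visits each port exactly once.
    Fisher-Yates shuffle of 1..n; the scan then makes exactly n attempts."""
    rng = random.Random(seed)
    ports = list(range(1, n + 1))
    for i in range(n - 1, 0, -1):
        j = rng.randint(0, i)
        ports[i], ports[j] = ports[j], ports[i]
    return ports


if __name__ == "__main__":
    print("sequential attempts:", len(sequential_scan_order()))
    print("coupon-collector estimate n ln n:", round(coupon_collector_estimate(N_PORTS)))
    print("random scan attempts (one simulation):", random_scan_attempts(N_PORTS, seed=2024))
    print("shuffled scan attempts:", len(shuffled_scan_order(N_PORTS, seed=2024)))
```

Running the demo shows a single random-scan trial landing in the hundreds of thousands of attempts (the exact count varies with the seed; the expectation is n times the n-th harmonic number, slightly above n ln n) while the shuffled scan stops at 65,535 every time.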
#21. What is the difference between a misfeasor and a clandestine user?
Misfeasor: an internal intruder, i.e. a legitimate user who is authorized to use the system but performs actions that are not authorized, or misuses the privileges he has.
Clandestine user: an insider or outsider who seizes supervisory (administrative) control of the system and uses it to evade auditing and access control, for example by suppressing, deleting or editing the audit records and logs that would reveal his actions.

#22. What technique is used by Host-based Intrusion Detection Systems (HIDS) to [a] detect a masquerader? Anomaly detection: the HIDS monitors audit files and system logs and flags behavior that deviates from the statistical profile of the legitimate user's normal behavior (login times, commands, resources used). [b] detect a misfeasor? Rule-based detection: the HIDS checks the recorded actions against rules that define what each user is authorized to do and raises an alarm on unauthorized actions. [c] detect a clandestine user? Integrity monitoring of the audit trail itself: the HIDS logs and verifies how the audit files and system logs are changed, so attempts to delete or alter the logs are detected.
#23. How can an attacker evade an intrusion detection system (IDS)?
By launching a DoS attack on the IDS, overwhelming it with traffic so that it drops packets or cannot keep up with analysis, and the malicious activity goes undetected. (Other common evasions: fragmenting, encoding or encrypting the attack traffic so that it no longer matches the IDS's signatures, or scanning slowly enough to stay below its detection thresholds.)
#24. [a] What is a true positive alarm in an intrusion detection system? An alarm raised on an event that really is an intrusion. [b] What is a true negative in an intrusion detection system? No alarm raised on benign activity that is not an intrusion.
#25. Explain why a port scan might be a preliminary indication that an attack is on its way.
A port scan reveals which ports on a host are open and which services are listening behind them. Attackers use it as reconnaissance: knowing the open ports and services lets them pick an exploit for a vulnerable service, so a scan is often the first step of an attack. Network administrators who detect a scan can therefore tighten protections before the follow-up attack arrives.
#26. What are two techniques to scan TCP ports?
TCP connect scan: attempt a full TCP connection to each port on the target; if the three-way handshake completes, the port is open.
SYN (half-open) scan: send a TCP packet with the SYN flag set to each port; an open port replies with SYN-ACK (the scanner then sends RST instead of completing the handshake), a closed port replies with RST, and a filtered port gives no response at all.
Idle scanning, which bounces the probes off a third host, is another TCP technique; a UDP scan tests UDP rather than TCP ports.
#27. List two techniques used by IDS to detect port scans.
1) Looking for a sequence of connection attempts from the same source IP address to many different destination ports (or hosts) within a short time window. 2) Noting TCP connection attempts to ports that are known to be closed, since legitimate clients do not try to connect to services that do not exist.
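Added example (not part of the original assignment): the two detection techniques of #27 run over a constructed log of connection attempts. The log format (one line per SYN with the target's reply), the thresholds and the window length are assumptions of this example; a real IDS would tune them per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample of connection-attempt records (not real logs).
# reply=synack: the target answered SYN-ACK (port open); reply=rst: it answered RST (port closed).
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=198.51.100.7 dst=10.0.0.5 dport=21 reply=rst
2024-05-01T10:00:00 src=198.51.100.7 dst=10.0.0.5 dport=22 reply=synack
2024-05-01T10:00:01 src=198.51.100.7 dst=10.0.0.5 dport=23 reply=rst
2024-05-01T10:00:01 src=198.51.100.7 dst=10.0.0.5 dport=25 reply=rst
2024-05-01T10:00:02 src=198.51.100.7 dst=10.0.0.5 dport=80 reply=synack
2024-05-01T10:00:02 src=198.51.100.7 dst=10.0.0.5 dport=110 reply=rst
2024-05-01T10:00:03 src=198.51.100.7 dst=10.0.0.5 dport=143 reply=rst
2024-05-01T10:00:05 src=10.0.0.20 dst=10.0.0.5 dport=80 reply=synack
2024-05-01T10:00:09 src=10.0.0.20 dst=10.0.0.5 dport=443 reply=synack
2024-05-01T10:00:40 src=203.0.113.9 dst=10.0.0.5 dport=22 reply=synack
2024-05-01T10:00:41 src=203.0.113.9 dst=10.0.0.5 dport=22 reply=synack
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) reply=(?P<reply>\w+)$"
)


def parse_log(log: str) -> Iterator[Tuple[datetime, str, str, int, str]]:
    """Yield (timestamp, src, dst, dport, reply) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["reply"])


def detect_port_scans(log: str, window_s: int = 10, min_distinct_ports: int = 5,
                      max_closed_hits: int = 3) -> Dict[str, List[str]]:
    """Return {source IP: sorted reasons} for sources that look like port scanners.

    Technique 1 (#27): a source touching >= min_distinct_ports different ports on one
    destination within a sliding window of window_s seconds.
    Technique 2 (#27): a source that keeps hitting closed ports (RST replies).
    """
    alerts: Dict[str, set] = defaultdict(set)
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)   # (src, dst) -> (ts, dport)
    closed_hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, src, dst, dport, reply in parse_log(log):
        key = (src, dst)
        window = recent[key]
        window.append((ts, dport))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()                       # slide the window forward
        if len({p for _, p in window}) >= min_distinct_ports:
            alerts[src].add("many-distinct-ports")
        if reply == "rst":
            closed_hits[key] += 1
            if closed_hits[key] >= max_closed_hits:
                alerts[src].add("closed-port-attempts")
    return {src: sorted(reasons) for src, reasons in alerts.items()}


if __name__ == "__main__":
    for src, reasons in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT {src}: {', '.join(reasons)}")
```

In the sample, 198.51.100.7 trips both detectors, the internal client 10.0.0.20 (two open ports, no RSTs) trips neither, and 203.0.113.9 retrying the same open port is not a scan. Technique 1 is defeated by a scan spread out over longer than the window, which is why the second technique (closed-port hits, which have no time limit here) is worth running alongside it.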
#28. Eve mounted an attack on a wireless network using WEP. She captures packet 300 with
Initialization Vector (IV) 6789 and ciphertext 11001111. She also captures packet 500 with IV
6789 and ciphertext 10101011. Eve was also able to capture part of the plaintext for packet 300
which is 11101101. What is the plaintext for packet 500?
Both packets were encrypted with the same IV (6789) under the same WEP key, so RC4 produced the same keystream for both. From packet 300, whose plaintext is known:
keystream = C300 XOR PT300 = 11001111 XOR 11101101 = 00100010
Applying the recovered keystream to packet 500:
PT500 = C500 XOR keystream = 10101011 XOR 00100010 = 10001001
So the plaintext for packet 500 is 10001001. (Check: C300 XOR C500 = 01100100 = PT300 XOR PT500, as expected when the keystream is reused.)

#29. In step 2 of the WEP encryption process, the IV is combined with the secret key and this combined value is entered as the seed for the pseudo-random number generator (PRNG) in Step 3. What is the advantage of combining the IV with the secret key to serve as the seed, instead of using the secret key alone as the seed?
By combining the IV with the secret key, each packet is encrypted with a different seed and hence a different RC4 keystream even though the secret key never changes. If the key alone were the seed, every packet would be XORed with the same keystream, and an eavesdropper could XOR two ciphertexts to cancel the keystream and obtain the XOR of the plaintexts, exactly as in #28. The IV is sent in the clear with the packet so that the receiver can reconstruct the seed. (WEP's 24-bit IV is too short, so IVs repeat quickly, which is the weakness #28 exploits.)
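Added example (not part of the original assignment) covering #28 and #29: a small RC4 implementation seeded WEP-style with IV || key, a demonstration that two packets sent under the same IV share a keystream, and the keystream-reuse recovery from #28 applied both to the bit strings of the question and to byte-string packets. The 40-bit key, the IV and the two plaintexts are constructed for this example, and the CRC-32 integrity check value that real WEP appends is omitted.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm (KSA) followed by the PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP steps 2 and 3 (#29): seed RC4 with IV || secret key, XOR the keystream onto
    the data. The CRC-32 ICV that real WEP appends is left out (assumption of this example)."""
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


wep_decrypt = wep_encrypt   # XOR with the same keystream undoes the encryption


def recover_from_iv_reuse(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """#28 on bytes: packets sent under the same IV share a keystream, so
    keystream = c_known XOR p_known and p_target = c_target XOR keystream."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_target, keystream[:len(c_target)])


def bits_xor(a: str, b: str) -> str:
    """XOR of two equal-length strings of '0'/'1' characters."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def recover_bits(c_known: str, p_known: str, c_target: str) -> str:
    """#28 on the bit strings as written in the question."""
    return bits_xor(c_target, bits_xor(c_known, p_known))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key (never seen by Eve)
    iv = bytes.fromhex("6789ab")           # constructed 24-bit IV reused by both packets
    p300 = b"GET /index.html "             # Eve knows this plaintext
    p500 = b"passwd=hunter2!!"             # Eve wants this one
    c300 = wep_encrypt(iv, key, p300)
    c500 = wep_encrypt(iv, key, p500)
    print("recovered packet 500:", recover_from_iv_reuse(c300, p300, c500))
    print("question #28 bits:   ", recover_bits("11001111", "11101101", "10101011"))
    print("different IV, different keystream:",
          rc4_keystream(iv + key, 8) != rc4_keystream(bytes.fromhex("6789ac") + key, 8))
```

Note that Eve never learns the WEP key: she only recovers the keystream for that one IV, which is enough because WEP reuses it verbatim for every later packet carrying the same IV.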
#30. Briefly explain the shared key authentication method used by WEP.
The WEP key is shared between the client and the access point, and the client must prove possession of it before it is allowed to associate. The access point sends the client a plaintext challenge; the client encrypts the challenge with the WEP key and returns the ciphertext; the access point decrypts the ciphertext and, if the result matches the challenge it sent, grants the client access.
#31. Give two advantages of WPA over WEP.
1) Stronger encryption: WPA uses the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet and uses a longer IV, so it is not susceptible to the keystream-reuse attacks that break WEP. 2) Better integrity and key management: WPA adds a message integrity check (MIC) against forged packets and, in enterprise mode, uses 802.1X to authenticate users and distribute per-session keys, so keys are distributed more easily than the single static WEP key shared by everyone.
#32. What is the main advantage of Temporal Key Integrity Protocol (TKIP) encryption?
It generates a new key for each packet (per-packet keying) instead of reusing one static key, extends the IV from 24 to 48 bits so that IVs are not repeated, and adds a 64-bit message integrity check (MIC) as a MAC in place of WEP's CRC-32.
#33. Identify two management weaknesses of the Pre-shared Key (PSK) used in WPA.
1) Distribution: the PSK is shared manually among all users without any technical protection, and good practice calls for changing it regularly, which causes extra work and locks out users who are not told about the change. 2) Guest access: to let a guest onto a PSK-protected WLAN, the key itself must be given to the guest, who then holds the same key as every other user.
