College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

CEG 499/699:
Internet Security

Mid Term Exam 1

Feb 2000   100 points max   75 minutes
Prabhaker Mateti, Winter Quarter 2000

This is a closed book/notes/... exam, except for the three papers by

You are free to refer to copies of the above papers, but be careful that you do not use up your time.  It is hard to answer all the questions in 75 minutes.

1. (6 points each) Explain/Discuss/Dispute/Answer, in a few lines, the following.
   1. If an attacker causes your machine to crash, that attack can be labeled a denial of service attack.
   2. Masquerading, spoofing, and smurfing are related terms.
   3. Nonrepudiation is a security service.
   4. Inserting oneself into a communication link between two other users, without their knowledge, is ok to do if the two users are terrorists.
   5. For a malicious program to be called a virus, it must not embed in such a way that it is executed intermittently.
2. (5*3 points) (a) Write, in pseudo-code, the structure of a virus. (b) Name and describe any two types of viruses. (c) Describe how the two types may be detected.
3. (15 points) Assume that passwords are limited to the 26 lowercase letters and the 10 digits. Assume that all passwords are between 5 and 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second. How long will it take to test exhaustively all possible passwords? Show all your work.
4. (15+10 points) Suppose that an attacker has acquired privileges to read/write/execute any file on a Unix system. Suppose his/her goal is to obtain the userid-password combinations from the first one hundred logins, and then to restore whatever files he/she changed to their originals so that this activity has a greater chance of going unnoticed. (a) Describe (algorithmically, in pseudo-code) what files are changed, where, and how. (b) What steps could a system administrator have taken so that this activity was noticed?
5. (15 points) In the context of TCP sequence numbers, one of the papers describes an attack. The following is a quote from the section on defending against such an attack. Please note the bold-faced items, and answer the questions posed below.

Let us consider whether a counter that operated at a true 250,000 Hz rate would help. For simplicity's sake, we will ignore the problem of other connections occurring, and only consider the fixed rate of change of this counter.

To learn a current sequence number, one must send a SYN packet, and receive a response, as follows:

    X -> S: SYN(ISN X)
    S -> X: SYN(ISN S), ACK(ISN X)                     (1)

The first spoof packet, which triggers generation of the next sequence number, can immediately follow the server's response to the probe packet:

    X -> S: SYN(ISN X), SRC = T                        (2)

The sequence number ISN S used in the response

    S -> T: SYN(ISN S), ACK(ISN X)

is uniquely determined by the time between the origination of message (1) and the receipt at the server of message (2). But this number is precisely the round-trip time between X and S. Thus, if the spoofer can accurately measure (and predict) that time, even a 4 micro-second clock will not defeat this attack.

(2+3+5+5 points) Is the S on the left of the arrow -> the same as the S on the right of the arrow? What are SYN, ACK, and ISN? What is meant by SRC = T? Explain why it is uniquely determined.
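The quoted argument, as an added example that is not part of the exam or of the paper it quotes: the server's ISN generator is modelled as the 250,000 Hz counter (one tick every 4 microseconds) and played through steps (1) and (2), beside an RFC 1948-style generator that adds a per-connection keyed-hash offset. The secret, host names and timings are constructed values.

```python
# Added example (not from the exam or the paper it quotes): the ISN
# generator from the quote, a fixed 250,000 Hz counter (one tick per 4 us),
# beside an RFC 1948-style generator that adds a per-connection keyed-hash
# offset. The secret, times and host names below are constructed.
import hashlib

TICK_US = 4                           # 250,000 Hz -> one counter tick every 4 microseconds
SECRET = b"constructed-demo-secret"   # constructed; a real host would draw this at boot

def counter_isn(t_us, src, dst):
    """Generator from the quote: the ISN is just the counter value at the
    instant S processes the SYN. src/dst are ignored on purpose."""
    return (t_us // TICK_US) % 2**32

def hashed_isn(t_us, src, dst):
    """RFC 1948-style generator: the same counter plus an offset that is a keyed
    hash of the connection endpoints, so a SYN from X and a SYN from T arriving
    at the same instant get unrelated ISNs."""
    digest = hashlib.sha256(SECRET + f"{src}->{dst}".encode()).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (t_us // TICK_US + offset) % 2**32

def predict_from_probe(isn_probe, rtt_us):
    """X's reasoning in the quote: the ISN S sent in reply (1), advanced by the
    ticks the counter accumulates during the round trip before (2) arrives."""
    return (isn_probe + rtt_us // TICK_US) % 2**32

def scenario(generator, rtt_us, t_probe_us=1_000_000):
    """Play steps (1) and (2) of the quote against one generator and return
    (predicted, actual): what X predicts for the ISN S will send to T, and
    the ISN S really generates for that spoofed SYN."""
    isn_probe = generator(t_probe_us, "X", "S")           # S answers X's probe (1)
    actual = generator(t_probe_us + rtt_us, "T", "S")     # S answers the SYN with SRC = T (2)
    return predict_from_probe(isn_probe, rtt_us), actual

if __name__ == "__main__":
    for name, gen in (("250 kHz counter", counter_isn), ("keyed-hash offset", hashed_isn)):
        predicted, actual = scenario(gen, rtt_us=2_000)    # 2 ms round trip, known to X
        verdict = "PREDICTABLE" if predicted == actual else "not predictable"
        print(f"{name:18s} predicted={predicted:10d} actual={actual:10d} {verdict}")
```

With the bare counter, X's prediction equals S's actual ISN whenever the round trip is known to within one tick; with the hashed offset the prediction misses by the difference between the two connections' offsets, which X cannot compute without the secret.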


07/06/00
pmateti@cs.wright.edu