CIS3360: Security in Computing
A course focusing on security principles, methodologies, and technologies used to protect computer systems and networks.
Contributor: Olivia Smith
Homework 2

1. (35 points) Knowledge-based Questions:
a. Although the majority of current botnets use the centralized C&C communication architecture, why are they very hard to shut down even if defenders know all of the bot machines in a botnet?
b. Give the name of a real rootkit that utilizes the Direct Kernel Object Manipulation (DKOM) technique.
c. What is Trojan malware? What is a backdoor?
d. What is ARP? In what network layer is ARP used?
e. What is a Smurf attack? What is a SYN flooding attack?
f. What are the two major DNS query modes? How many types of resource records are saved on a DNS server?
g. Why is it easy for an attacker to send out spoofed packets in the "thin pipe/thick pipe" method, while it is very hard for an attacker to inject spoofed packets in a normal TCP communication session?

• a. Even if defenders know all the infected bot machines in a botnet, shutting it down is difficult for several reasons:
  1. Bot machines can be distributed across many countries, making legal actions or takedowns complicated and time-consuming.
  2. Botnets can use decentralized C&C (command-and-control) structures or peer-to-peer (P2P) networks, where nodes can act both as bots and controllers. This makes it harder to shut down the entire botnet by targeting a single C&C server.
  3. Fast-flux techniques allow attackers to quickly change their C&C server's IP address, making it harder for defenders to block the botnet effectively.
  4. Infected machines are often spread across different ISPs and networks, making the identification and removal of infected hosts more challenging.
• b. A well-known example of a rootkit that uses the Direct Kernel Object Manipulation (DKOM) technique is the Zeus rootkit. It manipulates the Windows kernel to hide its presence and prevent detection by antivirus software.
• c.
  o Trojan malware: A Trojan is a type of malicious software that pretends to be a legitimate program but actually contains harmful code designed to compromise the security of the victim's system. It does not self-replicate like a virus but relies on the victim's actions to execute.
  o Backdoor: A backdoor is a method of bypassing normal authentication and security mechanisms in a system to gain unauthorized access. It allows an attacker to remotely control the system or inject further malicious actions without detection.
• d. ARP (Address Resolution Protocol) is a protocol used to map a known IP address to its corresponding MAC (Media Access Control) address in a local network. ARP operates in the Data Link layer (Layer 2) of the OSI model, allowing devices to locate each other on a local network by resolving IP addresses to MAC addresses.
• e.
  o Smurf attack: A Smurf attack is a type of DDoS (Distributed Denial of Service) attack where an attacker sends a large volume of ICMP Echo (ping) requests with a spoofed source IP address (the victim's IP address) to a network's broadcast address. This causes all devices on the network to reply to the victim, overwhelming it.
  o SYN flooding attack: A SYN flood is a type of DoS attack in which an attacker sends a flood of TCP SYN packets, usually with a spoofed sender address. This causes the target system to allocate resources while waiting for a connection that never completes, leading to resource exhaustion and denial of service.
• f.
  o DNS Query Modes:
    1. Iterative Query: The DNS resolver queries a DNS server for the requested domain name. If that server doesn't have the information, it returns a referral to another DNS server that may have the information.
    2. Recursive Query: The DNS resolver asks a DNS server to fully resolve the query, meaning that the server takes responsibility for resolving the query, either returning the result or an error if it cannot find the information.
  o Resource Record Types: There are several types of DNS resource records, including:
    1. A (Address record) – Maps a domain name to an IPv4 address.
    2. MX (Mail Exchange record) – Defines the mail server for a domain.
    3. CNAME (Canonical Name record) – Alias for a domain name.
    4. NS (Name Server record) – Specifies authoritative DNS servers.
    5. PTR (Pointer record) – Used for reverse DNS lookups.
    6. SOA (Start of Authority record) – Indicates the authoritative information for a DNS zone.
    7. TXT (Text record) – Holds arbitrary text information, such as SPF data.
    8. AAAA (IPv6 address record) – Maps a domain name to an IPv6 address.
• g. The "thin pipe/thick pipe" method involves an attacker sending packets using a simple UDP-based attack or ICMP flood where no session or connection needs to be established. Since there is no TCP handshake, it is easy for an attacker to send spoofed packets to a target without having to maintain any session state. In contrast, in a normal TCP communication session there is a three-way handshake (SYN, SYN-ACK, ACK), which makes it very hard for attackers to inject spoofed packets without the proper sequence numbers or control over the session state. Spoofed packets in a TCP session will be rejected by the target because the sequence and acknowledgment numbers will not align, preventing successful injection of malicious packets.

2. (20 points) DNS Query: The following shows the result when I use "dig mx knights.ucf.edu" (unrelated text has been cut). Please answer the following questions:
1). What is the email server name that is in charge of UCF student email accounts of the form username@knights.ucf.edu?
2). What are the IP addresses used for this email server?
3). What are the IP addresses of UCF's authoritative DNS servers?

jlazar@eustis:~$ dig mx knights.ucf.edu
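Added example for question 1e (not part of the homework): a small detector that flags the two flood patterns described there in a batch of packet summaries. A SYN flood shows up as many SYNs toward one host whose handshakes are never completed by the client's ACK; a Smurf attack shows up as one victim receiving ICMP echo replies from many distinct hosts. The packet records, field layout and thresholds are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed packet records: (src_ip, dst_ip, proto, flag).
# proto is "tcp" or "icmp"; flag is SYN / SYN-ACK / ACK for tcp,
# echo-request / echo-reply for icmp.
SAMPLE_PACKETS = (
    # 40 spoofed-looking SYNs to 192.0.2.10, answered but never ACKed back
    [("203.0.113.%d" % i, "192.0.2.10", "tcp", "SYN") for i in range(1, 41)]
    + [("192.0.2.10", "203.0.113.%d" % i, "tcp", "SYN-ACK") for i in range(1, 41)]
    # one legitimate, fully completed handshake
    + [("198.51.100.5", "192.0.2.10", "tcp", "SYN"),
       ("192.0.2.10", "198.51.100.5", "tcp", "SYN-ACK"),
       ("198.51.100.5", "192.0.2.10", "tcp", "ACK")]
    # 40 hosts on a broadcast segment all replying to the same victim
    + [("192.0.2.%d" % i, "198.51.100.77", "icmp", "echo-reply") for i in range(20, 60)]
)

def half_open_counts(packets):
    """Per destination: SYN senders whose handshake was never completed by their ACK."""
    syn_sources = defaultdict(set)    # dst -> sources that sent a SYN
    acked = defaultdict(set)          # dst -> sources that later sent the final ACK
    for src, dst, proto, flag in packets:
        if proto != "tcp":
            continue
        if flag == "SYN":
            syn_sources[dst].add(src)
        elif flag == "ACK" and src in syn_sources.get(dst, ()):
            acked[dst].add(src)
    return {dst: len(srcs - acked[dst]) for dst, srcs in syn_sources.items()}

def echo_reply_sources(packets):
    """Per destination: number of distinct hosts sending ICMP echo replies."""
    sources = defaultdict(set)
    for src, dst, proto, flag in packets:
        if proto == "icmp" and flag == "echo-reply":
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}

def detect_floods(packets, syn_threshold=30, smurf_threshold=30):
    """Return {victim_ip: alert_name} for hosts over either (assumed) threshold."""
    alerts = {}
    for dst, n in half_open_counts(packets).items():
        if n >= syn_threshold:
            alerts[dst] = "syn-flood"
    for dst, n in echo_reply_sources(packets).items():
        if n >= smurf_threshold:
            alerts[dst] = "smurf"
    return alerts
```

Real captures would key the half-open state on (src, dst, ports) and expire it after a timeout; the counting logic stays the same.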
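Added example for questions 1f and 2 (not part of the homework, and not the real dig output, which is cut from the page): a parser for dig's presentation-format output that pulls the MX host from the ANSWER section, its A records from the ADDITIONAL section, and the authoritative NS hosts with their addresses from the AUTHORITY/ADDITIONAL sections. The record values below are constructed placeholders.

```python
import re

# Constructed dig output; hostnames and addresses are placeholders, not UCF's.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
knights.ucf.edu.\t3600\tIN\tMX\t10 mail-placeholder.example.net.

;; AUTHORITY SECTION:
ucf.edu.\t3600\tIN\tNS\tns1-placeholder.example.net.
ucf.edu.\t3600\tIN\tNS\tns2-placeholder.example.net.

;; ADDITIONAL SECTION:
mail-placeholder.example.net.\t300\tIN\tA\t192.0.2.25
mail-placeholder.example.net.\t300\tIN\tA\t192.0.2.26
ns1-placeholder.example.net.\t300\tIN\tA\t198.51.100.53
ns2-placeholder.example.net.\t300\tIN\tA\t198.51.100.54
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")

def parse_dig(text):
    """Return (section, name, ttl, rtype, rdata) for every record line in dig output."""
    records, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";") or section is None:
            continue
        # name  ttl  class  type  rdata  (rdata may itself contain spaces, e.g. MX)
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((section, name, int(ttl), rtype, rdata))
    return records

def addresses_for(records, host):
    """All A/AAAA addresses the ADDITIONAL section gives for host, in listed order."""
    return [r for s, n, _, t, r in records
            if s == "ADDITIONAL" and n == host and t in ("A", "AAAA")]

def answer_question_2(text):
    recs = parse_dig(text)
    # MX rdata is "<preference> <exchange>"; the lowest preference is tried first.
    mx = sorted((int(r.split()[0]), r.split()[1])
                for s, _, _, t, r in recs if s == "ANSWER" and t == "MX")
    mail_host = mx[0][1]
    ns_hosts = [r for s, _, _, t, r in recs if s == "AUTHORITY" and t == "NS"]
    return {
        "mail_server": mail_host,
        "mail_server_ips": addresses_for(recs, mail_host),
        "authoritative_ns_ips": {h: addresses_for(recs, h) for h in ns_hosts},
    }
```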