CIS3360: Security in Computing
A course focusing on security principles, methodologies, and technologies used to protect computer systems and networks.
Olivia Smith
CIS3360: Security in Computing
Homework 2
1. (35 points) Knowledge-based Questions:
a. Although the majority of current botnets use the centralized C&C communication architecture, why are they very hard to shut down even if defenders know all of the bot machines in a botnet?
b. Give the name of a real rootkit that utilizes the Direct Kernel Object Manipulation (DKOM) technique.
c. What is Trojan malware? What is a backdoor?
d. What is ARP? In what network layer is ARP used?
e. What is a Smurf attack? What is a SYN flooding attack?
f. What are the two major DNS query modes? How many types of resource records are saved on a DNS server?
g. Why is it easy for an attacker to send out spoofed packets in the "thin pipe/thick pipe" method while it is very hard for an attacker to inject spoofed packets in a normal TCP communication session?
a. Even if defenders know all the infected bot machines in a botnet, shutting it down is difficult for several reasons:
1. Bot machines can be distributed across many countries, making legal actions or takedowns complicated and time-consuming.
2. Botnets can use decentralized C&C (command-and-control) structures or peer-to-peer (P2P) networks, where nodes can act both as bots and controllers. This makes it harder to shut down the entire botnet by targeting a single C&C server.
3. Fast-flux techniques allow attackers to quickly change their C&C server's IP address, making it harder for defenders to block the botnet effectively.
4. Infected machines are often spread across different ISPs and networks, making the identification and removal of infected hosts more challenging.
b. A well-known example of a rootkit that uses the Direct Kernel Object Manipulation (DKOM) technique is the Zeus rootkit. It manipulates the Windows kernel to hide its presence and prevent detection by antivirus software.
c. Trojan malware: A Trojan is a type of malicious software that pretends to be a legitimate program but actually contains harmful code designed to compromise the security of the victim's system. It does not self-replicate like viruses but relies on the victim's actions to execute.
Backdoor: A backdoor is a method of bypassing normal authentication and security mechanisms in a system to gain unauthorized access. It allows an attacker to remotely control the system or inject further malicious actions without detection.
d. ARP (Address Resolution Protocol) is a protocol used to map a known IP address to its corresponding MAC (Media Access Control) address in a local network. ARP operates in the Data Link layer (Layer 2) of the OSI model, allowing devices to locate each other on a local network by resolving IP addresses to MAC addresses.
e. Smurf attack: A Smurf attack is a type of DDoS (Distributed Denial of Service) attack where an attacker sends a large volume of ICMP Echo (ping) requests with a spoofed source IP address (the victim's IP address) to a network's broadcast address. This causes all devices on the network to reply to the victim, overwhelming it.
SYN flooding attack: A SYN flood is a type of DoS attack in which an attacker sends a flood of TCP/SYN packets, usually with a spoofed sender address. This causes the target system to allocate resources waiting for a connection that never completes, leading to resource exhaustion and denial of service.
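The resource exhaustion described for a SYN flood shows up on the target as a pile of half-open (SYN-RECV) connections that never complete. The following added example (not part of the homework) parses a constructed `ss -tan`-style connection table and flags listening ports whose half-open backlog is large and dwarfs the number of completed connections; the addresses, thresholds and the `suspected_syn_flood` helper are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed `ss -tan`-style connection table (sample data, not a real host):
# the pile of SYN-RECV entries on port 80 from scattered peers is what a
# SYN flood's never-completed handshakes look like on the target.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      192.0.2.10:22      198.51.100.7:51234
SYN-RECV 0      0      192.0.2.10:80      203.0.113.1:40001
SYN-RECV 0      0      192.0.2.10:80      203.0.113.2:40002
SYN-RECV 0      0      192.0.2.10:80      203.0.113.3:40003
SYN-RECV 0      0      192.0.2.10:80      203.0.113.4:40004
SYN-RECV 0      0      192.0.2.10:80      203.0.113.5:40005
ESTAB    0      0      192.0.2.10:80      198.51.100.9:52000
SYN-RECV 0      0      192.0.2.10:443     198.51.100.9:52001
"""

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\d+$")

def parse_ss(output):
    """Yield (state, local_port, peer_ip) for each connection line, skipping the header."""
    for line in output.splitlines()[1:]:
        m = LINE_RE.match(line.strip())
        if m:
            state, lport, peer = m.groups()
            yield state, int(lport), peer

def half_open_by_port(output):
    """Per local port: half-open (SYN-RECV) count, completed count, distinct peers."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, port, peer in parse_ss(output):
        if state == "SYN-RECV":
            stats[port]["half_open"] += 1
            stats[port]["peers"].add(peer)
        elif state == "ESTAB":
            stats[port]["established"] += 1
    return stats

def suspected_syn_flood(output, min_half_open=5, min_ratio=2.0):
    """Ports whose half-open backlog is large and dwarfs completed connections."""
    flagged = []
    for port, s in half_open_by_port(output).items():
        ratio = s["half_open"] / max(s["established"], 1)
        if s["half_open"] >= min_half_open and ratio >= min_ratio:
            flagged.append(port)
    return sorted(flagged)
```

Because the flood's source addresses are usually spoofed, the distinct-peer count grows with the backlog; a legitimate burst from one busy client does not.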
f. DNS Query Modes:
1. Iterative Query: The DNS resolver queries a DNS server for the requested domain name. If that server doesn't have the information, it returns a referral to another DNS server that may have the information.
2. Recursive Query: The DNS resolver asks a DNS server to fully resolve the query, meaning that the server takes responsibility for resolving the query, either returning the result or an error if it cannot find the information.
Resource Record Types: There are several types of DNS resource records, including:
1. A (Address record) – Maps a domain name to an IPv4 address.
2. MX (Mail Exchange record) – Defines the mail server for a domain.
3. CNAME (Canonical Name record) – Alias for a domain name.
4. NS (Name Server record) – Specifies authoritative DNS servers.
5. PTR (Pointer record) – Used for reverse DNS lookups.
6. SOA (Start of Authority record) – Indicates the authoritative information for a DNS zone.
7. TXT (Text record) – Holds arbitrary text information, such as SPF data.
8. AAAA (IPv6 address record) – Maps a domain name to an IPv6 address.
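The difference between the two query modes is easiest to see by tracing who follows the referrals. The following added example (not from the homework) models a tiny, constructed name-server hierarchy in memory: `iterative_resolve` walks root → TLD → authoritative server itself, while `recursive_query` sends one question to a resolver that does that walk and caches the answer. The server names, zones, the MX and A data and the helper names are all assumptions made for the example.

```python
# Constructed in-memory name-server hierarchy (sample data, not real DNS):
# each server either answers authoritatively or refers the asker onward.
ROOT = "root"
SERVERS = {
    "root":       {"refer": {"edu.": "edu-tld"}},
    "edu-tld":    {"refer": {"example.edu.": "ns-example"}},
    "ns-example": {"answer": {("example.edu.", "MX"): "mail.example.edu.",
                              ("mail.example.edu.", "A"): "192.0.2.25"}},
}

def query(server, name, qtype):
    """One non-recursive request: ('answer', data), ('refer', server) or ('nxdomain', None)."""
    srv = SERVERS[server]
    if (name, qtype) in srv.get("answer", {}):
        return "answer", srv["answer"][(name, qtype)]
    # Referral: the most specific delegated zone that the name falls under.
    for zone, ns in sorted(srv.get("refer", {}).items(), key=lambda kv: -len(kv[0])):
        if name == zone or name.endswith("." + zone):
            return "refer", ns
    return "nxdomain", None

def iterative_resolve(name, qtype, max_hops=8):
    """Iterative mode: the asker follows each referral itself, starting at the root.
    Returns (data or None, list of servers contacted)."""
    server, path = ROOT, []
    for _ in range(max_hops):
        path.append(server)
        kind, data = query(server, name, qtype)
        if kind != "refer":
            return data, path
        server = data
    return None, path            # referral loop: give up rather than spin forever

def recursive_query(name, qtype, cache):
    """Recursive mode: the client sends one query; the resolver does the iterative
    walk on its behalf and caches the answer for the next client."""
    key = (name, qtype)
    if key not in cache:
        cache[key] = iterative_resolve(name, qtype)[0]
    return cache[key]
```

Resolving the MX record and then the A record of the mail host it names is exactly the two-step lookup that `dig mx` followed by an address lookup performs for a domain.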
g. The "thin pipe/thick pipe" method involves an attacker sending packets using a simple UDP-based attack or ICMP flood where no session or connection needs to be established. Since there's no TCP handshake, it is easy for an attacker to send spoofed packets to a target without having to maintain any session state. In contrast, in a normal TCP communication session, there is a three-way handshake (SYN, SYN-ACK, ACK), which makes it very hard for attackers to inject spoofed packets without proper sequence numbers or control over the session state. Spoofed packets in a TCP session will be rejected by the target since the sequence numbers and acknowledgment will not align, preventing successful injection of malicious packets.
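The contrast drawn above rests on the acceptance checks a TCP receiver applies and UDP does not. The following added example (not from the homework) models the receiving side of an established TCP session: a segment is accepted only when its sequence number falls inside the receive window and its ACK covers bytes this side really sent, while the UDP counterpart delivers anything addressed to the port. The state values, the `TcpReceiver` class and `session_example` are assumptions made for the example; sequence-number wraparound is ignored.

```python
class TcpReceiver:
    """Minimal receiving side of an established TCP session (sample model, not a
    full TCP): a segment is accepted only when its sequence number falls inside
    the receive window and its ACK covers bytes this side actually sent.
    Sequence-number wraparound is ignored for clarity."""

    def __init__(self, rcv_nxt, snd_una, snd_nxt, rcv_wnd=65535):
        self.rcv_nxt = rcv_nxt      # next byte we expect from the peer
        self.rcv_wnd = rcv_wnd      # how far ahead of rcv_nxt we will accept
        self.snd_una = snd_una      # oldest byte we sent that is not yet acked
        self.snd_nxt = snd_nxt      # next byte we will send
        self.delivered = b""        # in-order data handed to the application

    def accept(self, seq, ack, payload):
        """Return True if the segment is accepted, False if silently dropped."""
        in_window = self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd
        ack_valid = self.snd_una <= ack <= self.snd_nxt
        if not (in_window and ack_valid):
            return False            # seq/ack do not match the session: dropped
        if seq == self.rcv_nxt:     # in order: deliver and advance the window
            self.delivered += payload
            self.rcv_nxt += len(payload)
        # Out-of-order but in-window data would be buffered; omitted here.
        return True


def udp_deliver(payload, sink):
    """UDP keeps no session state, so any datagram for the port is delivered."""
    sink.append(payload)
    return True


def session_example():
    """Legitimate segment accepted; segments with mismatched seq or ack dropped."""
    rx = TcpReceiver(rcv_nxt=5000, snd_una=1000, snd_nxt=1400)
    legit = rx.accept(5000, 1200, b"GET / ")
    bad_seq = rx.accept(900000, 1200, b"x")        # far outside the receive window
    bad_ack = rx.accept(5006, 99999, b"x")         # acks bytes this side never sent
    return legit, bad_seq, bad_ack, rx.delivered
```

A 32-bit sequence space plus the ACK check is what makes blind injection impractical; the same check is why a receive window that is too large weakens the protection.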
2. (20 points) DNS Query:
The following shows the result when I use "dig mx knights.ucf.edu" (unrelated text has been cut). Please answer the following questions:
1). What is the name of the email server that is in charge of UCF student email accounts of the form username@knights.ucf.edu?
2). What are the IP addresses used for this email server?
3). What are the IP addresses of UCF's authoritative DNS servers?
jlazar@eustis:~$ dig mx knights.ucf.edu
Document Details
University
Seminole State College of Florida
Subject
Information Technology