EC310 12-week Review - USNA 12wk...Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of hand A team must

EC310

12-week

Review

Rules of Engagement

Teams selected by instructor

Host will read the entire questions. Only after, a team may “buzz” by

raise of hand

A team must answer the question within 5 seconds after buzzing in

(must have answer at hand)

If the answer is incorrect, the team will lose its turn and another

team may buzz in. No score will be deducted. No negative scores.

Maximum score is 100. Once reached, that team will stand down for

others to participate. Teams will earn all points scored at the end of

game.

When selecting a question, Teams must only select questions of

different value, unless there are no others, but may be from different

categories.

All team members will participate and will answer questions

Only one round - No Daily Doubles, Double Jeopardy or Final

Jeopardy … and no partial credits!

Jeopardy!

TCP/IP

Model

Ethernet Internet

Protocol

ARP Routing /

MITM

Privileges

/ Buffer

Overflow

BGP /

BGP

Routing

10 pts 10 pts 10 pts 10 pts 10 pts 10 pts








10 pts

20 pts

40 pts

60 pts

Which TCP/IP layer is responsible for processes

that provide services to HTTP or FTP?

TCP/IP 10 pts

Application Layer

How many bytes are in a physical address?

Ethernet 10 pts

6 Bytes

Example F2 : 45 : 17 : FF : 71 : A2

Which of the following is not a valid IP address?

(a) 192.148.2.0

(b) 0.0.0.0

(c) 200.256.32.104

(d) 172.31.22.48

Internet Protocol 10 pts

Maximum octet value = 255

Which two layers does the Address Resolution

Protocol (ARP) involve?

ARP 10 pts

Layer 2 (Data Link)

&

Layer 3 (Network)

Routing tables are maintained on which of the following:

(a) routers

(b) host computers

(c) both a & b

(d) neither

Routing Tables 10 pts

TRUE/FALSE: It is best to order the routing

table by decreasing mask value.

Routing/MITM 10 pts

True! This is “longest mask matching” principle

What does the Linux command sudo do?

Privileges/Buffer Overflow 10 pts

Executes a single command as the root user!

The Transport layer is encapsulated by which

layer?

TCP/IP 20 pts

Network Layer (Layer 3)

What is the purpose of the CRC field in an

Ethernet frame?

Ethernet 20 pts

Used for Error Detection

What is the network address for the IP address 200.32.33.234 / 23 ?


200. 32.00100001.11101010

200. 32.00100000.00000000

(Host bits)(Network bits)

Zero out the host bits to get…

200.32.32.0

(mask)

(IP address)

(Network ID)

255.255.11111110.00000000(Mask)

An evil attacker launching an ARP-spoof

attempts to associate his ___________

address with the victim’s ___________

address.

Answer choices: hardware or IP

ARP 20 pts

hardware

IP

Routing/MITM 20 pts

If a router receives a packet with a destination

IP address that does not match any of the

networks on the routing table, what does the

router do with it?

The router sends it to the default router.

This is often indicated in the routing table by:

Mask Network

Any Any

or

/0 0.0.0.0


What does setting the setuid permission on

an executable program do?

Whenever the program is executed it

will behave as though it were being

executed by the owner!

TCP/IP 40 pts

What is the name of the collection of 1’s and 0’s

at layers 5 through 2?

Layer 5 – “Message”

Layer 4 – “Segment”

Layer 3 – “Packet or Datagram”

Layer 2 – “Frame”

Calculate the bandwidth seen by user 3 if each

network is connected via 10 Mbps Ethernet.

Ethernet 40 pts

1

2

3

4

5

6

B1 B2

10Mbps ÷ 3 = 3.33Mbps

How many addresses can be assigned to hosts

on the network 138.43.29.128 / 26 ?


32 total bits – 26 network bits = 6 host bits

26-2=62 addresses assignable to hosts.

Account for the broadcast

and network addresses.

What two types of ARP messages exist?

What is the fundamental problem with ARP that

allows an ARP-spoof to be possible?

ARP 40 pts

ARP Request

&

ARP Reply

An ARP reply can be sent (and be accepted!) without

an ARP request

Routing/MITM 40 pts

Fill in the missing information in the routing table for

R1.


What is the correct order for arranging the payload in a

buffer overflow attack, and what are their purposes?

Choices are given below:

The exploit (shellcode)

Repeated return addresses

NOP sledNOP Sled – It is a series of “no operation” commands that lets the hacker

be a bit off with the return address, so that the return address just has to

point anywhere within the NOP sled. Otherwise, the return address would

need to be the precise first address of the exploit.

The exploit – This is the executable program.

Repeated return addresses – The return address points towards the exploit

as the next instruction (however, see the note regarding the NOP sled). It

is repeated so that the hacker would have a number of chances to get the

address correctly positioned in the Return Address field in the stack.

Suppose an application entity wants to send a

100 byte message to a peer entity. If each layer

from 4-2 appends a 15 byte header, what

percentage of the total frame size is actual

application entity data?

TCP/IP 60 pts

[100 / (100+15+15+15) ] x100 = 69%

Ethernet 60 pts

Assume the Network layer passes the Data Link

layer 6030 bytes of information to transmit. How

many Ethernet frames will be required?

6030÷1500 = 4.02 thus 5 Frames

What is the block of addresses assigned to the

network 56.45.100.0 / 23 ?


56.45.01100100.00000000

56.45.01100100.00000000

56.45.01100101.11111111

(Network bits) (Host bits)

= 56.45.100.0 (First Address)

= 56.45.101.255 (Last Address)

(mask)

. . .

N1 : L1

N2 : L2

N3 : L3

N4 : L4

N5 : L5

You are user C in the network below. Design an

ARP Spoofing attack on User D. What changes

would you make to the ARP cache?

ARP 60 pts

L3

Routing/MITM 60 pts

Design an MITM attack to divert traffic from the server

Target’s

Network

40 .230 .45 .128

00101000 11100110 00101101 1 0 0 0 0 0 0 0

Target’s

IP Address

40 .230 .45 .161

00101000 11100110 00101101 1 0 1 0 0 0 0 1

Attacker’s

Lie

40 .230 .45 .160

00101000 11100110 00101101 1 0 1 0 0 0 0 0

40.230.45.161

Ans: 40.230.45.160 / 27

Other possible Answers:

40.230.45.160 / 28

40.230.45.160 / 29

40.230.45.160 / 30

40.230.45.160 / 31

Target’s

Network

40 .230 .45 .128

00101000 11100110 00101101 1 0 0 0 0 0 0 0

Target’s

IP Address

40 .230 .45 .161

00101000 11100110 00101101

Attacker’s

Lie

Name and describe two technical solutions to

prevent a buffer overflow attack.


The non-executable stack: The CPU will not execute any

machine instructions located in the portion of main memory

reserved for the stack.

The stack canary: The CPU checks a known value in

memory just prior to the location of the return address (to

make sure it was not changed) before resetting the EIP.

Address space layout randomization: The stack and

the heap are placed in random memory locations,

preventing the hacker from easily predicting return

addresses’ location.

Briefly describe each of the following

Autonomous Systems Categories:

(a) Stub AS

(b) Multihomed AS

(c) Transit AS

BGP/BGP Routing 10 pts

- Has only one connection to another AS

- Has more than one connection to other ASes, but

doesn’t allow data to pass through it

- Connects to more than one AS and allows traffic to

pass through it

Describe the steps followed in BGP routing

when selecting a route.


1) a BGP router first attempts to find all paths from the

router to a given destination

2) it then judges these paths against the policies of the AS

administrator

3) it then selects a “good enough” path to the destination

that satisfies the policy constraints


What AS path would an IP packet

from 12.12.12.1 take to reach

17.17.200.2?


from 13.13.13.3 take reach

17.17.200.2?


from 20.20.20.1 take to reach

17.17.200.2?

40 – 2003 – 2005

40 – 2003 – 2005

60 – 40 – 2003 – 2005

Consider the network diagram and BGP route

announcement from Router 3 below, assuming no local

preferences are set.

Name and describe (include negative and positive consequences)

one technical solution that an AS network operator can use to

combat prefix hijacking an MITM attack on BGP networks?


Filtering – Best current practices for AS network operators dictate the use of filters at AS borders

to reject suspicious route announcements or alter malicious route attributes. Filters are manually

established based on the routing policies of an organization. Filtering has both a business cost

and computational cost associated with it.

Internet Routing Registries – These are repositories of the IP prefixes, ASNs, routing policy,

network topology, and human points of contact for those ASes which choose to register their

information. While this method may be effective, the downside is that these registries are only

effective if the registry data is secure, complete, and accurate, which is currently not guaranteed.

Resource Public Key Infrastructure (RPKI) – Similar to the IRRs, RPKI is a repository of Internet

routing information. The key difference is that it uses the X.509 certificate system to provide

cryptographic assurance of (1) the association between an ASN and the IP prefixes it has been

allocated, and (2) the association between an ASN and the IP prefixes it is authorized to originate.

There is nothing in RPKI which validates the route attributes, including the AS path, associated with a BGP

route announcement from an AS.

Nor does it provide certainty that the AS which has registered their information used the correct ASN or set of

prefixes.

Nor does it provide network topology information or human points of contact as with IRRs.

Lastly, it does not mandate that network operators use this information when constructing their filters.

How RPKI is applied is entirely dependent on what AS network operators choose to do with the information

available.

Documents

EC310 12-week Review - USNA 12wk...Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of hand A team must