Tutoring Case: EECS 402

May 15, 2020

EECS 402 “Internet Security and Privacy”
The Final Exam
65 points
Due on Friday, May 8, before 8am

1. (10 pts) In virtualized environments, the same server hosts multiple websites. Therefore, during the TLS handshake, the client must specify which website it is trying to access so that the server will know which certificate to return. Since this exchange happens before the certificates can be sent, in the TLS protocol as discussed in class, the clients specify the website in the clear. This allows a passive observer to learn which sites a given client is accessing. Propose a scheme that prevents this privacy vulnerability.

2. (5 pts) The DNSSEC protocol went to great lengths to develop an elaborate technique to support statically pre-signed responses that indicate that a queried domain name does not exist. What is the reason a DNSSEC server could not simply pre-sign a standard error message (equivalent to “NOT FOUND”) to indicate a non-existent name?

3. (10 pts) We say that numerous certificate authorities present a significant weak point in PKI security. Design a scheme that uses DNSSEC and the DNS hierarchy (rather than the PKI’s certificate authorities) to ensure (a) the same confidentiality as PKI and (b) that a response from foo.com’s website comes from the rightful owner of the foo.com domain. Assume the keys cannot be stolen or broken but Internet routes can be subverted to lead to a spoofed IP address. Be specific: sketch any new DNS record types and their contents that your scheme requires.

4. (10 pts) Describe a technique an attacker can use to evade detection by a rule-based IDS:
   a. (5 pts) Leveraging knowledge that there are extra routers deployed between the IDS monitor and the target end-host
   b. (5 pts) Leveraging knowledge that the IDS uses a shorter IP fragmentation cache timeout than the target end-system

5. (10 pts) Fraudulent TLS certificates undermine the foundation of security and trust of the Internet.
   a. (4 pts) Outline the prevalent technique in today’s Internet that aims to mitigate this threat and explain how it helps protect against fraudulent certificates.
   b. (3 pts) Describe the actions a participating website must take to benefit from this technique.
   c. (3 pts) Describe the actions a participating web browser must take to benefit from this technique.

6. (10 pts) Attackers commonly scan Internet IP addresses for well-known services, such as open SMTP relay servers, open Web proxy cache servers, etc., as the first step in utilizing these services for various malicious behaviors. To this end, the attackers attempt to open communication to target IP addresses on the default ports used by those servers (e.g., port 25 for SMTP servers). In response, network administrators monitor for port scanning activity and blacklist the perpetrating IP addresses and even work with the perpetrators’ ISPs to deprive them of Internet access altogether. Provide a technique allowing the perpetrator to leverage (some) content delivery networks to conduct such Internet scanning while avoiding detection.

7. (5 pts) The use of UDP by DNS, along with the fact that DNS responses are often much larger than requests, exposes DNS to being exploited for amplification+reflection attacks, where the attacker queries a DNS server using a forged source IP address of the victim. Can TCP be exploited for amplification+reflection attacks? Justify your answer (answers without explanation will not be accepted).

8. (5 pts) Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two popular anti-spam techniques. Some network administrators employ both – why? (Be technical and specific; a vague answer along the lines of “the more the merrier” will not be accepted.)

Author: admin