CS671 Spring 2021 Homework 3

Networking and Cybersecurity

Dr. Greg M. Bernstein

Due Wednesday, March 3rd, 2021 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are to get hands-on with some networking technologies to analyze a DoS attack, to understand more about botnets, and to work with cryptography.

Create and Use a new Branch hw3

We will create a new git branch called hw3 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 2. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw3. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.


Question 1. (10 pts)

For this problem, except for part (a), you will need the free, open-source WireShark network protocol analyzer. You will learn about the reflected and amplified DoS attack that I demonstrated in class and described in the course slides. For some of the questions you will use the following packet capture files that I made: UnsolicDNSSmall.pcapng and UnsolicDNS.pcapng.

(a) Multiple choice Chapter 3

Questions from Chapter 3 of the course text:

| Question | Answer | Question | Answer |
|---|---|---|---|
| 2 | | 3 | |
| 4 | | 7 | |
| 8 | | 9 | |

(b) WireShark and DNS Capture

Capture a DNS request and response exchange with WireShark and show a screenshot here. Highlight the request and the corresponding response in the screenshot. Notes: This is not as easy as it appears. First, you need a way to trigger a DNS request. Second, that request needs to be for “unsecured DNS”. For example, if I try using Firefox, which I have configured to use secure DNS (DNSSEC), I will not see any recognizable DNS traffic with WireShark. Hence I triggered the DNS traces shown in my screenshot with Chrome. Finally, when using WireShark you will tend to see a ton of packets, so you will generally need to put in a packet filter to restrict the display to just DNS packets.

Answer the following additional questions: (i) What is the domain name in your queries? (ii) What type of IP addresses are used by the machines for the DNS exchange? (iii) What type of DNS record was returned?

My screenshot looks like the following:

DNS Capture

(c) Where to send the DNS response?

Look at the DNS request packet in WireShark. Where does the DNS server that receives this packet get the information about where to send the response? Write down that IP address here. Show me a screenshot of the packet details so I can verify.

My packet screenshot looks like:

DNS request packet

(d) Why use reflection in an attack?

In my DoS attack on my laptop (IP address …), the attacker was using my Linux machine (IP address …). Open the packet capture file UnsolicDNSSmall.pcapng and look for DNS packets concerning the domain “www.grotto-networking.com”. Answer the following questions.

  1. Do you see both “queries and responses” or just “responses”?
  2. If my laptop didn’t ask for this information why was it sent?
  3. Who sent it?
  4. Can you tell from the packet who is responsible for it being sent?
  5. Why would an attacker use a reflection attack?

(e) Amplification in attacks

Using WireShark, open UnsolicDNS.pcapng and look for the relatively large unsolicited DNS messages that were received. Answer the following questions:

  1. How large is the Ethernet Frame? (in bytes)
  2. How large is the IP Packet?
  3. How many DNS resource records (total) are in the packet?
  4. What type of resource records (and their meaning) are in the packet?
  5. Why would an attacker want “Amplification”?
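As an added example (not from the assignment, the captures or the course notebooks), the following Python builds a constructed DNS query and an answer-heavy response, parses the header to count resource records as in part (e), computes the amplification ratio, and flags responses that no local query explains, which is the reflection pattern of parts (c) and (d). All packets and IP addresses here are constructed, not taken from the .pcapng files.

```python
"""Added example (not part of the assignment or its captures): parse DNS
messages, flag responses nobody asked for, and measure amplification.
All packets and addresses below are constructed by hand."""
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a 0 terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid, name):
    """Standard recursive A query (flags 0x0100) for `name`."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, addrs):
    """Response (flags 0x8180) carrying one A record per address; each record
    refers back to the question name with a compression pointer (0xC00C)."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + question + rrs

def parse_dns(msg):
    """Return (txid, is_response, qname, total_resource_records)."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, labels = 12, []
    while msg[off]:                      # question names are never compressed
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return txid, bool(flags & 0x8000), ".".join(labels), an + ns + ar

def amplification(query, response):
    """Bytes the victim receives per byte the sender of the query had to send."""
    return len(response) / len(query)

def unsolicited_responses(packets):
    """packets: (src_ip, dst_ip, raw_dns) in capture order.  A response is
    solicited only if this host sent a query with the same server, txid and
    qname; anything else is the reflection pattern seen in UnsolicDNS.pcapng."""
    outstanding, flagged = set(), []
    for src, dst, raw in packets:
        txid, is_resp, qname, rr_total = parse_dns(raw)
        if not is_resp:
            outstanding.add((dst, txid, qname))
        elif (src, txid, qname) in outstanding:
            outstanding.discard((src, txid, qname))
        else:
            flagged.append((src, qname, rr_total, len(raw)))
    return flagged
```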

Question 2. (10 pts)

Botnet readings and podcast: EP 13: Carna Botnet, BOTNETS 101: INFAMOUS BOTNETS OF THE 21ST CENTURY, 9 of History’s Notable Botnet Attacks.

(a) Multiple choice Chapter 4

Questions from Chapter 4 of the course text:

| Question | Answer | Question | Answer |
|---|---|---|---|
| 2 | | 3 | |
| 4 | | 5 | |
| 6 | | 20 | |

(b) The Carna Botnet

Answer the following questions concerning the Carna botnet:

  1. What was the estimated number of computers used in the botnet when it was at its peak in size?
  2. What was the primary method of gaining access (infecting) machines to join the botnet?
  3. What was the botnet primarily used for? Or what was it most famous for?

(c) The Mirai Botnet

Answer the following questions concerning the Mirai botnet:

  1. What was the estimated number of computers used in the botnet when it was at its peak in size?
  2. What was the primary method of gaining access (infecting) machines to join the botnet?
  3. What was the botnet primarily used for? Or what was it most famous for?

(d) Botnet uses

What are at least four illegal uses for botnets? List them here.

Question 3. (10 pts)

(a) Crack my shift Cipher examples

Use brute force to crack the following shift cipher examples (each may use a different shift). You can use my Python examples from Crypto Basics or simpleCipher.ipynb, which is an IPython/Jupyter notebook.


(b) Create a double substitution Algorithm

Create a cipher algorithm that uses two different substitution ciphers alternately on the letters of the plaintext. Show your Python code and an example encryption and decryption here.

(c) Encode a book

Encrypt the file sherlockHolmes.txt and show the results of a frequency analysis of the ciphertext here.

(d) Crack your Algorithm with a chosen plaintext

Show how to crack your algorithm with a chosen plaintext attack (like in the course notes and Python notebook).
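Here is an added Python example (not the course notebook's code) that covers parts (b), (c) and (d) together: a double substitution cipher alternating two seeded random alphabets, the letter-frequency count used for the analysis, and a chosen-plaintext attack that recovers both alphabets with a single 52-letter query. The key seed, sample message and the name `chosen_plaintext_attack` are this example's own choices.

```python
"""Added example (not the course notebook's code): a double substitution
cipher that alternates two random alphabets, the frequency count used in
part (c), and the chosen-plaintext recovery of both alphabets in part (d)."""
import random
import string

ALPHA = string.ascii_lowercase

def make_key(seed):
    """Two independent random substitution alphabets (seeded for repeatability)."""
    rng = random.Random(seed)
    k1, k2 = list(ALPHA), list(ALPHA)
    rng.shuffle(k1)
    rng.shuffle(k2)
    return "".join(k1), "".join(k2)

def encrypt(plaintext, key):
    """The i-th letter (counting letters only) is substituted with key[i % 2];
    spaces and punctuation pass through unchanged."""
    out, i = [], 0
    for ch in plaintext.lower():
        if ch in ALPHA:
            out.append(key[i % 2][ALPHA.index(ch)])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext, key):
    """Invert each alphabet and undo the alternation."""
    inverse = [{c: p for p, c in zip(ALPHA, k)} for k in key]
    out, i = [], 0
    for ch in ciphertext:
        if ch in ALPHA:
            out.append(inverse[i % 2][ch])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def frequencies(text):
    """Relative letter frequencies; a double substitution splits each plaintext
    letter's share over two ciphertext letters, flattening the profile."""
    letters = [c for c in text.lower() if c in ALPHA]
    return {c: letters.count(c) / len(letters) for c in ALPHA}

def chosen_plaintext_attack(oracle):
    """One chosen plaintext 'aabbcc...zz' pushes every letter through both
    alphabets, so the even and odd ciphertext positions are the two keys."""
    ct = oracle("".join(c + c for c in ALPHA))
    return ct[0::2], ct[1::2]
```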

Question 4. (10 pts)

(a) AES efficiency

What is a micro-controller? Is AES available for micro-controllers? (Hint: look for AES and Arduino). If AES is available for micro-controllers why is security of IoT a problem?

(b) Key Length Compromise

Why would using text directly as a key in AES potentially compromise security? A 256-bit AES key corresponds to how many bytes? What portion of each byte is not being used for key material if we know that every byte in the key is an ASCII printable character? What does this imply for a 256-bit key? Rough approximations are sufficient here; just justify your answer.

(c) Bad AES Use

As demonstrated in class, even though AES is a very well proven encryption algorithm, its misuse can leave huge security holes. To see this yourself, take a screenshot of something without much detail on your computer. Save it in JPEG format. Using either the Python in the AES slides or this Jupyter notebook, encrypt the raw bytes with AES-ECB and show me the result here.

Then encrypt it with AES-CBC and show me the result here.
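To make the ECB-versus-CBC difference measurable rather than just visible, here is an added Python example (not the course slides' or notebook's code) that encrypts a constructed 8-bit bitmap with both modes and counts how many 16-byte ciphertext blocks repeat. It assumes the `cryptography` package is installed and uses uncompressed pixel data because compressed formats such as JPEG repeat far fewer blocks, so ECB leakage is clearest on raw pixels.

```python
"""Added example (not the course slides' code): AES-ECB vs AES-CBC on an
image-like plaintext, measured by how many 16-byte ciphertext blocks repeat.
Requires the `cryptography` package; the bitmap below is constructed."""
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def constructed_image(width=64, height=32):
    """8-bit grayscale raster: a black rectangle on a white background.  Like a
    screenshot "without much detail", it is mostly identical 16-byte blocks."""
    rows = []
    for y in range(height):
        row = bytearray(b"\xff" * width)
        if 8 <= y < 24:
            row[16:48] = b"\x00" * 32
        rows.append(bytes(row))
    return b"".join(rows)

def aes_encrypt(data, key, mode):
    """Raw AES in `mode`; `data` must already be a multiple of 16 bytes."""
    encryptor = Cipher(algorithms.AES(key), mode).encryptor()
    return encryptor.update(data) + encryptor.finalize()

def distinct_block_ratio(ciphertext):
    """Fraction of 16-byte blocks that are unique: ~1.0 is what a sound mode
    gives; well below 1.0 means the plaintext's structure survived encryption."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    return len(set(blocks)) / len(blocks)

def compare(key=None, iv=None):
    """Encrypt the same image under ECB and CBC with one key; return both ratios."""
    key = key or os.urandom(32)      # AES-256
    iv = iv or os.urandom(16)
    image = constructed_image()
    ecb = aes_encrypt(image, key, modes.ECB())
    cbc = aes_encrypt(image, key, modes.CBC(iv))
    return distinct_block_ratio(ecb), distinct_block_ratio(cbc)

if __name__ == "__main__":
    ecb_ratio, cbc_ratio = compare()
    print(f"distinct blocks: ECB {ecb_ratio:.3f}  CBC {cbc_ratio:.3f}")
```

The ECB ciphertext of this image contains only two distinct blocks (one for white, one for black), which is exactly why the picture's outline is still readable; under CBC every block differs.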

Question 5. SSH and Public Keys (10 pts)

(a) Generate a key pair for SSH

On your laptop or other machine generate a Public/Private key pair using ssh-keygen. Show one of those pairs here. Which of the keys can you safely share on your homework?

(b) Share Key with CS Server

For your account on the CS department server set it up to use public key access. Show your modified authorized_keys file here.

(c) Demonstrate login without Password

Demonstrate that you can log in to your account without a password, e.g., take a screenshot right after successfully logging in with your keys. Mine looks like:

SSH with no password