
Computer Networks - Final exam

Prof. J.-P. Hubaux and Dr. M. H. Manshaei December 21, 2010 Duration: 3:00 hours, closed book.

Please write your answers on these sheets in a readable way. Poorly written answers will not be corrected. Use extra sheets if necessary (put your name on them).

You may write your answers in English or in French.

The total number of points is 60.

This document contains 18 pages.

First Name (Prénom):
Last Name (Nom de famille):
SCIPER No:

Division: [ ] Communication Systems   [ ] Computer Science   [ ] Other (mention it): . . . . . . . . .

Year: [ ] Bachelor Year 2   [ ] Bachelor Year 3   [ ] Other (mention it): . . . . . . . . .

Short questions

(10 points)

For each question, please circle a single best answer.

1. WikiLeaks has recently faced DDoS (Distributed DoS) attacks. These attacks:
   (a) make use of Trojan horses to infect a specific host.
   (b) use botnets with thousands of compromised hosts.
   (c) install malware that corrupts and deletes sensitive files.
   (d) allow the attacker to reveal identities of people submitting documents to different servers.

2. Consider an HTTP client that wants to retrieve a Web document at a given URL. Assuming that the IP address of the HTTP server is initially unknown, what transport and application-layer protocols besides HTTP are needed?
   (a) UDP
   (b) TCP
   (c) DNS
   (d) all of the above

3. Among the following applications, which one is not suitable for a P2P architecture?
   (a) file sharing
   (b) electronic banking
   (c) video streaming
   (d) instant messaging

4. A Web cache:
   (a) can help prevent DoS attacks.
   (b) is a network entity that guarantees anonymity of Internet traffic.
   (c) responds to HTTP requests on behalf of a Web server.
   (d) makes use of cookies to reduce the response time for a client request.

5. In TCP, the timeout interval is a function of:
   (a) the estimated RTT at the transmitter.
   (b) the maximum segment size (MSS) and the overhead of a datagram.
   (c) the size of the buffer at the receiver.
   (d) both (b) and (c).

6. Which of the following is correct about the flow control service in TCP?
   (a) The sender selects the maximum segment size (MSS).
   (b) The receiver increases its application data rate.
   (c) The sender does not overflow the receiver's buffer by transmitting too many segments.
   (d) The receiver increases its buffer size.

7. A TCP transmitter has received an acknowledgment with the sequence number equal to 80. This means that:
   (a) the receiver has received segment 80.
   (b) the receiver has received the segment preceding segment 80.
   (c) the receiver can accept 80 bytes without overflow in its buffer.
   (d) the transmitter should send 80 bytes in the next segment.

8. In a Go-Back-10 protocol, the oldest transmitted segment without ACK has a sequence number equal to 100. The sender has already sent 5 packets from its transmission window. If the timeout expires for packet 100, the sender should retransmit:
   (a) packets 96 to 100.
   (b) packets 91 to 100.
   (c) packet 100.
   (d) packets 100 to 104.
   (e) packets 100 to 109.

9. Consider a router with a switching fabric based on memory access. The memory access speed (read and write) is B packets per second. The overall forwarding throughput is always:
   (a) greater than B packets per second.
   (b) greater than 2B packets per second.
   (c) smaller than B/2.
   (d) smaller than B/2.

10. ICMP (Internet Control Message Protocol):
   (a) is used by ping to provide echo request/reply.
   (b) is used by traceroute to measure the delay between the routers from a source to a destination.
   (c) is used by hosts and routers to communicate network-level information.
   (d) All of the above.

11. Which of the following is incorrect about IPv6?
   (a) The size of IPv6 addresses is 128 bits.
   (b) Routers use datagram fragmentation with IPv6.
   (c) There is no checksum in the IPv6 header.
   (d) All of the above are correct.

12. DHCP:
   (a) allows an ISP to obtain a set of IP addresses from ICANN (Internet Corporation for Assigned Names and Numbers).
   (b) allows a router to allocate port numbers in a NAT (Network Address Translation).
   (c) allows a host to dynamically obtain an IP address when it joins the network.
   (d) both (a) and (c).

13. In BGP, the NEXT-HOP attribute indicates:
   (a) the router interface that begins the AS-PATH.
   (b) the shortest path between two ASs.
   (c) the gateway address that has the highest traffic.
   (d) both (b) and (c).

14. Compared to pure ALOHA, slotted ALOHA has:
   (a) higher efficiency, because without slots a frame is more likely to suffer a collision.
   (b) higher efficiency, because slotted ALOHA uses collision avoidance.
   (c) lower efficiency, because a large part of a slot can go unused.
   (d) lower efficiency, because having slots requires synchronization.

15. To allow the sender to detect a collision in CSMA/CD:
   (a) frames must include a checksum.
   (b) frames must be encrypted and authenticated.
   (c) frames need to be shorter than some maximum length.
   (d) frames need to be longer than some minimum length.

16. In an Ethernet frame, the preamble is responsible for:
   (a) collision detection.
   (b) synchronization of the receiver's clock to the sender's clock.
   (c) error correction.
   (d) multiplexing/demultiplexing.

17. Which of the following is not true about SSL?
   (a) SSL provides authentication and confidentiality for UDP and ICMP messages.
   (b) In SSL, the client sends to the server a list of encryption algorithms that it supports and the server chooses one.
   (c) In SSL, client authentication is optional.
   (d) In SSL, both client and server send a MAC of all the handshake messages to prevent a Man-in-the-Middle attack.

18. Cipher Block Chaining prevents:
   (a) ciphertext-only attacks on block ciphers.
   (b) a large number of rounds in block ciphers.
   (c) producing exactly the same ciphertext block for two identical plaintext blocks in block ciphers.
   (d) All of the above.

19. In CDMA, user A uses code $c_A$ and user B uses code $c_B$. The codes should satisfy:
   (a) $c_A^m = 1,\ c_B^m = 0$ (or the other way around)
   (b) $c_A^m = c_B^m$
   (c) $c_A^m = -c_B^m$
   (d) $\sum_m c_A^m c_B^m = 0$

20. Which of the following is generally true about modulation schemes?
   (a) At a fixed bitrate, increasing the SNR increases the BER.
   (b) At a fixed SNR, increasing the bitrate increases the BER.
   (c) At a fixed BER, increasing the SNR increases the achievable bitrate.
   (d) (b) and (c) are correct.
   (e) All of the above are correct.
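Question 19 is about the condition two CDMA codes must satisfy so that a receiver can separate the users. The Python below is an added illustration, not part of the exam: it spreads each sender's data bit into chips, superposes both chip streams as the shared channel would, and correlates with each code at the receiver. The two 8-chip codes are constructed for this example (the second was chosen to be orthogonal to the first); the function names are mine.

```python
from typing import List

Chips = List[int]  # each chip is +1 or -1

# Constructed 8-chip codes for this example (not taken from the exam).
CODE_A: Chips = [1, 1, 1, -1, 1, -1, -1, -1]
CODE_B: Chips = [1, -1, 1, 1, 1, -1, 1, 1]


def inner(a: Chips, b: Chips) -> int:
    """Sum over m of a[m] * b[m]; zero means the codes are orthogonal."""
    return sum(x * y for x, y in zip(a, b))


def are_orthogonal(ca: Chips, cb: Chips) -> bool:
    return inner(ca, cb) == 0


def encode(bit: int, code: Chips) -> Chips:
    """Spread one data bit (+1 or -1) into len(code) chips."""
    return [bit * c for c in code]


def transmit(bits_a: List[int], bits_b: List[int], ca: Chips, cb: Chips) -> Chips:
    """The channel adds the chip signals of both senders, bit slot by bit slot."""
    channel: Chips = []
    for ba, bb in zip(bits_a, bits_b):
        channel.extend(x + y for x, y in zip(encode(ba, ca), encode(bb, cb)))
    return channel


def receive(channel: Chips, code: Chips) -> List[int]:
    """Correlate each bit slot with the receiver's code and divide by the code length.

    With orthogonal codes the other sender contributes zero, so the result is exactly
    the bit that was sent. With non-orthogonal codes the other sender leaks in: for
    cb = -ca the result is (ba - bb), which is 0 (undecidable) whenever both sent the
    same bit.
    """
    m = len(code)
    out = []
    for i in range(0, len(channel), m):
        out.append(round(inner(channel[i:i + m], code) / m))
    return out


if __name__ == "__main__":
    bits_a, bits_b = [1, -1, 1], [-1, -1, 1]
    chan = transmit(bits_a, bits_b, CODE_A, CODE_B)
    print("orthogonal:", are_orthogonal(CODE_A, CODE_B))
    print("A decodes", receive(chan, CODE_A), "B decodes", receive(chan, CODE_B))
```

Running `receive` with the negated code in place of CODE_B shows why option (c) is not enough: the correlation no longer cancels the other user.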

DNS

(8 points)

Consider a hierarchy of name servers and a number of machines that belong to the cs.princeton.edu domain as depicted below. Note the attributes (names and IP addresses) of each of the DNS servers in the hierarchy and of the machines in the cs.princeton.edu domain. Each DNS server has a number of resource records (i.e., name-to-value bindings) that contain the following fields: <Name, Value, Type, Class, TTL>.

Question 1: Ignoring the TTL and Class fields, write the resource records in the form <Name, Value, Type> that each of the DNS servers in the hierarchy has. Assume that the caches of all machines are empty.

Question 2: A student at EPFL wants to establish communication with the host penguins.cs.princeton.edu. Therefore, the student's machine needs to resolve the IP address of the host penguins.cs.princeton.edu. The student's machine is configured to first query a local EPFL DNS server, stisun1.epfl.ch, using recursive queries. The local EPFL DNS server is configured to use iterative queries. Assume that the caches of all machines are empty.
a. Draw the arrows that represent the DNS messages exchanged between the entities as a result of the query for penguins.cs.princeton.edu. Number the arrows to represent the order in which the messages are exchanged. Write the content of each of the exchanged DNS messages. (You may write the content of the messages next to the corresponding arrows.)

b. Which resource record does the local EPFL DNS server need to have in this scenario?
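Question 2 describes a recursive query to the local server, which then resolves the name iteratively. The Python model below is an added example, not part of the exam or its solution. Because the figure's server names and addresses are not reproduced on this page, every server name and every 10.x.x.x address in it is a constructed placeholder. Each server holds <Name, Value, Type> records as in Question 1; the local server starts at the root and follows NS referrals (with their glue A records) until it receives an authoritative A answer, caching the result so that a repeated query costs no further messages.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # <Name, Value, Type>; TTL and Class ignored as in Question 1

# Constructed zone data: placeholder server names and addresses, not the exam figure's.
ZONES: Dict[str, List[Record]] = {
    "10.0.0.1": [                                    # root server
        ("edu", "ns.edu", "NS"),
        ("ns.edu", "10.0.1.1", "A"),
    ],
    "10.0.1.1": [                                    # edu TLD server
        ("princeton.edu", "dns.princeton.edu", "NS"),
        ("dns.princeton.edu", "10.0.2.1", "A"),
    ],
    "10.0.2.1": [                                    # princeton.edu authoritative server
        ("cs.princeton.edu", "dns.cs.princeton.edu", "NS"),
        ("dns.cs.princeton.edu", "10.0.3.1", "A"),
    ],
    "10.0.3.1": [                                    # cs.princeton.edu authoritative server
        ("dns.cs.princeton.edu", "10.0.3.1", "A"),
        ("penguins.cs.princeton.edu", "10.0.3.42", "A"),
    ],
}


def find(records: List[Record], name: str, rtype: str) -> Optional[str]:
    for n, v, t in records:
        if n == name and t == rtype:
            return v
    return None


def answer_query(server_ip: str, qname: str) -> Optional[Record]:
    """What one server returns to an iterative query: an A record if it is authoritative
    for the name, otherwise the NS record of the closest enclosing zone it delegates."""
    records = ZONES[server_ip]
    ip = find(records, qname, "A")
    if ip is not None:
        return (qname, ip, "A")
    best: Optional[Record] = None
    for n, v, t in records:
        if t == "NS" and (qname == n or qname.endswith("." + n)):
            if best is None or len(n) > len(best[0]):
                best = (n, v, t)
    return best


def resolve(qname: str, cache: Dict[str, str], root_ip: str = "10.0.0.1") -> Tuple[str, List[str]]:
    """The local server's logic: answer from cache, or walk the hierarchy iteratively.
    Returns the resolved IP and the list of messages exchanged, in order."""
    if qname in cache:
        return cache[qname], []
    msgs: List[str] = []
    server = root_ip
    while True:
        msgs.append(f"local -> {server}: query {qname}")
        rr = answer_query(server, qname)
        if rr is None:
            raise LookupError(f"no delegation for {qname} at {server}")
        name, value, rtype = rr
        if rtype == "A":
            msgs.append(f"{server} -> local: <{name}, {value}, A>")
            cache[qname] = value
            return value, msgs
        glue = find(ZONES[server], value, "A")   # the referral carries the name server's address
        msgs.append(f"{server} -> local: <{name}, {value}, NS>, <{value}, {glue}, A>")
        server = glue


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    ip, msgs = resolve("penguins.cs.princeton.edu", cache)
    print("\n".join(msgs))
    print("answer:", ip, "| second lookup uses cache:", resolve("penguins.cs.princeton.edu", cache))
```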

Routing

(10 points)

Consider the network in the figure below. The numbers on the links between nodes represent the costs of these links. Assume that nodes initially know only the costs of adjacent links (links to which they are directly connected).

[Figure: network topology with nodes A, B, C, ... and link costs; only the labels A, 8, C, 2, 1, B, 2 survived extraction]

Question 1: The network runs the distance-vector algorithm. Assume that the algorithm works in a synchronous manner: in one time-slot, all nodes simultaneously receive distance vectors from their neighbors, compute their new distance vectors, and inform their neighbors if their distance vectors have changed. Fill out the distance tables at node C for each time-slot.

[Distance tables at node C, one per time-slot, to be filled in: rows "from" A, C, E, F; columns "cost to" B, C, D]

Question 2: Assume that a router has the following entries in its routing table:

Address/mask      Next hop
135.46.56.0/22    Interface 0
135.46.60.0/22    Interface 1
192.53.40.0/23    Interface 2
default           Interface 3

For each of the following IP addresses, what does the router do if a packet with that destination address arrives?
a. 135.46.63.10: interface
b. 135.46.57.14: interface
c. 135.46.52.2: interface
d. 192.53.40.7: interface
e. 192.53.56.7: interface

Question 3: Consider the topology shown below, and suppose that each link has unit cost. Suppose that node H is chosen as the center (i.e., rendezvous point) in a center-based routing tree. Assume that each attached router uses its least-cost path to node H to send join messages to H. We also assume that nodes join in alphabetical order (i.e., first A joins, then B, etc.). Draw the resulting spanning tree in the figure. Is it unique? Justify your answer.

[Figure: topology for Question 3; only the node labels C and G survived extraction]
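Question 2 of this section is a longest-prefix-match lookup. The Python below is an added example, not part of the exam or its solution: it loads the table from Question 2 and, to make the longest-prefix rule visible, adds one constructed, more specific route (135.46.58.0/24, not in the exam's table) nested inside 135.46.56.0/22. The destination addresses tried at the bottom are constructed as well.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# The exam's table plus one constructed /24 (marked as such) nested inside 135.46.56.0/22,
# so that the lookup must choose between two matching entries.
ROUTES: List[Tuple[str, str]] = [
    ("135.46.56.0/22", "Interface 0"),
    ("135.46.60.0/22", "Interface 1"),
    ("192.53.40.0/23", "Interface 2"),
    ("135.46.58.0/24", "Interface 4 (constructed)"),
]
DEFAULT_HOP = "Interface 3"


def build_table(routes: List[Tuple[str, str]]) -> List[Route]:
    # strict=True rejects a prefix whose host bits are not zero (e.g. "135.46.57.0/22"),
    # which in a real configuration usually means a typo.
    return [(ipaddress.IPv4Network(prefix, strict=True), hop) for prefix, hop in routes]


def longest_prefix_match(table: List[Route], dst: str, default: str = DEFAULT_HOP) -> str:
    """Return the next hop of the most specific (longest) prefix containing dst,
    or the default route when no entry matches."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best is not None else default


def address_range(prefix: str) -> Tuple[str, str]:
    """First and last address covered by a prefix, useful for checking a table by hand."""
    net = ipaddress.IPv4Network(prefix)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    table = build_table(ROUTES)
    for prefix, hop in ROUTES:
        print(prefix, address_range(prefix), "->", hop)
    for dst in ("135.46.58.200", "135.46.61.1", "192.53.41.250", "192.53.42.1"):
        print(dst, "->", longest_prefix_match(table, dst))
```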

ALOHA

(5 points)

Suppose 5 nodes are competing to access a channel using the (pure) ALOHA protocol. Assume each node has an infinite number of packets to send. Each node attempts to transmit with probability p.

Question 1: What is the probability of transmission that maximizes the throughput of this network?

Question 2: Assume that the nodes use the probability of transmission computed in Question 1. Moreover, they use slotted ALOHA instead of ALOHA. Calculate the probability that in a time-slot:
a. the channel is idle.

b. there is a collision.
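Both questions above are instances of the standard ALOHA analysis for N nodes that each transmit with probability p. The Python below is an added example, not part of the exam or its solution: it implements the per-slot probabilities for slotted ALOHA, the per-frame-time success probability for pure ALOHA, the closed-form optimal p of each variant, and a brute-force search that confirms the closed forms numerically. The function and variable names are mine.

```python
from typing import Callable, Dict


def slotted_probs(n: int, p: float) -> Dict[str, float]:
    """Slotted ALOHA, n nodes each transmitting in a slot with probability p."""
    idle = (1 - p) ** n                     # nobody transmits in the slot
    success = n * p * (1 - p) ** (n - 1)    # exactly one node transmits
    return {"idle": idle, "success": success, "collision": 1 - idle - success}


def slotted_throughput(n: int, p: float) -> float:
    return slotted_probs(n, p)["success"]


def pure_throughput(n: int, p: float) -> float:
    """Pure ALOHA: a frame succeeds only if no other node started transmitting during
    the current frame time or during the previous one, hence the exponent 2(n-1)."""
    return n * p * (1 - p) ** (2 * (n - 1))


def optimal_p_slotted(n: int) -> float:
    # d/dp [p (1-p)^(n-1)] = 0  =>  1 - p - (n-1) p = 0  =>  p = 1/n
    return 1 / n


def optimal_p_pure(n: int) -> float:
    # d/dp [p (1-p)^(2n-2)] = 0  =>  1 - p - (2n-2) p = 0  =>  p = 1/(2n-1)
    return 1 / (2 * n - 1)


def argmax_p(f: Callable[[int, float], float], n: int, steps: int = 10000) -> float:
    """Brute-force check of a closed form: scan p on a grid and keep the best value."""
    best_p, best_val = 0.0, -1.0
    for k in range(1, steps):
        p = k / steps
        v = f(n, p)
        if v > best_val:
            best_p, best_val = p, v
    return best_p


if __name__ == "__main__":
    n = 5
    p_pure = optimal_p_pure(n)
    print(f"pure ALOHA, n={n}: optimal p = {p_pure:.4f}, "
          f"throughput = {pure_throughput(n, p_pure):.4f}, grid search p = {argmax_p(pure_throughput, n):.4f}")
    print(f"slotted ALOHA with that p: {slotted_probs(n, p_pure)}")
    print(f"slotted ALOHA at its own optimum p = {optimal_p_slotted(n):.2f}: "
          f"throughput = {slotted_throughput(n, optimal_p_slotted(n)):.4f}")
```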


ARP

(10 points)

Consider the following LAN, composed of 2 machines, a gateway router and a switch:

- gateway router: IP 192.168.42.1, MAC 11-11-11-11-11-11
- Alice: IP 192.168.42.10, MAC AA-AA-AA-AA-AA-AA
- Eve: IP 192.168.42.13, MAC EE-EE-EE-EE-EE-EE

(the router and both machines are attached to the switch)

The router and both machines rely on ARP to dynamically obtain the mapping between IP addresses and MAC addresses. The switch, upon receiving a frame with destination MAC address X:
- forwards the frame to all the NICs if X is a broadcast address,
- forwards the frame only to the NIC with address X if X is a unicast address,
- drops the frame if address X is unknown.
Eve wants to meddle with Alice's Internet connection. As she only has control over her own machine, she resorts to so-called ARP poisoning attacks. We elaborate on these attacks in this question.

Question 1: Explain in detail how the ARP module updates the ARP table upon receiving: a. an ARP request.

b. an ARP reply.


Question 2: Eve wants to mount a denial-of-service attack on Alice, i.e., cut the connection between Alice and the gateway. Propose an ARP-based attack that would allow Eve to achieve this. List the ARP packets used; for every ARP packet, give the type (request/reply) and source/destination IP/MAC addresses. Describe what happens with IP packets sent by Alice afterwards.

Question 3: Eve wants to receive all the IP packets sent from Alice to the gateway. Propose an ARP-based attack that would allow Eve to achieve this. List the ARP packets used; for every ARP packet, give the type (request/reply) and source/destination IP/MAC addresses. Describe what happens with IP packets sent by Alice afterwards.


Question 4: Eve wants to eavesdrop on all the IP packets exchanged between Alice and the gateway in a way that would be stealthy (Alice should not realize that something is wrong). Propose an ARP-based attack that would allow Eve to achieve this. List the ARP packets used; for every ARP packet, give the type (request/reply) and source/destination IP/MAC addresses. Describe what Eve should do with the IP packets received from Alice and from the gateway.

Question 5: Propose a modification to the way the ARP module updates the ARP table that would prevent and/or detect such ARP attacks. Note: the format of ARP packets has to remain unchanged.
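Question 5 asks for a cache-update rule that resists these attacks without changing the ARP packet format. The Python below is an added example of one such rule (mine, not the exam's answer and not any real ARP implementation): the cache accepts a reply only when it has an outstanding request for that IP and the reply is addressed to its own MAC, never silently overwrites an existing IP-to-MAC binding with a different MAC, and records an alert instead, so a poisoned mapping is both blocked and detectable. It uses the addresses of the LAN above; the packets fed to it are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

UNKNOWN_MAC = "00-00-00-00-00-00"


@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str    # UNKNOWN_MAC in a request


@dataclass
class HardenedArpCache:
    my_ip: str
    my_mac: str
    table: Dict[str, str] = field(default_factory=dict)   # IP -> MAC
    pending: Set[str] = field(default_factory=set)        # IPs we have sent a request for
    alerts: List[str] = field(default_factory=list)       # what an admin or IDS would see

    def request(self, ip: str) -> ArpPacket:
        """Build a request for ip and remember that a reply for it is expected."""
        self.pending.add(ip)
        return ArpPacket("request", self.my_ip, self.my_mac, ip, UNKNOWN_MAC)

    def _learn(self, ip: str, mac: str, source: str) -> bool:
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return True
        if known == mac:
            return True
        # Conflict with an existing binding: keep the old one and flag it instead of
        # overwriting, which is the step a classic ARP module would perform blindly.
        self.alerts.append(f"{source} claims {ip} is at {mac}, cache says {known}")
        return False

    def receive(self, pkt: ArpPacket) -> bool:
        """True if the packet created or confirmed a binding, False if it was ignored/rejected."""
        if pkt.op == "request":
            if pkt.target_ip != self.my_ip:
                return False                       # not asking for us: learn nothing
            return self._learn(pkt.sender_ip, pkt.sender_mac, "request")
        if pkt.op == "reply":
            if pkt.target_mac != self.my_mac or pkt.sender_ip not in self.pending:
                self.alerts.append(f"unsolicited reply: {pkt.sender_ip} at {pkt.sender_mac}")
                return False
            self.pending.discard(pkt.sender_ip)    # at most one reply per request
            return self._learn(pkt.sender_ip, pkt.sender_mac, "reply")
        return False


if __name__ == "__main__":
    alice = HardenedArpCache("192.168.42.10", "AA-AA-AA-AA-AA-AA")
    alice.request("192.168.42.1")
    alice.receive(ArpPacket("reply", "192.168.42.1", "11-11-11-11-11-11", alice.my_ip, alice.my_mac))
    # constructed: a second reply for the gateway's IP carrying a different MAC
    alice.receive(ArpPacket("reply", "192.168.42.1", "EE-EE-EE-EE-EE-EE", alice.my_ip, alice.my_mac))
    print("table:", alice.table)
    print("alerts:", alice.alerts)
```

The trade-off is that a legitimate NIC replacement on the gateway would also trigger an alert and require the stale entry to expire or be cleared by hand; that is the price of refusing to let any single packet rewrite a binding.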

Wireless Networks

(8 points)

Question 1: In IEEE 802.11, when does using RTS/CTS decrease the network throughput compared to the case when RTS/CTS is not used?

Question 2: Consider the following IEEE 802.11 network, where all stations use channel 4:

The shaded oval around a node represents the communication and interference range of that node. Assume that nodes do not use RTS/CTS. For each of the following traffic patterns, indicate at which nodes (if any) data frames can be lost due to a collision:
a. A sends data to B, C sends data to B:
b. A sends data to B, D sends data to C:
c. B sends data to A, C sends data to D:

Question 3: Consider question 2, assuming all nodes use RTS/CTS. Is it possible that a data frame is lost due to a collision in any of the scenarios a, b, and c? If yes, explain how.

Question 4: Propose a channel allocation that prevents all collisions in scenarios b and c. (Assign an IEEE 802.11 channel to each node.)
A:
B:
C:
D:

Security

(9 points)

Question 1: Alice and Bob share a secret key K_AB. Based on this key, the following protocol allows Alice to authenticate herself to Bob (H is a hash function):

1. Alice -> Bob: "Hello I am Alice"
2. Bob generates a nonce R
3. Bob -> Alice: R
4. Alice generates the MAC H(K_AB, R)
5. Alice -> Bob: H(K_AB, R)
6. Bob verifies the MAC

Trudy is an attacker who does not have the secret session key K_AB, but can eavesdrop on the message exchanges between Alice and Bob, as well as modify these messages, drop them, or inject new messages. What attack could Trudy mount if the random nonce R is not part of the protocol? (E.g., Alice simply sends "Hello I am Alice", MAC("Hello I am Alice", K_AB).)

Question 2: Consider the authentication protocol from question 1. Suppose that whenever Alice starts the authentication protocol with Bob, Bob also attempts to authenticate himself to Alice. Bob does so by running in parallel a second instance of the same protocol (but with the roles of Alice and Bob reversed). Give a scenario by which Trudy, pretending to be Alice, can now authenticate herself to Bob as Alice. (Hint: Consider that the messages of the two instances of the protocol can be arbitrarily interleaved.)
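Questions 1 and 2 turn on two properties of Bob's verifier: the nonce R must be fresh and usable only once (otherwise a MAC captured earlier can be presented again), and the MAC must be bound to who is proving what to whom (otherwise, when both sides run the protocol concurrently, a response that Bob computed as a prover is indistinguishable from one Alice would compute). The Python below is an added example, mine and not the exam's solution: H is instantiated as HMAC-SHA256, the nonce-free variant from Question 1 is shown beside a verifier that tracks its outstanding nonces and includes both party names in the MAC input. The key and names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Set

K_AB = b"constructed-shared-key-K_AB"   # placeholder; a real key would be random bytes


def H(key: bytes, *parts: bytes) -> bytes:
    """The MAC H(K, ...) of the exam, instantiated as HMAC-SHA256.
    Each part is length-prefixed so that ("A", "BC") and ("AB", "C") give different tags."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


# --- the variant asked about in Question 1: no nonce, Alice always sends the same tag ---
def weak_prove(key: bytes) -> bytes:
    return H(key, b"Hello I am Alice")


def weak_verify(key: bytes, tag: bytes) -> bool:
    # Nothing ties the tag to this protocol run, so a tag seen once is valid forever.
    return hmac.compare_digest(H(key, b"Hello I am Alice"), tag)


# --- hardened verifier: fresh one-shot nonce plus identity binding in the MAC ---------
class Verifier:
    def __init__(self, key: bytes, my_name: bytes):
        self.key = key
        self.my_name = my_name
        self.outstanding: Set[bytes] = set()   # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)
        self.outstanding.add(r)
        return r

    def verify(self, claimed_name: bytes, r: bytes, tag: bytes) -> bool:
        if r not in self.outstanding:
            return False                       # never issued, or already used: a replay
        self.outstanding.discard(r)            # each nonce accepts at most one response
        # The prover is expected to MAC (prover, verifier, R) in that order, so a tag that
        # Bob himself produced as prover, H(K, "Bob", "Alice", R), does not verify here.
        expected = H(self.key, claimed_name, self.my_name, r)
        return hmac.compare_digest(expected, tag)


def prove(key: bytes, my_name: bytes, peer_name: bytes, r: bytes) -> bytes:
    """Prover's response to challenge r: binds its own name and the verifier's name."""
    return H(key, my_name, peer_name, r)


if __name__ == "__main__":
    bob = Verifier(K_AB, b"Bob")
    r = bob.challenge()
    tag = prove(K_AB, b"Alice", b"Bob", r)
    print("fresh response accepted:", bob.verify(b"Alice", r, tag))
    print("same response again accepted:", bob.verify(b"Alice", r, tag))
```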


Question 3: The following protocol allows Alice and Bob to establish a shared secret session key K_S with the help of a Key Distribution Center (KDC). The KDC is a server that shares a unique secret symmetric key with Alice (K_A-KDC) and with Bob (K_B-KDC). N_A is a freshly generated nonce, and K{m} denotes an encryption of message m with a symmetric key K.

1. Alice -> KDC: A, B, N_A
2. KDC -> Alice: K_A-KDC{N_A, B, K_S, K_B-KDC{A, K_S}}
3. Alice -> Bob: K_B-KDC{A, K_S}

Bob and Alice now communicate using the symmetric session key K_S.

At the end of the protocol, the key K_S is secret to everyone except for Alice, Bob and the KDC. In addition, Alice is sure that the only other party that knows K_S is Bob (and the KDC), and vice versa. Trudy is an internal attacker who shares a key with the KDC (K_T-KDC), but who does not know K_A-KDC or K_B-KDC. Trudy can eavesdrop on all the message exchanges between the other parties, as well as modify messages, drop messages, and inject new messages. Trudy can also initiate new protocol instances.
a. Consider that B is removed from the 2nd message of the protocol. Describe an attack that Trudy can mount against this modified version of the protocol.

b. Consider that A is removed from K_B-KDC{A, K_S} in the 2nd and 3rd messages of the protocol. Describe an attack that Trudy can mount against this modified version of the protocol.
