CS3550 Final Exam

1. Identify True or False for the following statements: (10*1 = 10)
(a) A TCP header has source and destination port address. ___
(b) OSI model has 5 layers. ___
(c) In a TCP/IP model, an application can communicate with the underneath transport layer through a port number. ____
(d) PDU header has the control information. ____
(e) UDP is an example of TCP protocol. _____
(f) HTTP is an example of TCP protocol. _____
(g) UDP provides a reliable connection for transferring data between applications. ___
(h) A TCP header is at minimum 160 bits long. _____
(i) A TCP header does not contain sequence and acknowledgment numbers. ____
(j) A UDP header has source and destination IP address. ____

2. For TCP protocol, show the sequence of packet exchange for the following: (a) 3-way handshake, and (b) Connection closing or teardown. (3+3=6)
Ans:



3. Briefly discuss three characteristics of TCP that ensure reliable communication. (2*3= 6)
Ans:


4. Consider the following TCP header:
Explain the meaning of the following fields: (5*2= 10)
(a) SYN flag:


(b) ACK flag:


(c) FIN flag:


(d) RST flag:



(e) Sequence number:


5. With an appropriate diagram, explain the steps of a TCP SYN attack. (4)




6. What is a land attack? (3)



7. Explain the following types of port-scanning attacks, along with the possible outcome or response from the remote host being scanned: (4*3 = 12)
(i) X-mas (Xmas) scan:




(ii) ICMP scan:




(iii) SYN scanning:

(iv) FIN scanning:

8. Describe any three types of active attacks on a network. (3*3 = 9)
Ans:


9. For each of the following threat descriptions, identify the asset type (Hardware/Software/Data/Communication line) and the security property (Confidentiality/Integrity/Availability) affected: (6*2 = 12)

(a) Threat description: Some DLL files are deleted from a computer, resulting in others being denied access to the computer.
    Asset: __________    Security property affected: __________

(b) Threat description: You are an email recipient, but your email was read by an unauthorized user when you left your computer desk for a brief period.
    Asset: __________    Security property affected: __________

(c) Threat description: A virus modified an executable file, causing it to throw an error the next time it is launched.
    Asset: __________    Security property affected: __________

(d) Threat description: The NSA snooped on your phone call records without your knowledge.
    Asset: __________    Security property affected: __________

(e) Threat description: You cannot reach the destination network from your personal computer due to a massive storm in the region.
    Asset: __________    Security property affected: __________

(f) Threat description: Your computer's hard disk, which had important personal files stored on it, ended up in flood water.
    Asset: __________    Security property affected: __________


10. Explain what (i) parasitic malware and (ii) independent malware are. (2+2 = 4)
Ans:



11. Discuss two differences between a Trojan horse and mobile code. (4)
Ans:



12. What is (i) a boot sector virus and (ii) a macro virus? (iii) Which of the two viruses is less harmful? (3)
Ans:




13. Consider the following examples of data collected by an IDS. For each, specify which category of IDS (Network-based IDS or Host-based IDS) would collect it: (5*1 = 5)
(i) Source IP address __________
(ii) TTL value ____________
(iii) Operating system name and version __________
(iv) Port number _______
(v) Session identification number ________

14. Consider the following Snort rule, used to examine TCP/IP packets (the protocol field "tcp" is required by Snort's rule header syntax):
            alert tcp 10.2.3.1 25 -> 192.168.1.0 111
            (content:"|00 ff 86 a5|"; msg:"ls -l";)
Answer true or false for the following statements: (4)

(i) The rule will be triggered when the destination IP address is 10.2.3.1. ____
(ii) The rule will match if the source port is 25. _________
(iii) The rule will be triggered if the packet contains the directory-listing command (ls -l). __
(iv) The rule cannot check whether any "mountd" command is present in a packet. ____




15. Answer True/False for the following statements related to IDS and Firewall: (8)
(i) Some stateful firewalls keep track of TCP sequence numbers. ____
(ii) A packet filter firewall creates a directory for each of the connections. ____
(iii) TCP SYN attack can be detected by anomaly detection approach. ____
(iv) The unusual combination of TCP flags can be detected by anomaly detection approach ____
(v) A TCP packet having an acknowledgement value set to a non-zero number, but keeping the acknowledgment flag as zero is an example of an attack that should be detected by host-based IDS. ____
(vi) Snort is an example of anomaly-based IDS. ____
(vii) An active IDS can proactively stop ongoing malicious activities if configured to do so. ____
(viii) Excessive network bandwidth usage is a symptom that can be detected by a firewall. ____




