CSCI 4830 - Network Security - Fall 2003

Solution Set for H/W #1

1. Suppose you have a machine with a static IP address. Further suppose this IP address was blocked by a gaming site where you really wanted to play. Could you simply forge your IP address and gain access to the site?

Although it's easy to forge your source IP address, either with tools that do it for you or by being knowledgeable enough to use raw sockets on Unix or Windows (I'm not sure about Macintosh), just changing your IP address doesn't always work! For example, the machine I'm using right now has an address in the 128.138 prefix. If I sent an IP datagram with a source address in the 14.25 prefix, I would NOT receive any reply sent to that address, even if I reconfigured my own interface with the new quad. This is because IP routing is done hierarchically on the destination prefix: the replies to a 14.25 address are delivered to whichever network announces that prefix, not to my campus network, which holds only addresses prefixed with 128.138.

It would be easier to change to another IP address within my own subnet, however: I might be able to switch to some other 128.138 address and get past any site which was filtering just my original address (though not one that blocked the whole prefix), but I might also cause problems on my LAN if that address is already in use by some other network interface on my subnet, since both hosts would then answer ARP for it.

2. Given the answer to #1, why are DoS attacks so successful when they forge their IP address?

DoS (Denial of Service) attacks do not care about receiving replies: they are write-only attacks. In fact, they don't WANT any replies from the victim; that would just slow them down! So forging the source IP in the attack packets is a good tactic for them: it hides the true source of the attack, and by varying the forged source at random the flood looks like traffic from many legitimate hosts, which is very hard to filter against. The practical defense is for networks near the source to drop packets whose source address does not belong to them (ingress filtering, RFC 2827 / BCP 38), since the victim cannot tell a forged source from a real one.

3. Why do DoS attackers often send a 65536-byte packet to their victims?

As we said in class, IPv4 (which is the dominant IP version in use today) allows fragmentation of datagrams. Each datagram is broken into fragments according to the MTU (Maximum Transmission Unit) of the physical network it is crossing. Ethernet has an MTU of 1500 bytes, and every fragment needs its own 20-byte IP header, so each one carries at most 1480 bytes of the original payload. A 64K UDP datagram (the largest IPv4 can carry at all, since the 16-bit total length field tops out at 65535 bytes) therefore fragments into 45 pieces on Ethernet: 44 full ones and a short final one. The victim's network stack then has to hold all 45 fragments and reassemble them before it can even hand the datagram to UDP and decide whether anything wants it, which is very costly for the victim: the reassembly buffer and timer are allocated per datagram, and the work is done before any higher-layer filtering can reject the traffic.
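The two mechanics behind answers #1 and #3, a forged source address and MTU-driven fragmentation, are both just fields in the IPv4 header. The block below is an added example, not part of the original solution set: it builds headers with whatever source address the caller names (which is all "forging your IP" means at this layer; actually transmitting them would need a raw socket and root, and is omitted), splits a maximal UDP datagram into Ethernet-sized fragments with correct 8-byte-aligned offsets and MF flags, and parses the result back the way a receiving stack would. The addresses 14.25.0.1 and 128.138.0.1 are constructed for the example; only the two prefixes come from the text.

```python
import struct
from ipaddress import IPv4Address

IPV4_HDR_LEN = 20          # header without options
IPV4_MAX_LEN = 65535       # 16-bit total-length field
ETHERNET_MTU = 1500
PROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, *, ident: int = 0,
                more_fragments: bool = False, frag_offset: int = 0,
                proto: int = PROTO_UDP, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header.

    The source address is whatever the caller passes in: nothing in the
    header format ties it to the interface that will transmit the packet,
    which is all 'forging your IP address' amounts to at this layer.
    """
    total_len = IPV4_HDR_LEN + payload_len
    if total_len > IPV4_MAX_LEN:
        raise ValueError("datagram longer than the 16-bit total length allows")
    if frag_offset % 8:
        raise ValueError("fragment offset is carried in 8-byte units")
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, ident, flags_frag, ttl, proto,
                      0,                              # checksum placeholder
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fragment(src: str, dst: str, payload: bytes, mtu: int = ETHERNET_MTU,
             ident: int = 1) -> list:
    """Split one datagram into on-the-wire fragments for a link with this MTU.

    Every fragment carries its own full IP header, so only mtu - 20 bytes of
    payload fit per fragment (1480 on Ethernet), and the cut must fall on an
    8-byte boundary because the offset field counts 8-byte units. All but
    the last fragment set the MF (more fragments) flag.
    """
    if IPV4_HDR_LEN + len(payload) > IPV4_MAX_LEN:
        raise ValueError("datagram longer than IPv4 allows")
    chunk = (mtu - IPV4_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        mf = off + len(piece) < len(payload)
        frags.append(ipv4_header(src, dst, len(piece), ident=ident,
                                 more_fragments=mf, frag_offset=off) + piece)
    return frags


def parse_header(pkt: bytes) -> dict:
    """Decode the fields a receiving stack (or a packet filter) looks at."""
    (_vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "total_len": total_len,
        "ident": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ip_checksum(pkt[:IPV4_HDR_LEN]) == 0,
    }


if __name__ == "__main__":
    # Constructed addresses: a forged 14.25 source aimed at a 128.138 host.
    # The largest UDP datagram IPv4 can carry is 65507 bytes of data plus the
    # 8-byte UDP header, i.e. 65515 bytes of IP payload.
    udp = b"\x00" * 65515
    frags = fragment("14.25.0.1", "128.138.0.1", udp)
    print(len(frags), "fragments")
    for f in (frags[0], frags[-1]):
        print(parse_header(f))
```

Note that the receiver has to key its reassembly state on (source, destination, protocol, ident), so with the forged source it will happily buffer fragments it can never reply to, which is exactly the cost described above. The checksum covers only the header, so it detects corruption, not forgery: a forged header with a correct checksum is indistinguishable from a genuine one.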

4. What are the two things we allow an adversary to learn when he passively eavesdrops on an encrypted line?

As we said in class, we allow the adversary to learn that (1) communication is taking place, and (2) the approximate length of that communication.

We also mentioned that in the real world there might be even more information leaked through side channels: the amount of time a computation takes before a response is given; the amount of power consumed; the amount of heat generated; RF radiation emitted, etc. But we consider these to be outside our model for the purpose of security analysis (which is perhaps a bad thing to do!).

5. Text problem 2.7.2 (pg 57)

Using an unkeyed hash function provides absolutely NO authenticity or integrity guarantees against an active adversary. The attacker can forge messages by simply recomputing the (public) hash function for any message he wishes! Integrity against an active adversary needs something the attacker lacks: a secret key, as in a MAC, or a signing key.
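To make the forgery concrete, here is an added example (not from the text or the course) that plays both schemes against an active adversary on the wire: a sender who appends a plain SHA-256 of the message, and one who appends HMAC-SHA256 under a shared key. The attacker sees the message and its tag, substitutes its own message, and supplies the best tag it can compute without the key. The message text is constructed for the example.

```python
import hashlib
import hmac
import secrets


def unkeyed_tag(message: bytes) -> bytes:
    """'Integrity check' built from a public hash: anyone can compute it."""
    return hashlib.sha256(message).digest()


def unkeyed_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the same hash, but keyed, so producing a tag needs the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself does not
    # leak which byte of a guessed tag was wrong.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def active_attacker(original: bytes, tag: bytes, replacement: bytes):
    """An active adversary on the wire sees (message, tag), drops the message,
    and forwards its own replacement with the only tag it can build without
    the key: the public hash of the new message."""
    return replacement, unkeyed_tag(replacement)


def run_scenarios(key: bytes) -> dict:
    """Whether the receiver accepts the attacker's substitution under each scheme."""
    msg = b"pay 100 to alice"          # constructed example message
    forged = b"pay 100 to mallory"
    # Scheme 1: sender appends H(m); the attacker rewrites both message and hash.
    m1, t1 = active_attacker(msg, unkeyed_tag(msg), forged)
    # Scheme 2: sender appends HMAC(k, m); the attacker still has no k.
    m2, t2 = active_attacker(msg, keyed_tag(key, msg), forged)
    return {
        "genuine_unkeyed_accepted": unkeyed_verify(msg, unkeyed_tag(msg)),
        "forgery_unkeyed_accepted": unkeyed_verify(m1, t1),
        "genuine_keyed_accepted": keyed_verify(key, msg, keyed_tag(key, msg)),
        "forgery_keyed_accepted": keyed_verify(key, m2, t2),
        # Reusing the genuine tag on the forged message fails too.
        "replayed_tag_keyed_accepted": keyed_verify(key, forged, keyed_tag(key, msg)),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios(secrets.token_bytes(32)).items():
        print(f"{name}: {accepted}")
```

The unkeyed forgery is accepted every time, because verification and forgery are the same computation. Use a real MAC construction such as HMAC rather than an ad hoc keyed hash; HMAC is what the standard library provides and is the safe default.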

6. Text problem 2.7.6 (pg 58)

If the good guys keep the same key size, then faster computers are purely an advantage for the bad guys: a brute-force search that used to take some time T now takes T/2. But if the good guys double their key size, then in the textbook's model (where the good guys' work grows linearly with key length) their work doubles, which the faster hardware exactly cancels, so their time stays the same as it used to be, while the bad guys' work squares.

For example, suppose the good guys were using an n-bit key. With a computer twice as fast, they can use a 2n-bit key with the same performance, since doubling the length of the key just doubles their work. However, an exhaustive search of a 2n-bit key space takes 2^(2n) = (2^n)^2 trials, i.e. 2^n times as many as for the n-bit key, and the bad guys' doubled speed buys back only a single factor of 2 of that. So the speedup works to the advantage of the good guys.
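The same argument carried through symbolically, as an added derivation rather than part of the original solution set. It assumes the textbook's simplified cost model: the good guys' work is linear in the key length $n$ and the bad guys' work is an exhaustive search of the $2^n$ keys, and both run on hardware of speed $s$ operations per unit time.

\[
W_{\text{good}}(n) = c\,n, \qquad W_{\text{bad}}(n) = 2^{n} \quad (\text{worst case; } 2^{n-1} \text{ expected}).
\]

When hardware speed doubles from $s$ to $2s$, the good guys pick the new key length $n'$ that keeps their time unchanged:

\[
\frac{W_{\text{good}}(n')}{2s} = \frac{W_{\text{good}}(n)}{s}
\;\Longrightarrow\; c\,n' = 2\,c\,n
\;\Longrightarrow\; n' = 2n .
\]

The bad guys' time before and after the change is then

\[
T_{\text{bad}}^{\text{before}} = \frac{2^{n}}{s}, \qquad
T_{\text{bad}}^{\text{after}} = \frac{2^{2n}}{2s} = \frac{(2^{n})^{2}}{2s},
\qquad
\frac{T_{\text{bad}}^{\text{after}}}{T_{\text{bad}}^{\text{before}}} = 2^{\,n-1}.
\]

So the attacker's job gets $2^{n-1}$ times harder, not $2n$ times: for a 56-bit key (DES) that is a factor of $2^{55}$.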