
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 3 (Network Security)
3.1 Firewalls
Given an internal network with all hosts in the range 192.168.0.0/24, write firewall rules according to the given textual descriptions. Remember to include default policies.
(a) HTTP/HTTPS only: Allow all internal hosts to act as HTTP/HTTPS clients, i.e. connect to TCP ports 80 and 443. Forbid all other communication.


Action  | Source         | Source port | Destination    | Dest. port | Protocol | State
allow   | 192.168.0.0/24 | *           | *              | 80, 443    | TCP      | *
allow   | *              | 80, 443     | 192.168.0.0/24 | *          | TCP      | established
discard | *              | *           | *              | *          | *        | *

Rules are evaluated top-down and the first match wins; the last row is the default policy. The "established" state of the second row admits only replies to connections that an internal client opened, so an outside host cannot reach an internal machine merely by sending from source port 80 or 443.
(b) Blocklisting: Allow all outgoing connections, but block traffic to and from servers 6.6.6.6/32
and 66.66.66.66/32.
Action  | Source                     | Source port | Destination                | Dest. port | Protocol | State
discard | *                          | *           | 6.6.6.6/32, 66.66.66.66/32 | *          | *        | *
discard | 6.6.6.6/32, 66.66.66.66/32 | *           | *                          | *          | *        | *
allow   | 192.168.0.0/24             | *           | *                          | *          | *        | *
allow   | *                          | *           | 192.168.0.0/24             | *          | *        | established
discard | *                          | *           | *                          | *          | *        | *

The two discard rows have to precede the allow rows: with first-match evaluation, an "allow all outgoing" row placed above them would silently bypass the blocklist. The default policy is again discard.
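Worked example (added here; it is not part of the exercise sheet): the two tables above as a small stateful, first-match packet filter in Go, run over constructed sample packets. The addresses 203.0.113.5 and 198.51.100.7 are documentation addresses chosen for the example, and the flow table that backs the "established" column is an assumption of the example, not something the sheet prescribes.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
)

// Packet carries the header fields the rule tables in 3.1 match on.
type Packet struct {
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
	Proto            string // "tcp", "udp", ...
}

// Rule is one row of a table; an empty list or "" stands for "*" (any).
type Rule struct {
	Allow              bool
	Src, Dst           []netip.Prefix
	SrcPorts, DstPorts []uint16
	Proto              string
	Established        bool // row matches only replies to a flow admitted earlier
}

// matches reports whether set is "*" (empty) or some element satisfies pred.
func matches[T any](set []T, pred func(T) bool) bool {
	for _, x := range set {
		if pred(x) {
			return true
		}
	}
	return len(set) == 0
}

// Firewall evaluates rules top-down (first match wins) and remembers admitted
// flows so that the "established" column can be evaluated for reply packets.
type Firewall struct {
	Rules []Rule
	flows []Packet // the packets that opened admitted flows
}

// Filter reports whether pk passes the rule set.
func (fw *Firewall) Filter(pk Packet) bool {
	// pk is "established" if it travels in the reverse direction of an admitted flow.
	established := slices.Contains(fw.flows, Packet{pk.Dst, pk.Src, pk.DstPort, pk.SrcPort, pk.Proto})
	contains := func(a netip.Addr) func(netip.Prefix) bool {
		return func(p netip.Prefix) bool { return p.Contains(a) }
	}
	equals := func(x uint16) func(uint16) bool { return func(y uint16) bool { return x == y } }
	for _, r := range fw.Rules {
		if (r.Established && !established) || (r.Proto != "" && r.Proto != pk.Proto) ||
			!matches(r.Src, contains(pk.Src)) || !matches(r.Dst, contains(pk.Dst)) ||
			!matches(r.SrcPorts, equals(pk.SrcPort)) || !matches(r.DstPorts, equals(pk.DstPort)) {
			continue
		}
		if r.Allow && !r.Established {
			fw.flows = append(fw.flows, pk)
		}
		return r.Allow
	}
	return false // default policy: discard
}

var (
	internal = []netip.Prefix{netip.MustParsePrefix("192.168.0.0/24")}
	blocked  = []netip.Prefix{netip.MustParsePrefix("6.6.6.6/32"), netip.MustParsePrefix("66.66.66.66/32")}
)

// RulesA is table (a): internal hosts may only act as HTTP/HTTPS clients.
func RulesA() []Rule {
	return []Rule{
		{Allow: true, Src: internal, DstPorts: []uint16{80, 443}, Proto: "tcp"},
		{Allow: true, SrcPorts: []uint16{80, 443}, Dst: internal, Proto: "tcp", Established: true},
		{Allow: false}, // default policy
	}
}

// RulesB is table (b). The discard rows must stay above the allow rows: with
// first-match semantics, "allow 192.168.0.0/24 -> *" placed first would bypass them.
func RulesB() []Rule {
	return []Rule{
		{Allow: false, Dst: blocked},
		{Allow: false, Src: blocked},
		{Allow: true, Src: internal},
		{Allow: true, Dst: internal, Established: true},
		{Allow: false},
	}
}

func tcp(src string, sport uint16, dst string, dport uint16) Packet {
	return Packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), sport, dport, "tcp"}
}

func main() {
	fw := &Firewall{Rules: RulesA()} // addresses below are constructed, not captured traffic
	fmt.Println(fw.Filter(tcp("192.168.0.10", 40000, "203.0.113.5", 443))) // true: HTTPS request
	fmt.Println(fw.Filter(tcp("203.0.113.5", 443, "192.168.0.10", 40000))) // true: its reply
	fmt.Println(fw.Filter(tcp("203.0.113.5", 443, "192.168.0.20", 40000))) // false: unsolicited
}
```

The third packet in main is the reason the State column exists: an outside host that simply uses source port 443 is still discarded, because no internal client opened that flow. Swapping the first and third rows of RulesB makes traffic to 6.6.6.6 pass, which is the ordering pitfall noted under table (b).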
3.2 Certificates
(a) Which root CAs does your browser trust? How many are there?
Hints: For Chrome and Chromium derivatives, go to chrome://settings/certificates, and
look at the “Authorities” tab. For Firefox, go to about:preferences#privacy, scroll down to “Security”, and click “View Certificates” under the “Certificates” heading.
(b) Which and how many certificates are there in the certificate chain for github.com?
Hints: To view the certificate (chain) of a site, start by clicking the lock in the address bar. Then, in Chromium and derivatives, click “Certificate”. For Firefox, click the sideways arrow next to “Connection secure”, then click “More Information”. In the newly opened window, click “View Certificate”.

(c) Until when is their certificate valid?
(d) What cryptographic algorithm does the key underlying the certificate for google.com use? NB: This can be different from the algorithm used to sign the certificate.
(e) Compare the certificates of google.com and tu-dortmund.de with regards to the key’s algorithm and size.
3.3 Denial of Service
(a) What types of DoS attacks do you know? What countermeasures are there?
(b) Why is it more difficult to fend off DDoS attacks than centralized DoS attacks?
3.4 Onion Routing
(a) Explain how onion routing (or TOR in particular, if you prefer) achieves the goal of anonymity.
Solution (3.2 b): One intermediate certificate, i.e. three certificates if the leaf and the root are counted: the leaf certificate for github.com is signed by the intermediate DigiCert SHA2 High Assurance Server CA, which is in turn signed by the root certificate DigiCert High Assurance EV Root CA. (The server normally sends only the leaf and the intermediate; the root is taken from the browser's own trust store, i.e. the list from (a).)
Solution (3.2 c): At the time of writing, the certificate served by github.com expires on Thursday, March 31, 2022 at 2:00 AM GMT+2. Server certificates are reissued regularly, so this date changes.
Solution (3.2 d): The certificate is signed with PKCS #1 SHA-256 with RSA encryption, i.e. the issuer's RSA key produced the signature, but the key inside the certificate (google.com's own key) is an elliptic-curve key: Chromium-based browsers describe it as “Elliptic Curve Public Key”, Firefox more precisely as a key on the P-256 curve.
Solution (3.2 e): The certificate of tu-dortmund.de carries a 4096-bit RSA key (PKCS #1 RSA encryption), that of google.com a 256-bit elliptic-curve key (P-256), as discussed in the previous question. This illustrates the efficiency gain of elliptic-curve cryptography over traditional asymmetric algorithms: a 256-bit EC key is commonly rated as offering security comparable to an RSA key of roughly 3072 bits, with far smaller keys and signatures and faster operations.
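Worked example (added here, not part of the exercise sheet) in Go using only the standard library's crypto/x509. Because the answers to (b) to (e) change whenever the sites rotate their certificates, the example builds a throw-away two-level PKI locally, a hypothetical RSA root "Example Root CA" signing a leaf for the hypothetical name example.test, and then reads the same fields a browser displays: chain length, NotAfter, the signature algorithm and the algorithm and size of the key inside the certificate. The CA name, host name and validity periods are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report collects, for a leaf certificate, what questions (b) to (e) ask about.
type Report struct {
	ChainLen int                     // (b) certificates in the validated chain, leaf and root included
	NotAfter time.Time               // (c) end of validity
	SigAlg   x509.SignatureAlgorithm // (d) what the issuer used to sign the certificate
	KeyAlg   x509.PublicKeyAlgorithm // (d) algorithm of the key inside the certificate
	KeyBits  int                     // (e) RSA modulus size or EC curve size
}

func keyBits(pub any) int {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen()
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize
	}
	return 0
}

func makeCert(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildAndInspect builds a throw-away two-level PKI: an RSA root CA signs a leaf for
// the hypothetical host example.test whose own key is either EC P-256 (as observed for
// google.com) or RSA with rsaBits (as for tu-dortmund.de). It then validates the chain
// the way a browser would and reports the fields the exercise asks for.
func BuildAndInspect(leafEC bool, rsaBits int) (Report, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Report{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return Report{}, err
	}
	var leafKey crypto.Signer
	if leafEC {
		leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		leafKey, err = rsa.GenerateKey(rand.Reader, rsaBits)
	}
	if err != nil {
		return Report{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	// The leaf is signed with the CA's RSA key whatever the leaf's own key type is:
	// that is why signature algorithm and key algorithm can differ (the "NB" in (d)).
	leaf, err := makeCert(leafTmpl, caCert, leafKey.Public(), caKey)
	if err != nil {
		return Report{}, err
	}
	roots := x509.NewCertPool() // plays the role of the browser's trust store from (a)
	roots.AddCert(caCert)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots})
	if err != nil {
		return Report{}, err
	}
	return Report{ChainLen: len(chains[0]), NotAfter: leaf.NotAfter, SigAlg: leaf.SignatureAlgorithm,
		KeyAlg: leaf.PublicKeyAlgorithm, KeyBits: keyBits(leaf.PublicKey)}, nil
}

func main() {
	r, err := BuildAndInspect(true, 0) // EC leaf under an RSA root, as seen for google.com
	if err != nil {
		panic(err)
	}
	fmt.Printf("chain=%d notAfter=%s signature=%s key=%s/%d\n",
		r.ChainLen, r.NotAfter.Format(time.RFC3339), r.SigAlg, r.KeyAlg, r.KeyBits)
}
```

For the live sites the same fields can be read without a browser: `openssl s_client -connect github.com:443 -showcerts </dev/null` prints the chain the server sends, and piping one certificate into `openssl x509 -noout -text` shows "Signature Algorithm" (the issuer's choice) separately from "Public Key Algorithm" (the site's key), which is exactly the distinction the NB in (d) points at.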
Solution (3.3 a): There are many types of DoS attacks: volumetric floods (ICMP/UDP floods), state-exhaustion attacks (SYN floods), reflection and amplification attacks (requests with a spoofed source address are sent to servers whose replies, often many times larger, land on the victim), application-layer attacks (HTTP floods, Slowloris, R.U.D.Y., “are you dead yet”), decompression bombs, and DNS water torture attacks (queries for random non-existent subdomains that overload the authoritative servers).
Countermeasures include upstream filtering (dropping or scrubbing the flood before it reaches the victim's uplink), anti-spoofing ingress filtering (which denies attackers the spoofed sources that reflection and amplification depend on), and traffic shaping or rate limiting per source; SYN cookies specifically defeat SYN floods.
Solution (3.3 b): A DDoS attack is launched from many sources, so it cannot be stopped by blocking a handful of addresses. It is also harder to tell the malicious traffic from legitimate traffic, because each individual source may send only a modest, normal-looking amount; blocking by address therefore risks overshooting and cutting off legitimate users as well.
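Worked example (added here, not from the exercise sheet) in Go, showing two of the countermeasures named in the solution to (a) as code: an ingress anti-spoofing check and per-source traffic shaping with token buckets, run over constructed traffic from three sources, a well-behaved client, a flooding host inside the customer prefix and a forged source outside it. The prefix 192.0.2.0/24, the rate of 10 packets/s and the burst of 20 are assumed parameters. The result also illustrates (b): the per-source bucket caps the single flooder hard, but a DDoS spread over many sources that each stay below the rate would pass unchanged.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// bucket is a token bucket: at most capacity tokens, refilled at rate tokens/second.
type bucket struct {
	tokens float64
	last   time.Time
}

// Shaper applies two countermeasures from 3.3 (a) at a network's edge:
//   - anti-spoofing (ingress filtering): packets whose source address is not in the
//     customer's prefix are dropped, so hosts here cannot send spoofed floods or
//     trigger reflection/amplification against third parties;
//   - traffic shaping: a per-source token bucket limits every source to rate
//     packets/s (bursts up to capacity), so one flooding host cannot saturate the uplink.
type Shaper struct {
	allowed  netip.Prefix
	rate     float64
	capacity float64
	buckets  map[netip.Addr]*bucket
	Dropped  map[string]int // reason -> count
}

func NewShaper(allowed netip.Prefix, rate, capacity float64) *Shaper {
	return &Shaper{allowed: allowed, rate: rate, capacity: capacity,
		buckets: map[netip.Addr]*bucket{}, Dropped: map[string]int{}}
}

// Admit decides whether a packet from src arriving at time now is forwarded.
func (s *Shaper) Admit(src netip.Addr, now time.Time) bool {
	if !s.allowed.Contains(src) {
		s.Dropped["spoofed"]++
		return false
	}
	b, ok := s.buckets[src]
	if !ok {
		b = &bucket{tokens: s.capacity, last: now}
		s.buckets[src] = b
	}
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * s.rate
		if b.tokens > s.capacity {
			b.tokens = s.capacity
		}
		b.last = now
	}
	if b.tokens < 1 {
		s.Dropped["rate"]++
		return false
	}
	b.tokens--
	return true
}

// Simulate feeds constructed traffic (not captured data) through one shaper and
// returns the admitted packets per source role plus the shaper's drop counters.
func Simulate() (admitted, dropped map[string]int) {
	s := NewShaper(netip.MustParsePrefix("192.0.2.0/24"), 10, 20) // 10 pkt/s, burst 20
	base := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	admitted = map[string]int{}
	flooder := netip.MustParseAddr("192.0.2.66")  // inside the prefix, 1000 pkt/s
	client := netip.MustParseAddr("192.0.2.7")    // inside the prefix, 5 pkt/s
	spoofed := netip.MustParseAddr("203.0.113.9") // forged source outside the prefix
	for i := 0; i < 1000; i++ {
		if s.Admit(flooder, base.Add(time.Duration(i)*time.Millisecond)) {
			admitted["flooder"]++
		}
	}
	for i := 0; i < 5; i++ {
		if s.Admit(client, base.Add(time.Duration(i)*200*time.Millisecond)) {
			admitted["client"]++
		}
	}
	for i := 0; i < 100; i++ {
		if s.Admit(spoofed, base.Add(time.Duration(i)*time.Millisecond)) {
			admitted["spoofed"]++
		}
	}
	return admitted, s.Dropped
}

func main() {
	admitted, dropped := Simulate()
	fmt.Println("admitted:", admitted, "dropped:", dropped)
}
```

With these parameters the flooder gets its burst of 20 plus roughly one packet per 100 ms through and the remaining ~970 are dropped, the client loses nothing, and every spoofed packet is dropped before any bucket is consulted.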
Solution (3.4 a): To hide who is communicating with whom, onion routing networks do not route packets directly from the source to the destination. Instead, the client builds a circuit through several intermediate nodes (Tor uses three) and wraps each message in one layer of encryption per node; each node removes its own layer and thereby learns only its predecessor and its successor, never both endpoints.

(b) Explain for each type of node (entry, middle, exit) which information they have access to.
Entry Node The entry node knows the client that initiates the connection as well as the succeeding middle node. It does not learn the destination.
Middle Node A middle node knows only the preceding node (entry or middle) and the succeeding node (exit or middle).
Exit Node The exit node knows the server as well as the preceding middle node, but not the client. In addition, it can read (and alter) the data being sent unless it is protected end-to-end by a protocol such as TLS.
(c) Assume an evil party operates a single node within a TOR network. Will they be able to cause damage? If so, how? What if they control multiple nodes?
(d) What are ways deanonymization could occur in a TOR network? Are they feasible?
Solution (3.4 c): A single node, whatever its type, can never deanonymize both peers: it only learns the IP addresses of its direct neighbours in the circuit. What it can do depends on its position: an entry node sees the client address but not the destination, and a malicious exit node sees the destination and can read or modify any traffic that is not protected end-to-end, without knowing who sent it.
The more nodes an attacker controls, the higher the probability that a given circuit passes through attacker-controlled nodes at both ends; controlling the entry and the exit (or the entire circuit) is enough to link client and destination by correlating the traffic seen at both nodes.
Solution (3.4 d): First, an attacker could run so many nodes that with reasonable probability they alone control the relevant nodes of a particular circuit. This, however, requires a massive amount of network and computing resources on the attacker's side and is therefore considered infeasible.
Traffic correlation attacks, in contrast, are feasible and have been used in practice (e.g. in criminal investigations). The idea: if one has a rough idea of who the client and the server could be, one observes both network connections and correlates the timing and the amount of data sent on one side with that received on the other.
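Worked example (added here; not part of the exercise sheet, and not Tor's actual cell format or circuit handshake) in Go: the client wraps a message in one AES-GCM layer per relay, and each relay strips one layer and learns nothing but the next hop, so the views collected by Walk reproduce the table from (b). The per-hop keys are assumed to be shared already (Tor negotiates them hop by hop while extending the circuit); the relay names, the destination server.example and the message are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// layer is what a relay sees after stripping its own layer of encryption.
type layer struct {
	Next    string `json:"next"`    // next relay, or the destination at the exit
	Payload []byte `json:"payload"` // still encrypted for the relays that follow
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a per-hop key and returns nonce || ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails (authentication error) for every key but the right one.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// BuildOnion wraps msg for the circuit hops[0] (entry) .. hops[n-1] (exit), one key per hop.
// The innermost layer, readable only by the exit, names the destination and carries the data.
func BuildOnion(hops []string, keys [][]byte, dest string, msg []byte) ([]byte, error) {
	next, payload := dest, msg
	for i := len(hops) - 1; i >= 0; i-- {
		pt, _ := json.Marshal(layer{Next: next, Payload: payload}) // cannot fail for these field types
		var err error
		if payload, err = seal(keys[i], pt); err != nil {
			return nil, err
		}
		next = hops[i]
	}
	return payload, nil
}

// Relay is one node's work: strip one layer with its own key and learn only the next hop.
func Relay(key, onion []byte) (next string, inner []byte, err error) {
	var l layer
	pt, err := open(key, onion)
	if err == nil {
		err = json.Unmarshal(pt, &l)
	}
	return l.Next, l.Payload, err
}

// View records what one node could observe (question (b)).
type View struct {
	Node, Prev, Next string
	SeesPayload      bool // only the exit, and only if the payload is not itself TLS-protected
}

// Walk forwards the onion along the circuit; it returns each node's view and what leaves the exit.
func Walk(client string, hops []string, keys [][]byte, onion []byte) ([]View, []byte, error) {
	views, prev, cur := []View{}, client, onion
	for i, hop := range hops {
		next, inner, err := Relay(keys[i], cur)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: %w", hop, err)
		}
		views = append(views, View{hop, prev, next, i == len(hops)-1})
		prev, cur = hop, inner
	}
	return views, cur, nil
}

func main() {
	hops := []string{"entry", "middle", "exit"}
	keys := [][]byte{make([]byte, 32), make([]byte, 32), make([]byte, 32)} // assumed pre-shared per hop
	for _, k := range keys {
		io.ReadFull(rand.Reader, k)
	}
	onion, _ := BuildOnion(hops, keys, "server.example", []byte("GET / HTTP/1.1"))
	fmt.Println(Walk("client", hops, keys, onion))
}
```

Running it prints one view per relay: the entry sees client and middle, the middle sees entry and exit, the exit sees middle and server.example together with the plaintext request. No single view contains both client and server.example, which is the point of (c); an adversary holding the entry and exit keys, however, holds both ends of the same circuit, which is where the traffic correlation of (d) starts.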
