
Swinburne University of Technology HIT7720

Faculty of Information and Communication Technologies Secure Networks

HIT7720 – Secure Networks

Multiple Choice Answer Sheet

Circle ONE answer only

1 A B C D

2 A B C D

3 A B C D

4 A B C D

5 A B C D

6 A B C D

7 A B C D

8 A B C D

9 A B C D

10 A B C D

11 A B C D

12 A B C D

13 A B C D

14 A B C D

15 A B C D

16 A B C D

17 A B C D

18 A B C D

19 A B C D

20 A B C D

Page 1 of 5

Section A
Multiple Choice Questions
Each question is worth one mark
No answer is worth 0 marks
An incorrect answer loses ¼ of a mark

1. A honeypot can be best described as:

A. A server that has not been secured properly that will be hacked by an intruder first
B. One or more monitored servers or services that are extremely important to an enterprise network
C. A set of firewall rules that, when signaled by an IDS, slow an attacker down
D. One or more monitored servers or services, presented on a network specifically for the purpose
of being hacked by intruders

2. When a wireless network uses 802.1x:

A. Care must be taken to make sure rogue APs are not introduced onto the network as they can be
used to crack the encryption of 802.1x over a period of time
B. 802.1x should not be used. It was defined with a weak protocol and can be cracked under certain
circumstances in a matter of minutes
C. Central authentication servers are often used
D. DNSsec is mandatory. Without it, hosts will be refused connection to the network.

3. Signature based IDS:

A. Uses algorithms and thresholds to set off alerts
B. Is an IDS that signals a firewall when it detects known binary sequences or events
C. Does not work on IPv6 based networks
D. Looks for known binary sequences or events and upon finding them, generates alerts

4. Nmap scanning of subnets becomes largely ineffective in IPv6 networks. This is because:

A. The time taken to scan one subnet is so large that it would take many years to complete at any
reasonable current-day bandwidth
B. Most hosts that implement IPv6 also implement IPSEC
C. IPv6 does not use ARP (Address Resolution Protocol), it uses ND (Neighbor Discovery),
which contains new security mechanisms
D. IPv6 addresses are significantly larger than IPv4 addresses, making for bigger packets

5. Radika External-Locus is a woman who runs a small website that is accessible from the IPv4
Internet. The site receives only 3 or 4 unique visitors a day. The content of her site is not security
related. Which statement is most true?

A. She does not need to implement security measures unless her site has users who might be
hackers
B. She needs no security, as her number of unique visitors per day is too small for any sort of DoS
C. She needs to implement security measures because she does not run IPv6
D. She needs to implement security measures


6. The wide deployment of the recommendations in BCP 38 would help with:

A. DHCP issues
B. ARP issues
C. DDoS issues
D. BGP issues

7. Lawrence Slowman has deployed WEP security as the only type of security on his wireless
network. Which statement is most true?

A. This is a very good move by Lawrence.
B. This is a very bad move by Lawrence.
C. WEP offers limited security, so it is better than nothing as it takes many weeks to crack the
encryption of WEP.
D. WEP offers limited security, so it is better than nothing because it takes many days to crack the
encryption of WEP.

8. Lawrence Slowman has deployed a greynet on his enterprise network in an attempt to detect
virus infections on his network. Which statement is most true?

A. This will not work at all. He will detect no viruses as a greynet does not look for virus
signatures.
B. This will work for all viruses for which the greynet has been given virus signatures.
C. This will work, but only for viruses that perform network scanning as part of their spread.
D. This will work, but only for viruses that use huge amounts of Internet network bandwidth – that
will trigger the greynet's threshold alarms

[…etc...]

20. A network segment that deploys DHCP can suffer from a rogue client requesting multiple IP
addresses, to the point where there are none left. This could be prevented in a wired network by:

A. Deploying Greynets to detect the rogue DHCP requests
B. Limiting the number of MAC addresses allowed on each ethernet port
C. It cannot be prevented, it can only be detected
D. Tapping the network at layer 1 and sending a copy of all DHCP requests to the king of the Internet


Section B
Written Answers
Answer ALL questions
Each question is worth 8 marks

1. What is a zero day exploit? (2 marks)
Are these more, or less, of a problem for victims than other types of exploits? Why? (2 marks)

A zero day exploit is an attack that uses an exploit that was previously unknown. Users and
developers of software have no warning of the exploit (0 days to prepare). These are more of an
issue than other types of exploits because there is no knowledge of the exploits and thus no
patches to code have yet been developed to fix vulnerable software.

2. Broadly speaking, what does an ARP exchange involve? How could a hacker involve themselves
in this exchange? (Use a diagram in your answer.) (3 + 3 + 2 marks)

When a host needs to forward a packet to an IP address on a local subnet, but does not know what
the host's MAC address is, it issues a broadcast ARP request. For example, “Who has 192.168.1.1?
Tell host 192.168.1.100.” The host with the IP address 192.168.1.1 will send a unicast reply,
“192.168.1.1 is at MAC address {x}”.

An attacker could involve themselves in this exchange (see diagram) by waiting for a host to make
a (broadcast) ARP request (1). Before the correct host can reply, the attacker can then send an ARP
reply with the attacker's host details (2). The victim's traffic will then travel to the attacker (3).
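The exchange above, replayed through an arpwatch-style monitor that flags a reply which conflicts with the MAC already learned for an IP, or that nobody asked for. This is an added example, not part of the exam paper; the MAC addresses, the frame sequence and the ArpFrame/ArpMonitor names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ArpFrame:
    op: str          # "request" ("who has target_ip?") or "reply" ("sender_ip is at sender_mac")
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # ip -> MAC first seen claiming it
    pending: set = field(default_factory=set)   # IPs with an unanswered request
    alerts: list = field(default_factory=list)

    def observe(self, f):
        """Feed one frame; return the alerts it raised (possibly none)."""
        found = []
        if f.op == "request":
            self.pending.add(f.target_ip)
            return found
        if f.sender_ip not in self.pending:
            # a reply nobody asked for: the classic cache-poisoning pattern
            found.append(("unsolicited", f.sender_ip, f.sender_mac))
        self.pending.discard(f.sender_ip)
        known = self.table.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            # two different MACs claim the same IP: the race in step (2) above
            found.append(("conflict", f.sender_ip, f.sender_mac))
        self.alerts.extend(found)
        return found

GATEWAY_MAC = "00:11:22:33:44:55"   # constructed
ATTACKER_MAC = "66:77:88:99:aa:bb"  # constructed

def run_constructed_exchange():
    """Replay the honest exchange from the answer, then the attacker's interference."""
    m = ArpMonitor()
    frames = [
        ArpFrame("request", "192.168.1.100", "de:ad:be:ef:00:01", "192.168.1.1"),
        ArpFrame("reply", "192.168.1.1", GATEWAY_MAC, "192.168.1.100"),   # honest reply, learned
        ArpFrame("reply", "192.168.1.1", ATTACKER_MAC, "192.168.1.100"),  # no request outstanding
        ArpFrame("request", "192.168.1.100", "de:ad:be:ef:00:01", "192.168.1.1"),
        ArpFrame("reply", "192.168.1.1", ATTACKER_MAC, "192.168.1.100"),  # attacker answers first
    ]
    for f in frames:
        m.observe(f)
    return m.alerts
```

The monitor keeps the first MAC it learned rather than overwriting it, so a legitimate reply arriving after the attacker's still produces a conflict alert; either way the operator sees two stations claiming 192.168.1.1.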

3. Lawrence Slowman places a Honeypot host on his network. What is Lawrence attempting to do
by putting a honeypot on his network? (8 marks)

Lawrence has put a host on his network where it, or its services, are known to be vulnerable to
exploits. This host has no important information on it and is not used by regular users, although he
might have suggested it does (for example, by giving it a host name like “CreditCardServer”). He is
attempting to make any hackers that enter his network attack this machine first. He has placed
triggers on this machine and its services, so if there is any access, he will be alerted.


4. What is IP packet spoofing? Does this make DDoS attacks more or less effective, and why? (4 +
4 marks)

IP packet spoofing is where a host sends an IP packet onto a network where instead of its own IP
address in the source IP field, it places a different IP address (often randomised). This makes DDoS
more effective. When attackers use their own IP addresses, a victim can place a filter preventing
packets with these source addresses entering their network. When a victim network receives an IP
packet with a forged or randomised source address, a victim has no way of knowing if this is a
legitimate packet or not and must process and reply to it.

5. What is a Darknet?
Compare and contrast this to a Greynet. (Include a diagram as part of your written response.)
How might a Greynet help the administrators of an enterprise network?
(3 + 3 + 2 marks)

A darknet is a contiguous block of IP address space (as large as can be achieved) that appears in the
global routing table. Every IP address in the block is passively monitored for inbound packets
(diagram left). Two types of packets enter darknet space: direct connection attempts (most
probably attempted malware connection attempts) and backscatter.

A greynet is a distributed enterprise-network darknet. Greynet listener hosts are dispersed amongst
'normal' hosts on the network (diagram right).

A greynet can help a network administrator by alerting them to hosts on their own network
performing scans on other hosts. A host doing a scan on the network strongly suggests it is looking
for servers and services to exploit.
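As an added example (not part of the exam paper), the two ideas in this answer in code: packets arriving at unused darknet/greynet addresses are sorted into direct connection attempts or backscatter by their TCP flags, and any internal host that touches several greynet listeners is reported as a probable scanner. The listener addresses, hosts and packet records are constructed.

```python
from collections import defaultdict

LISTENERS = {"10.0.5.17", "10.0.5.42", "10.0.6.3", "10.0.7.88"}  # greynet hosts (constructed)

# Each record: (src_ip, dst_ip, dst_port, tcp_flags); all values constructed
PACKETS = [
    ("10.0.5.9", "10.0.5.17", 445, "S"),     # internal host probing SMB on a listener
    ("10.0.5.9", "10.0.5.42", 445, "S"),
    ("10.0.5.9", "10.0.6.3", 445, "S"),
    ("10.0.5.9", "10.0.7.88", 445, "S"),
    ("10.0.5.20", "10.0.5.42", 80, "S"),     # one stray connection, not a scan
    ("203.0.113.7", "10.0.6.3", 80, "SA"),   # SYN-ACK to a SYN we never sent: backscatter
    ("198.51.100.2", "10.0.7.88", 22, "R"),  # RST for the same reason: backscatter
    ("10.0.5.9", "10.0.5.1", 53, "S"),       # gateway, not a listener: ignored
]

def classify(flags):
    """Label a packet seen at a listener: a lone SYN is a direct connection
    attempt; SYN-ACK or RST is a reply to a spoofed SYN, i.e. backscatter."""
    if flags == "S":
        return "direct"
    if flags in ("SA", "R", "RA"):
        return "backscatter"
    return "other"

def summarise(packets, listeners=LISTENERS):
    """Count packets reaching darknet/greynet space by category."""
    counts = defaultdict(int)
    for _, dst, _, flags in packets:
        if dst in listeners:
            counts[classify(flags)] += 1
    return dict(counts)

def greynet_scanners(packets, listeners=LISTENERS, threshold=3):
    """Sources that tried to connect to at least `threshold` distinct listeners."""
    touched = defaultdict(set)
    for src, dst, _, flags in packets:
        if dst in listeners and classify(flags) == "direct":
            touched[src].add(dst)
    return {src: len(d) for src, d in touched.items() if len(d) >= threshold}
```

A single stray connection to one listener is expected on a busy network, which is why the scanner report counts distinct listeners per source rather than raising on the first hit.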
