計(jì)算機(jī)安全課后題

精選優(yōu)質(zhì)文檔-----傾情為你奉上精選優(yōu)質(zhì)文檔-----傾情為你奉上專心---專注---專業(yè)專心---專注---專業(yè)精選優(yōu)質(zhì)文檔-----傾情為你奉上專心---專注---專業(yè)EdwardElric計(jì)算機(jī)安全EdwardElric計(jì)算機(jī)安全原理與實(shí)踐課后習(xí)題答案含題目及答案中英文對(duì)照原理與實(shí)踐課后習(xí)題答案含題目及答案中英文對(duì)照

計(jì)算機(jī)安全原理與實(shí)踐課后習(xí)題答案第一章概述OverviewPe6-Pc4P1.1-Pe36-Pc24R：思考題；P：習(xí)題；R：思考題；P：習(xí)題；Pe：英文書頁碼；Pc：中文書頁碼。思考在自動(dòng)柜員機(jī)（ATM）上，用戶提供銀行卡和個(gè)人標(biāo)識(shí)碼（PIN）用于賬戶訪問。給出與系統(tǒng)相關(guān)的機(jī)密性、完整性和可用性要求的例子，并說明每種情況下的要求的重要性等級(jí)。答：Thesystemmustkeeppersonalidentificationnumbersconfidential,bothinthehostsystemandduringtransmissionforatransaction.Itmustprotecttheintegrityofaccountrecordsandofindividualtransactions.Availabilityofthehostsystemisimportanttotheeconomicwellbeingofthebank,butnottoitsfiduciaryresponsibility.Theavailabilityofindividualtellermachinesisoflessconcern.P1.5-P37-Pc25UseamatrixformattoshowtherelationshipbetweenX.800securityservicesandsecuritycorrespondtoservices.Eachcellinthematrixshouldbechecked,ornot,toindicatewhetherthecorrespondingmechanismisusedinprovidingthecorrespondingservice.使用矩陣形式來說明X.800安全服務(wù)和安全機(jī)制間的關(guān)系。矩陣的列對(duì)用安全機(jī)制，行對(duì)應(yīng)安全服務(wù)。矩陣中的每一個(gè)單元用來表示是否有相應(yīng)的機(jī)制提供對(duì)用的服務(wù)。

P1.6-P37-Pc25DrawamatrixsimilartothatfortheprecedingproblemthatshowstherelationshipbetweenX.800securityservicesandnetworksecurityattacks.畫一個(gè)類似于上述問題的矩陣，給出X.800安全服務(wù)與網(wǎng)絡(luò)安全攻擊的關(guān)系。P1.7-P37-Pc25DrawamatrixsimilartothatfortheprecedingproblemthatshowstherelationshipbetweenX.800securitymechanismsandnetworksecurityattacks.畫一個(gè)類似于上述問題的矩陣，給出X.800安全機(jī)制與網(wǎng)絡(luò)安全攻擊的關(guān)系。第六章入侵檢測(cè)InstructionDetectionPe176-Pc116R6.10-Pe209-Pc138Whatisthedifferencebetweenadistributedhost-basedIDSandaNIDS?基于主機(jī)的分布式IDS和NIDS之間的區(qū)別是什么？答：ANIDSexaminespackettrafficdirectedtowardpotentiallyvulnerablecomputersystemsonanetwork.Ahost-basedsystemexaminesuserandsoftwareactivityonahost.AdistributedIDSisacollectionofhost-basedIDSsthatcooperate,butthefocusremainsonhostactivityratherthannetworkactivity.

監(jiān)測(cè)網(wǎng)絡(luò)上流向潛在的易受攻擊的計(jì)算機(jī)系統(tǒng)的數(shù)據(jù)包流量，而基于主機(jī)的IDS系統(tǒng)檢測(cè)的是主機(jī)上的用戶和軟件活動(dòng)

R6.11-Pe209-Pc138DescribethetypesofsensorsthatcanbeusedinaNIDS.描述可被用于NIDS的傳感器類型。答：Aninlinesensorisinsertedintoanetworksegmentsothatthetrafficthatitismonitoringmustpassthroughthesensor.Apassivesensormonitorsacopyofnetworktraffic;theactualtrafficdoesnotpassthroughthedevice.

內(nèi)嵌傳感器將被插入到網(wǎng)絡(luò)段，以使正在監(jiān)控的流量必須通過傳感器。另一種是被動(dòng)傳感器，監(jiān)控網(wǎng)絡(luò)流量的備份，實(shí)際的流量并沒有通過這個(gè)設(shè)備。R6.12-Pe209-Pc138WhatarepossiblelocationsforNIDSsensors?NIDS傳感器可能的位置是什么？答：1.justinsidetheexternalfirewall;

2.betweentheexternalfirewallandtheInternetorWAN;

3.attheentrancetomajorbackbonenetworks;tosupportworkstationLANs.

1.在外部防火墻之中

2.在外部防火墻和以太網(wǎng)/網(wǎng)絡(luò)之間

3.在主要支柱網(wǎng)絡(luò)的入口處，用來維護(hù)局域網(wǎng)。R6.13-Pe209-Pc138Whatisahoneypot?蜜罐的含義是什么？答：Honeypotsaredecoysystemsthataredesignedtolureapotentialattackerawayfromcriticalsystems.

蜜罐是為了引誘潛在的攻擊者原理關(guān)鍵系統(tǒng)而設(shè)計(jì)的障人耳目的系統(tǒng)。第七章惡意軟件MaliciousSoftwarePe215-Pc142P7.1-Pe246-Pc163Whatistheroleifcompressionintheoperationifavirus?病毒執(zhí)行過程中壓縮的作用是什么？答：Avirusmayusecompressionsothattheinfectedprogramisexactlythesamelengthasanuninfectedversion.

病毒在壓縮可能使得被感染程序正好與未被感染時(shí)的長(zhǎng)度想同。P7.2-Pe246-Pc163Whatistheroleofencryptionintheoperationofavirus?病毒執(zhí)行過程中加密的作用是什么？答：Aportionofthevirus,generallycalledamutationengine,createsarandomencryptionkeytoencrypttheremainderofthevirus.Thekeyisstoredwiththevirus,andthemutationengineitselfisaltered.Whenaninfectedprogramisinvoked,thevirususesthestoredrandomkeytodecryptthevirus.Whenthevirusreplicates,adifferentrandomkeyisselected.

先通過部分病毒代碼生成一個(gè)隨機(jī)的密鑰，然后用密鑰加密其余部分。密鑰保存在病毒代碼中。當(dāng)被感染的程序執(zhí)行時(shí)，先要使用這個(gè)隨即密鑰解密被加密的部分。再感染過程中，病毒會(huì)重新生成隨即密鑰。因?yàn)閷?duì)每一個(gè)病毒實(shí)例都使用不同的密鑰進(jìn)行加密，所以在病毒代碼很難找到用于模式匹配的固定字節(jié)。P7.3-Pe246-Pc163Whataretypicalphasesofoperationofavirusorworm?病毒或蠕蟲執(zhí)行過程中的典型階段是什么？答：Adormantphase,apropagationphase,atriggeringphase,andanexecutionphaseP7.6-Pe246-Pc163Ingeneralterms,howdoesawormpropagate?在一般情況下，蠕蟲是如何傳播的？答：1.Searchforothersystemstoinfectbyexamininghosttablesorsimilarrepositoriesofremotesystemaddresses.

2.Establishaconnectionwitharemotesystem.

3.Copyitselftotheremotesystemandcausethecopytoberun.

1通過檢查主機(jī)列表或者相似的遠(yuǎn)程系統(tǒng)地址庫，來尋找要感染的系統(tǒng)。

2與遠(yuǎn)程主機(jī)建立連接。

3將自己復(fù)制到遠(yuǎn)程主機(jī)上，并使該拷貝運(yùn)行。P7.8-Pe246-Pc163Whatisthedifferencebetweenabotandarootkit?bot和rootkit有什么不同？答：Abot(robot),alsoknownasazombieordrone,isaprogramthatsecretlytakesoveranotherInternet-attachedcomputerandthenusesthatcomputertolaunchattacksthataredifficulttotracetothebot'screator.Arootkitisasetofprogramsinstalledonasystemtomaintainadministrator(orroot)accesstothatsystem.Rootaccessprovidesaccesstoallthefunctionsandservicesoftheoperatingsystem.Therootkitaltersthehost'sstandardfunctionalityinamaliciousandstealthyway.第八章拒絕服務(wù)攻擊DenialofServicePe249-Pc166R8.1-Pe271-Pc180Defineadenial-of-service(DoS)attack.試述拒絕服務(wù)（DoS）攻擊的定義。答：Adenialofservice(DoS)attackisanactionthatpreventsorimpairstheauthorizeduseofnetworks,systems,orapplicationsbyexhaustingresourcessuchascentralprocessingunits(CPU),memory,bandwidth,anddiskspace.

DoS是一種通過耗盡CPU、內(nèi)存、快帶以及磁盤空間等系統(tǒng)資源，來阻止或削弱對(duì)網(wǎng)絡(luò)、系統(tǒng)或應(yīng)用程序的授權(quán)使用的行為。R8.2-Pe271-Pc180Whattypesofresourcesaretargetedbysuchattacks?那些類型的資源被DoS攻擊作為攻擊目標(biāo)？答：Resourcesthatcouldbeattackedincludeanylimitedresourcessuchas:networkbandwidth,systemresources,orapplicationresources.

網(wǎng)絡(luò)帶寬，系統(tǒng)資源，應(yīng)用資源R8.3-Pe271-Pc180Whatisthegoalofafloodingattack?

洪泛攻擊的目標(biāo)是什么？答：Thegoalofafloodingattackisgenerallytooverloadthenetworkcapacityonsomelinktoaserver,oralternativelytooverloadtheserver’sabilitytohandleandrespondtothistraffic.

洪泛攻擊的目的大都是使到服務(wù)器的鏈路超負(fù)荷，也可以是使服務(wù)器處理和響應(yīng)網(wǎng)絡(luò)流量的能力超負(fù)荷。R8.4-Pe271-Pc180Whattypesofpacketsarecommonlyusedforfloodingattacks?在通常的洪泛攻擊當(dāng)中，一般會(huì)使用什么樣的數(shù)據(jù)包？答：Virtuallyanytypeofnetworkpacketcanbeusedinafloodingattack,thoughcommonfloodingattacksuseICMP,UDPorTCPSYNpackettypes.

幾乎任何類型的網(wǎng)絡(luò)數(shù)據(jù)包都可以進(jìn)行洪泛攻擊，通常使用的有：ICMP,UDPorTCPSYN。R8.5-Pe271-Pc180WhydomanyDoSattacksusepacketswithspoofedsourceaddresses?為什么很多的DoS攻擊使用帶有虛假源地址的數(shù)據(jù)包？答：ManyDoSattacksusepacketswithspoofedsourceaddressessoanyresponsespacketsthatresultarenolongerbereflectedbacktotheoriginalsourcesystem,butratherarescatteredacrosstheInternettoallthevariousforgedsourceaddresses.Someoftheseaddressesmightcorrespondtorealsystems,othersmaynotbeused,ornotreachable.Anyresponsepacketsreturnedasaresultonlyaddtothefloodoftrafficdirectedatthetargetsystem.R8.6-Pe271-Pc180Defineadistributeddenial-of-service(DDoS)attack.給出分布式拒絕服務(wù)（DDoS）攻擊的定義。答：Adistributeddenialofservice(DDoS)attackusesmultipleattackingsystems,oftenusingcompromiseduserworkstationsorPC’s.Largecollectionsofsuchsystemsunderthecontrolofoneattackercanbecreated,collectivelyforminga“botnet”.Byusingmultiplesystems,theattackercansignificantlyscaleupthevolumeoftrafficthatcanbegenerated.Alsobydirectingtheattackthroughintermediaries,theattackerisfurtherdistancedfromthetarget,andsignificantlyhardertolocateandidentify.R8.7-Pe271-Pc181Whatarchitecturedoesadistributeddenialofservice(DDoS)attacktypicallyuse?DDoS攻擊通常所使用的體系結(jié)構(gòu)是什么樣的？答：Distributeddenialofservice(DDoS)attackbotnetstypicallyuseacontrolhierarchy,whereasmallnumberofsystemsactashandlerscontrollingamuchlargernumberofagentsystems,asshowninFigure8.4.Thesehaveareanumberofadvantages,astheattackercansendasinglecommandtoahandler,whichthenautomaticallyforwardsittoalltheagentsunderitscontrol.Automatedinfectiontoolscanalsobeusedtoscanforandcompromisesuitablezombiesystems.R8.8-Pe271-Pc181Defineareflectionattack.給出反射攻擊的定義。答：Inareflectionattack,theattackersendsanetworkpacketwithaspoofedsourceaddresstoaservicerunningonsomenetworkserver,thatrespondstothespoofedsourceaddressthatbelongstotheactualattacktarget.Iftheattackersendsanumberofsuchspoofedrequeststoanumberofservers,theresultingfloodofresponsescanoverwhelmthetarget’snetworklink.Thefactthatnormalserversystemsarebeingusedasintermediaries,andthattheirhandlingofthepacketsisentirelyconventional,meanstheseattackscanbeeasiertodeploy,andhardertotracebacktotheactualattacker.

攻擊者將想攻擊的目標(biāo)系統(tǒng)地址作為數(shù)據(jù)包的源地址，并將這些數(shù)據(jù)包發(fā)送給中間媒介上的一直網(wǎng)絡(luò)服務(wù)。當(dāng)中間媒介響應(yīng)時(shí)，大量的響應(yīng)數(shù)據(jù)包會(huì)被發(fā)送給源地址所指向的目標(biāo)系統(tǒng)。他能有效地使攻擊從中間媒介反射出去。R8.9-Pe271-Pc181Defineanamplificationattack.給出放大攻擊的定義。答：Anamplificationattackalsoinvolvessendingpacketstointermediarieswithaspoofedsourceaddressforthetargetsystem.Theydifferingeneratingmultipleresponsepacketsforeachoriginalpacketsent,typicallybydirectingtheoriginalrequesttothebroadcastaddressforsomenetwork.Alternativelytheyuseaservice,oftenDNS,whichcangenerateamuchlargerresponsepacketthantheoriginalrequest.

放大攻擊是反射攻擊的一個(gè)變種，同樣是發(fā)送帶有虛假源地址的數(shù)據(jù)包給中間媒介。不同的是中間媒介對(duì)每個(gè)來自攻擊者的初始數(shù)據(jù)包會(huì)產(chǎn)生對(duì)各響應(yīng)數(shù)據(jù)包。攻擊者可以發(fā)送初始請(qǐng)求數(shù)據(jù)包到某些網(wǎng)絡(luò)的廣播地址，那么整個(gè)網(wǎng)絡(luò)上的所有主機(jī)都可能會(huì)對(duì)數(shù)據(jù)包中源地址所指向的主機(jī)進(jìn)行響應(yīng)，即這些主機(jī)會(huì)形成一個(gè)響應(yīng)數(shù)據(jù)包洪泛流。R8.10-Pe271-Pc181WhatistheprimarydefenseagainstmanyDoSattacks.Andwhereisitimplemented?防范DoS攻擊的基本措施是什么？在哪里實(shí)施？答：TheprimarydefenseagainstmanyDoSattacksistopreventsourceaddressspoofing.Thismustbeimplementedclosetothesourceofanypacket,whentherealaddress(oratleastnetwork)isknown.TypicallythisistheISPprovidingthenetworkconnectionforanorganizationorhomeuser.Itknowswhichaddressesareallocatedtoallitscustomers,andhenceisbestplacedtoensurethatvalidsourceaddressesareusedinallpacketsfromitscustomers.R8.11-Pe271-Pc181Whatistheprimarydefenseagainstnonspoofedfloodingattacks?Cansuchattacksbeentirelyprevented?哪些防范措施可能抵御非欺騙的洪泛攻擊？能否徹底預(yù)防這種攻擊？答：Excessnetworkbandwidthandreplicateddistributedservers,particularlywhentheoverloadisanticipated.Thisdoeshaveasignificantimplementationcostthough.Ratelimitsofvarioustypesontrafficcanalsobeimposed.Howeversuchattackscannotbeentirelyprevented,andmayoccur“accidentally”asaresultofveryhighlegitimatetrafficloads.R8.12-Pe271-Pc181WhatdefensesarepossibleagainstTCPSYNspoofingattacks?什么措施可以防范TCPSYN欺騙攻擊？答：ItispossibletospecificallydefendagainsttheSYNspoofingattackbyusingamodifiedversionoftheTCPconnectionhandlingcode,whichinsteadofsavingtheconnectiondetailsontheserver,encodescriticalinformationina“cookie”sentastheserver’sinitialsequencenumber.WhenalegitimateclientrespondswithanACKpacket,theserverisabletoreconstructthisinformation.Typicallythistechniqueisonlyusedwhenthetableoverflows,asitdoestakecomputationresourcesontheserver,andalsoblockstheuseofcertainTCPextensions.

1可以使用改進(jìn)版本的TCP鏈接處理程序來專門抵御SYN欺騙攻擊。2當(dāng)TCP連接表溢出時(shí)，我們可以通過修改系統(tǒng)的TCP/IP網(wǎng)絡(luò)處理程序來選擇性的丟棄一個(gè)TCP連接表中不完全連接的表項(xiàng)，從而允許新的連接請(qǐng)求。3修改TCP/IP網(wǎng)絡(luò)處理程序中所使用的參數(shù)。R8.13-Pe271-Pc181Whatdothetermsslashdottedandflashcrowdreferto?WhatistherelationbetweentheseinstancesoflegitimatenetworkoverloadandtheconsequencesofaDoSattack?Slshdotted和flashcrowd分別表示什么？正常的網(wǎng)絡(luò)超負(fù)荷與DoS攻擊所造成的服務(wù)器拒絕服務(wù)之間的關(guān)系是什么？答：Thetermsslashdottedorflashcrowdrefertoverylargevolumesoflegitimatetraffic,asresultofhighpublicityaboutaspecificsite,oftenasaresultofapostingtothewell-knownSlashdotorothersimilarnewsaggregationsite.Thereisverylittlethatcanbedonetopreventthistypeofeitheraccidentalordeliberateoverload,withoutalsocompromisingnetworkperformance.Theprovisionofsignificantexcessnetworkbandwidthandreplicateddistributedserversistheusualresponseasnotedinquestion8.11.R8.14-Pe271-Pc181Whatdefensesarepossibletopreventanorganization’ssystemsbeingusedasintermediariesinanamplificationattack?什么措施可以防止某機(jī)構(gòu)的主機(jī)系統(tǒng)唄用作放大攻擊的中間媒介？答：Topreventanorganization’ssystemsbeingusedasintermediariesinabroadcastamplificationattack,thebestdefenseistoblocktheuseofIPdirectedbroadcasts.ThiscanbedoneeitherbytheISP,orbyanyorganizationwhosesystemscouldpotentiallybeusedasanintermediary.

R8.15-Pe271-Pc181WhatstepsshouldbetakenwhenaDoSattackisdetected?當(dāng)檢測(cè)到DoS攻擊時(shí)，我們應(yīng)該采取什么措施？答：Inordertosuccessfullyrespondtoadenialofserviceattack,agoodincidentresponseplanisneededtoprovideguidance.Whenadenialofserviceattackisdetected,thefirststepistoidentifythetypeofattackandhencethebestapproachtodefendagainstit.Fromthisanalysisthetypeofattackisidentified,andsuitablefiltersdesignedtoblocktheflowofattackpackets.ThesehavetobeinstalledbytheISPontheirrouters.Iftheattacktargetsabugonasystemorapplication,ratherthanhightrafficvolumes,thenthismustbeidentified,andstepstakentocorrectittopreventfutureattacks.Inthecaseofanextended,concerted,floodingattackfromalargenumberofdistributedorreflectedsystems,itmaynotbepossibletosuccessfullyfilterenoughoftheattackpacketstorestorenetworkconnectivity.Insuchcasestheorganizationneedsacontingencystrategytoswitchtoalternatebackupservers,ortorapidlycommissionnewserversatanewsitewithnewaddresses,inordertorestoreservice.R8.16-Pe271-Pc181WhatmeasuresareneededtotracethesourceofvarioustypesofpacketsusedinaDoSattack?Aresometypesofpacketseasiertotracebacktotheirsourcethanothers?有什么方法可以被用雷追蹤Dos攻擊所使用數(shù)據(jù)包的源頭？室友有一些數(shù)據(jù)包與其他數(shù)據(jù)包相比更容易被追蹤？答：TheorganizationmayalsowishtotracethesourceofvarioustypesofpacketsusedinaDoSattack.Ifnon-spoofedaddressesareused,thisiseasy.Howeverifspoofedsourcesaddressesareused,thiscanbedifficultandtime-consuming,astheirISPwillneedtotracetheflowofpacketsbackinanattempttoidentifytheirsource.Thisisgenerallyneithereasynorautomated,andrequirescooperationfromthenetworkprovidersthesepacketstraverseP8.1-Pe271-Pc181InordertoimplementtheclassicDoSfloodattack,theattackermustgenerateasufficientlylargevolumeofpacketstoexceedthecapacityifthelinktothetargetorganization.ConsideranattackusingICMPechorequest(ping)packetsthatare500bytesinsize(ignoringframingoverhead).Howmanyofthesepacketspersecondmusttheattackersendtofloodatargetorganizationusinga0.5-Mbpslink?Howmanypersecondiftheattackerusesa2-Mbpslink?Ora10-Mbpslink?為了進(jìn)行經(jīng)典的DoS洪泛攻擊，攻擊者必須能夠植草出足夠大量的數(shù)據(jù)包來戰(zhàn)局目標(biāo)體統(tǒng)的鏈路容量。假設(shè)現(xiàn)在有一個(gè)利用ICMP回送請(qǐng)求（ping）數(shù)據(jù)包的DoS攻擊，數(shù)據(jù)包的大小為500字節(jié)（忽略成幀開銷）。對(duì)于一個(gè)使用0.5Mbps帶寬鏈路的目標(biāo)組織來說，攻擊者每秒鐘至少要發(fā)送多少個(gè)數(shù)據(jù)包才能進(jìn)行有效的攻擊？在鏈路的帶寬為2Mbps和10Mbps的情況下呢？答：InaDoSattackusingICMPEchoRequest(ping)packets500bytesinsize,tofloodatargetorganizationusinga0.5Megabitpersecond(Mbps)linktheattackerneeds/(500×8)=125packetspersecond.Ona2Mbpslinkit’s/(500*8)=500packetspersecond.Ona10Mbpslinkit’s/(500*8)=2500packetspersecond.P8.2-Pe271-Pc181UsingaTCPSYNspoofingattack,theattackeraimstofloodthetableofTCPconnectionrequestsonasystemsothatitisunabletorespondtolegitimateconnectionrequests.Consideraserversystemwithatablefor256connectionrequests.ThissystemwillretrysendingtheSYN-ACKpacketfivetimeswhenitfailstoreceiveatable.Assumethatnoadditionalcountermeasuresareusedagainstthisattackandthattheattackerhasfilledthistablewithaninitialfloodofconnectionrequests.AtwhatratemusttheattackercontinuetosendTCPconnectionrequeststothissysteminordertoensurethatthetableremainsfull?AssumingthattheTCPSYNpacketis40bytesinsize(ignoringframingoverhead),howmuchbandwidthdoestheattackerconsumetocontinuethisattack?在TCPSYN欺騙攻擊中，攻擊者目的是使用目標(biāo)系統(tǒng)上的TCP連接請(qǐng)求表溢出，從而使系統(tǒng)對(duì)合法連接請(qǐng)求不能進(jìn)行相應(yīng)。假設(shè)目標(biāo)系統(tǒng)上的TCP連接請(qǐng)求表表項(xiàng)為256項(xiàng)，目標(biāo)系統(tǒng)的每次超時(shí)時(shí)間為30秒，允許超時(shí)次數(shù)為5次。如果一個(gè)連接請(qǐng)求超時(shí)未有應(yīng)答，而且超時(shí)次數(shù)大于5，那么這個(gè)請(qǐng)求將會(huì)從TCP連接請(qǐng)求表中清除。在沒有相關(guān)的應(yīng)對(duì)措施和攻擊者已經(jīng)占滿了目標(biāo)系統(tǒng)的TCP連接請(qǐng)求表的情況下，為了能夠持續(xù)占滿目標(biāo)系統(tǒng)的TCP連接請(qǐng)求表，攻擊者應(yīng)該以什么樣的速率發(fā)送TCP連接請(qǐng)求？如果TCPSYN數(shù)據(jù)包的大小為40字節(jié)（忽略成幀開銷），那么攻擊者所發(fā)送的請(qǐng)求數(shù)據(jù)包將消耗掉目標(biāo)系統(tǒng)的多少帶寬？答：ForaTCPSYNspoofingattack,onasystemwithatablefor256connectionrequests,thatwillretry5timesat30secondintervals,beforepurgingtherequestfromitstable,eachconnectionrequestoccupiesatableentryfor6×30secs(initial+5repeats)=3min.Inordertoensurethatthetableremainsfull,theattackermustcontinuetosend256/3orabout86TCPconnectionrequestsperminute?AssumingtheTCPSYNpacketis40bytesinsize,thisconsumesabout86×40×8/60,whichisabout459bitspersecond,anegligibleamount.P8.3-Pe272-Pc181ConsideradistributedvariantoftheattackweexploreinProblem8.1.AssumetheattackerhascompromisedanumberofbroadbandconnectedresidentialPCstouseaszombiesystems.Alsoassumeeachsuchsystemhasanaverageuplinkcapacityof128kbps.Whatisthemaximumnumberof500-byteICMPechorequest(ping)packetsasinglezombiePCcansendpersecond?Howmanysuchzombiesystemswouldtheattackerneedtofloodatargetorganizationusinga0.5-Mbpslink?A2-Mbpslink?Ora10-Mbpslink?Givenreportsofbotnetscomposedofmanythousandsofzombiesystems,whatcanyouconcludeaboutabilitytolaunchDDoSattacksonmultiplesuchorganizationssimultaneously?Oronamajororganizationwithmultiple,muchlargernetworklinksthanwehaveconsideredintheseproblems?在分布式的洪泛攻擊（如習(xí)題8.1所述）中，假設(shè)攻擊者已經(jīng)控制了一定數(shù)量的高寬帶僵尸機(jī)，而且每個(gè)僵尸機(jī)有著同樣的網(wǎng)絡(luò)上傳帶寬128kbps。那么對(duì)于每個(gè)大小為500字節(jié)的ICMP回送請(qǐng)求數(shù)據(jù)包來說，單一的僵尸機(jī)每秒鐘可以發(fā)送多少個(gè)？攻擊者至少需要多少個(gè)這樣的僵尸機(jī)才能有效洪泛網(wǎng)絡(luò)帶寬分別為0.5Mbps、2Mbps和10Mbps的目標(biāo)系統(tǒng)？如果一直一個(gè)擁有數(shù)千個(gè)僵尸機(jī)的僵尸網(wǎng)絡(luò)的性能數(shù)據(jù)信息，那么當(dāng)這個(gè)將是網(wǎng)絡(luò)同時(shí)發(fā)起攻擊時(shí)你可以想象到什么？或者想象一下，一個(gè)大規(guī)模的組織具有多條大容量的連接，上述情況又如何？答：InthedistributedvariantoftheattackfromProblem8.1,asinglezombiePCcansend/(500×8)=32packetspersecond.About4suchzombiesystemsareneededtofloodatargetorganizationusinga0.5Megabitpersecond(Mbps)link,lookingeitherat500kbps/128kbps,or125/32packetspersec.Fora2Mbpslinkabout16areneeded(500/32pps),fora10Mbpslinkabout79areneeded(2500/32pps).Givenreportsofbotnetscomposedofmanythousandsofzombiesystems,clearlymultiplesuchsimultaneouslyDDoSattacksarepossible.Asisanattackonamajororganizationwithmultiple,muchlargernetworklinks(e.g.1000zombieswith128kbpslinkscanflood128Mbpsofnetworklinkcapacity).P8.4-Pe272-Pc181InordertoimplementaDNSamplificationattack,theattackermusttriggerthecreationofasufficientlylargevolumeofDNSresponsepacketsfromtheintermediarytoexceedthecapacityofthelinktothetargetorganization.ConsideranattackwheretheDNSresponsepacketsare500bytesinsize(ignoringframingoverhead).Howmanyofthesepacketspersecondmusttheattackertriggertofloodatargetorganizationusinga0.5-Mbpslink?A2-Mbpslink?Ora10-Mbpslink?IftheDNSrequestpackettotheintermediaryis60bytesinsize,howmuchbandwidthdoestheattackerconsumetosendthenecessaryrateofDNSrequestpacketsforeachifthesethreecases?為了進(jìn)行DNS放大攻擊，攻擊者必須制造出總量的數(shù)據(jù)包，來出發(fā)中間媒介產(chǎn)生大量的DNS應(yīng)答數(shù)據(jù)包給目標(biāo)系統(tǒng)，并耗盡目標(biāo)系統(tǒng)的網(wǎng)絡(luò)帶寬。假設(shè)DNS應(yīng)答數(shù)據(jù)包的大小為500字節(jié)（忽略成幀開銷），攻擊者每秒鐘至少要使中間媒介產(chǎn)生多少個(gè)DNS應(yīng)答數(shù)據(jù)包才能有效地攻擊網(wǎng)絡(luò)帶寬分別為0.5Mbps、2Mbps和10Mbps的目標(biāo)系統(tǒng)？如果DMS情書數(shù)據(jù)包的大小為60字節(jié)，那么對(duì)于上述三種帶寬的攻擊，攻擊者要分別小號(hào)多少的本地帶寬？答：TheanswersfortheDNSamplificationattackarethesameasinProblem8.1.Ona0.5Mbpslink,125packets,eachof500bytes,areneededpersecond.500ppsareneededtoflooda2Mbpslink,and2500ppstoflooda10Mbpslink.Assuminga60byteDNSrequestpacketthen125×60×8=60kbpsisneededtotriggerthefloodona0.5Mbpslink,240kbpstofloodthe2Mbpslink,and1.2Mbpstofloodthe10Mbpslink.Inallcasestheamplificationis500/60=8.3times.第九章防火墻與入侵防護(hù)系統(tǒng)FirewallsandIntrusionPreventionSystemsPe273-Pc183R9.1-Pe299-Pc201Listthreedesigngoalsforafirewall.列出防火墻設(shè)計(jì)的三個(gè)目標(biāo)。答：1.Alltrafficfrominsidetooutside,andviceversa,mustpassthroughthefirewall.Thisisachievedbyphysicallyblockingallaccesstothelocalnetworkexceptviathefirewall.Variousconfigurationsarepossible,asexplainedlaterinthissection.

2.Onlyauthorizedtraffic,asdefinedbythelocalsecuritypolicy,willbeallowedtopass.Varioustypesoffirewallsareused,whichimplementvarioustypesofsecuritypolicies,asexplainedlaterinthissection.

3.Thefirewallitselfisimmunetopenetration.Thisimpliesthatuseofatrustedsystemwithasecureoperatingsystem.

1所有入站和出站的網(wǎng)絡(luò)流量都必須通過防火墻?？梢酝ㄟ^物理阻斷所有避開防火墻訪問內(nèi)部網(wǎng)絡(luò)的企圖來實(shí)現(xiàn)。

2只有經(jīng)過授權(quán)的網(wǎng)絡(luò)流量，例如符合本地安全策略定義的流量，防火墻才允許通過?？梢允褂貌煌愋偷姆阑饓?shí)現(xiàn)不同的安全策略。

3防火墻本身不能被滲透，防火墻應(yīng)該運(yùn)行在有安全操作系統(tǒng)的可信系統(tǒng)上。R9.3-Pe299-Pc201Whatinformationisusedbyatypicalpacketfilteringfirewall?典型的包過濾防火墻使用了什么信息？答：SourceIPaddress:TheIPaddressofthesystemthatoriginatedtheIPpacket.DestinationIPaddress:TheIPaddressofthesystemtheIPpacketistryingtoreach.Sourceanddestinationtransport-leveladdress:Thetransportlevel(e.g.,TCPorUDP)portnumber,whichdefinesapplicationssuchasSNMPorTELNET.IPprotocolfield:Definesthetransportprotocol.Interface:Forarouterwiththreeormoreports,whichinterfaceoftherouterthepacketcamefromorwhichinterfaceoftherouterthepacketisdestinedfor.

源IP地址：發(fā)送IP包的系統(tǒng)的IP地址；目的IP地址：包要到達(dá)的系統(tǒng)的IP地址；源和目的段傳輸層地址：只傳輸層（如TCP，UDP）端口號(hào)，不同的端口號(hào)定義了不同的應(yīng)用程序，如SNMP和TELNET；IP協(xié)議域：用于定義傳輸協(xié)議；接口：對(duì)于有三個(gè)或更多接口的防火墻來說，定義哪個(gè)接口用于包的出站，哪個(gè)接口用于包的入站。R9.5-Pe299-Pc201Whatisthedifferencebetweenapacketfilteringfirewallandastatefulinspectionfirewall?包過濾防火墻和狀態(tài)檢測(cè)防火墻的區(qū)別是什么？答：Atraditionalpacketfiltermakesfilteringdecisionsonanindividualpacketbasisanddoesnottakeintoconsiderationanyhigherlayercontext.AstatefulinspectionpacketfiltertightensuptherulesforTCPtrafficbycreatingadirectoryofoutboundTCPconnections,asshowninTable9.2.Thereisanentryforeachcurrentlyestablishedconnection.Thepacketfilterwillnowallowincomingtraffictohigh-numberedportsonlyforthosepacketsthatfittheprofileofoneoftheentriesinthisdirectory.

簡(jiǎn)單的包過濾防火墻允許所有高編號(hào)端口上基于TCP的入站網(wǎng)絡(luò)流量。狀態(tài)監(jiān)測(cè)防火墻通過建立一個(gè)出站TCP連接目錄來強(qiáng)制執(zhí)行TCP流量的規(guī)則。當(dāng)每個(gè)已建立的連接都有一項(xiàng)與之對(duì)應(yīng)。這樣，只有當(dāng)數(shù)據(jù)包符合這過目錄中的某項(xiàng)時(shí)，包過濾器才允許那些到達(dá)高編號(hào)端口的入站流量通過。R9.6-Pe299-Pc201Whatisanapplication-levelgateway?什么是應(yīng)用級(jí)網(wǎng)關(guān)？答：Anapplication-levelgateway,alsocalledaproxyserver,actsasarelayofapplication-leveltraffic.

應(yīng)用級(jí)網(wǎng)關(guān)也稱為應(yīng)用代理，騎著應(yīng)用級(jí)流量中繼器的作用。R9.7-Pe299-Pc201Whatisacircuit-levelgateway?什么是電路級(jí)網(wǎng)關(guān)？答：Acircuit-levelgatewaydoesnotpermitanend-to-endTCPconnection;rather,thegatewaysetsuptwoTCPconnections,onebetweenitselfandaTCPuseronaninnerhostandonebetweenitselfandaTCPuseronanoutsidehost.Oncethetwoconnectionsareestablished,thegatewaytypicallyrelaysTCPsegmentsfromoneconnectiontotheotherwithoutexaminingthecontents.Thesecurityfunctionconsistsofdeterminingwhichconnectionswillbeallowed.

電路級(jí)網(wǎng)關(guān)不允許端到端TCP鏈接，一條在自身和內(nèi)部主機(jī)TCP用戶之間，另一條在自身和外部之間TCP用戶之間。一旦建立了兩條鏈接，網(wǎng)關(guān)就可以在這兩天里鏈接之間傳遞TCP段，不檢查其內(nèi)容。安全功能包括判斷哪些鏈接是允許的。R9.9-Pe299-Pc201Whatarethecommoncharacteristicsofabastionhost?堡壘主機(jī)共有的特征是什么？答：1.Thebastionhosthardwareplatformexecutesasecureversionofitsoperatingsystem,makingitahardenedsystem.

2.Onlytheservicesthatthenetworkadministratorconsidersessentialareinstalledonthebastionhost.ThesecouldincludeproxyapplicationsforDNS,FTP,HTTP,andSMTP.

3.Thebastionhostmayrequireadditionalauthenticationbeforeauserisallowedaccesstotheproxyservices.Inaddition,eachproxyservicemayrequireitsownauthenticationbeforegrantinguseraccess.

4.Eachproxyisconfiguredtosupportonlyasubsetofthestandardapplication’scommandset.

5.Eachproxyisconfiguredtoallowaccessonlytospecifichostsystems.Thismeansthatthelimitedcommand/featuresetmaybeappliedonlytoasubsetofsystemsontheprotectednetwork.

6.Eachproxymaintainsdetailedauditinformationbyloggingalltraffic,eachconnection,andthedurationofeachconnection.Theauditlogisanessentialtoolfordiscoveringandterminatingintruderattacks.

7.Eachproxymoduleisaverysmallsoftwarepackagespecificallydesignedfornetworksecurity.Becauseofitsrelativesimplicity,itiseasiertochecksuchmodulesforsecurityflaws.Forexample,atypicalUNIXmailapplicationmaycontainover20,000linesofcode,whileamailproxymaycontainfewerthan1000.

8.Eachproxyisindependentofotherproxiesonthebastionhost.Ifthereisaproblemwiththeoperationofanyproxy,orifafuturevulnerabilityisdiscovered,itcanbeuninstalledwithoutaffectingtheoperationoftheotherproxyapplications.Also,iftheuserpopulationrequiressupportforanewservice,thenetworkadministratorcaneasilyinstalltherequiredproxyonthebastionhost.

9.Aproxygenerallyperformsnodiskaccessotherthantoreaditsinitialconfigurationfile.Hence,theportionsofthefilesystemcontainingexecutablecodecanbemadereadonly.ThismakesitdifficultforanintrudertoinstallTrojanhorsesniffersorotherdangerousfilesonthebastionhost.

10.Eachproxyrunsasanonprivilegeduserinaprivateandsecureddirectoryonthebastionhost.R9.10-Pe299-Pc