Carnegie Mellon Computer Science Department
15-441 Spring 2008
Final

Name:
Andrew ID:

INSTRUCTIONS:
There are 16 pages (numbered at the bottom). Make sure you have all of them.
Please write your name on this cover and at the top of each page in this booklet except the last.
If you find a question ambiguous, be sure to write down any assumptions you make.
It is better to partially answer a question than to not attempt it at all.
Be clear and concise. Limit your answers to the space provided.
Generally speaking, you need to briefly explain your answer and you will not get full credit for yes/no answers or just numbers. Exceptions are multiple choice questions or questions where you fill in a table or header.

Points per section:
A: 20   B: 15   C: 15   D: 8   E: 15   F: 15   G: 10   H: 15   I: 7   Total: 120

A Protecting Your Web Server

Your friend Alyssa Carmellon recently started a fantastically successful new anti-social networking site where people who dislike people can meet other people, and then dislike them. Unfortunately, with popularity—and the particular clientele the site attracts—has come a serious problem: her site is under constant denial-of-service attack. She's offered you a generous consulting fee if you can help her solve this problem.

1. Alyssa mentions that the attacks seem to be sending 500 small packets every second. The attack causes her web server machine to print out an error message:

    Kernel Error: Maximum number of pending TCP connections exceeded.

and the machine then ignores most attempts to connect to port 80 (the Web server). She notes that during this attack, the web server software itself appears totally bored—it's not handling any GET requests from clients!

You tell Alyssa that this is most likely a: (circle exactly one)
A. TCP Bandwidth exhaustion flood
B. TCP SYN flood
C. UDP bandwidth exhaustion flood
D. Smurf attack
E. Blormig exploit
F. It's a fluke, ignore it, it'll go away

2. Alyssa seems pleased with your explanation, but still wants to know how to solve it. She tells you that all of the packets seem to come from a single IP address, IPevil. You suggest that she configure her border router to act as a firewall to drop the right packets to protect the Web server from attack. List in the table below the rules you would enter into the firewall. You can enter a single number or IP address, a range, or * as a wildcard. The action should be either "pass" or "drop".
(Note: Specify the entire firewall configuration below. Don't assume anything about the way it was configured or working before or by default.)

    Source    Dest    Protocol    Src Port Range    Dst Port Range    Action

3. You receive a check from Alyssa, but two weeks later she returns and tells you that the attacker got smarter. Now, whenever she installs a firewall rule to block the traffic, the source IP address changes to a new one, sometimes within minutes! Her sysadmins can't react quickly enough to keep the site online more than half the time.

After thinking for a while, you ask her more about the traffic pattern. You observe that no single source should be sending very many of these packets at all, since a source should only need one or two concurrent connections with your Web server. The problem, then, is to ensure that over some period of time, that source doesn't send too many packets.

(a) What mechanism do you suggest that Alyssa use to solve this new problem?
A. BGP
B. A firewall
C. Token bucket
D. CSMA
E. A well-trained monkey

(b) You recall that this mechanism can be configured with both a long-term rate and a small "burst" number of packets. Assume that you will need to support a wide range of legitimate clients, from ancient browsers using the earliest HTTP 0.9 (recall too that many of these old browsers also opened 4 connections at a time) to modern browsers using HTTP 1.1 with its modern features for improved efficiency. Suggest to Alyssa:

How many connections to allow in a burst, and briefly (1 sentence) explain why:

How many connections to allow as a longer-term rate (per second or per minute):

(Your answers don't have to be precise, we're just looking for a reasonable answer and justification that makes sense.)

(c) With the parameters you chose, how many connections could a client open in:
1 second?
10 seconds?
1 minute?

B Waterpipe network

4. Five prisoners are locked up in adjacent cells in a prison. They would like to communicate with each other but the walls and doors are too thick. One day, one of the prisoners discovers that if he hits the water pipe in his cell with a metal spoon, the sound travels to two cells in each direction, i.e. the sound from cell i can be heard in cells i-2, i-1, i+1, and i+2, assuming these cells exist. After some experiments, they discover this is true for all the cells.

Over lunch, they decide to define a protocol that will allow efficient communication. One of the prisoners has taken 441 and argues that this is very much like an Ethernet, so they decide to use the Ethernet protocol over their Water Pipe Network. Unfortunately, there are some problems. Can you help them?

(a) Ethernet uses CSMA/CD as its medium access mechanism. Can you explain how the three concepts that are used in CSMA/CD (CS, MA, and CD) map onto specific aspects of this network?

(b) In the Water Pipe Network, not all cells can hear each other. What mechanism could you use so all inmates can talk to each other?

(c) The prisoners started planning a jail break. During this time, they were all talking to each other frequently. Unfortunately, they found that using CSMA/CD over the Water Pipe Network resulted in a significant packet loss rate. Can you identify the problem responsible for the packet losses and propose a solution?

C Layering/Tunnelling

5. The figure below shows a network topology connecting two LANs.
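Looking back at question 3 of section A: the reason a per-source token bucket copes with an attacker who keeps changing source address, where a static firewall rule does not, is that every new source is handed its own bucket and can never get more than the burst plus the long-term rate through it. The following Python is an added illustration of that mechanism and is not part of the exam; the burst of 8 connections and rate of 1 connection per second are assumed settings chosen only to make the arithmetic visible, not a suggested answer, and the source addresses are constructed values from documentation ranges.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class TokenBucket:
    """Per-source token bucket: `burst` tokens of capacity, refilled at
    `rate` tokens per second. One token buys one new TCP connection.
    Times and tokens are Fractions so the refill arithmetic is exact."""
    burst: Fraction
    rate: Fraction
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False)

    def __post_init__(self):
        self.burst = Fraction(self.burst)
        self.rate = Fraction(self.rate)
        self.tokens = self.burst      # a freshly seen source starts with a full bucket
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        """Admit the connection attempt at time `now` (seconds, non-decreasing)
        if a whole token is available, spending it; otherwise refuse."""
        now = Fraction(now)
        # refill in proportion to elapsed time, never above the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ConnectionLimiter:
    """One bucket per source address, created the first time that source
    tries to connect. A source that moves to a new address gets a new
    bucket, but that bucket is bounded in exactly the same way."""

    def __init__(self, burst, rate):
        self.burst, self.rate = burst, rate
        self.buckets = {}

    def admit(self, src_ip: str, now) -> bool:
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.burst, self.rate))
        return bucket.allow(now)


def admitted_from_source(burst, rate, attempts_per_sec, duration):
    """Connections one source gets through when it tries `attempts_per_sec`
    evenly spaced new connections per second for `duration` seconds
    (500/s mirrors the packet rate in question 1)."""
    limiter = ConnectionLimiter(burst, rate)
    n = int(attempts_per_sec * duration)
    # constructed source address (documentation range)
    return sum(limiter.admit("198.51.100.7", Fraction(i) / Fraction(attempts_per_sec))
               for i in range(n))


def legit_browser_burst(burst, rate, connections=4):
    """How many of a browser's simultaneous connections (old browsers opened
    4 at once) are admitted when they all arrive at the same instant."""
    limiter = ConnectionLimiter(burst, rate)
    # constructed client address (documentation range)
    return sum(limiter.admit("192.0.2.10", 0) for _ in range(connections))


if __name__ == "__main__":
    BURST, RATE = 8, 1   # assumed settings for illustration only
    for secs in (1, 10, 60):
        got = admitted_from_source(BURST, RATE, 500, secs)
        print(f"{secs:>3} s: a 500/s source gets {got} connections through")
    print("4-connection browser, all at once:",
          legit_browser_burst(BURST, RATE, 4), "admitted")
```

With these assumed settings a source gets through burst + rate * elapsed whole tokens (8, 17 and 67 connections in 1 s, 10 s and 60 s), which is the calculation part (c) asks for with whatever parameters you pick; `legit_browser_burst(2, 1, 4)` shows the cost of setting the burst below what old 4-connection browsers open, since only 2 of their 4 connections are admitted.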
LAN 1 uses a NAT to connect to the Internet and includes a client host H1. LAN 2 includes a web server H2. Packets between the two LANs are routed through the tunnel between two routers as shown in the figure. The various interfaces of the routers and hosts have the IP and MAC addresses shown in the figure.

[Figure: network topology with LAN 1 (H1 and the NAT), a tunnel between routers across the WAN, and LAN 2 (H2). The layout is not recoverable from the extracted text; the interface labels it carries are 10.1.3.5 (MAC 2), 10.1.2.3, 12.2.7.1 (MAC 7), 12.2.7.3 (MAC 8), 12.2.7.99 (MAC 3), 12.2.7.56 (MAC 4), 12.2.7.13 (MAC 5), 12.2.7.34 (MAC 6), 125.3.8.9 (MAC 9), 125.3.8.5 (MAC 10), 125.3.8.39 (MAC 11) and 125.3.8.8 (MAC 12), with H1 labelled MAC 1.]

Host H1 has established an HTTP session with web server H2 and data packets are flowing between the two machines. You