Assignment 10 Solutions
Some routers have static routing tables, typically forwarding all difficult routing problems to other routers they have been configured to use. Many routers are more dynamic, communicating with other routers to learn about changes in the network. The Internet is so big that links and machines, including routers, are constantly being added and subtracted. Without dynamic routing tables, this would never work.
Most routers can not only forward messages but also apply rewrite rules to addresses. Such a rule might read "if you see a message addressed to X, send it to Y instead." Such a router allows the addressing scheme used in some local subnet to be different from the addressing scheme used elsewhere.
a) Suppose an attacker was able to hack into the router connecting your local subnet to the rest of the Internet. The only thing the hacker can do is change the routing table. Your router has a static routing table with no rewrite rules. What damage could the hacker do? (0.5 points)
The attacker could misroute messages, so outgoing messages intended for some other machine get routed, for example, to the attacker's machine. The attacker could also block incoming messages from some sources by routing them elsewhere. Even if the data is securely encrypted, the attacker's ability to route messages to his own machine allows traffic analysis and rewriting at the attacker's machine, so saying that the hacked router could not do rewriting on message addresses is misleading.
b) How could you, a user of the local subnet, detect the damage discussed in part a? (0.5 points)
If the normal message delivery time is known, timing can be a give-away. Routing messages through the attacker's machine should delay the average message transit time.
Another tool to try would be routine test messages sent from various routine correspondents. If these are not delivered or if they are corrupted, the presence of an attacker can be inferred.
c) Now suppose the router that the hacker attacks is one that other routers consult to dynamically update their routing tables. Does this change the nature of the attacks or just the scale of their effects? (0.5 points)
If a message passes through multiple routers and only one of them is dishonest, the other routers will limit the damage. The corrupt router may try to deliver the message to the attacker's machine, but other routers will direct it back on routes to the intended machines. In contrast, if the attacker can hack into routing information that is spread to other routers, the attacker can prevent other routers from repairing the damage.
a) What kinds of attacks could test ballots detect? (0.5 points)
This could detect if an attacker had managed to impersonate one of the electronic ballot boxes, so that ballots were delivered to the attacker's machine instead of the real ballot box. In this case, the test ballots would not be found in the ballot box.
It also, somewhat trivially, detects denial of service attacks, because the user attempting to cast a test ballot would notice that the web page for the voting system does not load.
b) In the 2006 Dutch Parliamentary elections, all of the test ballots were cast from the same PC in the offices used by the election administration. What vulnerability results from this? (0.5 points)
If a router on the gateway between a foreign country and the Netherlands was misrouting or blocking voting transactions, the test ballots would never detect this because they only pass through the network within the Netherlands.
c) For maximum effectiveness, how should the test ballots have been cast? (0.5 points)
It would have been better if test ballots had been cast from around the world using local public Internet connections. Embassy employees could have done something like this.
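The detection ideas in the two answers above (timing deviations, routine test messages that arrive late, corrupted or not at all, and test ballots cast from many vantage points) can be combined into one canary check. The following is an added example, not part of the original solutions; the origins, nonces, payloads and transit times are constructed sample data, and the mean-plus-three-standard-deviations threshold is an assumed policy.

```python
from dataclasses import dataclass
from hashlib import sha256
from statistics import mean, stdev
from typing import Optional

@dataclass
class Probe:
    origin: str                   # vantage point the canary was sent from
    nonce: str                    # unique id so each canary can be matched on receipt
    sent_digest: bytes            # sha256 of the payload recorded by the sender
    received_payload: Optional[bytes]  # None if the canary never arrived
    transit_ms: Optional[float]   # measured delivery time, None if it never arrived

def baseline_threshold(samples_ms, k=3.0):
    """Upper bound on 'normal' transit time: mean + k standard deviations."""
    return mean(samples_ms) + k * stdev(samples_ms)

def classify(probe, threshold_ms):
    """Verdict for one canary: missing, corrupted, delayed or ok."""
    if probe.received_payload is None:
        return "missing"
    if sha256(probe.received_payload).digest() != probe.sent_digest:
        return "corrupted"
    if probe.transit_ms > threshold_ms:
        return "delayed"
    return "ok"

def suspicious_origins(probes, threshold_ms):
    """Group verdicts by origin so a bad path from one vantage point stands out."""
    report = {}
    for p in probes:
        report.setdefault(p.origin, []).append(classify(p, threshold_ms))
    return {o: v for o, v in report.items() if any(x != "ok" for x in v)}

def make_probe(origin, nonce, payload, received, transit_ms):
    return Probe(origin, nonce, sha256(payload).digest(), received, transit_ms)

# Constructed baseline of earlier, known-good transit times (milliseconds).
BASELINE_MS = [40.0, 42.0, 38.0, 41.0, 39.0, 43.0]

# Constructed canaries sent from several vantage points.
SAMPLE_PROBES = [
    make_probe("iowa-city", "n1", b"canary-1", b"canary-1", 41.0),   # ok
    make_probe("iowa-city", "n2", b"canary-2", b"canary-2", 90.0),   # delayed
    make_probe("embassy-berlin", "n3", b"canary-3", None, None),     # missing
    make_probe("embassy-tokyo", "n4", b"canary-4", b"tampered", 44.0),  # corrupted
    make_probe("embassy-tokyo", "n5", b"canary-5", b"canary-5", 43.0),  # ok
    make_probe("embassy-ottawa", "n6", b"canary-6", b"canary-6", 40.0), # ok
]

if __name__ == "__main__":
    print(suspicious_origins(SAMPLE_PROBES, baseline_threshold(BASELINE_MS)))
```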
It has been argued that such a firewall is unnecessary, as network services you don't want to offer to the world should simply be disabled. Nowadays, many systems come, out of the box, with all these services enabled, and it is easier to block them with a firewall than it is to properly disable the services you don't want to offer.
Note that the "network stack" was presented as if all messages had to be pushed down to the physical layer for transport from sender to receiver. This is not really true. The exception occurs when the sender and receiver are on the same machine. In this case, the transport layer is likely to complete the message delivery without using any services from lower level layers. In the X-windows system (the public-domain window manager used by Linux), the window manager is a separate process, and all communication from application to window manager is done using the TCP/IP protocol stack. This allows use of remote window applications to be as efficient or even more efficient than local windows. Opening a window is done by making a network connection to the window manager. Drawing on a window involves using that connection, and closing a window involves breaking the network connection.
a) Suppose you were running Linux with the X window manager. What security threat is posed by running on a machine with no local firewall? (0.5 points)
Someone on a remote machine could open a window on your display.
b) Give other examples of local applications where the easy way to support them involves use of network protocols. (Hint: Consider any application that is useful over the network but where it might also be useful between local processes or between local users, even on a machine with just one keyboard and display.) (0.5 points)
Local e-mail would be useful on a shared machine such as a home computer. If the application you are running was developed so that it could run on a multicomputer using the IP protocol stack, it might be that the application itself also uses the IP protocol stack for internal communication even when it is running on a uniprocessor.
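A practical way to see which such local services would be reachable from other machines when no firewall is present is to list listening TCP sockets and flag those bound to a wildcard address rather than loopback. The following is an added example, not part of the original solutions; it parses constructed lines in the general shape of `ss -ltn` output, and the port numbers and addresses shown are sample data.

```python
WILDCARDS = {"0.0.0.0", "[::]", "*"}

def split_addr(field):
    """Split 'addr:port' into (addr, port); handles bracketed IPv6 like '[::]:22'."""
    addr, port = field.rsplit(":", 1)
    return addr, int(port)

def parse_listeners(ss_output):
    """Yield (local_addr, port) for each LISTEN line; the header line is skipped."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        yield split_addr(parts[3])

def exposed_ports(ss_output):
    """Ports whose socket is bound to every interface, i.e. reachable remotely
    unless a host firewall blocks them (loopback-only binds are not listed)."""
    return sorted(port for addr, port in parse_listeners(ss_output) if addr in WILDCARDS)

def loopback_only_ports(ss_output):
    return sorted(port for addr, port in parse_listeners(ss_output) if addr not in WILDCARDS)

# Constructed sample resembling `ss -ltn`: an X server on TCP 6000 bound to all
# interfaces (exactly the case in part a), sshd on IPv6 wildcard, and a local
# print spooler bound only to loopback.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      4096   [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""

if __name__ == "__main__":
    print("reachable from remote hosts without a firewall:", exposed_ports(SAMPLE_SS_OUTPUT))
    print("loopback only:", loopback_only_ports(SAMPLE_SS_OUTPUT))
```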
Assume you are involved in the design of a new data center in the Iowa City area.
a) What threats would you treat as serious predictable risks, and what defensive measures would you take to deal with those risks? (0.5 points)
Floods are possible, so I would look at the flood hazard maps and build with a safety margin outside the floodplain and above the flood level. Tornadoes are possible, so I would locate servers away from windows and exterior walls. Power failures and lightning strikes are possible, so I would use an uninterruptible power supply and appropriate surge protectors. The risk of evacuation is predictable even when the cause of that evacuation is unpredictable, so I would plan on having off-site backups, "go packs" and a recovery plan in place in case an evacuation is ever required.
b) What defensive measures would you recommend as generally useful for a broad range of unpredictable disasters? For each, give examples of unpredictable disasters where they might prove useful. Some of your defenses may be listed in both a) and b). (0.5 points)
Off-site backups, "go packs" and a recovery plan are generally applicable to a broad range of unanticipated events.