CS 176A -- Introduction to Computer Communication Networks
Homework Assignment #4

NOTE: all questions were worth 9 points except question 4, which was worth 10 points.

  1. Suppose I decide to configure my router to filter all ICMP traffic since ICMP messages can pose a security threat. What would be a negative consequence of this decision? [HINT: http://www.networkmagazine.com/article/NMG20000829S0003 might help some people answer this question.]

    ICMP is used to report errors.  For example, if a packet could not be delivered to its destination, a DESTINATION UNREACHABLE message may be sent to the sender.  If ICMP traffic is filtered, such errors may go unreported.  This situation is particularly problematic if the error could be easily fixed.  For example, a DESTINATION UNREACHABLE message may indicate that an intermediate "small-packet network" is preventing a large packet from being delivered.  The source could potentially fix the problem by breaking down the packet.  However, if the DESTINATION UNREACHABLE message is never sent, the source may not be able to determine the error and hence may not be able to fix the problem.
    Essentially, anything that depends on ICMP will cease to work.  This includes path MTU discovery, traceroute and ping.

  2. A reason for using a dynamic approach to address resolution is that a static approach can be error-prone and time consuming. What would be a benefit to using a static approach?

    If a network were small, and relatively static itself, using a static approach might be more efficient. A dynamic approach incurs an overhead because it requires that periodic messages be sent to maintain the ARP cache. A static approach does not incur that overhead. Finally, a static approach also precludes the spoofing attacks that ARP is susceptible to, and a static approach ought to be faster.

  3. The state stored in the ARP cache periodically times out. Discuss one benefit and one drawback to having a short timeout value.

    The shorter the timeout value, the more overhead incurred. When the cache state times out, another ARP request has to be sent to resolve the given address. On the other hand, the timeout value should be short enough to account for hardware changes across the network. For example, if the Ethernet board on a particular computer is replaced, a new mapping needs to be entered into the cache.

  4. Suppose that the TCP congestion window is set to 18 KB and a timeout occurs. How big will the window be if the next four transmission bursts are all successful? Assume that the maximum segment size is 1 KB.

    Here's the relevant information from RFC 2001:

    "If cwnd is less than or equal to ssthresh, TCP is in slow start; otherwise TCP is performing congestion avoidance. Slow start continues until TCP is halfway to where it was when congestion occurred (since it recorded half of the window size that caused the problem in step 2), and then congestion avoidance takes over. Slow start has cwnd begin at one segment, and be incremented by one segment every time an ACK is received. As mentioned earlier, this opens the window exponentially: send one segment, then two, then four, and so on. Congestion avoidance dictates that cwnd be incremented by segsize*segsize/cwnd each time an ACK is received, where segsize is the segment size and cwnd is maintained in bytes. This is a linear growth of cwnd, compared to slow start's exponential growth."

    So we start this scenario with the slow-start threshold (ssthresh) set to 18KB/2 = 9KB and the congestion window (cwnd) set to 1KB due to the timeout. Then we do the following for each ACK we receive:

    if (cwnd <= ssthresh)
        cwnd += MSS;                  /* slow start: MSS = 1 KB = 1024 bytes */
    else
        cwnd += (MSS * MSS) / cwnd;   /* congestion avoidance; integer division, bytes */

    Using this we get the following:
    After 1st successful burst of 1 segment
    cwnd = 1KB + 1KB = 2KB
    After 2nd successful burst of 2 segments
    cwnd = 2KB + 2KB = 4KB
    After 3rd successful burst of 4 segments
    cwnd = 4KB + 4KB = 8KB
    After 4th successful burst of 8 segments, things get interesting
    ACK 1: (cwnd <= ssthresh) so cwnd = 8KB + 1KB = 9KB
    ACK 2: (cwnd <= ssthresh) so cwnd = 9KB + 1KB = 10KB
    ACK 3: (cwnd > ssthresh) so cwnd = 10240B + (1024B*1024B)/10240B = 10342B
    ACK 4: (cwnd > ssthresh) so cwnd = 10342B + (1024B*1024B)/10342B = 10443B
    ACK 5: (cwnd > ssthresh) so cwnd = 10443B + (1024B*1024B)/10443B = 10543B
    ACK 6: (cwnd > ssthresh) so cwnd = 10543B + (1024B*1024B)/10543B = 10642B
    ACK 7: (cwnd > ssthresh) so cwnd = 10642B + (1024B*1024B)/10642B = 10740B
    ACK 8: (cwnd > ssthresh) so cwnd = 10740B + (1024B*1024B)/10740B = 10837B
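    The same computation as a small simulation, added here as an example (it is not part of the original answer key). It applies the RFC 2001 per-ACK rule from the answer above with integer byte arithmetic, so it reproduces the truncated values listed for the fourth burst, and it generalizes to any window size at timeout and any number of bursts.

```python
"""Added example: TCP slow start and congestion avoidance after a timeout,
following the RFC 2001 rules quoted in answer 4.  All arithmetic is integer
(bytes), which matches the truncated per-ACK values in the answer."""

MSS = 1024  # maximum segment size, 1 KB as the question assumes


def ack_update(cwnd, ssthresh, mss=MSS):
    """Apply the per-ACK rule: slow start at or below ssthresh, else congestion avoidance."""
    if cwnd <= ssthresh:
        return cwnd + mss                     # exponential growth: +1 segment per ACK
    return cwnd + (mss * mss) // cwnd         # linear growth: about +1 segment per RTT


def ack_trace(cwnd, ssthresh, acks, mss=MSS):
    """Return cwnd after each of `acks` successive ACKs (the per-ACK list in answer 4)."""
    trace = []
    for _ in range(acks):
        cwnd = ack_update(cwnd, ssthresh, mss)
        trace.append(cwnd)
    return trace


def window_after_timeout(cwnd_at_timeout, bursts, mss=MSS):
    """Simulate `bursts` successful transmission bursts following a timeout.

    On timeout, ssthresh becomes half the window in use and cwnd restarts at
    one segment.  Each burst sends a full window (cwnd // mss segments) and
    every segment is ACKed, so the per-ACK rule fires once per segment.
    Returns (final cwnd in bytes, cwnd after each burst).
    """
    ssthresh = cwnd_at_timeout // 2
    cwnd = mss
    per_burst = []
    for _ in range(bursts):
        segments = cwnd // mss                # one full window per burst
        cwnd = ack_trace(cwnd, ssthresh, segments, mss)[-1]
        per_burst.append(cwnd)
    return cwnd, per_burst


if __name__ == "__main__":
    final, history = window_after_timeout(18 * 1024, 4)
    print("cwnd after each burst:", history)   # [2048, 4096, 8192, 10837]
    print("final cwnd in bytes:", final)       # 10837
```

    Running it with the question's numbers (18 KB at timeout, four bursts) gives 2048, 4096, 8192 and 10837 bytes after the successive bursts, the last one being the 10.58 KB (rounded in the answer's units) reached after the eighth ACK of the fourth burst.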

  5. To get around the problem of sequence numbers wrapping around while old packets still exist, one could use 64-bit sequence numbers. However, theoretically, an optical fiber can run at 75 Tbps (what is Tbps?). What maximum packet lifetime is required to make sure that future 75 Tbps networks do not have wraparound problems even with 64-bit sequence numbers? Assume that each byte has its own sequence number as TCP does.

    The sequence number (using 64 bits) will wrap around after (2^64 bytes * 8 bits/byte) / (75 * 10^12 bit/sec) = 1.97 * 10^6 sec = 1970000 sec ~ 22.7 days, so the maximum segment lifetime must be limited to under 22 days. For kicks, I computed that the sequence number would wrap around in 0.00046 sec using 32-bit sequence numbers.

  6. Why does UDP exist? Would it not have been enough to just let user processes send raw IP packets?

    UDP exists to allow you to send IP-encapsulated data without the connection overhead of TCP. The advantage of UDP over simply sending raw IP packets is that UDP gives you the capability to multiplex/demultiplex on different source/destination ports.

  7. Unlike TCP, UDP does not perform congestion control. What are some of the potential effects of this fact? Discuss at least one positive and one negative effect.

    An application using UDP may hog a lot of the bandwidth, causing other applications to be very slow. Also, if a UDP application causes congestion, packets may be lost and cause a degradation in quality for the UDP-based application. On the other hand, the UDP protocol is simpler. It does not incur the overhead of implementing congestion control. Moreover, if congestion is transient, once the congestion resolves UDP will return to its previous level of service (send rate) immediately. In contrast, it may take time for a protocol such as TCP to build back up to the prior send rate. In addition, UDP traffic may starve TCP traffic, as UDP will not react to the congestion whereas TCP will cut back its traffic in response to the congestion.

  8. Suppose that I notice that a large number of connection requests are being sent to 128.111.52.32 port 1214. What might be happening (i.e., what application uses port 1214)?

    That machine is running KaZaa (or some other P2P variant like Morpheus that uses the same port). Other KaZaa peers are sending search or download requests to the given machine.

  9. Explain how a SYN flooding attack works. [HINT: http://www.alco.dk/virus/190996.htm might help some people answer this question.]

    The goal of a SYN flooding attack is to overwhelm a machine that provides a TCP-based service such that it cannot provide service during the attack. The attack works by creating a large number of "half-open" connections at the victim server. The attacker sends a flood of TCP SYN messages. When the victim receives a SYN message, it returns a SYN-ACK message, and establishes some state associated with the connection. Though the victim expects to receive an ACK message to fully establish the connection, no ACK is ever sent by the attacker. Therefore, the data structure storing the connection state fills and the victim cannot accept any additional incoming connections (from potentially valid clients). Even though the half-open connection state eventually times out, the attacker can prevent service by sending SYN messages faster than the state times out.
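    From the server's side, the symptom described above is a backlog of half-open connections that stays full. The following added example (not part of the original answer key) counts SYN_RECV entries per listening socket in netstat-style output and flags sockets whose half-open count is at or above a threshold. The connection table is constructed for the example: the local address is the one from question 8, the remote addresses are from documentation ranges, and the threshold is an assumed tunable.

```python
"""Added example: spotting a pile-up of half-open (SYN_RECV) connections on one
listening socket in netstat-style output.  The table below is constructed."""
from collections import defaultdict

# Constructed snapshot in the layout of `netstat -ant` (Proto, Recv-Q, Send-Q,
# Local Address, Foreign Address, State).  Remote hosts are from the
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
CONSTRUCTED_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 128.111.52.32:80        198.51.100.7:40001      SYN_RECV
tcp        0      0 128.111.52.32:80        198.51.100.8:40002      SYN_RECV
tcp        0      0 128.111.52.32:80        198.51.100.9:40003      SYN_RECV
tcp        0      0 128.111.52.32:80        203.0.113.10:40004      SYN_RECV
tcp        0      0 128.111.52.32:80        203.0.113.11:40005      SYN_RECV
tcp        0      0 128.111.52.32:80        203.0.113.12:40006      SYN_RECV
tcp        0      0 128.111.52.32:80        203.0.113.12:40007      SYN_RECV
tcp        0      0 128.111.52.32:80        192.0.2.44:51234        ESTABLISHED
tcp        0      0 128.111.52.32:22        192.0.2.45:51235        SYN_RECV
tcp        0      0 128.111.52.32:22        192.0.2.46:51236        ESTABLISHED
"""


def half_open_by_socket(netstat_text):
    """Return {local socket: (half-open count, distinct remote hosts)} for SYN_RECV rows."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue                                  # header or non-TCP row
        local, remote, state = parts[3], parts[4], parts[5]
        if state != "SYN_RECV":
            continue                                  # only half-open connections count
        counts[local] += 1
        sources[local].add(remote.rsplit(":", 1)[0])  # strip the remote port
    return {sock: (counts[sock], len(sources[sock])) for sock in counts}


def suspected_syn_flood(netstat_text, threshold=5):
    """Sockets whose half-open backlog is at or above `threshold` (assumed tunable)."""
    stats = half_open_by_socket(netstat_text)
    return sorted(sock for sock, (count, _) in stats.items() if count >= threshold)


if __name__ == "__main__":
    for sock, (count, hosts) in sorted(half_open_by_socket(CONSTRUCTED_NETSTAT).items()):
        print(f"{sock}: {count} half-open from {hosts} remote hosts")
    print("suspected:", suspected_syn_flood(CONSTRUCTED_NETSTAT))   # ['128.111.52.32:80']
```

    A single snapshot cannot separate a burst of legitimate clients from an attack; the signal that matches the answer's description is the half-open count on one socket staying at the backlog limit across repeated snapshots, because new SYNs keep arriving faster than the old entries time out.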

  10. DNS uses UDP instead of TCP. If a DNS packet is lost, there is no automatic recovery. How is this problem handled?

    If a DNS packet using UDP is lost, this problem must be handled at the application layer. If an answer is not received after some period of time, the specific application may choose to resend the DNS query. For instance, the Linux DNS utility "host" by default will send a DNS query only once, but using the "-R " option will make it requery up to times if necessary. Other applications, such as web browsers like Mozilla and IE, may differ in timeout values for DNS queries as well as in how many times they will resend DNS queries before giving up.

    The DNS RFC (1035) also says this:

    "The optimal UDP retransmission policy will vary with performance of the Internet and the needs of the client, but the following are recommended:
    - The client should try other servers and server addresses before repeating a query to a specific address of a server.
    - The retransmission interval should be based on prior statistics if possible. Too aggressive retransmission can easily slow responses for the community at large. Depending on how well connected the client is to its expected servers, the minimum retransmission interval should be 2-5 seconds."

    and this:

    "The key algorithm uses the state information of the request to select the next name server address to query, and also computes a timeout which will cause the next action should a response not arrive. The next action will usually be a transmission to some other server, but may be a temporary error to the client."

  11. Can a machine with a single DNS name have multiple IP addresses? How could this occur? Consider a hypothetical situation where it does happen, when a lookup occurs, what is the result?

    Yes, a machine with a single DNS name can have multiple IP addresses. This question specifically asks about "a" machine. One machine can have multiple IP addresses if it has multiple network interfaces.

    So if a single DNS name points to multiple IP addresses, either there are truly multiple machines or there is one machine with multiple network interfaces. For example:

    [unj@fats unj]$ host aol.com
    aol.com has address 205.188.160.121
    aol.com has address 205.188.145.215
    aol.com has address 64.12.187.25
    aol.com has address 64.12.149.24

    DNS doesn't know and can't actually distinguish between whether the multiple IP addresses are for different machines or not.

    Having this one-name-to-multiple-IP-addresses mapping can occur for many different reasons, but it is commonly done as a way to perform load balancing for DNS names that correspond to high-traffic servers. There are other ways to perform load balancing, but in this case successive DNS lookups would return different IP addresses.