
Application Layer

Uploaded by

Md.Tanvir Hasan
P1. True or false?


a. A user requests a Web page that consists of some text and three images. For this page, the
client will send one request message and receive four response messages.
Answer: True
b. Two distinct Web pages (for example, www.mit.edu/research.html and
www.mit.edu/students.html) can be sent over the same persistent connection.
Answer: True
c. With nonpersistent connections between browser and origin server, it is possible for a single
TCP segment to carry two distinct HTTP request messages.
Answer: False
Correct Answer: With nonpersistent connections, a new TCP connection is established for each
request.
d. The Date: header in the HTTP response message indicates when the object in the response
was last modified.
Answer: False
Correct Answer: The Date: header indicates the time when the response was generated.
e. HTTP response messages never have an empty message body.
Answer: False
Correct Answer: HTTP response messages can have an empty message body.
P2. SMS, iMessage, Wechat, and WhatsApp are all smartphone real-time messaging systems. After
doing some research on the Internet, for each of these systems write one paragraph about the
protocols they use. Then write a paragraph explaining how they differ.
Answer: SMS (Short Message Service) is a cellular protocol for text messaging, which was
developed as part of the GSM standards. SMS messages are limited to 160 characters and are sent
over cellular networks using SS7 signaling. It is one of the most widely used messaging protocols,
especially for simple text communication without the need for an internet connection.
iMessage, used on Apple devices, is an internet-based messaging service that leverages APNs
(Apple Push Notification Service) to deliver messages over TCP/IP. It uses end-to-end encryption to
secure messages, offering multimedia capabilities and syncing across Apple devices.
WeChat, popular in China, uses XMPP (Extensible Messaging and Presence Protocol), a flexible and
open XML-based protocol ideal for real-time communication. It also employs WebSocket and other
proprietary protocols for features like voice messaging and payment services.
WhatsApp also uses XMPP but has its own customization for secure real-time messaging. In
addition to chat, it offers VoIP and video calls, with end-to-end encryption for all communication
between users.
Key Differences:
- SMS relies on cellular networks, while the others primarily use internet-based protocols.
- iMessage is exclusive to Apple devices, while WeChat and WhatsApp are cross-platform.
- Both WeChat and WhatsApp use XMPP, but WhatsApp has more focus on global reach, whereas
WeChat integrates deeply into China's digital economy with additional services like payments.
P3. Consider an HTTP client that wants to retrieve a Web document at a given
URL. The IP address of the HTTP server is initially unknown. What transport
and application-layer protocols besides HTTP are needed in this scenario?
Answer: To retrieve a web document when the IP address of the HTTP server is unknown, the
following transport and application-layer protocols are required in addition to HTTP:
1. DNS (Domain Name System) – Application Layer:
DNS is necessary to resolve the domain name (e.g., www.example.com) into the corresponding IP
address. The client sends a DNS query to a DNS server to obtain the IP address of the web server
hosting the requested document.
2. TCP (Transmission Control Protocol) – Transport Layer:
Once the IP address is known, HTTP requires a reliable connection, which is provided by TCP. The
client initiates a TCP connection (using a three-way handshake) with the server at the resolved IP
address to ensure reliable transmission of the web document.
Thus, DNS resolves the domain name to an IP, and TCP facilitates the reliable transfer of HTTP
requests and responses between the client and server.
P4. Consider the following string of ASCII characters that were captured by Wireshark when the
browser sent an HTTP GET message (i.e., this is the actual content of an HTTP GET message). The
characters <cr><lf> are carriage return and line-feed characters (that is, the italicized character string
<cr> in the text below represents the single carriage-return character that was contained at that
point in the HTTP header). Answer the following questions, indicating where in the HTTP GET
message below you find the answer.
GET /cs453/index.html HTTP/1.1<cr><lf>Host: gaia.cs.umass.edu<cr><lf>User-Agent: Mozilla/5.0
(Windows;U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
<cr><lf>Accept:ext/xml, application/xml, application/xhtml+xml, text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5 <cr><lf>Accept-Language: en-us,en;q=0.5<cr><lf>Accept-
Encoding: zip,deflate<cr><lf>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7<cr><lf>Keep-Alive:
300<cr> <lf>Connection:keep-alive<cr><lf><cr><lf> (Previous-2019-2020)
a. What is the URL of the document requested by the browser?
Answer: The URL consists of the host and the requested path. From the HTTP GET message:
Host: gaia.cs.umass.edu
Resource requested: /cs453/index.html
So, the full URL is:
http://gaia.cs.umass.edu/cs453/index.html

b. What version of HTTP is the browser running?


Answer: The HTTP version is found in the request line:
GET /cs453/index.html HTTP/1.1<cr><lf>
The browser is using HTTP/1.1
c. Does the browser request a non-persistent or a persistent connection?
Answer: This can be determined by looking at the Connection header:
Connection: keep-alive<cr><lf>
Since the Connection: keep-alive header is present, the browser is requesting a persistent
connection. With a persistent connection, the connection remains open for multiple
requests/responses rather than closing after a single exchange.
d. What is the IP address of the host on which the browser is running?
Answer: The IP address of the host on which the browser is running is not provided in the HTTP GET
request itself. HTTP headers do not contain the IP address of the client (browser). The IP
address would typically be found in the transport layer (TCP/IP) information, which would be
captured by Wireshark separately in the packet metadata, not within the HTTP request
headers.
e. What type of browser initiates this message? Why is the browser type needed in an HTTP
request message?
Answer: The type of browser is indicated by the User-Agent header:
User-Agent: Mozilla/5.0 (Windows;U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804
Netscape/7.2 (ax)<cr><lf>
The browser is Netscape/7.2 running on Windows NT 5.1 (Windows XP) with the Gecko
rendering engine.

The browser type is needed in an HTTP request message because:


1. Content Optimization:
Websites may serve different versions of content depending on the browser or platform
(e.g., optimized layout for mobile vs desktop).
2. Compatibility:
Some features or scripts may be tailored to specific browsers or versions, so knowing
the browser type helps ensure compatibility.
3. Analytics:
Websites may track browser types to gather usage statistics and optimize future designs
based on browser popularity.
4. Bug Handling:
Some websites may adjust their behavior based on known bugs or limitations of certain
browser versions.
P5. The text below shows the reply sent from the server in response to the HTTP
GET message in the question above. Answer the following questions, indicating
where in the message below you find the answer.
HTTP/1.1 200 OK<cr><lf>Date: Tue, 07 Mar 2008
12:39:45GMT<cr><lf>Server: Apache/2.0.52 (Fedora)
<cr><lf>Last-Modified: Sat, 10 Dec2005 18:27:46
GMT<cr><lf>ETag:”526c3-f22-a88a4c80”<cr><lf>Accept-
Ranges:bytes<cr><lf>Content-Length:3874<cr><lf>
Keep-Alive:timeout=max=100<cr><lf>Connection:
Keep-Alive<cr><lf>Content-Type: text/html; charset=
ISO-8859-1<cr><lf><cr><lf><!doctype html public ”-
//w3c//dtd html 4.0transitional//en”><lf><html><lf>
<head><lf> <meta http-equiv=”Content-Type”
content=”text/html; charset=iso-8859-1”><lf> <meta
name=”GENERATOR” content=”Mozilla/4.79 [en] (Windows NT
5.0; U) Netscape]”><lf> <title>CMPSCI 453 / 591 /
NTU-ST550ASpring 2005 homepage</title><lf></head><lf>
<much more document text following here (not shown)>
a. Was the server able to successfully find the document or not? What time was the document
reply provided?
Answer: The status line provides the server’s response:
HTTP/1.1 200 OK<cr><lf>
The 200 OK status code indicates that the server was able to successfully find the document.
The time of the reply is given in the Date header:
Date: Tue, 07 Mar 2008 12:39:45 GMT<cr><lf>
The document reply was provided on Tuesday, March 7, 2008 at 12:39:45 GMT
b. When was the document last modified?
Answer: The Last-Modified header provides the date and time the document was last modified:
Last-Modified: Sat, 10 Dec 2005 18:27:46 GMT<cr><lf>
The document was last modified on Saturday, December 10, 2005 at 18:27:46 GMT
c. How many bytes are there in the document being returned?
Answer: The Content-Length header indicates the size of the document:
Content-Length: 3874<cr><lf>
The document is 3874 bytes long.
d. What are the first 5 bytes of the document being returned? Did the server agree to a persistent
connection?
Answer: The first 5 bytes of the document are part of the HTML document returned, starting after
the headers. In the response:
<!doctype html public “-//w3c//dtd html 4.0 transitional//en”>
The first 5 bytes of the document are:
<!doc
Regarding the connection type, we can check the connection header:
Connection: Keep-Alive<cr><lf>
The server agreed to a persistent connection, as indicated by the Keep-Alive header.
Additionally, the Keep-Alive header provides more details about how long the connection will stay
alive:
Keep-Alive: timeout=max=100<cr><lf>
This means the connection will be kept alive with a maximum timeout of 100 seconds.
P6. Obtain the HTTP/1.1 specification (RFC 2616). Answer the following questions:
a. Explain the mechanism used for signaling between the client and server to indicate that a
persistent connection is being closed. Can the client, the server, or both signal the close of a
connection?
Answer: In HTTP/1.1, either the client or server can signal the closure of a persistent connection
by including the header Connection: close in their message. This informs the other party that the
connection will not be reused after the response.
b. What encryption services are provided by HTTP?
Answer: Encryption Services: HTTP itself does not provide encryption. Instead, encryption is
handled by HTTPS, which uses SSL/TLS to secure the communication between client and server.
c. Can a client open three or more simultaneous connections with a given server?
Answer: Yes, a client can open multiple simultaneous connections with a server, typically up to two
or more depending on browser settings.
d. Either a server or a client may close a transport connection between them if either one detects
the connection has been idle for some time. Is it possible that one side starts closing a connection
while the other side is transmitting data via this connection? Explain.
Answer: Connection Closing During Transmission: It is possible for one side to start closing the
connection while the other is still transmitting data. If a side detects the connection has been idle,
it may initiate closure, possibly leading to data loss if not properly managed.
P7. Suppose within your Web browser you click on a link to obtain a Web page. The IP address for
the associated URL is not cached in your local host, so a DNS lookup is necessary to obtain the IP
address. Suppose that n DNS servers are visited before your host receives the IP address from DNS;
the successive visits incur an RTT of RTT1, . . . , RTTn. Further suppose that the Web page associated
with the link contains exactly one object, consisting of a small amount of HTML text. Let RTT0
denote the RTT between the local host and the server containing the object. Assuming zero
transmission time of the object, how much time elapses from when the client clicks on the link
until the client receives the object?
Answer: To calculate the total time that elapses from when the client clicks on the link until
receiving the object:
1. DNS Lookup Time: The DNS lookup involves querying multiple DNS servers (n servers). Each DNS
query takes a round-trip time (RTT), so the total time for DNS resolution is the sum of all RTTs from
RTT1 to RTTn. This time is:
RTT(DNS)= RTT1 + RTT2 + ... + RTTn
2. Object Retrieval Time: After the DNS lookup is complete, the client establishes a connection with
the server containing the object. The round-trip time to the server is denoted as RTT0. Since there
is only one object, and the transmission time is considered negligible, the time to retrieve the
object is essentially the RTT0.
3. Total Time Elapsed: The total time from clicking the link to receiving the object is the sum of the
DNS lookup time and the time to retrieve the object:
Total Time = RTT1 + RTT2 + ... + RTTn + RTT0
P8. Referring to Problem P7, suppose the HTML file references eight very small objects on the
same server. Neglecting transmission times, how much time elapses with
a. Non-persistent HTTP with no parallel TCP connections?
Answer:
To calculate the time for retrieving an HTML file and eight small objects with different HTTP
methods, assuming negligible transmission times:
In non-persistent HTTP, a new TCP connection is opened for each object. This requires a full
round-trip time (RTT) for each connection setup, as well as an additional RTT to request
and receive each object. Since there are 9 objects (1 HTML file + 8 small objects), and the
connections are handled sequentially:
• DNS Lookup: RTT1 + RTT2+...+ RTTn
• HTML Request/Response: RTT0 (one RTT for requesting and receiving the HTML
file)
• 8 Objects: Each object requires two RTTs—one for connection setup and one for the
request/response.
Thus, the total time is:
Total Time = RTT1 + RTT2+...+ RTTn + 9 × RTT0
(1 RTT for the HTML and 2 RTTs for each of the 8 objects).

b. Non-persistent HTTP with the browser configured for 6 parallel connections?


Answer: In this case, the browser can open up to 6 parallel TCP connections at a time. The
HTML file requires one RTT0 to retrieve, and the 8 small objects are divided into two rounds
of parallel connections (6 objects in the first round, 2 in the second).
• DNS Lookup: RTT1 + RTT2 +...+ RTTn
• HTML Request/Response: RTT0
• First 6 Objects: 2×RTT0 (one RTT for connection setup and one RTT for the
request/response, handled in parallel)
• Remaining 2 Objects: 2×RTT0
Total time:
Total Time = RTT1 + RTT2 +...+ RTTn + RTT0 + 2 × RTT0 + 2 × RTT0
= RTT1 + RTT2 +...+ RTTn + 5 × RTT0
c. Persistent HTTP?
Answer: With persistent HTTP, only one TCP connection is established for the entire session,
and all requests and responses occur over this single connection. Therefore, there is only
one connection setup RTT (RTT0), and each object requires only one RTT for the request
and response.
• DNS Lookup: RTT1 + RTT2 +...+ RTTn
• HTML and 8 Objects: Each requires just one RTT.
Total time:
Total Time = RTT1 + RTT2 +... + RTTn + RTT0
(Only one RTT for the HTML file and 8 objects, using the same connection).
P9. Consider Figure 2.12, for which there is an institutional network connected to the Internet.
Suppose that the average object size is 1,000,000 bits and that the average request rate from the
institution’s browsers to the origin servers is 16 requests per second. Also suppose that the amount
of time it takes from when the router on the Internet side of the access link forwards an HTTP
request until it receives the response is three seconds on average (see Section 2.2.5). Model the
total average response time as the sum of the average access delay (that is, the delay from Internet
router to institution router) and the average Internet delay. For the average access delay, use
Δ/(1 − Δβ), where Δ is the average time required to send an object over the access link and β is
the arrival rate of objects to the access link.
Answer:
Let's break down the problem step by step:
Given:
• Average object size = 1,000,000 bits
• Request rate = 16 requests per second
• Round-trip time (RTT) for HTTP requests from the router to the server = 3 seconds
• Access link bandwidth = not given directly, but we'll compute based on provided
information
• Miss rate (for cache) = 0.4 (only for part b)
Notation:
• RInternet = Internet delay = 3 seconds (this is the time it takes for the router to get the
HTTP response from the origin server)
• Raccess = Access delay = L/C(1−ρ), where:
  - L = Average object size = 1,000,000 bits
  - C = Link bandwidth (to be found)
  - ρ = Utilization of the link = λ/LC

a. Find the total average response time.


Answer:

b. Now suppose a cache is installed in the institutional LAN. Suppose the miss rate is 0.4. Find
the total response time.
Answer:

P11. Consider the scenario introduced in the previous problem. Now suppose that the link is
shared by Bob with four other users. Bob uses parallel instances of non-persistent HTTP, and the
other four users use non-persistent HTTP without parallel downloads.
a. Do Bob’s parallel connections help him get Web pages more quickly? Why or why not?
Answer: Yes, Bob’s parallel connections help him download web pages faster compared to the
other users, because he can download multiple objects simultaneously. This reduces the total load
time, especially when the connection is not heavily congested.
b. If all five users open five parallel instances of non-persistent HTTP, then would Bob’s parallel
connections still be beneficial? Why or why not?
Answer: No, if all users open parallel connections, the benefit is reduced due to bandwidth
contention. The shared link becomes congested, and each user’s individual connections get limited
bandwidth, leading to longer delays for everyone.
P12. Write a simple TCP program for a server that accepts lines of input from a client and prints
the lines onto the server’s standard output. (You can do this by modifying the TCPServer.py
program in the text.) Compile and execute your program. On any other machine that contains a
Web browser, set the proxy server in the browser to the host that is running your server program;
also configure the port number appropriately. Your browser should now send its GET request
messages to your server, and your server should display the messages on its standard output. Use
this platform to determine whether your browser generates conditional GET messages for objects
that are locally cached.
Answer: Here’s a simple TCP server program in Python that accepts lines of input from a client and
prints them to the server’s standard output.
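A line-printing listener of the kind this answer describes, as an added example (not the author's listing and not the textbook's TCPServer.py). Port 8888, the loopback bind address and the 502 reply are assumptions; besides printing each request it flags the two request headers that make a GET conditional.

```python
"""Line-printing TCP listener for the P12 proxy experiment (added example)."""
import socket

# Request headers that turn a GET into a conditional GET.
CONDITIONAL = ("if-modified-since", "if-none-match")
MAX_HEAD = 64 * 1024   # stop reading if a client never finishes its headers


def read_head(conn):
    """Read from the socket up to the blank line that ends the header section."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = conn.recv(4096)
        if not chunk:              # peer closed before finishing the headers
            break
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


def inspect_request(head):
    """Return (request_line, {conditional header name: value})."""
    lines = head.decode("iso-8859-1").split("\r\n")
    found = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CONDITIONAL:
            found[name.strip().lower()] = value.strip()
    return lines[0], found


def serve(host="127.0.0.1", port=8888):
    """Accept connections one at a time and print each request head."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))     # assumption: loopback; use the LAN address
        srv.listen(5)              # to test from another machine
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)         # do not let an idle client block us
                try:
                    head = read_head(conn)
                    request_line, cond = inspect_request(head)
                    print(f"--- from {peer[0]}:{peer[1]}")
                    print(head.decode("iso-8859-1"))
                    print("conditional GET:" if cond else "unconditional:",
                          request_line, cond)
                    # This listener forwards nothing, so answer as a proxy
                    # that could not reach the origin server.
                    conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n"
                                 b"Content-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")
                except OSError:            # timeout or reset: next client
                    continue


if __name__ == "__main__":
    serve()
```

Load an http:// page the browser has already cached: https:// requests reach a proxy as CONNECT, so their GET lines never appear in this output.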
P13. Consider sending over HTTP/2 a Web page that consists of one video clip, and five images.
Suppose that the video clip is transported as 2000 frames, and each image has three frames.
a. If all the video frames are sent first without interleaving, how many “frame times” are needed
until all five images are sent?
Answer:

b. If frames are interleaved, how many frame times are needed until all five
images are sent.
Answer:

P14. Consider the Web page in problem 13. Now HTTP/2 prioritization is employed. Suppose all
the images are given priority over the video clip, and that the first image is given priority over the
second image, the second image over the third image, and so on. How many frame times will be
needed until the second image is sent?
Answer: To determine how many frame times are needed until the second image is sent when
HTTP/2 prioritization is employed, let’s analyze the situation given the information from the
previous problem.
Given:
- Total images: 5
- Frames per image: 3
- Images have priority over the video clip.
- Images are prioritized in order: Image 1 > Image 2 > Image 3 > Image 4 > Image 5.
Sending Order:
1. The first image will be sent first since it has the highest priority.
2. After sending frames from the first image, the server will proceed to send frames from the
second image.
Frame Times Calculation:
- Each image has 3 frames.
- When prioritization is used, the server will send frames in the following sequence:
1. Frame 1 of Image 1
2. Frame 1 of Image 2 (this is the frame we want to count)
Since each image has 3 frames, the sequence for the first few frame times will look like this:
1. Frame 1 of Image 1 - 1st frame time
2. Frame 1 of Image 2 - 2nd frame time
Thus, it will take 2 frame times until the first frame of the second image is sent.
P15. What is the difference between MAIL FROM: in SMTP and From: in the mail message itself?
Answer: Differences Between MAIL FROM: in SMTP and From: in the Email Message
Purpose:
MAIL FROM: Specifies the sender's address for the SMTP transaction; used for handling bounces.
From: Indicates the sender's address in the email header; visible to the recipient.
Functionality:
MAIL FROM: Used for delivery error notifications.
From: Provides information to the recipient; what they see in their inbox.
Visibility:
MAIL FROM: Not visible to the end user; part of the SMTP protocol.
From: Displayed in the email client; user-friendly format (can include a name).
Format:
MAIL FROM: Plain email address (e.g., `user@example.com`).
From: Can include a display name (e.g., `John Doe <john.doe@example.com>`).
In essence, MAIL FROM: deals with technical aspects of sending emails, while From: focuses on
user interaction and identification.
P16. How does SMTP mark the end of a message body? How about HTTP? Can HTTP use the same
method as SMTP to mark the end of a message body? Explain.
Answer: SMTP Message End Marking:
SMTP marks the end of the message body using a specific sequence of characters: a line containing
only a single period (.). This period must be on its own line, followed by a carriage return and line
feed (<CR><LF>). When the server detects this sequence, it knows the message body has ended.
HTTP Message End Marking:
HTTP typically uses a Content-Length header to indicate the size of the body in bytes. The server
sends this header with the response, so the client knows exactly how many bytes to expect in the
body.
Alternatively, chunked transfer encoding can be used when the content size is not known
beforehand. In this case, the body is sent in chunks, and each chunk is preceded by its size. A final
zero-length chunk marks the end of the body.
Can HTTP Use the Same Method as SMTP?
No, HTTP cannot use the same method as SMTP (i.e., using a single period) to mark the end of the
message body because HTTP is designed to support binary data (e.g., images, files, etc.) that could
contain periods, which would lead to ambiguity.
Conclusion:
SMTP uses a simple text-based marker (.) to end the message body, while HTTP uses a more robust
system based on content length or chunking to handle a wide range of data types, including binary
content. HTTP cannot rely on SMTP's method due to the potential presence of the period character
in the transmitted data.
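The two framing schemes side by side, as an added example that is not part of the original answer. It shows the sender-side dot-stuffing that RFC 5321 section 4.5.2 uses to keep the lone-period marker unambiguous for text lines, and HTTP's Content-Length and chunked framing carrying a binary body that contains the SMTP terminator bytes; the function names and sample bodies are constructed for illustration.

```python
"""SMTP dot framing versus HTTP length framing (added example)."""

HEX = b"0123456789abcdefABCDEF"


def smtp_frame(body):
    """Frame a body for the DATA phase: stuff leading dots, end with '.'."""
    lines = body.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # body already ended with CRLF
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed) + b"\r\n.\r\n"


def smtp_unframe(stream):
    """Return (body, bytes left after the terminator)."""
    out, pos = [], 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("terminator line not found")
        line, pos = stream[pos:eol], eol + 2
        if line == b".":                 # the end-of-data marker
            return b"".join(ln + b"\r\n" for ln in out), stream[pos:]
        out.append(line[1:] if line.startswith(b".") else line)


def http_body(message):
    """Extract one message body using Content-Length or chunked framing."""
    head, _, rest = message.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if chunked and b"content-length" in headers:
        # Two framing signals that may disagree: refuse rather than guess.
        raise ValueError("ambiguous framing")
    if chunked:
        body, pos = b"", 0
        while True:
            eol = rest.index(b"\r\n", pos)
            token = rest[pos:eol].split(b";")[0].strip()
            if not token or not all(c in HEX for c in token):
                raise ValueError("bad chunk size")
            size, pos = int(token, 16), eol + 2
            if size == 0:                # zero-length chunk ends the body
                return body
            body += rest[pos:pos + size]
            pos += size + 2              # skip the data and its CRLF
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise ValueError("truncated body")
    return rest[:length]                 # bytes are counted, never scanned


if __name__ == "__main__":
    text = b"line one\r\n.\r\n.hidden\r\nend\r\n"        # constructed sample
    print(smtp_frame(text))
    binary = b"\x89PNG\r\n.\r\n\x00\x01"                 # constructed sample
    msg = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(binary)
    print(http_body(msg + binary) == binary)
```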
P17. Read RFC 5321 for SMTP. What does MTA stand for? Consider the following received spam e-
mail (modified from a real spam e-mail). Assuming only the originator of this spam e-mail is
malicious and all other hosts are honest, identify the malicious host that has generated this spam
e-mail.
From - Fri Nov 07 13:41:30 2008
Return-Path: <tennis5@pp33head.com>
Received: from barmail.cs.umass.edu (barmail.cs.umass.edu [128.119.240.3])
 by cs.umass.edu (8.13.1/8.12.6) for <hg@cs.umass.edu>;
 Fri, 7 Nov 2008 13:27:10 -0500
Received: from asusus-4b96 (localhost [127.0.0.1])
 by barmail.cs.umass.edu (Spam Firewall) for <hg@cs.umass.edu>;
 Fri, 7 Nov 2008 13:27:07 -0500 (EST)
Received: from asusus-4b96 ([58.88.21.177])
 by barmail.cs.umass.edu for <hg@cs.umass.edu>;
 Fri, 07 Nov 2008 13:27:07 -0500 (EST)
Received: from [58.88.21.177] by inbnd55.exchangeddd.com;
 Sat, 8 Nov 2008 01:27:07 +0700
From: ”Jonny” <tennis5@pp33head.com>
To: <hg@cs.umass.edu>
Subject: How to secure your savings
Answer: What Does MTA Stand For?
MTA stands for Mail Transfer Agent, which is software responsible for transferring emails between
servers. It follows the SMTP protocol to route and deliver email messages to the recipient's email
server.
Identifying the Malicious Host in the Spam Email:
Based on the headers provided, here's the breakdown of the email's journey:
1. Received: from [58.88.21.177] by inbnd55.exchangeddd.com – This line shows the first transfer
from a host with the IP address 58.88.21.177.
2. Received: from asusus-4b96 ([58.88.21.177]) – This confirms that the IP 58.88.21.177 (originating
host) sent the email to barmail.cs.umass.edu.
3. The other received headers (from barmail.cs.umass.edu and cs.umass.edu) are from trusted,
honest hosts that forwarded the email.
Conclusion:
The malicious host in this spam email is the one with the IP address 58.88.21.177, as it was the
originating server sending the email to trusted MTAs.
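The same header walk done programmatically, as an added example that is not part of the original answer. It reads the Received chain newest-first and stops at the first peer address recorded by an MTA in the recipient's own domain, because headers below that point were supplied by the sender; treating cs.umass.edu as the trusted domain and 128.119.240.3 as its internal relay are assumptions taken from the headers in the problem.

```python
"""Find the hand-off point in a Received chain (added example)."""
import ipaddress
import re

# The headers from the problem, re-joined from the page's wrapped text and
# folded the RFC 5322 way (continuation lines start with whitespace).
SPAM_HEADERS = """\
Return-Path: <tennis5@pp33head.com>
Received: from barmail.cs.umass.edu (barmail.cs.umass.edu [128.119.240.3])
    by cs.umass.edu (8.13.1/8.12.6) for <hg@cs.umass.edu>;
    Fri, 7 Nov 2008 13:27:10 -0500
Received: from asusus-4b96 (localhost [127.0.0.1])
    by barmail.cs.umass.edu (Spam Firewall) for <hg@cs.umass.edu>;
    Fri, 7 Nov 2008 13:27:07 -0500 (EST)
Received: from asusus-4b96 ([58.88.21.177])
    by barmail.cs.umass.edu for <hg@cs.umass.edu>;
    Fri, 07 Nov 2008 13:27:07 -0500 (EST)
Received: from [58.88.21.177] by inbnd55.exchangeddd.com;
    Sat, 8 Nov 2008 01:27:07 +0700
To: <hg@cs.umass.edu>
Subject: How to secure your savings
"""

RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"     # name the sending side announced
    r"(?:\s+\((?P<seen>[^)]*)\))?"           # what the receiving MTA recorded
    r"\s+by\s+(?P<by>[^\s;]+)",              # MTA that wrote this header
    re.IGNORECASE | re.MULTILINE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 only


def parse_received(raw):
    """Return the Received hops, newest first, as dicts."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)       # undo header folding
    hops = []
    for m in RECEIVED.finditer(unfolded):
        ip = (BRACKETED_IP.search(m["seen"] or "")
              or BRACKETED_IP.search(m["helo"]))
        hops.append({"helo": m["helo"],
                     "ip": ip.group(1) if ip else None,
                     "by": m["by"].lower()})
    return hops


def first_external_peer(hops, trusted_domain, trusted_relays):
    """Return (ip, unverified_hops).

    ip is the first peer address written by one of our own MTAs that is
    neither loopback nor a known internal relay; unverified_hops are the
    older headers, which the sending side could have written itself.
    """
    for idx, hop in enumerate(hops):
        ours = (hop["by"] == trusted_domain
                or hop["by"].endswith("." + trusted_domain))
        if not ours or hop["ip"] is None:
            return None, hops[idx:]       # chain of custody ends here
        if (ipaddress.ip_address(hop["ip"]).is_loopback
                or hop["ip"] in trusted_relays):
            continue                      # internal hand-off, keep walking
        return hop["ip"], hops[idx + 1:]
    return None, []


if __name__ == "__main__":
    chain = parse_received(SPAM_HEADERS)
    ip, unverified = first_external_peer(
        chain, "cs.umass.edu", {"128.119.240.3"})
    print("handed to our MTA by:", ip)
    print("unverified older hops:", [h["by"] for h in unverified])
```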
P18. a. What is a whois database?
Answer: Whois is a publicly accessible database that provides information about the registration
of domain names, IP addresses, and other network resources. It can show the owner of a domain,
their contact information, and the DNS servers associated with a domain. It is widely used for
troubleshooting, security research, and network management.
b. Use various whois databases on the Internet to obtain the names of two DNS servers. Indicate
which whois databases you used.
Answer: Using various Whois databases (e.g., ARIN and ICANN), you can find DNS servers for
domains. For example:
• Using ARIN (American Registry for Internet Numbers), you can search IP ranges and DNS
details.
• ICANN Whois database helps with domain registration data.
Sample DNS servers obtained via Whois could be ns1.google.com and ns2.google.com.
c. Use nslookup on your local host to send DNS queries to three DNS servers: your local DNS server
and the two DNS servers you found in part (b). Try querying for Type A, NS, and MX reports.
Summarize your findings.
Answer: Using nslookup, we can query DNS servers for different types of records:
• Type A (Address Records): Maps a domain to an IPv4 address.
• NS (Name Server Records): Lists authoritative DNS servers for a domain.
• MX (Mail Exchange Records): Specifies mail servers for email delivery.
Findings will vary based on the domain queried. For example:
• A Record for google.com may return IPs like 172.217.3.110.
• NS Record may return DNS servers such as ns1.google.com, ns2.google.com.
• MX Record may return mail servers like aspmx.l.google.com.
d. Use nslookup to find a Web server that has multiple IP addresses. Does the Web server of your
institution (school or company) have multiple IP addresses?
Answer: Many large organizations have web servers with multiple IP addresses for load balancing
and redundancy. Using nslookup, we may find multiple IPs for a web server.
• For example, querying nslookup google.com often returns multiple IPs (e.g., 172.217.3.110,
172.217.4.238).
e. Use the ARIN whois database to determine the IP address range used by your university.
Answer: We can use the ARIN database to find the IP range assigned to a particular organization,
such as a university. Simply search by the institution’s name to get results such as:
• Range: 192.168.0.0 - 192.168.255.255.

f. Describe how an attacker can use whois databases and the nslookup tool to perform
reconnaissance on an institution before launching an attack.
Answer: Attackers can use Whois to gather information about domain ownership, DNS servers, and
IP ranges.
Using nslookup, attackers can find IP addresses and server configurations (such as MX records).
This information can be used to plan attacks like DDoS or to exploit vulnerabilities in outdated
systems.
g. Discuss why whois databases should be publicly available.
Answer: Whois databases should be publicly available for transparency, security research, and
troubleshooting.
• Benefits: Helps identify malicious actors, resolve network issues, and assist in legal
investigations.
• Risks: Attackers can use it for reconnaissance, as discussed earlier, which can be mitigated
by privacy-focused domain registration options.

P19. In this problem, we use the useful dig tool available on Unix and Linux hosts to explore the
hierarchy of DNS servers. Recall that in Figure 2.19, a DNS server in the DNS hierarchy delegates a
DNS query to a DNS server lower in the hierarchy, by sending back to the DNS client the name of
that lower-level DNS server. First read the man page for dig, and then answer the following
questions.
A. Starting with a root DNS server (from one of the root servers [a-m].root-servers.net), initiate a
sequence of queries for the IP address for your department’s Web server by using dig. Show the
list of the names of DNS servers in the delegation chain in answering your query.
Answer: Query for My department’s Web Server IP:
Start with a root DNS Server: Using dig to query one of the root servers (e.g., a.root-servers.net)
for the IP address of my department’s web server.
Example command:
dig @a.root-servers.net mydepartment.example.com
DNS Delegation Chain: The root server will respond with the address of a lower-level DNS server
(e.g., a top-level domain (TLD) server like .edu or .com). This process will repeat until we reach the
authoritative DNS server that has the IP address of my department's web server.
Example Output:
• Start at the root DNS server
• Delegation to .edu TLD server
• Delegation to the DNS server for example.edu
• Final response from the authoritative DNS server with the IP address.
The list of DNS servers queried forms the delegation chain.
B. Repeat part (a) for several popular Web sites, such as google.com, yahoo.com, or amazon.com.
Answer: Query for Popular Websites
1. Google.com:
dig @a.root-servers.net google.com
2. Yahoo.com:
dig @a.root-servers.net yahoo.com
3. Amazon.com:
dig @a.root-servers.net amazon.com
For each query, following the same delegation process, we will receive responses from root servers,
TLD servers (e.g., .com) and eventually the authoritative DNS servers that hold the IP address records
for these popular domains.
Each dig command will show how DNS queries are passed down the hierarchy, allowing us to see the
delegation process from root to the final authoritative server.
P20. Suppose you can access the caches in the local DNS servers of your department. Can you
propose a way to roughly determine the Web servers (outside your department) that are most
popular among the users in your department? Explain.
Answer: To determine the most popular web servers outside your department using the local DNS
server's cache:
1. Analyze DNS Query Logs: Check the DNS query logs for domains frequently requested by users.
2. Monitor Cache Hits: Identify which domains remain in the cache and are frequently accessed,
indicating repeated visits.
3. Filter External Domains: Focus only on web servers outside your department by filtering out
internal domains.
4. Rank Popular Servers: Rank external web servers based on the number of DNS queries or cache
hits.
This method gives a rough estimate of web server popularity based on DNS activity.
P21. Suppose that your department has a local DNS server for all computers in the department.
You are an ordinary user (i.e., not a network/system administrator). Can you determine if an
external Web site was likely accessed from a computer in your department a couple of seconds
ago? Explain.
Answer: Yes, as an ordinary user, you might be able to roughly determine if an external website
was likely accessed from a computer in your department a few seconds ago by checking the local
DNS server’s cache. Here's how:
1. Query the Local DNS Server: Use a tool like nslookup or dig to query the DNS server for the
domain of the external website. If the DNS server responds with the IP address and the
response is marked as "non-authoritative" (i.e., from cache), it indicates that the domain
was recently queried and cached by the DNS server.
2. Time-to-Live (TTL) Check: The DNS response will also include the Time-to-Live (TTL) value.
If the TTL is close to the original value, it means the DNS entry was cached only a few
seconds ago, suggesting that someone recently accessed the website.
Limitations:
• You cannot know which specific computer accessed the website, only that it was likely
accessed by someone in the department.
• If the TTL is low, it could mean the website was accessed some time ago, not necessarily
within the last few seconds.
P22. Consider distributing a file of F = 20 Gbits to N peers. The server has an upload rate of us = 30
Mbps, and each peer has a download rate of di = 2 Mbps and an upload rate of u. For N = 10, 100,
and 1,000 and u = 300 Kbps, 700 Kbps, and 2 Mbps, prepare a chart giving the minimum
distribution time for each of the combinations of N and u for both client-server distribution and
P2P distribution.
Answer: To calculate the minimum distribution time for distributing a file of F=20 Gbits to N peers,
we'll compute the distribution time for both client-server (CS) and peer-to-peer (P2P) models,
using the given parameters.
Parameters:
• File size F=20 Gbits.
• Server upload rate us=30 Mbps
• Peer download rate di=2 Mbps.
• Peer upload rate u varies: 300 Kbps, 700 Kbps, 2 Mbps
• Number of peers N=10, 100, 1000
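The chart follows from the two bounds stated in P23 and P24: max{NF/us, F/dmin} for client-server and max{F/us, NF/(us + u1 + . . . + uN)} for P2P, with the F/dmin term also applied to P2P because the peer download rate here is a finite 2 Mbps. The code below is an added example, not part of the original answer; it assumes 1 Gbit = 1,000,000 Kbits and 1 Mbps = 1,000 Kbps, and its function names are illustrative.

```python
# Added example: minimum distribution times for P22, in Kbits and Kbps.
F = 20 * 1_000_000        # 20 Gbits, assuming 1 Gbit = 1,000,000 Kbits
U_S = 30 * 1_000          # server upload rate: 30 Mbps
D_MIN = 2 * 1_000         # every peer downloads at 2 Mbps, so dmin = 2 Mbps
PEER_COUNTS = (10, 100, 1000)
PEER_UPLOADS = (300, 700, 2000)   # u = 300 Kbps, 700 Kbps, 2 Mbps


def d_cs(n):
    """Client-server bound: max{NF/us, F/dmin}."""
    return max(n * F / U_S, F / D_MIN)


def d_p2p(n, u):
    """P2P bound: max{F/us, F/dmin, NF/(us + N*u)} with equal peer upload u."""
    return max(F / U_S, F / D_MIN, n * F / (U_S + n * u))


def chart():
    """Return {(N, u_kbps): (client-server seconds, P2P seconds)}, rounded."""
    return {(n, u): (round(d_cs(n)), round(d_p2p(n, u)))
            for u in PEER_UPLOADS for n in PEER_COUNTS}


def render(rows):
    """Format the chart as plain text, one line per (u, N) combination."""
    lines = [f"{'u (Kbps)':>8} {'N':>5} {'client-server (s)':>18} {'P2P (s)':>8}"]
    for (n, u), (cs, p2p) in rows.items():
        lines.append(f"{u:>8} {n:>5} {cs:>18} {p2p:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(chart()))
```

The client-server time grows linearly with N once NF/us exceeds F/dmin, while the P2P time stays pinned at F/dmin whenever the peers' aggregate upload keeps pace with N.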
P23. Consider distributing a file of F bits to N peers using a client-server architecture. Assume a
fluid model where the server can simultaneously transmit to multiple peers, transmitting to each
peer at different rates, as long as the combined rate does not exceed us.
a. Suppose that us/N<= dmin. Specify a distribution scheme that has a distribution
time of NF/us.
Answer:

b. Suppose that us/N>=dmin. Specify a distribution scheme that has a distribution
time of F/dmin.
Answer:

c. Conclude that the minimum distribution time is in general given by
max{NF/us, F/dmin}
Answer:

P24. Consider distributing a file of F bits to N peers using a P2P architecture.
Assume a fluid model. For simplicity assume that dmin is very large, so that
peer download bandwidth is never a bottleneck.
a. Suppose that us <= (us + u1 + . . . + uN)/N. Specify a distribution scheme that has a distribution
time of F/us.
Answer:

b. Suppose that us >= (us + u1 + . . . + uN)/N. Specify a distribution scheme that has a distribution
time of NF/(us + u1 + . . . + uN).
Answer:
c. Conclude that the minimum distribution time is in general given by max{F/us, NF/(us + u1 + . . .
+ uN)}.
Answer:

P25. Consider an overlay network with N active peers, with each pair of peers having an active TCP
connection. Additionally, suppose that the TCP connections pass through a total of M routers. How
many nodes and edges are there in the corresponding overlay network?
Answer:

P26. Suppose Bob joins a BitTorrent torrent, but he does not want to upload any
data to any other peers (so called free-riding).
a. Bob claims that he can receive a complete copy of the file that is shared by the swarm. Is Bob’s
claim possible? Why or why not?
Answer: No, Bob’s claim is not possible.
In BitTorrent, peers are expected to upload data while downloading. If Bob does not upload
anything (free-riding), other peers will likely limit or stop sending him data. The protocol's tit-for-
tat mechanism incentivizes sharing, so he won't be able to receive a complete copy of the file.
b. Bob further claims that he can further make his “free-riding” more efficient by using a collection
of multiple computers (with distinct IP addresses) in the computer lab in his department. How can
he do that?
Answer: Bob can enhance his free-riding by:
1. Using Multiple IPs: By employing several computers with distinct IP addresses, Bob can join the
swarm multiple times.
2. Simultaneous Downloads: Each computer can download different pieces of the file
simultaneously, increasing the chances of getting more data without uploading.
3. Rotating Connections: Bob can disconnect one computer and connect another to reset his
status and gain more access.
4. Coordinated Downloads: By coordinating requests across computers, he can maximize the
number of unique pieces he receives.
While this approach is technically possible, it undermines the cooperative nature of BitTorrent.
P27. Consider a DASH system for which there are N video versions (at N different rates and
qualities) and N audio versions (at N different rates and qualities). Suppose we want to allow the
player to choose at any time any of the N video versions and any of the N audio versions.
a. If we create files so that the audio is mixed in with the video, so server sends only one media
stream at given time, how many files will the server need to store (each a different URL)?
Answer: If the audio is mixed with the video, the server sends only one media stream at a time.
For N video versions and N audio versions, each unique combination of video and audio
must be stored as a separate file.
• Total Files: The number of different combinations of audio and video is given by the product
of the number of video versions and the number of audio versions:
Total Files=N×N=N^2
Thus, the server will need to store N^2 files (each with a different URL).
b. If the server instead sends the audio and video streams separately and has the client synchronize
the streams, how many files will the server need to store?
Answer: If the server sends audio and video streams separately and allows the client to synchronize
them, the server will need to store each audio and video version independently.
• Total Files: The server will store:
o N video versions
o N audio versions
Thus, the total number of files is:
Total Files=N+N=2N
Therefore, the server will need to store 2N files (each with a different URL).
P28. Install and compile the Python programs TCPClient and UDPClient on one host and TCPServer
and UDPServer on another host.
a. Suppose you run TCPClient before you run TCPServer. What happens? Why?
Answer: Running TCPClient before TCPServer
What Happens: If you run TCPClient before TCPServer, the client will attempt to establish a
connection to the server, but since the server is not running, the client will fail to connect.
Why: TCP is a connection-oriented protocol that requires the server to be actively listening for
incoming connections on a specific port. When the client tries to connect and does not find a
server, it will receive an error (typically a "Connection refused" error).
b. Suppose you run UDPClient before you run UDPServer. What happens? Why?
Answer: Running UDPClient before UDPServer
What Happens: If you run UDPClient before UDPServer, the client will send UDP packets to the
server's specified address, but the server will not be available to receive them.
Why: Unlike TCP, UDP is connectionless, meaning it does not establish a formal connection
between the client and server. The client will send packets regardless of whether the server is
listening. The packets will be dropped, and the client may not receive any indication that the server
is not available unless it implements its own error-checking mechanism (e.g., waiting for a response
that never comes).
c. What happens if you use different port numbers for the client and server sides?
Answer: Using Different Port Numbers for Client and Server
What Happens: If you use different port numbers for the client and server sides, the client will be
unable to connect or communicate with the server.
Why:
• For TCP: The client must connect to the exact port where the server is listening. If the ports do
not match, the connection attempt will fail with a "Connection refused" error.
• For UDP: The client will send packets to the wrong port, and since the server is not listening on
that port, the packets will be dropped. The server will not receive any data, and the client may
not get any error indication unless it has its own error handling.
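The contrast between parts a and b can be reproduced on one machine over loopback. This is an added example, not the TCPClient/UDPClient programs the problem refers to; the helper names are illustrative, and an unused loopback port stands in for the server that has not been started.

```python
import socket

LOOPBACK = "127.0.0.1"


def unused_port(kind):
    """Pick a loopback port with no listener: bind to port 0, note it, close."""
    with socket.socket(socket.AF_INET, kind) as probe:
        probe.bind((LOOPBACK, 0))
        return probe.getsockname()[1]


def tcp_client_without_server():
    """TCP: connect() needs a listener, so the handshake fails immediately."""
    port = unused_port(socket.SOCK_STREAM)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.settimeout(2)
        try:
            client.connect((LOOPBACK, port))
        except ConnectionRefusedError:
            return "connection refused"
        return "connected"


def udp_client_without_server():
    """UDP: sendto() succeeds with no listener; only the missing reply shows."""
    port = unused_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(0.5)
        sent = client.sendto(b"hello", (LOOPBACK, port))  # no handshake, no error
        try:
            client.recvfrom(2048)
        except socket.timeout:
            return sent, "no reply (timed out)"
        except ConnectionError:
            # Some stacks surface the ICMP port-unreachable on the next call.
            return sent, "no reply (port unreachable reported)"
        return sent, "reply received"


if __name__ == "__main__":
    print("TCP:", tcp_client_without_server())
    print("UDP:", udp_client_without_server())
```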

P29. Suppose that in UDPClient.py, after we create the socket, we add the line:
clientSocket.bind(('', 5432)). Will it become necessary to change UDPServer.py? What are the port
numbers for the sockets in UDPClient and UDPServer? What were they before making this change?
Answer: In the context of a UDP client-server architecture, let's analyze the effect of adding the
line clientSocket.bind(('', 5432)) in UDPClient.py.
Original Setup
Typically, in a simple UDP client-server setup, the client does not bind to a specific port; instead, it
allows the operating system to assign an ephemeral port automatically. The server, on the other
hand, binds to a specific port to listen for incoming messages.
Original Ports:
• UDPClient.py: The client socket usually does not bind to a specific port, so it relies on an
ephemeral port assigned by the OS.
• UDPServer.py: The server binds to a specific port (e.g., 5432) to listen for incoming packets.
This is the port number used in the bind call in the server code.

Effect of the Change


When you add the line clientSocket.bind(('', 5432)) in UDPClient.py, you are explicitly binding the
client socket to port 5432.
After the Change:
• UDPClient.py: The client now binds to port 5432 explicitly.
• UDPServer.py: The server still binds to port 5432.
Implications:
1. Port Conflict: If both the client and server are running on the same machine and are bound
to the same port (5432), this will cause a conflict. The OS will prevent the client from
binding to a port that is already in use by the server.
2. Necessary Changes: You will need to change either the client or server port number to
avoid the conflict. For instance:
o We could change the client's port to another unused port (e.g., 5433).
o Alternatively, keep the server on port 5432 and allow the client to use an ephemeral
port (by removing the bind statement from the client).

P30. Can you configure your browser to open multiple simultaneous connections to a Web site?
What are the advantages and disadvantages of having a large number of simultaneous TCP
connections?
Answer: Yes, you can configure your browser to open multiple simultaneous connections to a
website, which is often enabled by default.
Advantages
1. Improved Performance: Faster loading times by fetching resources in parallel.
2. Better Bandwidth Utilization: Maximizes available bandwidth.
3. Reduced Latency: Multiple requests can be sent out simultaneously, decreasing wait times.
4. Increased Fault Tolerance: Other connections can still succeed if one fails.
Disadvantages
1. Network Congestion: Too many connections can overwhelm the network and increase latency.
2. Higher Server Load: Many connections can strain server resources and affect performance.
3. Connection Limits: Servers may restrict the number of concurrent connections, leading to
rejections if exceeded.
4. Overhead: Each connection incurs setup and maintenance costs, which can negate performance
benefits if excessive.
Using multiple TCP connections can enhance performance, but it must be balanced with potential
drawbacks like congestion and server load.

P31. We have seen that Internet TCP sockets treat the data being sent as a byte stream but UDP
sockets recognize message boundaries. What are one advantage and one disadvantage of byte-
oriented API versus having the API explicitly recognize and preserve application-defined message
boundaries?
Answer: Byte-Oriented API (TCP Sockets)
Advantage:
Simplicity: Easy to use since developers don't need to manage message boundaries explicitly.
Disadvantage:
Loss of Boundaries: Doesn’t preserve application-defined message boundaries, complicating data
interpretation.
Message-Oriented API (UDP Sockets)
Advantage:
Preserved Boundaries: Maintains clear message separations, making it easier to manage discrete
messages.
Disadvantage:
Increased Overhead: Adds complexity and may lead to performance inefficiencies due to
fragmentation and reassembly of messages.
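The loss of boundaries on a byte stream shows up as soon as two messages are written back to back, and the usual remedy is a length prefix with an upper bound on the declared length. The code below is an added example, not part of the original answer; it uses socket.socketpair() over AF_UNIX (Linux/macOS) as a local stand-in with the same SOCK_STREAM and SOCK_DGRAM semantics as TCP and UDP sockets, and the function names, MAX_MSG limit and sample messages are constructed.

```python
import socket
import struct

MAX_MSG = 65536  # refuse frames that declare more than this many bytes


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket; recv() may return fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def send_msg(sock, payload):
    """Frame a message as a 4-byte big-endian length followed by the payload."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_msg(sock):
    """Read one framed message, bounding the peer-supplied length."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_MSG:
        raise ValueError("declared length exceeds MAX_MSG")
    return recv_exact(sock, length)


def demo(msgs=(b"LOGIN alice", b"QUIT")):
    """Send msgs three ways; return (raw stream bytes, datagrams, framed)."""
    s_tx, s_rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    d_tx, d_rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        for m in msgs:
            s_tx.sendall(m)                      # boundaries are lost here
        raw = recv_exact(s_rx, sum(len(m) for m in msgs))
        for m in msgs:
            d_tx.send(m)                         # one datagram per message
        datagrams = [d_rx.recv(2048) for _ in msgs]
        for m in msgs:
            send_msg(s_tx, m)                    # boundaries restored by framing
        framed = [recv_msg(s_rx) for _ in msgs]
        return raw, datagrams, framed
    finally:
        for s in (s_tx, s_rx, d_tx, d_rx):
            s.close()
```

The raw stream read returns the two messages fused into one byte string, which is why a stream receiver needs framing and should reject a length field larger than it is prepared to buffer.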

P32. What is the Apache Web server? How much does it cost? What functionality does it currently
have? You may want to look at Wikipedia to answer this question.
Answer: The Apache Web Server, also known as Apache HTTP Server, is a widely used open-source
web server that has been around since 1995. It is maintained by the Apache Software Foundation
and is known for its flexibility, security, and extensibility, making it the most popular web server on
the internet. As of now, it powers about 47% of all websites.
Cost: Apache is free to use, as it is open-source software released under the Apache License.
Functionality: The server supports various features including:
- HTTP/2 and IPv6 support
- SSL/TLS for secure connections
- URL rewriting
- Load balancing
- Support for dynamic content using modules like `mod_php` and `mod_perl`
- Customizable configuration through `.htaccess` files
