Network security

CSE 365 Fall 2021

Outline

● Internet in a nutshell and the OSI model
– Ethernet, ARP, IP, TCP, BGP, etc.

● Attacks in different layers
– Off-path vs. in/on-path

● Firewalls and NIDSs
● VPNs
● Port scanning, SYN floods

Some comments

● Bits matter
● Self reliance
– Linux machine with root
● RTFTB doesn’t apply in this class, so really it’s RTFSC and RTFM
● These slides have a lot of info, consider it to be an overview and then use the homework as a focal point

Internet in a nutshell…

You want to connect two machines…

● Machines = desktops, laptops, mobile devices,
routers, embedded devices, …

A “hop” (diagram): sulu and kirk connected by a single Ethernet link

A “subnet” (diagram): sulu, kirk, and chekov on the same Ethernet segment

ARP = Address Resolution Protocol (resolves an IP address on the subnet to a MAC address)

A network with routers (diagram): kirk, bones, spock, uhura, scotty, sulu, chekov

More terminology

● IP = Internet protocol
● Forwarding, or “routing”

– How packets get across the network
● Interface

– WiFi, cellular, …
● Path (or “route”), reverse path

IP address

● IPv4 is 32 bits, written as 4 bytes in dotted decimal
– 192.168.7.8
– 64.106.46.20
– 8.8.8.8

● IPv6 is 128 bits
– 2001:0db8:85a3:0000:0000:8a2e:0370:7334

CIDR

● Classless Inter-Domain Routing
● /27 has a netmask of 255.255.255.224

(Prefix/netmask table from Wikipedia)
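The same arithmetic worked in code, as an added example that is not part of the slides: it builds the /N netmask from the bits, derives the network and broadcast addresses, tests prefix membership by hand, and cross-checks the result against Python's `ipaddress` module. The addresses are the ones from the IP address slide plus constructed probes.

```python
# Added example, not from the slides: CIDR arithmetic on the raw 32 bits,
# cross-checked against the standard library's ipaddress module.
import ipaddress
import struct


def ip_to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 string into its 32-bit big-endian integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return struct.unpack("!I", bytes(octets))[0]


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str(b) for b in struct.pack("!I", value))


def prefix_to_netmask(prefix_len: int) -> int:
    """A /N netmask is N one-bits followed by 32-N zero-bits (so /27 -> 0xFFFFFFE0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def cidr_summary(cidr: str) -> dict:
    """Network address, netmask, broadcast and usable host count for 'a.b.c.d/N'.
    Host bits set in the address (192.168.7.8/27) are masked off, as a router would."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    mask = prefix_to_netmask(plen)
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast addresses.
    usable = 2 ** (32 - plen) - 2 if plen <= 30 else 2 ** (32 - plen)
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": usable,
    }


def in_prefix(ip: str, cidr: str) -> bool:
    """True if ip is inside cidr: every bit under the mask must agree."""
    addr, _, plen = cidr.partition("/")
    mask = prefix_to_netmask(int(plen))
    return (ip_to_int(ip) & mask) == (ip_to_int(addr) & mask)


def matches_stdlib(ip: str, cidr: str) -> bool:
    """Sanity check: the bit arithmetic must agree with ipaddress for the same inputs.
    strict=False lets ipaddress accept an address with host bits set, as in_prefix does."""
    return in_prefix(ip, cidr) == (
        ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    )


if __name__ == "__main__":
    print(cidr_summary("192.168.7.8/27"))
    for probe in ("192.168.7.31", "192.168.7.32"):
        print(probe, "in 192.168.7.8/27:", in_prefix(probe, "192.168.7.8/27"))
```

The membership test is exactly what a firewall or router does with a prefix rule: mask both addresses and compare, so 192.168.7.31 matches 192.168.7.8/27 while 192.168.7.32 does not.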

A connection

● For now, just know TCP, UDP, and ICMP
– Stream sockets vs. datagrams

● TCP and UDP have “ports”
– Port helps identify a process for incoming packets
– Open port == “listening”

● Three-way handshake

Process?

(diagram) Process 1, Process 2, and Process 3 run above the kernel, with the hardware below. Processes are separated by virtual memory and access system resources via system calls.

Almost there…

● DNS for resolving hostnames to IPs
– breakpointingbad.com becomes 149.28.240.117

● BGP to scale to the size of the Internet
– Path vector protocol

● HTTP as another example of an application
layer protocol

Internet in Ecuador…

OSI model

● 1. Physical
● 2. Link
● 3. Network
● 4. Transport
● 5. Session
● 6. Presentation
● 7. Application

Attacks in different layers

Physical and link

● “Network adjacent”
● Can sniff (promiscuous mode)
● Can spoof

– ARP cache poisoning
– Goal is often to pretend to be the gateway
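An added example, not from the slides, that builds ARP frames by hand and runs a passive IP-to-MAC binding monitor over constructed traffic (hypothetical addresses): a host asks for the gateway, the real gateway answers, then an attacker claims the gateway's IP with its own MAC. The monitor reports each time an IP's advertised MAC changes, which is the flip-flop that arpwatch-style tools alert on.

```python
# Added example, not from the slides: hand-built ARP frames and a passive
# monitor that flags an IP address whose advertised MAC changes, the classic
# symptom of ARP cache poisoning. Sample traffic is constructed below.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet II header followed by an ARP packet for IPv4-over-Ethernet:
    hardware type 1, protocol 0x0800, 6-byte MACs, 4-byte IPs (28 bytes of ARP)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None

    def mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def ip(b):
        return ".".join(str(x) for x in b)

    body = frame[22:42]
    return op, mac(body[0:6]), ip(body[6:10]), mac(body[10:16]), ip(body[16:20])


def detect_arp_poisoning(frames, trusted=None):
    """Learn sender IP -> sender MAC from every ARP packet (requests leak the
    binding too) and return (ip, old_mac, new_mac) whenever a binding changes.
    A poisoned LAN shows flip-flops as the real owner and the attacker both
    keep answering. `trusted` seeds known-good bindings, e.g. the gateway's."""
    bindings = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, smac, sip, _, _ = parsed
        known = bindings.get(sip)
        if known is not None and known != smac:
            alerts.append((sip, known, smac))
        bindings[sip] = smac
    return alerts


# Constructed sample traffic (hypothetical addresses): the gateway answers a
# request, then an attacker claims the gateway's IP with its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.7.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.7.8", "02:00:00:00:00:08"
ATTACKER_MAC = "02:de:ad:be:ef:66"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_poisoning(SAMPLE_FRAMES):
        print(f"ALERT {ip} changed {old} -> {new}")
```

The third frame is the poison: a reply nobody asked for, sent unicast to the victim so the gateway never sees it. Most stacks accept it and overwrite their cache entry, which is why a monitor has to watch the wire rather than trust the local ARP table.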

IP and transport layer

● Can spoof
● Can hijack

BGP or DNS

● Can spoof anything that doesn’t have crypto
● DNS cache poisoning
● BGP prefix attacks

Firewalls and NIDSs

● Basic idea is to sit in between two machines
and apply some policy

● Firewall… “no packets enter my network with
destination port 25”

● NIDS: Network Intrusion Detection System….
“Don’t allow TCP connections to send
‘%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3’”

https://citizenlab.ca/2015/04/chinas-great-cannon/

See also “QUANTUM Insert”


In- vs. On-path

● In-path … Attacker (or “security” device) gets to
hold on to the packet and look at it, or modify it,
before forwarding it

● On-path … Attacker (or “security” device) gets a
copy, via something like a port mirror, but the
packet has already been forwarded

Jed’s opinion: There is no firewall or NIDS that
can’t be broken/evaded.

Ptacek and Newsham

● Insertion, Evasion, and Denial of Service:
Eluding Network Intrusion Detection

● Also see the work of Vern Paxson on “Bro” (now “Zeek”)

● The following is an example that uses IP
fragments, all images from:

https://www.sans.org/reading-room/whitepapers/detection/ip-fragment-reassembly-scapy-33969

TCP is even worse…

● http://www.icir.org/vern/papers/TcpReassembly/


TTL tricks (diagram): kirk, bones, spock, uhura, scotty, sulu, chekov, redshirt, mudd
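To make the Ptacek and Newsham point concrete for both the IP-fragment example and the TTL trick, here is an added example that is not from the slides or the SANS paper: a toy fragment reassembler with two overlap policies. Scenario (1) is evasion, where the NIDS and the host reassemble the same overlapping fragments differently; scenario (2) is insertion, where chaff fragments carry a TTL that reaches the NIDS tap but expires before the host. The topology (NIDS after 2 routers, host after 4), payloads and TTLs are constructed for the example.

```python
# Added example, not from the slides: a toy IP fragment reassembler with two
# overlap policies, showing (1) the Ptacek & Newsham evasion, where NIDS and
# host reassemble the same fragments differently, and (2) TTL insertion,
# where chaff reaches the NIDS but expires before the host. Topology,
# payloads and TTLs are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int         # byte offset in the datagram (real IP counts in 8-byte units)
    ttl: int            # TTL as sent by the attacker
    data: bytes
    last: bool = False  # True when the More Fragments flag is clear


# Hypothetical topology: the NIDS taps the wire after 2 routers, the host sits after 4.
NIDS_HOPS, HOST_HOPS = 2, 4


def survives(frag: Fragment, hops: int) -> bool:
    """Each router decrements TTL and discards a packet that would reach 0, so a
    fragment is only seen beyond `hops` routers if its TTL exceeds that count."""
    return frag.ttl > hops


def reassemble(frags, policy: str):
    """Rebuild the datagram. 'first' keeps the byte that arrived first at each
    offset, 'last' lets later fragments overwrite. Real stacks differ here,
    which is what the evasion exploits. Returns None while holes remain or no
    final fragment has arrived."""
    placed, total = {}, None
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "first" and pos in placed:
                continue
            placed[pos] = b
        if f.last:
            total = f.offset + len(f.data)
    if total is None or any(pos not in placed for pos in range(total)):
        return None
    return bytes(placed[pos] for pos in range(total))


def view_from(frags, hops: int, policy: str):
    """What a device `hops` routers away reassembles with its own overlap policy."""
    return reassemble([f for f in frags if survives(f, hops)], policy)


def inconsistent_overlap(frags) -> bool:
    """NIDS countermeasure: overlapping bytes that disagree never occur in honest
    retransmissions, so flag the datagram instead of guessing the host's policy."""
    seen = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen and seen[pos] != b:
                return True
            seen[pos] = b
    return False


BENIGN = b"GET /index.html\n"  # 16 bytes, sent as two 8-byte fragments
ATTACK = b"GET /etc/passwd\n"  # same length, different contents

# (1) Evasion: benign bytes first, attack bytes overlapping them, TTL high enough
# to reach everyone. The outcome depends only on each device's overlap policy.
EVASION_FRAGS = [
    Fragment(0, 64, b"GET /ind"),
    Fragment(8, 64, b"ex.html\n", last=True),
    Fragment(0, 64, b"GET /etc"),
    Fragment(8, 64, b"/passwd\n", last=True),
]

# (2) Insertion: the benign chaff has TTL 3, enough to pass 2 routers to the NIDS
# tap, but router 3 receives it with TTL 1 and drops it. The host never sees the
# chaff, so the host's overlap policy no longer matters.
INSERTION_FRAGS = [
    Fragment(0, 3, b"GET /ind"),
    Fragment(8, 3, b"ex.html\n", last=True),
    Fragment(0, 64, b"GET /etc"),
    Fragment(8, 64, b"/passwd\n", last=True),
]


def overlap_evasion():
    """(NIDS view, host view) when the NIDS favours first-arrived bytes and the host last."""
    return view_from(EVASION_FRAGS, NIDS_HOPS, "first"), view_from(EVASION_FRAGS, HOST_HOPS, "last")


def ttl_insertion():
    """(NIDS view, host view) with both devices using the same 'first' policy."""
    return view_from(INSERTION_FRAGS, NIDS_HOPS, "first"), view_from(INSERTION_FRAGS, HOST_HOPS, "first")


if __name__ == "__main__":
    print("evasion  :", overlap_evasion())
    print("insertion:", ttl_insertion())
    print("NIDS can flag inconsistent overlaps:", inconsistent_overlap(INSERTION_FRAGS))
```

In both scenarios the NIDS reassembles the benign request and the host executes the attack. The practical defence shown by `inconsistent_overlap` is the one Paxson's work argues for: an on-path monitor cannot know which policy the host uses, so it should treat disagreeing overlaps as an alert (or, in-path, normalize the fragments before forwarding them).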

“Information only has meaning in
that it is subject to interpretation”

–Computer Viruses, Theory and Experiments by
Fred Cohen, 1984

“The only laws on the Internet are
assembly and RFCs”

–Phrack 65 article by

“Information is inherently physical”

–(Lots of people said this, but see Richard
Feynman’s Lectures on Computation)

OSI model

● 1. Physical
● 2. Link
● 3. Network
● 4. Transport
● 5. Session
● 6. Presentation
● 7. Application

A layer 7 example (XSS) due to Jeff Knockel
● Suppose “” is
blacklisted

● Use “