Networking Fundamentals

(Kalyana+Soma).Sundaram

Kishan Gupta

Aneesh Dogra
 

What happens when you open www.google.com

 

AGENDA

  • DNS, UDP (0.5 days)
  • HTTP/(S) (0.5 days)
  • TCP, IP routing (0.5 days)
  • Conclusion and NOC session (0.5 days)

DNS

  1. Why DNS
    IP address vs domain name
  2. Stakeholders
    TLD operators: ccTLD, gTLD etc.
    Registrars: GoDaddy, Orderbox
    DNS caches: ISP resolver, local
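The wire format that the "IP address vs domain name" lookup actually travels in, as an added example that is not part of the original deck: a DNS query is built as one UDP datagram, a constructed A-record reply is parsed (including the 0xC00C name-compression pointer), and the resolver-side check that a reply echoes the query's transaction ID and question is shown, because that check (plus a random source port) is what stands between a cache and a blindly spoofed answer. The live lookup under `__main__` assumes 8.8.8.8:53 is reachable and is not needed for the offline parts.

```python
import socket
import struct


def encode_name(name):
    """Encode "www.google.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """12-byte header (ID, flags with RD=1, QDCOUNT=1) followed by one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a name at msg[off], following compression pointers (0xC0xx); returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                     # a pointer is always the last thing in the field
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(msg):
    """Parse header, question section and answer section of a DNS message (query or response)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query, ip, ttl=300):
    """Constructed A-record reply (test data, not captured traffic): echoes the question and
    writes the answer name as a pointer to offset 12, where the question name sits."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def accept_response(query, response):
    """A resolver must discard replies whose ID or question do not match the outstanding query."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    # Live lookup over UDP/53 against a public resolver (assumed reachable; not used offline).
    import os
    query = build_query(int.from_bytes(os.urandom(2), "big"), "www.google.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, ("8.8.8.8", 53))
        reply, _ = s.recvfrom(512)
    if accept_response(query, reply):
        print(parse_message(reply)["answers"])
```

The 16-bit ID alone gives an off-path attacker a 1-in-65536 guess per spoofed reply; resolvers therefore also randomise the UDP source port, which is why the live lookup binds to an ephemeral port rather than a fixed one.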

Transport Layer Protocols

  • TCP
  • UDP

TCP

Flags

  • NS (1 bit): ECN-nonce concealment protection (experimental, RFC 3540; rarely deployed)
  • CWR (1 bit): Congestion Window Reduced. Set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with its congestion control mechanism (added to the header by RFC 3168).
  • ECE (1 bit): ECN-Echo has a dual role depending on the SYN flag: with SYN set it announces that the peer is ECN-capable; with SYN clear it signals that a packet marked Congestion Experienced in its IP header was received.
  • URG (1 bit): indicates that the Urgent pointer field is significant

Flags

  • ACK (1 bit): indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  • PSH (1 bit): Push function. Asks to push the buffered data to the receiving application.
  • RST (1 bit): Reset the connection
  • SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid when it is set, and others when it is clear.
  • FIN (1 bit): Last packet from sender; no more data will follow from that side (each side sends its own FIN).

Options

TCP

  • 3 way handshake
  • Acknowledgements and reliability
  • tcpdump and check sequence numbers
  • Push Reset Flags
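The flag bits, the three-way handshake and the sequence-number arithmetic behind "tcpdump and check sequence numbers", in one added example that is not code from the original deck: a 20-byte TCP header is packed and unpacked, the three handshake segments are generated from assumed initial sequence numbers, a receiver-side check confirms that each ACK is the peer's sequence number plus one (a SYN consumes one sequence number), and each segment is rendered the way tcpdump prints its Flags column. Ports, ISNs and window sizes are made up for the example.

```python
import struct

# Bits of the 16-bit "data offset / reserved / flags" word, lowest bit first.
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
# Letters tcpdump uses in its "Flags [...]" column, in the order it prints them.
TCPDUMP_ORDER = (("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
                 ("ACK", "."), ("URG", "U"), ("ECE", "E"), ("CWR", "W"))
MOD = 2 ** 32


def build_segment(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header with no options (checksum left 0; a real stack fills it in)."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    data_offset_words = 5                                  # 5 * 4 = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq % MOD, ack % MOD,
                       (data_offset_words << 12) | bits, window, 0, 0)


def parse_segment(raw):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "header_len": (off_flags >> 12) * 4}


def tcpdump_style(raw):
    """Render a segment like tcpdump -S (absolute sequence numbers) does."""
    s = parse_segment(raw)
    letters = "".join(letter for name, letter in TCPDUMP_ORDER if name in s["flags"])
    out = f"{s['sport']} > {s['dport']}: Flags [{letters}], seq {s['seq']}"
    if "ACK" in s["flags"]:
        out += f", ack {s['ack']}"
    return out + f", win {s['window']}"


def three_way_handshake(client_isn, server_isn, cport=40000, sport=80):
    """SYN, SYN+ACK, ACK: the only two segments carrying SYN, and every later one carries ACK."""
    syn = build_segment(cport, sport, client_isn, 0, ["SYN"])
    synack = build_segment(sport, cport, server_isn, client_isn + 1, ["SYN", "ACK"])
    ack = build_segment(cport, sport, client_isn + 1, server_isn + 1, ["ACK"])
    return [syn, synack, ack]


def validate_handshake(segments):
    """The arithmetic a receiver enforces: each ACK number is the peer's SYN sequence number + 1."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_segment(s) for s in segments)
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"}
            and synack["ack"] == (syn["seq"] + 1) % MOD
            and ack["flags"] == {"ACK"}
            and ack["seq"] == (syn["seq"] + 1) % MOD
            and ack["ack"] == (synack["seq"] + 1) % MOD)
```

Run `tcpdump -nS 'tcp port 80'` alongside a real connection and the three lines it prints for the handshake have exactly the shape `tcpdump_style` produces; without `-S` tcpdump shows relative numbers, so the SYN+ACK appears as `ack 1` rather than `ack <isn+1>`.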

sysctl values (net.ipv4.* unless noted)

  • tcp_orphan_retries - (8) - how many retransmissions before an orphaned (locally closed) connection is killed; lower it on busy web servers
  • tcp_fin_timeout - (60 sec) - time to hold an orphaned socket in FIN-WAIT-2
  • tcp_max_orphans, tcp_abort_on_overflow
  • tcp_window_scaling
  • tcp_syncookies (1 = enabled, the default on modern kernels; verify it), tcp_max_syn_backlog (1024 typical), net.core.somaxconn
  • tcp_rmem, tcp_wmem
  • tcp_tw_reuse, tcp_tw_recycle (removed in Linux 4.12; it broke clients behind NAT)
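An audit of the values above, as an added example that is not from the original deck: it parses `sysctl -a` style output (the sample below is constructed, not taken from a real host), flags the weak settings against a small hardening baseline, and emits the `sysctl.conf` lines that correct them. The thresholds (4096 for the SYN and accept queues, 30 s FIN-WAIT-2) are common baselines assumed for the example, not kernel requirements.

```python
import re

# Constructed sample of `sysctl -a` output for a soft, default-looking host (not a real capture).
SAMPLE = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.core.somaxconn = 128
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_window_scaling = 1
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; ignores blank lines and anything that does not match."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


# (key, predicate on the integer value, recommended value, why it matters). Baselines are assumptions.
CHECKS = [
    ("net.ipv4.tcp_syncookies", lambda v: v == 1, "1",
     "SYN cookies keep accepting connections when the SYN backlog is full"),
    ("net.ipv4.tcp_max_syn_backlog", lambda v: v >= 4096, "4096",
     "a small half-open queue fills in milliseconds under a SYN flood"),
    ("net.core.somaxconn", lambda v: v >= 4096, "4096",
     "caps the accept queue; listen() backlogs above it are silently truncated"),
    ("net.ipv4.tcp_fin_timeout", lambda v: v <= 60, "30",
     "a long FIN-WAIT-2 keeps orphaned sockets and their memory around"),
    ("net.ipv4.tcp_tw_recycle", lambda v: v == 0, "0",
     "drops SYNs from clients behind NAT; removed in Linux 4.12"),
    ("net.ipv4.conf.all.rp_filter", lambda v: v in (1, 2), "1",
     "reverse-path filtering drops packets with spoofed source addresses"),
]


def audit(values):
    """Return (key, current, recommended, why) for every check that fails. Keys absent on this
    kernel (e.g. tcp_tw_recycle on 4.12+) are skipped rather than reported."""
    findings = []
    for key, ok, recommended, why in CHECKS:
        raw = values.get(key)
        if raw is None:
            continue
        try:
            value = int(raw)
        except ValueError:
            continue
        if not ok(value):
            findings.append((key, raw, recommended, why))
    return findings


def remediation(findings):
    """sysctl.conf lines that fix each finding (apply with `sysctl -p`)."""
    return [f"{key} = {recommended}" for key, _, recommended, _ in findings]
```

Re-running `audit` over the lines `remediation` produced is a cheap regression check that the corrected configuration actually satisfies every rule.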

Connection Teardown

Off-path Vulnerability in TCP (CVE-2016-5696)

A global sysctl, net.ipv4.tcp_challenge_ack_limit, was introduced (with the RFC 5961 changes in Linux 3.6) to cap the number of challenge ACKs generated per second. It is set to 100 by default. Because the limit is shared across all connections (including any the attacker establishes with the server), this shared state is a side channel: by spending the budget on its own connection, an off-path attacker can tell whether the server also spent challenge ACKs answering spoofed packets on somebody else's connection.

How to hack?

  1. Send spoofed packets to the connection under test (with a guessed four-tuple).
  2. Create contention on the global challenge ACK rate limit, i.e. from a regular connection between the attacker and the server, intentionally trigger the maximum allowed challenge ACKs per second.
  3. Count the challenge ACKs actually received on that connection.

If this number is less than the system limit, some challenge ACKs must have been sent over the connection under test in response to the spoofed packets, so the guessed four-tuple belongs to a live connection.

Sequence Number Inference

  • With the four-tuple confirmed, the attacker sends a spoofed RST carrying a guessed sequence number, then 100 non-spoofed in-window RSTs on its own connection to exhaust the challenge ACK budget. (Linux follows RFC 5961 here: a RST whose sequence number is exactly RCV.NXT resets the connection, one that is in-window but not exact draws a challenge ACK, and an out-of-window one is dropped.)
  • Once again, from how many challenge ACKs come back (99 or 100), the attacker can tell whether the guessed sequence number in the spoofed RST was in-window or out-of-window, and can sweep the 32-bit sequence space one window at a time.

ACK Number Inference

  • After an in-window sequence number of the active connection is identified, the attacker still needs a valid ACK number; the server sorts an incoming ACK number into three ranges.
  • In the first case, where the spoofed packet carries an in-window sequence number but an ACK number in the challenge ACK window (older than SND.UNA minus the maximum window), the server replies with a challenge ACK; an ACK number in the acceptable window is accepted silently, and anything else is dropped. Counting challenge ACKs once more tells the cases apart, after which the attacker can inject data into, or reset, the connection.
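The four-tuple probing and sequence-number inference described on the slides above, run end to end against a model, as an added example that is not from the original deck or from the CVE-2016-5696 paper. `Server` is a deliberately simplified stand-in for the pre-4.7 Linux behaviour (one global budget of 100 challenge ACKs per second, RFC 5961 rules for SYN and RST); the addresses, ports, window and sequence numbers are constructed, ACK-number inference is not modelled, and the one-second interval is advanced explicitly rather than by a clock.

```python
MOD = 2 ** 32
CHALLENGE_ACK_LIMIT = 100   # net.ipv4.tcp_challenge_ack_limit default before the Linux 4.7 fix


class Server:
    """Toy model of the victim stack: RFC 5961 handling plus ONE challenge-ACK budget shared
    by every connection. Only the pieces the attack depends on are modelled."""

    def __init__(self, limit=CHALLENGE_ACK_LIMIT):
        self.limit = limit
        self.conns = {}           # four-tuple -> {"rcv_nxt", "rcv_wnd"}
        self.new_second()

    def new_second(self):
        """Start a new one-second interval: refill the shared budget, forget what was sent."""
        self.budget = self.limit
        self.sent = {}            # four-tuple -> challenge ACKs delivered in this second

    def add_connection(self, tup, rcv_nxt, rcv_wnd=65535):
        self.conns[tup] = {"rcv_nxt": rcv_nxt % MOD, "rcv_wnd": rcv_wnd}

    def _in_window(self, conn, seq):
        return (seq - conn["rcv_nxt"]) % MOD < conn["rcv_wnd"]

    def _challenge_ack(self, tup):
        if self.budget > 0:       # global, not per connection: this is the side channel
            self.budget -= 1
            self.sent[tup] = self.sent.get(tup, 0) + 1

    def receive(self, tup, flags, seq):
        """Process one segment addressed to four-tuple `tup`; returns what the stack did."""
        conn = self.conns.get(tup)
        if conn is None:
            return "no-socket"            # a real stack answers RST; no challenge ACK is spent
        if "SYN" in flags:                # RFC 5961 4.2: SYN on a synchronized socket, any seq
            self._challenge_ack(tup)
            return "challenge-ack"
        if "RST" in flags:                # RFC 5961 3.2
            if seq == conn["rcv_nxt"]:    # exact hit: the attacker has just reset the victim
                del self.conns[tup]
                return "reset"
            if self._in_window(conn, seq):
                self._challenge_ack(tup)
                return "challenge-ack"
            return "dropped"
        return "dropped"                  # data/ACK handling (ACK-number inference) not modelled


def _challenge_acks_seen(server, own, spoofed_probe):
    """One probing second: the spoofed packet first, then 100 in-window RSTs on the attacker's own
    connection; return how many challenge ACKs the attacker's own connection really got back."""
    server.new_second()
    spoofed_probe()
    own_seq = (server.conns[own]["rcv_nxt"] + 1) % MOD   # in-window, not RCV.NXT: no self-reset
    for _ in range(server.limit):
        server.receive(own, {"RST"}, own_seq)
    return server.sent.get(own, 0)


def four_tuple_active(server, own, guess):
    """Steps 1-3 of the slides: does `guess` name a live connection on the server?"""
    seen = _challenge_acks_seen(server, own, lambda: server.receive(guess, {"SYN", "ACK"}, 0))
    return seen < server.limit


def seq_in_window(server, own, victim, guess_seq):
    """Sequence-number inference: was the spoofed RST's sequence number inside the victim's window?"""
    seen = _challenge_acks_seen(server, own, lambda: server.receive(victim, {"RST"}, guess_seq))
    return seen < server.limit


def find_in_window_seq(server, own, victim, window=65535, start=0, stop=MOD):
    """Sweep the sequence space one window at a time (65536 probes cover the full 32-bit space)."""
    guess = start
    while guess < stop:
        if seq_in_window(server, own, victim, guess):
            return guess
        guess += window
    return None
```

Every probe spends at most one challenge ACK on the victim's connection, so the victim sees nothing unusual; the only observable is the 99-versus-100 count on the attacker's own connection. Linux 4.7 closed the channel by randomising the per-second limit (and the default was later raised), and stacks that rate-limit challenge ACKs per socket rather than globally are not affected, because the attacker's connection then shares nothing with the victim's.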

What if somebody spoofs a SYN and sends it to me?

  1.      SYN+ACK goes to the spoofed IP
  2.      SYN+ACK goes to the correct IP
  3.      SYN+ACK is dropped
  4.      Hodor

TCP Attacks

  • SYN flood, SYN/ACK reflection flood
  • Defences: SYN cookies, net.core.somaxconn, net.ipv4.tcp_max_syn_backlog

Network + Data Link Layer

  • Routing table
    route -n
  • CIDR subnet mask
    IP AND mask = network (bitwise AND, not XOR)
  • Gateway 0.0.0.0: directly connected, so ARP for the destination itself; otherwise ARP for the gateway
  • Net 0.0.0.0: the default route
  • rp_filter (reverse path filtering: one way to drop packets with spoofed source IPs)
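The routing-table bullets above worked through in code, as an added example that is not from the original deck: the network address is derived with a bitwise AND, a constructed `route -n` style table is searched by longest prefix to decide which interface carries the packet and which address is ARPed for (the destination itself on a directly connected network, the gateway otherwise), and strict reverse-path filtering is applied to an incoming source address. The table, interface names and addresses are assumptions for the example.

```python
import ipaddress


def prefix_to_mask(prefixlen):
    """/24 -> 0xFFFFFF00."""
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def network_of(ip, mask):
    """Network address = IP AND mask (a bitwise AND; XOR would give nonsense)."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


# Constructed `route -n` style table: (Destination, Gateway, Genmask, Iface).
ROUTES = [
    ("0.0.0.0",     "192.168.1.1", "0.0.0.0",       "wlan0"),  # default route via the access point
    ("192.168.1.0", "0.0.0.0",     "255.255.255.0", "wlan0"),  # directly connected wireless LAN
    ("10.0.0.0",    "0.0.0.0",     "255.0.0.0",     "eth0"),   # directly connected wired segment
]


def lookup(dst):
    """Longest-prefix match. Returns (iface, next_hop), where next_hop is the address to ARP for:
    the destination itself when Gateway is 0.0.0.0, the gateway otherwise."""
    best = None
    for net, gw, mask, iface in ROUTES:
        if network_of(dst, mask) == network_of(net, mask):
            plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
            if best is None or plen > best[0]:
                best = (plen, iface, dst if gw == "0.0.0.0" else gw)
    return None if best is None else (best[1], best[2])


def rp_filter_accepts(src, in_iface):
    """Strict reverse-path filtering (rp_filter=1): accept a packet only if the route back to its
    source address leaves through the interface it arrived on."""
    route = lookup(src)
    return route is not None and route[0] == in_iface
```

The last function also shows the limit of rp_filter: a spoofed 10.x source arriving on wlan0 is dropped because the route back points at eth0, but a spoofed public address arriving on wlan0 passes, since the default route would send the reply out of wlan0 anyway. The filter catches spoofing across your own interfaces, not spoofing from the Internet side.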

Network + Data Link Layer

Q: When you open google.com, which part of the packet sent from your system to the access point addresses the access point?

  1.       Source IP address
  2.       Destination IP address
  3.       Destination port
  4.       MAC address

NAT

Can the NAT box see HTTPS application-level data?

  1. Yes
  2. No

Recap: opening www.google.com

Advanced

  • BGP
    looking glass: lg.he.net
  • Tunnels
  • Anycast
  • CDN
  • Load balancing
  • Mitigation

Network Fundamentals

By Aneesh Dogra
