Okay, folks. Let's get started. Happy Halloween. Sorry I have to wrap up. I thought you'd be interested in this graph. These are the views on my YouTube videos for the last week. I don't know if anything important happened on the 29th, but you can see this spike of 600 views. Actually, I think watch time is more probably interesting. That's 8,595 minutes. That's 143 hours, which is five, six days worth of viewing on one day. So I guess hopefully it's helpful to have been watching all the lectures again. Sharp decrease, though. You can see after that. It's almost like you don't care about this class after the midterm. Okay, cool. So I decided to give you a little break. There is no homework assignment released on Tuesday, but we will have a homework assignment today. This will be a pretty fun assignment. I mean, they're all fun, but the goal here is to get you cracking hashed passwords. So you'll have the two on the 11th. So what's that? 12 days? Something like that? Roughly a week and a half. There are four parts. One, and so you can find your hashes on the submission website. You go here, we'll see your custom, your hashes that are just for you. So the goal is to find passwords that hash to that value. So the different hash functions we'll look at. The first one is MD5. So in each of these hashes, I'm giving you some sample words and what they hash to so that you can check yourself if you're going to try to emulate your own whatever MD5 cracking, you can do that. There's also some leaks in here about how big the password is. So MD5, SHA-256, part three is bcrypt. So you'll see, and I'll actually show it here. So you'll see my bcrypt password here. Part three keeps changing. Like the change. But it's all the same password that hashes to the same value. So you can type whatever one it doesn't really matter. You can dig more into bcrypt, but you can see that Adam hashes to this value or this value and ASU hashes to these values. So three parts.
I will say, then you're free to use any resource or program to help you solve this challenge except for each other. So do it on your own like we've done in the past. There's a ton of open source software. John the Ripper is a password cracker that's used a lot of times to practice kind of stuff. So feel free, read the documentation for John the Ripper if they're out trying to get the hashes into the input that it needs and let it hash away. There's also a lot of different password cracking software out there. Feel free to use whatever floats your boat. You can also do it custom if you want. That's totally fine. Any questions on the first three? Which one is using the salt again? Is it all of them? Just bcrypt. But the salt really doesn't matter. It just takes whatever the hash is and that's what you're trying to brute force. Or guess. Different ways to approach it. Yes, for sure. The submission server is not currently on now, but I'll have it up where you submit your thing. And I'll tell you right away, yes, this is correct. It should also be obvious because you run that password through MD5 and you get to the same hash. Cool. Part four is a fun part. This is a custom hash function. So this is not something that exists. It's something I made up for this course and this hash function. You could say somebody wanted to try to send a hash function that was a lot slower. So you take the input to hash and you run it through MD5 a thousand times. So you feed the output of MD5 as a hex string into the next one and keep doing that a thousand times. Then you run that result a thousand times through SHA-256 and then run that a thousand times through SHA-512. So mathematical notation looks something like that. You continue to pass the string in a thousand times MD5, a thousand times SHA-256, a thousand times SHA-512. And so that you can check your own implementation that this is correct. You can check the pattern of hashes to this in the system.
ASU hashes here and security hashes here. So you have hashes that you can check to verify that your implementation this is correct. I would recommend not writing MD5, SHA-256 or SHA-512 by hand. There are plenty of libraries. You're doing this on your own. You can write this in whatever language you want. So there's a little bit of a hint here that the user was quite lazy and the password is five characters lowercase. Questions on that part? The ten points that I should write in play here is the same custom hash function of part five but the password is more difficult. So we're not giving you specific character ranges or lengths or whatever. You've got to try to figure that out on your own. Functions? You said it's quite lazy and it's five characters. Is this just UK? You can definitely check that. So that's up to you to figure out. Don't get any hints about the password sign. I guess I should phrase it this way. Every hint that we're ever going to give is on this page. So we're going to give any equation that's not on this page. If you run that hash function once, like five minutes... No, they're very fast. Yeah, it's pretty quick. I don't have the tidings up on my head, but it's not slow like the current, but it's slower than just MD5. Wait till the eleventh to start this project? What will happen if you wait until the eleventh to start this project? I'll phrase it this way. Don't read up time. Yeah, you're fundamentally searching for a space trying to find matches that match, right? So maybe you're... a couple things. So A, if you wait until the eleventh to start this, you're going to have to try to figure out how to do MD5 and figure out how to do mv6. Because that takes time. It's not instantaneous, right? What would... What would be a good strategy or technique to see if you're on the right path? So let's think about part four, even this custom hashing algorithm. So you run it, it's running, it's calculating matches.
You're just going to wait for 11 days and see if it fits out of hands or not. You probably first passed it with a really easy password and then it gets a hash you made. Yeah, so test it against a known username and hash that it should find very quickly. So you can test that it works, right? So if you don't perform that set, you may have messed up how you're either generating the hashes or how you're iterating over that search space, right? So if you mess that up, then you will fundamentally not find anything because your code is broken. So it's always helpful, even if you're using for the other assignments, these kinds of tools, you can feed it other hashes that it should find, right? Because you know it's MD5, you can feed it other hashes that it should be able to find, and then it should tell you that those hashes before it finds the other one, and there you know that it actually works. I know it's likely, but when it's checking the answer, does it check that we got the right password or that hash is the right thing? I don't remember and I think in the search space it's functionally unimportant. But yes, if you find some input that hashes to the hash that you have and the server doesn't accept it, let me know. I'm fairly certain that will not happen. Maybe, yeah. I want to try building it myself. Do you notice John the Ripper using any special technique that we don't know yet that makes it more efficient than just brute force? I don't know if John the Ripper does. I don't hash. Some of the password crackers will take it into the GPU if you have it. So GPUs allow for massively parallel computations so you can search through significantly more with the GPU. So I think those will be nice because they actually will do that. I think last year somebody tried to code up because CUDA is the language reprogramming GPU in to do these kind of transformations and they tried to do this algorithm in CUDA but I don't think we're successful. Not that it's impossible.
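The part-four chained hash and the "plant a hash you already know" sanity check just discussed, as an added example that is not the course's own code. It assumes each round feeds the previous round's lowercase hex digest, as text, into the next hash, and `self_check` draws its candidates from a tiny constructed alphabet so the check finishes in seconds.

```python
"""Custom chained hash from the assignment (MD5 x1000, then SHA-256 x1000, then
SHA-512 x1000) plus the "plant a known hash first" self-check the lecture
recommends. Added example, not the course's own code. Assumes each round feeds
the previous round's lowercase hex digest, as text, into the next round."""
import hashlib
import itertools
from typing import Iterable, Optional

ROUNDS = 1000
LOWER = "abcdefghijklmnopqrstuvwxyz"


def _chain(data: str, algo: str, rounds: int) -> str:
    """Apply one hash function `rounds` times, hex digest feeding hex digest."""
    h = data
    for _ in range(rounds):
        h = hashlib.new(algo, h.encode("utf-8")).hexdigest()
    return h


def custom_hash(password: str, rounds: int = ROUNDS) -> str:
    """The assignment's part-four function; ends in SHA-512, so 128 hex chars."""
    h = _chain(password, "md5", rounds)
    h = _chain(h, "sha256", rounds)
    return _chain(h, "sha512", rounds)


def words(length: int, alphabet: str = LOWER) -> Iterable[str]:
    """Every string of the given length over the alphabet (the 'lazy user' space)."""
    return ("".join(t) for t in itertools.product(alphabet, repeat=length))


def find_preimage(target: str, candidates: Iterable[str],
                  rounds: int = ROUNDS) -> Optional[str]:
    """Return the first candidate whose custom_hash equals target, else None."""
    target = target.lower()
    for cand in candidates:
        if custom_hash(cand, rounds) == target:
            return cand
    return None


def self_check(known: str = "asu", rounds: int = ROUNDS) -> bool:
    """Plant the hash of a password you already know and confirm the search
    recovers it. If this fails, the hash chain or the candidate enumeration is
    wrong, and a days-long run against the real target could never succeed."""
    target = custom_hash(known, rounds)
    # constructed: a tiny alphabet built from the known password keeps this fast
    alphabet = "".join(sorted(set(known)))
    return find_preimage(target, words(len(known), alphabet), rounds) == known


if __name__ == "__main__":
    print("self-check passed:", self_check())
    print("custom_hash('asu') =", custom_hash("asu"))
```

Compare the printed `custom_hash('asu')` against the value on the assignment page before trusting any longer run.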
It's just they weren't able to do it. Alright, so standard operating procedure like always on the submission, submit the password and you read me the description of how you broke or reverse the hash. Any more questions on this? Let's start talking about ARP spoofing. And we talked specifically so some of you have reminded us maybe you were reminding on the exam. What is ARP? I'm going to look the purpose of ARP beyond just the definition of what the name means. It said map a, wait a second. No, very close though. So think about it from the perspective of somebody wants to make a connection to another machine on the local network. What do they know? IP, what do they need to know? Exactly, so it maps an IP address to MAC addresses. Oh, okay. Exactly. So, perfect. Okay, cool. So we need this protocol and we're going to be able to communicate on the network. We went over examples that showed that quick ARP request, right? So we have an example here. Host A wants to talk to host B. But before it's able to do that it knows host B's IP address. It needs to send an ARP request to host B. And then host B sends an ARP reply specifying its reply address. Oh yeah, sorry. I'm going to spring candies this Halloween so I'll throw this out to the next person. So what security is inside this protocol that verifies that host B actually has that IP address? Yes. You're going to force me to throw this? All right. That'll be the answer. There is one. There is none. All right, good. We'll try undergating it. Watch out. So close. Cool. Sorry, I don't have any more. I'm sorry, the rest of you will stay very engaged. Okay, cool. And so we saw that this actually, because there's fundamentally no security here, there's nothing that maps or verifies that host B actually owns that IP address. We can use that in order to impersonate other machines on the network through ARP spoofing attacks.
And specifically, we talked about if we want to sniff communications between two systems, well, what do we have to do? So we have this network, we have host A and host B. We're the attacker at host C. So we want to sniff the communication between A and B. Yeah, so we can spam the network with ARP replies fundamentally, right? We know. And the cool thing, when we think about this, so we have here, we have host A, and here we'll show the ARP cache of each of these machines. So this is what each of these machines currently knows about the network. Host A knows that 192.168.1.10 is at 0, 0, 0, 0, 1, 0, 3, 1, B, 98, which is host B's MAC address. Host B knows that, and host C also has that information of both of them. Right, so this is, is this network under attack? Normal communication, yeah. I was going to say each host has a MAC address of each IP, so they're able to send packets to one another. Exactly, so each host has all the MAC addresses and IPs, so their host A and B are able to communicate with each other. But we as host C, if we want to intercept and inject ourselves in between this traffic, host C can send an ARP reply to host A that says, hey, 192.168.1.10 is actually at B-A-G-B-A-B, B-A-B-B-A-B. Last time I said that. The attacker's MAC address. So what does host A do when it receives this ARP reply? It changes its cache, it updates its cache and says, oh, great, this 192.168.1.10 is actually now attacker's MAC address. Right, because we just talked about it, there's no security, there's no authentication, there's no way for host A to verify that this ARP reply came from host C or host B. It happens when host B tries to send a message to host A. It's going to go to host C. Host C actually sends that packet to host B and then what's going to happen? If host B wants to reply, it'll send a C. It should send a C. 
Right now it goes back to A because when host B wants to send an IP packet to .100, it looks at its ARP cache and says, oh, the ARP, the hardware address is that address from host A, so that's how I'm going to send it back to it. So in order to actually intercept both directions of traffic, they go from A to B and B to A where you can poison the ARP cache on both hosts. So host C just uses the same technique, sends an ARP reply saying, .100 is at this MAC address. Host B updates its cache and now any time A wants to communicate with .10 at the source, that doesn't make sense, so whenever it wants to communicate with .10, it's going to send the packet to the MAC address that's at the attacker's MAC address. Is host B going to see this packet? Not yet, why? To see us to send it forward to B. But why doesn't the networking device send it to host B as well? Always the destination is host C's MAC address? Yes, the destination is host C's MAC address and the switch, remember, is keeping a mapping of each port and what MAC address is seen on there. So the switch only sends it to the port that's host C is connected on. So host B never even knows that host A was ever trying to talk to it. Then host C forwards that packet on to host B. What else could host C do with this packet before it sends it to host B? Change it, what else could it do? Read it, what else? And get rid of it, right? You've learned to just iterate it and I think the kind of shoddy technology availability attacks that host C is able to do from this essentially trivial network attack. Try to tell if we can keep like not that this would actually be a I don't know if this would be more for your real attack or what. But what if you explain to ARP who has this one? You send it back to its own MAC address. Would it actually believe you and try sending it back to itself or like what would happen?
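The two-step cache poisoning just described (A poisoned first, so B's replies still bypass the attacker until B is poisoned too), modelled on the hosts' ARP caches, together with the two signs a passive monitor can use to notice it. This is an added example, not from the lecture; the IPs are the lecture's, every MAC address is constructed.

```python
"""The ARP-poisoning sequence from the lecture, modelled on the hosts' ARP
caches, plus the two checks a network monitor can run to notice it.
Added example, not from the lecture. IPs are the lecture's (192.168.1.100 is
host A, 192.168.1.10 is host B); every MAC address below is constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

IP_A, IP_B = "192.168.1.100", "192.168.1.10"
MAC_A = "00:00:10:31:aa:01"   # constructed
MAC_B = "00:00:10:31:b9:98"   # constructed
MAC_C = "ba:db:ad:ba:db:ad"   # constructed attacker (host C) MAC

Reply = Tuple[str, str]       # (sender IP, sender MAC) as carried in an ARP reply


class ArpCache:
    """ARP carries no authentication: any reply overwrites what was cached."""

    def __init__(self, entries: Dict[str, str]) -> None:
        self.table = dict(entries)

    def on_reply(self, ip: str, mac: str) -> None:
        self.table[ip] = mac

    def next_hop_mac(self, ip: str) -> Optional[str]:
        """Where this host's Ethernet frames for `ip` will actually go."""
        return self.table.get(ip)


def monitor_replies(replies: List[Reply]) -> Dict[str, object]:
    """Two signs of poisoning visible to anyone watching ARP traffic on the
    segment: an IP whose claimed MAC changes, and one MAC claiming several IPs."""
    seen: Dict[str, str] = {}
    changed: List[Tuple[str, str, str]] = []
    by_mac: Dict[str, set] = defaultdict(set)
    for ip, mac in replies:
        if ip in seen and seen[ip] != mac:
            changed.append((ip, seen[ip], mac))
        seen[ip] = mac
        by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}
    return {"ip_mac_changed": changed, "mac_with_many_ips": multi}


def lecture_scenario() -> Dict[str, object]:
    """Poison A only, then B too; report where each host sends its packets."""
    a = ArpCache({IP_B: MAC_B})          # A already knows B
    b = ArpCache({IP_A: MAC_A})          # B already knows A
    wire: List[Reply] = [(IP_B, MAC_B), (IP_A, MAC_A)]   # legitimate replies seen earlier
    out: Dict[str, object] = {"a_to_b_before": a.next_hop_mac(IP_B)}

    # step 1: a reply to A claims that B's IP lives at C's MAC
    a.on_reply(IP_B, MAC_C)
    wire.append((IP_B, MAC_C))
    out["a_to_b_after_one_sided"] = a.next_hop_mac(IP_B)
    out["b_to_a_after_one_sided"] = b.next_hop_mac(IP_A)   # B's replies still go straight to A

    # step 2: the same kind of reply to B, claiming A's IP
    b.on_reply(IP_A, MAC_C)
    wire.append((IP_A, MAC_C))
    out["b_to_a_after_both"] = b.next_hop_mac(IP_A)
    out["monitor"] = monitor_replies(wire)
    return out


if __name__ == "__main__":
    for key, value in lecture_scenario().items():
        print(f"{key}: {value}")
```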
I think it would probably ignore it or maybe it would try to send it to itself and then nothing would happen because it wouldn't reply to it because it's not configured to have this IP address so it won't reply to those packets. I don't know. Could you flow the servers say you're C and instead of trying to intercept traffic, you're just trying to overload what you're about saying like all IPs are at this MAC address. I don't know if that's what comes on the server. Who has this? You're like this MAC address. Yeah, so let's say this is a very large network with a lot of hosts and one of the hosts is running let's say a web server or something a lot of traffic or you can do it either way. So if you poison let's say every IP and every MAC address in here you can then point everybody to one system. The problem would be that system doesn't have any of those packets so it'll generate a lot of traffic but each of those hosts would be like oh this host is down so I'm not sure how that would play long-term because I don't know if they'd keep sending that in there but yes, you could definitely use that to fan with choicers excited. But we actually have one additional attack that we can do at this level so we're again looking at local networks so here we were able to convince host B to send data through us at which point we could essentially do anything but we could also so, okay let's think about this way when host B gets this IP packet right it says the source IP address is from 192.168.1.100 how does host B know that that IP address actually sent the packet?
There's nothing. We can go back and look at the IP packet; there's nothing there that says that the source IP address is actually who created that packet. So we can, without playing any ARP games, as host C we can actually impersonate host A to host B just by spoofing a packet and setting the source IP address to be host A. So here we are, another situation. We have three machines on the network, .14, .76 and .121. So as an attacker, let's say that there's some trust relationship between .14 and .76. So for instance you can say it's a network file share where files are accessible only to a certain IP address. This is how you configure these systems, you can say only .76 is able to access .14. That's something we can definitely do. But now when .14 gets this packet that says that it's from .76 to .14, does it actually know it came from .76? No. So let's say, what's going to happen now when .14 replies? What does that reply to the packet? The source would be its MAC address and the destination whichever MAC address it was told was not that IP. Yes, but what about IPs? They'll kind of be .14, it's a source .76. So does the attacker see that reply? I'll see that. Right, so without our spoofing we won't see that reply. It depends on the application, right? Think about, so like we talked about accessing a file on a file system, so the packet says hey, I want to access file a secret employee data. Then what's the reply going to be? Okay, here's the data. But where's that data going to go? Is it coming to us as the attacker? No. But what if we said I want to delete file super secret data? Why does it not come back? Cool, let's draw some pictures. Because in this one we haven't sent the ARP thing yet, so no ARP spoofing, we haven't played any ARP games. Just a second, I'm going to pause this. So, same situation, A, B, we're C. So we are, is it okay if I don't write all of the IP addresses?
1 to 1, this was .76 and this was .14. So we're sending a packet from A to C and our IP packet looks like so. The source is, what's the source of our packet? .1. .1, it's getting sent from us but we're spoofing it as if it came from .14. So what's the source of the IP header going to be? .14, and the destination .76. And then we have an Ethernet frame but we'll ignore that for now. So host A gets this packet, says okay great, I'm going to do something and now I need to reply to it. So what information does it have to be able to reply to this packet? IP addresses, right. So the reply will look something like so. Now what will the reply look like? So the source will be what? And the destination .14. .14, and so when that packet gets sent out it maybe has to do an ARP lookup to say who has .14. It figures out it's host B who has that MAC address and then it replies back to host B. So we as host C, because we haven't done any ARP poisoning or anything, we never see that response packet. But that may be okay, or maybe, and this has been done in the past, where it used to be instead of SSH there was telnet basically, which was a login protocol, and so many systems would trust and say if we're inside a, we can say if we're .14 then we can log into this system .76 without a password. So what you can do is send a packet that says login and run this command to give me access to the system, and even though you never get the reply everything still works and is good. But we'll see this attack kind of extended in later phases. Any questions on this? Yes. So let's think about it from the switch's perspective. So the switch is here, it gets this packet, which the source, and it's this reply, so the source is .76, the destination is .14. Now the Ethernet frame is what's important here. So the Ethernet frame, what's the source Ethernet address? So the source here is the reply from A to B, so A is generating this reply, so it's going to be the MAC address of A, and the destination, because we haven't done the ARP poisoning, A will have to
use ARP to say who has, what's the MAC address of .14. Host B will say I have the MAC address, .14 of host B's MAC address, and so this reply's destination MAC address will be host B, which means that the switch sees that and it sends it out just on this port. If we're on a hub though, we could then use promiscuous mode to see that packet, which is why that switch/hub distinction is so important. Anything else? Now, so we've looked at basically everything we're going to look at on a local network. So everyone fully understands how one machine sends that to another machine on a local network. So what's the process, like what's the first step? Yeah, the sender sends out an ARP request for the MAC address. What's step zero? What does the sender need to know? IP address. IP address of where it wants to send that to, and what else? What it wants to send, what else? Don't know the, don't know the, don't know what constitutes an inside my local network and outside my local network. So they can use the target IP address for the destination with the net IP to say is it local or is it not, and if it's local then it has to go through ARP, so it maps the destination IP address to the source, to the MAC address, so we can create an Ethernet frame, send that off, done. Right, the data does not have to go anywhere else. Of course that does not answer the question of how does ARP packet get from our laptop, is Google on our local network? No, that would be bad, right, or weird. So we need some mechanism to do this, but, and we'll get into the details, but it's actually not as complicated as it seems because it's made up of all of these local deliveries doing exactly what we talked about. So essentially we need to extend one more piece of information to our step zero. So we had our address, our IP address, our IP address, the target, the destination IP address, our subnet, and then we need some notion of a gateway or a default of where do we send packets that are not inside of our local network. Okay, so a lot of information, maybe too
much information. So I need my IP address because it's all IPv6, what I'm down to is another server. So here we have on this server, we have its local network, we've seen this before, this is the submission server. It has its netmask, and so what we need is a routing table. We need to know if a packet is not on our local network, where does it go. So the first entry here is default, essentially if it doesn't match anything or any of these other rules, one zero one knows where it needs to go. And this actually makes sense if we go way all the way back, which I'm not going to do, I'll just redraw it, to our drawing. So what we looked at here is we have some switch and we had some hosts, A, now host C will be a good person. So we have our local network, everything's great, but what actually makes this an internet as opposed to just a local network? There's some other network that we want to get to, right? So let's say there's a big, so we'll say okay, we'll use G for Google, there's some Google system somewhere. So how does our information actually get from us to them? What must be the case? Yeah, there needs to be some kind of connection between us and them, right? And fundamentally what we need is, we'll call it right now router, because that's the more, we're more connected, we're more familiar with, we need some local host on our network that knows how to get packets out to other networks, and then that is connected to something else that knows how to get packets out of its network, and that's connected to something that finally connects into Google's network. So for instance, and this is a key to sit well, so essentially my default route here would say okay, if it's local on your network send it out, otherwise if it goes anywhere else send it to host R, because R knows where the packets go after this point, and then R sends it to its next hop, and then that sends it to its next hop, and then that finally gets to Google where Google does stuff with it and then replies backwards. So this is, but the nice thing
is the kind of thing that makes this conceptually not crazy is that our gateway or our next hop is on our local network. So it's 172.31.0.1, so it's on our local network, we know exactly where it goes, so we can send the packet to it and then it will know where to go. So let's walk through an example. IP is here, 172.31.0.1. IP is here, 172.31.0.1. We are about 25, 250. Alright, we want to send it back to 8.8.8.8. What is that? Google's DNS server. There's also response to ping request so we can easily ping it and see that it's up. It's actually, it caused us some trouble at DEF CON CTF this year because we told all the teams to use this DNS address. So when they connected locally into our network and then somebody else above the chain saw a lot of weird DNS requests at 8.8.8.8, so they blocked that IP address, and so all the players were complaining that the internet was down because they couldn't get to their DNS server, but if they used a different DNS server it would work. Anyways, we had to fix this by telling everyone to use DEF CON's DNS server because that was not blacklisted. So we were fighting all these different detection systems. Anyways, let's go to this. Okay, so now we have to say okay, what's this packet? So this IP packet, right, has some data that host A is trying to send to 8.8.8.8. So what's the source? Yeah, .250, I'm not going to write that, alright, all this time, 172.31.6.250, and the destination 8.8.8.8. 8.8.8.8. Why doesn't it put 172.31.0.1? Because what? We don't want it to stop there. Yeah, because the IP packet gets our packet from us to the destination, it doesn't specify what the next hop is, it says who is this packet trying to get to. We're trying to get the packet to 8.8.8.8, not our gateway. In fact, at this point we don't even care how our packets get here, if this bridge is through pigeons or over microwave connections or up to a satellite and back. We actually don't care as long as the traffic ultimately gets there. Okay, so our machine, we have this, we have some data we want to send,
this 172.31.6.250. So what's the first thing that we do? Check the netmask. Check the netmask, so to determine if it's local or outside, is this destination a local address or not? So it's 8.8.8.8, on this network? No, it fails completely, right, there's nothing, not insane at all. So not on our network, so then what do we do? Yeah, so we slightly more precise, we'd look at our routing table to see exactly where it goes, because you can have, the way this is set up is kind of nice in that you can have multiple routes to different things. So you can have different routers that route things differently, so you feel crazy when you're creating your networks. We don't have to get into all those details right now, we can say we use the default gateway. So this time the default gateway is 172.31.0.1. Does it have to be a .1? It doesn't, we just have to know what that gateway is, right, as part of being able to talk to remote hosts on the network we need to know what that gateway is. Now what do we do? So we know it's not something on our local network, we also just said okay, we know we need to send it to the gateway, but we're not going to change the destination IP address to be the gateway's address because this packet is not meant for the gateway. But what do we want to have happen? Essentially the source address, but then how will Google know to respond to us when it finally gets that IP packet? Yeah, did you do like a broadcast and maybe the gateway will pick it up? Okay, so we need the packet to get from A to R on our local network. So how do we get a packet from A to R on a local network? Yeah, we need to send it to the router. We need to send what to the router? We need to send a packet to the router, whatever we want, like if I want to get to Google I need to send it to the router, here's your packet, what do you want to do? I want to tell it, I'm going to send it from white voice to the router, and then the router is going to go, that's not a local IP address, and it's going to send it to something that it
thinks that, yes, but pause, how do we get the packet from A to R? Send the packet. I don't know if I want to pause, so like sending this packet in another packet just addressed to the router, sure. And what do we have, how do packets actually move? We're communicating with C, how did the packet go from A to C? Ethernet, right, at the local network stage Ethernet moves packets from one Ethernet MAC address to another Ethernet MAC address. So we need that same delivery mechanism here. We then encapsulate this IP packet inside of an Ethernet packet. So we need, what's our source MAC address? We'll call it MAC, right, we know that. Then what do we need? The MAC address of the router. How do we find it out? ARP request. How do we make an ARP request? But why can't we make an ARP request? Let's say that it's on the same ARP. We know the gateway's IP address. We know the gateway's IP address, yes, we know the gateway's IP address because it's part of the input to the system, right, just like before when we want to send the packet from A to C, we need to know host C's IP address, we need to issue an ARP request to find out who has that MAC address for host C. So we do the same thing, we ask, we do an ARP request and say who has the MAC address for 172.31.0.1. That broadcasts out, just like you all said, that was very good, all ones broadcast goes to every list on the network. 172.31.0.1 responds back to us with an ARP reply. If you remember way back to when we were using TCP to look at the packets on that machine on the wireless network, we saw a lot of ARP replies which were from the router, from the gateway, because my machine was talking to, talk to that machine because of this. So this is great, so then our destination here in the Ethernet frame is going to be what? MAC address of R. So I send that out, I send that packet out on Ethernet, it goes from A to R. Then what does R do when it gets it? Unwraps it, takes off the Ethernet layer, it says, it first says, is this packet from E, it goes for R, what would it have, the destination
would be 172.31.0.1, is that a 6 or a 0? It doesn't matter. So if the destination of the IP packet said the router's IP, it's going oh great, this is for me, I'm going to respond. When you visit your wireless router configuration page inside your network that's exactly what's happening, that's how it knows to show you a web page versus sending your packet along where it needs to go. Cool, now R gets it, it says is this for me? No. Then what does it do? It needs to look in its routing table to say where do I send this packet to. It's not quite as similar as the gateway but it needs to know based on this IP address where does this packet go. And then it decides okay, let's call this alpha, right. So then does it change the IP packet to change the destination to be alpha? No. What does it do? Creates a new Ethernet frame with, so let's get rid of this, creates a new Ethernet frame with the source of what? MAC address of R, and the destination MAC address of alpha. How does R know the MAC address of alpha? ARP. And then it sends that along, and then what does alpha do when it gets that packet? Takes off the Ethernet frame and checks what IP address, is it for me, is it for alpha? Same thing, figures out where it goes, right, figures out where it goes, says oh, there's, uh, where it needs to go, it sends the packet here. Same thing, Ethernet source, Ethernet of the MAC address of alpha, and the destination of the MAC address of beta. Missed a step, and we're talking about R, alpha and beta. So now what does beta do at this point when it gets that packet? Is it for me, is it destined for beta? What's the third thing we missed? Is it on the same network or not, right, we missed that, is this on my local network or not. So beta would likely have an IP address of let's say 8.8.8.1 with the slash 24, so we know the netmask is here, so the network ID is 8.8.8. So now what does it do? So it says this is in my local network, and then what happens? Makes an ARP request, makes an ARP request for 8.8.8.8, gets the MAC address of G and then sends a
local delivery from here to here. All good? So let's say reverse is the process, the exact same process happens in reverse. Louder please. On those gate, please. Potentially, it gets tricky when you have ISPs that have multiple, so this is a very simple view, but if you think that, we don't use CenturyLink anymore, who do we use, can we remember? I'll say Cox. We changed from CenturyLink though, but somebody else, starts with an H, it's not one of the like, I think it's a satellite, satellite internet, my parents have that. So anyways, so the important thing is kind of tied up in this question of, so let's say this is an ISP, right, they may have different notions of what is the best way to get this traffic, they may say, because they may be connected to other ISPs. So here let's say this is Google's ISP, we'll call this Cox, we'll call some other ISP CenturyLink. So each of them are kind of each interconnected with each other, right. So Cox could actually say even though I have an interconnect straight to Google, it actually may be more profitable for me to send this traffic first to CenturyLink and then have them send it to Google, and then do stuff that happens. But the other thing that can happen is the path that your packets take to get there is not guaranteed to be the same path that it takes to get back, because of weirdness, network stuff just happens. So wouldn't this require our router to be connected to two switches at once to like be the intermediary? So the router essentially acts as both the router and switch. So you can think of, so if you just buy a switch, like those devices that we saw on Amazon, they'll do no routing, you have to set up for each machine, and also we didn't talk about how to assign IP addresses, all that kind of stuff, somebody needs to give out IP addresses or you set them all up statically. But so you can just buy a switch that just does this, or you can, most only think of home use, buy a router which does both of these, and the next is a DHCP server that gives out IP addresses
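The full send path walked through above (netmask check, routing-table lookup, ARP for the next hop, a fresh Ethernet frame at every hop while the IP header stays untouched, and the "is it for me / is it local" checks at R, alpha, beta and G), as an added example that is not part of the lecture. It assumes a /16 mask on 172.31.0.0 and a /24 on 8.8.8.0, gives each node a single interface, and constructs all MAC addresses and the alpha/beta link addresses.

```python
"""The send path walked through in the lecture: decide local vs. gateway from the
routing table, resolve the next hop's MAC, and carry the unchanged IP packet in a
fresh Ethernet frame at every hop (A -> R -> alpha -> beta -> G).
Added example, not from the lecture. Assumes a /16 mask on 172.31.0.0 and a /24
on 8.8.8.0; the MACs and the alpha/beta link addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, Optional[str]]   # (prefix, gateway); None = directly connected
Frame = Dict[str, str]


@dataclass
class Node:
    name: str
    ip: str
    mac: str                       # one interface per node, to keep the model small
    routes: List[Route]
    arp: Dict[str, str] = field(default_factory=dict)   # ARP cache (constructed)

    def next_hop(self, dst: str) -> str:
        """Longest-prefix match. Returns the IP the Ethernet frame must reach:
        the destination itself if it is local, otherwise the matching gateway."""
        d = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for prefix, gw in self.routes:
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gw)
        if best is None:
            raise ValueError("no route to " + dst)
        return dst if best[1] is None else best[1]

    def encapsulate(self, packet: Frame) -> Frame:
        """IP header untouched; only the Ethernet addresses belong to this hop."""
        hop = self.next_hop(packet["ip_dst"])
        if hop not in self.arp:
            raise LookupError(f"{self.name} must send an ARP request: who has {hop}?")
        return {**packet, "eth_src": self.mac, "eth_dst": self.arp[hop]}

    def receive(self, frame: Frame) -> Optional[Tuple[str, Frame]]:
        """Strip Ethernet; keep the packet if it is for me, else re-encapsulate."""
        if frame["eth_dst"] != self.mac:
            return None                      # the switch would not even hand it to us
        packet = {k: v for k, v in frame.items() if not k.startswith("eth_")}
        if packet["ip_dst"] == self.ip:
            return ("delivered", packet)
        return ("forward", self.encapsulate(packet))


MAC = {n: f"02:00:00:00:00:{i:02x}" for i, n in enumerate(["A", "R", "alpha", "beta", "G"], 1)}
DEFAULT = Net("0.0.0.0/0")


def lecture_topology() -> Dict[str, Node]:
    """A and R share 172.31.0.0/16; alpha and beta are transit hops; G is 8.8.8.8."""
    return {
        "A": Node("A", "172.31.6.250", MAC["A"],
                  [(Net("172.31.0.0/16"), None), (DEFAULT, "172.31.0.1")],
                  {"172.31.0.1": MAC["R"]}),
        "R": Node("R", "172.31.0.1", MAC["R"],
                  [(Net("172.31.0.0/16"), None), (DEFAULT, "10.0.0.2")],
                  {"10.0.0.2": MAC["alpha"]}),
        "alpha": Node("alpha", "10.0.0.2", MAC["alpha"],
                      [(Net("10.0.0.0/24"), None), (DEFAULT, "10.0.1.2")],
                      {"10.0.1.2": MAC["beta"]}),
        "beta": Node("beta", "8.8.8.1", MAC["beta"],
                     [(Net("8.8.8.0/24"), None), (DEFAULT, "10.0.1.1")],
                     {"8.8.8.8": MAC["G"]}),
        "G": Node("G", "8.8.8.8", MAC["G"], [(Net("8.8.8.0/24"), None)]),
    }


def trace(nodes: Dict[str, Node], src: str, dst_ip: str, data: str):
    """Follow one packet hop by hop; returns (names visited, frames sent, final packet)."""
    packet: Frame = {"ip_src": nodes[src].ip, "ip_dst": dst_ip, "data": data}
    frame = nodes[src].encapsulate(packet)
    frames, visited = [frame], []
    while True:
        node = next(n for n in nodes.values() if n.mac == frame["eth_dst"])
        visited.append(node.name)
        kind, result = node.receive(frame)
        if kind == "delivered":
            return visited, frames, result
        frame = result
        frames.append(frame)


if __name__ == "__main__":
    path, frames, final = trace(lecture_topology(), "A", "8.8.8.8", "ping")
    print("path:", " -> ".join(["A"] + path))
    for f in frames:
        print(f"eth {f['eth_src']} -> {f['eth_dst']}   ip {f['ip_src']} -> {f['ip_dst']}")
```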
to everyone on the network and will act as your gateway out then does the ISP hook up our router to other usually there'll be a link from your router to the to your table modem I think and then from there it'll go out like over coaxial which I'm not sure the exact protocol that is and then it's what DOCS they can do weird stuff too so that that goes from like your cable modem to your ISP and then from there it then needs to go further wherever it needs to go so yeah yeah so you can definitely like there's nothing that says router has to be like a dedicated physical box it can be a computer with two but the key is it has to have two interface cards that has to be able you have to configure it and set it up properly you can set up a machine for routing which essentially means it will take in packets that aren't destined for an IP address to exactly what we talked about and set those off you can also do we'll get to it I think a little bit later but you also have this problem of your IP addresses usually a home or private network IPs like 192.168.0 about 10 that's not publicly routable on the internet so your routers transfer on your packet to make it seem like it's coming from this IP address that is publicly accessible and then when Google replies your router translates it back so that your machine thinks that it sends IP addresses of local addresses and just gets back replies to local IP addresses yeah so once these packets frame segments need to look at them they're not the one that might need for anything so fundamentally yes we don't care all we care about at the IP level is we're sending an IP packet of this source this destination and this data so we don't care how it gets there as long as it gets there to our target so yes you can all kinds of weird stuff can and does happen often transparently to you you would never know that these kind of transformations happen so yeah so internally the ISP may decide like ah ethernet's too slow or crappy or whatever and do 
a completely different thing as long as they send out on the interconnect that interconnect has to work and so both sides need to be able to take essentially and get it to the next place so with the connection from your router over to like Google or something like that I get the router going to the ISP and that's easy enough that's first going to send it to my people but how does the ISP then know this packet that I have this is going to this Google that could be like four or five node hops a little afterwards so there's a whole protocol called the border gateway protocol I think is what VGP stands for is a protocol for all of these interconnected switches to say and announce hey I send me traffic for like IP address or the ranges so it would be 8.8.8 slash 24 so this would brought like VGP this network would broadcast that out to everyone else that says I know how to get that traffic home and so everybody else will route through that the crazy thing that happens is mistakes or malicious action so I think it was I can't remember the country on the top of my head but no it wasn't China at least the case I was thinking of some country wanted to ban YouTube from within their country so they accidentally released a VGP route that told the entire internet I route for youtube.com and so everyone's YouTube traffic went to this ISP in this country that is not youtube.com and can't respond to this packet so from everyone else on the internet youtube was down just because this company this ISP had accidentally announced this route so the VGP is a kind of scary area because it's done at very kind of it's a very manual trusting process of what actually happens here but yeah that's the next question that's what happens and you can look at the spec for VGP too so RSS is there a YouTube or any other companies good steps too with that happening in the future? 
I think it was... I think it was kind of sad. I think it's more naming and shaming, unfortunately. There's, like, only so much you can do. I will say I'm not 100% well versed in everything that happens here, but yeah, it's definitely a known issue with kind of poor network naming problems. Anything else?

So this is why we studied for so long the local area delivery. Because of the other things we talked about, or we needed to mention: so we mentioned in the IP packet the TTL, the time to live. So essentially what happens is every hop here, from A to R: when R gets a packet, it decrements the TTL value. If it's 0, it drops the packet and doesn't do anything with it; if it's higher than 0, it passes it on to the next hop. That's actually being changed a little bit; let's go. The TTL here changes every hop, which then actually means that the header checksum needs to change every hop, because the packet is changing, because the value is changing.

So let's see, we talked about all this. Here's an example of exactly what we talked about, of a packet getting from one host to the other. So things that people often end up messing up or have a misconception about: so here we have 111.10.20.1.21 and 128.11.41.10, this is the destination. Does 128.11.41.10 ever know the MAC address of the sender? No. Why not? Because all the routing stuff is using the IP address, and the packet changes every hop, and the MAC address is only valid inside a local network. So nobody outside of that ever sees your MAC address; they all see new MAC addresses.

What about with IPv6? Yeah, weird stuff happens. So an application or protocol could choose to embed a MAC address into its protocol, but in which case, is that a good idea, a bad idea? The point is some people try to say they can just filter a DDoS based on the source MAC address. Questions on routing?
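The hop-by-hop process described above (is it for me, decrement the TTL, recompute the header checksum because the TTL changed, look the destination up by matching host, matching network or default entry, hand it to the next hop), as an added Python example that is not from the lecture or its slides. The hosts A, R, alpha, beta and G, their addresses and their routes are constructed to mirror the whiteboard diagram; 8.8.8.8 is kept as the destination because the lecture uses it. The lookup also shows the mechanism behind the BGP story: the longest matching prefix always wins, so a wrongly announced more specific route beats the correct one.

```python
"""Added example: indirect delivery hop by hop. Each hop asks "is it for me?",
decrements the TTL, recomputes the IPv4 header checksum (the TTL field changed),
looks up the destination in its routing table (host route, then longest matching
network, then the default entry) and hands the packet to the next hop. Hosts and
addresses are constructed to mirror the lecture's A, R, alpha, beta, G diagram."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str           # "0.0.0.0/0" is the default entry
    next_hop: str | None  # None: directly connected, so ARP for the destination itself

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)


class NoRoute(Exception):
    """What the kernel reports back as 'network unreachable'."""


def ipv4_header(pkt: dict, chk: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header carrying the fields this walk-through tracks."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pkt["data"]), 0, 0,
                       pkt["ttl"], pkt["proto"], chk,
                       ipaddress.IPv4Address(pkt["src"]).packed,
                       ipaddress.IPv4Address(pkt["dst"]).packed)


def checksum16(data: bytes) -> int:
    """Internet checksum (ones' complement sum of 16-bit words, complemented).
    Run over a header that already carries its correct checksum, it yields 0."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_packet(src: str, dst: str, ttl: int = 64, proto: int = 17, data: bytes = b"") -> dict:
    pkt = {"src": src, "dst": dst, "ttl": ttl, "proto": proto, "data": data}
    pkt["checksum"] = checksum16(ipv4_header(pkt))
    return pkt


@dataclass
class Host:
    name: str
    addrs: list[str]
    routes: list[Route] = field(default_factory=list)
    forwards: bool = False  # only a router passes on packets that are not for it

    def lookup(self, dst: str) -> Route:
        """Matching host, then matching network, then default: the longest prefix wins."""
        d = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if d in r.net]
        if not matches:
            raise NoRoute(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r.net.prefixlen)

    def receive(self, pkt: dict) -> tuple[str, str | None, dict | None]:
        """Returns (action, next-hop address, packet as sent on)."""
        if pkt["dst"] in self.addrs:
            return ("deliver", None, pkt)
        if not self.forwards:
            return ("drop:not-for-me", None, None)
        ttl = pkt["ttl"] - 1
        if ttl == 0:
            return ("drop:ttl-expired", None, None)
        route = self.lookup(pkt["dst"])
        out = dict(pkt, ttl=ttl)
        out["checksum"] = checksum16(ipv4_header(out))  # TTL changed, so the checksum changes
        return ("forward", route.next_hop or pkt["dst"], out)


def deliver(hosts: dict[str, Host], sender: str, pkt: dict) -> list[str]:
    """Send pkt from `sender` and follow it; returns the hosts visited plus the outcome."""
    by_addr = {a: h for h in hosts.values() for a in h.addrs}
    nxt, path = hosts[sender].lookup(pkt["dst"]).next_hop or pkt["dst"], [sender]
    while True:
        host = by_addr[nxt]
        path.append(host.name)
        action, nxt, pkt = host.receive(pkt)
        if action != "forward":
            return path + [action]


def build_lecture_network() -> dict[str, Host]:
    """A and B behind router R; R -> alpha -> beta; G (8.8.8.8) on beta's local network."""
    direct, default = lambda p: Route(p, None), lambda via: Route("0.0.0.0/0", via)
    hosts = [
        Host("A", ["192.168.1.10"], [direct("192.168.1.0/24"), default("192.168.1.1")]),
        Host("B", ["192.168.1.20"], [direct("192.168.1.0/24")]),
        Host("R", ["192.168.1.1", "10.0.0.1"],
             [direct("192.168.1.0/24"), direct("10.0.0.0/30"), default("10.0.0.2")], True),
        Host("alpha", ["10.0.0.2", "10.0.1.1"],
             [direct("10.0.0.0/30"), direct("10.0.1.0/30"), Route("8.8.8.0/24", "10.0.1.2")], True),
        Host("beta", ["10.0.1.2", "8.8.8.1"], [direct("10.0.1.0/30"), direct("8.8.8.0/24")], True),
        Host("G", ["8.8.8.8"], [direct("8.8.8.0/24"), default("8.8.8.1")]),
    ]
    return {h.name: h for h in hosts}
```

Calling `deliver(build_lecture_network(), "A", make_packet("192.168.1.10", "8.8.8.8"))` walks A, R, alpha, beta, G and ends in "deliver"; with `ttl=3` the packet dies at beta, and a destination inside 192.168.1.0/24 never leaves the local network because the directly connected route wins over the default. Only R, alpha and beta have `forwards=True`; an ordinary host drops anything not addressed to it rather than passing it on.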
Packets where they need to go. Actually, a historically interesting thing is that it used to be that the person who created the IP packet could specify the hops that they wanted it to take. So they could specify the entire route from the source to the destination. Why would you do that? What's the benefit of that? A lot safer? For whom? Assuming that everyone is properly following your route... they can choose to just send it in another direction and remove your source. That's my drawing. A lot of these old features are interesting to think about, because you have to envision them in the context of an internet that doesn't really work, where you just built this; the hardware is crap, the software is crap, stuff doesn't work. So you need these debugging features, in some sense, to say, I know the path from ASU to UCLA, because it's all academics; you could specify the trusted gateways that would actually work and get your packet there. So in that sense it's good. What's the downside of this? It may not be an efficient route? What else? There's no redundancy, so if that route is not available it's not going to take any more. It's very brittle, because if you specify this route and it doesn't work, your packet just gets dropped. What's that?
That particular route. Yeah, so remember, if we go back to that diagram, all of these links have essentially a fixed amount of bandwidth that they can hold, a fixed amount of packets that can actually be sent. Once you saturate that, fundamentally you can't shove any more data across there. So if I was an attacker and, let's say, I wanted to kill this link, you could actually target specifically your packets to always go through it, then maybe in a loop. Say you gain control of 10,000 machines on the internet in the form of a botnet, and you can make all of their traffic go through one route, through one link, which normally, if this becomes saturated, they have other interconnects and other ways to go around. So this is going to be weaponized by an attacker, yeah.

Sure, how much do you trust Cox, though? The problem is, who do you trust, right? I guess, like, if you knew a route that was trustworthy... If you knew, then you could choose that route, but anybody could maliciously alter that route, drop it, say... you don't, you know... I'm not supposed to buy that. Anyway, that doesn't happen anymore, but it's an interesting, like, historical tidbit of, would it be better if we had this, would it not? It definitely, as the internet scales up to millions and millions and millions of machines, becomes essentially unfeasible to specify the source route, because you also need a way to discover what the other routes were, right? You need to know that map. Like, do you know any of the routes that are from here to Google?
No, no. Okay. So you can look, yeah, so here's an example of a routing table. It gets complicated; you can do cool stuff with it, but we won't go into this in super detail here. We talked about this; this is actually everything that we talked about. We look for a matching host address, a matching network address, and then a default entry. So it's just going through the route table looking at those things. You'll get a message back from your network, from your kernel, saying, hey, this host is unreachable, or network unreachable, depending on what the error message is. You can set, and either statically change and alter your routes, or you can dynamically do this. As you get more and more into networking, sometimes you have to do weird stuff to make stuff work, and you have the power to change your routes. Cool. Okay, so back to the layering. So now we've seen basically the core. Right, yeah.

So a quick question on that previous slide. So it says search for a matching host, search for a matching network, and search for a default entry. I love that it says "if you can't find that host". Why would it not find that host, and not just... like, because the default is, if it doesn't match it...? You can have a network that does not have a default set. So that could be... or I think you get a different... You could set up a machine such that maybe it's only allowed to talk to two internal networks, so if somebody tried to send a packet out to the global internet, an error, basically. So you're running a machine that should only talk to two networks, that should never talk to the internet, so in that case you wouldn't specify a gateway, a default gateway. But you could say, hey, for 8.8.9.8 send it to this machine. So you can get arbitrarily complicated with these things.

Alright, so now we've built up the core of this network. We have, at the physical layer... so we saw ARP links IP addresses to hardware addresses. The thing we didn't talk about is there actually is a protocol, somebody mentioned in the very beginning, there is a protocol that maps MAC addresses to IP addresses: Reverse ARP. We're not going into the details there. We have the IP level. So the IP level really is the level that gets us the ability to talk to other people on the global network, from an internal network where we control everything, to the ability to send packets to another network and another system. Cool. But what are we doing all this networking for? We want to exchange data. We want to write some applications that actually do stuff. So we need some way to actually send data, so we need some types of protocols, and this is TCP and UDP, that actually will send data. And fundamentally we can't forget, we always want to support applications. If we don't have applications, why do we do all this? And I don't like networking. So all this stuff is in service of actually doing real things.

So the first thing we'll look at is UDP. So UDP is... essentially it's very, very similar to IP in terms of guarantees, which means that it's thought of in terms of packets, so you send an IP packet. It is connectionless, which means you don't have to establish any connection; you just send a packet. It's unreliable. What does that mean? Yeah, no guarantee that it ever gets there. It's best-effort service, which means that delivery, integrity, non-duplication, ordering and bandwidth are not guaranteed. So none of these things are guaranteed by this protocol. So why is that useful? If you had to guarantee a connection before you started sending packets, that would have significantly increased latency. So also in cases where it doesn't really matter if you're missing a packet? Sometimes it doesn't matter. But then why do we need this UDP layer? Why don't we just use IP? IP gave us all these things. So let's think about it this way. What did IP address let us do?
Send between networks. Send a packet, or some piece of information, from one IP address to another IP address. Your application is running; so we have an HTTP and an NFS. How does the receiving machine know what application this packet is meant for? So think about it in terms of this. We'll change our address metaphor and say that IP addresses and machines are like apartment buildings. So if you try to just send a letter to somebody and address it to an apartment building, is it going to go to the main office, or what's the problem? Why is it going to the main office? We don't know who it's going to go to. We don't know which individual unit inside this big apartment complex this letter is meant for. Similar thing here. We have different applications; they all want UDP packets, so they all want data. But we need to have some mechanism that a sender can specify: for this application, or this other application.

Just to make sure: so IP will get it to Google's IP, and UDP will get it to the cloud or whatever inside Google, one of their products? Definitely, yes. But I don't like the general description of the pipeline. Let's say it's DNS, a DNS service. So how does it know that it's DNS versus some other protocol that's running on there? So this is where we're going to, and this is really what, at the transport layer, allows us to build different kinds of applications on top of this: because what we're going to do is, just like an apartment building, we're going to give a system ports. And again, so this is slightly... we use the same thing on switches, physical ports; we use the same terminology, port, on UDP and TCP packets, as we'll see. But this allows somebody to send a packet to a specific port and IP address combination. So rather than just sending it to an IP address, we can specify what port this is for. And UDP stuff, a lot of it is used for multimedia, DNS, NFS, RPC, all kinds of stuff.

So we look: UDP is kind of a thin layer on top of the IP packet. So we have the source port, the destination port; again, just like before, we need to send our messages and we need to tell the other side how to talk back to us. IP packets had IP source, IP destination; similarly UDP has source port, destination port, the length of the message, a checksum, and that's it. So it's a very thin layer on top of IP packets. And to go back to our diagram: now, actually, as an application, we're going to say we want to send a UDP datagram, or packet, to this IP address and this port. So that port information is encapsulated inside the UDP header, which is sent as part of the IP data in the IP header, which gets it from us to Google, and in each hop along the way this Ethernet frame is created to send it on local delivery from one to the other. So that when Google gets it they can rip off, throw away this, look at the IP header and say, oh, this is a packet for 8.8.8.8; what port is it looking at? Throw this off, use the UDP; it's a UDP packet, it's for port 23. Is that right? No. What's DNS? 53. Yeah, okay. Cool. So pretty simple, right? Yeah.

What's the purpose of the headers, like, for example, is UDP...? Yeah, there's actually... it's kind of annoying. This is where that beautiful... that's why networking people focus on all these beautiful abstraction layers, and that's why we have this nice diagram like this, but the layers bleed into each other. So for instance, if we go all the way back to IP packets, I can find there's a TCP or UDP packet in the IP frame, but I can't remember where that is. I thought it would be very simple. Service type, I think? Service type doesn't make sense. HLML? Alright, I'll also look that up and get back to you. So now we can use this to send data in a UDP packet. So what then specifies what's inside the UDP data? Are we going to have another thing, just these Russian nesting dolls?
You know, this is, I guess, as far as the data part is going to be what data you're sending, and you're specifying the protocol. And the fourth one right here is actually not IP header, even if you can get it out of the IP data section; that's why it's not specified. I don't know, I think it's an option or something. Something's specified, something tells it that if TCP or UDP data is sent as part of IP, I don't need to look at that. But yeah, so remember the key thing is what's sent, such as UDP data, is the protocol. So whatever the protocol is, so for instance DNS: so the domain name resolution maps google.com to a specific IP address, and it has its own protocol about what data is sent back and forth. So we can ask our DNS server, what's the IP address of google.com, and it will reply the IP, or 5 IP addresses, of google.com, all specified in the DNS protocol, and that all gets sent just as this part here. But the nice thing, as far as networking is concerned, is we don't care; the application can send whatever thing it wants in the data, and the network will do its best to try to make sure that it gets there.

And so, since we have essentially the exact same... so what additional, let's go back to the header, so what additional security mechanisms does it add to be on top of IP? So it adds the concept of ports. Security? Checksums? Checksums are by nature reversible, so none. So that means all of the attacks that we looked at for IP work exactly the same on UDP. So this means that if we want to spoof a UDP packet, it's essentially IP spoofing. So we have a trusted client and a trusted server here, like we talked about with NFS, the network file system. So as an attacker we can send... so what stops us from specifying the client's IP address in our packet as the source? Nothing. And fundamentally that's what the server needs; the server uses that IP address to know where we're coming from. So we can fundamentally send a spoofed UDP request to a service running on the server with the source IP address of the client, and then who does the server think that packet comes from? The client. It has no other information; it does not know. And again, this now, because we've talked about indirect delivery, this could be a completely different network than ours; it doesn't have to be on our local network, this could be across the internet. We can send any UDP packet to any IP address spoofing any source IP. So what's going to happen when the server replies? It's going to reply to the trusted client. So we're fundamentally not going to see this reply. So this makes our job more difficult, because we're now no longer on the same local network as the target system. If we are, then how do we access that reply? ARP spoofing, if we're either on the local network with the client or the server. Or what else? Anything in between: any of those hops between the client and the server. If we can trick, and use ARP spoofing or anything, to get a hold of that packet, then we can see that reply.

Is there a word to say that you want to be a router that helps traffic get through to where it's going to go? Does Cox do that? Depends on the network. I think sometimes yes, but not all the time. We're going to stop here. See you on Tuesday.
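What the receiving side does with the bytes once the Ethernet frame is gone, and the ingress-filter check a router can apply against the spoofed-source UDP request discussed above, as an added Python example that is not from the lecture. It also settles the question left open earlier: the IPv4 header's Protocol field (byte 9; 17 for UDP, 6 for TCP) is what tells the receiver which transport header follows the IP header. The packets, port table, the 192.168.1.0/24 prefix and the interface names "lan" and "wan" are constructed for the example.

```python
"""Added example: what a receiver does with the bytes after the Ethernet frame is
stripped. Verify the IPv4 header checksum, read the Protocol field (17 = UDP,
6 = TCP) to know which transport header follows, verify the UDP checksum (it
covers a pseudo-header with both IP addresses), and demultiplex on the
destination port. The source address is just a field the sender filled in, so a
BCP 38 style ingress filter is the router-side mitigation shown at the end.
Packets, ports and prefixes here are constructed, not captured traffic."""
import ipaddress
import struct

IPPROTO_UDP = 17
SERVICES = {53: "dns", 2049: "nfs"}  # constructed: what is listening on which port


def checksum16(data: bytes) -> int:
    """Internet checksum; over data that already includes a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header + UDP header + payload, with both checksums filled in."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_ck = checksum16(pseudo + udp) or 0xFFFF  # a 0 checksum means "none" in UDP
    udp = udp[:6] + struct.pack("!H", udp_ck) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, IPPROTO_UDP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return ip + udp


def parse_packet(raw: bytes) -> dict:
    """Strip and verify the IP header, then the UDP header; ValueError on anything malformed."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not an IPv4 packet")
    if checksum16(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ttl, proto = raw[8], raw[9]
    if proto != IPPROTO_UDP:
        raise ValueError(f"IP protocol {proto} is not UDP")
    sport, dport, udp_len, udp_ck = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    udp = raw[ihl:ihl + udp_len]
    if len(udp) != udp_len:
        raise ValueError("truncated UDP datagram")
    if udp_ck and checksum16(raw[12:20] + struct.pack("!BBH", 0, proto, udp_len) + udp) != 0:
        raise ValueError("bad UDP checksum")
    return {"src": str(ipaddress.IPv4Address(raw[12:16])), "dst": str(ipaddress.IPv4Address(raw[16:20])),
            "ttl": ttl, "sport": sport, "dport": dport, "payload": udp[8:]}


def demux(pkt: dict) -> str:
    """The 'which unit in the apartment building' step: hand the payload to the port's owner."""
    return SERVICES.get(pkt["dport"], "icmp:port-unreachable")


def ingress_filter(pkt: dict, iface: str, internal: str = "192.168.1.0/24") -> str:
    """BCP 38 style rule on a router: a packet arriving from outside that claims a source
    inside our own prefix cannot be genuine, and one leaving with an outside source is
    our own network spoofing; drop both. Interface names and prefix are constructed."""
    inside = ipaddress.IPv4Address(pkt["src"]) in ipaddress.ip_network(internal)
    if (iface == "wan" and inside) or (iface == "lan" and not inside):
        return "drop:spoofed-source"
    return "accept"
```

Nothing in `parse_packet` can tell a genuine source address from a forged one: both checksums verify for any sender who filled the fields in consistently, which is the "reversible, so none" point above. The only place the forgery is visible is at a router that knows which prefixes sit behind which interface, which is what `ingress_filter` checks; a server at the far end has no such information and has to treat the source address as a claim, not a fact.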