Cool. All right. Hello, everyone. Welcome to Thursday. What is this, April 2nd? I'm sure, maybe like you, the days kind of all blur together a little bit now, although maybe it's different when you have to attend classes all the time online. So just some updates before we get going. Midterm grades: we'll release the midterm grades later today on Canvas. So what'll happen is we'll post it on there, so you'll be able to see through Canvas what your grade is. And then from there, if you want to see how you did, you can attend office hours with the TAs or me, and we'll be happy to share your exam with you and go through it, which is what we normally do. Yes. Assignment four grades, we'll be releasing those tomorrow. So we'll send those out again on Canvas, and we'll include a comment on there that'll tell you exactly how many people you signed, how many correct keys you signed, how many adversarial keys you signed, and the reverse, how many signatures you got on your adversarial key. And I'll try to have some statistics ready for Tuesday. So yeah, I won't tell you who did it, but if there's one person that was particularly better than everyone else, I can ask them how they did it, and they can maybe tell us about it at the start of Tuesday's lecture, which I think would be pretty cool. No, it's about learning. There's no witch hunts. It's all about learning how we can do better. How do you know that wasn't me in Discord? Cool. And okay, for those that haven't started, I think we had a good... I could have been all of them. You don't know that. Those are simple accounts. Okay, so start on assignment five: start cracking those hashes. A lot of people have already finished. But still, you know, it's going to be possible to run into issues or maybe technical problems while doing this assignment. So please get started on that as soon as possible, so that we can help.
So reach out for help on Piazza, reach out for help in office hours. There's lots of that. You probably should write code for the custom hash. You can do it however you want to do it. All right, so let's go back to networking. Actually, I can just take us back real quick. So we talked a lot about different types of attacks that we can have on a TCP connection. So somebody remind us: an attacker who wants to either spoof or hijack a TCP session, what's the key piece of information from that communication that an attacker needs to know in order to be able to either successfully spoof or successfully hijack the connection? Yeah, so sequence and acknowledgement numbers, and specifically the target that they're trying to talk to, that specific sequence number, right? So if it's a hijack of a communication that's already ongoing, we need to know the sequence and acknowledgement numbers there. If we're trying to spoof and initiate a connection, we need the sequence number that the other side generates, and we'll never see that packet. So this is why, if we go all the way back to when we talked about the TCP three-way handshake, we create new, random sequence and acknowledgement numbers, specifically because of this: because if somebody can easily guess your sequence or acknowledgement number, then they can do all these attacks with spoofing and hijacking. Cool. Okay. So yeah, we talked about hijacking, and we talked about that it causes this ACK storm where they get desynced and start ACKing back and forth, which causes actually pretty cool attacks. Now we'll look today at a different type of attack. So when we think of spoofing and hijacking, which of the three aspects of security? So what were the three, the CIA triad, what were the three aspects there?
So spoofing: which does spoofing match up with? Yeah, integrity, possibly confidentiality, if they're using that identity in order to give secret information out. What about hijacking? Yeah, integrity and, right, also availability, because if we're able to hijack their communication, we can also disrupt it and stop their communication from happening. Cool. So okay, now we're going to look at another entire class of attacks on networks. And this is really a key availability attack, essentially denial of service. So the idea is there's some victim out there on the internet. And we want to somehow, in many different ways, have it be where no one else can talk to that server. So that system is now completely off the internet. Nobody can talk to it. Let's talk first about why somebody would want to take down and deny service to a specific application from everybody else. Yeah, so maybe spite, that's a pretty good one. Maybe we just want to take down a business competitor. So if they're a business competitor, we may want to take them down. Yeah, funny that you talked about Minecraft. This is a similar thing, like in the days of IRC servers, bragging rights. Yeah, providing cover, these are all good. One thing that happens a lot is basically, what's the word I'm looking for? So what they'll do is they'll take down a server, so they'll target like a smaller or medium-size company as the victim, take it down and say, "Hey, I offer anti-denial-of-service protection. It looks like your website's down. If you hire me, I'll make sure that goes away." And so they send them some Bitcoin and then magically the website comes back up. Yeah, extortion. There we go. That's the word I was looking for. Wow. Right.
So these are all... and if you think about it, if you're able to cause a denial of service attack on something like Amazon, Amazon makes tons of money per second. So every second or minute that they're down is time where they're losing money, and it's significantly impacting their business. And so we're going to look at different types of denial of service attacks on the network and kind of see how that works. So yeah. Okay, so the first thing we'll basically look at is SYN flooding. So this actually has to do with how the three-way handshake works, and the really important thing to understand, the concept that I want you to understand here, is that all denial of service attacks are about leverage. So has anybody taken physics? Like, why is leverage important? Or what is the concept of leverage? It's been a while since I've taken physics, so I need to rely on you too. Yeah. So that's good. Makes a hard task easier. A multiplying force. There we go. These are all good. Yeah, the quote of "give me a lever and I can move the world." So you can think of it in a lot of different ways. But yeah, the important thing is you're using something so that you get less effort and more outcome, one way to think of it. So what we're going to think about here for all of these denial of service attacks is what types of resources it takes us to do this attack and what resources the victim has to use. So SYN flooding is very, very easy. So we have our victim; we'll say that they're at IP V. And we just start sending packets from, let's see, we'll call it IP A first, destination IP V. And then let's see, source port 8899, destination port... it actually doesn't matter. It has to be something that it's actually listening on. So let's say it's port 80. And I'm going to send a SYN packet. So okay. Let's think here for a second. So I send this packet out. It's going.
All right, let's... we don't have to give all types of terrible quotes that are not actually correct. You can Google on the internet for those bad quotes. So let's go with a SYN packet. So we send the SYN packet to V. Now what's V going to have to do? What's the packet that V is going to send us back? So if it's listening on that, which let's say we know it's listening there, what's the source IP going to be? Yeah, IP V, destination IP A, source port 80, destination port 8899, SYN-ACK. And I'm actually missing something here. I need a sequence number, 1234. Cool. And then I also need, let's see, a sequence number. I will do 4321, and the ACK number is going to be 1235. Cool. So the victim has to send that. And now think about it if you're writing this operating system, right? So you actually have to now be handling and writing this TCP three-way handshake, right? You know there's a SYN, you know there's a SYN-ACK, and then you're waiting for an acknowledgement. So for V, if we think about the operating system, what does it have to store in order to be able to reply correctly to that third ACK packet that it gets back? Yeah, it needs at least the source and destination IP, also the ports, right? So it has to store at least those bits of information, because it's the four-tuple of the socket. What else does it need to know? Yeah, the sequence number, exactly. It needs to remember its sequence number that it chose. And it needs to remember the acknowledgement number of the other side, right? So if you think about it, essentially all of this information has to be stored inside the operating system of V until it gets an acknowledgement number. Now, again, because of the way we talked about that networking works, the IP A that initiated this connection could go away at any time. So V doesn't know if it's ever going to get that final acknowledgement back. So it needs to store that information in the operating system for some period of time.
But so if we think, okay, so let's say this is the attacker. The attacker can send one packet, this starting SYN packet. And it can cause the attacker to store all of this data on their system. And the cool thing is, as an attacker, I don't actually care about creating this three-way handshake; I'm looking for that lever. So the lever is I can send one packet, and I don't have to store any of this information. So I store on my side nothing. But on the other side, I force them to store at least this much information in their operating system. And another thing to think about: if my goal is just to have them store this information in their operating system, do I care about replying to this packet? Or do I even care about getting this packet back? So then who says I have to use my IP address? I can use anybody's IP address: I can use IP B, I can use IP C, I can use Google's IP, I can use any IP I want. Yeah, and this is a great point, Marcus. So now here, it's even better if we're able to hide our source IP address, because now we don't want people to know exactly where we're coming from. You could use the target's IP address; I'm not sure how that would work, it may drop that, I'm not sure, that's a little weird, I probably wouldn't use that. And so the goal of SYN flooding is to basically send tons of these packets, because every packet you send, and this is the lever again, every packet you send costs the attacker nothing, but it forces the victim to store this information for every packet. So if we can send a bunch, and if you think about an operating system, right, it's kind of running under here and has its own memory space, you can eventually fill up all the memory of the operating system. And then at that point, it can't accept any new connections, because it says, "Hey, sorry, I don't have any more room." Yeah, so it's similar to an ACK storm, but it's a deliberately caused SYN flooding. So you can think of a SYN flood.
You can... so it depends on the operating system. Usually they would not; it really all depends on the specifics of the operating system. So usually they don't use like a ring buffer like that, because, I think it's in the specification, when you send a SYN-ACK, you need to wait a certain amount of time before you get an ACK. And then you can drop that packet, or assume the communication is closed. So if most of them are doing that, they're all waiting basically like 30 seconds or something. Cool. So this is a really common and kind of first-level SYN flooding denial of service attack. Yeah, and the other goal is, as you're doing this, if it's a big server, it's just the fact that now you're filling up all of the resources of this computer with your kind of fake traffic, so that when somebody else sends a SYN packet that says, "Hey, I want to talk to you," the machine doesn't respond or drops it, basically. So yeah, kind of all different types of denial of service attacks rely on this notion of this lever, of the fact that it costs the attacker nothing and it costs the victim something to respond. So yeah, by doing this, I can generate a bunch of traffic and cause that traffic to turn into resources that are stored on the system. Okay, so now we can maybe think a little bit about prevention. So how would we prevent something like this? Yeah, so okay, lots of different ideas. So we can try to detect it. But this is actually the key problem of doing a lot of network defense things. If you try to detect it from a specific IP address, what if I'm changing my IP address so it's always random? And another thing is, how do you detect the difference between a SYN flooding attack like this and, let's say, your service all of a sudden becoming popular?
What's the... is getting Reddited a thing? It used to be called getting Slashdotted, when a bunch of people were sent to your server, but I don't know if Reddit has that pull. Hug of death. Okay, there you go. Yes. Yeah, or exactly, that's a good one: what if they choose actual IP addresses of your customers, and now you're blocking those IPs from getting there? Right. So yeah, because you control this IP address, if you just tried to block based on IP address, a good attacker will always be changing this IP address. So you wouldn't be able to rely on that. So maybe another thing you could do is try to detect some feature of these packets that makes them look more suspicious. Maybe they're dumb and don't change the source port, although that should be highly unlikely. Maybe their sequence or acknowledgement numbers are the same. The problem, though, is the pattern or timing of them. It's really difficult, because all you have is one packet. So you need to decide, do you send this packet to V or not? Now, machine learning is terrible for stuff like this. People try to use it all the time. And as you've seen, if you've seen any adversarial machine learning stuff, machine learning systems are very easy to be controlled by an adversary. And if you think about it, the only things that have to be here in this packet are the destination IP address and the destination port. These are the only things that absolutely need to be in this packet. Everything else can be randomized. So how do you make a machine learning feature on something like this, where you have such little information? That's not to say that people don't try, but a dedicated attacker should be able to do this in a good way. Now, some things to think about. So somebody said, well, let's make the buffer larger, right? Let's increase the size of our servers. And you can see that this happens basically over time. So machines get bigger and bigger.
The operating system has more and more room. So it's harder, especially from one machine, to generate the number of packets that you want. Because if you think, if I'm sending all of these out from one machine, I may have a fixed amount of bandwidth that I can send from. So one thing I could do is I could take over a bunch of machines, have them all be sending, using their bandwidth to send different SYN flooding packets to the victim, and try to increase the amount of resources that I'm using, right? So if I can use 10 machines, I've now increased my capability by a factor of 10, 100, 1000, 10,000. And you can actually go easily rent... well, I mean, what's nice is there's already a bunch of malicious users out there who've compromised machines, and they will rent them to you by the hour, just like Amazon. So this is kind of the idea of the difference between a denial of service, DoS, versus DDoS, right? So a distributed denial of service. Yeah, so this notion of the problem is the handshake, right? And the problem is if you do a handshake on a different machine, well, now you're basically targeting that machine, right? So this actually could be one idea: maybe get a huge freaking machine that does all of the TCP handshakes first, and then only things that make it through go out. But again, that then becomes your weak link that you can target and overcome. Yeah, so one thing, okay, Skyler has a good point. So one thing would be to reduce the acknowledgement time after a SYN-ACK is sent. So you could say only store this... so if I was storing it in the operating system for 30 seconds, say I'm only going to store it for maybe 0.5 seconds. And that could then have follow-on false positive effects where now you're timing out good connections from people with slow responses.
So think about people who are using the internet in rural areas or on dial-up, where it may take longer than 0.5 seconds to get there, or satellite. That's a great point: your packet literally has to go from the earth to a satellite and back for it to travel to different places, right? And maybe you are willing to make that sacrifice, and that would be fine. But if you're under a constant denial of service, it's probably not in your best interest, especially if you have customers in that area. So yeah, that's definitely one thing to think about. So what about if we wanted to get rid of the fundamental problem, what could we do? So what's the fundamental problem here? Exactly, keeping track of this data, right? The problem is actually storing this data. So what if I just didn't store it, right? Well, it'd be a little bit of a problem, because then I need to know, when I get this acknowledgement packet, the ACK packet, back, right? I need to know, is this a proper acknowledgement packet? But we can actually use a... yeah, so let's look at some of these things. I think we've already talked about a lot of these: we can try to filter, we can try to increase the length of the half-open connection queue. That's what we talked about here: reduce the SYN-received timeout, or the ACK-received timeout, in this case I think it should be. We can drop half-open connections. So this is the idea of like a ring buffer, basically, of dropping old connections. And we can try to limit maybe from a specific source. One super interesting idea is to use what's called SYN cookies. So this is in an RFC. So this is a really important problem that basically has a whole RFC dedicated to it. So you can go here, read up on all of these different kinds of techniques and solutions. And basically, this really cool thing is essentially a SYN cookie. And the details aren't super important.
But the idea is, can you make a... so if we think about it, let's see, conceptually, we know we get a SYN packet first, right? So the attacker gets to choose the source IP, the destination IP, the source port, the destination port, and the sequence number. The only thing that we get to choose is the acknowledgement number. But basically, the idea is, can I encode information into this acknowledgement number, such that when I get it back, I can verify: yes, I sent this packet, it's from this IP, this IP, this source port, this destination port, and this sequence number. So it's a really cool idea to say, okay, I'm not going to store any information in my operating system. I'm going to encode all of this information inside this acknowledgement field so that I can verify, when I get that back, whether it was correct or not. So, and they also encode... yeah, so anyways, I'm not going to go into the details of this, but it's essentially a hash of a lot of different types of things that allows the server to not actually store data and information about the connection, but to basically put that in the packet itself. And then when it gets a response, it can check that. So this is a very clever idea to attack the root of the problem, that says, well, the problem is the attacker does no work and we store data. So how do we make that work? So, let's actually talk for a second. Okay, cool. Yep. Cool, cool, cool. Anyways, that's always done on the client side. And so I guess the key question is, what's the difference between a SYN flooding attack and... what if, so let's say this is Eve, our attacker. What if Eve just makes, let's say, connect, right, just connects to this machine, does the three-way handshake, but just does that a lot. So what's the difference between that and a... yeah, why is it detectable? Or what about it makes it detectable? Yes, the IP has to be the same, right?
You have to receive packets back, and you have to reply to them. So you can't. And if you think about it, there's no lever here, right? On your side, in order to establish a connection, you have to store just as much data as the server, right? So typically we think a server will have a lot. Yes, a very sad lever, right? So you think like this, it's very small, and actually it's... oh, oops, that's not sad. Yeah, it's actually a one-to-one lever; there's actually no lever, you're getting zero leverage and advantage. Because for all the data that we're sending to the server, we have to store the same amount of data for the TCP connection as the server does. And so if our machine was just bigger than the server, then yes, sure, we can take it down, but that doesn't really help; the adversary can just get more machines. Now, maybe I can then take this idea and extend it; I can maybe get leverage then through my botnet. So then maybe I leverage a denial of service to just make a ton of actual connections to the machine in order to take it down. We see, let's see. So yeah, so the idea is we can get a lever through the botnet, but still, it's not going to be as effective as using something like SYN flooding, or something that has a built-in lever to it that amplifies traffic, basically. What? Can you be more specific? What do you call an amplification attack? That's a little bit different. So the other thing to think about, especially about denial of service attacks, is... so we saw, specifically, for instance, we were targeting here the number of half-open connections that an operating system would have in its memory. And that's the specific resource that we're targeting. We can also target, and this is basically, you can then extend this idea. So you can now think of, okay, for a denial of service attack, I need a lever, and I need to target a specific resource. So it could be maybe just memory of the server.
So this is actually a really interesting one, memory. So we can maybe force the other side to send us data, but never acknowledge it. So if we think, if we're transferring a big file or some part of a file, an application will send data to the OS to send from one side of the TCP connection to the other. And we just never acknowledge that we saw that data. So we just say, "Oh, no, that data is somehow getting lost." And if I just do this a lot, I can force a lot of resources and memory to be stored on the system. Similarly, most, for instance, like a web server, most web servers use some kind of process pool. So there's a fixed number of processes that will handle incoming connections. So then I just overflow that: I just make a bunch of connections, and I overflow the number of processes or threads that they have to manage that. And they can't get any more. And I just keep those connections open for as long as possible. You can target how much memory there exists for socket descriptors, or in most operating systems, there's a limit on how many sockets you can have open. And so you can actually hit that limit. So then we can go and talk for a second about denial of service reflection attacks. So you can think of there's a couple ways I can take down V, right? Essentially, we've talked about I can take over and make it use too much resources internally. But what if... so what actually is this line? I just drew a line here, but what actually is this line, this line right here, this connection from V to the cloud? Yeah, I mean, we don't know exactly what it is. But it's some kind of physical connection. If we think about the TCP/IP stack, at the bottom layer, it's some sort of physical connection. And there are hard physical limits on how much data can go through those. And also somebody mentioned hops; there's also a switch here, right? There are physical limits to how much traffic can go through a switch.
No, not cut the wire, overload the wire. Let's see. I don't think there's enough slack. Nope. Okay, there's no way for me to get this in frame. No, impossible. Okay. So what we can do is we can actually overload this wire if we're able to send... let's think, maybe we'll go with an easy one. It's just like a gig. Oh, move the camera. It's attached to it. So anyways, it's fine. It's just an internet cable. But let's say it's like a gigabit per second, Gbps, is the capacity of this wire right here. So if we're able to send more than a gigabit of traffic through there, and it doesn't even have to be traffic that V can respond to, it could be garbage, just as long as we saturate that link and send more data than can physically go through there, it will appear to be off, because nobody else can talk to it. Even though V itself, we haven't attacked any resources within V. So to do this we need basically a very large lever. And there are a number of different ways; there have been... I think NTP had an amplification vulnerability. So the Network Time Protocol is one way. There are DNS. Yeah, the limit of the internet cable, you can look it up, I don't know off the top of my head, I just made up something. And honestly, probably your switch would fall over before your cable itself, but we'll target the cable right now. And so you can pick either of these; the NTP one was pretty egregious. I think it was something like 1000 to one. The basic idea was NTP is, I believe, a UDP-based protocol. So what an attacker would do is basically send, let's say, five bytes to the NTP server, spoofing the source IP as the victim. And then the NTP server would send, let's say, 5000 bytes to the victim IP as a response. And in this way, basically, if Eve has an outgoing connection, what would that be? Let's say 0.2 Gbps. So if Eve can send that, then by sending... oh, this is 1000x.
Yeah, I guess it doesn't even need to be that much. So basically, if Eve sends five bytes... so Eve now here has a 1000x lever. So Eve can send five-byte packets to this NTP server, and then it will send 1000 times that amount of data to our victim; we can easily overload a one gigabit per second connection using what we have here. So in some sense, I think how we originally got here was the cookie approach actually has no relation to most of these amplification attacks, because with an amplification, you can just overload the physical capacities of that switch to deal with it. Yes, it assumes the NTP server has at least a one gigabit per second connection, or what you do is you just find X amount of NTP servers on the internet and use a bunch of them to reflect traffic all towards the victim. Yeah, so super cool stuff. So this is kind of another attack to take advantage of, and attack, the capacity of your physical wire, which is pretty cool. Yeah, so there have been a lot of modern attacks; I think they can get up to, I want to say, like 20 Gbps is like some of the latest ones. Somebody want to look up DDoS capacity attacks? Maybe more than that; I think Krebs on Security got hit with one a while back. But if somebody looks up that number and throws it in the chat, I will update that. But yeah, attackers, by taking control of a lot of machines and using different types of amplification, can cause these insane denial of service attacks. Oh, 1.3 terabytes. Wow. Okay, so yeah, that's a lot. Yeah, that is very large. Right, you can actually take down a ton of systems there. And, you know, even if, and this is the really difficult thing, even if the victim technically in their network could handle it, it could be something upstream that fails. Wow, that's crazy. Was that the one with Cloudflare? Do you remember? I don't know. Anyways, oh, it was GitHub. Cool.
Oh, okay, I see 1.3 terabytes per second for GitHub. How does Cloudflare work? That is a great networking question. At a very coarse grain, they essentially try to have boxes... so we talked about how traffic has to go from you to your ISP to other ISPs to the ISP of the target and then their machine. Basically, they try to have a server in everybody's ISP, so they can get traffic and things to you very quickly. Cool. Yeah, Cloudflare. The other one that's really big that you probably don't hear about very much is Akamai, which is like a content distribution network type thing, which does this similar thing of, I think Netflix does this too, basically, where they try to have servers in as many local ISPs as possible. So when you're streaming a movie, it's coming from as few hops away as possible. Okay. Yeah, awesome. So there's a lot of stuff that you can play with. And yeah, okay, cool. So we're actually towards the end of our network stuff here. So then we're going to move on to binaries. So we can talk a little bit. One concept that comes up again and again in terms of networking is the notion of a firewall. So if we think, actually, we'll do some other stuff that I hadn't scheduled. Okay, so we have all the machines. So we have our local network, we have our gateway, and I'm going to call it G. No, that's a bad G. G, close enough. At some point, I'm just gonna give up. Our gateway. And then we have basically the outside world. So then we have now our nice cloud that's the internet. I swear I'm getting better at drawing these clouds. So the core idea of a firewall is... oh, okay, cool. GitHub does use Akamai, cool. And then you can check out this link to learn more about it. Oh, it's memcache that they targeted, interesting. So the idea is we want some kind of mechanism, from a security perspective, we want some kind of mechanism in order to... and I'm going to draw it like this.
So we want some kind of mechanism that's between our network and the internet that mediates network access. So for instance, if we wanted, let's say... yeah, okay, this is a good example. Okay, so let's say this is My ASU. Let's say we're ASU's network; this is My ASU. And let's say this is the grade database. G is our gateway. Okay, so let's think, so like My ASU, right? So the network is obviously much more complicated than this. And now we'll go with my machine; I don't want to target anyone else. Okay. So let's say that this is my work desktop. So we're all basically on ASU's network. So if you think about it from an external... no, it's more like, actually, the ASU network is one of the most insane things. We have at least, I think, 100,000 devices on the network, plus probably more; I think it's probably more like 110, 120 with all the research machines and everything. And on top of that, you have students and their devices leaving every four years. So a quarter of our devices have turnover and churn every year. So I would not want to be in charge of defending this network. Yeah, it's a crazy network. You think about most companies, right? The turnover of most companies is not 20 to 25%. But by the nature of colleges, hopefully a quarter of you are graduating every year. And so that means new people are coming in every year as freshmen, and so you get this massive turnover. Anyways, okay, so if we think about this. So from the outside, what should an outsider be able to access in our network? My ASU, exactly; this is the only thing we want people to be able to access. We don't want people to directly access the grade database; that would be silly. We don't want people to directly access my machine. Right. And so what we can use is this firewall, and we can plug in and program rules into our firewall that say, for anybody coming from the outside, they should only be able to go to My ASU.
So now I'm going to switch over, and the firewall policy would state: allow to IP My ASU, port 80, TCP. No, we haven't covered that; I may cover it right now, we'll see how much time we have. Right. So my firewall policy would maybe look something like this: allow, into the network, anyone going to the IP of My ASU, only port 80 and only TCP, and deny everything else. Now I have another problem: how do people, how do I get out from the network? Right. So I could maybe say, oh, I also need to allow outgoing traffic. And you can spend a lot of time on this. Yeah, so 443. Yeah, you've already figured out that this is insanely complicated. And so, you know, we're just covering the basics here because you can go insanely deep into firewalls. You could then say, as you keep using a firewall and you accumulate all these rules, what happens if I have conflicting rules? How do I specify what to block? How do I express different types of things? Like, for instance, allow any outgoing traffic. That's kind of an interesting thing. Anyways, and the other thing is, how does this actually prevent me from accessing the grade database directly? Or let's say, I don't want to pick on any of you directly, I'll just call you student one. So this is your student one machine. What's to stop you from accessing the grade database? So the interesting thing about allowing outgoing is how do you determine what's allowed, because if you think about it, when somebody contacts My ASU, My ASU will have to reply. So how do I allow that reply? And how do I allow Adam D to initiate outgoing communications? Yeah, so other things: I may add another firewall here, I may separate my network out. Again, this isn't a network security class, so we're not going to go into all of these details, but I want you to be aware of these concepts when you're talking about firewalls, right, and these types of things.
So being aware of what they're made for and what their usage is. They can also do things like, so this is maybe why, they can maybe block ICMP. We talked about that, right? If you're not able to ping a machine or something like that, it doesn't necessarily mean that it's down. It could have a firewall policy to block ICMP messages, all different types of stuff. And this is, we're really just scratching the surface here. But it's one of the core components of thinking about the network security of a system. So it's important for you to be exposed to it and aware of it. I think, with everything that we've studied about how the networking protocols actually work, firewalls are not really that specifically complicated. So this is why I wanted to focus more on how networking actually works and what the security implications are, and then discuss the concept or idea of firewalls. Other types of network security mechanisms are, and so again, actually, if we go back here for one more second, we can see again this notion that we talked about earlier in the class of the difference between mechanisms and policies, right? So a firewall is just a mechanism to try to enforce a network access policy. But you need a policy of what to block and what to allow, right? So this again gets to that notion that you need a policy of what should be allowed and what should not be allowed. So yeah, the other interesting thing, you know, if you think about the ASU network, there's actually a VPN server in here. Oops, that doesn't look right. A VPN server in here, and the firewall allows you access to the VPN server, which then routes your traffic. So this is actually how, for instance, I could get to my desktop from here: I VPN into the ASU network and then my traffic comes out as if it's inside the ASU network, past the firewall, so I can access my machine. But anyways, all kinds of stuff in there.
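To make the policy from the lecture concrete (default deny, outsiders only reach My ASU on TCP 80, insiders may go out, and replies to admitted connections get back in), here is an added example in Python that is not from the lecture; the addresses, the internal prefix and the choice to drop ICMP from outside are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the lecture's picture (hypothetical values):
# an internal prefix, the My ASU front end, the grade database, the desktop.
INSIDE_PREFIX = "10.0.0."
MYASU, GRADE_DB, DESKTOP = "10.0.0.10", "10.0.0.20", "10.0.0.30"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    sport: Optional[int] = None


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class Firewall:
    """Default-deny (whitelist) filter at the gateway. A table of flows the
    firewall already admitted lets replies pass without a rule of their own,
    which is how 'allow outgoing' and 'let My ASU reply' are expressed."""

    def __init__(self) -> None:
        self.flows = set()      # (src, sport, dst, dport, proto)

    def _remember(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))

    def _is_reply(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows

    def check(self, p: Packet) -> str:
        # 1. Replies to flows that were admitted earlier.
        if self._is_reply(p):
            return "allow"
        # 2. Policy choice from the lecture: drop ICMP from outside, so a
        #    failed ping from the internet does not mean the host is down.
        if p.proto == "icmp" and not inside(p.src):
            return "deny"
        # 3. The lecture's rule: outsiders may reach only My ASU, TCP port 80.
        if not inside(p.src) and inside(p.dst):
            if p.dst == MYASU and p.proto == "tcp" and p.dport == 80:
                self._remember(p)
                return "allow"
            return "deny"
        # 4. Anyone inside may initiate outgoing traffic.
        if inside(p.src) and not inside(p.dst):
            self._remember(p)
            return "allow"
        # 5. Everything else is denied (whitelisting, not blacklisting).
        return "deny"


def demo() -> list:
    fw = Firewall()
    return [
        fw.check(Packet("203.0.113.5", MYASU, "tcp", 80, 40001)),      # web client
        fw.check(Packet(MYASU, "203.0.113.5", "tcp", 40001, 80)),      # its reply
        fw.check(Packet("203.0.113.5", GRADE_DB, "tcp", 5432, 40002)), # grade DB
        fw.check(Packet(DESKTOP, "198.51.100.7", "tcp", 443, 50000)),  # browsing
        fw.check(Packet("198.51.100.7", DESKTOP, "tcp", 50000, 443)),  # reply
        fw.check(Packet("198.51.100.9", DESKTOP, "tcp", 50000, 443)),  # unsolicited
        fw.check(Packet("203.0.113.5", MYASU, "icmp")),                # outside ping
    ]


if __name__ == "__main__":
    print(demo())
```

Note that student one talking to the grade database never crosses this gateway at all, which is exactly the gap the lecture points out.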
Other types of systems: intrusion detection systems. So this is another type of thing, where it's a mechanism, right? So the mechanism is, you want to, and I will draw a, that's really bad. Let's say this is a magnifying glass. You know what, I'm just going to do this and write IDS. Okay, yeah, so for firewalls, if you think about it, it's a whitelisting versus blacklisting thing. So whitelisting is much more secure, right, because you're only saying what things should be allowed. So you want to deny everything and only allow specific things through. And, okay, so an intrusion detection system, the basic idea is: monitor all network traffic. And this is using exactly the kinds of tools we saw, tcpdump, all these kinds of things: monitor the network traffic and try to determine either evidence that we've been compromised, or that we're under attack, right? So those are things like, we saw an intrusion detection system can detect that you're being port scanned, or they'll have other types of rules. And they'll be able to even identify, hey, somebody's trying to exploit some vulnerability on one of our systems, maybe I should flag that. It's a very complicated area because all you have is network traffic. So you are, at least in this case, without thinking about the host (there are host-based intrusion detection systems, all kinds of stuff), trying to determine if you've been attacked or not. And more fundamentally, you're looking at packets and trying to determine: is this benign or malicious traffic? So you need now a policy of what to detect. So I will say, if you want to go play with this, Snort is an open source intrusion detection system that you can actually just install and run on your system; it will look at all the traffic and see if you've been attacked.
And I will say Snort can be very annoying because the default rules, the policy of what to detect, have a lot of things in there. A cool distinction, and the key thing here, is the difference between detection and prevention. So an intrusion detection system will just basically alert that, hey, I think I've seen something bad here. An intrusion prevention system will actually block your access. So it will say, I'm going to kill this connection as soon as I see something bad. So yes, funny story, I'll say very briefly: one of the CTFs that I helped admin and run was, I think it was the 2011 iCTF, where every team connected into a VPN network. And what we had is we had Snort running on every incoming connection. And as soon as we detected a Snort rule violation, we blocked their connection for five minutes. So what happened is somebody on a team would be port scanning stuff, it would trigger Snort, and then we'd cut their connection for five minutes. So yeah, you can get really into these types of systems; there are all types of commercial tools. We're not going to talk about them, but you definitely know enough to understand how they work by looking at this network traffic. And so basically from here, there are a lot of different ways that you can take and go into network security. And there's a lot of research here. So for instance, one of the areas that we do research in is software defined networking. So the idea is that if you've ever programmed switches or done anything like that, been into Cisco or all that stuff, it's kind of a real pain in the butt to configure all of these different switches. So the idea is make the switches really dumb and have a central machine that controls all the switches, can program rules, and has a global view of the entire network.
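An added example (not Snort, and not code from the lecture) of the detection-versus-prevention idea above: a tiny IDS policy that reads tcpdump-style lines, flags a source that sends SYNs to many distinct ports on one host inside a short window, and records the time until which a prevention system would cut that source off, like the five-minute block in the CTF story. The capture lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's style (not a real trace): one host
# probing six ports on 10.0.0.10 within a second, then a normal web client.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.9.40001 > 10.0.0.10.22: Flags [S], seq 1
12:00:01.010 IP 203.0.113.9.40002 > 10.0.0.10.23: Flags [S], seq 2
12:00:01.020 IP 203.0.113.9.40003 > 10.0.0.10.25: Flags [S], seq 3
12:00:01.030 IP 203.0.113.9.40004 > 10.0.0.10.80: Flags [S], seq 4
12:00:01.040 IP 203.0.113.9.40005 > 10.0.0.10.110: Flags [S], seq 5
12:00:01.050 IP 203.0.113.9.40006 > 10.0.0.10.143: Flags [S], seq 6
12:00:02.000 IP 198.51.100.4.51000 > 10.0.0.10.80: Flags [S], seq 7
12:00:02.020 IP 10.0.0.10.80 > 198.51.100.4.51000: Flags [S.], seq 8, ack 8
12:00:30.000 IP 198.51.100.4.51001 > 10.0.0.10.443: Flags [S], seq 9
"""

LINE_RE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d+):(?P<s>[\d.]+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line: str):
    """Pull timestamp, endpoints and TCP flags out of one capture line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": t, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def detect_port_scans(capture: str, threshold: int = 5, window: float = 10.0,
                      block_seconds: int = 300) -> list:
    """Detection policy (the IDS part): a source that sends pure SYNs to at
    least `threshold` distinct ports on one host within `window` seconds is
    flagged once. Each alert also carries the time until which an IPS would
    drop that source (the lecture's five-minute block)."""
    recent = defaultdict(list)      # (src, dst) -> [(time, dport), ...]
    flagged = set()
    alerts = []
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None or p["flags"] != "S":     # only connection attempts
            continue
        key = (p["src"], p["dst"])
        recent[key] = [(t, d) for t, d in recent[key] if p["t"] - t <= window]
        recent[key].append((p["t"], p["dport"]))
        ports = sorted({d for _, d in recent[key]})
        if len(ports) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"src": p["src"], "dst": p["dst"], "ports": ports,
                           "t": p["t"], "block_until": p["t"] + block_seconds})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_CAPTURE):
        print(f"ALERT: scan from {a['src']} against {a['dst']}, ports {a['ports']}")
```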
So for instance, in the context here, one of the really interesting things that we've done with this is, rather than have a firewall just on, let's say, the entry point of your network, with this you can essentially put a firewall into every switch of your network. So every switch can be enforcing your firewall rules, so that you can do things like enforce, hey, Adam D should not be able to talk to the grade database, right? Only maybe My ASU should be able to talk to the grade database, or whatever front end is there. And one of the really interesting things about software defined networking is that Google uses this in their data centers, and they took their network utilization up from like 70% to like 99.9% or something insane like that. So they're getting a lot of benefit from using these kinds of techniques. Like we talked about, there's a lot of stuff to do in firewalls: analyzing them, verifying correctness, all kinds of things. Intrusion detection systems were actually really funny. They were a really big research area in the late 90s, early 2000s. And it's basically just a very, very difficult problem that's really hard to solve. So it kind of went away. And now it's back under the guise of advanced persistent threat detection. So you can think about intrusion detection systems like: if you have an IDS here, and here, and on this machine, how do you take all those logs, aggregate them, and understand what happened? It's kind of a crazy thing. Other things that you can go look up: IPv6. So one of the key things that, actually, it's kind of insane that we didn't talk about. So we talked about IP addresses. Right. So how big was an IP address? How many bits? Yeah, 32 bits. So there are going to be roughly two to the 32, which is like 4.2 million. That's actually not enough, which seems kind of crazy, right? Oh, is it billion? Okay. Right. And actually, so that's not even enough, right?
So if you think about it, if you wanted every person to have an IP address, that's actually not enough addresses, and for various other reasons. So IPv6, they moved to, I believe it's 128-bit addresses. Can somebody check me that that's correct? Yeah, I thought it was, I couldn't remember exactly. Two to the 128 gives us, oh, is that what it is? Well, yeah, so a ton. So that's 3.4 times 10 to the 38. So three followed by 38 zeros. So there's been all kinds of stuff; we basically have a ton of IP address range now in IPv6. But the problem is the transition has basically been very, very slow. And it does look very ugly. I'm very much used to IPv4 addresses; IPv6 addresses use, kind of similar to Ethernet addresses, the colon notation with different aspects here. So yeah, anyways, you can go learn more about IPv6. It actually has the same kind of RFCs that you can go learn from. I'll definitely say I'm not an expert yet. But it kind of is the future, and we're slowly, over time, shifting more and more over to IPv6. Let's see. IPsec is basically a technology and a way to add security into the IP layer. So for all of those reasons that we talked about, the IP layer does not provide anything in terms of authentication, integrity, reliability, anything like that. IPsec tries to address some of those, so you can go look that up more. Cool. And then I think with the, oh, yeah, I didn't talk about that. 802.11x. Let's see. And now I'm going to write down anything else that anybody wants to learn about in the next 15 minutes in regards to networking. So somebody mentioned 802.11x, which I can talk about, NAT, which we talked about. "What is networking?" You should start at the top and relearn it. Cool. Okay. So is it 1x? Yeah. So we talked about this a little bit. So 802.11x basically solves the problem of anybody being able to plug into an Ethernet port.
So 802.11x allows you to do basically port-based authentication. So we talked about my beautiful design of a switch. So you have different ports in a switch. And it actually allows you to authenticate to a remote system. So when a cable is plugged in here, that's not good. When the cable is plugged in here, this can actually be authenticated. So we know that this is somebody inside of our organization and not somebody external. So that's kind of the high level version there. NAT, so NAT stands for, and actually NAT is probably the biggest reason why we've been able to stay on IPv4 for so long. So if some of you right now would go open up a terminal and run ifconfig or ipconfig. If you're on Windows, I think ipconfig should work. If you can run that and tell me what your IP address is. So we know there are some special IP ranges, right? So we know 127.0.0.0/8 is the local network. Let's see, we have some other ones: 192.168.29.129. Same: .1. Let's see, somebody else is 1.215. Anybody else, 0.15. That's good. Anybody got a 10.something? 0.15. I can show you mine: 192.168.0.27. So this is actually a little weird. Can somebody send me, so if you look at mine, right, you can see my netmask or my broadcast. So my network, I'm on 192; so if I go here, I'm on /24. Anybody else here? Is it on something? Can somebody, who is 192.168.0.15? Could you show me your, what's your netmask? Oh, what is that, a slash? I don't even know what that is. It's like a /30 or something. So I'm going to go out on a limb and guess this is a /24 and this is a /24 as well. Let's see, okay, I'm going to use you for a second, Emily. Okay, so why aren't Emily and I on the same network? This seems kind of crazy, right? We just learned we have IP addresses. So I have an IP address, I have a netmask, I have a gateway, which is 192.168.0.1. So how come I can't ping Emily? Yeah. So exactly. Okay, so now we've run into this interesting thing.
So there are a couple of things here. One is we actually have other types of special IP ranges: 192.168.0.0, I believe it's /16, is a private network. And 10.0.0.0/8 is also a private network. There's another one, I think it starts with 172. That is another private network. I'll have to look that up and figure that out. So all of these IP address ranges, so there we go, 172.16. I don't remember the range there. Do you remember, is it to 32? Yeah, whatever, 12. Okay, cool. Awesome. Thank you. Okay, so there I get local network, private network. So these are all different size networks. And they're guaranteed by the RFC to actually be private. And what that means is not globally routable. So you can be free to use these IP address ranges internally, and no one will be able to route to that. So this is why it just so happens that Emily and I have the same IP address range locally inside of our local networks. But how does this actually work? Because now, if I wanted to ping, and we've actually seen this before, I didn't talk about it. But if I ping 8.8.8.8 and I run tcpdump. So if I run this, I see, and we actually captured those packets, right, we saw packets that had a source IP of, what we now know is my internal private IP, 192.168.0.27, to 8.8.8.8, and 8.8.8.8 is able to magically reply to me at 192.168.0.27, which seems insane. This should never happen because I just said this is a private IP address. No one can actually talk to this IP address. This is why I was saying you're fine posting this IP address here in this channel, because nobody else can ever route to that IP address. And it's all due to that. Okay, so how does this work? So I'll draw me. So I'm here on this network. I'm connected to a switch, which is connected to a gateway that also does NAT. So gateway, and it has its, and this is to my ISP now. Let's see what I want this to do.
So what happens is my gateway, and this is what your cable box basically does, or your switch or whatever. I mean, it's usually all in one, right? So usually this switch and this gateway are all in one. But you have a public IP address that's given to you by your ISP, right? This is what we've been talking about in terms of IP addresses. This is the public IP address that's not in one of these ranges, that people can actually route to. And oftentimes you actually internally don't even know it. So what happens is your gateway uses this protocol called NAT to translate every packet that goes outside of your network to this internal IP address. So what does this look like? So let's say we just saw an ICMP packet; we'll talk about it at the IP level. So I know that I will have a source IP. So now I'm saying this is my internal IP address. So this is IP internal A, and a destination IP: I want this to go to 8.8.8.8. And I'll just call it an ICMP packet. So this packet gets sent. And we've been studying this for a while, so we all know exactly what happens. We know the next hop delivery; we know that my machine knows the gateway, so it has to use ARP to figure out the Ethernet address of the gateway and sends the packet. So this packet goes from me internally to my gateway. The gateway gets this packet and says, where is this packet going? 8.8.8.8. Oh, great, that's out on this side. I need to translate that packet. So before this packet goes out, the gateway will translate it and say, okay, the source IP is now, it can't use the internal, it has to use the external. And it uses destination IP 8.8.8.8 and ICMP. And then at this point, this is the packet that gets sent out to the world, so that Google can get that. And what the gateway stores is a mapping that says, at least in this case, ICMP to 8.8.8.8 maps back to IP int A, so it can translate it back.
So when Google gets this, Google will reply with source IP 8.8.8.8, destination IP IP A, ICMP. So this gets sent now from Google back to my gateway, the gateway gets this, and then it does its translation. So that's the network address translation, the T part, and it's going to change this to the internal IP address. And then that is now what my machine sees. And that's exactly what we're seeing here in this example. So we're seeing ICMP echo requests and replies that use internal IP addresses, which the gateway has translated for us using NAT. And so, yeah, the terminal color scheme, I can't remember. I think it's like Dracula or something. I don't know, I can post it later if somebody asks me on Piazza. So yeah, basically your router is doing this for every single packet that goes out. So it has all kinds of cool stuff to be able to map this; it will change different ports to know what ports to come back as. Anyways, network address translation is super cool, because it's doing all this work. And one of the super interesting things, and this is very cool, is how does anybody outside, so let's say there's, we'll go back to Eve. And we say, okay, let's send. How can Eve send a SYN packet to me? So let's think about this. So Eve would need to send a packet; we'll call it ICMP for now, it doesn't really matter. But let's say source IP is IP Eve, destination IP address IP A, and sends this packet out. Eve sends this packet and it gets to my gateway. My gateway says, oh, I don't have any way to translate this. I'm not expecting a packet back in for internal A. So I'm going to drop this packet, and I never see it. So I basically can't, and that's why people are talking about port forwarding, right?
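The translation table the gateway keeps, as an added example in Python (not the lecture's code): the outbound rewrite of IP int A to IP A, the reply translated back, Eve's unsolicited packet dropped because no mapping exists, and a static port-forward entry as a way in. The public address, Eve's address, the echo identifier and the forwarded console port are constructed assumptions; ports and ICMP identifiers are rewritten the way the lecture mentions ("it will change different ports to know what ports to come back as").

```python
import itertools

# Constructed addresses for the lecture's picture (hypothetical values).
IP_INT_A = "192.168.0.27"    # the internal, private address from the lecture
IP_A = "198.51.100.23"       # hypothetical public address the ISP handed out
GOOGLE_DNS = "8.8.8.8"
EVE = "203.0.113.66"


def is_private(ip: str) -> bool:
    """The private ranges from the lecture: 10/8, 172.16/12, 192.168/16."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class NatGateway:
    """Packets are dicts: proto, src, dst, sport, dport. For ICMP echo the
    identifier plays the role of the port and is carried in both fields."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table = {}      # (proto, remote, rport, ext_port) -> (int_ip, int_port)
        self.forwards = {}   # (proto, public_port) -> (int_ip, int_port)
        self._ext_ports = itertools.count(40000)

    def add_port_forward(self, proto: str, public_port: int,
                         int_ip: str, int_port: int) -> None:
        self.forwards[(proto, public_port)] = (int_ip, int_port)

    def outbound(self, pkt: dict) -> dict:
        """Inside -> internet: rewrite the source to our public address and
        store a mapping so the reply can be translated back."""
        ext_port = next(self._ext_ports)
        out = dict(pkt, src=self.public_ip, sport=ext_port)
        if pkt["proto"] == "icmp":
            out["dport"] = ext_port          # echo id appears in both fields
        key = (pkt["proto"], pkt["dst"], out["dport"], ext_port)
        self.table[key] = (pkt["src"], pkt["sport"])
        return out

    def inbound(self, pkt: dict):
        """Internet -> our public address: translate back using the table,
        honour a static port forward, or drop (None) when nothing inside is
        expecting it. This is why Eve's unsolicited packet never arrives."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"])
        if key in self.table:
            int_ip, int_port = self.table[key]
            back = dict(pkt, dst=int_ip, dport=int_port)
            if pkt["proto"] == "icmp":
                back["sport"] = int_port
            return back
        fwd = self.forwards.get((pkt["proto"], pkt["dport"]))
        if fwd is not None:
            int_ip, int_port = fwd
            return dict(pkt, dst=int_ip, dport=int_port)
        return None


def demo() -> dict:
    gw = NatGateway(IP_A)
    # 1. ping 8.8.8.8 from inside: echo request with (constructed) identifier 1234
    req = {"proto": "icmp", "src": IP_INT_A, "dst": GOOGLE_DNS, "sport": 1234, "dport": 1234}
    on_wire = gw.outbound(req)
    reply = {"proto": "icmp", "src": GOOGLE_DNS, "dst": IP_A,
             "sport": on_wire["sport"], "dport": on_wire["dport"]}
    delivered = gw.inbound(reply)
    # 2. Eve sends an unsolicited packet to the public address: no mapping
    eve = {"proto": "tcp", "src": EVE, "dst": IP_A, "sport": 4444, "dport": 22}
    # 3. with a port forward configured, a SYN to that port is passed inside
    gw.add_port_forward("tcp", 3074, "192.168.0.40", 3074)   # hypothetical console
    game = {"proto": "tcp", "src": EVE, "dst": IP_A, "sport": 4444, "dport": 3074}
    return {"on_wire": on_wire, "delivered": delivered,
            "eve": gw.inbound(eve), "forwarded": gw.inbound(game)}
```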
So this is why, I'll just put FW, this is why if you want to run something internally inside your network that you want people to be able to connect to, you can set up your router and say, when you get essentially a SYN packet on this specific port, forward it to the Xbox, and that's talking to the NAT translation to do that. There's also, if you really want to look at this, a really cool protocol called STUN, which is: if you and I are both behind NATs and we want to do a peer-to-peer connection, how do we set that up so that we can talk to each other? So there's a whole protocol of cool tricks to trick your router into doing this. But anyways, this is kind of the, I guess, short-ish, but it was kind of long, explanation of NAT and network address translation. So one thing I will tell you is you can go to ipchicken.com, which can tell you your IP address, and you can compare that with the IP addresses you put in here. I would not personally share your IP address; you know, you never know, keep that private at least a little bit. You can check that out. And so thanks everyone, that was a great class. And on Tuesday, we will start with binaries. We'll get to binary hacking. See y'all. Be safe.