All right, we're going to finish TCP, hopefully. So let's review a bit to get us back into our networking mindset. So what establishes... what's the TCP three-way handshake? SYN, SYN-ACK, and then ACK. Yeah, so SYN, SYN-ACK, ACK. And what's the point of the three-way handshake? That's probably more important than the four blocks. Yeah, establishing a connection. Oh yeah, for the people on the recording: I forgot my mic, so it's the crappy mic of the computer here. That's what you get by being in class: good quality audio. Okay, so, sorry, what did we say? To establish a connection. But why specifically three packets? Why does it have to be three packets? Why can't one packet or two packets establish a connection? Yeah, so you can send one packet, but because the underlying IP levels that we've been talking about are completely unreliable, you have no idea if that packet makes it there or not until the other side acknowledges that packet that you sent. So you need three because there are two sides, right? One sends one and then gets a response back, but then the other one needs the third to reply back. So they both essentially send one packet and get an acknowledgement back. We didn't really talk about it, but what does this mean in terms of things like latency for starting up a TCP connection from here?
Because maybe you need a request and then a reply back on UDP, but to even start... so let's say your application has some request and you need a reply. To even get to that point where you can exchange data with the other side, you first send three packets back and forth, and then you send your request and you get one packet, they send you the reply back. So that takes five packets where it took two to do. What are the latencies that we're talking about here? On the order of... are we talking minutes, seconds, hours? Does it depend? On what? Yeah, so all types of things, right? Not just you but the other party you're talking to and anybody else in between. You could be on satellite, so your packets can actually go up to a satellite and come back down. Right, so your round-trip time is the time it takes light to travel from the earth to a satellite and back. Talking about Wi-Fi, right? So your packet on Wi-Fi is pretty fast if you're the only one using it; if multiple people are using it you have to share that resource. Phone, cell phone, so any kind of wireless communication, right? These all can add latency. All right, awesome. So now we've established some communication, and how does each side know
what data has been sent and that the other side has seen the data that they've sent? So what's that, more specifically? Every packet that one side sends to the other side has a sequence number, and the other side will always send an acknowledgement back saying it saw up to that sequence number plus whatever data that it saw. And that way both sides can keep track of what the other side has seen. So you can walk through examples in here. Some people were asking after class: we're only looking at the very most basic part of networking. There's a lot more to it. If you want to send multiple packets at once, you can send a bunch of packets and just wait for the acknowledgements to come in. There are all kinds of rules about how to do timeouts, how to fairly allocate resources so you're not just saturating and taking advantage of all of the available bandwidth, all kinds of stuff. Then we want to shut down. How do we tell... how does one side of the connection tell the other side, "Hey, I'm done talking"? And that says, "I will send no more data on this to you," and because this is a two-way communication both sides have to send FIN packets, and then they will acknowledge those packets, and at this point the connection's broken down, shut down, no more connection here. Awesome. Okay, so now that we have an understanding of the fundamentals of how TCP works, now we can start looking at it from a security perspective. So what do we use port scanning for? In terms of UDP, what's the purpose of a port scan? To see which ports a server is listening on. Yes. I have a remote IP address, we want to know what ports are open on that, right? So TCP is... I actually don't know the breakdown, that would be interesting, but it's probably one of the most dominant types of traffic. So you're more likely to see TCP services running on a system. So how can we do that?
So we saw with UDP one way to do that, which was sending a UDP packet and seeing if we got back an error message essentially or not. What about with TCP? Yeah, so you could send a SYN packet to a port, and what's the other side going to do? Send you back a SYN-ACK packet, and then you send an ACK and you can establish that communication. What does it do if it's not listening? We went over that: send a reset packet, or it could send no packet at all depending on how it's configured. But we know that it must be the case that if there is something listening there, it better send us back a SYN-ACK packet. Yeah, so does every port have some software running on it that controls sending back "I'm not listening"? So yeah, we didn't get into that, but it's the operating system. So the operating system has a TCP/IP stack that manages all of this. And so essentially, going back to these examples, the server is using a C function like listen to say, "Hey, I want to set it all up, I want to listen on port 80," and that tells the operating system. Okay, great. Then once the three-way handshake is established, because the OS handles all that for the application, then the application is notified, and then by using, I believe it's send and receive, you'll be able to send data and receive data. And you'll only be able to read data once the other side has acknowledged? Yeah, when you get data in, it sends it up to the application so your application can process it, and it will buffer a certain amount, and then you'll know when your socket gets shut down. Cool. Okay, so we're trying to figure out... and the interesting thing about TCP, TCP is a little bit more interesting than just UDP because there are a lot of different states here. So what we ultimately want to do... I thought there was an /etc/services. So you can look up, so there's a registry where common ports are defined.
So like port 80 is HTTP, 443 is HTTPS. What did we say the other ones were? FTP was 23, we said, and 22 is SSH, SMTP was 23. Okay, cool. So this is actually very easy to do and you can write your own program to do this. You just tell the operating system... well, connect is the system call that says, "I want to connect to this IP address on this port." If it returns success, that means there's something listening there. If it returns an error back, that means that there's nothing listening there. Say again? Okay, that makes sense. Yes, 23. All right, cool. So what will happen is the operating system will do that handshake, and if it's successful, then we know that there's something listening on that other end. One advantage is that the operating system does this for us. We'll look at this and we'll see how for other types of port scanning you actually need to be root on the system in order to do a port scan. What's one of the downsides here? How much noise exactly? 65,000 SYN packets, and then what? So we'll think about the worst case: we send 65,000 SYN packets and we get back, well, maybe in one case they're all open, we get back 65,000 SYN-ACKs, and then we send back 65,000 ACKs, and then they send back 65,000 ACKs, and then we send back 65,000 FINs to be very nice and kill the connection. They send us back another 65,000 FINs and then we send back 65,000 ACKs and then we're finally done. Right. For each of these you're keeping this connection open in the case that... so the disadvantage is very clear. It's noisy, but you can easily do this. Nmap with capital T (-sT) does basically a connect scan of this system. So it's scanning ports one through 1500 and it's showing all the services. So these are the ports and then these are the services that are registered to those ports. Again, an important thing to keep in mind: does this exactly mean that there is an X11 server running on port 6000? No. What is this information actually showing us?
Commonly associated with this port, right. So the important thing to remember is we scanned 1500 ports; these are the ports that we were able to connect to, and then these are the assigned names. It doesn't necessarily mean that's exactly what's running on that port. It's just important to keep that in your mind, because technically you'd have no idea what's running on that remote system. Right, people can do all kinds of crazy stuff. It's not really over TCP, but you can get around a lot of firewall rules by opening, like, a VPN on port 80. So most companies allow outgoing traffic to port 80 and they don't look at anything else, and so you can set up connections to your remote systems on port 80. Some people also do that with SSH, so you can SSH to your machine on port 80, and basically nobody ever blocks port 80 traffic even though it's not HTTP. So we can do this in a slightly smarter way. So here we've seen we've sent tons of packets just to get this information. So what's the information that we really need? What do we really want to know? Now, the other thing that I didn't mention is that in this connect scan, the other issue besides being very noisy is that once we establish a three-way handshake, the application gets notified. So essentially, if you think about this system, if there are logs, it will say, hey, we got a connection and then the other side dropped out before we could say anything. So you also have application-level logs. But we can do something smarter and say, well, why do we need to do the three-way handshake? Let's just send a SYN packet, and then how do we tell if the other side is open or not? So now if they send us a SYN-ACK back, we know the port's open. Do we need to send back an ACK?
No, we don't have to, and we can do this. So it's called half-open scanning: you leave the connection in a half-open state where the other side doesn't know if you got their reply back or not. So you send a SYN, they'll send a SYN-ACK or potentially a reset packet if the port is closed, it depends on the system. But we know that if we send a SYN and we get back a SYN-ACK, we don't have to finish the rest of the conversation, and we can do that. So if we really want to be smart... well, if we want to be nice, we can send a reset packet to say, "I don't know what you're talking about." And essentially this is very nice because now the connection is never open, the application never knows about it. The operating system says, oh, maybe that machine died halfway through the three-way handshake, we don't know what happened to it. So here we can be... yeah, so is it only logged if the whole acknowledgement handshake is complete? Yeah, and when we say logged, usually in the sense of... so if you have network monitoring and you're looking at all the packets, you would obviously see these packets. But in terms of "I had a connection from this IP on this port," that won't get logged until the connection actually is made. So there's another nice option in Nmap.
I told you Nmap is your friend. It's kind of one of the Swiss army knives of network discovery, and it can scan this. It can say, hey, port 80 is open, and if we look at the tcpdump output to see what are the packets that actually got sent... this is a little bit difficult to parse, but we can go through it like this. So we first have a timestamp, then we have our typical IP address, and then the dot and the thing after it is the port number, and the arrows indicate the direction that the packet is going. So the packet from 128.111.48.69 to 128.111.41.38, port 78. So trying to test port 78, and they're sending, these are I think the sequence and acknowledgement numbers, and the S is for SYN. And we can see a bunch of these, so we can see, oh, that shouldn't be sent twice for some reason: 81, 82, 80, 79, and again these aren't going exactly in this order. And so we get back a reset packet from port 78, so we can see the R here is reset. We get a reset from 81, reset from 82, and we get back from 80 a SYN with an acknowledgement, the SYN-ACK, in this output. And this is just tcpdump literally parsing that data packet that we showed you, the IP headers and the... Any questions? Yeah. Reset: it could mean go away most of the time, or if you're scanning like a corporate environment their firewall will drop all of those. Or actually the interesting thing is, and Nmap says this, it'll say a state like open, filtered, or closed, sometimes because often with corporate firewall policies you can only access port 80 and they drop all the other packets that are coming in. So you'll never get a reset packet back from the system because no packet ever reached the actual system, it got dropped by the firewall. But we know that if we send a SYN and we get back a SYN-ACK, there must be something listening there. And this is just scratching the surface of TCP port scanning.
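To make the tcpdump output above concrete from the monitoring side, here is an added example (not part of the lecture, and not Nmap's or tcpdump's own code) that parses tcpdump-style TCP lines, labels the flag letters the way the lecture reads them (S is SYN, S. is SYN-ACK, R is reset), and flags a source that SYN-probes many ports on one host without ever completing a handshake. The capture lines and every address in them are constructed for the example; the helper names are this example's own.

```python
"""Parse tcpdump-style TCP lines and flag SYN-scan behaviour (added example)."""
import re
from collections import defaultdict

# Constructed sample capture, mimicking tcpdump's default TCP line format:
#   "time IP src.port > dst.port: Flags [..], seq N, ack M, win W, length L"
# 192.0.2.10 probes five ports on 198.51.100.5 and never finishes a handshake;
# 203.0.113.7 opens one ordinary connection to port 80.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.78: Flags [S], seq 1000, win 1024, length 0
10:00:01.000200 IP 192.0.2.10.40002 > 198.51.100.5.81: Flags [S], seq 1001, win 1024, length 0
10:00:01.000300 IP 192.0.2.10.40003 > 198.51.100.5.82: Flags [S], seq 1002, win 1024, length 0
10:00:01.000400 IP 192.0.2.10.40004 > 198.51.100.5.80: Flags [S], seq 1003, win 1024, length 0
10:00:01.000500 IP 192.0.2.10.40005 > 198.51.100.5.79: Flags [S], seq 1004, win 1024, length 0
10:00:01.001100 IP 198.51.100.5.78 > 192.0.2.10.40001: Flags [R.], seq 0, ack 1001, win 0, length 0
10:00:01.001200 IP 198.51.100.5.81 > 192.0.2.10.40002: Flags [R.], seq 0, ack 1002, win 0, length 0
10:00:01.001300 IP 198.51.100.5.82 > 192.0.2.10.40003: Flags [R.], seq 0, ack 1003, win 0, length 0
10:00:01.001400 IP 198.51.100.5.80 > 192.0.2.10.40004: Flags [S.], seq 5000, ack 1004, win 29200, length 0
10:00:01.001500 IP 198.51.100.5.79 > 192.0.2.10.40005: Flags [R.], seq 0, ack 1005, win 0, length 0
10:00:01.002000 IP 192.0.2.10.40004 > 198.51.100.5.80: Flags [R], seq 1004, win 0, length 0
10:00:05.000000 IP 203.0.113.7.51000 > 198.51.100.5.80: Flags [S], seq 7000, win 64240, length 0
10:00:05.000900 IP 198.51.100.5.80 > 203.0.113.7.51000: Flags [S.], seq 9000, ack 7001, win 29200, length 0
10:00:05.001800 IP 203.0.113.7.51000 > 198.51.100.5.80: Flags [.], ack 9001, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# tcpdump prints ACK as "."; "S." is therefore a SYN-ACK and "R." a RST-ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK"}


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = frozenset(d["flags"])
    return d


def flag_label(flags):
    """Spell out tcpdump's flag letters, e.g. frozenset('S.') -> 'SYN-ACK'."""
    return "-".join(FLAG_NAMES[f] for f in "SFRP." if f in flags) or "none"


def summarize_probes(capture):
    """Track each bare SYN and what came back for it.

    Keyed by (scanner, target, target port, scanner port). State is 'open' if a
    SYN-ACK came back, 'closed' on a reset, and 'filtered' if nothing answered
    (the lecture's firewall-drop case); 'completed' records whether the
    scanner ever sent the third ACK of the handshake.
    """
    packets = [p for p in map(parse_line, capture.splitlines()) if p]
    probes = {}
    for p in packets:
        key_out = (p["src"], p["dst"], p["dport"], p["sport"])
        key_back = (p["dst"], p["src"], p["sport"], p["dport"])
        if p["flags"] == frozenset("S"):
            probes[key_out] = {"state": "filtered", "completed": False}
        elif key_back in probes:                       # a reply to a probe
            if p["flags"] == frozenset("S."):
                probes[key_back]["state"] = "open"
            elif "R" in p["flags"]:
                probes[key_back]["state"] = "closed"
        elif key_out in probes and p["flags"] == frozenset("."):
            probes[key_out]["completed"] = True        # handshake finished
    return probes


def detect_syn_scans(capture, min_ports=3):
    """Report (source, target) pairs that probed at least min_ports distinct
    ports; a probe count far above the completed-handshake count is the
    signature of both a connect scan and a half-open scan."""
    per_pair = defaultdict(list)
    for (src, dst, dport, _sport), st in summarize_probes(capture).items():
        per_pair[(src, dst)].append((dport, st))
    report = {}
    for pair, entries in per_pair.items():
        ports = {dport for dport, _ in entries}
        if len(ports) < min_ports:
            continue
        by_state = lambda s: sorted(d for d, st in entries if st["state"] == s)
        report[pair] = {
            "probed": sorted(ports), "open": by_state("open"),
            "closed": by_state("closed"), "filtered": by_state("filtered"),
            "handshakes_completed": sum(st["completed"] for _, st in entries),
        }
    return report


if __name__ == "__main__":
    for (src, dst), info in detect_syn_scans(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {info}")
```

The regular expression only covers the prefix of a line up to the flags, which is all the classification needs; sequence and acknowledgement numbers are left in place for a reader who wants to extend it. Note that the ordinary client (203.0.113.7) is not reported because it touched a single port and completed the handshake, while the probing host shows five ports, zero completed handshakes, one open port and four closed ones, matching what the lecture reads off the tcpdump output.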
There's other really cool stuff. One of them is a Christmas tree port scan, where you set all of the flags, like SYN, ACK, reset, FIN, every single flag possible, and it turns out that the operating system TCP/IP stacks will respond differently depending on the state of the connection, if there's a service listening or not. So you can use these really interesting... and it's kind of cool: you're trying to get just one bit of information, is there a service listening or not, and if there's different behavior depending on what packet you send, you can use that to detect it. But we won't go into those; you can dig into Nmap's help, it has ways to do all of these types of scanning. All right, so now that we know the IP address of the machine, we know what services are open on that machine, what other information would we want to know about that machine? Operating system, right? We don't know: is this a Linux web server, or a Windows server? We may be able to... if we're able to identify that it's a Windows XP machine, there are highly likely to be known exploits that will work on that machine, since Windows XP is super, super old. Yeah. Make sure that... for sure, yeah, so that would be the next step, to talk to the service to see what it actually is. The interesting thing about operating systems is we can actually do this in two different ways. One, passively, by observing the traffic that is sent; there are ways to infer exactly what operating system it is. The other super interesting thing is: is the Windows TCP/IP stack the exact same one that's in Linux? No, that would be insane. That would be a clear copyright violation, right? Everyone had to write this from scratch; same thing with BSD. Right, so the BSD and Linux licenses, or the GPL licenses, are incompatible, so they had to write their own TCP/IP stack, right? You can borrow in some directions but not necessarily in the others. Right, also your phone.
So maybe your phone has a different TCP/IP stack because it's tailored to mobile devices. Right, so the super interesting thing is all of these devices, all of these TCP/IP stacks, respond differently under different circumstances. So for instance, what happens if you send just a FIN packet to the thing? So what's a FIN packet for? Closing a connection. What if you never had a connection open in the first place? What should you send back? I don't know; what you do is look at the spec, right? What does the spec say you should do? The spec does not say what to do in this scenario, because there are thousands of possible weird edge cases. So some TCP/IP stacks will send back a reset packet, some will just ignore it, and so by using that bit of information you can figure it out. And by testing with different fingerprints you can do things like: what happens if you set undefined flags in the TCP header of a request? Some stacks copy them verbatim. What happens if I send you a SYN-ACK packet instead of a SYN packet to start a communication? Maybe you'll ignore it, or you'll actually continue that communication and start the three-way handshake. These are all weird edge cases: different selections of initial sequence numbers, selections of TCP window sizes, all kinds of crazy stuff. I mean, this thing goes on and on and on. There are passive tools, so p0f is a tool that will just look at network traffic and be able to say, oh, I think this IP address is this OS and this other IP address is this OS. And then you can use Nmap.
Nmap has a dash, I think it's capital O (-O), option, you can look it up in the help, that will actively scan by sending all these packets. It has a huge database of different OSes and versions and is able to determine with pretty good certainty which operating system it is. Yes, it's part of the kernel, so... I think it depends exactly on... Oh, you definitely can, so yeah. There are ways to basically... I don't know, I can't remember if you use iptables for this, but there are basically ways to tell the OS, especially on Linux, hey, I want to actually send the packet to user space and I'll figure out how to respond to it. So you can have different TCP/IP stacks in user space. Cool. Wondering if I should do a demo. We'll see if we have time. I don't know... no, yeah, okay, we're good. So, okay, just like we saw in UDP, right? We wanted different types of attacks. So how were we able in UDP to spoof a UDP packet? Just send the packet out, right, and set the source IP as somebody else's IP. The packet gets there just fine; the other server has no way of knowing if the IPs are different. So what about with TCP? How does that story change with TCP? Would we want to do this? No? Why not? Yeah, so you need... so basically this would be very nice because we could impersonate a client connecting to a trusted server. And this was actually... this is still something that's possible. It was first discussed in 1985, which kind of shows you the age of this. So the basic idea is... I'm gonna, sorry, I don't have my handy-dandy beautiful pen, so I'm gonna be drawing with my finger on the trackpad. This is gonna be good. All right, so we have... I'm gonna go back to Alice and Bob. It's been a while since we've had Alice and Bob, and we will be Eve, the evil attacker, for now. Oh, it's just getting worse and worse. Okay, cool. So we want to send a... so we have to think about it in two different ways, right?
We've seen IP spoofing; we can send an IP packet spoofing somebody else's address. We can send a UDP packet spoofing somebody's address, right? So can we, as Eve, send a packet to Bob, a TCP packet to Bob's port 80, and pretend to be Alice? Yes. Why, how do we do that? So we just make the packet, we set the IPs correctly: the source IP is Alice's, the destination IP is Bob's, the destination port is 80, the source port is some random port that we choose. Right, so we send this packet, I'm just gonna call it a packet for now. Right, it gets routed, sent to Bob, and then what does Bob do? Replies to Alice with what? A SYN-ACK packet, right? We haven't been able to send any data to Bob, we can't get Bob to do anything. So Bob is going to then send Alice a... so this is a SYN packet, right? So then Bob uses that destination IP as the source IP address, sorry, and creates Bob's own packet, a SYN-ACK packet, and then where does that packet go? To Alice, right? And then what does Alice do? What do we need as an attacker? So in order to establish this connection, what do we need to do? What type of packet? Yeah, so we as Eve could forge this, send the ACK packet, and then what will Bob do when Bob receives that? Let's say it didn't... let's, yeah, what numbers do we need to get right? Yeah, so there's a sequence number that Bob generates, right, and Alice sends back an acknowledgement of that sequence number plus one. So our entire ability to spoof TCP packets depends on our ability to either get lucky or guess that sequence number that Bob generates, or we need to steal that packet, right? So if we have the packet then we can very easily... Yeah, let's... the answer is it depends, like most answers. So let's go back and look at it here. So how big are the sequence number and acknowledgement number? 32 bits. Which means what are the odds that we're gonna guess Bob's sequence number correctly?
Yeah, assuming each sequence number is equally likely, right, that Bob is randomly choosing a sequence number. Oh, no, okay, I wasn't going to cover that here, but let's... we'll pause this for a second. So this is, it's kind of a weird diagram: the delta between two sequence numbers, I think actually three sequence numbers. So how much do the sequence numbers vary, and I think three in space, so there are three axes here. And so ideally a very secure system would be incredibly spread out. So it turns out something like Windows 2000/XP was, like, okay, but things like Windows 95, you can see it's hyper-concentrated, so you can actually guess. And the other thing again that the attacker has very nicely: the attacker only needs to be successful once. Right, so they can guess multiple times with multiple... if they choose multiple different... so the target IP they're trying to spoof is the same, but they can change the port that the client is coming from, so Bob will think it's a different connection. Linux was better; FreeBSD was very good. Cisco's routers, so this is the old IOS, the operating system that ran on routers by Cisco, before Apple stole and used the IOS name. So you can see again these are like pockets of these sequence numbers not really changing at all, but they were then fixed. Mac OS X, HP had a similar, very easy distribution, and then they tried to fix it and then it clustered kind of even more, like I don't really understand that. So anyway, so the answer is... and this is something that you need to generate a sequence number every time. So, you know, at the time that they were doing this there wasn't really a ton in the way of thinking about randomness, like how random do these sequence numbers have to be? But as we can see, these are the key to being able to spoof connections, right? Yeah, is there a whole reason why the original sequence number is generated to help prevent TCP spoofing, rather than zero? I don't know. Yeah, that'd be interesting.
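The scatter plot the lecture describes is a picture of how much consecutive initial sequence numbers differ from one another. As an added example (not from the lecture, not any vendor's stack), the code below measures exactly that for two simplified generators: a fixed-increment one of the kind behind the tightly clustered plots, and a keyed-hash one following the construction in RFC 6528 (ISN = clock + F(local address, local port, remote address, remote port, secret)). The clock here is a constructed counter rather than the real 4-microsecond timer, the addresses are constructed, and the class and function names are this example's own.

```python
"""Measure how predictable consecutive TCP initial sequence numbers are (added example)."""
import hashlib
import hmac
import math
import secrets
from collections import Counter

MASK32 = (1 << 32) - 1


class FixedIncrementISN:
    """Old-style generator: every new connection gets the previous ISN plus a constant,
    so one observed connection tells you the next ISN exactly."""

    def __init__(self, start=0, step=64000):
        self.cur, self.step = start, step

    def next_isn(self, src, sport, dst, dport):
        self.cur = (self.cur + self.step) & MASK32
        return self.cur


class KeyedHashISN:
    """RFC 6528 style: a secret known only to this host is hashed with the
    connection 4-tuple, and the result is added to a running clock. Different
    client ports therefore land in unrelated parts of the 32-bit space.
    Assumption for determinism: the clock advances a fixed (constructed) amount
    per connection instead of reading a real timer."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)
        self.clock = 0

    def next_isn(self, src, sport, dst, dport):
        self.clock = (self.clock + 4000) & MASK32        # constructed tick
        four_tuple = f"{src}:{sport}>{dst}:{dport}".encode()
        digest = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        return (self.clock + int.from_bytes(digest[:4], "big")) & MASK32


def observe_isns(gen, n=200, src="198.51.100.7", dst="192.0.2.80", dport=80):
    """The ISNs a client sees in the server's SYN-ACKs when it opens n
    connections from successive ephemeral ports (constructed addresses)."""
    return [gen.next_isn(src, 40000 + i, dst, dport) for i in range(n)]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 like the plot's axes."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def delta_entropy_bits(isns):
    """Shannon entropy of the delta distribution: 0 when the next ISN is
    fully determined by the last one, up to log2(n - 1) when every delta differs."""
    counts = Counter(isn_deltas(isns))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def delta_predictability(isns):
    """Fraction of deltas equal to the single most common delta; 1.0 means
    'last ISN plus a constant' always works."""
    counts = Counter(isn_deltas(isns))
    return max(counts.values()) / sum(counts.values())


if __name__ == "__main__":
    for label, gen in (("fixed increment", FixedIncrementISN()),
                       ("keyed hash (RFC 6528 style)", KeyedHashISN())):
        sample = observe_isns(gen)
        print(f"{label:30s} predictability={delta_predictability(sample):.3f} "
              f"entropy={delta_entropy_bits(sample):.2f} bits")
```

With 200 observed connections the fixed-increment generator scores a predictability of 1.0 and zero bits of delta entropy, which is the clustered picture from the slide, while the keyed-hash generator's deltas are all distinct, so guessing the server's next sequence number from the last one gives no advantage over a blind 32-bit guess. Note that the per-4-tuple hash means a client reconnecting on the same port sees a clock-driven progression, which RFC 6528 accepts because that client already knows the ISN anyway.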
I don't know the historical aspect there of what they were trying or not trying to do. Yeah, cool. So yeah... yeah... yeah. In some sense, yes, a lot of the randomness from systems comes from pseudorandom number generators that generate a non-repeating series of random numbers, but they're seeded differently. So for instance, I mean, this is something I can tell you without breaking any security: this is how I was able to generate a different password for every single one of you. So every single one of you has an account, and using your account we seed a random number generator, and then we use that to randomly select from the space of numbers, right? So, and this is something that's interesting, they've shown that a lot of websites or applications will use the time as the seed to the random number generator, which seems like it makes sense, but it turns out... they've shown, like, online poker would use the time to generate a random number and then shuffle the deck. But it turns out you can very easily brute force the time around, I don't know actually, in a good range, like even two minutes, even if it's at the second increment, and you can generate the random numbers and figure out based on the game which of those seeds was correct for the time, because you know what all the cards came out as. And then at that point you literally know what everybody's cards are and what the next cards in the deck are going to be. So you can break systems like that. So yeah, it's very tricky to get the entropy of random numbers right. Cool. Okay, so back in the scenario: so how can we get or know that sequence number? So in some sense, how can we be successful? Or we can steal the packet, right? I mean, like we talked about, if you're on the local network of either Alice or Bob or anyone in between, you can use ARP hijacking to steal the packets there. Cool. All right, another thing we need to do. So what if we now need to worry about Alice?
So Alice is gonna send that reset, which ruins our whole game. What do we do about that? What was that? Yeah, so maybe if we're on the path we can steal that packet and drop it. Yeah. Yeah, what if we DoS Alice? We just send a bunch of traffic to Alice such that there's a very unlikely chance of it ever getting through, or the original SYN-ACK packet doesn't get through to Alice, or Alice's reset doesn't get through, right? So we're gonna do that. Why do you do that? Yes, trick Alice in some sense, right? So yeah, perfect, cool, and that is everything we just talked about. So cool, so in this example, to get rid of that machine, we send a spoofed SYN packet from the victim to the target, the target replies, and then we send the correct ACK packet back, and now... Questions on this? It's kind of the natural extension to IP and UDP spoofing, but now with this problem of the sequence number. We have to get that sequence number right. If we don't do that, then we can't spoof a TCP connection. So what about hijacking? So we just talked about spoofing; what's the difference between spoofing and hijacking in this context? Yeah, so spoofing, we're pretending to be Alice. Right, with hijacking there's a communication between Alice and Bob and we are trying to either modify or inject or change the data that they're sending to each other. So how do we do that? I'm gonna just erase instead of redrawing this. So what's the difference now in this scenario? Somebody walk me through the strategy. Very... you're now making these spoofing problems twice as difficult, and also making sure that they can't directly talk to each other, because any packet they send is going to be sent to each other. That could be one way to do it. But so if we're trying to hijack, what are we trying to hijack? Yeah, there needs to be some connection established already between Alice and Bob, right?
So Alice and Bob had to have already done the three-way handshake. Right, so we have what type of packet going out? I'm just gonna keep drilling this in: a SYN packet, and then what does Bob send back? SYN-ACK, and then what does Alice send back? I'm just gonna do S comma A, and this will be... oh, this is getting out of hand. Okay, the acknowledgement packet. Cool, now at this moment in their communication, can we inject data into this communication? Well, but what... okay, so let's think about it like this. Maybe SSH isn't the best example, but let's say it's a telnet connection. Right, so telnet doesn't have any encryption over the network, and so this is a client, Alice is... right, so that's the data that we want Bob to think came from Alice in the middle of their communication. So what does Eve here need to know in order to do that? So they have the data of the packet they want to send. Yeah, specifically the sequence numbers of both sides now, right, because we want to be able to tell Bob... so the goal of this packet is... so let's go like, so the IP is what? So what's the source IP? Yeah, Alice's, and the destination IP is Bob's, and then now we have our TCP information. So we need to get... this one came from... what else do we need? The sequence number? And specifically we need to know where they... so we need to know what does Alice think Bob's sequence number is, and what does Bob think Alice's sequence number is, so we can send a packet that properly sets the sequence number and the acknowledgement number here. Bob gets that; does he know whether it came from Alice? No, he has no way of knowing. Yeah. Yes, so you need to somehow have seen that packet, right? So you need to either be... so if we're trying to do this without any knowledge of the network, without being able to see any of the packets, then we can easily send this, I mean not easily, but we need to get those sequence numbers somehow, right?
We need to either have broken sequence numbers, or we need to guess them correctly, we need to be very clever, or we need to be able to observe that traffic. Yes, so that kind of makes the attacker's job much more difficult. But here, if you think... so we've seen, right, even on a local network of Alice, she can use ARP hijacking to hijack this entire communication, and then at that point, once Alice has established a connection with google.com, they can inject extra JavaScript or whatever to start crypto mining on Alice's machine, or do whatever they want. Yeah. No, so this is where it becomes very fun. Yeah, so let's walk through it. So, okay, so we'll do a sequence number of Alice and a sequence number of Bob. So this packet must have the sequence number be... let's see, the sequence number of Alice, you agree with that? And then the acknowledgement number is what? The sequence number of Bob. The other thing we should say, to make it easier for ourselves now: let's wait until they're not talking at all, because there are packets going back and forth, so we don't know exactly where these sequence numbers are. So they're not talking, like Alice is waiting to decide what to type into her server. So we send this packet out as Eve. Bob gets it; then what does Bob do with it? That's Alice's new sequence number.
I need to acknowledge this new packet. So Bob thinks that Alice has a sequence number of: sequence number of Alice plus, I'm gonna just put D for data. And so Bob acknowledges that, and then what does Alice do when she gets an acknowledgement for sequence number of Alice plus data? That would be nice, but she goes, no, that's weird. So she sends a packet back that says, no, no, my sequence number is sequence number of Alice, and then Bob sends back the same thing, and they get into this argument with acknowledgment messages, literally back and forth, and it keeps going until a packet gets dropped. And they essentially think, like, yeah, that's what I thought, we are at this sequence number. So yeah, and essentially the problem here is you desynchronized each other's view of the communication channel, so at this point they can't get back on track and so they'll eventually just reset because nobody can send anybody any data. Or if you're very clever and you're really in the middle here, so you're hijacking everything, you can just alter the sequence numbers to be correct so nobody will know what you did. So if you are a true person in the middle, right, you are in between, you can see, stop those packets and change them. You can just rewrite them so that when Bob acknowledges sequence number of Alice plus data, you subtract D from that and you send it back, so Alice just sees an acknowledgement of sequence number of Alice. She goes, great, yes, we're on the same page. And then now when Alice sends data to Bob, her sequence number will be behind by D, so the person in the middle needs to add D to that. And so if you do that you can actually keep the connection going, but it may just be better to just reset things at that point.
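The handshake from the start of the lecture and the desynchronization just described are both about the same two numbers on each side: what I will send next and what I expect to receive next. As an added example (not from the lecture, and a deliberately reduced model rather than any real stack), the code below keeps just those numbers for Alice and Bob, runs the three-way handshake, exchanges one segment normally, then delivers a segment that carries Alice's address and the sequence numbers Eve would have had to observe. Two rules from RFC 793 are enough to reproduce the argument the lecture describes: a segment outside the receive window is dropped and answered with an ACK of what the receiver expects, and an ACK for data never sent is dropped and answered with an ACK. Sequence numbers are small plain integers here (real stacks compare modulo 2^32), and the class and function names are this example's own.

```python
"""Sequence/acknowledgement model of TCP showing desynchronization and an ACK storm (added example)."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str = ""          # subset of "S" (SYN) and "A" (ACK)
    data: bytes = b""

    def __len__(self):
        # A SYN consumes one sequence number, as in real TCP.
        return len(self.data) + ("S" in self.flags)


class Endpoint:
    def __init__(self, name, isn, window=1500):
        self.name = name
        self.snd_nxt = isn       # next sequence number we will send
        self.rcv_nxt = None      # next sequence number we expect from the peer
        self.window = window     # the "plus some window" the lecture mentions
        self.received = b""      # in-order application data, as the app sees it

    def send(self, dst, data=b"", flags="A"):
        seg = Segment(self.name, dst, self.snd_nxt, self.rcv_nxt or 0, flags, data)
        self.snd_nxt += len(seg)
        return seg

    def receive(self, seg):
        """Process one segment and return our reply, or None if there is nothing to say."""
        if "S" in seg.flags and self.rcv_nxt is None:      # handshake
            self.rcv_nxt = seg.seq + 1
            if "A" in seg.flags:                           # SYN-ACK: answer with the final ACK
                return self.send(seg.src)
            return self.send(seg.src, flags="SA")          # plain SYN: answer with SYN-ACK
        # Rule 1: a segment outside the receive window is not for us; restate what we expect.
        if not (self.rcv_nxt <= seg.seq < self.rcv_nxt + self.window):
            return self.send(seg.src)
        # Rule 2: an ACK for data we never sent is unacceptable; restate our position.
        if "A" in seg.flags and seg.ack > self.snd_nxt:
            return self.send(seg.src)
        if seg.data and seg.seq == self.rcv_nxt:            # in-order data: deliver and ACK it
            self.received += seg.data
            self.rcv_nxt += len(seg.data)
            return self.send(seg.src)
        return None                                          # plain in-order ACK: silence


def handshake(client, server):
    """SYN, SYN-ACK, ACK between two endpoints."""
    syn = client.send(server.name, flags="S")
    synack = server.receive(syn)
    server.receive(client.receive(synack))


def run_exchange(peers, seg, max_steps=10):
    """Deliver seg and every reply it provokes; stop at silence or after max_steps."""
    trace = []
    while seg is not None and len(trace) < max_steps:
        trace.append(seg)
        seg = peers[seg.dst].receive(seg)
    return trace


def is_ack_storm(trace, min_run=10):
    """Detector: a long run of empty ACKs bouncing between two fixed (seq, ack)
    positions means the two ends disagree about where the stream is."""
    tail = trace[-min_run:]
    if len(tail) < min_run:
        return False
    return (all(s.flags == "A" and not s.data for s in tail)
            and len({(s.src, s.seq, s.ack) for s in tail}) == 2)


def scenario():
    alice, bob = Endpoint("alice", 1000), Endpoint("bob", 50000)
    peers = {"alice": alice, "bob": bob}
    handshake(alice, bob)
    normal = run_exchange(peers, alice.send("bob", b"ls\r\n"))     # data, ACK, done
    # A segment with Alice's address and both current sequence numbers (which
    # Eve would have had to observe); Bob has no way to tell it is not Alice's.
    forged = Segment("alice", "bob", seq=bob.rcv_nxt, ack=bob.snd_nxt,
                     flags="A", data=b"INJECTED")
    storm = run_exchange(peers, forged, max_steps=40)
    return {"normal_segments": len(normal), "storm_segments": len(storm),
            "bob_received": bob.received, "ack_storm": is_ack_storm(storm),
            "desync_bytes": bob.rcv_nxt - alice.snd_nxt}      # the lecture's D


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Running it shows the honest exchange settling after two segments, Bob's application receiving the injected bytes as if Alice had typed them, and then forty empty ACKs with no progress: Bob insists Alice is at her old sequence number plus D (eight bytes here), Alice insists she is not, and neither rule lets either side give in. The detector keys on that bounded pair of positions, which is also what the storm looks like in a packet capture.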
Yeah. It seems like the obvious thing is, because both of them... it seems like it's really easy to not alter, we can just mess up... This: you can't do this unless you guess the sequence numbers, right? But if you didn't guess the sequence number correctly, Bob's gonna ignore it and say, this packet's not for me, like Alice messed up, she's sending me a weird packet, it's completely not what I'm expecting. Bob's only listening for Alice's sequence number plus some window, like 1500 bytes or something. So it's difficult for a third party to guess and just create a way in that window. So even if you were to actually run a pseudo RMR, there'd be no way for someone to tell that it was your computer? No, all I'm saying, like, this came from the... a switch would say... no, I mean, possibly a switch could say that, your first switch, but my switch is owned by me or whatever, my ISP, and then the packet had to travel between two different ISPs before getting to Bob. But that might happen... Bob doing that forensic back-work of trying to identify that is almost impossible because there are too many parties involved, because I need to go to company X and say, hey, can you give me the logs on this specific server at this time? And even then it's very unlikely that they logged exactly what was sent. Maybe if they log anything it's connection information. But yeah, so this is why, and we're kind of finally at the point here now where we can talk about why ARP hijacking and ARP spoofing are so bad: because you put yourself exactly in the middle of that person's communication with, for instance, the gateway. So you can do ARP hijacking between Alice and her gateway, and now you can see all outgoing traffic that Alice makes. Anything that's not encrypted you can alter and change completely and do whatever you want with, and this includes any... includes mostly, well, let's see, usually you can't do ARP hijacking on a Wi-Fi network, but if the Wi-Fi network is
unencrypted you can see all the package And if you can see all the packets then what can you see here? The sequence numbers which means when you're on a public Wi-Fi and You're using any kind of unencrypted communication. This can happen. That's why unencrypted Wi-Fi is so terrible questions You can see every single packet So what they're doing there is they're using your MAC address to the router probably is Singer your MAC address connect and said I don't know what this MAC address is redirect them to a login page and Then from that login page once you log in that stores on this MAC address has accepted So it just lets your traffic Yeah, yeah Current state Well, it depends on how we do so after we've done this So we've essentially fundamentally broken the integrity of their communication because We were able to convince Bob that Alice said that Alice never said And Bob has no way of knowing that we sent that and Alice didn't send that And so at that point, you know, depending on the context is it's kind of game over in terms of security of this communication, right? Because it could be a maybe it's a Website for selling stock and we just told them to transfer or sell all of our stocks or the bank account application And we just told them Bob to transfer all of Alice's money to us Right fundamentally Bob has if Alice could do this do something to this application we can now convince that application to do Do it on behalf of After the fact but we already injected so that data got sent to Bob and Bob thinks that came from Alice so at that point afterwards now Alice and Bob can't talk but Bob thinks that and Bob has no way of knowing that this data came from us So then when you try to reestablish No, no, no, not necessarily So for instance tell that session right Alice logs into the system using a password everything I send in the clear Which means that look I mean when I say literally tell that it's like you type an L key and send the packet It's an L. 
You type an S key, they send the packet that sends S. You hit enter, it sends enter, and then they send you back the results of your `ls` query. So what that means is data coming into that connection is treated as a command. So this data is `rm -rf /`. Eve sends it to Bob, Bob thinks it comes as part of this communication, which then means that Bob will do whatever this command says it's supposed to do. It doesn't care that it can't talk to Alice anymore. It's gonna do whatever that data says it should do, because it thinks it's coming from Alice. We can send multiple, as many more as we want, and like I mentioned, if we were clever and we're actually a person in the middle, then we can just translate, and Alice could still interact with Bob. We can send a reset, because, you know, how do they know what happened? Like, maybe their Wi-Fi connection broke or whatever, right? So, as long as we do whatever we need to do to cover damage, or all other ways we're trying to get onto Bob. So maybe we use this to be able to change out, and then now we connect to Bob as... logging in as user Alice with... And now we're in. It only takes one, probably. Just cool, and okay, so we can go over.

Yeah. Yeah, so basically this is what they call an ACK storm that happens, which we talked about, when they desync. Cool. All right.

Other types of things that we can do: we talked about the problems of availability, right? So there's all these kinds of cases where we can maybe try to attack the availability of the system. So put yourselves now into the mind of an attacker. So why would somebody want to take down another machine?
System? You could take down whatever is watching it, so that they can't see, like, any logs of you. Yeah, so you can take down... a lot of people use third-party providers for stuff, so maybe you can take down their log aggregator so they have no way to access their logs. That's a good one. So you could... Okay, you could... Yeah, okay, so, like, an important news announcement comes out, you take down a bunch of stock exchanges, or brokering firms, except for yours, so you're the only one that can trade off that information. Yeah, maybe we take down one server to trick people, by DNS poisoning or ARP hijacking, our move thing, to try to get people to use our server instead of theirs. Like... Right, so yeah, so that would be one. I mean, that's not really a financial gain unless maybe you're able to get more spots and then sell them to people who can't get in. So yeah, like DoSing the course registration page at the time of registering for courses. Well... Yeah. Yeah, that's not as... I heard rumors of, like, law students who would, kind of similar, rent books, like get the books from the library and rip out chapters of the book so that other students can't study from them before exams. He's not scaring each other. What else? None of these sound like very big money-making endeavors. I guess, like, maybe you happen to know, like, a security company, like say a bank that buys a security company X, and you happen to know what device the bank sends information through in order to send a long call or something, or maybe all of them. There's a lot of information. Sure, you just hold somebody's server ransom. Yeah, what's that? Just block all their traffic and they'll pay you. Yeah, so what have you taken down? So would you target Amazon for this? Or Microsoft or Google? Well, yeah, they are very high-end websites.
They can handle a lot of traffic. If you redirect just a fraction of Google's traffic to ASU, everything would melt. Right, so Google's able to handle a ton of traffic. Um, so then who would you target? Yeah. A little less sketchy, I made both of those examples. Okay, so let's talk about websites, right, taking down their website. Is it really gonna affect a hospital necessarily if their web page is down? You'd hope not, right? You hope that people aren't gonna die if the website is down. Right, what companies actually get significantly affected if their web page is unavailable? Yeah, like a major... uh, commercial airline company that relies on bookings. Yeah, okay, so airline companies. Yeah, any kind of business that's not in that top percentage, right, if they're making money selling goods over the internet, and you're able to take them down. Right, you take them down for like 15 minutes, then you send them an email that says, hey, that's unfortunate that your site is down. I'm actually in the business of offering denial of service protection. Uh, if you pay me some bitcoins, I can guarantee that your site will never go down. And then if they don't reply, you... Exactly. Yeah, it's a protection racket. Yeah, this literally happens. I mean, this is something that happens. Surprisingly, you are not the most malicious people on the internet. People already thought to do this kind of thing.

That's just crazy to me. How do people who are falling for this do that? Why would you just then, like, okay, go... Oh, well, I should do the denial of service. I'm just gonna go research this on my own. Why would people leave the kitchen even? Like, how could people possibly be that stupid?

So I think it's... Yeah, as the person doing the denial of service scam, I mean, you're not really, you're scamming them, but you are taking down their site, right?
So you do it for 15 minutes, at the end you send them an email, and then when they ignore you, you do it for another 15 minutes. Or you send an email being like, your site's gonna be down for exactly 15 minutes. Reply to your first email, you DoS them for 15 minutes, and at the end of that you reply, see, that sucks, you really should pay me. And you just keep doing that for maybe a longer and longer period of time, and they start calculating. Wow, it's costing us... we know our website makes, whatever, a thousand dollars an hour. We could pay five hundred dollars for that to stop happening. Yeah. Right, it's like a business decision at that point.

Well, okay, so that was for the short term, but then right after that they go get a good person who's good at stopping the denial of service, I hope. But the trick is targeting mid to lower tier companies who don't have the budget. I mean, there's other companies you can also hire, a company like Cloudflare to soak up your traffic, or Akamai is the other one. But the problem is those places are very, very expensive. Like, they can handle these types of denial of service, but for businesses they cost a lot of money. And then you could try to do complicated things, splitting networks and doing all kinds of crazy stuff, but you need a small-ish network. Anyways, okay, great. So you're all good, well-versed criminals. I'm very proud of you this semester. We went a little dark pretty quick, but we got to the money-making aspect, because a lot of this cyber crime is all about making money.

So one of the most common ways of taking down a server is actually just kind of the simplest. So let's think about it from the perspective of an attacker, right? An attacker wants to perform a denial of service attack. What does that actually mean? So we want to take down a machine, but how? So what are your options? So let's see. Let's look at this real quick. So, all right, I'm going to erase all this again.
We're just going to go with this example. Oh, this is too much. Okay, so we want to take down Bob. Right? So there's some stuff already in this diagram, right? So we know that there's some network link into Bob. Maybe we can saturate that network link. How much bandwidth are network links? Yeah, in the gigabits to tens, maybe hundreds, depending on how much bandwidth they have at various points. So let's say Eve has her laptop. She's sitting in CSE 365. Is she gonna be able to take down Bob's server by saturating it with one to ten gigabits per second? No. Why not? She's one machine. I hope she's not writing these packets out by hand. It's possible, but I wouldn't recommend it. Okay, so what is Eve to do? What does Eve need conceptually here? What's the problem? So Eve needs more servers. So rather than one Eve... so let's say Eve is able to generate a quarter of a gigabit a second. How many machines would Eve need to do 10 gigabits per second? 40, right. So she can go on an underground forum, hire cyber criminals that will give her access to a botnet, a bot being some machine that exists on the internet that an attacker has gotten control of. It could be your machine. Right, and Eve can direct all of those to generate as much traffic as they can to Bob. I think even a quarter of a gigabit per second is still very high.

Okay, this is one thing that Eve can do, right? And what else could Eve do? So just get more machines, that's the only... Yeah, so okay, so make sure the handshake doesn't go through. So there's various points here that Eve can target, right? So the network bandwidth is one possible thing. That's like a physical limitation of the network, right? How much capacity can this specific cable hold, or multiple cables, multiple routes, all that kind of stuff, right? But other things, so we know that Bob only has one server. Right, what are some of the limitations of a server?
Memory. What if Eve is able to convince Bob's machine to use 200 gigabytes of RAM? Bob's a mid-range retailer, they're not going to be using a machine for that website that has gigabytes of RAM. What are some other things? Yeah, so number of connections that can be established. Where is that likely defined? In the... So the operating system, right, may define the number of connections. So maybe Eve can saturate that limit, exceed the total number of connections. What else could Eve maybe do? Yeah. So there's link-level DoS, what we talked about, physical links. There's a kind of IP/TCP-level DoS, and then all the way to the application-level DoS. You could make Bob run a very expensive regular expression. Right, and the key to all of these, so why... so let's say we're able to convince Bob to do hashes for us. Right, why is that a problem? Why does that cause a denial of service against Bob?

What if, okay, so you want him busy to do something that he's not supposed to, or that he doesn't necessarily know he wants to do. But what if, to make him do a decrypt hash, you have to do a decrypt hash as well before you could make him do it? Or whatever reason, I don't know, he'll only hash something if you can prove that you've hashed it. Would you be able to denial of service him? You're denial of servicing yourself.

So fundamentally there's an asymmetry here in every single denial of service attack. So you are able to trick Bob to do work that you don't have to do yourself. So if you can just send him a request, that would take you three packets that are cheap to send, and then Bob hashes for a minute, then you can just send those three packets over and over and over. It costs you nothing and it costs Bob a minute of computation, and you can keep doing that. So denial of service at all of these levels is all about leverage. So what we talked about is if Eve gets multiple machines,
she's increasing her leverage relative to Bob. She's able to generate and use more resources than Bob is able to use. Eve may also be able to trick Bob to do that. So for instance, one of the classic denial of service attacks is about taking advantage of the operating system and the fact that... so think about, again, it all comes back to the three-way handshake. So one side sends a SYN, the other side sends what? A SYN-ACK, and then the client says what back? The ACK. Think about between step two and three. What does the server have to store? How does the server know that the ACK was correct? The sequence number of Alice, so the client, right? So the server has to store somewhere the sequence number of the client, and the tuple, right, the source port, source IP, the dest port, the dest IP. That's the storage. How long does the server keep that information around? Till... well, what if you never reply? So what if the ACK never gets there? Right, some kind of timeout. It needs to store it around for some kind of time. And as an attacker, if I send one SYN packet to you, what do you send back? So what resources did it take me to send a SYN packet? Nothing. I don't have to store anything, right? I send a SYN packet to you, you send a SYN-ACK back, and then what are you storing? That sequence number, my sequence number, your sequence number that you generated for that connection. Right, you have to store information in the kernel about that connection, and it cost me nothing. So one of the very common denial of service attacks is an attacker just keeps sending SYN packets to a machine, and the victim keeps replying with SYN-ACK packets, and the attacker never replies. And that way the server has to store that information somewhere. And even better for us, we don't care if we ever get that SYN-ACK packet back, so we can spoof our IP address.
We don't care, I'm never gonna get this packet back, it'll be somebody else's problem, as long as I use a source IP of somebody that's not going to reply back with a reset. Then we're good, and I can now trigger a denial of service. So operating systems will limit the number of TCP connections they keep in this half-open state, and so what I do is I just fill up that buffer with all of that, and now nobody else can initiate a new connection to you.

Yeah, DoS-style attacks, yeah. Yeah, so it depends. I mean, that's the key. So for modern systems it's not really much of a problem, but these are kind of conceptual problems of kind of looking at... Um, so what things can you do to fix this? Well, you can filter, uh, maybe based on source IP if it's not changing as much. You can increase that length, use more resources. Reduce the timeout that you store that information. Um, you can limit the half-open... Cookies, which we're gonna go over anyways. You can do something very cool, and the sequence number that you use is chosen in a way that you can verify when it gets sent back to you without you storing anything. Uh, so you basically, like, embed data in your sequence number. Um, all right, we will finish up with this. I thought we'd get through all of it. Do we want to... All right.
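The two points above, the per-SYN state a server has to hold between steps two and three of the handshake, and the trick of choosing a server sequence number that can be verified when it is echoed back, are what SYN cookies put together. The following Python model is an added example, not code from the lecture and not the Linux implementation: the 32-bit layout (a 5-bit time counter, a 2-bit MSS index and a 25-bit truncated HMAC) is loosely modelled on the Linux scheme but simplified, and the secret key, MSS table, tick period and all addresses, ports and sequence numbers are constructed for the example. A classic stateful backlog is modelled alongside it so the two behave differently under a flood of SYNs that never complete.

```python
"""SYN cookie model: a server ISN the listener can verify when it comes back
in the final ACK, without keeping any half-open state per SYN.

Assumed 32-bit layout (simplified; not the exact Linux format):
  bits 31..27  5-bit time counter t (COUNTER_PERIOD-second ticks)
  bits 26..25  2-bit index into MSS_TABLE (client MSS, rounded down)
  bits 24..0   25-bit truncated HMAC over (4-tuple, client ISN, t)
"""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-secret-rotate-me"   # assumption: random per host in practice
MSS_TABLE = (536, 1300, 1440, 1460)        # assumption: 4-entry table
COUNTER_PERIOD = 64                         # seconds per tick (assumption)
MAX_AGE_TICKS = 1                           # accept this tick or the previous one


def _tick(now):
    return (int(now) // COUNTER_PERIOD) & 0x1F


def _mac(saddr, daddr, sport, dport, client_isn, t):
    """25-bit keyed hash binding the cookie to this 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Nothing about the SYN is stored."""
    t = _tick(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 25) | _mac(saddr, daddr, sport, dport, client_isn, t)


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed in the final ACK (its ack number minus one).
    Returns the recovered MSS, or None if the cookie is stale or forged."""
    t = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    if (_tick(now) - t) & 0x1F > MAX_AGE_TICKS:
        return None                         # too old: the counter has moved on
    expect = _mac(saddr, daddr, sport, dport, client_isn, t).to_bytes(4, "big")
    got = (cookie & 0x1FFFFFF).to_bytes(4, "big")
    if not hmac.compare_digest(expect, got):
        return None                         # wrong tuple, wrong client ISN, or a guess
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """The classic design from the lecture: every SYN pins a backlog slot
    until the ACK arrives or the entry times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, saddr, sport, client_isn):
        if len(self.half_open) >= self.backlog:
            return False                    # backlog full: the SYN is dropped
        self.half_open[(saddr, sport)] = client_isn
        return True


def flood_comparison(n_spoofed, backlog=128):
    """Model n_spoofed never-completed SYNs (constructed source addresses) against
    both designs, then try Alice's real handshake.
    Returns (stateful_accepts_alice, cookie_accepts_alice)."""
    stateful = StatefulListener(backlog)
    for i in range(n_spoofed):
        stateful.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1)
    stateful_ok = stateful.on_syn("10.0.0.5", 4000, 1000)

    # Cookie listener: each spoofed SYN costs one SYN-ACK but no memory, so
    # Alice's SYN -> SYN-ACK(cookie) -> ACK(cookie + 1) still verifies.
    now = 1_000_000
    args = ("10.0.0.5", "10.0.0.9", 4000, 23, 1000)
    cookie = make_cookie(*args, 1460, now)
    ack_number = cookie + 1                 # what Alice's final ACK carries
    cookie_ok = check_cookie(*args, ack_number - 1, now) is not None
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print(flood_comparison(200))   # (False, True)
```

Two caveats worth knowing when reading this: the MAC is truncated to 25 bits, so a blind final ACK has a 2^-25 chance of validating, and because nothing is stored the server loses the client's other SYN options (only the MSS survives, rounded down through the table). Those trade-offs are why Linux, for instance, only switches to cookies when the backlog actually overflows rather than using them for every connection.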