 All right, let's rock and roll. But first, can everyone see my screen? Yes. Yeah, so this is just an IPython terminal with I crunched all the data to get a notion of how many people were scammed total. So we had roughly about 500, 510 people like actually finish assignment three. So I thought you'd like to see what that actually looks like what assignment three ended up looking like. So first off, this is the total number of people that were scammed. So if you felt like if you ended up, you got your assignment back and you saw that you were scammed, you're not in the minority, 369 students out of, what's that? What did I say about like, let's say 510. So roughly 70% of the class got scammed. So not great. And then the question we also want to look at is I've sorted the scammed list from highest to lowest. So the question is, were there any, let's say, people that were very frequently scammed? So we can look at the top 10 here. And you can see it's actually not that bad. So nobody got scammed more than eight times. If we extend this down. So you can see this kind of like long tail of people getting scammed. So I thought this was pretty interesting seeing that like, you know, eight, seven, six, like the number of times that people got scammed was not a ton. So yeah, I think this is super interesting. You can take what you like out of that. And then if we now look at the sharks. So I'll do a similar thing. We'll ask S4S in sharks if S greater than zero. How many people, how many sharks do we have in the class total? So total 62. So we only had 62 people acting adversarily, which is roughly 10%. I mean, it's definitely slightly more, but my rough math, yeah, 12% of the class actually acted as adversaries. But you can see that that that big impact, right? 62 people were able to scam in total 369 other students. And of course, the whole point is for there to be scammers out there, right? If there's no scammers, then you can just sign everything right away. So let's look at I'm going to save the top one. I can save the top two. Let's look at the top 20 scams. Well, let's go for the 40. So starting at second, we had 73 successful scams. And these are verified, right? So these are different than the thing that you saw submitted. When you submitted your key, we just did a basic count of who was on there. But looking at this, we can actually see this big kind of taper off here. So we have 73, 65, 51, 45, 38. Get to the 30s, 20s, 10s, and then it drops off very quickly. And you can see that by the time the top 40 sharks were only scamming two people total. So should we look at the winners? What do you want to do, top three? Let's do top 10. I think that's pretty good. Cool. So this was an astounding number. So the top shark scammed 171 people in the class. This is way larger than I think I've ever seen before. So even though this is two classes put together, that's still crazy just if you think of the amount of time it takes to do that. So yeah, so there's 171. The next one was 113. And then 73, 65, 51. So yeah, I think that's super impressive. And you can see that the amount of dedication that it comes into one person scamming. Yeah, so we could do that. 171, 50169. Sorry, what was it? I was using 510. Yeah, so a third of the class. And I believe we have with us today this successful scammer themselves. Person number one in the class who is going to tell us about how they successfully scammed people. So would you like to de-anonymize yourself and unmute yourself? Hello. There we go. Hey. Hey, should I introduce myself? Yeah, please, please. OK. So my name is King. I'm a junior studying electrical engineering. I'm just taking this class for fun. I'm also working full-time as an intern at Mogue Space and Defense Group. I'm doing satellite design work. So basically for this assignment, I had to pretty much pitch everything and then have everyone to get. So can you talk about your strategies, your strategy of how you approach it from the start? OK. So first day, pretty much everyone assigned for the first day was legit. And at the same time, I asked them to send in their adversarial keys as well. So I can study the differences between a real key and adversarial key. And I found some key differences for the grayscale generated key. Some of them is just usage permissions, expiration date, and other stuff. Then I noticed you can actually edit those permissions out and also change the expire date to imitate the real key. Cool. So you like actually did basically research in looking at a bunch of adversarial keys in order to see what an adverse or what a real keys. What did real keys look like compared to adversarial keys so that you modified then your adversary key to make it look more like a real key? Yep. Another difference. So I know that all the adversarial keys and the real key are signed by the class server key. Yep. But some, so what I did was I actually create another fake adversarial key and then it is signed by a fake class key since I guess some people didn't know that it has to be the same fingerprint. So as a result, I sent in my AF key and my fake AF key saying that my AF key is actually my real key. OK, that's good. So that's basically exploiting people or pretending a show of good faith and being like, well, I'll show you yours. I'll show you my adversarial key so you know that I'm not trying to scam you. And so give them the adversarial key and what you claim to be your real key. But it's actually it's your real adversarial key and you've created even a fake adversarial key. Fake adversarial key. Yeah, other than that, I feel like for this semester since we have a pretty big Discord server, it became much easier to communicate with others through direct messages. And I guess due to the pandemic, we haven't really talked with each other or most of us haven't really talked with each other. So we kind of just trust that we're hopefully sending the real keys over to sign. So yeah, and that's a crazy, you know, it's really interesting, even like social psychology, in some sense, finding, right? That like because you didn't establish, very few of you had established trust relationships among people in your class. It's, you know, you couldn't rely on that. Let's say to authenticate people and to verify their identity. Yeah, so one last thing is that once I got to around, you know, 30 or 25 or 30ish keys, I saved a backup copy of that key because people would become suspicious when I'm sending out a key with 120 people signed with it. So I made a backup and then just sent it to other people saying, you know, I still need five more keys to get to 30 keys. Yeah. Nice. Awesome. Cool. Any other words of wisdom you can maybe share with the class? Yes, my word of wisdom is just to start early. All right. First day, you know, a lot of people don't just want to get it done, right? Yeah. So first day and last day. Yeah. So I guess that's a valid, don't procrastinate, right? That applies to every class. Yeah, I keep telling that to every class. If there was a magic way I could get students to actually believe that, I'd be a happy person. But yeah. So I saw comments saying how many people signed no F keys. I think I didn't sign any F key for mine too. So yeah, it should be, well, that should be easy to do. We should be able to get the people who are scammed. Oh, actually, I mind this length. 151 people signed no adversarial keys. So we're never scammed. Yeah. Cool. Well, thank you, King, for sharing your knowledge with us. We appreciate it. It's always good to hear that. Other clever tricks that other people I know have used. People are asking in the chat, could you actually delete the name that was generated on your adversarial key? Did anyone try that? Did they try deleting the user ID on their adversarial key? Yeah, you did. What happened? Did it? Was it successful? Yeah. So it got rid of the CSC 365 spring 21 signature, right? So what would you do in that case? Well, you do basically what King did is you can create a fake CSC 365 key, sign that adversarial key with it, because the fingerprint remains the same on that key even after you delete the key ID. So the fingerprint remains the same. You sign it with a fake CSC 365 spring 21. And I guess, King, the one thing you didn't talk about, which you can fill in here, was how did you get that signature? How did you get that fake CSC 365 key to essentially your victims? So what I did was I exported them as, I think, two keys. So you can actually combine two keys together. So when you import them, it will say you import a class key and adversarial key. So it looks like it's a CSC 365 key. Exactly. So you can definitely, and this is the other trick I've seen with people who replaced their user ID with their real name and their real email address, is they then will send you actually two keys, right? So they'll actually send you because GBG doesn't care. It doesn't know that it's not like a one file, one key thing. You can import a bunch of keys in one file. So you import the file they send you. It says two things imported. And when you list six, it says that CSC 365 is signed your key. I think there was like another, so you can actually create a second user ID. Yes. Make that as your main user ID. So when they try to sign it, it will say that a real name, you know, whatever you put. But in the end, you sign both keys, both to have key and a second user ID key. Yeah, that's great. Yeah, so the valid, having a valid, well, you could always ask. So people ask me about that, right? So having a valid CSC 365 signature was required for everyone else to know that that key is part of the game, right? So if you intentionally delete that, people are still signing your that key, that key ID. So nobody should sign it, right? Because you should send them that key. They look at it, they see the fingerprint doesn't match and you should know right away you're getting scammed too, right? So yeah, that was great. Cool. Any other thoughts or comments on assignment three in either the chat or from anyone else? Yeah, shout out to whoever that person was. Who was the fake person that somebody created in Discord? They tried to get me to sign their key. Somebody was asking if we're able to see our individual results. Yeah, we emailed it to you, your ASU email. Yeah, Diana Roberts, that's who it was. Shout out to whoever that was. That was funny. Cool. Yeah, it was interesting. Like seeing that you, you know, last year when I did this, the pandemic hit right midway through. We actually, you know, everything got canceled as you know, right after spring break. So yeah, the students had their own Discord that they had already set up but there were already some snakes basically and scammers in that Discord. So they thought they could trust each other but definitely they couldn't. And there were many people who thought like, yeah, I never got scammed who found out that one of their friends on the Discord scammed them. So yeah, anyways, so cool. I'm glad you all liked that. And now let's talk about the next assignment. Okay, so thank you, King. And yeah, you know, King is joining us after his job. So we appreciate him coming here and talking to us about that. So what was a record before? Oh, it's something, I have to look it up. It was something like 70 or it's nowhere near this but this is obvious. But on one hand, you have double the number of potential victims, right? Because you have three, you know, we had 300 people before. Now basically there's roughly 600 or total potential people. But that doesn't take nearly into account the amount of effort it still takes to scam each individual person. Some crazy stuff when I ran this in one class was, this was, it wasn't my grad class. I think this was when this was a 400 level class and there were some grad students in the class and they wrote like Python scripts and shared it with people to say, hey, here's like some code you could run to like check people's keys. And it actually was legit coded, did work, except they had basically a back door where if you checked their signature, it would say yes. So they intentionally like flooded fake keys out there. So yeah, I've seen all kinds of things. Yeah, it's super interesting. Like I think I said before, students one year created their, so you all think like, yeah, this would be so much better and easier if we're in person, but students tried to create a certificate authority where they would verify people's IDs and let them into the list and then put their real name on this list. And somebody, the person that year who was the best person got on there and scammed like 30 or 40 people who were on this what they thought a trusted list and scammed everyone on there. So all it takes is one lapse and bang, you can be scammed. So yeah, I hope it was a good lesson in thinking through trust and what things can you trust. Oh yeah, Photoshopping there. Oh, the other, so the other thing that was really interesting that I didn't see very much of, I don't know if, because I try not to pay too much attention to especially the discord when this assignment was happening, but also the Piazza board. So people would realize, basically what happened is people would realize that if you made a post on Piazza, do you know who can edit that post? Yeah, everyone, anyone in the class can edit that post. So what would happen is somebody would post a real ask for their signature and then somebody else would quickly go in, edit it, replace their key with their adversarial key and wait for other people to sign it. So then the students like evolved defenses. So what they started doing was they would create a post on Piazza that just said, read comment. And then they, because comments, you can't change comments. Yeah, exactly. So then people would post comments with what they were with their signature and what they wanted. So yes, it's always fascinating like what are the systems that pop up when you do this kind of assignment? So yeah, all right, let's go to assignment four. So I'm glad you all liked that. Cool, all right. So assignment four will be released basically after class. So don't bother with it right now. You can't do anything right now. Okay, so before I talk about this assignment, so this assignment is going back a little bit to authentication. So we're looking at password to hashes and the assignment is gonna be about breaking password hashes. I know we just covered network security but kind of in the timeframe we have, it's gonna be difficult to fit that in. So the basic idea is will be the next homework assignment and or the final will be pretty heavy on network security. So cool, okay. So yeah, we're gonna basically cover a scenario when password hashes are released, what happens? So there'll be four different parts to this assignment and you can basically use any resource or program to help you solve the challenge except for each other, right? So don't ruin or spoil things for each other. I highly recommend this program, hash cat is the best piece of software I've seen for doing this assignment. So part of the goal is understanding what tools are out there. I'm already giving you pointers to these tools and it's your job to read the documentation for this tools, how to install them, everything like that. So the very first thing you'll need to do is get your own hashes. So there will be an assignment called crack that pass hashes. You literally submit anything, I mean, literally anything but of course we get everything you submit so don't be dumb, just submit like a blank file and then it will return you your personal hashes to crack. So there's four different parts. The first part is an MD5 hash and for each of these we have some intelligence that's telling us something about the hash itself or the sorry, the password that this hash represents. Nobody's actually sent anything but I'm just warning you that like, I don't know it's like emailing a file to me basically. So don't just don't be dumb. Submit your read me or something like it doesn't matter. Anyways, so it's a six character password. So and this is a double checked if you don't know that you're using the right hashing algorithm, it's standard to MD5 but check with either the system that you're using and this is one of those things that's incredibly useful when you're doing this kind of password hashing usually you can break maybe one hash at a time you can break one hash at a time but you can do multiple hashes. So always whatever software you're using just to verify or using it correctly put in a hash that you know the password to. So here we know Adam hashes to this value. So if you put in this hashing there you should be able to that should pop out quickly and that tells you that you're doing it correctly. Again, so you'll have to understand read the documentation for the tool that you're using to say how do I get it to search through just the space of six character passwords? For part two is shot 256. It's standard shot 256 Adam hashes to this ASU hashes to this and this is actually a seven character password but it's composed of lowercase letters, uppercase letters and digits. So again, the password and space for a seven character password is very large so it's important that you figure out how to limit it to just this space. Bcrypt, so an important thing about Bcrypt. So Bcrypt is a slow hash or one of the slow hashes. Note that Bcrypt include a salt so that there are many possible outputs. And I think if you submit the hashes thing multiple times it'll give you technically different hashes but they're all the same. So don't really worry about that. So for instance, Adam can hash to this or to this an ASU can hash to this or this because it has different salts. And unlike the previous ones this intelligence is telling us that it's a commonly used password. All right, so you can do these three just using the tools that we have talked about before these John the Ripper and Hashcat. Again, highly recommend Hashcat. It works really well. It's very good about taking advantage of your CPU and GPU. The other thing is if you feel like you don't have an so we'll talk about it in a second but oftentimes you may run into some crazy custom hashing function that you want to brute force. So you're gonna have to write code to do that. So if you don't feel like writing code I guess we're being slightly generous where you can get 90 out of 100 by not writing any code for this assignment. But if you do want those sweet, sweet 100 out of 100 there's an extra 10 points for a custom hash function. So this is a hash function that I created. You basically do MD5 100 times. So basically you take the string string pass it through MD5 you take that string pass it to MD5 take that string 100 times then you pass that 100 times through SHA 256 and then 100 times through SHA 512 and that's the result. So this is definitely one where you wanna verify that you've implemented this correctly and you could do that by checking these hashes. So we can check the atom hashes to this 6415 blah, blah, blah, this whole thing in this hash scheme ASU hashes to this and security hashes to this. Now there, it is nice we're telling you that the user was quite lazy and the password is five characters lowercase letters A through Z. All right and then to submit. So again, the submission instructions. So submit a read me file again exactly the word read me on grade scope do the assignment crack that pass that contains your name ASU ID in a description of how you broke or reversed the hash. And you'll also obviously need to include the password. So again, the assignments auto graded there's 600 of you basically. So basically, yeah, so submit with this. So MD just like you did for the WeChile assignment way back when are the banded assignments, right? So put in your read me MD5 colon space and then the password you identified for part one SHA 256 colon space, B-crypt colon space custom colon space and that way we'll check auto grade it and you'll know your grade exactly at the moment that you submit it and it automatically grade you. So there should be no questions there. Okay, before I take questions on the assignment itself. Okay, so important things about this let's do the 31st. So that gives you like a week and a half I believe that's Wednesday or Tuesday can somebody verify the day of the week that that is? Wednesday, thank you. Okay, and okay, the important thing is, so a couple of things, A, how long this takes? This could take 24 hours, 48 hours depending on the speed of computation available to you. So you can always use, I believe you should have, do you guys have AWS credits? Anyways, yeah, so students get them for free. Anyways, so share resources with each other of like, hey, this cloud provider or Google cloud or whatever. If you have problems, let me know and I can help you. So post on Piazza, share resources with each other if you need additional passing power but I've seen students complete this assignment on the most beat up laptops. So you don't need a fancy GPU you don't need any fancy system. You can do these assignments on the current systems provided you start early. So this is part of each of these pieces of software will tell you the estimated time that it thinks it's gonna take to crack it. So make sure you look at those. So this is one of those things. You gotta start this assignment early. We're not gonna give you an extension because you decided to start Wednesday morning and it's gonna take a day to crack it. Like sorry, that's the assignment itself. So you should have started early. So that's why we're giving it to you now. Pretend it's due in a week and that way Monday morning you could freak out and you'll have two days to crack it. Okay, now questions on the assignment. Any tips for Hashcat? Yeah, download it or read the manual for it, read the documentation. It's a really easy to use tool. Any other questions? Where are the hashes of the password? You'll submit to an assignment called crack that pass hashes on Gradescope. That'll be open after class today. How do we implement the code? That is a question you should be able to answer. I don't think the lectures are directly helpful for this. The goal is it's related to password authentication that we talked about and there's plenty of documentation for breaking hashes out there. So there's tons of stuff. Like seriously, John the Ripper has great documentation. Hashcat has great documentation. Just taking, I mean, I don't know, take a half hour, take an hour, read all the docs about it, it's super easy. Yeah, good information to solve part four would be write a pro. So you basically want to first step, write a program that implements this hash function, verify that you have it correctly because you have these and then write a program to brute force, loop through all five character lowercase letter strings, hash, check the hash if it's equal, you found it. So cool. Any other questions? And let's go finish network security. Do you all believe it? We're almost done with network security in that. So somebody's asking about a part four, the custom hash function, if you can use hashcat, I think you can use hashcat. You'll just need to write a, I think they call it a kernel. Like you need to write some, you need to figure out with hashcat, how to write a custom hash function for hashcat. So yes, you definitely can use hashcat, but it doesn't come out of the box. That's the entire point of that assignment is basically like, and this happens all the time. So you'll find websites that like, hey, we just did MD5 20 times. And so now all of your current hash stuff is useless and you need to figure out how to do that. All right, network security. Let's rock and roll. Yeah, so we'll finish actually network security today and then Tiffany's gonna take over. We're just talking about binaries and application security starting Wednesday. So that should be super fun. And then depending on how long that goes, we'll probably get to actually web security, which I don't know if it's cause it's an online course. I don't know if maybe your other courses are like this, but we seem to be going a little bit quicker now. So yeah, it'll be nice because, or maybe we're getting better at condensing the material or something, but yeah, we're right on track. So we should have a few weeks of web security so I can teach you all how to web hack. No, it's not quicker because of spring break. We still have 15 weeks, same number of weeks. And even worse, you could add more homework assignments cause we could have assigned homework over spring break, you know, so cool. Okay, let us start. Cool, so we talked about TCP hijacking, so I won't go over this. And now we're basically gonna touch on different types of attacks that we can see in networks. So one category of attack that we can talk about is, and let me, I can only stop. Okay, let me pull up Notability and make sure I don't have anything sensitive there, which I did, good. It's always good when I do this in advance, okay, cool. All right, see the screen? So Christian, you're gonna be our bad guy again. Although we did just get evidence that you're really not the worst person in class. So, or at least the baddest person, I don't know. We said that the scores on assignment three say that. Cool, okay, so we'll start with our classic example, or we can actually add in, let's add in Christian to this picture, cool. And I'm gonna change this to the midterm server. All right, so Christian didn't study for the midterm and would like more time on the midterm. What's one way that he could possibly accomplish that? What if, so let's put yourself in my shoes. What if six hours before the deadline, this machine goes down, or that two hours before the deadline? Yeah, I'd probably say sorry, don't wait till the last minute, but maybe I'll give extra time, right? You can always try to appeal to that. So, and this is a entire class of vulnerabilities that we've been talking about, right? Denial of service. So Christian's goal here is literally trying to take, make it so that M can't talk to anybody else. And interestingly, we talked about this a, this also came up before. So what other scenario would that come up with? Right, when did we talk about dossing in the term of network security in order to accomplish another attack? I think it was specifically TCP spoofing. I should have a big X here, right? I've lost the meaning of all of these diagrams. So, okay. So, right, so when Christian wanted to pretend to be my machine, Adam's machine against the midterm, that was the example. So Christian would send a SIN packet from Christian's machine to the midterm. The midterm would reply back to me with a SIN act and my machine would reply back with a reset go away. But if we're able to DOS and take out my machine, I'll never send that reset. So potentially Christian can actually spoof that packet. So, but let's think about the actual capabilities here. So now in this case, Christian's not trying to DOS me. He's trying to DOS the midterm machine. So, how can Christian do that? So what are some ways that you think Christian could try to DOS the server? Yeah, send too many packets, but how many packets? Like, how many are we talking about? What if Christian just cut this connection from the midterm machine's router to the internet, like physically cut it? Yeah, let's say he figures out where the server is, he breaks into the server room and cuts it. But now there may be other computers connected to there. So maybe we'll notice that. So what if he just cuts this connection from the midterm machine to the switch? Yeah, but that's a classic. I mean, this is almost every criminal movie. If they actually applied their knowledge to a good enterprise, then they wouldn't be criminals and they could make a good living doing what they wanted to do, right? So, if Christian's able to cut that connection, that would definitely disrupt. Cool. Okay, so you're saying send a lot of packets, but what are we actually trying to do when we send a lot of packets? Say over on the system, what system? Can you be more specific? Yeah, I can think about actually many things, right? And if you think about it, as long as I can take down just like we talked about, so how could I target maybe that link between the switch and the uplink or the router, right? So if you think about it, this is a physical link. There is some physical capacity there. It may be one gigabit per second that that link can possibly hold. So if Christian's able to send a gigabit per second or more, then essentially it's as if that network is cut and nobody else will be able to get traffic on there. So we call that saturating the bandwidth there. Now, if I'm running this on Amazon, how big is that link there? Yeah, very big. I'd say maybe 10 or 100 gigabit per second. And furthermore, it's even more complicated because there's probably several redundant routes in there where if one is saturated, it will go across the other ones. That's a good question. Let me look something up real quick. So people are asking what the largest attack was. Oh yeah, there we go. So the largest DDOS attack, so the D, this just stands for distributed. So I think one of the largest ones was against GitHub. I mean, to put this in terms was 1.3, oops, that's not a one. 1.35 terabits per second. So that's 1,000 times more than a gigabit per second. Yeah, and that's sustained. So continually sending that and then things will start to melt. But Christian, does Christian have a terabyte per second to send traffic? So Christian is fundamentally limited. And this is the important thing. Christian is fundamentally limited by how much, how many packets he can send, right? Let's say he's on a network where he actually has good network traffic and he can send one gigabit per second. If this, and this is where you get into the distributed part, right? If there's a total capacity going to the midterm machine of 100 gigabits per second, then Christian would essentially need to control 100 machines on the internet that can all send one gigabit per second. But of course, getting an actual gigabit per second is difficult. So anyways, that's why all this stuff makes sense. But assume that all of the, let's say the input links there are 100 gigabits per second. Christian just can't do it with his one gigabit per second. And so there's other things that he can try to target, right? So like we said, he can actually try to target. Now there's the amount of bandwidth basically going into his network. There's also the amount of bandwidth available going to his machine. If this is just one gigabit per second, then we could saturate that and crash that. Or a good one that I like is, what about the switch, right? Remember we have the switch here, but packets actually need to travel along that switch. So switches actually have their own bandwidth of how much traffic they can process. So if the switch itself is one gigabit per second, then maybe the switch falls over before any of the links do. So you see how even if you have, I'm gonna even up our capacity here and say, we're amazing, we can handle one terabit per second on all of our physical links. But if I happen to have a switch that is as capacity is only one gigabit per second, then the switch will die at that point and the midterm machine will essentially be down. Is this starting to make sense? Now, like we talked about, but switches can be very fast and have a lot of capacity. So let's say I upgrade the switch, I pay a ton of money and I have essentially a switch that is one terabit per second. Now, can I take over this? Now, can I let's say saturate any of the network connections between Christian to the midterm server? How expensive would that be? That's a great question. I don't know. I'm not a, I just kind of use network stuff. It's expensive. Like if you're trying to buy a one terabit per second capacity, it is very expensive. Okay. So now the question would be, remember like we talked about, so there's actually the midterm machine and there's some a patch actually, there's some web server here, but there's also an operating system. So what if we're able to use all of the memory in the operating system such that it has no more memory for new packets, right? So let's look back. So Christian sends a SIN packet. I'm now abstracting the packets more. Christian sends a SIN packet to the server. What does the server send back? SINAC, all right. And then what is the server waiting for? That final act, how does it know it's the right act? Not just ports. So it has to mass ports. So let's see, IPC, IPM, source port, destination port, the sequence. I'm gonna put SEQ lowercase C for Christian sequence and I'm gonna put SEQ lowercase M for the machine sequence for our sequence number. Cool. So for every outstanding SINAC packet that the server sends, it has to store this information. Does a, do machines have an infinite amount of memory? Thank you. That was an easy question. No, they definitely do not, right? Even though we pretend that Turing machines do, they do not. So the machine for every SIN packet that Christian sends, the machine, the midterm machine has to store in the operating system, one, two, three, four, five, six, at least six bytes of data. So what happened if Christian sends a gigabyte of different SIN packets? So a gigabyte's worth of SIN packets, like a million SIN packets, I'll just say that. How much data will the operating system have to store when it sends those SINACs back? So let's go with a million, oops, right? I send a million SIN packets, the OS will have to store one, two, three, four, five, six, like six million bytes, right? And I can just add 10 onto here. And at a certain point, will the server be able to keep up? Yeah, no, at a certain point that the operating system has to decide what to do. It's, let's say it's using as much memory as it possibly can, a new packet comes, a SIN packet comes in and it probably has to either say reset or just drops it because it has no way to verify that SINAC. And so if I'm monitoring this network, will I see a bunch of SIN packets from Christian's IP address? Think about it this way, these SIN packets. So in this example, this example has Christian's IP as the source IP of the SIN packet. But does Christian actually care about getting this reply? No, because deliberately Christian does not want to establish the three-way connection. In fact, it's better. So Christian can actually just choose random IP addresses. And on the other side, then Christian, we have actually no way of knowing that Christian's sending out all of these. So it's using the fact, and this is what's a little bit confusing because these are TCP packets. So we think about TCP packets while you wouldn't want to spoof your IP. But if you only care about sending out SIN packets and don't care about getting the SINAC, all you care about is that this memory is being consumed in the operating system, then that's great. So this is called a SIN flooding attack, which is exactly like it sounds. So it's a really common denial of service attack where you send out a bunch of SINs, the victim replies with a bunch of SINACs, and then the attacker literally does nothing. And the source IP can be spoof since we don't need the final acknowledgement. And because of the resource problem that we talked about, hosts can keep a limited number of TCP connections in this half-open state. And so they stop accepting new connections. So you're really limiting the amount of people. So this is one way to perform a denial of service attack on a machine. So how would you fix this? What's the timeout gonna be? Just think about how like two seconds, how many packets can Christian send in two seconds? Yeah, a lot. And think about if Christian has access to many machines, he could send, you know, if he has access to a hundred machines, he can send a hundred times the packets he can send in two seconds. Yeah, but if I timeout after a certain number of SIN packets, Christian will send all of those SIN packets, the timeout will trigger and nobody else will, if I make a packet limit, so what are you gonna limit on, right? Because other people are sending SIN packets too, they also wanna talk to the server. So how do you know which ones are Christian's fake packets and which ones are real packets? And you can try, so there's, you know, filtering is basically a way of doing this. Like you're saying is like, well, figure out which ones are, you know, the SIN flooding packets and which ones aren't. And sometimes there are ways to tell and they can drop those packets so they don't reach it. Ah, good question. Identify machines that are sending a lot of packets. Where in this diagram is the midterm machine located? What network? Just give it a name. Let's say AWS. Where's Christian's machine located? Yeah, his network. Do we, let's say we're administrators of the midterm machine network? Do we have any visibility into Christian's network? Yeah, no, we can't know or understand or even see any packets that he's sending. So we actually have no way of knowing that these IP addresses are spoofed. That's kind of the crazy part there. So that becomes difficult. Like you said, we can try to increase the length of the half open connection queue, but at a certain point, we can try to reduce timeouts, but again, we may impact normal functionality and normal people. We could do what we talked about, drop half open connections. So if we hit a limit, so once we hit our limit, we've randomly dropped maybe some SIN acts that we're waiting for in our queue, but there's actually a very cool trick. So what's the fundamental problem here? Yeah, the problem is limited memory and how is Christian taking advantage of that by filling the memory? So if you think about it, and this is the important thing with every single denial of service attack, they all rely on some sort of lever. So you've, I don't know. You've heard that it was at the Archimedes quote about something, about giving me a lever and I can move the world or something like that. The idea being Christian sends one packet and how much memory does he get the server to store? Well, it's actually more than eight bytes, but we'll go with that. So let's say six bytes, right? Six bytes, right? So with one packet, it causes the server to store six bytes. Now, what if it was zero bytes? Would that be good? Would that stop the problem? Yeah, that's one sad packet. So then maybe Christian could try the network tricks we talked about, right? By trying to block stuff on the network. But if you think about it, like Amazon or AWS has invested a ton of resources into making sure the network is stable and secure, but my Chippo machine that I'm using to rent here probably doesn't have that. So it's much easier to attack the operating system to the machine or the application itself than it is necessarily the network. So we make Christian's problem hard. But how do we do that? Isn't that like, how can we, is there a way we can not store this data? It seems kind of crazy. Like, again, think about it. Why do we need this data? Yeah, to verify that last connection, right? To verify a valid act gets sent back. But there's this really cool approach called the sin cookies, which are probably not as delicious as they sound. And the basic idea is to encode using an algorithm because the whole point is we wanna be able to understand. So what's gonna get sent? So the sin packet is gonna have their sequence number. That's really bad, sorry. Right? So that's gonna have the sequence number. And that's what we have here. We'll also need our sequence number gets sent back. That gets sent here. So we need to be able to, now what gets sent back to us, right? A valid act will have, I'm gonna move my terrible thing. A valid act will have a source IP. Ah, I forgot how I was doing this. Okay, source. So IPC, destination. IP of M. At the TCP level, we have source port of whatever X, D, port Y. And then I have my sequence number, which will be sequence number C plus one. And my act number is sequence number of M plus one. Now, if we just trusted everything that they gave us, well, we wouldn't really have a good secure connection and people could easily spoof their IP addresses when making connections. So it makes everything, it makes spoofing a lot easier. So we don't want that. What we want is, now what the server will send back to us is our sequence number, sequence number of M plus one. So we're gonna encode a way to verify that, yes, we saw these in the original send. So that's essentially what is happening here. Anyways, we're not gonna get into the details, but it basically includes a hash of a counter and the source destination IP addresses ports. But basically, you choose your sequence number very carefully such that when they send it back, it allows you to verify the other bits of information. So this is a super cool idea so that you don't actually have to store any data so that we can check it and verify that, yes, we can rebuild everything and verify that. That really doesn't matter, blah, blah, blah. Anyways, so yeah, this is a super interesting way and operating systems actually have a setting that you can configure to say, yes, use SIN cookies on your server if you need to. They're not established by default, I think, because, well, if I had to guess, I'd say you're reducing the entropy of your sequence and acknowledgement numbers because you're encoding information there, so. But anyways, I think this is a super fascinating way and just the idea of like doing something crazy and saying, well, the core problem like we saw is I send one packet and I get the server to store six bytes of data. How can I make it so that I store zero bytes of data and then actually doing that? So that's where we get SIN cookies, which are pretty cool. We also have other denial of service effects, attacks that basically take advantage of targeting different resources. So like we said, this takes advantage of resources that are associated with a half open TCP connection, but when I establish a TCP connection, I send the SIN, I send the SIN act, I send the act, I send the SIN, I send the SIN, I send the act, right? The server actually will have to store some information. So, for every socket, the server is storing information. So if I have a bunch of machines, rather than necessarily doing a SIN flooding attack, I can make TCP connections and then just hold that connection open, forcing the server to the server's operating system to hold that memory open. I can also take advantage. So this was a common PHP back in the day and Apache was a process pool model where basically it would spawn, let's say 10 different processes who are responsible for responding to requests. And what they do is they make 10 connections and just hold those connections open as long as possible so that no other connection could go in. Oh, this is really cool. So we can purposely, so we saw, if we go back here, right? We saw, remember when we talked about the sequence, right? We have the sender, we have the receiver, right? Let's say our sequence number is at 10. So now what if as the sender, I'm malicious now and I send, well, here's let's say one gigabyte starting at sequence number 11, let's say, right? The operating system has to keep that in its memory. And obviously one gigabyte is, that's looks like 16 Bs. That one gigabyte may be too much. So it depends on the specific operating system of how much data it will store there. But essentially the idea is fill the operating system up with all this information because it's just waiting for that first byte before it can return everything up to the application that's listening. But you've never actually send that last one and you force it to store all that data. So you do this with enough connections and you could force the operating system. Again, it's a you make one TCP connection. And in this case, like force server to store one GB. And so you make enough connections from enough machines to use all the memory available on the system. All kinds of cool stuff in here. One of my, the slow Loris that Loris, is that right slow? How do you spell that? It's an animal. Yeah, that's right, cool. So the idea there is it's a denial of service attack against HTTP or web servers. And the idea is an HTTP request looks like HTTP or no, it looks like get slash HTTP one dot one. Something like that. That's Loris like this, L-O-R-I-S. Go Google it. You can see they're very cute. Kind of cute. Oh, you should get your cute radar checked. I've seen one in person. I can't remember where, but maybe it was Thailand. Anyways, the, so the notion is that you make an HTTP connection to the web server. And rather than sending all the data at once, you send like one byte a second. Say G, E, T, space. Slash, and you do this with enough connections, you've reached the limit of what the web server will concurrently process. And you can't really, it's really difficult to tell is like, is this person just on a really crappy internet connection or are they doing this deliberately? So this is another super interesting denial of service attack. Okay, we'll cover very briefly firewalls. The concept is basically, oh, we'll get my machine. So I'm running my machine in here. I've got access, let's say to a web server. It's my router that has access to something else. Well, actually I'll pretend we're all on the internet for now. So now there's our great friend, Christian. So yeah, so why was port scanning useful for Christian? So let's say I have this web server here, right? To know which services are running, which are associated with the ports. So let's say I have SSH, SSH daemon running on port, that's too many S's, SSHD port 22, and I have Apache on port 80. And I wanna set up my system such that Christian or anyone should be able to access the web server because that's what it's for. But only people inside the network should be able to access port 22. So the goal is, wouldn't it be great if I had some system? Oh no, my wall looks ugly. There we go, probably better if I just delete it. All right, fire, does that look good? All right, you can draw your own firewalls later. Does that look good enough for you? Everyone's a critic. Okay, so a firewall is just basically a network mechanism. So it goes back to what we have as policies and mechanisms. So remember all that stuff we talked about, that's actually relevant, right? So it's a mechanism that allows, so you can specify a policy and you can say only TCP port 80 allowed to web server. So you can write this policy in the language, install it on the firewall. And this means that now any packet that the outside world sends to port 80 will be dropped, or sorry, it will be anything that's not to port 80. So when Christian scans this system, he'll only see that port 80 is open. And not just that if Christian thinks that it's open, he literally can't scan any other port. Whereas me in this network, I would see port 80 and port 22 are open. So this is just the basic idea of it allows you, firewalls allow you to write network policies about who should be able to access your network. And this is actually why the internet isn't such a huge dumpster fire, is goes back to what we talked about of routers. So your home router and the fact that you have NAT basically has a default policy of no incoming connections, which is actually a great secure policy because it means that no matter what junk you're running, and it used to be people would find vulnerabilities in windows or whatever. And there's a, I don't know if it's still true, but there's a saying or a notion that if you plugged a Windows XP machine directly to the internet, there's so much scanning and viruses that are scanning for targets going on that you would get infected within 15 minutes. I don't know that that's necessarily true nowadays, but the point is now that everyone has NAT and they basically have this default firewall that says no incoming connections, you actually get a decent amount of security from this. So firewalls are like a whole topic and area then you can get all into the weeds. You have all this problem of your policies when you have something like this look very easy, but what if you have a thousand hosts and you have conflicting policies? How do you deal with that? There's a whole bunch of stuff here, but yeah, other types of systems that are interesting that fall into the network security context, intrusion detection systems. So these are systems that like a network firewall is basically trying to block any access in or allow you to specify a policy of who should get in. You could think of an IBS is a system that basically listens and looks at traffic coming into your network and tries to decide is this an attack or not? So this was a hot topic in like the, I don't know, 80s, 90s for a long while before people kind of realized like, oh, this is actually an incredibly difficult problem trying to determine if I'm seeing an attack or not. This goes back to when we talked about like our house example, right? So we want to be able to know if an attack occurred on our system because we wanna know if we should remediate or if we should do something, right? It's like we talked about with houses and alarm for your house isn't necessarily to deter thieves, although that can help. It's mainly there so you know when something's happening. So an intrusion detection system is a mechanism that allows that monitors all network traffic to try to determine evidence of compromise. So it can say, hey, I saw somebody launched a Apache exploit at our web server. And then I also saw all of our database data flying out of our server, seems like a problem. The key problem though is if anybody's run so snort if you wanna, you know, play around with this I highly recommend just like download snort it's an open source IDS, run it on your own network traffic with the default policies and see what it sees. You'll see that it's really difficult to, you know, write these things. What do you actually want to detect? And the, yeah. So that one cool difference here is an intrusion prevention system. So rather than just a tech that kind of acts as a firewall and if it detects something, it actually blocks it. Let's see what I wanna cover here. Snort, yeah, part of the problem why it's so difficult to understand if you're actually is, if an attack was actually successful or not is because of the vantage point here, right? You're only looking at the traffic. So it can be really difficult to say, yeah, maybe. So what if they launched a or they sent traffic that should trigger a vulnerability in IIS version 10.0 to your web server? Is that actually in, did you actually get compromised? Because you're actually running Apache, not IIS, two I's, one S, right? Like that's a completely different operating system. The same vulnerability is not going to exist on both. Cool. And then I'll show an example of this because I do wanna talk about this a little bit more. But yeah, so there's a whole like network security, like we just scratched the surface here. There's a whole other class you could take at the undergraduate level if you're more interested in this and wanna go deeper. Other topics and areas that we work on is we do research on software defined networking. So we look at new networking systems, allow a central system to configure like a whole enterprise network and change routes and change how switches work on the fly. It's super cool, but it introduces some interesting security problems. Firewalls, like I mentioned, this policy problem, what if you have two administrators who put in a rule that says, well, we should allow this and block this? You know, that's a core problem because it means your policy is inconsistent of what you actually as an administrator want to have happen in this network. Intrusion detection systems, the new hotness is called the APTs or Advanced Persistent Threats, which is just the notion of a highly sophisticated attacker. And so you may, you know, we looked at an intrusion detection system as just one thing that's listening to traffic here, but you could think of actually listening to traffic throughout your whole network. You could think of monitoring all the systems on your network, the host, so you can see what's happening and you can try to link events to see attackers propagate through your network. IPv6 is a whole area we don't touch on, IPsec. Anyways, there's a bunch of cool areas to look at in network security, but you are just dangerous enough now to know the basics. So yeah, any last questions on network security? Do we want to go back and look at my drawing of firewalls? Is that what you, the people want? Should I sell an NFT of this beautiful firewall? Now I'll give it for free. Feel free to screenshot this, you know, YouTube video and to your heart's content. Cool. All right. With that, we close out network security. So an IPS, I'm sorry, and I just said goodbye, but yeah, an IPS is not a firewall. It's, you can think of the difference between one is like a bouncer, right? So the firewall is a bouncer that allows things in or out and examines everything and decides whether packets go in or out. Whereas the intrusion detection system is like a security camera and all the people that are going in and out of the building and trying to determine if anybody's going to steal money from the bank, right? So it's like people watching what's going on to try to say, oh, I think we have a robbery in progress but IPS is don't really, or sorry, IPS. Sorry, I missed that. Yeah, yeah. So the prevention part, does that mean it's- So the difference is basically, yes. It doesn't do what a firewall does because a firewall has a policy specified by an administrator of what they want in and out. An IPS, an intrusion prevention system acts as an IDS but when it detects something, it can actually block it. Most IDS's don't do that. Okay, so a firewall blocks by policy, IPS blocks by detection. Exactly. Then maybe someone kind of logic. Exactly. Yeah, and it needs that, right? Because you don't want stuff blocked just because it kind of looks like maybe an attack. Right. No, that's a million dollar business transaction. Please don't block that. Thanks. Cool. All right. Thanks, everyone. That was fun.