All right. Any questions, or anything else? Oh, I guess I should ask: any questions about anything today before we start talking about smurfs? Any questions? Yeah. Yes, the deadline has been extended to Wednesday. Okay, you got an extra two days. Yeah, see, I don't know if people want extended deadlines, but deadlines kind of suck, because you just continually work on the thing. Same thing with papers: when you're submitting to a conference and they extend the deadline for a week, you're like, "Great, now I get to work on this thing for another week." Any other questions? Happy to answer them now.

Yeah. Yeah, I'll... but it should be fairly simple, right? So I make a request saying that I accept gzip encoding, and I make sure that you say you're sending me back gzip, and then I make sure that it's the exact same thing, you know, with gzip and without gzip, right? So it shouldn't be getting trickier, except for the fact that it had better be gzip encoding that I get back.

Yeah, I mean, generally it's kind of like any software, right? Specifically this is a server. So for the test cases, we start the server, we run the test cases, and we stop it. So if your server crashes during the test cases, then it's going to get an error like, "Hey, I couldn't connect to the server," because it crashed. So this is part of building a robust server that works. To me, that would probably be what I would look at: okay, is there a possible way I could crash the server? Or crashing is one thing; hanging would be another, if it's not accepting any new connections because it's busy. You know, maybe it went into an infinite while loop or something.
I mean, those are the kinds of things that I would be looking for. Other questions are about making sure that the output is exactly as we say it is: that you're sending the right headers, that you're sending the exact amount of content that you specify in your Content-Length header, that your headers are properly terminated. I've seen a lot of incorrect line endings that still work correctly in browsers. The correct line ending is a CRLF, which is a \r\n. Oh, it is required; it specifically says in the spec that an HTTP request is this, this, this, followed by CRLF, where CRLF is \r\n. Is it that? I don't know; there are a lot of mistakes that could be made. These are generally some of them. You should be returning a proper HTTP/1.1 reply which conforms to the spec. So this is about reading the spec and seeing, is what I'm actually returning... read the spec. I'm not saying that's what the problem is. I can't debug everybody's code, but when I see snippets of code and I see that there's that stuff in there, it means that you've got to read the spec to understand exactly what you should be sending. When you fix those kinds of things, little errors magically go away. There was somebody who was not even terminating headers; I think there were two headers that were concatenated together, and that was clearly the problem. The problem is how it manifests itself; it varies completely. Maybe some test cases will pass while others fail. Some things are just checking that something's listening on there. You know, it's hard to say a hundred percent. The other things are URL decoding: are you doing it properly based on what we said in the spec, on our assignment description? So making sure those test cases pass. Are you accurately emulating, like, if your language doesn't support system() or whatever,
are you accurately emulating it? Hey, guys in the corner. You guys. So yeah, if you want to talk about the project, you can talk about it; happy to do so, except obviously direct questions or anything... I mean, I'll answer something. So yeah, hopefully that helps. It's not supposed to be intentionally, incredibly tricky, right? But if you're adding additional output... I mean, this is how we do test cases: we run it, we compare the output of what your program sends, not just the output but what curl says the output is or what a browser says the output is, and we compare that with what we expect. If it's not there because there's extra HTML stuff or whatever, because that's not what we said to do in the spec, or because you're including standard out when there shouldn't be standard out, or because you're including standard error and there shouldn't be standard error in there, these are all things where, if you're not lining up exactly with what the assignment says, then it's going to be your problem. Any other questions? You can talk about it.

Yeah, do you need to redirect both standard out and standard error to one place? Is it both, or one or the other? Say again? Like, I have situations where there's something in standard out as well as in standard error. So do I need to put them together and output that, or only the standard out? No, only standard out. Only standard out, just like the assignment description says. Take the program, put it in system(). Whatever the standard out is, you output that. Standard out is not a... it's a well-defined thing, right? Standard out, standard error. So you should toss away... you don't ever care about what's in standard error. You only want the standard out of the command.

Yeah, so sending a command that doesn't exist, like asdf, should it return whatever the standard error... I'm trying to run system() of that command and see what it outputs.
All right. It does not exist. No, I think it does nothing; it's an empty string. I think that's printed out to standard error. Yes, so you should output nothing. The standard output of whatever you try to run, whatever that command does, that's it. So it's... I don't know, it's complicated, right? But it should be complicated in reading the spec and understanding the spec; these kinds of things should be fairly simple.

Yeah. So if the user sends a command that runs forever? That's kind of up to you. I would just let it run forever. The user's an idiot; they shouldn't have done that. But, you know... I don't even know if I want to continue. So if you guys want to have discussions, you can always leave. I'm trying to answer these questions so it'll be helpful. So yeah, if the user does that, you can absolutely let it run forever. But if I make another request to your server, it had better respond and not hang. That's, I think, the key. So if that ever were to happen, you'd have to make sure that your server still responds.

So, yeah. Yes. It's not of the type you would want to have... any questions? No. So there's only... yeah, there's only the two cases. So the only thing we're special-casing is the comment section of authorized_keys. If it's just one word, you should return that; if it's user@host, you should return whatever that host thing is; if it's multiple stuff, you just ignore it. If it's one word, yes. Correct, but we said you can special-case that. It's likely that that's a hostname. Yeah, that's what special-casing means: we're going to do that thing, but just for that. You don't have to worry about... you shouldn't be parsing any other comments. It's just that file format. Any other questions?

Cool. So we left off with the smurf attack, right? So the smurf attack.
So what level of the networking stack is the smurf attack targeting? Is it targeting HTTP? It's targeting... it's using the ICMP message, right? We're using the ICMP ping, the echo command. Not the command, but the ICMP protocol: the echo request and response. The attacker is using that, and what they're going to do is use the fact that we can spoof IP packets. We can spoof the source of an IP packet. So we say, hey, this is a request from this machine that I want to take off, 128.111.41.10. This is who it came from. I'm going to make an echo request to, in this case, 192.168.1.255. As we talked about, that's the broadcast address of the 192.168.1 network, which means that every host is supposed to reply to that address. So they all get that and they say, oh, this host wants to see if I'm up. Of course, yeah, I'll send packets back. These are all my return packets, right back to that host, .10. And then I also do the same thing: I do another packet to 192.168.2.255, and so then all of them respond back to this ping. Finally, the different network, was it 10.10.20.255? This other subnetwork, and so then they all reply back.

So the effect is, by sending three packets, I've been able to get all these hosts to generate traffic towards this .10 machine. So this is actually... I guess nowadays, when we talk about denial of service, we're concerned with really distributed attacks, with botnets, where you control thousands of machines and can generate a bunch of traffic. But the idea here, with the smurf attack, is you actually do this by controlling basically one machine and knowing some subnet where you do this, and the subnets themselves end up generating the traffic. You leverage all these other hosts' ability to respond to this ICMP message to take this machine offline. And so this goes into one of the things that is really important.
So why don't I just send these three packets to the .10 machine itself to take it offline, since I'm trying to do a denial of service? Why don't I just send them there? Yeah, so the idea to think about is: yeah, I could send three packets to .10. Is that going to crash the machine? No. Is it going to saturate the bandwidth of the link to the machine? Probably not, with just three packets. So the idea here is leverage. Denial of service attacks are all about the attacker trying to use some leverage. So the idea is, by sending three packets, now I could potentially have 154 hosts reply, so I have an increase of one packet to 200... what did I say, 254? Possible, right, if every host is on that subnet; not likely, but in the worst case, that's what I could do. So now I have a lot of leverage, so I can generate a bunch of traffic to .10. That's one of the things to think about with denial of service: if I could generate enough traffic to do a denial of service to .10, then I'll probably denial-of-service myself if I'm saturating the Ethernet links or something, because that traffic still has to get there somehow. So these are important things that we'll see in denial of service attacks: it's about the leverage. It's about using and finding some way to... what they call amplification. So what's the amplification of me sending one packet? How many does the victim receive? If you remember, I can't remember if it was a year and a half ago, the NTP, the Network Time Protocol daemon, had a really bad amplification attack, so people were using that to take down a bunch of servers. It's the same principle, a different technical implementation, but the same principle of amplification.

So there are a bunch of ICMP messages.
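The three packets the lecture walks through, as an added example written for this transcript (not the lecturer's code or slides): it builds the spoofed echo requests offline with `struct` (no raw socket is opened, nothing is sent), verifies the IP and ICMP checksums, flags directed-broadcast destinations (the check a border router should make to stop the amplification), and computes the amplification factor. The victim and the first two broadcast addresses are the ones read off the slide; the third subnet is garbled in the transcript, so `10.10.20.255` is an assumed placeholder, as are the ICMP identifier and payload.

```python
import ipaddress
import socket
import struct

# Constructed addresses for the walk-through. .10 is the victim whose address is
# forged as the source; the .255 addresses are directed-broadcast addresses of other
# subnets (10.10.20.255 is an assumption standing in for the garbled third subnet).
VICTIM = "128.111.41.10"
BROADCASTS = ["192.168.1.255", "192.168.2.255", "10.10.20.255"]

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(ident: int, seq: int, payload: bytes = b"smurf") -> bytes:
    """ICMP header is type, code, checksum, identifier, sequence; checksum covers the payload too."""
    unchecked = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    csum = inet_checksum(unchecked)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = IPPROTO_ICMP, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. The source field is whatever we put in it."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; checksum_ok is True when the header sums to zero."""
    v_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"version": v_ihl >> 4, "ihl": v_ihl & 0xF, "total_len": total_len,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "checksum_ok": inet_checksum(pkt[:20]) == 0}


def smurf_packets(victim: str = VICTIM, broadcasts=BROADCASTS) -> list:
    """One echo request per subnet broadcast address, each with the victim forged as source."""
    out = []
    for seq, bcast in enumerate(broadcasts):
        icmp = build_icmp_echo_request(ident=0x1234, seq=seq)
        out.append(build_ipv4_header(victim, bcast, len(icmp)) + icmp)
    return out


def is_directed_broadcast(dst: str, prefix_len: int) -> bool:
    """True if dst is the broadcast address of the /prefix_len network it falls in.
    A router that refuses to forward such packets (RFC 2644 default) removes the leverage."""
    net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def amplification(packets_sent: int, responders_per_packet: int) -> tuple:
    """Packets the victim receives, and the amplification factor (received per sent)."""
    received = packets_sent * responders_per_packet
    return received, received / packets_sent


if __name__ == "__main__":
    for pkt in smurf_packets():
        h = parse_ipv4_header(pkt)
        print(f"{h['src']} -> {h['dst']} directed-broadcast={is_directed_broadcast(h['dst'], 24)}")
    print("worst case /24:", amplification(3, 254))
```

The `is_directed_broadcast` check is the defender's side of the same arithmetic: if the router in front of each subnet drops packets addressed to the subnet's broadcast address, the three packets reach nobody and the factor collapses to zero.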
The specific one we're going to look at is Destination Unreachable. This is the next one we're going to look at. The idea is the gateway can tell the host that sent it, like, I don't know how to get to this destination. It could be that the network is unreachable. It could be that that host is unreachable. It could be that it can't send on that protocol for whatever reason. It could be that it can't send to that port, so it could be a message saying, hey, there's nothing listening on this port. It could be that we requested that our packet not be fragmented, but we got a reply saying, hey, we had to fragment your packet. So, to refresh ourselves, at the ICMP level these are all helpful, useful debugging information. So you want to know: if you tried to send a packet and you said, hey, don't fragment this packet, and if they have to fragment it and then just drop it and it disappears, you'll never know if it got there, didn't get there, or why it didn't get there. So this kind of helps try to answer that "why" question.

And so there's another type of attack here where we can try to, once again, kind of denial of service, try to cut a node out of the network. So basically the idea is... we are sending, let's see. Man. Okay, I've got to look at this screen. This is too small; I've got to fix it. We are sending traffic to .123, and we're saying that host... ah, yes, yes, host .56 is unreachable. Wow. Let me really understand what's going on here. We're forging it. The packet is being sent specifically... so here we're sending it to .10, which is this machine, from .123, which is that machine. All right, we're trying to... okay. Got it. Cool.
I still understand where the leverage comes from here. I tell you what, I'm going to have to look this up, because I don't understand what's going on here. So I love that. Yeah, I was thinking that maybe we're trying to take it out by telling other hosts that we can't reach that host, and so they'll try not to contact it. So yeah, there's no way to send it... that should be how it works, but maybe it does work like that and I just have a different idea of how it does work. Yeah, the cloud part is just a router, so we're just showing you these are two different subnets. Okay, we're going to come back to that. Sorry about that.

Okay, so we'll go to the last... I think it's the last. Yeah, okay, cool. So we're going to have the last ICMP message. This one is really important. I think we mentioned it a little bit. What is the Time Exceeded? TTL. So what was the TTL? Time to live. Yeah, which is always very exciting. So the idea is, when the TTL becomes zero, or if we couldn't reassemble a fragmented datagram, we get a Time Exceeded message back. So that's the switch's job, or the host's job, to tell us that, hey, this packet timed out. So what is this? I think most of us, or most of the people who've done network programming, are pretty familiar with... what's the main way this is used, like a network diagnostic tool? "So that the packet doesn't stay in the network forever." Yes, that's why you do this, but we could just drop it. If we were using the TTL, we could just drop the packet. We don't have to tell anybody, and the network, I think, will still be... we won't have packets floating around forever. But what, like... yeah, we don't have to. This is kind of a nice-to-have, so IP doesn't give any guarantees on delivery.
So this is definitely not something we need. It's something that's very helpful and handy, and it's actually used in a tool that probably a lot of you have used before to try to debug network connections: traceroute. So this is actually exactly how traceroute works, which is really cool. What it does is it sends a packet out on the network with a TTL of one, and then it sees who responds back with that ICMP Time Exceeded message. Then it sends a new packet with a TTL of two and gets a response back. So this way, if you're getting ICMP Time Exceeded messages from each of these hops in between, these switches, you can actually, from one host's side, map out the entire number of hops and where and how your packets are being routed through the network. So it's actually a really handy, cool tool to use. Definitely not in any way malicious, so you don't have to worry about that.

Yeah, so the idea is you send a series of... I believe they're probably ping messages or something, but it doesn't really matter; you send out IP datagrams, and you start at one, and each packet you give a unique ID, and you increase the TTL field by one. So the idea is you do this, collect all of the Time Exceeded messages, and now you have the IP addresses of where those ICMP Time Exceeded messages came from, and because you have the ID of the original IP packet you tried to send, you can map that to the TTL number, so you can see exactly how many hops. So this is actually incredibly useful from a security perspective. So why would this be useful? "You can manipulate the path." Yeah, so maybe you can manipulate the packet. But you'll never know until you know how it's getting there, right? So you may not know if it's a good path or... "Maybe you can find out information about those switches somehow, about the path." Yeah, basically. It also goes back to basic reconnaissance and information gathering.
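The procedure just described, as an added simulation that is not part of the lecture: a constructed path of routers decrements the TTL, whichever hop drives it to zero sends back a Time Exceeded quoting the original packet's ID, and the probing side maps that ID back to the TTL it was sent with, three probes per TTL. It also models the two causes of the asterisks that show up when the lecture runs traceroute later on, a hop that silently drops expired packets and a reply lost in transit, which the sender cannot tell apart. The hop addresses, the reverse-DNS table used to mimic the `-n` flag, and the `Network`/`Hop` classes are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Hop:
    """A router on the path (constructed model, not real network code)."""
    addr: str
    silent: bool = False                            # drops expired packets without Time Exceeded
    lossy_probes: Set[int] = field(default_factory=set)  # probe numbers whose reply is lost


@dataclass
class Network:
    routers: List[Hop]
    dest: Hop

    def deliver(self, ident: int, ttl: int, probe_no: int) -> Optional[Tuple[str, str, int]]:
        """Forward one probe. Returns (icmp kind, sender, quoted packet id), or None on timeout."""
        for hop in self.routers:
            ttl -= 1
            if ttl == 0:
                if hop.silent or probe_no in hop.lossy_probes:
                    return None
                # ICMP Time Exceeded carries the original IP header + 8 bytes, so the id comes back
                return ("time-exceeded", hop.addr, ident)
        # TTL survived every router: the destination answers the echo request itself
        if probe_no in self.dest.lossy_probes:
            return None
        return ("echo-reply", self.dest.addr, ident)


def traceroute(net: Network, max_hops: int = 30, probes: int = 3) -> List[Tuple[int, List[str]]]:
    """Send `probes` packets per TTL, starting at 1, until the destination itself answers."""
    sent: Dict[int, int] = {}  # packet id -> TTL it was sent with
    rows: List[Tuple[int, List[str]]] = []
    next_id = 1
    for ttl in range(1, max_hops + 1):
        answers: List[str] = []
        reached = False
        for n in range(probes):
            ident, next_id = next_id, next_id + 1
            sent[ident] = ttl
            reply = net.deliver(ident, ttl, n)
            if reply is None:
                answers.append("*")  # timeout: silent hop or lost packet, indistinguishable here
                continue
            kind, addr, quoted_id = reply
            assert sent[quoted_id] == ttl  # the quoted id maps the reply back to a hop count
            answers.append(addr)
            if kind == "echo-reply":
                reached = True
        rows.append((ttl, answers))
        if reached:
            break
    return rows


# Constructed reverse-DNS data standing in for the PTR lookups traceroute does without -n.
PTR_TABLE = {"192.168.1.1": "gateway.lan", "10.0.0.1": "core1.example.net"}


def format_rows(rows: List[Tuple[int, List[str]]], numeric: bool = False) -> List[str]:
    """Render like traceroute's output; numeric=True is the -n flag (no reverse lookups)."""
    out = []
    for ttl, answers in rows:
        names = [a if (numeric or a == "*") else PTR_TABLE.get(a, a) for a in answers]
        out.append(f"{ttl:2d}  " + "  ".join(names))
    return out


# Constructed path: gateway, a router that loses probe #1's reply, a silent router, destination.
NETWORK = Network(
    routers=[Hop("192.168.1.1"), Hop("10.0.0.1", lossy_probes={1}), Hop("203.0.113.7", silent=True)],
    dest=Hop("198.51.100.5"),
)

if __name__ == "__main__":
    for line in format_rows(traceroute(NETWORK)):
        print(line)
```

Row 2 (one asterisk out of three) is why three probes per TTL is the default: a lone `*` reads as congestion, while a row of three reads as a hop that never answers, which is the same thing an ISP's encapsulation or a filtering router produces.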
So an attacker is trying to find out about the network, and if they're able to trace how packets are flowing through the network, they can get information about how the hosts are switched together, what hosts are in different subnets, which can help them infiltrate the network. Oh yeah, so there's another actual use: it's also really handy for you, the user, when you're doing this, to try to determine... actually, it's kind of fun to look at. You can try to do, what's the traceroute from me to Google? Like, how many hops does it take? Or, if you have a video game server or whatever you're trying to get to, you can actually use this to determine how many hops there are; you can try to determine slow connections. So you can look at a quick traceroute if you do this, and it'll tell you specifically... okay, we're trying to get to this machine here, 206.132.152.33. We will do... oh, that's right, okay, cool.

So the other interesting thing about the TTL, oftentimes... does anybody remember when, I think it was with the iPhones, AT&T didn't allow you to tether your phone, like your computer to your phone, and they would be blocking people from doing that if they detected it, if you didn't pay for whatever their tethering thing was? So they actually used the TTL and some other fields to detect that. That was one way they tried to do it: if your computer is using your phone as a router (this is not a phone, it's in my bag), if your computer is using your phone as a router, then whatever packets you normally would send, their TTL is going to be decreased by one when it gets to Verizon, compared to what it normally is. So then you could actually tell that that packet was probably from the computer on the other side of the phone. So then the people who made the routing software on jailbroken phones made it so that they would change back the TTL and not decrease it.
So there's this kind of arms race; then I think they used HTTP headers to try to detect it, like the HTTP User-Agent that says it's not a mobile browser coming from a phone. Anyway, whole deal, but kind of interesting TTL stuff you can do.

So we can look at this traceroute. We can say, okay, this machine's the gateway; then after that it went to this other machine. So how is it getting these names? "Hostnames." They are hostnames, but how does it get them, because it only knows the IP, right? What we give it is we tell it either this hostname, so we can use DNS to translate that to this IP address. What about these hostnames in the middle? What information is it getting back when it receives the Time Exceeded packet? That particular machine's... not hostname, right, but it's an IP packet, so it knows who sent that IP packet, and then it actually does a reverse DNS lookup to try and map this IP to this hostname, and if it can't do it, it probably will not show you, or you can use, I think, the -n flag to tell it not to do that. So we can see our packets go out, and then at each point it has these... these values are the time-to-live values of the hops. So traceroute is measuring the time we sent the packet versus when we got that reply. And so these, you know, should be increasing, but there's actually no guarantee that they will, because of congestion and all the crazy networking stuff that can happen. So you can see here... I should do this from here, but it's actually kind of crazy; you can look at where the traffic goes. When I did this in Santa Barbara, not on the campus network, at my home, the traffic would go sometimes up to San Francisco, sometimes down to LA; from there it goes all over the place. Sometimes some intermediary knows... if they don't want to be discovered, like... yeah.

So, all right, so this is probably my wireless. So what happened here?
What does this asterisk mean? How does it know it failed? But I can ping, right? If I ping this IP address, 216.58... so 216 again, 216.14... I actually don't... okay, it's the ASC network. Go to your homework submission server; hopefully there's nothing sensitive on there. There we go. See, it was the -n; it's trying to reverse it. So I can even ping... let's do it from here. All right, so I can see that I can get packets to and from that IP address. I can do traceroute. "Can't I have any extra utilities on them?" This is... the second one isn't... this is the submission server, and then there's... anyway, it's complicated. But yeah, it goes into a queue, and there are workers that pull from the queue to execute all your submissions, but even then it's done in a chroot jail, so any packages that get installed won't affect the outside.

So yeah, so we can kind of see the difference here. So any of these stars, what does that mean? We said that we saw that I can get packets to this IP address, but they won't respond to that. "What was that?" They won't respond to that. What do you mean, respond back? I'm not sending them a message. "What was it? Masking." Just think about what happens. I take a packet, I set the TTL to 1, and I send it on the first hop. So this first hop here is my gateway. So you've got to think about it from the switch's perspective. The switch gets this packet, decrements the TTL, and sees that it's zero. Now it has to decide what to do. So it can send an ICMP Time Exceeded message, and then we'll see it here; this machine is clearly doing that. But the switch can also decide to just drop the packet on the floor and not do anything, and not respond with the Time Exceeded. So then how does traceroute detect that? A specific timeout, right? Because that's actually all it can do.
It actually can't tell: did I not receive a Time Exceeded in 30 seconds because the network's congested? Maybe I never got back the reply. Maybe there was congestion in the network and my packet got dropped on the way back. Which is actually why, I believe, it sends three packets by default, so that you can tell if there's any congestion in the network. So yeah, you can see that that went out on, I don't know, Qwest's network, and then down to LAX, so we can see that this IP address that Google gives us is in LA, so maybe it's doing some tricks: when we do a DNS request it's trying to give us a local server, so it tries to give us a server in LA to go to. And we can see here that the route these packets took is very different, and we're not getting any response back on the wireless, which is kind of crazy, but yeah, it's pretty cool. Somebody has a really cool traceroute that's like a story in all the hostnames. Ah, okay, yeah, and actually your router will do that; a lot of the web interfaces, all that kind of stuff. Very handy feature, handy tool to use.

Actually, that's right, the other thing I want to mention about this: there's actually a group of researchers who proposed a new denial of service attack using traceroute. Well, not attacking using traceroute, but using traceroute to plan the attack, in some sense. So one way we saw, with the smurf attack, is we can just send you a bunch of traffic; that's how I can knock you offline. I can send a bunch of traffic, right?
But I have to send this directly to this host. So I have to send this traffic to your host. The host itself is going to be overwhelmed with processing all this information, or some of the switches are going to be overwhelmed, or the Ethernet is going to get saturated. I can do that, or... so in this subnet, what if I cut off this blue link here? Then can any traffic get to the subnet? So all this traffic, to get to this subnet, is going through some switch somewhere. So what if I target that switch? If I target that switch, it's going to knock off the whole subnet. So basically what these researchers found out, I can't remember where they're from, but their idea was they could use traceroute to map all the different connections in the internet and try to identify a switch such that it was upstream from my target, so traffic to my target has to go through this switch, but I can send traffic to another host and it will go through that switch too. So then I get to take your machine off the network by sending traffic that's not even directed towards you; it's directed to other people, but because of how it travels through the network, I know it's going through that specific node. So it's kind of an interesting way of, like, indirect firing of packets: you're trying to hit one of the other switches, and they use traceroute to try to determine that. So I thought that was a cool approach to actually leverage this for a malicious purpose. Of course, one of the problems there, as we saw, is oftentimes networks will not tell you; you can't traceroute every network. Plus, there were actually some people at the talk who were saying that at big ISPs, oftentimes they won't even... what were they saying? Sometimes when a packet comes in, they'll encapsulate it in something else and then route it through their own network,
so it actually comes out with the same TTL on both sides, so you'll never actually know any of the hops within their network. Any questions on traceroute? It's fun; you should play with it. It's not malicious at all, so don't worry about that.

Cool. All right, so now moving up from IP: what's in the layer above IP? Yeah, the transport layer. So one of the two main transport layer protocols, TCP and UDP. UDP is the first one we're going to talk about. At a high level, what's the purpose of UDP? When do I want to use UDP? "Connectionless." What does that mean? Yeah, okay, so connectionless, so I don't have to establish a... to send the UDP packet to you, I don't have to establish an entire connection first. Why real-time communication? "It's fast." In a video, if a packet drops, it doesn't change the video. So we said it's connectionless; if it is lost, all around, then you can use UDP. All right, so what is it about UDP? What does that mean about UDP? So it doesn't guarantee any service. We don't have to establish a connection first. There's no guarantee that a packet's going to get there. Or some other things that kind of relate, but they're all kind of... it doesn't have any checking; we got that with a connection. Yeah, no order, right? So not only can packets get dropped, but they can come to us in any order. Ah, yeah, that's kind of a good one: there's no explicit mechanism to limit UDP traffic, so we can kind of send as much as we want. So yeah, basically, it's connectionless; it's unreliable, which means that packets could drop, anything could happen; best effort, which also just means unreliable. If somebody's going to tell you they'll do their best effort, I mean, it means whatever it means, I guess. Datagram, which means it's going to send some data.
So there are no limitations on what it's going to send. So the important thing: delivery, the fact that it's delivered or not, you will not know when you send out a UDP packet. That's the other thing: not only can it be dropped, but you may never know if it was accepted or not. The integrity of the packet is not guaranteed... I believe there's a checksum, yeah, but no overall integrity. The ordering: packets could be duplicated. UDP packets can be duplicated and we'll not know. And bandwidth is not guaranteed, which goes to the congestion control. So I'd say the dominant one is definitely TCP as far as amount of traffic and all that stuff, but UDP is definitely used in a lot of key internet technologies and protocols, and that's why it's incredibly important. So typically DNS uses UDP, which is really important. And also some peer-to-peer networking type stuff, and video conferencing is kind of the classic UDP use.

The important thing here is, up till now, how did we talk to a different machine? What do we need? IP, yeah, we need an IP address. So UDP, and the higher levels, introduce this port abstraction, which says that, okay, if you think about everyone living in a building, the IP address is the building, but the port would be the apartment number. Because now we're starting to get closer to the application: I'm not just trying to get a piece of information from me to you; I'm trying to get it to a specific program running on your machine. So if we look at a UDP message, we have a source port, so some port that's us, the port of the application or whoever sent it; the destination port, where we want it to go; the length of the message; a checksum; and then the data. So wait, what about the IP address? How do we get this packet to them?
Yeah, right, so the packets are layered. Just as we saw, an IP packet is encapsulated within a what packet? On a wired network, an Ethernet packet, the link layer. The same way, a UDP packet is inside an IP packet. So before the UDP header there's going to be an IP header, and then that's all encapsulated within the frame. Everybody's seen those Russian nesting dolls, right? So you have the big Ethernet packet, you pull it apart, it's a little smaller doll, which is the IP header; you pull that apart and look inside, and that's the UDP header and the UDP data. No, I have the nesting backwards: the UDP packet is inside the IP packet, so IP adds its own headers on top of that, and then the Ethernet frame adds its headers before that. So each layer, when it processes it, like the network card, essentially investigates these headers and then returns as data, to whoever wants it, this IP packet, and then above that this UDP packet is what the application would receive, more or less; they can also read those other headers if it's important to them.

So what does this mean? Looking at this message, what will we learn about the source and destination IP, in the security context? Yeah, they're not explicitly checked. We can just make an IP packet with whatever source or destination IP we want. What about these ports here on UDP? What about security? Who checks that it actually came from our source port? If I were an attacker crafting a UDP message, what of this can I control? "Everything." Yeah, everything, right? I control everything, and in fact I control everything on here, which is what makes security so difficult, because I as an attacker can control everything on here.
So we saw that by manipulating the source IP address, and specifically spoofing the source IP address, or maybe changing the destination IP address, we can play games with that. So we can do the same thing with UDP, right? So we saw that we can spoof IP packets. Well, UDP packets are basically the same thing as IP packets. Right, so if we have this trusted client and this server and we're in the middle, we can spoof a UDP request from the trusted client to the server. So what do we need to make sure we specified? What? The port number, yeah, so which port number? Yeah, both, right, we're gonna have to make sure it's the trusted client port number and the server that we're trying to get to. We'd have to make sure the IP address is right: the from IP address is the trusted client, the to IP address is the server. So then what happens when the server tries to respond here? Right, yeah, so it's going to get that UDP request, right, and the only information you have to respond to a UDP request, right, is inside that packet. So what's the IP address of who sent it to you, and what port were they? And that's how you send the connection back, so that reply is going to go back to the trusted client. So if we can get it to the point... Oh, it's going on a variation. Oh, yeah, this is very, okay, it's a very, yeah. It's UDP hijacking, similar to IP hijacking, a variation of the spoofing attack. The basic idea is the client is going to request something from the server, like a DNS request, and say, hey, what's the IP address of google.com? So if we get this request also, right, so when can we get the request? Sniffing the network if we're on the same subnet. Maybe we've done some ARP poisoning or ARP spoofing, right? Maybe we can, if we can get that request, now if I reply back, as long as my reply gets there before the server's, now the client's going to think that I responded as the server.
So when the server gets these two packets, right, what's different between these two packets, the spoofed UDP reply and the UDP reply? The source? What are the sources of both of these packets going to be? The server. Yeah, we're spoofing it, right, so that's the important point. So we control the source port and the source IP address, right, so we can spoof the reply to make it seem like it came from the server. So we set the source port to be whatever the... We use the UDP request and we set whatever the destination port is, the destination port, the source port. Let's see, am I doing this right? Yeah, we set the destination here of the UDP reply to the source of, yeah, we switched those around. Okay, that's all I'm gonna say, because I'm getting confused talking about it. The basic idea here is, right, in this UDP request we have all the information we need to be able to generate a reply. And this goes back, because UDP is a connectionless protocol, right, client and server aren't talking, really; it's just a hey, send a packet and then send a reply, right? When you get a packet, send a reply. So why would this be useful? Distinguish between, right, because even an act is going to come from the client's gateway, right, and so all it sees is, hey, this is a reply to that request I sent, great. So yeah, it's really difficult to kind of detect this thing unless you see this spoofed reply, but even then I can prove that it's not just a duplicated reply. So what does DNS do? Yeah, right, it's just like a simple, at a high level, it's very simple. So it just takes in the names, right, human names, translates them to numbers, right, like IP addresses. How it works is it works over UDP. So each of your machines knows of a DNS server, right, either through DHCP or something, right? So when it gets a request for a name it's never seen before, it asks that DHCP server, hey, what's the IP address of google.com?
Right, and then it's exactly like this: it makes a UDP request to, I can't remember the port, it's 53, 52, 53, yeah, so it makes a UDP request to port 53 and says, hey, what's the IP address of google.com? Right, and then it gets a response, a UDP response back, that says, hey, google.com is, that was a 216 something, 216, I remember it has a 216 in it. Right, this is the IP address of Google. Right, so wouldn't that be really cool if we could pretend to be google.com to people? It's as simple as this. Right, so think about a wireless network, right, with no security. We see all the UDP requests, right? We're on the same sub-network as the client. We see all the UDP requests. At that point it's very trivial to respond faster than the DNS server and say, yep, don't worry about it, google.com is 192.168.1.1, definitely me, send all your stuff to google.com, right? And then they'll contact us and we can pretend to be Google. So this is actually kind of a fundamental problem that a lot of the upper networking layers have to deal with, and that's why we have certificate pinning and all these other kinds of things at the top layer, because of this fundamental problem with UDP, that it's so trivial and easy to hijack the UDP connection, and the fact that DNS relies on this unreliable connectionless protocol. Well, so we'll stop here. We'll get into some port scanning and then we'll, hopefully on Wednesday, knock out all the rest of the networking stuff and finish your TCP.
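The detection problem raised above (a spoofed DNS reply looks like a normal reply, and the client keeps whichever one arrives first), as an added example that is not part of the lecture. The first function models the client's view: a reply is accepted if its source, destination port, transaction ID and name match the outstanding query, which is exactly the information a sniffer gets from the request. The second is a passive sensor check: a benign duplicate carries the same answer twice, whereas a race between a forged reply and the real one shows up as two different answers for one query. The captured replies, addresses and transaction IDs are constructed sample data.

```python
from collections import defaultdict

# Constructed sensor records (not real traffic):
# (time_s, src_ip, dst_ip, dst_port, txid, qname, answers)
CAPTURED_REPLIES = [
    # forged reply wins the race and points the client at an attacker address
    (0.000, "10.0.0.53", "10.0.0.7", 40123, 0x1A2B, "example.com.", ("192.168.1.1",)),
    # the real server's reply arrives 4 ms later with the genuine address
    (0.004, "10.0.0.53", "10.0.0.7", 40123, 0x1A2B, "example.com.", ("203.0.113.10",)),
    # an ordinary retransmitted reply: same answer twice, nothing to flag
    (0.120, "10.0.0.53", "10.0.0.7", 40124, 0x3C4D, "other.example.", ("203.0.113.20",)),
    (0.121, "10.0.0.53", "10.0.0.7", 40124, 0x3C4D, "other.example.", ("203.0.113.20",)),
]

def matches_query(query: dict, reply: tuple) -> bool:
    """Client-side acceptance: everything checked here was visible in the request,
    so a sniffer can satisfy every one of these conditions."""
    _, src, dst, dport, txid, qname, _ = reply
    return (src == query["server_ip"] and dst == query["client_ip"]
            and dport == query["client_port"] and txid == query["txid"]
            and qname == query["qname"])

def find_conflicting_replies(replies: list) -> list:
    """Sensor-side check: group replies by (client, client port, txid, name) and
    flag any group whose replies do not all carry the same answer set."""
    groups = defaultdict(list)
    for t, src, dst, dport, txid, qname, answers in sorted(replies):
        groups[(dst, dport, txid, qname)].append((t, src, tuple(sorted(answers))))
    alerts = []
    for (client, port, txid, qname), entries in groups.items():
        distinct = {ans for _, _, ans in entries}
        if len(distinct) > 1:
            alerts.append({"client": client, "client_port": port, "txid": txid,
                           "qname": qname, "answers": sorted(distinct),
                           "accepted": entries[0][2],      # first reply wins at the client
                           "gap_s": entries[-1][0] - entries[0][0]})
    return alerts

if __name__ == "__main__":
    query = {"client_ip": "10.0.0.7", "client_port": 40123, "server_ip": "10.0.0.53",
             "txid": 0x1A2B, "qname": "example.com."}
    print([matches_query(query, r) for r in CAPTURED_REPLIES[:2]])   # both look valid
    for alert in find_conflicting_replies(CAPTURED_REPLIES):
        print(alert)
```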