CS 161 Notes Lec 17-18

Overview

Lecture 17: Low Level Network Attacks
  1. Network attackers
    1. Man-in-the-middle attacker

    2. On-path attacker

    3. Off-path attacker

  2. ARP: Translate IP addresses to MAC addresses

  3. DHCP: Get configurations when first connecting to a network

  4. WPA: Communicate securely in a wireless local network
Lecture 18: BGP, TCP, and UDP
  1. Border Gateway Protocol (BGP): Routing packets

  2. Transmission Control Protocol (TCP): Reliably sending packets

  3. User Datagram Protocol (UDP): Non-reliably sending packets

Network attackers

Man-in-the-middle attacker

We are familiar with this, it basically means someone who can read and modify/delete our message, in the networking scenario, messages are in the form of packets.

On-path attacker

On-path attacker is someone who can read the packets, but cannot modify/delete them.

Off-path attacker

This one is interesting. Off-path attacker can neither modify/delete the packets, nor read the packets.

So, how can they perform an attack?

Well, they do can send packets. They can perform a type of attack called spoofing.

Spoofing means the attacker lies about his/her own identity when sending packets, to make victims trust them.

A table to conclude the three types of attackers,

 Can modify or delete packetsCan read packets
Man-in-the-middle attacker
On-path attacker 
Off-path attacker  

In the real world, on-path attacks can be performed on layer 1(physical layer), with devices attached on/between wires that detect network traffic.

On layer 2, on-path attacks are easy, since some LANs use broadcast technologies, which means that every packet gets sent to every machine on the LAN. According to the protocols, machines shall not read packets that are not sent to them, but attackers can choose to break this rule, to perform on-path attack easily. This is called promiscuous mode, it might require root access to such machines.

ARP: Translate IP addresses to MAC addresses

Recall that on layer 2(link layer), machines use MAC addresses to communicate with each other, while on layer 3(network layer) machines usually follow Internet protocol, using IP addresses to communicate. So, how to match MAC addresses with IP addresses?

We use a protocol called ARP,

  • ARP stands for Address Resolution Protocol.

  • ARP translates layer 3 IP addresses to layer 2 MAC addresses.

  • Steps of the protocol:
    1. Alice checks her cache to see if she already knows Bob’s MAC address.

    2. If Bob’s MAC address is not in the cache, Alice broadcasts to everyone on the LAN:
      “What is the MAC address of 1.2.3.4?”

    3. Bob responds by sending a message only to Alice: “My IP is 1.2.3.4 and my MAC address is ca:fe:f0:0d:be:ef.” Everyone else does nothing.

    4. Alice caches Bob’s MAC address.

    5. If Bob is outside of the LAN, the router will respond with its MAC address.

  • One thing to keep in mind is that all responses claiming its MAC and IP addresses will be cached, even if you’re not asking for that. That means if David suddenly sends Alice his MAC address and IP address, Alice would also cache them.

It’s easy to imagine how ARP might be attacked, spoofing is the most straightforward way.

Say, when Alice is broadcasting to ask for Bob’s MAC address, if Mallory who sits in the same LAN responses her MAC address sooner than Bob, she can trick Alice to believe her as Bob. Then, Mallory can easily perform a MITM attack.

How to defend such spoofing attacks to ARP?

  • Use switches.

  • A switch can connect a lot of machines to form a network. When switch receives packets, it reads the header to find the destination MAC addresses and send them correspondingly.

  • The difference between switch and router:
    • Router not only can maintain a LAN, but also can connect this LAN into larger network.

    • Switch can only provide communication inside a LAN.

    • Switches are usually Ethernet based, so not wireless.

    • Routers can be wireless.

  • The main idea is that switch maintains a table of IP/MAC mappings, so when Alice wants to find Bob, she can ask switch for Bob’s MAC address first.

  • This method reduces the chance of broadcast. However, if the target’s MAC address hasn’t been recorded in switch’s table, a broadcast still has to be made.

Another way to defend ARP is to use tools like arpwatch as a monitor. Arpwatch is a computer software tool for monitoring ARP traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network. So suspicious activity can be monitored.

DHCP: Get configurations when first connecting to a network

DHCP stands for Dynamic Host Configuration Protocol. It provides IP addresses to devices that connect to the network for the first time. So, DHCP is a protocol that involves initialization on layer 3.

  • To connect to a network, a user needs:
    • An IP address so that other people can contact the user.

    • The IP address of the DNS server (DNS server is introduced in later lectures).

    • The IP address of the router (gateway) so that the user can contact machines outside of the LAN.

  • The first time a user connects, they don’t have this information yet.
    • The user also doesn’t know who to ask for this information.

DHCP gives the user a configuration when they first join the network, by a few steps of handshake:

  1. Client Discover: The client broadcasts a request for a configuration.

  2. DHCP Offer: Any DHCP server can respond with a configuration offer.
    • Usually only one DHCP server responds.

    • The offer includes an IP address for the client, the DNS server’s IP address, and the (gateway) router’s IP address.

    • The offer also has an expiration time (how long the user can use this configuration).

  3. Client Request: The client broadcasts which configuration it has chosen.
    • If multiple DHCP servers made offers, the ones that were not chosen discard their offer.

    • The chosen DHCP server gives the offer to the client.

  4. DHCP Acknowledgement: The chosen server confirms that its configuration has been given to the client.

As you might have noticed, similar with ARP, DHCP can also be attacked by spoofing. What’s worse, since there’s no way for someone who just joined the network to do any verification, there’s no good way to prevent DHCP spoofing. So we have to encrypt packets with protocols on higher layers to defend against DHCP attack.

WPA: Communicate securely in a wireless local network

WPA stands for Wi-Fi Protected Access. Wi-Fi is a layer 2 protocol that wirelessly connects machines in a LAN(corresponding to Ethernet which uses wire).

Components of a Wi-Fi network:

  1. Access point: A machine that will help you connect to the network.

  2. SSID (service set identifier): The name of the Wi-Fi network.

  3. Password: Optionally, a password to secure Wi-Fi communications.

WPA was released back in 2003, but soon in 2004 there came WPA2, which was more secure and complex. In January 2018, WPA3 was released, it has a better security than WPA2.

Let’s introduce WPA2 first.

  • Design goals
    • Everyone with the Wi-Fi password can join the network.

    • Messages sent over the network are encrypted with keys.

    • An attacker who does not know the Wi-Fi network cannot learn the keys.

  • The way WPA2 works is based on the following handshakes:
    1. The client sends an authentication request to the access point.

    2. Both use the password to derive the PSK (pre-shared key).

    3. Both exchange random nonces.

    4. Both use the PSK, nonces, and MAC addresses to derive the PTK (pairwise transport keys).

    5. Both exchange MICs (these are MACs from the crypto unit, recall that MAC stands for Message Authentication Codes there, here MIC stands for Message Integrity Check) to ensure no one has tampered with the nonces, and that the PTK was correctly derived.

    6. The access point encrypts and sends the GTK (group temporal key) to the client, used for broadcasts that anyone can decrypt.

    7. The client acknowledges receiving the GTK.

  • A graph illustrating the process:

  • Both sides derive secret keys for communication.
    • Wi-Fi password → PSK.

    • PSK + nonces + MAC addresses → PTK.

    • The PTK is used to encrypt and authenticate all future communication.

    • Note: The PTK is different for every user, because of the nonces.

  • The access point encrypts and sends the GTK to the client.
    • The GTK is used for messages broadcast to the entire network.

    • Everyone on the network uses the same GTK.

  • An optimized version of WPA2 handshake(4-way handshake) looks like this

I guess you’re quite confused after reading the materials above ;) , don’t worry, I felt the same when watching the lecture. The MPA2 4-way handshake was introduced in a vague way in this lecture, and unfortunately I’m not an expert in this topic, so all I can do is to search online for better resources.

https://www.wifi-professionals.com/2019/01/4-way-handshake

The above is an article I found that explained this topic clearly, if you’re also confused by the terms “derive”, “everyone use the same” in the course materials written above, definitely check this article out, I’m sure you’ll find it helpful :)

With the WPA2 4-way handshake introduced above, we got a rough understanding of how a device connect to a Wi-Fi network, and how they communicate later.

So, what are the possible attacks to this process?

  1. Rogue AP: Pretend to be an AP(Access Point), and offer your own ANonce to the client.
    • If you know the password/PSK, you can complete the 4-way handshake with the client and become a MITM!
  2. Offline brute-force attack: People tend to choose bad passwords, and you have enough information to know if you guessed the password correctly.
    • Nonces are sent unencrypted, and client and AP MAC addresses are public.

    • Eavesdropper guesses a password and derives:
      • Wi-Fi password → PSK

      • PSK + nonces + MAC addresses → PTK

      • Eavesdropper checks that the MIC from the guess matches the MIC that was sent

    • That’s basically saying that brute-force attack can be performed with verifications all done by the attacker, so it won’t be limited by things like number of password attempts, that makes brute-force attack much more powerful.

Another concern of WPA2 is that there’s no forward security, meaning that if later the password of Wi-Fi network is leaked, the previous packets recorded by the attacker can all be decrypted.

With the above concerns, there came WPA-Enterprise(also in WPA2).

In WPA-Enterprise,

  • Each user has its own username and password.

  • Instead of using a PSK, use a randomly generated key by an authentication server.
    • For your client to trust the authentication server, you accept a digital certificate.

    • Form a secure channel to the authentication server, which lets you enter your username and password.

    • If the username and password are correct, the authentication server sends a one-time key to use instead of a PSK to both the client and the AP (also over a secure channel).

  • The rest of the handshake proceeds normally.

In this way, all of the three concerns in WPA-PSK are settled.


In lecture 17, we introduced some stuffs about layer 3 in OSI model.

We introduced how IP addresses are claimed when a device connects to a network for the first time, and how devices communicate with IP addresses that will eventually be mapped to MAC addresses.

Recall that IP address is an address that identifies a device on the Internet.

  • IPv4 is 32 bits (e.g. 35.163.72.93).

  • IPv6 is 128 bits (e.g. 2607:f140:8801:0000:0000:0000:0001:0023).
    • Shorthand: omit sets of zeros: 2607:f140:8801::1:23.
  • Globally unique from any single perspective.
    • For now, you can think of them as just being globally unique :)
  • IP addresses help nodes make decisions on where to forward the packet.

In lecture 18, we’ll introduce how the packets are routed according to their IP addresses, and some layer 4 protocols.


Border Gateway Protocol (BGP): Routing packets

Let’s first introduce subnet.

Subnets are groups of IP addresses with a common prefix,

  • They’re written in a form like this: 128.32.0.0/16.

  • 128.32.0.0/16 is an IPv4 subnet with all addresses that begin with the prefix of 128.32.

  • The number “16” in the end specifies that 16 bits of prefix is fixed for this subnet.

So, how does IP routing work?

  • To send a packet to a computer within the local network:
    • Verify that the destination IP is in the same subnet.

    • Use ARP (or contact a switch) to get the destination MAC address.

    • Send the packet directly to the destination using the destination MAC address.

  • To send a packet to a computer that is not within the local network:
    • Send the packet to the gateway(gateway is associated with the router of your local network).

    • Past the gateway, the packet goes to the Internet.

    • It’s the gateway’s job to deliver the packet closer to the destination.

Now let’s introduce autonomous systems.

  • After the gateway of router sends the packet out, it will be sent to the Internet.

  • The Internet is a network of networks, comprised of many autonomous systems (AS).
    • Each AS handles its own internal routing.

    • Each AS is uniquely identified by its autonomous system number (ASN).

    • Each AS is comprised of one or more LANs.

    • The AS can forward packet to other connected ASes.

  • BGP(Border Gateway Protocol) is the protocol for communicating between different autonomous systems(So even though these AS are independent, they all agree with this BGP for routing policy).
    • Each router announces what networks it can provide and the path onward from the router.

    • The most precise route with the shortest path and no loops is the preferred route.

Following is a graph illustrating the routing process, the shortest path will somehow be selected according to each router’s claim(yes, you may sense a problem here).

Now let’s consider possible attacks on BGP and IP.

  1. IP spoofing
    • Malicious clients can send IP packets with source IP values set to a spoofed value.

    • Edge ASes should block packets with source IPs set to the wrong value, but some don’t.

    • It’s impossible to prevent IP spoofing, so we have to use protocols in higher layers to protect against this attack.

  2. BGP hijacking: A malicious autonomous system can lie and claims itself to be responsible for a network which it isn’t.
    • Still, there’s no good defense for that on network layer(layer 3), we have to use protocols in higher layers to protect against this attack.

Transmission Control Protocol (TCP): Reliably sending packets

Before introducing TCP, let’s first recall the unreliability of IP.

  • It does add a checksum when sending packets, but that’s not encrypted, its purpose is to check whether there’s loss in transmission, but doesn’t protect the packet from being tampered.

  • IP provides best effort delivery service, it will try its best to deliver your packet, but it doesn’t care if its lost or broken in the end.

  • Also, the order of packets arriving can be random, IP doesn’t guarantee the packets to arrive in the same order as they were sent.

Besides unreliability, IP also has limitation on packet size. That’s to say, if we only use IP, the user has to manually split the packets that exceed the packet size, and the receiver also needs to manually resemble the packets(note that the order is not guaranteed, so it’ll be a nightmare for the receiver).

So, with these issues in mind, we have to depend on higher layer protocols to gain a better communication experience.

Here we introduce TCP, which stands for Transmission Control Protocol.

What does TCP provide?

  1. Provides a byte stream abstraction.
    • Bytes go in one end of the stream at the source and come out at the other end at the destination.

    • TCP automatically breaks streams into segments, which are sent as layer 3 packets.

  2. Provides ordering.
    • Segments contain sequence numbers, so the destination can reassemble the stream in order!

    • Each TCP connection requires two sets of sequence numbers.
      • One sequence number for messages from the client to the server.

      • One sequence number for messages from the server to the client.

    • Before starting a TCP connection, the client and server must agree on two initial sequence numbers (ISNs), each one represents the first sequence number that is supposed to be for the message sent.
      • The ISNs are different and random for every connection (for security reasons, as we’ll see soon).
  3. Provides reliability.
    • The destination sends acknowledgements (ACKs) for each sequence number received.

    • If the source doesn’t receive the ACK, the source sends the packet again.

  4. Provides ports.
    • Multiple services can share the same IP address by using different ports.

    • Ports are provided to distinguish services with the same IP address.

    • See the graph show below, port information is contained in TCP header.

TCP 3-way handshake

As we mentioned above, there’re random ISN(initial sequence number) for every connection, so how do they make this agreement at the beginning? Like Wi-Fi connection, we’ll use a handshake technique for such initialization.

  1. Client chooses an initial sequence number x its bytes and sends a SYN (synchronize) packet to the server.

  2. Server chooses an initial sequence number y for its bytes and responds with a SYN-ACK packet.

  3. Client then returns with an ACK packet.

  4. Once both hosts have synchronized sequence numbers, the connection is “established”.

Once the handshake is done, data can be sent using TCP.

  • For every connection, there’s a TCP handler(usually the operating system does this for you).

  • The TCP handlers on each side track which TCP segments have been received for each connection(one computer may have multiple connections going on at the same time, so, how does the TCP handler distinguish them?).
    • A connection is identified by these 5 values (sometimes called a 5-tuple):
      • Source IP

      • Destination IP

      • Source Port

      • Destination Port

      • Protocol

  • Data from the byte stream can be presented to the application when all data before has been received and presented.

  • Byte i of the byte stream is represented by sequence number x + i.
    • The first byte is byte i = 1, since sequence number x was used for the SYN packet and y for the SYN-ACK packet.
  • A packet’s sequence number is the number of the first byte of its data.
    • This number is from the sender’s set of sequence numbers.
  • A packet’s ACK number, if the ACK flag is set, is the number of the byte immediately after the last received byte.
    • This number is from the receiver’s set of sequence numbers.

    • This would be (sequence number) + (length of data) for the last received packet.

What are TCP’s policies for data retransmission?

  • If a packet is dropped (lost in transit):
    • The recipient will not send an ACK, so the sender will not receive the ACK.

    • The sender repeatedly tries to send the packet again until it receives the ACK.

  • If a packet is received, but the ACK is dropped:
    • The sender tries to send the packet again since it didn’t receive the ACK.

    • The recipient ignores the duplicate data and sends the ACK again.

  • When packets are dropped in TCP, TCP assumes that there is congestion and sends the data at a slower rate.

How do we end/abort a TCP connection?

  • To end a connection, one side sends a packet with the FIN (finish) flag set, which should then be acknowledged.
    • This means “I will no longer be sending any more packets, but I will continue to receive packets”.

    • Once the other side is no longer sending packets, it sends a packet with the FIN flag set.

  • To abort a connection, one side sends a packet with the RST (reset) flag set.
    • This means “I will no longer be sending nor receiving packets on this connection”.

    • RST packets are not acknowledged since they usually mean that something went wrong.

Here’re some TCP flags:

  1. ACK
    • Indicator that the user is acknowledging the receipt of something (in the ack number)

    • Pretty much always set except the very first packet 

  2. SYN
    • Indicator of the beginning of the connection
  3. FIN
    • One way to end the connection

    • Requires an acknowledgement

    • No longer sending packets, but will continue to receive

  4. RST
    • One way to end a connection

    • Does not require an acknowledgement

    • No longer sending or receiving packets

Here’s how a TCP packet looks like:

So, how can TCP be attacked?

  • It’s kinda obvious, there’s no encryption involved, TCP should still be vulnerable to attacks that tamper the packets. This type of attack is called TCP hijacking.

  • Here’re two types of TCP hijacking,
    1. Data injection: Spoofing packets to inject malicious data into a connection.
      • Need to know: The sender’s sequence number.

      • Easy for MITM and on-path attackers, but off-path attackers must guess 32-bit sequence number (called blind injection/hijacking, considered difficult).

      • For on-path attackers, this becomes a race condition since they must beat the server’s legitimate response.

    2. RST injection: Spoofing a RST packet to forcibly terminate a connection.
      • Same requirements as packet injection, so easy for on-path and MITM attackers, but hard for off-path attackers.

      • Often used in censorship scenarios to block access to sites.

  • The graph below shows how data injection looks like.

  • Another possible attack is TCP spoofing(well, honestly the TCP hijacking above is also sorts of spoofing).

  • TCP spoofing is basically for the attacker to start a TCP connection with a fake IP address.
    • Recall: IP packets can often be spoofed if the AS doesn’t block source addresses.

    • Need to know: Sequence number in the server’s response SYN-ACK packet.

    • Easy for MITM and on-path attackers, but off-path attackers must guess 32-bit sequence number (called blind spoofing, also considered difficult).

    • For on-path attackers, this is a race condition, since the real client will send a RST upon receiving the server’s SYN-ACK!

  • The graph below shows how TCP spoofing looks like.

User Datagram Protocol (UDP): Non-reliably sending packets

As the subtitle indicates, UDP doesn’t provide reliability.

  • UDP stands for User Datagram Protocol.

  • Provides a datagram abstraction.
    • A message, sent in a single layer 3 packet (though layer 3 could fragment the packet).

    • Max size limited by max size of packet.

    • Applications break their data into datagrams, which are sent and received as a single unit.

      • Contrast with TCP, where the application can use a byte stream abstraction.

      • In UDP these things are done by users manually.

  • No reliability or ordering guarantees, but adds ports.
    • It still has best effort delivery.
  • Much faster than TCP, since there is no 3-way handshake.
    • Often used for gaming, streaming purpose.

Since there’re no sequence numbers, UDP attacks are even more easier than TCP.

Here’s how UDP packet looks like,

Written on May 10, 2023
-->