EGIRAFFE Rechner - Und Kommunikationsnetze VO - Bmark - Pruefungsfragenausarbeitung - 2019SS
Prüfungsfragenausarbeitung SS2019
1 Network foundations
Seite 1/54
www.egiraffe.at - Rechner- und Kommunikationsnetze - VO
Prüfungsfragenausarbeitung SS2019
The picture above shows the TCP/IP model, which is a separate question below, but it should here explain the network layers.
1.4 What are the layers of the OSI model (used for)?
1.5 What are the layers of the TCP/IP model (used for)?
Workflow:
2 Link layer
Services:
Important: If a shared medium such as a hub is still used instead of a switch, so-called channel access control is needed in order to deal with frame collisions.
• Line busy: Wait certain time (= backoff period) and start again at step 1
• Repeat these steps until the max. attempt counter is reached, then end the transmission
2.8 Why are MAC addresses and IP addresses used at the same time?
Hub
• Star topology
• Multiple ports, reads signal on port, reconstructs it, sends it to every other port
• Only half-duplex mode
• No intermediate packet storage
• Problems: Large collision domain and decreased performance
Switch
Note: Switches operate on OSI Layer 2 and Routers forward IP packets (OSI layer 3)
• If the MAC address of the source and/or destination is not in the table, the frame is broadcast to all ports
• The MAC address and a timestamp are put into the table
• Every node that sends a frame is added to the table
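The learning behaviour above, as an added Python example (not from the lecture or the notes): a toy switch that learns the source address of every frame on its ingress port with a timestamp, ages entries out, floods frames whose destination is unknown, and forwards known destinations to a single port. The aging time and the per-port cap on learned addresses are assumptions; the cap is a defender's mitigation that keeps a burst of fake source addresses from filling the table.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300      # assumption: a common default aging time for table entries
MAX_MACS_PER_PORT = 2    # assumption: a port-security style cap on addresses learned per port


@dataclass
class LearningSwitch:
    """Toy transparent switch: learns source addresses on ingress, floods unknown destinations."""
    ports: int
    now: float = 0.0                                                   # simulated clock, seconds
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # MAC -> (port, last seen)

    def _expire(self) -> None:
        # entries that were not refreshed within the aging time are removed
        stale = [m for m, (_, seen) in self.table.items() if self.now - seen > AGING_SECONDS]
        for m in stale:
            del self.table[m]

    def _learn(self, mac: str, port: int) -> bool:
        # every sending node is learned, unless the ingress port already holds its quota
        on_port = {m for m, (p, _) in self.table.items() if p == port}
        if mac not in on_port and len(on_port) >= MAX_MACS_PER_PORT:
            return False                      # refused: keeps a flood of fake sources out of the table
        self.table[mac] = (port, self.now)    # (re)learn with a fresh timestamp
        return True

    def forward(self, src: str, dst: str, ingress: int) -> List[int]:
        """Return the egress ports for a frame from src to dst that arrived on ingress."""
        self._expire()
        self._learn(src, ingress)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # broadcast or unknown destination: send to every port except the one it came from
            return [p for p in range(self.ports) if p != ingress]
        port, _ = entry
        return [] if port == ingress else [port]   # already on the right segment: filter


A, B, C = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"   # constructed MACs


def demo() -> List[List[int]]:
    """Constructed traffic on a 4-port switch; returns the egress decision per frame."""
    sw = LearningSwitch(ports=4)
    frames = [(A, B, 0),   # B unknown -> flooded to ports 1, 2, 3
              (B, A, 2),   # A was learned on port 0 -> unicast to port 0
              (A, B, 0)]   # B is now known on port 2 -> unicast to port 2
    return [sw.forward(s, d, p) for s, d, p in frames]


if __name__ == "__main__":
    print(demo())   # [[1, 2, 3], [0], [2]]
```

The first frame is flooded because the destination is unknown; after the reply has been seen on port 2, the same frame is delivered to that port only. Once the simulated clock passes the aging time, the table is empty again and the next frame is flooded.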
Half-duplex
Full-duplex
• Fake foreign MAC address. Switch then redirects traffic to port of attacker
• By broadcasting an ARP reply
• Targets the SAT of the switch
Process
Attack Idea
• Look for many packets with „weak IVs“ that reveal information about WEP key
• Enough weak IVs found? Crack WEP key
• Which IVs are weak is key dependent, so it takes a different amount of time per key
Attack requirements:
Two methods:
Important: regardless of the method, receivers replace cached entries with the new mapping! Security problem
• In the past there were only a few network classes: subnet masks of /8, /16 or /24, but nothing in between
• Waste of resources
• Now: Classless Inter-Domain Routing (CIDR)
• No. of addresses = 2^(32 - CIDR)
Workflow:
• Endpoints send IP packets with the DF flag set
• If a router is encountered whose MTU is smaller than the packet size, the packet is dropped
• It sends back an ICMP message of type 3: „Destination unreachable“ with code 4: „Fragmentation required, and DF flag set“
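The workflow above, as an added Python simulation (not from the lecture or the notes): a packet with DF set is carried hop by hop over a constructed list of link MTUs; the first router whose link is too small returns ICMP type 3, code 4 together with the next-hop MTU, and the endpoint shrinks its packet to that value until it gets through. The path and the round limit are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3    # ICMP type 3: Destination unreachable
ICMP_FRAG_NEEDED = 4         # code 4: fragmentation required and DF flag set


@dataclass
class IcmpError:
    icmp_type: int
    code: int
    next_hop_mtu: int        # MTU of the link the router could not forward on (RFC 1191 field)


def send(path_mtus: List[int], size: int, df: bool = True) -> Optional[IcmpError]:
    """Carry one packet hop by hop. None means delivered; otherwise the ICMP error a router returned."""
    for mtu in path_mtus:
        if size > mtu:
            if df:
                return IcmpError(ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED, mtu)
            size = mtu   # DF clear: the router fragments and the largest piece continues (simplified)
    return None


def discover_pmtu(path_mtus: List[int], start_size: int = 1500,
                  max_rounds: int = 16) -> Tuple[int, List[IcmpError]]:
    """Endpoint side: send with DF set, shrink to the reported MTU on every error, stop when delivered."""
    size = start_size
    errors: List[IcmpError] = []
    for _ in range(max_rounds):
        err = send(path_mtus, size, df=True)
        if err is None:
            return size, errors
        errors.append(err)
        size = err.next_hop_mtu      # only reported when size > mtu, so each round strictly shrinks
    raise RuntimeError("path MTU discovery did not converge")   # bound against a misbehaving path


# constructed path: the third link is the bottleneck at 1280 bytes
SAMPLE_PATH = [1500, 1400, 1280, 1500]

if __name__ == "__main__":
    pmtu, errors = discover_pmtu(SAMPLE_PATH)
    print(pmtu, [(e.icmp_type, e.code, e.next_hop_mtu) for e in errors])
```

On the sample path the endpoint receives two ICMP errors (reporting 1400 and then 1280) before a 1280-byte packet is delivered, which is exactly the path MTU.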
Attacks:
• Ping of Death - Buffer overflow: the system cannot handle more than RFC 791 allows (65,535 bytes)
• Ping Flood - Send so many ping requests that normal traffic fails to reach the system
• Smurf attack (DDoS) - The attacker sends ping packets with a spoofed source IP (= victim IP address) to the broadcast address in the network. All connected clients answer and overwhelm the victim
Workflow:
• One-to-nearest
• Send data with same address but only to closest = load balancing
• Set same destination address for every host in a group of potential receivers
• Using the Border Gateway Protocol (BGP) a client is routed to the „nearest“ host
• Used for Domain Name System or Content Delivery Networks (CDN)
4.15 Routing
Detect new paths through the internet. How to circumvent failed links or choose faster ones?
4.16 IP Routing
Collection of different IP network prefixes run by one or more network operators with a clearly defined
routing policy
Routing protocols
Problems:
Missing fields
Renamed fields
New fields
• Traffic Class (Packet Prioritization / Quality of Service (QoS), e.g. for VoIP or A/V streaming)
• Flow Label (Distinguish flow of packets that need same treatment / routes)
Next Header
• After IPv6 Header the so called IPv6 Extension Header can carry optional Internet Layer
information
• Placed between IPv6 Header and higher layer protocol
• Last Next Header in chain must be upper layer protocol
• Most IPv6 packets without extension headers
Fragmentation
• Any link must be able to transfer this size without end-to-end fragmentation
Addresses
Other differences
Types:
• Unicast (one-to-one). Address of single interface. Packet delivery for one receiver
• Multicast (one-to-many). Address for a set of interfaces. Delivered to all interfaces with this
address
• Anycast (one-to-nearest). Packet for anycast address delivered to one interface with that address
Scopes:
Unicast / Anycast
• Link local / loopback: only valid on the current link (network) → not routable (::1/128: loopback, or fe80::/10: single link)
• Unique local: only for communication in small subnets → comparable to the private addresses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 in IPv4. For local communications or inter-site VPNs. Not routable in the Internet!
• Global: globally valid, routed via the Internet
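The CIDR address count from section 4 (2^(32 - prefix length), generalised here to IPv6 as 2^(128 - prefix length)) and the address scopes listed above, as an added Python example built on the standard ipaddress module (not from the lecture or the notes). The sample addresses are constructed.

```python
import ipaddress


def address_count(cidr: str) -> int:
    """Addresses covered by a prefix: 2^(address bits - prefix length), e.g. 2^(32 - 22) for a /22."""
    net = ipaddress.ip_network(cidr, strict=False)
    count = 2 ** (net.max_prefixlen - net.prefixlen)
    assert count == net.num_addresses          # cross-check against the standard library
    return count


def contains(cidr: str, addr: str) -> bool:
    """Classless membership test: does addr fall inside the prefix?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def scope(addr: str) -> str:
    """Rough scope classification for IPv4 and IPv6 addresses, most specific check first."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:                          # ::1/128 or 127.0.0.0/8
        return "loopback"
    if ip.is_link_local:                        # fe80::/10 or 169.254.0.0/16: not routable
        return "link-local"
    if ip.is_private:                           # fc00::/7 or 10/8, 172.16/12, 192.168/16 (and more)
        return "unique-local" if ip.version == 6 else "private"
    if ip.is_global:
        return "global"
    return "other"                              # reserved / special ranges


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "192.168.0.0/22", "fe80::/10"):
        print(cidr, address_count(cidr))
    for addr in ("::1", "fe80::1", "fd12::1", "10.1.2.3", "2606:4700::1111"):
        print(addr, scope(addr))
```

Note that `is_private` in the standard library covers more than the three IPv4 ranges and fc00::/7 named above (documentation and shared-address ranges as well), so the classification is a superset of the lecture's list.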
Multicast
Router Discovery
Address Resolution
Workflow:
DAD
• Wait for router advertisement with prefix or send „Router Solicitation“ to multicast address
ff02::2 (all routers)
• Reply: „Router Advertisement“ with global prefixes
Privacy
5.12 ICMPv6
6 Transport Layer
Ports in detail:
6.2 What are other purposes of the transport layer which are not implemented by every protocol which implements the transport layer?
Reliability
TCP
• Connection-oriented
• Data delivery is only possible after the „Three way handshake“
• Reliable but „heavyweight“ end-to-end transport of data
• Error detection, flow & congestion control, ordered delivery
• Applications: HTTP(S), FTP, SSH, SMTP, IMAP, POP3, …
• Stateful: Is the destination alive? Have packets been lost? Are packets in the correct order? Can the receiver follow the speed of the sender (flow control, buffers)?
UDP
• Transaction-oriented (= „connection-less“)
• Stateless: great for a large number of clients (streaming)
• Unreliable → the sender does not know whether the destination was reached
• No congestion control
• Used where re-transmission of lost packets makes no sense, e.g. VoIP, streaming
• Applications (small implementations): DNS, DHCP, SNMP, often also in VPNs
• Simple request / response is enough (DNS, NTP)
• Window Size (16 bits): Flow Control Mechanism (Indicates how many bytes the sender is
allowed to send without overloading the receiver)
• Checksum (16 bits): As in UDP: Header and data.
• Urgent pointer (16 bits): Indicates „urgent“ data
• The sender determines from the window size the number of bytes it can send before an ACK must come back!
• Prevents the sender from injecting too much data into the network. Issue between hosts – networks
• Consequences: overload of switches / routers
• Network is overloaded → routers / switches cannot handle the amount of traffic
• Packets are dropped, causing timeouts and re-transmissions
• Congestion control keeps the data flow rate below collapse
• Achieve high performance without re-transmissions and packet drops
• Maintain a „Congestion Window“ that tells the sender how much data can be sent
• The congestion window is maintained by the TCP stack of the sender → not part of the TCP header!
Idea
TCP States
1. Connection Establishment – „Build-up“ Performed before data can be sent
2. Data Transmission
3. Connection Termination – „Tear-down“ Indicates to both sides that no more data is going to be sent
• Retrieves information from requested URI (but does not change the resource!)
• Header and Content
• Idempotent! (from idempotence)
Workflow
• If not used: Connection between server / client closed after every request
• Since HTTP 1.1: Connection kept-alive by default
• One TCP connection is used for multiple requests instead of just one.
• Reuse core concept of HTTP (methods, status codes, header fields, etc.) but
• format (frame) the data more efficiently → Transfer binary data instead of text
• Address deficiencies of HTTP 1.1
• Web pages use more and more resources (images, scripts, stylesheets) → Huge overhead due to
multiple (sometimes parallel) requests
• Limited parallelism
• Head-of-line blocking
• High protocol overhead (~800 bytes of header + cookies, no compression of HTTP metadata)
The number of allowed parallel requests in the browser is used up, and subsequent requests need to wait for the earlier ones to complete
Solution in HTTP/2: only one TCP connection for multiple requests
Problems:
• Long polling
• Similar to XMLHttpRequest, but the request remains open until data is available
Requirements
7.20 Why is it a bad idea to store the session key in the URL?
Problem:
Workflow:
Cookie Structure
• Domain
• Path: /
• Expiration: if not set: session cookie, valid until browser closed
• Secure: If flag set → Cookie only to be used within HTTPS connections
• HttpOnly: If flag set → Do not allow scripts to access the cookie (JavaScript)
Advantages
Types of cookies:
• Zombie cookies: Recreated after deletion from another storage, e.g. Flash or HTML5 storage
Workflow:
• Pass identity of authenticated users between identity provider and service provider
• No 3rd-party cookie needed
8 Web technologies
8.1 What is SOP?
• Browser Security - Data is only exchanged with web application and not any other domain
• Provides further degree of isolation
• Scripts shall only access properties of documents & windows of same origin
• Eliminate requests to other domain than origin
• Not usable in reality since cross-origin requests required for many scenarios (Dropbox,
Facebook, Maps)
• URL structure: scheme://domain:port/path?params
• Origin A can access origin B‘s DOM if match on (scheme, host, port)
The same-origin policy restricts how a document or script loaded from one origin can interact with a
resource from another origin. It is a critical security mechanism for isolating potentially malicious
documents.
By default forbidden
Ways to bypass
• AJAX Proxy
• JSONP
• CORS
• Content Security Policy
8.51 How does CORS typically work? What is its main purpose?
Client
Server
• thirdparty.com knows whether the origin is trusted
• Server responds with allowed origin domains in HTTP response header or with * if any domain
is fine
Browser
Checks if current domain matches allowed origin (pass or block)
<script> element
Be cautious when embedding <script> elements pointing to 3rd party sites into your web application.
If an attacker gains access to these scripts → they can compromise your website and your
JSONP
CORS
Attacker injects own session ID which is then used by user (and known by attacker)
Workflow:
Prediction
Session IDs should be generated randomly. History shows that weak random number generators are used
Brute Force
Just probing until valid session ID is found. Remedy: Use large key space, e.g. /dev/urandom
Sniffing
Secure flag: if not set, the cookie is also sent if the connection is downgraded from HTTPS to HTTP
HttpOnly: if not set, the cookie is readable from JavaScript (alert(document.cookie))
• Cross-Site Scripting
• Code injection attack to execute malicious JavaScript in another user‘s browser → Bypasses
SOP because browsers trust local (same) origins!
Consequences
Problem:
CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action
but does not verify that the user himself is invoking that action. The key to understanding CSRF attacks
is to recognize that websites typically don’t verify that a request came from an authorized user. Instead
they verify only that the request came from the browser of an authorized user.
9 TLS
ClientHello: TCP connection setup on port 443. The client initiates the TLS negotiation:
ServerHello
If there is no match on TLS version and cipher suite, the handshake aborts with an error
Server: Certificate
Server: ServerKeyExchange
Often this information is already within the certificate, e.g. if the key exchange is RSA
Server: CertificateRequest
Server: ServerHelloDone - Signal that server has sent all handshake messages
and then the client side … see slides and make a nice picture TODO
• Contains the public key and the domain for which it is valid.
• This info gets hashed and signed by a so called Certificate Authority.
• The whole certificate is supplied by the server to the client during the TLS handshake.
• The client can verify this signature, because it already has the public key of the Certificate Authority in its local trust store.
• TLS is used
• Key Exchange - ECDH = Elliptic Curve Diffie Hellman
• RSA Authentication
Problem: You are not presented the „correct“ certificate for a domain
Solution: HTTP Public Key Pinning (HPKP)
Variant A:
Variant B:
Scenario 1
Now a server for google.com is set up, DNS entries are rewritten to point to that server and a certificate is issued. The user would not notice that he was forwarded
Scenario 2
Attacker has access to trusted CA and issues a certificate for arbitrary hostnames
Attacker performs MITM attack using previously generated certificate
Remedy
• If PIN changes (= certificate changes), drop connection even if certificate would be trustworthy
and DNS name matches with cert‘s subject name
• PINs either stored in browser (or mobile app) or sent via HTTP header
Variant 1:
Variant 2:
10 DNS
10.1 What is DNS?
• Domain Name System
• Hierarchical and decentralized naming system
• Translates domain names to IP addresses and vice versa.
• What was in the past managed by the hosts file (“/etc/hosts”).
• Domains can map to multiple addresses (load balancing, latency reduction) or have both IPv4 and IPv6 addresses assigned
• Re-use 1 IP address for multiple domain names
• Multiply the amount of flood traffic thanks to „large replies“ after „small queries“
• Use an arbitrary (spoofed) source IP address
• Make response to query significantly larger than the request
• Attacker sends query with e.g. 60 bytes, response has 3000 bytes - Traffic amplification factor
of 50