
www.egiraffe.at - Rechner- und Kommunikationsnetze - VO

Exam question write-up SS2019

Computer and Communication Networks

1 Network foundations

1.1 What is basically a network?

• Networks are basically nodes and links connecting the nodes
• Network nodes: PCs, servers, special purpose hardware
• Hosts, end-systems: PCs and servers running network applications
• Routers (Switches): Store and forward packets through network
• Links: Optical fiber, coaxial cable, twisted pair copper, radio, 802.11 WiFi etc.
• Point-to-point: Hosts directly connected
• Multiple access (LANs, etc.): Hosts share common transmission medium

1.2 Why is networking split in layers?

• Layers help to separate services from implementation
• Modularity – In case of an issue only the affected layer has to be upgraded / replaced
• Divide complex task into several smaller (simpler) sub-tasks = layers
• Defining clear interfaces between layers

1.3 How does splitting networking in layers work?

• Encapsulate transmission in layers
• Each layer deals with different tasks
• Every layer takes everything handed down by the preceding layer as payload, packs it with the
additional header information needed for its specific task and hands the result to the next layer.
Unpacking at the receiver side works the same way in the opposite direction.


The picture referenced above (not reproduced in this text) shows the TCP/IP model, which is a separate
question below, but it illustrates the network layers here.

1.4 What are the layers of the OSI model (used for)?

• OSI = Open Systems Interconnection
• Layered framework for design of a flexible, robust, and interoperable network architecture
• It is a model and not a protocol


1.5 What are the layers of the TCP/IP model (used for)?

• Transmission Control Protocol / Internet Protocol Suite
• Nowadays leading protocol suite (ARPANET switched to TCP/IP in 1983)
• Initially defined as 4 software layers built upon hardware
• Nowadays physical component often considered 5th layer


1.6 Exchanging Data

1.7 What is circuit switching?

• Using dedicated line for communication between two partners
• Fast and guaranteed capacity when circuit is set up
• Waste of resources when channels unused
• Not suitable for inter-connecting large number of different systems. Not available for others
• Still used in mobile 2G networks (GPRS, EDGE)!

Workflow:

• Setup line / connection before starting communication
• Connection is dedicated line as long as delivery lasts
• Bandwidth sharing not needed = dedicated resources

1.8 What is packet switching?

• Divide transmitted data into small fragments (Packets, Frames, Cells, …)
• Each fragment carries addressing information in header
• Router / Switch routes each chunk individually
• Independent routing decisions. Dynamic path construction possible
• Resource sharing (multiplexing) by design
• Flow control. Sender has to adapt to speed of receiver. Router / Switch needs transmission buffer
• Very flexible and high utilization / efficiency


• Bursty traffic handling and shaping possible
• Fairness not automatic
• Queueing delays. Buffers needed
• Different paths for each packet
• Lost packets. Congestion

1.9 What is (Virtual) Circuit Switching?

• Sender / receiver need specific amount of bandwidth for certain time.
• Assured that certain bandwidth is available (Streaming in 4k, video conference, traffic between
data centers)
• Dedicated physical circuit using suitable path
• Establishment permanently or on demand
• Delivery in order = all via same route
• Smaller packet overhead
• Resilience to transmission line loss more difficult

2 Link layer

2.1 What's the purpose of the link layer?

• Encapsulate network layer packets into (Ethernet) frames
• Link = Physical inter-connection to other hosts in the network
• Link protocols = Communication standards operating on physical connections

2.2 What is LLC?

• Logical Link Control
• Interface to (higher) network layer


• Encapsulate data packet into frame and vice-versa. Packet to Frame
• Responsibility: Reliable frame delivery within LAN
• Error control (especially important for WLANs). Detect erroneous packets. Discard faulty packets
• Flow control. Not used with Ethernet (retransmission on higher layer) or WLAN (bit errors
handled by MAC protocol)

2.3 What is MAC?

• Media Access Control
• Interface to (lower) physical layer
• Move frames from one network card (NIC) to another via a shared channel
• Frame to Signal

Services:

• Physical addressing via MAC address
• Marks begin and end of frames (= frame synchronization)
• Control access to shared medium = collision detection
• Virtual LAN (VLAN)

2.4 What were the basic ideas of Ethernet?

• Shared medium (cheap cabling)
• Decentralized: No central instance needed
• Random access for accessing the shared medium

Important: If a shared medium such as a hub is still used instead of a switch, the so-called channel
access control is needed in order to deal with frame collisions.

2.5 What is CSMA/CD?

• Carrier Sense Multiple Access / Collision Detection (CSMA/CD)
• Channel access control for shared media (hubs)
• Is used by Media Access Control (MAC) to control access to shared medium

2.6 How does CSMA/CD work?

• Listen: Wait while medium is busy
• Send: Transmit frame and meanwhile detect collisions. Collision occurred? Also inform others
using a jam signal


• Line busy: Wait certain time (= backoff period) and start again at step 1
• Repeat steps until max. attempt counter reached and end transmission

2.7 Why is CSMA/CD (usually) no longer needed?

• Switches isolate each Ethernet segment, no more collisions
• Nowadays switches and full-duplex connections are used

2.8 Why are MAC addresses and IP addresses used at the same
time?

• In a LAN it is possible to communicate via Ethernet and MAC addresses.
• But it is not possible to communicate with the world! IP addressing is needed for routing
(WANs)

2.9 What is the difference between a hub and a switch?

Hub

• Star topology
• Multiple ports, reads signal on port, reconstructs it, sends it to every other port
• Only half-duplex mode
• No intermediate packet storage
• Problems: Large collision domain and decreased performance

Switch

• Star topology like hub
• Analyze information from LLC layer (MAC addresses) and forward frames selectively
• Switch is transparent to nodes. MAC address is used to send, receive data. Switch is not
addressed.
• Switch uses forwarding and filtering to learn the frame recipients

Note: Switches operate on OSI Layer 2 and Routers forward IP packets (OSI layer 3)

2.10 What is the SAT?

• Source address table (SAT)
• Switch maintains table with MAC addresses


• If the source and/or destination MAC address is not in the table, the frame is broadcast to all ports
• MAC address and timestamp are put into the table
• Every node that sends a frame is added to the table

2.11 What's the difference between full and half duplex connections?

Half-duplex

• Sending and receiving not at the same time
• Quite obvious for a shared medium (hubs, repeaters)

Full-duplex

• Sending and receiving at the same time
• Would lead to collisions on a shared medium, but with full duplex (switched links) no more collision
handling is needed

2.12 What is MAC Flooding?

• Flood switch with fake MAC addresses until memory exhausted
• Switch then changes mode and behaves like hub

2.13 What is MAC Spoofing?

• Fake a foreign MAC address. Switch then redirects traffic to port of attacker
• By broadcasting an ARP reply
• Targets the SAT of the switch

2.14 What is the difference between Ad-Hoc networks and infrastructure networks?

Ad-hoc

• Two or more devices connect to each other directly (Peer-to-peer)

Infrastructure-based

• Access Point (AP) manages network
• WLAN and mobile networks


2.15 What is the hidden node problem?

• Wireless LAN – Collisions
• Host A starts to send
• How can Host B detect a collision if Host B is not in range of Host A?

2.16 What is CSMA/CA?

• Wireless LAN – Collisions
• Carrier Sense Multiple Access / Collision Avoidance
• Do not try to detect collisions but avoid them

Process

• Node A wants to send and sends RTS (Request to send)
• AP sends CTS (clear to send) which is seen by all
• When CTS seen: A sends data and the others do not try to send
• Wait until AP sends ACK
• Often turned off because of the big overhead for small packets

2.17 How does attacking WEP basically work?

• Wired Equivalent Privacy
• Variant I: 40-bit key + 24-bit IV = 64-bit RC4 Key
• Variant II: 104-bit key + 24-bit IV = 128-bit RC4 key

Attack Idea

• Look for many packets with "weak IVs" that reveal information about WEP key
• Enough weak IVs found? Crack WEP key
• Weak IV is key dependent. Takes different amount of time per key

Ways to get the key…

• Active attack (traffic generation): Replay attack or ARP replay
• Passive attack: Wait and capture traffic. Undetectable


2.18 How does attacking WPA basically work?

• Wi-Fi Protected Access

Two operation modes:

• Personal: Pre-Shared Key (PSK)
• Enterprise: 802.1x + RADIUS Authentication Server

Attack requirements:

• Only known way so far: Brute Force!
• Capture 4 way handshake
• Passphrase to test: Can be provided from a dictionary or generated on-the-fly
• SSID of AP: Serves as IV for PBKDF2 (Password-Based Key Derivation Function 2)
• Requires high computational resources
• Speed up the brute force attack: Use pre-calculated rainbow tables or GPU acceleration
• Rainbow tables contain Pairwise Master Key (PMK) for specific SSID and dictionary of
passphrases

2.19 How does attacking WPS basically work?

• Wi-Fi Protected Setup
• 8-digit PIN as alternative to passphrases. Emphasis on usability
• Guesses until PIN is recovered
• Only works if WPS enabled on AP and amount of tries not limited!


3 Between Link and Network Layer

3.1 What is the purpose of the network layer?

Addressing across networks, routing, switching (IPv4 / IPv6 protocols)

3.2 What is ARP?

• Address Resolution Protocol
• When something needs to be sent to an IP address, ARP is used to ask the local LAN for the
appropriate MAC address
• Node that has the "queried" IP address answers with matching MAC address
• If the queried IP address is not on the same network the MAC address of the gateway is used

3.21 What is the ARP cache?

• Information gathered by ARP is stored in ARP Cache
• Reduces communication overhead

3.3 What is ARP Poisoning?

• Attacker wants to modify traffic
• Attacker poisons ARP cache of other hosts with gratuitous ARP replies (e.g. host and gateway)
• ARP Requests / Replies are not authenticated!
• Applicable in old LANs with hub but also in switched networks or open WLANs


3.4 What are Gratuitous ARP messages?

• Announcements that say a MAC address belongs to an IP address
• Update other hosts' mapping when sender IP or MAC address changed
• Typically done at computer startup
• No answer expected

Two methods:

Important: Regardless of method, receivers replace cached entries with the new mapping! Security problem

Method A: By broadcasting an ARP request

• Target IP = Sender IP address
• Both set to the address of the machine that has changed its MAC address

Method B: By broadcasting an ARP reply

• Target IP = Sender IP address
• Target MAC = Sender MAC address
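A defender-side illustration of sections 3.3 and 3.4, added here and not part of the lecture notes: an ARP cache that overwrites its entries on every message exactly as described above, but records each overwrite of an existing IP-to-MAC mapping so that a poisoning attempt (or a legitimate MAC change, which looks the same on the wire) becomes visible. The ARP messages and MAC addresses are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ArpMessage:
    opcode: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        # Method A (request) and Method B (reply) from section 3.4 both carry
        # the announcing host's own IP in the target IP field.
        return self.sender_ip == self.target_ip


@dataclass
class ArpCache:
    """ARP cache that behaves like the unauthenticated one in the notes
    (every request/reply overwrites the cached mapping) but records each
    overwrite of an existing entry as an alert for the defender."""
    entries: dict = field(default_factory=dict)   # ip -> mac
    alerts: list = field(default_factory=list)

    def update(self, msg: ArpMessage) -> Optional[Tuple[str, str, str, bool]]:
        old = self.entries.get(msg.sender_ip)
        self.entries[msg.sender_ip] = msg.sender_mac      # trusting, as ARP is
        if old is not None and old != msg.sender_mac:
            alert = (msg.sender_ip, old, msg.sender_mac, msg.is_gratuitous())
            self.alerts.append(alert)
            return alert
        return None


def replay(messages) -> list:
    """Feed a sequence of ARP messages through a fresh cache; return the alerts."""
    cache = ArpCache()
    for msg in messages:
        cache.update(msg)
    return cache.alerts


# Constructed sample traffic (not captured data): the gateway 192.168.1.1
# announces itself at start-up, a host resolves it normally, then a second
# station claims the gateway's IP with a different MAC via Method B.
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    ArpMessage(1, "02:00:00:00:00:01", "192.168.1.1", BROADCAST, "192.168.1.1"),
    ArpMessage(1, "02:00:00:00:00:10", "192.168.1.10", BROADCAST, "192.168.1.1"),
    ArpMessage(2, "02:00:00:00:00:01", "192.168.1.1", "02:00:00:00:00:10", "192.168.1.10"),
    ArpMessage(2, "02:00:00:00:00:99", "192.168.1.1", BROADCAST, "192.168.1.1"),
]

if __name__ == "__main__":
    for ip, old, new, gratuitous in replay(SAMPLE):
        print(f"ALERT {ip}: {old} -> {new} (gratuitous={gratuitous})")
```

An alert is a signal, not proof: a host that really changed its NIC produces the same overwrite, so the mapping change should be correlated with DHCP leases or an inventory before acting on it.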

4 Network Layer – IPv4

4.1 What was the main idea when IPv4 was developed?

• Create simple network layer, move intelligence to clients (end points)
• Extendable by creating new applications on the layers on top
• Connect different networks, technologies (radio, satellite, Ethernet) with different
characteristics (loss rate, delays, transmission rates, etc.)

4.2 Important IPv4 Header fields and their use?

• Version: IP protocol number = 4


• Internet Header Length: Size of IP header in 32-bit words
• Differentiated Service Code Point: Used to separate traffic into classes for prioritization
• Explicit Congestion Notification: Notification about congestion
• Total Length: Packet size of header (20-60 bytes) + data (0-65.535 bytes). Size between 20-65.535 bytes
• Identification: Identify fragmented packets
• Flags: Bit 1 set = DF (Don't fragment), Bit 2 set = MF (More fragments)
• Fragment Offset: Offset of current fragment relative to unfragmented packet
• Time to Live (TTL): Hop count, if 0 = Router discards packet
• Protocol: Next layer protocol used in data portion
• Header checksum: 16-bit checksum of IP header. Routers verify it. On mismatch, packet is dropped
without notification
• Source IP address: 32-bit IPv4 address of sender
• Destination IP address: 32-bit IPv4 address of receiver
• Options: Rarely used, e.g. for debugging
• Data: Payload, identified by the Protocol field, e.g. 1: ICMP, 6: TCP, 17: UDP. For TCP / UDP this is
the transport layer segment

4.3 What is an IP subnet?

• Group hosts into subnets
• Route entries for each IP address on every router not feasible
• Hosts sharing the same subnet do not need a router
• They can communicate via data-link layer (Ethernet, WLAN, ARP!!)


• In the past only few network classes. Subnet masks with /8, /16, or /24 but nothing in between
• Waste of resources
• Now: Classless Inter-Domain Routing (CIDR)
• No. of addresses = 2^(32 - CIDR)

4.4 Specify the subnet mask for the IP 192.168.0.1 with 192.168.0.0 as the network and 1 as the host.
How many hosts can communicate with each other in that network?

• 255.255.255.0 or CIDR /24
• 254 hosts, e.g. 192.168.1.1 to 192.168.1.254
• 254 hosts instead of 256 hosts because of IPv4 special addresses:
• First address in network is network identifier: 192.168.1.0
• Last address in network is broadcast address of network: 192.168.1.255
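The subnet arithmetic of sections 4.3 and 4.4 carried out in code, as an added example that is not part of the lecture notes. It computes mask, network id, broadcast address and usable host range from CIDR notation with plain bit operations (no `ipaddress` module, so the formula 2^(32 - CIDR) and the two reserved addresses are visible), handles the /31 and /32 edge cases where nothing is reserved, and answers the section 3.2 question of whether two hosts can talk directly or need the gateway.

```python
def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {ip}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0."""
    bits = format(ip_to_int(mask), "032b")
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return len(ones)


def describe_subnet(cidr: str) -> dict:
    """Network id, broadcast address and usable host range for an address in
    CIDR notation. For /31 and /32 no addresses are reserved for network id
    and broadcast (point-to-point links and single hosts)."""
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = mask_from_prefix(prefix)
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    size = 2 ** (32 - prefix)                  # No. of addresses = 2^(32 - CIDR)
    if prefix <= 30:
        usable, first, last = size - 2, network + 1, broadcast - 1
    else:
        usable, first, last = size, network, broadcast
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "addresses": size,
        "usable_hosts": usable,
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True if both hosts share the prefix, i.e. they can talk via the link
    layer (ARP) directly; otherwise the packet goes to the gateway."""
    mask = mask_from_prefix(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    print(describe_subnet("192.168.0.1/24"))
    print(same_subnet("192.168.0.1", "192.168.1.1", 24))
```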


4.5 What are private IP networks?

• Everybody may use them in internal networks
• Not routed on Internet

4.6 What is NAT?

• Network Address Translation
• Important concept implemented by routers / firewalls
• Transform any IP address into another one ("pure NAT")
• When transport layer is TCP / UDP, also translate source / destination ports
• Router has to rewrite addresses in IP packet and re-compute checksum
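The header layout of section 4.2 and the address rewrite of section 4.6 in working code, as an added example that is not from the lecture notes. It builds a minimal IPv4 header, parses the fields listed above, verifies the RFC 791 header checksum the way a router does (one's complement sum over the received header must be zero), and shows why "pure NAT" must recompute the checksum after changing the source address. The packet is a constructed sample.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of
    all 16-bit words. Called with the checksum field zeroed it yields the value
    to store; called over an intact received header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0, df: bool = True) -> bytes:
    """Construct a 20-byte header without options and a valid checksum."""
    ver_ihl = (4 << 4) | 5                   # version 4, IHL = 5 words = 20 bytes
    flags_frag = 0x4000 if df else 0         # DF bit set, fragment offset 0
    fields = [ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(raw)           # fill in the checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of section 4.2 and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": packet[20:ihl],
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """'Pure NAT' at the IP layer (section 4.6): replace the source address and
    recompute the header checksum. Port translation and the TCP/UDP
    pseudo-header checksum are not shown here."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[12:16] = socket.inet_aton(new_src)
    header[10:12] = b"\x00\x00"              # zero the field before recomputing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


# Constructed sample: a 12-byte UDP-ish payload from a private address.
SAMPLE = build_ipv4_header("192.168.1.10", "93.184.216.34", 17, 12,
                           ident=0x1234) + b"\x00" * 12

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
    print(parse_ipv4_header(nat_rewrite(SAMPLE, "203.0.113.5")))
```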

4.7 What is the MTU?

• Maximum Transmission Unit (MTU)
• Defines max. amount of bytes the data link can pass onwards
• Headers of link layer not included in MTU
• Larger MTU has greater efficiency but occupies the link longer (increases latency)
• Different links between routers can have different MTUs
• Ethernet max. MTU is 1500 bytes
• Hosts or routers fragment too large packets
• Re-assembly typically by end-hosts
• Flags: Bit 1 set = DF (Don't fragment)

4.8 What is MTU Path Discovery?

Find out what MTU should be used to avoid fragmentation

Workflow:

• Endpoints send IP packet with DF flag set
• If a router is encountered whose next link has MTU < packet size, the packet is dropped
• Router sends back ICMP message Type 3: "Destination unreachable" with code 4: "Fragmentation
required, and DF flag set"


• Repeated until MTU small enough to traverse path without fragmentation
• Problem in practice: ICMP messages are often blocked by firewalls
• Alternative using TCP: Progressively try larger packets
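The Path MTU discovery workflow of section 4.8 as a small simulation, added here and not part of the lecture notes. A path is a list of links; sending with DF set either delivers, returns the ICMP type 3 / code 4 error (carrying the next-hop MTU, as RFC 1191 specifies) or silently drops the packet when a firewall on the return path filters ICMP. Classic discovery shrinks to the reported MTU each round, and the probing fallback mentioned above searches for the largest size that gets through when no ICMP feedback arrives. The topologies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3      # ICMP type
CODE_FRAG_NEEDED_DF_SET = 4    # code: fragmentation required and DF set


@dataclass
class Link:
    mtu: int
    passes_icmp_errors: bool = True   # False: a firewall here drops ICMP errors


@dataclass
class Path:
    """Links from sender to receiver, in order. An ICMP error generated in
    front of link i must travel back over links 0..i-1 to reach the sender."""
    links: List[Link]

    def send(self, size: int) -> Tuple[str, Optional[tuple]]:
        """Send one packet with DF set. Returns ("delivered", None),
        ("icmp", (type, code, next_hop_mtu)) or ("dropped", None) when the
        packet was discarded but the ICMP error never made it back."""
        for i, link in enumerate(self.links):
            if size > link.mtu:
                if all(l.passes_icmp_errors for l in self.links[:i]):
                    return ("icmp", (ICMP_DEST_UNREACHABLE, CODE_FRAG_NEEDED_DF_SET, link.mtu))
                return ("dropped", None)
        return ("delivered", None)


def discover_pmtu(path: Path, start: int = 1500, max_rounds: int = 10) -> Optional[int]:
    """Classic PMTUD: keep sending with DF set and shrink to the next-hop MTU
    reported in each ICMP error. Returns None when the path black-holes the
    probes (ICMP filtered), which is the practical problem noted above."""
    size = start
    for _ in range(max_rounds):
        status, info = path.send(size)
        if status == "delivered":
            return size
        if status == "icmp":
            size = info[2]
        else:
            return None
    return None


def probe_pmtu(path: Path, low: int = 576, high: int = 1500) -> Optional[int]:
    """Fallback when ICMP is filtered: use delivery itself as the only signal
    and search for the largest size that gets through (the idea behind the
    'progressively try larger packets' alternative; a binary search here).
    `low` is an assumed safe floor for the probe, not a protocol constant."""
    if path.send(low)[0] != "delivered":
        return None
    best = low
    while low <= high:
        mid = (low + high) // 2
        if path.send(mid)[0] == "delivered":
            best, low = mid, mid + 1
        else:
            high = mid - 1
    return best


# Constructed topologies: a plain path and the same path with a firewall that
# drops ICMP errors on the link in front of the narrow 1400-byte link.
CLEAN_PATH = Path([Link(1500), Link(1492), Link(1400), Link(1500)])
BLACKHOLE_PATH = Path([Link(1500), Link(1492, passes_icmp_errors=False),
                       Link(1400), Link(1500)])

if __name__ == "__main__":
    print(discover_pmtu(CLEAN_PATH), discover_pmtu(BLACKHOLE_PATH), probe_pmtu(BLACKHOLE_PATH))
```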

4.9 What is ICMPv4?

• Internet Control Message Protocol
• Encapsulated in IP packets
• Used to send error and information messages
• 32-bit messages: Protocol number 1 in IP header
• ping and traceroute

Attacks:

• Ping of Death - Buffer overflow, System cannot handle more than RFC 791 allows (65.535
bytes)
• Ping Flood - Send so many ping requests that normal traffic fails to reach system
• Smurf attack (DDoS) - Attacker sends ping packets with spoofed source IP (= victim IP
address) to broadcast address in network. All connected clients will answer and overwhelm
victim

4.10 What is IP Unicasting?

• One-to-one: Single sender, single receiver
• Used for all network processes where private or unique resource is requested


4.11 What is IP Multicasting?

• One-to-some: Send data to multiple "interested" receivers
• Address range 224.0.0.0/4 => 224.0.0.0 – 239.255.255.255
• Protocol: "Internet Group Management Protocol" (IGMP)
• Usage: Streaming of audio / video (IPTV)

Workflow:

• Source sends packets to multicast address with group, e.g. 239.1.1.1
• Receiver joins group at 239.1.1.1 using IGMP protocol
• Data usually sent connection-less way (UDP)

4.12 What is IP Broadcasting?

• One-to-many: Send data to all receivers
• Target: Special IP 255.255.255.255 or local broadcast addr., e.g. 192.168.1.255

4.13 What is IP Anycasting?

• One-to-nearest
• Send data with same address but only to closest = load balancing
• Set same destination address for every host in a group of potential receivers
• Using Border Gateway Protocol (BGP) a client is routed to "nearest" host
• Used for Domain Name System or Content Delivery Networks (CDN)

4.14 What is BGP?

Border Gateway Protocol (BGP)

4.15 Routing

Detect new paths through the internet. How to circumvent failed links or choose faster ones?

Two main concepts for routing

1. Forwarding - Router must move incoming packet to appropriate output link
2. Routing - Algorithms determine possible paths / routes for packet flow through networks


4.16 IP Routing

Autonomous System (AS)

Collection of different IP network prefixes run by one or more network operators with a clearly defined
routing policy

• Automatically determine network structure
• Provide forwarding tables for routers
• Exchange information with neighbouring routers

Routing protocols

Interior Gateway Protocols (IGP)

• Routing traffic within an AS
• Metrics: Delays, bandwidth, hop count

Exterior Gateway Protocols (EGP)

• Routing traffic between AS
• Metrics: Policies, rule-sets

4.17 Principal routing algorithms

Link-state protocols (LS)

• Tell all network nodes who your neighbors are
• After some time, every router knows full topology of network

Distance-vector protocols (DV)

• Tell your neighbors what your world looks like
• Distance to other routers basis for shortest path problem
• Improved version with better loop detection: Path-Vector


5 Network Layer – IPv6

5.1 Why is IPv6 going to be used?

Global registries have no more IPv4 addresses to assign (depletion)

Problems:

• Rise of always-on connections (Broadband instead of dial-up, mobile devices)
• Inefficient address use. Often far more addresses allocated than needed, e.g. /8 block. Not all
addresses usable in subnets
• NAT makes PCs un-addressable from outside
• Solution: IPv6

Larger address space:

IPv4: 32-bit, max. 2^32 addresses

IPv6: 128-bit, max. 2^128 addresses

IPv4 Inefficient address use:

• Only three classes of IP addresses
• Classes replaced by CIDR (Classless Inter-Domain Routing) in order to reduce amount of
wasted addresses
1. Class A (/8): 128 networks for 16.777.216 connected hosts each
2. Class B (/16): 16.384 networks for 65.536 computers
3. Class C (/24): 2.097.152 networks for 256 hosts each


5.2 IPv6 Design Goals

• Global reach-ability without NAT
• Simplify the processing of IPv6 packet headers for routers (Less computational effort needed
for forwarding)
• Self-configuration of nodes in networks (SLAAC, NDP)
• Native support for network techniques Quality of Service, Multicasting, IPSec

5.3 Important IPv6 header fields and their use?

• Version (4 bits): IP protocol number = 6
• Traffic Class (8 bits): Like DSCP field in IPv4, used for traffic prioritization, e.g. low latency
for streaming media
• Flow Label (20 bits): Identifies packets using labels, e.g. a VoIP conversation. Hint for routers to
use same outgoing path for these packets to avoid reordering at the receiver side. Can be useful
for real-time applications.
• Payload Length (16 bits): Only size of sent data because IPv6 header size is fixed (40 bytes).
In IPv4 the corresponding field is the total length
• Next Header (8 bits): Next header following the IPv6 header. Like protocol identifier in IPv4
header, e.g. TCP (6), UDP (17), ICMPv6 (58) or code of new IPv6 extension header
• Hop Limit (8 bits): Like TTL field in IPv4. Decremented by one at each visited node. If 0 =
packet discarded


5.4 What are the major differences of IPv6 to IPv4?

Difference to IPv4 Header

Missing fields

• Routers never fragment IPv6 packets
• 40 bytes fixed header size instead of variable length
• Header checksum (TCP, UDP should do this)

Renamed fields

• IPv4 Protocol → IPv6 Next header
• IPv4 Total Length → IPv6 Payload Length (IPv6 header size always 40 bytes!!!)
• IPv4 TTL → IPv6 Hop Limit

New fields

• Traffic Class (Packet Prioritization / Quality of Service (QoS), e.g. for VoIP or A/V streaming)
• Flow Label (Distinguish flow of packets that need same treatment / routes)

Next Header

• After the IPv6 Header, the so-called IPv6 Extension Headers can carry optional Internet Layer
information
• Placed between IPv6 Header and higher layer protocol
• Last Next Header in chain must be upper layer protocol
• Most IPv6 packets without extension headers

Fragmentation

• In IPv6, routers never fragment packets
• MTU Path discovery mandatory for IPv6 clients
• Alternative for IPv6: Use Minimum MTU size 1280 bytes


• Any link must be able to transfer this size without end-to-end fragmentation

Addresses

• 128-bit addresses vs. 32-bit addresses
• Addresses no longer identify hosts but interfaces
• IPv4: "Network address" → IPv6: "Prefix"
• IPv4: "Host address" → IPv6: "Interface address"
• No broadcast addresses anymore → now performed via Multicast
• One interface can be assigned multiple addresses

Other differences

• No more NAT needed (Good for Peer-to-peer but privacy problem)
• ICMPv6 replaces ICMPv4, IGMP and ARP (!!)
• DHCP → DHCPv6, e.g. for DNS server discovery
• DNS adapted by AAAA record
• Self-configuration of nodes in networks (SLAAC, NDP)
• Native support for network techniques Quality of Service, Multicasting, IPSec

5.5 What are the rules of IPv6 notation?

• Hexadecimal notation. Eight 16-bit pieces, separated by ":"
• Example: 201a:0000:0000:0945:daa2:5eff:fe8e:e553
• A set of consecutive null blocks can be replaced by two colons. Only once per address!
• Example: 201a::0945:daa2:5eff:fe8e:e553
• Leading zeros within each 16-bit part can be removed: 201a::945:daa2:5eff:fe8e:e553
• Addressing via IP & port: https://[201a::945:daa2:5eff:fe8e:e553]:443

Subnets are denoted in CIDR representation. Example: 2001:0db8:1234::/48 includes
2001:0db8:1234:0:0:0:0:0 to 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff


5.6 What are IPv6 types and IPv6 address scopes?

Types:

• Unicast (one-to-one). Address of single interface. Packet delivery for one receiver
• Multicast (one-to-many). Address for a set of interfaces. Delivered to all interfaces with this
address
• Anycast (one-to-nearest). Packet for anycast address delivered to one interface with that address

Scopes:

Unicast / Anycast

• Link local: Only valid on current link (network) → not routable (::1/128 loopback, or fe80::/10 for
a single link)
• Unique local: Only for communication in small subnets → Comparable to private addresses
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 in IPv4. For local communications or inter-site VPNs.
Not routable in Internet!
• Global: Globally valid, routed via Internet

Multicast

• IPv6 has no broadcast addresses as in IPv4, e.g. 192.168.1.255
• Prefix ff00:: identifies scope
• ff02::1 = Send broadcast to all nodes in LAN segment
• ff02::2 = All routers in LAN segment

5.7 What is the Loopback address in Ipv6?

• Link local address
• ::1/128 : Loopback address, same as 127.0.0.1 on IPv4


5.8 What is the mandatory Link Local Address in IPv6?

• fe80::/10 : Only valid and unique on single link
• Can be used for communication between two IPv6 devices (like ARP but on layer 3)
• Existence mandatory on every IPv6-enabled device!

5.9 What is the IP range reserved for global use up to now in IPv6?

• 2000::/3 (2000... to 3fff)

5.10 What is NDP?

• Neighbor Discovery Protocol (NDP)
• Operates on link layer but part of ICMPv6
• Replaces functionality of ARP
• Hosts use it to discover routers, check neighbors
• Set of prefixes for current link
• Auto-configuration of addresses
• Which MTU or hop limit to put on outgoing packets
• Detection of duplicates (DAD) and neighbor unreachability (NUD)

Router Discovery

• In IPv4 client has static routes or learned via DHCP
• In IPv6 host joins network and sends out "Router Solicitation" via Multicast to
group "all routers" (ICMPv6 message type 133)
• Router periodically sends "Router Advertisement" to Multicast group "all nodes" (message type 134)
with one or more prefixes, lifetime, router information
• Security issue: MITM Attack = Everybody can send out RA and pretend to be a router (Same as
ARP spoofing)

Address Resolution

• Instead of ARP table → "Neighborhood cache"
• To get the MAC address for an IPv6 address, a "Neighbor Solicitation" is sent to the solicited-node
multicast address (ICMPv6 message type 135)
• Request not broadcasted to all nodes (as with ARP in IPv4)!
• If node is present: "Neighbor Advertisement" (message type 136)
• Neighborhood Cache is updated with mapping IP → MAC address


5.11 What is SLAAC?

• Stateless address auto configuration
• NDP – Auto-configuration
• Assign IPv6 address to interface without DHCP
• Interface can obtain IPv6 address without router / server (stateless)

Workflow:

• Multicast-capable interface comes up
• Derive IPv6 link-local address from link layer address (MAC)
• Check for potentially duplicate addresses (prevent collision)
• Perform router / prefix discovery in order to get address with global or unique-local scope

Derive link-local address from MAC

DAD

• Check if address is already in use: Duplicate Address Detection (DAD)
• Send "Neighbor Solicitation" to local network
• "Neighbor Advertisement" is sent (only) if other host uses this address

Get global IPv6 address

• Wait for router advertisement with prefix or send "Router Solicitation" to multicast address
ff02::2 (all routers)
• Reply: "Router Advertisement" with global prefixes


Privacy

• With IPv6, every interface gets a unique IPv6 address
• No dynamic IP addresses / NAT needed
• If location changes the prefix changes but the interface ID is still the same (Tracking possible!)
• Remedy: "Privacy Extensions for SLAAC" (RFC 4941)

5.12 ICMPv6

• Replaces ICMPv4, IGMP, ARP
• As in IPv4, used to send error and information messages.
• Is not allowed to be blocked by firewalls
• No fragmentation in IPv6 → MTU Path discovery necessary


6 Transport Layer

6.1 What's the main purpose of the transport layer?

Data channels for individual applications

• Transport end-to-end messages between particular services
• Use multiplexing to differentiate multiple, separate applications (Ports!)

In UDP and TCP – Ports:

• Service is provided to higher layers through ports
• Same port number for different TCP and UDP service is possible
• Ports allow to speak to different applications running on same host
• 192.168.1.1:80 or [201a::945:daa2:5eff:fe8e:e553]:443
• Session: Communication between client and server on a socket pair

Ports in detail:

• 16-bit numbers between 0 – 65535
• Well-known ports: 0 – 1023 (specific, widely-used services)
• Registered ports: 1024 – 49151 (Proprietary applications)
• Dynamic ports: 49152 – 65535 (Dynamically opened / closed by applications during sessions)


6.2 What are other purposes of the transport layer which are not
implemented by every protocol which implements the transport
layer?

Reliability

• Re-order incoming packets according to their sending order
• Detect errors → request faulty packets again

Flow Control & Congestion Avoidance

• Sender must not overwhelm receiver with packets
• Handle too much traffic in the network

6.3 What are the two most famous protocol implementations of the transport layer? What are the main
differences between them?

TCP: Transmission Control Protocol

• Connection-oriented
• Data delivery only possible after "Three way handshake"
• Reliable but "heavyweight" end-to-end transport of data
• Error detection, Flow & congestion control, Ordered Delivery
• Applications: HTTP(S), FTP, SSH, SMTP, IMAP, POP3, …
• Stateful. Is destination alive? Have packets been lost? Packets in correct order? Can receiver
follow speed of sender (Flow control (Buffers))

UDP: User Datagram Protocol

• Transaction-oriented (= "connection-less")
• Stateless: Great for large number of clients (streaming)
• Unreliable → sender does not know if destination reached
• No congestion control
• Used where re-transmission of lost packets makes no sense, e.g. VoIP, Streaming
• Applications (Small implementations): DNS, DHCP, SNMP, often also in VPNs
• Simple request / response is enough (DNS, NTP)

6.4 What are the header fields of UDP?


• Source Port (16 bits): 0 – 65535: Identifies application of sender (client)
• Destination Port (16 bits): 0 – 65535: Identifies application of receiver (server)
• Length (16 bits): Total UDP Packet length: Header + Payload
• Checksum (16 bits): Checksum over header and data. Optional in IPv4, mandatory in IPv6
• Payload: Data to be sent, e.g. DNS request

6.5 What's a UDP reflection attack?

• Distributed Denial of Service attack
• Attacker sends UDP requests with a forged (spoofed) source IP address, namely the victim's, e.g. NTP or DNS requests
• Because UDP has no handshake, the server cannot tell that the source address is fake and sends its response to the victim
• Response is x-times larger than the request → amplification (see 10.11)
• Victim is overwhelmed with traffic it never asked for
• Attacker is barely traceable, since the victim only sees the reflectors' addresses
• Remedy: ingress filtering of spoofed source addresses at the ISP (BCP 38) and rate limiting / disabling of abusable services (e.g. NTP monlist, open resolvers)

6.6 What are the header fields of TCP?

• Source & Destination Port (16 bits each): As in UDP
• Sequence Number (32 bits): Position of the first payload byte in the sender's byte stream (randomised initial value per connection)
• Acknowledgement Number (32 bits): Next byte expected from the other side (cumulative ACK); both numbers serve ordering, loss detection and session identification
• Data Offset (4 bits): = Header length in 32-bit words (5 – 15); necessary because of variably-sized options
• Reserved (3 bits): Always 0
• Flags (9 bits): = Control bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN). Needed for connection establishment, tear-down, error handling, etc.
• Window Size (16 bits): Flow control mechanism: how many bytes the receiver is currently willing to accept, i.e. how much the sender may send beyond the acknowledged data (scaled by the window scale option if negotiated)
• Checksum (16 bits): As in UDP: pseudo-header, header and data. Mandatory in TCP
• Urgent Pointer (16 bits): Points to the end of „urgent“ data when the URG flag is set
• Options (variable, 0 – 40 bytes): e.g. MSS, window scale, SACK, timestamps
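As an added worked example for 6.4 and 6.6 (not code from the course notes or slides), the following Python parses UDP and TCP headers from raw bytes and verifies the checksum, which in both protocols covers an IPv4 pseudo-header plus the transport header and data. The addresses, ports and segments are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

UDP, TCP = 17, 6
# Bit positions of the 9 TCP control bits within the 16-bit "data offset / reserved / flags" word
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed sample IPv4 addresses


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 for a correctly checksummed segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header_v4(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """Pseudo-header prepended for checksumming: src, dst, zero, protocol, transport length."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def verify_checksum_v4(src: bytes, dst: bytes, proto: int, segment: bytes) -> bool:
    return internet_checksum(pseudo_header_v4(src, dst, proto, len(segment)) + segment) == 0


def with_checksum(src, dst, proto, segment: bytes, offset: int) -> bytes:
    """Fill in the checksum field at `offset` (6 for UDP, 16 for TCP)."""
    seg = bytearray(segment)
    seg[offset:offset + 2] = b"\x00\x00"
    ck = internet_checksum(pseudo_header_v4(src, dst, proto, len(seg)) + bytes(seg))
    if proto == UDP and ck == 0:
        ck = 0xFFFF          # in IPv4 a transmitted 0 means "no checksum", so 0 is sent as 0xFFFF
    struct.pack_into("!H", seg, offset, ck)
    return bytes(seg)


@dataclass
class UdpHeader:
    src_port: int
    dst_port: int
    length: int
    checksum: int
    payload: bytes


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int
    flags: list
    window: int
    checksum: int
    urgent: int
    options: bytes
    payload: bytes


def parse_udp(segment: bytes) -> UdpHeader:
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes")
    sp, dp, length, ck = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field inconsistent with segment")
    return UdpHeader(sp, dp, length, ck, segment[8:length])


def parse_tcp(segment: bytes) -> TcpHeader:
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sp, dp, seq, ack, off_flags, win, ck, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12            # header length in 32-bit words (5..15)
    hdr_len = data_offset * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if (off_flags >> i) & 1]
    return TcpHeader(sp, dp, seq, ack, data_offset, flags, win, ck, urg,
                     segment[20:hdr_len], segment[hdr_len:])


def sample_udp() -> bytes:
    """Constructed UDP datagram 53000 -> 53 carrying a 5-byte payload."""
    payload = b"hello"
    header = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0)
    return with_checksum(SRC, DST, UDP, header + payload, 6)


def sample_tcp_syn() -> bytes:
    """Constructed TCP SYN 40000 -> 443, no options, window 65535."""
    header = struct.pack("!HHIIHHHH", 40000, 443, 0x1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    return with_checksum(SRC, DST, TCP, header, 16)
```

The pseudo-header is why a NAT device that rewrites addresses or ports must also recompute the transport checksum, and why a receiver cannot verify a segment without knowing the IP header it arrived in.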

6.7 What is Port scanning?

• Check which ports are open on a host (and thereby which services are reachable)
• Leading tool: nmap

TCP SYN Scan - „Half-open“ scanning

• Attacker sends a SYN segment
• If the target answers with SYN/ACK → port open
• If the target answers with RST → port closed
• If nothing (or an ICMP unreachable) comes back → filtered by a firewall
• Attacker sends RST instead of ACK, so the handshake is never completed and the application never sees a connection (the stack may still log the SYN)

TCP FIN Scan

• Attacker sends a FIN segment without a preceding connection
• If the port is open → RFC 793-compliant stacks ignore the stray FIN
• If the port is closed → target answers with RST
• Caveat: Windows and some other stacks answer with RST in both cases, so a FIN scan cannot distinguish open from closed there

6.8 What is SYN Flooding?

• Very common DoS attack
• Attacker starts many handshakes with SYN segments (often from spoofed source addresses)
• Victim replies with SYN-ACK and allocates memory for each half-open connection (transmission control block, buffers)
• Attacker stays silent: the final ACK never arrives
• Problem: a host can only keep a limited number of TCP connections in half-open state (SYN queue) to bound memory usage → once the limit is reached, no more connections are accepted, not even from legitimate clients!
• Mitigations (not always sufficient): drop the oldest half-open connections (FIFO), shorter SYN-RECEIVED timeout, SYN cookies: the server keeps no state and instead encodes it (a MAC over the connection 4-tuple, a time counter and the MSS) into its initial sequence number; only a client that returns that value in its ACK gets a connection
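The SYN cookie idea as an added worked example (an illustration written for these notes, not the course's or any kernel's code). The MSS table, the counter period and the cookie layout are assumptions chosen for the example; the server stores nothing between SYN and ACK and recomputes the MAC when the ACK arrives.

```python
import hashlib
import hmac
import struct
import time

# Constructed MSS table: the 2-bit MSS index in the cookie selects one of these values.
MSS_TABLE = [536, 1300, 1440, 1460]
COUNTER_PERIOD = 64   # seconds; the 5-bit counter in the cookie ticks once per period


class SynCookieServer:
    """Server side of SYN cookies.

    Cookie layout in the 32-bit ISN:  [5 bits counter][2 bits MSS index][25 bits MAC]
    Nothing is stored per half-open connection; the client returns the cookie as ack-1.
    """

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now

    def _counter(self) -> int:
        return int(self._now() // COUNTER_PERIOD) & 0x1F

    def _mac(self, saddr: bytes, daddr: bytes, sport: int, dport: int,
             counter: int, client_isn: int) -> int:
        msg = saddr + daddr + struct.pack("!HHIB", sport, dport, client_isn, counter)
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & 0x1FFFFFF

    def make_isn(self, saddr, daddr, sport, dport, client_isn, mss) -> int:
        """Called on SYN: the ISN for the SYN-ACK, instead of allocating a half-open entry."""
        mss_idx = 0
        for i, value in enumerate(MSS_TABLE):
            if value <= mss:
                mss_idx = i            # largest table entry not exceeding the client's MSS
        counter = self._counter()
        mac = self._mac(saddr, daddr, sport, dport, counter, client_isn)
        return (counter << 27) | (mss_idx << 25) | mac

    def check_ack(self, saddr, daddr, sport, dport, seq, ack):
        """Called on the third-handshake ACK. Returns the MSS to use, or None if the cookie is invalid."""
        client_isn = (seq - 1) & 0xFFFFFFFF      # the ACK's seq is client_isn + 1
        isn = (ack - 1) & 0xFFFFFFFF             # the ACK number acknowledges our ISN + 1
        counter, mss_idx, mac = isn >> 27, (isn >> 25) & 0x3, isn & 0x1FFFFFF
        if ((self._counter() - counter) & 0x1F) > 1:
            return None                          # cookie older than about two counter periods
        expected = self._mac(saddr, daddr, sport, dport, counter, client_isn)
        if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return None
        return MSS_TABLE[mss_idx]
```

The price of statelessness is visible in the code: TCP options other than the coarse MSS are lost, and a 25-bit MAC can be guessed with on the order of 2^25 spoofed ACKs, which is why real stacks only switch to cookies once the SYN queue overflows.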

6.9 How does error handling in TCP work?

• A segment to the server is lost, so the server does not acknowledge it (ACKs are cumulative: the server keeps acknowledging the last byte it received in order)
• The client waits for the ACK until the retransmission timeout (RTO, derived from the measured round-trip time) expires and re-sends the segment
• If the receiver sees segments after the gap it sends duplicate ACKs; three duplicate ACKs trigger a „fast retransmit“ before the timer expires
• Corrupted segments (checksum mismatch) are simply dropped by the receiver and thus handled like lost ones

6.10 How does flow control in TCP work?

• Prevent the sender from overwhelming the receiver with too much data
• Receiver could be busy, under heavy load or have limited buffer space
• Sender's „speed“ must be adapted to the receiver. Issue between sender and receiver
• The sender determines the amount of bytes it may send beyond the last acknowledged byte from the window size the receiver advertises!

6.11 Sliding Window

• Adjust the amount of sendable data (= advertised window) before an ACK comes back
• The receiver advertises, in every segment, the number of bytes it is currently able to receive; as data is acknowledged the window slides forward
• A window size of 0 stops the sender; it then probes periodically until the receiver opens the window again
• The 16-bit field is scaled by the window scale option negotiated during the handshake (up to 2^14), otherwise 64 KiB would limit throughput on fast links

6.12 How does congestion control in TCP work?

• Prevent the sender from injecting too much data into the network. Issue between hosts and network
• Consequence of too much traffic: overload of switches / routers
• Network is overloaded → routers / switches cannot handle the amount of traffic
• Packets are dropped, causing timeouts and re-transmissions, which add even more traffic (congestion collapse)
• Congestion control keeps the data flow rate below the point of collapse
• Goal: high performance without re-transmissions and packet drops
• Maintain a „congestion window“ (cwnd) that tells the sender how much unacknowledged data may be in flight; the effective limit is the minimum of cwnd and the receiver's advertised window
• The congestion window is maintained by the TCP stack of the sender → not part of the TCP header!

Idea

• Based on a technique called additive increase / multiplicative decrease (AIMD)
• Start sending a small amount of data (small congestion window)
• Increase the amount of data linearly, by about one segment per round-trip time (additive increase)
• When packet loss occurs, halve the congestion window (multiplicative decrease)
• How much bandwidth is available at the beginning of a connection? Unknown → slow start!
• Instead of increasing the congestion window linearly, let it grow exponentially: cwnd grows by one segment for every ACK received, so it doubles once per round-trip time, until a threshold (ssthresh) is reached and additive increase takes over
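A small model of the slow start / AIMD behaviour described above, added here as a worked example (it is not code from the course and not a real TCP stack; the loss events and the initial threshold are assumed inputs). It distinguishes loss detected by duplicate ACKs (Reno halves the window) from a retransmission timeout (back to slow start).

```python
def simulate_cwnd(rtts: int, loss_events: dict, ssthresh: int = 16, cwnd: int = 1) -> list:
    """Return cwnd (in segments) at the start of each round-trip time.

    loss_events maps an RTT index to "dupack" (loss seen via three duplicate ACKs,
    fast retransmit) or "timeout" (retransmission timer expired). Model only.
    """
    trace = []
    for rtt in range(rtts):
        trace.append(cwnd)
        event = loss_events.get(rtt)
        if event == "dupack":
            ssthresh = max(cwnd // 2, 2)       # multiplicative decrease
            cwnd = ssthresh                    # Reno: continue from the halved window
        elif event == "timeout":
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1                           # severe congestion: restart slow start
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)     # slow start: +1 segment per ACK = doubling per RTT
        else:
            cwnd += 1                          # congestion avoidance: additive increase per RTT
    return trace
```

Plotting the trace gives the familiar sawtooth: exponential ramp, linear climb, halving at each loss.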

TCP States
1. Connection Establishment – „Build-up“ Performed before data can be sent
2. Data Transmission
3. Connection Termination – „Tear-down“ Indicates to both sides that no more data is going to be sent


7 Application Layer – HTTP


7.1 What is the HTTP GET method used for?

• Retrieves the representation of the res資源 at the requested URI (but does not change the resource!)
• Response consists of headers and content
• Safe and idempotent: repeating the request has no further effect

7.2 What is the HTTP POST method used for?

• Updates, creates or adds resources; the request body carries the data (e.g. form fields)
• Sending the request again would re-trigger the same action (e.g. a second order)
• Not idempotent

7.3 What is the HTTP PUT method used for?

• Creates or replaces the resource at the given URI with the request body
• Idempotent: putting the same representation twice leaves the same state

7.4 What is the HTTP CONNECT method used for?

• Used to ask a proxy to open a raw TCP tunnel, typically for TLS connections
• Standard way for clients behind an HTTP proxy to access HTTPS websites

Workflow

• Client sends „CONNECT google.at:443 HTTP/1.1“ to the HTTP proxy server
• The request names only the destination host and port (google.at:443)
• Proxy creates the TCP connection on behalf of the client and answers „200 Connection established“
• Proxy then forwards the bytes in both directions without interpreting them; the TLS handshake and the encrypted traffic pass through it

Traffic readable by the proxy?

• No: the proxy only sees the destination host:port and the amount of data
• Reading it would require a TLS MITM attack with forged certificates, and the user's browser would alert on an untrusted certificate (unless, as in corporate TLS-inspection setups, the proxy's CA certificate has been installed in the client's trust store)


7.5 What is the HTTP HEAD method used for?

• Retrieves headers only


• Equal to GET but without body
• Meta-information stored in headers, e.g. session information

7.6 What is the HTTP TRACE method used for?

• Intended for debugging: the server echoes the received request (headers included) back in the response body
• Useful for detecting changes that intermediate servers made, e.g. a proxy
• Insecure: since the echo contains the request's Cookie header, an attacker who can make the browser send a TRACE request and read the response obtains cookies even if they are HttpOnly („cross-site tracing“, XST). Disable TRACE on production servers!

7.7 What is the HTTP OPTIONS method used for?

• Returns the methods a server provides for a resource (or, with „OPTIONS *“, for the server as a whole)
• Allow: OPTIONS, TRACE, GET, HEAD (permitted methods on the given resource)
• Public: OPTIONS, TRACE, GET, HEAD, POST (non-standard header of older servers: like Allow, but for the server in general)
• Also used by browsers for CORS preflight requests (see 8.5)

7.8 What's the basic structure of an HTTP request?

Request line (method, path, version), header fields, an empty line and an optional body:

GET / HTTP/1.1
Host: www.example.com
Accept: text/html, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: <BROWSER AND OS>

7.9 What's the basic structure of an HTTP response?

Status line (version, status code, reason phrase), header fields, an empty line and the body:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 23
Date: <DATE>
Server: <SERVER>
Connection: close

<html>...</html>


7.10 What is Chunked Encoding?

• Enables the server to „stream“ content in chunks to the client while the connection stays open
• Standardized with HTTP/1.1
• Transfer-Encoding: chunked
• No Content-Length header: the total length is not known yet when the headers are sent
• Every chunk is prefixed with the number of bytes that follow, in hexadecimal, terminated by CRLF (optional „chunk extensions“ may follow the size after a semicolon)
• Followed by the actual chunk data and another CRLF
• A chunk of size 0 ends the body; optional trailer header fields and a final empty line follow → the next request / response may follow on the same connection
• If both Content-Length and Transfer-Encoding are present, chunked wins; servers and proxies that disagree on this can be desynchronised (request smuggling)
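A strict chunked-body decoder as an added worked example (written for these notes, not code from the course). The sample message is constructed: three chunks, one with a chunk extension, a trailer field, and the start of a follow-up request on the same keep-alive connection.

```python
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def decode_chunked(raw: bytes):
    """Decode a chunked message body.

    Returns (body, trailers, rest): the reassembled body, the trailer header fields that
    followed the last chunk, and any bytes after the terminating empty line (the next
    message on the same connection). Raises ValueError on anything malformed instead of
    guessing; lenient parsers that disagree with each other are what makes chunked
    framing a classic source of desynchronisation bugs.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = raw[pos:eol].split(b";", 1)[0].strip()   # "size[;ext=val...]"
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError("chunk size is not hexadecimal")
        if len(size_field) > 8:
            raise ValueError("chunk size too large")        # refuse sizes beyond 32 bits
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                           # last-chunk; trailers may follow
        if pos + size + 2 > len(raw):
            raise ValueError("truncated chunk data")
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += raw[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line = raw[pos:eol]
        pos = eol + 2
        if not line:
            break                                           # empty line ends the message
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer field")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return bytes(body), trailers, raw[pos:]


# Constructed sample input.
SAMPLE_CHUNKED = (
    b"4\r\nWiki\r\n"
    b"5\r\npedia\r\n"
    b"E;ext=1\r\n in\r\n\r\nchunks.\r\n"
    b"0\r\n"
    b"X-Checksum: abc\r\n"
    b"\r\n"
    b"GET /next HTTP/1.1\r\n"
)
```

Note that the CRLF inside the 14-byte chunk is ordinary payload: the size prefix, not line structure, delimits chunks, which is exactly what a decoder that "reads until the next blank line" gets wrong.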

7.11 What is HTTP Keep Alive?

• If not used: Connection between server / client closed after every request
• Since HTTP 1.1: Connection kept-alive by default
• One TCP connection is used for multiple requests instead of just one.

7.12 What is REST?

• Representational State Transfer


• Systems conforming to REST are called „RESTful“
• Using standard HTTP methods, operations are performed on resources, e.g. create, modify,
delete resources

7.13 Why do we need HTTP/2?

• Reuse core concept of HTTP (methods, status codes, header fields, etc.) but
• format (frame) the data more efficiently → Transfer binary data instead of text
• Address deficiencies of HTTP 1.1
• Web pages use more and more resources (images, scripts, stylesheets) → Huge overhead due to
multiple (sometimes parallel) requests

HTTP 1.x performance issues:

• Limited parallelism
• Head-of-line blocking
• High protocol overhead (~800 bytes of header + cookies, no compression of HTTP metadata)


Head of line blocking

HTTP/1.1 answers requests on one connection strictly in order, so a slow response delays every request queued behind it. Browsers therefore open about six parallel connections per host; once those are used up, further requests have to wait for earlier ones to complete.
Solution in HTTP/2: multiple concurrent streams are multiplexed over one TCP connection, so responses can be interleaved and no longer block each other at the HTTP layer (loss of a TCP segment still stalls all streams, which HTTP/3 over QUIC addresses).

7.14 What is Server Push of HTTP/2?

Server sends resources the client has not yet requested

7.15 What is AJAX?

• Asynchronous JavaScript and XML
• Reload only parts of a web page asynchronously, because otherwise the UI would block while loading
• Use JavaScript to asynchronously fetch data from the web server via XMLHttpRequest
• Formats: plain text, XML, HTML, JSON, … basically anything the script can process

Problems:

• Client still needs to poll the server periodically for updates
• Each poll is a full HTTP request with its own headers (HTTP is stateless), possibly even a new TCP connection
• Protocol overhead

7.16 What is COMET?

• Long polling
• Similar to XMLHTTPRequest but request remains open until data available

7.17 What are WebSockets?

• Long-lived TCP connection between server and client


• Enables bi-directional communication
• When data is sent →much less overhead, no HTTP protocol headers needed
• Server can send („push“) data to client without waiting for poll request from client
• Protocol Handshake: Client upgrades HTTP connection to WebSocket
• Plaintext URI: ws://example.com/socket
• Encrypted channel (TCP+TLS): wss://example.com/socket


7.18 What is HTML5 postMessage?

• Allows sending data between two windows / frames of different origins in a controlled way
• Sends plain text (or structured-cloneable) messages from one window object to another
• Safely enables cross-origin communication between window objects
• Before HTML5, cross-domain scripting between windows was not possible due to the SOP (= Same Origin Policy)

Security:
• Sender: Do not specify * as target origin, otherwise the message may end up in a window that has meanwhile navigated to an attacker's site
• Receiver: Always check event.origin against an allowlist before trusting the message!

7.19 What are HTTP sessions?

• A unique identifier transmitted with each request, which the server maps to its session state
• HTTP is stateless: any request is considered unrelated to prior ones
• The protocol itself does not maintain session information
• To (re-)identify users, session IDs are used
• Whoever knows the session ID has access (even without credentials)!

Requirements

• Session ID should be randomly chosen, unique and from a large key space (at least 128 bits of entropy)
• Not predictable, not derived from user data and not from a weak random number generator (use the OS CSPRNG, e.g. /dev/urandom)
• Regenerate the ID after login (see 8.7 session fixation) and invalidate it on logout

Pass session IDs

• Via rewritten URLs = session ID in the URL
• Via cookies = stored in HTTP headers
• Via hidden tags in HTML pages
• Via tokens sent in a header (e.g. Authorization: Bearer …)

7.20 Why is it a bad idea to store the session key in the URL?

• Idea: Encode the session ID as a parameter into the URL
• Web servers (and proxies) log requests → session IDs are logged as well!
• Browser history contains the login state
• Users who copy / share URLs also copy their session IDs
• Session ID exposed in the HTTP Referer header

Problem:

• HTTP requests typically send a Referer field with the originating URL
• If the originating URL contains a session ID, the Referer leaks it to the page that was clicked!

7.21 What are HTTP cookies?

Workflow:

• Set by the server via the HTTP header „Set-Cookie“
• Browser stores the cookie and sends it back (Cookie header) on every request to the same domain / path
• Data within name/value pairs

Cookie Structure

• Name=Value
• Domain: hosts the cookie is sent to (default: only the setting host)
• Path: / (URL prefix the cookie is sent for)
• Expires / Max-Age: if not set → session cookie, valid until the browser is closed
• Secure: if the flag is set → cookie is only sent over HTTPS connections
• HttpOnly: if the flag is set → scripts cannot access the cookie (document.cookie)
• SameSite (Strict / Lax / None): controls whether the cookie is sent on cross-site requests; limits CSRF (see 8.12)

Advantages

• Does not appear in server logs
• User cannot interfere, e.g. copy the cookie accidentally when sharing a URL

Problem: Tracking & Privacy

• On first visit of a page, the server sets a cookie with a unique identifier
• On subsequent visits, the same cookie is sent
• Profiling: which pages were visited, in what sequence, for how long?

Technical issues / attacks

• Man-in-the-middle: if traffic is not encrypted (or the Secure flag is missing) → cookie can be sniffed
• Cross-site scripting (XSS): attacker injects code into the website and steals the cookie (unless HttpOnly)
• Cross-site request forgery (CSRF): the browser attaches the cookie to requests the attacker triggers

Types of cookies:

• Session cookies: no expiration date, valid until the browser is closed
• Persistent cookies: valid until the expiration date
• Third-party cookies: set by a domain other than the page being visited (embedded ads, trackers)
• Supercookies: set for an entire public suffix (e.g. .at), so they would be sent to app.at and attacker.at alike. Security flaw → browsers block them using the public suffix list
• Zombie cookies: recreated after deletion from another storage, e.g. Flash or HTML5 storage

7.22 What are bearer tokens?

Access token sent in HTTP header

Workflow:

• User authenticates using credentials


• Server returns bearer token
• Client saves it locally, e.g. HTML5 localStorage
• User requests protected resource → web app inserts token in HTTP header

Use tokens instead of cookies because:

1. Easier for Single sign-on (SSO) scenarios

• Pass the identity of authenticated users between identity provider and service provider
• No third-party cookie needed

2. Tokens contain „claims“ = statements about the user + additional metadata

• Useful to allow / deny access to resources, services, routes

3. Trusted information exchange

• Tokens can be signed → ensures authenticity of the issuer
• Signature calculated over header + payload → ensures integrity („no modification“)

Caveat: a bearer token is exactly that: whoever bears it is accepted, so it must be protected like a session ID (TLS only, short lifetime, never in URLs). Stored in localStorage it is readable by any script running in the page, i.e. by XSS.

Example: JSON Web Tokens (JWT)

• Information exchange using JSON objects: a header (algorithm), a payload (claims) and a signature, each Base64url-encoded and joined with dots
• Digital signature or MAC (e.g. HS256 = HMAC-SHA256, RS256 = RSA) makes it verifiable


8 Web technologies
8.1 What is SOP?

• Browser security mechanism: scripts of a web application may only read data from their own origin, not from any other origin
• Provides a further degree of isolation between sites loaded in the same browser
• Scripts shall only access properties of documents & windows of the same origin
• Restricts reading responses of requests to other origins than the script's own
• Too strict for reality, since cross-origin requests are required in many scenarios (Dropbox, Facebook, Maps) → relaxations like CORS exist
• URL structure: scheme://domain:port/path?params
• Origin A can access origin B's DOM if they match on (scheme, host, port)
• Path and params are not considered!

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.

8.2 What is the default setting of the SOP?

By default forbidden

• Direct access to DOM, cookies, window objects of other origins
• Reading the response of direct HTTP(S) requests to other origins (e.g. XMLHttpRequest); the request itself may be sent, but the script cannot read the answer

Allowed requests to other origins

• <img> including remote images
• <script> JavaScript libraries from other domains (executed with the including page's privileges!)
• <iframe> other page included in an iframe (but its DOM is not accessible)
• HTML5 postMessage to other windows / frames
• Remaining HTML tags that load sub-resources (stylesheets, fonts, media)

Ways to relax or work around the policy

• AJAX proxy (own server fetches the foreign resource)
• JSONP
• CORS
• Content Security Policy (listed with these in the slides; it does not relax the SOP but lets a site restrict further which origins its content may be loaded from)

8.3 What is JSONP?

• JSON with Padding: data is wrapped in (= „padded with“) a JavaScript function call
• Idea: include code from other domains. The <script> element allows us to request any (valid) script from a foreign origin, e.g. a JavaScript library, but not to interact with the other page
• How to get data from another website? A bare JSON object literal loaded as a script is evaluated and immediately discarded (or even causes a syntax error), so nothing can be done with it
• Solution: the server wraps the data in a call to a function the page already defines (the „callback“), e.g. handleData({"user": "alice"}); the browser executes it and the page receives the data as a function argument


8.4 What is the security issue of JSONP?

• With JSONP, any content the foreign server returns is executed as JavaScript in your page; a compromised or malicious provider can inject arbitrary code
• You cannot control who (which origins) accesses your JSONP API: any site can include the script, and the user's cookies are sent along, so private data leaks to any attacker page the user visits

8.5 What is CORS?

• Cross-Origin Resource Sharing


• Mechanism to limit which origin can access resources
• Perform cross-origin AJAX requests
• Permissions defined by server in HTTP headers

8.5.1 How does CORS typically work? What is its main purpose?

Client

• Website is loaded in the browser: http://example.com
• Resource to be requested via AJAX: http://thirdparty.com/resource.js
• The GET request from the client to thirdparty.com includes the header „Origin: http://example.com“ (added by the browser, not controllable by the script)

Server

• thirdparty.com decides whether the origin is trusted
• Server responds with the allowed origin in the HTTP response header „Access-Control-Allow-Origin“, or with * if any domain is fine

Browser

• Checks whether the page's origin matches the allowed origin and passes the response to the script or blocks it
• Requests that could change state (non-simple methods, custom headers) are preceded by an OPTIONS „preflight“ request, and cookies are only sent if „Access-Control-Allow-Credentials: true“ is returned, which is not allowed together with *
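The origin comparison from 8.1 and the server-side half of CORS from 8.5.1 as one added worked example (written for these notes, not code from the course or any framework). The allowlist and request headers are constructed; header names are assumed to be lowercased by the caller.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed allowlist: the origins this API is willing to share responses with.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def origin_of(url: str) -> tuple:
    """(scheme, host, port) of an absolute URL; path, query and fragment play no role."""
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        raise ValueError("absolute URL required")
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.scheme.lower(), u.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


def serialize_origin(origin: tuple) -> str:
    """Canonical form as sent in the Origin header (default port omitted)."""
    scheme, host, port = origin
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_headers(request_headers: dict, allowlist=ALLOWED_ORIGINS, allow_credentials=True) -> dict:
    """Response headers for a cross-origin request.

    Only origins on the allowlist are echoed back, exactly as canonicalised. Reflecting an
    arbitrary Origin together with Allow-Credentials: true would let any site read the
    user's authenticated responses; "*" is not even permitted with credentials.
    """
    origin = request_headers.get("origin")
    if origin is None:
        return {}                                 # same-origin or non-browser client: nothing to add
    try:
        canonical = serialize_origin(origin_of(origin))
    except ValueError:
        return {}                                 # e.g. the opaque origin "null"
    if canonical not in allowlist:
        return {}                                 # no ACAO header -> the browser withholds the response
    headers = {"Access-Control-Allow-Origin": canonical, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

The exact-match allowlist is deliberate: prefix or regex checks are the usual CORS bug (app.example.com.attacker.example passes a "starts with" test).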

8.6 What is CSP?

• Content Security Policy
• Idea is to define a policy for the web application, e.g. from which origins scripts, styles and images may be loaded, and whether inline scripts are allowed
• Browser shall enforce the policy, received via the special HTTP header field „Content-Security-Policy“ (or a <meta> tag)
• Used CSP directives have to be supported by the browser! A strict CSP (no 'unsafe-inline', no wildcard script sources) limits the damage of XSS

8.xx Protection tips

<script> element

Be cautious when embedding <script> elements pointing to third-party sites into your web application. If an attacker gains control over these scripts → they can compromise your website and your users' personal data (mitigations: subresource integrity hashes, CSP)

JSONP

• is not „secure by design“
• Same thing as <script> elements
• Do not use it to send sensitive data → not protected by the SOP

CORS

• Do not set the Access-Control-Allow-Origin header to * for anything that is not truly public, and never reflect the request's Origin header unchecked together with Allow-Credentials

8.7 What is Session Fixation?

The attacker makes the victim use a session ID the attacker already knows, so that after the victim logs in the attacker shares the authenticated session.

Workflow:

• Attacker visits the website and receives a (not yet authenticated) session ID from the server
• Attacker sends the victim a link carrying this session ID (URL parameter, or a cookie set via a subdomain / XSS)
• Victim opens the link, the browser uses the attacker's session ID and the victim logs in
• If the server does not regenerate the ID upon login, the attacker's known ID is now an authenticated session
• Remedy: issue a fresh session ID on every login / privilege change and accept session IDs only from cookies, never from URL parameters

8.8 Which possibilities has an attacker when trying to do Session Hijacking?

Prediction

Session IDs should be generated randomly. History shows that weak random number generators (or IDs derived from time, user name or counters) were used, making the next ID predictable

Brute Force

Just probing until a valid session ID is found. Remedy: large key space (≥ 128 bits) from a CSPRNG, e.g. /dev/urandom, plus rate limiting

Sniffing

Intercepting the transmission

• Easy if the website uses HTTP
• Man-in-the-middle (MITM) attack on the TLS connection if using HTTPS (or a downgrade, see SSLStrip)
• Capture the session ID from the recording (URLs, cookies in HTTP headers, etc.)

Leverage flaws in cookie processing

• Secure flag: if not set, the cookie is also sent if the connection is downgraded from HTTPS to HTTP
• HttpOnly flag: if not set, the cookie is readable from JavaScript (alert(document.cookie)) and thus stealable via XSS

Bypassing the HttpOnly flag

• Cannot access document.cookie from JavaScript due to the HttpOnly flag
• Send a TRACE request to the web server and read the cookie from the echoed request („cross-site tracing“); modern browsers refuse to issue TRACE from scripts, but servers should still disable the method

8.9 What is XSS?

• Cross-Site Scripting
• Code injection attack to execute malicious JavaScript in another user's browser → bypasses the SOP, because the injected script is delivered by the trusted site itself and runs with its origin!
• Root cause: untrusted input is placed into HTML / JavaScript output without proper escaping

Consequences

• Cookie theft (access the victim's cookie using document.cookie)
• Keylogging (register a keyboard event listener and send all keystrokes to the attacker's server)
• Phishing (attacker can manipulate the DOM: insert a fake login form)
• Any action the victim could perform on the site, since the script sends requests with the victim's session

8.10 What are the three main XSS types?

1. Stored („Persistent“) XSS


• Attacker manages to store malicious payload in target database
• Every victim calling the page will be served (and execute) the XSS payload
2. Reflected („Non-Persistent“) XSS
• XSS payload is part of the request URI → „reflected“ back in HTTP response
• Often used in Phishing mails, social engineering attempts
3. DOM-based XSS
• DOM injection on client-side → server is not involved in any way

8.11 What is CSRF/XSRF?

• Cross-Site Request Forgery
• Attacker speculates that users are authenticated at some website
• Provides the victim with a crafted URL or page (malware, e-mail, XSS injection, hidden form / image tag on the attacker's site)
• Tries to perform an action on the target website on the user's behalf; the browser automatically attaches the user's cookies

Problem:

CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user himself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user.

8.12 How can CSRF be mitigated?

Synchronizer tokens

• Should be generated randomly (unpredictable, unique per session or per form) and bound to the user's session
• Token transmitted with every form as a hidden field
• <input type="hidden" name="csrftoken" value="KbyUpYj7CDP3qmLlkPt" />
• Attacker cannot read it from another origin (SOP), so the forged request will not carry the correct token; the server rejects requests without a valid token

Cookie-to-header token

Server sets a CSRF token in a cookie (Set-Cookie: Csrf-token=…). JavaScript of the page reads it and sends it back in a custom header with every request. Only same-origin script can read the cookie, so a forged cross-site request lacks the header. The server validates presence and integrity of the token.

SameSite cookies

Setting the session cookie with SameSite=Lax or Strict makes the browser omit it on cross-site requests, which defeats most CSRF; use it in addition to tokens, not instead of them (older browsers, attacker-controlled same-site subdomains).
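Session handling that covers both 8.7 (rotate the ID on login so a fixated ID dies) and 8.12 (a per-session synchronizer token, checked in constant time), as one added worked example written for these notes; it is not the course's code and the in-memory store, TTL and secret are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Minimal server-side session store (assumed design for illustration)."""

    def __init__(self, csrf_secret=None, ttl: float = 3600, now=time.time):
        self._sessions = {}                 # sid -> {"user": ..., "created": ...}
        self._csrf_secret = csrf_secret or secrets.token_bytes(32)
        self._ttl = ttl
        self._now = now

    def create(self) -> str:
        # 256 bits from the OS CSPRNG: neither predictable nor brute-forceable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": self._now()}
        return sid

    def get(self, sid: str):
        session = self._sessions.get(sid)
        if session is None or self._now() - session["created"] > self._ttl:
            self._sessions.pop(sid, None)   # unknown or expired
            return None
        return session

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the session ID on authentication: whatever ID the client arrived with
        (possibly fixated by an attacker) is invalidated and a fresh one is issued."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def csrf_token(self, sid: str) -> str:
        """Synchronizer token bound to the session: HMAC(secret, sid), so no extra state."""
        return hmac.new(self._csrf_secret, sid.encode("ascii"), hashlib.sha256).hexdigest()

    def verify_csrf(self, sid: str, token: str) -> bool:
        """True only for a live session and a token that matches in constant time."""
        if self.get(sid) is None:
            return False
        return hmac.compare_digest(self.csrf_token(sid), token)
```

The server embeds csrf_token(sid) into each form and calls verify_csrf(sid, submitted_token) before any state-changing handler; a cross-site page can trigger the request but cannot read the token.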

9 TLS

9.1 What is a TLS Handshake?

• Establish the parameters (protocol version, cipher suite, keys) for a cryptographically secure data channel and authenticate the server (optionally also the client)

ClientHello: after the TCP connection setup (port 443 for HTTPS) the client initiates the TLS negotiation:

• Highest supported TLS version
• Random number (client random, input to key derivation)
• Session ID (for resuming an earlier session)
• Suggested cipher suites, in order of preference
• Supported compression methods
• Extensions (e.g. Server Name Indication, supported elliptic curves, signature algorithms)


ServerHello

Response to the ClientHello if the server finds a common set of algorithms:

• Chosen TLS version
• Random number (server random)
• Session ID
• Chosen cipher suite
• Chosen compression method
• Common extensions

If there is no match on TLS version and cipher suite → handshake aborts with an alert

Server: Certificate

Server sends its X.509v3 certificate chain. The server's own (leaf) certificate has to come first.

Each following (intermediate) certificate must certify the preceding one.
The root certificate is not needed in the chain, because the browser has to know (trust) it anyway.

Server: ServerKeyExchange

Carries additional data needed for the key exchange, signed with the server's certificate key.

Only sent when required by the chosen cipher suite, e.g. the ephemeral public key and curve parameters for ECDHE


Not needed if the key exchange is RSA, because the client encrypts the pre-master secret with the public key already contained in the certificate

Server: CertificateRequest

Requests client authentication and tells the client the acceptable certificate types and CAs

Server: ServerHelloDone - Signals that the server has sent all its handshake messages

and then the client side (ClientKeyExchange with its key share, ChangeCipherSpec, Finished; the server answers with ChangeCipherSpec and Finished, after which application data flows) … see slides (TODO: make a nice picture)

9.2 What is a X.509 certificate?

• Binds a public key to a subject, for a server the domain name(s) for which it is valid (Common Name / Subject Alternative Names), together with validity period, issuer and usage constraints
• This whole data structure (the „to be signed“ part) gets hashed and signed by a so-called Certificate Authority (CA)
• The certificate (plus intermediates) is supplied by the server to the client during the TLS handshake
• The client can verify the signature, because it already has the public key of the (root) Certificate Authority in its local trust store; it then also checks the name, validity period and revocation status

9.3 What is a cipher suite?

Defines exactly which algorithms protect the connection:

[SSL|TLS]_[Key Exchange]_[Authentication]_WITH_[Bulk cipher]_[MAC / PRF hash]

9.4 Demystify the following cipher suite name:

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

• TLS is used
• Key exchange: ECDH = Elliptic Curve Diffie-Hellman, here static (the server's ECDH public key is in its certificate), so no forward secrecy (see 9.6; ECDHE would be ephemeral)
• Authentication: the certificate is signed with RSA
• Bulk cipher: AES with a 128-bit key in Galois/Counter Mode (GCM), an AEAD mode that also provides integrity
• SHA256: since GCM already authenticates the data, this denotes the hash used for the PRF / key derivation (for CBC suites it would be the HMAC)
• In TLS 1.3 the naming changed: suites only name AEAD cipher and hash (e.g. TLS_AES_128_GCM_SHA256); key exchange and authentication are negotiated separately

9.5 What is an ephemeral key exchange (DHE or ECDHE)?

• DHE = Diffie-Hellman Ephemeral
• ECDHE = Elliptic Curve Diffie-Hellman Ephemeral
• Server (and client) generate a short-lived („ephemeral“) Diffie-Hellman keypair for this connection only; the server signs its share with its certificate key so the client knows it talks to the right server
• Ephemeral (= flüchtig, short-lived); the private share is discarded after the handshake

9.6 What is PFS?

• (Perfect) Forward Secrecy
• For every new session, client & server generate new Diffie-Hellman keys; the session key never travels over the wire and is not derivable from the server's long-term key
• If the server's private key is compromised later, recorded past sessions still cannot be decrypted; a compromised session key affects only that one session
• Attacking the session key directly: if the parameters are chosen securely, brute force is infeasible
• 2048-bit or stronger Diffie-Hellman groups with safe primes (or standard elliptic curves such as P-256, X25519)
• Server configuration: prefer (EC)DHE cipher suites; TLS 1.3 only allows ephemeral key exchange, so it always has forward secrecy
• Important: Only a key exchange with DHE or ECDHE offers forward secrecy! RSA key transport (client encrypts the pre-master secret with the certificate's key) does not

9.7 What is HSTS?

• HTTP Strict Transport Security (HSTS)
• Prevents SSLStrip attacks (based on downgrading HTTPS → HTTP)
• Tells the browser that all connections to a domain are HTTPS only for max-age seconds (optionally including subdomains); the browser rewrites http:// URLs to https:// itself and refuses to let the user bypass certificate errors
• Specified via the HTTP header „Strict-Transport-Security“, which the browser only accepts from a valid HTTPS response


9.8 What is HSTS preloading?

• Problem: HSTS is „trust on first use“. If an attacker controls the network during the very first (HTTP) request, before the browser has ever seen the header,
• the attacker keeps the connection on HTTP (or strips the HSTS header) and the browser does not know that HSTS shall be active
• Solution: ship browsers with a „preloaded“ HSTS list → sites that always require HTTPS, known before the first visit (sites apply via hstspreload.org with includeSubDomains and a long max-age)
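The browser-side HSTS logic of 9.7 and 9.8 as an added worked example (written for these notes, not code from the course or any browser). The preload list is a constructed stand-in, the clock is injectable so expiry can be shown, and header names are assumed lowercased.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (entries imply includeSubDomains).
PRELOADED = frozenset({"example.org"})


class HstsStore:
    """Per-host HSTS state as a browser keeps it."""

    def __init__(self, preloaded=PRELOADED, now=time.time):
        self._now = now
        self._preloaded = frozenset(h.lower() for h in preloaded)
        self._policies = {}      # host -> (expiry time, includeSubDomains)

    def observe_response(self, url: str, headers: dict) -> None:
        """Learn or refresh a policy from a response.

        Accepted over HTTPS only: over plain HTTP an attacker could set, strip or zero the
        header, so it is ignored there (RFC 6797). That is the trust-on-first-use gap that
        preloading closes.
        """
        u = urlsplit(url)
        value = headers.get("strict-transport-security")
        if u.scheme != "https" or not u.hostname or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age" and val.isdigit():
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                                   # max-age is mandatory; malformed header ignored
        host = u.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)           # site withdraws its dynamic policy
        else:
            self._policies[host] = (self._now() + max_age, include_sub)

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preloaded:
                return True
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires, include_sub = policy
            if expires <= self._now():
                del self._policies[candidate]         # expired entry
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request leaves the browser."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not self.is_known_host(u.hostname):
            return url
        netloc = u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
```

The first assertion in the test below is the SSLStrip window: an unknown host is fetched over HTTP exactly once, and only what that HTTPS response (or the preload list) says afterwards protects later visits.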

9.9 How does a MITM attack work on HTTPS?

Problem: the client is presented a certificate for the domain that is not the „correct“ one, but is accepted anyway
Proposed solution (in the slides): HTTP Public Key Pinning (HPKP), see 9.10; meanwhile deprecated and removed from major browsers in favour of Certificate Transparency and preloaded HSTS

Variant A:

• Attacker replaces the certificate with a self-generated one
• Client connects to the attacker, who decrypts, reads and re-encrypts the data towards the real server
• Only works if the user clicks through the browser's certificate warning, or if the attacker's CA is installed in the client's trust store (corporate proxies, malware)

Variant B:

• A Certificate Authority (CA) is compromised (or tricked into mis-issuing)
• Attacker generates a trusted certificate for the victim domain and exchanges it; the browser shows no warning

9.10 What is HPKP?

• HTTP Public Key Pinning (HPKP)
• Our browsers trust ~130 root CAs („trust store“), each of which can issue a certificate for any hostname
• Normal validation: browser compares the DNS hostname with the subject / SAN name in the certificate
• If it matches, check whether the certificate was issued by a trusted CA (chain verification)

Scenario 1

A server impersonating google.com is set up, DNS entries are rewritten (spoofing / cache poisoning) to point to that server and a certificate for the name is obtained. The user would not notice being redirected.

Scenario 2

Attacker has access to a trusted CA and issues certificates for arbitrary hostnames
Attacker performs a MITM attack using the previously generated certificate

Remedy

• Hash values („pins“) of the public keys (SubjectPublicKeyInfo) associated with the certificates
• If the pin changes (= certificate with a different key), drop the connection even if the certificate would be trustworthy and the DNS name matches the certificate's subject name
• Pins either hard-coded in the browser (or mobile app, „certificate pinning“) or sent via the HTTP header „Public-Key-Pins“

How to generate pins?

• Compute the SHA-256 hash of the server certificate's (or an intermediate's) public key in DER-encoded SubjectPublicKeyInfo form
• Base64-encode the hash and insert it into the header: pin-sha256="…"; max-age=…

Advantages and disadvantages

• Defeats MITM attacks with mis-issued certificates, and pins can also be shipped with browsers / apps
• But like HSTS a „trust-on-first-use“ mechanism
• Setup mistakes (losing the pinned key) lock users out of the site for max-age; an attacker who can set headers can even pin a site to a key he controls (hostile pinning)
• It is mandatory to have ≥ 2 pins, one of them a backup key not in the current chain
• Because of these risks the header was deprecated and removed from browsers; pinning survives in mobile apps

9.11 What is SSLStrip?

• Downgrade communication from HTTPS to HTTP


• Solution: HTTP Strict Transport Security (HSTS)

Variant 1:

• Web page offers HTTP and HTTPS version


• Attacker injects HTTP links to force user to use weak HTTP communication

Variant 2:

• Web page offers HTTPS only


• Attacker uses proxy server (MITM) and translates to HTTP communication

10 DNS
10.1 What is DNS?
• Domain Name System
• Hierarchical and decentralized naming system
• Translates domain names to IP addresses (and, via PTR records in in-addr.arpa / ip6.arpa, IP addresses back to names)
• What in the past was managed by the hosts file („/etc/hosts“)
• A domain can map to multiple addresses (load balancing, latency reduction) or carry both IPv4 (A) and IPv6 (AAAA) addresses
• One IP address can be reused for multiple domain names (virtual hosting)
• Also carries mail routing (MX), service discovery (SRV) and arbitrary text (TXT) records

10.2 What are the key features of DNS?


• Scalability (handle large number of records, sustain high update frequency and lookup load)
• Distributed control (Decentralized management)
• Fault Tolerance (Robust against attacks, Minimize lookup failures and duplicate names)

10.3 How is the distributed control realized for DNS?

• A tree structure with the root on top and the Top-Level Domains (TLDs) directly below it is used
• Depth of the tree is arbitrary in principle, limited by the name length: each label ≤ 63 octets, the whole name ≤ 255 octets (so at most 127 labels)
• Domains are subtrees
• Name collisions are avoided, since each node is responsible for the uniqueness of its children
• Hierarchical namespace broken into zones (zone = administrative authority responsible for some portion of the hierarchy)
• Parent zone tells how to find the servers for a subdomain (NS records, „glue“ A records)
• Zones are separately managed („delegation“)
• Basic information element: Resource Records

10.4 Which protocol is used by DNS?

• For transport, DNS uses primarily UDP; servers listen on well-known port 53
• TCP port 53 is used as fallback when a response does not fit into a UDP datagram (truncated flag set) and for zone transfers; newer variants encrypt DNS over TLS (port 853) or HTTPS
• Only two message types in the same format: query & reply, matched by a 16-bit transaction ID


10.5 What are DNS root servers?


• Responsible for the root domain
• Return authoritative name servers for specific TLDs
• With a single root DNS server, all other DNS info could be discovered recursively
• 13 logical name servers: a.root-servers.net, ..., m.root-servers.net
• But not 13 physical server. Replication using anycasting
• DNS servers configured with „root hints file“ for bootstrapping DNS resolution
• Can be updated periodically by admin, e.g. upon restart of service
• Contains root name servers and their IP addresses

10.6 What is a TLD?

• Top-Level Domains - domains at the highest level of the DNS system, directly below the root
• Generic domains (gTLD): unsponsored TLDs like com, net, org, info and sponsored ones like gov, mil (plus hundreds of newer gTLDs since 2013)
• Country-code domains (ccTLD): .at, .de
• Special-use domains: .arpa, .example, .invalid, .localhost, .test
• All .at domains are ultimately registered at www.nic.at (the registry), which runs the authoritative servers for the .at zone

10.7 What is a DNS Resource Record?

• Basic information element in the DNS system
• Format: Name (owner), Type (A, AAAA, NS, CNAME, MX, TXT, …), Class (almost always IN), TTL (seconds the record may be cached), RDLENGTH and RDATA (the value, type-specific)
• Names inside a message may be „compressed“: a two-byte pointer refers back to an earlier occurrence of the same name
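A parser for the DNS wire format of 10.4 and 10.7 as an added worked example (written for these notes, not code from the course or any resolver). It decodes the header, the question section and resource records including compressed names; the sample response is constructed and its answer uses a compression pointer back to the question name. Pointers are only followed backwards and to a bounded depth, which is the check that keeps a malicious message from sending the parser into an endless loop.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def _need(msg: bytes, offset: int, n: int) -> None:
    if offset + n > len(msg):
        raise ValueError("message truncated")


def _read_labels(msg: bytes, offset: int, depth: int) -> tuple:
    if depth > 16:
        raise ValueError("compression pointer chain too long")
    labels = []
    while True:
        _need(msg, offset, 1)
        length = msg[offset]
        if length == 0:
            return labels, offset + 1                       # root label terminates the name
        if length & 0xC0 == 0xC0:                           # 11xxxxxx: pointer into the message
            _need(msg, offset, 2)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("pointer does not point backwards")   # forbids self-loops
            target, _ = _read_labels(msg, pointer, depth + 1)
            return labels + target, offset + 2
        if length > 63:
            raise ValueError("label longer than 63 octets")
        _need(msg, offset + 1, length)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) domain name. Returns (fqdn, offset after the name)."""
    labels, end = _read_labels(msg, offset, 0)
    return ".".join(labels) + ".", end


def parse_message(msg: bytes) -> dict:
    _need(msg, 0, 12)
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        _need(msg, offset, 4)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    records = []
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(msg, offset)
        _need(msg, offset, 10)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        _need(msg, offset, rdlength)
        rdata = msg[offset:offset + rdlength]
        if rtype == 1 and rdlength == 4:
            value = ".".join(str(b) for b in rdata)          # A record: dotted IPv4
        elif rtype in (2, 5, 12):
            value, _ = read_name(msg, offset)                # NS / CNAME / PTR RDATA is a name
        else:
            value = rdata.hex()
        offset += rdlength
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "class": rclass, "ttl": ttl, "value": value})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


# Constructed sample: a response for www.example.com / A. The answer's owner name is the
# compression pointer 0xC00C, i.e. offset 12, where the question name starts.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
```

A resolver additionally has to check that the response's transaction ID, source port and question match the query it sent; the parser above only makes those fields available.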

10.8 What's the difference between an authoritative name server


and a non authoritative name server?
• Authoritative server is responsible for a zone e.g. .at or .iaik.tugraz.at
• At least one server / zone („primary name server“).
• Usually redundant cluster with identical zone files on multiple servers
• Non-authoritative server gets information about domains from other servers recursively or
iteratively.
• Responses often stored in local cache until time-to-live (TTL) value reached
• faster responses, no need to go through all servers in tree

10.9 What is the difference between iterative and recursive name


resolution?
Iterative
Iterative DNS queries are ones in which a DNS server is queried and returns an answer without
querying other DNS servers, even if it cannot provide a definitive answer. Iterative queries are also
called non-recursive queries.
Recursive
Recursive DNS queries occur when a DNS client requests information from a DNS server that is set to
query subsequent DNS servers until a definitive answer is returned to the client. The queries made to
subsequent DNS servers from the first DNS server are iterative queries.


10.10 Does a Denial of service attack work against the distributed DNS system?

In some cases it may. If the authoritative servers for the zone tugraz.at are made unavailable, nobody (whose resolver has no cached answer) will be able to resolve names under tugraz.at any more. Making the whole DNS system unavailable is practically infeasible: the root and TLD zones are replicated on hundreds of anycast instances, and resolvers cache answers until the TTL expires.

10.11 What is a DNS amplification attack?

• Multiply amount of traffic flood thanks to „large replies“ after „small queries“
• Use an arbitrary (spoofed) source IP address
• Make response to query significantly larger than the request
• Attacker sends query with e.g. 60 bytes, response has 3000 bytes - Traffic amplification factor
of 50

10.12 How does DNS cache poisoning work?

The attacker makes a (recursive) resolver cache a forged record, so that users are directed to a wrong destination IP address (a MITM position for everything that follows, e.g. a fake web server).

• The resolver sends a query to an authoritative server; the attacker races the legitimate reply with forged responses containing the attacker's IP
• A forged reply is accepted if it arrives first and matches the query's 16-bit transaction ID, source port and question
• If the resolver uses predictable IDs or a fixed source port, guessing is easy; the attacker can also trigger the queries himself (Kaminsky attack: many queries for random subdomains, forged replies carrying poisoned NS / glue records for the whole domain)
• Mitigations: random transaction IDs and random source ports, 0x20 case randomisation, accepting only in-bailiwick records, and DNSSEC, which signs records so that forged ones fail validation