by: Orrin Rutherford


These 80 pages of class notes were uploaded by Orrin Rutherford on Tuesday, September 1, 2015. The notes belong to CS 494 at Portland State University, taught by Nirupama Bulusu in Fall.

Date Created: 09/01/15
Protocol perils: Hacking the stack

Course announcement
- Topics in Cryptography
- Tom Shrimpton
- teshrim at cs de edu

Hacking the stack
- Protocol attacks at all layers
  - Datalink layer
  - Network layer
  - Transport layer
  - Application layer

Datalink layer hacks

Sniffing
- Gathering packets from the local network
- Passive: wired network with a hub, or a wireless network
  - Turn on promiscuous mode on NIC
  - Make NIC accept all datalink layer frames, not just its own
  - Software: Snort, tcpdump/ethereal, Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html), Dsniff
- Active: wired network built with a switch
  - Harder: switch prevents data frames from being broadcast
  - How can someone sniff switched traffic?

Active sniffing
- Fool the switch into sending the packets to the sniffer
- MAC flooding
  - Send a flood of traffic with random MAC addresses
  - Fill up the switch's memory
  - Switches will then forward packets to all links on the switch
  - Dsniff program: Macof
- ARP spoofing
  - Send fake ARP replies to change the victim's ARP table
  - Dsniff program: Arpspoof
  - Attacker configures his or her system to forward any traffic it receives to the router
  - Any traffic from the target machine is sent to the attacker's machine before being transferred to the local network

Spoofing ARP messages
- Configure IP forwarding to send packets to the default router for the LAN
- Send fake ARP response to remap default router IP address to attacker's MAC address
- Traffic destined for the outside world is sent to the attacker's MAC address
- Packets are forwarded from attacker's machine to the actual default router for delivery to the outside world
Figure 8.6: Arpspoof redirects traffic, allowing the attacker to sniff a switched LAN

Question: How do you detect a sniffer on your machine?
Answer: Check to see if your network interface is in promiscuous mode (ifconfig -a -> look for PROMISC)

Question: How do you detect a sniffer on your network?
Answer: Send a TCP SYN packet to sniffer with bogus MAC address

802.11 vulnerabilities
- 802.11 MAC layer
  - Nodes are identified with a globally unique 12 byte address
  - No mechanism for verifying the correctness of the identity
  - Implicit trust in a speaker's source address

802.11 deauthentication attack
- 802.11 clients
  - Authenticate with one or more access points (AP)
  - Associate with the AP that they will route through
- Either endpoint can request deauthentication from each other
  - Attacker spoofs this message to interrupt data flow
  - Forces authentication to be reestablished
[Figure: message sequence between Client, Attacker and AP: Authentication Request, Authentication Response, Association Request, Association Response, Data, Deauthentication]

802.11 disassociation attack
- Similar to deauthentication attack
- Either endpoint can request disassociation from each other
  - Attacker spoofs this message to interrupt data flow
  - Forces association to be reestablished
- More attacking messages are required to get same effect of deauthentication message
[Figure: message sequence between Client, Attacker and AP: Authentication Request, Authentication Response, Association Request, Association Response, Disassociation]

802.11 power saving attack
- Clients can turn off radio to conserve energy
- Client tells AP that it is entering sleep
- AP tells client when to wake up for traffic
- AP will buffer data and send traffic indication map (TIM) to client periodically
- Client wakes up to receive each TIM and then retrieve data if available
[Figure: message sequence between Client, Attacker and AP: management message, sleep response, periodic TIMs and data, with the client alternately sleeping and waking]

802.11 power saving attack
- Messages are sent in the clear
- Attacker can spoof management packet and prevent synchronization
- Attacker can spoof client polling and discard data
- Attacker can spoof TIM and convince client there is no data
[Figure: message sequence between Client, Attacker and AP: entering sleep, management response, TIM, client wakes, client sleeps]

802.11 carrier sense attacks
- Hidden terminals prevent perfect collision detection
- Physical and virtual carrier-sense mechanisms used to control channel access
- Both of these mechanisms can be exploited

802.11 physical carrier-sense attack
- Before transmitting frame, node must wait at least a small interval of time (SIFS for 802.11 ACKs)
- Attacker jams channel towards end of SIFS to force all to backoff (CSMA)
- SIFS is 20 µs for 802.11b
- Requires 50000 packets per second to disable all access
- Expensive for attacker

802.11 virtual carrier-sense attack
- Each 802.11 frame carries a maximum number of µs to reserve channel
  - Specified in NAV
  - Max value is 32767, or about 32 ms
  - Attacker persistently reserves channel for maximum duration
- Only sends for short time during reservation
- Jams all access with only 30 transmissions a second
  - Not all 802.11 hardware obeys NAV: a bug that saves 802.11 from this attack
[Figure: timeline for Client 1, Client 2, Client 3 and Attacker]

Other datalink layer attacks
- WEP (Wired equivalent privacy)
- Initial security scheme for 802.11
- Can be broken in under 1 minute
  - J. Walker, "IEEE 802.11 Wireless LANs: Unsafe at any key size; An analysis of the WEP encapsulation"

Network layer hacks

IP spoofing
- Host fills in its own address in sending packets
- Implicitly trusted not to forge the entry
- Leads to all sorts of problems
  - Chapter 3 lecture notes: IP spoofing scenario using rhosts and predictable TCP ISN
  - Establish a blind connection with a remote host

Reflector attacks
- Occur at all layers, not just network layer
- However, most rely on IP spoofing
- A reflector is any IP host that will return a packet or more if sent a packet
- Reflector cannot easily locate the initiator because of IP spoofing
- Examples
  - Web servers return SYN ACKs or RSTs in response to SYN or other TCP packets
  - DNS servers return query replies in response to query requests
  - Routers return ICMP Time Exceeded in response to TTL expiry, or Host Unreachable messages in response to unroutable IP addresses

ICMP reflectors
- ICMP echo
  - Widely used for ping
- Smurf attacks
  - Repeatedly send ICMP ping to broadcast IP address of network that can receive and respond to directed broadcast (smurf amplifier)
  - Use the victim's IP address as the source IP
  - Victim's bandwidth is filled with response packets
- Attacks and software: Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP)
- List of Smurf amplifiers

ICMP reflectors
- Other ICMP candidates
  - Timestamp
  - Address mask
  - Router solicitation
  - Information request/reply
  - Source quench
  - Host unreachable
  - Time exceeded
  - Parameter problem
  - Redirect
  - Need fragmentation

Routing attacks
- Attack: intruder sends bogus routing information to a target and each of the gateways along the route
- Impersonates an unused host
  - Diverts traffic for that host to the intruder's machine
  - Used to monitor dark IP addresses
- Impersonates a used host
  - All traffic to that host routed to the intruder's machine
  - Intruder inspects packets & resends to host w/ source routing
  - Allows capturing of unencrypted passwords, data, etc.

Routing attacks
- BGP routing fault example
  - ISP mistakenly announced routes to 3000 prefixes (destinations) it did not own
  - Other ISPs adopt these routes and blackholed traffic to those sites
(Slides courtesy of Dan Massey)

Routing attacks
- Invalid BGP routes exist in everyone's table
- These can include routes to root/gTLD servers
- One example observed on 4/16/01
[Figure: originates route to 192.26.92/24; ISPs announce new path (3 lasted 20 minutes, 1 lasted 3 hours); c.gtld-servers.net 192.26.92.30; monitor]
(Slides courtesy of Dan Massey)

Routing attacks
- BGP routing can direct packets to false server
- Detected false BGP routes to root/gTLD servers at major global ISPs
- Routes lasted up to hours, but were errors and faulty site did not reply
- Response from false server would be believed
- NANOG 25/ICDCS 2003: protecting BGP routes to DNS servers
[Figure: Bell Labs caching server, Internet routing, spoofed root server, root server]
(Slides courtesy of Dan Massey)

Routing attacks
- Defenses
  - Filtering based on prior information
    - Messes with fault-tolerance but detects intrusion attempts
  - Authentication of advertisements
    - S-BGP

Routing attacks
- Spoofing with source routing
  - Impersonate system A
  - Attacker creates packets from system A to B with the attacker's address in the source route
  - Packet sent to system B, but any replies are sent to the attacker's machine
    - Attacker does not forward them to system A because the connection would be reset

ICMP redirect hacks
- Targeted Denial of Service (DoS)
  - Attacker sends ICMP Redirect message to give a bogus route
  - Attacker sends Destination Unreachable or TTL exceeded messages to reset existing connections
  - Attacker sends fraudulent Subnet Mask Reply messages
    - Blocks communication with target
- Defenses
  - Verify ICMP packet contains a plausible sequence
  - Don't modify Global Route Table due to ICMP Redirect messages
    - Disallow ICMP Redirects
  - Check to see if multiple ICMPs from a host agree

NIDS avoidance
- NIDS: Network Intrusion Detection System
  - Passively monitor network looking for attacks
  - Signature analysis done across packets
- Challenges
  - Accuracy: false positives and false negatives
  - Performance, forensic value of information
- Fundamental problem
  - Deployed on a different box
  - Potentially on a different network
  - Result: NIDS could see a different stream of packets than host
  - Protocol implementation ambiguities
    - Different protocol stacks have different behavior

NIDS avoidance
- Insertion: IDS thinks packets are valid; end system rejects these
- Evasion: end system accepts packets that IDS rejects
- Denial of Service: resource exhaustion

NIDS avoidance
- Confuse the NIDS
  - Invalid MAC addresses
  - Invalid headers
    - Permissive in receiving, frugal in sending
    - Bad IP checksum will be dropped
    - IP options
  - IP TTL ambiguity
    - Packet received or not?
  - Packet too large for downstream link
  - Source-routed packets
    - Will destination reject such packets?
  - Fragment timeout
    - Will other parts of fragment still be at destination?
  - Overlapping fragments
    - Which data will be used?

NIDS avoidance
- Exhaust resources on NIDS
  - CPU, memory, network bandwidth
  - Fragmentation
    - Send large numbers of fragments
    - CPU (data structure) attack
    - Memory (space) attack
    - Can lead to DoS (teardrop, jolt2)
    - Fragrouter
      - Automatically fragment all packets
      - Accepts IP packets routed from another system and fragments these packets according to various schemes
  - Generate large numbers of false positives
    - Separating script kiddies from sophisticated hackers
    - Separating wheat from chaff

Transport layer hacks

TCP session reset and hijacking attacks
- Problem: TCP stacks with predictable sequence numbers
  - See Chapter 3 lecture notes on TCP ISN selection and the Mitnick attack
- TCP reset attacks
  - Uses similar approach to terminate an existing connection
  - Send a spoofed TCP RST with guessed sequence numbers
    - BGP session reset
- TCP hijacking
  - Attacker inserts itself into path
    - Already on the path, or via ARP spoofing
  - Sniff to find sequence numbers of victim connection
  - Attacker takes over existing connection using spoofed packets and dropping packets of one of the endpoints

TCP session hijacking
- Problem
  - Attacker not along path of hijacked connection
  - Attacker sends system B packets with system A's IP address
  - System A notices a mismatch in TCP sequence numbers
  - Sends ACK packets to resynchronize the numbers
  - Continual retransmission of ACK packets is known as an ACK storm
- Most hijacking tools cannot cope with the ACK storm and the connection will be dropped
Figure 8.20: An ACK storm triggered by session hijacking

TCP session hijacking
- Hunt
  - 2 methods to keep session alive
    - Use ARP spoofing to keep connection from being dropped
    - Attempt to resynchronize the connection
  - Send a message to system A saying "msg from root: power failure, try to type 88 characters", where 88 is the number of chars that the attacker typed during the hijacking
  - Increments the sequence number of system A's TCP stack to where it should be
  - Two new ARP spoof messages are then sent, restoring the correct MAC addresses
[Figure: network with ALICE (IP a.b.c.d, MAC AAAAAAAAAAAA), a second host (IP w.x.y.z, MAC BBBBBBBBBBBB) and EVE (IP anything, MAC CCCCCCCCCCCC); ARP messages "w.x.y.z is at DDDDDDDDDDDD" and "a.b.c.d is at EEEEEEEEEEEE"]
Figure 8.21: Avoiding the ACK storm by ARP spoofing

TCP SYN flooding
- Attacker sends many connection requests w/ spoofed source addresses to victim
- Victim allocates resources for each request
  - Finite half-open connection requests supported
  - Connection requests exist for TIMEOUT period
- Once resources exhausted, all other requests rejected
[Figure: normal connection establishment compared with a SYN flooding attack]

TCP SYN flooding defenses
- System configuration improvements
  - Reduce timeout period
  - Increase length of backlog queue to support more connections
  - Disable non-essential services to make a smaller target
- Router configuration improvements
  - Configure router external interfaces to block packets with source addresses from internal network
  - Configure router internal interfaces to block packets to outside that have source addresses from outside the internal network
- TCP SYN cookies
  - Make handshake stateless on server end
  - Server makes ISN a function of a secret nonce it keeps and pieces of the SYN connection ID
  - Only create TCB and establish connection upon verifying client's ACK

TCP SYN flooding defenses
- Firewall as a relay
  - Firewall answers on behalf of destination
- Disadvantages
  - Adds delay and overhead
  - Pushes problem to firewall
[Figure: handshake exchange relayed through the firewall]

TCP SYN flooding defenses
- Firewall as a semi-transparent gateway
  - Firewall forges the 3rd handshake (ack) from the client to the destination
  - This moves connection out of backlog queue, freeing resources
  - Sends RST packet if no subsequent ACK received from client
  - Eventual ACK from a good client will be ignored as a duplicate
- Disadvantages
  - Large illegitimate open connections if system under attack
  - Must very carefully choose timeout periods
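
The SYN cookie defense listed above, as an added example that is not part of the original slides: the server derives its ISN from a secret and the connection ID, stores nothing, and accepts the connection only when the final ACK verifies. The 5/3/24-bit cookie layout, the use of HMAC-SHA-256, the MSS table and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Assumed layout for this illustration (not any particular kernel's):
#   bits 31-27: time tick mod 32 | bits 26-24: MSS index | bits 23-0: keyed MAC
MSS_TABLE = (536, 1300, 1440, 1460)  # constructed table of encodable MSS values
TICK_SECONDS = 64                    # the time counter advances once per tick
MAX_AGE_TICKS = 1                    # accept the current and the previous tick


def _mac24(secret, conn, client_isn, tick, mss_idx):
    """24-bit keyed MAC over the connection ID and everything the cookie encodes."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = (ip_address(src_ip).packed + ip_address(dst_ip).packed
           + struct.pack("!HHIQB", src_port, dst_port, client_isn, tick, mss_idx))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, conn, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK. Nothing about the connection is stored."""
    tick = int(now) // TICK_SECONDS
    # Largest table entry that does not exceed the MSS the client offered.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(secret, conn, client_isn, tick, mss_idx)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(secret, conn, seq, ack, now):
    """Validate the third handshake segment; return the MSS, or None to drop it.

    seq is the segment's sequence number (client ISN + 1) and ack its
    acknowledgment number (server ISN + 1), both modulo 2**32.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    now_tick = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if tick < 0 or (tick & 0x1F) != (cookie >> 27):
            continue                      # cookie was not issued in this tick
        expected = _mac24(secret, conn, client_isn, tick, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]     # only now would the server create a TCB
    return None


if __name__ == "__main__":
    secret = bytes(range(32))                          # constructed key
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)  # constructed connection ID
    cookie = make_cookie(secret, conn, 0x1000, 1460, now=1_700_000_000)
    print(check_ack(secret, conn, 0x1001, cookie + 1, now=1_700_000_003))  # genuine ACK
    print(check_ack(secret, conn, 0x1001, 0x12345678, now=1_700_000_003))  # guessed ACK
```

Because the MAC covers the source address, a flood of spoofed SYNs costs the server one hash per packet and no backlog entries.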

TCP SYN flooding defenses
[Figure: attack w/ semi-transparent gateway; legit connection w/ semi-transparent gateway]

TCP congestion control avoidance
- Attempt to trick sender into ignoring congestion control
- ACK division
  - Receiver can acknowledge every byte in segment with a separate ACK
  - Leads sender to grow cwnd faster than normal
- Solution to ACK division
  - Modify congestion control to guarantee segment-level granularity
  - Only increment MSS when a valid ACK arrives for the entire segment
[Figure: sender/receiver timeline (bunch of acks, burst one RTT later) and plot of sequence number (bytes) against time (sec) for data segments and ACKs]

TCP congestion control avoidance
- Duplicate ACK spoofing
  - Receiver sends multiple acks/sequence: no way to tell what segment is being acked
  - Causes sender to enter fast-recovery mode and inflate cwnd
- Solution to duplicate ACK spoofing
  - Add new fields to TCP headers (nonce & nonce-reply): random values sent with segments and replies
  - Only increment cwnd for ACKs with previously unseen nonces
[Figure: sender/receiver timeline (burst of dup acks; sender enters Fast Recovery an RTT later) and plot of sequence number (bytes) against time (sec) for segments and ACKs]

TCP congestion control avoidance
- Optimistic ACKing
  - Send acks for segments not yet received
  - Decrease perceived RTT, affecting CW growth
[Figure: sender/receiver timeline showing segment acks sent before the segments arrive]

TCP congestion control avoidance
- Solution to optimistic acking: cumulative nonce
  - Sender sends random number (nonce) with each packet
  - Segment size slightly randomized
  - Receiver sends cumulative sum of nonces
  - If receiver detects loss, it sends back the last nonce it received
  - Requires modifications to stack
[Figure: sender/receiver timeline]

TCP congestion control attacks
- The shrew attack
  - Use knowledge of TCP congestion control to shut out a victim
  - Time packet bursts to disable victim's retransmissions and force exponential backoff

TCP reflectors
- TCP stack can be made to reflect via
  - SYN ACK, by sending an initial SYN with spoofed IP address
    - Filtering leads to no remote access
  - RST, by sending a FIN
- Countermeasures problematic
  - Filter out SYN ACKs
    - Leads to disabling access to services
  - Filter out RST
    - Results in clogging of stale connections state

NIDS avoidance
- TCP tricks to confuse or disable NIDS
  - TCP options fields
    - Will packet be accepted?
    - Will option be processed?
    - Destination might be configured to drop weird options
  - Old TCP timestamps (PAWS)
    - Destination might be configured to drop
  - TCP RSTs with weird sequence numbers
    - Is connection reset?
  - TCP handshake time out
    - Will TCB still be at destination?
  - TCP stream reassembly with overlapping segments
    - Rewrite old data or not?

Application layer hacks

DNS spoofing
- Problem
  - No authentication of responses
  - Any DNS response is generally believed
  - No attempt to distinguish valid data from invalid
  - Responses can contain entries that should not be trusted but are
  - Responses are cached
  - Just one false root server could disrupt the entire DNS
- Attacks
  - Inject bogus DNS responses
  - Attach additional bogus entries in valid DNS responses (especially for internal names)
[Figure: firewall, local name server, remote name server]

DNS spoofing
- Attacker activates dnsspoof program
- Victim tries to resolve a name
- Attacker sniffs DNS request from the line
- Attacker quickly sends fake DNS response with any IP address for the victim to use (www.skoudisstuff.com)
- Victim goes to attacker's site instead of desired destination
Figure 8.7: A DNS attack using Dsniff

DNS spoofing
- Easy to observe UDP DNS query sent to well known server on well known port
- First response wins. Second response is silently dropped on the floor
[Figure: Sanjoy's laptop asks a caching DNS server for the A record of www.darpa.mil; other labels: DNS server, mil DNS server, darpa.mil DNS server]

DNS cache poisoning
[Figure: a Bell Labs laptop queries www.attacker.com; the response from the remote attacker's server ns.attacker.com carries the A record for www.attacker.com, NS records for attacker.com, and additional records including an entry for www.google.com; a later query is for www.google.com]

DNS cache poisoning
- Defenses
  - DNS proxy
    - Filter: drop malformed packets
    - Verify
      - Does the answer really answer the query made?
      - Was the answer received from the appropriate server?
    - Proxy performs checks on the answers from outside DNS servers

Authenticating DNS responses
- Attack fundamental problem
  - Resolver can't distinguish between valid and invalid data in a response
- Add source authentication
  - Verify the data received in a response is equal to the data entered by the zone administrator
- Each DNS zone signs its data using a private key
- Query for a particular record returns
  - The requested resource record set
  - A signature (SIG) of the requested resource record set
- Resolver authenticates response using public key
  - Public key is preconfigured or learned via a sequence of key records in the DNS hierarchy

Secure DNS query and response
- Attacker can not forge this answer without the darpa.mil private key
- Challenge: add signatures to the protocol; manage DNS public keys
[Figure: end-user, caching DNS server and authoritative DNS servers exchanging a query and signed answer for www.darpa.mil]

Man-in-the-middle attacks
- Web proxying
  - Attacker runs webmitm feature on Dsniff and uses DNS spoofing
  - Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm
  - Target connects to attacker's machine and SSL connection is established
  - Attacker's system establishes a SSL connection with the server the target is attempting to access
  - Webmitm acts as proxy with two connections
    - From the target's system to the attacker's machine
    - From the attacker's machine to the actual server the target was trying to reach
  - Note: the target receives attacker's certificate, not the certificate of the server the target is trying to reach
  - User receives warning about a certificate that is not signed by a trusted certificate authority
    - Who pays attention to those?
  - Webmitm displays the contents of the SSL session on the attacker's screen
- SSH proxying
  - Similar to above with sshmitm, another Dsniff feature

Man-in-the-middle attacks
[Figure: attacker activates dnsspoof and webmitm programs; dnsspoof sends fake DNS response with the IP address of the machine running webmitm; the victim's connection to www.skoudisstuff.com, the desired destination, is proxied; the attacker accesses the desired server and views the traffic using webmitm as a proxy]
Figure: Sniffing an HTTPS connection using dsniff's person-in-the-middle attack

Distributed Denial-of-Service
- Take control of large numbers of machines (zombies)
- Use collection of zombies (botnet) to knock out target service
- Example: TFN2K

Distributed Denial of Service
- DNS DoS attacks
  - DNS root server attack
    - Recent DDoS attack disabled majority of the 13 DNS root servers
    - Bringing down all 13 root servers is frequently mentioned as a worst-case scenario that would cripple the Internet
  - Local DNS name server attack
    - Send large set of valid queries to victim
    - Use arbitrary names to thrash cache
    - Solution: provide filtering in name servers so as to only serve recursive queries from local addresses

Packet of death
- Send a malformed packet
- Different platforms may be susceptible to different types of malformed packets
- These packets have structures that the TCP/IP stacks cannot anticipate, causing the system to crash
- Malformed packet suites available at

Application layer reflectors
- DNS
  - Reflector sending DNS reply in response to a spoofed DNS request
  - Victim can configure its local DNS servers so as to filter out unknown DNS server responses
  - If the victim is an authoritative name server
    - Attacker queries a large number of local DNS servers, which in turn recursively query the victim
    - Victim server gets bombarded due to multiple queries

Application layer reflectors
- HTTP proxies
  - HTTP proxy caches provide a way that an HTTP client can manipulate a proxy server into initiating a connection to a victim web server
  - HTTP proxy servers act as reflectors for the DDoS attacks
  - Limitations
    - Proxies can be configured to serve a restricted set of clients
    - Not enough proxies to constitute a large pool of possible reflectors
    - Connection between slave and the reflector cannot be spoofed unless the reflecting proxy has predictable sequence numbers
      - Logging helps in identifying the slave's location
      - Definitely a major threat if proxies running on stacks with predictable sequence numbers are widely deployed

Application layer reflectors
- Gnutella
  - Provides a "push" facility that instructs the server to connect to a given IP address and port in order to deliver the Gnutella item
  - Gnutella connection to the IP host is separated from the initial client, making it impossible to trace back to the slave
  - Fix: modify the protocol to include path information with push directives
  - Gnutella could be a major problem for DDoS reflector attacks

Application layer reflectors
- SNMP
  - UDP-based request/reply
  - Sites that fail to block off-site access to SNMP provide a large number of reflectors
  - SNMP attack is sourced at port 161
  - Filtering out the external SNMP messages leads to major problem for service providers
    - Configure the filter to receive SNMP messages from interested hosts
- Game protocols
  - Quake, Qstat (UDP)
  - Counterstrike clients (UDP)

[Table: summary of different reflector threats; contents not recoverable]

NIDS avoidance
- Confuse NIDS at application layer
  - Addition of interpreted characters (^H)
    - How does OS interpret?

References
- C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
- S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
- S. Bellovin, "Defending Against Sequence Number Attacks"
- S. Bellovin, "Packets Found on an Internet"
- R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"
- B. Cheswick, S. Bellovin, "A DNS Filter and Switch for Packet-filtering Gateways"
- S. Savage, N. Cardwell, D. Wetherall, T. Anderson, "TCP Congestion Control with a Misbehaving Receiver"

Extra slides

TCP for Transactions (T/TCP) reflectors
- Spoof initial SYN packet with acceptable seq. no.
- Make an expensive request
- Factors that limit the T/TCP attack
  - T/TCP server will begin in slow start
    - Unless the server's stack has predictable seq. no.
  - Amenable to stateless packet filtering
  - T/TCP is not widely deployed

IP address spoofing
- Used to disguise the IP address of a system
- Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing
- Changing the IP address
  - The attacker can either reconfigure the whole system to have a different IP address, or use a tool (Nmap or Dsniff) to change the source address of outgoing packets
  - Limitation: the attacker cannot receive any responses

Undermining UNIX r-commands
- Attacker finds two computers with a trust relationship
- Send a bunch of TCP SYN packets to target and see how the initial sequence numbers change
- A DoS attack is sent to other system
- Attacker initializes a connection with target system using the IP address of the other system
- Target system sends TCP SYN and ACK packets to other system, which is dead
- Attacker estimates initial sequence number of other system and sends TCP ACK packet back
- If initial sequence numbers match, attacker has successfully gained one-way access to the target

Undermining UNIX r-commands
[Figure: open several TCP connections to Bob to observe the initial sequence number in the response; messages SYN(A, ISNA), ACK(B, ISNB), ACK(A, ISNA) SYN(B, ISNB)]
Figure 8.16: Spoofing attack against UNIX trust relationships

Review by example: Building scalable web services

Building scalable web services
- A relatively easy problem
- Why?
  - HTTP: stateless request-response protocol
  - Decoupled, independent requests
- How?
  - Divide and conquer
  - Replicate, partition, distribute, load balance
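
The checks from the "DNS cache poisoning: Defenses" slide (drop malformed packets, does the answer really answer the query made, was it received from the appropriate server), as an added example that is not part of the original notes. The function names, the layout of the `query` record and the sample packet with its documentation addresses are assumptions; the record names follow the cache-poisoning slide.

```python
import struct

# Added illustration: names and the `query` record layout are assumptions.
class Malformed(ValueError):
    """A DNS message that cannot be parsed; the proxy drops such packets."""

def read_name(msg, off):
    """Decode a (possibly compressed) name. Returns (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise Malformed("name runs past end of message")
        n = msg[off]
        if (n & 0xC0) == 0xC0:                     # compression pointer
            if off + 1 >= len(msg) or hops >= 16:  # truncated, or a pointer loop
                raise Malformed("bad compression pointer")
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
        elif (n & 0xC0) or off + 1 + n > len(msg):
            raise Malformed("bad label")
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if resume is None else resume)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def parse(msg):
    """Return (txid, flags, questions, [answer, authority, additional])."""
    try:
        txid, flags, *counts = struct.unpack("!6H", msg[:12])
        off, questions, sections = 12, [], []
        for _ in range(counts[0]):
            name, off = read_name(msg, off)
            questions.append((name, *struct.unpack("!2H", msg[off:off + 4])))
            off += 4
        for count in counts[1:]:
            rrs = []
            for _ in range(count):
                name, off = read_name(msg, off)
                rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
                if off + 10 + rdlen > len(msg):
                    raise Malformed("truncated rdata")
                rrs.append((name, rtype, msg[off + 10:off + 10 + rdlen]))
                off += 10 + rdlen
            sections.append(rrs)
    except struct.error:
        raise Malformed("truncated message") from None
    return txid, flags, questions, sections

def filter_response(msg, src, query):
    """Return (reason, kept, dropped); reason is None when the response passes."""
    try:
        txid, flags, questions, (answer, authority, additional) = parse(msg)
    except Malformed as exc:
        return "malformed: %s" % exc, [], []
    if src != query["server"]:
        return "not from the server that was asked", [], []
    if txid != query["txid"] or not flags & 0x8000:
        return "does not match an outstanding query", [], []
    if questions != [(query["qname"], query["qtype"], 1)]:
        return "does not answer the query made", [], []
    zone, kept, dropped = query["zone"], [], []
    for rr in answer:                    # an answer must be about the name asked
        (kept if rr[0] == query["qname"] else dropped).append(rr)
    for rr in authority + additional:    # extras only for names inside the zone
        (kept if rr[0] == zone or rr[0].endswith("." + zone) else dropped).append(rr)
    return None, kept, dropped

def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"

def build_response(txid, qname, answer, authority, additional):
    """Uncompressed encoder, used only to construct the sample below."""
    out = struct.pack("!6H", txid, 0x8400, 1, len(answer), len(authority), len(additional))
    out += _name(qname) + struct.pack("!2H", 1, 1)
    for name, rtype, rdata in answer + authority + additional:
        out += _name(name) + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return out

# Constructed sample modelled on the cache-poisoning slide: a valid answer for
# www.attacker.com that also carries an unrelated record for www.google.com.
QUERY = {"txid": 0x1A2B, "qname": "www.attacker.com", "qtype": 1,
         "zone": "attacker.com", "server": ("203.0.113.53", 53)}
SAMPLE = build_response(0x1A2B, "www.attacker.com",
    [("www.attacker.com", 1, bytes([203, 0, 113, 80]))],
    [("attacker.com", 2, _name("ns.attacker.com"))],
    [("ns.attacker.com", 1, bytes([203, 0, 113, 53])),
     ("www.google.com", 1, bytes([203, 0, 113, 66]))])
```

Calling `filter_response(SAMPLE, ("203.0.113.53", 53), QUERY)` keeps the three attacker.com records and returns the www.google.com record in the dropped list, so it never reaches the cache.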

