Final Flashcards Preview

CS 6250 > Final > Flashcards

Flashcards in Final Deck (71):

What is network management?

Process of configuring network to achieve a variety of tasks.
* Load balancing
* Security
* Business Relationships


What kind of problems can network misconfigurations lead to?

* Persistent Oscillation - routers can't agree on route to destination
* Loops - packets keep going in a loop b/t two or more routers and never reach destination
* Partitions - network is split into unconnected segments
* Black holes - router doesn't know what to do with a packet so it drops it.


Why is configuration hard?

1. Defining Correctness is hard
2. Interactions b/t protocols can lead to unpredictability
3. Operators make mistaks


What does SDN provide to operators?

1. Network wide views
* Topology
* Traffic
2. Ability to satisfy network-level objectives
* load balance
* security
3. Direct Control
* instead of configuring each device individually, express network level objectives and direct control from a logically centralized controller


What should routers do?

* Forward Packets
* Collect measurements
* NOT computer routes!
* can be (logically) centralized


What is SDN ... in the most succinct way.

"Remove routing from Routers"


What is SDN, really?

1. Logically centralized control
2. Network Wide Control


What is the control and data plane?

1. Data Plane: task is to forward packets to ultimate destination. State that lives in these routers to. Typically programmable hardware and is controlled by the control plane. Sometimes known as the Forwarding plane. Data that goes *through* the router.

2. Control Plane: Compute routing tables. Typically a software program written in high level language. Destined to, or locally originated by the router itself.

Conventionally, Control + Data run on routers

in SDN, control runs in a centralized program and distributes the rules to the routers.


What are the advantages of SDN?

1. Coordination
2. Evolve
3. Reasoning

Separation of control plane means we can apply CS techniques from programming languages or software engineering to help us reason about the network.


What is the difference b/t the control plane and the data plane?

1. Control Plane
* Logic that controls forwarding behavior
* Examples: routing protocols, config for network middle boxes (generally software)

2. Data Plane
* Forward traffic according to control plane logic
* Examples: Forwarding, Switching (generally hardware)

Routing Protocol compute paths (Control Plane) -> Forwarding Table Entries (Data Plan)


Why is separation of Control/Data planes a good thing?

- Independent Evolution - software and hardware can evolve independently
- Control from high level program - debug / check behavior more easily


What opportunities are provided by separating data and control?

* Data Centers - VM Migration to adapt to fluctuating network demand
* Routing - more control over decision logic
* Enterprise - Security
* Research - Coexistence w/ production (on same underlying network hardware)


What are the challenges of SDN?

Scalability: a control element may be responsible for hundreds to thousands of switches

Consistency: Ensuring different replicas see the same view of the network

Security/Robustness: network still functions after failure or is compromised.


What is network virtualization?

Abstraction of a physical network

Multiple logical networks on a shared physical substrate

Sort of like VM's with the hypervisor. Each network think it's view is the real view of the network but the underlying real network is hidden from it

Separation of logical and physical network.


What is traffic engineering?

Reconfiguring the network in response to changing traffic loads, to achieve some operational goal


Describe link weight tuning in Intradomain traffic engineering

Adjust link weights to redirect flow within the network to take the path you want it to take.

Some ways to set link weights are:
- Inversely proportional to capacity
- Proportional to propagation delay
- Network wide optimization based on traffic


What are the three steps to traffic engineering?

Measuring - the topology and traffic

Model - pass that into a what-if model to figure out what changes to make

Control - make changes to link weights


What are the goals of interdomain traffic engineering?

1. Predictability - predict how traffic flows will change in response to the changes implemented. Don't want globally visible changes (eg if you change your outbound path to an AS, it could now have more hops, when you advertise that others may not use you now).

2. Limit Influence of Neighbors - limit how neighboring AS's may change their behavior in response to changes made in our network. Consistent adverts across multiple peering links to b/t you and another AS

3. Reduce overload of routing changes - changes to as few ip prefixes as possible. Group prefixes that share an AS path. Focus on small fraction of prefixes that carry majority of traffic.


What characterizes a datacenter?

1. Multi-tenancy
2. Elastic Resources
3. Flexible service management

+ amortization of cost
- security, resource isolation


What are the challenges of data center networking?

1. Traffic load balance
2. support for virtual machine migration
3. power savings
4. provisioning network when demands fluctuate
5. providing security guarantees with multiple tenets


Why is the internet insecure?

1. Designed for simplicity
2. "on by default" - any host is always reachable by any other host
3. Hosts are insecure
4. Attacks can look like 'normal traffic'
5. Federated Design - b/c it's run by many different people, difficult to prevent a coordinated attack


What are the components of Security?

* Availability - ability to use a resource
* Confidentiality - concealing information
* Authenticity - assures origin of information
* Integrity - prevents unauthorized changes data in flight


What is Control Plane Security?

Determine voracity of routing advertisements.

Session: protects point to point comms b/t routers
Path: protects AS path
Origin: protects origin AS in AS path, guaranteeing origin AS that advertises prefix is the owner of that prefix


What's the 'TTL Hack' defense?

Set the TTL to 255 and then the receiver drops anything that has a TTL of < 254. Generally eBGP communication is only a single hop away and most attackers are remote.


What is path attestation?

Each AS signs and appends a path attestation to each route advert.

If you have AS1 => AS2 => AS3
Then AS1 would send {2, 1}k1 (where k1 is the signature of AS1) to AS2

and then AS2 would send {3, 2, 1}k2, {2,1}k1 to AS3

So each hop see's who the route was intended for and who signed it along the way.

Prevents against:
- Hijacks
- Shortening
- Modification

Can't protect against
- Suppression
- Replay


How does DNS cache poisoning work?

Since DNS queries are UDP (Connectionless) and there is is not authentication, after someone sends a request, the attack can reply before the request comes back (from the master) with a flood of ID's. If one of the ID's matches, then the cache is poisoned until it expires.


How can we defend against DNS cache poisoning?

1. use an ID (but it can be guessed)
2. randomize the ID (16 bit, only, though) - b/c of birthday paradox, attacker can send only a couple hundred replies instead of all 2^16.
3. randomize the source port
- resource intensive
- NAT could derandomize port
4. 0x20 Encoding -> DNS is case insensitive
* ==
* idea is their is a key that randomizes the capitalization and that must also match - ultimately adds additional entropy


How does DNS amplification work?

attacker makes small DNS queries (~60B) but uses a spoofed source IP. The response may be 3000B, so you get a 2x order of magnitude response. If attacker has fast connection they can send a lot of data and then it gets amplified in return to the victim.

Solutions are:
* prevent ip address spoofing using appropriate filtering rules
* disable DNS resolve from resolving queries from arbitrary locations on the internet


What is DNSSEC?

Each Authoritative Name server in hierarchy returns not only referral, but signature containing ip address + public key of authoritative NS that corresponds to that referral. this PK allows resolver to check signatures of next lower level of hierarchy. This continues until the bottom.


Compare/Contrast viruses and worms

Virus: infection of existing program that results in modification of original programs behavior. Usually requires user interaction.

Worm: code that propagates/replicates across the network.


Describe the different types of viruses.

Parasitic - infects executable file
Memory Resident - Infects running programs
Boot Sector - Spreads when system is booted
Polymorphic - encrypt part of virus program sing randomly generated key


What are the three steps in the worm lifecycle?

1. Discover / scan for vulnerabilities
2. Infect vulnerable machines via remote exploit
3. Prevent being discovered.


What is the Random Constant Spread Model?

K = initial compromise rate
N = vulnerable hosts
a = fraction of hosts already compromised

Nda = (Na) * K(1-a) dt

a = e^(K(t-T)) / (1+e^(K(t-T)))

The initial number of hosts is the biggest indicator to how quickly it spreads.


What are the common filtering methods for SPAM detection?

1. Content Based (easy to evade)
2. IP Address of sender (Blacklist) - can be ineffective b/c can use BGP IP Prefix hijack to temporarily hijack a prefix, send spam from those addresses, then withdrawl
3. Behavioral Features (geographic location of sender/receiver, set of targets, upstream isp, botnet?)


What is a DOS attack?

Attempt to exhaust resources:
- Network bandwidth
- tcp connections
- server resources


What are the defenses from DOS attacks?

Ingres Filtering - drop if packet IP from a stub does not come from the IP address range that stub owns.
+ fool proof, works at the edge
- doesn't work in the core

uRPF checks - Check your routing table to see if the IP address coming in on an interface is from a subnet you would SEND to on that interface.
+ automatic
- requires symmetric routing

TCP Syn Cookies - Server waits to establish connection. When syn packet sent, calculates a sequence number and sends in SYN-ACK, when client responds with ACK (including that seq number), it recomputes seq number to make sure it matches. Then it establishes the connection.


How does backscatter work?

Monitor some portion of the IP address space and watch for data proportional to the attack rate.

m = x * (2^32 / n)
x = m * (n / 2^32)

m = total attack rate
x = backscatter in packets per second (observed attack rate)
n = number of ip addresses you're monitoring


Name some situations/scenarios where SDN is useful.

Backbone networks - can easily install a null route to stop attack traffic to a victim

Data Centers - migration/provisioning of VMs. All you need to do is update the switch state in the routers for the newly provisioned systems so data still goes to the right machines. Much more easily attained when done from a centralized location.


How does using pods and pseudo-MACs improve the scalability of a Layer 2 network?

The lowest level switch and all its servers are considered a 'pod'. Each pod has an address and each server within that now has a pseudo MAC. Switches now only need to maintain switch table entries for reaching other pods. Once frame enters pod, the local switch then handles it.

Ultimately, each switch doesn't have to maintain separate entries for EVERY server, only the pods.

One problem is mapping the pseudo mac to real mac, and what to do with ARP queries.

ARP queries are intercepted by switch and sent to fabric manager, who replies back with the pseudo mac for intended target host.


Briefly describe the functions of the logically centralized Fabric Manager used in PortLand. Where does this Fabric Manager reside?

The fabric manager is a user process running on a dedicated machine responsible for assisting with ARP resolution, fault tolerance, and multicast.

Could run as a redundantly separated host or on a separate control network.


Explain how PMAC (Pseudo MAC) addresses are generated for end hosts in a PortLand network, i.e. What are the four components of a PMAC, and what does each component encode? How does this design improve forwarding table sizes on large scale data center networks?

- pod.position.port.vmid

Pod = pod number of the edge switch
Position = position in the pod
Port = switch=local view of the port number the host is connect to
Vmid = multiplex multiple VM’s on the same machine

vmid's are assigned incrementally and reuses them if they don't have traffic for a long enough period of time.

Using AMACs, switch state size is O(n), where n is the number of virtual hosts in the data center, whereas state size is O(k) for PMACs, where k is the number of ports on switches used to construct the fat tree network.


Describe at a high level how a data center could generate a Jellyfish topology for their specific network. Assume the desired topology is of the simplest variety, meaning each switch has the same number of ports and will connect to the same number of servers.

Need to know:

N - number of racks/switches
k - number of ports
r - number of ports to be used for switches

Then approximation algorithm used with inputs N, k, r to generate RRG(N, k, r).


Describe at a high level how a Jellyfish topology can be incrementally expanded, using the same assumptions from the previous question. Can we expect the expanded topology to be uniformly random after an incremental expansion?

randomly remove another link from the system (at both ends) and connect one of each of the open ports to where each end you removed used to connect to.

No - no longer uniformly random as if you had started over and re-cabled.


What kinds of attacks can BGPSec successfully protect against? i.e., what specific attacks are possible against BGP but are defeated by BGPSec? (Explain clearly how these attacks would be executed – if there's more than one way to execute an attack, consider those as two different attacks.)

● A BGP message could be sent to a router by some host (e.g., a remote attacker) that is not the router's legitimate neighbor
○ Note that although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”.
● An AS could lie about being the origin of a particular subnet (i.e., claiming that the AS contains a subnet when it does not, in fact)
○ BGPSec prevents this by providing certificates that sign the origin claim
● An AS could lie about the AS-path to a particular subnet (i.e., claiming that there is a path through the AS when there is not, or that there is a more efficient path than there really is)
○ BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path


How do SYN cookies work? How does this prevent resource exhaustion type denial of service (DoS) attacks on a server (i.e., trying to exhaust the server's resources, rather than exhausting the network's resources)?

By not allocating resources until the receiving the final ACK from the client.

Client : SYN -> Server: generates cookie and sends SYN/ACK with cookie value as initial sequence number -> Client sends back ACK (with sequence # = cookie + 1), then server can check to see if it was legitimate by subtracting 1. If checks out, it will allocate resources to connection.


Describe the various rewiring activities that are unique to malicious ASes and how ASWatch captures these activities.

Groups often 'rewire' with each other, forming short lived groups where one is connected to a legitimate AS. This provides connectivity and protection for the group.

May connect directly to a legitimate upstream provider, but they may change frequently.

Advertises small portions of ip address space so if they get blacklisted they can quickly jump to another.

ASWatch observes control plane behavior (BGP traffic) in order to assess whether an AS is malicious or not.

(1) AS rewiring captures aggressive changes in AS connectivity;
(2) BGP routing dynamics capture routing behavior that may reflect criminal illicit operations; and
(3) Fragmentation and churn of the advertised IP address space capture the partition and rotation of the advertised IP address space.


Describe how (or if) BGP, origin authentication, soBGP, S-BGP, data plane verification and defensive filtering can be manipulated.

-BGP does not validate information in routing announcements, so a manipulator can announce
any path they want and claim ownership of a victim’s IP prefix.

-Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of
a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the
path does not physically exist.

-soBGP uses origin authentication and a trusted database to guarantee that any path physically
exists, but the manipulator can advertise a path that exists but is not actually available.

-S-BGP uses path verification, which limits a single manipulator to announcing available paths,
but they could announce a shorter, more expensive, provider path while actually forwarding
traffic on a cheaper, longer customer path.

-Data plane verification prevents an AS from announcing a path and forwarding on another, so
the manipulator must actually forward traffic on the path he is announcing.

-Defensive filtering polices the BGP announcements made by stubs. With the model in the
paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are
stubs. If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if
all providers correctly implement this it eliminated attacks by stubs.


What is shortest-path export all?

Announce the shortest legitimate available path to everyone instead of the normal path.


The “Shortest-Path Export-All” strategy was proven not to be optimal for the manipulator. Describe the 3 counterexamples that were discussed.

Announcing longer paths can be better than announcing shorter ones. In the example given in Figure 9 of the paper, advertising the shortest path will only pick up traffic from one small provider. Announcing a longer path to the large provider, will attract more traffic overall as the
large provider will prefer this path over the shorter, peer path as it will be cheaper. It is better for the manipulator to attract traffic from larger AS. This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because
it is only implementing a different export policy than usually used.

Announcing to fewer neighbors can be better than
announcing to more. In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. This will work against any secure protocol as it is just using a clever export policy to manipulate traffic. Be selective.

The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection. With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. This will
force large ISPs to choose shorter peer paths. Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.


Why are current defense methods against Botnet DDoS attacks ineffective against crossfire attacks?

• Crossfire attacks use legitimate IP addresses instead of spoofed ones - no ingress filtering
• They don’t use unwanted traffic - the requests are legitimate requests.
• They use low intensity traffic instead of huge streams of traffic - can’t distinguish unwanted traffic from wanted traffic


Why would an attacker mounting a crossfire attack choose to dynamically change the set of target links during an attack (known as a rolling attack)?

To avoid detection and indefinitely continue attack on the target. They don’t want to leave each attack going for so long that it triggers a change in the network topology. Could have negative effects for the attack itself.


Briefly describe the 3 categories of attackers against DNS.

Off Path - They aren’t on the path to the DNS Resolver and can’t observe the request. They generally try to trigger a request and then spam the DNS Resolver hoping to get a match.

On Path - They can observe the request to the DNS resolver directly. They can forge DNS request replies and as long as their response comes back sooner than real one, they would be accepted.

In Path - They are like a man in the middle - but more difficult to deploy b/c they need to intercept packets. Hold on can’t help here. They can block and modify packets.


How does the Hold-On algorithm work?

Once a DNS query is submitted, instead of just accepting the first response it gets back, it waits a period of time for another response. It checks the TTL and the response time against expected values. If response time is < 0.5 * expected, it doesn’t accept that response. It also rejects if the TTL is incorrect. So a match is one where the TTL is matched and the response time within expected range. If no match, returns last invalid response. If DNSSec is used, returns first valid signed response. If not DNSSec response within hold-on, returns DNSSec error.


Describe the differences in the terms network virtualization and software defined networking (SDN). How can we use network virtualization to evaluate and test SDNs?

Separates the control plane from the data plane. SDN is a way to abstract, easily program, control, and distribute filtering, forwarding, and packet modification rules. It defines how various pieces of hardware operate from a higher level, centralized logic controller.

Network Virtualization is the ability to have multiple logical networks simultaneously exist on the same set of physical hardware without interfering with each other.
How can we use network virtualization to evaluate and test SDNs?

Because we can deploy different versions of the SDN on the same physical network using virtualization.


Name some places where network virtualization is useful, and some places where it is not normally especially useful. (See if you can come up with 2 of each.)

• Useful in research - allows multiple people to use the same underlying physical hardware, but be ‘on a different network’ so they don’t interfere with each other.
• Useful - multi-tenant data centers
• Useful - Computer networking classes
• Not useful - overkill for home networking or possible your office
• Networks highly sensitive to latency are not a good option b/c of overheads associated with virtualization


Why use the Pyretic programming API when the hardware itself exposes the OpenFlow API?

Pyretic is much faster to develop in with a higher level interface and makes everything much easier to reason about. You can easily apply normal CS techniques and software principles when designing the controller.


How does a network policy implemented in python and executed on a Pyretic controller result in policies on OpenFlow switches?

Connects to openflow clients, interprets packets and checks them against policies, then installs the low level rules on the hardware devices on the network.


What are the two things that need to be measured, and how could each be measured? (Traffic Engineering)

• The topology and the traffic
• Topology - capacity of each link and router
• Traffic - simple counters


What are two ways that control could be implemented? (Traffic Engineering)

• Adjusting link weights. This is how link weights are more often used (as opposed to any ‘real’ property of the link, eg, bandwidth or congestion, etc)
• Use SDN to directly control routes used on the network


In intra-AS multipath, traffic can be split among paths with the same path length (i.e., sum of link weights along that path). In inter-AS multipath, what properties of the paths (i.e., of the BGP advertisements) need to be equal in order to allow multipath over those paths?

• Local preference
• AS path length
• multi_exit_discriminator (MED)


What are the advantages of using a Jellyfish topology over a traditional hierarchical data center topology?

• Can support up to 25% more servers
• More nodes are reachable given a certain number of hops (eg, 4 hops)
• Incremental expansion
• Network load balancing


What are the drawbacks or problems with using a Jellyfish topology?

• Cabling - could require tons of cabling
• Doesn’t handle heterogeneous switches well (different sized switches)


How does an attacker who performs BGP hijacking prevent being detected by traceroute?

By never decrementing the TTL value so it never runs out on their machine and times out.


ow can DNS be manipulated (i.e., attacked) to allow someone to become a “man-in-the-middle”?

DNS poisoning - when DNS sends query to resolver, someone spam replies with an illegitimate request (guessing the entropy) and if accepted it will be cached, now the traffic goes to the MITM.


How can ARP be used to mount a “man-in-the-middle” attack against a host on the same local (Layer 2) network as the attacker?

Send a gratuitous ARP response (without request) spoofing some else’s MAC so that traffic meant for them comes to you. Often can be for the default gateway so everyone’s traffic comes to you. You associate your IP address with someone else’s MAC.


Synopsis of Jellyfish paper

Instead of using a fat tree, use this RRG. You basically, uniformly, randomly connect top of rack switches to each other and end up being able to support more hosts and more hosts can reach more other hosts at a lower number of hops. Cabling is a problem and all switches should at least have the same or more number of ports (or more).


Synopsis of PortLAND paper

Scaling a fat tree network at layer 2 is hard b/c each switch has a flat map of the entire topology, which can be huge.

Instead, put lowest level hosts and their switches into PODs. Then have a fabric manager that responds to ARP requests with a pseudo mac (defined by the pod.postion.port.vmid). This guy can live as it's own host either on the same network or on another network.

Now switches only need to hold entries for other switches and the hosts within it's POD.


Synopsis of Crossfire Paper

Why make an attack look like an attack, when you can have the same effect by using normal, low rate traffic spread out over lots and lots of bots?

The idea is that you analyze the target area you want to attack, find the common links that go to that area, then setup lots of bots to send legitimate requests to proxy servers (legitimate hosts) that will also use those links. Then you have the bots send small requests, maybe every second, so it looks like normal traffic and they are legitimate requests, however, ALL those requests are going through a target link which will overload it and thus create a DOS to the target area for anything else trying to get through that link.

You can 'roll' this attack, eg turn on/off chunks of bots so that you keep the attack going, but don't cause a change in the routing table that may move traffic off the target link.


Synopsis of Hold-On: Protecting against On-Path DNS Poisoning

On-Path DNS poisoning is the easiest to implement b/c the DNS server accepts the first response it receives from a DNS resolver. Basically the moment you see the request go out, you spam back spoofed DNS replies with enough entropy that you are likely to get a match before the legitimate reply comes back.

To protect against this the DNS server should do the following:
- send normal DNS requests for non-blocked, un-interesting locations
- get an avg of the response time and resulting TTL
- When the DNS server sends future requests, instead of accepting the first response, wait a period of time for other responses
- Check responses against the expected TTL and response time. If those match, use that DNS response
- If none match within the given time period, use the last received un-validated response


Synopsis of BGP and BulletProof hosting paper

Bulletproof AS's are those that generally are illegitimate and out to cause problems instead of serving as a legitimate AS - they are dedicated to supporting cybercrime.

ASWatch is a system that uses the control plane to monitor BGP route activity to determine if an AS is suspected of being a naughty one. It looks at how they rewire together, size of their advertised prefixes (they usually use small ones so they don't get everything they own blacklisted at once), and how often and long they advertise their prefixes.


Synopsis of How Secure are Secure Interdomain Routing Protocols paper

Evaluation of various BGP Security protocols to 'smart attacks'.

BGP - doesn't really protect against anything. Has no mechanisms for validating information in routing announcements. Manipulator can announce any path they want.

Origin Authentication - Uses trusted DB to guarantee that an AS cannot falsely claim to be owner of an IP prefix. Manipulator CAN announce any path that ENDS at at the AS that rightfully owns the victim IP prefix.

soBGP - (Secure Origin BGP) - uses origin authentication + additional trusted database that guarantees that any announced path physically exists in the AS-level topology. Manipulator can still announce path that exists but is not actually available.

S-BGP - (secure BGP) - uses origin authentication + cryptographically-signed routing announcements to provide path verification. Limits a single manipulator to announcing available paths only. They can still announce a shorter legitimate path (even if it's a provider router, that could cost money), but that doesn't mean they will use it. They may still send the data along a longer path.

Data-Plane verification - prevents an AS from announcing one path, but then forwarding on another. (this prevents what was discussed in S-BGP)

Defensive Filtering - polices BGP announcements made by stubs. Stub should never announce a prefix that it does not own (b/c it has no customers). In this case, each provider keeps a list of the prefixes owned by each of its direct customers that are stubs. If stub announces any prefix it doesn't own, the provider drops the packet.

Defensive filtering is basically on par with S-BGP and data plane verification.