CN - Exam 2


L7: What are the three layers of SDN controller?

1. Communication layer 2. Network-wide state-management layer 3. Interface to network-control application layer

L7: What are the four defining features in an SDN architecture?

1. Flow-based forwarding 2. Separation of data plane and control plane 3. Network control functions 4. Programmable network

L10: What are the properties of GFW (Great Firewall of China)?

> Locality of GFW nodes > Centralized management > Load balancing

L7: What is the function of the control and data planes?

Control plane - controls forwarding behavior of routers, such as routing protocols and network middlebox configurations. Data plane - performs actual forwarding as dictated by the control plane. IP forwarding and layer 2 switching are functions of the data plane.

L9: What are the causes or motivations behind BGP attacks?

> Human Error
> Targeted Attack (MitM)
> High Impact Attack

L8: What's the purpose of SDX?

In a traditional IXP, the participant ASes connect BGP-speaking border router to a shared layer-two network and a BGP route server. In the SDX architecture, each AS has the illusion of its own virtual SDN switch that connects its border router to every other participant AS.

L8: Describe the three perspectives of the SDN landscape.

1. A plane-oriented view > Management plane, control plane, data plane
2. The SDN layers > Network apps, PL, language-based virtualization, northbound interface, network OS, network hypervisor, southbound interface, and network infrastructure
3. A system design > Network applications, network OS and network hypervisors, and hardware

L7: What are the three phases in the history of SDN?

1. Active networks 2. Control and data plane separation 3. OpenFlow API and network operating systems

L7: Summarize each phase in the history of SDN.

1. Active networks 2. Control and data plane separation 3. OpenFlow API and network operating systems

Active networks
> Researchers wanted to test new ideas to improve network services. This required standardization of new protocols by the IETF, which was a slow/frustrating process.
> More active networks which wanted to open up network control.
> Community belief: simplicity of the network core was vital to internet success.
The pushes that encouraged active networking:
> Reduction in computation cost
> PL advancement (like Java)
> Advances in rapid code compilation and formal methods.
Active networking envisioned unified control that could replace individually managing these boxes. Active networks made three major contributions related to SDN:
> Programmable functions in the network to lower the barrier of innovation
> Introduced the idea of using programmable networks to overcome the slow speed of innovation in networking.
Active networking produced a framework that described a platform that would support experimentation with different programming models. This led to network virtualization.
Active networking was more involved in redesigning the architecture of networks, so not as much emphasis was given to performance and security. Since there were no specific short-term problems that active networks solved, it was harder to see widespread deployment. The next efforts had a more focused scope and distinguished between control and data planes. This difference made it easier to focus on innovation in a specific plane and bring about widespread change.

Control and data plane separation
> Network operators were looking for better network-management functions such as control over paths to deliver traffic.
> Identified that the challenge in network management depended on the way existing routers and switches tightly integrated the control and data planes.
> Efforts to separate the two began:
>> Higher link speeds in backbone networks led vendors to implement packet forwarding directly in the hardware
>> ISPs found it hard to meet the increasing demands for greater reliability and new services.
Two main innovations: an open interface between control and data planes AND logically centralized control of the network.
It differed from active networking in that it:
> Focused on spurring innovation by/for network administrators rather than end users/researchers.
> Emphasized programmability in the control domain rather than the data domain.
> Worked towards network-wide visibility rather than device-level visibility.
Attempts to separate control and data planes resulted in two concepts used in further SDN design:
> Logically centralized control using an open interface to the data plane.
> Distributed state management - There was skepticism about moving away from a simple network where all have a common view of the network state to one where the router only had a local view of the outcome of route selection. This concept of separation of planes helped researchers think clearly about distributed state management.

OpenFlow API and network operating systems
> OpenFlow was born out of interest in the idea of network experimentation at scale, by researchers and funding agencies.
> OpenFlow built on the existing hardware and enabled more functions than earlier route controllers. Enabled immediate deployment.
The basic working of an OpenFlow switch: Each switch contains a table of packet-handling rules. Each rule has a pattern, a list of actions, a set of counters and a priority. When an OpenFlow switch receives a packet, it determines the highest-priority matching rule, performs the associated action and increments the counter.
OpenFlow was adopted in the industry, unlike its predecessors. Companies started investing more in programmers to write control programs, and less in proprietary switches that could not support new features easily. This allowed many smaller players to become competitive in the market by supporting capabilities like OpenFlow.
Key effects that OpenFlow had were:
> Generalizing network devices and functions
> Vision of a network operating system
> Distributed state management techniques

L8: What are three information sources provided by OpenFlow protocol?

1. Event-based messages sent by forwarding devices to controller given a link/port change. 2. Flow statistics generated by forwarding devices and collected by controller. 3. Packet messages are sent by forwarding devices to controller when they do not know what to do with a new incoming flow.

L9: What are 3 classes of features used to determine the likelihood of a security breach within an organization?

1. Mismanagement symptoms 2. Malicious Activities 3. Security Incident Reports

L10: List five DNS censorship techniques and briefly describe their working principles.

1. Packet Dropping
> All network traffic going to a set of specific IP addresses is discarded.
2. DNS Poisoning
> When a DNS server receives a query to resolve a hostname to an IP address and either no answer is returned or an incorrect answer is sent to redirect/mislead the request, this scenario is called DNS Poisoning.
3A. Proxy-based content inspection
> Allows all network traffic to pass through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content.
3B. Intrusion detection system (IDS) based content inspection
> An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost effective to implement than a proxy-based system as it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship.
4. Blocking with Resets
> The GFW employs this technique, where it sends a TCP reset (RST) to block individual connections that contain requests with objectionable content. We can see this by packet capturing of requests that are normal and requests that contain potentially flaggable keywords.
5. Immediate Reset of Connections
> Censorship systems like the GFW have blocking rules, in addition to inspecting content, to suspend traffic coming from a source immediately for a short period of time. After sending a request with flaggable keywords (above), we see a packet trace like this:
> The reset packet received by the client is from the firewall. It does not matter that the client sends out legitimate GET requests following one "questionable" request. It will continue to receive resets from the firewall for a particular duration.

L10 - What are the steps involved in the global measurement process using DNS resolvers?

1. Performing global DNS queries 2. Annotating DNS responses with auxiliary information 3. Additional PTR and TLS scanning

L9: What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?

1. Prefix deaggregation 2. Mitigation with Multiple Origin AS (MOAS)

L10: What is DNS censorship?

> A large-scale network traffic filtering strategy opted by a network to enforce control and censorship over Internet infrastructure to suppress material which they deem as objectionable. > An example of large scale DNS censorship is that implemented by networks located in China, which use a Firewall, popularly known as the Great Firewall of China (GFW). This Firewall looks like an opaque system that uses various techniques to censor China's internet traffic and block access to various foreign websites.

L8: Describe the SDX architecture.

> AS A has a virtual switch connecting to the virtual switches of ASes B and C. > Each AS can define forwarding policies as if it is the only participant at the SDX, without influencing how other participants forward packets on their own virtual switches. > Each AS can have its own SDN applications for dropping, modifying, or forwarding their traffic. Policies can also be different based on the direction of the traffic. An inbound policy is applied on the traffic coming from other SDX participants on a virtual switch. An outbound policy is applied to traffic from the participant's virtual switch port towards other participants. > The SDX is responsible to combine the policies from multiple participants into a single one for the physical switch.

L8: What are the applications of SDX in the domain of wide area traffic delivery?

> Application specific peering > Inbound traffic engineering > Wide-area server load balancing > Redirection through middle boxes

L9: What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?

> Botnet command and control providers > Drive-by-download hosting providers > Phish hosting providers

L9: What are the properties of secure communication?

> Confidentiality > Integrity > Authentication > Availability

L10: What are the three steps involved in DNS injection?

> DNS probe is sent to the open DNS resolvers.
> The probe is checked against the blocklist of domains and keywords.
> For domain-level blocking, a fake DNS A record response is sent back. There are two levels of blocking domains: the first one is by directly blocking the domain, and the second one is by blocking it based on keywords present in the domain.

L10: Our understanding of censorship around the world is relatively limited. Why is it the case? What are the challenges?

> Diverse measurements
> Need for scale
> Identifying the intent to restrict content access
> Ethics and minimizing risks
Diverse Measurements: Such understanding would need a diverse set of measurements spanning different geographic regions, ISPs, countries, and regions within a single country.
Need for Scale: There is a need for methods and tools that are independent of human intervention and participation.
Identifying the intent to restrict content access: Identifying DNS manipulation requires that we detect the intent to block access to content, which poses its own challenges. So we need to rely on identifying multiple indications to infer DNS manipulation.
Ethics and Minimizing Risks: Obviously, there are risks associated with involving citizens in censorship measurement studies, based on how different countries may penalize access to censored material. Therefore it is safer to stay away from using DNS resolvers or DNS forwarders in home networks of individual users. Instead, rely on open DNS resolvers that are hosted in Internet infrastructure (for example within Internet service providers or cloud hosting providers).

L9: How does Round Robin DNS (RRDNS) work?

> Responds to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner. > The DNS client can then choose a record using different strategies - choose the first record each time, use the closest record in terms of network proximity, etc. Each "A" record also has a TTL for this mapping which specifies the number of seconds the response is valid. If the lookup is repeated while the mapping is still active, the client will receive the same set of records.

L8: Which BGP limitations can be addressed by using SDN?

> Routing only on destination IP prefix > Networks have little control over end-to-end paths > SDN can perform multiple actions on the traffic by matching over various header fields, not only by matching on the destination prefix.

L7: What spurred the development of Software Defined Networking (SDN)?

> SDN arose to make CN more programmable > Networks are complex/difficult to manage due to the diversity of equipment on the network > Proprietary technologies for the equipment

L9: What are the defenses against DDoS attacks?

> Traffic Scrubbing Services > Access Control List Filters > BGP Flowspec

L10 - How is it possible to achieve connectivity disruption using routing disruption approach?

A routing mechanism decides which parts of the network are reachable. Routers use BGP to communicate updates to other routers in the network. Each router shares which destinations it can reach and continuously updates its forwarding table to select the best path for an incoming packet. If this communication is disrupted or disabled on critical routers, it could result in unreachability of large parts of a network. This approach is easily detectable, since previously advertised prefixes must be withdrawn or re-advertised with different properties, which modifies the global routing state of the network, i.e. the control plane.

L9: What are the key ideas behind ARTEMIS?

ARTEMIS - a system run locally by network operators to safeguard their own prefixes against malicious BGP hijacking attempts. The key ideas behind ARTEMIS are:
> A configuration file - all the prefixes owned by the network are listed for reference.
> A mechanism for receiving BGP updates - allows receiving updates from local routers and monitoring services. Built into the system.
Using the local configuration file as a reference, ARTEMIS can check the prefix and AS-PATH fields and trigger alerts when there are anomalies.

L9: (BGP hijacking) What is the classification by AS-Path announcement?

An illegitimate AS announces the AS-path for a prefix for which it doesn't have ownership rights. This can be achieved as:
> Type-0 hijacking: An AS announcing a prefix not owned by itself.
> Type-N hijacking: An attack where the counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake link (path) between different ASes. For example, {AS2, ASx, ASy, AS1 - 10.0.0.0/23} denotes a fake path between AS2 and AS1, where there is no link between AS2 and ASx. The N denotes the position of the rightmost fake link in the illegitimate announcement, e.g. {AS2, ASy, AS1 - 10.0.0.0/23} is a Type-2 hijacking.
> Type-U hijacking: The hijacking AS does not modify the AS-PATH but may change the prefix.

L9: Explain IXP blackholing.

At IXPs, if an AS is a member of the IXP infrastructure and it is under attack, it sends blackholing messages to the IXP route server (the member connects to the route server for this). The route server then announces the message to all the connected IXP member ASes, which then drop the traffic towards the blackholed prefix. The null interface to which the traffic should be sent is specified by the IXP. The blackholing message sent to the IXP should contain the IXP blackhole community.

L9: Explain the scenario of hijacking a path.

Attacker manipulates received updates before propagating them to neighbors.
> AS1 advertises the prefix 10.10.0.0/16.
> AS2 and AS3 receive and legitimately propagate the path for the prefix.
> At AS4, the attacker compromises the update for the path by changing it to 4, 1 and propagates it to the neighbors AS3, AS2, and AS5. It therefore claims that it has a direct link to AS1 so that others believe the new false path.
> AS5 receives the false path (4,1), "believes" it and adopts it. But the rest of the ASes don't adopt the new path because they either already have a shorter path or an equally long path to AS1 for the same prefix.
The attacker does not need to announce a new prefix, but rather manipulates an advertisement before propagating it.

L9: Explain the scenario of prefix hijacking.

Attacker uses a router at AS4 to send false announcements and hijack the prefix 10.10.0.0/16 that belongs to AS1.
> The attacker uses a router to announce the prefix 10.10.0.0/16 that belongs to AS1, with a new origin AS4, pretending that the prefix belongs to AS4.
> This new announcement causes a conflict of origin for the ASes that receive it.
> As a result of the new announcement, AS2, AS3 and AS5 receive the false advertisement and compare it with the previous entries in their RIB.
> AS2 will not select the route as the best route, as it has the same path length as an existing entry.
> AS3 and AS5 believe the new advertisement, and they will update their entries from (10.10.0.0/16 with path 4,2,1) to (10.10.0.0/16 with path 4). Therefore AS5 and AS3 will send all traffic for prefix 10.10.0.0/16 to AS4 instead of AS1.

L9: Describe a Reflection and Amplification attack.

Attackers use a set of reflectors to initiate an attack on the victim. A reflector is any server that sends a response to a request. The master directs the slaves to send spoofed requests to a very large number of reflectors. The slaves set the source address of the packets to the victim's IP address, thereby redirecting the responses of the reflectors to the victim. Thus, the victim receives responses from millions of reflectors, resulting in exhaustion of its bandwidth. In addition, the victim's resources are wasted in processing these responses, making it unable to respond to legitimate requests. The master commands the three slaves to send spoofed requests to the reflectors, which in turn send traffic to the victim. This is in contrast with the conventional DDoS attack we saw in the previous section, where the slaves directly send traffic to the victim. Victims can easily identify the reflectors from the response packets, but reflectors can't identify the slave sending the spoofed requests. If the requests are chosen in such a way that the reflectors send large responses to the victim, it is a reflection and amplification attack. Not only would the victim receive traffic from millions of servers, the responses sent would be large in size, making it further difficult for the victim to handle them.

L9: Explain provider-based blackholing.

BGP blackholing - Countermeasure to mitigate a DDoS attack. With this mechanism, all attack traffic to a targeted DoS destination is dropped to a null location. The premise of this approach is that the traffic is stopped closer to the source of the attack and before it reaches the targeted victim. For a high-volume attack, it proves to be an effective strategy when compared to other mitigation options.
Provider-based blackholing - A network that offers a blackholing service is known as a blackholing provider. It is also responsible for providing the blackholing community that should be used. Network or customer providers act as blackholing providers at the network edge. ISPs or IXPs act as blackholing providers at the Internet core. If the blackholing provider is a peer or an upstream provider, the AS must announce its associated blackhole community along with the blackhole prefix.
Assume the IP 130.149.1.1 in AS2 is under attack.

L9: How does DNS-based content delivery work?

CDNs distribute the load among multiple servers at a single location, but also distribute servers across the world. When accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP address to the DNS client. It uses sophisticated techniques based on network topology and current link characteristics to determine the nearest server. This results in the content being moved 'closer' to the DNS client which increases responsiveness and availability. CDNs can react quickly to changes in link characteristics as their TTL is lower than that in RRDNS.

L8: What are the two main operations of P4 forwarding model?

CONFIGURE - determines the packet processing and the supported protocols in a switch whereas POPULATE - decides the policies to be applied to the packets.

L8: What are the differences between centralized and distributed architectures of SDN controllers?

Centralized controllers can't scale. Distributed controllers can. Centralized controllers have a single point of failure (POF) while distributed systems do not (i.e. they have fault tolerance).

L10 - What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition, do we declare the response as being manipulated?

Consistency Metrics
> Domain access should have some consistency, in terms of network properties, infrastructure or content, even when accessed from different global vantage points. Some consistency metrics used are IP address, Autonomous System, etc.
Independent Verifiability Metrics
> Use metrics that can be externally verified using external data sources. The independent verifiability metrics used include the HTTPS certificate.
If neither metric is satisfied, the response is declared manipulated.

L9: Explain the structure of a DDoS attack.

DDoS is an attempt to compromise a server or network resources with a flood of traffic. To achieve this, the attacker first compromises and deploys flooding servers (slaves). Later, when initiating an attack, the attacker instructs the flooding servers to send a high volume of traffic to the victim. This results in the victim host either becoming unreachable or in exhaustion of its bandwidth. The master host sends control messages to the three compromised slaves, directing them to send a huge amount of traffic to the victim. The packets sent from the slaves contain a random IP address as the source address and the victim's IP address as the destination. This master-slave configuration amplifies the intensity of the attack while also making it difficult to protect against. The attack traffic sent by the slaves contains spoofed source addresses, making it difficult for victims to track the slaves. Also, since traffic is sent from multiple sources, it's harder to isolate and block the attack traffic.

L10: How does DNS injection work?

DNS injection is one of the most common censorship techniques employed by the GFW. The GFW uses a ruleset to determine when to inject DNS replies to censor network traffic. To start with, it is important to identify and isolate networks that use DNS injection for censorship.

L7: Why did the SDN lead to opportunities in various areas such as data centers, routing, enterprise networks, and research network?

Data Centers - Management of large data centers is not easy. SDN makes it easier.
Routing - BGP constrains routes. There are limited controls over inbound and outbound traffic. With SDN, it's easier to update the router's state, and SDN provides more control over path selection.
Enterprise Networks - Using SDN, it is easier to protect a network from volumetric attacks such as DDoS if we drop the attack traffic at strategic locations on the network.
Research Networks - SDN allows research networks to coexist with production ones.

L9: How do Fast-Flux Service Networks work?

FFSN is based on a 'rapid' change in DNS answers, with a TTL lower than that of RRDNS and CDNs. One key difference between FFSN and the other methods is that after the TTL expires, it returns a different set of A records from a larger set of compromised machines. These compromised machines act as proxies between the incoming request and the control node/mothership, forming a resilient, robust, one-hop overlay network.

L10: What are the limitations of main censorship detection systems?

Global censorship measurement tools were created by efforts to measure censorship by running experiments from diverse vantage points. For example, CensMon used PlanetLab nodes in different countries. However, many such methods are no longer in use. One of the most common systems/approaches is the OpenNet Initiative where volunteers perform measurements on their home networks at different times since the past decade. Relying on volunteer efforts makes continuous and diverse measurements very difficult.

L9: What is spoofing, and how is it related to DDoS attack?

IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server. In DDoS attacks, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker's machine. This results in wastage of network resources and the client resources while also causing denial of service to legitimate users. Also, the attacker sets the same IP address in both the src/dst IP fields. This results in the server sending replies to itself, causing it to crash.

L10 - What kind of disruptions does Augur focus on identifying?

IP-based disruptions as opposed to DNS-based manipulations.

L8: Describe the responsibility of each layer in the SDN layer perspective.

Infrastructure
> Consists of networking equipment (routers, switches, etc). Difference: this physical networking equipment consists merely of forwarding elements that do a simple forwarding task, and any logic to operate them is directed from the centralized control system.
Southbound interfaces
> Connecting bridges between control and forwarding elements. They sit between the control and data planes, so they play a crucial role in separating plane functionality. The APIs are tightly coupled with the forwarding elements of the underlying physical or virtual infrastructure.
Network virtualization
> Network infrastructure needs to provide support for arbitrary network topologies and addressing schemes. Existing virtualization constructs can provide full network virtualization; however they are connected on a box-by-box configuration basis and there is no unifying abstraction that can be leveraged to configure them globally, making network provisioning tasks take as long as months/years.
Network OS
> SDN eases network management and solves networking problems by using a logically centralized controller - the network OS (NOS). It provides abstractions, essential services and common APIs to developers. Such systems propel more innovation by reducing the inherent complexity of creating new network protocols and applications.
Northbound interfaces
> Two core abstractions of an SDN ecosystem are the Southbound and Northbound interfaces. Northbound interfaces are supposed to be a mostly software ecosystem, as opposed to the Southbound interfaces. Another key requirement is the abstraction that guarantees PL and controller independence.
Language-based virtualization
> An important characteristic of virtualization is the ability to express modularity and allow different levels of abstraction. For example, using virtualization we can view a single physical device in different ways. It takes the complexity away from app developers without compromising on security, which is inherently guaranteed.
Network programming languages
> Achieved using low-level or high-level programming languages. Using low-level languages, it is difficult to write modular code and reuse it, and it generally leads to more error-prone development. HL programming languages in SDNs provide abstractions, make development more modular, make code more reusable in the control plane, do away with device-specific and low-level configurations, and generally allow faster development.
Network applications
> Implement the control plane logic and translate it to commands in the data plane. SDNs can be deployed on traditional networks, and can be found in home area networks, data centers, IXPs etc. Due to this, there is a wide variety of network applications such as routing, load balancing, security enforcement, end-to-end QoS enforcement, power consumption reduction, network virtualization, mobility management, etc.

L10 - How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?

Iris uses open DNS resolvers located globally. In order to avoid using home routers (which are usually open due to configuration issues), this dataset is then restricted to a few thousand that are part of the Internet infrastructure. Steps: > Scanning the Internet's IPv4 space for open DNS resolvers > Identifying Infrastructure DNS Resolvers

L8: Describe the purpose of each component of ONOS (Open Networking Operating System)

ONOS - distributed SDN control platform.
1. Application
2. Network View
3. OF Manager
The view is built by using the network topology and state info (port, link and host information, etc.) discovered by each instance. To make forwarding and policy decisions, the applications consume information from the view and then write these decisions back to the view. The corresponding OpenFlow managers receive the changes the applications make to the view, and the appropriate switches are programmed. The applications interact with the network view using the Blueprints graph API. The distributed architecture of ONOS offers scale-out performance and fault tolerance.

L8: How does ONOS achieve fault tolerance?

ONOS redistributes the work of a failed instance to other remaining instances. Each switch in the network connects to multiple ONOS instances with only one instance acting as its master. Upon failure of an ONOS instance, an election is held on a consensus basis to choose a master for each of the switches that were controlled by the failed instance. For each switch, a master is selected among the remaining instances with which the switch had established connection.

L10 - Explain a scenario of connectivity disruption detection in case of the outbound blocking.

Outbound blocking is the filtering imposed on the outgoing path from the reflector. Here, the reflector receives the SYN-ACK packet and generates a RST packet. As per our example, in step 3, the IP ID increments to 7. However, the RST packet does not reach the site. When the site doesn't receive a RST packet, it continues to resend the SYN-ACK packets at regular intervals depending on the site's OS and its configuration. This is shown in step 5 of the figure. It results in further increment of the IP ID value of the reflector. In step 6, the probe by the measurement machine reveals the IP ID has again increased by 2, which shows that retransmission of packets has occurred. In this way, outbound blocking can be detected.

L9: What are two findings from ARTEMIS?

Outsourcing the task of BGP announcements to third parties: Having just a single external organization mitigate BGP attacks is highly effective against attacks.
Comparison of outsourcing BGP announcements vs prefix filtering: When compared against prefix filtering (the current standard defense mechanism), it was found that filtering is less effective than outsourced BGP announcements.

L8: What is P4?

P4 - a language that was developed to offer programmability on the data plane. P4 (Programming Protocol-independent Packet Processors) - a HL PL to configure switches which works in conjunction with SDN control protocols. P4 is used to configure the switch programmatically and acts as a general interface between switches and the controller with its main aim of allowing the controller to define how the switches operate.

L10: Which DNS censorship technique is susceptible to overblocking?

Packet Dropping

L10 - How is it possible to achieve connectivity disruption using packet filtering approach?

Packet filtering can be used to block packets matching a certain criteria disrupting the normal forwarding action. This approach can be harder to detect and might require active probing of the forwarding path or monitoring traffic of the impacted network.

L9: (BGP hijacking) What is the classification by affected prefix?

Primarily concerned with the IP prefixes that are advertised by BGP. There are different ways the prefix can be targeted, such as:
> Exact prefix hijacking: When two different ASes (one genuine, the other counterfeit) announce a path for the same prefix. Traffic is routed towards the hijacker wherever the AS-path route is shortest, thereby disrupting traffic.
> Sub-prefix hijacking: This is an extension of exact prefix hijacking, except that in this case the hijacking AS works with a sub-prefix of the genuine prefix of the real AS. It exploits the BGP characteristic of favoring more specific prefixes, and as a result routes large or entire amounts of traffic to the hijacking AS. Example: A hijacking AS labelled AS2 announces that it has a path to prefix 10.10.0.0/24, which is a part of 10.10.0.0/16 owned by AS1.
> Squatting: In this type of attack, the hijacking AS announces a prefix that has not yet been announced by the owner AS.

L8: What are the primary goals of P4?

Reconfigurability
> The method of parsing and processing packets that takes place in the switches should be modifiable by the controller.
Protocol independence
> To enable switches to be independent of protocol, the controller defines a packet parser and a set of tables mapping matches to their actions. The packet parser extracts the header fields, which are then passed on to the match+action tables to be processed.
Target independence
> Packet processing programs should be written independent of the underlying target devices.
> These generalized programs written in P4 should be converted into target-dependent programs by a compiler, which are then used to configure the switch.

L7: What is the difference between a traditional and SDN approach in terms of coupling of control and data plane?

SDN separates the control and data planes. Traditional - routing algorithms (control plane) and forwarding function (data plane) are closely coupled. The router runs and participates in the routing algorithms.

L7: What are the main components of SDN network and their responsibilities?

SDN-controlled network elements
> Forward network traffic based on rules computed by the SDN control plane.
SDN controller
> Acts as an interface between the other two components.
Network-control applications
> Programs that manage the underlying network by collecting information on the network elements with the help of the controller.

L10: What are the strengths and weaknesses of "DNS poisoning" DNS censorship technique?

Strength
> No overblocking: Since there is an extra layer of hostname translation, access to specific hostnames can be blocked instead of blanket IP address blocking.

L10: What are the strengths and weaknesses of "packet dropping" DNS censorship technique?

Strengths
> Easy to implement
> Low cost
Weaknesses
> Maintenance of blocklist: Challenging to stay updated on the list of IP addresses to block
> Overblocking: If two websites share the same IP address and the intention is to block only one, there's a risk of blocking both

L10: What are the strengths and weaknesses of "content inspection" DNS censorship technique?

Strengths
> Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within a web page.
> Flexible: Works well in hybrid systems, e.g. in combination with other censorship techniques like packet dropping and DNS poisoning.
Weakness
> Not scalable: Expensive to implement on a large-scale network, as the processing overhead (through a proxy) is large.

L10 - How to identify DNS manipulation via machine learning with Iris?

TODO

L9: What is one of the major drawbacks of BGP blackholing?

The destination under attack becomes unreachable since all the traffic including the legitimate traffic is dropped. Consider the DDoS attack scenario where there is no mitigation strategy in place. In the control plane, the prefix 100.10.10.0/24 is advertised by AS1. Suppose a web service running on IP 100.10.10.10 comes under attack, which falls under AS1. This results in unreachability of the service by users from both AS2 and AS3 as the network port in AS1 becomes overloaded.

L9: (BGP hijacking) What is the classification by data plane traffic manipulation?

The intention of the attacker is to hijack the network traffic and manipulate the redirected traffic on its way to the receiving AS. Three ways the attack can be realized under this classification:
> Dropped: the traffic never reaches the intended destination. This falls under the category of a blackholing (BH) attack.
> Eavesdropped or manipulated before it reaches the receiving AS, also called a man-in-the-middle (MitM) attack.
> Impersonated: network traffic of the victim AS is impersonated and a response to this traffic is sent back to the sender. This is called an imposture (IM) attack.

L10 - Explain a scenario of connectivity disruption detection in case of the inbound blocking.

The scenario where filtering occurs on the path from the site to the reflector is termed inbound blocking. In this case, the SYN-ACK packet sent from the site in step 3 does not reach the reflector. Hence, no response is generated and the IP ID of the reflector does not increase. The returned IP ID in step 4 will be 7 (IPID(t4)), as shown in the figure. Since the measurement machine observes an increment of only 1 in the IP ID value, it detects filtering on the path from the site to the reflector.

L10: Explain a scenario of connectivity disruption detection in case when no filtering occurs.

The sequence of events is as follows: The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)). Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site. The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. The IP ID of the reflector is now incremented to 7. The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)). The measurement machine thus observes that the difference in IP IDs between steps 1 and 4 is 2 and infers that communication has occurred between the two hosts.

L8: What's the main purpose of southbound interfaces?

They're the separating medium between the control plane and data plane functionality. They promote interoperability and deployment of vendor-agnostic devices.

L8: When would a distributed controller be preferred to a centralized controller?

To prevent a single point of failure and scaling issues. To take advantage of fault tolerance.

L8: What are the core SDN controller functions?

Topology, statistics, notifications, device management, along with shortest path forwarding and security mechanisms. Security mechanisms are critical components to provide basic isolation and security enforcement between services and applications.

L7: Why separate the control from the data plane?

Traditional approach - routers are responsible for both routing and forwarding functionalities, so a change to either function required a hardware upgrade. In the new approach, routers focus only on forwarding, and their design can proceed independently of routing considerations. Improvements in routing algorithms can take place without affecting any existing routers, so the software aspect of the network can evolve independently of the hardware aspect. Because control and forwarding behavior are separate, higher-level software programs can be used for control, which makes it easier to debug and check the network's behavior.

L7: What is the relationship between forwarding and routing?

Traditional approach - the routing algorithms (control plane) and forwarding function (data plane) are closely coupled. The router runs and participates in the routing algorithms. From there, it is able to construct the forwarding table which it consults for the forwarding. SDN approach - a remote controller that computes and distributes the forwarding tables to be used by every router. This controller is physically separate from the router. There is a clear separation of the functionalities. The routers are solely responsible for forwarding, and the remote controllers are solely responsible for computing and distributing the forwarding tables.

L8: What are the applications of SDN? Provide examples of each application.

Traffic Engineering
> ElasticTree identifies and shuts down specific links and devices depending on the traffic load.
> Load balancing applications such as Plug-n-Serve and Aster*x achieve scalability by creating rules based on wildcard patterns, which enables handling of large numbers of requests from a particular group.
Mobility and Wireless
> OpenRadio enables decoupling of the wireless protocols from the underlying hardware by providing an abstraction layer.
> Light virtual access points (LVAPs) offer an improved way of managing wireless networks by using a one-to-one mapping between LVAPs and clients.
Measurement and Monitoring
> New functions can be added easily to measurement systems such as BISmark in an SDN-based broadband connection, which enables the system to respond to changes in network conditions.
> OpenSketch is a southbound API that offers flexibility for network measurements.
> OpenSample and PayLess are examples of monitoring frameworks.
Security and Dependability
> Randomly mutating the IP addresses of hosts to present fake dynamic IPs to attackers (OF-RHM).
> Monitoring cloud infrastructures (CloudWatcher).
Data Center Networking
> LIME is an SDN application that aims to provide live migration.
> FlowDiff is an application that detects abnormalities.

L9: The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. Describe 2 phases of this system.

Training phase
> The system learns the control-plane behavior typical of both types of ASes. It is given a list of known malicious and legitimate ASes and tracks their behavior over time: their business relationships with other ASes and their patterns of BGP updates and withdrawals. ASwatch then computes statistical features for each AS and uses supervised learning to capture the known behaviors and patterns in a trained model.
Operational phase
> Given an unknown AS, the system calculates the features for this AS and uses the model to assign it a reputation score. If the AS receives a low reputation score for several days in a row (indicating consistent suspicious behavior), it is flagged as malicious.

L8: Describe a pipeline of flow tables in OpenFlow.

When a packet arrives, the lookup process starts in the first table and ends either with a match in one of the tables of the pipeline or with a miss (no rule is found for that packet). Actions for the packet include:
> Forward packet to outgoing port
> Encapsulate packet and forward to controller
> Drop packet
> Send packet to normal processing pipeline
> Send packet to next flow table
