Prep Guide Flashcards

Question

What are the two things that need to be measured in traffic engineering?

Answer 1

1) Topology | 2) Traffic

Answer 2

1) routers may self-report (Link-State protocol) 2) entered as data by a network engineer (most common) * both the connectivity and the capacity of each router

Answer 3

- “simple counters” measurement technique * we want to know how much traffic is on each part of the network but don't necessarily need the details of specific flows

Answer 4

1) adjusting link weights ("traditional") | 2) using SDN to directly control routes

Answer 5

- this indirectly affects the routes calculated by the routing protocol - link weights are more often used this way than to represent any “real” property of the network, like bandwidth or link latency

Answer 6

- LOCAL_PREF, the local preference parameter - AS_PATH length, as determined by counting the number of ASes in the AS_PATH - MULTI_EXIT_DISC, the MED value IGP metric to the EXT_HOP, i.e., equal “hot potato” routing distance

Answer 7

- changes the flat layer 2 addressing (MAC) into a hierarchical addressing (pseudo-MAC) - switches only need to store a forwarding entry for each host in the same pod plus one for each other pod, rather than needing an entry for each host on the entire network - similar hierarchical concept as IP/layer 3

Answer 8

- Network Load Balancing - Higher Capacity - Shorter Paths - Incremental Expansion

Answer 9

Network Load Balancing – prevents bottleneck links and heavily loaded aggregation or core switches

Answer 10

Higher capacity – since the network is balanced, more hosts can reasonably be hosted on a network with the same number of switches

Answer 11

Shorter paths – shorter average number of hops between any two hosts results in faster network performance

Answer 12

Incremental expansion – allows adding switches to the network without reconfiguring the existing network infrastructure or adding additional “higher-level” switches

Answer 13

* Does not handle heterogeneous switch devices well | * Long cable runs between random switch pairs may be necessary, but are inconvenient and difficult to install

Answer 14

- The Fabric Manager is primarily responsible for maintaining network configuration soft state. - Using this soft state, the Fabric Manager performs ARP resolution, provides multicast capability to the network, and achieves fault tolerance goals.

Answer 15

- The Fabric Manager is a user process, running on a dedicated machine. - This machine may be located on the network itself, or it can reside on a separate control network.

Answer 16

This encoding consists of four components in the format: pod.position.port.vmid

Answer 17

A PMAC encodes the position of an end host in a fat-tree network.

Answer 18

The pod (first) component encodes the pod number the end host and the edge switch reside in.

Answer 19

The position component (second) encodes the end | host’s position in the pod.

Answer 20

The port component encodes the switch’s physical port number the end host is attached to.

Answer 21

- The vmid component encodes a unique ID for each virtual machine that is present on the end host. - The edge switch maintains a mapping for each VM, which uses its own AMAC (actual MAC) address. - This permits multiplexing of virtual hosts resident on a single physical host.

Answer 22

- The use of PMACs greatly simplify layer 2 forwarding due to their hierarchical nature. - Switches no longer need a forwarding table entry per virtual host. - A single forwarding table entry can be used to aggregate hosts, enabling forwarding behavior that exploits longest prefix match.

Answer 23

O(n) - n is the number of virtual hosts in the data center

Answer 24

O(k) - k is the number of ports on switches used to construct the fat tree network

Answer 25

- an approximation algorithm is used to generate a RRG (Random Regular Graph) - The result is a blueprint for the Jellyfish topology that can be used to physically cable the switches and servers

Answer 26

1) N = num of racks/switches 2) k = num of ports per switch 3) r = num of ports used to connect to other switches

Answer 27

- To incrementally add a new server rack, it is not necessary to generate a new RRG with N+1, k, and r - we can add the new rack by iteratively selecting connections between other ToR switches and replacing that connection with two new connections, each to the new switch - This maintains the previous connectivity of the topology, and also consumes two of the r ports on the new ToR switch dedicated to connecting to other ToR switches - This process is repeated until one or zero or the r ports remain

Answer 28

- after expansion, the new topology CANNOT be expected to be | uniformly random, as it would be if a new RRG was created and the entire data center re-cabled appropriately

Answer 29

● A BGP message could be sent to a router by some host that is not the router's legitimate neighbor ● An AS could lie about being the origin of a particular subnet ● An AS could lie about the AS-path to a particular subnet

Answer 30

Although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”

Answer 31

BGPSec prevents this by providing certificates that sign the origin claim

Answer 32

BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path.

Answer 33

- When an attacker performs a BGP hijack it leaves its own AS out of the path. - It can ensure that even traceroute cannot discover it by simply not decrementing the TTL field on the traceroute when it passes through the attacking AS. - To traceroute, it then looks like that AS isn't actually there.

Answer 34

There are several ways this could happen, but the most common is DNS poisoning.

Answer 35

- attacker SPAMs DNS server with bad mappings - eventually one matches and DNS accepts and caches is - DNS responds to future requests with the new bad mapping - the attacker collects traffic and/or spoofs the legitimate server

Answer 36

ARP Poisoning: An attacker could send gratuitous ARP responses for a particular IP address to hosts on its local network so that those hosts send messages to the attacker's MAC instead

Answer 37

- ARP poisoning works similarly to DNS poisoning, except that there is not ID value that the attacker needs to guess - A host will accept an ARP response even if no ARP request for that IP→MAC mapping was ever made – such a response is referred to as a “gratuitous ARP response” - The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target

Answer 38

- The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target - Users connected to the same “public hotspot” are all on the same local network

Answer 39

- The server does not allocate resources for the TCP connection immediately upon receiving a SYN packet, but instead waits for the ACK to allocate those resources. - the server's SYN/ACK response to the SYN packet contains a special “SYN cookie” that it uses as the connection's initial sequence number. - When the server gets an ACK, it can calculate whether or not the sequence number in that ACK could have been legitimately generated as a SYN cookie.

Answer 40

If the ACK sequence number (SYN cookie) checks out, then the server knows 1) that the client has engaged in the entire 3-way handshake, rather than sending spurious ACKs, and 2) the client's IP address given by the IP headers is it's legitimate address, because otherwise it wouldn't have received the SYNACK that contains the SYN cookie.

Answer 41

The /12 subnet contains 2^(32-12) = 2^20 = 1048676. So 1048576/1048576 = 1 packet to observe

Answer 42

BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix.

Answer 43

Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist.

Answer 44

soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available.

Answer 45

S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path.

Answer 46

Data plane verification prevents an AS from announcing a path and forwarding on another, so the manipulator must actually forward traffic on the path he is announcing.

Answer 47

- Defensive filtering polices the BGP announcements made by stubs. - With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. - If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.

Answer 48

1) Announcing longer paths can be better than announcing shorter ones 2) Announcing to fewer neighbors can be better than announcing to more. 3) The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection.

Answer 49

- advertising the shortest path will only pick up traffic from one small provider - Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper. - It is better for the manipulator to attract traffic from larger AS. - This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used.

Answer 50

- In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. - This will work against any secure protocol as it is just using a clever export policy to manipulate traffic.

Answer 51

- With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. - This will force large ISPs to choose shorter peer paths. - Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.

Answer 52

- Malicious ASes change their providers often to avoid being detected or to avoid the negative consequences of their customers activities. - they are also known to connect to Providers with lax security policies and / or long response times to abuse complaints. - Malicious ASes have longer periods of downtime, due to depeering from their neighboring ASes and detection avoidance strategies they employ.

Answer 53

- ASWatch captures these activities by taking snapshots of AS relationships periodically and observing the changes in relationships over time. - These activities are then used to feed the reputation engine that identifies malicious ASes.

Answer 54

- Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with simple blacklisting. - Examples of this would be DoS, spamming, and phishing. - If a malicious AS consistently advertises its entire IP address space, it runs a higher risk of having the entire IP space blacklisted when these activities are detected. - Small fragments of advertised space allow malicious activities to continue their activities in a fresh IP space fragment when they are blacklisted.

Answer 55

- Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target area. - Continuing to flood the same set of target links will ultimately have negative effects on the attack when router failure detection mechanisms are tripped. - Rolling attacks will make the crossfire attack even harder to detect by changing the attack vector without changing the overall target area.

Answer 56

1) Off-path adversaries 2) On-path adversaries 3) In-path adversaries

Answer 57

- Off-path adversaries can’t observe DNS queries and responses. - They will trigger specific DNS lookups, but must generate numerous packets in hopes of matching the request the resolver will accept as they must guess the transaction ID and other entropy.

Answer 58

- On-path adversaries can passively observe the actual lookups requested by a resolver and can directly forge DNS replies. - As long as the resolver receives the forged reply before the legitimate one, it will accept the forged reply.

Answer 59

- In-path adversaries can both block and modify packets and can block the legitimate packet. - Hold-On can’t help here as the legitimate packets can be blocked.

Answer 60

NOTE: This card needs to be broken into smaller questions/answers. - Because the legitimate reply cannot be blocked by on-path adversaries, the “Hold-On” period can be used to wait for the legitimate reply to arrive. - The stub resolver/forwarded first learns the expected RTT and TTL associated with legitimate traffic to remote recursive resolver. - Then after issuing a DNS query, it starts its Hold-On timer - If a DNSSEC-protected response is expected, local signature validation is done for each reply and returns the first fully validated reply to the client or a DNSSEC error if the Hold-On timer expires before one is validated. - If there is no DNSSEC, the resolver compares the timing of the reply to the expected RTT and compares the TTL field in the header to the expected TTL. - If a reply is validated it will return this reply to the client, but if there are mismatches, it ignores the response and continues to wait. - If the timer expires, it will send the last reply received that was not validated.

Answer 61

- Network Virtualization refers to abstracting the network away from the physical equipment, which can be accomplished without SDN - SDN refers separating the control plane from the data plane by using a centralized logic controller. SDN does not necessarily imply Network Virtualization is employed.

Answer 62

- Network virtualization software like Mininet allows SDNs to be tested in a virtual environment by using logical processes to emulate physical network devices, including OpenFlow capable switches. - By emulating the physical equipment, control plane logic for an SDN can be tested without the need for physical equipment and complicated data collection methods.