Previous Semester

Lecture 1

ISO developed the Open Systems Interconnection (OSI) model.

The OSI model Divides network communication into 7 layers.

1. Application (HTTP, FTP)
2. Presentation (ASCII, GIF, JPG)
3. Session (SQL)
4. Transport (TCP, UDP)
5. Network (IP)
6. Data Link (802.11)
7. Physical (Fiber)

In 1970, the transmission rate of a connection was 56 Kb/s. Today we have faster connections, a CAT7 cable can even transfer 10 Gb/s

A mobile hotspot is a form of ad-hoc networking

Some numbers about the internet in 2020.

• 2.92 billion users
• 1 trillion URLs
• 294 billion emails per day
• 2 billion smartphones

The phyiscal layer is made of fiber, coaxial cable, radio signals

Interfaces include ethernet chips, as well as wireless chips.

Networks are built to withstand failure among its intermediary nodes. Given 100 components, where any given component is failing 1% of the time, there is a 63% that, at any given moment, at least one component is failing.

The ipconfig command first appeared in MacOS 10.0.

The basic components of a network include

• end systems/hosts (clients and servers)
• switches/routers
• links

The Internet Engineering Task Force (IETF) is a non-profit organization that seeks to standardize protocols across the world.

1961-1972 early packet switching principles

sputnik was launched in response, us founded ARPA, the advanced research project agency, and poured money into it

www was invented in 1990s

principles of internetworking

• minimalism/autonomy

• best-effort service

• stateless transmission

• 1967, The idea for the ARPAnet is first conceived.

• 1969: The first node of the ARPAnet becomes operational (UCLA).

• 1972: The APRAnet has expanded to include nodes in USC and MIT.

• 1973: UNIX is released, and in its documentation it boasts its ability to run on a computer as inexpensive as just $40,000.

• 1977: The Berkeley Software Distribution (BSD) is established.

• 1983: The TCP, IP, and SMTP protocols are formalized.

• 1990s: Hypertext, HTML, and HTTP become widespread.

• 1995: Microsoft releases Internet Explorer.

• 1998: Google is incorporated by Stanford students Larry Page and Sergey Brin.

• 2001: Apple releases macOS (Darwin).

• 2004: Blizzard launches World of Warcraft, and reports 1,000,000+ concurrent active users on its servers.

• 2007: Apple releases the original iPhone.

Woah, modem stands for modulator demodulator.

Digital Subscriber Line (DSL)

Digital Subscrible Line Access Multiplexer (DSLAM)

Data over DSL phone goes to internet. Voice over DSL phone goes to the telephone, but the problem with cable over a phone line is that cable is a shared medium, and a phone line is a dedicated medium.

Cable is a form of broadband.

Broadband transports multiple signals and traffic types

Among a continuous band of frequencies, bandwidth is defined as the difference between the upper and the lower frequencies.

• The coaxial cable

  • made of a twisted pair. It is twisted to prevent interference from the other wires.
  • composed of two concentric copper conductors
  • part of a shared medium

• The fiber optic cable

  • made of glass fiber
  • transmits pulses of light
    • each represents a bit
  • immune to an electromagnetic pulse (EMP)

• The radio signals

  • the signal is transmitted through electromagnetic spectrum
  • All of the following transmit radio signals
    • microwave ovens
    • wifi networks
    • cellular towers
    • satellite dishes

Lecture 2

• Resource Records

• The Domain Name System (DNS) is a hierarchical naming system for domains and other Internet resources. DNS can be viewed as an address book for the Internet; a primary function of DNS is mapping domain names to host IP addresses.

• Access ISP -> Regional ISP -> Tier 1 ISP

  • Each pays the next

• But sometimes you can use an IXP to make a shortcut, to make the route shorter

  • IXP is not really a network, it's just a huge switch, providing a path from one network to another

The CSCI 353 Layers

5. Application

   • Provides network support for apps

6. Transport

   • (Reliable) end-to-end delivery

7. Network

   • Global best-effort delivery

8. Link

   • Local best-effort delivery

9. Physical

   • Bits on wire

Network Devices

• Router
  • Operates at Network 3rd layer
  • Recreates a signal it receives
• Switch
  • Operates at Link 2nd layer
  • Take a packet and forward it along based on a table created by the router
  • Can check for errors in the network and drop packets if it detects error
• Bridge
  • Operates at Link 2nd layer
  • Typically has a single input and output port
• Hub
  • Operates at Physical 1st layer

Protocols

• IP (Network Layer)
  • Datagram, unreliable, best effort, connectionless
  • Routes packets "hop by hop"
  • Cloudflare: What is the network layer?
  • Cloudflare: What is the Internet Protocol (IP)
• UDP
  • Transport Layer
• TCP
  • Transport Layer

Inter-Layer Headers

• Each layer has its own header

• A packet at the network layer is a "datagram"

• A packet at the transport layer is a "transport segment"

• a packet at the link layer is called a frame

IPv4 Datagram

• Total packet length can be up to 64kB including the header and all the data

TCP

• Three way handshake

• Syn: Synchronise

• Ack: Acknowledge

• Syn + Ack

• A -> Fin -> B

• A <- Data + Ack <- B

• A <- Fin <- B

• A -> Ack -> B

• The stream of bytes is chopped up into TCP segments

  • We need to transfer the segments multiple times if the segment is lost or corrupted in transmission
  • Segment can be small, such as SSH, typing a single byte

• Ways that TCP ensures reliable delivery

  1. acknowledgements indicate correct delivery
  2. Checksums detect corrupted data
  3. Squence numbers detect missing data
  4. Flow control prevents overrunning receiver

• TCP is for process-to-process connection

  • IP is more, "endpoint to endpoint"

• A socket is an interface between an application and a network.

  • A socket is identified by an IP address and a port number
  • socket type dictates style of communication, can be reliable or best effort
  • can be connection oriented or connectionless

• An IP address doesn't identify a device, it identifies an interface

• multiplexing and demultiplexing is extending host-to-host delivery to process-to-process delivery

  • this occurs at the transport layer

Types of sockets

SOCK_STREAM

a.k.a. TCP

SOCK_DGRAM

a.k.a. UDP

SOCK_RAW

allows headers of lower level protocols to be constructed by the application

• Client-Server Model
  • a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients.
  • describes how a server provides resources and services to one or more clients.
  • Examples of servers include web servers, mail servers, and file servers.
  • Each of these servers provide resources to client devices

Taxonomy of Communication Networks

• Broadcast Network
  • WiFi
  • Many-to-many, broadcast isn't just one hub with a bunch of spokes

Multiplexing

• Multiplexing in Circuit-Switched Networks is a technique for sending two or more signals over the same telephone line, radio channel, or other medium

• Circuit Switched Network

  • Similar to having a reservation at a restaurant

• Frequency Division Multiplexing

  • Analog
  • Divide frequency spectrum in frequency bands
  • Separate frequency band per circuit
  • Several signals transmitted simultaneously
  • Disadvantage is that 1/4th of the same bandwidth is available for each user

• Time Division Multiplexing

  • Digital
  • Divide bandwidth in time, each timeslot is allocated to each user, the time period in which that user can be transmitting data.
  • time is divided into time frames, each frame is divided into time slots
  • Advantage Each user has access to the full bandwith

• Wavelength Division Multiplexing

  • Used in fiber optics, increase bandwidth by chopping up the frequencies of the visible spectrum

Lecture 3

• Circuit switching is

  • a way to build a network which supports the between two endpoints, and allows sharing of channels
  • in pure circuit switching, there are no packets

• Frequency division multiplexing

  • You can constantly continue sending those bits, not required to chop them up, as you would during time-division multiplexing
  • used with analog cables

• Virtual circuits

  • Built on top of packet switching

• wavelength division multiplexing is used for circuit switching and packet switching networks

• FDM, divide the whole bandwidth into parts, each part is a frequency range for a user.

  • This is common for

• TDM

  • typically used for digital transmission

• WDM

  • typically used for fiber optics
  • kind of like FDM for fiber optics

• TCP socket identified by 4-tuple

  • Source IP
  • Source Port
  • Dest IP
  • Dest Port

Lecture 4

Midterm

• Midterm 1 is next week, in class, September 16
• Covers lectures 1-4
• Closed book/notes test
• Practice exam posted on Blackboard
• Exam is accessed via Blackboard
• You are allowed one 8.5" x 11" handwritten note sheet (double sided)
• (2h 15m) exam length
  • You are allowed one (5 minute) restroom break
  • Auto submits when clock strikes zero
  • How does this get handled with DSP?
  • You'll record yourself and share your screen (mic & camera on)
  • Must record to the cloud
  • You'll share a link to your Zoom recording via a Google form posted on Piazza
  • You can start it whenever you want

Lecture 5

Internet Names

• Machine addresses: 128.125.253.146

• DNS: Domain Name Service

Domain Name Service

• Cloudflare covers it well in What is DNS?

• DigitalOcean has a course: An Introduction to Managing DNS

• Translates hostnames to IP addresses

• Can perform load distribution by reordering the list of IP addresses that it returns.

• The client will try every IP address in the list returned by DNS until it accesses the sought-after resource

• DNS is a distributed, hierarchical, database

• Dynamic DNS is covered in Cloudflare's What is dynamic DNS (DDNS)?

Server Hierarchy

• Highest layer: root servers, whose locations are hardwired by other servers

• Next layer: Top-level domain (TLD) servers

  • Manages TLDs such as com, gov, etc.
  • Verisign Global Registry Services manages the TLD servers for the com top level domain

• Bottom level: Authoritative DNS servers

  • Actually store the name-to-address mapping
  • Maintained by the corresponding administrative authority

• Depth of tree is arbitrarily set to 128 layers: fifth.fourth.sub.example.com

• A DNS zone corresponds to an administrative authority that is responsible for that portion of the hierarchy.

  • For example, USC controls names *.usc.edu
  • Multiple managed zones can exist on the same server
  • DNS zone file is a plaintext file that contains a representation of all of the domains in the zone

DNS Root Servers

• Check out Cloudflare's article What is a DNS root server?

• 13 servers, labeled A through M, spread across North America

Networking Techniques

• Anycast is a networking technique where the same IP address range is advertised from multiple locations

  • Cloudflare article: What is Anycast DNS?
  • Benefits: Reduces latency, supports load balancing, increases reliability
  • Drawbacks: Doesn't support TCP, so it's only used for single-request, single-response use cases like DNS

• Unicast is a 1-to-1 mapping of addresses to hosts

  • Drawback: vulnerable to DoS attacks
  • Cloudflare: What is a Denial-of-Service (DoS) attack?

• Multicast

  • Host has no way to differentiate anycast and multicast traffic.

• Anycast routing finds the shortest path to a destination based on the number of hops

• BGP: Border Gateway Protocol

Name Resolution

Name resolution starts with a recursive resolver (also known as a DNS recursor)

1. requesting host trojan.usc.edu sends a request to local DNS server dns.usc.edu for the IP address for bruin.cs.usc.edu

2. the local DNS server dns.usc.edu checks if it has cached the IP address of bruin.cs.usc.edu. If it's cached, the local DNS server sends the cached IP address of bruin.cs.usc.edu to the requesting host. The process is finished at this point, preventing the steps below from executing.

3. the local DNS server dns.usc.edu asks root DNS server for the IP address of the TLD DNS server for edu

4. the root DNS server sends the IP address of the TLD DNS server for edu to the local DNS server

5. The local DNS server dns.usc.edu asks the TLD DNS server for the IP address of the authoritative DNS server

6. The TLD DNS server sends the IP address of the authoritative DNS server to the local DNS server

7. the local DNS server requests the authoritative DNS server for the IP address of the machine bruin.cs.ucla.edu

8. the authoritative DNS server sends the local DNS server the IP address of the machine bruin.cs.ucla.edu

9. the local DNS server sends the IP address of the machine bruin.cs.ucla.edu to the requesting host (and caches it as well)

Official 8-step Procedure

1. A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver.
2. The resolver then queries a DNS root nameserver (.).
3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD.
4. The resolver then makes a request to the .com TLD.
5. The TLD server then responds with the IP address of the domain’s nameserver, example.com.
6. Lastly, the recursive resolver sends a query to the domain’s nameserver.
7. The IP address for example.com is then returned to the resolver from the nameserver.
8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially.

DNS Records

• Google covers the DNS basics pretty well.

• Cloudflare covers it well in What is a DNS record?

• Each piece of DNS information stored is called a resource record (RR)

• A: Address

  • name = hostname
  • value = IP address

• NS: Name Server

  • name = domain usc.edu
  • value = name of DNS server for domain
  • is used to route DNS queries further along in the query chain

• CNAME: Canonical NAME

  • name = hostname
  • value = canonical name

• MX: Mail eXchange

  • name = domain in email address
  • value = canonical name(s) of mail server(s)

Old-school Website Management

1. Create a company "Example"
2. Get a CIDR blcok from your ISP
3. Register example.com with domain registrar
4. Registrar inserts RR pairs ino the .com TLD server txt (mystartup.com, dns.mystartup.com, NS) (dns.mystartup.com, 212.44.9.129, A)
5. Store appropriate records (A & NS) at dns.mystartup.com

Improving DNS Performance

• Web browser caches content
  • Also performs negative caching, remembering what does not work

User Datagram Protocol UDP { # UDP }

• Wikipedia: UDP datagram structure

• UDP Spec - RFC 768

• TCP Spec - RFC 793

Pipelining

• Allows sending multiple "in-flight", yet-to-be-acknowledged packets
• Automatic repeat request (ARQ)
  • Go-Back-N (GBN) ARQ
  • Selective Repeat (SR)

Sliding Window

• Sliding window protocol

• A window is a set of adjacent (consecutive) sequence numbers.

• The goal is to send n packets at a time.

• Sliding window is also known as packets in flight

• The sender and the receiver might not have the same window.

• Since a TCP header is 16 bits in length, the max size of a window is 2^16

• Throughput or Bandwidth is the maximum rate of data transfer across a given path.

• TCP uses ACKs but not NACKs (Negative ACKs)

• TCP uses checksums

• A transmission in TCP has the receiver buffer a partitions of memory at least equal to the size of the sliding window

• IP packet

  • Each link has an MTU (Maximum Transfer Unit)
  • Each segment must fit MTU (for example, 1500 bytes with Ethernet)

• The maximum segment size

• Structure of a TCP segment header

• Formula MSS = MTU - (IP header) - (TCP header)

• TCP segments are either set when

  1. The segment is full (max segment size MSS)
  2. The segment is not full, but the data in the buffer times out, and gets sent

Lecture 6

Review

• DNS is application layer protocol

  • at the

• The end to end principle

  • We want to push complexity to the network layer.
  • We want our network to be dump, and our end systems to be smart

• The sliding window protocol

General Terms Used

• Go back N GBN protocol

  • Sender transmits up to n unacknowledged packets
  • If frames arrive, the receiver asks the sender to retransmit the frames if:
    1. The frames are damaged
    2. The frames are lost
    3. The frames are fine, but arrived out of order
  • Receiver

• Cumulative acknowledgement

  • The packet referred to in the "acknowledgement" is actually acknowledging the minimum packet number you don't have yet. If you have 3, 5, 6

• Even though a sender received 3, 5, and 6, it will still acknowledge 4, causing the sender to resend 5 and 6 regardless. This was a decision made during the design of the TCP protocol.

Question: Which algorithm would you choose for inter-domain routing? Link State (LS) vs. Distance Vector (DV)? Why? Answer: For inter-domain routing, I would choose distance vector over link state. With link state, every node in the network has a lot of information about the connections, which not only brings up privacy concerns, but also is more expensive to compute for large network topologies. With inter-domain routing, large topologies are rather common. BGP uses not distance vector, but a similar one, but certainly does not use link state.

RIP: Routing Information Protocol

Lecture 8 Question 6

Question: What could happen if routers lie? Answer: A router could lie if it wanted to redirect or attract traffic, which it could use to either sniff the packets to obtain information, or just gain information on where traffic is coming and going from (valuable!)

Question How can you prevent routers from deceiving other devices on the network? Answer You can configure your network to only communicate with trusted networks.

Lab 3

Snort resources. There's a Docker container for Snort built on top of Debian.

I found the Snort manual to be very helpful while working on this project.

For Snort to detect attacks and alert you when attacks occur, Snort needs to know where its rule base is. As a matter of convention, we place our custom rules for Snort in the file /prefix/snort/local.rules.

The general format of a Snort rule is as follows:

ACTION PROTO SOURCE_HOST SOURCE_IP DIRECTION DESTINATION_HOST DESTINATION_IP \[OPTIONS\]

A Snort rule can be broken down into two logical parts

1. The rule header, which contains the following information:

   • Action to perform

   • Protocol that the rule applies to

   • Source and destination addresses and netmasks

   • Source and destination ports information

2. The rule options, which allow you to

   • Create a descriptive message to associate with the rule

   • Check a variety of other packet attributes by making use of Snort's extensive library of plug-ins.

When a packet comes in, its source and destination IP addresses and ports are compared to the rules in the ruleset. If any of them are applicable to the packet, then the options are compared to the packet. If all of these comparisons return a match, then the specified action is taken.

Snort provides several built-in actions that you can use when crafting your rules.

• log - log the packet

• alert - generate an alert using the selected alert method, and then log the packet o pass -- ignore the packet

• drop -- block and log

• sdrop -- silently block but do not log

• reject - block, log and send response (TCP reset for TCP or ICMP port unreachable for UDP)

Note the last three actions would only work in inline mode.

Shown below is a sample local.rules file:

alert icmp any any -> any any (msg: "Testing ICMP alert"; sid:1000001;)
alert udp any any -> any any (msg: "Testing UDP alert"; sid:1000002;)
alert tcp any any -> any any (msg: "Testing TCP alert"; sid:1000003;)

Currently protocols supported are TCP, UDP, ICMP and IP. Direction is specified using ASCII arrow syntax ->. The IP address and port number on the left-hand side of the direction operator is the source host, and the right-hand side is the destination host. <> can be used to represent a bidirectional arrow operator. Rule options are separated by ( ; ) and rule option keywords are separated from their arguments by a ( : ). The msg rule option is a simple text string to be printed along with the alert or the log. The sid keyword is used to identify Snort rules, custom defined rules should have a sid >= 1000000. rev is used to mark the revision numbers in conjunction with sid.

• Checking the validity of a Snort ruleset

  snort --v -c /usr/local/etc/snort/snort.conf -T
  

• Executing Snort with the updated ruleset

  snort -c /usr/local/etc/snort/snort.conf -l /usr/local/var/log/snort -K ascii -i eth0
  

Breaking down the options used in the previous command:

• -c: Config file to use (in this case snort.conf imports local.rules

• -l: Directory to use for logging output

• -K: Logging mode (pcap (default), ascii, or none)

• -i eth0: The interface to listen to (eth0)

Understanding Standard Alert Output

When Snort generates an alert message, it will usually look like the following:

[**] [116:56:1] (snort_decoder): T/TCP Detected [**]

The first number is the Generator ID, this tells the user what component of Snort generated this alert.

The second number is the SID or Snort ID (sometimes referred to as the Signature ID). Rule-based SIDs are written directly into the rules with the SID option. In this case, 56 represent a T/TCP event.

The third number is the revision ID.