16.1. This problem is based on the TCP client program shown in Listing C.1 (C is the chapter number of the TCP Attack chapter; its actual value depends on which version of the book you are using). (1) To get responses from the server, the TCP client program should register for a source port number, but in the program, this step seems to be missing. Without this port number, how can the client program get responses? (2) Which line of the code triggers the three-way handshake protocol? (3) There are two write() calls in this client program; will each call trigger a separate TCP packet?


16.2. This problem is based on the TCP server program shown in Listing C.2 (C is the chapter number of the TCP Attack chapter; its actual value depends on which version of the book you are using). (1) Does the program get blocked when invoking listen() until a connection comes? (2) What is the purpose of the accept() call? (3) Why does the accept() call create a new socket? Why can we not use the same one that is used in the listen() call?


16.3. We have two machines, A and B. (1) Two TCP client programs on machine A send their data to a TCP server that is listening to port 8023 on machine B. Will the data from these two client programs be mixed together on the server side? Please explain. (2) Two UDP client programs on machine A send their data to a UDP server that is listening to port 8023 on machine B. Will the data from these two client programs be mixed together on the server side? Please explain.


16.4. A program wants to send many pieces of data to a server, and each piece will be sent via a separate call. The server needs to know the boundaries among these pieces. (1) If the program uses UDP, how does the server know where the boundaries are? (2) What if the program uses TCP?

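The socket behaviours that 16.1, 16.3 and 16.4 ask about can be observed on a single machine. The following is an added example written for this page, not the book's Listing C.1 or C.2: it runs a loopback TCP server and a loopback UDP server, connects clients that never call bind(), and records what the server side sees. The host address, the payloads and the 0.2-second settle delay are the example's own choices.

```python
import socket
import threading
import time

HOST = "127.0.0.1"   # everything stays on the loopback interface


def tcp_exchange(client_payloads, settle=0.2):
    """Loopback TCP server plus one client per entry of client_payloads.
    Each client sends its byte strings with separate sendall() calls.
    Returns (results, client_ports): results lists, in accept() order,
    (peer address seen by the server, chunks returned by recv());
    client_ports lists the source port the kernel assigned to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))        # port 0: the kernel picks a free listening port
    srv.listen(5)              # returns at once; accept(), not listen(), waits for a connection
    server_port = srv.getsockname()[1]
    results = []

    def serve(count):
        for _ in range(count):
            conn, peer = srv.accept()   # blocks until a handshake completes; a NEW socket per connection
            time.sleep(settle)          # give the client time to issue all of its sendall() calls
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:            # b"" means the peer closed (FIN)
                    break
                chunks.append(data)
            results.append((peer, chunks))
            conn.close()

    worker = threading.Thread(target=serve, args=(len(client_payloads),))
    worker.start()
    clients = []
    for payloads in client_payloads:
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        c.connect((HOST, server_port))  # connect() performs SYN / SYN+ACK / ACK; no bind() was called,
        clients.append(c)               # yet getsockname() below shows an ephemeral source port
        for p in payloads:
            c.sendall(p)                # separate calls; TCP is free to merge them into one segment
    client_ports = [c.getsockname()[1] for c in clients]
    for c in clients:
        c.close()
    worker.join()
    srv.close()
    return results, client_ports


def udp_exchange(client_payloads):
    """Same shape for UDP: one sendto() per byte string on the client side,
    one recvfrom() per datagram on the server side.
    Returns {peer address: [datagrams]} as seen by the server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))
    srv.settimeout(2.0)
    server_port = srv.getsockname()[1]
    clients, expected = [], 0
    for payloads in client_payloads:
        c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        clients.append(c)
        for p in payloads:
            c.sendto(p, (HOST, server_port))   # the first sendto() makes the kernel pick a source port
            expected += 1
    seen = {}
    for _ in range(expected):
        data, peer = srv.recvfrom(65535)      # exactly one datagram per call: boundaries are preserved
        seen.setdefault(peer, []).append(data)
    for c in clients:
        c.close()
    srv.close()
    return seen


if __name__ == "__main__":
    # constructed sample traffic: two TCP clients and two UDP clients talking to the same port
    tcp_results, ports = tcp_exchange([[b"hello ", b"world"], [b"second client"]])
    for (peer, chunks) in tcp_results:
        print("TCP from", peer, "->", chunks)     # each connection's bytes stay separate
    print("client-side view of the assigned ports:", ports)
    for peer, datagrams in udp_exchange([[b"a", b"bb"], [b"ccc"]]).items():
        print("UDP from", peer, "->", datagrams)  # one list entry per sendto()
```

Two things are worth noting when reading the output. The server distinguishes the two TCP clients by the (source IP, source port) pair that the kernel chose for each of them, so their data never mixes even though both target the same server port; the same pair is what recvfrom() reports for UDP. For the connection that issued two sendall() calls, the number of chunks recv() returns is often one on loopback, but TCP promises nothing either way: the stream has no message boundaries, whereas the UDP server gets exactly one datagram per sendto().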

16.5. Does a SYN flooding attack cause the victim server to freeze?

The half-open connection queue fills up, so the server can no longer respond to other connection requests.

16.6. In the SYN flooding attack, why do we randomize the source IP address? Why cannot we just use the same IP address?


16.7. What will happen if the spoofed source IP address in a SYN flooding attack does belong to a machine that is currently running?


16.8. An attacker launches a SYN flooding attack against the telnet server on a target machine. This particular telnet server listens to two ports, port 23 and port 8023. The attack is only targeting the default telnet port 23. While the attack is under way, can people still telnet to the server using port 8023?


16.9. Can we launch a SYN flooding attack from a computer without using the root privilege?


16.10. Why do we choose to fill up the memory used for half-open connections? Why can we not directly target the memory used for holding full connections? The latter requires more memory, so the resource should be much easier to exhaust.


16.11. If TCP always uses a fixed sequence number (e.g., zero) in its SYN + ACK packet during the three-way handshake protocol, please describe how you can conduct a denial-of-service attack on the TCP server. Your objective is different from the SYN flooding attack; you want to cause the server to establish connections with many non-existing computers, and thus exhaust the server's resources, especially its memory.


16.12. All the information that a server needs to know about a connection is contained not only in the SYN packet, but also in the final ACK packet from the client. Therefore, information-wise, there is no need to allocate a buffer to save the information about half-open connections. If we get rid of this buffer, the SYN flooding attack will not be effective any more. Do you agree with such a statement or not? Please justify your answer.

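The statement in 16.12 is the idea behind SYN cookies, which also bear on 16.5 and 16.10: instead of queuing a half-open connection, the server folds a keyed MAC of the connection's 4-tuple (plus a coarse timestamp and an MSS hint) into its initial sequence number, and reconstructs the state from the final ACK. The following is an added example written for this page, not code from the book or from any real TCP stack; its field layout (5-bit time counter, 3-bit MSS index, 24-bit MAC), the 64-second epoch, the MSS table and the server secret are all the example's own choices.

```python
import hashlib
import hmac

# Toy SYN-cookie layout (constructed for this example):
#   bits 31..27: 5-bit epoch counter (64-second units)
#   bits 26..24: index into MSS_TABLE
#   bits 23..0 : 24-bit keyed MAC over the 4-tuple, client ISN and epoch
MSS_TABLE = [536, 1300, 1440, 1460]   # the only MSS values the cookie can encode
EPOCH_SECONDS = 64
MASK32 = 0xFFFFFFFF


def _epoch(now):
    return (int(now) // EPOCH_SECONDS) & 0x1F


def _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, epoch):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{epoch}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN to put in the SYN+ACK. Nothing about this half-open
    connection is stored on the server: the cookie IS the state."""
    epoch = _epoch(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, epoch)
    return ((epoch << 27) | (mss_idx << 24) | mac) & MASK32


def check_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_seq, ack, now):
    """Validate the handshake's final ACK. client_seq is that packet's sequence
    number (client ISN + 1) and ack is its acknowledgement number (server ISN + 1).
    Returns the MSS to use on success, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & MASK32
    client_isn = (client_seq - 1) & MASK32
    epoch = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    cur = _epoch(now)
    if epoch not in (cur, (cur - 1) & 0x1F):     # accept only the current and previous epoch
        return None
    expected = _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, epoch)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                               # wrong 4-tuple, wrong ISN or guessed cookie
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # constructed handshake between a client 10.0.2.5 and a telnet server 10.0.2.9
    secret = b"server-secret-rotated-periodically"
    isn = make_syn_cookie(secret, "10.0.2.5", 40000, "10.0.2.9", 23, 12345, 1460, now=1_000_000)
    # the client's final ACK carries seq = 12346 and ack = isn + 1
    print("legitimate ACK ->", check_syn_cookie(secret, "10.0.2.5", 40000, "10.0.2.9", 23, 12346, isn + 1, 1_000_010))
    print("ACK with wrong ack number ->", check_syn_cookie(secret, "10.0.2.5", 40000, "10.0.2.9", 23, 12346, isn + 2, 1_000_010))
    print("same cookie replayed minutes later ->", check_syn_cookie(secret, "10.0.2.5", 40000, "10.0.2.9", 23, 12346, isn + 1, 1_000_200))
```

Because a flood of SYNs with spoofed sources now costs the server one MAC computation and no memory, the half-open queue can no longer be exhausted, which is the "yes" side of the question. The price that the reasoning in 16.12 glosses over is visible in the code: only the few MSS values in the table survive, any other TCP option negotiated in the SYN is lost, and a final ACK that is never answered by a SYN+ACK retransmission (because nothing was stored) can leave a legitimate client waiting if its ACK is dropped. That is why Linux, with net.ipv4.tcp_syncookies set to 1, falls back to cookies only once the SYN backlog overflows.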

16.13. To reset a connection between two remote machines, i.e., we will not be able to see the packets between these two machines, what are the main challenges?


16.14. Are TCP Reset attacks effective against encrypted connections, such as SSH?


16.15. Is UDP communication subject to reset attacks?


16.16. There is an active Telnet connection from a client (10.0.2.5) to a Telnet server (10.0.2.9). The server has just acknowledged a sequence number 1000, and the client has just acknowledged a sequence number 3000. An attacker wants to launch the TCP session hijacking attack on the connection, so he can execute a command on the server. He is on the same local area network as these two computers. You need to construct a TCP packet for the attacker. Please fill in the following fields:

  • Source IP and Destination IP
  • Source port and Destination port
  • Sequence number
  • The TCP data field.


16.17. In a TCP session hijacking attack, if the server is waiting for data starting from sequence number X, but we used X + 100 in our attack packet, will our attack succeed or fail?

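Both 16.13 and 16.17 come down to what a receiving TCP does with a segment whose sequence number it did not expect. The following is an added example for this page (not code from the book or from any operating system): a small model of the receiver-side checks, the RFC 793 window test for data and the RFC 5961 rule that an in-window but inexact RST gets a "challenge ACK" instead of tearing the connection down. The window size, the sequence numbers and the action names are the example's own.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class ReceiveState:
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # how many bytes beyond rcv_nxt it is willing to accept


def _offset(state, seq):
    """Distance from rcv_nxt to seq, modulo 2**32, so wrap-around is handled."""
    return (seq - state.rcv_nxt) & MASK32


def segment_acceptable(state, seq, seg_len):
    """RFC 793 acceptability test: at least one byte of the segment lies in the window."""
    if state.rcv_wnd == 0:
        return seg_len == 0 and _offset(state, seq) == 0
    if _offset(state, seq) < state.rcv_wnd:
        return True
    return seg_len > 0 and _offset(state, seq + seg_len - 1) < state.rcv_wnd


def classify_rst(state, seq):
    """What a RFC 5961-compliant receiver does with a RST carrying sequence number seq."""
    off = _offset(state, seq)
    if off == 0:
        return "reset"           # exact match: the connection is torn down
    if off < state.rcv_wnd:
        return "challenge-ack"   # in window but inexact: send an ACK, keep the connection
    return "drop"                # outside the window: silently discarded


def classify_data(state, seq, seg_len):
    """What the receiver does with a data segment; advances rcv_nxt on in-order delivery."""
    if not segment_acceptable(state, seq, seg_len):
        return "drop"            # out-of-window data is discarded (the receiver just re-ACKs)
    off = _offset(state, seq)
    if off > MASK32 >> 1:        # starts before rcv_nxt: the already-received prefix is ignored
        seg_len -= (MASK32 + 1) - off
        off = 0
    if off == 0:
        state.rcv_nxt = (state.rcv_nxt + seg_len) & MASK32
        return "deliver"         # in order: handed to the application (e.g. telnetd) right away
    return "buffer"              # in window but ahead of rcv_nxt: queued until the gap is filled


if __name__ == "__main__":
    # constructed state: the server expects X = 1000 next and advertises a 29200-byte window
    X = 1000
    st = ReceiveState(rcv_nxt=X, rcv_wnd=29200)
    print("RST with seq == X          ->", classify_rst(st, X))
    print("RST with seq == X + 500    ->", classify_rst(st, X + 500))
    print("RST with seq outside window->", classify_rst(st, X + 29200))
    print("data at X + 100, 10 bytes  ->", classify_data(st, X + 100, 10))   # the 16.17 case
    print("data at X, 100 bytes       ->", classify_data(st, X, 100), "rcv_nxt is now", st.rcv_nxt)
```

Read against 16.13: an off-path attacker who cannot see the packets has to hit a 32-bit sequence space without knowing rcv_nxt, and each guess must also carry the right ports; even an in-window guess only buys a challenge ACK on a modern stack, and that ACK goes to the real peer, not to the attacker. Read against 16.17: the X + 100 segment passes the window test, so the receiver keeps it, but it is queued behind a 100-byte hole and nothing reaches the application until that hole is filled by the legitimate client.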

16.18. Can we launch a TCP session hijacking attack against an SSH connection?


16.19. The Mitnick attack is a variation of the TCP session hijacking attack. This attack involved two computers (we will call them A and B) at the San Diego Supercomputer Center. B trusted A, so if somebody logged in from A, no password would be asked for. Kevin Mitnick wanted to log into B, but he did not know the password, and he had no access to A either. He could only do that remotely. To get in, he would have to fool B into believing that his login request was from A.

Before the login program runs, a TCP connection needs to be made first. Therefore, Mitnick needed to forge a TCP connection request from A to B first. If the connection is established successfully, Mitnick would have all the parameters about the connection, including the port numbers and sequence numbers. He could then use this connection to log into B, and steal information from there.

To simplify the scenario, let us assume that computer A was not even running; only B was running. Please describe how Mitnick would get B to establish a connection with A. In those days, TCP's initial sequence numbers were not randomized, and they were quite predictable.


16.20. UDP services can be used for amplification attacks. Why can TCP not be used for the same attack?


16.21. In the past, we wrote a SYN flooding program using Python, but we could never get the attack to work; there is nothing wrong with the program. After a close look at the attack, we found out that the speed of our Python program is too slow: it can only send out a few spoofed packets in a second. We also found out that there are many Reset packets coming back to the victim machine. Based on this observation, please explain why our Python program could not get the attack to work.
