Networking stuff, from the real world
Robert Graham
Dartmouth, Spring, 2017

OSI MODEL TRUTHS

The OSI is a lie
• Created in late 1970s to describe how terminals talked to mainframes
• TCP/IP model shoehorned into it
  – The OSI Model has been “retconned” to fit TCP/IP
• There is no session layer
  – Yes, session concepts, but no layer
• There is no presentation layer
  – Yes, presentation concepts, but no layer
• There is not even an application layer
  – Applications are on top of the application layer, not the application layer themselves

There are only 4 layers
• Transport (TCP, UDP, SCTP)
• Internetwork (IPv4, IPv6)
• Local data link (Ethernet, WiFi)
• Local physical (Ethernet, WiFi)

Local physical layer
• AS FAR AS: the local wire (or into the air)
• UNIT: bits

Local link
• AS FAR AS: next hop
• UNIT: frames (local address, CRC checked)
• STRIPPED OFF BEFORE NEXT HOP
• Other non-Ethernet links exist
  – MPEG-TS, ATM, Frame Relay, PPP, etc.

Internetwork layer
• AS FAR AS: other end (end-to-end)
• UNIT: packet

Transport layer
• AS FAR AS: remote application
• UNIT: stream, datagram

Sideways/up-downs
• Only two up/down APIs
  – TCP/IP is a unified whole in the operating system with sockets as API on top
  – Ethernet is a unified whole with packet driver on top
• There’s no sideways
  – It’s a bad analogy that leads to confusion

[Figure: layer-stack diagram. Box labels: Transport, Network, Link, Physical.]

There used to be many Internets
• Xerox IDP/SDP
• Novell IPX/SPX
• AppleTalk
• DECnet
• SNA
• Banyan Vines
• GOSIP
  – ISO/OSI to fit the model

GOSIP failed
• It really was designed to fit that model
• Optimizations to overcome what’s broken
  – Session setup inside Transport setup packets
  – Session layer added invisible bytes to packets
• So much overhead could never work right
• Yet we still get X.509 in today’s networks
• And LDAP

WHAT DOES IPV6 SOLVE?

Trick question
• Already 10 billion devices on the IPv4 Internet
• So obviously, “more addresses” is not something that needed to be solved

WHERE COOKIES COME FROM

Where do cookies come from?
• Most web-app writers aren’t too clear on this
  – “It’s part of PHP”
• They come from the HTTP header

GET / HTTP/1.0
Host: www.example.com
Cookie: foo=bar;

200 OK
Server: Apache/1.0
Set-Cookie: foo=bar2

Why this is important
• Everything goes across the wire in a concrete form
  – It’s never magic
  – It’s always something that follows concrete rules
• Hackers can manipulate this on the wire
• Or hackers can manipulate this from hostile systems
• Nothing can be trusted

The failure of RPC
• Remote procedure call
  – SunRPC (ONC RPC) with NFS
  – MS-RPC (DCE RPC) with Windows
• DCOM object oriented RPC
• Passed internal data between machines invisibly
  – Blaster Worm
  – \\machinename
  – Even pointer values

TCP CHECKSUMS

TCP checksums
• Detects all 1-bit errors
• Detects most 2-bit errors
  – “most” isn’t enough
  – It means “some” aren’t detected

Every step should be protected
• Ethernet/links are CRC protected
• PCIe transfers are CRC protected
• CPU caches are parity or ECC protected
• Intrachip transfers are protected
• RAM is ECC protected on high-end systems

How it really works
• Not so much
• Especially in cheaper devices
• Especially RAM
• Especially permanent errors in RAM cells
• Visible comparing packets with retransmits
  – Errors smeared across adjacent bytes
Bad RAM in non-ECC devices is the #1 cause of undetected TCP errors

Bit-rot
• gmail.com -> gmakl.com

Bit-rot comes from everywhere
• Bits flipped on the network
• Bits flipped in RAM
• Bits flipped on hard drives
• Consequence:
  – Gmakl.com gets steady stream of spam

Solution
• Independent checksums
  – BitTorrent
  – Bitcoin
  – Anything SHA2
• You really need to do this in your custom software
• Google does with their internal stuff

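
Added example (not from the original slides) for the TCP checksums and Solution slides: the gmail.com -> gmakl.com flip alone changes the TCP checksum, but paired with a second flip in the same bit column of another 16-bit word the checksum is unchanged, while an independent check still catches it. CRC-32 is used here only as a short, self-contained stand-in for the SHA-2 class of check the slide names; the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum (the one TCP uses): ones' complement of the
 * ones' complement sum of big-endian 16-bit words. */
uint16_t inet_checksum(const unsigned char *p, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;     /* odd tail byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);  /* fold the carries back in */
    return (uint16_t)~sum;
}

/* Bitwise CRC-32 (IEEE 802.3 polynomial). Stand-in for an independent,
 * application-level check; not a cryptographic hash. */
uint32_t crc32_ieee(const unsigned char *p, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    size_t i;
    int b;

    for (i = 0; i < len; i++) {
        crc ^= p[i];
        for (b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

struct bitrot_result {
    unsigned char one_flip[16];   /* "gmakl.com": one bit flipped          */
    unsigned char two_flips[16];  /* "gmakl,com": plus a compensating flip */
    uint16_t sum_orig, sum_one, sum_two;
    uint32_t crc_orig, crc_two;
};

/* Constructed input: the host name from the Bit-rot slide. */
void bitrot_demo(struct bitrot_result *r)
{
    static const unsigned char orig[] = "gmail.com";
    size_t len = sizeof orig - 1;

    memset(r, 0, sizeof *r);
    memcpy(r->one_flip, orig, len);
    r->one_flip[3] ^= 0x02;               /* 'i' 0x69 -> 'k' 0x6B (0 -> 1) */
    memcpy(r->two_flips, r->one_flip, len);
    r->two_flips[5] ^= 0x02;              /* '.' 0x2E -> ',' 0x2C (1 -> 0) */

    /* Bytes 3 and 5 are both the low byte of a 16-bit word, so the two
     * flips add 2 to one word and subtract 2 from another: the sum, and
     * therefore the checksum, cannot change. */
    r->sum_orig = inet_checksum(orig, len);
    r->sum_one  = inet_checksum(r->one_flip, len);
    r->sum_two  = inet_checksum(r->two_flips, len);
    r->crc_orig = crc32_ieee(orig, len);
    r->crc_two  = crc32_ieee(r->two_flips, len);
}

int main(void)
{
    struct bitrot_result r;

    bitrot_demo(&r);
    printf("1 flip  %-10s checksum %s\n", (const char *)r.one_flip,
           r.sum_one == r.sum_orig ? "UNCHANGED" : "changed");
    printf("2 flips %-10s checksum %s, crc32 %s\n", (const char *)r.two_flips,
           r.sum_two == r.sum_orig ? "UNCHANGED" : "changed",
           r.crc_two == r.crc_orig ? "UNCHANGED" : "changed");
    return 0;
}
```
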
SMALL PACKETS

The small packet problem
• The same as “buying in bulk” problem
  – Lots of small packets more expensive than fewer large packets
• Typical small packet problems
  – Port scanning
  – VoIP audio traffic
  – SIP
  – DNS

Benchmarks
• Large packet performance says little about small packet performance
• Example: USB Ethernet
  – Full bandwidth at large packet sizes
    • 400-mbps on USB 2.0
    • 1000-mbps on USB 3.0
  – Not even 100 mbps on small packet sizes
    • 10,000 to 100,000 packets-per-second
    • … rather than 1,500,000 packets-per-second

Ethernet max packet rate for 1 gbps
• http://blog.erratasec.com/2013/10/whats-max-speed-on-ethernet.html
• 1.488 million packets per second at 64-bytes per packet
  – Interframe gap, Preamble, CRC, padding, etc.
• 476-mbps using minimum packet sizes
• ISP measured bandwidth != Ethernet bandwidth at port
  – ISP uplinks don’t include Ethernet header, padding, etc.

Your UDP app
• ~250k to ~700k packets-per-second naïve
• 2-million with Linux multicore optimizations
  – SO_REUSEPORT: many socket handles, one UDP port
  – Multiple Ethernet receive queues
• 7-million with many more cores and extreme Linux optimizations
• FYI: 30-million if you bypass the Linux kernel

LINUX OPTIMIZATION HOW-TO

Basic Linux
• Increase file descriptors
• Recompile kernel for optimizations
• Ethernet optimization
• TCP/IP optimizations

Perf tools
• Use “perf” to find where in kernel things are stuck
• Usually turn it off
• E.g.
  – Turn off netfilter for 4%

SEND() DOESN’T SEND

send()
• bytes_sent = send(bytes_to_send)
  – If socket is non-blocking, bytes_sent may be fewer than bytes_to_send
  – There is a limit in outgoing kernel send buffers
  – There is a limit on incoming kernel receive buffers on the other side
• It happens at scale
  – You won’t see it until it matters
  – Really hard to create test case for

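
Added example (not from the original slides): a send loop that treats the return value of send() as the number of bytes actually accepted, plus a reproducible test case that forces short sends by pushing more data through a non-blocking local socketpair than the kernel buffer holds. The names send_some, xfer_stats and demo_partial_send are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct xfer_stats {
    unsigned send_calls;    /* send() calls made */
    unsigned short_sends;   /* calls that accepted fewer bytes than offered */
    unsigned would_block;   /* calls refused with EAGAIN/EWOULDBLOCK */
};

/* Push buf[*off .. len) into a non-blocking socket, advancing *off by what
 * the kernel actually accepted. Returns 1 when everything is queued, 0 when
 * the send buffer is full (wait for writability, call again), -1 on error. */
int send_some(int fd, const unsigned char *buf, size_t len, size_t *off,
              struct xfer_stats *st)
{
    while (*off < len) {
        size_t want = len - *off;
        ssize_t n = send(fd, buf + *off, want, 0);

        st->send_calls++;
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EAGAIN || errno == EWOULDBLOCK) {
                st->would_block++;
                return 0;
            }
            return -1;
        }
        if ((size_t)n < want)
            st->short_sends++;      /* the case naive code never checks */
        *off += (size_t)n;
    }
    return 1;
}

static int set_nonblocking(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : fcntl(fd, F_SETFL, fl | O_NONBLOCK);
}

/* Constructed demo: move len patterned bytes across a local socketpair,
 * playing both sender and receiver in one thread. A real sender would wait
 * in poll()/epoll for POLLOUT instead of draining the peer itself.
 * Returns 0 if every byte arrived intact and in order. */
int demo_partial_send(size_t len, struct xfer_stats *st)
{
    int sv[2], rc = -1;
    size_t i, sent = 0, rcvd = 0;
    unsigned char *src, *dst;

    memset(st, 0, sizeof *st);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    src = malloc(len);
    dst = malloc(len);
    if (!src || !dst || set_nonblocking(sv[0]) < 0 || set_nonblocking(sv[1]) < 0)
        goto done;
    for (i = 0; i < len; i++)
        src[i] = (unsigned char)(i * 31u + 7u);

    while (rcvd < len) {
        if (sent < len && send_some(sv[0], src, len, &sent, st) < 0)
            goto done;
        while (rcvd < len) {                 /* peer drains what arrived */
            ssize_t n = recv(sv[1], dst + rcvd, len - rcvd, 0);
            if (n > 0)
                rcvd += (size_t)n;
            else if (n < 0 && errno == EINTR)
                continue;
            else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
                break;                       /* nothing more queued yet */
            else
                goto done;                   /* EOF or hard error */
        }
    }
    rc = memcmp(src, dst, len) == 0 ? 0 : -1;
done:
    free(src);
    free(dst);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct xfer_stats st;
    int rc = demo_partial_send(4u * 1024u * 1024u, &st);

    printf("rc=%d send_calls=%u short_sends=%u would_block=%u\n",
           rc, st.send_calls, st.short_sends, st.would_block);
    return rc ? 1 : 0;
}
```
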
Where I see this
• Short/long lines in email messages
• http://harrypotter.wikia.com/wiki/Splinching

--20cf307813b8ac926404b1628ab5
Content-Type: application/msword;
    name="Prospectus for a Transportation Technologies Incubator v4.doc"
Content-Disposition: attachment;
    filename="Prospectus for a Transportation Technologies Incubator v4.doc"
Content-Transfer-Encoding: base64
X-Attachment-Id: e953d37b7ed4bd1f_0.1

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAANAAAAAAAAAAAAAAAAAAAqAMAAAAAAACoAwAAAAAAAKgDAAAAAAAAqAMAABQAAAAAAAAAAAAAALwDAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAgAACwAAAAsCAAAFAAAALwDAAAAAAAAKg8AAG4BAABMCAAAAAAAAEwIAAAAAAAAAAAAEwIAAAAAAAAJwkAAAAAAAAnCQAAAAAAACcJAAAAAAAAqQ4AAAIAAACrDgAAAAAAAKsOAAAAAAAAqw4AAAAAAACrDgAAAAAAAKsOAAAAAAAAqw4AACQAAACYEAAAaAIAAAATAADUAAAAzw4AABUAAAAAAAAAAAAAAAAAAAAAAAAAqAMAAAAAAABWCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnCQAAAAAAACcJAAAAAAAAVgoAAAAAAABWCgAAAAAAAM8OAAAAAAAA
Project idea: Dartmouth SMTP
• Monitor all Dartmouth incoming/outgoing email
• Count % splinched emails
• Count amount of TCP receive-windows-full packets

RECV() DOESN’T RECEIVE ENOUGH – OR RECEIVES TOO MUCH

recv()
• bytes_recvd = recv(bytes_to_recv)
  – Other side may not have sent enough bytes
  – Other side might have sent too many bytes
• It happens at scale
• It happens because of odd software on other side

Where I’ve seen this
• Line-oriented protocols
  – HTTP, FTP, SMTP
• Typical FTP software
  – Assumes entire line has been received
    • Short lines without \n then get truncated
    • Remainder is assumed to be start of next line
  – Assumes no more than one line received
    • Parses until \n, discards remainder
    • Next packet assumes start of next line

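
Added example (not from the original slides): the flawed "one recv() is one line" parser described above, next to a line buffer that carries partial lines across reads and handles several lines in one read. The chunk contents, the 512-byte line cap and all names are constructed for this example; the chunks stand in for what successive recv() calls might return.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 512              /* assumed per-line limit for this example */

struct linebuf {
    char   buf[LINE_CAP];
    size_t used;                  /* bytes of an unfinished line carried over */
    int    overflow;              /* line exceeded LINE_CAP: drop until '\n'  */
};

struct collected {                /* demo sink: records each parsed line */
    char   line[8][64];
    size_t n;
};

static void collect(struct collected *out, const char *s, size_t len)
{
    if (out->n < 8 && len < sizeof out->line[0]) {
        memcpy(out->line[out->n], s, len);
        out->line[out->n][len] = '\0';
        out->n++;
    }
}

/* Stream-safe: feed exactly what one recv() returned, any size, any split.
 * A line is delivered only once its '\n' has arrived. */
void linebuf_feed(struct linebuf *lb, const char *data, size_t len,
                  struct collected *out)
{
    size_t i;

    for (i = 0; i < len; i++) {
        char c = data[i];
        if (c == '\n') {
            if (!lb->overflow) {
                size_t n = lb->used;
                if (n && lb->buf[n - 1] == '\r')
                    n--;                        /* strip CR of CRLF */
                collect(out, lb->buf, n);
            }
            lb->used = 0;
            lb->overflow = 0;
        } else if (!lb->overflow) {
            if (lb->used < sizeof lb->buf)
                lb->buf[lb->used++] = c;
            else
                lb->overflow = 1;   /* too long: reject the whole line rather
                                       than let its tail become a new command */
        }
    }
}

/* The flawed pattern from the slide: treat each read as exactly one line. */
void naive_feed(const char *data, size_t len, struct collected *out)
{
    size_t n = 0;

    while (n < len && data[n] != '\n')          /* parse until \n ...       */
        n++;
    if (n && data[n - 1] == '\r')
        n--;
    collect(out, data, n);                      /* ... discard the remainder */
}

/* Constructed input: four FTP commands split across three reads. */
static const char *const CHUNKS[] = {
    "USER anon", "ymous\r\nPASS gu", "est\r\nSYST\r\nQUIT\r\n"
};
#define NCHUNKS (sizeof CHUNKS / sizeof CHUNKS[0])

size_t run_buffered(struct collected *out)
{
    struct linebuf lb;
    size_t i;

    memset(&lb, 0, sizeof lb);
    memset(out, 0, sizeof *out);
    for (i = 0; i < NCHUNKS; i++)
        linebuf_feed(&lb, CHUNKS[i], strlen(CHUNKS[i]), out);
    return out->n;
}

size_t run_naive(struct collected *out)
{
    size_t i;

    memset(out, 0, sizeof *out);
    for (i = 0; i < NCHUNKS; i++)
        naive_feed(CHUNKS[i], strlen(CHUNKS[i]), out);
    return out->n;
}

int main(void)
{
    struct collected c;
    size_t i, n;

    n = run_naive(&c);
    for (i = 0; i < n; i++) printf("naive:    [%s]\n", c.line[i]);
    n = run_buffered(&c);
    for (i = 0; i < n; i++) printf("buffered: [%s]\n", c.line[i]);
    return 0;
}
```
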
HTTP servers
• Sending multiple requests before a response has been received

“pipelining”
• Means you can send more data than expected and it’s not lost
• Not pipelining means you can’t

Project idea: masscan
• Idea
  – Masscan FTP port (21)
  – Send truncated packets without \n followed by rest of line
  – Send excess packets with data after \n
  – Test how many have flawed responses

TCP IS A STREAM

Example: Snort rules for ETERNALBLUE (WannaCry)
• Tests for packet payloads that start with string “SMB”
• But TCP is a stream
  – I can split payloads arbitrarily
  – I can stick SMB at the end of the previous packet instead of the start of this packet
  – Especially since SMB supports “pipelining”

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:3;)

“Packets” are arbitrary
• The packet is layer 3
• Layer 2 and below are not part of the packet
• Layer 4 and above are not part of the packet
  – In that where layer 3 boundaries match layer 4 boundaries is purely coincidental
Packets are a single block of data, but of independent parts

BYTE-ORDER

ntohs() is wrong
• You should be handling byte-order the same way as with every other language
  – n = buf[0]<<8 | buf[1];
  – n = buf[0]*256 + buf[1];
• Never use ntohs() style functions when parsing
  – Never cast/overlay packed structures

ntohs() is wrong
• Never store integers inverted
  – The ‘int’ type always means in the machine byte-order
  – If you must, then create a new type, such as “external_int” to hold (possibly) inverted integers
  – [byte-order problem is a type problem]
• Use it only when dictated by sockets API
  – sin.sin_port = htons(80);
  – but IPv6 getaddrinfo() gets rid of this

ntohs() never worked anyway
• For decades, Solaris apps mysteriously failed with “bus error” because while ntohs() solves byte-order, it doesn’t solve alignment

external != internal
• Internal byte-order is unknown and unknowable
  – It’s abstract
• External byte-order is known
  – It’s concrete
  – Even: don’t fear “magic numbers”, because it’s that concrete
    • if (ip_ver == 4) … else if (ip_ver == 6) … else …
  – If you change the value in a .h file, your code will fail to interoperate with the other side

PARSING IS A THING

Where hacked vulns come from
• Because schools don’t teach how to parse input
  – … so people come up with ad hoc solutions themselves
• All these vulns (like the one in WannaCry) come from failure to parse correctly
• Distrust all input you read from the network
  – Assume the sender is a hacker trying to trick you
  – Validate first before using it
  – … and stuff

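
Added example (not from the original slides) for the byte-order and parsing slides: an IPv4 header parsed byte by byte with shifts, no ntohs() and no struct overlay, with every length field validated against the bytes actually received before it is used. The sample packet is constructed (documentation addresses 192.0.2.1 and 192.0.2.2, header checksum left as zero and not verified) and deliberately starts at an odd address; all names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum parse_result {
    PARSE_OK = 0, PARSE_TRUNCATED, PARSE_NOT_IPV4,
    PARSE_BAD_HEADER_LEN, PARSE_BAD_TOTAL_LEN
};

struct ipv4_info {                 /* internal form: plain host integers */
    unsigned version, header_len, total_len, ttl, protocol;
    uint32_t src, dst;
};

/* External (wire) byte order is fixed, so read it one byte at a time.
 * Works on any CPU endianness and at any alignment. */
static unsigned rd_be16(const unsigned char *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

static uint32_t rd_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* buf/len describe the bytes actually received; nothing past len is read. */
int parse_ipv4(const unsigned char *buf, size_t len, struct ipv4_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1)
        return PARSE_TRUNCATED;
    out->version = buf[0] >> 4;
    if (out->version != 4)                    /* wire constant, not a tunable */
        return PARSE_NOT_IPV4;
    out->header_len = (buf[0] & 0x0Fu) * 4u;
    if (out->header_len < 20)                 /* attacker-chosen field */
        return PARSE_BAD_HEADER_LEN;
    if (len < out->header_len)
        return PARSE_TRUNCATED;
    out->total_len = rd_be16(buf + 2);
    if (out->total_len < out->header_len || out->total_len > len)
        return PARSE_BAD_TOTAL_LEN;           /* claims more than we hold */
    out->ttl      = buf[8];
    out->protocol = buf[9];
    out->src      = rd_be32(buf + 12);
    out->dst      = rd_be32(buf + 16);
    return PARSE_OK;
}

#define SAMPLE_LEN 28
/* Constructed packet: one pad byte, 20-byte IPv4 header, 8-byte UDP header. */
static const unsigned char SAMPLE[1 + SAMPLE_LEN] = {
    0xAA,                                     /* pad: header is misaligned */
    0x45, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 0xC0, 0x00, 0x02, 0x01,
    0xC0, 0x00, 0x02, 0x02,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

/* Parse a copy of the sample with header byte idx overwritten by val
 * (idx < 0 leaves it intact) and only avail bytes "received". */
int parse_patched(int idx, unsigned char val, size_t avail,
                  struct ipv4_info *out)
{
    unsigned char buf[sizeof SAMPLE];

    memcpy(buf, SAMPLE, sizeof buf);
    if (idx >= 0 && idx < SAMPLE_LEN)
        buf[1 + idx] = val;
    if (avail > SAMPLE_LEN)
        avail = SAMPLE_LEN;
    return parse_ipv4(buf + 1, avail, out);
}

int main(void)
{
    struct ipv4_info h;

    printf("intact      -> %d\n", parse_patched(-1, 0, SAMPLE_LEN, &h));
    printf("src=%08lx dst=%08lx proto=%u len=%u\n",
           (unsigned long)h.src, (unsigned long)h.dst, h.protocol, h.total_len);
    printf("IHL=1       -> %d\n", parse_patched(0, 0x41, SAMPLE_LEN, &h));
    printf("len=0xFF1C  -> %d\n", parse_patched(2, 0xFF, SAMPLE_LEN, &h));
    printf("10 bytes    -> %d\n", parse_patched(-1, 0, 10, &h));
    return 0;
}
```
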
IPV6 APPS AND GETADDRINFO()

Your app has to resolve names to IP addresses
• getaddrinfo() does DNS resolution
• Also parses IP addresses from text to binary
• No longer use gethostname()

Use getaddrinfo()
• Magically makes your code support both IPv4 and IPv6

Don’t use getaddrinfo()
• It’s not thread safe
  – Use only from the configuration thread
  – May crash otherwise
• It’s not scalable
  – Don’t use when user tries to configure thousands of addresses
  – Don’t use it to reverse-lookup incoming IP addresses on a server in order to log DNS names
  – Consider using inet_pton() when parsing numeric addresses, maybe
https://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/

Family
• freeaddrinfo()
• getpeername()
• inet_pton()
• inet_ntop()

What is the deal with DNS anyway?
• How long do you cache the name returned by getaddrinfo(), before refreshing it?
• What if it returns an error? Do you ask for it again?
• Can I reuse an old one if refreshing fails?
• When a botnet takes down DNS, does this mean your internal app fails?

INTERNET SCALE AND ASYNCHRONOUS

How you learn
• How networking works at all
  – Spawn threads
  – recv()/send() with blocking calls
  – This is bad because it supports only a few thousand connections
  – Because the operating-system can only schedule a few thousand active threads

Thread scheduler is packet scheduler
• This means that every incoming TCP packet causes the thread associated with the socket to be scheduled as runnable
• Services exposed to the Internet
  – With millions of incoming TCP connections
  – With hackers trying to mess things up

Not even kidding

Asynchronous
• One thread
  – … or one thread per CPU
• epoll(), libevent, or libuv
  – Selects whichever socket has pending data
  – Don’t use select() or poll() as they aren’t scalable either
• Can handle 100,000
  – Or 1-million with OS tuning and hefty CPU

Project: test with masscan
• masscan can generate millions of TCP connections
• I could get nginx to 450,000 TCP connections

ISLAND OF MISFIT PACKETS

Project idea
• Responses from wrong IP address
  – Both UDP and TCP
  – Should be impossible for TCP
• Checksum errors
• Constant replies
  – Sometimes application layer
  – Sometimes underlying stack
• 2 million addresses respond to any SYN
• So many “accelerators”

SOME CODE

Some of my github stuff
• Runs on Windows, Linux, and macOS
• Written in C
• Clients and servers
• Virtually no htons() style functions
  – Just for setting sin_port

Telnetlogger (server)
• Used for the Mirai IoT botnet
• Logs passwords for incoming TCP connections
• https://github.com/robertdavidgraham/telnetlogger/

BIND tkill
• Simple client, sends DoS to bind
• https://github.com/robertdavidgraham/cve-2015-5477/
• getaddrinfo() example
  – Connects to all hosts returned by getaddrinfo() DNS query, IPv4 or IPv6
• No htons() style functions

Heartleech (client)
• Exploits Heartbleed to scrape SSL certificates from vulnerable systems
• Example how to use SSL
  – Warning: needs special version of SSL to compile to exploit heartbleed
• https://github.com/robertdavidgraham/heartleech
• (no htons() at all)

masscan
• https://github.com/robertdavidgraham/masscan
• Millions of packets-per-second
• Millions of concurrent TCP connections
• Custom TCP/IP
  – very limited
  – Like your homework

HOW BIG IS 4 BILLION?

Masscan demo
• masscan 0.0.0.0/0 -p<something> --banners --rate <something>