Telematics Exam: DNS Security Solutions
25 Questions

Questions and Answers

How and where can DNS be attacked? (Give 3 different answers)

  • Cache poisoning (correct)
  • Redirection (correct)
  • Forging requests or responses (correct)
  • Spoofing of DNS servers on different levels (correct)

Why is DNS vulnerable?

Unencrypted requests/responses, unverified answers, unauthorised servers, unprotected caches: everything rests on the simple assumption “don't lie about others” and on trust among the involved systems.

What can happen, if DNS gives wrong answers? What can be done against this (name two solutions)?

  • Cutting of part of the name space (correct)
  • Choosing DNS server directly (e.g., 8.8.8.8) (correct)
  • Using DNSSEC (correct)
  • Redirection of mapping name to IP address (correct)
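The three questions above describe the attack surface in words. The following Python code is an added example and not part of the exam solutions: it builds DNS messages in wire format and implements the checks a resolver runs before it caches an answer (transaction ID, destination port, echoed question section, bailiwick of the answer records). All names, addresses and port numbers are constructed for the demonstration.

```python
"""Forged DNS responses versus the acceptance checks of a careful resolver.

Added example, not taken from the page: a minimal DNS wire-format builder and
parser plus the checks a resolver runs before caching an answer. All names,
addresses and port numbers below are constructed for the demonstration.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire form of a name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, qname, answers, ttl=3600):
    """answers: list of (owner_name, dotted_ipv4) A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + body


def parse_response(msg):
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "qtype": qtype, "answers": answers}


def in_bailiwick(owner, zone):
    return owner == zone or owner.endswith("." + zone)


def accept_response(pending, msg, to_port, zone):
    """Decide which answer records a resolver may cache.

    pending : (txid, ephemeral_port, qname) of the single outstanding query
    to_port : UDP port the response was delivered to
    zone    : zone the queried server is authoritative for
    Returns the cacheable A records, or [] if the message fails a check.
    """
    txid, port, qname = pending
    r = parse_response(msg)
    if r["txid"] != txid or to_port != port:            # blind spoofer must guess both
        return []
    if r["qname"] != qname or r["qtype"] != TYPE_A:      # question must echo ours
        return []
    # "Don't lie about others": records outside the server's bailiwick are
    # discarded rather than cached; caching them is classic cache poisoning.
    return [rr for rr in r["answers"] if in_bailiwick(rr[0], zone)]


def spoof_success_probability(port_randomised):
    """Chance that one blind forged packet matches both ID and port."""
    ports = 64512 if port_randomised else 1             # 1024..65535, or one fixed port
    return 1.0 / (65536 * ports)


if __name__ == "__main__":
    pending = (0x1234, 40000, "www.example.")
    query = build_query(pending[0], pending[2])
    genuine = build_response(0x1234, "www.example.", [("www.example.", "192.0.2.10")])
    poison = build_response(0x1234, "www.example.",
                            [("www.example.", "192.0.2.10"), ("login.bank.test.", "203.0.113.7")])
    print(len(query), accept_response(pending, genuine, 40000, "example."))
    print(accept_response(pending, poison, 40000, "example."))
    print(spoof_success_probability(False), spoof_success_probability(True))
```

Without source-port randomisation a blind attacker only has to guess the 16-bit transaction ID, which is why spoof_success_probability(False) is 1/65536 per forged packet; with randomised ports the search space grows by a factor of about 64 000. The bailiwick filter is what keeps the extra login.bank.test. record in the poison message out of the cache; DNSSEC goes one step further and lets the resolver verify a signature on the remaining record instead of trusting where it came from.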

How does DNS ensure the uniqueness of names? Who owns the names in DNS?

Uniqueness at the top level; within each top-level domain uniqueness at the second level; within each second-level domain uniqueness at the third level, and so on. On each level the NIC/administrator of that level manages and distributes names to owners; the owner is registered in a database.

What is the difference between recursive and iterative name resolution?

Iterative: the node returns a pointer (referral) to the requester, which then sends further requests itself (A). Recursive: the request is answered by the requested node, which may itself send further requests to subsequent nodes without involvement of the requester (B).
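Added example, not from the page: the same in-memory name tree walked both ways. Zone names, server names and the address are constructed; each "server" is a dictionary of the records it is authoritative for, and an NS record carries the name of the child server directly (glue folded in).

```python
"""Iterative versus recursive resolution over a constructed in-memory name tree.

Added example, not from the page. Zone names, server names and the address
are made up; each "server" is a dict of the records it is authoritative for,
and an NS record carries the name of the child server directly (glue folded in).
"""

SERVERS = {
    "root":         {"zone": ".",            "records": {"com.": ("NS", "tld-com")}},
    "tld-com":      {"zone": "com.",         "records": {"example.com.": ("NS", "auth-example")}},
    "auth-example": {"zone": "example.com.", "records": {"www.example.com.": ("A", "192.0.2.10")}},
}


def lookup(server, name):
    """One query to one authoritative server.

    Returns ("answer", address), ("referral", next_server) or ("nxdomain", None).
    """
    records = SERVERS[server]["records"]
    if name in records and records[name][0] == "A":
        return "answer", records[name][1]
    best = None                       # closest enclosing delegation (longest zone cut)
    for owner, (rtype, value) in records.items():
        if rtype == "NS" and (name == owner or name.endswith("." + owner)):
            if best is None or len(owner) > len(best[0]):
                best = (owner, value)
    if best:
        return "referral", best[1]
    return "nxdomain", None


def resolve_iterative(name, start="root", max_hops=10):
    """The client walks the tree itself: every referral is a pointer it follows."""
    trail, server = [], start
    for _ in range(max_hops):
        kind, value = lookup(server, name)
        trail.append((server, kind))
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value
    raise RuntimeError("too many referrals")


def resolve_recursive(name, server="root"):
    """The queried server does the whole walk; the client sees a single round trip."""
    kind, value = lookup(server, name)
    if kind == "referral":
        return resolve_recursive(name, value)
    return value                      # address for "answer", None for "nxdomain"


if __name__ == "__main__":
    address, trail = resolve_iterative("www.example.com.")
    print("iterative:", address, "via", " -> ".join(f"{s}({k})" for s, k in trail))
    print("recursive:", resolve_recursive("www.example.com."))
```

In the iterative walk the client holds all the state and has to sanity-check every referral itself; in the recursive mode that trust, and the cache that goes with it, moves into the recursive resolver, which is why recursive resolvers are the classic target of cache poisoning.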

What is the focus of congestion and flow control, respectively? Why are they needed?

Congestion control: focus on the network; tries to avoid congestion in the network; needed to keep the network stable. Flow control: focus on the end-system; tries to avoid overloading the receiver. Both are needed to avoid packet loss due to buffer overflow (in routers or in end-systems, respectively).

What does a duplicated ACK in TCP tell the sender? What is the idea of fast recovery?

At least some packets get through the network, so there is no severe congestion or complete link failure. Fast recovery avoids slow start (where the congestion window restarts at 1 MSS) and instead continues right away with half the old congestion window.

What determines the flow of data in TCP? Name three issues and describe!

Receiver window: shows the capabilities of the receiver, must be respected by the sender, can even be 0 to choke transmission (A). Link layer data rate: indirectly determines the flow by determining the buffer fill state in e.g. routers and thus the queueing delay contributing to the RTT (B). RTT: determines the time for each round, e.g. each increase of the congestion window (C). Error rate: determines the amount of retransmission, but also triggers slow start (D).

How can TCP detect a congestion? Describe briefly! What are the pros and cons of the two solutions?

Implicit: the sender experiences a time-out, ACKs arrive too late or are missing, and it concludes from late/missing ACKs that the network is congested (A). Explicit: using the ECN bits in the IP header, set by routers experiencing congestion (buffers filling up); the receiver echoes the mark to the sender using the ECE bit in the TCP header (B).
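Added example, not from the page: a small Reno-style sender state machine (window sizes in MSS) that reacts to the two implicit signals discussed above, duplicate ACKs and timeouts, to the explicit ECN echo, and to the receiver window. The initial ssthresh and the event sequence in the demo are illustrative choices.

```python
"""TCP Reno-style congestion control, event by event.

Added example, not from the page: a sender state machine in MSS units that
reacts to the implicit signals (duplicate ACKs, timeout) and the explicit one
(ECN echo), with the receiver window as the flow-control cap. Initial ssthresh
and the event sequence are illustrative choices.
"""


class RenoSender:
    def __init__(self, ssthresh=64, rwnd=1000):
        self.cwnd = 1                 # slow start begins at 1 MSS
        self.ssthresh = ssthresh
        self.rwnd = rwnd              # receiver window advertised by the peer
        self.phase = "slow-start"

    def send_window(self):
        """Flow control (rwnd) and congestion control (cwnd) both cap in-flight data."""
        return min(self.cwnd, self.rwnd)

    def on_rtt_all_acked(self):
        """One RTT passed and every segment was acknowledged."""
        if self.cwnd < self.ssthresh:
            self.cwnd = min(self.cwnd * 2, self.ssthresh)     # exponential growth
        else:
            self.cwnd += 1                                     # additive increase
        self.phase = "slow-start" if self.cwnd < self.ssthresh else "congestion-avoidance"
        return self.cwnd

    def on_triple_dup_ack(self):
        """Implicit signal: later segments got through, so only one was lost.
        Fast recovery halves the window instead of restarting from 1 MSS."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = self.ssthresh
        self.phase = "congestion-avoidance"
        return self.cwnd

    def on_timeout(self):
        """Implicit signal: nothing came back at all, treat as severe congestion."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1
        self.phase = "slow-start"
        return self.cwnd

    def on_ecn_echo(self):
        """Explicit signal: a router set CE in the IP header and the receiver
        echoed it with ECE in the TCP header. RFC 3168 says react as to a
        single loss, but nothing has to be retransmitted."""
        return self.on_triple_dup_ack()

    def on_window_update(self, rwnd):
        """Receiver advertises a new window; 0 chokes the sender completely."""
        self.rwnd = rwnd
        return self.send_window()


def trace(sender, events):
    """Feed a list of event names and return the cwnd after each one."""
    handlers = {"ack": sender.on_rtt_all_acked, "dup": sender.on_triple_dup_ack,
                "timeout": sender.on_timeout, "ecn": sender.on_ecn_echo}
    return [handlers[event]() for event in events]


if __name__ == "__main__":
    s = RenoSender(ssthresh=16)
    for event in ["ack"] * 5 + ["dup", "ack", "timeout", "ack", "ack", "ack", "ecn"]:
        cwnd = trace(s, [event])[0]
        print(f"{event:8s} cwnd={cwnd:3d} ssthresh={s.ssthresh:3d} {s.phase}")
```

Run stand-alone, the trace shows the window doubling per RTT in slow start, growing by one MSS per RTT in congestion avoidance, halving on three duplicate ACKs (fast recovery) and collapsing to 1 MSS on a timeout. An ECN echo is handled like a single loss, as RFC 3168 prescribes; that is the "pro" of explicit notification: the sender backs off before the queue actually overflows and nothing has to be retransmitted. The "con" is that every router on the path and both end-systems must support and honour the bits, and a middlebox that clears them silently turns the connection back into the implicit mode.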

Why can't we build large networks with many nodes based on switches only?

Flat address space: there is no address aggregation, so every address would have to be stored individually in the switches. A logical (spanning) tree is required to avoid loops, which is not feasible in large/world-wide networks, and since frames carry no TTL a loop-free tree is mandatory.

How is routing scalability in the Internet handled?

Hierarchies: routing concerns only limited regions; IGP/EGP; an AS uses an IGP inside and an EGP to connect to other ASes; an AS is a black box from the outside; no complete view of the topology is needed; routing inside an AS is independent from the outside; only the EGP must be compatible world-wide.

What are differences between routing and forwarding? Name two!

Routing is often done in software, forwarding with hardware support (A). Routing is not that time-critical, forwarding is extremely time-critical (B). Routing can result in different paths with different priorities to choose from, forwarding gives one mapping from address to port (C). Routing is a distributed process, forwarding is local only (D). The routing table is much larger, the forwarding table is the final product of the routing process (E).

Give 3 examples for routing metrics!

Drop rate (A), hop count (B), data rate (C), interference (D), cost (E), delay (F)

Besides scalability, what is missing in standard link-state and distance vector routing protocols? How does BGP handle these issues?

Policies. BGP is a path-vector protocol: complete paths to prefixes are exchanged, so different policies can be applied: paths are accepted or dropped based on policy, and advertisements are also made based on policy (A). Because paths, not just distances, are known, BGP can also handle asymmetric routing (B).

Why is it so easy to announce "false" paths?

BGP is based on trust between peering partners; the original version does not allow any verification of routing data, so false announcements cannot be detected: an AS can claim to be the owner of a prefix, and path announcements can be manipulated.

Why can RPKI also help in the web ecosystem - isn't it enough to encrypt web pages?

TLS can encrypt content, but can do nothing against e.g. forged certificates (obtainable by hijacking the victim's prefix while a CA performs domain validation) or blackholing; an attacker can manipulate routing, so traffic may never reach the web server or may be redirected; the web server is not even aware of the attack; DoS is made easy.
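Added example, not from the page: route origin validation with the RFC 6811 outcomes valid / invalid / not-found against a constructed set of validated ROA payloads (VRPs). The prefixes and AS numbers are made up and use documentation ranges.

```python
"""RPKI route origin validation (RFC 6811 outcomes) over a constructed ROA set.

Added example, not from the page. The validated ROA payloads (VRPs), prefixes
and AS numbers are made up and use documentation ranges.
"""
import ipaddress

# (prefix, max_length, origin_asn) as a validator would hand them to the router.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]


def covering_vrps(prefix, vrps):
    """All VRPs whose prefix contains `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa_prefix, maxlen, asn in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version == net.version and net.subnet_of(roa):
            out.append((roa, maxlen, asn))
    return out


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(prefix)
    covering = covering_vrps(prefix, vrps)
    if not covering:
        return "not-found"                       # no ROA covers it: RPKI is silent
    for _roa, maxlen, asn in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"                              # covered, but wrong origin AS or too specific


def filter_announcements(announcements, vrps=VRPS, drop=("invalid",)):
    """Common policy: drop 'invalid', keep 'valid' and 'not-found'.

    announcements: list of (prefix, as_path) with the origin AS last in the path.
    """
    kept = []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path[-1], vrps)
        if state not in drop:
            kept.append((prefix, as_path, state))
    return kept


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", [64510, 64500]),     # legitimate origin
        ("192.0.2.0/24", [64510, 64666]),     # origin hijack
        ("192.0.2.0/25", [64510, 64500]),     # more-specific hijack (beyond maxLength)
        ("203.0.113.0/24", [64510, 64502]),   # no ROA at all
    ]
    for prefix, path in announcements:
        print(prefix, path, validate_origin(prefix, path[-1]))
    print("kept:", [(p, s) for p, _, s in filter_announcements(announcements)])
```

ROV checks only the origin AS against signed ROAs; it says nothing about the rest of the AS path, so a hijacker who prepends the legitimate origin to a forged path still passes (that is the gap BGPsec and ASPA target). A not-found result is normally accepted because many prefixes still have no ROA, which is why the filter above drops only invalid announcements.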

What does “ossification” of the transport layer mean? What causes this "ossification" (give 2 examples)?

TCP and UDP have existed for many years, and thus their headers are often the only ones accepted at layer 4; these protocols are “hard wired” in many systems, not only end-systems but also middleboxes (A). Especially middleboxes cause the ossification, as updating/changing the OS on end-systems is not enough to use a different layer-4 protocol; middleboxes such as firewalls, load balancers and NATs have to be changed as well to accept new protocols and their headers (B).

Why does simply sending different data packets of a single TCP connection over different paths not work?

Middleboxes such as NATs keep state and thus "follow" the state of a TCP connection; they may even ACK bytes, acting as proxies. Incoming packets from an unknown TCP connection (known only via another path) are typically not accepted and are therefore dropped.

How does MPTCP circumvent the "ossification"?

Use of several TCP connections: to the network, the TCP connections belonging to a single MPTCP connection look like “normal” TCP connections with individual states; MPTCP multiplexes/demultiplexes the data stream on top of the regular, built-in TCP of the OS.

Why may TCP slow down HTTP and thus the rendering of web pages?

Even HTTP/2, which allows multiplexing several HTTP requests and out-of-order delivery of responses, suffers from head-of-line blocking, which TCP causes when a segment is lost: TCP segmentation is independent of the semantics of requests/responses, so a lost segment blocks the delivery of correctly received segments/data to the browser, and nothing is displayed until the lost data has been retransmitted; the user experience suffers.

How does QUIC solve this issue and how does it circumvent the “ossification” of the transport layer?

QUIC offers several independent streams, e.g. for different objects on a web page; data loss in one stream does not influence other streams; using UDP, all received data is immediately forwarded to the next higher layer (QUIC); using UDP circumvents the ossification, as UDP is well accepted; QUIC is handled in the end-systems only, the network sees only partially encrypted UDP packets (A).
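Added example, not from the page: a simulation of the delivery behaviour described in the last two answers. Nine constructed packets belong to three streams (say, three objects of a page); one packet is lost and arrives last, modelling its retransmission. With TCP-style ordering the whole connection waits behind the gap; with QUIC-style per-stream ordering only the affected stream does.

```python
"""Head-of-line blocking: one TCP byte stream versus QUIC's independent streams.

Added example, not from the page. Packets are (stream_id, seq) tuples in a
constructed send order; a packet in `lost` is dropped on its first transmission
and arrives after everything else, which models its retransmission.
"""


def simulate(packets, lost, per_stream):
    """Replay the arrivals; return (release order, readable count after each arrival).

    per_stream=False : TCP-like, one sequence space for the whole connection
    per_stream=True  : QUIC-like, every stream is ordered independently
    """
    arrivals = [p for p in packets if p not in lost] + [p for p in packets if p in lost]

    def ordering(pkt):
        # TCP numbers bytes across the connection (here: the send index);
        # QUIC numbers data within each stream.
        return (pkt[0], pkt[1]) if per_stream else ("connection", packets.index(pkt))

    buffered, next_seq, released, timeline = {}, {}, [], []
    for pkt in arrivals:
        domain, seq = ordering(pkt)
        buffered.setdefault(domain, {})[seq] = pkt
        n = next_seq.get(domain, 0)
        while n in buffered[domain]:             # only contiguous data is readable
            released.append(buffered[domain].pop(n))
            n += 1
        next_seq[domain] = n
        timeline.append(len(released))
    return released, timeline


# Three objects of a page, three packets each, sent round-robin (constructed).
PACKETS = [(stream, seq) for seq in range(3) for stream in (1, 2, 3)]


if __name__ == "__main__":
    lost = {(1, 1)}
    for label, per_stream in (("TCP", False), ("QUIC", True)):
        _released, timeline = simulate(PACKETS, lost, per_stream)
        print(f"{label:5s} readable after each arrival: {timeline}")
```

The timeline for TCP stays at 3 readable packets until the retransmission arrives, although six more packets were already sitting in the receive buffer; the QUIC-style run keeps handing streams 2 and 3 to the application and only stream 1 waits.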

Can we directly transmit data? What is always required?

No, data is something abstract; we always need a physical representation: a mapping of data elements to physical signal elements, i.e. modulation of physical signals based on the data.

What are the effects of bandwidth limitation of a physical medium?

The effective bandwidth of a physical medium limits the maximum available data rate; Shannon's law: data rate = bandwidth · log2(1 + S/N); it also limits the symbol rate.

How to achieve bit synchronization between sender and receiver? Give two examples!

Provide a falling/rising edge always in the middle of a bit (Manchester); ensure that no long sequences of 0s or 1s exist (4B5B etc.) and then use (differential) NRZ; use a separate clock line if the distance is short.

Why is it impossible to detect all possible errors?

A really mean error could map a valid codeword onto another valid one; this is impossible to detect, as the receiver does not know what the sender has sent, so every legal codeword looks fine. A CRC, for example, does not detect an error pattern that is a multiple of the generator polynomial added to the transmitted data.
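Added example, not from the page: a bit-level CRC with the generator x^8 + x^2 + x + 1, showing both what a CRC catches (single-bit flips, any burst up to the generator's degree) and the error class from the answer above that it cannot catch: an error pattern that is itself a multiple of the generator polynomial. Message and multiplier values are constructed.

```python
"""Why a CRC cannot detect every error.

Added example, not from the page: bit-level CRC over GF(2) with an 8-bit
generator G(x) = x^8 + x^2 + x + 1 (0x107). Any error pattern that is a
multiple of G(x) leaves the remainder unchanged and slips through. Message
values below are constructed.
"""

GEN = 0x107            # x^8 + x^2 + x + 1, written with its leading x^8 bit
DEGREE = 8


def poly_mod(value, generator=GEN, degree=DEGREE):
    """Remainder of value(x) divided by generator(x) over GF(2) (long division)."""
    for shift in range(value.bit_length() - 1, degree - 1, -1):
        if value >> shift & 1:
            value ^= generator << (shift - degree)
    return value


def gf2_mul(a, b):
    """Carry-less multiplication of two polynomials over GF(2)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def encode(message):
    """Codeword = message * x^degree + remainder; divisible by G by construction."""
    return (message << DEGREE) | poly_mod(message << DEGREE)


def check(codeword):
    """Receiver side: accept iff the remainder is zero."""
    return poly_mod(codeword) == 0


def undetectable_error(multiplier):
    """E(x) = G(x) * k(x): codeword XOR E is again a multiple of G."""
    return gf2_mul(GEN, multiplier)


if __name__ == "__main__":
    msg = 0b1011001110
    cw = encode(msg)
    print(f"codeword 0x{cw:x} accepted: {check(cw)}")
    print("single bit flip detected:", not check(cw ^ (1 << 5)))
    print("8-bit burst detected:", not check(cw ^ (0b10110011 << 3)))
    e = undetectable_error(0b1011)
    print(f"error 0x{e:x} (a multiple of G) accepted: {check(cw ^ e)}")
```

The consequence for security work: a CRC detects accidental errors only. Anyone who knows G(x) can craft such an error on purpose, so integrity against an adversary needs a keyed MAC or an AEAD cipher, never a checksum.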

Flashcards

DNS Attacks

Attackers can exploit vulnerabilities in DNS to redirect traffic, manipulate data, or disrupt internet services. This is done by altering or manipulating DNS records, spoofing servers, or intercepting DNS requests and responses.

DNS Vulnerability

DNS is vulnerable due to its reliance on trust and lack of adequate security measures. Unencrypted communication, unverified responses, and the absence of authorization mechanisms make it susceptible to attacks.

Cache Poisoning

Cache poisoning involves manipulating DNS caches with incorrect data, leading to incorrect resolution of domain names. This results in redirection of traffic to malicious servers.

Consequences of Incorrect DNS Answers

When a DNS server provides incorrect responses, it can direct traffic to malicious sites, disrupt service, or compromise user data.


DNSSEC

DNSSEC (Domain Name System Security Extensions) is a security mechanism that adds digital signatures to DNS data, ensuring the authenticity and integrity of records.


Choosing a Specific DNS Server

By choosing a specific DNS resolver, users can control the source of DNS information, potentially avoiding corrupted or manipulated data.


DNS Name Uniqueness

DNS ensures uniqueness of names by creating a hierarchical structure with unique names at each level. The Internet Corporation for Assigned Names and Numbers (ICANN) oversees the management of top-level domains.


Recursive Name Resolution

Recursive name resolution involves receiving a complete answer to a DNS request, even if it requires multiple queries to other servers. The client does not have to be involved in subsequent requests.


Iterative Name Resolution

Iterative name resolution returns a pointer to the next server for further queries. The client needs to send multiple requests to different servers to find the final answer.


Congestion Control

Congestion control focuses on maintaining network stability by preventing congestion in the network. It regulates the flow of data to prevent overloading of network infrastructure.


Flow Control

Flow control aims to prevent buffer overflow at the receiver by regulating the rate of data sent by the sender. It ensures that the receiver can handle the incoming data without dropping packets.


Duplicated ACK in TCP

A duplicated ACK in TCP signals that some packets are still reaching the receiver, so the network is not severely congested. Three duplicate ACKs trigger fast retransmit of the missing segment and fast recovery instead of a full slow start.

Fast Recovery in TCP

Fast Recovery in TCP lets the sender recover quickly from a single loss signalled by duplicate ACKs. It skips the slow-start phase and continues with half the previous congestion window rather than restarting from 1 MSS.

RTT in TCP

RTT (Round Trip Time) measures the time it takes for a packet to travel from sender to receiver and back. It influences TCP's congestion window size and determines the rate of data transmission.


Error Rate in TCP

The error rate in TCP affects the frequency of retransmissions and influences the rate of data transfer. A high error rate slows down the transmission process.


Receiver Window in TCP

The receiver window in TCP indicates how much data the receiver can currently buffer and caps the sending rate. A small or zero receiver window signals that the receiver's buffer is (nearly) full; a zero window stops the sender until a window update arrives.

Link Layer Data Rate in TCP

The link layer data rate of the bottleneck link determines how fast router buffers drain. A slow link lets buffers fill, which adds queueing delay to the RTT and thus indirectly throttles TCP's flow.

Congestion Window in TCP

The congestion window in TCP limits the rate of data transmission to prevent network congestion. It dynamically adapts to network conditions to avoid overloading the network.


Implicit Congestion Detection in TCP

TCP detects congestion implicitly by observing timeouts and late, missing or duplicate acknowledgements. These events indicate that packets are being lost, which the sender attributes to congestion.

Explicit Congestion Detection in TCP

TCP detects congestion explicitly using the ECN (Explicit Congestion Notification) bits in the IP header. Routers experiencing congestion set these bits, and the receiver echoes the mark back to the sender with the ECE flag in the TCP header.

Limitations of Switches in Large Networks

Switches alone are insufficient for large networks due to limitations in address scalability and lack of support for logical hierarchies.


Routing Scalability in the Internet

The Internet addresses the scalability challenge through hierarchical routing. It uses Autonomous Systems (AS) with internal routing protocols (IGP) and external routing protocols (EGP) to maintain a distributed and scalable system.


Routing vs. Forwarding

Routing involves determining optimal paths for data packets, while forwarding focuses on actually moving packets based on destination addresses.


BGP Routing Features

BGP (Border Gateway Protocol) handles policy-based routing and path selection, addressing limitations of link-state and distance vector protocols. It allows for route control, path selection, and preference.


RPKI and Network Security

RPKI (Resource Public Key Infrastructure) lets address holders sign Route Origin Authorizations stating which AS may originate a prefix, so routers can reject forged origin announcements and limit hijacks and blackholing.

Transport Layer Ossification

Ossification refers to the situation where existing protocols become entrenched and difficult to change due to widespread adoption and reliance. This makes it challenging to introduce new protocols or functionalities.


Middle Box Ossification

Middle boxes, such as firewalls, NATs, and load balancers, act as intermediaries and rely on specific protocols. Updating these boxes with new protocol support is often complex and challenging.


Multipath TCP and Middle Boxes

Sending segments from the same TCP connection over different paths can lead to problems with middle boxes, such as NAT, which track the state of connections. These boxes may not recognize the packets from different paths, causing packets to be dropped.


MPTCP and Ossification

MPTCP circumvents ossification by multiplexing several TCP connections into a single logical connection. For the network, these appear as separate TCP connections, while the application sees a single, faster connection.


TCP Slowdowns in HTTP

TCP's segment-based approach can lead to head-of-line blocking, where loss of a single segment can delay delivery of subsequent segments, impacting web page loading speed.


QUIC and HTTP

QUIC solves the issue of TCP slowdowns in HTTP by providing multiple independent streams for data transfer. Loss in one stream does not affect the others, ensuring faster delivery of web page content.


QUIC and Transport Layer Ossification

QUIC uses UDP as the transport protocol, which is widely accepted and circumvents ossification. By using multiple streams and independent data transfer, QUIC provides faster webpage loading and a more user-friendly experience.


Data Transmission and Physical Representation

We cannot transmit data directly as data is an abstract concept. A physical representation is required, using a mapping between data elements and physical signal elements.


Bandwidth Limitation

Bandwidth limitations of a physical medium restrict the maximum achievable data rate. Shannon's law relates data rate to bandwidth and signal-to-noise ratio, highlighting bandwidth as a limiting factor.


Signal Level Quantization and Interference

Using more discrete signal levels for quantization increases susceptibility to interference. As levels come closer, weaker interference can cause bit errors.


Bit Synchronization

Bit synchronization ensures that sender and receiver agree on the timing of bit transitions. Techniques like Manchester coding or differential NRZ ensure consistent bit timing.


Framing in Data Transmission

Framing is necessary to separate continuous bitstreams into frames for easier processing and error detection. Framing methods include start-of-frame patterns, bit stuffing, or byte counting with length fields.


Limitations of Error Detection

It's impossible to detect all possible errors because a malicious error could transform a valid codeword into another valid codeword. The receiver cannot distinguish between original and corrupted data if they both appear valid.


Study Notes

Exam Telematics - Solutions

  • The solutions provided are examples, not exhaustive, but sufficient for full marks. Correct keywords and coherent arguments are essential.

DNS (16 points)

  • DNS Attacks (3):

    • Cache poisoning
    • Spoofing of DNS servers (at various levels)
    • Forging requests/responses
    • Redirection
  • DNS Vulnerability (2):

    • Unencrypted requests/responses
    • Non-verified answers
    • Unauthorised servers
    • Unprotected caches
  • Incorrect DNS Answers (4):

    • Consequences: Name to IP mapping errors, redirection to wrong servers, reduced web access.
    • Solutions: Direct use of trusted DNS servers (e.g., 8.8.8.8), DNSSEC implementation
  • DNS Name Uniqueness (3):

    • Uniqueness ensured through hierarchical structure (top-level, second-level, etc).
    • Each level's Network Information Center (NIC)/administrator manages/assigns names to owners.
    • Owner registration in a database.
  • Recursive vs. Iterative Resolution (4):

    • Recursive: Query answered by the requested node, possibly involving further requests without involvement of the requester.
    • Iterative: Node provides pointers to the requester for further queries.

Congestion and Flow Control (20 points)

  • Congestion Control Focus (4):

    • Focus on the network
    • Aims to prevent congestion
    • Necessary for network stability
  • Flow Control Focus (4):

    • Focus on the end-system
    • Prevents receiver overload
    • Necessary for preventing packet loss
  • Duplicated ACKs in TCP (4):

    • Indication that at least some packets still get through (no severe congestion or link failure).
    • Fast recovery avoids 'slow start': instead of restarting the congestion window at one maximum segment size (MSS), the sender continues right away with half the previous congestion window.
  • TCP Flow Determination (6):

    • RTT: Round trip time
    • Error rate: Determines retransmission amount
    • Receiver window: Defines receiver capacity
  • TCP Congestion Detection (6):

    • Explicit: Using ECN bits in the IP header (set by routers experiencing congestion, reflected to sender).
    • Implicit: Sender detects time-outs or missing ACKs (indicating congestion).

Routing (18 points)

  • Limitations of Switches (2):

    • Flat address space, no aggregation: every address must be stored individually.
    • Inefficient for large networks.
    • A logical (spanning) tree is needed to avoid loops, since frames carry no TTL; not feasible world-wide.
  • Routing Scalability (2):

    • Hierarchies
    • Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs)
    • Autonomous Systems (AS) boundaries
  • Routing vs. Forwarding (3):

    • Forwarding is time-critical with one choice
    • Routing is less time-critical and multiple paths.
  • Routing Metrics (3):

    • Delay
    • Hop count
    • Data rate
  • Routing Issue Handling (Routing Protocols) (3):

    • Policies and paths
    • Handling asymmetric routing
    • Different policies applied to paths
  • False Path Announcement (2):

    • Lack of verification mechanisms
    • Trust-based system
    • Manipulating announcements
  • RPKI Support on Web (3):

    • TLS encrypts content but cannot stop routing manipulation.
    • RPKI protects against forged prefix origins (blackholing, redirection of traffic).
    • Protection against Denial of Service (DoS).

Ossification/New Protocols (18 points)

  • Transport Layer Ossification (4):

    • Established protocols (TCP/UDP) are widely used and integrated.
    • Changes to protocols are difficult due to widespread use.
    • Middleboxes cause dependency on existing protocols.
  • TCP Connection Handling (4):

    • Maintaining state during packet delivery over different paths often fails.
    • Middleboxes follow connections, making it difficult.
  • MPTCP Circumvention (2):

    • Splits the data stream over several ordinary TCP subflows; to middleboxes each subflow looks like a normal TCP connection.
  • HTTP Slowdown (4):

    • Lost segments block delivery of correctly received data (head-of-line blocking).
    • TCP segmentation ignores request/response boundaries.
    • User experience is negatively affected.

Bits and Signals (18 points)

  • Data Transmission Requirement (4):

    • Physical representation mapping needed
    • Signal modulation crucial
  • Bandwidth Limitation (2):

    • Shannon's law defines data rates dependent on bandwidth and signal-to-noise ratio.
  • Quantization Challenges (2):

    • More signal levels mean smaller spacing between levels, so weaker interference already causes bit errors.
  • Bit Synchronization (4):

    • Manchester encoding (edge-based): Transitions in the middle of a bit
    • Differential encoding: Transitions based on difference between previous and current bit values
  • Frame Alignment (4):

    • Defining and separating frame starts/limits.
    • Including checksums/length information for error checks.
  • Transmission Error Detection (2):

    • CRC (Cyclic Redundancy Check).


Description

This quiz covers the solutions to DNS attacks, vulnerabilities, and incorrect answers. It explores the importance of DNSSEC implementation and the uniqueness of DNS names. Assess your understanding of these concepts relevant to telematics and network security.
