TCP_Attacks_ex

16.1. This problem is based on the TCP client program shown in Listing C.1 (C is the chapter number of the TCP Attack chapter; its actual value depends on which version of the book you are using). (1) To get responses from the server, the TCP client program should register for a source port number, but in the program, this step seems to be missing. Without this port number, how can the client program get responses? (2) Which line of the code triggers the three-way handshake protocol? (3) There are two write() calls in this client program, will each call trigger a separate TCP packet?

16.2. This problem is based on the TCP server program shown in Listing C.2. (C is the chapter number of the TCP Attack chapter; its actual value depends on which version of the book you are using). (1) Does the program get blocked when invoking listen() until a connection comes? (2) What is the purpose of the accept()? (3) Why does the accept() call create a new socket? Why cannot we use the same one that is used in the listen() call?

16.3. We have two machines, A and B. (1) Two TCP client programs on machine A send their data to a TCP server that is listening to port 8023 on machine B. Will the data from these two client programs be mixed together on the server side? Please explain. (2) Two UDP client programs on machine A send their data to a UDP server that is listening to port 8023 on machine B. Will the data from these two client programs be mixed together on the server side? Please explain.

16.4. A program wants to send many pieces of data to a server, and each piece will be sent via a separate call. The server needs to know the boundaries among these pieces. (1) If the program uses UDP, how does the server know where the boundaries are? (2) What if the program uses TCP?
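The following program is an added example (it is not Listing C.1 or C.2 from the book, and not the author's code). It runs a small server and two clients over the loopback interface to make the points behind 16.1, 16.3 and 16.4 concrete: the clients never call bind(), yet connect() leaves them with a kernel-chosen ephemeral source port that getsockname() reveals; the server tells the two clients apart by the (client IP, client port, server IP, server port) tuple, so their data is never mixed; and because TCP is a byte stream that does not preserve send() boundaries, the application frames each message with a length prefix and the receiver splits the stream itself. The port numbers and message strings are constructed.

```python
"""Added example (not from the textbook or its listings): what a TCP client
gets without bind(), how the server tells two clients apart, and how an
application finds message boundaries in a TCP byte stream."""
import socket
import struct
import threading


def frame(payload: bytes) -> bytes:
    """Prefix a message with its 4-byte big-endian length. TCP itself does not
    preserve send() boundaries, so the receiver needs this to split messages."""
    return struct.pack("!I", len(payload)) + payload


def parse_frames(buf: bytes):
    """Extract every complete length-prefixed message from buf.

    Returns (messages, leftover). Works whether two sends arrived coalesced in
    one segment or one message was split across several segments."""
    messages = []
    while len(buf) >= 4:
        (length,) = struct.unpack("!I", buf[:4])
        if len(buf) < 4 + length:
            break  # partial message: keep the bytes and wait for more
        messages.append(buf[4:4 + length])
        buf = buf[4 + length:]
    return messages, buf


def _serve(listener, results, n_clients):
    """Accept n_clients connections one after another and record, per remote
    (ip, port), the framed messages received on that connection."""
    for _ in range(n_clients):
        conn, peer = listener.accept()  # a new socket for this connection only
        with conn:
            buf, msgs = b"", []
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # peer closed its side
                    break
                buf += chunk
                got, buf = parse_frames(buf)
                msgs.extend(got)
            results[peer] = msgs


def demo(n_clients: int = 2):
    """Connect n_clients unbound clients to one loopback server port.

    Returns ({client_port: [messages]}, [client ports in connect order])."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(5)               # returns at once; it does not wait for a client
    server_port = listener.getsockname()[1]
    results = {}
    worker = threading.Thread(target=_serve, args=(listener, results, n_clients))
    worker.start()

    clients = []
    for _ in range(n_clients):
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # No bind(): connect() makes the kernel choose an ephemeral source port
        # and sends the SYN that starts the three-way handshake.
        c.connect(("127.0.0.1", server_port))
        clients.append(c)
    # All client sockets are open at the same time, so their source ports differ;
    # the server separates them by (client ip, client port, server ip, server port).
    ports = [c.getsockname()[1] for c in clients]

    for i, c in enumerate(clients):
        # Two separate sends; TCP may carry them in one segment or in several.
        c.sendall(frame(f"client{i} hello".encode()))
        c.sendall(frame(f"client{i} bye".encode()))
        c.close()
    worker.join()
    listener.close()
    return {peer[1]: msgs for peer, msgs in results.items()}, ports


if __name__ == "__main__":
    by_port, ports = demo()
    for p in ports:
        print(p, by_port[p])
```

With UDP the same framing would be unnecessary, since every recvfrom() returns exactly one datagram; with TCP the receiver must never assume that one recv() corresponds to one send().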

16.5. Does a SYN flooding attack cause the victim server to freeze?

The half-open connection queue fills up, so the server cannot respond to other connections.
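The answer above is about the half-open (SYN_RECV) queue of one listening socket. The script below is an added example, not from the book or from the course, showing the check an operator would run to see whether that queue is being filled: it parses the Linux /proc/net/tcp table, counts SYN_RECV sockets per local port, and reports how many distinct remote addresses they come from (a flood with randomised source addresses shows roughly one source per entry). The table rows are constructed; the server and client addresses reuse 10.0.2.9 and 10.0.2.5 from exercise 16.16. Because each listener has its own queue, the count is kept per port, which is also why the second port in 16.8 is unaffected by a flood aimed at port 23.

```python
"""Added example (not from the textbook): counting half-open connections per
listening port from /proc/net/tcp, the check an operator would run to see
whether a SYN flood is filling a port's queue."""
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # 'st' value of a socket that sent SYN+ACK and awaits the ACK

# Constructed sample in /proc/net/tcp layout (addresses are hex, host byte order):
# row 0 is the telnet listener, row 1 a real client (10.0.2.5, ESTABLISHED),
# rows 2-4 half-open connections on port 23 from three different spoofed
# sources, row 5 a single half-open connection on port 8023.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0902000A:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0902000A:0017 0502000A:9C40 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 20 4 30 10 -1
   2: 0902000A:0017 0705A8C0:D431 03 00000000:00000000 01:00000012 00000002     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0902000A:0017 2C0310AC:1A2B 03 00000000:00000000 01:00000012 00000002     0        0 0 1 0000000000000000 100 0 0 10 0
   4: 0902000A:0017 097100CB:3C4D 03 00000000:00000000 01:00000012 00000003     0        0 0 1 0000000000000000 100 0 0 10 0
   5: 0902000A:1F57 026433C6:5E6F 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 100 0 0 10 0
"""


def parse_addr(field: str):
    """'0502000A:9C40' -> ('10.0.2.5', 40000). The IPv4 address is printed as
    a host-order (little-endian) 32-bit value, so repack it to get the bytes."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def half_open_by_port(text: str):
    """Map each local port to a Counter of remote IPs that sit in SYN_RECV."""
    result = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        _, local_port = parse_addr(fields[1])
        remote_ip, _ = parse_addr(fields[2])
        result.setdefault(local_port, Counter())[remote_ip] += 1
    return result


def syn_flood_alerts(text: str, threshold: int):
    """Return (port, half_open_count, distinct_sources) for every port whose
    half-open count reaches threshold. Many entries with as many distinct
    sources is the signature of a flood with randomised source addresses."""
    alerts = []
    for port, sources in sorted(half_open_by_port(text).items()):
        total = sum(sources.values())
        if total >= threshold:
            alerts.append((port, total, len(sources)))
    return alerts


def live_snapshot():
    """Read the real table on a Linux host (equivalent to `ss -tn state syn-recv`)."""
    with open("/proc/net/tcp") as fh:
        return fh.read()


if __name__ == "__main__":
    print(syn_flood_alerts(SAMPLE, threshold=3))
```

On a real host, pass live_snapshot() instead of SAMPLE; a realistic threshold is a fraction of the listener's backlog (net.ipv4.tcp_max_syn_backlog), since the queue is what the flood is trying to fill.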

16.6. In the SYN flooding attack, why do we randomize the source IP address? Why cannot we just use the same IP address?

16.7. What will happen if the spoofed source IP address in a SYN flooding attack does belong to a machine that is currently running?

16.8. An attacker launches a SYN flooding attack against the telnet server on a target machine. This particular telnet server listens on two ports, port 23 and port 8023. The attack only targets the default telnet port 23. While the attack is under way, can people still telnet to the server using port 8023?

16.9. Can we launch a SYN flooding attack from a computer without using the root privilege?

16.10. Why do we choose to fill up the memory used for half-open connections? Why cannot we directly target the memory used for holding full connections? The latter requires more memory, so the resource is much easier to exhaust.

16.11. If TCP always uses a fixed sequence number (e.g., zero) in its SYN + ACK packet during the three-way handshake protocol, please describe how you can conduct a denial-of-service attack on the TCP server. Your objective is different from the SYN flooding attack; you want to cause the server to establish connections with many non-existing computers, and thus exhaust the server's resources, especially its memory.

16.12. All the information that a server needs to know about a connection is not only contained in the SYN packet, but also in the final ACK packet from the client. Therefore, information-wise, there is no need to allocate a buffer to save the information about half-open connections. If we get rid of this buffer, the SYN flooding attack will not be effective any more. Do you agree with such a statement or not? Please justify your answer.
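The statement in 16.12 is essentially the idea behind SYN cookies, and comparing it with 16.11 shows what the design must get right. The toy model below is an added example, not code from the book or from any kernel: the server stores nothing when a SYN arrives, puts a coarse timestamp, an MSS class and a keyed MAC over the connection 4-tuple and the client ISN into the 32-bit ISN of its SYN+ACK, and only when the final ACK comes back does it recompute the MAC and accept the connection. The MAC is what makes the server ISN unpredictable; with the fixed ISN of 16.11 anyone could produce a valid final ACK for a non-existent host. The field layout (5-bit counter, 3-bit MSS index, 24-bit MAC) follows the classic design, while SECRET, the clock value and the addresses (taken from exercise 16.16) are constructed for the demo.

```python
"""Added example (not from the textbook): a toy SYN-cookie handshake, i.e. a
server that keeps no half-open state and instead puts what it needs into the
ISN of its SYN+ACK, then checks it when the final ACK arrives."""
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real implementation rotates the secret periodically.
SECRET = b"constructed-demo-secret"
# Coarse MSS classes; the only SYN option the cookie has room to remember.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64  # seconds per tick of the 5-bit counter


def mss_index(advertised_mss: int) -> int:
    """Largest table entry not above the client's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= advertised_mss:
            idx = i
    return idx


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter, idx):
    """24-bit keyed MAC over the connection 4-tuple, client ISN and cookie fields."""
    data = struct.pack("!4sH4sHIBB", socket.inet_aton(src_ip), src_port,
                       socket.inet_aton(dst_ip), dst_port, client_isn, counter, idx)
    digest = hmac.new(SECRET, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, advertised_mss, now):
    """Server ISN for the SYN+ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored; the SYN can be forgotten as soon as this is sent."""
    counter = (now // COUNTER_PERIOD) & 0x1F
    idx = mss_index(advertised_mss)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter, idx)
    return (counter << 27) | (idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the final ACK of the handshake.

    seq is the client's sequence number (client ISN + 1) and ack is what the
    client acknowledges (server ISN + 1). Returns the remembered MSS if the
    cookie is genuine and recent, otherwise None (the ACK is dropped)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    now_counter = (now // COUNTER_PERIOD) & 0x1F
    if (now_counter - counter) & 0x1F > 1:
        return None  # too old: more than two counter ticks
    if mac != _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter, idx):
        return None  # wrong source, wrong client ISN or guessed cookie
    return MSS_TABLE[idx]


if __name__ == "__main__":
    now = 1_000_000  # constructed clock value (seconds)
    isn = make_cookie("10.0.2.5", 40000, "10.0.2.9", 23, 12345, 1460, now)
    print(hex(isn), check_cookie("10.0.2.5", 40000, "10.0.2.9", 23, 12346, isn + 1, now))
```

The model also shows the cost of agreeing with 16.12 unconditionally: only an MSS class survives, other SYN options are lost, and a 24-bit MAC is the whole barrier against a forged final ACK, which is why real stacks enable cookies only once the half-open queue is actually full.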

16.13. To reset a connection between two remote machines, i.e., we will not be able to see the packets between these two machines, what are the main challenges?

16.14. Are TCP Reset attacks effective against encrypted connections, such as SSH?

16.15. Is UDP communication subject to reset attacks?

16.16. There is an active Telnet connection from a client (10.0.2.5) to a Telnet server (10.0.2.9). The server has just acknowledged a sequence number 1000, and the client has just acknowledged a sequence number 3000. An attacker wants to launch the TCP session hijacking attack on the connection, so he can execute a command on the server. He is on the same local area network as these two computers. You need to construct a TCP packet for the attacker. Please fill in the following fields:

  • Source IP and Destination IP
  • Source port and Destination port
  • Sequence number
  • The TCP data field.

16.17. In a TCP session hijacking attack, if the server is waiting for data starting from sequence number X but we used X + 100 in our attack packet, will our attack succeed or fail?

16.18. Can we launch a TCP session hijacking attack against an SSH connection?

16.19. The Mitnick attack is a variation of the TCP session hijacking attack. This attack involved two computers (we will call them A and B) in San Diego Supercomputer Center. B trusted A, so if somebody logs in from A, no password would be asked. Kevin Mitnick wanted to log into B, but he did not know the password, and he had no access to A either. He could only do that remotely. To get in, he would have to fool B to believe that his login request was from A.

Before the login program runs, a TCP connection needs to be made first. Therefore, Mitnick needed to forge a TCP connection request from A to B first. If the connection is established successfully, Mitnick would have all the parameters about the connection, including the port numbers and sequence numbers. He could then use this connection to log into B, and steal information from there.

To simplify the scenario, let us assume that computer A was not even running; only B is running. Please describe how Mitnick would get B to establish a connection with A. In those days, TCP's initial sequence numbers were not randomized, and they were quite predictable.

16.20. UDP services can be used for amplification attacks. Why cannot TCP be used for the same attack?

16.21. In the past, we wrote a SYN flooding program using Python, but we could never get the attack to work; there is nothing wrong in the program. After a close look at the attack, we found out that the speed of our Python program is too slow: it can only send out a few spoofed packets in a second. We also found out that there are many Reset packets coming back to the victim machine. Based on this observation, please explain why our Python program could not get the attack to work.