If an attacker spoofs a packet to a victim, where would the victim's reply be sent to?
The victim would think the spoofed packet came from the fake source address, so the victim’s reply would be sent to the fake source address, not the attacker.
On-path vs. Off-path Spoofing
Which type of attacker is more powerful: on-path, off-path, or neither is strictly stronger than the other?
The on-path attacker is strictly stronger. An on-path attacker can do everything an off-path attacker can do, but the on-path attacker has the extra ability to see the victim’s traffic.
TCP RST Injection
TCP Data Injection
What obstacles does an on-path attacker need to overcome to inject data into a TCP connection?
The on-path attacker needs their injected packet to reach the victim before the legitimate packet does (i.e., they must win the race).
Note that the on-path attacker already knows the correct sequence numbers because they can see all the victim’s traffic.
TCP Off-path Attacks
In a blind spoofing attack, does the off-path attacker need to guess the sequence number or the acknowledgement number when sending the ACK part of the handshake?
The attacker will know the sequence number to use, since they chose the initial sequence number in the SYN they sent. The attacker needs to guess the acknowledgement number, since the server sent the SYN-ACK with this value to the victim instead of the attacker.
Summary of TCP Security Issues
Host Names vs. IP Addresses
DHCP
Which of the four messages in the DHCP handshake are broadcast? Why do we need to broadcast these?
The two messages sent by the client (discover and request) are broadcast, because the client does not yet have an IP configuration (address, gateway, DNS server) with which to send unicast messages.
DHCP Threats
What type(s) of attacker can execute an attack on DHCP, and what type of attacker do they become after successfully executing the attack?
Any attacker who can read the victim’s traffic (on-path or MITM) can execute the attack. After successfully executing the attack, the attacker becomes a MITM.