Computer Networking Exam 2 Questions and Answers
In the MITM attack described in the book, the attacker M uses the ARP cache poisoning attack
to redirect the A-to-B packets to M.
1. If the IP forwarding on the attacker machine M is turned off, what will happen to
the packets?
2. If the IP forwarding on M is turned on, what will happen to the packets?
3. If the attacker wants to modify the packet, should the attacker turn on or off the
IP forwarding? - ✔✔1. If the IP forwarding is turned off, the packet will be
dropped.
2. If the IP forwarding is turned on, the packet will be forwarded to B.
3. If the attacker wants to modify the packet, the attacker should turn off the IP forwarding.
In the MITM attack described in the book, the attacker M uses the ARP cache poisoning attack
to redirect the A-to-B packets to M. How does the attacker get this packet? - ✔✔The OS
will not give this packet to the attacker automatically. The attacker needs to sniff the packet to
get a copy of the packet. The original copy still exists. To prevent the original copy from being
forwarded to B, the attacker should turn off the IP forwarding, so the original copy will be
discarded by the OS.
In this MITM attack code, the attacker tries to modify the packets from A to B. After
intercepting such a packet, the attacker makes a copy of the packet, and then does the
following. Why does the attacker have to delete the IP and TCP checksums?
from scapy.all import IP, TCP   # import needed for the snippet to run
newpkt = IP(bytes(pkt[IP]))     # pkt is the intercepted packet; rebuild a fresh copy of its IP layer
del(newpkt.chksum)              # drop the IP header checksum so Scapy recomputes it on send
del(newpkt[TCP].chksum)         # drop the TCP checksum so Scapy recomputes it on send
- ✔✔Since the packet will be modified, the checksums (in both IP
and TCP headers) from the original packet will no longer be valid, and they must be
recalculated. If we do not remove them from the packet, Scapy will keep the original value. If
we remove them, Scapy will re-calculate them for us.
If a packet's 1st and 2nd fragments have already arrived, but the 3rd fragment never comes, the
OS will deliver the 1st and 2nd fragments to the upper layer (transport layer). Is this true or
false? Please explain. - ✔✔This is false. If a fragment is missing, the OS will not be able to
recover the entire packet, so it will not give it to the upper layer. The OS will wait for a certain
period of time, and once the timer expires, it will drop all the fragments.
In some Ethernet frame that contains an IP packet, the destination MAC address in the
Ethernet header and the destination IP address in the IP header are not the same computer.
What is this scenario? - ✔✔It's most likely a result of ARP cache poisoning.
How does a router know whether it should send out an ICMP redirect message or not? -
✔✔When the router gets a packet from interface A and finds out that it needs to forward
the packet out through the same interface A, the router knows that the packet is returning to
the same LAN. The sender should have been able to send its packet directly to the next router.
In this case, the ICMP redirect message will be sent out.
Can we use the ICMP redirect attack to redirect the victim to send its packets to a remote machine
(i.e., a machine outside of the LAN)? - ✔✔No, the ICMP redirect destination must be a machine
on the same LAN, because this destination will be treated as a router, so it must be physically
connected with the victim (i.e., on the same LAN).
If an application needs to ensure the order of the packets, but UDP does not provide such a
guarantee, does the application have to use TCP? Can it still use UDP? - ✔✔It can still
use UDP. The application just has to implement the order-ensuring mechanism by itself. If
the application uses TCP, this is already provided by TCP.
Why is UDP in general more suitable for real-time applications than TCP? - ✔✔UDP does
not need to guarantee the reliability of its service, so it is faster than TCP, which does guarantee
reliability. Moreover, some of the reliable services provided by TCP are not essential for
real-time applications, so they can be sacrificed in exchange for the performance gain.
In the following code snippet, what does the IP address 0.0.0.0 mean?