Grant Ho: Security Problems with TCP/IP

1) A few attacks described in this paper had to do with the ability of an attacker to predict a sequence number. Give an example of such an attack and then describe a defense to it.

Consider a server that uses a client's IP address to authenticate the client. If an adversary, Mallory, can establish a TCP connection with the server using Alice's IP address as the source address, then the server will inadvertently allow Mallory to operate with all of Alice's privileges. In the original implementation of the TCP protocol, a server deterministically generated its initial sequence number for each connection. As a result, even if Mallory is an off-path adversary without network monitoring capabilities, Mallory could forge a TCP SYN with the source set to Alice's IP address and then correctly forge the final ACK of the handshake: the server's SYN/ACK is sent to Alice and never reaches Mallory, but Mallory can predict the initial sequence number it carries. This allows Mallory to establish a live TCP connection between "Alice" and the server. Because Mallory can accurately predict the sequence number for each packet in this connection, she can inject arbitrary data or malicious commands into the TCP stream sent to the server; this data will then be interpreted and executed under Alice's privileges. (To prevent Alice's machine from resetting the connection when it receives the unsolicited SYN/ACK, Mallory can conduct a DoS attack on Alice's machine or wait until Alice's machine is offline before spoofing the TCP connection.)

Aside from using a secure mechanism for authentication, the server can defend against this attack by choosing a random initial sequence number (drawn from a large sequence number space) for each connection it establishes. This prevents Mallory from tricking the server into setting up a TCP connection with another machine's address (or injecting packets into an established TCP stream) because Mallory will not be able to guess valid sequence numbers.
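The answer above turns on one property of the server's initial sequence number (ISN) generator: whether an ISN observed on the adversary's own legitimate connection predicts the ISN the server will choose for a spoofed one. The following Python model is an added example, not part of the original answer or of any real TCP stack. It contrasts a constructed counter-based generator (a simplification of the scheme the paper attacks) with an RFC 6528-style generator, which adds a keyed hash of the connection 4-tuple to a clock so that ISNs of different connections are unrelated; the addresses, ports, step size and the use of HMAC-SHA256 as the hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MOD32 = 1 << 32


class NaiveISN:
    """Stand-in for the original scheme the paper attacks: one global counter,
    bumped by a fixed amount for every new connection, so one observed ISN
    reveals the next one. (Constructed simplification; the historical code
    also advanced the counter with time.)"""

    def __init__(self, start=0, step=64_000):
        self.counter = start
        self.step = step

    def next_isn(self, local, remote):
        isn = self.counter % MOD32
        self.counter += self.step
        return isn


class HashedISN:
    """RFC 6528-style generator: ISN = M + F(local, remote, secret), where M is
    a 4-microsecond clock and F is a keyed hash truncated to 32 bits. Each
    4-tuple gets an unrelated offset, so an ISN seen on the attacker's own
    connection says nothing about the ISN picked for a spoofed one."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        # Injectable clock so the model is deterministic under test.
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))

    def next_isn(self, local, remote):
        lip, lport = local
        rip, rport = remote
        msg = f"{lip}:{lport}|{rip}:{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (self.clock() + f) % MOD32


def blind_handshake_succeeds(gen, server, victim, attacker, assumed_step=64_000):
    """Model the off-path scenario in the text: the adversary first opens a
    normal connection to learn one ISN, then sends a SYN carrying the victim's
    address and must blindly ACK a SYN/ACK it never sees. The handshake
    completes only if the blind ACK number equals the real ISN + 1."""
    observed = gen.next_isn(server, attacker)       # adversary's own connection
    predicted = (observed + assumed_step) % MOD32   # adversary's model of the generator
    actual = gen.next_isn(server, victim)           # ISN chosen for the spoofed SYN
    return (predicted + 1) % MOD32 == (actual + 1) % MOD32


if __name__ == "__main__":
    # Constructed sample endpoints (documentation-style private addresses).
    server, alice, mallory = ("10.0.0.1", 513), ("10.0.0.2", 1023), ("10.0.0.3", 1022)
    print("counter ISN, blind handshake completes:",
          blind_handshake_succeeds(NaiveISN(), server, alice, mallory))
    print("hashed ISN, blind handshake completes:",
          blind_handshake_succeeds(HashedISN(), server, alice, mallory))
```

With the counter generator the blind ACK matches every time; with the hashed generator the adversary's guess is right with probability about 2^-32 per attempt, which is the defense the answer describes. Per-connection randomness (rather than a single random per-boot offset) is what matters: a global random offset would still be learned from the adversary's own connection.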
2) In the original DNS design described in this paper, how could an attacker impersonate a DNS server and convince a client machine to send traffic to the wrong IP address? What was a consequence of that?

If a client machine's DNS resolver uses deterministic port and sequence numbers for issuing and receiving DNS requests and replies (e.g. a sequence number of 0), then an adversary can forge a DNS reply to the client whenever the client tries to make a web connection, and the resolver has no way to tell the forged reply from the real one. This malicious DNS reply can trick the user's machine into connecting to an adversary's IP address for any arbitrary URL or hostname. If the website the user tries to connect to does not use HTTPS, this allows the adversary to serve arbitrary web content to the user (displayed under the original URL); this allows the adversary to conduct effective phishing attacks.
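The defense implied by the answer above is that a resolver must only accept a reply that matches an outstanding query on every field it can check, and that those fields (source port and query ID) must be unpredictable. The following Python model is an added example, not part of the original answer or of any real resolver. It contrasts a resolver that behaves like the original design (fixed source port, IDs counting up from 0) with one that draws a fresh random port and ID per query; the port range, the 16-bit ID width, the hostnames and the answer addresses are assumptions made for illustration.

```python
import secrets

ID_BITS = 16                    # DNS query ID is a 16-bit field
PORT_RANGE = (1024, 65535)      # assumed ephemeral port range for the random resolver


class Resolver:
    """Stub resolver model. With randomize=False it mirrors the original design
    the text describes (one fixed source port, query IDs counting up from 0);
    with randomize=True it picks a fresh random port and ID for every query."""

    def __init__(self, randomize):
        self.randomize = randomize
        self.next_id = 0
        self.pending = {}   # (src_port, query_id) -> hostname awaiting an answer

    def issue_query(self, hostname):
        if self.randomize:
            span = PORT_RANGE[1] - PORT_RANGE[0] + 1
            port = PORT_RANGE[0] + secrets.randbelow(span)
            qid = secrets.randbelow(1 << ID_BITS)
        else:
            port, qid = PORT_RANGE[0], self.next_id
            self.next_id = (self.next_id + 1) % (1 << ID_BITS)
        self.pending[(port, qid)] = hostname
        return port, qid

    def accept_reply(self, dst_port, qid, hostname, address):
        """Accept a reply only if it arrives on a port with an outstanding query,
        carries that query's ID and answers the name that was asked. The first
        matching reply wins and the slot is cleared, so a late duplicate is dropped."""
        key = (dst_port, qid)
        if self.pending.get(key) != hostname:
            return None
        del self.pending[key]
        return address


def forged_reply_accepted(resolver, hostname):
    """Model a blind forger who knows only the original design's fixed port and
    initial ID and sends a single reply pointing the name at a constructed
    address. Returns True if the resolver takes it."""
    resolver.issue_query(hostname)
    return resolver.accept_reply(PORT_RANGE[0], 0, hostname, "192.0.2.66") is not None


def expected_blind_guesses(randomize):
    """Expected number of forged replies a uniform guesser needs for one hit."""
    ports = PORT_RANGE[1] - PORT_RANGE[0] + 1 if randomize else 1
    ids = (1 << ID_BITS) if randomize else 1
    return ports * ids


if __name__ == "__main__":
    print("original design accepts forgery:", forged_reply_accepted(Resolver(False), "bank.example"))
    print("randomized design accepts forgery:", forged_reply_accepted(Resolver(True), "bank.example"))
    print("expected guesses, original vs randomized:",
          expected_blind_guesses(False), expected_blind_guesses(True))
```

Randomizing both fields multiplies the forger's search space (about 2^16 ports times 2^16 IDs here), which is why modern resolvers randomize the source port as well as the ID; it raises the cost of blind forgery but does not authenticate the answer, which is what DNSSEC or an end-to-end check such as HTTPS certificate validation provides.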