| Layer | Purpose | Implementation | Example | Vulnerabilities |
|---|---|---|---|---|
| Social media | Sharing images of cute animals, political propaganda, etc. | Complex algorithms to predict content you'll engage with. | Facebook | Social engineering. Opsec fail. Fake news. |
| Ad Tracking | Monetize eyeballs by watching browser page views, mouse clicks, scroll times. | A little chunk of JavaScript sets a "third party tracking cookie" on each visited page. | Google Analytics (utm cookies), Facebook Ad Manager | Creepily persistent marketing. Malvertising (delivering targeted malware via ad networks). |
| Web Browser Frontend | Request a web page from a web server, render the page to the user, let the user interact with the page. | Static content sent via HTML or CSS. Dynamic content sent via JavaScript. | Chrome, Firefox, Edge, Safari | Cross-Site Request Forgery (XSRF). Browser exploits: modern: PDF, JavaScript, GLSL; older: Flash, Java (these plugins are typically disabled by default now). |
| HTTP | Request a resource from a web server. | Simple ASCII request / response protocol. | Apache, nginx, Microsoft IIS, Mongoose | Server exploits, today mostly in CGI-programmable resources rather than the server itself. |
| Transport Layer Security (TLS) | Encrypt and authenticate TCP traffic. Actually optional: bare HTTP on TCP has no privacy or authentication; HTTPS = HTTP + TLS. | X.509 certificates, Diffie-Hellman key exchange, secret key encryption (summary) | LibreSSL, OpenSSL, Microsoft TLS, OS X Secure Transport | SSL stripping. Heartbleed (caused the LibreSSL fork). |
| Transmission Control Protocol (TCP) | Provide continuous, orderly byte streams over unreliable packet networks. Prevent congestive collapse. | Add a header to IP packets specifying where the data goes (port and sequence number). Limit the size of the TCP transmission window. | `nc -l 1234`, `netstat -tulpan` | Guessing TCP sequence numbers to inject traffic (e.g., a reset RST packet). |
| User Datagram Protocol (UDP) | Minimize latency for delivering packets. | Add a header to IP packets specifying which service (port number). | `nc -u -l 1234` | Denial of Service attack. (The classic DoS is a few gigabit/sec of UDP fragments.) Sapphire Worm. |
| Internet Protocol (IP) | Forward packets across networks to the destination IP address. | 4 byte (IPv4) or 16 byte (IPv6) addresses. | `ping 8.8.8.8` | Ping of Death (obsolete) |
| Data Link Layer | Send data to an adjacent machine by Media Access Control (MAC) address. | Broadcast routing | Ethernet, WiFi | MAC spoofing |
| Service | Purpose | Implementation | Example | Vulnerabilities |
|---|---|---|---|---|
| DNSSEC | Authenticate DNS queries. | Sign the Zone Signing Keys with a root 2048-bit RSA "Key Signing Key" (KSK) in a signing ceremony. | KSK-2010, KSK-2017 | DDoS via DNS reflection attack |
| Domain Name System (DNS) | Convert host names ("lawlor.cs.uaf.edu") to IP addresses (137.229.25.247). Augments the local /etc/hosts file, a simple text file lookup. | Transmit Resource Records (RRs) for a domain over UDP port 53. | `whois lawlor.cs.uaf.edu`, BIND DNS server | DNS hijacking. DNS zone transfer. |
| Dynamic Host Configuration Protocol (DHCP) | Set up a machine's network connection when it first connects. | Server listens on UDP port 67; client listens on UDP port 68. | `ifconfig`, `dhclient eth0` | Rogue DHCP server |
| Border Gateway Protocol (BGP) | Dynamically configure the shortest routing path across the internet. | TCP connections on port 179 between neighboring routers. | | DoS by advertising bogus routes. |
| Static Routing | Set up static routes to neighboring machines. | Simple table inside the kernel. | `route -n` | |
| Address Resolution Protocol (ARP) | Find the MAC address for a known IP address. | Send an IP-layer broadcast "who has 1.2.3.4?". Cache the result in the kernel's ARP table. | `arp -n` | ARP poisoning |
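A defender's-side check for the ARP row above, added here as an example that is not part of the original page: parse two `arp -n` snapshots of the kernel's ARP table and flag any IP whose hardware address changed between them, which is the trace an ARP poisoning attack leaves behind. The column layout and the sample addresses below are constructed.

```python
"""Flag MAC changes between successive snapshots of the kernel ARP table."""
import re
from typing import Dict, List, Tuple

# Matches `arp -n` entries such as "10.0.0.1  ether  aa:bb:cc:dd:ee:ff  C  eth0".
# Header lines and "(incomplete)" entries (no hardware address yet) do not match.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} from `arp -n` output; incomplete entries are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def mac_changes(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return sorted(
        (ip, before[ip], after[ip])
        for ip in before.keys() & after.keys()
        if before[ip] != after[ip]
    )


# Constructed sample snapshots: the gateway 10.0.0.1 answers with a new MAC in the second.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   aa:bb:cc:00:00:01   C                     eth0
10.0.0.7                 ether   aa:bb:cc:00:00:07   C                     eth0
"""
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   de:ad:be:ef:00:99   C                     eth0
10.0.0.7                 ether   aa:bb:cc:00:00:07   C                     eth0
10.0.0.9                         (incomplete)                              eth0
"""


def demo() -> List[Tuple[str, str, str]]:
    """Compare the two constructed snapshots; returns the changed entries."""
    return mac_changes(parse_arp_table(SNAPSHOT_BEFORE), parse_arp_table(SNAPSHOT_AFTER))


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT {ip}: MAC changed {old} -> {new}")
```

On a live host, feed the output of `arp -n` taken a minute apart into `parse_arp_table` instead of the constructed snapshots.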