
Question

Exercise 2 (IP Second Fragment Interception attack).

1. This question is about the off-path second fragment interception attack, shown in slide 24 in the TCP/IP Security lecture. One challenge with the attack as described, mentioned in class, is finding the destination port that the off-path attacker (Oscar) should use in the fragment it sends with MF=1 (sent second), to cause the NAT to send the defragmented packet to Zombie. There are different ways for the attacker to know the correct port; this also depends on the type of NAT, as we show in this question. Note: it may be easier to solve the second item before solving the first item, but we recommend reading the items in the order given.

a) Every NAT retains the same mapping from internal (IP, port) to external port and source IP:destination, long enough to be 'sure' that there will not be any further incoming packets sent to the same internal (IP, port). This is usually done simply by waiting 'long enough'; for TCP, the NAT often also detects end-of-connection (using FIN or RST). Utilize this fact (fixed mapping from external port and source IP:port, to an internal IP:port), to find the external port that Oscar should use in that fragment, to intercept the packet. Explain your solution, including a sequence diagram.

b) Many NATs operate in the method called cone NAT, which assigns the same external port to the packets received from all remote source IP:ports to the same internal IP:port pair. Show how, in this case, the attacker can find the external port that Oscar should use in the fragment it sends to intercept the packet. Explain your solution, including a sequence diagram.

c) Change the attack presented in the lecture, for the case that Alice sends fragments in the reverse order, i.e., 2nd fragment before 1st fragment. Present a sequence diagram.

You may use the following assumptions; indicate if, where and why you use them:

a) Alice visits the attacker's website, Oscar.org (i.e., assume cross-site functionality). In particular, the connection to Bob is initiated by Oscar, by embedding an object in Oscar's web page visited by Alice.
b) Alice uses globally-incrementing IP-IDs.
c) Alice uses globally-incrementing source ports.
d) Alice is behind a FW or NAT that drops unsolicited incoming packets.
