Security Now 313: How The Internet Works: ICMP & UDP

coming up on security that we got patches from Microsoft we got patches from Adobe we’ve got a password cartoon from xkcd that they have been inspired by Steve Gibson all that and how the internet works part two UDP and ICMP coming up next net guess you love from people you trust this is Troy’s audio bandwidth for security now is provided by the new Wynn app for Android featuring wireless sync in one click iTunes import now with free daily music downloads and full-length CD listening parties download it for free at Winamp dot-com / Android video bandwidth for security now is provided by cash fly at CA CH e FL y comm this is security now with steve gibson episode 313 recorded august 10th 2011 how the internet works ICMP and UDP this episode of security now is brought to you by squarespace comm the fast and easy way to create a high-quality website or blog for a free trial and 10% off your new account for 6 months go to Squarespace comm and use the offer code security now 8 and by Netflix watch thousands of TV episodes and movies on your PC Mac iPad iPhone or TV instantly all streamed directly to you saving you time money and hassle for your free 30-day trial go to slash twit it’s time for security now not security in a few minutes not security later security now the show you that keeps you safe online and of course joining us the man the myth the legend GRC coms Steve Gibson welcome back Steve’s good to be with you again I didn’t think I’d be here but Leo’s got jury duty again yeah he actually and as we know he is not that he’s still waiting to see whether he has jury duty as he was a week ago but he actually did get empaneled as it’s called and he’s one of the twelve jurors or I guess he could be one of the auxiliaries or they’ll look the extras but he’s on a really interesting case which he can’t talk about because you’re not supposed to when you’re on a jury until I guess afterwards then I think you’re released yeah right that’s the once the once the the case is over you’re cleared so we can’t know anything more about it but it sounds from what he was able to say before he actually went it sounds really interesting so but I’ll be curious to hear about it the judge thinks it’ll take two weeks so I’ll be here on security now this week and next week and Leo will be back after that barring some strange courtroom behavior and we’re glad to have you there the number 13 figures oddly in this week’s security now it is we’re episode number 313 and we’re also the second Tuesday we’ve just passed the second Tuesday of the month so we’ve got the standard Microsoft security updates of which there were 13 and an a mega patch from Adobe fixing 13 critical vulnerabilities in flash and air and shockwave so everything is 13 wow that’s interesting well we’re also we’re also got number one involved because not only is this episode number one of year number seven of security now right but we’re also going to be talking about how the internet works ICMP and UDP and if I understand it right ICMP is protocol one I think that’s true yeah and it’s also is 17 or no 6 I think it is it’s also 2011 there I stretched another couple one all right enough numerology we’re gonna get to all the security news and security updates in a second but want to thank our sponsor for today’s show fast and easy way to create a high quality website or blog I use them for forecast I use them for sword and laser we use them for all kinds of TWiT stuff Squarespace is absolutely fantastic and easy try it out for free you don’t have to use a credit card go to Squarespace comm within seconds you can have a blog up and running and it’ll look great you don’t have to hardly do anything but pick a name and it’ll look good then you can start getting in and using the tools to customize it to make it look exactly the way you want to look if you want to get in there and tweak the code you can’t but you don’t have to you can just move things around add modules even import your old blog let’s say you just want to try it out and see how it looks import your old blog from WordPress or type pad or movable-type or or a blogger and say you know I know that looks pretty good I want to try this out if you decide to leave Squarespace anytime you can always take your data with you they are sworn to data portability so check them out that’s one

of the reasons I like Squarespace is they do things right they’re reliable and the nice thing is they provide the backend for you so that as your site gets more popular you don’t have to worry about adding capacity it’s all taken care of for you sign up for a free account you don’t need a credit card to try it out and start building your website and if you actually decide to keep the service we’re gonna give you 10% off for six months when you use the offer code security now eight now that we’re in the month of August yeah more numbers to remember but security now eight that’s the one to use when you go and try out and like I said no credit card no risk go there right now try it out build yourself a website maybe maybe a little personal security blog out there maybe just an update of what’s going on in your life it doesn’t matter whatever you got to say check it out Squarespace comm we thank them for their support of security now and let’s get into the security updates so we are we’re seeing the same pattern that has been noted by a number of other security Watchers and that is that Microsoft is alternating the size of their security patches from large to small and large to small month after month last month we had an almost not worth mentioning little tiny patch month this month we have a big one and two months ago we had a big ones it’s a light design I don’t know but I mean it’s holding its really odd that they’ll just do a mega one and then a little one and then a mega one and a little one so it is it has been noted in the industry that Microsoft’s following that pattern and they do so again so they’ve issued 13 updates which address 22 different vulnerabilities the we get the standard update to the MS RT the malicious software removal tool which they’re continuing to refine and add signatures to month by month and of course we know that that does a quick scan – uh prior to applying patches because what Microsoft discovered the hard way was that patching was failing in instances where users machines were infected with something which which was interacting with their patches so they had to add this pre-emptive em SRT to make sure that it was safe to change the the dll’s that make up Windows because some of these the malware was was was written specifically to particular versions of them of the Microsoft prior patches and so if anything was updated it could cause like the system to break it wouldn’t be able to reboot and users were blaming Microsoft when it was a fad in fact the case that their system was was already in bad shape already had something handle crept into it in these 22 vulnerabilities there were only two that Microsoft rated as really critical we get the sort of the standard cumulative patch for IE which sort of is a reissue of IE and interestingly it was rated critical for version seven eight and nine of ie but only important for number six that’s usually the opposite isn’t it yeah well what we’re seeing is misses also sort of been an ongoing theme for us we noted we also we often note that that older software is just has less problems because it’s had more time to get pounded on yeah and so so Microsoft is doing new things introducing new code in their newer versions of ie and some of it is gonna have problems but you know they’re not messing with it with IE version six anymore so it’s it’s sort of stabilized in fact that’s exactly the case with the second critical problem which exists in the DNS server code that ships only with Windows 2003 and Windows 2008 does the server additions it does not exist in their their earlier server additions because those servers didn’t have support for something called na PTR DNS records this this na PTR is a new type of DNS record which I don’t know I when I look at it I just closed my eyes and I think why don’t we leave well enough alone because it stands for naming Authority pointer and it actually introduces something known as regular expressions or reg X’s mmm into DNS well

reg X’s are an amazingly powerful but also nightmarish technology and the idea of adding reg X’s into DNS queries just I mean it just makes my head spin it’s like okay do we have to just keep messing with this stuff that already works wits you know we’re this show is about how the internet works and we’re moving through taking a very you know take our time slow methodical deep look at the technologies and DNS is one of these that has existed for decades and has been amazingly solid and resilient yet in pushing it forward we’re beginning to break it we’re beginning to create problems and now this is something is this something Microsoft is implementing or something that’s being implemented that Microsoft is is taking the lead from the folks at managed DNS it’s an exhibit is an RFC so it’s a it’s a it’s a standard internet protocol but what happens is that that several people reported to Microsoft privately that if a malicious user were to register a domain where the the domain server contained these na PTR records then arranged to query Microsoft’s DNS server asking it to resolve a na PTR record the Microsoft server would go query this other domain that contained these and there was a standard coding error in Microsoft’s implementation of this na pointer processing which doesn’t surprise me because your regular expressions are a real I mean you’re just asking for trouble messing with regular expressions so we’ve added those to DNS now and Microsoft didn’t do it completely right how does how does this fit in with DNS SEC because isn’t DNS aren’t we supposed to be trying to lock down DNS and make it so secure why would we add regular expressions to it yeah I know I know actually DNS SEC is essentially signing of records to prevent spoofing of them because DNS is a non is a non secure protocol that is it actually travels over UDP which is one of the topics where this week we’re going to talk about ICMP and UDP as the first two of the internet protocols that we discover and DNS is carried by UDP which unlike HTTP which we also often talk about can be protected by you know the SSL also known as TLS security there is no similar security for DNS so it’s very possible for bad guys to perform man-in-the-middle attacks on DNS altering the DNS records as as they’re going out or bet back and forth to a client that that’s making a query so DNS SEC is a means of adding that missing security to DNS so it’s it’s different from the NA pointer records and the good news is it has been around for a long time and this stuff is just slow to get adopted what when you look at when these various standards are created it just inertia on the Internet just I mean another example of that is ipv4 versus oh yeah six has been around forever well not forever but for you know for a decade yeah we’re just now saying oh well I guess we I really have to get around to doing this you know nobody wants to so anyway the point is that in something new which is adding bells and whistles to DNS Microsoft made a mistake and it created what they acknowledge is a critical error in – and in Windows 2003 in 2008 DNS server people who are not running DNS on though on their Windows servers don’t have a problem so it’s only if you do have the DNS service running there’s a mistake in it that can be exploited so that gets patched and then aside from that there were nine other important fixes six of which were potentially you know had a high exploitability rating the way Microsoft now rates these things there were some remote code execution and the data access components a there was a similar remote code execution and Visio so if you had Visio installed and you and someone sent you a maliciously crafted

Visio file and you opened it it could run code on your machine and so forth so you know basically standard standard advice is keep Windows patched all the time yeah and then similarly it’s a Adobe’s turn Adobe’s been really quiet now for a few months we haven’t had much happening with them but now they’re just letting loose the floodgates all of their main components are being updated flash air and shockwave I put a bunch of links in the show notes for users who can go to the show notes to get these links because if you go to slash software slash slash slash about then that will show you that’ll bring up a web page that shows you your current version and also contains links to the latest I had been at ten point three point one eight one point one four and flat four flash and flash has now been moved to ten point three point one eight three point five so anyone who’s behind does need to get themselves made current this fixes thirteen critical vulnerabilities that affect windows mac linux solaris and android platforms so pretty much across the board and of course not iOS because iOS is doesn’t have flash and red refuses to support flash and not Chrome because Chrome automatically updates itself so you don’t have to take any action exactly and as I think what we’ve discussed before is that that apparently Google has a different relationship with Adobe where they’ve got they’re essentially their own version of Flash that they’re building in and may be responsible for themselves or may get updates directly from Adobe which they then push out in chrome so it’s as you said it’s just doing it automatically by itself air also got updated and you know I’m reluctantly using air because I use TweetDeck hosted on air so I think I used to yeah you know and I’m I wish I didn’t have to but I do so you if you are a if you just relaunch the thing you use air with it’s very good I know the TweetDeck is always telling me oh there’s a new version of air so you know let’s you know download it and then then restart TweetDeck and then you’ll be good to go so you can simply do that or you can go to get dot slash air in order to update yourself it just gives you a download and as regards shockwave I’m always reminding people that they probably don’t need it that it’s the kind of thing that you know maybe five years ago you know if you were wanted to like do ELF bowling or something you might have you might have needed the shock I forgot all about ELF bowling yeah but you know unless you really are addicted to ELF bowling I think that you probably aren’t anymore it’s worth removing it now what you can do is you can just go to slash shockwave slash welcome and I did that under and in Firefox and it said oh click here to get the plugin don’t what that means is you don’t now have it and that’s better than you know having a version that just needs to be maintained all the time and represents one more way that bad stuff can get into your computer so the which what you would like to outcome you would like is slash shockwave slash welcome and then to be offered to plug in and you just say all step away and you know close that tab and and just know that you don’t have it and you don’t need it if it does if it is there then I would seriously look at just removing it from whatever browser you have installed it in unless you know you have to have it if you know you need it then yes you do want to make sure that you’re current because it shares these vulnerabilities with the other tools so certainly worth doing unless you’re if you’re really into that that into ELF bowling you probably have more problems just here security issues at this point yeah sure I would say try Angry Birds yeah because it it’s hosted on slash and they alright let’s move into the security news and I was really excited when I saw this xkcd cartoon yesterday randall munroe who does xkcd is really smart really funny and it’s absolutely worth reading this every day but as soon as I saw his cartoon for today password strength I immediately thought of you Steve and and

the haystacks because he’s talking about exactly what you were talking about which is you make these really complicated passwords that you can’t remember and they’re actually less secure than an easy to remember password well yes so it’s a great cartoon I know that I’m in volved in social networking when thousands of people are sending me this cartoon it that it it really filled up my Twitter feed and I was glad for it because I know I appreciated knowing about it so just for those who don’t you can just go to xkcd calm today or if you’re not listening to the podcast today it’s number nine hundred and thirty six so xkcd calm slash 936 which will get you to this you know fun cartoon I have to imagine time that that this was inspired in fact by the haystacks page because the the second frame of the cartoon talks about how how to to the twenty eight bits of entropy or twenty eight bits of entropy is two to the twenty eight combinations which takes three days and he’s correct about that it’s like 72 hours or something at one thousand guesses per second which is exactly the number I use on the haystacks page and then he says parens plausible attack on a week remote web service yes cracking a stolen hash is faster but it’s not what the average user should worry about which is exactly the language or a version of exactly the language I have on that page so I you know I’m delighted that randall picked up on that and probably knew about it the only problem I have is that his math is wrong he it in the first frame he talks about you know he uses little squares and I love how graphical and you know xkcd ish this is it’s it’s typical for the work he does but he’s not assigning bits for entropy correctly and he’s doing it in a way that benefits the point he’s trying to make so I’m not criticizing him I’m just you know for the sake of our listeners if you put his example into the password haystacks page it shows that you’ve got where he says his example has 28 bits of entropy I calculated at 72 point 3 and so rather than it being three days at a thousand guesses per second it’s actually one point eight three billion centuries at a thousand guesses per second so so but that really wasn’t the point he was trying to make he was he was trying to make the point and and the cartoon does beautifully that what we’ve done in trying to create bizarre passwords that are impossible to memorize is we’ve actually in some cases not come up with something that has substantially more strength than in in his cases he suggests taking four easily memorized random words from the dictionary and concatenated them he so he computes them as each having 11 bits of entropy so he’s assuming that we had a dictionary of 2048 words because that’s 11 bits and that we randomly chose them from the dictionary to assemble a four word sentence which is easy to remember so 11 bits of entropy each times four words is 44 bits of entropy and he and then he says two to the 44 is 550 years at a thousand guesses per second so that’s clearly long enough since none of us are gonna land on haystacks it says seventy eight point three billion trillion centuries so it’s it’s it’s it’s an order of magnitude more secure than then the first password still even when you’re comparing it through haystack now the problem with this is that he ends up with seven so his example is correct horse battery staple and that’s a total of 25 characters it’s surprising how many website won’t let you use a 25 character pass bag yeah we’ve talked about this before it’s so fresh yeah so you know some require like

between 8 and 16 so you’d have to drop a word or two or something so really if you end up with a website that that has a ridiculously small or a worrisome ly small maximum password length then you’re really forced to expand the to expand the size of the character set you know he’s using all lowercase and you know I mean so I would say yes that’s a good password but we also know there are other ways to create strength and in fact explain xkcd calm which apparently follows xkcd calms cartoons one for one you know like daily he explains this and has a link to the haystacks page at GRC explaining that this really you know comes from from an understanding of what it takes to make passwords strong and I of course I take the point or the position that as soon as you’re forced to do brute force cracking length matters more than entropy which it was the the theme of the haystacks page show have just sort of a fun little coincidence on the day that we’re recording the podcast so and go ahead I was gonna ask if I use correct horse battery staple I don’t have to my immediate reaction is well those are for dictionary words wouldn’t a dictionary attack find them but the fact that there are four concatenated random words makes it so that it’s harder for that dictionary attack to work well okay so here’s one of the things that’s hardest to get your head around and this is the reason that first frame in the cartoon is a little misleading is for example he pens a number three on the end and he gives that three bits of entropy because you know that could be any one of 10 digits but the key is the attacker doesn’t know that you put a digit on the end if you said to the attacker oh and by the way while you’re trying to guess my password I ended it with a digit well then the attacker would go oh thank you very much now I don’t have to try all the lowercase alpha all the uppercase alpha and special characters I’ll just try you know 0 through 9 and so in that case he’s right that would be about through actually less than 3 bits of entropy no it would be a bit more actually because you’d because 3 bits would be 8 combinations but the point the key of the concept is the bad guy has no idea what you’ve done and if they did have an idea if they if the bad guy knew that for example a password a password was for dictionary words then yes then then you’ve restricted the the domain of experimentation but the bad guy you know has no idea what you’ve done so so the fact is there are it is much easier to make a much stronger password of a certain length by by adding you know changing the case and salting it with some special characters I mean even for example if you took correct horse battery staple and you just you just stuck dashes in between or your own special joiner character that you didn’t tell anyone about that makes it radically stronger because the bad guy doesn’t know what you if you make any change to it because and that was the real the real insight that that the haystacks Page tries to bring across is that that anything that it that you do that is not going to be that is that is going to sort of take it off the map the all the feedback the attacker gets is in either matches or it doesn’t they don’t get you know it’s not horseshoes and hand-grenades there that was a close one yeah yeah yeah I think that’s what our minds do when we look warmer yeah yeah we expect we think that we’re like oh well we’ll get close and then we’ll start to figure it out but I think the only weakness that I can I can think of in this is if somebody cracks a password in some sequel injection attack at a site that was not properly salted and and they get your format and they want to go after you and so they go okay it looks like he takes the last two letters of the domain name and then always has the word dog spelled with a zero and then if they get that little extra bit of information it would undermine this

but otherwise that this is definitely the way to go Quarry doctor on boeing-boeing pointed out there’s a study done at the University of London showing the cost of having these complicated passwords because people can’t remember them and then they rely on the less secure questions that allow you to recover passwords and all that stuff so easy to remember secure passwords as it would would save us time money hassle and all kinds of things or maybe passwords you don’t need to remember yeah now that’s I’m really interested in that are you ready – well not ready to talk about it yet okay I will tell our leaders because you and I were talking about it before we began recording the thing that I have alluded to a number of times that I’ve said to Leo I’m working on something I think it’s good but I’m not ready I know no yet well for quite a while we have known the the the careful analysis of it is has been done and I have a way of doing non software encryption that is paper based encryption just using a piece of paper as sort of like a custom lookup chart of a certain kind it is possible to do really strong encryption with no technology and that’s what I wanted was in fact it’s called off the grid because it uses a grid but it’s also not technologically based it uses software to create the grid but the actual use of it uses no technology so there’s nothing to store nothing to remember it it turns domain names into a custom matching password throw for that domain so each domain will just automatically get a different secure password which you don’t need to store you don’t need to remember you can just use this thing again and it will give always give you the same password when it’s given the same domain name so I’ll have that in a few weeks and we’ll talk about how it works that’s thrilling that’s been shrieking I can’t wait for that the only weakness there is nobody has pen and paper anymore that’s a paper alright ever since we talked about portable Sound Blaster last week I just hear dogs barking everywhere now it’s one of those you know you learn a new word and suddenly notice it everywhere my dogs are really good but I hear it I hear them all around the neighborhood yep I spent a Sunday afternoon with with a friend with dogs barking in other people’s backyards and I think what happens is people must put their dogs out and then they leave yeah so they don’t they don’t realize that their dog is just bored and just sitting there trying to like bark so to be left back in the house you know it’s probably the fact that when the dog barks normally then his the dog’s owners let him in the house he’s happier you know being around so inadvertently they’re training the dog to bark when they let him out in the backyard but they they they leave and don’t know anyway I had a note here because I’ve continued to do some some brainstorming and research in the background and one thing really interesting happened that I wanted to share with our listeners because I know that so many of our listeners have have been reading daemon the book by Daniel Suarez and the who sequel is freedom TM and one of the things that we encounter early in the Berk in the book is Matthew Sobel’s technology No hypersonic audio where he’s able to to geo spatially locate a speaking voice as if it’s in some location right next to you like speaking out of the air they use that a Nora T report – yes and it turns out that’s true it actually can be done and what what intrigues me about it is and it’s actually it’s something that I want to experiment with with this portable sound blaster project is essentially you’re able to you’re able to transmit ultrasonic frequency which cannot be heard by the target that is for example bird hearing falls off around eighty five hundred cycles per second so anything above that birds won’t hear like like 20 kilohertz and if you if you amplitude modulated ultrasonic frequency what what happens is sound the the air it turns out is an is a has a nonlinear response in the

face of high pressure sound waves the individual sound waves actually heat up the air a little bit and change its temperature on a wave by wave basis the rate of propagation of sound through a physical medium is a is a function of temperature and pressure and humidity and so that change in temperature changes the speed of sound through the air and what happens is the the individual waves that you’re emitting interact with themselves and and so what what that does is it creates nonlinear propagation well we know that a slide rule is nothing but adding it’s essentially it’s performing addition on a logarithmic scale that is on a nonlinear scale so it that’s the way that addition becomes multiplication well we also know from trigonometry there are a whole raft of trigonometric identities one of them says that if you multiply two sine waves together what you get is the sum and difference of the angles so in terms of frequency if we send out two different frequencies we end up getting the sum and difference of the frequencies so for example if we set out instead of just a twenty kilohertz tone which is inaudible if we sent out a 19 kilohertz tone and a 21 kilohertz tone at the same time that is subtract a thousand and add a thousand then the difference of that is two kilohertz and the sum is 40 kilohertz well we can’t hear 40 kilohertz either but we can hear two kilohertz and so what this does is this creates a means for producing audio that is audible sound from inaudible sound yet it has the same directivity as ultrasound which is highly be mobile you can beam ultrasonic frequencies very easily whereas you cannot beam normal sonic frequencies so anyway that the idea is that this thing would be able to whisper to birds and scare them out of the trees you don’t have to blast them you just make the trees seem like they’re haunted because the birds are like where’s that coming from I’m show lost there was a Glee so so that now is it because there’s interference outside of the direction is that it cancels out is that why you’d only hear it in that ones point that you’re pointing it towards yeah there’s there’s some confusion about how this happens but some of what I’ve read indicates that the sound is actually reconstructed when an Arai at its target that is the actual the act of hitting something there there there’s something called an audio spotlight technology yeah where you you can you can aim this at a wall and when it hits the wall that’s when the ultrasonics is demodulated into sonic frequencies and so it it to anyone standing around the wall appears to be the source of the sound not some some transducer mounted up and back behind somewhere so it’s really cool technology that is that’s fantastic all right well I like hearing the updates on the portable sound blaster we’re gonna get to how the internet works but we have a spinrite testimonial first actually yeah we have a listener bob style bud cyber dodo I might get I’m 97 percent certain it’s tibideaux because I knew someone spelled it the same way pronounce it that way I think you got a Bob Thibodeau his subject was Y at Y 80 yet another testimonial and he said Steve Oh hum just another testimonial about a business saved by spin right tack and he said being an avid Twitter Twi ter not Twitterer Twitter I’ve been addicted to security now since episode number one long long always says long about security now number 50 I decided that I should invest and spin right for the four computers in my business since I don’t have a dedicated IT department and I’m the resident geek and I never made time for routine repo routine tests actually this is the moral of the story but we’ll get it at a second so he says it was Microsoft’s Tuesday update on May 8th

when it began I had updated three of the computers when I was in the shop updating number four all went well until the post update reboot then nothing I tried booting off a boot CD but dur C colon backslash reported nothing I had not backed up this computer in a little too long and on it were critical customer files for some impending jobs yikes what to do after much fretting and wringing of hands I remembered I had invested in spin right after hearing you telling Leo about some of the letters you’d received I got out the CD storage case and found my copy of spin right which I had burned to CD popped it in and ran the recovery after a few hours I came back and it was finished it had recovered some sectors and marked several others as unrecoverable I held my breath and rebooted the C colon backslash Drive was back and windows seemed to start ok but then it choked part way through with the error NT OS KR and l the NT OS kernel XE missing or damaged I’m no IT Pro but I knew that a missing NT OS kernel was not good a windows repair or reinstall was probably in order but I didn’t want to risk losing the critical customer files so I decided to pull the hard drive and pop it into a USB case I plugged it into another system which was working and voila thanks to spinrite the C directory appeared I copied the necessary customer files and directories and reinstalled a hard drive in the system all seemed to be in order until I went to the CD storage case to get the windows install discs but it was not to be found I had the CDs for the other systems but they were XP Pro systems not xp home as this one was I tried running the windows repair but it reported missing file NTFS dot sis I tried copying it from another system but got the same error clearly a reinstall was in order now if only spinrite could recover the missing windows install CD which he says as a joke because of course it was missing he says the rest of the story I was unable to locate the missing CD so I bought a Windows Home upgrade CD and the system is up and running once again jobs got done and products delivered thanks for the great product and for all your white hat products like shields up in the like keep up the good work and the fascinating net casts with Leo regards Bob at imprinted specialty products company and of course the moral here is if he had only run the spin right which he had purchased from time to time it would have prevented this from getting to the point where spin right was able to get the drive back which was good because then he was able to get his critical files off of it but he pushed it a little bit past the point where it was able to bring those particular OS files back to the point that they would be able to boot spin right we’ve heard many stories where spin right did make the system bootable again in this case it had gone to it had gone too far so I’ll just remind people I know that many people have purchased spin right and to support the podcast and and me and my efforts for which I’m eternally grateful but do use it every so often take it out and run it because it’ll keep your dries from getting into a condition where you’ll wish you’d used it sooner an ounce of prevention is worth a pound of kernel headaches especially when you’ve already bought it yeah exactly real quickly thank NewTek they’re the folks who give us the TriCaster that allows us to do all the switching and everything we do the new TriCaster 850 is pretty much like having a giant teeny truck down there with our servers except it doesn’t take up near as much room as a giant TV truck and it gives us all of the capabilities of having a major studio in a box we can take with us when we go remote TriCaster lets us broadcast live stream project and record HD video all at the same time those of you are like where’s that HD video twits gonna have it’s in the works and the reason it’s in the works is because we’ve got the new TriCaster 850 with HD streaming so if you’re interested in TriCaster for your own business or your own broadcasting check it out any W Tek comm and we thank TriCaster for for the eight for making the 850 and giving us a chance to do better transitions better CGS everybody loves it so check it out any W Tek komm let’s get to the the main topic today part two of how the internet works we’re talking about ICMP and UDP you’re right

four weeks ago we started in on a an updated we’re gonna take our time do a real thorough look at the fundamental underlying sort of core technologies of the Internet so last time when we did our first episode of this ongoing series I explained how there was this this fundamental conceptual breakthrough that the pioneers of the internet made where instead of having a a physical connection from one point to another the way we did at the time we had leased lines where there was a telephone line permanently anchoring two endpoints that they could use for communicating or we would do a dial-up with a modem in order to dial in to a modem pool to hook up to CompuServe or the source or you know any of the or all the BBS’s that existed on a much smaller scale than than the big providers but in every instance there was a essentially an unbroken connection from these two points so the concept of of changing that and going to a so called a packet based approach where it was a huge breakthrough the idea that as we discussed four weeks ago you would have routers which were which were linked to each other and you would send your your individual packets which were addressed to a destination IP address and sort of just trust or hope relief that they would get there each routers job was to receive the packets treating them all pretty much the same and just look at the at the IP pack or the IP header in the packet which enclosed whatever payload this was was carrying and all it would see was that it was typically version 4 which is what we’ve always had before and we know that we’re all in the process slowly of moving to version 6 but traditionally it’s been version 4 and really the only information there were there was a few pieces of information that we talked about four weeks ago primarily the destination IP which was a 32-bit number composed of four bytes the router would look in its so-called routing table and essentially just decide when that when the packet came in which one of the connections that the sort of the outgoing connections that connected it to the next router should this packet be put out on and it would send it on its way so I want to talk a little bit about some of the fine points today of of what it took to really make that work and two of the simplest protocols that exist on the LAN on the is the simplest protocol is carried by the IP protocol I use the example for weeks ago of nested Russian dolls where where one of the key concepts is a hierarchy of protocols the beauty of that is that it made it future-proof that is all the router the routers on the internet had to understand was the IP protocol which was as simple as it could possibly be it carried the version number which told it what the phone and the version number was the first four bits of the first byte of the packet so it immediately identified the format of the balance of the packet for example an ipv6 IP packet has a different format it because for example it’s got a hundred and twenty eight bit source IP and destination IP not thirty-two so the header in the packet is different for ipv6 versus ipv4 so it’s the very first four bits that come in tells the router oh here’s the format that you can expect to find in all the bits that follow but the the one of the key insights that the developers of the internet had was we’re not going to worry about anything but the absolute minimum information that we need to get the job done

meaning that and this is where this that this nested dolls visualization comes in is the the IP packet itself is the IP header with an undefined payload the packet doesn’t care what it’s carrying the router doesn’t care or even know what it’s carrying its job is simply a little bit of housekeeping and then forwarding the packet on and this is why net neutrality and deep packet inspection really drives some people nutty because it messes with that yeah exactly it’s beginning to break these rules which I mean and it’s it’s the integrity of these rules which is so responsible for for the internet surviving as well as that have and for the internet being as a political you know like that in the true sense of politics it doesn’t it doesn’t like or dislike any particular traffic it doesn’t know or care what what this traffic or that traffic is it just gets it and it sends it towards its destination now one of the problems that the designers realized they would have is the is is the question of what’s called router loops that is you we have this imagine just a a complex network of interconnected routers and each router has a routing table which when it receives a packet an IP packet it looks at the destination IP and it looks in this routing table to determine the a direction that the package should be sent that is which of its outgoing connections to other routers take it take this packet towards its destination and that’s all it does it essentially puts it in the output queue and and when there’s bandwidth available out it goes on the next hop towards its journey well the designers realized if you had a big network of these routers it was possible for a router to make a mistake if its routing table weren’t configured correctly so that a packet might bounce in the wrong direction that is it might be sent out the wrong interface and it was possible that it could come back around to an earlier router in a you know just an in a in a network of interconnected links so if that happened you’d get a loop it’s done in a circle just go into the same routers over and over again right exactly and so the problem is what would potentially happen is you’d have packets that would never die I mean very much like we have you know like malware and spyware and viruses and worms that are still out there from a decade ago trying to reproduce they never die zombie packets yet they’re on some they’re on some server in a closet somewhere that got infected with Code Red or nimda or something and it’s just out there try it’s just out there randomly probing the internet the way it has been for 10 years and it’s never gonna go away so they said so the designer said ok we need we need expiration of packets we need we want the packet to be able to get to its destination but we need it not to live forever because that would be bad I mean he’ll go the entire internet would end up getting clogged up potentially with packets that never die that just go around in circles forever and bog the whole system down so what they added to this this fundamental outer layer the IP layer that that the outer wrapper no matter how deep this wrappers goes the outer layer that’s handled by the routers has has something called TTL the time to live and it’s a byte which we know can have up to 256 different values they and again here’s where we get brilliance on the part of these guys the any-any router that receives an incoming packet and that’s what all routers do every router that receives this packet decrements the TTL value that the packet currently has from whatever value it comes in add it subtracts one if that

number ever goes to zero that is if after subtracting one it’s now zero so the incoming packet had a TTL of one which the router set subtract one from it goes to zero the router simply drops the packet it will not forward it on and and that simple just something that simple that measure solves the problem of packets living forever and in fact what what the router will do is it reports this is one problem that it reports we talked we talked last week about how if routers got congested they would not generate a report that is if a router was trying to forward a packet and the buffer on the outgoing link couldn’t hold any more packets waiting for transmission it would it had permission formal permission from the original designers to simply discard the packet well that that was one of the things that freaked out the original designers because this meant that sending traffic across the internet was unreliable you couldn’t count on it getting there but they said hey that’s a consequence of packet routing where it we’ll worry about that later we’re just gonna do a best-effort forwarding of packets across routers and we do not want to generate more traffic in in in the case of congestion because that would be bad so we’re just gonna drop it in the case of a of a routers packet expiring though the router will send back a message to the packets originator since the IP packet coming in has most a destination IP address where it’s going to where it would like to go to or was trying to get to and a source IP that tells the router the IP address that that generated that packet all other things being equal we know that there are like spoofing of source IPs and so forth we’ll be talking about that at length in the future but the router will send back sort of a maintenance level packet and that’s where this first protocol that lives on top of or inside of the IP protocol comes in that’s ICMP the the router sends back a message saying time exceeded essentially in the it encodes in the ICMP packet the there’s a there’s like a a type of of ICMP packet and then a subtype and so the router sends back a message saying the time exceeded meaning that your packet didn’t make it to its destination for whatever reason it timed out it died it’s time to live fired before it got to its destination so so this does a number of things first of all historically this was really interesting because the internet didn’t used to be very large in the beginning it wasn’t you know it wasn’t global in scope it started off just being a bunch of universities and and a few government entities interconnected experimentally to see this whole thing worked so packets never had to jump very many times remember that time to live doesn’t mean seconds it isn’t and know it even though it’s called time to live it’s not the flow of time it’s the number of routers it’s the number of hops that it’s like it’s like a counter it’s like balls and strikes exactly so we’re in this yes exactly so the original operating systems were setting the TTL to a relatively no low number like 16 or maybe 32 they because that was enough that the internet didn’t have it wasn’t that big it didn’t have that many routers but as ISPs came onboard as as ISPs had their own tiers of routers and as ISPs were connected to ISPs the internet grew and there was this notion of the internet diameter which is a cool concept in the same way that a circles diameter is the distance between the furthest points on a circle the internet

diameter is the largest number of hops between the furthest two points anywhere on the Internet I mean we probably never you never thought about it yeah yeah I think having a diameter but it the analogy applies so the idea would be someone that location trying to send a packet to the machine at the other farthest away point on the Internet well even with everything working correctly no router loops no routing table problems if the operating system generating the source the original IP packet we’re setting its TTL too low it couldn’t reach the destination right and that happened there was a period of time Durand this wasn’t long ago this was maybe ten years ago when we had Windows and we had UNIX I mean the Internet was maturing some people in some locations were unable ever to get to other web sites they were too far away from the website they were too far it’s weird to think about that isn’t that neat yeah and so there was when that was recognized as a problem there was a quick flurry and and and again it’s like the guys who originally designed these they were there’s like this sort of this approach of conservatism it’s you know the TTL was eight bits they didn’t give it 32 because the Internet could never be 4 billion hops in diameter they gave it 8 and they thought well but that’s you know and they initially set it to 16 so just count it down from that so if anything was more than 16 routers away and no one was in the beginning sure then there’d be a problem but what they realized was oh crap you know the internet got bigger all of a sudden and we weren’t paying attention and our operating systems are still setting the TTL too low so operating systems quickly change that and in fact there are some that are 128 many are now setting the TTL to 255 which is the maximum value it can have don’t we ever going to run out of TTL it’s actually a problem I mean it it if we ever had that many hops I mean that you’d have to you know be very deep probably in a very deep hole somewhere trying to reach somebody else in a very deep hole somewhere else Mars so that you had to go many routers out to the top than many routers along the so-called Internet backbone and then many routers back down into another hole somewhere in order to not to be able to get there because that’s an awful lot of hops but so so that’s where and why this whole TTL this time-to-live occurred now one of the things which this creates is which has been a mixed blessing for ISPs is the ability to trace the route that packets take ions trace route exactly so the way that works is you’re normally you emit an IP packet of whatever sort with a TTL deliberately large enough to get to the other end wherever it’s going and these days we set them to 128 or sometimes to 55 and off they go and that’s all you hear about it but we do know that any router that is responsible for expiring a packet by decrementing that TTL value to zero it has a responsibility to send back and notice that sorry the this thing died on the vine it we couldn’t like I’m not allowed to send it any further and you know and I’m not going to so I’m gonna send you back and notice letting me know well what and the the ICMP packet that it sends back has its IP that is the IP address of of its own interface that that it uses for originating that packet back to you so when when you the sender of a packet that died out there on the internet somewhere receives

this this ICMP time exceeded message you get the you get the the source IP of that message is is the router IP where the packet died well now clever UNIX guys who are putting this all together in the beginning said hey it would be cool to be able to trace the route and actually more than cool it might be very necessary in some cases err to trace the route that a packet takes so let’s let’s come up with a command in initially this was in UNIX where we will deliberately set the TTL to 1 and launched the packet well we know what happens the first router it hits decrements that one to a zero and goes oh crap this packet died and so it sends back an ICMP time exceeded message with its IP which we the the entity trying to trace route this we we like print that out on the screen or record it then we send a packet to the same goal the same destination but this time with TTL set to two so it goes for the first router which decrements it to one then it goes to the second router which decrements it to zero and that router now has the dilemma of being onion Oh unable to forward it so it sends back its ICMP time exceeded message with a source IP of you know of its source IP back to us and so clearly by simply sending out packets successively with with an incrementing TTL we’re able to get back the IP address of every router the way that this particular packet addressed to this particular destination would take and not only to get the map but you know by the TTL number how many hops it was independent of counting up the number of IP addresses you get yep and then then you can do one other thing which is a little bit flaky but it can be useful which and this is what software does you can measure the length of time for that roundtrip the reason it’s I say it’s a little flaky is that you never really can know when a packet goes a few hops out and then comes a few hops back there’s no way to to individually know like which link might have been slow but if you do it oh if you do it often then because you are getting sort of a a total loop time for a packet that expires and comes back if there were a one router that we’re like really really bogged down and having a problem and if you’re if the if the round-trip time suddenly increased when you want one router further than that that would be a way of sort of nailing the responsibility of of a slow router at a you know at a specific location now is that how we get ping well ping is a little different ping is it’s actually whereas the the destination unreachable message is message is type code three in in the ICMP packet the the so called echo reply is zero it’s like the original the original message I’m not sure why echo request is eight but the idea is ping is a little different but since the same sort of like underlying internet plumbing them you ping is another command that will probably all internet savvy users know about where you just say ping space and then you’re able to put for example WWF Microsoft comm and your computer will look up the the IP address of Microsoft comm in the same way that your browser does and then send off a packet in that direction what it’s doing is it takes a standard IP packet gives it the normal TTL that is what alters when to expire we wanted to actually get to its destination and the payload of that of that IP packet is an ICMP packet so here again we get this nesting of the protocols that the IP packet contains an

ICMP packet of type 8 which is echo request and so this is this is the the originator just asking to verify connectivity and that thus the word ping which sort of comes from a sonar radar where you you ping something and get back an echo from the you know a a sonar echo from from the burst of sound that you sent out this is sort of exactly the same thing from on an on in in the internet world the idea being that by agreement universal agreement all machines connected to the Internet should when they when when the machine itself not the not programs running in it not servers running in it or or services or applications over anything else nothing running on the machine the operating system itself which is hosting the so-called IP stack when when that IP stack receives a packet and looks at it to decide what to do with it it sees that that IP packet contains an ICMP echo request right there and then requiring no other processing it’s supposed to send back an echo reply and that is sort of fundamental low level plumbing of the internet that allows engineers that the convenience of making sure that routers are routing that links are up that that you know things are working that you’re able to ping the destination IP what that says is I gave an IP or domain name but oftentimes an IP if you’re like working with the actual plumbing of the Internet you’re not looking at at web domain names you’re actually looking at IP addresses I was able to ping that IP address and got a response back the beauty of that is it relies upon nothing else you know the maybe the web servers not up maybe it’s not answering email maybe you know all these other problems can happen so that you want to go to the lowest common denominator and determine whether your traffic any traffic is making it there and back because if you if it doesn’t respond to ping then we’re talking a little bit about the original days because unfortunately these rules have been broken but if it doesn’t respond to ping then that’s where you start it’s like you got to get that working first then you know you that you your traffic is getting there and back and you can then start working your way sort of up into more sophisticated levels the problem is both ping and ICMP and and traceroute have security problems I’m I’m guilty of of popularizing the notion of of computers being stealth full of them not revealing themselves at all and one of the things that ping does is it says ah there’s somebody at that IP address well you know if everybody were wearing white hats and we were all you know being good guys then this wouldn’t be a problem but it’s sometimes the case unfortunately that bad guys are using these protocols against us and ping can create a security vulnerability just verifying that that machine is there and in fact you can flood a user with pings and that’s what some of the early botnets did is all they did was just ping people like crazy right because all operating systems are able to use it and so it’s a simple way of just flooding a given IP with with traffic that will just bury it Poorman DDoS exactly exactly the other problem is that that traceroute because but by by deliberately expiring packets and route towards a destination it’s possible for bad guys to map the topology that is the interconnectedness through ISPs or into corporations if every link along the way responds with its IP address back to the sender then again malicious you know people with with malicious intent can use traceroute in order to get the IP addresses which the intermediate routers inside of

corporations which corporations may not want outsiders to have or even ISPs may not want outsiders to have so so unfortunately due to abuse of these fundamental protocols overtime rules have been broken for example many consumer routers now have an option of whether or not to respond to a ping mm-hmm because it’s the router itself the router at that public IP prior to it doing its NAT translation into a private network it’s the router there that is receiving the ping because it’s the destination IP address if all you know if the protocols were all going to be obeyed that the little IP stack in that router would respond with it to an echo request with an echo reply but unless I’m running a server I don’t want that I don’t want anybody to know my routers there there’s no reason for that exactly and I mean on one hand it’s sort of it’s it’s unfortunate that it’s it’s been abused but it really has been there were many you know years ago when script kiddies were we’re running little botnets and it hadn’t gone sort of big-time as it has now they would use the the ping responses of people they wanted to like blast out of IRC chat rooms in order to see whether they’ve taken someone down yeah and you know and the like overloaded their router by by pinging their router so so exactly as you say Tom it’s it seems to me it’s unfortunate but if the if the end-user wants more security beings stealth full-looking like there’s nobody there you know and not responding to a ping is is the way to do that and and on a much greater scale ISPs are now often blocking traceroute they will they will suppress by configuration there they’re suppressing their own routers response to time exceeded messages they they will if or if a packet expires inside an ISP it just the router drops it not sending back a time exceeded so people may have noticed in some cases if any of our listeners have done trace routes you’ll you’ll sometimes notice that you’ll you’ll get back a few like first a few hops and then there’s like a dead zone of some number of hops and then suddenly it comes alive again what that dead zone is is is a is a range of routers that have been administratively configured not to send back time exceeded messages when they expire packets on route there they’re just they they won’t reveal their presence so there’s like it’s just a you know a blacked-out area in a in a in a traceroute then it’ll come alive again because they are willing to pass those are those time exceeded passes those time exceeded packets through their network just not to originate them and so so then you’ll you’ll continue trace routing out till you’ll finally reached your destination and the other thing I should mention is that some ISPs will block ICMP trace routes which is why many users who have state-of-the-art internet probing utilities will notice that trace routes can use other protocols they can use UDP protocol or TCP that we’ll be talking about in the future because all of those are encapsulated in the IP the outer wrapping the IP protocol packet which is where the destination IP lives and this TTL the time to lift the time to live lives and I should finally talk about the other the other purposes that I’m that the ICMP packet has we talked about how it’s because it’s sort of like your lowest level internet engineering plumbing protocol it it can it is the packet where you do a ping by it by sending out eight a type eight echo request and all other things being equal receiving a type 0 which is echo reply the other thing it has is I talked about this time exceeded message well that’s contained within eight a

ping Type three there’s but ping Type three is is sort of a generic destination unreachable message and then there’s a subtype in the ICMP packet where you could have like the reason for its unreachable so type three means there was a problem we couldn’t something was unreachable there might it might be that the network is unreachable which is a subtype zero the host is unreachable it’s a subtype one the protocol is unreachable the port is unreachable or fragmentation was needed along the way and then finally the other major type is time exceeded fragmentation comes up because as we talked about four weeks ago there it is possible for a router to receive a packet of a certain size on an incoming link but routers are are sort of heterogeneous lis connected to a to a collection of other routers it might be that the router needs to forward the packet across a network that for whatever reason can only handle smaller packets that used to be the case on on telephone lines with modems you might have for example a chunk of a network that was bridged or or interconnected using a high-speed modem or some other protocol than than IP so it would it would carry the packet but it wasn’t able to but by virtue of the the protocol it was using it wasn’t able to to to carry a large packet so the the interface at the the outgoing interface would be configured to know what the maximum packet size is that it’s able to send so again the bright people who designed all this from day one they recognized this could be a problem so they designed into the outer wrapper that original IP wrapper the ability for payments to become fragmented that is where the where the all not all of the of the packet might be forwardable across the next link that is the next hop toward his destination if that if that happened the router had the ability and the permission not by default to chop that packet into one or two or more pieces and then send them on instead of you know bite-sized pieces no router reassembles packets that have been fragmented it’s simply it simply forwards them on so if a link is encountered where this where a packet needs to be fragmented it will it will chop the packet up into what however many number of pieces are necessary and send them each on toward their destination and they’re packed the router that receives it just now it sees them just like any other smaller IP packets and sends them on their way the problem is that this does create problems for some protocols like like audio protocols where where we care about performance suddenly we’ve got like lots of little packets where they’re having to be broken up and and forwarded it would be nice the the original engineers decided if there was some way to to probe the network to have it tell us what the maximum size packet it’s able to send is so there is a bit in the header there’s a there’s an 8-bit field of flags just sort of general purpose flag bits in this in the original IP header and one of them is is actually it’s four bits come to think of it I’m just doing this from memory but I think it’s actually just four bits one of them says this is is instructs the router not to fragment its it’s called the DF bit for don’t fragment and if that bit is in the same way that the TTL going to zero expires the packet and / and prevents the router from forwarding it

if the do not fragment bit is set in an IP packet that must be fragmented in order for it to move outbound from the router the router will instead send back another one of these ICMP low-level plumbing packets saying destination unreachable and the reason is fragmentation needed and the router that generates that will include in that message the size of the of the maximum size packet that the link it was trying to send the packet out of can handle so that’s called that it’s called the path MTU MTU is maximum transmission unit which is to say what is the maximum size that we’re able to use from the these from where we are to where we’re trying to get to and so what will happen is if if we are sending a packet out that is too large for any link on its way towards its destination we consent we can set and if we want to we on a proactively discover the maximum size packet that we’re able to send without causing it’s it’s fragmentation along the way we’re able to do that by setting the do not fragment bit which says to whatever router receives it and is unable to forward it because the link it’s trying to forward it across can’t handle a packet of that size because of what for whatever reason the protocol that it’s trying to use then it sends an error back to us the maximum size that link can handle so we received that and go oh okay good to know we then send out packets no larger than that and again we may leave the donut fragment bit on until we’re sure that we’re able to get to the destination that would tell us that there’s any other link even smaller than what we have now so it’s a means of discovering how large a packet were able to send from from where we are to where we’re trying to get to along the way and and by again by receiving this these ICMP sort of low-level plumbing packets from for any trouble that we have of various sorts and there actually have been instances where routers or or even sometimes inexpensive consumer products have not properly handled these critical internet plumbing problems and have messed up traffic as a consequence so I mean there are some of these these protocols that you know some we can ignore it’s like okay you could have you you you if you could say that not responding to a ping is okay except even that has caused problems thereby remembering this right is this what took you to Boff off the internet problem with the with the with the routers in some country and maybe it wasn’t YouTube but I remember something with the MTU being set by a country in it and it caused huge problems like you’re saying yes it can because and and it would be a streaming media company because they really do need to establish you know they can’t have all their pac-man there there there I was gonna say they’re they’re magnets being fragmented but their packets being fragmented they they need to determine what that is and so I think you’re right Tom I don’t remember if it was YouTube but I’m sure that I remember that there were that if that is not handled correctly you can end up with some serious problems that you know nothing will get around also there was there was one type of server I want to say it was an IRC server where but I don’t know why it would have been oh yeah I I think IRC well I don’t remember now there was some server where it was you would make a connection to it and maybe was just FTP but I thought it was a little more exotic than that you would make a connection to it and it would ping you back to sort of like verify your that you were there and and and if you didn’t respond to that it

would not finish negotiating the protocol and so there were some instances I remember that’s one of the reasons that I thought I thought that the original zone alarm firewall years ago was clever was that they had adaptive stell thing if if somebody you were not connecting to tried to ping you the zone alarm firewall would drop the packet but if you had an outbound you’re an outbound dialogue with a given remote IP and you’ve got an ICMP echo request from them then it would respond and and that zone alarm firewall at the time was the only one that had this smart adaptive ping response which allowed it to do a better job at creating whatever it was I want to say IRC for some reason I don’t know why the IRC server would have been doing that but anyway it’s been a while since I’ve been thinking about that and we have time so I want to just just I want to discuss the one one additional protocol aside from ICMP which is another simple perfect example of nesting protocols and that’s the so-called UDP protocol it stands for user Datagram protocol although some people call it unreliable Datagram protocol sometimes yes and it’s actually and it’s it’s got both designations and it’s actually sort of a play on the fact that it is in fact unreliable but like the pieces yes exactly like the geniuses who created all this in the beginning they designed the system so that it would still work in the face of designed in unreliability as we talked about for four weeks ago and I’ve reminded us earlier if a router gets congested it has permission to just discard packets that it’s unable to route because its outbound buffers are full and there’s too many packets trying to get out on a link that is congested it’s able to just drop it and say oops sorry wasn’t able to do anything with that so so we have the the the outer layer IP packet which contains the version number of the IP protocol typically for some day more typically six we hope we know that it contains some flags like like like lack of fragmentation permission it contains the overall length of the entire packet so that the router knows as data is coming in where the packet ends we know that it contains the source IP and destination IP we know it contains the TTL the time to live for that packet and it contains a checksum which allows the router to verify that there has been no communication error so far as this packet is moving from hop to hop across the internet there’s no notion of ports we will all heard about and talk about ports a lot that’s not in the IP packet and that’s again this is one of the brilliant innovations of the originators all at the lowest level all we care about is individual IP addresses what happens after the Paquette gets there is is where we begin to add a next layer of complexity we know that we have the I that IP packet can can carry this ICMP payload which is used for low-level plumbing well in the next the next level up in complexity is it can also carry a UDP packet and true to form this UDP packet can is the minimum necessary to add just one more little layer of complexity the UDP packet contains the source port the destination port the length of its own payload and a checksum followed by whatever it contains and that’s the point anything also what what what UDP adds to what we already have which is really not much it’s just just enough to get us there and handle handle specifying where we want to go and handle dying on the vine if we can’t get

there and handle fragmentation just enough what the UDP adds is some abstraction of what we want to do once we get there and that’s port numbers ports are nothing but 16-bit values carried in the packet that’s all they are it’s I mean it’s you know we talk about them like they’re magic you know like port 80 and port 443 and and and or get to email or exactly and we get email from you know I am a pond 143 or from pop one on 110 we send it to SMTP on port 25 and so you know ports ports ports for DNS you know it is on 53 so you know everything is about ports but all it is is just a number it’s a it’s a donation port where we came from which is mostly used for the sake of sending something back to us and the I’m sorry the source port I got that wrong the source port where we came from which is is the source of this traffic which is used for the further for the sake of getting something back to us and then the dist and then the destination port is like the destination IP the destination IP contained in the outer IP wrapper in the IP header that gets us to the machine then if the if the protocol is UDP that says oh UDP packets contain port numbers the IP doesn’t the IP header doesn’t the UDP packet does so what all that does is because it contains a destination port that tells the software running in the computer which service to send this to so when services start up like an SMTP Simple Mail Transfer Protocol service starts up in a UNIX machine or whatever server hardware it’s running in it registers itself to listen on port 25 that is listen for incoming traffic on that port number which which essentially says when traffic comes in actually tip technically this is TCP protocol which we’ll be talking about next but for example a DNS server listens for UDP traffic on port 53 and so all these ports are is agreement they’re just abstractions that that have been sort of universally agreed to servers you know mail servers will listen on port 110 what 143 and 25 DNS servers listen on port 53 web servers listen on port 80 and for secure traffic on for three and so there’s this array of port numbers the idea being that that allows a sender to identify the class of traffic the type of traffic that it’s sending simply by saying I want to send traffic to the following IP that is a machine at this IP and to the service at this lit the service listening for traffic on this port number so it’s so the port number which is a 16-bit value so it can have any value actually port 0 is sort of reserved so it can from it can have any value from 1 up to 65535 and by convention the first one pay ports the first 10 23 since we’re not counting 0 or it’d be 1024 the first 10 23 ports are reserved as service ports or server ports and by again by convention services typically a set themselves up and listen for connections on those ports and within in within systems like UNIX the user processes that are running are unable to listen on those service ports only services that are registered with the proper permissions are able to set up shop and listen on those lower numbered the first from ports 1 to 2 port 10 23 though those are reserved for that other user processes are able to listen on higher numbered ports and so for example you’ll you’ll often find like a system will

start up an irq server and it runs on port 6 6 6 6 for example and also sort of the beast 6 7 exactly and sometimes people will run on also an alternative web server on port 8080 which being above that 10:23 boundary is up in user space so it’s not where you normally run a web server which is why it in order to reach on the URL that your your you’re using you’ve got to put a colon after the URL and then manually override then your web browser is normal you support 80 and put a colon eight zero eight zero to tell your web browser ah we’re gonna connect to this location but we want the you you to connect on port 8080 rather than on port 80 which is what normal web trout browser traffic would be using we’re gonna have to wrap it up Steve but I know I want to get to the important point about UDP at the end here which is what it’s good for right well yeah it is a general purpose traffic carrying protocol so it’s used for UDP UDP is probably the thing most often it’s used for but because it doesn’t have we mentioned its unreliable meaning you can’t guarantee it gets there there’s there’s there’s no mechanism for the application that generates UDP traffic for knowing that it gets there so for example when DNS which uses UDP sends a DNS query in a UDP packet to some servers port 53 which is by agreement just the 16 bit number where the the DNS server is living if it doesn’t hear a response that can happen so it’ll send it again and then he’ll wait a little bit longer it backs off a little bit and and then sends it again so it’ll retry until it gets a response because nothing that we’ve talked about guarantees delivery of UDP traffic that’s why it’s also known as you mentioned at the beginning of this as the unreliable Datagram Datagram protocol because it’s up to the application itself to deal with that delivery one of the things that that it’s used for often if we’re using a for right now Tom and that is is real-time communications audio and video that is to say media streaming on the Internet we’re I’m sending traffic to you as I’m speaking it’s streaming to you over the UDP protocol which was chosen because it is so simple if something gets lost in the way the audio reconstruction at the other end will try to like make up for that lost gap in one little pixel gets dropped it can be interpolated in our eyes even can fix things when that you know if the if the framerate drops a little low so it that’s why it’s so great for things that are that are not like we have to have every little piece of it we just want to get there fast and that that kind of that boeing-boeing sound that our listeners will hear from time to time in this podcast that is a lost packet that is a packet that was either lost or delayed too long and the and the the codec which is reconstructing that couldn’t wait any longer it had to guess so it tried to fill in using the audio that had already had to source or there isn’t an actual dead spot it figures that that that finding a little kind of that springy sound is better than then just having nothing right there I of the lost packet so we don’t have congestion control we don’t know if things are too busy we don’t know if things are missing oh we also don’t know if they even arrive out of order that’s one of the things that the next protocol we talk about TCP handles all of these problems for us transparently the problem is it introduces overhead that that can cause a problem so that’s that’s useful for downloading files where we we have to have the packets arriving and reassembled in the proper sequence or our file would get broken we don’t it’s just not so important for what when it’s not important when we really care about minimal overhead UDP is the protocol we want we want when we want the convenience of making sure that something gets to its destination exact the right then we use TCP that’s why sometimes you hear me say of sentenced

before end of okay so anything else before UDP because we have to we I’m getting the rap sign before we go to twig and we will we will continue when we continue the series with talking about the TCP protocol which is so brilliantly conceived it’s equal to all the brilliance that we’ve talked about so far it is just a spectacular protocol TC these the one people most likely have heard of because they hear about tcp/ip that probably that an HTTP or the the famous ones I would say it is probably demonstratable that TCP is the most used protocol in the history of Earth as protocols go there it is the protocol I mean you could argue that IP is always there because if TCP is there then IP is encapsulating it so okay definitely yes but I mean in terms of a high-level protocol TCP is it because it’s all of our downloads all of our web browsing I mean most of what the Internet is used for is over TCP and we will discuss it in detail next time all right look forward to it thank you Steve I’ll be back with you next week leo be on jury duty for one more week and and we’ll be covering another Q&A session next week don’t forget you can find all the things Steve does and he does some great stuff over at GRC comm shields up spin right the the haystack protocol we were talking about earlier in the show with xkcd you can get that there good place to test out your passwords make some more secure password Steve always great to talk to you thanks for letting me sit in for the it’s a pleasure Tom talk to you next week alright that’s it for security now we’ll see you next time