question4.txt
Describe (in 2-3 paragraphs) your evasion strategy:
The idea behind the evasion strategy was to prevent the firewall from seeing the request as a whole. This is done by fragmenting the request into small chunks, none of which carries any blocked content in its payload on its own, and sending them in multiple PSH/ACK (“PA”) packets. We chose a chunk size of 2 bytes: the request is sent 2 bytes at a time, with the sequence number incremented by 2 for each subsequent packet. This worked effectively: no RST packets were received for an otherwise blocked Google request, and a valid response came back.
We went further with this strategy and sent bogus packets alongside the original request. The reason is to cover the case where the firewall reassembles the stream, which it might succeed at if no bogus packets were sent. The flow was as follows: for each 2 bytes of the original request, choose 2 random lower-case letters. Then send 2 packets with the same sequence number, in random order, one containing the original 2 bytes of the request and the other containing the two random letters. Then increment the sequence number by 2 and repeat until the entire request has been sent. The time to live (TTL) of the bogus packets was set just high enough to reach the firewall (the hop count was found via traceroute) but to expire before they reach the server. Should the firewall try to reconstruct our request, it is left with an ambiguity, because it sees the bogus packets and the genuine packets carrying the same sequence numbers. The genuine packets, however, had a TTL large enough to reach the server. The server can reconstruct the request from the packets it receives, because the bogus packets expire before they arrive; with all of the original packets and none of the bogus ones, there is no ambiguity on the server side. This effectively bypassed the firewall.
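From the defender's side, the two properties this strategy depends on (two segments claiming the same sequence number with different data, and a subset of segments with a conspicuously short TTL) are exactly what an inline sensor can flag. The following is an added example, not part of the original write-up, that runs those checks over a constructed sample flow and rebuilds the stream the way the far end would actually see it; the `Segment` type and the sample values are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number
    ttl: int        # IP TTL as observed by the sensor
    payload: bytes


def find_conflicts(segments):
    """Sequence numbers that arrive with two or more different payloads.
    A benign retransmission repeats the same bytes; differing bytes at the
    same offset mean the stream is ambiguous to any middlebox reassembling it."""
    by_seq = defaultdict(set)
    for s in segments:
        by_seq[s.seq].add(s.payload)
    return {seq: sorted(p) for seq, p in by_seq.items() if len(p) > 1}


def find_ttl_outliers(segments, max_gap=8):
    """Segments whose TTL sits far below the flow's median TTL: packets
    engineered to expire between an inline device and the destination."""
    base = median(s.ttl for s in segments)
    return [s for s in segments if base - s.ttl > max_gap]


def reassemble_favouring_long_ttl(segments):
    """Rebuild the stream keeping, per sequence number, the copy most likely
    to survive to the far end (highest TTL). This approximates what the
    destination host receives once short-lived decoys have expired."""
    best = {}
    for s in segments:
        if s.seq not in best or s.ttl > best[s.seq].ttl:
            best[s.seq] = s
    return b"".join(best[k].payload for k in sorted(best))


# Constructed sample flow (not captured traffic): a request sent two bytes
# per segment, each chunk paired with a same-sequence decoy carrying a short TTL.
SAMPLE = [
    Segment(0, 64, b"GE"), Segment(0, 7, b"qz"),
    Segment(2, 7, b"xk"), Segment(2, 64, b"T "),
    Segment(4, 64, b"/ "), Segment(4, 7, b"mv"),
]

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
    print([s.seq for s in find_ttl_outliers(SAMPLE)])
    print(reassemble_favouring_long_ttl(SAMPLE))
```

A sensor that rejects a flow on `find_conflicts` alone will also trip on some legitimate broken stacks, so pairing the conflict check with the TTL outlier check gives a much tighter signal.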