Some of the materials are excerpted from Michael T. Goodrich & Roberto Tamassia's book and Ross Anderson's book
NETWORKS: IP AND TCP
INTERNET PROTOCOL
Connectionless
Each packet is transported independently from other packets
Unreliable
Delivery on a best effort basis
No acknowledgments
Packets may be lost, reordered, corrupted, or duplicated
IP packets
Encapsulate TCP and UDP packets
Encapsulated into link-layer frames
[Figure: encapsulation: a TCP or UDP packet is carried inside an IP packet, which is carried inside a data link frame]
IP ADDRESSES AND PACKETS
IP addresses
IPv4: 32-bit addresses
IPv6: 128-bit addresses
Address subdivided into network, subnet, and host
e.g., 128.148.32.110
Broadcast addresses
e.g., 128.148.32.255
Private networks
not routed outside of a LAN
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
IP header includes
Source address
Destination address
Packet length (up to 64KB)
Time to live (up to 255)
IP protocol version
Fragmentation information
Transport layer protocol information (e.g., TCP)
[Figure: IP header layout: version (v), length, fragmentation info, TTL, protocol (prot.), source address, destination address]
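As an added example (not from the slides, and not from the Goodrich & Tamassia or Anderson books), the following Python decodes the header fields listed above from a constructed IPv4 packet, verifies the header checksum, and checks whether an address lies in one of the private ranges that are not routed outside a LAN. The header builder is my own helper; the sample addresses are the slide's 128.148.32.110 and a constructed 10.0.0.7.

```python
import ipaddress
import socket
import struct

# RFC 1918 private ranges: not routed outside a LAN.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, *, ttl: int = 64,
                      proto: int = 6, ident: int = 0x1234,
                      dont_fragment: bool = True) -> bytes:
    """Helper (mine, not from the slides): a minimal 20-byte IPv4 header with a valid checksum."""
    flags_frag = 0x4000 if dont_fragment else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr)            # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields the slide lists: version, length, fragmentation info, TTL, protocol, addresses."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        # a header whose checksum is intact sums to 0xFFFF, so its complement is 0
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


if __name__ == "__main__":
    pkt = build_ipv4_header("128.148.32.110", "10.0.0.7", payload_len=100)
    print(parse_ipv4_header(pkt))
    print(is_private("10.0.0.7"), is_private("128.148.32.110"))
```

The checksum test is the one a router or a sniffer-based monitor applies: a single flipped bit in any header field makes the one's-complement sum stop at 0xFFFF, so the corrupted header is rejected before the addresses are trusted.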
IP ADDRESS SPACE AND ICANN
Hosts on the internet must have unique IP addresses
Internet Corporation for Assigned Names and Numbers
International nonprofit organization
Incorporated in the US
Allocates IP address space
Manages top-level domains
Historical bias in favor of US corporations and nonprofit organizations
Examples of /8 blocks allocated to single organizations (block, date, organization)
/8  May 94  General Electric
/8  Aug 92  IBM
/8  Jun 95  AT&T Bell Labs
/8  Sep 91  Xerox Corporation
/8  Jul 94  Hewlett-Packard
/8  Jul 92  Apple Computer
/8  Jan 94  MIT
/8  May 95  Ford Motor
/8  Jun 94  Eli Lilly
/8  Jan 91  Japan Inet
/8  Jul 92  Amateur Radio Digital
/8  Jan 91  Bell-Northern Res.
/8  May 95  Prudential Securities
/8  Mar 92  Merck
/8  Apr 95  Boeing
/8  Jun 94  U.S. Postal Service
A TYPICAL UNIVERSITY’S IP SPACE
Most universities separate their network connecting dorms and the network connecting offices and academic buildings
Dorms
Class B network 138.16.0.0/16 (64K addresses)
Academic buildings and offices
Class B network 128.148.0.0/16 (64K addresses)
Each department
Several class C (/24) networks, each with 254 addresses
IP ROUTING
A router bridges two or more networks
Operates at the network layer
Maintains tables to forward packets to the appropriate network
Forwarding decisions based solely on the destination address
Routing table
Maps ranges of addresses to LANs or other gateway routers
INTERNET CONTROL MESSAGE PROTOCOL (ICMP)
Used for network testing and debugging
Simple messages encapsulated in single IP packets
Considered a network layer protocol
Tools based on ICMP
Ping: sends series of echo request messages and provides statistics on roundtrip times and packet loss
Traceroute: sends a series of ICMP packets with increasing TTL values to discover routes
ICMP ATTACKS
Ping of death
ICMP specifies messages must fit a single IP packet (64KB)
Send a ping packet that exceeds maximum size using IP fragmentation
Reassembled packet caused several operating systems to crash due to a buffer overflow
Smurf
Ping a broadcast address using a spoofed source address
SMURF ATTACK
[Figure: the attacker sends an echo request with the victim's address as the spoofed source to the amplifying network's broadcast address; every host on that network sends an echo response to the victim]
IP VULNERABILITIES
Unencrypted transmission
Eavesdropping possible at any intermediate host during routing
No source authentication
Sender can spoof source address, making it difficult to trace packet back to attacker
No integrity checking
Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks
No bandwidth constraints
Large number of packets can be injected into network to launch a denial-of-service attack
Broadcast addresses provide additional leverage
DENIAL OF SERVICE ATTACK
Send large number of packets to host providing service
Slows down or crashes host
Often executed by botnet
Attack propagation
Starts at zombies
Travels through a tree of internet routers rooted at the victim
Ends at victim
Source spoofing
Hides attacker
Scatters return traffic from victim
Source:
M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.
IP TRACEBACK
Problem
How to identify leaves of DoS propagation tree
Routers next to attacker
Issues
There are more than 2M internet routers
Attacker can spoof source address
Attacker knows that traceback is being performed
Approaches
Filtering and tracing (immediate reaction)
Messaging (additional traffic)
Logging (additional storage)
Probabilistic marking
PROBABILISTIC PACKET MARKING
Method
Random injection of information into packet header
Changes seldom used bits
Forward routing information to victim
Redundancy to survive packet losses
Benefits
No additional traffic
No router storage
No packet size increase
Can be performed online or offline
TRANSMISSION CONTROL PROTOCOL
TCP is a transport layer protocol guaranteeing reliable data transfer, in-order delivery of messages and the ability to distinguish data for multiple concurrent applications on the same host
Most popular application protocols, including WWW, FTP and SSH are built on top of TCP
TCP takes a stream of 8-bit byte data, packages it into appropriately sized segments and calls on IP to transmit these packets
Delivery order is maintained by marking each packet with a sequence number
Every time TCP receives a packet, it sends out an ACK to indicate successful receipt of the packet.
TCP generally checks data transmitted by comparing a checksum of the data with a checksum encoded in the packet
PORTS
TCP supports multiple concurrent applications on the same server
Accomplishes this by having ports, 16 bit numbers identifying where data is directed
The TCP header includes space for both a source and a destination port, thus allowing TCP to route all data
In most cases, both TCP and UDP use the same port numbers for the same applications
Ports 0 through 1023 are reserved for use by known protocols.
Ports 1024 through 49151 are known as user ports, and should be used by most user programs for listening to connections and the like
Ports 49152 through 65535 are private ports used for dynamic allocation by socket libraries
TCP PACKET FORMAT
Bit offset   0-3       4-7        8-15     16-31
0            Source Port                   Destination Port
32           Sequence Number
64           Acknowledgment Number
96           Offset    Reserved   Flags    Window Size
128          Checksum                      Urgent Pointer
160          Options
>= 160       Payload
ESTABLISHING TCP CONNECTIONS
TCP connections are established through a three way handshake.
The server generally has a passive listener, waiting for a connection request
The client requests a connection by sending out a SYN packet
The server responds by sending a SYN/ACK packet, indicating an acknowledgment for the connection
The client responds by sending an ACK to the server thus establishing connection
SYN: Seq = x
SYN-ACK: Seq = y, Ack = x + 1
ACK: Seq = x + 1, Ack = y + 1
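As an added example (mine, not from the slides), the following Python decodes the TCP header layout shown in the packet format table and checks that three segments form the SYN, SYN-ACK, ACK exchange above, including the Ack = x + 1 and Ack = y + 1 arithmetic modulo 2^32. The header builder is my own helper; checksums are left at zero because the point is the field layout and the handshake relationships.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SEQ_MASK = 0xFFFFFFFF   # sequence numbers wrap modulo 2^32


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Helper (mine, not from the slides): 20-byte TCP header without options; checksum left at 0."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5                      # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq & SEQ_MASK, ack & SEQ_MASK,
                       data_offset << 4, flag_bits, window, 0, 0)


def parse_tcp_header(segment):
    """Decode ports, seq, ack, offset, flags, window, checksum, urgent pointer, options and payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_bits,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4     # top 4 bits of the byte, in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_bits & bit},
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def check_handshake(syn, synack, ack):
    """True when the three segments form a valid SYN, SYN-ACK, ACK exchange."""
    s, sa, a = (parse_tcp_header(x) for x in (syn, synack, ack))
    x, y = s["seq"], sa["seq"]
    return (
        s["flags"] == {"SYN"}
        and sa["flags"] == {"SYN", "ACK"}
        and "ACK" in a["flags"] and "SYN" not in a["flags"]
        # the reply and the final ACK must mirror the client's port pair
        and (sa["sport"], sa["dport"]) == (s["dport"], s["sport"])
        and (a["sport"], a["dport"]) == (s["sport"], s["dport"])
        # sequence/acknowledgment arithmetic from the slide, modulo 2^32
        and sa["ack"] == (x + 1) & SEQ_MASK
        and a["seq"] == (x + 1) & SEQ_MASK
        and a["ack"] == (y + 1) & SEQ_MASK
    )


if __name__ == "__main__":
    x, y = 1000, 5000
    syn = build_tcp_header(40000, 80, x, 0, ["SYN"])
    synack = build_tcp_header(80, 40000, y, x + 1, ["SYN", "ACK"])
    ack = build_tcp_header(40000, 80, x + 1, y + 1, ["ACK"])
    print(parse_tcp_header(synack)["flags"], check_handshake(syn, synack, ack))
```

The same relationships are what a firewall or IDS uses to decide whether a segment belongs to an established connection, which is why a SYN-ACK whose acknowledgment number is off by one is rejected in the check.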
SYN FLOOD
Typically a DoS attack, though it can be combined with other attacks such as TCP hijacking
Relies on sending TCP connection requests faster than the server can process them
The attacker creates a large number of packets with spoofed source addresses and sets the SYN flag on them
The server responds with a SYN/ACK for which it never gets a response (it waits about 3 minutes for each)
Eventually the server stops accepting connection requests, thus triggering a denial of service
Can be solved in multiple ways
One of the common ways to do this is to use SYN cookies
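To show how SYN cookies remove the per-connection state that a SYN flood exhausts, here is an added example of my own (the slides do not give an implementation, and this is a simplified layout rather than any operating system's). The server's initial sequence number in the SYN-ACK is computed from a secret, the connection 4-tuple, a coarse time counter and the client's ISN; nothing is stored. When the final ACK arrives, the server rebuilds the cookie from ack - 1 and accepts the connection only if it verifies. The MSS table, the bit split (6-bit counter, 2-bit MSS index, 24-bit hash) and all addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

SEQ_MASK = 0xFFFFFFFF
MSS_TABLE = (536, 1220, 1440, 1460)   # constructed table; the index fits in 2 bits


def _cookie_hash(secret, src, dst, sport, dport, count, client_isn):
    """24-bit keyed hash over the connection 4-tuple, the time counter and the client's ISN."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, count, client_isn)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, dst, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK: 6-bit counter | 2-bit MSS index | 24-bit hash. No state is stored."""
    count &= 0x3F
    client_isn &= SEQ_MASK
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    return ((count << 26) | (mss_idx << 24)
            | _cookie_hash(secret, src, dst, sport, dport, count, client_isn))


def check_syn_cookie(secret, src, dst, sport, dport, client_seq, ack, now_count):
    """On the final ACK, rebuild the cookie from ack - 1 and validate it. Returns the MSS or None."""
    cookie = (ack - 1) & SEQ_MASK
    client_isn = (client_seq - 1) & SEQ_MASK
    count = cookie >> 26
    # accept cookies minted in the current or the previous counter period, nothing older
    if count not in (now_count & 0x3F, (now_count - 1) & 0x3F):
        return None
    expected = _cookie_hash(secret, src, dst, sport, dport, count, client_isn)
    if (cookie & 0xFFFFFF) != expected:
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    cookie = make_syn_cookie(secret, "203.0.113.9", "198.51.100.1", 40000, 80,
                             client_isn=1000, mss=1460, count=7)
    print(hex(cookie), check_syn_cookie(secret, "203.0.113.9", "198.51.100.1",
                                        40000, 80, 1001, cookie + 1, now_count=7))
```

Because the half-open entry is never created, spoofed SYNs that never complete cost the server nothing beyond sending the SYN-ACK; the price is that TCP options that do not fit in the cookie (here everything but a coarse MSS) are lost for connections accepted this way, which is why real stacks only switch to cookies once the backlog fills.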
TCP DATA TRANSFER
During connection initialization using the three way handshake, initial sequence numbers are exchanged
The TCP header includes a 16 bit checksum of the data and parts of the header, including the source and destination
Acknowledgment or lack thereof is used by TCP to keep track of network congestion and control flow and such
TCP connections are cleanly terminated with a 4-way handshake
The client which wishes to terminate the connection sends a FIN message to the other client
The other client responds by sending an ACK
The other client sends a FIN
The original client now sends an ACK, and the connection is terminated
TCP DATA TRANSFER AND TEARDOWN
[Figure: data transfer between client and server: Data seq=x, Ack seq=x+1; Data seq=y, Ack seq=y+1]
[Figure: four-way teardown between client and server: Fin seq=x, Ack seq=x+1; Fin seq=y, Ack seq=y+1]
TCP CONGESTION CONTROL
During the mid-80s it was discovered that uncontrolled TCP messages were causing large scale network congestion
TCP responded to congestion by retransmitting lost packets, thus making the problem worse
What is predominantly used today is a system where ACKs are used to determine the maximum number of packets which should be sent out
Most TCP congestion avoidance algorithms, avoid congestion by modifying a congestion window (cwnd) as more cumulative ACKs are received
Lost packets are taken to be a sign of network congestion
TCP begins with an extremely low cwnd and rapidly increases it to reach the bottleneck capacity
At this point it shifts to a collision detection algorithm which slowly probes the network for additional bandwidth
TCP congestion control is a good idea in general but allows for certain attacks.
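As an added example (my own simplified model, not code from the slides or from any TCP stack), the following Python traces cwnd round by round through the two regimes just described: exponential growth while cwnd is below ssthresh, then one segment per round, with a loss halving ssthresh and restarting slow start. Loss rounds are supplied as input so that the effect of a single lost packet on the sending rate is visible.

```python
def simulate_cwnd(rounds, ssthresh, loss_rounds=(), initial_cwnd=1):
    """Return (cwnd at the start of each RTT round, final ssthresh), in segments.

    Slow start doubles cwnd each round until it reaches ssthresh; congestion
    avoidance then adds one segment per round. A loss is taken as a congestion
    signal: ssthresh becomes half of the current cwnd and slow start restarts
    (the timeout-style reaction). Simplified model, assumed for illustration.
    """
    cwnd = initial_cwnd
    history = []
    for r in range(rounds):
        history.append(cwnd)
        if r in loss_rounds:
            ssthresh = max(cwnd // 2, 2)       # multiplicative decrease
            cwnd = initial_cwnd                # back to slow start
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)     # slow start (capped at ssthresh here)
        else:
            cwnd += 1                          # congestion avoidance: additive increase
    return history, ssthresh


def rounds_to_reach(target, ssthresh):
    """How many RTT rounds a fresh connection needs before cwnd reaches target segments."""
    cwnd, r = 1, 0
    while cwnd < target:
        cwnd = min(cwnd * 2, ssthresh) if cwnd < ssthresh else cwnd + 1
        r += 1
    return r


if __name__ == "__main__":
    history, final_ssthresh = simulate_cwnd(10, ssthresh=8, loss_rounds={6})
    print(history, final_ssthresh)            # a single loss in round 6 drops cwnd from 11 to 1
    print(rounds_to_reach(64, ssthresh=16))
```

The asymmetry between the fast climb and the reset is the lever the next slide's optimistic ACK attack pulls: the sender's only view of the network is the ACK stream, so a receiver that never reports loss keeps it in the growth regime.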
OPTIMISTIC ACK ATTACK
The optimistic ACK attack takes advantage of TCP congestion control
It begins with a client sending out ACKs for data segments it hasn't yet received
This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd
This leads to the attacker providing more optimistic ACKs, and eventually to bandwidth use beyond what the server has available
This can also be played out across multiple servers, with enough congestion that a certain section of the network is no longer reachable
There are no practical solutions to this problem
SESSION HIJACKING
Also commonly known as TCP Session Hijacking
A security attack over a protected network
Attempt to take control of a network session
A session is the server keeping state of a client's connection
Servers need to keep track of messages sent between client and the server and their respective actions
Most networks follow the TCP/IP protocol
Spoofing is one type of hijacking on a large network
IP SPOOFING
Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another
If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously
There are two basic forms of IP Spoofing
Blind Spoofing
Attack from any source
Non-Blind Spoofing
Attack from the same subnet
BLIND IP SPOOFING
The TCP/IP protocol requires that “acknowledgement” numbers be sent across sessions
Makes sure that the client is getting the server’s packets and vice versa
Need to have the right sequence of acknowledgment numbers to spoof an IP identity
NON-BLIND IP SPOOFING
Spoofing without inherently knowing the acknowledgment sequence pattern
Done on the same subnet
Use a packet sniffer to analyze the sequence pattern
Packet sniffers intercept network packets
Eventually decodes and analyzes the packets sent across the network
Determine the acknowledgment sequence pattern from the packets
Send messages to server with actual client's IP address and with validly sequenced acknowledgment number
PACKET SNIFFERS
Packet sniffers “read” information traversing a network
Packet sniffers intercept network packets, possibly using ARP cache poisoning
Can be used as legitimate tools to analyze a network
Monitor network usage
Filter network traffic
Analyze network problems
Can also be used maliciously
Steal information (e.g., passwords, conversations, etc.)
Analyze network information to prepare an attack
Packet sniffers can be either software or hardware based
Sniffers are dependent on network setup
DETECTING SNIFFERS
Sniffers are almost always passive
They simply collect data
They do not attempt “entry” to “steal” data
This can make them extremely hard to detect
Most detection methods require suspicion that sniffing is occurring
Then some sort of "ping" of the sniffer is necessary
This should be a broadcast that will cause a response only from a sniffer
Another solution on switched hubs is ARP watch
ARP watch monitors the ARP cache for duplicate entries of a machine
If such duplicates appear, raise an alarm
Problem: false alarms
Specifically, DHCP networks can have multiple entries for a single machine
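As an added example (mine, not from the slides or from the arpwatch tool), the following Python applies the ARP watch idea to a constructed sample of ARP replies: it raises an alarm whenever an IP address starts being claimed by a different MAC, downgrades the alarm for addresses inside a DHCP pool to address the false-alarm problem noted above, and treats entries pinned in a static store as never allowed to change. All addresses and MACs are constructed.

```python
import ipaddress

# Constructed sample of ARP replies observed on one LAN segment: (time, sender IP, sender MAC)
ARP_REPLIES = [
    (1, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (2, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # default gateway
    (3, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (4, "192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP suddenly claimed by another MAC
    (5, "192.168.1.50", "aa:bb:cc:00:00:50"),
    (6, "192.168.1.50", "aa:bb:cc:00:00:51"),   # address in the DHCP pool re-leased to another host
]


def arp_watch(replies, dhcp_pool=None, static=None):
    """Return alarms as (time, ip, severity, previous_mac, new_mac).

    dhcp_pool is a CIDR string; a MAC change inside it is reported as 'info'
    because leases legitimately move between machines. static maps IPs to the
    MAC they must always have (the permanent-store idea); any reply that
    contradicts it is reported regardless of history.
    """
    pool = ipaddress.ip_network(dhcp_pool) if dhcp_pool else None
    static = static or {}
    seen = {}           # ip -> last MAC seen claiming it
    alarms = []
    for ts, ip, mac in replies:
        if ip in static:
            if mac != static[ip]:
                alarms.append((ts, ip, "ALERT static", static[ip], mac))
            continue                               # static entries never learn a new MAC
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            in_pool = pool is not None and ipaddress.ip_address(ip) in pool
            alarms.append((ts, ip, "info" if in_pool else "ALERT", prev, mac))
        seen[ip] = mac
    return alarms


if __name__ == "__main__":
    for alarm in arp_watch(ARP_REPLIES, dhcp_pool="192.168.1.32/27"):
        print(alarm)
```

Running it on the sample yields one ALERT for the gateway address and one info-level note for the pooled address; pinning the gateway in the static store turns its alarm into an "ALERT static" even if its first sighting had already been the bogus MAC, which is the advantage of a permanent store over purely learned history.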
STOPPING PACKET SNIFFING
The best way is to encrypt packets securely
Sniffers can capture the packets, but they are meaningless
Capturing a packet is useless if it just reads as garbage
SSH is also a much more secure method of connection
Private/Public key pairs makes sniffing virtually useless
On switched networks, almost all attacks will be via ARP spoofing
Add machines to a permanent store in the cache
This store cannot be modified via a broadcast reply
Thus, a sniffer cannot redirect an address to itself
The best security is to not let them in in the first place
Sniffers need to be on your subnet in a switched hub in the first place
All sniffers need to somehow access root at some point to start themselves up
PORT KNOCKING
Broadly, port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port
Port knocking is fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked
Port knocking, however, is very susceptible to replay attacks: someone can record port knocking attempts and repeat them to get the same port opened again
One good way of protecting against replay attacks would be a time-dependent knock sequence
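As an added example (my own, not from the slides), here is one way to build the time-dependent knock sequence just suggested: both sides derive the ports to knock from an HMAC of a shared secret and the current 30-second window index, and the server accepts a sequence only for the current or the immediately previous window. A recorded sequence replayed later therefore no longer matches. The knock count, the port range and the window length are constructed choices.

```python
import hashlib
import hmac
import struct

KNOCK_COUNT = 3
PORT_LOW, PORT_HIGH = 10000, 60000   # knock ports are drawn from this range (constructed choice)
WINDOW_SECONDS = 30


def knock_sequence(secret, window):
    """Expected knock ports for one time window, derived from HMAC(secret, window index)."""
    digest = hmac.new(secret, struct.pack("!Q", window), hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW
    # two digest bytes per port; the modulo introduces a small bias, acceptable for a demo
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(KNOCK_COUNT)]


def verify_knocks(secret, ports, now):
    """Accept a knock sequence only if it matches the current window or the one just before it
    (a short grace period for clock skew); anything older is rejected, so a recording cannot
    be replayed."""
    window = int(now // WINDOW_SECONDS)
    return any(list(ports) == knock_sequence(secret, w) for w in (window, window - 1))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    seq = knock_sequence(secret, 1000)
    print(seq)
    print(verify_knocks(secret, seq, now=1000 * WINDOW_SECONDS + 5),   # fresh: accepted
          verify_knocks(secret, seq, now=1002 * WINDOW_SECONDS))       # replayed two windows later: rejected
```

The remaining exposure is within the grace window itself, so the window length is a trade-off between tolerance for clock skew and the time a captured sequence stays useful.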
USER DATAGRAM PROTOCOL
UDP is a stateless, unreliable datagram protocol built on top of IP; that is, it lies at layer 4
It does not provide delivery guarantees or acknowledgments, but is significantly faster
It can, however, distinguish data for multiple concurrent applications on a single host
The lack of reliability implies that applications using UDP must be ready to accept a fair amount of corrupted packets and data loss. Some application-level protocols such as TFTP build reliability on top of UDP
Most applications that use UDP would suffer if reliability were imposed on them. VoIP, streaming video and streaming audio all use UDP
UDP does not come with built-in congestion protection, so while UDP does not suffer from the problems associated with optimistic ACK, there are cases where high-rate UDP network access will cause congestion
NETWORK ADDRESS TRANSLATION
Introduced in the early 90s to alleviate IPv4 address space congestion
Relies on translating addresses in an internal network, to an external address that is used for communication to and from the outside world
NAT is usually implemented by placing a router in between the internal private network and the public network.
Saves IP address space since not every terminal needs a globally unique IP address, only an organizationally unique one
While NAT should really be transparent to all higher-level services, this is sadly not true because a lot of higher-level communication depends on IP-level details
TRANSLATION
Router has a pool of private addresses 192.168.10.0/24
[Figure: NAT router between the private realm and the global realm: a host at 192.168.10.237 sends a packet with s=192.168.10.237, d=128.148.36.11; the router rewrites the source to its global address 128.148.36.179 before forwarding, and rewrites the destination of the reply from 128.148.36.179 back to 192.168.10.237]
IP PACKET MODIFICATIONS
[Figure: IPv4 header (vers, len, type of service, total length, ident, flags, fragment offset, time to live, proto, header checksum, source IP address, destination IP address, options, padding, data), bits 0 to 31, annotated with the fields that are modified on input, modified on output, and recomputed]
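As an added example (mine, not from the slides) covering both the translation figure and the header-modification figure above, the following Python keeps a port-translating NAT table that maps private (address, port) pairs onto ports of one global address, drops unsolicited inbound packets that have no mapping, and applies the per-packet header edits a router makes: rewrite source or destination address, decrement the TTL, and recompute the header checksum. The addresses are the ones on the translation slide; the sample header and the port pool are constructed.

```python
import socket
import struct


def internet_checksum(data):
    """One's-complement 16-bit checksum (RFC 1071) used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_header(src, dst, ttl=64):
    """Constructed 20-byte IPv4 header (protocol 6, total length 40) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def rewrite_ipv4_header(header, new_src=None, new_dst=None, decrement_ttl=True):
    """Apply the edits the figure marks: replace source/destination, decrement TTL,
    recompute the header checksum. Returns None when the TTL is exhausted (drop)."""
    hdr = bytearray(header[:20])
    if decrement_ttl:
        if hdr[8] <= 1:
            return None                       # a real router would also send ICMP time exceeded
        hdr[8] -= 1
    if new_src:
        hdr[12:16] = socket.inet_aton(new_src)
    if new_dst:
        hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = b"\x00\x00"                  # zero the old checksum before recomputing
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + header[20:]


def describe_header(header):
    """The fields worth checking after a rewrite: TTL, addresses and checksum validity."""
    return {
        "ttl": header[8],
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "checksum_ok": internet_checksum(header[:20]) == 0,
    }


class Nat:
    """Port-translating NAT: private (ip, port) pairs are mapped onto ports of one global address."""

    def __init__(self, global_ip, port_range=(49152, 65535)):
        self.global_ip = global_ip
        self.next_port, self.last_port = port_range
        self.outbound_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> global port
        self.inbound_map = {}    # global port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private realm; allocate a mapping on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        gport = self.outbound_map.get(key)
        if gport is None:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = gport
            self.inbound_map[gport] = (src_ip, src_port)
        return (self.global_ip, gport, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse translation for a reply; unsolicited packets with no mapping are dropped (None)."""
        if dst_ip != self.global_ip:
            return None
        priv = self.inbound_map.get(dst_port)
        if priv is None:
            return None
        return (src_ip, src_port, priv[0], priv[1])


if __name__ == "__main__":
    nat = Nat("128.148.36.179")
    print(nat.outbound("192.168.10.237", 5000, "128.148.36.11", 80))
    print(nat.inbound("128.148.36.11", 80, "128.148.36.179", 49152))
    out = rewrite_ipv4_header(sample_header("192.168.10.237", "128.148.36.11"),
                              new_src="128.148.36.179")
    print(describe_header(out))
```

The mapping table is also why NAT is not transparent to protocols that carry addresses in their payload: only the IP header is rewritten here, so any address the application layer wrote into the data still reads 192.168.10.237 on the outside.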
COMPUTER NETWORKS
Circuit switching
Legacy phone network
Single route through sequence of hardware devices established when two nodes start communication
Data sent along route
Route maintained until communication ends
Packet switching
Internet
Data split into packets
Packets transported independently through network
Each packet handled on a best efforts basis
Packets may follow different routes
PACKET SWITCHING
[Figure, four frames: packets 1, 2 and 3 travel independently through a network of nodes A, B, C, D, E and F]
PROTOCOLS
A protocol defines the rules for communication between computers
Protocols are broadly classified as connectionless and connection oriented
Connectionless protocol
Sends data out as soon as there is enough data to be transmitted
e.g., user datagram protocol (UDP)
Connection-oriented protocol
Provides a reliable connection stream between two nodes
Consists of set up, transmission, and tear down phases
Creates virtual circuit-switched network
e.g., transmission control protocol (TCP)
ENCAPSULATION
A packet typically consists of
Control information for addressing the packet: header and footer
Data: payload
A network protocol N1 can use the services of another network protocol N2
A packet p1 of N1 is encapsulated into a packet p2 of N2
The payload of p2 is p1
The control information of p2 is derived from that of p1
[Figure: encapsulation: packet p1 (header, payload, footer) becomes the payload of packet p2, which adds its own header and footer]
NETWORK LAYERS
Network models typically use a stack of layers
Higher layers use the services of lower layers via encapsulation
A layer can be implemented in hardware or software
The bottommost layer must be in hardware
A network device may implement several layers
A communication channel between two nodes is established for each layer
Two or more labels, separated by dots (e.g., cs166.net)
Rightmost label is the top-level domain (TLD)
Hierarchy of authoritative name servers
Information about root domain
Information about its subdomains (A records) or references to other name servers (NS records)
The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc.
Root servers, and servers for TLDs change infrequently
DNS servers refer to other DNS servers by name, not by IP: sometimes must bootstrap by providing an IP along with a name, called a glue record
Domain names and labels
Namespace Management
ICANN: Internet Corporation for Assigned Names and Numbers
ICANN has the overall responsibility for managing DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry
Along with a small set of general TLDs, every country has its own TLD (ccTLD), controlled by its government
ICANN is the governing body for all general TLDs
Until 1999 all .com, .net and .org registries were handled by Network Solutions Incorporated.
After November, 1999, ICANN and NSI had to allow for a shared registration system and there are currently over 500 registrars in the market
Also since 1999, ICANN has created additional gTLDs including some which are sponsored by consortiums or groups of companies.
TOP LEVEL DOMAINS
Started in 1984
Originally supposed to be named by function
.com for commercial websites, .mil for military
Eventually agreed upon unrestricted TLDs for .com, .net, .org, .info
1994 started allowing country TLDs such as .it, .us
Tried to move back to hierarchy of purpose in 2000 with creation of .aero, .museum, etc.
Domains
Hierarchy of name servers
Zones and domains
Zone: collection of connected nodes with the same authoritative DNS server
Name Resolution
Resolution method when answer not in cache:
Client asks the ISP DNS server: Where is www.example.com?
ISP DNS server asks the root name server: Where is www.example.com? Reply: Try com nameserver
ISP DNS server asks the com name server: Where is www.example.com? Reply: Try example.com nameserver
ISP DNS server asks the example.com name server: Where is www.example.com? Reply: 77.188.166
ISP DNS server answers the client: 77.188.166
Recursive resolution
Iterative resolution
AUTHORITATIVE NAME SERVERS
Control distributed among authoritative name servers (ANSs)
Responsible for specific domains
Can designate other ANS for subdomains
ANS can be master or slave
Master contains original zone table
Slaves are replicas, automatically updating
Makes DNS fault tolerant, automatically distributes load
ANS must be installed as an NS in the parent's zone
DYNAMIC RESOLUTION
Many large providers have more than one authoritative name server for a domain
Problem: need to locate the instance of domain geographically closest to user
Proposed solution: include first 3 octets of requester's IP in recursive requests to allow better service
Content distribution networks already do adaptive DNS routing
DNS Caching
There would be too much network traffic if a path in the DNS tree were traversed for each query
Root zone would be rapidly overloaded
DNS servers cache results for a specified amount of time
Specified by ANS reply's time-to-live field
Operating systems and browsers also maintain resolvers and DNS caches
View in Windows with command ipconfig /displaydns
Associated privacy issues
DNS queries are typically issued over UDP on port 53
16-bit request identifier in payload
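As an added example (mine, not from the slides) that ties together the name resolution walk (root, then com, then example.com), the glue record needed when a zone's name server lives inside the zone it serves, and the TTL-bounded caching described on this slide, the following Python simulates an iterative resolver over constructed name-server data. The server addresses are documentation-range values, and each server answers with either a final A record, a referral carrying a glue address, or a negative answer.

```python
# Constructed name-server data: server IP -> the zone it serves, its delegations (with glue) and A records.
SERVERS = {
    "198.51.100.1": {                                  # a root name server
        "zone": ".",
        "NS": {"com.": ("a.gtld.example.", "198.51.100.2")},
        "A": {},
    },
    "198.51.100.2": {                                  # the com name server
        "zone": "com.",
        # ns1.example.com. lives inside the zone it serves, so the referral must carry a glue A record
        "NS": {"example.com.": ("ns1.example.com.", "198.51.100.3")},
        "A": {},
    },
    "198.51.100.3": {                                  # the example.com authoritative name server
        "zone": "example.com.",
        "NS": {},
        "A": {"www.example.com.": ("203.0.113.10", 300),
              "ns1.example.com.": ("198.51.100.3", 3600)},
    },
}
ROOT_IP = "198.51.100.1"


def query(server_ip, name):
    """One query to one server: ('A', ip, ttl), a referral ('NS', ns_name, glue_ip), or ('NXDOMAIN',)."""
    srv = SERVERS[server_ip]
    if name in srv["A"]:
        ip, ttl = srv["A"][name]
        return ("A", ip, ttl)
    # refer to the most specific delegated zone that encloses the name
    for zone, (ns, glue) in sorted(srv["NS"].items(), key=lambda kv: -len(kv[0])):
        if name == zone or name.endswith("." + zone):
            return ("NS", ns, glue)
    return ("NXDOMAIN",)


class CachingResolver:
    """Iterative resolver (the ISP DNS server's role on the slide) with a TTL-bounded cache."""

    def __init__(self, root_ip=ROOT_IP):
        self.root_ip = root_ip
        self.cache = {}        # name -> (ip, expiry time)
        self.queries_sent = 0

    def resolve(self, name, now):
        """Return (ip, from_cache); ip is None when the name does not exist."""
        if not name.endswith("."):
            name += "."
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0], True
        server = self.root_ip
        for _ in range(8):                       # bound the referral chain
            self.queries_sent += 1
            reply = query(server, name)
            if reply[0] == "A":
                self.cache[name] = (reply[1], now + reply[2])   # honour the reply's TTL
                return reply[1], False
            if reply[0] == "NS":
                server = reply[2]                # follow the glue address; no extra lookup needed
                continue
            return None, False
        return None, False


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.example.com", now=0), r.queries_sent)     # three queries: root, com, example.com
    print(r.resolve("www.example.com", now=100), r.queries_sent)   # served from cache
    print(r.resolve("www.example.com", now=300), r.queries_sent)   # TTL expired, resolved again
```

Without the glue address in the com server's referral, resolving ns1.example.com would require asking the example.com name server, whose address is the thing being looked up; the referral carries it so that the chain stays bounded. The cache keeps the root and TLD servers from seeing a query for every lookup, which is the load argument on this slide.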
DNS CACHING
Step 1: query yourdomain.org
[Figure: the application on the local machine asks the local resolver cache; the query goes on to the local NS resolver cache and then to the authoritative name server]
Step 2: receive reply and cache at local NS and host
[Figure: the answer returns from the authoritative name server to the local NS and then to the local machine, and is cached at both]
DNS CACHING (CONT'D)
Step 3: use cached results rather than querying the ANS
802.11I: FOUR PHASES OF OPERATION
Uses an authentication server (AS) separate from the access point (AP); the client station (CS) talks to the AP, which reaches the AS over the wired network
1 Discovery of security capabilities
2 CS and AS mutually authenticate and together generate the Master Key (MK); the AP serves as "pass through"
3 CS derives the Pairwise Master Key (PMK); AS derives the same PMK and sends it to the AP
4 CS and AP use the PMK to derive the Temporal Key (TK), used for message encryption and integrity
VIRUSES, WORMS, TROJANS, ROOTKITS
Malware can be classified into several categories, depending on propagation and concealment
Propagation
Virus: human-assisted propagation (e.g., open email attachment)
Worm: automatic propagation without human assistance
Concealment
Rootkit: modifies operating system to hide its existence
Trojan: provides desirable functionality but hides malicious operation
Various types of payloads, ranging from annoyance to crime
INSIDER ATTACKS
An insider attack is a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.
In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.