Lecture 12: Application Layer
Application Layer 1
Agenda
- The Application Layer (continued)
  - Web and HTTP
  - HTTP Cookies
  - Web Caches
- Simple Introduction to Network Security
  - Various actions by network attackers
The Application Layer (recall)
- Network programs/services that run on (different) end systems communicate over the network
  - e.g., web server software communicates with browser software
- No need to write software for network-core devices
  - network-core devices do not run user applications
  - keeping applications on end systems allows for rapid app development and propagation
[figure: protocol stack (application, transport, network, data link, physical) shown at each of three end systems]
Web and HTTP
- A Web page consists of objects
- An object can be an HTML file, a JPEG image, a Java applet, an audio file, ...
- A Web page consists of a base HTML file which includes several referenced objects
- Each object is addressable by a URL
- Example URL: www.someschool.edu/somedept/pic.gif (host name: www.someschool.edu; path name: /somedept/pic.gif)
HTTP overview
- HTTP: hypertext transfer protocol
- The Web's application-layer protocol
- Client/server model
  - client: browser that requests, receives, and displays Web objects
  - server: Web server sends objects in response to requests
[figure: PC running Explorer and Mac running Navigator exchanging HTTP requests and responses with a server running the Apache Web server]
HTTP connections
- Nonpersistent HTTP: at most one object is sent over a TCP connection.
- Persistent HTTP: multiple objects can be sent over a single TCP connection between client and server.
Non-Persistent HTTP: Response time
- Definition of RTT: time for a small packet to travel from client to server and back.
- Response time:
  - one RTT to initiate the TCP connection
  - one RTT for the HTTP request and the first few bytes of the HTTP response to return
  - file transmission time
  - total = 2 RTT + transmit time
[figure: timing diagram: initiate TCP connection (RTT), request file (RTT), time to transmit file, file received]
Persistent HTTP
- Nonpersistent HTTP issues:
  - requires 2 RTTs per object
  - overhead for each TCP connection
  - browsers often open parallel TCP connections to fetch referenced objects
- Persistent HTTP:
  - server leaves the connection open after sending a response
  - subsequent HTTP messages between the same client and server are sent over the open connection
  - client sends requests as soon as it encounters a referenced object
  - as little as one RTT for all the referenced objects
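The response-time rules from these two slides, worked into a small model that compares the connection strategies (an added example, not from the original slides; the equal per-object transmit time and the "rounds" model for parallel connections are assumptions):

```python
"""Response-time model for non-persistent vs persistent HTTP, following the slides'
rules: 2 RTT + transmit time per object over a fresh TCP connection, and as little
as one RTT for all referenced objects over a persistent, pipelined connection.

Assumptions (not from the slides): every object has the same transmit time, and
`parallel` non-persistent connections fetch referenced objects in rounds.
"""
import math


def nonpersistent_time(rtt: float, tx: float, n_refs: int, parallel: int = 1) -> float:
    """Base HTML file plus n_refs referenced objects, one TCP connection per object.

    Each connection costs 2 RTT (TCP setup, then request/first response bytes)
    plus the transmit time. With `parallel` connections the referenced objects
    are fetched in ceil(n_refs / parallel) rounds.
    """
    per_object = 2 * rtt + tx
    rounds = math.ceil(n_refs / parallel) if n_refs else 0
    return per_object + rounds * per_object


def persistent_time(rtt: float, tx: float, n_refs: int, pipelined: bool = True) -> float:
    """Base HTML file over a fresh connection, then referenced objects over the
    same open connection.

    Without pipelining each referenced object still costs 1 RTT + transmit time.
    With pipelining the client sends all requests back to back, so a single RTT
    covers every referenced object (the slides' "as little as one RTT").
    """
    base = 2 * rtt + tx
    if n_refs == 0:
        return base
    if pipelined:
        return base + rtt + n_refs * tx
    return base + n_refs * (rtt + tx)


if __name__ == "__main__":
    # Constructed inputs: 100 ms RTT, 10 ms transmit per object, 10 referenced objects.
    RTT, TX, N = 0.100, 0.010, 10
    print(f"non-persistent, serial     : {nonpersistent_time(RTT, TX, N):.3f} s")
    print(f"non-persistent, 5 parallel : {nonpersistent_time(RTT, TX, N, 5):.3f} s")
    print(f"persistent, no pipelining  : {persistent_time(RTT, TX, N, False):.3f} s")
    print(f"persistent, pipelined      : {persistent_time(RTT, TX, N):.3f} s")
```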
HTTP Cookies
- What cookies can bring:
  - authorization
  - shopping carts
  - recommendations
  - user session state (Web e-mail)
- Aside: cookies and privacy
  - cookies permit sites to learn a lot about you
  - you may supply your name and e-mail to sites
- How to keep "state":
  - protocol endpoints: maintain state at sender/receiver over multiple transactions
  - cookies: HTTP messages carry the state
Web Caches (Proxy Server)
- Goal: satisfy the client request without involving the origin server
- User sets browser: Web accesses via cache
- Browser sends all HTTP requests to the cache
  - object in cache: cache returns the object
  - else: cache requests the object from the origin server, then returns it to the client
[figure: clients send HTTP requests to the proxy server, which forwards cache misses to the origin servers]
More about Web caching
- The cache acts as both client and server
- Typically the cache is installed by an ISP (university, company, residential ISP)
- Why Web caching?
  - reduce response time for client requests
  - reduce traffic on, for example, an institution's access link
  - Internet dense with caches: enables content providers to effectively deliver content
Caching Example
- Assumptions
  - average object size = 100,000 bits
  - avg. request rate from the institution's browsers to origin servers = 15/sec
  - delay from institutional router to any origin server and back to router = 2 sec
- Consequences
  - utilization on LAN = 15%
  - utilization on access link = 100%
  - total delay = Internet delay + access delay + LAN delay = 2 sec + minutes + milliseconds
[figure: institutional network (10 Mbps LAN, institutional cache) connected to the public Internet and origin servers over a 1.5 Mbps access link]
Caching Example (cont'd)
- Possible solution: increase bandwidth of the access link to, say, 10 Mbps
- Consequences
  - utilization on LAN = 15%
  - utilization on access link = 15%
  - total delay = Internet delay + access delay + LAN delay = 0.3 sec + msecs + msecs
  - often a costly upgrade
[figure: institutional network (10 Mbps LAN, institutional cache) connected to the public Internet and origin servers over a 10 Mbps access link]
Caching Example (cont'd)
- Possible solution: install a cache
  - suppose the hit rate is 0.4
- Consequences
  - 40% of requests will be satisfied almost immediately
  - 60% of requests are satisfied by the origin server
  - utilization of the access link is reduced to 60%, resulting in negligible delays (say 10 msec)
  - total avg delay = Internet delay + access delay + LAN delay = .6*(2.01) secs + .4*milliseconds < 1.4 secs
[figure: institutional network (10 Mbps LAN, institutional cache) connected to the public Internet and origin servers over a 1.5 Mbps access link]
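The three caching scenarios above carried through as one calculation (an added example, not from the original slides): link utilization is request rate times object size over link capacity, scaled by the miss rate, and the average delay weights the miss path against the hit path. The 1 ms LAN delay and the access delays for the uncongested cases are assumed values standing in for the slides' "milliseconds".

```python
"""Utilization and average delay for the slides' caching example.

Slide assumptions: 100,000-bit objects, 15 requests/s, 2 s Internet round trip,
10 Mbps LAN, 1.5 Mbps access link. The LAN delay (1 ms) and the uncongested
access-link delays passed to avg_delay() are assumed, not from the slides.
"""

OBJECT_BITS = 100_000
REQ_RATE = 15.0          # requests per second from the institution's browsers
INTERNET_DELAY = 2.0     # seconds, institutional router -> origin server -> router
LAN_DELAY = 0.001        # assumed: "milliseconds" on the slides


def utilization(req_rate: float, obj_bits: float, link_bps: float, hit_rate: float = 0.0) -> float:
    """Fraction of link capacity consumed by the requests that miss the cache."""
    return (1.0 - hit_rate) * req_rate * obj_bits / link_bps


def avg_delay(hit_rate: float, access_bps: float, access_delay: float):
    """Average response time: hits are served over the LAN only, misses cross the
    access link and the Internet. Returns None when the access link is saturated,
    because queueing delay then grows without bound (the slides' "minutes")."""
    if utilization(REQ_RATE, OBJECT_BITS, access_bps, hit_rate) >= 1.0:
        return None
    miss_path = INTERNET_DELAY + access_delay + LAN_DELAY
    hit_path = LAN_DELAY
    return (1.0 - hit_rate) * miss_path + hit_rate * hit_path


if __name__ == "__main__":
    print("LAN utilization:                 ", utilization(REQ_RATE, OBJECT_BITS, 10e6))
    print("1.5 Mbps link, no cache:         ", utilization(REQ_RATE, OBJECT_BITS, 1.5e6),
          avg_delay(0.0, 1.5e6, 0.001))
    print("10 Mbps link, no cache:          ", utilization(REQ_RATE, OBJECT_BITS, 10e6))
    print("1.5 Mbps link, hit rate 0.4:     ", utilization(REQ_RATE, OBJECT_BITS, 1.5e6, 0.4),
          avg_delay(0.4, 1.5e6, 0.010))
```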
Computer Network Security
- The field of network security is about:
  - how network attackers can attack computer networks
  - how we can defend networks against attacks
  - how to design architectures that are immune to attacks
- The Internet was not originally designed with (much) security in mind
  - original vision: "a group of mutually trusting users attached to a transparent network"
  - Internet protocol designers are playing catch-up
  - security considerations in all layers!
Various Actions by Network Attackers
- Attackers can put malicious software (malware) into hosts via the Internet
- Malware can get into a host from a virus, worm, or trojan horse.
- Spyware malware can record keystrokes and web sites visited, and upload the info to a collection site.
- An infected host can be enrolled in a botnet, used for spam and Distributed Denial of Service (DDoS) attacks.
- Malware is often self-replicating: from an infected host, it seeks entry into other hosts
Various Actions by Network Attackers
- Trojan horse
  - hidden part of some otherwise useful software
  - generally a non-self-replicating type of malware program
- Virus
  - infection by receiving an object (e.g., an e-mail attachment) and actively executing it, with harmful effects
  - generally, code attaching itself to an application
  - self-replicating: propagates itself to other hosts and users
- Worm
  - infection by passively receiving an object that gets itself executed
  - generally, code replicating itself to consume resources (e.g., network bandwidth, server buffers, etc.)
  - self-replicating: propagates to other hosts and users via networks
Various Actions by Network Attackers
- Bad guys can attack servers and network infrastructure
- Denial of service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic
  1. select target
  2. break into hosts around the network (see botnet)
  3. send packets toward the target from the compromised hosts
[figure: compromised hosts around the network sending packets toward the target]
Various Actions by Network Attackers
- Packet sniffing:
  - broadcast media (shared Ethernet, wireless)
  - a promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
  - Wireshark and Snort software can be used as (free) packet sniffers
[figure: hosts A, B, C on a shared medium; C reads the packet "src:B dest:A payload" that B sends to A]
Various Actions by Network Attackers
- IP spoofing: send a packet with a false source address (false identification)
[figure: hosts A, B, C; C sends a packet "src:B dest:A payload" to A carrying B's address as source]
Various Actions by Network Attackers
- Record-and-playback: sniff sensitive info (e.g., a password), and use it later
  - the password holder is that user from the system's point of view
[figure: hosts A, B, C; C records the packet "src:B dest:A user: B; password: foo" that B sends to A]
Intrusion Detection Approaches
- Signature-based approach
  - searching for a known identity or signature
  - comparing with known patterns
  - databases of signatures
- Anomaly-based approach
  - detection based on heuristics and analysis (statistics)
  - learning new patterns
  - traffic classification (normal/abnormal)
  - artificial intelligence techniques (e.g., neural networks)
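The two approaches on this slide side by side, run over a constructed access log (an added example, not from the original slides): a tiny signature database matched against each request line, and an anomaly detector that flags a source whose request count is far above a baseline learned from normal traffic. The log lines, the two signatures and the baseline counts are all constructed for the example.

```python
"""Signature-based vs anomaly-based detection over a constructed access log."""
import re
import statistics
from collections import Counter

# Signature database (constructed): name -> pattern matched against the request line.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.IGNORECASE),
}

# Constructed access log, one "client-ip method path" per line, plus a burst of
# 40 requests from one source to exercise the anomaly detector.
LOG = [
    "10.0.0.5 GET /index.html",
    "10.0.0.7 GET /images/logo.gif",
    "10.0.0.5 GET /about.html",
    "10.0.0.9 GET /../../etc/passwd",
    "10.0.0.7 GET /search?q=<script>alert(1)</script>",
] + [f"10.0.0.3 GET /login?attempt={i}" for i in range(40)]

# Constructed baseline: per-source request counts observed in a normal window.
BASELINE_COUNTS = [2, 3, 1, 2, 3, 2]


def signature_alerts(lines):
    """Signature approach: return (line, signature name) for every known pattern hit."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((line, name))
    return alerts


def anomaly_alerts(lines, baseline_counts, z_threshold=3.0):
    """Anomaly approach: flag sources whose request count lies more than
    z_threshold standard deviations above the learned baseline mean."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    if sd == 0:
        return []
    counts = Counter(line.split()[0] for line in lines)
    return sorted(ip for ip, n in counts.items() if (n - mean) / sd > z_threshold)


if __name__ == "__main__":
    for line, name in signature_alerts(LOG):
        print(f"SIGNATURE {name}: {line}")
    for ip in anomaly_alerts(LOG, BASELINE_COUNTS):
        print(f"ANOMALY   request rate from {ip} far above baseline")
```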
Lecture Summary
- Covered material
  - The Application Layer (continued)
    - Web and HTTP
    - HTTP Cookies
    - Web Caches
  - Simple Introduction to Network Security
    - Various actions by network attackers