Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking


Transcription:

Review of TCP/IP Internetworking
Chapter 3, Panko, Corporate Computer and Network Security, Copyright 2004 Prentice-Hall

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
[Diagram: a client host and a mobile client host reach server hosts over access links and trunk links through switches; the path a frame takes through the switches is its frame path.]

Frame Organization and the Switching Decision
[Diagram: a frame has a header (destination address field plus other header fields), a data field and a trailer. A switch with ports 1-6 receives a frame with Station C in the destination address field and sends it back out on the port leading to Station C, based on the destination address; Stations A, B, C and D hang off the switch.]

Figure 3-1: An internet is two or more individual switched networks connected by routers
[Diagram: Switched Network 1, Switched Network 2 and Switched Network 3 connected by routers. A single network versus an internet of multiple networks connected by routers. The path of a packet through the routers is its route.]

The Internet
- The global Internet has thousands of networks

Figure 3-6: Frames and Packets
[Diagram: a client PC's browser and network software hand a packet to the switch; Frame 1 carries the packet in Network 1 to Router A, Frame 2 carries it in Network 2 to Router B, and Frame 3 carries it in Network 3 to the server's switch and the server. The sequence of routers is the route.]

Frames and Packets
- Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport: shipper, truck, airport, airplane, airport, truck, receiver. It is the same shipment the whole way.

Figure 3-2: TCP/IP Standards (Study Figure)
Origins
- Defense Advanced Research Projects Agency (DARPA) created the ARPANET
- An internet connects multiple individual networks
- The global Internet is capitalized
- Internet Engineering Task Force (IETF)
- Most IETF documents are requests for comments (RFCs)
- Official Protocol Standards: the list of RFCs that are official standards

Hybrid TCP/IP-OSI Architecture (Figure 3-3)
- Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2
- TCP/IP subnet access: use OSI standards here
[Diagram: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the Hybrid TCP/IP-OSI stack (Application, Transport, Internet, Data Link, Physical).]

OSI Layers
- Physical (Layer 1): defines electrical signaling and media between adjacent devices
- Data link (Layer 2): control of a frame through a single network, across multiple switches
[Diagram: Switched Network 1, showing a physical link and a frame crossing the network.]

Figure 3-2: TCP/IP Standards (Study Figure)
Internet Layer
- Governs the transmission of a packet across an entire internet
- The path of the packet is its route

Frames and Packets
- Frames are messages at the data link layer
- Packets are messages at the internet layer
- Packets are carried (encapsulated) in frames
- There is only a single packet that is delivered from the source to the destination host
- This packet is carried in a separate frame in each network
[Diagram: Switched Networks 1, 2 and 3 joined by routers; the route spans all three networks.]

Figure 3-7: Internet and Transport Layers
[Diagram: client PC, Router 1, Router 2, Router 3, server. Transport layer: end-to-end (host-to-host); TCP is connection-oriented and reliable, UDP is connectionless and unreliable. Internet layer (usually IP): hop-by-hop (host-router or router-router), connectionless and unreliable.]

Internet and Transport Layers: Purposes
- The internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
- The transport layer is an end-to-end (host-to-host) protocol involving only the two hosts

Internet Protocol (IP)
- IP at the internet layer is unreliable: it does not correct errors in each hop between routers
- This is good: it reduces the work each router along the route must do

Transport Layer Standards
- Transmission Control Protocol (TCP): reliable and connection-oriented service at the transport layer; corrects errors
- User Datagram Protocol (UDP): unreliable and connectionless service at the transport layer; a lightweight protocol, good when catching errors is not important

Figure 3-8: HTML and HTTP at the Application Layer
[Diagram: a client PC with a browser (123.34.150.37) exchanges Hypertext Transfer Protocol (HTTP) requests and responses with a web server, which returns a Hypertext Markup Language (HTML) document or other file (jpeg, etc.).]

Application Layer
- To govern communication between application programs, which may be written by different vendors
- Document transfer versus document format standards
- HTTP / HTML for the WWW service
- SMTP / RFC 822 (or RFC 2822) in e-mail
- Many application standards exist because there are many applications

Figure 3-3: TCP/IP and OSI Architectures: Recap
[Diagram: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the Hybrid TCP/IP-OSI stack (Application, Transport, Internet, Data Link, Physical); TCP/IP subnet access uses the OSI standards at the bottom two layers.]
Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

Figure 3-5: IP Packet (IP Version 4)
Header layout, bit 0 to bit 31 on each row:
- Version (4 bits, value 0100), Header Length (4 bits), Diff-Serv (8 bits), Total Length (16 bits)
- Identification (16 bits), Flags, Fragment Offset (13 bits)
- Time to Live (8 bits), Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP), Header Checksum (16 bits)
- Source IP Address (32 bits)
- Destination IP Address (32 bits)
- Options (if any), Padding
- Data Field

Figure 3-5: IP Packet
- Version: has the value four (0100)
- Time to Live (TTL): prevents the endless circulation of mis-addressed packets; the value is set by the sender and decremented by one by each router along the way; if it reaches zero, the router throws the packet away
- Protocol field: identifies the contents of the data field; 1 = ICMP, 6 = TCP, 17 = UDP
[Diagram: an IP header with Protocol=1 carries an ICMP message in the IP data field; Protocol=6 carries a TCP segment; Protocol=17 carries a UDP datagram.]

Figure 3-5: IP Packet
- Header checksum: checks for errors in the header only; faster than checking the whole packet; stops bad headers from causing problems; IP Version 6 drops even this checking
- Address fields: 32 bits long, of course
- Options field(s) give optional parameters
- Data field contains the payload of the packet

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
- Application layer: encapsulation of the application message in the data field of a TCP segment
- Transport layer: encapsulation of the TCP segment in the data field of an IP packet
- Internet layer: encapsulation of the IP packet in the data field of a frame (frame header, IP, TCP, message, trailer)
- Physical layer: converts the bits of the frame into signals
- Note: a supervisory TCP segment carries no application message, so the final frame holds only the IP header and TCP header between the frame header and trailer

Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
- Physical layer: converts the signals into the bits of the frame
- Data link layer: decapsulation of the IP packet from the data field of the frame
- Internet layer: decapsulation of the TCP segment from the data field of the IP packet
- Transport layer: decapsulation of the application message from the data field of the TCP segment

Figure 3-11: Vertical Communication on Router R1
[Diagram: Router R1 with Ports 1-4, each with its own PHY and data link process, and a single internet layer process; Switch X2 attaches to Port 1 and Router 2 to Port 4. A: decapsulation of the arriving frame. B: encapsulation of the outgoing frame.]
Notes:
A. Router R1 receives a frame from Switch X2 on Port 1. The Port 1 data link process decapsulates the packet and passes it to the internet process.
B. The internet process sends the packet out on Port 4. The data link process on Port 4 encapsulates the packet in a PPP frame and passes the frame to the Port 4 PHY.

Figure 3-12: Site Connection to an ISP
[Diagram: the site network sits behind a border firewall and connects to an ISP router and the ISP backbone. 1. The frame is specific to the network it crosses. 2. The packet is carried in an ISP carrier frame. 3. The packet is carried in a site frame inside the site network. 4. The link between site and ISP is difficult to attack. 5. Normally, only the arriving packet is dangerous, not the frame fields.]

IP: Basic Characteristics
- There were already many single networks, and many more would come in the future
- Developers could make only a few assumptions about the underlying networks
- So they kept IP simple

IP: Connection-Oriented Service and Connectionless Service
- Connection-oriented services have distinct starts and closes (telephone calls)
- Connectionless services merely send messages (postal letters)
- IP is connectionless

IP is Connectionless
[Diagram: a PC sends packets to its first router. Packets are sent in isolation, like postal letters. Unreliable: no error correction; a packet is discarded by the receiver if an error is detected; error correction is left to the transport layer; this reduces the cost of routers.]

IP is Unreliable (Checks for Errors but does not Correct Errors) (Figure 3-14)
- Not doing error correction at each hop between switches reduces switch work and so switch cost
- Does not even guarantee that packets will arrive in order

Hierarchical IP Addresses
- Postal addresses are hierarchical (state, city, postal zone, specific address)
- Most post offices have to look only at state and city
- Only the final post offices have to be concerned with specific addresses

Figure 3-15: Hierarchical IP Address
- Example: 128.171.17.13 is host 13 on the CBA subnet (17) of the UH network (128.171)
- Network part (not always 16 bits), subnet part (not always 8 bits), host part (not always 8 bits)
- The total is always 32 bits

Hierarchical IP Addresses
- 32-bit IP addresses are hierarchical (Figure 3-15)
- The network part tells what network the host is on
- The subnet part tells what subnet the host is on within the network
- The host part specifies the host on its subnet
- Routers have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host

Hierarchical IP Addresses
- 32-bit IP addresses are hierarchical; the total is 32 bits, but part sizes vary
- The network mask tells you the size of the network part (Figure 3-16)
- The subnet mask tells you the length of the network plus subnet parts combined

Figure 3-16: IP Address Masking with Network and Subnet Masks
- Mask representation: eight ones give the decimal value 255; eight zeros give the decimal value 0
- Masking gives the IP address bit where the mask bit is 1, and 0 where the mask bit is 0
- Network masking tells the size of the network part
- Subnet masking tells the size of the network and subnet parts combined

Figure 3-16: IP Address Masking with Network and Subnet Masks (examples)
Network masking:
- Example 1: IP address 128.171.17.13, mask 255.255.0.0, result 128.171.0.0; meaning: the 16-bit network part is 128.171
- Example 2: IP address 60.47.123.7, mask 255.0.0.0, result 60.0.0.0; meaning: the 8-bit network part is 60
Subnet masking:
- Example 1: IP address 128.171.17.13, mask 255.255.255.0, result 128.171.17.0; meaning: the combined 24-bit network plus subnet part is 128.171.17
- Example 2: IP address 60.47.123.7, mask 255.255.0.0, result 60.47.0.0; meaning: the combined 16-bit network plus subnet parts are 60.47

Figure 3-17: IP Address Spoofing
[Diagram: trusted server 60.168.4.6, attacker's client PC 1.34.150.37, victim server. 1. A trust relationship exists between the trusted server and the victim. 2. The attack packet carries the spoofed source IP address 60.168.4.6. 3. The victim server accepts the attack. The attacker's identity is not revealed.]

IP Addresses and Security
- IP address spoofing: sending a message with a false IP address (Figure 3-17)
- Gives the sender anonymity, so that the attacker cannot be identified
- Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts
- LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.

Figure 3-18: LAND Attack Based on IP Address Spoofing
[Diagram: attacker 1.34.150.37 sends the victim a packet whose source and destination are both the victim's own address, port 23 to port 23; the victim's port 23 is open and the victim crashes. The source and destination IP addresses are the same; the source and destination port numbers are the same.]

Other IP Header Fields
- Protocol field: identifies the content of the IP data field; firewalls need this information to know how to process the packet
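The masking arithmetic of Figure 3-16, carried through on the slide's own four rows, plus the border ingress check that catches the spoofed source of Figure 3-17. This is an added example, not code from the Panko slides; the site prefix handed to `looks_spoofed_at_border` is an assumption.

```python
"""IP address masking (Figure 3-16) and an anti-spoofing ingress check.

A mask is 32 bits of ones followed by zeros.  ANDing it with an address keeps
the address bit where the mask bit is 1 and gives 0 where the mask bit is 0,
which is exactly how the slides describe network and subnet masking.
Standard library only.
"""
import socket
import struct


def to_int(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer (raises OSError on junk)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def mask_length(mask: str) -> int:
    """Number of leading ones in a mask, e.g. 255.255.0.0 -> 16.

    A valid mask is ones followed by zeros; anything else is rejected so a
    typo such as 255.0.255.0 cannot silently yield a bogus network part.
    """
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous mask")
    return ones


def apply_mask(ip: str, mask: str) -> str:
    """Masking: IP address bit where the mask bit is 1, 0 where it is 0."""
    mask_length(mask)  # validate the mask first
    return to_dotted(to_int(ip) & to_int(mask))


def network_part(ip: str, mask: str) -> str:
    """The 'meaning' column of the slide: 128.171.17.13 / 255.255.0.0 -> '128.171'."""
    n = mask_length(mask)
    if n % 8:  # a part that is not whole octets has no neat dotted spelling
        raise ValueError("network part is not a whole number of octets")
    return ".".join(apply_mask(ip, mask).split(".")[: n // 8])


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if both hosts mask to the same network (or network+subnet) prefix."""
    return apply_mask(ip_a, mask) == apply_mask(ip_b, mask)


def looks_spoofed_at_border(src_ip: str, site_ip: str, site_mask: str) -> bool:
    """Ingress-filter check (assumes the site's own prefix is known).

    A packet arriving from the Internet whose source address masks to the
    site's own network cannot legitimately come from outside, so the border
    router should drop it.  This blocks the Figure 3-17 trick when the trusted
    host is inside the site.
    """
    return same_network(src_ip, site_ip, site_mask)


if __name__ == "__main__":
    # The four rows of the slide's masking table
    for ip, mask in [("128.171.17.13", "255.255.0.0"), ("60.47.123.7", "255.0.0.0"),
                     ("128.171.17.13", "255.255.255.0"), ("60.47.123.7", "255.255.0.0")]:
        print(f"{ip:15} {mask:15} {apply_mask(ip, mask):15} "
              f"{mask_length(mask)}-bit part is {network_part(ip, mask)}")
```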

Other IP Header Fields: Time-to-Live Field
- Each router decrements the TTL value by one
- A router that decrements the TTL field to zero discards the packet
- The router also sends an error advisement message to the sender
- The packet containing this message reveals the IP address of the router that sent it to the attacker
- Traceroute uses TTL to map the route to a host (Figure 3-19); tracert on Windows machines

Figure 3-19: Tracert Program in Windows
[Screenshot of tracert output.]

Other IP Header Fields: Header Length Field and Options
- With no options, Header Length is 5
- Expressed in units of 32 bits, so 20 bytes
- Many options are dangerous, so if Header Length is more than 5, be suspicious
- Some firms drop all packets with options

Other IP Header Fields: Length Field
- Gives the length of the entire packet
- Maximum is 65,536 bytes
- The Ping-of-Death attack sent IP packets with longer data fields; many systems crashed

Figure 3-20: Ping-of-Death Attack
[Diagram: attacker 1.34.150.37 sends the victim an IP packet containing an ICMP Echo that is illegally long; the victim crashes.]

Other IP Header Fields: Fragmentation
- Routers may fragment IP packets (really, packet data fields) en route
- All fragments have the same Identification field value
- Fragment offset values allow the fragments to be ordered
- The More Fragments flag is 0 in the last fragment
- Fragmentation harms packet inspection: the TCP header, etc. is only in the first packet in the series, so a firewall cannot filter on the TCP header, etc. in subsequent packets

Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
[Diagram: 1. attacker 1.34.150.37 sends a fragmented IP packet. 2. The first fragment holds the IP header, the TCP header and TCP data; the second fragment holds an IP header and TCP data but no TCP header. 3. The TCP header is only in the first fragment. 4. The second fragment carries TCP data in its IP data field with no TCP header. 5. The firewall can only filter on the TCP header in the first fragment.]

Other IP Header Fields: Fragmentation
- Teardrop attack: a crafted fragmented packet does not make sense when reassembled
- Some firewalls drop all fragmented packets, which are rare today

Figure 3-21: Teardrop Denial-of-Service Attack
[Diagram: attacker 1.34.150.37 sends an attack packet that pretends to be a fragmented IP packet; when reassembled, the defragmented IP packet does not make sense (gaps and overlaps); the victim crashes.]

Figure 3-24: IP Packet with a TCP Segment Data Field
Header layout after the IP header (usually 20 bytes), bit 0 to bit 31 on each row:
- Source Port Number (16 bits), Destination Port Number (16 bits)
- Sequence Number (32 bits)
- Acknowledgment Number (32 bits)
- Header Length (4 bits), Reserved (6 bits), Flag Fields (6 bits), Window Size (16 bits)
- TCP Checksum (16 bits), Urgent Pointer (16 bits)
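An IPv4 header parser that applies the checks the slides recommend for the header fields above and for the LAND packet of Figure 3-18: header length greater than 5 (options), a non-first fragment with no transport header to filter on, a bad header checksum, a Total Length that disagrees with the bytes received, and equal source and destination address with equal ports. This is an added example, not code from the Panko slides or any firewall product; the sample packets are constructed inline.

```python
"""IPv4 header parser with the sanity checks the slides call for (added
example; not from the Panko slides or any firewall product).

Checks: Header Length > 5 (options present, "be suspicious"), source equal
to destination with equal ports (LAND-style), non-first fragments (no
transport header to filter on), a bad header checksum, and a Total Length
that disagrees with the bytes received.  Sample packets are constructed
inline.  Standard library only.
"""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"                        # fixed 20-byte IPv4 header
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # values named on the slides


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the Figure 3-5 header fields.  Raises ValueError on junk."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (vihl, _dscp, total_len, ident, flags_off, ttl, proto,
     _hdr_sum, src, dst) = struct.unpack(IP_HDR, packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not 4")
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("header length field does not fit the packet")
    hdr = packet[: ihl * 4]
    return {
        "ihl": ihl, "total_length": total_len, "id": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "fragment_offset": flags_off & 0x1FFF,      # in units of 8 bytes
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "other"),
        # a header whose stored checksum is right sums to zero
        "checksum_ok": checksum(hdr) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": hdr[20:], "payload": packet[ihl * 4:],
    }


def inspect(packet: bytes) -> list:
    """Reasons a border firewall following the slides' advice would drop this packet."""
    h = parse_ipv4(packet)
    findings = []
    if not h["checksum_ok"]:
        findings.append("bad header checksum")
    if h["ihl"] > 5:
        findings.append(f"options present (header length {h['ihl']} > 5)")
    if h["total_length"] != len(packet):
        findings.append("total length field does not match bytes received")
    if h["fragment_offset"] != 0:
        findings.append("non-first fragment: no transport header to filter on")
    elif (h["src"] == h["dst"] and h["protocol"] in (6, 17)
          and len(h["payload"]) >= 4):
        sport, dport = struct.unpack("!HH", h["payload"][:4])
        if sport == dport:
            findings.append(f"LAND-style: src==dst {h['src']} and port {sport}")
    return findings


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *, ttl: int = 64,
               ident: int = 1, offset: int = 0, options: bytes = b"") -> bytes:
    """Build a test packet with a correct checksum; options are padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack(IP_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                      offset & 0x1FFF, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed samples: an ordinary TCP segment to port 80, a LAND-style packet
# to port 23, a second fragment, and a packet carrying IP options (three NOPs).
PLAIN = build_ipv4("60.171.18.22", "60.171.17.13", 6,
                   struct.pack("!HH", 50047, 80) + b"\x00" * 16)
LAND = build_ipv4("128.171.17.13", "128.171.17.13", 6,
                  struct.pack("!HH", 23, 23) + b"\x00" * 16)
FRAG2 = build_ipv4("1.34.150.37", "128.171.17.13", 6, b"\x00" * 32, ident=7, offset=185)
WITH_OPTS = build_ipv4("1.34.150.37", "128.171.17.13", 1, b"\x08\x00" + b"\x00" * 6,
                       options=b"\x01\x01\x01")
```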

Figure 3-23: Transmission Control Protocol (TCP)
- TCP messages are TCP segments
- The Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
- Reliable: the receiving process sends an ACK to the sending process if the segment is correctly received; the ACK bit is set (1) in acknowledgement segments; if the sending process does not get an ACK, it resends the segment
[Diagram: a PC sends a TCP segment; the receiver returns a TCP segment (ACK). Header row shown: Header Length (4 bits), Reserved (6 bits), Flag Fields (6 bits), Window Size (16 bits).]

Figure 3-23: Transmission Control Protocol (TCP): Connections, Opens and Closes
- Formal open and close
- Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
- Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
- Abrupt close: RST (Figure 3-26)

Figure 3-25: Communication During a TCP Session
3-way open (3 segments):
1. SYN (open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
Carry request and response (4 segments):
4. Data = request
5. ACK (4)
6. Data = response
7. ACK (6)
Error handling:
8. Data = request (error)
9. Data = request (no ACK, so retransmit)
10. ACK (9)
11. Data = response
12. ACK (11)

Figure 3-25: Communication During a TCP Session (continued)
Normal four-way close (4 segments):
13. FIN (close)
14. ACK (13)
15. FIN
16. ACK (15)
Abrupt close (1 segment): RST
- Note: an ACK may be combined with the next message if the next message is sent quickly enough
- Either side can send a Reset (RST) segment at any time; it ends the session immediately

Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)
[Diagram: 1. attacker 1.34.150.37 sends a probe SYN/ACK segment to the victim. 2. There is no connection, so the segment makes no sense to the victim. 3. The victim answers "Go away!" with an IP packet carrying an RST segment. 4. That packet's source IP address is the victim's. 5. The attacker learns the victim is live.]

Figure 3-23: Transmission Control Protocol (TCP): Sequence and Acknowledgement Numbers
- Sequence numbers identify the segment's place in the sequence
- The acknowledgement number identifies which segment is being acknowledged
[Header rows: Source Port Number (16 bits), Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits).]

Figure 3-23: Transmission Control Protocol (TCP): Port Numbers
- Port numbers identify applications
- Well-known ports (0-1023) are used by applications that run as root (Figure 3-27): HTTP=80, Telnet=23, FTP=21 for supervision and 20 for data transfer, SMTP=25
- Registered ports (1024-49152) are for any application
- Ephemeral/dynamic/private ports (49153-65535) are used by clients (16,383 possible)
- Not all operating systems use these port ranges, although all use well-known ports
[Header row: Source Port Number (16 bits), Destination Port Number (16 bits).]

Figure 3-23: Transmission Control Protocol (TCP): Port Numbers (continued)
- Socket format is IP address:port, for instance 128.171.17.13:80
- Designates a specific program on a specific machine
- Port spoofing (Figure 3-28): an incorrect application uses a well-known port, especially 80, which is often allowed through firewalls

Figure 3-27: Use of TCP and UDP Port Numbers
[Diagram: client 60.171.18.22, web server 60.171.17.13 on port 80, SMTP server 123.30.17.120 on port 25.]
- Request: From 60.171.18.22:50047 To 60.171.17.13:80
- Response: From 60.171.17.13:80 To 60.171.18.22:50047
- Second connection: From 60.171.18.22:60003 To 123.30.17.120:25
- Clients use different ephemeral ports for different connections

Figure 3-29: User Datagram Protocol (UDP)
- UDP datagrams are simple (Figure 3-30): source and destination port numbers (16 bits each), UDP length (16 bits), UDP checksum (16 bits)
Header layout after the IP header (usually 20 bytes), bit 0 to bit 31 on each row:
- Source Port Number (16 bits), Destination Port Number (16 bits)
- UDP Length (16 bits), UDP Checksum (16 bits)
- Data Field

Figure 3-29: User Datagram Protocol (UDP)
- Port spoofing is still possible
- UDP datagram insertion: insert a UDP datagram into an ongoing dialog stream; hard to detect because there are no sequence numbers in UDP

Figure 3-33: Internet Control Message Protocol (ICMP)
- ICMP is for supervisory messages at the internet layer
- ICMP and IP: an ICMP message is delivered (encapsulated) in the data field of an IP packet
- Types and codes (Figure 3-2): the type is the general category of supervisory message; the code is a subcategory of the type (set to zero if there is no code)

Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages
[Diagram: a host sends an Echo and the target returns an Echo Reply; a router sends a Host Unreachable error.]

Figure 3-32: IP Packet with an ICMP Data Field
Layout after the IP header (usually 20 bytes), bit 0 to bit 31:
- Type (8 bits), Code (8 bits), then fields whose contents depend on the type and code

Figure 3-32: Internet Control Message Protocol (ICMP): Network Analysis Messages
- Echo (Type 8, no code) asks the target host if it is operational and available
- Echo reply (Type 0, no code): the target host responds to the echo sender
- The ping program implements Echo and Echo Reply, like a submarine pinging a target
- Ping is useful for network managers to diagnose problems based on failures to reply
- Ping is useful for hackers to identify potential targets: live ones reply

Figure 3-32: Internet Control Message Protocol (ICMP): Error Advisement Messages
- Advise the sender of an error, but there is no error correction
- Host Unreachable (Type 3, multiple codes): many codes for specific reasons for the host being unreachable
- The host unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim
- Usually sent by a router

Figure 3-31: Internet Control Message Protocol (ICMP): Error Advisement Messages
- Time Exceeded (Type 11, no codes): a router decrementing TTL to 0 discards the packet and sends a time exceeded message
- The IP header carrying the error message reveals the router's IP address
- By progressively incrementing TTL values by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping the network
- Also usually sent by a router

Figure 3-31: Internet Control Message Protocol (ICMP): Control Messages
- Control network/host operation
- Source Quench (Type=4, no code): tells the destination host to slow down its transmission rate; legitimate use: flow control if the host sending source quench is overloaded; attackers can use it for a denial-of-service attack
- Redirect (Type 5, multiple codes): tells a host or router to send packets in a different way than it has been; attackers can disrupt network operations, for example by sending packets down black holes
- Many other ICMP messages

Summary: Network Elements
- Client and server stations
- Trunk lines and access lines
- Switches and routers
- Messages (frames)

Summary: Messages (Frames)
- Messages (frames) may have headers, data fields, and trailers
- Headers have source and destination address fields
- Switches forward (switch) frames based on the value in the destination address field
- Based on the field value, the switch sends the frame out a different port than the one on which the frame arrived

Summary: Internets
- A group of networks connected by routers
- The Internet is a global internet
- Organizations connect via ISPs
- Internet messages are called packets
- The path of a packet is its route
- Packets travel within frames in networks
- If the route goes through four networks, there will be one packet and four frames
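Two detections for the ICMP behaviour the slides describe (one source pinging many hosts, and TTL values stepped by 1 toward one destination), plus the border ingress rule "allow only ICMP echo replies" from the summary slide, written as functions over a constructed firewall log. This is an added example, not code from the Panko slides; the log format and the addresses in it are invented for the example.

```python
"""Spotting ICMP scanning in a firewall log (added example, not from the slides).

Patterns: a source sending Echo (type 8) to many distinct destinations within
a short window (ping sweep), and a (source, destination) pair whose Echo TTLs
run 1, 2, 3, ... as traceroute-style route mapping does.  Also the
border-router ingress policy of letting in only Echo Reply.
"""
from collections import defaultdict

ICMP_TYPES = {0: "Echo Reply", 3: "Host Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded"}

# Constructed log lines: "<seconds> <src> <dst> icmp type=<t> code=<c> ttl=<n>"
LOG = """\
0 1.34.150.37 128.171.17.1 icmp type=8 code=0 ttl=128
1 1.34.150.37 128.171.17.2 icmp type=8 code=0 ttl=128
2 1.34.150.37 128.171.17.3 icmp type=8 code=0 ttl=128
3 1.34.150.37 128.171.17.4 icmp type=8 code=0 ttl=128
4 1.34.150.37 128.171.17.5 icmp type=8 code=0 ttl=128
5 60.171.18.22 128.171.17.13 icmp type=8 code=0 ttl=64
6 128.171.17.13 60.171.18.22 icmp type=0 code=0 ttl=63
7 1.34.150.37 128.171.17.13 icmp type=8 code=0 ttl=1
8 1.34.150.37 128.171.17.13 icmp type=8 code=0 ttl=2
9 1.34.150.37 128.171.17.13 icmp type=8 code=0 ttl=3
10 1.34.150.37 128.171.17.13 icmp type=8 code=0 ttl=4
11 60.168.4.6 128.171.17.13 icmp type=5 code=1 ttl=60
"""


def parse_log(text):
    """Turn the invented log format into dicts; non-ICMP lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, *fields = line.split()
        if proto != "icmp":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"t": int(ts), "src": src, "dst": dst,
                       "type": int(kv["type"]), "code": int(kv["code"]),
                       "ttl": int(kv["ttl"])})
    return events


def ingress_allowed(icmp_type, icmp_code=0):
    """Border-router ingress policy from the summary slide: only Echo Reply
    (type 0) is let in from the Internet; Echo, Redirect, Source Quench and
    the error advisements are dropped at the border, whatever their code."""
    return icmp_type == 0


def find_ping_sweeps(events, min_targets=4, window=60):
    """Sources that send Echo to >= min_targets distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 8:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["t"] - first["t"] <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


def find_ttl_walks(events, min_steps=3):
    """(src, dst) pairs whose successive Echo TTLs step by exactly 1, as in
    the route-mapping technique the Time Exceeded slide describes."""
    seq = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == 8:
            seq[(e["src"], e["dst"])].append(e["ttl"])
    walks = []
    for key, ttls in seq.items():
        run = 1
        for a, b in zip(ttls, ttls[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_steps:
                walks.append(key)
                break
    return walks
```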

Summary: TCP/IP Standards
- Dominate the Internet
- Created by the Internet Engineering Task Force (IETF)
- Documents are called requests for comments (RFCs)
OSI Standards
- Dominate for single networks: the physical and data link layers
[Diagram: the OSI stack beside the Hybrid TCP/IP-OSI stack; TCP/IP subnet access uses the OSI standards at the bottom two layers.]

Summary: Internetworking Layers
- Internet layer: the Internet Protocol (IP) governs packet organization and hop-by-hop router forwarding (routing)
- Transport layer: governs the end-to-end connection between the two hosts; TCP adds reliability, flow control, etc.; UDP is simpler and offers no reliability, etc.
- Application layer standards: govern the interaction between two application programs; usually a message formatting standard and a message transfer standard; HTML / HTTP in the WWW, RFC 2822 / SMTP in e-mail

Summary: IP Version 4
- 32-bit source and destination addresses
- Time to live (TTL)
- Header checksum
- Protocol (type of message in the data field)
- Data field
- Option fields may be used, but are more likely to be used by hackers than legitimately
- Packets may be fragmented; this too is done mainly by attackers
IP Version 6
- 128-bit addresses to allow more addresses

Summary: Vertical Communication on the Source Host
- One layer (Layer N) creates a message
- Passes the message down to the next-lower layer (Layer N-1)
- The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 message
- Layer N-1 passes the Layer N-1 message down to Layer N-2
- The process is reversed on the destination host: decapsulation occurs at each layer

Summary: Vertical Processes on Routers
- The router first receives, then sends; so the router first decapsulates, then encapsulates
- There is one internet layer process on each router

Summary: Firewalls
- Firewalls only need to look at the internet, transport and application layer messages, not the frame
- The attacker cannot manipulate the frame going from the ISP to the organization

Summary: IP
- Connectionless and unreliable
- Hierarchical IP addresses: network part, subnet part, host part; part lengths vary

Summary: IP Masks
- You cannot tell by looking at an IP address what its network or subnet parts are
- The network mask has 1s in the network part, followed by all zeros
- The subnet mask has 1s in the network and subnet parts, followed by all zeros

Summary: IP Address Spoofing
- Change the source IP address
- To conceal the identity of the attacker
- To have the victim think the packet comes from a trusted host
- LAND attack

Summary: TCP Messages
- Called TCP segments
- Flags fields for SYN, ACK, FIN, RST
- 3-way handshake with SYN to open
- Each segment that is received correctly is ACKed; this provides reliability
- Normally, FIN is used in a four-way close
- RST can create a single-message close
- Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address

Summary: Port Numbers
- Used in both TCP and UDP
- 16-bit source and destination port numbers
- Clients use ephemeral port numbers, randomly generated by the client, 49153-65535
- Major applications on servers use well-known port numbers, 0 to 1023

Summary: ICMP
- For supervisory messages at the internet layer
- ICMP messages are encapsulated in the data fields of IP packets
- Type and code designate the contents of the IP packet
- Attackers use ICMP messages in scanning; replies tell them IP addresses
- Echo (Type 8, no code) asks the target host if it is operational and available
- Echo reply (Type 0, no code): the target host responds to the echo sender
- The ping program implements Echo and Echo Reply, like a submarine pinging a target
- ICMP error messages of several types
- Allow only ICMP echo replies in border router ingress filtering