Review of TCP/IP Internetworking
Chapter 3
Panko, Corporate Computer and Network Security, Copyright 2004 Prentice-Hall

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
[Figure: a client host, a mobile client host and a server host attached to switches by access links; switches joined by trunk links; a frame follows a path through the switches]

Frame Organization
[Figure: message structure of a frame: header (other header fields, destination address field), data field, trailer]

Switching Decision
- A switch receives a frame and sends it back out based on the address in the frame's destination address field
[Figure: a switch with ports 1-6 and stations A, B, C and D; a frame carrying station C's address is sent out the port that leads to station C]

Figure 3-1: An Internet
- Multiple networks connected by routers
- The path of a packet is its route
[Figure: switched networks 1, 2 and 3 joined by routers; a packet's route crosses all three single networks]

Internet
- An internet is two or more individual switched networks connected by routers
- The global Internet has thousands of networks

Figure 3-6: Frames and Packets
[Figure: browser software on a client PC in network 1, router A, network 2, router B, a switch and a webserver in network 3; one packet travels the whole route, carried in frame 1 in network 1, frame 2 in network 2 and frame 3 in network 3]

Frames and Packets
- Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport
[Figure: shipper, truck, airport, airplane, airport, truck, receiver; the same shipment all the way]

Figure 3-2: TCP/IP Standards (Study Figure)
- Origins
  - Defense Advanced Research Projects Agency (DARPA) created the ARPANET
  - An internet connects multiple individual networks
  - The global Internet is capitalized
  - Internet Engineering Task Force (IETF)
  - Most IETF documents are requests for comments (RFCs)
  - Internet Official Protocol Standards: the list of RFCs that are official standards

Figure 3-2: TCP/IP Standards (Study Figure)
- Hybrid TCP/IP-OSI Architecture (Figure 3-3)
  - Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2

  TCP/IP          OSI            Hybrid TCP/IP-OSI
  Application     Application    Application
                  Presentation
                  Session
  Transport       Transport      Transport
  Internet        Network        Internet
  Subnet Access   Data Link      Data Link   (use OSI standards here)
                  Physical       Physical    (use OSI standards here)

Figure 3-2: TCP/IP Standards (Study Figure)
- OSI Layers
  - Physical (Layer 1): defines electrical signaling and media between adjacent devices
  - Data link (Layer 2): control of a frame through a single network, across multiple switches
[Figure: a physical link, a frame and the data link shown over switched network 1]

Figure 3-2: TCP/IP Standards (Study Figure)
- Internet Layer
  - Governs the transmission of a packet across an entire internet; the path of the packet is its route
[Figure: a packet's route through switched networks 1, 2 and 3 and the routers between them]

Figure 3-2: TCP/IP Standards (Study Figure)
- Frames and Packets
  - Frames are messages at the data link layer
  - Packets are messages at the internet layer
  - Packets are carried (encapsulated) in frames
  - There is only a single packet that is delivered from the source host to the destination host
  - This packet is carried in a separate frame in each network

Figure 3-2: TCP/IP Standards (Study Figure)
- Internet and Transport Layers
  - Purposes
    - The internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
    - The transport layer is an end-to-end (host-to-host) protocol involving only the two hosts

Figure 3-7: Internet and Transport Layers
[Figure: client PC, routers 1, 2 and 3, server]
- Transport layer: end-to-end (host-to-host); TCP is connection-oriented and reliable, UDP is connectionless and unreliable
- Internet layer (usually IP): hop-by-hop (host-router or router-router); connectionless and unreliable

Figure 3-2: TCP/IP Standards (Study Figure)
- Internet and Transport Layers
  - Internet Protocol (IP)
    - IP at the internet layer is unreliable: it does not correct errors in each hop between routers
    - This is good: it reduces the work each router along the route must do

Figure 3-2: TCP/IP Standards (Study Figure)
- Transport Layer Standards
  - Transmission Control Protocol (TCP)
    - Reliable and connection-oriented service at the transport layer
    - Corrects errors
  - User Datagram Protocol (UDP)
    - Unreliable and connectionless service at the transport layer
    - Lightweight protocol, good when catching errors is not important

Figure 3-8: HTML and HTTP at the Application Layer
[Figure: a client PC with a browser (123.34.150.37) and a webserver (60.168.47.47) exchange HTTP requests and responses; the response carries an HTML document or other file (jpeg, etc.)]

Figure 3-2: TCP/IP Standards (Study Figure)
- Application Layer
  - Governs communication between application programs, which may be written by different vendors
  - Document transfer versus document format standards
    - HTTP / HTML for the WWW service
    - SMTP / RFC 822 (or RFC 2822) in e-mail
  - Many application standards exist because there are many applications

Figure 3-3: TCP/IP and OSI Architectures: Recap

  TCP/IP          OSI            Hybrid TCP/IP-OSI
  Application     Application    Application
                  Presentation
                  Session
  Transport       Transport      Transport
  Internet        Network        Internet
  Subnet Access   Data Link      Data Link   (use OSI standards here)
                  Physical       Physical    (use OSI standards here)

Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

Figure 3-5: IP Packet
IP Version 4 packet, bit 0 to bit 31 on each row:
  Version (4 bits, 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
  Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
  Time to Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  Options (if any) | Padding
  Data Field

Figure 3-5: IP Packet
- Version
  - Has the value four (0100)
- Time to Live (TTL)
  - Prevents the endless circulation of mis-addressed packets
  - Value is set by the sender
  - Decremented by one by each router along the way
  - If it reaches zero, the router throws the packet away

Figure 3-5: IP Packet
- Protocol Field
  - Identifies the contents of the data field
  - 1 = ICMP: IP header with Protocol=1, IP data field carries an ICMP message
  - 6 = TCP: IP header with Protocol=6, IP data field carries a TCP segment
  - 17 = UDP: IP header with Protocol=17, IP data field carries a UDP datagram

Figure 3-5: IP Packet
- Header checksum checks for errors in the header only
  - Faster than checking the whole packet
  - Stops bad headers from causing problems
  - IP Version 6 drops even this checking
- Address Fields
  - 32 bits long, of course
- Options field(s) give optional parameters
- Data field contains the payload of the packet

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
- Application process: HTTP Message
- Transport process: TCP Hdr | HTTP Message (encapsulation of the HTTP message in the data field of a TCP segment)
- Internet process: IP Hdr | TCP Hdr | HTTP Message (encapsulation of the TCP segment in the data field of an IP packet)

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
- Internet process: IP Hdr | TCP Hdr | HTTP Message
- Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr (encapsulation of the IP packet in the data field of a frame)
- Physical process: converts the bits of the frame into signals

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Note: The following is the final frame for supervisory TCP segments, which carry no application message:
  DL Hdr | IP Hdr | TCP Hdr | DL Trlr

Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
- Application process: HTTP Message (decapsulation of the HTTP message from the data field of a TCP segment)
- Transport process: TCP Hdr | HTTP Message (decapsulation of the TCP segment from the data field of an IP packet)
- Internet process: IP Hdr | TCP Hdr | HTTP Message

Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
- Internet process: IP Hdr | TCP Hdr | HTTP Message (decapsulation of the IP packet from the data field of a frame)
- Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
- Physical process: converts signals into the bits of the frame

Figure 3-11: Vertical Communication on Router R1
[Figure: Router R1 has one internet layer process and ports 1-4, each with its own data link (DL) and physical (PHY) process; Switch X2 is attached to port 1 and Router 2 to port 4]
Notes:
- A. Router R1 receives a frame from Switch X2 on Port 1. The Port 1 DL process decapsulates the packet and passes it to the internet process.
- B. The internet process sends the packet out on Port 4. The Port 4 DL process encapsulates the packet in a PPP frame and passes the frame to the Port 4 PHY process.
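The encapsulation chain of Figures 3-9 and 3-11 in working code, as an added example that is not part of the original slides: the source host wraps an HTTP message in a TCP segment, an IPv4 packet (header laid out as in Figure 3-5, with the header checksum computed) and an Ethernet frame; the router then decapsulates the frame, verifies the header checksum, decrements the TTL, recomputes the checksum and re-encapsulates the packet in a PPP frame. The MAC addresses, the Identification value, the PPP header bytes and the choice of Ethernet on port 1 are constructed assumptions; the IP addresses and ports are the ones the figures use.

```python
import struct

# Addresses from the figures; MAC addresses, Identification value and PPP
# header bytes are constructed assumptions for this example.
CLIENT_IP, SERVER_IP = "123.34.150.37", "60.168.47.47"
CLIENT_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = b"\x08\x00"
PPP_IPV4 = b"\xff\x03\x00\x21"   # PPP address/control fields, protocol 0x0021 = IPv4


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); IPv4 applies it to the header only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header in the Figure 3-5 layout, no options, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         ttl, protocol, 0, ip_bytes(src), ip_bytes(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, ACK and PSH flags set; the TCP
    checksum is left zero because this example stops at the internet layer."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def ethernet_frame(packet: bytes) -> bytes:
    """Data link header in front of the packet; the frame check sequence trailer is omitted."""
    return ROUTER_MAC + CLIENT_MAC + ETHERTYPE_IPV4 + packet


def encapsulate(http_message: bytes) -> bytes:
    """Source host, Figure 3-9: HTTP message -> TCP segment -> IP packet -> frame."""
    segment = build_tcp(50047, 80, http_message)
    packet = build_ipv4(CLIENT_IP, SERVER_IP, 6, segment)
    return ethernet_frame(packet)


def router_forward(frame: bytes):
    """Router R1, Figure 3-11: the port 1 data link process decapsulates the packet,
    the internet process checks and updates the header, and the port 4 data link
    process re-encapsulates it in a PPP frame. Returns (ppp_frame_or_None, note)."""
    if frame[12:14] != ETHERTYPE_IPV4:
        return None, "not an IPv4 frame"
    packet = frame[14:]                        # decapsulation: strip the Ethernet header
    ihl = (packet[0] & 0x0F) * 4
    header, data = packet[:ihl], packet[ihl:]
    if inet_checksum(header) != 0:             # a correct header sums to zero
        return None, "bad header checksum: discarded"
    ttl = header[8] - 1
    if ttl == 0:
        return None, "TTL expired: discarded, Time Exceeded sent to source"
    header = header[:8] + bytes([ttl]) + header[9:10] + b"\x00\x00" + header[12:]
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return PPP_IPV4 + header + data, "forwarded"   # encapsulation on port 4
```

Because the checksum covers only the header, the router recomputes it after every TTL change without touching the data field; a packet whose header has been damaged in transit fails the check and is dropped before any forwarding decision is made.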

Figure 3-12: Site Connection to an ISP
1. Site network, behind the border firewall
2. Packet carried in a site frame
3. Packet carried in a data link frame between the site and the ISP router (difficult to attack)
4. Packet carried in an ISP carrier frame across the Internet backbone
5. Normally, only the arriving packet is dangerous, not the frame fields

Figure 3-13: Internet Protocol (IP)
- Basic Characteristics
  - There were already single networks, and many more would come in the future
  - Developers needed to make a few assumptions about underlying networks
  - So they kept IP simple

Figure 3-13: Internet Protocol (IP)
- Connection-Oriented Service and Connectionless Service
  - Connection-oriented services have distinct starts and closes (telephone calls)
  - Connectionless services merely send messages (postal letters)
  - IP is connectionless

IP Packet
[Figure: an IP packet passed from the PC's internet process to the first router's internet process]
- Connectionless: packets are sent in isolation, like postal letters
- Unreliable: no error correction; a packet is discarded by the receiver if an error is detected; error correction is left to the transport layer, which reduces the cost of routers

Figure 3-13: Internet Protocol (IP) (Study Figure)
- IP is Unreliable (Checks for Errors but does not Correct Errors)
  - Not doing error correction at each hop between switches reduces switch work and so switch cost
  - Does not even guarantee that packets will arrive in order

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Hierarchical IP Addresses (Figure 3-14)
  - Postal addresses are hierarchical (state, city, postal zone, specific address)
    - Most post offices have to look only at the state and city
    - Only the final post offices have to be concerned with specific addresses

Figure 3-15: Hierarchical IP Address
- Network part (not always 16 bits), subnet part (not always 8 bits), host part (not always 8 bits); the total is always 32 bits
- Example 128.171.17.13: the Internet delivers to the UH network (128.171); within it, the CBA subnet (17); within that, host 13

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Hierarchical IP Addresses
  - 32-bit IP addresses are hierarchical (Figure 3-15)
    - The network part tells what network the host is on
    - The subnet part tells what subnet the host is on within the network
    - The host part specifies the host on its subnet
    - Routers have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Hierarchical IP Addresses
  - 32-bit IP addresses are hierarchical
    - The total is 32 bits; part sizes vary
    - The network mask tells you the size of the network part (Figure 3-16)
    - The subnet mask tells you the length of the network plus subnet parts combined

Figure 3-16: IP Address Masking with Network and Subnet Masks
                   Network Masking                      Subnet Masking
  Mask represents  the size of the network part         the size of the network and subnet parts combined
  Eight ones       give the decimal value 255           give the decimal value 255
  Eight zeros      give the decimal value 0             give the decimal value 0
  Masking          gives the IP address bit where the mask bit is 1, and 0 where the mask bit is 0 (both columns)

Figure 3-16: IP Address Masking with Network and Subnet Masks
  Example 1     Network Masking                    Subnet Masking
  IP Address    128.171.17.13                      128.171.17.13
  Mask          255.255.0.0                        255.255.255.0
  Result        128.171.0.0                        128.171.17.0
  Meaning       16-bit network part is 128.171     Combined 24-bit network plus subnet parts are 128.171.17

  Example 2     Network Masking                    Subnet Masking
  IP Address    60.47.123.7                        60.47.123.7
  Mask          255.0.0.0                          255.255.0.0
  Result        60.0.0.0                           60.47.0.0
  Meaning       8-bit network part is 60           Combined 16-bit network plus subnet parts are 60.47

Figure 3-17: IP Address Spoofing
[Figure: trusted server 60.168.4.6, victim server 60.168.47.47, attacker's client PC 1.34.150.37]
1. Trust relationship between the trusted server and the victim server
2. Attack packet with spoofed source IP address 60.168.4.6
3. The victim server accepts the attack packet; the attacker's identity is not revealed
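The masking of Figures 3-15 and 3-16 as an added example, not code from the original slides: it applies network and subnet masks to the two worked addresses, splits an address into its network, subnet and host parts, and goes one step further than the slides by making the router's forwarding decision, which looks only at the masked part of the destination and picks the most specific matching row. The routing table rows and the hop names are constructed for the example; mask_from_prefix is a generalisation (prefix-length notation) that the slides do not use.

```python
def to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 address: " + addr)
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def apply_mask(addr: str, mask: str) -> str:
    """Figure 3-16: keep the address bit where the mask bit is 1, 0 where it is 0."""
    return to_dotted(to_int(addr) & to_int(mask))


def mask_length(mask: str) -> int:
    """Number of leading 1 bits; rejects masks whose 1s are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask bits are not contiguous: " + mask)
    return ones


def mask_from_prefix(prefix_len: int) -> str:
    """Generalisation beyond the slides: /16 -> 255.255.0.0, /24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return to_dotted((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def split_address(addr: str, network_mask: str, subnet_mask: str) -> dict:
    """Figure 3-15: network, subnet and host parts as bit strings; widths sum to 32."""
    n, s = mask_length(network_mask), mask_length(subnet_mask)
    if s < n:
        raise ValueError("subnet mask must cover at least the network part")
    bits = format(to_int(addr), "032b")
    return {"network": bits[:n], "subnet": bits[n:s], "host": bits[s:],
            "network_bits": n, "subnet_bits": s - n, "host_bits": 32 - s}


def next_hop(dst: str, routing_table):
    """Router forwarding decision: the most specific (longest mask) row whose masked
    destination matches wins. Rows are (destination network, mask, next hop)."""
    best = None
    for network, mask, hop in routing_table:
        if apply_mask(dst, mask) == network:
            length = mask_length(mask)
            if best is None or length > best[0]:
                best = (length, hop)
    return None if best is None else best[1]
```

The contiguity check in mask_length is the practical caveat: a mask such as 255.0.255.0 is representable as four octets but is not a valid network or subnet mask, and a filter or routing rule written with one silently matches the wrong addresses.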

Figure 3-13: Internet Protocol (IP) (Study Figure)
- IP Addresses and Security
  - IP address spoofing: sending a message with a false source IP address (Figure 3-17)
  - Gives the sender anonymity, so that the attacker cannot be identified
  - Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts

Figure 3-13: Internet Protocol (IP) (Study Figure)
- IP Addresses and Security
  - LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.

Figure 3-18: LAND Attack Based on IP Address Spoofing
[Figure: attacker 1.34.150.37 sends victim 60.168.47.47, which has port 23 open, a packet with From: 60.168.47.47:23 and To: 60.168.47.47:23; the victim crashes]
- Source and destination IP addresses are the same
- Source and destination port numbers are the same

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Protocol field: identifies the content of the IP data field
    - Firewalls need this information to know how to process the packet

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Time-to-Live field
    - Each router decrements the TTL value by one
    - The router that decrements the TTL field to zero discards the packet
    - Traceroute uses TTL to map the route to a host (Figure 3-19); the program is called tracert on Windows machines

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Time-to-Live field
    - The discarding router also sends an error advisement message to the packet's sender
    - The packet containing this message carries the router's IP address as its source address, so it reveals that router to an attacker

Figure 3-19: Tracert Program in Windows
[Figure: screen capture of tracert output]

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Header Length field and Options
    - With no options, the Header Length is 5
      - Expressed in units of 32 bits (4 bytes), so 20 bytes
    - Many options are dangerous
      - So if the Header Length is more than 5, be suspicious
      - Some firms drop all packets with options
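The header checks of the last few slides (Protocol field, LAND attack, Header Length and options) as an added example that is not part of the original slides: inspect_ipv4 returns the findings a packet-filtering firewall would raise from the IPv4 header alone, and make_packet and tcp_ports build the constructed test packets. The packets are built without a checksum because the point here is field values, not integrity; the option bytes used in the test are an arbitrary 4-byte option, not a specific real-world attack.

```python
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def make_packet(src, dst, protocol, transport=b"", options=b"", fragment_offset=0, declared_length=None):
    """Constructed IPv4 packet for the tests below; no checksum, since this block
    inspects field values rather than verifying integrity."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    length = declared_length if declared_length is not None else ihl * 4 + len(transport)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, length, 0x1234, fragment_offset // 8,
                         64, protocol, 0, ip_bytes(src), ip_bytes(dst))
    return header + options + transport


def tcp_ports(sport: int, dport: int) -> bytes:
    """A 20-byte TCP header carrying only the two port fields that matter here."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def inspect_ipv4(packet: bytes) -> list:
    """Findings a packet-filtering firewall would raise before trusting this packet."""
    findings = []
    if len(packet) < 20:
        return ["truncated: shorter than a 20-byte IPv4 header"]
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return ["not IPv4: version field is %d" % (ver_ihl >> 4)]
    ihl = ver_ihl & 0x0F
    if ihl < 5:
        return ["invalid header length %d (minimum is 5)" % ihl]
    if ihl > 5:                                   # options present: be suspicious
        findings.append("options present: header length is %d words (%d bytes)" % (ihl, ihl * 4))
    if total_len != len(packet):                  # Total Length must match what arrived
        findings.append("total length field says %d bytes but %d were received" % (total_len, len(packet)))
    if proto not in PROTOCOL_NAMES:               # firewall needs Protocol to parse further
        findings.append("protocol %d is not ICMP, TCP or UDP: transport header cannot be parsed" % proto)
    if src == dst:
        findings.append("source and destination IP addresses are the same")
    transport = packet[ihl * 4:]
    if frag & 0x1FFF:                             # only the first fragment carries ports
        findings.append("non-first fragment: no transport header to filter on")
    elif proto in (6, 17) and len(transport) >= 4:
        sport, dport = struct.unpack("!HH", transport[:4])
        if src == dst and sport == dport:
            findings.append("LAND attack: same address and same port %d at both ends" % sport)
    return findings
```

A packet with options is only flagged, not dropped, so that the caller can apply whichever policy its site has chosen; the LAND check needs both the address and port comparisons, and the port comparison is only meaningful when the Protocol field says the data field starts with a TCP or UDP header.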

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Length Field
    - Gives the length of the entire packet (header plus data)
    - Maximum is 65,535 bytes, since the field is 16 bits
    - The Ping-of-Death attack sent IP packets with longer data fields
    - Many systems crashed

Figure 3-20: Ping-of-Death Attack
[Figure: attacker 1.34.150.37 sends victim 60.168.47.47 an IP packet containing an ICMP Echo message that is illegally long; the victim crashes]

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Fragmentation
    - Routers may fragment IP packets (really, packet data fields) en route
      - All fragments have the same Identification field value
      - Fragment offset values allow the fragments to be ordered
      - The More Fragments flag is 0 in the last fragment

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Fragmentation
    - Harms packet inspection: the TCP header, etc. is only in the first packet in the series
      - Cannot filter on the TCP header, etc. in subsequent fragments

Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
[Figure: attacker 1.34.150.37, firewall, host 60.168.47.47]
1. Fragmented IP packet
2. First fragment: IP header, TCP header, data field. Second fragment: IP header, data field
3. TCP header only in the first fragment
4. No TCP header in the second fragment
5. The firewall can only filter on the TCP header in the first fragment

Figure 3-13: Internet Protocol (IP) (Study Figure)
- Other IP Header Fields
  - Fragmentation
    - Teardrop attack: a crafted fragmented packet does not make sense when reassembled
    - Some firewalls drop all fragmented packets, which are rare today

Figure 3-21: Teardrop Denial-of-Service Attack
[Figure: attacker 1.34.150.37, victim 60.168.47.47 crashes]
- The attack pretends to be a fragmented IP packet
- When reassembled, the "packet" does not make sense: the "defragmented" IP packet has gaps and overlaps

Figure 3-24: IP Packet with a TCP Segment Data Field
Bit 0 to bit 31 on each row:
  IP Header (usually 20 bytes)
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
  TCP Checksum (16 bits) | Urgent Pointer (16 bits)
  Options (if any) | Padding
  Data Field
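Fragmentation as described in Figures 3-20, 3-21 and 3-22, as an added example that is not part of the original slides: fragment() splits a data field the way a router does, first_fragment_ports() shows that only the fragment at offset 0 carries the TCP ports a firewall can filter on, and reassemble() rebuilds the data field while rejecting the malformed series the slides describe: overlapping or missing pieces (teardrop) and a series whose reassembled size exceeds the 16-bit Total Length (ping of death). Fragments are modelled as a small dataclass rather than raw bytes, so the reassembly logic is the whole example; the identification values and payloads in the test are constructed.

```python
from dataclasses import dataclass

MAX_TOTAL_LENGTH = 65535       # the 16-bit Total Length field (header plus data)
IP_HEADER_LENGTH = 20


@dataclass
class Fragment:
    ident: int        # Identification field: the same for every fragment of one packet
    offset: int       # Fragment Offset in bytes (the header field counts 8-byte units)
    more: bool        # More Fragments flag; 0 only in the last fragment
    payload: bytes    # this fragment's slice of the original data field


def fragment(ident: int, data: bytes, chunk: int):
    """What a router does en route: slice the data field at 8-byte-aligned boundaries."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8 bytes")
    return [Fragment(ident, off, off + chunk < len(data), data[off:off + chunk])
            for off in range(0, len(data), chunk)]


def first_fragment_ports(frag: Fragment):
    """Figure 3-22: only the fragment at offset 0 carries the TCP header, so a firewall
    can read the ports from that one alone; for any other fragment this returns None."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return None
    return int.from_bytes(frag.payload[0:2], "big"), int.from_bytes(frag.payload[2:4], "big")


def reassemble(fragments) -> bytes:
    """Rebuild the data field, or raise ValueError naming the defect (Figures 3-20, 3-21)."""
    if len({f.ident for f in fragments}) != 1:
        raise ValueError("fragments belong to different packets")
    ordered = sorted(fragments, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        raise ValueError("first fragment missing")
    if ordered[-1].more:
        raise ValueError("last fragment missing: More Fragments still set")
    data, expected = b"", 0
    for f in ordered:
        if f.offset % 8:
            raise ValueError("offset %d is not a multiple of 8" % f.offset)
        if f.offset < expected:
            raise ValueError("teardrop: fragment at %d overlaps data that already ends at %d" % (f.offset, expected))
        if f.offset > expected:
            raise ValueError("gap: nothing covers bytes %d to %d" % (expected, f.offset))
        end = f.offset + len(f.payload)
        if end + IP_HEADER_LENGTH > MAX_TOTAL_LENGTH:
            raise ValueError("ping of death: reassembled packet would be %d bytes" % (end + IP_HEADER_LENGTH))
        if f.more and len(f.payload) % 8:
            raise ValueError("non-final fragment of %d bytes is not 8-byte aligned" % len(f.payload))
        data += f.payload
        expected = end
    return data


def validate(fragments):
    """None if the series reassembles cleanly, otherwise the reason it should be dropped."""
    try:
        reassemble(fragments)
        return None
    except ValueError as err:
        return str(err)
```

Reassembly runs over the fragments sorted by offset, so the order in which they arrive does not matter; what matters is that each fragment starts exactly where the previous one ended, which is the property a teardrop series violates and the property a firewall that reassembles before filtering must enforce.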

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Reliable
  - The receiving process sends an ACK to the sending process if the segment is correctly received
  - If the sending process does not get an ACK, it resends the segment
[Figure: the PC's transport process sends a TCP segment to the webserver's transport process, which returns a TCP segment (ACK)]

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- TCP Messages are TCP Segments
  - The Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
    - The ACK bit is set (1) in acknowledgement segments
[Figure: Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)]

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Connections: Opens and Closes
  - Formal open and close
    - Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
    - Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
    - Abrupt close: RST (Figure 3-26)

Figure 3-25: Communication During a TCP Session
Between the PC's transport process and the webserver's transport process:
1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
3-Way Open

Figure 3-25: Communication During a TCP Session
1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)
Steps 4-7 carry the HTTP request and response

Figure 3-25: Communication During a TCP Session
8. Data = HTTP Request (error in transit)
9. Data = HTTP Request (no ACK, so retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)
Error handling

Figure 3-25: Communication During a TCP Session
Normal four-way close:
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough

Figure 3-25: Communication During a TCP Session
Abrupt close: RST
- Either side can send a Reset (RST) segment at any time
- Ends the session immediately

Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)
[Figure: attacker 1.34.150.37, victim 60.168.47.47]
1. Probe: SYN/ACK segment
2. No connection: makes no sense!
3. Go away! RST segment
4. Source IP address = 60.168.47.47
5. 60.168.47.47 is live!

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Sequence and Acknowledgement Number
  - Sequence numbers identify the segment's place in the sequence
  - The acknowledgement number identifies which segment is being acknowledged
[Figure: Source Port Number (16 bits) | Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits)]
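The session of Figure 3-25 and the probe of Figure 3-26 as an added example, not code from the original slides: TcpEndpoint is a deliberately small model of one host's transport process that tracks sequence and acknowledgement numbers, performs the three-way open, ACKs data, retransmits a segment for which no ACK came back (steps 8-9), performs the four-way close, and answers any segment arriving for a non-existent connection with an RST whose source address is its own, which is exactly what the probe in Figure 3-26 relies on. Initial sequence numbers, window handling and timers are simplified (retransmit() stands in for the timer); the addresses and ports are the figures' own.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """The TCP header fields this example needs (Figure 3-24) plus the data field."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0
    flags: frozenset = frozenset()
    data: bytes = b""


class TcpEndpoint:
    """One host's transport process for one connection. Sequence numbers count bytes,
    SYN and FIN each consume one; the retransmission timer is replaced by retransmit()."""

    def __init__(self, ip, port, isn, listening=False):
        self.ip, self.port = ip, port
        self.state = "LISTEN" if listening else "CLOSED"
        self.peer = None
        self.snd_nxt = self.snd_una = isn     # next byte to send / oldest unacknowledged byte
        self.rcv_nxt = None                   # next byte expected from the peer
        self.unacked = []                     # sent data segments still awaiting an ACK
        self.received = b""                   # bytes delivered to the application

    def _seg(self, flags, seq, data=b""):
        return Segment(self.ip, self.port, self.peer[0], self.peer[1],
                       seq, self.rcv_nxt or 0, frozenset(flags), data)

    def connect(self, ip, port):              # step 1: SYN
        self.peer, self.state = (ip, port), "SYN_SENT"
        seg = self._seg({"SYN"}, self.snd_nxt)
        self.snd_nxt += 1
        return seg

    def send(self, data):                     # data segment; the ACK flag is always carried
        seg = self._seg({"ACK"}, self.snd_nxt, data)
        self.snd_nxt += len(data)
        self.unacked.append(seg)
        return seg

    def retransmit(self):                     # steps 8-9: no ACK came back, so resend
        return self.unacked[0] if self.unacked else None

    def close(self):                          # FIN; the other side's FIN comes separately
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        seg = self._seg({"FIN", "ACK"}, self.snd_nxt)
        self.snd_nxt += 1
        return seg

    def receive(self, seg):
        """Process one arriving segment and return the segment sent in reply, if any."""
        f = seg.flags
        if "RST" in f:                                   # abrupt close: session gone, no reply
            self.state = "CLOSED"
            return None
        if self.state == "CLOSED":                       # no connection: answer with RST (Figure 3-26)
            self.peer = (seg.src, seg.sport)
            return self._seg({"RST"}, seg.ack)
        if self.state == "LISTEN" and f == {"SYN"}:      # step 2: SYN/ACK
            self.peer, self.rcv_nxt, self.state = (seg.src, seg.sport), seg.seq + 1, "SYN_RCVD"
            reply = self._seg({"SYN", "ACK"}, self.snd_nxt)
            self.snd_nxt += 1
            return reply
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"} and seg.ack == self.snd_nxt:
            self.rcv_nxt, self.state, self.snd_una = seg.seq + 1, "ESTABLISHED", seg.ack
            return self._seg({"ACK"}, self.snd_nxt)      # step 3: ACK
        if "ACK" in f and seg.ack > self.snd_una:        # peer acknowledged bytes we sent
            self.snd_una = seg.ack
            self.unacked = [s for s in self.unacked if s.seq + len(s.data) > seg.ack]
            if self.state == "SYN_RCVD":
                self.state = "ESTABLISHED"
            elif self.state == "FIN_WAIT_1" and seg.ack == self.snd_nxt:
                self.state = "FIN_WAIT_2"
            elif self.state == "LAST_ACK" and seg.ack == self.snd_nxt:
                self.state = "CLOSED"
        reply = None
        if seg.data:
            if seg.seq == self.rcv_nxt:                  # in order: deliver once; a duplicate is not
                self.received += seg.data
                self.rcv_nxt += len(seg.data)
            reply = self._seg({"ACK"}, self.snd_nxt)     # either way, ACK what has been received
        if "FIN" in f:
            self.rcv_nxt = seg.seq + len(seg.data) + 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "CLOSED"
            reply = self._seg({"ACK"}, self.snd_nxt)
        return reply
```

Two details carry the security points of the slides: a retransmitted segment that arrives after the original was already delivered is acknowledged again but not delivered twice, because the sequence number no longer matches rcv_nxt; and a host with no connection replies to an unsolicited SYN/ACK with an RST that necessarily carries its own address, which is why a scanner learns that the address is live.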

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Port Number
  - Port numbers identify applications
  - Well-known ports (0-1023) are used by applications that run as root (Figure 3-27)
    - HTTP=80, Telnet=23, FTP=21 for supervision and 20 for data transfer, SMTP=25

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Port Number
  - Registered ports (1024-49151) for any application
  - Ephemeral/dynamic/private ports (49152-65535) are used by clients (16,384 possible)
  - Not all operating systems use these port ranges, although all use the well-known ports
[Figure: Source Port Number (16 bits) | Destination Port Number (16 bits)]

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
- Port Number
  - Socket format is IP address:port, for instance 128.171.17.13:80
    - Designates a specific program on a specific machine
  - Port spoofing (Figure 3-28)
    - An incorrect application uses a well-known port
    - Especially 80, which is often allowed through firewalls

Figure 3-27: Use of TCP and UDP Port Numbers
[Figure: client 60.171.18.22, webserver 60.171.17.13 port 80, SMTP server 123.30.17.120 port 25]
From: 60.171.18.22:50047  To: 60.171.17.13:80

Figure 3-27: Use of TCP and UDP Port Numbers
From: 60.171.17.13:80  To: 60.171.18.22:50047 (the webserver's reply goes back to the client's ephemeral port)

Figure 3-27: Use of TCP and UDP Port Numbers
From: 60.171.18.22:60003  To: 123.30.17.120:25 (a second connection from the same client, to the SMTP server)

Figure 3-27: Use of TCP and UDP Port Numbers
- Clients use different ephemeral ports for different connections: 60.171.18.22:50047 to the webserver (60.171.17.13:80) and 60.171.18.22:60003 to the SMTP server (123.30.17.120:25)

Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
- UDP Datagrams are Simple (Figure 3-30)
  - Source and destination port numbers (16 bits each)
  - UDP length (16 bits)
  - UDP checksum (16 bits)
  IP Header (usually 20 bytes)
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  UDP Length (16 bits) | UDP Checksum (16 bits)
  Data Field
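Port numbers as used in Figure 3-27 and the port-spoofing slide, as an added example that is not part of the original slides: port_class() places a port in the well-known, registered or ephemeral range (with the range boundaries as IANA defines them), ClientStack models the client side of the figure, choosing a fresh ephemeral port per connection and accepting a reply only when the full socket pair matches, and looks_like_http() is a simple heuristic showing why a firewall that passes port 80 should look at the data field rather than trust the port number. The seed parameter exists only to make the tests reproducible; the heuristic, the addresses and the payloads are constructed for the example.

```python
import random

WELL_KNOWN = {20: "FTP data", 21: "FTP control", 23: "Telnet", 25: "SMTP", 80: "HTTP"}


def port_class(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, ephemeral 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def looks_like_http(payload: bytes) -> bool:
    """Port spoofing (Figure 3-28): port 80 is only a convention, so a firewall that lets
    port 80 through should look at the data field, not just the port number. This is a
    constructed heuristic: a request line of the form 'METHOD target HTTP/1.x'."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0] in (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")
            and parts[2].startswith(b"HTTP/1."))


class ClientStack:
    """Client side of Figure 3-27: a fresh ephemeral port per connection, and replies
    demultiplexed by the full socket pair so two servers' data never get mixed up."""

    def __init__(self, ip: str, seed=None):
        self.ip = ip
        self.rng = random.Random(seed)        # seeded only for reproducible tests
        self.connections = {}                 # (local port, remote ip, remote port) -> received payloads

    def open(self, remote_ip: str, remote_port: int) -> int:
        """Pick an unused ephemeral port (one of 16,384) and record the connection."""
        in_use = {local for local, _, _ in self.connections}
        if len(in_use) == 16384:
            raise RuntimeError("all ephemeral ports in use")
        while True:
            port = self.rng.randint(49152, 65535)
            if port not in in_use:
                break
        self.connections[(port, remote_ip, remote_port)] = []
        return port

    def socket_pair(self, local_port: int, remote_ip: str, remote_port: int) -> str:
        return "%s:%d -> %s:%d" % (self.ip, local_port, remote_ip, remote_port)

    def deliver(self, src_ip: str, sport: int, dport: int, payload: bytes) -> bool:
        """A reply is accepted only if (dport, source ip, sport) names an open connection."""
        key = (dport, src_ip, sport)
        if key not in self.connections:
            return False                      # no such connection: a real stack would send RST
        self.connections[key].append(payload)
        return True
```

Two connections to two different servers are told apart by the client's local port, which is why the SMTP server's reply addressed to the webserver connection's port is rejected in the test even though it comes from a server the client is talking to.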

Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
- Port Spoofing Still Possible
- UDP Datagram Insertion
  - Insert a UDP datagram into an ongoing dialog stream
  - Hard to detect because there are no sequence numbers in UDP

Figure 3-33: Internet Control Message Protocol (ICMP)
- ICMP is for Supervisory Messages at the Internet Layer
- ICMP and IP
  - An ICMP message is delivered (encapsulated) in the data field of an IP packet
- Types and Codes (Figure 3-2)
  - Type: general category of supervisory message
  - Code: subcategory of the type (set to zero if there is no code)

Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages
[Figure: a router sends a "Host Unreachable" error message; a host sends "Echo" and receives "Echo Reply"; each ICMP message sits behind an IP header]

Figure 3-32: IP Packet with an ICMP Message Data Field
  IP Header (usually 20 bytes)
  Type (8 bits) | Code (8 bits) | Checksum (16 bits)
  Rest of the message depends on the type and code

Figure 3-32: Internet Control Message Protocol (ICMP)
- Network Analysis Messages
  - Echo (Type 8, no code) asks the target host if it is operational and available
  - Echo Reply (Type 0, no code): the target host responds to the echo sender
  - The ping program implements Echo and Echo Reply, like a submarine pinging a target
  - Ping is useful for network managers to diagnose problems based on failures to reply
  - Ping is useful for hackers to identify potential targets: live ones reply

Figure 3-32: Internet Control Message Protocol (ICMP)
- Error Advisement Messages
  - Advise the sender of an error, but there is no error correction
  - Destination Unreachable (Type 3, multiple codes; Host Unreachable is Code 1)
    - Many codes for specific reasons for the host being unreachable
    - The source IP address of a host-unreachable packet confirms to hackers that that address (the router that sent it) is live and therefore a potential victim
    - Usually sent by a router

Figure 3-31: Internet Control Message Protocol (ICMP)
- Error Advisement Messages
  - Time Exceeded (Type 11; Code 0 is TTL exceeded in transit)
    - The router that decrements the TTL to 0 discards the packet and sends a Time Exceeded message
    - The IP header carrying the error message reveals the router's IP address
    - By progressively incrementing the TTL by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping it
    - Also usually sent by a router

Figure 3-31: Internet Control Message Protocol (ICMP)
- Control Codes
  - Control network/host operation
  - Source Quench (Type 4, no code)
    - Tells the destination host to slow down its transmission rate
    - Legitimate use: flow control if the host sending the source quench is overloaded
    - Attackers can use it for a denial-of-service attack
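The TTL and Time Exceeded mechanism behind traceroute (Figure 3-19 and the Time-to-Live and ICMP slides), as an added example that is not part of the original slides: Internet is a constructed topology in which every packet passes a fixed list of routers; send_echo() has each router decrement the TTL and, at zero, return a Time Exceeded message with its own address as the source, which traceroute() uses hop by hop to map the path; ping_sweep() shows the Echo/Echo Reply scan, and border_ingress_allows() applies the chapter summary's ingress policy of admitting only Echo Reply. The router and host addresses are constructed; type and code values are the real ICMP ones.

```python
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACHABLE, SOURCE_QUENCH, REDIRECT, ECHO, TIME_EXCEEDED = 0, 3, 4, 5, 8, 11
HOST_UNREACHABLE = 1          # a Destination Unreachable code
TTL_EXCEEDED_IN_TRANSIT = 0   # a Time Exceeded code


@dataclass
class IcmpMessage:
    type: int
    code: int
    src: str        # source IP address of the packet carrying the message


class Internet:
    """Constructed topology: every packet from the scanner follows `routers` in order
    to the destination network, where only the `live_hosts` answer."""

    def __init__(self, routers, live_hosts):
        self.routers, self.live_hosts = list(routers), set(live_hosts)

    def send_echo(self, dst: str, ttl: int) -> IcmpMessage:
        for router in self.routers:
            ttl -= 1                                          # each router decrements the TTL
            if ttl == 0:                                      # the one that reaches 0 discards the packet
                return IcmpMessage(TIME_EXCEEDED, TTL_EXCEEDED_IN_TRANSIT, router)
        if dst not in self.live_hosts:                        # the last router cannot deliver
            return IcmpMessage(DEST_UNREACHABLE, HOST_UNREACHABLE, self.routers[-1])
        return IcmpMessage(ECHO_REPLY, 0, dst)                # a live target answers itself


def traceroute(net: Internet, dst: str, max_hops: int = 30):
    """Figure 3-19: TTL 1, 2, 3, ... until something other than Time Exceeded comes back.
    Each reply's source address is one router deeper into the network."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = net.send_echo(dst, ttl)
        hops.append((ttl, reply.src, reply.type))
        if reply.type != TIME_EXCEEDED:
            break
    return hops


def ping_sweep(net: Internet, candidates):
    """Hosts that answer Echo with Echo Reply are live and therefore potential targets."""
    return [h for h in candidates if net.send_echo(h, 64).type == ECHO_REPLY]


def border_ingress_allows(msg: IcmpMessage) -> bool:
    """The ingress policy from the chapter summary: let only Echo Reply in from outside."""
    return msg.type == ECHO_REPLY
```

The test shows the point the slides make about error advisements: even for a host that does not exist, the last router answers with Destination Unreachable from its own address, so the scan still learns one live address, and the traceroute of a dead host ends on that router rather than on the target.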

Figure 3-31: Internet Control Message Protocol (ICMP)
- Control Codes
  - Redirect (Type 5, multiple codes)
    - Tells a host or router to send packets a different way than it has been
    - Attackers can disrupt network operations, for example by sending packets down black holes
- Many Other ICMP Messages

Topics Covered
- Network Elements
  - Client and server stations
  - Applications
  - Trunk lines and access lines
  - Switches and routers
  - Messages (frames)

Topics Covered
- Messages (frames) may have headers, data fields, and trailers
  - Headers have source and destination address fields
  - Switches forward (switch) frames based on the value in the destination address field
  - Based on that field value, the switch sends the frame out a different port than the one on which it arrived

Topics Covered
- Internets
  - A group of networks connected by routers
  - The Internet is a global internet
    - Organizations connect via ISPs
  - Internet messages are called packets
    - The path of a packet is its route
  - Packets travel within frames in networks
    - If the route goes through four networks, there will be one packet and four frames

Topics Covered
- TCP/IP Standards
  - Dominate the Internet
  - Created by the Internet Engineering Task Force (IETF)
  - Documents are called requests for comments (RFCs)
- OSI Standards
  - Dominate for single networks
  - Physical and data link layers

Topics Covered
[Figure 3-3 architecture table repeated: TCP/IP (Application, Transport, Internet, Subnet Access), OSI (Application, Presentation, Session, Transport, Network, Data Link, Physical) and Hybrid TCP/IP-OSI (Application, Transport, Internet, Data Link, Physical); OSI standards are used at the data link and physical layers]

Topics Covered
- Internetworking Layers
  - Internet layer
    - Internet Protocol (IP)
    - Governs packet organization
    - Governs hop-by-hop router forwarding (routing)
  - Transport layer
    - Governs the end-to-end connection between the two hosts
    - TCP adds reliability, flow control, etc.
    - UDP is simpler and offers no reliability, etc.

Topics Covered
- Application Layer Standards
  - Govern interaction between two application programs
  - Usually a message formatting standard and a message transfer standard
    - HTML / HTTP in WWW
    - RFC 2822 / SMTP in e-mail

Topics Covered
- IP Packet
  - Version 4
    - 32-bit source and destination addresses
    - Time to live (TTL)
    - Header checksum
    - Protocol (type of message in the data field)
    - Data field
  - Version 6
    - 128-bit addresses to allow more addresses

Topics Covered
- IP Packet
  - Version 4
    - Option fields may be used, but are more likely to be used by hackers than legitimately
    - A packet may be fragmented; this too is done mainly by attackers
    - Data field

Topics Covered
- Vertical Communication on the Source Host
  - One layer (Layer N) creates a message
  - Passes the message down to the next-lower layer (Layer N-1)
  - The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 message
  - Layer N-1 passes the Layer N-1 message down to Layer N-2

Topics Covered
- The Process is Reversed on the Destination Host
  - Decapsulation occurs at each layer
- Vertical Processes on a Router
  - The router first receives, then sends
  - So the router first decapsulates, then encapsulates
  - There is one internet layer process on each router

Topics Covered
- Firewalls Only Need to Look at Internet, Transport, and Application Messages
  - The attacker cannot manipulate the frame going from the ISP to the organization

Topics Covered
- IP
  - Connectionless and unreliable
  - Hierarchical IP addresses
    - Network part
    - Subnet part
    - Host part
    - Part lengths vary

Topics Covered
- IP
  - Masks
    - You cannot tell by looking at an IP address what its network or subnet parts are
    - The network mask has 1s in the network part, followed by all zeros
    - The subnet mask has 1s in the network and subnet parts, followed by all zeros

Topics Covered
- IP address spoofing
  - Change the source IP address
  - To conceal the identity of the attacker
  - To have the victim think the packet comes from a trusted host
  - LAND attack

Topics Covered
- TCP Messages
  - Called TCP segments
  - Flags field for SYN, ACK, FIN, RST
  - 3-way handshake with SYN to open
  - Each segment that is received correctly is ACKed
    - This provides reliability

Topics Covered
- TCP Messages
  - Normally, FIN is used in a four-way close
  - RST can create a single-message close
  - Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address

Topics Covered
- Port Numbers
  - Used in both TCP and UDP
  - 16-bit source and destination port numbers
  - Clients use ephemeral port numbers
    - Randomly generated by the client
    - 49152-65535
  - Major applications on servers use well-known port numbers
    - 0 to 1023

Topics Covered
- ICMP
  - For supervisory messages at the internet layer
  - ICMP messages are encapsulated in the data fields of IP packets
  - Type and code designate the contents of the ICMP message
  - Attackers use ICMP messages in scanning
    - Replies tell them which IP addresses are live

Topics Covered
- ICMP
  - Echo (Type 8, no code) asks the target host if it is operational and available
    - Echo Reply (Type 0, no code): the target host responds to the echo sender
    - The ping program implements Echo and Echo Reply, like a submarine pinging a target
  - ICMP error messages of several types
  - Allow only ICMP echo replies in border router ingress filtering