Review of TCP/IP Internetworking (Chapter 3)
Panko, Corporate Computer and Network Security, Copyright 2004 Prentice-Hall

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
Figure elements: Server Host, Client Host, Mobile Client Host, Switch, Access Link, Trunk Link, Frame, Path
Frame Organization
Message structure of a frame: Header (Other Header Fields, Destination Address Field) | Data Field | Trailer

Switching Decision
Switch receives a frame and sends it back out based on the destination address field.
Figure elements: Switch with ports 1-6; Stations A, B, C, D; Frame with Station C in the destination address field
Figure 3-1: An Internet
Multiple Networks: An internet is two or more individual switched networks connected by routers.
Path of a packet is its route.
Figure elements: Switched Network 1, Switched Network 2, Switched Network 3 (each a single network); Routers; Route
The global Internet has thousands of networks.

Figure 3-6: Frames and Packets
Figure elements: Webserver; Frame 1 carrying packet in Network 1; Router A; Frame 2 carrying packet in Network 2; Router B; Frame 3 carrying packet in Network 3; Client PC with browser; Switch; Packet; Route; Network Software
Frames and Packets
Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport.
Figure elements: Shipper, Truck, Airport, Airplane, Airport, Truck, Receiver; Same Shipment

Figure 3-2: TCP/IP Standards (Study Figure)
Origins
- Defense Advanced Research Projects Agency (DARPA) created the ARPANET
- An internet connects multiple individual networks
- Global Internet is capitalized
- Internet Engineering Task Force (IETF)
  - Most IETF documents are requests for comments (RFCs)
  - Internet Official Protocol Standards: List of RFCs that are official standards
Figure 3-2: TCP/IP Standards (Study Figure)
Hybrid TCP/IP-OSI Architecture (Figure 3-3)
- Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2

OSI Layers
- Physical (Layer 1): defines electrical signaling and media between adjacent devices
- Data link (Layer 2): control of a frame through a single network, across multiple switches
Figure elements: Switched Network 1, Physical Link, Frame

Figure 3-3: TCP/IP and OSI Architectures
TCP/IP                                | OSI          | Hybrid TCP/IP-OSI
Application                           | Application  | Application
                                      | Presentation |
                                      | Session      |
Transport                             | Transport    | Transport
Internet                              | Network      | Internet
Subnet Access: Use OSI Standards Here | Data Link    | Data Link
                                      | Physical     | Physical
Figure 3-2: TCP/IP Standards (Study Figure)
Internet Layer
- Governs the transmission of a packet across an entire internet. Path of the packet is its route
Figure elements: Switched Network 1, 2, 3; Router; Route; Packet

Frames and Packets
- Frames are messages at the data link layer
- Packets are messages at the internet layer
- Packets are carried (encapsulated) in frames
- There is only a single packet that is delivered from source to destination host
- This packet is carried in a separate frame in each network
Figure 3-2: TCP/IP Standards (Study Figure)
Transport Layer
- Purposes
  - Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
  - Transport layer is end-to-end (host-to-host) protocol involving only the two hosts

Figure 3-7: Internet and Transport Layers
Transport Layer: End-to-End (Host-to-Host). TCP is Connection-Oriented, Reliable; UDP is Connectionless, Unreliable
Internet Layer (Usually IP): Hop-by-Hop (Host-Router or Router-Router). Connectionless, Unreliable
Figure elements: Client PC, Router 1, Router 2, Router 3, Server
Figure 3-2: TCP/IP Standards (Study Figure)
Internet and Transport Layers
- Internet Protocol (IP)
  - IP at the internet layer is unreliable: it does not correct errors in each hop between routers
  - This is good: reduces the work each router along the route must do

Transport Layer Standards
- Transmission Control Protocol (TCP)
  - Reliable and connection-oriented service at the transport layer
  - Corrects errors
- User Datagram Protocol (UDP)
  - Unreliable and connectionless service at the transport layer
  - Lightweight protocol good when catching errors is not important
Figure 3-2: TCP/IP Standards (Study Figure)
Application Layer
- To govern communication between application programs, which may be written by different vendors
- Document transfer versus document format standards
  - HTTP / HTML for WWW service
  - SMTP / RFC 822 (or RFC 2822) in e-mail
- Many application standards exist because there are many applications

Figure 3-8: HTML and HTTP at the Application Layer
Client PC with Browser (123.34.150.37) <-- HTTP Requests and Responses --> Webserver (60.168.47.47)
Hypertext Transfer Protocol (HTTP); Hypertext Markup Language (HTML) Document or Other File (jpeg, etc.)
Figure 3-3: TCP/IP and OSI Architectures: Recap
Three-column layer table: TCP/IP (Application, Transport, Internet, Subnet Access: Use OSI Standards Here) | OSI (Application, Presentation, Session, Transport, Network, Data Link, Physical) | Hybrid TCP/IP-OSI (Application, Transport, Internet, Data Link, Physical)
Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

Figure 3-5: IP Packet (IP Version 4 Packet, Bit 0 to Bit 31)
Version (4 bits) = 0100 | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time to Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
Figure 3-5: IP Packet
Version
- Has value of four (0100)
Time to Live (TTL)
- Prevents the endless circulation of mis-addressed packets
- Value is set by sender
- Decremented by one by each router along the way
- If reaches zero, router throws packet away

Protocol Field
- Identifies contents of data field
  - 1 = ICMP
  - 6 = TCP
  - 17 = UDP
Figure: IP Header (Protocol=1)  | IP Data Field: ICMP Message
        IP Header (Protocol=6)  | IP Data Field: TCP Segment
        IP Header (Protocol=17) | IP Data Field: UDP Datagram
Figure 3-5: IP Packet
- Header checksum to check for errors in the header only
  - Faster than checking the whole packet
  - Stops bad headers from causing problems
  - IP Version 6 drops even this checking
- Address Fields
  - 32 bits long, of course
- Options field(s) give optional parameters
- Data field contains the payload of the packet.

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Application Process: HTTP Message
  Encapsulation of HTTP message in data field of a TCP segment
Transport Process: TCP Hdr | HTTP Message
  Encapsulation of TCP segment in data field of an IP packet
Internet Process: IP Hdr | TCP Hdr | HTTP Message
Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Internet Process: IP Hdr | TCP Hdr | HTTP Message
  Encapsulation of IP packet in data field of a frame
Data Link Process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
Physical Process: Converts bits of frame into signals

Note: The following is the final frame for supervisory TCP segments:
DL Hdr | IP Hdr | TCP Hdr | DL Trlr
Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
Application Process: HTTP Message
  Decapsulation of HTTP message from data field of a TCP segment
Transport Process: TCP Hdr | HTTP Message
  Decapsulation of TCP segment from data field of an IP packet
Internet Process: IP Hdr | TCP Hdr | HTTP Message
  Decapsulation of IP packet from data field of a frame
Data Link Process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
Physical Process: Converts signals into the bits of the frame
Figure 3-11: Vertical Communication on Router R1
Router R1 has one Internet Layer Process; Ports 1, 2, 3 and 4 each have their own DL and PHY processes.
A. Router R1 receives frame from Switch X2 in Port 1.
   Port 1 DL process decapsulates packet.
   Port 1 DL process passes packet to internet process.
B. Internet process sends packet out on Port 4.
   DL process on Port 4 encapsulates packet in a PPP frame.
   DL process passes frame to Port 4 PHY.
Figure elements: Switch X2, Router 2
Figure 3-12: Site Connection to an ISP
1. Site Network (behind the Border Firewall)
2. Packet Carried in Site Frame Between Site and ISP Router
3. Carrier Frame (Difficult to Attack)
4. Packet Carried in ISP Frame (Frame for This Data Link); ISP; Internet Backbone
5. Normally, Only the Arriving Packet is Dangerous, Not the Frame Fields

Figure 3-13: Internet Protocol (IP)
Basic Characteristics
- There were already single networks, and many more would come in the future
- Developers needed to make a few assumptions about underlying networks
- So they kept IP simple
Figure 3-13: Internet Protocol (IP)
Connection-Oriented Service and Connectionless Service
- Connection-oriented services have distinct starts and closes (telephone calls)
- Connectionless services merely send messages (postal letters)
- IP is connectionless

Figure: IP Packet sent from the PC Internet Process to the First Router Internet Process
Connectionless: Packets Sent in Isolation, Like Postal Letters
Unreliable: No Error Correction; Discarded by Receiver if Error is Detected; Leaves Error Correction to Transport Layer; Reduces the Cost of Routers
Figure 3-13: Internet Protocol (IP) (Study Figure)
IP is Unreliable (Checks for Errors but does not Correct Errors)
- Not doing error correction at each hop between switches reduces switch work and so switch cost
- Does not even guarantee packets will arrive in order

Hierarchical IP Addresses (Figure 3-14)
- Postal addresses are hierarchical (state, city, postal zone, specific address)
  - Most post offices have to look only at state and city
  - Only the final post offices have to be concerned with specific addresses
Figure 3-15: Hierarchical IP Address
Network Part (not always 16 bits) | Subnet Part (not always 8 bits) | Host Part (not always 8 bits)
Total always is 32 bits.
Example 128.171.17.13: The Internet -> UH Network (128.171) -> CBA Subnet (17) -> Host 13

Figure 3-13: Internet Protocol (IP) (Study Figure)
Hierarchical IP Addresses
- 32-bit IP addresses are hierarchical (Figure 3-15)
  - Network part tells what network host is on
  - Subnet part tells what subnet host is on within the network
  - Host part specifies the host on its subnet
- Routers have to look only at network or subnet parts, except for the router that delivers the packet to the destination host
Figure 3-13: Internet Protocol (IP) (Study Figure)
Hierarchical IP Addresses
- 32-bit IP addresses are hierarchical
  - Total is 32 bits; part sizes vary
- Network mask tells you the size of the network part (Figure 3-16)
- Subnet mask tells you the length of the network plus subnet parts combined
- Masking gives IP address bit where the mask value is 1; 0 where the mask bit is 0

Figure 3-16: IP Address Masking with Network and Subnet Masks
                | Network Masking                    | Subnet Masking
Mask Represents | Tells the size of the network part | Tells the size of the network and the subnet parts combined
Eight ones give the 255 decimal value; eight zeros give the 0 decimal value.
Masking gives IP address bit where the mask value is 1; 0 where the mask bit is 0.
Figure 3-16: IP Address Masking with Network and Subnet Masks
Example 1  | Network Masking                | Subnet Masking
IP Address | 128.171.17.13                  | 128.171.17.13
Mask       | 255.255.0.0                    | 255.255.255.0
Result     | 128.171.0.0                    | 128.171.17.0
Meaning    | 16-bit network part is 128.171 | Combined 24-bit network plus subnet part are 128.171.17

Example 2  | Network Masking                | Subnet Masking
IP Address | 60.47.123.7                    | 60.47.123.7
Mask       | 255.0.0.0                      | 255.255.0.0
Result     | 60.0.0.0                       | 60.47.0.0
Meaning    | 8-bit network part is 60       | Combined 16-bit network plus subnet parts are 60.47

Figure 3-17: IP Address Spoofing
1. Trust Relationship between Trusted Server (60.168.4.6) and Victim Server (60.168.47.47)
2. Attack Packet from Attacker's Client PC (1.34.150.37) with Spoofed Source IP Address 60.168.4.6
3. Server Accepts Attack Packet
Attacker's Identity is Not Revealed
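The masking arithmetic of Figures 3-15 and 3-16, worked in code. This is an added example, not code from the slides or the textbook; it reproduces the two examples above and generalizes them to any contiguous mask, and the same-subnet check at the end is the comparison a router makes before it needs the host part.

```python
"""Network and subnet masking as in Figure 3-16 (added example, not from the slides)."""
import ipaddress


def mask_bits(mask: str) -> int:
    """Count the leading 1 bits of a dotted-decimal mask (eight ones -> 255, eight zeros -> 0)."""
    value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    # A valid mask is a run of ones followed by all zeros; reject anything else.
    if value != ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous mask")
    return bits


def apply_mask(ip: str, mask: str) -> str:
    """Keep each address bit where the mask bit is 1; force 0 where the mask bit is 0."""
    result = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(result))


def split_address(ip: str, network_mask: str, subnet_mask: str) -> dict:
    """Network, subnet and host parts of ip given both masks; part sizes vary, the total is 32 bits."""
    n_bits = mask_bits(network_mask)
    ns_bits = mask_bits(subnet_mask)          # network plus subnet bits combined
    if ns_bits < n_bits:
        raise ValueError("subnet mask must cover at least the network part")
    addr = int(ipaddress.IPv4Address(ip))
    return {
        "network_bits": n_bits,
        "subnet_bits": ns_bits - n_bits,
        "host_bits": 32 - ns_bits,
        "network_part": addr >> (32 - n_bits),
        "subnet_part": (addr >> (32 - ns_bits)) & ((1 << (ns_bits - n_bits)) - 1),
        "host_part": addr & ((1 << (32 - ns_bits)) - 1),
        "network_prefix": apply_mask(ip, network_mask),
        "subnet_prefix": apply_mask(ip, subnet_mask),
    }


def same_subnet(ip_a: str, ip_b: str, subnet_mask: str) -> bool:
    """Routers compare masked prefixes only; the host part matters only to the delivering router."""
    return apply_mask(ip_a, subnet_mask) == apply_mask(ip_b, subnet_mask)


if __name__ == "__main__":
    for ip, nmask, smask in [("128.171.17.13", "255.255.0.0", "255.255.255.0"),
                             ("60.47.123.7", "255.0.0.0", "255.255.0.0")]:
        print(ip, split_address(ip, nmask, smask))
```

The contiguity check in mask_bits is the practical caveat: a mask such as 255.0.255.0 has the right number of ones but does not describe a network part, and a filter that accepted it would compute a meaningless prefix.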
Figure 3-13: Internet Protocol (IP) (Study Figure)
IP Addresses and Security
- IP address spoofing: Sending a message with a false IP address (Figure 3-17)
  - Gives sender anonymity so that attacker cannot be identified
  - Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts
- LAND attack: send victim a packet with victim's IP address in both source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers, crashed when they received such a packet.
Figure 3-18: LAND Attack Based on IP Address Spoofing
Attacker (1.34.150.37) sends Victim (60.168.47.47, Port 23 Open) a packet reading From: 60.168.47.47:23, To: 60.168.47.47:23. Victim crashes.
Source and Destination IP Addresses are the Same
Source and Destination Port Numbers are the Same

Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Protocol field: Identifies content of IP data field
  - Firewalls need this information to know how to process the packet
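Two checks a border firewall can apply to the cases in Figures 3-17 and 3-18, written as an added example (not the book's code). The LAND check needs no state at all; the spoofing check is the ingress/egress rule: a packet arriving from the ISP must not carry a source address that belongs to the site, and a packet leaving the site must. The site prefix 60.168.0.0/16 is an assumption chosen to contain the figure's addresses.

```python
"""Border-filter checks for the spoofing cases in Figures 3-17 and 3-18 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PacketSummary:
    """The header fields the checks need, extracted from the packet by the caller."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    arrived_on: str   # "external" (from the ISP link) or "internal" (from the site)


def is_land_packet(p: PacketSummary) -> bool:
    """LAND: source and destination IP addresses are the same, and so are the port numbers."""
    return p.src_ip == p.dst_ip and p.src_port == p.dst_port


def is_spoofed_source(p: PacketSummary, site_prefixes: List[ipaddress.IPv4Network]) -> bool:
    """Ingress rule: outside packets must not claim inside sources.
    Egress rule: inside packets must carry an inside source (stops the site spoofing others)."""
    src = ipaddress.IPv4Address(p.src_ip)
    inside = any(src in net for net in site_prefixes)
    if p.arrived_on == "external":
        return inside
    return not inside


def filter_verdict(p: PacketSummary, site_prefixes: List[ipaddress.IPv4Network]) -> str:
    if is_land_packet(p):
        return "drop: LAND (source equals destination address and port)"
    if is_spoofed_source(p, site_prefixes):
        return f"drop: spoofed source address on {p.arrived_on} interface"
    return "accept"


# Constructed site prefix (assumption): the victim network of Figures 3-17 and 3-18
SITE = [ipaddress.IPv4Network("60.168.0.0/16")]

if __name__ == "__main__":
    samples = [
        PacketSummary("60.168.47.47", "60.168.47.47", 23, 23, "external"),   # Figure 3-18
        PacketSummary("60.168.4.6", "60.168.47.47", 40000, 23, "external"),  # Figure 3-17
        PacketSummary("1.34.150.37", "60.168.47.47", 40000, 80, "external"), # ordinary client
        PacketSummary("60.168.4.6", "1.34.150.37", 80, 40000, "internal"),   # ordinary reply
    ]
    for s in samples:
        print(s.src_ip, "->", s.dst_ip, filter_verdict(s, SITE))
```

Note what the ingress rule does and does not buy: it stops an outsider from impersonating the trusted server of Figure 3-17, but it cannot tell one outside address from another, so spoofing between two outside hosts is invisible to this filter.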
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Time-to-Live field
  - Each router decrements the TTL value by one
  - Router decrementing TTL field to zero discards the packet
  - Traceroute uses TTL to map the route to a host (Figure 3-19)
    - Tracert on Windows machines
- Time-to-Live field
  - Router also sends an error advisement message to the sender
  - The packet containing this message reveals the sender's IP address to the attacker
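A small simulation that ties together the encapsulation figures (3-6, 3-9 to 3-11) and the TTL slides above: one packet crosses three networks inside three different frames, each router decapsulates, decrements TTL and re-encapsulates, and a traceroute emerges from sending packets with TTL 1, 2, 3 and reading the source address of each Time Exceeded advisement. This is an added example, not the book's code; the two-router topology, the addresses and the link names are constructed for illustration.

```python
"""One packet, one frame per network, TTL handling, and a TTL-based traceroute (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Internet-layer message: the one object that travels end to end."""
    src: str
    dst: str
    ttl: int
    protocol: str   # "ICMP" or "TCP" in this illustration
    data: str


@dataclass
class Frame:
    """Data-link message: lives inside one network only; its data field is the packet."""
    network: str
    src_link: str
    dst_link: str
    packet: Packet


@dataclass
class Router:
    name: str
    ip: str              # address the router uses as source of its Time Exceeded advisement
    in_link: str         # DL address of the port the frame arrives on
    out_link: str        # DL address of the port the packet leaves on
    out_network: str
    next_hop_link: str


# Constructed topology (assumption, not from the slides): PC -net1-> R1 -net2-> R2 -net3-> server
PC, SERVER = "10.0.1.5", "10.0.3.80"
ROUTERS = [Router("R1", "10.0.1.1", "R1-port1", "R1-port4", "net2", "R2-port1"),
           Router("R2", "10.0.2.1", "R2-port1", "R2-port2", "net3", "server-nic")]


def send(packet: Packet) -> Tuple[List[Frame], Optional[Packet]]:
    """Carry packet from PC toward SERVER; return the frames used and any reply packet."""
    frames = [Frame("net1", "pc-nic", ROUTERS[0].in_link, packet)]   # source host encapsulates
    for r in ROUTERS:
        pkt = frames[-1].packet                      # port DL process decapsulates the packet
        pkt = replace(pkt, ttl=pkt.ttl - 1)          # internet process decrements TTL
        if pkt.ttl == 0:                             # discard it and advise the sender
            return frames, Packet(r.ip, pkt.src, 64, "ICMP", "Time Exceeded (type 11)")
        frames.append(Frame(r.out_network, r.out_link, r.next_hop_link, pkt))  # new frame per network
    delivered = frames[-1].packet
    if delivered.protocol == "ICMP" and delivered.data == "Echo (type 8)":
        return frames, Packet(SERVER, delivered.src, 64, "ICMP", "Echo Reply (type 0)")
    return frames, None


def traceroute(max_hops: int = 8) -> List[str]:
    """TTL 1, 2, 3, ...: each Time Exceeded names one router; the Echo Reply names the target."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        _, reply = send(Packet(PC, SERVER, ttl, "ICMP", "Echo (type 8)"))
        hops.append(reply.src)
        if reply.data.startswith("Echo Reply"):
            break
    return hops


if __name__ == "__main__":
    used, _ = send(Packet(PC, SERVER, 64, "TCP", "GET / HTTP/1.1"))
    print("one packet,", len(used), "frames:", [f.network for f in used])
    print("traceroute:", traceroute())
```

The frame list is the point of Figure 3-6: the packet object is the same from end to end (only its TTL changes), while every network gets its own frame. The traceroute function is also why the slides treat Time Exceeded as information leakage: every router that advises the sender names itself in the advisement's source address.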
Figure 3-19: Tracert Program in Windows (screenshot not reproduced)

Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Header Length field and Options
  - With no options, Header Length is 5
    - Expressed in units of 32 bits
    - So, 20 bytes
  - Many options are dangerous
    - So if Header Length is More Than 5, be Suspicious
    - Some firms drop all packets with options
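Parsing the IPv4 header of Figure 3-5 and applying the checks from the slides on the Version, Protocol, Header Checksum and Header Length fields. This is an added example, not the book's code: the sample packets are constructed with the addresses the figures use, the header builder exists only so the parser has input, and the warning strings are this example's own.

```python
"""Parse and sanity-check an IPv4 header as laid out in Figure 3-5 (added example)."""
import socket
import struct
from typing import List

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def header_checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words over the header only."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0, options: bytes = b"") -> bytes:
    """Header Length counts 32-bit units: 5 means 20 bytes, anything more means options."""
    options += b"\0" * (-len(options) % 4)          # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total_length = ihl * 4 + payload_len
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length, ident, 0,
                       ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return head[:10] + struct.pack("!H", header_checksum(head)) + head[12:]


def parse_ipv4_header(data: bytes) -> dict:
    (vi, _dscp, total_length, ident, flags_frag, ttl, proto, _chk,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = vi & 0x0F
    return {"version": vi >> 4, "header_length": ihl, "header_bytes": ihl * 4,
            "total_length": total_length, "identification": ident,
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,     # field is in 8-byte units
            "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
            # Summing the whole header, checksum field included, gives 0 when it is intact.
            "checksum_ok": header_checksum(data[:ihl * 4]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "options": data[20:ihl * 4]}


def header_warnings(h: dict) -> List[str]:
    """The checks the slides suggest before a firewall looks any deeper."""
    w: List[str] = []
    if h["version"] != 4:
        w.append("version is not 4")
    if not h["checksum_ok"]:
        w.append("header checksum mismatch")
    if h["header_length"] > 5:
        w.append("header length > 5: options present, treat as suspicious")
    if h["header_length"] < 5:
        w.append("header length < 5: impossible header")
    if h["total_length"] < h["header_bytes"]:
        w.append("total length shorter than header")
    return w


if __name__ == "__main__":
    # Constructed sample: a TCP packet with no options from the attacker address of Figure 3-18
    hdr = build_ipv4_header("1.34.150.37", "60.168.47.47", 6, 20)
    parsed = parse_ipv4_header(hdr)
    print(parsed["src"], "->", parsed["dst"], parsed["protocol"], "warnings:", header_warnings(parsed))
```

The checksum covers the header only, as the slide says, so a parser that trusts it still has to check Total Length against the bytes it actually received; the Ping-of-Death slide that follows is the case where the header is valid and the data field is not.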
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Length Field
  - Gives length of entire packet
  - Maximum is 65,536 bytes
  - Ping-of-Death attack sent IP packets with longer data fields
    - Many systems crashed

Figure 3-20: Ping-of-Death Attack
Attacker (1.34.150.37) sends Victim (60.168.47.47) an IP Packet Containing an ICMP Echo Message That is Illegally Long. Victim crashes.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Fragmentation
  - Routers may fragment IP packets (really, packet data fields) en route
    - All fragments have same Identification field value
    - Fragment offset values allow fragments to be ordered
    - More fragments is 0 in the last fragment
- Fragmentation
  - Harms packet inspection: TCP header, etc. only in first packet in series
    - Cannot filter on TCP header, etc. in subsequent packets
Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
1. Fragmented IP Packet (from Attacker 1.34.150.37 toward 60.168.47.47)
2. First Fragment: IP Header | TCP Header | Data Field
2. Second Fragment: IP Header | Data Field
3. TCP Header Only in First Fragment
4. No TCP Header
5. Firewall Can Only Filter TCP Header in First Fragment

Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields
- Fragmentation
  - Teardrop attack: Crafted fragmented packet does not make sense when reassembled
  - Some firewalls drop all fragmented packets, which are rare today
Figure 3-21: Teardrop Denial-of-Service Attack
Attacker (1.34.150.37) sends Victim (60.168.47.47) an attack that pretends to be a fragmented IP packet. When reassembled, the "packet" does not make sense: the "defragmented" IP packet has gaps and overlaps. Victim crashes.

Figure 3-24: IP Packet with a TCP Segment Data Field (Bit 0 to Bit 31)
IP Header (Usually 20 Bytes)
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
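The reassembly checks behind the fragmentation slides and Figures 3-21 and 3-22, as an added example (not the book's code). A fragment series is sane when every fragment shares one Identification value, the offsets tile the data field with no gap and no overlap, and exactly the last fragment has More Fragments clear; the Teardrop shape fails the overlap test. The fragment records below are constructed, and offsets are kept in bytes for readability (the real header field counts 8-byte units).

```python
"""Reassembly sanity checks for fragmented IP packets (added example, constructed fragments)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    identification: int            # identical in all fragments of one original packet
    offset: int                    # byte offset of this fragment's data in the original data field
    length: int                    # bytes of data carried by this fragment
    more_fragments: bool           # False only in the last fragment
    carries_tcp_header: bool = False   # in practice true only for the fragment at offset 0


def check_fragment_series(frags: List[Fragment]) -> List[str]:
    """Problems a reassembling firewall would flag; an empty list means the series is sane."""
    problems: List[str] = []
    if not frags:
        return ["no fragments"]
    if len({f.identification for f in frags}) != 1:
        problems.append("mixed identification values")
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        problems.append("first fragment missing (no fragment at offset 0)")
    expected = 0
    for f in ordered:
        if f.offset > expected:
            problems.append(f"gap before offset {f.offset}")
        elif f.offset < expected:
            problems.append(f"overlap at offset {f.offset}")     # the Teardrop shape
        expected = max(expected, f.offset + f.length)
    if [f for f in ordered if not f.more_fragments] != [ordered[-1]]:
        problems.append("more-fragments must be 0 exactly once, in the last fragment")
    if expected > 65535:
        problems.append("reassembled size exceeds the 16-bit total length field")
    return problems


def filterable_fragments(frags: List[Fragment]) -> List[Fragment]:
    """Only a fragment at offset 0 can hold the TCP header a filter needs (Figure 3-22)."""
    return [f for f in frags if f.offset == 0 and f.carries_tcp_header]


if __name__ == "__main__":
    # Constructed: a normal three-fragment series and a two-fragment overlap
    normal = [Fragment(7, 0, 1480, True, True), Fragment(7, 1480, 1480, True), Fragment(7, 2960, 500, False)]
    overlap = [Fragment(9, 0, 100, True, True), Fragment(9, 60, 100, False)]
    print("normal:", check_fragment_series(normal), "filterable:", len(filterable_fragments(normal)))
    print("overlap:", check_fragment_series(overlap))
```

A firewall that forwards fragments without reassembling them sees only the first fragment's TCP header, which is why the slide says some sites drop all fragments; a firewall that does reassemble has to apply exactly these checks before it trusts the result.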
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Reliable
- Receiving process sends ACK to sending process if segment is correctly received
- If sending process does not get ACK, resends the segment
Figure: PC Transport Process sends TCP Segment to Webserver Transport Process; Webserver returns TCP Segment (ACK)

TCP Messages are TCP Segments
- Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
  - ACK bit is set (1) in acknowledgement segments
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Connections: Opens and Closes
- Formal open and close
  - Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
  - Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
  - Abrupt close: RST (Figure 3-26)

Figure 3-25: Communication During a TCP Session
PC Transport Process and Webserver Transport Process
3-Way Open:
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
Figure 3-25: Communication During a TCP Session
Open (3 messages) and Carry HTTP Request & Response (4 messages):
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)

Error Handling (carrying HTTP Request & Response):
8. Data = HTTP Request (Error)
9. Data = HTTP Request (No ACK so Retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)
Figure 3-25: Communication During a TCP Session
Normal Four-Way Close (4 messages):
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough

Abrupt Close (1 message):
RST
Either side can send a Reset (RST) segment at any time; it ends the session immediately
Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)
Attacker (1.34.150.37) and Victim (60.168.47.47)
1. Probe: SYN/ACK Segment sent to 60.168.47.47
2. No Connection: Makes No Sense!
3. Go Away! RST Segment
4. Source IP Addr = 60.168.47.47 in the IP header carrying the RST segment
5. 60.168.47.47 is Live!

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Sequence and Acknowledgement Number
- Sequence numbers identify segment's place in the sequence
- Acknowledgement number identifies which segment is being acknowledged
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
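The TCP material above in running code, as an added example that is not the book's: a parser for the fixed 20-byte header of Figure 3-24 (Header Length is the high nibble of byte 12, the six flags are the low bits of byte 13), and a small connection tracker, of the kind a host or stateful firewall keeps, replayed over the sixteen steps of Figure 3-25. The same tracker recognizes the probe of Figure 3-26: a SYN/ACK arriving when no SYN of ours is outstanding. The segment list is constructed to match the figure; flag bit values and the state names are standard TCP.

```python
"""TCP header fields, flags, and connection-state tracking (added example; constructed segments)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Bits of the 6-bit flags field, high to low: URG ACK PSH RST SYN FIN
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = {"URG": URG, "ACK": ACK, "PSH": PSH, "RST": RST, "SYN": SYN, "FIN": FIN}


def decode_flags(flags: int) -> set:
    return {name for name, bit in FLAG_NAMES.items() if flags & bit}


def parse_tcp_header(data: bytes) -> dict:
    """Fixed 20-byte layout of Figure 3-24; header length is in 32-bit units."""
    src, dst, seq, ack, off_res, flags, window, checksum, urgent = struct.unpack("!HHIIBBHHH", data[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_length": off_res >> 4, "flags": decode_flags(flags & 0x3F),
            "window": window, "checksum": checksum, "urgent": urgent}


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    data_len: int = 0


class ConnectionTracker:
    """Stateful view of one client/server pair, the way a host or stateful firewall keeps it."""

    def __init__(self, client: str, server: str):
        self.client, self.server = client, server
        self.state = "CLOSED"
        self.fins_seen = 0
        self.events: List[str] = []

    def observe(self, s: Segment) -> str:
        f = decode_flags(s.flags)
        if "RST" in f:                                       # abrupt close: one message ends it
            self.state = "CLOSED"
            self.events.append(f"abrupt close (RST) from {s.src}")
        elif self.state == "CLOSED" and f == {"SYN"} and s.src == self.client:
            self.state = "SYN_SENT"                          # 1. SYN
        elif self.state == "SYN_SENT" and f == {"SYN", "ACK"} and s.src == self.server:
            self.state = "SYN_RECEIVED"                      # 2. SYN/ACK
        elif self.state == "SYN_RECEIVED" and "ACK" in f and s.src == self.client:
            self.state = "ESTABLISHED"                       # 3. ACK
            self.events.append("three-way open complete")
        elif self.state in ("ESTABLISHED", "CLOSING") and "FIN" in f:
            self.fins_seen += 1                              # 13. FIN and 15. FIN
            self.state = "CLOSING"
        elif self.state == "CLOSING" and "ACK" in f and self.fins_seen == 2:
            self.state = "CLOSED"                            # 16. ACK of the second FIN
            self.events.append("four-way close complete")
        elif {"SYN", "ACK"} <= f:
            # No SYN of ours is outstanding: the probe of Figure 3-26. A host that answers
            # with RST confirms it is live; a filter should log and drop instead.
            self.events.append(f"unsolicited SYN/ACK from {s.src}: probe, drop without RST")
        return self.state


def run_session(client: str, server: str, segments: List[Segment]) -> Tuple[str, List[str]]:
    tracker = ConnectionTracker(client, server)
    for seg in segments:
        tracker.observe(seg)
    return tracker.state, tracker.events


# Constructed replay of Figure 3-25, steps 1-16: open, HTTP exchange, retransmission, close
PC, WS = "pc", "webserver"
FIGURE_3_25 = [Segment(PC, WS, SYN), Segment(WS, PC, SYN | ACK), Segment(PC, WS, ACK),      # 1-3
               Segment(PC, WS, ACK | PSH, 300), Segment(WS, PC, ACK),                        # 4-5
               Segment(WS, PC, ACK | PSH, 1200), Segment(PC, WS, ACK),                       # 6-7
               Segment(PC, WS, ACK | PSH, 300), Segment(PC, WS, ACK | PSH, 300),             # 8-9 (resend)
               Segment(WS, PC, ACK), Segment(WS, PC, ACK | PSH, 1200), Segment(PC, WS, ACK), # 10-12
               Segment(PC, WS, FIN | ACK), Segment(WS, PC, ACK),                             # 13-14
               Segment(WS, PC, FIN | ACK), Segment(PC, WS, ACK)]                             # 15-16

if __name__ == "__main__":
    print(run_session(PC, WS, FIGURE_3_25))
```

Steps 8 and 9 carry the same request twice; the tracker does not care, which is the point of the figure: reliability is the sender's job, and a stateful filter only needs to know that the connection is established. Sequence and acknowledgement numbers are parsed but not tracked here; a production tracker also checks that each ACK covers data actually sent.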
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Number
- Port numbers identify applications
- Well-known ports (0-1023) used by applications that run as root (Figure 3-27)
  - HTTP=80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25

Port Number
- Registered ports (1024-49152) for any application
- Ephemeral/dynamic/private ports (49153-65535) used by client (16,383 possible)
- Not all operating systems use these port ranges, although all use well-known ports
Source Port Number (16 bits) | Destination Port Number (16 bits)
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Number
- Socket format is IP address:Port, for instance, 128.171.17.13:80
  - Designates a specific program on a specific machine
- Port spoofing (Figure 3-28)
  - Incorrect application uses a well-known port
  - Especially 80, which is often allowed through firewalls

Figure 3-27: Use of TCP and UDP Port Numbers
Client (60.171.18.22) to Webserver (60.171.17.13, Port 80): From: 60.171.18.22:50047  To: 60.171.17.13:80
SMTP Server (123.30.17.120, Port 25)
Figure 3-27: Use of TCP and UDP Port Numbers
Client (60.171.18.22) to Webserver (60.171.17.13, Port 80): From: 60.171.18.22:50047  To: 60.171.17.13:80
Webserver to Client: From: 60.171.17.13:80  To: 60.171.18.22:50047
Client to SMTP Server (123.30.17.120, Port 25): From: 60.171.18.22:60003  To: 123.30.17.120:25
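The port-number rules of Figure 3-27 in code, plus the check a firewall can make against the port spoofing of Figure 3-28: if a flow to a well-known port does not begin the way that service's protocol begins, the port is being used by some other application. This is an added example, not the book's code; the port ranges are the slides' own, the socket strings are those of the figure, and the protocol signatures (an HTTP request line, an SMTP HELO/EHLO, an FTP USER) are a deliberately crude heuristic applied to the client's first bytes.

```python
"""Port classes, socket notation, and a first-bytes port-spoofing check (added example)."""
from typing import Tuple

# The well-known ports the slides name
WELL_KNOWN = {80: "HTTP", 23: "Telnet", 21: "FTP control", 20: "FTP data", 25: "SMTP"}


def port_class(port: int) -> str:
    """Ranges as given on the slides: well-known, registered, ephemeral."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49152:
        return "registered"
    return "ephemeral"


def parse_socket(text: str) -> Tuple[str, int]:
    """'128.171.17.13:80' -> ('128.171.17.13', 80): one program on one machine."""
    ip, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"not a socket: {text!r}")
    return ip, int(port)


def looks_like_protocol(port: int, client_first_bytes: bytes) -> bool:
    """Heuristic: does the client's opening data match what the well-known service expects?"""
    head = client_first_bytes[:16]
    if port == 80:
        return any(head.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS "))
    if port == 25:
        return head[:4].upper() in (b"HELO", b"EHLO")
    if port == 21:
        return head[:4].upper() in (b"USER", b"AUTH")
    return True   # no signature for this port; nothing to contradict


def classify_flow(src_sock: str, dst_sock: str, client_first_bytes: bytes) -> dict:
    src_ip, src_port = parse_socket(src_sock)
    dst_ip, dst_port = parse_socket(dst_sock)
    return {
        "client": src_ip, "server": dst_ip,
        "client_port_class": port_class(src_port),
        "service": WELL_KNOWN.get(dst_port, "unknown"),
        "possible_port_spoofing": dst_port in WELL_KNOWN
        and not looks_like_protocol(dst_port, client_first_bytes),
    }


if __name__ == "__main__":
    # Constructed payloads on the figure's sockets
    print(classify_flow("60.171.18.22:50047", "60.171.17.13:80", b"GET / HTTP/1.1\r\n"))
    print(classify_flow("60.171.18.22:60003", "123.30.17.120:25", b"EHLO pc.example\r\n"))
    print(classify_flow("60.171.18.22:50050", "60.171.17.13:80", b"\x00\x01tunnel"))
```

The heuristic is only as good as its signatures, which is why the slides call port 80 the usual choice for port spoofing: an application that wraps its traffic in genuine HTTP requests passes this check, and only an application-layer inspection of the requests themselves would catch it.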
Figure 3-27: Use of TCP and UDP Port Numbers
Client (60.171.18.22) uses different ephemeral ports for different connections:
From: 60.171.18.22:50047  To: 60.171.17.13:80 (Webserver, Port 80)
From: 60.171.18.22:60003  To: 123.30.17.120:25 (SMTP Server, Port 25)

Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
UDP Datagrams are Simple (Figure 3-30)
- Source and destination port numbers (16 bits each)
- UDP length (16 bits)
- UDP checksum (16 bits)
Figure 3-30: IP Packet with a UDP Datagram (Bit 0 to Bit 31)
IP Header (Usually 20 Bytes)
Source Port Number (16 bits) | Destination Port Number (16 bits)
UDP Length (16 bits) | UDP Checksum (16 bits)
Data Field
Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
- Port Spoofing Still Possible
- UDP Datagram Insertion
  - Insert UDP datagram into an ongoing dialog stream
  - Hard to detect because no sequence numbers in UDP

Figure 3-33: Internet Control Message Protocol (ICMP)
ICMP is for Supervisory Messages at the Internet Layer
- ICMP and IP
  - An ICMP message is delivered (encapsulated) in the data field of an IP packet
- Types and Codes (Figure 3-2)
  - Type: General category of supervisory message
  - Code: Subcategory of type (set to zero if there is no code)
Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages
Router sends a "Host Unreachable" Error Message: an ICMP Message carried in an IP packet (IP Header | ICMP Message)
Host-to-host "Echo" and "Echo Reply" messages

Figure 3-32: IP Packet with an ICMP Message Data Field (Bit 0 to Bit 31)
IP Header (Usually 20 Bytes)
Type (8 bits) | Code (8 bits) | Depends on Type and Code
Depends on Type and Code
Figure 3-32: Internet Control Message Protocol (ICMP)
Network Analysis Messages
- Echo (Type 8, no code) asks target host if it is operational and available
- Echo reply (Type 0, no code). Target host responds to echo sender
- Ping program implements Echo and Echo Reply. Like submarine pinging a target
- Ping is useful for network managers to diagnose problems based on failures to reply
- Ping is useful for hackers to identify potential targets: live ones reply

Error Advisement Messages
- Advise sender of error but there is no error correction
- Host Unreachable (Type 3, multiple codes)
  - Many codes for specific reasons for host being unreachable
  - Host unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim
  - Usually sent by a router
Figure 3-31: Internet Control Message Protocol (ICMP)
Error Advisement Messages
- Time Exceeded (Type 11, no codes)
  - Router decrementing TTL to 0 discards packet, sends time exceeded message
  - IP header containing error message reveals router's IP address
  - By progressively incrementing TTL values by 1 in successive packets, attacker can scan progressively deeper into the network, mapping the network
  - Also usually sent by a router

Control Codes
- Control network/host operation
- Source Quench (Type=4, no code)
  - Tells destination host to slow down its transmission rate
  - Legitimate use: Flow control if host sending source quench is overloaded
  - Attackers can use for denial-of-service attack
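Decoding the Type and Code bytes of Figure 3-32 and applying an ingress policy to the message types these ICMP slides describe (Echo, Echo Reply, Host Unreachable, Time Exceeded, Source Quench, and the Redirect of the next slide). The policy implements the rule the chapter summary gives, allow only Echo Replies inbound at the border router, and is one reasonable configuration rather than the book's; the ICMP bytes are constructed. This is an added example, not the book's code.

```python
"""ICMP type/code decoding and a border-router ingress policy (added example, constructed bytes)."""
import struct
from typing import List, Tuple

# Types the slides discuss; the name for type 3 follows the slides
ICMP_TYPES = {0: "Echo Reply", 3: "Host Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded"}
# Only some types have codes; type 3 has many (three shown), the others here use 0
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def parse_icmp(ip_data_field: bytes) -> dict:
    """The first two bytes of the IP data field are Type and Code; what follows depends on them."""
    if len(ip_data_field) < 4:
        raise ValueError("ICMP header is at least 4 bytes (type, code, checksum)")
    icmp_type, code, _checksum = struct.unpack("!BBH", ip_data_field[:4])
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    detail = UNREACHABLE_CODES.get(code, f"code {code}") if icmp_type == 3 else None
    return {"type": icmp_type, "code": code, "name": name, "detail": detail,
            "rest": ip_data_field[4:]}


def ingress_verdict(icmp: dict, from_outside: bool) -> str:
    """Inbound from the ISP: allow only Echo Replies. Outbound: no ICMP restriction here."""
    if not from_outside:
        return "allow"
    t = icmp["type"]
    if t == 0:
        return "allow"
    if t in (4, 5):
        return "drop: outside control message (source quench / redirect)"
    if t == 8:
        return "drop: inbound echo (a reply would confirm the address is live)"
    return "drop"


def apply_policy(messages: List[Tuple[bytes, bool]]) -> List[str]:
    """Run a batch of (ip_data_field, from_outside) pairs through the policy."""
    out = []
    for data, from_outside in messages:
        icmp = parse_icmp(data)
        label = icmp["name"] + (f" ({icmp['detail']})" if icmp["detail"] else "")
        out.append(f"{label}: {ingress_verdict(icmp, from_outside)}")
    return out


if __name__ == "__main__":
    # Constructed ICMP headers: type, code, checksum (checksum left 0 here), then type-specific bytes
    samples = [(b"\x00\x00\x00\x00\x00\x01\x00\x01", True),   # Echo Reply to an inside ping
               (b"\x08\x00\x00\x00\x00\x01\x00\x01", True),   # Echo from outside
               (b"\x03\x01\x00\x00", True),                   # Host Unreachable, code 1
               (b"\x05\x01\x00\x00\x0a\x00\x00\x01", True),   # Redirect from outside
               (b"\x0b\x00\x00\x00", True),                   # Time Exceeded from outside
               (b"\x08\x00\x00\x00\x00\x02\x00\x01", False)]  # Echo from inside going out
    for line in apply_policy(samples):
        print(line)
```

The caveat a practitioner wants: taken literally, the allow-only-Echo-Reply rule also drops the inbound Time Exceeded and Host Unreachable advisements that inside users' own traceroutes and path-MTU discovery depend on. Sites that need those typically permit types 3 and 11 inbound and keep the drop for types 4, 5 and 8, which are the ones the slides single out as abusable.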
Figure 3-31: Internet Control Message Protocol (ICMP)
Control Codes
- Redirect (Type 5, multiple codes)
  - Tells host or router to send packets in different way than they have
  - Attackers can disrupt network operations, for example, by sending packets down black holes
Many Other ICMP Messages

Topics Covered
Network Elements
- Client and server stations
- Applications
- Trunk lines and access lines
- Switches and routers
- Messages (frames)
Topics Covered
Messages (frames) may have headers, data fields, and trailers
- Headers have source and destination address fields
- Switches forward (switch) frames based on the value in the destination address field
- Based on field value, switch sends frames out a different port than the one on which the frame arrived

Topics Covered
Internets
- Group of networks connected by routers
- The Internet is a global internet
  - Organizations connect via ISPs
- Internet messages are called packets
  - Path of a packet is its route
- Packets travel within frames in networks
  - If route goes through four networks, there will be one packet and four frames
Topics Covered
TCP/IP Standards
- Dominate the Internet
- Created by the Internet Engineering Task Force (IETF)
- Documents are called requests for comments (RFCs)
OSI Standards
- Dominate for single networks
- Physical and data link layers

Topics Covered
Layer table (Figure 3-3): TCP/IP (Application, Transport, Internet, Subnet Access: Use OSI Standards Here) | OSI (Application, Presentation, Session, Transport, Network, Data Link, Physical) | Hybrid TCP/IP-OSI (Application, Transport, Internet, Data Link, Physical)
Topics Covered
Internetworking Layers
- Internet layer
  - Internet Protocol (IP)
    - Governs packet organization
    - Governs hop-by-hop router forwarding (routing)
- Transport layer
  - Governs end-to-end connection between the two hosts
  - TCP adds reliability, flow control, etc.
  - UDP is simpler, offers no reliability, etc.

Topics Covered
Application Layer Standards
- Govern interaction between two application programs
- Usually, a message formatting standard and a message transfer standard
  - HTML / HTTP in WWW
  - RFC 2822 / SMTP in e-mail
Topics Covered
IP Packet
- Version 4
  - 32-bit source and destination addresses
  - Time to live (TTL)
  - Header checksum
  - Protocol (type of message in data field)
  - Data field

Topics Covered
IP Packet
- Version 4
  - Option fields may be used, but more likely to be used by hackers rather than legitimately
  - Packet may be fragmented; this too is done mainly by attackers
  - Data field
- Version 6
  - 128-bit addresses to allow more addresses
Topics Covered
Vertical Communication on the Source Host
- One layer (Layer N) creates a message
- Passes message down to the next-lower layer (Layer N-1)
- The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 record
- Layer N-1 passes the Layer N-1 message down to Layer N-2

Topics Covered
Process is Reversed on the Destination Host
- Decapsulation occurs at each layer
Vertical Processes on Router
- The router first receives, then sends
- So the router first decapsulates, then encapsulates
- There is one internet layer process on each router
Topics Covered
Firewalls Only Need to Look at Internet, Transport, and Application Messages
- The attacker cannot manipulate the frame going from the ISP to the organization

Topics Covered
IP
- Connectionless and unreliable
- Hierarchical IP addresses
  - Network part
  - Subnet part
  - Host part
  - Part lengths vary
Topics Covered
IP
- Masks
  - You cannot tell by looking at an IP address what its network or subnet parts are
  - Network mask has 1s in the network part, followed by all zeros
  - Subnet mask has 1s in the network and subnet parts, followed by all zeros

Topics Covered
IP address spoofing
- Change the source IP address
  - To conceal identity of the attacker
  - To have the victim think the packet comes from a trusted host
- LAND attack
Topics Covered
TCP Messages
- Called TCP segments
- Flags fields for SYN, ACK, FIN, RST
- 3-way handshake with SYN to open
- Each segment that is received correctly is ACKed
  - This provides reliability

Topics Covered
TCP Messages
- Normally, FIN is used in a four-way close
- RST can create a single-message close
  - Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address
Topics Covered
Port Numbers
- Used in both TCP and UDP
- 16-bit source and destination port numbers
- Clients use ephemeral port numbers
  - Randomly generated by the client
  - 49153-65536
- Major applications on servers use well-known port numbers
  - 0 to 1023

Topics Covered
ICMP
- For supervisory messages at the internet layer
- ICMP messages are encapsulated in the data fields of IP packets
- Type and code designate contents of IP packet
- Attackers use ICMP messages in scanning
  - Replies tell them IP addresses
Topics Covered
ICMP
- Echo (Type 8, no code) asks target host if it is operational and available
- Echo reply (Type 0, no code). Target host responds to echo sender
- Ping program implements Echo and Echo Reply. Like submarine pinging a target
- ICMP error messages of several types
- Allow only ICMP echo replies in border router ingress filtering