Lecture 14 Review of TCP/IP Internetworking
Transcript of Lecture 14 Review of TCP/IP Internetworking
1
Lecture 14
Review of TCP/IP
Internetworking
2
Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
(Figure: client host, mobile client host, and server hosts attached to switches by access links; switches joined by trunk links; a frame travels along the path from client to server)
3
Frame Organization
(Figure: message structure of a frame: header, data field, trailer; the header holds the destination address field and other header fields)
4
Switching Decision
(Figure: Stations A, B, C, and D attached to switch ports 1 through 6; a frame with Station C in the destination address field arrives, and the switch sends it back out the port leading to Station C, based on the destination address)
5
An Internet
An internet is two or more individual switched networks connected by routers
(Figure: Switched Network 1, Switched Network 2, and Switched Network 3 connected by routers)
6
An Internet
A single network versus multiple networks connected by routers
The path of a packet across the internet is its route
(Figure: a packet crossing several single networks through routers; its route is the sequence of networks and routers it traverses)
7
Network
The Internet
(Figure: a packet from the browser travels from network to network through routers along its route to the webserver software)
The global Internet has thousands of networks
8
Frames and Packets
(Figure: client PC, switches, Router A, Router B, and server; a single packet is carried in Frame 1 in Network 1, Frame 2 in Network 2, and Frame 3 in Network 3)
9
Frames and Packets
Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport.
(Figure: shipper, truck, airport, airplane, airport, truck, receiver; the same shipment throughout)
10
TCP/IP Standards
Origins: the Defense Advanced Research Projects Agency (DARPA) created the ARPANET
An internet connects multiple individual networks
The global Internet is capitalized
Internet Engineering Task Force (IETF)
Most IETF documents are requests for comments (RFCs)
Internet Official Protocol Standards: list of RFCs that are official standards
11
TCP/IP Standards
Hybrid TCP/IP-OSI Architecture: combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2
TCP/IP           OSI              Hybrid TCP/IP-OSI
Application      Application      Application
                 Presentation
                 Session
Transport        Transport        Transport
Internet         Network          Internet
Subnet Access    Data Link        Data Link
(use OSI         Physical         Physical
standards here)
12
TCP/IP Standards
OSI Layers
Physical (Layer 1): defines electrical signaling and media between adjacent devices
Data link (Layer 2): control of a frame through a single network, across multiple switches
(Figure: Switched Network 1; a frame carried over physical links between switches, governed by the data link layer)
13
TCP/IP Standards
Internet Layer: governs the transmission of a packet across an entire internet. The path of the packet is its route
(Figure: a packet's route across Switched Networks 1, 2, and 3 through routers)
14
TCP/IP Standards
Frames and Packets
Frames are messages at the data link layer
Packets are messages at the internet layer
Packets are carried (encapsulated) in frames
There is only a single packet that is delivered from source to destination host
This packet is carried in a separate frame in each network
15
Internet and Transport Layers
Transport layer: end-to-end (host-to-host)
TCP is connection-oriented and reliable; UDP is connectionless and unreliable
Internet layer (usually IP): hop-by-hop (host-router or router-router), connectionless, unreliable
(Figure: client PC, Router 1, Router 2, Router 3, server)
16
TCP/IP Standards
Internet and Transport Layers: Purposes
Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
Transport layer is an end-to-end (host-to-host) protocol involving only the two hosts
17
TCP/IP Standards
Internet and Transport Layers: Internet Protocol (IP)
IP at the internet layer is unreliable: it does not correct errors in each hop between routers
This is good: it reduces the work each router along the route must do
18
TCP/IP Standards
Transport Layer Standards
Transmission Control Protocol (TCP): reliable and connection-oriented service at the transport layer; corrects errors
User Datagram Protocol (UDP): unreliable and connectionless service at the transport layer; a lightweight protocol, good when catching errors is not important
19
HTML and HTTP at the Application Layer
(Figure: the client PC with browser, 123.34.150.37, exchanges Hypertext Transfer Protocol (HTTP) requests and responses with the webserver, 60.168.47.47, which returns a Hypertext Markup Language (HTML) document or other file (jpeg, etc.))
20
TCP/IP Standards
Application Layer: governs communication between application programs, which may be written by different vendors
Document transfer versus document format standards: HTTP / HTML for WWW service; SMTP / RFC 822 (or RFC 2822) for e-mail
Many application standards exist because there are many applications
21
TCP/IP and OSI Architectures: Recap
TCP/IP           OSI              Hybrid TCP/IP-OSI
Application      Application      Application
                 Presentation
                 Session
Transport        Transport        Transport
Internet         Network          Internet
Subnet Access    Data Link        Data Link
(use OSI         Physical         Physical
standards here)
Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.
22
IP Packet
IP Version 4 Packet (bit 0 to bit 31 across each 32-bit row):
Version (4 bits, value 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Time to Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
23
IP Packet
Version: has the value four (0100)
Time to Live (TTL): prevents the endless circulation of mis-addressed packets
The value is set by the sender
Decremented by one by each router along the way
If it reaches zero, the router throws the packet away
24
IP Packet
Protocol field: identifies the contents of the data field: 1 = ICMP, 6 = TCP, 17 = UDP
(Figure: an IP header with Protocol=1 carries an ICMP message in the IP data field; Protocol=6 carries a TCP segment; Protocol=17 carries a UDP datagram)
25
IP Packet
Header checksum checks for errors in the header only
Faster than checking the whole packet
Stops bad headers from causing problems
IP Version 6 drops even this checking
Address fields are 32 bits long, of course
Options field(s) give optional parameters
Data field contains the payload of the packet.
26
Layer Cooperation Through Encapsulation on the Source Host
(Figure: the application process creates an HTTP message; the transport process encapsulates the HTTP message in the data field of a TCP segment (TCP header + HTTP message); the internet process encapsulates the TCP segment in the data field of an IP packet (IP header + TCP header + HTTP message))
27
Layer Cooperation Through Encapsulation on the Source Host
(Figure: the internet process hands the IP packet to the data link process, which encapsulates it in the data field of a frame (DL header + IP header + TCP header + HTTP message + DL trailer); the physical process converts the bits of the frame into signals)
28
Layer Cooperation Through Encapsulation on the Source Host
Note: the final frame for a supervisory TCP segment (one carrying no application data) is DL header + IP header + TCP header + DL trailer
29
Layer Cooperation Through Decapsulation on the Destination Host
(Figure: the internet process decapsulates the TCP segment from the data field of the IP packet; the transport process decapsulates the HTTP message from the data field of the TCP segment; the application process receives the HTTP message)
30
Layer Cooperation Through Decapsulation on the Destination Host
(Figure: the physical process converts signals into the bits of the frame; the data link process decapsulates the IP packet from the data field of the frame, removing the DL header and DL trailer; the internet process receives the IP packet)
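The encapsulation and decapsulation walked through above, as an added example that is not part of the lecture: a Python script builds a frame (DL header + IPv4 header + TCP header + HTTP request + DL trailer) and then peels it apart layer by layer, verifying the IPv4 header checksum and decoding the version, header length, TTL, protocol, flags and fragment offset fields on the way. The MAC addresses, IP addresses, ports and HTTP request are constructed sample values, and the TCP checksum is left at zero to keep the example short.

```python
"""Added example: encapsulate an HTTP request down to a frame, then decapsulate
and verify the IPv4 header. All addresses and the request are constructed."""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    """20-byte IPv4 header (IHL=5, no options, DF set) with checksum filled in."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    flags_frag = 0x4000                      # DF=1, MF=0, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = internet_checksum(hdr)            # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(sport, dport, seq, ack, flags, payload):
    """Minimal 20-byte TCP header (data offset 5); checksum left 0 for brevity."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags,
                       65535, 0, 0) + payload


def build_frame(dst_mac, src_mac, packet):
    """Ethernet II header (dst, src, type 0x0800) + packet + 4-byte trailer."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet + b"\x00" * 4


def parse_ipv4(packet):
    """Decapsulate an IPv4 packet: return (header fields, data field)."""
    (ver_ihl, _dscp, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hdr_len = ihl * 4
    if hdr_len < 20 or total_len < hdr_len or len(packet) < total_len:
        raise ValueError("truncated or malformed header")
    if internet_checksum(packet[:hdr_len]) != 0:   # receiver discards; no correction
        raise ValueError("bad header checksum")
    fields = {
        "ihl": ihl, "has_options": ihl > 5, "total_length": total_len,
        "ttl": ttl, "protocol": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    return fields, packet[hdr_len:total_len]


def decapsulate(frame):
    """Frame -> IP packet -> TCP segment -> application message."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:-4]                    # strip DL header and DL trailer
    ip, segment = parse_ipv4(packet)
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    tcp = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
           "flags": off_flags & 0x3F, "data_offset": off_flags >> 12}
    app = segment[tcp["data_offset"] * 4:]
    return ip, tcp, app


# Constructed sample values (not real hosts)
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SEGMENT = build_tcp(50047, 80, 1000, 2000, 0x18, HTTP_REQ)     # PSH|ACK
PACKET = build_ipv4("123.34.150.37", "60.168.47.47", 6, SEGMENT)
FRAME = build_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), PACKET)

if __name__ == "__main__":
    print(decapsulate(FRAME))
```

Flipping a single header byte (for instance the TTL) makes parse_ipv4 reject the packet on the checksum, which is the whole extent of IP's "unreliable" error handling: detect and discard, never correct.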
31
Vertical Communication on Router R1
(Figure: Router R1 has Ports 1-4, each with its own data link (DL) and physical (PHY) process, and a single internet layer process)
Notes: A. Router R1 receives a frame from Switch X2 in Port 1. The Port 1 DL process decapsulates the packet. The Port 1 DL process passes the packet to the internet process.
32
Vertical Communication on Router R1
(Figure: the same router; the packet leaves through Port 4 toward Router 2)
B. The internet process sends the packet out on Port 4. The DL process on Port 4 encapsulates the packet in a PPP frame. The DL process passes the frame to the Port 4 PHY.
33
Site Connection to an ISP
(Figure: site network, border firewall, ISP router, Internet backbone)
1. Frame for this data link
2. Packet carried in ISP carrier frame
3. Packet carried in site frame
4. Data link between site and ISP (difficult to attack)
5. Normally, only the arriving packet is dangerous, not the frame fields
34
Internet Protocol (IP)
Basic Characteristics
There were already single networks, and many more would come in the future
Developers needed to make a few assumptions about underlying networks
So they kept IP simple
35
Internet Protocol (IP)
Connection-Oriented Service and Connectionless Service
Connection-oriented services have distinct starts and closes (telephone calls)
Connectionless services merely send messages (postal letters)
IP is connectionless
36
IP Packet
(Figure: the PC's internet process sends an IP packet to the first router's internet process)
Connectionless: packets are sent in isolation, like postal letters
Unreliable: no error correction; a packet is discarded by the receiver if an error is detected; error correction is left to the transport layer
Reduces the cost of routers
37
Internet Protocol (IP)
IP is unreliable (checks for errors but does not correct errors)
Not doing error correction at each hop between routers reduces router work and so router cost
Does not even guarantee packets will arrive in order
38
Internet Protocol (IP)
Hierarchical IP Addresses
Postal addresses are hierarchical (state, city, postal zone, specific address)
Most post offices have to look only at state and city
Only the final post offices have to be concerned with specific addresses
39
Hierarchical IP Address
Network part (not always 16 bits), subnet part (not always 8 bits), host part (not always 8 bits); the total is always 32 bits.
Example: 128.171.17.13 is host 13 on the CBA subnet (17) of the UH network (128.171), reached across the Internet
40
Internet Protocol (IP)
Hierarchical IP Addresses: 32-bit IP addresses are hierarchical (Figure 3-15)
Network part tells what network the host is on
Subnet part tells what subnet the host is on within the network
Host part specifies the host on its subnet
Routers have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host
41
Internet Protocol (IP)
Hierarchical IP Addresses 32-bit IP addresses are hierarchical
Total is 32 bits; part sizes vary
Network mask tells you the size of the network part (Figure 3-16)
Subnet mask tells you the length of the network plus subnet parts combined
42
IP Address Masking with Network and Subnet Masks
                   Network Masking                         Subnet Masking
Mask represents    Tells the size of the network part      Tells the size of the network and subnet parts combined
Eight ones         Give the decimal value 255              Give the decimal value 255
Eight zeros        Give the decimal value 0                Give the decimal value 0
Masking gives      The IP address bit where the mask bit is 1; 0 where the mask bit is 0 (both kinds of mask)
43
IP Address Masking with Network and Subnet Masks
Example 1      Network Masking                   Subnet Masking
IP Address     128.171.17.13                     128.171.17.13
Mask           255.255.0.0                       255.255.255.0
Result         128.171.0.0                       128.171.17.0
Meaning        16-bit network part is 128.171    Combined 24-bit network plus subnet part is 128.171.17
Example 2      Network Masking                   Subnet Masking
IP Address     60.47.123.7                       60.47.123.7
Mask           255.0.0.0                         255.255.0.0
Result         60.0.0.0                          60.47.0.0
Meaning        8-bit network part is 60          Combined 16-bit network plus subnet part is 60.47
44
IP Address Spoofing
(Figure: the trusted server 60.168.4.6 has a trust relationship (1) with the victim server 60.168.47.47; the attacker's client PC, 1.34.150.37, sends an attack packet (2) with the spoofed source IP address 60.168.4.6, so the attacker's identity is not revealed; the server accepts the attack packet (3))
45
Internet Protocol (IP)
IP Addresses and Security
IP address spoofing: Sending a message with a false IP address (Figure 3-17)
Gives sender anonymity so that attacker cannot be identified
Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts
46
Internet Protocol (IP)
IP Addresses and Security: LAND attack
Send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination. In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.
47
LAND Attack Based on IP Address Spoofing
(Figure: the attacker, 1.34.150.37, sends a segment From: 60.168.47.47:23 To: 60.168.47.47:23 to the victim, 60.168.47.47, which has port 23 open; the source and destination IP addresses are the same, the source and destination port numbers are the same, and the victim crashes)
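The masking arithmetic from the two examples above and the two header-only checks a border firewall can make against spoofed and LAND packets, as an added example that is not part of the lecture. The site prefix 60.168.0.0/16 and the hypothetical ingress_verdict function are assumptions made for the example; the addresses are the constructed ones used in the figures.

```python
"""Added example: network/subnet masking, and the inbound (ingress) checks a
border firewall can make from IP-header fields alone. The site prefix is an
assumption; all addresses are constructed sample values."""


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def apply_mask(addr: str, mask: str) -> str:
    """Bitwise AND: keep the address bit where the mask bit is 1, zero it where 0."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def mask_from_prefix(prefix_len: int) -> str:
    """Prefix length (e.g. 24) to dotted-decimal mask (255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return int_to_ip(0xFFFFFFFF ^ ((1 << (32 - prefix_len)) - 1))


def in_network(addr: str, network: str, mask: str) -> bool:
    """True if addr masks to the same network (or network+subnet) part."""
    return apply_mask(addr, mask) == apply_mask(network, mask)


# Assumption for the example: the site owns 60.168.0.0/16 behind its border firewall
SITE_NETWORK = "60.168.0.0"
SITE_MASK = "255.255.0.0"


def ingress_verdict(src, dst, sport, dport, site_network=SITE_NETWORK, site_mask=SITE_MASK):
    """Decide on a packet arriving from the ISP side; return (accept, reason)."""
    if src == dst and sport == dport:
        return False, "LAND: source equals destination address and port"
    if in_network(src, site_network, site_mask):
        # A packet from our own prefix cannot legitimately arrive from outside
        return False, "spoofed: internal source address on the external interface"
    if not in_network(dst, site_network, site_mask):
        return False, "destination is not ours: no transit forwarding"
    return True, "ok"


if __name__ == "__main__":
    for args in (("60.168.47.47", "60.168.47.47", 23, 23),   # LAND packet from the figure
                 ("60.168.4.6", "60.168.47.47", 40000, 80),  # forged "trusted server"
                 ("1.34.150.37", "60.168.47.47", 40000, 80)):
        print(args, ingress_verdict(*args))
```

The spoof check only catches forgeries of the site's own addresses; a packet forged with some other external address is indistinguishable to the victim's firewall, which is why source-address validation also has to be done at the sending network's edge (the ingress filtering of RFC 2827 / BCP 38).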
48
Internet Protocol (IP)
Other IP Header Fields: Protocol field identifies the content of the IP data field
Firewalls need this information to know how to process the packet
49
Internet Protocol (IP)
Other IP Header Fields: Time-to-Live field
Each router decrements the TTL value by one
A router decrementing the TTL field to zero discards the packet
50
Internet Protocol (IP)
Other IP Header Fields: Time-to-Live field
The router also sends an error advisement message to the sender
The packet containing this message reveals the IP address of the router that sent it to the attacker
Traceroute uses TTL to map the route to a host (Figure 3-19); tracert on Windows machines
51
Tracert Program in Windows
52
Internet Protocol (IP)
Other IP Header Fields: Header Length field and Options
With no options, Header Length is 5, expressed in units of 32 bits (so 20 bytes)
Many options are dangerous, so if Header Length is more than 5, be suspicious
Some firms drop all packets with options
53
Internet Protocol (IP)
Other IP Header Fields: Total Length field
Gives the length of the entire packet (header plus data field) in bytes
Maximum is 65,535 bytes (the field is 16 bits)
The Ping-of-Death attack sent fragments that reassembled into a packet longer than this maximum
Many systems crashed
54
Ping-of-Death Attack
(Figure: the attacker, 1.34.150.37, sends an IP packet containing an ICMP Echo message that is illegally long; the victim, 60.168.47.47, crashes)
55
Internet Protocol (IP)
Other IP Header Fields: Fragmentation
Routers may fragment IP packets (really, packet data fields) en route
All fragments have the same Identification field value
Fragment Offset values allow the fragments to be ordered
The More Fragments flag is 0 in the last fragment
56
Internet Protocol (IP)
Other IP Header Fields: Fragmentation
Harms packet inspection: the TCP header, etc., is only in the first fragment of the series
Cannot filter on the TCP header, etc., in subsequent fragments
57
TCP Header is Only in the First Fragment of a Fragmented IP Packet
(Figure: 1. the attacker, 1.34.150.37, sends a fragmented IP packet; 2. the first fragment is IP header + TCP header + TCP data field; 3. the TCP header is only in the first fragment; 4. the second fragment is IP header + TCP data field, with no TCP header; 5. the firewall protecting 60.168.47.47 can only filter on the TCP header in the first fragment)
58
Internet Protocol (IP)
Other IP Header Fields: Fragmentation
Teardrop attack: a crafted fragmented packet does not make sense when reassembled
Some firewalls drop all fragmented packets, which are rare today
59
Teardrop Denial-of-Service Attack
(Figure: the attacker, 1.34.150.37, sends what pretends to be a fragmented IP packet; when "defragmented", the "packet" does not make sense: the fragment offsets leave gaps and overlaps; the victim, 60.168.47.47, crashes)
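The fragmentation slides above (Identification, Fragment Offset, More Fragments, the transport header living only in the first fragment, and the Teardrop and Ping-of-Death patterns), as an added example that is not part of the lecture: a Python reassembler that accepts a well-formed series and refuses overlaps, gaps, a missing first or last fragment, and a series whose total would exceed 65,535 bytes. Fragments are represented as constructed tuples of header fields plus data rather than full packets; the Fragment class and helper names are the example's own.

```python
"""Added example: IPv4 fragment reassembly that rejects Teardrop-style overlaps
and gaps and a Ping-of-Death-style oversize total. Fragments are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification: identical for every fragment of one packet
    offset: int     # Fragment Offset field, in 8-byte units
    mf: bool        # More Fragments flag; False only on the last fragment
    data: bytes     # this fragment's slice of the original IP data field


MAX_DATA = 65535 - 20   # largest data field a 16-bit Total Length allows (20-byte header)


def fragment(ident, data, max_frag_data=16):
    """Split an IP data field as a router would; non-final pieces are multiples of 8."""
    if max_frag_data <= 0 or max_frag_data % 8:
        raise ValueError("fragment data size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(data), max_frag_data):
        chunk = data[start:start + max_frag_data]
        more = start + len(chunk) < len(data)        # MF=0 only on the last piece
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags


def carries_transport_header(frag):
    """A stateless filter sees the TCP/UDP header only in the offset-0 fragment."""
    return frag.offset == 0


def reassemble(fragments):
    """Rebuild the data field, or raise ValueError for a series a reassembler must refuse."""
    if not fragments:
        raise ValueError("no fragments")
    if len({f.ident for f in fragments}) != 1:
        raise ValueError("fragments of different packets mixed")
    frags = sorted(fragments, key=lambda f: f.offset)   # arrival order does not matter
    if frags[0].offset != 0:
        raise ValueError("offset-0 fragment missing: no transport header to inspect")
    if frags[-1].mf:
        raise ValueError("last fragment missing (MF still set)")
    for f in frags[:-1]:
        if not f.mf:
            raise ValueError("MF=0 on a fragment that is not the last")
        if len(f.data) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
    out, expected = bytearray(), 0
    for f in frags:
        start = f.offset * 8
        if start < expected:
            raise ValueError("overlap at byte %d (Teardrop pattern)" % start)
        if start > expected:
            raise ValueError("gap between bytes %d and %d" % (expected, start))
        out += f.data
        expected = start + len(f.data)
        if expected > MAX_DATA:
            raise ValueError("reassembled packet would exceed 65,535 bytes (Ping-of-Death pattern)")
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(50))                 # constructed: "TCP header + data" of 50 bytes
    pieces = fragment(9, sample)
    print([(p.offset, p.mf, len(p.data)) for p in pieces])
    print(reassemble(pieces) == sample)
```

A firewall that cannot keep state has exactly the choice the slides describe: inspect only the offset-0 fragment, drop every fragment whose offset is non-zero, or reassemble (as above) before filtering.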
60
IP Packet with a TCP Segment Data Field
IP Header (usually 20 bytes), followed by the TCP header (bit 0 to bit 31 across each row):
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
61
Transmission Control Protocol (TCP)
TCP messages are TCP segments
The flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
(Figure: Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits))
62
Transmission Control Protocol (TCP)
Reliable: the receiving process sends an ACK to the sending process if a segment is correctly received
The ACK bit is set (1) in acknowledgement segments
If the sending process does not get an ACK, it resends the segment
(Figure: the PC transport process sends a TCP segment; the webserver transport process returns a TCP segment (ACK))
63
Transmission Control Protocol (TCP)
Connections, Opens and Closes: formal open and close
Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
Abrupt close: RST (Figure 3-26)
64
Communication During a TCP Session
(Figure: PC transport process and webserver transport process)
3-way open (3 messages):
1. SYN (open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
65
Communication During a TCP Session
Open (3 messages):
1. SYN (open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
Carry HTTP request and response (4 messages):
4. Data = HTTP request
5. ACK (4)
6. Data = HTTP response
7. ACK (6)
66
Communication During a TCP Session
Error handling:
8. Data = HTTP request (error)
9. Data = HTTP request (no ACK, so retransmit)
10. ACK (9)
11. Data = HTTP response
12. ACK (11)
67
Communication During a TCP Session
Normal four-way close (4 messages):
13. FIN (close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough
68
Communication During a TCP Session
Abrupt close (1 message): RST
Either side can send a Reset (RST) segment at any time; it ends the session immediately
69
SYN/ACK Probing Attack Using Reset (RST)
(Figure: 1. the attacker, 1.34.150.37, probes 60.168.47.47 with a SYN/ACK segment; 2. the victim has no such connection, so the segment makes no sense; 3. the victim replies "go away" with an RST segment; 4. the IP header of that RST packet carries source IP address 60.168.47.47; 5. the attacker learns that 60.168.47.47 is live)
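The exchanges in the session slides above (three-way open, data and ACKs, four-way close, RST) and the SYN/ACK probe, as an added example that is not part of the lecture: a small Python model of how a server endpoint answers each inbound segment depending on connection state. Only flags and address/port tuples are modelled; sequence numbers, retransmission timers, and the active (client-initiated) close are left out, and the TcpHost class, its state names, and the addresses are the example's own constructed values.

```python
"""Added example: a minimal TCP endpoint state model, enough to show the 3-way
open, the 4-way close, RST, and why an unsolicited SYN/ACK or a SYN to a closed
port draws an RST that tells a prober the host is live. Constructed values."""

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04    # bit values in the 6-bit flags field


def flag_names(flags):
    names = [n for n, b in (("SYN", SYN), ("ACK", ACK), ("FIN", FIN), ("RST", RST)) if flags & b]
    return "|".join(names) if names else "-"


class TcpHost:
    """Server-side endpoint keeping one state per (peer address, peer port, local port)."""

    def __init__(self, addr, listening_ports):
        self.addr = addr
        self.listening = set(listening_ports)
        self.conns = {}

    def receive(self, peer, peer_port, local_port, flags):
        """Handle one inbound segment; return the flags of the reply (0 = no reply)."""
        key = (peer, peer_port, local_port)
        state = self.conns.get(key, "CLOSED")
        if flags & RST:                          # abrupt close: drop state, never answer an RST
            self.conns.pop(key, None)
            return 0
        if state == "CLOSED":
            if flags == SYN and local_port in self.listening:
                self.conns[key] = "SYN_RCVD"
                return SYN | ACK                 # three-way open, message 2
            return RST                           # closed port, or SYN/ACK for no connection
        if state == "SYN_RCVD":
            if flags & ACK and not flags & SYN:
                self.conns[key] = "ESTABLISHED"  # three-way open, message 3 completes it
                return 0
            return RST
        if state == "ESTABLISHED":
            if flags & FIN:                      # peer's FIN: four-way close, message 1
                self.conns[key] = "CLOSE_WAIT"
                return ACK                       # four-way close, message 2
            return ACK                           # data segment or pure ACK: acknowledge
        if state == "CLOSE_WAIT":
            return ACK if flags & FIN else 0     # a retransmitted FIN gets its ACK again
        if state == "LAST_ACK" and flags & ACK:
            del self.conns[key]                  # four-way close, message 4: finished
            return 0
        return 0

    def close(self, peer, peer_port, local_port):
        """Application closes its side after the peer's FIN: send our FIN (message 3).
        Only the passive close is modelled; in any other state nothing is sent."""
        key = (peer, peer_port, local_port)
        if self.conns.get(key) == "CLOSE_WAIT":
            self.conns[key] = "LAST_ACK"
            return FIN
        return 0


def syn_ack_probe(target, attacker_addr, port, attacker_port=40000):
    """Attacker sends a SYN/ACK for a connection that does not exist.
    An RST coming back proves the address is live, whether or not the port is open."""
    reply = target.receive(attacker_addr, attacker_port, port, SYN | ACK)
    return bool(reply & RST)


if __name__ == "__main__":
    srv = TcpHost("60.168.47.47", listening_ports=[80])
    conn = ("123.34.150.37", 50047, 80)
    for sent in (SYN, ACK, ACK, FIN | ACK):
        print("client sends", flag_names(sent), "-> server replies", flag_names(srv.receive(*conn, sent)))
    print("server closes ->", flag_names(srv.close(*conn)), "; probe says live:",
          syn_ack_probe(srv, "1.34.150.37", 23))
```

A border filter that drops inbound SYN/ACK segments for which it has seen no outbound SYN makes the probe in the last line return False, because the victim never sees the segment and so never sends the revealing RST.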
70
Transmission Control Protocol (TCP)
Sequence and Acknowledgement Numbers
Sequence numbers identify the segment's place in the sequence
The acknowledgement number identifies which segment is being acknowledged
(Figure: Source Port Number (16 bits) | Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits))
71
Transmission Control Protocol (TCP)
Port Number
Port numbers identify applications
Well-known ports (0-1023) are used by applications that run as root (Figure 3-27)
HTTP=80, Telnet=23, FTP=21 for supervision and 20 for data transfer, SMTP=25
(Figure: Source Port Number (16 bits) | Destination Port Number (16 bits))
72
Transmission Control Protocol (TCP)
Port Number
Registered ports (1024-49151) for any application
Ephemeral/dynamic/private ports (49152-65535) used by clients (16,384 possible)
Not all operating systems use these port ranges, although all use well-known ports
73
Transmission Control Protocol (TCP)
Port Number
Socket format is IP address:port, for instance 128.171.17.13:80; it designates a specific program on a specific machine
Port spoofing (Figure 3-28): an incorrect application uses a well-known port, especially 80, which is often allowed through firewalls
74
Use of TCP and UDP Port Numbers
(Figure: client 60.171.18.22; webserver 60.171.17.13 on port 80; SMTP server 123.30.17.120 on port 25)
Client to webserver: From: 60.171.18.22:50047 To: 60.171.17.13:80
Webserver to client: From: 60.171.17.13:80 To: 60.171.18.22:50047
Client to SMTP server: From: 60.171.18.22:60003 To: 123.30.17.120:25
Clients use different ephemeral ports for different connections
78
User Datagram Protocol (UDP)
UDP datagrams are simple: source and destination port numbers (16 bits each), UDP length (16 bits), UDP checksum (16 bits)
IP Header (usually 20 bytes), followed by the UDP header (bit 0 to bit 31 across each row):
Source Port Number (16 bits) | Destination Port Number (16 bits)
UDP Length (16 bits) | UDP Checksum (16 bits)
Data Field
79
User Datagram Protocol (UDP)
Port spoofing is still possible
UDP datagram insertion: insert a UDP datagram into an ongoing dialog stream; hard to detect because there are no sequence numbers in UDP
80
Internet Control Message Protocol (ICMP)
ICMP is for supervisory messages at the internet layer
ICMP and IP: an ICMP message is delivered (encapsulated) in the data field of an IP packet
Types and codes: Type is the general category of supervisory message; Code is the subcategory of the type (set to zero if there is no code)
81
Internet Control Message Protocol (ICMP) for Supervisory Messages
(Figure: a router sends a "Host Unreachable" error message; a host sends "Echo" and receives "Echo Reply"; each ICMP message travels behind an IP header)
82
IP Packet with an ICMP Message Data Field
IP Header (usually 20 bytes), followed by the ICMP message (bit 0 to bit 31 across each row):
Type (8 bits) | Code (8 bits) | remainder depends on Type and Code
Further fields depend on Type and Code
83
Internet Control Message Protocol (ICMP)
Network Analysis Messages
Echo (Type 8, no code) asks the target host if it is operational and available
Echo reply (Type 0, no code): the target host responds to the echo sender
The ping program implements Echo and Echo Reply, like a submarine pinging a target
Ping is useful for network managers to diagnose problems based on failures to reply
Ping is useful for hackers to identify potential targets: live ones reply
84
Internet Control Message Protocol (ICMP)
Error Advisement Messages: advise the sender of an error, but there is no error correction
Destination Unreachable (Type 3, multiple codes); Host Unreachable is Code 1
Many codes for the specific reason the destination is unreachable
The source IP address of a Host Unreachable packet confirms to hackers that the address that sent it is live and therefore a potential victim
Usually sent by a router
85
Internet Control Message Protocol (ICMP)
Error Advisement Messages: Time Exceeded (Type 11; Code 0 means TTL exceeded in transit)
A router decrementing the TTL to 0 discards the packet and sends a Time Exceeded message
The IP header carrying the error message reveals the router's IP address
By progressively incrementing the TTL value by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping it
Also usually sent by a router
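The TTL and Time Exceeded mechanics from the IP header slides and the slide above, as an added example that is not part of the lecture: a Python simulation in which each router on a constructed route decrements the TTL, discards the packet when it hits zero, and answers with ICMP Time Exceeded (type 11, code 0) from its own address, plus the traceroute loop that maps the route by raising the TTL one step at a time. The router and target addresses, the forward/traceroute function names and the "silent router" option are the example's own assumptions.

```python
"""Added example: TTL decrement, ICMP Time Exceeded, and a traceroute loop over
a simulated route. Router and host addresses are constructed values."""

ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11
TTL_EXCEEDED_IN_TRANSIT = 0                 # code 0 of type 11


def forward(route, target, ttl, silent=frozenset()):
    """Carry one echo packet with the given TTL through `route` (router addresses in
    order) toward `target`. Returns (responder address, ICMP type, ICMP code), or
    (None, None, None) when nothing comes back."""
    if ttl < 1:
        raise ValueError("a packet is sent with TTL of at least 1")
    for router in route:
        ttl -= 1                            # every router decrements by one
        if ttl == 0:                        # reached zero here: discard and advise the sender
            if router in silent:            # this router filters or rate-limits its ICMP
                return None, None, None
            return router, ICMP_TIME_EXCEEDED, TTL_EXCEEDED_IN_TRANSIT
    return target, ICMP_ECHO_REPLY, 0       # survived every hop: the target answers the echo


def traceroute(route, target, max_hops=30, silent=frozenset()):
    """Probe with TTL 1, 2, 3, ... recording who answered each; stop when the target does."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, itype, code = forward(route, target, ttl, silent)
        hops.append((ttl, responder, itype, code))
        if responder == target:
            break
    return hops


def format_hops(hops):
    """Render like a traceroute listing; '*' marks a hop that sent nothing back."""
    return "\n".join("%2d  %s" % (ttl, r if r is not None else "*") for ttl, r, _, _ in hops)


if __name__ == "__main__":
    ROUTE = ["60.168.1.1", "60.168.2.1", "10.0.0.1"]    # constructed router addresses
    print(format_hops(traceroute(ROUTE, "60.168.47.47")))
    print(format_hops(traceroute(ROUTE, "60.168.47.47", silent={"60.168.2.1"})))
```

Each line of the listing is an address that would otherwise never appear in traffic to the target, which is exactly what the slide means by the error message revealing the router's IP address; a router that does not send Time Exceeded shows up only as "*".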
86
Internet Control Message Protocol (ICMP)
Control Messages: control network/host operation
Source Quench (Type 4, no code): tells the sending host to slow down its transmission rate
Legitimate use: flow control if the host sending the Source Quench is overloaded
Attackers can use it for a denial-of-service attack
(Source Quench has since been deprecated by RFC 6633, and current hosts are expected to ignore it)
87
Internet Control Message Protocol (ICMP)
Control Messages: Redirect (Type 5, multiple codes)
Tells a host or router to send packets a different way than it has been
Attackers can disrupt network operations, for example, by sending packets down black holes
Many Other ICMP Messages
88
Topics Covered
Network Elements
Client and server stations
Applications
Trunk lines and access lines
Switches and routers
Messages (frames)
89
Topics Covered
Messages (frames) may have headers, data fields, and trailers
Headers have source and destination address fields
Switches forward (switch) frames based on the value in the destination address field
Based on the field value, the switch sends the frame out a different port than the one on which the frame arrived
90
Topics Covered
Internets: a group of networks connected by routers
The Internet is a global internet; organizations connect via ISPs
Internet messages are called packets; the path of a packet is its route
Packets travel within frames in networks; if the route goes through four networks, there will be one packet and four frames
91
Topics Covered
TCP/IP standards dominate the Internet; created by the Internet Engineering Task Force (IETF); documents are called requests for comments (RFCs)
OSI standards dominate for single networks: physical and data link layers
92
Topics Covered
TCP/IP           OSI              Hybrid TCP/IP-OSI
Application      Application      Application
                 Presentation
                 Session
Transport        Transport        Transport
Internet         Network          Internet
Subnet Access    Data Link        Data Link
(use OSI         Physical         Physical
standards here)
93
Topics Covered
Internetworking Layers
Internet layer: the Internet Protocol (IP) governs packet organization and hop-by-hop router forwarding (routing)
Transport layer: governs the end-to-end connection between the two hosts; TCP adds reliability, flow control, etc.; UDP is simpler and offers no reliability, etc.
94
Topics Covered
Application Layer Standards
Govern interaction between two application programs
Usually a message formatting standard and a message transfer standard: HTML / HTTP in WWW; RFC 2822 / SMTP in e-mail
95
Topics Covered
IP Packet Version 4
32-bit source and destination addresses
Time to live (TTL)
Header checksum
Protocol (type of message in the data field)
Data field
96
Topics Covered
IP Packet Version 4
Option fields may be used, but more likely to be used by hackers rather than legitimately
Packet may be fragmented; this too is done mainly by attackers
Data field
Version 6 128-bit addresses to allow more addresses
97
Topics Covered
Vertical Communication on the Source Host
One layer (Layer N) creates a message
Passes message down to the next-lower layer (Layer N-1)
The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 record
Layer N-1 passes the Layer N-1 message down to Layer N-2
98
Topics Covered
The process is reversed on the destination host: decapsulation occurs at each layer
Vertical processes on a router: the router first receives, then sends, so the router first decapsulates, then encapsulates
There is one internet layer process on each router
99
Topics Covered
Firewalls only need to look at internet, transport, and application messages; the attacker cannot manipulate the frame going from the ISP to the organization
100
Topics Covered
IP
Connectionless and unreliable
Hierarchical IP addresses: network part, subnet part, host part; part lengths vary
101
Topics Covered
IP Masks
You cannot tell by looking at an IP address what its network or subnet parts are
Network mask has 1s in the network part, followed by all zeros
Subnet mask has 1s in the network and subnet parts, followed by all zeros
102
Topics Covered
IP address spoofing
Change the source IP address
To conceal identity of the attacker
To have the victim think the packet comes from a trusted host
LAND attack
103
Topics Covered
TCP Messages
Called TCP segments
Flags field for SYN, ACK, FIN, RST
3-way handshake with SYN to open
Each segment that is received correctly is ACKed; this provides reliability
104
Topics Covered
TCP Messages
Normally, FIN is used in a four-way close
RST can create a single-message close
Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address
105
Topics Covered
Port Numbers: used in both TCP and UDP
16-bit source and destination port numbers
Clients use ephemeral port numbers, randomly generated by the client, 49152-65535
Major applications on servers use well-known port numbers 0 to 1023
106
Topics Covered
ICMP
For supervisory messages at the internet layer
ICMP messages are encapsulated in the data fields of IP packets
Type and code designate the contents of the ICMP message
Attackers use ICMP messages in scanning Replies tell them IP addresses
107
Topics Covered
ICMP Echo (Type 8, no code) asks the target host if it is operational and available
Echo reply (Type 0, no code): the target host responds to the echo sender
The ping program implements Echo and Echo Reply, like a submarine pinging a target
ICMP error messages of several types
Allow only ICMP echo replies in border router ingress filtering
108
End of Lecture