Presentation is loading. Please wait.

Presentation is loading. Please wait.

COM850 Computer Hacking and Security Lecture 2. Network Basics

Similar presentations

Presentation on theme: "COM850 Computer Hacking and Security Lecture 2. Network Basics"— Presentation transcript:

1 COM850 Computer Hacking and Security Lecture 2. Network Basics
Prof. Taeweon Suh Computer Science & Engineering Korea University

2 Open Systems Interconnection (OSI)
International Standards Organization (ISO) is a multinational body dedicated to worldwide agreement on international standards. Almost three-fourths of countries in the world are represented in the ISO. An ISO standard that covers all aspects of network communications is the Open Systems Interconnection (OSI) model. It was first introduced in the late 1970s. The OSI model is a layered framework for the design of network systems that allows communication between all types of computer systems

3 OSI 7 Layers Physical: transmit bits over a medium
, POP3, IMAP Physical: transmit bits over a medium Data link: organize bits into a frame Network: move packets from source to destination Transport: provide reliable process-to-process message delivery Session: establish, manage, and terminate sessions Presentation: translate, encrypt and compress data Application: allow access to the network resources

4 TCP/IP Protocol Suite The TCP/IP protocol suite was developed prior to the OSI model Thus, the layer in TCP/IP do not match exactly with those in OSI

5 Encapsulation

6 OSI Layers client server Router A Router B As a message travels from A to B, it may pass through many intermediate nodes. These intermediate nodes usually involve only the first three layers of the OSI model

7 Ethernet Local Area Network (LAN) is a computer network designed for a limited geographic area such as a building or a campus Most LANs are linked to a wide area network (WAN) or the Internet There are several technologies for LAN such as Ethernet, Token ring, Token bus, FDDI and ATM LAN Ethernet is by far the dominant technology

8 MAC (Media Access Control) addresses
Ethernet Frame MAC (Media Access Control) addresses CRC: Cyclic Redundancy Checking

9 Ethernet Type Field Source:

10 Internet Protocol (IP)
IP is the transmission mechanism at the network layer IP is an unreliable and connectionless datagram protocol – best-effort delivery Each datagram is handled independently, and each datagram can follow a different route to the destination It implies that datagrams sent by the same source to the same destination could arrive out of order IP packets can be corrupted, lost, arrived out of order or delayed Packets in the network layer are called datagrams

11 IP Datagram TTL Version (VER): IPv4 or IPv6
Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) depending on options Service Type (TOS): cost, reliability, throughput, delay Total length: header + data in bytes (max B) Max. size of data field, Maximum Transfer Unit (MTU), differs from one physical network to another Ethernet LAN: 1500B, FDDI LAN: 4352B, PPP: 296B ID, Flags, and Fragmentation offset are used in fragmentation

12 IPv4 Addresses The identifier used in the IP layer, to identify each device connected to the Internet is called Internet address, or IP address IPv4 address is 32-bit long The address space of IPv4 is 232, or 4,294,967,296 IPv4 addresses are unique and universal IP addresses use the concept of classes Classful addressing In the mid-1990s, a new architecture called classless addressing was introduced Classless addressing supersedes the classful addressing

13 Classful Addressing

14 Classful Addressing netid defines network. Network address is used in routing a packet to its destination network hostid defines a particular host on the network Class A: 128 (27) blocks that can be assigned to 128 organizations, each block has 16,777,216 addresses Millions of class A address are wasted Class B: 16,384 (214) blocks, each block has addresses Many class B addresses are wasted Class C: 2,097,152 (221) blocks, each block has 256 addresses Not so many organizations are so small to have a class C block

15 Classless Addressing Solutions to the IP address depletion problem
IPv6: 128-bit (or 16B) long Classless addressing: use IPv4, but change the distribution of addresses to provide a fair share to each organization In classless addressing, variable-length blocks are used that belong to no classes Prefix defines network, and suffix defines host The prefix length can be 1 to 32 Slash notation, formally referred to as Classless Interdomain Routing (CIDR)

16 Examples One of the addresses in a block is
Number of addresses: First address in the block: Last address in the block: One of the addresses in a block is /20 256 4096

17 Special Addresses /32 Reserved for communication when a host does not know its own address Normally used at bootstrap time to get IP from DHCP server /32 Reserved for limited broadcast address in the current network /8 Used for the loopback address, which is an address used to test the software on a machine When the loopback address is used, the packet never leaves the machine; It simply returns to the protocol software. For example, an application such as “ping” can send a packet with a loopback address as the destination address to see if the IPv4 software is capable of receiving and processing a packet.

18 Special Addresses Private addresses Multicast addresses
A number of blocks are assigned for private use. They are not recognized globally. These addresses are used either in isolation or in connection with network address translation (NAT) techniques Multicast addresses /4 is reserved for multicast communication

19 Special Addresses in Each block
Network Address: the first address (with the suffix set all to 0s) in a block defines the network address. It defines the network itself and not any host in the network Direct Broadcast Address: the last address in a block It is usually used by a router to send a packet to all hosts in a specific network All hosts will accept a packet having this type of destination address This address can be used only as a destination address in an IPv4 packet

20 TTL TTL is used for controlling the maximum number of hops (routers) visited by the datagram When a source host sends the datagram, it stores a number in TTL, which is approximately 2X the max. number of hops between any 2 hosts TTL is needed because routing tables in the Internet can become corrupted, resulting in packet’s looping or cycling the network endlessly. TTL is used intentionally to limit the journey of the packet If the source wants to confine the packet to the local network, it can store 1 in TTL

21 Transmission Control Protocol (TCP)
TCP is connection-oriented It establishes a virtual path between the source and destination. All of the segments belonging to a message are then sent over this virtual path. You may wonder how TCP, which uses the services of IP, a connectionless protocol, can be connection-oriented. A TCP connection is virtual, not physical. TCP uses the services of IP to deliver individual segments to the receiver, but it controls the connection itself. If a segment is lost or corrupted, it is retransmitted

22 TCP Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) depending on options Window Size: Normally receiving window (rwnd) in bytes Checksum: Used to detect errors over the entire user datagram (header + data) Urgent Pointer Valid only if the URG flag is set. Used when the segment contains urgent data Define a value that must be added to the sequence number to obtain the number of the last urgent byte in the data section of the segment

23 Port Addresses The local host and the remote host are defined using IP addresses To define the client and server programs, the 2nd IDs are needed. They are called port numbers In TCP/IP, the port numbers are integers between 0 and 65,535 The server uses well-known port numbers, which are less than 1,024 A client program on the local computer defines itself with a port number (called ephemeral port number), chosen randomly by the TCP software.

24 TCP Control Field PSH: Should be processed immediately
URG: Urgent data RST: Reset the connection Deny a connection request Abort an existing connection Terminate an idle connection p445 * PSH Example: consider an interactive application, where the application program on one site wants to send a keystroke to the application at the other site and receive an immediate response. Delayed transmission and delayed delivery of data may not be acceptable by the application program. TCP can handle such a situation. The application program at the sender can request a push operation. This means that the sending TCP must not wait for the window to be filled. It must create a segment and send it immediately. The sending TCP must also set the PUSH bit to let the receiving TCP know that the segment includes data that must be delivered to the receiving application program as soon as possible. * URG: Data is presented from the application program to TCP as a stream of bytes. Each byte of data has a position in the stream. But there are occasions in which an application program needs to send urgent bytes, some bytes that need to be treated in a special way by the application at the other end. The solution is to send a segment with the URG bit set.

25 IP + TCP

26 TCP Connection Establishment

27 SYN Flooding Attack A SYN flood tries to exhaust states in the TCP/IP stack Since TCP maintains “reliable” connections, each connection needs to be tracked somewhere; The TCP/IP stack in the kernel handles this, but it has a finite table that can only track so many incoming connections Attackers flood the victim’s system with many SYN packets, using spoofed non-existing source addresses Victim machine sends a SYN/ACK packet to the non-existing IP address and never get the ACK response A kind of denial-of-service (DoS) attacks

28 TCP Connection Termination with 3-way Handshaking

29 Notes A SYN can’t carry data, but it consumes one sequence number
A SYN + ACK segment can’t carry data, but it consumes one sequence number An ACK segment, if carrying no data, consumes no sequence number The FIN segment consumes one sequence number if it does not carry data The FIN + ACK segment consumes one sequence number if it does not carry data

30 Data Transfer with TCP

31 Flow Control Client Server

32 Flow Control Example

33 TCP Retransmission Timer
To control a lost or discarded segment, TCP employs a retransmission timer that handles the retransmission time. When TCP sends a segment, it creates a retransmission timer for that particular segment If the timer goes off before the acknowledgement arrives, the segment is retransmitted and the timer is reset TCP uses the dynamic retransmission time, A retransmission time is different for each connection A retransmission time may be different during the same connection The most common retransmission time: 2 x RTT

34 Round Trip Time (RTT) Calculation
2 methods TCP uses the timestamp option 10-B option TCP sends a segment, start a timer, and waits for an acknowledge Measure the time between the sending of the segment and the receiving of the acknowledgement RTT = α x previous RTT + (1 - α) x current RTT (α usually 90%)

35 Hubs A hub is no more than a repeating device operating on the layer 1 (physical layer) of the OSI model A hub takes packets sent from one port and transmits (repeats) them to every other port on the device A hub can generate a lot of unnecessary traffic and are capable of operating only in half-duplex mode, it is not typically used in most modern networks (switches are used instead)

36 Switches Like a hub, a switch is designed to repeat packets
Unlike a hub, a switch (full-duplex device) sends data to only the computer for which the data is intended (rather than broadcasting data to every port) Switches operate on the layer 2 (data link layer) of the OSI model Switches store the layer 2 address (MAC address) of every connected device in a CAM table

37 Routers Routers operate on the layer 3 (Network layer) of the OSI model Routers use IP addresses (layer 3) to uniquely identify devices on a network

38 Traffic Classification
Broadcast A broadcast traffic is one that is sent to all ports on a network segment Each broadcast domain extends until it reaches the router Broadcast packets circulate only within specified broadcast domain Layer 2 broadcast: the MAC address, FF:FF:FF:FF:FF:FF is the reserved broadcast address Layer 3 broadcast: The highest possible IP address is reserved for use as the broadcast address IP: xxx Subnet mask: Broadcast address: Multicast Unicast

39 Router Paths and Packet Switching
As a packet travels from one networking device to another The Source and Destination IP addresses NEVER change The Source and Destination MAC addresses CHANGE as packet is forwarded from one router to the next TTL field decrement by one until a value of zero is reached at which pointer router discards packet (prevents packets from endlessly traversing the network) Source: CISCO Network Academy


41 Path Determination and Switching Example
PC1 wants to send something to PC2 Step 1: PC1 encapsulates packet into a frame; The frame contains R1’s destination MAC address Source: CISCO Network Academy

42 Path Determination and Switching Example
Step 2: R1 sees that the destination MAC address matches its own MAC R1 then strips off Ethernet frame R1 examines destination IP R1 consults routing table looking for destination IP After finding destination IP in routing table, R1 now looks up the next hop address R1 re-encapsulates IP packet with a new Ethernet frame R1 forwards Ethernet packet out Fa0/1 interface Source: CISCO Network Academy

43 Path Determination and Switching Example
Source: CISCO Network Academy

44 Path Determination and Switching Example
Step 3 - Packet arrives at R2 R2 receives Ethernet frame R2 sees that destination MAC address matches its own MAC R2 then strips off Ethernet frame R2 examines destination IP R2 consults routing table looking for destination IP After finding destination IP in routing table, R2 now looks up the next hop IP address R2 re-encapsulates IP packet with a new data link frame R2 forwards Ethernet packet out S0/0 interface Source: CISCO Network Academy

45 Path Determination and Switching Example
Step 4 – Packet arrives at R3 R3 receives PPP frame R3 then strips off PPP frame R3 examines destination IP R3 consults routing table looking for destination IP After finding destination IP in routing table, it figures out that R3 is directly connected to destination via its fast Ethernet interface R3 re-encapsulates IP packet with a new Ethernet frame R3 forwards Ethernet packet out Fa0/0 interface Step 5 – IP packet arrive at PC2 Frame is decapsulated and processed by upper layer protocols Source: CISCO Network Academy PPP (Point-to-Point Protocol)

46 Network Address Translation (NAT)
NAT is a technology providing the mapping between the private and universal addresses

47 Network Address Translation (NAT)
Use port numbers for a many-to-many communication between private network hosts and external server programs

48 Address Resolution Protocol (ARP)
ARP (Address Resolution Protocol) In TCP/IP, a protocol for obtaining the physical address of a node when the Internet address is known

49 Example

50 ARP Redirection ARP cache poisoning
No state info about the ARP traffic is kept in a system Attacker sends spoofed ARP replies to certain devices ARP cache is overwritten with attacker’s MAC address

51 Domain Name Service (DNS)
People prefer to use names instead of numeric addresses So, need a system that maps a name to an address or an address to a name

52 POP3, SMTP POP3: Post Office Protocol, Version 3
IMAP4: Internet Mail Access Protocol, Version 4 SMTP: Simple Mail Transfer Protocol for communication between the sender and the sender’s mail server for communication between the 2 mail servers

53 Backup Slides

54 Linksys Router – WRT54G

55 Packet Analysis Programs
tcpdump OmniPeek Wireshark

56 Regarding Multicast Every Ethernet frame with its destination in the range e ~ ff-ff-ff contains data for a multicast group The prefix e identifies the frame as multicast The next bit is always 0 So, the upper 25 bits in MAC address are fixed. Only the lower 23 bits (among 48-bit MAC addr) are used for the multicast address Multicast groups are 28-bits long ( /4) The lower 23-bit of the IP multicast group are placed in the frame (The 5 high-order bits are ignored), resulting in 32 different multicast groups being mapped to the same Ethernet address Both Ethernet and FDDI frames have a 48 bit destination address field. In order to avoid a kind of multicast ARP to map multicast IP addresses to ethernet/FDDI ones, the IANA reserved a range of addresses for multicast: every ethernet/FDDI frame with its destination in the range e to e-ff-ff-ff (hex) contains data for a multicast group. The prefix e identifies the frame as multicast, the next bit is always 0 and so only 23 bits are left to the multicast address. As IP multicast groups are 28 bits long, the mapping can not be one-to-one. Only the 23 least significant bits of the IP multicast group are placed in the frame. The remaining 5 high-order bits are ignored, resulting in 32 different multicast groups being mapped to the same ethernet/FDDI address. This means that the ethernet layer acts as an imperfect filter, and the IP layer will have to decide whether to accept the datagrams the data-link layer passed to it. The IP layer acts as a definitive perfect filter.

Download ppt "COM850 Computer Hacking and Security Lecture 2. Network Basics"

Similar presentations

Ads by Google