Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 2. Network Basics Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security.

Similar presentations

Presentation on theme: "Lecture 2. Network Basics Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security."— Presentation transcript:

1 Lecture 2. Network Basics Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security

2 Korea Univ Open Systems Interconnection (OSI) International Standards Organization (ISO) is a multinational body dedicated to worldwide agreement on international standards.  Almost three-fourths of countries in the world are represented in the ISO. An ISO standard that covers all aspects of network communications is the Open Systems Interconnection (OSI) model.  It was first introduced in the late 1970s. The OSI model is a layered framework for the design of network systems that allows communication between all types of computer systems 2

3 Korea Univ OSI 7 Layers 3 Physical: transmit bits over a medium Data link: organize bits into a frame Network: move packets from source to destination Transport: provide reliable process-to-process message delivery Session: establish, manage, and terminate sessions Presentation: translate, encrypt and compress data Application: allow access to the network resources, POP3, IMAP

4 Korea Univ TCP/IP Protocol Suite The TCP/IP protocol suite was developed prior to the OSI model  Thus, the layer in TCP/IP do not match exactly with those in OSI 4

5 Korea Univ Encapsulation 5

6 Korea Univ OSI Layers 6 As a message travels from A to B, it may pass through many intermediate nodes. These intermediate nodes usually involve only the first three layers of the OSI model client server Router ARouter B

7 Korea Univ Ethernet Local Area Network (LAN) is a computer network designed for a limited geographic area such as a building or a campus Most LANs are linked to a wide area network (WAN) or the Internet There are several technologies for LAN such as Ethernet, Token ring, Token bus, FDDI and ATM LAN Ethernet is by far the dominant technology 7

8 Korea Univ Ethernet Frame 8 CRC: Cyclic Redundancy Checking MAC (Media Access Control) addresses

9 Korea Univ Ethernet Type Field 9 Source:

10 Korea Univ Internet Protocol (IP) IP is the transmission mechanism at the network layer IP is an unreliable and connectionless datagram protocol – best-effort delivery  Each datagram is handled independently, and each datagram can follow a different route to the destination  It implies that datagrams sent by the same source to the same destination could arrive out of order  IP packets can be corrupted, lost, arrived out of order or delayed 10 Packets in the network layer are called datagrams

11 Korea Univ IP Datagram 11 Version (VER): IPv4 or IPv6 Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) depending on options Service Type (TOS): cost, reliability, throughput, delay Total length: header + data in bytes (max 65535 B)  Max. size of data field, Maximum Transfer Unit (MTU), differs from one physical network to another  Ethernet LAN: 1500B, FDDI LAN: 4352B, PPP: 296B ID, Flags, and Fragmentation offset are used in fragmentation TTL

12 Korea Univ IPv4 Addresses The identifier used in the IP layer, to identify each device connected to the Internet is called Internet address, or IP address IPv4 address is 32-bit long  The address space of IPv4 is 2 32, or 4,294,967,296 IPv4 addresses are unique and universal IP addresses use the concept of classes  Classful addressing In the mid-1990s, a new architecture called classless addressing was introduced  Classless addressing supersedes the classful addressing 12

13 Korea Univ Classful Addressing 13

14 Korea Univ Classful Addressing 14 Class A: 128 (2 7 ) blocks that can be assigned to 128 organizations, each block has 16,777,216 addresses  Millions of class A address are wasted Class B: 16,384 (2 14 ) blocks, each block has 65536 addresses  Many class B addresses are wasted Class C: 2,097,152 (2 21 ) blocks, each block has 256 addresses  Not so many organizations are so small to have a class C block netid defines network. Network address is used in routing a packet to its destination network hostid defines a particular host on the network

15 Korea Univ Classless Addressing Solutions to the IP address depletion problem  IPv6: 128-bit (or 16B) long  Classless addressing: use IPv4, but change the distribution of addresses to provide a fair share to each organization In classless addressing, variable-length blocks are used that belong to no classes  Prefix defines network, and suffix defines host  The prefix length can be 1 to 32 15 Slash notation, formally referred to as Classless Interdomain Routing (CIDR)

16 Korea Univ Examples One of the addresses in a block is  Number of addresses:  First address in the block:  Last address in the block: One of the addresses in a block is  Number of addresses:  First address in the block:  Last address in the block: 16 256 4096

17 Korea Univ Special Addresses  Reserved for communication when a host does not know its own address  Normally used at bootstrap time to get IP from DHCP server  Reserved for limited broadcast address in the current network  Used for the loopback address, which is an address used to test the software on a machine 17

18 Korea Univ Special Addresses Private addresses  A number of blocks are assigned for private use. They are not recognized globally. These addresses are used either in isolation or in connection with network address translation (NAT) techniques Multicast addresses  is reserved for multicast communication 18

19 Korea Univ Special Addresses in Each block Network Address: the first address (with the suffix set all to 0s) in a block defines the network address.  It defines the network itself and not any host in the network Direct Broadcast Address: the last address in a block  It is usually used by a router to send a packet to all hosts in a specific network  All hosts will accept a packet having this type of destination address  This address can be used only as a destination address in an IPv4 packet 19

20 Korea Univ TTL TTL is used for controlling the maximum number of hops (routers) visited by the datagram  When a source host sends the datagram, it stores a number in TTL, which is approximately 2X the max. number of hops between any 2 hosts  TTL is needed because routing tables in the Internet can become corrupted, resulting in packet’s looping or cycling the network endlessly. TTL is used intentionally to limit the journey of the packet  If the source wants to confine the packet to the local network, it can store 1 in TTL 20

21 Korea Univ Transmission Control Protocol (TCP) TCP is connection-oriented  It establishes a virtual path between the source and destination. All of the segments belonging to a message are then sent over this virtual path.  You may wonder how TCP, which uses the services of IP, a connectionless protocol, can be connection- oriented. A TCP connection is virtual, not physical. TCP uses the services of IP to deliver individual segments to the receiver, but it controls the connection itself. If a segment is lost or corrupted, it is retransmitted 21

22 Korea Univ TCP 22 Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) depending on options Window Size: Normally receiving window (rwnd) in bytes Checksum: Used to detect errors over the entire user datagram (header + data) Urgent Pointer  Valid only if the URG flag is set.  Used when the segment contains urgent data  Define a value that must be added to the sequence number to obtain the number of the last urgent byte in the data section of the segment

23 Korea Univ Port Addresses The local host and the remote host are defined using IP addresses To define the client and server programs, the 2 nd IDs are needed. They are called port numbers In TCP/IP, the port numbers are integers between 0 and 65,535  The server uses well-known port numbers, which are less than 1,024  A client program on the local computer defines itself with a port number (called ephemeral port number), chosen randomly by the TCP software. 23

24 Korea Univ TCP Control Field 24 PSH: Should be processed immediately URG: Urgent data RST: Reset the connection  Deny a connection request  Abort an existing connection  Terminate an idle connection

25 Korea Univ IP + TCP 25

26 Korea Univ TCP Connection Establishment 26

27 Korea Univ SYN Flooding Attack A SYN flood tries to exhaust states in the TCP/IP stack  Since TCP maintains “reliable” connections, each connection needs to be tracked somewhere; The TCP/IP stack in the kernel handles this, but it has a finite table that can only track so many incoming connections Attackers flood the victim’s system with many SYN packets, using spoofed non-existing source addresses  Victim machine sends a SYN/ACK packet to the non-existing IP address and never get the ACK response A kind of denial-of-service (DoS) attacks 27

28 Korea Univ TCP Connection Termination with 3-way Handshaking 28

29 Korea Univ Notes A SYN can’t carry data, but it consumes one sequence number A SYN + ACK segment can’t carry data, but it consumes one sequence number An ACK segment, if carrying no data, consumes no sequence number The FIN segment consumes one sequence number if it does not carry data The FIN + ACK segment consumes one sequence number if it does not carry data 29

30 Korea Univ Data Transfer with TCP 30

31 Korea Univ Flow Control 31 ClientServer

32 Korea Univ Flow Control Example 32

33 Korea Univ TCP Retransmission Timer To control a lost or discarded segment, TCP employs a retransmission timer that handles the retransmission time.  When TCP sends a segment, it creates a retransmission timer for that particular segment If the timer goes off before the acknowledgement arrives, the segment is retransmitted and the timer is reset TCP uses the dynamic retransmission time,  A retransmission time is different for each connection  A retransmission time may be different during the same connection The most common retransmission time: 2 x RTT 33

34 Korea Univ Round Trip Time (RTT) Calculation 2 methods  TCP uses the timestamp option 10-B option  TCP sends a segment, start a timer, and waits for an acknowledge Measure the time between the sending of the segment and the receiving of the acknowledgement RTT = α x previous RTT + (1 - α ) x current RTT ( α usually 90%) 34

35 Korea Univ Hubs 35 A hub is no more than a repeating device operating on the layer 1 (physical layer) of the OSI model A hub takes packets sent from one port and transmits (repeats) them to every other port on the device A hub can generate a lot of unnecessary traffic and are capable of operating only in half-duplex mode, it is not typically used in most modern networks (switches are used instead)

36 Korea Univ Switches 36 Like a hub, a switch is designed to repeat packets Unlike a hub, a switch (full-duplex device) sends data to only the computer for which the data is intended (rather than broadcasting data to every port) Switches operate on the layer 2 (data link layer) of the OSI model Switches store the layer 2 address (MAC address) of every connected device in a CAM table

37 Korea Univ Routers 37 Routers operate on the layer 3 (Network layer) of the OSI model  Routers use IP addresses (layer 3) to uniquely identify devices on a network

38 Korea Univ Traffic Classification Broadcast  A broadcast traffic is one that is sent to all ports on a network segment Each broadcast domain extends until it reaches the router Broadcast packets circulate only within specified broadcast domain  Layer 2 broadcast: the MAC address, FF:FF:FF:FF:FF:FF is the reserved broadcast address  Layer 3 broadcast: The highest possible IP address is reserved for use as the broadcast address IP: Subnet mask: Broadcast address: Multicast Unicast 38

39 Korea Univ Router Paths and Packet Switching As a packet travels from one networking device to another  The Source and Destination IP addresses NEVER change  The Source and Destination MAC addresses CHANGE as packet is forwarded from one router to the next  TTL field decrement by one until a value of zero is reached at which pointer router discards packet (prevents packets from endlessly traversing the network) 39 Source: CISCO Network Academy

40 Korea Univ 40

41 Korea Univ Path Determination and Switching Example PC1 wants to send something to PC2  Step 1: PC1 encapsulates packet into a frame; The frame contains R1’s destination MAC address 41 Source: CISCO Network Academy

42 Korea Univ Path Determination and Switching Example Step 2:  R1 sees that the destination MAC address matches its own MAC  R1 then strips off Ethernet frame  R1 examines destination IP  R1 consults routing table looking for destination IP After finding destination IP in routing table, R1 now looks up the next hop address  R1 re-encapsulates IP packet with a new Ethernet frame  R1 forwards Ethernet packet out Fa0/1 interface 42 Source: CISCO Network Academy

43 Korea Univ Path Determination and Switching Example Source: CISCO Network Academy

44 Korea Univ Path Determination and Switching Example Step 3 - Packet arrives at R2  R2 receives Ethernet frame  R2 sees that destination MAC address matches its own MAC  R2 then strips off Ethernet frame  R2 examines destination IP  R2 consults routing table looking for destination IP After finding destination IP in routing table, R2 now looks up the next hop IP address  R2 re-encapsulates IP packet with a new data link frame  R2 forwards Ethernet packet out S0/0 interface 44 Source: CISCO Network Academy

45 Korea Univ Path Determination and Switching Example Step 4 – Packet arrives at R3  R3 receives PPP frame  R3 then strips off PPP frame  R3 examines destination IP  R3 consults routing table looking for destination IP After finding destination IP in routing table, it figures out that R3 is directly connected to destination via its fast Ethernet interface  R3 re-encapsulates IP packet with a new Ethernet frame  R3 forwards Ethernet packet out Fa0/0 interface Step 5 – IP packet arrive at PC2  Frame is decapsulated and processed by upper layer protocols 45 Source: CISCO Network Academy PPP (Point-to-Point Protocol)

46 Korea Univ Network Address Translation (NAT) NAT is a technology providing the mapping between the private and universal addresses 46

47 Korea Univ Network Address Translation (NAT) 47 Use port numbers for a many-to-many communication between private network hosts and external server programs

48 Korea Univ Address Resolution Protocol (ARP) ARP (Address Resolution Protocol)  In TCP/IP, a protocol for obtaining the physical address of a node when the Internet address is known 48

49 Korea Univ Example 49

50 Korea Univ ARP Redirection ARP cache poisoning  No state info about the ARP traffic is kept in a system  Attacker sends spoofed ARP replies to certain devices ARP cache is overwritten with attacker’s MAC address 50

51 Korea Univ Domain Name Service (DNS) 51 People prefer to use names instead of numeric addresses So, need a system that maps a name to an address or an address to a name

52 Korea Univ POP3, SMTP POP3: Post Office Protocol, Version 3 IMAP4: Internet Mail Access Protocol, Version 4 SMTP: Simple Mail Transfer Protocol  for communication between the sender and the sender’s mail server  for communication between the 2 mail servers 52

53 Korea Univ 53 Backup Slides

54 Korea Univ Linksys Router – WRT54G 54

55 Korea Univ Packet Analysis Programs tcpdump OmniPeek Wireshark 55

56 Korea Univ Regarding Multicast 56 Every Ethernet frame with its destination in the range 01-00- 5e-00-00-00 ~ 01-00-53-ff-ff-ff contains data for a multicast group  The prefix 01-00-5e identifies the frame as multicast  The next bit is always 0  So, the upper 25 bits in MAC address are fixed. Only the lower 23 bits (among 48-bit MAC addr) are used for the multicast address Multicast groups are 28-bits long (  The lower 23-bit of the IP multicast group are placed in the frame (The 5 high-order bits are ignored), resulting in 32 different multicast groups being mapped to the same Ethernet address

Download ppt "Lecture 2. Network Basics Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security."

Similar presentations

Ads by Google