COM850 Computer Hacking and Security Lecture 2. Network Basics Prof. Taeweon Suh Computer Science Education Korea University
Open Systems Interconnection (OSI) • International Standards Organization (ISO) is a multinational body dedicated to worldwide agreement on international standards. • Almost three-fourths of countries in the world are represented in the ISO. • An ISO standard that covers all aspects of network communications is the Open Systems Interconnection (OSI) model. • It was first introduced in the late 1970s. • The OSI model is a layered framework for the design of network systems that allows communication between all types of computer systems
OSI 7 Layers • Physical: transmit bits over a medium • Data link: organize bits into a frame • Network: move packets from source to destination • Transport: provide reliable process-to-process message delivery • Session: establish, manage, and terminate sessions • Presentation: translate, encrypt and compress data • Application: allow access to the network resources (e.g., POP3, SMTP, IMAP)
OSI Layers • As a message travels from A to B, it may pass through many intermediate nodes. • These intermediate nodes usually involve only the first three layers of the OSI model
Ethernet • Local Area Network (LAN) is a computer network designed for a limited geographic area such as a building or a campus • Most LANs are linked to a wide area network (WAN) or the Internet • There are several technologies for LAN such as Ethernet, Token ring, Token bus, FDDI and ATM LAN • Ethernet is by far the dominant technology
Ethernet Frame [figure: Ethernet frame layout] • MAC (Media Access Control) addresses • CRC: Cyclic Redundancy Checking
Ethernet Type Field [figure: EtherType values] Source: http://www.networkdictionary.com/networking/EtherType.php
Internet Protocol (IP) • Packets in the network layer are called datagrams • IP is the transmission mechanism at the network layer • IP is an unreliable and connectionless datagram protocol: best-effort delivery • Each datagram is handled independently, and each datagram can follow a different route to the destination • This implies that datagrams sent by the same source to the same destination could arrive out of order • IP packets can be corrupted, lost, arrive out of order, or be delayed
IP Datagram [figure: IPv4 header layout, TTL field highlighted] • Version (VER): IPv4 or IPv6 • Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) bytes depending on options • Service Type (TOS): cost, reliability, throughput, delay • Total length: header + data in bytes (max 65535 B) • The maximum size of the data field, the Maximum Transfer Unit (MTU), differs from one physical network to another • Ethernet LAN: 1500 B, FDDI LAN: 4352 B, PPP: 296 B • ID, Flags, and Fragmentation offset are used in fragmentation
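The frame and header fields described on the Ethernet and IP Datagram slides, decoded from raw bytes. This is an added example, not code from the lecture; the frame contents (MACs, 10.0.0.x addresses, payload) are constructed, and the header checksum check is the standard ones-complement rule.

```python
import struct

ETH_IPV4 = 0x0800   # EtherType value for IPv4 in the Ethernet type field

def ipv4_header_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet header, 20-byte IPv4 header, 4-byte payload."""
    dst_mac = bytes.fromhex("001122334455")   # made-up MAC addresses
    src_mac = bytes.fromhex("66778899aabb")
    payload = b"\xde\xad\xbe\xef"
    ver_hlen = (4 << 4) | 5                   # version 4, HLEN 5 words = 20 B
    total_len = 20 + len(payload)
    flags_frag = 0x4000                       # DF set, fragment offset 0
    ttl, proto = 64, 6                        # TTL 64, protocol 6 = TCP
    hdr = struct.pack("!BBHHHBBH4s4s", ver_hlen, 0, total_len, 0x1234,
                      flags_frag, ttl, proto, 0, bytes([10, 0, 0, 1]),
                      bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + hdr + payload

def parse_frame(frame: bytes) -> dict:
    """Decode the EtherType and the fixed IPv4 header fields named on the slide."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    hlen = (ver_hlen & 0x0F) * 4              # 20..60 bytes depending on options
    if not 20 <= hlen <= 60 or total_len > len(ip):
        raise ValueError("inconsistent header or total length")
    return {"version": ver_hlen >> 4, "hlen": hlen, "tos": tos,
            "total_len": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
            "header_ok": ipv4_header_checksum(ip[:hlen]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
```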
IPv4 Addresses • The identifier used in the IP layer to identify each device connected to the Internet is called the Internet address, or IP address • An IPv4 address is 32 bits long • The address space of IPv4 is 2^32, or 4,294,967,296 • IPv4 addresses are unique and universal • IP addresses use the concept of classes • Classful addressing • Classless addressing supersedes classful addressing
Classful Addressing • netid defines the network. The network address is used in routing a packet to its destination network • hostid defines a particular host on the network • Class A: 128 (2^7) blocks that can be assigned to 128 organizations; each block has 16,777,216 addresses • Millions of class A addresses are wasted • Class B: 16,384 (2^14) blocks; each block has 65,536 addresses • Many class B addresses are wasted • Class C: 2,097,152 (2^21) blocks; each block has 256 addresses • Not many organizations are small enough to fit in a class C block
Classless Addressing • Solutions to the IP address depletion problem • IPv6: 128 bits (16 B) long • Classless addressing: keep IPv4, but change the distribution of addresses to provide a fair share to each organization • In classless addressing, variable-length blocks are used that belong to no classes • The prefix defines the network, and the suffix defines the host • The prefix length can be 1 to 32 • Slash notation, formally referred to as Classless Interdomain Routing (CIDR)
Examples • One of the addresses in a block is 17.63.110.114/24 • Number of addresses: 256 • First address in the block: 17.63.110.0 • Last address in the block: 17.63.110.255 • One of the addresses in a block is 110.23.120.14/20 • Number of addresses: 4096 • First address in the block: 110.23.112.0 • Last address in the block: 17.63.127.255
Special Addresses • 0.0.0.0/32 • Reserved for communication when a host does not know its own address • Normally used at bootstrap time to get IP from DHCP server • 255.255.255.255/32 • Reserved for limited broadcast address in the current network • 127.0.0.0/8 • Used for the loopback address, which is an address used to test the software on a machine
Special Addresses • Private addresses • A number of blocks are assigned for private use. They are not recognized globally. These addresses are used either in isolation or in connection with network address translation (NAT) techniques • Multicast addresses • 224.0.0.0/4 is reserved for multicast communication
Special Addresses in Each Block • Network Address: the first address (with the suffix set all to 0s) in a block defines the network address • It defines the network itself and not any host in the network • Direct Broadcast Address: the last address in a block • It is usually used by a router to send a packet to all hosts in a specific network • All hosts will accept a packet having this type of destination address • This address can be used only as a destination address in an IPv4 packet
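The CIDR arithmetic from the Classless Addressing and Examples slides, followed by the special-address rules from the three Special Addresses slides, as an added example (not the lecture's code). It recomputes the two example blocks above from their prefix lengths; the three private ranges are the RFC 1918 blocks, which the slide mentions without listing.

```python
import ipaddress
from typing import Optional

def block_info(cidr: str) -> dict:
    """From any address in a block plus its prefix length, derive the block's
    size, first (network) address and last (direct broadcast) address."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(addr_str))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = addr & mask                      # suffix all 0s: network address
    last = first | (~mask & 0xFFFFFFFF)      # suffix all 1s: direct broadcast
    return {"count": 2 ** (32 - prefix),
            "first": str(ipaddress.IPv4Address(first)),
            "last": str(ipaddress.IPv4Address(last))}

# Reserved ranges from the slides; the private blocks are the RFC 1918 ranges.
SPECIAL_BLOCKS = [
    ("this-host", "0.0.0.0/32"), ("limited-broadcast", "255.255.255.255/32"),
    ("loopback", "127.0.0.0/8"), ("multicast", "224.0.0.0/4"),
    ("private", "10.0.0.0/8"), ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
]

def classify(address: str, prefix: Optional[int] = None) -> str:
    """Name an address's special role: network or direct-broadcast address of
    its own block (when a prefix is given), else the reserved block it lies in."""
    if prefix is not None:
        info = block_info(f"{address}/{prefix}")
        if address == info["first"]:
            return "network-address"
        if address == info["last"]:
            return "direct-broadcast"
    a = int(ipaddress.IPv4Address(address))
    for name, block in SPECIAL_BLOCKS:
        b = block_info(block)
        lo, hi = (int(ipaddress.IPv4Address(b[k])) for k in ("first", "last"))
        if lo <= a <= hi:
            return name
    return "host"
```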
TTL • TTL is used to control the maximum number of hops (routers) visited by the datagram • When a source host sends the datagram, it stores a number in TTL that is approximately 2X the maximum number of hops between any two hosts • TTL is needed because routing tables in the Internet can become corrupted, resulting in a packet looping or cycling through the network endlessly • TTL is used intentionally to limit the journey of the packet • If the source wants to confine the packet to the local network, it can store 1 in TTL
Transmission Control Protocol (TCP) • TCP is connection-oriented • It establishes a virtual path between the source and destination. • All of the segments belonging to a message are then sent over this virtual path. • You may wonder how TCP, which uses the services of IP, a connectionless protocol, can be connection-oriented. • A TCP connection is virtual, not physical. • TCP uses the services of IP to deliver individual segments to the receiver, but it controls the connection itself. If a segment is lost or corrupted, it is retransmitted
TCP • Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) depending on options • Window Size: Normally receiving window (rwnd) in bytes • Checksum: Used to detect errors over the entire user datagram (header + data) • Urgent Pointer • Valid only if the URG flag is set. • Used when the segment contains urgent data • Define a value that must be added to the sequence number to obtain the number of the last urgent byte in the data section of the segment
Port Addresses • The local host and the remote host are defined using IP addresses • To define the client and server programs, second identifiers are needed; they are called port numbers • In TCP/IP, the port numbers are integers between 0 and 65,535 • The server uses well-known port numbers, which are less than 1,024 • A client program on the local computer defines itself with a port number (called an ephemeral port number), chosen randomly by the TCP software
TCP Control Field • PSH: Should be processed immediately • URG: Urgent data • RST: Reset the connection • Deny a connection request • Abort an existing connection • Terminate an idle connection
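The TCP header fields and rules from the TCP, Port Addresses and TCP Control Field slides applied to raw bytes: header length from the options, the control-field bits, the urgent pointer rule and the well-known versus ephemeral port rule. Added example, not the lecture's code; the checksum is left zero in the constructed segments because filling it needs the IP pseudo-header.

```python
import struct

TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04,
             "SYN": 0x02, "FIN": 0x01}     # bit values in the control field

def build_tcp_header(src_port, dst_port, seq, ack, flags, window,
                     urg_ptr=0, options=b""):
    """Pack a TCP header; HLEN grows from 5 words (20 B) to at most 15 (60 B).
    The checksum is left 0 here: computing it needs the IP pseudo-header."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad options to 32-bit words
    hlen = 5 + len(options) // 4
    if hlen > 15:
        raise ValueError("options too long: header would exceed 60 bytes")
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (hlen << 12) | flag_bits, window, 0, urg_ptr) + options

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fields named on the slides and apply their rules."""
    (src, dst, seq, ack, off_flags,
     window, _csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    if not 20 <= hlen <= 60 or hlen > len(segment):
        raise ValueError("bad TCP header length %d" % hlen)
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "hlen": hlen, "flags": flags, "window": window,   # rwnd in bytes
        "options": segment[20:hlen], "data": segment[hlen:],
        # Urgent pointer counts only when URG is set: seq + pointer is the
        # number of the last urgent byte (the slide's definition).
        "last_urgent_byte": seq + urg if "URG" in flags else None,
        # Well-known ports are below 1024; the other end is an ephemeral port.
        "server_port": dst if dst < 1024 else (src if src < 1024 else None),
        # A SYN (and a FIN) consumes one sequence number even without data;
        # a bare ACK consumes none.
        "seq_consumed": len(segment) - hlen
                        + (1 if "SYN" in flags or "FIN" in flags else 0),
    }
```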
SYN Flooding Attack • A SYN flood tries to exhaust states in the TCP/IP stack • Since TCP maintains "reliable" connections, each connection needs to be tracked somewhere; the TCP/IP stack in the kernel handles this, but it has a finite table that can only track so many incoming connections • Attackers flood the victim's system with many SYN packets, using spoofed non-existent source addresses • The victim machine sends a SYN/ACK packet to the non-existent IP address and never gets the ACK response • A kind of denial-of-service (DoS) attack
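A model of the victim-side state the slide describes (a finite table of half-open connections) together with the detection signal it gives off: sources whose SYN/ACKs are never acknowledged. This is an added example, not the lecture's code; the trace, table size and timeout are constructed, and the addresses come from the documentation ranges.

```python
from collections import defaultdict

class HalfOpenTracker:
    """Server side of the handshake: each SYN we answer occupies a slot in a
    finite table until the client's ACK arrives or the entry times out."""

    def __init__(self, table_size=4, timeout=3.0, alert_threshold=3):
        self.table_size, self.timeout = table_size, timeout
        self.alert_threshold = alert_threshold
        self.half_open = {}                  # (src_ip, src_port) -> SYN arrival time
        self.dropped = 0                     # SYNs refused because the table was full
        self.unanswered = defaultdict(int)   # src_ip -> SYN/ACKs never acknowledged

    def expire(self, now):
        for key, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[key]
                self.unanswered[key[0]] += 1

    def on_segment(self, now, src_ip, src_port, flags):
        self.expire(now)
        key = (src_ip, src_port)
        if flags == {"SYN"}:
            if len(self.half_open) >= self.table_size:
                self.dropped += 1            # real clients are now refused too
                return "dropped"
            self.half_open[key] = now
            return "syn-ack-sent"
        if flags == {"ACK"} and key in self.half_open:
            del self.half_open[key]          # third step: handshake completed
            return "established"
        return "ignored"

    def suspects(self):
        return sorted(ip for ip, n in self.unanswered.items()
                      if n >= self.alert_threshold)

# Constructed trace (documentation-range addresses): 192.0.2.10 completes its
# handshake; 198.51.100.9 appears as the source of SYNs never followed by an ACK.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 40001, {"SYN"}), (0.1, "192.0.2.10", 40001, {"ACK"}),
    (1.0, "198.51.100.9", 1001, {"SYN"}), (1.1, "198.51.100.9", 1002, {"SYN"}),
    (1.2, "198.51.100.9", 1003, {"SYN"}), (1.3, "198.51.100.9", 1004, {"SYN"}),
    (1.4, "192.0.2.11", 40002, {"SYN"}),   # legitimate SYN while the table is full
    (5.0, "192.0.2.11", 40002, {"SYN"}),   # retry after the stale entries expire
]

def replay(events, **kwargs):
    tracker = HalfOpenTracker(**kwargs)
    return tracker, [tracker.on_segment(*event) for event in events]
```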
Notes • A SYN can’t carry data, but it consumes one sequence number • A SYN + ACK segment can’t carry data, but it consumes one sequence number • An ACK segment, if carrying no data, consumes no sequence number
Flow Control [figure: client/server flow-control exchange]
TCP Retransmission Timer • To handle a lost or discarded segment, TCP employs a retransmission timer that controls the retransmission time • When TCP sends a segment, it creates a retransmission timer for that particular segment • If the timer goes off before the acknowledgement arrives, the segment is retransmitted and the timer is reset • TCP uses a dynamic retransmission time: • The retransmission time is different for each connection • The retransmission time may change during the same connection • The most common retransmission time: 2 x RTT
Round Trip Time (RTT) Calculation • 2 methods • TCP uses the timestamp option (a 10-B option) • TCP sends a segment, starts a timer, and waits for an acknowledgement; the RTT is the time between sending the segment and receiving the acknowledgement • RTT = α x previous RTT + (1 - α) x current RTT (α usually 90%)
Hubs • A hub is no more than a repeating device operating on layer 1 (the physical layer) of the OSI model • A hub takes packets sent from one port and transmits (repeats) them to every other port on the device • Because a hub generates a lot of unnecessary traffic and can operate only in half-duplex mode, it is not typically used in modern networks (switches are used instead)
Switches • Like a hub, a switch is designed to repeat packets • Unlike a hub, a switch (full-duplex device) sends data to only the computer for which the data is intended (rather than broadcasting data to every port) • Switches operate on the layer 2 (data link layer) of the OSI model • Switches store the layer 2 address (MAC address) of every connected device in a CAM table
Routers • Routers operate on the layer 3 (Network layer) of the OSI model • Routers use IP addresses (layer 3) to uniquely identify devices on a network
Traffic Classification • Broadcast • Broadcast traffic is sent to all ports on a network segment • Each broadcast domain extends until it reaches the router • Broadcast packets circulate only within the specified broadcast domain • Layer 2 broadcast: the MAC address FF:FF:FF:FF:FF:FF is the reserved broadcast address • Layer 3 broadcast: the highest possible IP address is reserved for use as the broadcast address • IP: 192.168.0.xxx • Subnet mask: 255.255.255.0 • Broadcast address: 192.168.0.255 • Multicast • Unicast
Router Paths and Packet Switching • As a packet travels from one networking device to another • The source and destination IP addresses NEVER change • The source and destination MAC addresses CHANGE as the packet is forwarded from one router to the next • The TTL field is decremented by one at each router until it reaches zero, at which point the router discards the packet (prevents packets from endlessly traversing the network) Source: CISCO Network Academy
http://www.cisco.com/en/US/products/hw/routers/ps282/products_tech_note09186a008035b051.shtml
Path Determination and Switching Example • PC1 wants to send something to PC2 • Step 1: PC1 encapsulates the packet into a frame; the frame carries R1's MAC address as its destination Source: CISCO Network Academy
Path Determination and Switching Example • Step 2: • R1 sees that the destination MAC address matches its own MAC • R1 then strips off Ethernet frame • R1 examines destination IP • R1 consults routing table looking for destination IP • After finding destination IP in routing table, R1 now looks up the next hop address • R1 re-encapsulates IP packet with a new Ethernet frame • R1 forwards Ethernet packet out Fa0/1 interface Source: CISCO Network Academy
Path Determination and Switching Example Source: CISCO Network Academy
Path Determination and Switching Example • Step 3 - Packet arrives at R2 • R2 receives Ethernet frame • R2 sees that destination MAC address matches its own MAC • R2 then strips off Ethernet frame • R2 examines destination IP • R2 consults routing table looking for destination IP • After finding destination IP in routing table, R2 now looks up the next hop IP address • R2 re-encapsulates IP packet with a new data link frame • R2 forwards Ethernet packet out S0/0 interface Source: CISCO Network Academy
Path Determination and Switching Example • Step 4 – Packet arrives at R3 • R3 receives PPP (Point-to-Point Protocol) frame • R3 then strips off PPP frame • R3 examines destination IP • R3 consults routing table looking for destination IP • After finding destination IP in routing table, it figures out that R3 is directly connected to destination via its fast Ethernet interface • R3 re-encapsulates IP packet with a new Ethernet frame • R3 forwards Ethernet packet out Fa0/0 interface • Step 5 – IP packet arrives at PC2 • Frame is decapsulated and processed by upper layer protocols Source: CISCO Network Academy
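The five steps above, run as a simulation: at every router the frame is accepted only if addressed to that router's MAC, the IP packet inside is unchanged apart from the TTL decrement, and a new frame is built for the next hop. Added example, not the Cisco Academy material; the topology, interface names, MACs, routing tables and the ARP table are constructed, and the serial link is modelled with MACs as well so one frame format serves every hop.

```python
import ipaddress

# Constructed topology in place of the figure: PC1 - R1 - R2 - R3 - PC2.
ARP = {"192.168.1.1": "aa:00:00:00:01:01", "10.0.12.2": "aa:00:00:00:02:01",
       "10.0.23.3": "aa:00:00:00:03:01", "192.168.2.20": "aa:00:00:00:20:20"}
ROUTERS = {   # name -> interfaces {if: (mac, network)} and routes (net, next hop, out if)
    "R1": {"ifaces": {"Fa0/0": ("aa:00:00:00:01:01", "192.168.1.0/24"),
                      "Fa0/1": ("aa:00:00:00:01:02", "10.0.12.0/24")},
           "routes": [("192.168.2.0/24", "10.0.12.2", "Fa0/1")]},
    "R2": {"ifaces": {"Fa0/0": ("aa:00:00:00:02:01", "10.0.12.0/24"),
                      "S0/0": ("aa:00:00:00:02:02", "10.0.23.0/24")},
           "routes": [("192.168.2.0/24", "10.0.23.3", "S0/0")]},
    "R3": {"ifaces": {"S0/0": ("aa:00:00:00:03:01", "10.0.23.0/24"),
                      "Fa0/0": ("aa:00:00:00:03:02", "192.168.2.0/24")},
           "routes": [("192.168.2.0/24", None, "Fa0/0")]},   # directly connected
}

def forward(router, frame):
    """Accept a frame addressed to us, strip it, decrement TTL, route, re-encapsulate."""
    r = ROUTERS[router]
    if frame["dst_mac"] not in {mac for mac, _ in r["ifaces"].values()}:
        return "ignored"                     # frame was not addressed to us
    pkt = dict(frame["packet"])              # IP header travels on unchanged...
    pkt["ttl"] -= 1                          # ...except for the TTL decrement
    if pkt["ttl"] == 0:
        return "discarded"                   # loop protection: packet dropped
    dst = ipaddress.ip_address(pkt["dst_ip"])
    for net, next_hop, out_if in r["routes"]:
        if dst in ipaddress.ip_network(net):
            break
    else:
        return "no-route"
    target = next_hop or pkt["dst_ip"]       # last hop: resolve the host itself
    return {"dst_mac": ARP[target], "src_mac": r["ifaces"][out_if][0],
            "packet": pkt, "out_if": out_if}

def trace(frame, path=("R1", "R2", "R3")):
    hops = []                                # (router, out if, src MAC, dst MAC, TTL)
    for router in path:
        result = forward(router, frame)
        if not isinstance(result, dict):
            return hops, result
        hops.append((router, result["out_if"], result["src_mac"],
                     result["dst_mac"], result["packet"]["ttl"]))
        frame = result
    return hops, "delivered"

def pc1_frame(ttl=64):
    """PC1's first-hop frame: destination MAC is R1's (the default gateway)."""
    return {"dst_mac": ARP["192.168.1.1"], "src_mac": "aa:00:00:00:10:10",
            "packet": {"src_ip": "192.168.1.10", "dst_ip": "192.168.2.20", "ttl": ttl}}
```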
Network Address Translation (NAT) • NAT is a technology providing the mapping between the private and universal addresses
Network Address Translation (NAT) [figure: NAT router with public address 200.24.5.8] • Use port numbers for a many-to-many communication between private network hosts and external server programs
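The port-based, many-to-many translation the NAT slides describe, as an added example (not the lecture's code). The public address 200.24.5.8 is the one on the slide; the private hosts, the external server and the starting translated port are constructed.

```python
import itertools

class Napt:
    """Port-based NAT: every private (ip, port) that talks to an external server
    is mapped to one public address plus a unique public port, and replies are
    mapped back through the same table."""

    def __init__(self, public_ip, first_port=5000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # next unused translated port
        self.out_map = {}   # (priv_ip, priv_port, ext_ip, ext_port) -> public port
        self.in_map = {}    # (public port, ext_ip, ext_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Private host -> Internet: rewrite source address and port."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.out_map:
            port = next(self.ports)
            self.out_map[key] = port
            self.in_map[(port, pkt["dst_ip"], pkt["dst_port"])] = key[:2]
        return {**pkt, "src_ip": self.public_ip, "src_port": self.out_map[key]}

    def inbound(self, pkt):
        """Internet -> private host: only packets matching an existing entry
        (same external server and same translated port) are forwarded."""
        key = (pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if pkt["dst_ip"] != self.public_ip or key not in self.in_map:
            return None                     # unsolicited: dropped at the NAT
        priv_ip, priv_port = self.in_map[key]
        return {**pkt, "dst_ip": priv_ip, "dst_port": priv_port}

def demo():
    """Two private hosts reach the same external web server through one address."""
    nat = Napt("200.24.5.8")                # public address from the slide
    a = nat.outbound({"src_ip": "172.18.3.1", "src_port": 1400,
                      "dst_ip": "198.51.100.20", "dst_port": 80})
    b = nat.outbound({"src_ip": "172.18.3.2", "src_port": 1400,
                      "dst_ip": "198.51.100.20", "dst_port": 80})
    reply_b = nat.inbound({"src_ip": "198.51.100.20", "src_port": 80,
                           "dst_ip": "200.24.5.8", "dst_port": b["src_port"]})
    stray = nat.inbound({"src_ip": "198.51.100.20", "src_port": 80,
                         "dst_ip": "200.24.5.8", "dst_port": 5002})
    return a, b, reply_b, stray
```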
Address Resolution Protocol (ARP) • ARP (Address Resolution Protocol) • In TCP/IP, a protocol for obtaining the physical address of a node when the Internet address is known
ARP Redirection • ARP cache poisoning • No state info about the ARP traffic is kept in a system • Attacker sends spoofed ARP replies to certain devices • ARP cache is overwritten with attacker’s MAC address
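The ARP Redirection slide's point is that a plain stack keeps no state, so any reply overwrites the cache. The added example below (not the lecture's code) models that cache and then adds the state a defender wants: which IPs were actually asked about, what binding each IP had before, and an optional static mapping for critical hosts. The event trace, addresses and MACs are constructed.

```python
class ArpCacheMonitor:
    """A host's ARP cache as the slide describes it (every reply overwrites the
    entry, no state kept) plus bookkeeping that turns overwrites into alerts."""

    def __init__(self, known_good=None):
        self.cache = {}              # ip -> mac, overwritten by every reply
        self.pending = set()         # ips we sent a request for, not yet answered
        self.known_good = known_good or {}   # static ip -> mac for critical hosts
        self.alerts = []

    def request(self, ip):
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Process an ARP reply exactly as the stack does, then judge it."""
        if ip not in self.pending:
            self.alerts.append(("unsolicited-reply", ip, mac))
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("mapping-changed", ip, old, mac))
        if ip in self.known_good and self.known_good[ip] != mac:
            self.alerts.append(("conflicts-with-static", ip, mac))
        self.cache[ip] = mac         # the unprotected stack accepts it regardless
        self.pending.discard(ip)

def replay(events, known_good=None):
    """Feed (kind, ip, mac) events in order; 'request' events carry no MAC."""
    mon = ArpCacheMonitor(known_good)
    for kind, ip, mac in events:
        if kind == "request":
            mon.request(ip)
        else:
            mon.reply(ip, mac)
    return mon

# Constructed trace: the host resolves its gateway and a peer, then receives a
# reply for the gateway IP it never asked for, carrying a different MAC.
SAMPLE_EVENTS = [
    ("request", "192.168.0.1", None),
    ("reply", "192.168.0.1", "00:11:22:33:44:01"),
    ("request", "192.168.0.7", None),
    ("reply", "192.168.0.7", "00:11:22:33:44:07"),
    ("reply", "192.168.0.1", "00:11:22:33:44:99"),
]
```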
Domain Name Service (DNS) • People prefer to use names instead of numeric addresses • So, need a system that maps a name to an address or an address to a name