Review of TCP/IP Internetworking
Chapter 3
Panko, Corporate Computer and Network Security
Copyright 2004 Prentice-Hall
Figure 3-17: IP Address Spoofing
Diagram: 1. The Trusted Server (60.168.4.6) has a trust relationship with the Victim Server (60.168.47.47). 2. The Attacker's Client PC (1.34.150.37) sends an attack packet whose spoofed source IP address is 60.168.4.6, so the attacker's identity is not revealed. 3. The server accepts the attack packet.
Figure 3-13: Internet Protocol (IP)
IP Addresses and Security
IP address spoofing: sending a message with a false IP address (Figure 3-17).
Gives the sender anonymity, so the attacker cannot be identified.
Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts.
Figure 3-13: Internet Protocol (IP) (Study Figure)
IP Addresses and Security
LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.
Figure 3-18: LAND Attack Based on IP Address Spoofing
Diagram: the Attacker (1.34.150.37) sends the Victim (60.168.47.47, port 23 open) a packet with From: 60.168.47.47:23 and To: 60.168.47.47:23. The source and destination IP addresses are the same, and the source and destination port numbers are the same. The victim crashes.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Protocol field
The Protocol field identifies the content of the IP data field. Firewalls need this information to know how to process the packet.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Time-to-Live field
Each router decrements the TTL value by one. The router that decrements the TTL field to zero discards the packet.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Time-to-Live field
The router also sends an error advisement message to the sender. The packet containing this message reveals the sender's IP address to the attacker.
Traceroute uses TTL to map the route to a host (Figure 3-19). On Windows machines the program is Tracert.
Figure 3-19: Tracert Program in Windows (screenshot not reproduced)
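The TTL mechanism and the way traceroute builds on it can be shown with a small simulation. This is an added example, not code from the textbook: the router addresses in PATH are constructed for illustration, and the `silent` set models routers that do not send an ICMP Time Exceeded message (a real trace prints such a hop as `*`).

```python
# Simulation of TTL decrement and traceroute (added example; router addresses are constructed).
PATH = ["10.1.1.1", "172.16.0.1", "198.51.100.7", "203.0.113.9"]   # routers in path order
DEST = "60.168.47.47"                                              # the destination host


def forward(path, dest, ttl, silent=frozenset()):
    """Carry one packet along `path`. Each router decrements TTL; the router that
    reaches zero discards the packet and, unless it is configured to stay silent,
    sends an ICMP Time Exceeded whose source address is its own.
    Returns (event, address_of_whoever_answered)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return ("timeout", None)        # router filters its outbound ICMP errors
            return ("time_exceeded", router)    # the error advisement reveals the router's address
    return ("delivered", dest)


def traceroute(path, dest, max_hops=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        event, who = forward(path, dest, ttl, silent)
        hops.append(who if who is not None else "*")
        if event == "delivered":
            break
    return hops


if __name__ == "__main__":
    for i, hop in enumerate(traceroute(PATH, DEST, silent={"172.16.0.1"}), start=1):
        print(f"{i:2d}  {hop}")
```

Each Time Exceeded in a real trace is an ICMP packet whose source address is the router that discarded the probe, which is exactly the information the slide says the error advisement gives away. Rate-limiting or filtering those errors at the border, as the silent router does here, is the usual way to keep internal topology from being mapped hop by hop.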
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Header Length field and Options
With no options, Header Length is 5. It is expressed in units of 32 bits, so 20 bytes.
Many options are dangerous, so if Header Length is more than 5, be suspicious. Some firms drop all packets with options.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Length field
Gives the length of the entire packet. Maximum is 65,536 bytes.
The Ping-of-Death attack sent IP packets with longer data fields; many systems crashed.
Figure 3-20: Ping-of-Death Attack
Diagram: the Attacker (1.34.150.37) sends the Victim (60.168.47.47) an IP packet containing an ICMP Echo message that is illegally long. The victim crashes.
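The header checks the preceding slides describe (an internal source address arriving from outside, a LAND packet, the Protocol field a firewall dispatches on, options signalled by a Header Length above 5, and a Length field that disagrees with the bytes actually received) can be written as one filter over the IP header. The code below is an added example, not the textbook's: INTERNAL_NET is an assumed site prefix chosen to match the figures' 60.168.x.x hosts, the sample packets are constructed, and the IP header checksum is neither computed nor verified.

```python
import ipaddress
import struct

# Assumed for this example: the site's own address block (the figures' 60.168.x.x hosts).
INTERNAL_NET = ipaddress.ip_network("60.168.0.0/16")
KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # what this filter knows how to process


def build_ipv4(src, dst, proto, payload=b"", options=b"", total_len=None):
    """Build a minimal IPv4 packet for testing (checksum left at 0; not verified here)."""
    assert len(options) % 4 == 0, "options must pad to a 32-bit boundary"
    ihl = 5 + len(options) // 4                       # header length in 32-bit words
    if total_len is None:
        total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def parse_ipv4(pkt):
    """Decode the fixed 20-byte IPv4 header plus any options that follow it."""
    if len(pkt) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "header_len": ihl * 4, "total_len": total_len,
        "id": ident, "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:ihl * 4],
    }


def transport_ports(hdr, pkt):
    """Source and destination port: readable only for TCP/UDP and only in a first fragment."""
    if hdr["protocol"] not in (6, 17) or hdr["frag_offset"] != 0:
        return None
    start = hdr["header_len"]
    if len(pkt) < start + 4:
        return None
    return struct.unpack("!HH", pkt[start:start + 4])


def check_packet(pkt, arrived_on_external_interface):
    """Return the findings a border filter would act on for one packet."""
    hdr = parse_ipv4(pkt)
    if hdr["version"] != 4:
        return ["not an IPv4 packet"]
    findings = []
    if hdr["ihl"] < 5:
        findings.append("header length below 5 words: malformed")
    elif hdr["ihl"] > 5:                              # options present: be suspicious
        findings.append(f"options present (header length {hdr['ihl']} words)")
    if hdr["total_len"] != len(pkt):
        findings.append(f"total length field {hdr['total_len']} disagrees with {len(pkt)} bytes received")
    if arrived_on_external_interface and ipaddress.ip_address(hdr["src"]) in INTERNAL_NET:
        findings.append(f"spoofed source: internal address {hdr['src']} arriving from outside")
    if hdr["src"] == hdr["dst"]:
        ports = transport_ports(hdr, pkt)
        if ports and ports[0] == ports[1]:
            findings.append(f"LAND packet: {hdr['src']}:{ports[0]} to itself")
        else:
            findings.append("source address equals destination address")
    if hdr["protocol"] not in KNOWN_PROTOCOLS:        # the Protocol field drives the firewall's dispatch
        findings.append(f"protocol {hdr['protocol']} not handled by this filter")
    return findings


if __name__ == "__main__":
    # Constructed LAND packet from Figure 3-18: 60.168.47.47:23 to 60.168.47.47:23 over TCP.
    land = build_ipv4("60.168.47.47", "60.168.47.47", 6, bytes([0, 23, 0, 23]) + bytes(16))
    for finding in check_packet(land, arrived_on_external_interface=True):
        print(finding)
```

The ingress check is the part that matters for spoofing: a packet whose source claims to be inside the site but which arrives on the outside interface cannot be legitimate, whatever else it carries, and dropping it there protects every host that trusts 60.168.x.x addresses.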
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Routers may fragment IP packets (really, packet data fields) en route.
All fragments have the same Identification field value.
Fragment Offset values allow the fragments to be ordered.
More Fragments is 0 in the last fragment.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Harms packet inspection: the TCP header, etc. is only in the first packet in the series, so a firewall cannot filter on the TCP header, etc. in subsequent packets.
Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
Diagram: 1. The Attacker (1.34.150.37) sends a fragmented IP packet toward 60.168.47.47. 2. The first fragment carries an IP header, the TCP header and part of the TCP data field; the second fragment carries an IP header and the rest of the TCP data field with no TCP header. 3. The TCP header is only in the first fragment. 4. The second fragment holds only TCP data. 5. The firewall in front of 60.168.47.47 can only filter on the TCP header in the first fragment.
Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Teardrop attack: a crafted fragmented packet does not make sense when reassembled.
Some firewalls drop all fragmented packets, which are rare today.
Figure 3-21: Teardrop Denial-of-Service Attack
Diagram: the Attacker (1.34.150.37) sends the Victim (60.168.47.47) what pretends to be a fragmented IP packet. When reassembled, the "packet" does not make sense: the "defragmented" IP packet has gaps and overlaps. The victim crashes.
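Fragment reassembly is where the conditions behind the Teardrop and Ping-of-Death figures become visible: pieces that overlap or leave gaps, and a reassembled size beyond what the 16-bit Length field can describe (65,535 bytes). The checker below is an added example, not code from the textbook; it works on (Identification, Fragment Offset in bytes, data length, More Fragments) tuples read from the IP headers, and the fragment sets it is run on are constructed.

```python
# Sanity checks on IPv4 fragment sets before reassembly (added example, not the textbook's code).
from collections import defaultdict

MAX_DATAGRAM = 65535   # the 16-bit Length field cannot describe a larger packet
TCP_HEADER_MIN = 20


def check_fragment_sets(fragments):
    """fragments: (identification, offset_bytes, data_length, more_fragments) tuples
    as read from the IP headers. Returns a list of (identification, problem) pairs."""
    problems = []
    groups = defaultdict(list)
    for ident, offset, length, more in fragments:   # same Identification => same original packet
        groups[ident].append((offset, length, more))
    for ident, parts in groups.items():
        parts.sort()                                   # Fragment Offset puts the pieces in order
        expected_next = 0
        saw_last = False
        for offset, length, more in parts:
            if offset % 8:
                problems.append((ident, f"offset {offset} is not a multiple of 8"))
            if offset < expected_next:
                problems.append((ident, f"overlap: data at {offset} overwrites bytes up to {expected_next}"))
            elif offset > expected_next:
                problems.append((ident, f"gap: bytes {expected_next}-{offset} never arrive"))
            expected_next = max(expected_next, offset + length)
            if not more:
                saw_last = True                        # More Fragments = 0 marks the final piece
        if expected_next > MAX_DATAGRAM:               # Ping-of-Death condition
            problems.append((ident, f"reassembled size {expected_next} exceeds {MAX_DATAGRAM}"))
        if not saw_last:
            problems.append((ident, "final fragment (MF=0) missing"))
    return problems


def tcp_header_inspectable(offset_bytes, data_length):
    """A stateless filter can read TCP ports and flags only from the first fragment."""
    return offset_bytes == 0 and data_length >= TCP_HEADER_MIN


if __name__ == "__main__":
    # Constructed Teardrop-style set: the second piece starts inside the first one.
    teardrop = [(1, 0, 36, True), (1, 24, 36, False)]
    for ident, problem in check_fragment_sets(teardrop):
        print(ident, problem)
```

A reassembling firewall or host that runs these checks before allocating the reassembly buffer rejects the overlapping, gapped and oversized sets outright, which is the same outcome as the "drop all fragments" policy the slide mentions but without discarding the rare legitimate fragmented packet.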
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Reliable
The receiving process sends an ACK to the sending process if a segment is correctly received.
The ACK bit is set (1) in acknowledgement segments.
If the sending process does not get an ACK, it resends the segment.
Diagram: the PC transport process sends a TCP segment to the webserver transport process, which answers with a TCP segment (ACK).
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Connections: Opens and Closes
Formal open and close.
Three-way open: SYN, SYN/ACK, ACK (Figure 3-25).
Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25).
Abrupt close: RST (Figure 3-26).
Figure 3-25: Communication During a TCP Session (3-Way Open)
Diagram, between the PC transport process and the webserver transport process: 1. SYN (open); 2. SYN, ACK (1) (acknowledgement of 1); 3. ACK (2). The connection is open after these 3 messages.
Figure 3-25: Communication During a TCP Session (Normal Four-Way Close)
Diagram, between the PC transport process and the webserver transport process: 13. FIN (close); 14. ACK (13); 15. FIN; 16. ACK (15). The connection is closed after these 4 messages.
Note: An ACK may be combined with the next message if the next message is sent quickly enough.
Figure 3-25: Communication During a TCP Session (Abrupt Close)
Diagram, between the PC transport process and the webserver transport process: either side can send a Reset (RST) segment at any time; it ends the session immediately, closing in 1 message.
Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)
Diagram: 1. The Attacker (1.34.150.37) sends a SYN/ACK segment as a probe to 60.168.47.47. 2. The victim has no such connection, so the segment makes no sense. 3. The victim answers "Go away!" with an RST segment (IP header plus RST segment). 4. That reply's source IP address is 60.168.47.47. 5. The attacker now knows that 60.168.47.47 is live.
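The three-way open, four-way close and RST of Figure 3-25, and the SYN/ACK probe of Figure 3-26, can all be followed by a small stateful tracker of the kind a stateful firewall keeps per connection. The code is an added example, not from the textbook: segments are described by (src, sport, dst, dport, flags) tuples, sequence numbers are ignored, and the addresses in the usage reuse the figures' PC, webserver, attacker and victim.

```python
# Minimal stateful TCP connection tracker (added example; not the textbook's code).
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags")   # flags written like "SYN/ACK"


class ConnectionTracker:
    """Follow the three-way open, the four-way close and RST for each connection, and
    flag segments that belong to no connection (the SYN/ACK probe and its RST answer)."""

    def __init__(self):
        self.conns = {}     # (client, cport, server, sport) -> state
        self.alerts = []

    def _key_for(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        return fwd if fwd in self.conns else rev if rev in self.conns else None

    def process(self, seg):
        flags = set(seg.flags.split("/"))
        key = self._key_for(seg)
        if flags == {"SYN"}:                                   # 1. SYN: the client opens
            self.conns[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
        elif flags == {"SYN", "ACK"}:                          # 2. SYN/ACK must answer a SYN
            if key and self.conns[key] == "SYN_SENT" and key[2] == seg.src:
                self.conns[key] = "SYN_RECEIVED"
            else:
                self.alerts.append(f"unsolicited SYN/ACK from {seg.src}:{seg.sport} "
                                   f"to {seg.dst}:{seg.dport} (probe?)")
        elif "RST" in flags:                                   # abrupt close from either side
            if key:
                self.conns[key] = "RESET"
            else:
                self.alerts.append(f"RST from {seg.src}:{seg.sport} to {seg.dst}:{seg.dport} "
                                   f"with no tracked connection (a probe was answered)")
        elif "FIN" in flags:                                   # four-way close: two FINs
            if key:
                self.conns[key] = "CLOSING" if self.conns[key] == "ESTABLISHED" else "CLOSED"
        elif flags == {"ACK"} and key:                         # 3. ACK completes the open
            if self.conns[key] == "SYN_RECEIVED" and key[0] == seg.src:
                self.conns[key] = "ESTABLISHED"
        return key


def run(segments):
    """Feed a segment list through one tracker; return (connection states, alerts)."""
    tracker = ConnectionTracker()
    for seg in segments:
        tracker.process(seg)
    return tracker.conns, tracker.alerts


if __name__ == "__main__":
    # Constructed probe from Figure 3-26: unsolicited SYN/ACK, answered by RST.
    probe = [Segment("1.34.150.37", 40000, "60.168.47.47", 23, "SYN/ACK"),
             Segment("60.168.47.47", 23, "1.34.150.37", 40000, "RST")]
    for alert in run(probe)[1]:
        print(alert)
```

A stateful border filter holding this table can drop the inbound SYN/ACK in the first place, because no outbound SYN preceded it; the victim then never sends the RST whose source address confirms it is live.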
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Number
Socket format is IP address:port, for instance, 128.171.17.13:80. It designates a specific program on a specific machine.
Port spoofing (Figure 3-28): an incorrect application uses a well-known port, especially 80, which is often allowed through firewalls.
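Port spoofing is only caught by looking past the port number into the payload, which is what an application-aware firewall does and a plain port filter cannot. The check below is an added example, not the textbook's code; it recognizes HTTP by the request line and status line only, and the sample payloads are constructed stand-ins for the first data-carrying segment of a stream.

```python
# Payload check for traffic on port 80 (added example, not the textbook's code).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def looks_like_http_request(payload):
    """Request line: a known method, then a target, then ' HTTP/1.x'."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def looks_like_http_response(payload):
    """Status line: 'HTTP/1.x <code> <reason>'."""
    return payload.startswith(b"HTTP/1.")


def check_port_use(sport, dport, payload):
    """Return 'ok', or a description of why port 80 traffic does not look like HTTP.
    Segments without data (bare ACKs) carry nothing to judge and are passed."""
    if not payload:
        return "ok"
    if dport == 80 and not looks_like_http_request(payload):
        return f"port 80 request from :{sport} is not HTTP ({payload[:8]!r})"
    if sport == 80 and not looks_like_http_response(payload):
        return f"port 80 response to :{dport} is not HTTP ({payload[:8]!r})"
    return "ok"


if __name__ == "__main__":
    # Constructed: an SSH server banner coming back from port 80.
    print(check_port_use(80, 52000, b"SSH-2.0-OpenSSH_9.6\r\n"))
```

Because only the first segment with data carries the request or status line, the check belongs in a stateful inspector that remembers the verdict for the rest of the connection rather than in a per-packet rule.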
Figure 3-33: Internet Control Message Protocol (ICMP)
ICMP is for supervisory messages at the internet layer.
ICMP and IP: an ICMP message is delivered (encapsulated) in the data field of an IP packet.
Types and Codes (Figure 3-2): Type is the general category of supervisory message; Code is the subcategory of the type (set to zero if there is no code).
Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages
Diagram: a router sends a "Host Unreachable" error message; a host sends an "Echo" and gets back an "Echo Reply"; each ICMP message travels behind an IP header.
Figure 3-32: IP Packet with an ICMP Message Data Field
Layout (bit 0 to bit 31): IP header (usually 20 bytes), then Type (8 bits), Code (8 bits), and the remaining fields, which depend on Type and Code.
Figure 3-32: Internet Control Message Protocol (ICMP)
Network Analysis Messages
Echo (Type 8, no code) asks the target host if it is operational and available.
Echo Reply (Type 0, no code): the target host responds to the echo sender.
The Ping program implements Echo and Echo Reply, like a submarine pinging a target.
Ping is useful for network managers to diagnose problems based on failures to reply.
Ping is useful for hackers to identify potential targets: live ones reply.
Figure 3-32: Internet Control Message Protocol (ICMP)
Error Advisement Messages
Advise the sender of an error, but there is no error correction.
Host Unreachable (Type 3, multiple codes): many codes for specific reasons for the host being unreachable. Usually sent by a router.
The Host Unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim.
Figure 3-31: Internet Control Message Protocol (ICMP)
Control Codes: control network/host operation
Source Quench (Type 4, no code): tells the destination host to slow down its transmission rate.
Legitimate use: flow control if the host sending the source quench is overloaded.
Attackers can use it for a denial-of-service attack.
Figure 3-31: Internet Control Message Protocol (ICMP)
Control Codes
Redirect (Type 5, multiple codes): tells a host or router to send packets in a different way than they have been.
Attackers can disrupt network operations, for example, by sending packets down black holes.
Many Other ICMP Messages
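The ICMP messages discussed on these slides (Echo, Echo Reply, Host Unreachable, Source Quench, Redirect) all share the header of Figure 3-32: Type, Code, a 16-bit checksum, and four bytes whose meaning depends on the type. The parser below is an added example, not the textbook's code; it decodes Type and Code, verifies the checksum, and `inbound_policy` is an assumed, illustrative border policy drawn from the risks the slides list (inbound Echo maps live hosts, Source Quench and Redirect can be abused), not a recommendation from the book. The messages it is run on are constructed.

```python
import struct

# ICMP type/code decoding and checksum verification (added example; not the textbook's code).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 4: "fragmentation needed and DF set"}
REDIRECT_CODES = {0: "redirect datagrams for the network", 1: "redirect datagrams for the host"}


def inet_checksum(data):
    """One's-complement sum over 16-bit words (RFC 1071); a valid message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype, code, rest=b"\x00" * 4, payload=b""):
    """Assemble an ICMP message with a correct checksum (the IP header is not included)."""
    unchecked = struct.pack("!BBH", itype, code, 0) + rest + payload
    return struct.pack("!BBH", itype, code, inet_checksum(unchecked)) + rest + payload


def parse_icmp(msg):
    """Decode the 8-byte header: Type, Code, checksum, and the type-dependent 4 bytes."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, code, _csum = struct.unpack("!BBH", msg[:4])
    name = ICMP_TYPES.get(itype, f"type {itype}")
    if itype == 3:
        detail = UNREACHABLE_CODES.get(code, f"code {code}")
    elif itype == 5:
        detail = REDIRECT_CODES.get(code, f"code {code}")
    else:
        detail = "no code" if code == 0 else f"code {code}"
    return {"type": itype, "code": code, "name": name, "detail": detail,
            "rest": msg[4:8], "payload": msg[8:],
            "checksum_ok": inet_checksum(msg) == 0}   # sum over the whole message must be 0


def inbound_policy(itype):
    """Assumed border policy for ICMP arriving from outside: keep the replies and errors
    normal operation needs (Echo Reply, Destination Unreachable, Time Exceeded); drop
    Echo, which lets outsiders find live hosts, and Source Quench and Redirect, which
    can throttle or misroute hosts; drop anything else by default."""
    return "allow" if itype in (0, 3, 11) else "drop"


if __name__ == "__main__":
    # Constructed Echo with identifier 1, sequence 1 and an 8-byte payload.
    echo = build_icmp(8, 0, bytes([0, 1, 0, 1]), b"abcdefgh")
    info = parse_icmp(echo)
    print(info["name"], info["detail"], "checksum ok:", info["checksum_ok"],
          "inbound policy:", inbound_policy(info["type"]))
```

Checksum verification is worth keeping in such a filter: a message that fails it is either corrupted or crafted, and the same routine applied to the Type 3 and Type 5 messages lets the policy reject malformed control messages before their codes are even looked at.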