Transcript Slide 1

COM850 Computer Hacking and Security
Lecture 2. Network Basics
Prof. Taeweon Suh
Computer Science & Engineering
Korea University
Open Systems Interconnection (OSI)
• The International Organization for Standardization (ISO) is a multinational body dedicated to worldwide agreement on international standards.
– Almost three-fourths of the countries in the world are represented in the ISO.
• An ISO standard that covers all aspects of network communications is the Open Systems Interconnection (OSI) model.
– It was first introduced in the late 1970s.
• The OSI model is a layered framework for the design of network systems that allows communication between all types of computer systems
2
Korea Univ
OSI 7 Layers
• Physical: transmit bits over a medium
• Data link: organize bits into a frame
• Network: move packets from source to destination
• Transport: provide reliable process-to-process message delivery
• Session: establish, manage, and terminate sessions
• Presentation: translate, encrypt and compress data
• Application: allow access to the network resources (application protocols such as POP3 and IMAP sit here)
TCP/IP Protocol Suite
• The TCP/IP protocol suite was developed prior to the OSI model
– Thus, the layers in TCP/IP do not match exactly with those in OSI
Encapsulation
OSI Layers
[Figure: client – Router A – Router B – server]
• As a message travels from A to B, it may pass through many intermediate nodes.
• These intermediate nodes usually involve only the first three layers of the OSI model (physical, data link, network)
Ethernet
• Local Area Network (LAN) is a computer network
designed for a limited geographic area such as a
building or a campus
• Most LANs are linked to a wide area network (WAN)
or the Internet
• There are several technologies for LANs such as Ethernet, Token ring, Token bus, FDDI and ATM LAN
• Ethernet is by far the dominant technology
Ethernet Frame
[Figure: Ethernet frame with destination and source MAC (Media Access Control) addresses, type field, data and CRC]
CRC: Cyclic Redundancy Check, a checksum over the frame used to detect transmission errors (not a security measure: anyone who can alter the frame can recompute it)
Ethernet Type Field
Source: http://www.networkdictionary.com/networking/EtherType.php
Internet Protocol (IP)
• IP is the transmission mechanism at the network layer
• Packets in the network layer are called datagrams
• IP is an unreliable and connectionless datagram protocol
– best-effort delivery
– Each datagram is handled independently, and each datagram can follow a different route to the destination
– It implies that datagrams sent by the same source to the same destination could arrive out of order
– IP packets can be corrupted, lost, arrive out of order or be delayed; IP only detects corruption of its own header (header checksum) and leaves recovery to upper layers such as TCP
IP Datagram
[Figure: IPv4 datagram header format, including the TTL field]
• Version (VER): 4 for IPv4 (a value of 6 marks an IPv6 header, which has a different format)
• Header Length (HLEN): in 4-byte words; 20 bytes (5 x 4) without options, up to 60 bytes (15 x 4) with options
• Service Type (TOS): cost, reliability, throughput, delay
• Total length: header + data in bytes (max 65535 B)
– The max. size of a frame's data field, the Maximum Transfer Unit (MTU), differs from one physical network to another
– Ethernet LAN: 1500 B, FDDI LAN: 4352 B, PPP: 296 B
• ID, Flags, and Fragmentation offset are used in fragmentation (a datagram larger than the MTU is split into fragments that are reassembled only at the destination)
IPv4 Addresses
• The identifier used in the IP layer to identify each device connected to the Internet is called the Internet address, or IP address
• An IPv4 address is 32 bits long
– The address space of IPv4 is 2^32, or 4,294,967,296 addresses
• IPv4 addresses are unique and universal
• IP addresses originally used the concept of classes
– Classful addressing
• In the mid-1990s, a new architecture called classless addressing was introduced
– Classless addressing supersedes classful addressing
Classful Addressing
Classful Addressing
• netid defines the network. The network address is used in routing a packet to its destination network
• hostid defines a particular host on the network
• Class A: 128 (2^7) blocks that can be assigned to 128 organizations, each block has 16,777,216 addresses
– Millions of class A addresses are wasted
• Class B: 16,384 (2^14) blocks, each block has 65,536 addresses
– Many class B addresses are wasted
• Class C: 2,097,152 (2^21) blocks, each block has 256 addresses
– Not many organizations are small enough to fit in a class C block
Classless Addressing
• Solutions to the IP address depletion problem
– IPv6: 128-bit (16 B) addresses
– Classless addressing: keep IPv4, but change the distribution of addresses to provide a fair share to each organization
• In classless addressing, variable-length blocks are used that belong to no classes
– Prefix defines the network, and suffix defines the host
– The prefix length can range from 0 to 32 (0.0.0.0/0 is the default route; a /32 is a single host)
– Slash notation (address/prefix length) is formally referred to as Classless Inter-Domain Routing (CIDR) notation
Examples
• One of the addresses in a block is 17.63.110.114/24
– Number of addresses: 256
– First address in the block: 17.63.110.0
– Last address in the block: 17.63.110.255
• One of the addresses in a block is 110.23.120.14/20
– Number of addresses: 4096
– First address in the block: 110.23.112.0
– Last address in the block: 110.23.127.255
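The two block computations above, carried out in code. This is an added example and not part of the lecture; it uses only the address arithmetic the slides describe (masking the suffix to all 0s or all 1s) and cross-checks the result against Python's ipaddress module. The classful_class helper also covers the earlier classful slide, deriving the class from the leading bits.

```python
"""Classless addressing: derive the block that a given address/prefix belongs to.

Added example, not from the lecture slides.  The arithmetic is done with
plain bit operations; Python's ipaddress module is used only to cross-check.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 -> 32-bit integer (validates each octet)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def block_info(cidr: str) -> dict:
    """Block size, mask, first (network) and last (direct broadcast) address.

    With prefix length n the leftmost n bits are the prefix (network) and the
    remaining 32 - n bits the suffix (host).  /0 is the default route, /32 a
    single host.
    """
    addr, prefix_str = cidr.split("/")
    n = int(prefix_str)
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF   # n one-bits followed by zeros
    first = ip_to_int(addr) & mask                  # suffix set to all 0s
    last = first | (~mask & 0xFFFFFFFF)             # suffix set to all 1s
    return {"count": 1 << (32 - n), "mask": int_to_ip(mask),
            "first": int_to_ip(first), "last": int_to_ip(last)}


def classful_class(addr: str) -> str:
    """Class of an address under the old classful scheme, from its leading bits."""
    first_octet = ip_to_int(addr) >> 24
    if first_octet < 128:
        return "A"          # 0xxxxxxx: 2^7 blocks of 2^24 addresses
    if first_octet < 192:
        return "B"          # 10xxxxxx: 2^14 blocks of 2^16 addresses
    if first_octet < 224:
        return "C"          # 110xxxxx: 2^21 blocks of 2^8 addresses
    if first_octet < 240:
        return "D"          # 1110xxxx: multicast
    return "E"              # 1111xxxx: reserved


def cross_check(cidr: str) -> bool:
    """Compare block_info against the standard library's computation."""
    info = block_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (info["first"] == str(net.network_address)
            and info["last"] == str(net.broadcast_address)
            and info["count"] == net.num_addresses)


if __name__ == "__main__":
    for cidr in ("17.63.110.114/24", "110.23.120.14/20"):
        print(cidr, block_info(cidr), classful_class(cidr.split("/")[0]), cross_check(cidr))
```

Note that the mask is built by shifting and re-masking to 32 bits, which is what makes the /0 and /32 edge cases come out right without special-casing them.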
Special Addresses
[Figure: a booting host sends a packet with source 0.0.0.0 and destination 255.255.255.255, which reaches every host on its network (221.45.71.20/24, 221.45.71.64/24, 221.45.71.126/24, 221.45.71.178/24)]
• 0.0.0.0/32
– Reserved for communication when a host does not know its own address
– Normally used at bootstrap time to get an IP address from a DHCP server
• 255.255.255.255/32
– Reserved as the limited broadcast address for the current network; routers never forward it
• 127.0.0.0/8
– Used for the loopback address, which is an address used to test the software on a machine
Special Addresses
• Private addresses
– A number of blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are assigned for private use. They are not recognized (routed) globally. These addresses are used either in isolation or in connection with network address translation (NAT) techniques
• Multicast addresses
– 224.0.0.0/4 is reserved for multicast communication
Special Addresses in Each Block
• Network Address: the first address (with the suffix set to all 0s) in a block defines the network address
– It defines the network itself and not any host in the network
• Direct Broadcast Address: the last address (with the suffix set to all 1s) in a block
– It is usually used by a router to send a packet to all hosts in a specific network
– All hosts will accept a packet having this type of destination address
– This address can be used only as a destination address in an IPv4 packet
[Figure: a packet sent to the direct broadcast address of network 221.45.71.0/24 (221.45.71.255) is received by every host on it: 221.45.71.20, 221.45.71.64, 221.45.71.126, 221.45.71.178]
TTL
• TTL is used for controlling the maximum number of hops (routers) visited by the datagram
– When a source host sends the datagram, it stores a number in TTL, which is approximately 2x the max. number of hops between any 2 hosts
– TTL is needed because routing tables in the Internet can become corrupted, resulting in packets looping or cycling the network endlessly
• TTL is also used intentionally to limit the journey of the packet
– If the source wants to confine the packet to the local network, it can store 1 in TTL
Transmission Control Protocol (TCP)
• TCP is connection-oriented
– It establishes a virtual path between the source and destination.
• All of the segments belonging to a message are then sent over this virtual path.
– You may wonder how TCP, which uses the services of IP, a connectionless protocol, can be connection-oriented.
• A TCP connection is virtual, not physical.
• TCP uses the services of IP to deliver individual segments to the receiver, but it controls the connection itself. If a segment is lost or corrupted, it is retransmitted
TCP
[Figure: TCP segment header (HLEN, control flags, window size, checksum, urgent pointer, options)]
• Header Length (HLEN): in 4-byte words; 20 bytes (5 x 4) without options, up to 60 bytes (15 x 4) with options
• Window Size: normally the receiving window (rwnd) in bytes
• Checksum: used to detect errors over the entire segment (header + data); the calculation also covers a pseudo-header holding the IP addresses, protocol number and TCP length, so a segment delivered to the wrong host fails the check even though the IP header checksum protects only the IP header
• Urgent Pointer
– Valid only if the URG flag is set
– Used when the segment contains urgent data
– Defines a value that must be added to the sequence number to obtain the number of the last urgent byte in the data section of the segment
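A parser for the IPv4 header (IP Datagram slide) and the TCP header (this slide) with both checksums verified, including the TCP pseudo-header. This is an added example and not code from the lecture: the sample packet is constructed inside the block (source 10.0.0.1:40000 and destination 10.0.0.2:80 are assumptions; sequence number 8000 and window 5000 follow the handshake figure in the lecture), and the builder exists only to produce that sample.

```python
"""Parse an IPv4 datagram carrying a TCP segment and verify both checksums.

Added example, not from the lecture slides.  The sample packet is constructed
below: a SYN from 10.0.0.1:40000 to 10.0.0.2:80 (assumed addresses/ports) with
seq 8000 and rwnd 5000 (the values on the lecture's handshake diagram).
"""
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of all 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # HLEN in 4-byte words
    if version != 4 or not 20 <= hlen <= 60 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "hlen": hlen, "tos": tos, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13,                # bit 2 = DF, bit 1 = MF
        "fragment_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "src_raw": src, "dst_raw": dst,
        # summing the header *including* its checksum field gives 0 when intact
        "header_checksum_ok": internet_checksum(packet[:hlen]) == 0,
        "payload": packet[hlen:total_len],
    }


def parse_tcp(segment: bytes, src_ip: bytes, dst_ip: bytes) -> dict:
    (sport, dport, seq, ack, off_res, flags, window, _csum,
     urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4                     # data offset in 4-byte words
    if not 20 <= hlen <= 60 or hlen > len(segment):
        raise ValueError("not a well-formed TCP header")
    # The checksum covers a pseudo-header (IP addresses, zero, protocol 6, TCP
    # length) plus the whole segment, so a segment delivered to the wrong host
    # fails the check even though IP's own checksum protects only the IP header.
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window,
        "urgent_pointer": urg if flags & 0x20 else None,   # meaningful only with URG
        "checksum_ok": internet_checksum(pseudo + segment) == 0,
        "data": segment[hlen:],
    }


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int,
                 flags: int, window: int, data: bytes = b"") -> bytes:
    """Assemble IPv4 + TCP with correct checksums (used only to build the sample)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0) + data
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def analyze(packet: bytes) -> dict:
    """Full decode: IP header, then TCP if the protocol field says 6."""
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["payload"], ip["src_raw"], ip["dst_raw"]) if ip["protocol"] == 6 else None
    return {"ip": ip, "tcp": tcp}


# Constructed sample: SYN segment with no data; flags byte 0x02 = SYN, DF set.
SAMPLE = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 8000, 0x02, 5000)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Flipping one bit of the TCP payload leaves the IP header checksum valid but breaks the TCP one, and feeding the same segment to parse_tcp with a different destination address fails the pseudo-header check, which is the behaviour the slide's description of the checksum implies.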
Port Addresses
• The local host and the remote host are identified using IP addresses
• To identify the client and server programs, a second pair of identifiers is needed. They are called port numbers
• In TCP/IP, the port numbers are integers between 0 and 65,535
– The server uses well-known port numbers, which are less than 1,024
– A client program on the local computer identifies itself with a port number (called an ephemeral port number), chosen randomly by the TCP software
TCP Control Field
• PSH: Should be processed
immediately
• URG: Urgent data
• RST: Reset the connection
 Deny a connection request
 Abort an existing
connection
 Terminate an idle
connection
IP + TCP
TCP Connection Establishment
[Figure: three-way handshake; the control field is shown as U A P R S F]
• Client → Server: SYN, seq: 8000
• Server → Client: SYN + ACK, seq: 15000, ack: 8001, rwnd: 5000
• Client → Server: ACK, seq: 8000, ack: 15001, rwnd: 10000
SYN Flooding Attack
• A SYN flood tries to exhaust state in the TCP/IP stack
– Since TCP maintains "reliable" connections, each connection needs to be tracked somewhere; the TCP/IP stack in the kernel handles this, but it has a finite table that can only track so many incoming (half-open) connections
• Attackers flood the victim's system with many SYN packets, using spoofed non-existent source addresses
– The victim machine sends a SYN/ACK packet to the non-existent IP address and never gets the ACK response, so each half-open entry stays in the table until it times out
• A kind of denial-of-service (DoS) attack
– Common mitigation: S­YN cookies, where the server encodes the connection state in its initial sequence number and stores nothing until the final ACK arrives
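A simulation of the half-open connection table described above, with the handshake sequence-number bookkeeping from the preceding slide and the SYN-cookie mitigation. This is an added example and not part of the lecture: the server ISN 15000 and client seq 8000 follow the lecture's diagram, while the backlog size, the addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and the simplified cookie construction are assumptions made here; real kernels use a different cookie layout.

```python
"""Half-open connection table of a TCP listener under a SYN flood, and the
SYN-cookie variant that keeps no such table.

Added example, not from the lecture slides.  The server's initial sequence
number (15000) and the client's (8000) follow the lecture's handshake diagram;
the backlog size, addresses, secret and the cookie construction are assumptions
made for this example (real kernels use a different cookie layout).
"""
import hashlib
import random
import struct

SERVER_ISN = 15000
MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, backlog: int, syn_cookies: bool = False, secret: bytes = b"assumed-secret"):
        self.backlog = backlog          # finite kernel table of half-open connections
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}             # (src_ip, src_port) -> server ISN sent in SYN+ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip: str, src_port: int) -> int:
        """Stateless ISN: keyed hash of the peer, recomputable when the ACK arrives."""
        digest = hashlib.sha256(self.secret + f"{src_ip}:{src_port}".encode()).digest()
        return struct.unpack("!I", digest[:4])[0]

    def on_syn(self, src_ip: str, src_port: int, client_seq: int):
        """Handle a SYN; return (server_seq, ack) for the SYN+ACK, or None if dropped."""
        ack = (client_seq + 1) & MASK32                 # a SYN consumes one sequence number
        if self.syn_cookies:
            return self._cookie(src_ip, src_port), ack  # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                      # table full: new clients are refused
            return None
        self.half_open[(src_ip, src_port)] = SERVER_ISN
        return SERVER_ISN, ack

    def on_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        """Third handshake step: ack must be server ISN + 1 (the SYN+ACK consumed one)."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            ok = ack == (self._cookie(src_ip, src_port) + 1) & MASK32
        else:
            isn = self.half_open.get(key)
            ok = isn is not None and ack == (isn + 1) & MASK32
            if ok:
                del self.half_open[key]
        if ok:
            self.established.add(key)
        return ok


def syn_flood(listener: Listener, count: int, rng: random.Random) -> None:
    """Spoofed SYNs from addresses that never answer: the SYN+ACK goes nowhere
    and the ACK never arrives, so every entry stays half-open."""
    for _ in range(count):
        src_ip = "198.51.100.%d" % rng.randrange(1, 255)     # TEST-NET-2, assumed unreachable
        listener.on_syn(src_ip, rng.randrange(1024, 65536), rng.randrange(1 << 32))


def legitimate_client(listener: Listener, ip: str = "203.0.113.5",
                      port: int = 40000, seq: int = 8000) -> bool:
    """A real client completing the handshake; False means it was denied service."""
    reply = listener.on_syn(ip, port, seq)
    if reply is None:
        return False
    server_seq, ack = reply
    if ack != (seq + 1) & MASK32:
        return False
    return listener.on_ack(ip, port, (server_seq + 1) & MASK32)


def run_scenario(syn_cookies: bool, backlog: int = 128, flood_size: int = 2000, seed: int = 1) -> dict:
    """Flood a listener, then see whether a legitimate client still gets through."""
    rng = random.Random(seed)
    listener = Listener(backlog=backlog, syn_cookies=syn_cookies)
    syn_flood(listener, flood_size, rng)
    return {"half_open": len(listener.half_open), "dropped": listener.dropped_syns,
            "client_served": legitimate_client(listener)}


if __name__ == "__main__":
    for cookies in (False, True):
        print("syn_cookies=%s -> %s" % (cookies, run_scenario(cookies)))
```

Without cookies the 128-entry table fills with spoofed peers and the legitimate client's SYN is dropped; with cookies nothing is stored per SYN, so the table stays empty and the client completes the handshake.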
TCP Connection Termination with 3-way Handshaking
Notes
• A SYN can’t carry data, but it consumes one
sequence number
• A SYN + ACK segment can’t carry data, but it
consumes one sequence number
• An ACK segment, if carrying no data, consumes no
sequence number
• The FIN segment consumes one sequence number if
it does not carry data
• The FIN + ACK segment consumes one sequence
number if it does not carry data
Data Transfer with TCP
Connection Termination
Flow Control
[Figure: flow control between a client (producer) and a server (consumer)]
• 1: Messages are pushed from the sending application to the sending TCP
• 2: Segments are pushed from the sending TCP to the receiving TCP
• 3: Messages are pulled by the receiving application from the receiving TCP
• 4: Flow control feedback from the receiving TCP to the sending TCP
• 5: Flow control feedback from the sending TCP to the sending application
Flow Control Example
TCP Retransmission Timer
• To handle a lost or discarded segment, TCP employs a retransmission timer that controls the retransmission time.
– When TCP sends a segment, it creates a retransmission timer for that particular segment
• If the timer goes off before the acknowledgement arrives, the segment is retransmitted and the timer is reset
• TCP uses a dynamic retransmission time
– The retransmission time is different for each connection
– The retransmission time may change during the same connection
• A classic rule of thumb for the retransmission time: 2 x RTT (modern stacks follow RFC 6298 and derive it from the smoothed RTT plus four times the RTT variance)
Round Trip Time (RTT) Calculation
• 2 methods
– TCP uses the timestamp option
• 10-byte option
– TCP sends a segment, starts a timer, and waits for an acknowledgement
• Measure the time between the sending of the segment and the receiving of the acknowledgement
• Smoothed estimate: RTT = α x previous RTT + (1 - α) x current RTT (α usually 90%, so each new measurement moves the estimate by a tenth of the difference)
Hubs
• A hub is no more than a repeating device operating at layer 1 (physical layer) of the OSI model
• A hub takes the bits sent from one port and transmits (repeats) them to every other port on the device
• Because a hub generates a lot of unnecessary traffic, lets every attached host see every frame (trivial sniffing), and can operate only in half-duplex mode, it is not typically used in modern networks (switches are used instead)
Switches
• Like a hub, a switch forwards frames between its ports
• Unlike a hub, a switch (a full-duplex device) sends a frame only to the port of the computer for which it is intended (rather than repeating it to every port)
• Switches operate at layer 2 (data link layer) of the OSI model
• Switches store the layer 2 address (MAC address) of every connected device in a CAM table
Routers
• Routers operate on the layer 3 (Network layer) of the OSI model
 Routers use IP addresses (layer 3) to uniquely identify devices on a
network
Traffic Classification
• Broadcast
– Broadcast traffic is sent to all ports on a network segment
• Each broadcast domain extends until it reaches a router
• Broadcast packets circulate only within their broadcast domain
– Layer 2 broadcast: the MAC address FF:FF:FF:FF:FF:FF is the reserved broadcast address
– Layer 3 broadcast: the highest address in the subnet is reserved for use as the broadcast address
• IP: 192.168.0.xxx
• Subnet mask: 255.255.255.0
• Broadcast address: 192.168.0.255
• Multicast: sent to the set of hosts that have joined a multicast group
• Unicast: sent to a single destination
Router Paths and Packet Switching
• As a packet travels from one networking device to another
– The source and destination IP addresses NEVER change (unless a NAT device rewrites them, see the NAT slides)
– The source and destination MAC addresses CHANGE as the packet is forwarded from one router to the next (the frame is rebuilt at every hop)
– The TTL field is decremented by one at each router until a value of zero is reached, at which point the router discards the packet (prevents packets from endlessly traversing the network)
Source: CISCO Network Academy
http://www.cisco.com/en/US/products/hw/routers/ps282/products_tech_note09186a008035b051.shtml
Path Determination and Switching
Example
• PC1 wants to send something to PC2
– Step 1: PC1 encapsulates the packet into a frame; the frame's destination MAC address is R1's MAC (its default gateway)
Source: CISCO Network Academy
Path Determination and Switching
Example
• Step 2:
– R1 sees that the destination MAC address matches its own MAC
– R1 then strips off the Ethernet frame
– R1 examines the destination IP
– R1 consults its routing table looking for the destination IP
• After finding the destination IP in the routing table, R1 now looks up the next-hop address
– R1 re-encapsulates the IP packet in a new Ethernet frame (source MAC = R1's Fa0/1, destination MAC = the next hop's)
– R1 forwards the Ethernet frame out the Fa0/1 interface
Source: CISCO Network Academy
Path Determination and Switching
Example
Source: CISCO Network Academy
Path Determination and Switching
Example
• Step 3 – Packet arrives at R2
– R2 receives the Ethernet frame
– R2 sees that the destination MAC address matches its own MAC
– R2 then strips off the Ethernet frame
– R2 examines the destination IP
– R2 consults its routing table looking for the destination IP
• After finding the destination IP in the routing table, R2 now looks up the next-hop IP address
– R2 re-encapsulates the IP packet in a new data link frame (PPP, since S0/0 is a serial link)
– R2 forwards the frame out the S0/0 interface
Source: CISCO Network Academy
Path Determination and Switching
Example
• Step 4 – Packet arrives at R3
– R3 receives the PPP (Point-to-Point Protocol) frame
– R3 then strips off the PPP frame
– R3 examines the destination IP
– R3 consults its routing table looking for the destination IP
• After finding the destination IP in the routing table, R3 figures out that it is directly connected to the destination via its Fast Ethernet interface
– R3 re-encapsulates the IP packet in a new Ethernet frame (destination MAC = PC2's MAC)
– R3 forwards the Ethernet frame out the Fa0/0 interface
• Step 5 – IP packet arrives at PC2
– The frame is decapsulated and the packet is processed by the upper-layer protocols
Source: CISCO Network Academy
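The five steps above and the "Router Paths and Packet Switching" rules, run as a simulation. This is an added example, not code from the lecture or from the Cisco material it cites: the topology (PC1, R1, R2, R3, PC2), the addresses, MAC addresses, interface names and routing tables are all assumptions made for the example. It performs a longest-prefix-match lookup at each hop, rebuilds the layer 2 header every hop, leaves the IP addresses untouched, and decrements TTL at each router, dropping the packet when TTL reaches zero.

```python
"""Hop-by-hop forwarding of one IP packet from PC1 through R1, R2, R3 to PC2.

Added example, not from the lecture or the Cisco material it cites.  The
topology, addresses, MAC addresses and interface names are assumptions made
for this example.
"""
import ipaddress

# Assumed topology.  ifaces: name -> (ip, mac); a PPP serial link has no MAC.
# routes: (prefix, next_hop or None if directly connected, outgoing interface).
NODES = {
    "PC1": {"ifaces": {"eth0": ("192.168.1.10", "00:00:00:00:00:10")},
            "routes": [("0.0.0.0/0", "192.168.1.1", "eth0")]},
    "R1": {"ifaces": {"Fa0/0": ("192.168.1.1", "00:00:00:00:01:00"),
                      "Fa0/1": ("10.1.1.1", "00:00:00:00:01:01")},
           "routes": [("192.168.1.0/24", None, "Fa0/0"), ("10.1.1.0/30", None, "Fa0/1"),
                      ("0.0.0.0/0", "10.1.1.2", "Fa0/1")]},
    "R2": {"ifaces": {"Fa0/0": ("10.1.1.2", "00:00:00:00:02:00"),
                      "S0/0": ("10.2.2.1", None)},
           "routes": [("10.1.1.0/30", None, "Fa0/0"), ("10.2.2.0/30", None, "S0/0"),
                      ("192.168.2.0/24", "10.2.2.2", "S0/0"), ("0.0.0.0/0", "10.1.1.1", "Fa0/0")]},
    "R3": {"ifaces": {"S0/0": ("10.2.2.2", None),
                      "Fa0/0": ("192.168.2.1", "00:00:00:00:03:00")},
           "routes": [("10.2.2.0/30", None, "S0/0"), ("192.168.2.0/24", None, "Fa0/0"),
                      ("0.0.0.0/0", "10.2.2.1", "S0/0")]},
    "PC2": {"ifaces": {"eth0": ("192.168.2.20", "00:00:00:00:00:20")},
            "routes": [("0.0.0.0/0", "192.168.2.1", "eth0")]},
}
# IP -> (node, interface): the answer ARP would give on each link.
NEIGHBOUR = {ip: (node, ifname) for node, n in NODES.items()
             for ifname, (ip, _mac) in n["ifaces"].items()}


def longest_prefix_match(node: str, dst_ip: str):
    """Most specific matching route; a default route (/0) matches anything."""
    target, best = ipaddress.ip_address(dst_ip), None
    for prefix, next_hop, ifname in NODES[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop or dst_ip, ifname)   # connected: hop is the host itself
    if best is None:
        raise LookupError(f"{node}: no route to {dst_ip}")
    return best[1], best[2]


def forward(src: str, dst: str, ttl: int = 64, max_hops: int = 16) -> dict:
    """Simulate the trip; returns the final IP header and a per-hop trace."""
    packet = {"src": NODES[src]["ifaces"]["eth0"][0],
              "dst": NODES[dst]["ifaces"]["eth0"][0], "ttl": ttl}
    node, trace = src, []
    for _ in range(max_hops):
        if packet["dst"] in (ip for ip, _ in NODES[node]["ifaces"].values()):
            trace.append({"node": node, "event": "delivered", "ttl": packet["ttl"]})
            break
        if node != src:                      # routers decrement TTL; the sending host does not
            packet["ttl"] -= 1
            if packet["ttl"] == 0:
                trace.append({"node": node, "event": "discarded (TTL exceeded)", "ttl": 0})
                break
        next_hop, out_if = longest_prefix_match(node, packet["dst"])
        peer, peer_if = NEIGHBOUR[next_hop]
        # New layer-2 header at every hop; the layer-3 src/dst are never touched.
        trace.append({"node": node, "event": "forwarded", "out": out_if,
                      "src_mac": NODES[node]["ifaces"][out_if][1],
                      "dst_mac": NODES[peer]["ifaces"][peer_if][1],
                      "ttl": packet["ttl"]})
        node = peer
    return {"packet": packet, "trace": trace}


if __name__ == "__main__":
    for hop in forward("PC1", "PC2")["trace"]:
        print(hop)
```

The R2 to R3 hop has no MAC addresses in its trace entry because the link is PPP, matching step 4 on the slide; running forward with ttl=2 shows R2 discarding the packet instead of forwarding it.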
Network Address Translation (NAT)
• NAT is a technology providing the mapping between private and universal (globally routable) addresses
[Figure: a site using private addresses (172.18.3.1, 172.18.3.2, ..., 172.18.3.20) behind a NAT router with the global address 200.24.5.8. An outgoing packet with source 172.18.3.1 leaves for the Internet with source 200.24.5.8; the reply with destination 200.24.5.8 is rewritten to destination 172.18.3.1]
Network Address Translation (NAT)
• With a single global address (200.24.5.8), NAT uses port numbers for many-to-many communication between private-network hosts and external server programs: the translation table maps each (private address, private port) pair to (global address, assigned global port), and replies are demultiplexed by the global port
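The port-based translation table described above, as an added example that is not code from the lecture. The private site 172.18.3.0/24 and the global address 200.24.5.8 follow the lecture's figure; the external server 25.8.3.2, the port numbers and the port-allocation policy are assumptions. It also shows the side effect a security engineer relies on: an inbound packet with no matching table entry is dropped.

```python
"""Port-based NAT (NAPT) translation table.

Added example, not from the lecture slides.  The private site 172.18.3.0/24
and the global address 200.24.5.8 follow the lecture's figure; the external
server 25.8.3.2, the port numbers and the port-allocation policy are assumptions.
"""

PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))   # RFC 1918


def _ip_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 blocks (never routed on the Internet)."""
    value = _ip_int(addr)
    return any(value >> (32 - n) == _ip_int(base) >> (32 - n) for base, n in PRIVATE_BLOCKS)


class Napt:
    def __init__(self, global_ip: str, first_port: int = 10000):
        self.global_ip = global_ip
        self.next_port = first_port
        # (private ip, private port, external ip, external port) -> global port
        self.outbound_map = {}
        # (global port, external ip, external port) -> (private ip, private port)
        self.inbound_map = {}

    def translate_outbound(self, pkt: dict) -> dict:
        """Private -> global: rewrite source address and port, recording the mapping."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        gport = self.outbound_map.get(key)
        if gport is None:
            gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = gport
            self.inbound_map[(gport, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.global_ip, "sport": gport}

    def translate_inbound(self, pkt: dict):
        """Global -> private: only packets matching an existing mapping get in;
        unsolicited inbound traffic has no entry and is dropped (returns None)."""
        if pkt["dst"] != self.global_ip:
            return None
        entry = self.inbound_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}


if __name__ == "__main__":
    nat = Napt("200.24.5.8")
    out1 = nat.translate_outbound({"src": "172.18.3.1", "sport": 1400, "dst": "25.8.3.2", "dport": 80})
    out2 = nat.translate_outbound({"src": "172.18.3.2", "sport": 1400, "dst": "25.8.3.2", "dport": 80})
    print(out1, out2)
    print(nat.translate_inbound({"src": "25.8.3.2", "sport": 80, "dst": "200.24.5.8", "dport": out2["sport"]}))
```

Two private hosts using the same source port 1400 toward the same server receive different global ports, which is what lets the reply for each be sent back to the right host. The TCP and IP checksums would also have to be recomputed after the rewrite; that step is omitted here.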
Address Resolution Protocol (ARP)
• ARP (Address Resolution Protocol)
– In TCP/IP, a protocol for obtaining the physical (MAC) address of a node when the Internet (IP) address is known
• ARP messages are carried directly in Ethernet frames with Type 0x0806:
Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data (ARP message) | CRC (4 bytes)
Example
ARP Redirection
• ARP cache poisoning
– No state info about the ARP traffic is kept in a system: a host accepts a reply whether or not it sent a request
– Attacker sends spoofed ARP replies to certain devices
• The victim's ARP cache entry is overwritten with the attacker's MAC address, so traffic for that IP is redirected through the attacker (man-in-the-middle)
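The ARP frame layout from the ARP slide and the poisoning attack above, in code: a builder and parser for Ethernet/ARP frames, and a monitor that keeps the state a plain host does not keep (which IPs it asked about, and the previous binding) to flag a spoofed reply. This is an added example and not code from the lecture; the frames are constructed inside the block and the addresses and MACs are assumptions.

```python
"""Build and parse Ethernet/ARP frames, and flag ARP cache poisoning.

Added example, not from the lecture slides.  All frames are constructed here:
a host asks for its gateway's MAC, the gateway replies, then an attacker sends
a spoofed reply claiming the gateway's IP.  Addresses and MACs are assumptions.
"""
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

HOST_IP, HOST_MAC = "192.168.0.10", "02:00:00:00:00:10"
GW_IP, GW_MAC = "192.168.0.1", "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:66"


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op) -> bytes:
    """Ethernet header (dst, src, type 0x0806) + 28-byte ARP message.  The
    preamble/SFD and CRC are added by the NIC, so they are not in this buffer."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype Ethernet, ptype IPv4, hlen, plen, op
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    result = {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "type": ethertype}
    if ethertype == ETHERTYPE_ARP:
        if len(frame) < 42:
            raise ValueError("truncated ARP message")
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("unsupported ARP hardware/protocol type")
        body = frame[22:42]
        result["arp"] = {"op": op,
                         "sender_mac": bytes_to_mac(body[0:6]), "sender_ip": bytes_to_ip(body[6:10]),
                         "target_mac": bytes_to_mac(body[10:16]), "target_ip": bytes_to_ip(body[16:20])}
    return result


class ArpMonitor:
    """Mirror of a host's ARP cache plus the checks a plain host does not make."""

    def __init__(self):
        self.cache = {}          # ip -> mac, overwritten on every reply like a real cache
        self.pending = set()     # ips we have asked about (a stock host keeps no such state)
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one frame; returns an alert string for a suspicious reply, else None."""
        parsed = parse_frame(frame)
        if "arp" not in parsed:
            return None
        arp = parsed["arp"]
        if arp["op"] == ARP_REQUEST:
            self.pending.add(arp["target_ip"])
            return None
        ip, mac, alert = arp["sender_ip"], arp["sender_mac"], None
        known = self.cache.get(ip)
        if parsed["src_mac"] != mac:
            alert = f"{ip}: frame source {parsed['src_mac']} differs from ARP sender {mac}"
        elif known is not None and known != mac:
            alert = f"{ip}: binding changed from {known} to {mac} (possible ARP poisoning)"
        elif ip not in self.pending:
            alert = f"{ip}: unsolicited reply from {mac}"
        if alert:
            self.alerts.append(alert)
        self.pending.discard(ip)
        self.cache[ip] = mac     # a stateless host accepts the reply regardless
        return alert


if __name__ == "__main__":
    mon = ArpMonitor()
    for frame in (build_arp(HOST_MAC, HOST_IP, BROADCAST_MAC, GW_IP, ARP_REQUEST),
                  build_arp(GW_MAC, GW_IP, HOST_MAC, HOST_IP, ARP_REPLY),
                  build_arp(ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP, ARP_REPLY)):
        print(mon.observe(frame), mon.cache)
```

The monitor still overwrites its cache with the attacker's MAC, exactly as the slide describes for a real host; the alert is the only thing the added state buys you, which is why tools such as arpwatch and switch features like dynamic ARP inspection exist.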
Domain Name Service (DNS)
• People prefer to use names instead of numeric addresses
• So, need a system that maps a name to an address or an
address to a name
[Figure: name resolution steps]
• 1: The user passes the host name to the application program
• 2: The application passes the host name to the DNS resolver
• 3: The resolver sends a query to a DNS server
• 4: The DNS server returns a response
• 5: The resolver passes the IP address to the application
• 6: The application passes the IP address to the transport layer
POP3, SMTP
• POP3: Post Office Protocol, Version 3
• IMAP4: Internet Message Access Protocol, Version 4
– POP3 and IMAP4 are used by the receiver to pull mail from the receiver's mail server
• SMTP: Simple Mail Transfer Protocol
– for communication between the sender and the sender's mail server
– for communication between the 2 mail servers
Backup Slides
Linksys Router – WRT54G
Packet Analysis Programs
• tcpdump
• OmniPeek
• Wireshark
Regarding Multicast
• Every Ethernet frame with its destination in the range 01-00-5e-00-00-00 ~ 01-00-5e-7f-ff-ff contains data for a multicast group
– The prefix 01-00-5e identifies the frame as multicast
– The next bit is always 0
– So, the upper 25 bits of the MAC address are fixed. Only the lower 23 bits (of the 48-bit MAC address) are used for the multicast address
• Multicast group addresses are 28 bits long (224.0.0.0/4)
– The lower 23 bits of the IP multicast group are placed in the frame (the 5 high-order bits are ignored), resulting in 32 different multicast groups being mapped to the same Ethernet address
http://www.tldp.org/HOWTO/Multicast-HOWTO-2.html
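The IP-to-MAC mapping above and its 32-to-1 collision, as an added example that is not code from the lecture or the linked HOWTO. The group addresses used in the usage lines are assumptions; the mapping rule itself is the one stated on the slide.

```python
"""IPv4 multicast group -> Ethernet multicast MAC mapping, and the 32-to-1 collision.

Added example, not from the lecture slides or the linked HOWTO.
"""


def _ip_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _int_ip(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def multicast_mac(group: str) -> str:
    """01:00:5e + a 0 bit + the low 23 bits of the group address."""
    ip = _ip_int(group)
    if ip >> 28 != 0b1110:                          # 224.0.0.0/4
        raise ValueError(f"{group} is not a class D (multicast) address")
    mac = (0x01005E << 24) | (ip & 0x7FFFFF)         # upper 25 bits fixed
    return ":".join("%02x" % ((mac >> s) & 0xFF) for s in (40, 32, 24, 16, 8, 0))


def is_multicast_mac(mac: str) -> bool:
    """True for 01:00:5e:00:00:00 .. 01:00:5e:7f:ff:ff (bit 23 must be 0)."""
    value = int(mac.replace(":", ""), 16)
    return value >> 23 == (0x01005E << 1)


def colliding_groups(group: str) -> list:
    """All 32 groups that share this group's MAC: the 5 high-order bits of the
    28-bit group id are dropped, so 2^5 group addresses map to one frame address."""
    low23 = _ip_int(group) & 0x7FFFFF
    return [_int_ip((0b1110 << 28) | (k << 23) | low23) for k in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.255.255.250", "224.128.0.1", "225.0.0.1"):   # assumed groups
        print(g, multicast_mac(g))
    print(colliding_groups("224.0.0.1"))
```

Because the NIC filters on the MAC address only, a host joined to 224.0.0.1 also receives frames for 225.0.0.1 and 224.128.0.1 and has to discard them at the IP layer, which is why the collision matters.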