Networking protocols and administration ITV8030

About This Presentation

Title:

Networking protocols and administration ITV8030

Description:

SYN attacks with rate of only 500 SYN packets per second are enough strong to ... Routers exchange control packets to reflect changes, such as topology changes in ... – PowerPoint PPT presentation

Number of Views:34

Avg rating:3.0/5.0

Slides: 82

Provided by: tane150

Category:

more less

Transcript and Presenter's Notes

Title: Networking protocols and administration ITV8030

1
Networking protocolsand administrationITV8030

Introductory lecture

2
Intro lecture plan

Goals of the course, materials, etc
Defence motivation brief overview of DOS
Refresher
Protocol layers
ISO-OSI general protocol stack
Internet protocol stack
Internet addresses
Layers
Reserved and special addresses
Private networks
Subnets
CIDR

3
Goals of the course

Learn core internet standards/protocols
Addressing
IP
TCP, UDP
ICMP, ARP, DHCP, ...
Learn how crucial methods work routing, NAT,
firewalls, ...
Learn some network administration

4
Not in the course scope

Communication physics frequencies, ...
Underlying low-level comms ATM, Wifi, ...
Upper-level application protocols http, ftp, ...
Cryptography
Actual defence

5
Who creates internet standards?

Application level (not in course scope)
W3C
major software vendors
Internet level (data transmission, this course)
IETF (internet engineering task force)
Internet Architecture Board (IAB), IASA, IRTF,
...
major router vendors
administrative organisations (IANA, RIPE, ...)

6
Course organisation

Lectures
Practical work
Detailed plan of lectures and labs will be
created/tuned during the course, depending on
Background of students
Speed of grasping the principles
Progress of labs

7
Background assumptions

Passed a wide-scope networking course (f.ex based
on Stallings)
Passed a mid-level programming course
Passed system administration course (Kääramees)
Highly recommended passed a C course

8
Materials

Course web site www.lambda.ee/index.php/Andme
side_protokollid
Will use several
Books
Materials on web (wikipedia, RFC-s, ...)
Course materials (ppt, pdf) from CISCO and other
universities
Recommended books
C. Hunt "TCP/IP network administration"
D.Comer, S.Stevens "Internetworking with TCP/IP"
Stallings "Data and computer communications"

9
Requirements for passing

Exam lab results
Details will be determined during April,
depending on student background and progress

10
Security-oriented motivation

Crucial security issues depend on protocol
details
DOS uses TCP SYN flood, etc
Most attacks use spoofing
...
Countermeasures and administration requires
detailed understanding of
protocols
core techniques

11
Denial of service example

Currently prevailing attack type DOS attack
A set of attacks intended to consume the
resources of a remote host or network, thereby
denying or degrading service to legitimate users
Let us see some excerpts from DOS attack
explanations just for basic motivation

12
Attack classification

System Attacked
Firewall, Router, Load Balancer, WEB Server,
DBs
Part of the System Attacked
Network Card, CPU, Storage
Operating System, TCP/IP Stack
Bug or Overload
Bugs, Configuration Error

13
DOS attack taxonomy
14
Flooding DOS attacks
15
SYN attack based on TCP

Recent experiments shown that
SYN attacks with rate of only 500 SYN packets per
second are enough strong to overwhelm a server
Even a specialized firewall, which is designed to
resist SYN floods, becomes futile under a flood
of 14,000 packets per second

16
some SYN stats

Graph analysis
50 of attacks are less than 10 minutes
80 are less than 30 minutes
90 last less than an hour
Most of the DoS attacks are not likely last long
Duration in interval 3- 30 minutes

17
SYN attack idea (TCP-based)

SYN Flooding
Using the Three-way handshake mechanism of TCP
gt During 75 seconds of half-open state,
gt Limited number of half-open connections per
port
maintained by Memory backlog queue.
As long as backlog queue limit is reached,
discard new connection requests from any clients
Usually SYN packet has spoofed source address
gt A victim server never receives the final
ACK packet,
gt Keep waiting until the times up.

18
SMURF attack idea (ICMP-based)

Smurf
Using a forged ICMP Echo Request packet
gt Three parties A attacker, Intermediary,
A victim
gt Setting source address by targeting machine
address,
gt ICMP type field as 8, and broadcast to
intermediary network.
After receiving a redirected ICMP Echo Request,
each machine of the Intermediary will send ICMP
Echo reply by setting type field 0 to the
victim.
Intermediary also experience unintended heavy
traffic

19
TEARDROP idea (IP fragmentation)

Teardrop
Using a IP fragmentation mechanism
gt If there is too large packet to be handled
by next
router, then divide into fragments.
gt Each fragment will be identified by offset
when
needs to be re-assembly
gt Attacker put some confusing offset value in
the
second or later fragment.
gt If the receiving O.S. doesnt have plan for
this
situation, it cause the system to crash.
minor effect, a simple reboot will recover the
system

20
Bad control packets (routing)

Bad control packets
A malicious router generates a sequence of bad
control packets
Control packets are ordered according to the SN
such that one is fresher than another and thus
is formed a cycle
Because control packets receive a higher priority
than data packets, routers spent more of their
time handling these routing updates

21
Black holes (routing)

Black Holes
Routers exchange control packets to reflect
changes, such as topology changes in the network
A Black Hole router sends out routing updates
claiming that it is on a zero-cost (or low cost)
path to all destinations
Black Hole router drops the packets that receive
from its neighbors

22
Refresher networking levels

Applications http, ftp, ...
Finding addresses DNS
Creating channel, using ports TCP, UDP
Sending and routing packets IP, ICMP, ARP, ...
Local network typically ethernet
Hardware

23
Protocols/layers

Slides from Stallings

24
Main comm layering idea

25
Packets and header layers
26
Protocol layers add headers

27
OSI layers
28
OSI layers/headers
29
Internet layers

Internet layers are not exactly like ISO-OSI
layers
Most of the ISO-OSI layers are missing or merged
Normal internet layers with three headers
Raw data using application-specific encoding
TCP or UDP header (ports and control)
IP header (addressing)
Ethernet frame header and trailer (local
network, not wide-area)
Slides from CISCO

30
History and Future of TCP/IP

The U.S. Department of Defense (DoD) created the
TCP/IP reference model because it wanted a
network that could survive any conditions.
Some of the layers in the TCP/IP model have the
same name as layers in the OSI model.

31
Application Layer

Handles high-level protocols, issues of
representation, encoding, and dialog control.
The TCP/IP protocol suite combines all
application related issues into one layer and
ensures this data is properly packaged before
passing it on to the next layer.

32
Application Layer Examples
33
Transport Layer

Five basic services
Segmenting upper-layer application data
Establishing end-to-end operations
Sending segments from one end host to another end
host
Ensuring data reliability
Providing flow control

34
Transport Layer Protocols
35
Internet Layer
The purpose of the Internet layer is to send
packets from a network node and have them arrive
at the destination node independent of the path
taken.
36
Network Access Layer

The network access layer is concerned with all of
the issues that an IP packet requires to actually
make a physical link to the network media.
It includes the LAN and WAN technology details,
and all the details contained in the OSI physical
and data link layers.

37
Comparing the OSI Model and TCP/IP Model
38
Similarities of the OSI and TCP/IP Models

Both have layers.
Both have application layers, though they include
very different services.
Both have comparable transport and network
layers.
Packet-switched, not circuit-switched, technology
is assumed.
Networking professionals need to know both
models.

39
Differences of the OSI and TCP/IP Models

TCP/IP combines the presentation and session
layer into its application layer.
TCP/IP combines the OSI data link and physical
layers into one layer.
TCP/IP appears simpler because it has fewer
layers.
TCP/IP transport layer using UDP does not always
guarantee reliable delivery of packets as the
transport layer in the OSI model does.

40
Internet Architecture

Two computers, anywhere in the world, following
certain hardware, software, protocol
specifications, can communicate, reliably even
when not directly connected.
LANs are no longer scalable beyond a certain
number of stations or geographic separation.

41
Addressing

Several kinds of addresses are used in the normal
internet activities
MAC address ("ethernet card address", like
0123456789ab)
six bytes
used in a local network
IP address (like 234.14.189.23)
four bytes for IPv4, sixteen bytes for IPv6
used for actual routing of packets worldwide
mapped to MAC address by ARP and RARP services in
local system
Host name (like www.ttu.ee)
not used for actual routing of packets
mapped to IP address by the worldwide DNS server
system

42
Internet addresses

Basic internet address and related issues
4-byte integer
Every machine on the internet must have a unique
address to which packets are sent
IP addresses of a machine may change (f.ex. DHCP)
Routing is a complex problem, tables grow big
Every machine has ports (two-byte integer) to
which applications are connected
Four-byte addresses are not enough
Network address translation (NAT) may map/change
addresses when packet is entering a local system
Using slides and materials from
Univ of Virginia / Univ of Toronto
CISCO
Wikipedia
some other presentations

43
IP Address

An IP address is a 32-bit sequence of 1s and 0s.
To make the IP address easier to use, the address
is usually written as four decimal numbers
separated by periods.
This way of writing the address is called the
dotted decimal format.

44
IP Addresses in packets
45
IP Addresses example
46
IP addresses contain two parts

4-byte IP address contains two parts
Network address (routers know how to send packet
to that network)
Host number (only local router knows how to send
data inside local network)
Three historic phases for hierachy organisation
Two fixed-length parts (very early) byte 1 (8
bits) for network, bytes 2-4 (24 bits) for host
Fixed types (A, B, C, D, E) of network addresses
Flexible selection of network address and local
address parts (since 1993)

network prefix
host number
47
Example

Example ellington.cs.virginia.edu
Network address is 128.143.0.0 (or 128.143)
Host number is 137.144
Netmask is 255.255.0.0 (or ffff0000)
Prefix or CIDR notation 128.143.137.144/16
Network prefix is 16 bits long

128.143
137.144
48
Why two parts? For routing!

Routers must select next hop for packet
Get route information from other routers via a
routing protocol (RIP, OSPF, EIGRP etc.)
Store routing information in a table
In the simplest form, each network has one entry
in the table
Note the following are non-routable
private networks 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16
Loopback 127.0.0.0/24

49
Coming up using two address parts

Next we will cover these addressing issues
Old-style address splitting A, B, C, D, E
classes
Special and reserved addresses
Private addresses
Subnetting host number may again be split into
(local) subnet and host number in this subnet
Modern address splitting CIDR (classless
interdomain routing)
Brief intro to IPv6

50
Internet Address Classes
51
Internet Address Classes

52
Who has A,B,C addresses?

A class IANA, APNIC, RIPE, legacy (US military,
Xerox, IBM, Apple, Ford, ...). See
http//www.iana.org/assignments/ipv4-address-space
for the full list
B class organisations with clear need (more than
32 subnets, more than 4096 hosts) very hard to
get
C class all others, assigned hierarchically.
Lower half of space divided regionally
192.0.0 - 193.255.255 Multi-regional
194.0.0 - 195.255.255 Europe
196.0.0 - 197.255.255 Others
198.0.0 - 199.255.255 North America
200.0.0 - 201.255.255 Central and South America
202.0.0 - 203.255.255 Pacific Rim
204.0.0 - 205.255.255 Others
206.0.0 - 207.255.255 Others
208.0.0 - 209.255.255 ARIN1
210.0.0 - 211.255.255 APNIC

Class summary

54
Special IP adresses

Loopback interfaces (packet sent back to sender)
all addresses 127.0.0.1 - 127.255.255.255
Most systems use 127.0.0.1 as loopback address
loopback interface is associated with name
localhost
Test / Experimental addresses
Certain address ranges are reserved for
experimental use. Packets should get dropped if
they contain this destination address (see RFC
3330)
128.0.0.0-128.0.255.255
191.255.0.0-191.255.255
192.0.0.0-192.0.0.255
192.0.2.0-192.0.2.255
223.255.255.0-223.255.255.255
240.0.0.0-240.0.0.255

55
Reserved IP Addresses

Certain host addresses are reserved and cannot be
assigned to devices on a network.
An IP address that has binary 0s in all host bit
positions is reserved for the network address.
An IP address that has binary 1s in all host bit
positions is reserved for the broadcast address

56
Reserved as private addresses

These ranges are not routable outside of private
networks, and private machines cannot directly
communicate with public networks. They can,
however, do so through network address
translation (NAT)
Name IP address range
number of IPs largest CIDR block
24-bit block 10.0.0.0 10.255.255.255
16,777,216 10.0.0.0/8
20-bit block 172.16.0.0 172.31.255.255
1,048,576 172.16.0.0/12
16-bit block 169.254.0.0 169.254.255.255
65,536 256 169.254.0.0/16
16-bit block 192.168.0.0 192.168.255.255
65,536 256 192.168.0.0/16
The ranges 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16 are reserved for private
networking by RFC 1918,
The 169.254.0.0/16 range is reserved for
Link-Local addressing as defined in RFC 3927.

57
Subnetting

Problem Organizations have multiple networks
which are independently managed
Solution 1 Allocate a separate network address
for each network
Difficult to manage
From the outside of the organization, each
network must be addressable.
Solution 2 Add another level of hierarchy to the
IP addressing structure

University Network
Engineering School
Medical School
Library
58
Address assignment with subnetting

Each part of the organization is allocated a
range of IP addresses (subnets or subnetworks)
Addresses in each subnet can be administered
locally

University Network
128.143.0.0/16
128.143.56.0/24
Engineering School
Medical School
128.143.71.0/24128.143.136.0/24
Library
128.143.121.0/24
59
Basic Idea of Subnetting

Split the host number portion of an IP address
into a subnet number and a (smaller) host number.
Result is a 3-layer hierarchy
Then
Subnets can be freely assigned within the
organization
Internally, subnets are treated as separate
networks
Subnet structure is not visible outside the
organization

network prefix
host number
subnet number
network prefix
host number
extended network prefix
60
Subnetmask

Routers and hosts use an extended network prefix
(subnetmask) to identify the start of the host
numbers

61
Advantages of Subnetting

With subnetting, IP addresses use a 3-layer
hierarchy
Network
Subnet
Host
Reduces router complexity. Since external routers
do not know about subnetting, the complexity of
routing tables at external routers is reduced.
Note Length of the subnet mask need not be
identical at all subnetworks.

62
Example Subnetmask

128.143.0.0/16 is the IP address of the network
128.143.137.0/24 is the IP address of the subnet
128.143.137.144 is the IP address of the host
255.255.255.0 (or ffffff00) is the subnetmask of
the host
When subnetting is used, one generally speaks of
a subnetmask (instead of a netmask) and a
subnet (instead of a network)
Use of subnetting or length of the subnetmask if
decided by the network administrator
Consistency of subnetmasks is responsibility of
administrator

63
No Subnetting

All hosts think that the other hosts are on the
same network

64
With Subnetting

Hosts with same extended network prefix belong to
the same network

65
With Subnetting

Different subnetmasks lead to different views of
the size of the scope of the network

66
Problems with Classful IP Addresses

By the early 1990s, the original classful address
scheme had a number of problems
Flat address space. Routing tables on the
backbone Internet need to have an entry for each
network address. When Class C networks were
widely used, this created a problem. By the 1993,
the size of the routing tables started to outgrow
the capacity of routers.
Other problems
Too few network addresses for large networks
Class A and Class B addresses were gone
Limited flexibility for network addresses
Class A and B addresses are overkill (gt64,000
addresses)
Class C address is insufficient (requires 40
Class C addresses)

67
Allocation of Classful Addresses
68
CIDR - Classless Interdomain Routing

IP backbone routers have one routing table entry
for each network address
With subnetting, a backbone router only needs to
know one entry for each Class A, B, or C networks
This is acceptable for Class A and Class B
networks
27 128 Class A networks
214 16,384 Class B networks
But this is not acceptable for Class C networks
221 2,097,152 Class C networks
In 1993, the size of the routing tables started
to outgrow the capacity of routers
Consequence The Class-based assignment of IP
addresses had to be abandoned

69
CIDR - Classless Interdomain Routing

Goals
New interpretation of the IP address space
Restructure IP address assignments to increase
efficiency
Permits route aggregation to minimize route table
entries
CIDR (Classless Interdomain routing)
abandons the notion of classes
Key Concept The length of the network prefix in
the IP addresses is kept arbitrary
Consequence Size of the network prefix must be
provided with an IP address

70
CIDR Notation

CIDR notation of an IP address
192.0.2.0/18
"18" is the prefix length. It states that the
first 18 bits are the network prefix of the
address (and 14 bits are available for specific
host addresses)
CIDR notation can replace the use of subnetmasks
(but is more general)
IP address 128.143.137.144 and subnetmask
255.255.255.0 becomes 128.143.137.144/24
CIDR notation allows to drop trailing zeros of
network addresses
192.0.2.0/18 can be written as 192.0.2/18

71
Why do people still talk about

CIDR eliminates the concept of class A, B, and C
networks and replaces it with a network prefix
Existing classful network addresses are converted
to CIDR addresses
128.143.0.0 ? 128.143.0.0/16
The change has not affected many (previously
existing) enterprise networks
Many network administrators (especially on
university campuses) have not noticed the change
(and still talk about classes A,B,C)
(Note CIDR was introduced with the role-out of
BGPv4 as interdomain routing protocol. )

72
CIDR address blocks

CIDR notation can nicely express blocks of
addresses
Blocks are used when allocating IP addresses for
a company and for routing tables (route
aggregation)
CIDR Block Prefix of Host
Addresses
/27 32
/26 64
/25 128
/24 256
/23 512
/22 1,024
/21 2,048
/20 4,096
/19 8,192
/18 16,384
/17 32,768
/16 65,536
/15 131,072
/14 262,144
/13 524,288

73
CIDR and Address assignments

Backbone ISPs obtain large block of IP addresses
space and then reallocate portions of their
address blocks to their customers.
Example
Assume that an ISP owns the address block
206.0.64.0/18, which represents 16,384 (214) IP
addresses
Suppose a client requires 800 host addresses
With classful addresses need to assign a class B
address (and waste 64,700 addresses) or four
individual Class Cs (and introducing 4 new routes
into the global Internet routing tables)
With CIDR Assign a /22 block, e.g.,
206.0.68.0/22, and allocated a block of 1,024
(210) IP addresses.

74
CIDR and Routing

Aggregation of routing table entries
128.143.0.0/16 and 128.144.0.0/16 are represented
as 128.142.0.0/15
Longest prefix match Routing table lookup finds
the routing entry that matches the longest prefix
What is the outgoing interface for
128.143.137.0/24 ?
Route aggregation can be exploited
when IP address blocks are assigned
in an hierarchical fashion

Routing table
75
CIDR and Routing Information
Company X 206.0.68.0/22
ISP X owns
206.0.64.0/18 204.188.0.0/15 209.88.232.0/21
Internet Backbone
ISP y 209.88.237.0/24
Organization z1 209.88.237.192/26
Organization z2 209.88.237.0/26
76
CIDR and Routing Information
Backbone routers do not know anything about
Company X, ISP Y, or Organizations z1, z2.
Company X 206.0.68.0/22
ISP X owns
ISP y sends everything which matches the prefix
209.88.237.192/26 to Organizations z1
209.88.237.0/26 to Organizations z2
ISP X does not know about Organizations z1, z2.
206.0.64.0/18 204.188.0.0/15 209.88.232.0/21
Internet Backbone
ISP X sends everything which matches the prefix
206.0.68.0/22 to Company X, 209.88.237.0/24 to
ISP y
ISP y 209.88.237.0/24
Backbone sends everything which matches the
prefixes 206.0.64.0/18, 204.188.0.0/15,
209.88.232.0/21 to ISP X.
Organization z1 209.88.237.192/26
Organization z2 209.88.237.0/26
77
IPv6 - IP Version 6

IP Version 6
Is the successor to the currently used IPv4
Specification completed in 1994
Makes improvements to IPv4 (no revolutionary
changes)
One (not the only !) feature of IPv6 is a
significant increase in of the IP address to 128
bits (16 bytes)
IPv6 will solve for the foreseeable future
the problems with IP addressing
1024 addresses per square inch on the surface of
the Earth.

78
IPv6 Header
79
IPv6 vs. IPv4 Address Comparison

IPv4 has a maximum of
232 ? 4 billion addresses
IPv6 has a maximum of
2128 (232)4 ? 4 billion x 4 billion x 4 billion
x 4 billion addresses

80
Notation of IPv6 addresses

Convention The 128-bit IPv6 address is written
as eight 16-bit integers (using hexadecimal
digits for each integer)
CEDFBP7632454464FACE2E503025DF12
Short notation
Abbreviations of leading zeroes
CEDFBP7600000000009E00003025DF12 ?
CEDFBP76009E 03025DF12
000000000000 can be written as
CEDFBP7600FACE03025DF12 ?
CEDFBP76FACE03025DF12
IPv6 addresses derived from IPv4 addresses have
96 leading zero bits. Convention allows to use
IPv4 notation for the last 32 bits.
808F8990 ? 128.143.137.144