Title: ITI 510
1. ITI 510 Computer Networks, Meeting 5
- Rutgers University Internet Institute
- Instructor: Chris Uriarte
2. ICMP: Internet Control Message Protocol
- ICMP is a message control and error-reporting protocol between a host or server and a gateway to the Internet.
- ICMP uses IP packets to transport its messages.
- ICMP messages are processed by the IP software portion of the operating system, and are not directly apparent to the application user.
3. ICMP Message Generation
- There are a number of situations that may cause an ICMP message to be generated:
  - A link to a host is down
  - A host is down or is not responding
  - The TTL (Time-to-Live) IP hop count has expired
- When an error is detected, the IP packet is discarded by the router and an ICMP message is returned directly to the source host.
4. Types of ICMP Error Messages
- There are several types of ICMP messages:
  - Destination Unreachable: a packet cannot reach its destination host, service or application. Usually caused by a network link, host or application being down.
  - Time Exceeded: the Time-To-Live for a packet has expired, i.e. the packet hit too many routers in its travels. Usually caused by routing loops.
  - Parameter Problem: some piece of data in the IP header just doesn't make sense.
  - Redirect: the router notifies the sending host to use another gateway for the desired path.
5. Transmission of ICMP Messages
- ICMP messages are sent in the data portion of an IP packet.
- The Protocol field in the IP packet is set to 1, signifying to a host that the data portion of the packet contains an ICMP message.
- The format of an ICMP message will vary based on the type of ICMP message.
6. When ICMP Messages are NOT Sent
- When a problem is encountered sending an ICMP message back to a host (we don't want ICMP errors to create more ICMP packets).
- When a problem is encountered with broadcast or multicast packets (packets sent to all hosts on a network), since we don't want multiple hosts responding with ICMP errors.
- For messages whose source address does not identify a unique host, like 0.0.0.0 or 127.0.0.1.
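The following is an added example, not part of the lecture slides: it builds an ICMP message the way slide 5 describes (IP Protocol field 1, type/code/checksum followed by a type-specific body), parses it back out of a constructed IPv4 packet, and then applies the three "do not send an ICMP error" rules from slide 6. The header layout and checksum follow RFC 792; the addresses and payloads are constructed for the example.

```python
import struct
import ipaddress

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, source quench, redirect, time exceeded, parameter problem

def icmp_checksum(data):
    """RFC 792 one's-complement sum of 16-bit words; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_message(icmp_type, code, body):
    """Type, code, checksum, then the type-specific body (slide 5: format varies by type)."""
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def ip_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (constructed; IP checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse(packet):
    """Return (src, dst, proto, icmp_type, checksum_ok); the ICMP fields are None unless proto == 1."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto != 1:                        # Protocol field 1 marks an ICMP payload
        return src, dst, proto, None, None
    icmp = packet[ihl:]
    return src, dst, proto, icmp[0], icmp_checksum(icmp) == 0   # an intact message sums to zero

def may_send_icmp_error(packet):
    """Apply the three suppression rules from slide 6 to a packet that caused an error."""
    src, dst, proto, icmp_type, _ = parse(packet)
    if proto == 1 and icmp_type in ICMP_ERROR_TYPES:
        return False                      # an ICMP error never triggers another ICMP error
    d = ipaddress.IPv4Address(dst)        # without a netmask only the limited broadcast is detectable
    if d.is_multicast or d == ipaddress.IPv4Address("255.255.255.255"):
        return False
    s = ipaddress.IPv4Address(src)
    return not (s.is_unspecified or s.is_loopback)   # 0.0.0.0 and 127.x do not name a unique host
# Constructed samples: an Echo Request (type 8) and a Time Exceeded error (type 11)
ECHO = ip_packet("128.6.4.1", "128.6.4.5", 1, icmp_message(8, 0, b"\x00\x01\x00\x01ping"))
EXPIRED = ip_packet("10.0.0.1", "128.6.4.5", 1, icmp_message(11, 0, b"\x00" * 4 + b"ip-hdr"))
```

A subnet-directed broadcast (e.g. 128.6.4.255 on a /24) can only be recognised with the interface netmask, which a real IP stack has and this example does not.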
7. The ping Utility
- Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests.
- Generally used for network troubleshooting and to verify connectivity between hosts.
- Ping uses the ICMP ECHO function, which simply sends ICMP messages round-trip between hosts. When a destination host receives an ICMP ECHO request, it returns an ICMP ECHO reply to the source host.
8. When ping is used
- Ping is typically used for two reasons:
  - To test whether a remote host is alive on a network
  - To test the round trip time between two hosts
- Used together, traceroute and ping are two very useful tools when performing network diagnostics.
9. Using ping
- Ping is available on Windows and UNIX platforms by issuing the ping command.
- Usage:
  - ping <hostname or IP address>
  - ping 128.6.6.4
  - ping www.rutgers.edu
10. Ping Results
- Ping returns output that shows the name of the host contacted, the number of packets sent, the size of the packet and the round trip time for each packet:

    C:\>ping www.rutgers.edu

    Pinging ncc1701.rutgers.edu [128.6.4.5] with 32 bytes:

    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240
    Reply from 128.6.4.5: bytes=32 time=10ms TTL=240

    Ping statistics for 128.6.4.5:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 10ms, Maximum = 10ms, Average = 10ms
11. DNS: The Domain Name Service
- IP addresses are usually paired with more human-friendly names through the Domain Name System (DNS):

    internet . rutgers . edu
    hostname  organization  top-level domain

- Other top-level domains include .com, .gov, .org, etc. There are also country-specific domains like .uk, .ca, .jp, etc.
12. DNS, cont.
- Domain name information is maintained through a distributed database of host name / IP address pairings.
- The Network Information Center (NIC) manages the top-level domains, delegates authority for second-level domains, and maintains a database of registered name servers for all second-level domains.
- Host name assignments are maintained through zone files on the primary DNS server. The secondary DNS server gets the zone file from the primary server.
13. DNS, cont.
- Network Solutions (previously the InterNIC) registers domain names; see http://www.networksolutions.com. Other registrars include Register.com.
- Costs range from $20 to $50 per year.
- ISPs are beginning to offer domain name registration as part of other packages.
- You need to register a primary and a secondary domain name server for your domain and arrange to have zone files created on the DNS servers.
14. DNS Overview: If DNS Servers Could Talk
15. Typical DNS Query Flow
- An end-user's PC queries its local DNS server (provided by their company or ISP) for the IP address associated with a hostname.
- If the local DNS server does not have the IP address locally available, it will contact the central root servers and ask for the DNS servers that do have information for that particular domain (the authoritative servers for that domain).
- The local DNS server will then issue a second query to the authoritative DNS server for that domain, which will return the correct IP address for the hostname.
- The local DNS server will return the correct IP address to the end-user PC that initiated the request.
16. DNS Caching
- When local DNS servers contact remote DNS servers for DNS queries, the local servers will cache information about that DNS zone (domain). Thus, subsequent queries don't require a query across the Internet every time a local PC needs DNS information for that domain.
- I.e. the first query for www.yahoo.com from a Rutgers PC will cause Rutgers's local DNS servers to cache yahoo.com DNS information, so subsequent queries on Rutgers networks do not require Rutgers nameservers to contact Yahoo's nameservers every time.
- The amount of time the zone information is cached is set by the authoritative DNS server for a domain.
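As an added example (not from the slides), the query flow of slide 15 and the caching behaviour of slide 16 can be simulated with a small local resolver: it asks constructed stand-ins for the root and authoritative servers, keeps the answer for exactly the TTL the authoritative server returned, and records every query it had to send across the Internet. The server names, addresses and TTL are made up for this example.

```python
# Constructed stand-ins for the root servers and one authoritative server; the
# server names, addresses and TTL are made up for this example.
ROOT_REFERRALS = {"yahoo.com": "ns1.yahoo.example"}       # zone -> its authoritative server
AUTHORITATIVE = {"ns1.yahoo.example": {"www.yahoo.com": ("192.0.2.10", 300)}}  # name -> (address, TTL)

class LocalResolver:
    """The company/ISP name server of slides 15-16: asks the root for a referral, asks the
    authoritative server for the answer, and caches both so later clients stay local."""

    def __init__(self, clock):
        self.clock = clock            # injectable time source so expiry can be exercised
        self.answers = {}             # name -> (address, expires_at)
        self.referrals = {}           # zone -> authoritative server (NS data also has a TTL in reality)
        self.remote_queries = []      # every query this server sent across the Internet

    @staticmethod
    def _zone_of(name):
        return ".".join(name.split(".")[-2:])

    def resolve(self, name):
        now = self.clock()
        hit = self.answers.get(name)
        if hit and hit[1] > now:      # step 1: answer from cache while the TTL has not run out
            return hit[0], "cache"
        zone = self._zone_of(name)
        auth = self.referrals.get(zone)
        if auth is None:              # step 2: ask the root who is authoritative for the zone
            self.remote_queries.append(("root", zone))
            auth = ROOT_REFERRALS.get(zone)
            if auth is None:
                return None, "no such zone"
            self.referrals[zone] = auth
        self.remote_queries.append((auth, name))       # step 3: ask the authoritative server
        record = AUTHORITATIVE[auth].get(name)
        if record is None:
            return None, "no such host"
        address, ttl = record
        self.answers[name] = (address, now + ttl)      # the TTL is chosen by the authoritative server
        return address, "authoritative"                # step 4: hand the address back to the PC
```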
17. Sending DNS Query Messages
- A DNS query packet is formed at the application layer.
- DNS is unique, as it can utilize either UDP/IP or TCP/IP to send a message.
- Uses UDP by default; if the message is too big (> 512 bytes), it will use TCP.
18. Types of DNS Records
- There are several types of DNS records that are kept by DNS servers:
  - A records give the IP address for a hostname.
  - CNAME records give aliases for hostnames (i.e. web.domain.com -> www.domain.com).
  - MX records give the IP address of the mail host for a hostname or domain (i.e. mail addressed to anyone @yahoo.com gets handled by the mail server mail.yahoo.com).
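The query packet that slide 17 says is "formed at the application layer" looks like this on the wire; the code below is an added example, not from the slides, and follows the RFC 1035 header and question layout with the record type numbers for the A, CNAME and MX types listed in slide 18. It also applies the slide 17 transport rule: UDP for messages up to 512 bytes, TCP (with the two-byte length prefix TCP DNS requires) for anything larger.

```python
import struct

QTYPE = {"A": 1, "CNAME": 5, "MX": 15}     # RFC 1035 type codes for the record types on slide 18
UDP_MAX = 512                                # classic DNS-over-UDP payload limit

def encode_name(hostname):
    """QNAME wire format: each label prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in [l for l in hostname.rstrip(".").split(".") if l]:
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(hostname, rtype, txid):
    """A standard recursive query: 12-byte header, then one question (QNAME, QTYPE, QCLASS=IN)."""
    flags = 0x0100                           # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, other counts 0
    return header + encode_name(hostname) + struct.pack("!HH", QTYPE[rtype], 1)

def transport_for(message):
    """Slide 17 rule: UDP by default, TCP when the message exceeds 512 bytes.
    Over TCP every DNS message is prefixed with its two-byte length."""
    if len(message) <= UDP_MAX:
        return "udp", message
    return "tcp", struct.pack("!H", len(message)) + message

def decode_name(data, offset):
    """Read an uncompressed QNAME back out of a message; returns (hostname, next_offset)."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
```

A single question can never exceed 512 bytes (a name is at most 255 octets), so in practice the TCP path is taken by large responses and zone transfers rather than by queries.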
19. DNS Tools
- There are several tools for monitoring DNS information:
  - whois tells you the owner and primary DNS servers associated with a domain (e.g. whois yahoo.com). Also available via web browser at www.networksolutions.com and other places on the web.
  - nslookup and host (host is only on UNIX machines) tell you IP address information for a particular hostname on the Internet (e.g. nslookup www.yahoo.com or host www.rutgers.edu).
20. DNS Exercise
- What are the IP addresses of the DNS servers that contain information about rutgers.edu?
- What are the IP addresses of:
  - www.retaildecisions.com
  - abusaday.admin.cju.com
  - www.linux.org
21. Network Security
- Security is, quite possibly, the hottest topic in network and systems infrastructure today.
- Increased use of the Internet and the extension of enterprise computing environments into network-based global infrastructures has required IT groups to look at security like they never have before.
- Recent innovations that greatly affect security:
  - Heavy dependence on the Internet
  - Telecommuting
  - Invasive client programs like Napster, Instant Messenger, etc.
  - Electronic mail
- In most organizations today, security must be a core competency, rather than a specialty.
22. What type of attacks are we afraid of?
- Opportunistic attacks
  - Hackers take advantage of holes in an infrastructure to gain access to or bring down a network.
- Targeted attacks
  - Competitors attempt to gain trade secrets.
  - Malicious users specifically target an organization (ex-employees, disgruntled customers, etc.).
- Internal attacks
  - Employees attempt to get access to information or resources they should not have access to.
- Distributed network attacks
  - Exploits that spread from one infected computer to another.
23. Business Risks
- Insecure systems and networks can cause:
  - System downtime (loss of productivity and/or direct loss of revenue)
  - Loss of critical business information due to lost or damaged systems
  - Distribution of trade secrets and customer data
24. Types of Network Attacks
- There are a number of different types of attacks that we see on computer networks today. Some of those include:
  - Denial of Service attacks
  - Viral attacks
  - Distributed network attacks
  - Data sniffing
25. Denial of Service Attacks
- Denial of Service (DoS) attacks are network attacks targeted at network hosts, including servers, routers and switches.
- Typically targeted at networks attached to the Internet.
- The goal is to cripple a device or network so that external users no longer have access to your network resources.
- Without hacking password files or stealing sensitive data, a denial-of-service hacker simply fires up a program that will generate enough traffic to your site that it denies service to the site's legitimate users.
26. Popular DoS Attacks
- TCP SYN Floods: a client computer initiates a large number of TCP/IP connections to a host, but purposely does not implement the TCP protocol correctly. The client sends a SYN packet to initiate the connection, but never responds to the server's SYN-ACK response. This floods buffers (memory segments) on the server and stops it from being able to take additional connections.
- Broadcast Storms: a large number of packets are rapidly sent to all computers on a network, flooding the network with a large amount of traffic.
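From the defender's side, the SYN flood pattern described above is visible as handshakes that never complete. The following added example (not from the slides) tracks half-open connections per source the way a server's connection table would, over a constructed list of (source address, source port, TCP flags) events, and flags sources whose count exceeds a threshold; the addresses, ports and threshold are made up for the example.

```python
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10        # TCP flag bits

def half_open_per_source(events):
    """Track handshakes as a server would: a SYN opens a pending entry and the
    client's ACK completes it. Returns how many entries are still pending per source.
    `events` are (src_ip, src_port, flags) tuples in arrival order."""
    pending = defaultdict(set)
    for src, sport, flags in events:
        if flags & SYN and not flags & ACK:       # client SYN: half-open until ACKed
            pending[src].add(sport)
        elif flags & ACK:                          # handshake completed (or a later data ACK)
            pending[src].discard(sport)
    return Counter({src: len(ports) for src, ports in pending.items() if ports})

def flag_syn_flood_sources(events, threshold):
    """Sources with more than `threshold` half-open connections (constructed policy value)."""
    return sorted(src for src, n in half_open_per_source(events).items() if n > threshold)

# Constructed sample traffic: a well-behaved client that completes its five handshakes,
# and one source that opens 50 connections and never sends the final ACK.
GOOD = [("128.6.4.1", p, SYN) for p in range(40000, 40005)] + \
       [("128.6.4.1", p, ACK) for p in range(40000, 40005)]
BAD = [("203.0.113.7", p, SYN) for p in range(50000, 50050)]
```

Floods commonly arrive with forged source addresses, so a per-source count is a first indicator only; the total number of half-open entries and the rate of new SYNs should be watched as well.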
27. Popular DoS Attacks (cont.)
- Ping Floods: a ping flood consists of sending a continuous series of ICMP Echo Request (ping) packets to a target host on the network, which responds with ICMP Echo Replies. The continuing combination of requests and replies can slow the network and cause legitimate traffic to continue at a significantly reduced speed or, in extreme cases, to disconnect.
28. Viral Attacks
- Computer virus files are attached to an email or an Internet download.
- Virus files typically do one or several of the following:
  - Damage the host system
  - Open security holes or back doors into the system
  - Propagate to other systems
29. Distributed Network Attacks
- The newest form of network attacks. Sometimes referred to as worms.
- An attacker takes advantage of a security exploit on a particular operating system running network software (such as a web server) and infects that system.
- The infected system then scans the Internet and infects other servers with the same security exploit.
- The exploit can grow exponentially, infecting many systems in a short period of time.
30. Data Sniffing
- Hackers or employees set up network sniffer software that captures all packets moving across a network.
- The attacker can then decode the packets and gain full access to usernames and passwords, email messages, instant messenger sessions, etc.
- Often used to sniff usernames and passwords to gain access to unauthorized resources.
31. Preventive Measures
- Preventing network attacks requires a combination of approaches, which typically include:
  - Hardware solutions: using firewalls and switches
  - Software solutions: using Intrusion Detection Systems; updating operating system and firmware patches
  - Good practices
32. Firewalls
- A firewall is a piece of hardware or software that examines network packets and makes a determination as to whether a packet should be passed through the firewall onto the destination network or denied.
- Firewall rules typically examine:
  - Source IP addresses
  - Destination IP addresses
  - Destination TCP port number
- Example firewall rules:
  - Deny all unsolicited inbound traffic
  - Allow all traffic from our branch office IP address block 128.5.5.0/255.255.255.0
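The two example rules above can be expressed as a small rule evaluator; the code below is an added example, not from the slides or any firewall product. "Unsolicited" is implemented by remembering outbound connections from the inside network so that their replies are recognised; the inside network 128.6.4.0/24 and the extra "public web server on port 80" rule are constructed for the example.

```python
import ipaddress

# The branch office block from slide 32, written with its netmask exactly as on the slide.
BRANCH_OFFICE = ipaddress.ip_network("128.5.5.0/255.255.255.0")   # same as 128.5.5.0/24
ANY = ipaddress.ip_network("0.0.0.0/0")

class Firewall:
    def __init__(self, inside, rules):
        self.inside = ipaddress.ip_network(inside)
        self.rules = rules            # ordered list of (action, src_network, dst_network, dst_port or None)
        self.sessions = set()         # (inside_ip, inside_port, outside_ip, outside_port) seen outbound

    def filter(self, src, sport, dst, dport):
        """Decide 'allow' or 'deny' for one packet from the source, destination and destination port."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.inside:          # outbound: remember it so the reply counts as solicited
            self.sessions.add((s, sport, d, dport))
            return "allow"
        if (d, dport, s, sport) in self.sessions:
            return "allow"            # inbound reply to a connection an inside host opened
        for action, src_net, dst_net, port in self.rules:
            if s in src_net and d in dst_net and (port is None or port == dport):
                return action         # first matching rule wins
        return "deny"                 # default rule: deny all unsolicited inbound traffic

# Constructed rule set: the slide's branch-office rule plus one published web server.
RULES = [
    ("allow", BRANCH_OFFICE, ANY, None),
    ("allow", ANY, ipaddress.ip_network("128.6.4.5/32"), 80),
]
```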
33. Firewalls (cont.)
- Many routers have firewall capabilities built in, so traffic can be filtered at the router level.
- Other firewalls can be placed behind a router, filtering traffic before it gets to the general network.
- Firewall software can be loaded on a PC to do filtering between the router and the network.
- Firewall appliances can be purchased to do filtering between the router and the network.
34. Some Popular Firewall Solutions
- Cisco PIX Firewall (appliance)
- Checkpoint Firewall (available as software for Windows NT/2000 and Solaris, or as an appliance)
- Raptor Firewall (software)
- Access lists and packet filtering on Cisco routers
- Personal firewall software that can run on individual PCs for home use, such as Norton Internet Security
35. Using Switches as Security Devices
- Using switches instead of hubs in a network environment greatly increases overall network security.
- Switch technologies do not share packets with all computers on a network like hubs do.
  - Greatly reduces packet sniffing capabilities
  - Greatly reduces the effect of flood attacks
- Switches have the ability to recognize and stop attacks like broadcast storms.
36. Intrusion Detection Systems (IDS)
- IDS are hardware or software devices that interact with other network infrastructure devices (typically routers and firewalls) to analyze network traffic patterns with the goal of recognizing and thwarting attacks.
- IDS systems are typically expensive, but provide a constant, intelligent eye on network traffic.
- Starting to become standard for organizations that require the highest level of security, such as financial firms and government agencies.
37. Operating System and Firmware Patches
- Security exploits are often discovered as flaws in operating systems (Windows, etc.) or the firmware that controls devices like firewalls and routers.
- It is of paramount importance that network and system administrators keep up to date with the security patches that vendors publish on a regular basis.
- Every major vendor maintains a website for security patches and known exploits.
- Un-patched devices, servers and software contributed to the largest overall security-related loss in the IT industry last year ($100 billion in 2001).
38. Best Practices
- Good technology can't always solve security problems. Some other major problems include:
  - Bad password practices (sharing passwords, writing down passwords, not changing passwords often enough)
  - Giving too many people access to system or network resources (give access on a need-to-know basis only!)
  - Poor auditing of network activity (not checking basic logs on systems and network devices)
  - Uneducated users