Review of TCP/IP Internetworking

1
Review of TCP/IP Internetworking

• Chapter 3

2
Single Network applications, client and server
hosts, switches, access links, trunk links,
frames, path
Path
Frame
Server Host
Client Host
Trunk Link
Access Link
Server Host
Mobile Client Host
3
Frame Organization
Frame
Trailer
Header
Data Field
Other Header Field
Destination Address Field
Message Structure
4
Switching Decision
Switch receives A frame, sends It back out Based
on Destination Address
Switch
Frame with Station C In the destination Address
field
5
Figure 3-1 Internet

• An internet is two or more individual switched
  networks connected by routers

Switched Network 1
Router
Switched Network 3
Switched Network 2
6
Figure 1.11 An Internet
Multiple Networks Connected by Routers Path of a
Packet is its Route
Single Network
Routers
Packet
Route
Single Network
7
Figure 1.13 The Internet
The global Internet has thousands of networks
Network
Webserver Software
Browser
Packet
Packet
Router
Route
Router
Router
Packet
8
Figure 3-6 Frames and Packets
Frame 1 Carrying Packet in Network 1
Packet
Router A
Frame 2 Carrying Packet in Network 2
Switch
Client PC
Frame 3 Carrying Packet in Network 3
Packet
Switch
Router B
Server
9
Figure 1.12 Frames and Packets

• Like passing a shipment (the packet) from a truck
  (frame) to an airplane (frame) at an airport.

Receiver
Shipper
Same Shipment
Airport
Airport
Truck
Truck
Airplane
10
Figure 3-2 TCP/IP Standards (Study Figure)

• Origins
• Defense Advanced Research Projects Agency (DARPA)
  created the ARPANET
• An internet connects multiple individual networks
• Global Internet is capitalized
• Internet Engineering Task Force (IETF)
• Most IETF documents are requests for comments
  (RFCs)
• Internet Official Protocol Standards List of
  RFCs that are official standards

11
Figure 3-2 TCP/IP Standards (Study Figure)

• Hybrid TCP/IP-OSI Architecture (Figure 3-3)
• Combines TCP/IP standards at layers 3-5 with
• OSI standards at layers 1-2

TCP/IP
OSI
Hybrid TCP/IP-OSI
Application
Application
Application
Presentation
Session
Transport
Transport
Transport
Internet
Network
Internet
Subnet Access Use OSI Standards Here
Data Link
Data Link
Physical
Physical
12
Figure 3-2 TCP/IP Standards (Study Figure)

• OSI Layers
• Physical (Layer 1) defines electrical signaling
  and media between adjacent devices
• Data link (Layer 2) control of a frame through a
  single network, across multiple switches

Physical Link
Frame
Switched Network 1
Data Link
13
Figure 3-2 TCP/IP Standards

• Internet Layer
• Governs the transmission of a packet across an
  entire internet. Path of the packet is its route

Packet
Switched Network 1
Router
Switched Network 3
Route
Switched Network 2
14
Figure 3-2 TCP/IP Standards (Study Figure)

• Frames and Packets
• Frames are messages at the data link layer
• Packets are messages at the internet layer
• Packets are carried (encapsulated) in frames
• There is only a single packet that is delivered
  from source to destination host
• This packet is carried in a separate frame in
  each network

15
Figure 3-7 Internet and Transport Layers
Transport Layer End-to-End (Host-to-Host) TCP is
Connection-Oriented, Reliable UDP is
Connectionless Unreliable
Client PC
Server
Internet Layer (Usually IP) Hop-by-Hop
(Host-Router or Router-Router) Connectionless,
Unreliable
16
Figure 3-2 TCP/IP Standards (Study Figure)

• Internet and Transport Layers
• Purposes
• Internet layer governs hop-by-hop transmission
  between routers to achieve end-to-end delivery
• Transport layer is end-to-end (host-to-host)
  protocol involving only the two hosts

17
Figure 3-2 TCP/IP Standards (Study Figure)

• Internet and Transport Layers
• Internet Protocol (IP)
• IP at the internet layer is unreliabledoes not
  correct errors in each hop between routers
• This is good reduces the work each router along
  the route must do

18
Figure 3-2 TCP/IP Standards (Study Figure)

• Transport Layer Standards
• Transmission Control Protocol (TCP)
• Reliable and connection-oriented service at the
  transport layer
• Corrects errors
• User Datagram Protocol (UDP)
• Unreliable and connectionless service at the
  transport layer
• Lightweight protocol good when catching errors is
  not important

19
Figure 3-8 HTML and HTTP at the Application Layer
Hypertext Transfer Protocol (HTTP) Requests and
Responses
Webserver 60.168.47.47
Client PC with Browser 123.34.150.37
Hypertext Markup Language (HTML) Document or
Other File (jpeg, etc.)
20
Figure 3-2 TCP/IP Standards (Study Figure)

• Application Layer
• To govern communication between application
  programs, which may be written by different
  vendors
• Document transfer versus document format
  standards
• HTTP / HTML for WWW service
• SMTP / RFC 822 (or RFC 2822) in e-mail
• Many application standards exist because there
  are many applications

21
Figure 3-3 TCP/IP and OSI Architectures Recap
TCP/IP
OSI
Hybrid TCP/IP-OSI
Application
Application
Application
Presentation
Session
Transport
Transport
Transport
Internet
Network
Internet
Subnet Access Use OSI Standards Here
Data Link
Data Link
Physical
Physical
Note The Hybrid TCP/IP-OSI Architecture is used
on the Internet and dominates internal corporate
networks.
22
Figure 3-5 IP Packet
IP Version 4 Packet
0100
Bit 0
Bit 31
Total Length (16 bits)
Diff-Serv (8 bits)
Header Length (4 bits)
Version (4 bits)
Identification (16 bits)
Flags
Fragment Offset (13 bits)
Header Checksum (16 bits)
Time to Live (8 bits)
Protocol (8 bits) 1ICMP, 6TCP, 17TCP
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any)
Padding
Data Field
23
Figure 3-5 IP Packet

• Version
• Has value of four (0100)
• Time to Live (TTL)
• Prevents the endless circulation of mis-addressed
  packets
• Value is set by sender
• Decremented by one by each router along the way
• If reaches zero, router throws packet away

24
Figure 3-5 IP Packet

• Protocol Field
• Identifies contents of data field
• 1 ICMP
• 6 TCP
• 17 UDP

IP Header Protocol1
IP Data Field ICMP Message
IP Header Protocol6
IP Data Field TCP Segment
IP Header Protocol17
IP Data Field UDP Datagram
25
Figure 3-5 IP Packet

• Header checksum to check for errors in the header
  only
• Faster than checking the whole packet
• Stops bad headers from causing problems
• IP Version 6 drops eve this checking
• Address Fields
• 32 bits long, of course
• Options field(s) give optional parameters
• Data field contains the payload of the packet.

26
Figure 3-9 Layer Cooperation Through
Encapsulation on the Source Host
Application Process
HTTP Message
Encapsulation of HTTP message in data field of a
TCP segment
Transport Process
HTTP Message
TCP Hdr
Encapsulation of TCP segment in data field of an
IP packet
Internet Process
HTTP Message
TCP Hdr
IP Hdr
27
Figure 3-9 Layer Cooperation Through
Encapsulation on the Source Host
Internet Process
Encapsulation of IP packet in data field of a
frame
Data Link Process
Physical Process
Converts Bits of Frame into Signals
28
Figure 3-9 Layer Cooperation Through
Encapsulation on the Source Host
Note The following is the final frame for
supervisory TCP segments
DL Trlr
TCP Hdr
IP Hdr
DL Hdr
29
Figure 3-10 Layer Cooperation Through
Decapsulation on the Destination Host
Application Process
HTTP Message
Decapsulation of HTTP message from data field
of a TCP segment
Transport Process
HTTP Message
TCP Hdr
Decapsulation of TCP segment from data field of
an IP packet
Internet Process
HTTP Message
TCP Hdr
IP Hdr
30
Figure 3-10 Layer Cooperation Through
Decapsulation on the Destination Host
Internet Process
Decapsulation of IP packet from data field of a
frame
Data Link Process
Data Link Process
Converts Signals into the Bits of the Frame
31
Figure 3-11 Vertical Communication on Router R1
A
Internet Layer Process
Router R1
Packet
Port 1 DL
Port 2 DL
Port 3 DL
Port 4 DL
Decapsulation
Frame
PHY
PHY
PHY
PHY

• Notes
• Router R1 receives frame from Switch X2 in Port
  1.
• Port 1 DL process decapsulates packet.
• Port 1 DL process passes packet to internet
  process.

Switch X2
32
Figure 3-11 Vertical Communication on Router R1
B
Internet Layer Process
Router R1
Packet
Port 1 DL
Port 2 DL
Port 3 DL
Port 4 DL
Encapsulation
Frame
PHY
PHY
PHY
PHY

• Internet process sends packet out on Port 4.
• DL Process on Port 4 encapsulates packet in a PPP
  frame.
• DL process passes frame to Port 4 PHY.

Router 2
33
Figure 3-12 Site Connection to an ISP
Internet Backbone
1. Frame for This Data Link
Site Network
2. Packet Carried in ISP Carrier Frame
ISP
Border Firewall
4. Data Link Between Site and ISP (Difficult to
Attack)
3. Packet Carried in Site Frame
ISP Router
5. Normally, Only the Arriving Packet is
DangerousNot the Frame Fields
34
Figure 3-13 Internet Protocol (IP)

• Basic Characteristics
• There were already single networks, and many more
  would come in the future
• Developers needed to make a few assumptions about
  underlying networks
• So they kept IP simple

35
Figure 3-13 Internet Protocol (IP)

• Connection-Oriented Service and Connectionless
  Service
• Connection-oriented services have distinct starts
  and closes (telephone calls)
• Connectionless services merely send messages
  (postal letters)
• IP is connectionless

36
IP Packet
PC Internet Process
First Router Internet Process
IP Packet
Connectionless Packets Sent in Isolation Like
Postal Letters Unreliable No Error
Correction Discarded by Receiver if Error is
Detected Leaves Error Correction to Transport
Layer Reduces the Cost of Routers
37
Figure 3-13 Internet Protocol (IP)(Study Figure)

• IP is Unreliable (Checks for Errors but does not
  Correct Errors) (Figure 3-14)
• Not doing error correction at each hop between
  switches reduces switch work and so switch cost
• Does not even guarantee packets will arrive in
  order

38
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Hierarchical IP Addresses
• Postal addresses are hierarchical (state, city,
  postal zone, specific address)
• Most post offices have to look only at state and
  city
• Only the final post offices have to be concerned
  with specific addresses

39
Figure 3-15 Hierarchical IP Address
Network Part (not always 16 bits) Subnet Part
(not always 8 bits) Host Part (not always 8
bits) Total always is 32 bits.
128.171.17.13
The Internet
UH Network (128.171)
CBA Subnet (17)
Host 13 126.171.17.13
40
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Hierarchical IP Addresses
• 32-bit IP addresses are hierarchical (Figure
  3-15)
• Network part tells what network host is on
• Subnet part tells what subnet host is on within
  the network
• Host part specifies the host on its subnet
• Routers have to look only at network or subnet
  parts, except for the router that delivers the
  packet to the destination host

41
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Hierarchical IP Addresses
• 32-bit IP addresses are hierarchical
• Total is 32 bits part sizes vary
• Network mask tells you the size of the network
  part (Figure 3-16)
• Subnet mask tells you the length of the network
  plus subnet parts combined

42
Figure 3-16 IP Address Masking with Network and
Subnet Masks
Network Masking Subnet Masking
Mask Represents Tells the size of the network part Tells the size of the network and the subnet parts combined
Eight ones give the decimal value 255 255
Eight zeros give the decimal value 0 0
Masking gives IP address bit where the mask value is 1 0 where the mask bit is 0 IP address bit where the mask value is 1 0 where mask bit is 0
43
Figure 3-16 IP Address Masking with Network and
Subnet Masks
Example 1 Network Masking Subnet Masking
IP Address 128.171.17.13 128.171.17.13
Mask 255.255.0. 0 255.255.255.0
Result 128.171.0. 0 128.171.17.0
Meaning 16-bit network part is 128.171 Combined 24-bit network plus subnet part are 128.171.17
Example 2
IP Address 60.47.123.7 60.47.123.7
Mask 255.0.0.0 255.255.0.0
Result 60.0.0.0 60.47.0.0
Meaning 8-bit network part is 60 Combined 16-bit network plus subnet parts are 60.47
44
Figure 3-17 IP Address Spoofing
1. Trust Relationship
3. Server Accepts Attack Packet
Trusted Server 60.168.4.6
Victim Server 60.168.47.47
2. Attack Packet Spoofed Source IP
Address 60.168.4.6 Attackers Identity is Not
Revealed
Attackers Client PC 1.34.150.37
45
Figure 3-13 Internet Protocol (IP)

• IP Addresses and Security
• IP address spoofing Sending a message with a
  false IP address (Figure 3-17)
• Gives sender anonymity so that attacker cannot be
  identified
• Can exploit trust between hosts if spoofed IP
  address is that of a host the victim host trusts

46
Figure 3-13 Internet Protocol (IP)(Study Figure)

• IP Addresses and Security
• LAND attack send victim a packet with victims
  IP address in both source and destination address
  fields and the same port number for the source
  and destination (Figure 3-18). In 1997, many
  computers, switches, routers, and even printers,
  crashed when they received such a packet.

47
Figure 3-18 LAND Attack Based on IP Address
Spoofing
From 60.168.47.4723 To 60.168.47.4723
Attacker 1.34.150.37
Victim 60.168.47.47 Port 23 Open Crashes
Source and Destination IP Addresses are the
Same Source and Destination Port Numbers are the
Same
48
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Protocol field Identifies content of IP data
  field
• Firewalls need this information to know how to
  process the packet

49
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Time-to-Live field
• Each router decrements the TTL value by one
• Router decrementing TTL field to zero discards
  the packet

50
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Time-to-Live field
• Router also sends an error advisement message to
  the sender
• The packet containing this message reveals the
  senders IP address to the attacker
• Traceroute uses TTL to map the route to a host
  (Figure 3-19)
• Tracert on Windows machines

51
Figure 3-19 Tracert Program in Windows
52
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Header Length field and Options
• With no options, Header Length is 5
• Expressed in units of 32 bits
• So, 20 bytes
• Many options are dangerous
• So if Header Length is More Than 5, be Suspicious
• Some firms drop all packets with options

53
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Length Field
• Gives length of entire packet
• Maximum is 65,536 bytes
• Ping-of-Death attack sent IP packets with longer
  data fields
• Many systems crashed

54
Figure 3-20 Ping-of-Death Attack
IP Packet Containing ICMP Echo Message That is
Illegally Long
Attacker 1.34.150.37
Victim 60.168.47.47 Crashes
55
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Fragmentation
• Routers may fragment IP packets (really, packet
  data fields) en route
• All fragments have same Identification field
  value
• Fragment offset values allows fragments to be
  ordered
• More fragments is 0 in the last fragment

56
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Fragmentation
• Harms packet inspection TCP header, etc. only in
  first packet in series
• Cannot filter on TCP header, etc. in subsequent
  packets

57
Figure 3-22 TCP Header is Only in the First
Fragment of a Fragmented IP Packet
1. Fragmented IP Packet
2. First Fragment
2. Second Fragment
IP Header
TCP Data Field
4. TCP Data Field NoTCP Header
IP Header
Attacker 1.34.150.37
5. Firewall 60.168.47.47 Can Only Filter TCP
Header in First Fragment
3. TCP Header Only in First Fragment
58
Figure 3-13 Internet Protocol (IP)(Study Figure)

• Other IP Header Fields
• Fragmentation
• Teardrop attack Crafted fragmented packet does
  not make sense when reassembled
• Some firewalls drop all fragmented packets, which
  are rare today

59
Figure 3-21 Teardrop Denial-of-Service Attack
Defragmented IP Packet
Gap
Overlap
Attacker 1.34.150.37
Victim 60.168.47.47 Crashes
Attack Pretends to be Fragmented IP Packet When
Reassembled, Packet does not Make Sense. Gaps
and Overlaps
60
Figure 3-24 IP Packet with a TCP Segment Data
Field
Bit 0
Bit 31
IP Header (Usually 20 Bytes)
Source Port Number (16 bits)
Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Window Size (16 bits)
Flag Fields (6 bits)
Reserved (6 bits)
Header Length (4 bits)
TCP Checksum (16 bits)
Urgent Pointer (16 bits)
61
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• TCP Messages are TCP Segments
• Flags field has several one-bit flags ACK, SYN,
  FIN, RST, etc.

Window Size (16 bits)
Flag Fields (6 bits)
Reserved (6 bits)
Header Length (4 bits)
62
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• Reliable
• Receiving process sends ACK to sending process if
  segment is correctly received
• ACK bit is set (1) in acknowledgement segments
• If sending process does not get ACK, resends the
  segment

PC Transport Process
Webserver Transport Process
TCP Segment
TCP Segment (ACK)
63
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• Connections Opens and Closes
• Formal open and close
• Three-way open SYN, SYN/ACK, ACK (Figure 3-25)
• Normal four-way close FIN, ACK, FIN, ACK (Figure
  3-25)
• Abrupt close RST (Figure 3-26)

64
Figure 3-25 Communication During a TCP Session
PC Transport Process
Webserver Transport Process
1. SYN (Open)
Open (3)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
3-Way Open
65
Figure 3-25 Communication During a TCP Session
PC Transport Process
Webserver Transport Process
1. SYN (Open)
Open (3)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
4. Data HTTP Request
Carry HTTP Req Resp (4)
5. ACK (4)
6. Data HTTP Response
7. ACK (6)
66
Figure 3-25 Communication During a TCP Session
PC Transport Process
Webserver Transport Process
8. Data HTTP Request (Error)
Carry HTTP Req Resp (4)
9. Data HTTP Request (No ACK so Retransmit)
10. ACK (9)
11. Data HTTP Response
12. ACK (11)
Error Handling
67
Figure 3-25 Communication During a TCP Session
PC Transport Process
Webserver Transport Process
Normal Four-Way Close
13. FIN (Close)
Close (4)
14. ACK (13)
15. FIN
16. ACK (15)
Note An ACK may be combined with the next
message if the next message is sent quickly enough
68
Figure 3-25 Communication During a TCP Session
PC Transport Process
Webserver Transport Process
Abrupt Close
RST
Close (1)
Either side can send A Reset (RST) Segment At Any
Time Ends the Session Immediately
69
Figure 3-26 SYN/ACK Probing Attack Using Reset
(RST)
1. Probe 60.168.47.47
2. No Connection Makes No Sense!
SYN/ACK Segment
IP Hdr
RST Segment
Attacker 1.34.150.37
5. 60.168.47.47 is Live!
Victim 60.168.47.47 Crashes
4. Source IP Addr 60.168.47.47
3. Go Away!
70
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• Sequence and Acknowledgement Number
• Sequence numbers identify segments place in the
  sequence
• Acknowledgement number identifies which segment
  is being acknowledged

Source Port Number (16 bits)
Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
71
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• Port Number
• Port numbers identify applications
• Well-known ports (0-1023) used by applications
  that run as root (Figure 3-27)
• HTTP80, Telnet23, FTP21 for supervision, 20
  for data transfer, SMTP25

Source Port Number (16 bits)
Destination Port Number (16 bits)
72
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)

• Port Number
• Registered ports (1024-49152) for any application
• Ephemeral/dynamic/private ports (49153-65355)
  used by client (16,384 possible)
• Not all operating systems uses these port ranges,
  although all use well-known ports

73
Figure 3-23 Transmission Control Protocol (TCP)
(Study Figure)
128.171.17.1380

• Port Number
• Socket format is IP address Port, for instance,
  128.171.17.1380
• Designates a specific program on a specific
  machine
• Port spoofing (Figure 3-28)
• Incorrect application uses a well-known port
• Especially 80, which is often allowed through
  firewalls

74
Figure 3-27 Use of TCP and UDP Port Number
Webserver 60.171.17.13 Port 80
Client 60.171.18.22
From 60.171.18.2250047 To 60.171.17.1380
SMTP Server 123.30.17.120 Port 25
75
Figure 3-27 Use of TCP and UDP Port Number
Webserver 60.171.17.13 Port 80
Client 60.171.18.22
From 60.171.18.2250047 To 60.171.17.1380
From 60.171.17.1380 To 60.171.18.2250047
SMTP Server 123.30.17.120 Port 25
76
Figure 3-27 Use of TCP and UDP Port Number
Webserver 60.171.17.13 Port 80
Client 60.171.18.22
From 60.171.18.2260003 To 123.30.17.12025
SMTP Server 123.30.17.120 Port 25
77
Figure 3-27 Use of TCP and UDP Port Number
Webserver 60.171.17.13 Port 80
Client 60.171.18.22
From 60.171.18.2250047 To 60.171.17.1380
Clients Used Different Ephemeral Ports
for Different Connections
From 60.171.18.2260003 To 123.30.17.12025
SMTP Server 123.30.17.120 Port 25
78
Figure 3-29 User Data Protocol (UDP) (Study
Figure)

• UDP Datagrams are Simple (Figure 3-30)
• Source and destination port numbers (16 bits
  each)
• UDP length (16 bits)
• UDP checksum (16 bits)

Bit 0
Bit 31
IP Header (Usually 20 Bytes)
Source Port Number (16 bits)
Destination Port Number (16 bits)
UDP Length (16 bits)
UDP Checksum (16 bits)
Data Field
79
Figure 3-29 User Data Protocol (UDP) (Study
Figure)

• Port Spoofing Still Possible
• UDP Datagram Insertion
• Insert UDP datagram into an ongoing dialog stream
• Hard to detect because no sequence numbers in UDP

80
Figure 3-33 Internet Control Message Protocol
(ICMP)

• ICMP is for Supervisory Messages at the Internet
  Layer
• ICMP and IP
• An ICMP message is delivered (encapsulated) in
  the data field of an IP packet
• Types and Codes (Figure 3-2)
• Type General category of supervisory message
• Code Subcategory of type (set to zero if there
  is no code)

81
Figure 8.13 Internet Control Message Protocol
(ICMP) for Supervisory Messages
Router
Host Unreachable
Error Message
ICMP Message
IP Header
Echo
Echo Reply
82
Figure 3-32 IP Packet with an ICMP Message Data
Field
Bit 0
Bit 31
IP Header (Usually 20 Bytes)
Type (8 bits)
Depends on Type and Code
Code (8 bits)
Depends on Type and Code
83
Figure 3-32 Internet control Message Protocol
(ICMP)

• Network Analysis Messages
• Echo (Type 8, no code) asks target host if it is
  operational and available
• Echo reply (Type 0, no code). Target host
  responds to echo sender
• Ping program implements Echo and Echo Reply.
  Like submarine pinging a target
• Ping is useful for network managers to diagnose
  problems based on failures to reply
• Ping is useful for hackers to identify potential
  targets live ones reply

84
Figure 3-32 Internet control Message Protocol
(ICMP)

• Error Advisement Messages
• Advise sender of error but there is no error
  correction
• Host Unreachable (Type 3, multiple codes)
• Many codes for specific reasons for host being
  unreachable
• Host unreachable packets source IP address
  confirms to hackers that the IP address is live
  and therefore a potential victim
• Usually sent by a router

85
Figure 3-31 Internet control Message Protocol
(ICMP)

• Error Advisement Messages
• Time Exceeded (Type 11, no codes)
• Router decrementing TTL to 0 discards packet,
  sends time exceeded message
• IP header containing error message reveals
  routers IP address
• By progressively incrementing TTL values by 1 in
  successive packets, attacker can scan
  progressively deeper into the network, mapping
  the network
• Also usually sent by a router

86
Figure 3-31 Internet control Message Protocol
(ICMP)

• Control Codes
• Control network/host operation
• Source Quench (Type4, no code)
• Tells destination host to slow down its
  transmission rate
• Legitimate use Flow control if host sending
  source quench is overloaded
• Attackers can use for denial-of-service attack

87
Figure 3-31 Internet control Message Protocol
(ICMP)

• Control Codes
• Redirect (Type 5, multiple codes)
• Tells host or router to send packets in different
  way than they have
• Attackers can disrupt network operations, for
  example, by sending packets down black holes
• Many Other ICMP Messages