Advanced Computer Networking Study Notes 2007
The need for standards
ISO and IEEE
International Standards Organisation (ISO): ISO is a worldwide network of the national standards institutes of 157 countries that oversees the creation of technical standards for anything requiring international agreement. Example: the ISO Open Systems Interconnection Model is a computer networking standard globally recognised by network designers.
Institute of Electrical and Electronics Engineers (IEEE): IEEE is the world's leading professional association for the advancement of technology. It is also a leading developer of standards that underpin many of today's technologies. Example: IEEE 802.1D defines the standard for MAC addressing, and the IEEE also administers the assignment of MAC address blocks to organisations such as NIC manufacturers.
The OSI model layers
7 Application: Allows applications to access network services. FTP, SMTP and Telnet operate at this layer. (Note: actual software applications are outwith the scope of this model.)
6 Presentation: Manages data translation, compression, encryption and conversion.
5 Session: Establishes and maintains communications between applications.
4 Transport: Transmits data, provides flow control and handles errors. TCP operates at this level, making sure that every packet sent is accounted for.
3 Network: Routes data between nodes. This layer handles network or logical addressing via routing protocols. The IP protocol operates here, along with routers and gateways.
2 Data Link: Handles physical addressing, packing data into frames, sequencing data frames and performing checksums. It has two sub-layers: Logical Link Control (LLC) and Media Access Control (MAC). The Ethernet standard and hardware such as bridges and NICs operate at this level.
1 Physical: The electrical or mechanical means by which information is transmitted over the network medium. Hubs, switches, repeaters and cables function at this level.
Mapping TCP/IP layers to OSI layers
OSI Model        TCP/IP           Protocols
7 Application    4 Application    Telnet, FTP, SMTP, POP3, DNS
6 Presentation   4 Application
5 Session        4 Application
4 Transport      3 Transport      TCP, UDP
3 Network        2 Internet       IP, ICMP
2 Data Link      1 Physical       SLIP, PPP, Ethernet
1 Physical       1 Physical
SMTP
SMTP is a simple ASCII-based protocol where one or more recipients of a message are specified (and verified to exist), then the email text is transferred from the client to a mail server. The address of the outgoing mail server would be something like smtp.marrcomputing.co.uk.
SMTP uses TCP port 25 to open a TCP connection and map to the mail server process that deals with receiving the email message.
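The envelope-then-text sequence described above, as an added example (not code from the study notes): a toy SMTP receiver driven by a scripted client, where each RCPT TO recipient is verified against local mailboxes before DATA is accepted. The domain is taken from the notes' example hostname; the mailbox names and reply wording are constructed.

```python
# Added example (not from the study notes): a toy SMTP receiver driven by a
# scripted client. Domain (from the notes' hostname) and users are constructed.

LOCAL_DOMAIN = "marrcomputing.co.uk"   # domain part of the notes' smtp.* host
MAILBOXES = {"alice", "bob"}           # constructed local users

class ToySmtpServer:
    def __init__(self):
        self.sender, self.recipients, self.lines = None, [], []
        self.in_data = False
        self.delivered = []             # (sender, recipients, text) tuples

    def handle(self, line):
        if self.in_data:                # message text phase (after DATA)
            if line == ".":             # a lone dot ends the message
                self.delivered.append((self.sender, self.recipients,
                                       "\n".join(self.lines)))
                self.sender, self.recipients, self.lines = None, [], []
                self.in_data = False
                return "250 OK: message accepted for delivery"
            self.lines.append(line)
            return None                 # no reply while receiving text
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN}"
        if verb == "MAIL":              # MAIL FROM:<address>
            self.sender = arg.split(":", 1)[-1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":              # RCPT TO:<user@domain>
            addr = arg.split(":", 1)[-1].strip("<> ")
            user, _, domain = addr.partition("@")
            if domain.lower() != LOCAL_DOMAIN or user not in MAILBOXES:
                return "550 No such user here"   # recipient verified: absent
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":              # only valid once the envelope is set
            if self.sender is None or not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def run_session(server, client_lines):
    """Feed a scripted client to the server and collect its replies in order."""
    return [r for r in map(server.handle, client_lines) if r is not None]
```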
POP3
POP stands for Post Office Protocol. Every time you log in to your POP mail program, it checks the mail server for any new mail. It then takes all that new mail off the server and moves it to your computer so that you can read it. The mail you read is a local copy; once it is on your desktop there is no longer a remote copy in existence (the mail has been deleted from the mail server). The incoming mail server would be something like pop3.marrcomputing.co.uk.
Setting up a POP3 email client
To set up a POP3 email client you will need:
- Incoming POP3 server
- Outgoing SMTP server
- Username and/or email address
- Password
IMAP
The main alternative is called an IMAP (Internet Mail Access Protocol) client. When you log in to your IMAP client, your computer connects to the server and tells the server to open up its mailboxes and check for mail. It then displays the list of mail on the server without removing it and copying it to your computer. If you choose to read a message, the IMAP program on your computer is simply displaying information that exists on the mail server and not locally on your computer. Both the POP and IMAP protocols talk to the same servers and use the same password, but bring the information to your desktop in a different way.
Setting up an IMAP email client
To set up an IMAP email client you will need:
- Incoming IMAP server
- Outgoing SMTP server
- Username and/or email address
- Password
MIME
TCP ports
A port is a special number present in the header of a data packet. Ports are typically used to map data to a particular process running on a computer. Example: a server used for sending and receiving email may provide both an SMTP and a POP3 service; these will be handled by different server processes, and the port number will be used to determine which data is associated with which process.
IP addressing
Binary subnet mask
A subnet allows a network's assigned IP address to be partitioned, or subnetted, into two or more networks.
Applying a subnet mask to an IP address splits the address into two parts: an extended network address and a host (node) address.
Example: a Class C address subnetted as a Class C network of 2 partitions
IP address    11000000 10101000 00000001 00000000   192.168.1.0
Subnet mask   11111111 11111111 11111111 10000000   255.255.255.128
This means a 25-bit mask will give two subnet addresses: 192.168.1.0, with a host address range of 192.168.1.1 to 192.168.1.127, and 192.168.1.128, with a host address range of 192.168.1.129 to 192.168.1.255.
So, each additional bit used in the subnet mask makes it possible to double the number of subnets that can be created.
Calculating a subnet address
A bitwise operation operates on one or two bit patterns at bit level.
Given the following IP address and subnet mask, calculate the address of the associated subnet.
IP address 152.199.22.7, subnet mask 255.255.240.0
Bitwise AND operation: in each pair, the result is 1 if the first bit is 1 AND the second bit is 1. Otherwise, the result is zero.
Step 1 - Convert to bit masks
Step 2 - Perform the bitwise operation to identify the subnet address
Step 3 - Convert back to decimal
IP address           10011000 11000111 00010110 00000111
Subnet mask          11111111 11111111 11110000 00000000
Bitwise operation    10011000 11000111 00010000 00000000
Convert to decimal   152.199.16.0
Rules of binary AND:
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1
So the subnet address is 152.199.16.0
Classless Internet Domain Routing (CIDR)
The shortage of IP addresses means that ICANN no longer gives out class A, B or C addresses. Many small companies need an Internet domain, but allocating a Class C network (256 host addresses) is wasteful if the company only wants to attach a few machines (email, web, ftp servers etc.) to the Internet. Even larger firms may need a few hundred IP addresses, more than 256 but not very many more. Such a firm would be too big for a Class C, but a bit small for the 65,536 addresses of a Class B network. Therefore ICANN gives out IP addresses under a newer method called CIDR, or "slash x" networks, where x is the number of bits that ICANN controls. This flexibility means that ICANN can in theory not only define Class A, B and C networks, but can also offer networks with subnet masks in between the A, B and C networks. A slash 27 network address would use the notation 200.100.50.25/27, and some routers nowadays ask for slashes rather than a subnet mask.
Classless Internet Domain Routing (CIDR)
Example: Suppose you want to create a network of 50 computers. Previously ICANN would have to assign you a Class C network with 256 addresses:
IP address    11001000 00110010 00011001 00001001   (200.50.25.17)
Subnet mask   11111111 11111111 11111111 00000000   (255.255.255.0)
With CIDR:
IP address    11001000 00110010 00011001 00001001   (200.50.25.17)
Subnet mask   11111111 11111111 11111111 11000000   (255.255.255.192)
This gives you 6 bits to play with, so 64 host addresses to do with as you like. This would be a slash 26 network, as 26 bits are used in the mask. The network address is written as 200.50.25.17/26.
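The three subnet calculations in the notes (the two-way split of 192.168.1.0 with a 25-bit mask, the 152.199.22.7 AND 255.255.240.0 worked example, and the 200.50.25.17/26 CIDR block) carried out in code, as an added example that is not part of the study notes. It generalises the notes' method to any address with either a dotted-decimal mask or a /prefix length, and rejects masks whose 1 bits are not contiguous.

```python
# Added example (not from the study notes): the notes' bitwise-AND subnet
# calculation, generalised to any dotted-decimal mask or /prefix length.

def to_int(dotted):
    """'152.199.22.7' -> 32-bit integer; rejects malformed addresses."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_bits(value):
    """Step 1 of the notes: the value written as four 8-bit groups."""
    return " ".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    """/26 -> 255.255.255.192: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def prefix_from_mask(mask):
    """255.255.240.0 -> 20; rejects non-contiguous masks such as 255.0.255.0."""
    prefix = bin(mask).count("1")
    if mask != mask_from_prefix(prefix):
        raise ValueError("subnet mask bits are not contiguous")
    return prefix

def subnet_info(address, mask):
    """Steps 2 and 3: AND the address with the mask, then describe the block.
    `mask` is dotted decimal (str) or a prefix length (int)."""
    addr = to_int(address)
    mask_int = mask_from_prefix(mask) if isinstance(mask, int) else to_int(mask)
    prefix = prefix_from_mask(mask_int)
    network = addr & mask_int                  # keeps only the network bits
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    return {
        "network": to_dotted(network),
        "mask": to_dotted(mask_int),
        "prefix": prefix,
        "first": to_dotted(network + 1),       # host range as the notes give it:
        "last": to_dotted(broadcast),          # .1 up to the last address
        "addresses": 2 ** (32 - prefix),       # 64 for a /26, 128 for a /25
        "bits": (to_bits(addr), to_bits(mask_int), to_bits(network)),
    }
```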
Parts of an email message
Sending and receiving email
HTML tags
Requesting a web page
Plugins, Java applets and Active X
Video telephone call
Conventional encryption
Public-key encryption
Internet Architecture security
Smurf
What is a Smurf attack? A Smurf attack is a type of denial of service (DoS) attack (named after a popular program that generates the attack) where a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. This results in bandwidth consumption. A large number of ICMP ECHO requests, with the source address spoofed to be that of the victim, are sent to a broadcast network address that acts as an amplifier. The attack therefore takes advantage of the directed broadcast functionality of a router within a network. A single attacker sending hundreds or thousands of these PING messages per second can fill a victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees.
Smurf
Example: A company has an assigned range of 193.169.0.0 to 193.169.0.255.
As the return address of the PING is spoofed to be the address of the attacker's victim, all the hosts reply to the victim's address instead of the real sender's address.
The attacker PINGs 193.169.0.255, so the ICMP ECHO packet is broadcast to all the hosts on the network, i.e. 193.169.0.1 to 193.169.0.254.
Smurf
Preventing a Smurf attack. There are some means of preventing Smurf attacks:
- Configuring border routers and firewalls to filter ICMP ECHO Reply packets will take the load off the system being attacked, though internal machines will not be able to PING external machines (as the replies will not get returned).
- The directed broadcast facility of a router (the amplifier) can be disabled, thereby reducing the amplification effect.
- Also, a Smurf can be stopped from being launched from within a network if the network's router(s) are set to block packets sent from non-internal IP addresses, i.e. spoofed IPs.
SYN flood
What is a TCP SYN flood attack? A TCP SYN flood is a network connectivity attack that exploits a vulnerability in the way the TCP protocol establishes a connection via its three-way handshake.
SYN flood
Example:
- Attacker sends a SYN packet from a spoofed address
- Host sends a SYN/ACK packet to the spoofed address
- Host does not receive an ACK from the spoofed address, and the connection remains until it times out
These attacks consist of a large number of spoofed TCP connection set-up messages that overload the victim, usually a server. Its TCP/IP stack is not able to handle any further connections, and its processing queues are completely filled with malicious nonsense packets.
SYN flood
Preventing a SYN flood attack. There are a few things that can be done to protect against a SYN flood:
- Decrease the TCP connection-established timeout period so that the server does not wait as long for the unsent ACK.
- Increase the length of the connection queue for TCP ports that may be bombarded.
- Microsoft Windows has a mechanism to detect and start SYN flood protection. The SYN flooding attack protection feature detects symptoms of SYN flooding and responds by reducing the time the server spends on connection requests that it cannot acknowledge.
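The half-open connection queue from the handshake description above, simulated so that the effect of the two countermeasures in the notes (a shorter timeout for the missing ACK, a longer connection queue) can be measured, as an added example that is not part of the study notes. The attack rate, addresses and timings are constructed, and the queue model is a simplification of a real TCP stack.

```python
# Added example (not from the study notes): a simulation of the half-open
# connection queue a TCP listener keeps during the three-way handshake, to
# compare the notes' two countermeasures (shorter timeout, longer queue).

class Listener:
    def __init__(self, backlog, timeout):
        self.backlog = backlog          # connection queue length
        self.timeout = timeout          # seconds to wait for the final ACK
        self.half_open = {}             # (src_ip, src_port) -> time SYN/ACK sent
        self.established = 0
        self.dropped_syns = 0

    def expire(self, now):
        """Free queue slots whose ACK never arrived within the timeout."""
        for key, sent in list(self.half_open.items()):
            if now - sent >= self.timeout:
                del self.half_open[key]

    def on_syn(self, now, src):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1      # queue full: the SYN is discarded
            return False
        self.half_open[src] = now       # SYN/ACK sent; now wait for the ACK
        return True

    def on_ack(self, now, src):
        self.expire(now)
        if src not in self.half_open:   # spoofed sources never send this
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate(backlog, timeout, attack_rate=20, duration=10):
    """Spoofed SYNs arrive at `attack_rate`/s and are never ACKed; one real
    client sends a SYN every second and its ACK 0.1 s later.
    Returns (connections established, SYNs dropped). Constructed scenario."""
    lst = Listener(backlog, timeout)
    for tick in range(duration * 10):              # 0.1 s resolution
        now = tick / 10
        if tick % 10 == 0:                         # legitimate SYN
            lst.on_syn(now, ("198.51.100.7", 40000 + tick))
        elif tick % 10 == 1:                       # its ACK, 0.1 s later
            lst.on_ack(now, ("198.51.100.7", 40000 + tick - 1))
        for n in range(attack_rate // 10):         # spoofed SYNs this tick
            lst.on_syn(now, (f"10.0.{tick % 256}.{n}", 1000 + tick))
    return lst.established, lst.dropped_syns
```

With a 50-entry queue and a 75 s timeout the queue fills after 2.5 s and the real client gets only its first three connections through; shortening the timeout or lengthening the queue lets more of them complete.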
DNS attack
What is a DNS attack? An attacker can try to convince a target name server to cache a victim's domain name that resolves to a nonexistent IP address, effectively denying that service. Alternatively, the attacker can cause the victim's domain name to resolve to the attacker's IP address in order to collect confidential data. Prevention: upgrade to the latest version of BIND.
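The caching attack above is what the "upgrade BIND" advice is about. As an added example that goes beyond the notes (and is not BIND's code), here is a toy resolver cache showing two checks of the kind newer resolvers apply: a reply is used only if it matches an outstanding query (unpredictable transaction ID, same question, same server), and a bailiwick rule stops a reply from one domain's server planting a record for the victim's domain. Names, addresses and zones are constructed.

```python
# Added example (not from the study notes, whose only prevention is "upgrade
# BIND"): a toy resolver cache with transaction-ID and bailiwick checks of the
# kind newer resolvers apply. Names, addresses and zones are constructed.

import secrets


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ToyResolver:
    def __init__(self):
        self.cache = {}         # name -> ip
        self.pending = {}       # txid -> (qname, server, zone the server serves)

    def send_query(self, qname, server, zone):
        """Record the question; `zone` comes from the delegation we followed."""
        txid = secrets.randbelow(65536)          # unpredictable 16-bit ID
        self.pending[txid] = (qname.lower(), server, zone)
        return txid

    def receive(self, reply):
        """reply: dict(txid, server, qname, records=[(name, ip), ...]).
        Returns the (name, ip) pairs that were actually cached."""
        pending = self.pending.get(reply["txid"])
        if pending is None:
            return []                            # no matching outstanding query
        qname, server, zone = pending
        if reply["qname"].lower() != qname or reply["server"] != server:
            return []                            # not an answer to our question
        del self.pending[reply["txid"]]          # each ID is usable once
        accepted = []
        for name, ip in reply["records"]:
            if not in_bailiwick(name, zone):     # e.g. victim.example in a
                continue                         # reply from attacker.example
            self.cache[name.lower()] = ip
            accepted.append((name, ip))
        return accepted
```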
Firewall
A firewall protects networked computers from intentional hostile intrusion.
It can be a hardware device or a software program running on a secure host computer.
Its job is to filter all inbound and outbound traffic routed between two networks to see if it meets certain criteria. If it does, the data is allowed through; otherwise it is blocked.
Firewalls can filter packets based on source and destination addresses and port numbers, and can block data by the protocol used, e.g. telnet. They may also use a complex rule base that analyses data to determine if it should be allowed through. Network administrators can offer access to specific services to selected LAN users via the firewall.
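A first-match packet filter of the kind just described, as an added example that is not part of the study notes, with a rule base that implements the three Smurf countermeasures from the Smurf section for the notes' 193.169.0.0/24 company network, blocks telnet, and offers SMTP to one host. The packet fields, the mail host address (193.169.0.25) and the rule names are constructed.

```python
# Added example (not from the study notes): a first-match packet filter as
# the Firewall section describes, with a rule base implementing the three
# Smurf countermeasures from the notes for their 193.169.0.0/24 network.

import ipaddress

INTERNAL = ipaddress.ip_network("193.169.0.0/24")    # the company's range
DIRECTED_BCAST = ipaddress.ip_network(f"{INTERNAL.broadcast_address}/32")


def matches(rule, pkt):
    """Every field in the rule must match the packet; absent fields are wildcards."""
    for field, want in rule.items():
        if field in ("name", "action"):
            continue
        if field == "src_not":                          # negated network match
            if ipaddress.ip_address(pkt["src"]) in want:
                return False
        elif field in ("src", "dst"):                   # network membership
            if ipaddress.ip_address(pkt[field]) not in want:
                return False
        elif want != pkt.get(field):                    # exact match on others
            return False
    return True


def filter_packet(rules, pkt):
    """Return (action, rule name) of the first matching rule; default is DENY."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "DENY", "default"


# Constructed rule base; order matters because the first match wins.
RULES = [
    # Smurf: never let a packet with a non-internal (spoofed) source leave
    {"name": "anti-spoof", "direction": "out", "src_not": INTERNAL, "action": "DENY"},
    # Smurf: drop echo requests aimed at the directed broadcast address
    {"name": "no-directed-bcast", "direction": "in", "proto": "icmp",
     "icmp_type": "echo-request", "dst": DIRECTED_BCAST, "action": "DENY"},
    # Smurf: filter inbound echo replies (cost: internal hosts cannot PING out)
    {"name": "no-echo-reply", "direction": "in", "proto": "icmp",
     "icmp_type": "echo-reply", "action": "DENY"},
    # block a whole protocol, as in the notes' telnet example
    {"name": "block-telnet", "direction": "in", "proto": "tcp", "dst_port": 23, "action": "DENY"},
    # offer one service (SMTP) to the constructed mail host only
    {"name": "allow-smtp", "direction": "in", "proto": "tcp", "dst_port": 25,
     "dst": ipaddress.ip_network("193.169.0.25/32"), "action": "ALLOW"},
    {"name": "allow-out", "direction": "out", "src": INTERNAL, "action": "ALLOW"},
]
```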
Firewall rules
Backup
Bandwidth
Wireless communication
IEEE 802.11b: Bandwidth of 11 Mbps over 50 to 250 metres at a frequency of 2.4 GHz. Advantages: low cost, good signal range. Disadvantages: slowest speed, supports fewer users, and devices like mobile phones can interfere with it.
IEEE 802.11a: Bandwidth of 54 Mbps over 18 to 30 metres at a frequency of 5 GHz. Advantages: high speed, more users and less interference. Disadvantages: more expensive and weaker signal.
IEEE 802.11g: Same as 802.11b (its successor) but operates at 54 Mbps. Advantages: supports more users than 802.11b. Disadvantages: more expensive than 802.11b.
Dial-up protocols SLIP and PPP
Serial Line Internet Protocol (SLIP) is a protocol that enables TCP/IP datagrams to be carried over a serial connection rather than over a network such as Ethernet. It enables home users to connect to the Internet using a modem and a public telephone line to reach their ISP's server. SLIP requires that an IP address be allocated before each connection is made.
Point-to-Point Protocol (PPP) is a newer alternative to SLIP that is commonly used by ISPs to provide dial-up Internet access. The main difference is that PPP can dynamically obtain an IP address after a connection is made.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a private network that uses a public network, i.e. the Internet, to connect remote sites or users together. Instead of using a leased line, it uses virtual connections routed through the Internet from the private network to the remote site or user.
VPNs rely on tunnelling, as this is the technique that implements the VPN. Tunnelling is the process of placing an entire data packet within another packet and sending it over a network. The advantage is safe and secure data transfer, e.g. a packet that uses a private, non-routable IP address on the network could be sent over the Internet.
VPN protocols PPTP and L2TP
Point to Point Tunnelling Protocol (PPTP) is Microsoft's tunnelling protocol that works by embedding its data, encrypted separately, into a TCP/IP datagram.
Layer 2 Tunnelling Protocol (L2TP) is a tunnelling protocol that is an extension to the PPP protocol and combines the best features of two other tunnelling protocols, PPTP and L2F. It allows the use of multiple tunnels between end points, in addition to encryption and authentication (when combined with IPSec).
Berkeley Internet Name Domain (BIND)
BIND is a software package that runs the Domain Name System when installed on a server. The software is compatible with a number of operating systems, including Microsoft and Unix. It comes with several diagnostic, administrative and monitoring tools, and provides resolution services to local clients. It is the most common DNS application in use on domain name servers on the Internet.