Welcome to

Computer Network Security

(ATTP Course)
Instructor
Piyu Tripathy

NIST (Autonomous)
 References
1. Gert De Laet and Gert Schauwers,
“Network Security Fundamentals,” Cisco
Press, 2005.

2. Mark Stamp, Information Security:

Principles and Practices, John Wiley &
Sons, Hoboken, NJ, 2011.

3. Behrouza Forouzan, Data Communications

and Networking, McGraw-Hill, 2006
 Overview of Network
Security
 TCP Segment Format, Connection Setup, Disconnect
 IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP,
DNS
 TCP Flags: Syn Flood, Ping of Death, Smurf, Fin
 UDP Flood Attack
 Connection Hijacking
 Application: E-Mail, Web spoofing
 Network Protocols
 Study of networking focused on protocols
 Networking protocols precisely specify
“communication rules”
 Details are given in RFCs
o RFC is essentially an Internet standard
 Stateless protocols do not “remember”
 Stateful protocols do “remember”
 Many security problems related to stateful
o E.g., DoS is a problem with stateful protocols
 Protocol Stack
 Application layer protocols user
o HTTP, FTP, SMTP, etc. application space
 Transport layer protocols transport
o TCP, UDP OS
 Network layer protocols network
o IP, routing protocols
link
 Link layer protocols NIC
card
o Ethernet, PPP physical
 Physical layer
 Layering in Action
router
data application application data
transport transport
network network network
link link link
host physical physical physical
host
 At source, data goes “down” the protocol stack
 Each router processes packet “up” to network layer
o That’s where routing info lives
 Router then passes packet down the protocol stack
 Destination processes packet up to application layer
o That’s where the application data lives
 Encapsulation data X

 X = application data at source application

 As X goes down protocol stack, each
transport
layer adds header information:
o Application layer: (H, X)
network
o Transport layer: (H, (H, X))
o Network layer: (H, (H, (H, X))) link
o Link layer: (H, (H, (H, (H, X))))
physical
 Header has info required by layer
 Note that app data is on the “inside” packet
(H,(H,(H,(H,X))))
 Application Layer
 Applications
o For example, Web browsing, email, P2P, etc.
o Applications run on hosts
o To hosts, network details should be transparent
 Application layer protocols
o HTTP, SMTP, IMAP, Gnutella, etc., etc.
 Protocol is only one part of an application
o For example, HTTP only a part of web browsing
 Client-Server Model
 Client
o “speaks first”
 Server
o responds to client’s request
 Hosts are clients or servers
 Example: Web browsing
o You are the client (request web page)
o Web server is the server
 Peer-to-Peer Paradigm
 Hosts act as clients and servers
 For example, when sharing music
o You are client when requesting a file
o You are a server when someone
downloads a file from you
 In P2P, how does client find server?
o Many different P2P models for this
 HTTP Example
HTTP request

HTTP response

 HTTP  HyperText Transfer Protocol

 Client (you) requests a web page
 Server responds to your request
 cookie
Web Cookies
initial HTTP r
session eq uest
HTTP r
esp onse, co
o kie
Cookie
o okie database
q u e s t , c
cookie HT T P r e
r es p o n se
later HTTP
session

 HTTP is stateless  cookies used to add state

 Initially, cookie sent from server to browser
 Browser manages cookie, sends it to server
 Server uses cookie database to “remember” you
 Web Cookies
 Web cookies used for…
o Shopping carts, recommendations, etc.
o A very (very) weak form of authentication
 Privacy concerns
o Web site can learn a lot about you
o Multiple web sites could learn even more
 SMTP
 SMTP used to deliver email from sender to
recipient’s mail server
 Then POP3, IMAP or HTTP (Web mail) used
to get messages from server
 As with many application protocols, SMTP
commands are human readable

Sender Recipient
SMTP SMTP
POP3
 Application Layer
 DNS  Domain Name Service
o Convert human-friendly names such as
www.google.com into 32-bit IP address
o A distributed hierarchical database
 Only 13 “root” DNS server clusters
o Essentially, a single point of failure for Internet
o Attacks on root servers have succeeded…
o …but, attacks did not last long enough (yet)
 Transport Layer
 The network layer offers unreliable, “best
effort” delivery of packets
 Any improved service must be provided by
the hosts
 Transport layer: 2 protocols of interest
o TCP  more service, more overhead
o UDP  less service, less overhead
 TCP and UDP run on hosts, not routers

Appendix 16
 TCP
 TCP assures that packets…
o Arrive at destination
o Are processed in order
o Are not sent too fast for receiver: flow control
 TCP also attempts to provide…
o Network-wide congestion control
 TCP is connection-oriented
o TCP contacts server before sending data
o Orderly setup and take down of “connection”
o But no true connection, only logical “connection”
Appendix 17
 TCP Header
bits
0 8 16 24 31

Source Port Destination Port

Sequence Number
Acknowledgement Number
Offset reserved U A P R S F Window
Checksum Urgent Pointer
Options Padding
Data (variable length)

 Source and destination port

 Sequence number
 Flags (ACK, SYN, RST, etc.)
 Header usually 20 bytes (if no options)
Appendix 18
TCP segment format
20 to 60 Byte
header
Description of flags in the control field
 Connection establishment using
three-way handshaking
 A SYN segment
cannot carry data,
but it consumes
one sequence
number.
 A SYN + ACK
segment cannot
carry data, but
does consume one
sequence number.
 An ACK segment, if
carrying no data,
consumes no
sequence number.
 Connection termination using
three-way handshaking
 The FIN
segment
consumes one
sequence
number if it
does not carry
data.
 The FIN + ACK
segment
consumes
one sequence
number if it
does not carry
data.
 TCP Three-Way Handshake
SYN request

SYN-ACK

ACK (and data)

 SYN  synchronization requested

 SYN-ACK  acknowledge SYN request
 ACK  acknowledge SYN-ACK (send data)
 Then TCP “connection” established
o Connection terminated by FIN or RST
 TCP Disconnection
 Fin  No more data. Connection can be closed.
 Four-way handshake

Fin
Ack

Fin
Ack
User Datagram Protocol (UDP)
 UDP is minimalist, “no frills” service
o No assurance that packets arrive
o No assurance packets are in order, etc., etc.
 Why does UDP exist?
o More efficient (header only 8 bytes)
o No flow control to slow down sender
o No congestion control to slow down sender
 If packets sent too fast, will be dropped
o Either at intermediate router or at destination
o But in some apps this may be OK (audio/video)
 Network Layer
 Core of network/Internet
o Interconnected mesh of routers
 Purpose of network layer
o Route packets through this mesh
 Network layer protocol of interest is IP
o Follows a best effort approach
 IP runs in every host and every router
 Routers also run routing protocols
o Used to determine the path to send packets
o Routing protocols: RIP, OSPF, BGP, …
 IP Addresses
 IP address is 32 bits
 Every host has an IP address
 Big problem  Not enough IP addresses!
o Lots of tricks used to extend address space
 IP addresses given in dotted decimal notation
o For example: 195.72.180.27
o Each number is between 0 and 255
 Usually, a host’s IP address can change
 Socket
 Each host has a 32 bit IP address
 But, many processes can run on one host
o E.g., you can browse web, send email at same time
 How to distinguish processes on a host?
 Each process has a 16 bit port number
o Numbers below 1024 are “well-known” ports
(HTTP is port 80, POP3 is port 110, etc.)
o Port numbers above 1024 are dynamic (as needed)
 IP address + port number = socket
o Socket uniquely identifies process, Internet-wide
Port numbers
IP addresses versus port numbers
Socket address
Well-known ports used with UDP
Network Address Translation
 Network Address Translation (NAT)
o Trick to extend IP address space
 Use
one IP address (different port
numbers) for multiple hosts
o “Translates” outside IP address (based
on port number) to inside IP address
 NAT-less Example

source 11.0.0.1:1025
destination 12.0.0.1:80

source 12.0.0.1:80
destination 11.0.0.1:1025
Web
server Alice
IP: 12.0.0.1 IP: 11.0.0.1
Port: 80 Port: 1025
 NAT Example

src 11.0.0.1:4000 src 10.0.0.1:1025

dest 12.0.0.1:80 dest 12.0.0.1:80

src 12.0.0.1:80 src 12.0.0.1:80

dest 11.0.0.1:4000 dest 10.0.0.1:1025
Web
server Firewall Alice
IP: 12.0.0.1 IP: 11.0.0.1 IP: 10.0.0.1
NAT Table
4000 10.0.0.1:1025
 NAT: The Last Word
 Advantage(s)?
o Extends IP address space
o One (or a few) IP address(es) can be
shared by many users
 Disadvantage(s)?
o End-to-end security is more difficult
o Might make IPSec less effective
(IPSec discussed later in this course)
 IP Header

 IP header has necessary info for routers

o E.g., source and destination IP addresses
 Time to live (TTL) limits number of “hops”
o So packets can’t circulate forever
 Fragmentation information (see next slide)
 IP Fragmentation
fragmented

re-assembled

 Each link limits maximum size of packets

 If packet is too big, router fragments it
 Re-assembly occurs at destination
 IP Fragmentation
 One packet becomes multiple packets
 Packets reassembled at destination
o Prevents multiple fragmentation/reassemble
 Fragmentation is a security issue…
o Fragments may obscure real purpose of packet
o Fragments can overlap when reassembled
o Must reassemble packet to fully understand it
o Lots of work for firewalls, for example
 IPv6
 Current version of IP is IPv4
 IPv6 is a “new-and-improved” version of IP
 IPv6 is “bigger and better” than IPv4
o Bigger addresses: 128 bits
o Better security: IPSec
 How to migrate from IPv4 to IPv6?
o Unfortunately, nobody thought about that…
 So IPv6 has not really taken hold (yet?)
 Link Layer
 Link layer sends
packet from one
node to next
 Links can be
different
o Wired
o Wireless
o Ethernet
o Point-to-point…
 Link Layer
 Onhost, implemented in adapter:
Network Interface Card (NIC)
o Ethernet card, wireless 802.11 card, etc.
o NIC is “semi-autonomous” device
 NIC is (mostly) out of host’s control
o Implements both link and physical layers
 Ethernet
 Ethernet is a multiple access protocol
 Many hosts access a shared media
o On a local area network, or LAN
 With multiple access, packets can “collide”
o Data is corrupted and packets must be resent
 How to efficiently deal with collisions in
distributed environment?
o Many possibilities, ethernet is most popular
 We won’t discuss details here…
 Link Layer Addressing
 IP addresses live at network layer
 Link layer also needs addresses  Why?
o MAC address (LAN address, physical address)
 MAC address
o 48 bits, globally unique
o Used to forward packets over one link
 Analogy…
o IP address is like your home address
o MAC address is like a social security number
 ARP
 Address Resolution Protocol (ARP)
 Used by link layer  given IP address, find
corresponding MAC address
 Each host has ARP table, or ARP cache
o Generated automatically
o Entries expire after some time (about 20 min)
o ARP used to find ARP table entries
 ARP
 ARP is stateless
 ARP can send request and receive reply
 Reply msgs used to fill/update ARP cache

IP: 111.111.111.001 IP: 111.111.111.002

LAN
MAC: AA-AA-AA-AA-AA-AA MAC: BB-BB-BB-BB-BB-BB

111.111.111.002 BB-BB-BB-BB-BB-BB 111.111.111.001 AA-AA-AA-AA-AA-AA

Alice’s ARP cache Bob’s ARP cache

 IP address Spoofing
 Send requests to server with someone
X's IP address. The response is
received at X and discarded. Both X and
server can be kept busy ⇒ DoS attack
 Covert Channel
 A covert channel is a pipe between two entities
that can be exploited by an application
transferring information that violets the system
security specifications.
 In TCP/IP covert channels are established and
data can be secretly passed between two end
systems.
 For example, ICMP messages are sent to testing
reachability using echo and echo-reply message.
 ICMP Echo Request packet consist of 8-byte
header and 56-byte payload.
 The ICMP packets are altered slightly to carry
secret data in the payload.
 Covert Channel
Loki - a client server application tool use this covert
channel technique
 Uses ICMP echo to send covert commands

 http://xforce.iss.net/xforce/xfdb/1452

 The alteration of ICMP Echo Request and Reply

packets gives intruders the opportunity to
program specialized client-server pairs.
 These small pieces of code export confidential
information without alerting the network
administrator.
 IP Fragment Attacks
 Fragments can overlap
 Final packets can be too large
 IP Normal Fragmentation
• IP largest data is 65.535 == 2^16-1
• IP fragments a large datagram into
smaller datagrams to fit the MTU
• fragments are identified by fragment
offset field
• destination host reassembles the
original datagram
NTW 2000 © 2000, Cisco Systems, Inc. 51
 IP Normal Fragmentation (Cont.)
Before fragmentation:
TL=1300, FO=0 data length 1280

IP Header IP data

After fragmentation (MTU = 500):

TL=500, FO=0 data length 480

TL=500, FO=480 data length 480

TL=360, FO=960 data length 340

52
 IP Normal Reassembly
Received from the network:

TL=500, FO=0 data length

480

TL=360, FO=960 data length 340

TL=500, FO=480 data length

Reassembly
480buffer, 65.535 bytes

Kernel memory at destination host

53
 IP Reassembly Attack

• send invalid IP datagram

• fragment offset + fragment size > 65.535
• usually containing ICMP echo request
(ping)
• not limited to ping of death !
 IP Reassembly Attack
(Cont.)
Received from the network:

TL=1020, FO=0 data length 1000

… 64 IP fragments with data length 1000 ...

TL=1020, FO=65000 data length 1000

BUG: buffer exceeded

BUG: buffer exceeded

Reassembly buffer, 65.535 bytes

64 IP fragments

Kernel memory at destination host

 TCP Flags
 Invalid combinations

 May cause recipient to crash or hang

 Abuse of the normal operation or setting
of these flags can be used by attackers to
launch DoS attacks.
 Sync Flood
 The TCP 3-way handshake makes denial of
service (DoS) attacks possible
 Whenever SYN packet is received, server
remembers this “half-open” connection
o Remembering consumes resources
o Too many half-open connections and server’s
resources will be exhausted, and then…
o …server can’t respond to legitimate connections
 This occurs because TCP is stateful
 SYN Flood Attacks

Gildas Chapter 2: Network Attacks 58

Avoine
 Sync Flood
 A sends Syn request with IP address of X to
Server V.
 V sends a syn+ack to X
 X discards syn+ack leaving an half open
connection at V.
 Many open connections exhausts resources at V
⇒ DoS
 Ping of Death
 Send a ping (ICMP Echo Request)
packet with more than 65535 byte in
the data field.
 One of the earlier Denial of Service
attack.
 Most systems would crash, hang or
reboot.
 Smurf
 Send a broadcast ICMP echo request
with the V's source address.
 All the echo replies will make V very
busy.
 Fin
• In the middle of conversation between
X and V.
• H sends a packet with Fin flag to V.
• V closes the connection and disregards
all further packets from X.
• RST flag can be used similarly

SA=V |DA=X, Fin+Ack

Victim X

Hacker SA=X |DA=V, Fin Victim V

 RST
• In the middle of conversation between
A and B.
• Hacker sends a packet with RST flag to A.
• B closes the connection and disregards all
further packets from A.
HACKER’s TCP Reset Packet
 UDP Flood Attack
• Character Generator (CHARGEN Protocol) request results
in a response with random characters being returned.
• It is defined in RFC 864.
• Used to diagnose lost packets on the path between two
hosts.
• Uses TCP/UDP port 19.
• H can send a chargen request from X to V.
• V can respond to X wasting their bandwidth.

SA=V |DA=X, Char

Victim X

Hacker SA=X |DA=V, Chargen Victim V

 Connection Hijacking
 H sends packets to server V which increments
the sequence number at X.
 All further packets from X are discarded at
V.
 Responses for packets from H are sent to V -
confusing him.
 TCP Session Hijacking
• If a hacker can spy on a TCP connection, he can insert
a TCP packet with correct sequence numbers.

• Inserting an additional packet in a TCP connection

creates a packet avalanche:
◦ The source, who has never sent the packet, does not
Gildas Chapter 2: Network Attacks 67
Avoine

agree with the acknowledged sequence number and

emits an acknowledgement.

◦ The destination, who has seen the packet, insists on the

sequence number and also sends an acknowledgement.
TCP Session Hijacking
 ARP Cache Piosoning
 ARP is stateless
 ARP can send request and receive reply
 Reply msgs used to fill/update ARP cache

IP: 111.111.111.001 IP: 111.111.111.002

LAN
MAC: AA-AA-AA-AA-AA-AA MAC: BB-BB-BB-BB-BB-BB

111.111.111.002 BB-BB-BB-BB-BB-BB 111.111.111.001 AA-AA-AA-AA-AA-AA

Alice’s ARP cache Bob’s ARP cache

Appendix 69
 ARP Cache Poisoning
 ARP is stateless, so…
 Accept “reply”, even if no request sent

111.111.111.003
Trudy CC-CC-CC-CC-CC-CC

ARP “reply” ARP “reply”

111.111.111.002 111.111.111.001
CC-CC-CC-CC-CC-CC CC-CC-CC-CC-CC-CC

111.111.111.001
LAN 111.111.111.002
AA-AA-AA-AA-AA-AA BB-BB-BB-BB-BB-BB

111.111.111.002 CC-CC-CC-CC-CC-CC
BB-BB-BB-BB-BB-BB 111.111.111.001 AA-AA-AA-AA-AA-AA
CC-CC-CC-CC-CC-CC

Alice’s ARP cache Bob’s ARP cache

 Host CC-CC-CC-CC-CC-CC is man-in-the-middle
Appendix 70
 ARP Spoofing
X tries to find the MAC address of
Victim V
 Hacker H responds to ARP request
pretending to be V.
 All communication for V is captured by
H.
 Countermeasure: Use static ARP
 DNS Spoofing
 DNS server is compromised to
provide H's IP address for V's name.
 Email Spoofing

 From address is spoofed.

 Malware attachment comes from a
friendly address.
 From: [email protected]
 Web Spoofing
 The web site looks like another
 Southwest Airline,

http://airlines.ws/southwest-airline.h
tm
 For every .gov site there is a .com,
.net giving similar information
 For misspellings of popular
businesses, there are web sites.
Application Layer Attacks
 Application Layer Attacks
 Scripting vulnerabilities
 Cookie poisoning
 Buffer overflow
 Hidden field manipulation
 Parameter tampering
 Cross-site scripting
 SQL injection
 Summary
1. TCP port numbers, Sequence numbers, ack, flags
2. IP addresses are easy to spoof. ARP and DNS
are not secure.
3. Flags: Syn Flood, Ping of Death, Smurf, Fin,
Connection Hijacking
4. UDP Flood Attack
5. Application layer attacks