More on Tcp/Ip (85 slides)

TCP/IP: Transmission Control Protocol / Internet Protocol
Rakhi Saxena, Assistant Professor, Deshbandhu College, Delhi University


Slide 1: TCP/IP, Transmission Control Protocol / Internet Protocol

Rakhi Saxena, Assistant Professor, Deshbandhu College, Delhi University

Slide 2: What is TCP/IP?

TCP/IP stands for Transmission Control Protocol / Internet Protocol. TCP/IP is the name of a protocol suite. Applications interface with the TCP layer to communicate with peer applications on other hosts.

Slide 3: History of TCP/IP

TCP/IP is the brainchild of ARPAnet, which was developed by a project supported by the USA DoD (Department of Defense) through ARPA (the Advanced Research Projects Agency).

TCP/IP was first defined in 1974 and was meant to be used for communication between geographically distant sites.

It has evolved with many improvements since then.

Slide 4: Why is TCP/IP Popular?

TCP/IP is simpler than the ISO-OSI model and provides an elegant solution to worldwide data communication.

Its protocol standards are open, freely available, and independent of any hardware platform.

The University of California at Berkeley incorporated TCP/IP in its BSD Unix.

Slide 5: TCP/IP & OSI

In OSI reference model terminology, the TCP/IP protocol suite covers the network and transport layers.

TCP/IP can be used on many data-link layers (it can support many network hardware implementations).

OSI Model Layer     Corresponding TCP/IP Layer
Application         Application
Presentation        Application
Session             Application
Transport           Transport (TCP)
Network             Internet (IP)
Data Link           Network Interface
Physical            Network Interface

Slide 6: But First ...

Slide 7: Ethernet - Data-Link Layer

It will be useful to discuss a real data-link layer. Ethernet (really IEEE 802.3) is widely used. Its medium access method is CSMA/CD (Carrier Sense Multiple Access with Collision Detection).

Slide 8: Ethernet

Multi-access (shared medium).

Every Ethernet interface has a unique 48-bit address (a.k.a. hardware address or MAC address). Example: C0:B3:44:17:21:17

The broadcast address is all 1's (FF:FF:FF:FF:FF:FF).

Addresses are assigned to vendors by a central authority.

Slide 9: MAC address

A MAC address is globally unique and is written onto the hardware at the time of manufacture.

A MAC address is 48 bits (6 bytes) long. The first three bytes identify the manufacturer and are assigned by the IEEE. The last three bytes are assigned by the manufacturer.

Slide 10: ipconfig / ifconfig

Slide 11: (no text content)

Slide 12: Back to TCP/IP

Slide 13: Internet Protocol, the IP in TCP/IP

IP is the network layer packet delivery service (host-to-host). It also provides translation between different data-link protocols.

Slide 14: IP Datagrams

IP provides connectionless, unreliable delivery of IP datagrams.

Connectionless: each datagram is independent of all others.

Unreliable: there is no guarantee that datagrams are delivered correctly, or even delivered at all.

An IP packet is called a datagram.

Slide 15: IP Addresses

IP addresses are not the same as the underlying data-link (MAC) addresses.

Why?

Slide 16: IP Addresses

IP is a network layer protocol, so it must be capable of providing communication between hosts on different kinds of networks (different data-link implementations).

The address must include information about which network the receiving host is on. This is what makes routing feasible.

Slide 17: IP Addresses

IP addresses are logical addresses (not physical).

IPv4 (version 4): 32 bits. IPv6 (version 6): 64 bits.

An IP address includes a network ID and a host ID.

Every host must have a unique IP address.

IP addresses are assigned by a central authority (the American Registry for Internet Numbers for North America).

Slide 18: Network and Host IDs

A Network ID is assigned to an organization by a global authority.

Host IDs are assigned locally by a system administrator.

Both the Network ID and the Host ID are used for routing.

Slide 19: IP Addresses

IP addresses are usually shown in dotted decimal notation:

1.2.3.4 = 00000001 00000010 00000011 00000100

cs.rpi.edu is 128.213.1.1 = 10000000 11010101 00000001 00000001

CS has a class B network.
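Slides 17 to 19 describe dotted decimal notation and the classful network ID / host ID split; as an added example (not from the slides), this Python code parses an IPv4 address, renders the binary form shown above, and splits it into network ID and host ID by class (the function names are this example's own):

```python
def parse_ipv4(text: str) -> list:
    """Parse dotted decimal into four octets, rejecting malformed input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {text!r}")
        octets.append(int(p))
    return octets

def is_valid_ipv4(text: str) -> bool:
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False

def to_binary(text: str) -> str:
    """Render an address as four space-separated 8-bit groups, as on the slide."""
    return " ".join(f"{o:08b}" for o in parse_ipv4(text))

def classful_split(text: str) -> dict:
    """Classful addressing: the leading bits of the first octet pick the class,
    and the class fixes how many octets form the network ID."""
    octets = parse_ipv4(text)
    first = octets[0]
    if first < 128:          # 0xxxxxxx -> class A, 1 network octet
        cls, net_len = "A", 1
    elif first < 192:        # 10xxxxxx -> class B, 2 network octets
        cls, net_len = "B", 2
    elif first < 224:        # 110xxxxx -> class C, 3 network octets
        cls, net_len = "C", 3
    else:                    # 1110xxxx multicast / 1111xxxx reserved
        raise ValueError(f"{text} is not a class A/B/C unicast address")
    network = octets[:net_len] + [0] * (4 - net_len)
    host = [0] * net_len + octets[net_len:]
    return {"class": cls,
            "network_id": ".".join(map(str, network)),
            "host_id": ".".join(map(str, host))}

if __name__ == "__main__":
    for addr in ("1.2.3.4", "128.213.1.1"):
        print(addr, to_binary(addr), classful_split(addr))
```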


Slide 21: Host and Network Addresses

A single network interface is assigned a single IP address called the host address.

A host may have multiple interfaces, and therefore multiple host addresses.

Hosts that share a network all have the same IP network address (the network ID).

Slide 22: Mapping IP Addresses to Hardware Addresses

IP addresses are not recognized by hardware. If we know the IP address of a host, how do we find out its hardware address?

The process of finding the hardware address of a host given its IP address is called Address Resolution.

Slide 23: ARP

The Address Resolution Protocol is used by a sending host when it knows the IP address of the destination but needs the Ethernet (or other data-link) address.

ARP is a broadcast protocol: every host on the network receives the request.

Each host checks the request against its own IP address; the matching host responds.

Slide 24: ARP (cont.)

ARP does not need to be done every time an IP datagram is sent; hosts remember (cache) each other's hardware addresses.

Part of the ARP protocol specifies that the receiving host should also remember the IP and hardware addresses of the sending host.

Slide 25: ARP conversation

Request (broadcast): "HEY - Everyone please listen! Will 128.213.1.5 please send me his/her Ethernet address?"

Other hosts: "not me"

Reply: "Hi Green! I'm 128.213.1.5, and my Ethernet address is 87:A2:15:35:02:C3"

Slide 26: Services provided by IP

Connectionless delivery (each datagram is treated individually).

Unreliable (delivery is not guaranteed).

Fragmentation / reassembly (based on the hardware MTU).

Routing.

Error detection.

Slide 27: IP-Layer Operation

[Figure: end hosts X and Y each run the full stack (Application, TCP, IP, Data Link, Physical); the intermediate routers A, B and C on the path between them run only IP, Data Link and Physical. TCP is an end-to-end layer.]

Slide 28: Transport Layer & TCP/IP

Q: We know that IP is the network layer, so TCP must be the transport layer, right?

A: No... well, almost.

TCP is only part of the TCP/IP transport layer; the other part is UDP (User Datagram Protocol).

Slide 29: (protocol stack figure)

[Figure: Process Layer: Process to Process; Transport Layer: TCP and UDP; Network Layer: IP, with ICMP, ARP & RARP alongside; Data-Link Layer: 802.3.]

Slide 30: UDP, User Datagram Protocol

UDP is a transport protocol: communication between processes.

UDP uses IP to deliver datagrams to the right host.

UDP uses ports to provide communication services to individual processes.

Slide 31: Ports

TCP/IP uses an abstract destination point called a protocol port.

Ports are identified by a positive integer.

Operating systems provide some mechanism that processes use to specify a port.

Slide 32: Ports

[Figure: Host A and Host B, each running several processes, each process attached to its own port.]

Slide 33: UDP

Datagram delivery: connectionless, unreliable, minimal.

The term datagram is also used to describe the unit of transfer of UDP!

Slide 34: TCP, Transmission Control Protocol

TCP is an alternative transport layer protocol supported by TCP/IP. TCP provides:

Connection-oriented
Reliable
Full-duplex
Byte-stream

Slide 35: Connection-Oriented

Connection oriented means that a virtual connection is established before any user data is transferred.

If the connection cannot be established, the user program is notified (finds out).

If the connection is ever interrupted, the user program(s) find out that there is a problem.

Slide 36: Reliable

Reliable means that every transmission of data is acknowledged by the receiver.

If the sender does not receive an acknowledgement within a specified amount of time, the sender retransmits the data.

Reliable does not mean that things don't go wrong; it means that we find out when things go wrong.

Slide 37: Byte Stream

Stream means that the connection is treated as a stream of bytes.

The user application does not need to package data in individual datagrams (as with UDP).

Somebody still needs to do this, since IP delivers all the data in datagrams; it is just that the application layer doesn't need to do it!

Slide 38: Full Duplex

TCP provides transfer in both directions (over a single virtual connection).

To the application program these appear as two unrelated data streams, although TCP can piggyback control and data communication by providing control information (such as an ACK) along with user data.

Slide 39: TCP Ports

Inter-process communication via TCP is achieved with the use of ports (just like UDP).

Common ports and the services that run on them:

FTP     21
telnet  23
SMTP    25
http    80
POP3    110

Slide 40: Addressing in TCP/IP

Each TCP/IP address includes: Internet address, protocol (UDP or TCP), port number.

NOTE: TCP/IP is a protocol suite that includes IP, TCP and UDP.

Slide 41: TCP/IP Summary

IP: network layer protocol; unreliable datagram delivery between hosts.

UDP: transport layer protocol; unreliable datagram delivery between processes.

TCP: transport layer protocol; reliable, byte-stream delivery between processes.

Slide 42: OSI and Protocol Stack (OSI: Open Systems Interconnect)

OSI Model                  TCP/IP Hierarchy
7th  Application Layer     Application Layer
6th  Presentation Layer    Application Layer
5th  Session Layer         Application Layer
4th  Transport Layer       Transport Layer
3rd  Network Layer         Network Layer
2nd  Link Layer            Link Layer
1st  Physical Layer        Link Layer

Link Layer: includes the device driver and network interface card.
Network Layer: handles the movement of packets, i.e. routing.
Transport Layer: provides a reliable flow of data between two hosts.
Application Layer: handles the details of the particular application.

Slide 43: TCP vs. UDP

Q: Which protocol is better?

A: It depends on the application.

TCP provides a connection-oriented, reliable, byte stream service (lots of overhead).

UDP offers a minimal datagram delivery service (as little overhead as possible).

Slide 44: Hmmmmm. TCP or UDP?

Electronic commerce? Video server? File transfer? Email? Chat groups? Robotic surgery controlled remotely over a network?

Slide 45: Break

Slide 46: TCP Connection Establishment

TCP uses a three-way handshake to open a connection:

(1) ACTIVE OPEN: the client sends a segment with the SYN bit set*, carrying the port number of the client and the initial sequence number (ISN) of the client.

(2) PASSIVE OPEN: the server responds with a segment with the SYN bit set*, carrying the initial sequence number of the server and an ACK for the ISN of the client.

(3) The client acknowledges by sending a segment with an ACK for the ISN of the server.

(* a SYN counts as one byte of sequence space)

Slides 47-50: Connection Creation

[Figure, built up over four slides: the active participant (client) and the passive participant (server) exchanging the handshake segments.]

Slide 51: Why is a two-way handshake not enough?

Trace of SYN segments between aida.poly.edu and mng.poly.edu:

aida -> mng:  S 15322112354:15322112354(0) win 16384 <mss 1460, ...>
mng -> aida:  S 172488586:172488586(0) win 8760 <mss 1460>
aida -> mng:  S 1031880193:1031880193(0) win 16384 <mss 1460, ...>   (red line)

The red line is a delayed duplicate packet: an old SYN from aida that reaches mng late. With only a two-way handshake, mng accepts that SYN as opening the connection, so aida's real SYN will be discarded as a duplicate. When aida initiates the data transfer (starting with SeqNo=15322112355), mng will reject all data.
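As an added illustration that is not part of the original slides, the following Python model replays this scenario, with the delayed duplicate SYN reaching mng before aida's real SYN, once under a two-way and once under a three-way handshake. Only the sequence numbers come from the slide; the Server class, client_reply and the reduced state machine (no windows, options or timers) are this model's own simplifications.

```python
AIDA_ISN = 15322112354   # aida's real SYN (numbers from the slide, model is constructed)
OLD_ISN = 1031880193     # delayed duplicate SYN from an earlier aida connection
MNG_ISN = 172488586      # mng's own SYN

class Server:
    """mng's side. With three_way=True the connection is ESTABLISHED only after
    the client ACKs mng's ISN; otherwise the client's SYN alone establishes it."""
    def __init__(self, isn, three_way):
        self.isn, self.three_way = isn, three_way
        self.state, self.expect_seq = "LISTEN", None

    def on_syn(self, client_isn):
        if self.state != "LISTEN":          # a connection already exists
            return "discarded as duplicate"
        self.expect_seq = client_isn + 1    # the SYN counts as one byte
        self.state = "SYN_RCVD" if self.three_way else "ESTABLISHED"
        return ("SYN", self.isn, client_isn + 1)   # SYN k, ack j+1

    def on_ack(self, ack):                  # third handshake message
        if self.state == "SYN_RCVD" and ack == self.isn + 1:
            self.state = "ESTABLISHED"

    def on_rst(self):                       # half-open connection torn down
        self.state, self.expect_seq = "LISTEN", None

    def on_data(self, seq):
        return self.state == "ESTABLISHED" and seq == self.expect_seq

def client_reply(synack, client_isn):
    """aida answers a SYN-ACK with ACK k+1 if it acknowledges aida's own ISN,
    and with RST otherwise, since none of aida's connections match it."""
    _, server_isn, ack = synack
    return ("ACK", server_isn + 1) if ack == client_isn + 1 else ("RST",)

def deliver(mng, reply, three_way):
    """A two-way handshake has no third message, so only in the three-way
    case does aida get to confirm or reject what mng sent back."""
    if three_way and reply != "discarded as duplicate":
        r = client_reply(reply, AIDA_ISN)
        mng.on_ack(r[1]) if r[0] == "ACK" else mng.on_rst()

def run(three_way):
    """True if mng accepts aida's first data byte at SeqNo=15322112355."""
    mng = Server(MNG_ISN, three_way)
    deliver(mng, mng.on_syn(OLD_ISN), three_way)    # the old SYN arrives first
    deliver(mng, mng.on_syn(AIDA_ISN), three_way)   # then aida's real SYN
    return mng.on_data(AIDA_ISN + 1)
```

With the two-way handshake mng is left expecting data at 1031880194, so aida's data at 15322112355 is rejected; with the three-way handshake aida's RST clears the bogus half-open connection and the real handshake completes.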

Slides 52-56: Connection Teardown

[Figure, built up over five slides: the active participant (client) and the passive participant (server) exchanging the segments that close the connection.]

Slides 57-63: Two-Army Problem

[Figure, built up over seven slides: two red armies and a blue army; generals A and B exchange messages and acknowledgements of those messages.]

So how many acks of acks are enough??

Slide 64: Connection Teardown

[Figure: active participant (client), passive participant (server).]

Connection close is treated as two separate "close"s, one for each simplex connection.

Slide 65: Sockets

The server process multiplexes streams that share the same source port number according to the source IP address.

Socket = (IP address, port number). For example: 10.1.1.2:80

Each stream ("flow") is uniquely identified by a socket pair.

Slide 66: Packet Exchange for TCP Connection

CLIENT                                        SERVER
socket()                                      socket()
                                              bind()
                                              listen()
connect()  --- SYN j ----------------------->
           <-- SYN k, ack j+1 ---------------
           --- ack k+1 --------------------->  accept()
write()    --- Data request ---------------->  read()
read()     <-- Data reply, ack --------------  write()
           --- ack of reply ---------------->
close()    --- FIN M ----------------------->
           <-- ack M+1 ---------------------
           <-- FIN N -----------------------  close()
           --- ack N+1 --------------------->

Slide 67: netstat -n

Lists all active sockets with the address/port number pair.

Slide 68: netstat -r

Displays the routing table.

Slide 69: netstat -s

Displays network statistics.

Slide 70: ping

Sends a test packet to a given address and reports the round trip time.

Slide 71: traceroute

Discovers the route from a source to a destination.

Slide 72: TCP/IP Hacks and Attacks

Think like a hacker, to stop intrusions into your own network.

Protect your network before they (evil hackers) attack the vulnerabilities in it.

Slide 73: Some common attacks

Slide 74: Denial of Service Attacks

Denial of Service attacks attempt to negate service by exhausting resources at the victim side (such as network bandwidth, CPU, memory, etc.), forcing victim equipment into a non-operational state, or hijacking victim equipment/resources for malicious goals.

A Distributed Denial of Service (DDoS) attack is a special case of DoS in which multiple distributed network nodes (zombies) are used to multiply the DoS effect.

Slide 75: Early DoS attacks

Ping of death: a simple network flood, either a single very large ping packet or a flood of large or small ping packets.

Smurf attack: an amplified network flood, widespread pings with a faked return address (sent to a broadcast address).

Slide 76: TCP SYN Flood

[Figure: a normal client sends a SYN RQST and receives a SYN ACK from the server. Zombies send spoofed SYN RQSTs to the victim; the victim's SYN ACKs go unanswered and its waiting buffer overflows.]

Slide 77: Distributed Denial of Service

Zombies on innocent computers.

Server-level DDoS attacks
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks

Slide 78: Spoofing

[Figure: hosts X, Y and Z. "Mr. Z, is that you?" "Yes, I'm here!"]

Slide 79: ARP Cache Poisoning

System A: IP 192.168.51.35, MAC 00:00:00:AA:AA:AA
  Internal ARP cache: 192.168.51.36 - 00:00:00:CC:CC:CC

System B: IP 192.168.51.36, MAC 00:00:00:BB:BB:BB
  Internal ARP cache: 192.168.51.35 - 00:00:00:CC:CC:CC

Attacker: IP 192.168.51.37, MAC 00:00:00:CC:CC:CC
  Internal ARP cache: 192.168.51.36 - 00:00:00:BB:BB:BB; 192.168.51.35 - 00:00:00:AA:AA:AA

The attacker's ARP replies: "192.168.51.36 is at 00:00:00:CC:CC:CC" (poisons System A's cache) and "192.168.51.35 is at 00:00:00:CC:CC:CC" (poisons System B's cache).
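An added example, not from the slides: a defender-side ARP monitor that checks each observed ARP reply against a baseline table and alerts on the two things the attacker's replies on this slide produce, a changed MAC for a known IP and one MAC claiming several IPs. The reply lines are constructed to match the slide's addresses, and ArpMonitor and scan are this example's own names.

```python
from collections import defaultdict

def parse_reply(line):
    """Parse the 'X is at Y' form used on the slide into (ip, mac)."""
    ip, mac = line.strip().split(" is at ")
    return ip, mac.upper()

class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies against a known baseline."""
    def __init__(self, baseline):
        self.table = {ip: mac.upper() for ip, mac in baseline.items()}
        self.claims = defaultdict(set)          # mac -> set of IPs it has claimed
        for ip, mac in self.table.items():
            self.claims[mac].add(ip)

    def observe(self, line):
        ip, mac = parse_reply(line)
        alerts = []
        known = self.table.get(ip)
        if known is not None and known != mac:   # binding for a known host changed
            alerts.append(f"MAC change for {ip}: {known} -> {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:            # one interface answering for many IPs
            alerts.append(f"{mac} claims several IPs: "
                          f"{', '.join(sorted(self.claims[mac]))}")
        self.table.setdefault(ip, mac)   # learn new hosts, keep baseline for known ones
        return alerts

# Known-good bindings of System A and System B from the slide.
BASELINE = {"192.168.51.35": "00:00:00:AA:AA:AA",
            "192.168.51.36": "00:00:00:BB:BB:BB"}

# Constructed sample: a benign reply, then the two replies the attacker sends.
SAMPLE_REPLIES = [
    "192.168.51.37 is at 00:00:00:CC:CC:CC",   # attacker announcing its own address
    "192.168.51.36 is at 00:00:00:CC:CC:CC",   # poisons System A's cache
    "192.168.51.35 is at 00:00:00:CC:CC:CC",   # poisons System B's cache
]

def scan(lines, baseline=BASELINE):
    """Run all reply lines through one monitor and collect the alerts."""
    mon = ArpMonitor(baseline)
    return [a for line in lines for a in mon.observe(line)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REPLIES):
        print(alert)
```

A legitimate NIC replacement or failover also changes the MAC for an IP and triggers the first alert, so the baseline has to be updated when such a change is expected.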

Slide 80: More DoS attacks

ARP redirect (ARP): local IP address hijack; a man-in-the-middle ("middleman") attack.

Land (TCP SYN): source and destination IP addresses are the same, causing the response to loop.

SQL/Application server attack (HTTP): continuous requests for a computationally heavy dynamic page.

Slide 81: Mitigation Techniques

Slide 82: ACL - Access Control List

Layer 4 filtration rules: <protocol, srcIP, dstIP, srcPort, dstPort>

SQL Slammer prevention ACL:

access-list 101 deny udp any any eq 1434
access-list 101 permit ip any any
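To show how the two entries above are applied to 5-tuples, here is an added Python evaluator (not from the slides) for access-list lines in this syntax; it matches entries in order, first match wins, and treats a packet matching no entry as denied, which is an assumption of this model rather than something the slide states. The Entry, parse_entry and evaluate names and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else "tcp" or "udp"
    src: str               # "any" or a single IP address
    dst: str
    dport: Optional[int]   # destination port from "eq <port>", or None

def parse_entry(line: str) -> Entry:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <dstPort>]"""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    dport = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
    return Entry(tok[2], tok[3], tok[4], tok[5], dport)

def matches(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    return (e.proto in ("ip", proto)
            and e.src in ("any", src)
            and e.dst in ("any", dst)
            and (e.dport is None or e.dport == dport))

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             sport: int, dport: int) -> str:
    """'permit' or 'deny' for one <protocol, srcIP, dstIP, srcPort, dstPort>.
    The slide's entries never test srcPort, so sport is carried but unused."""
    for e in acl:                       # first matching entry decides
        if matches(e, proto, src, dst, dport):
            return e.action
    return "deny"                       # implicit deny when nothing matched (assumption)

# The slide's SQL Slammer prevention ACL, as written.
SLAMMER_ACL = [parse_entry(line) for line in (
    "access-list 101 deny udp any any eq 1434",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed sample packets; the addresses are illustrative only.
    for pkt in (("udp", "10.1.1.2", "192.168.51.35", 40000, 1434),
                ("tcp", "10.1.1.2", "192.168.51.35", 40000, 1434),
                ("udp", "10.1.1.2", "192.168.51.35", 1434, 53)):
        print(pkt, "->", evaluate(SLAMMER_ACL, *pkt))
```

Note that "eq 1434" after the destination address tests only the destination port, so UDP traffic that merely comes from source port 1434 still matches the permit entry.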

Slide 83: TCP Intercept

Slide 84: References

"TCP/IP Illustrated, Volume 1: The Protocols" by W. Richard Stevens

"Internetworking with TCP/IP, Volume 1" by Douglas E. Comer

Slide 85: THANK YOU!