Network Protocol Theory Flashcards

1
Q

What is the TCP/IP model

A

The TCP/IP model, also known as the Internet Protocol Suite, is a more practical framework developed by the U.S. Department of Defense. It is designed to ensure successful communication over the internet and consists of four layers.

2
Q

What are the OSI model layers

A
  1. Physical Layer: Deals with the physical connection between devices and the transmission of binary data over physical mediums.
  2. Data Link Layer: Handles error detection and correction, as well as frame synchronization.
  3. Network Layer: Manages logical addressing, routing, and packet forwarding.
  4. Transport Layer: Provides reliable data transfer, flow control, and error recovery.
  5. Session Layer: Manages sessions or connections between applications.
  6. Presentation Layer: Ensures data is in a readable format and handles encryption and compression.
  7. Application Layer: Interfaces directly with user applications, providing network services.
3
Q

What is the OSI model?

A

The OSI (Open Systems Interconnection) model is a conceptual framework created by the International Organization for Standardization (ISO) to standardize the functions of a telecommunication or computing system into seven distinct layers. Each layer serves specific functions and communicates with the layers directly above and below it.

4
Q

What is the relation between the OSI model and the TCP/IP model

A
  1. Conceptual Layers: The OSI model is more theoretical and detailed, with seven layers, whereas the TCP/IP model is more practical and simplified, with four layers.
  2. Layer Mapping:
    • OSI Physical and Data Link Layers correspond to the TCP/IP Link Layer.
    • OSI Network Layer corresponds to the TCP/IP Internet Layer.
    • OSI Transport Layer is the same as the TCP/IP Transport Layer.
    • OSI Session, Presentation, and Application Layers are combined into the TCP/IP Application Layer.
  3. Usage: The OSI model is used primarily as a teaching and troubleshooting tool to understand and design network protocols. The TCP/IP model is the basis for the actual implementation of the Internet and related protocols.
  4. Development: The OSI model was developed by the ISO, a global standards organization, while the TCP/IP model was developed by the U.S. Department of Defense and is the foundation of the Internet’s architecture.
5
Q

What are the TCP/IP layers

A
  1. Link Layer (Network Interface Layer): Corresponds to the OSI’s Physical and Data Link layers. It deals with the physical transmission of data.
  2. Internet Layer: Maps to the OSI’s Network layer. It handles logical addressing and routing (mainly using the IP protocol).
  3. Transport Layer: Aligns with the OSI’s Transport layer. It ensures reliable data transfer through protocols like TCP and UDP.
  4. Application Layer: Combines the functions of the OSI’s Session, Presentation, and Application layers. It includes protocols such as HTTP, FTP, SMTP, etc.
6
Q

What are the main protocols for each layer in the OSI model?

A

OSI Model

• Physical Layer: Ethernet, DSL, ISDN, USB, Bluetooth, Wi-Fi

• Data Link Layer: Ethernet, PPP, HDLC, Frame Relay, ATM, ARP

• Network Layer: IP, ICMP, IGMP, IPsec

• Transport Layer: TCP, UDP, SCTP, DCCP

• Session Layer: NetBIOS, PPTP, RPC

• Presentation Layer: SSL/TLS, JPEG, GIF, MPEG, ASCII, EBCDIC

• Application Layer: HTTP, FTP, SMTP, DNS, SNMP, Telnet, SSH, IMAP, POP3, NTP

7
Q

What is packet encapsulation and what is it used for?

A

Packet encapsulation is the process of enclosing data with protocol-specific information at each layer of the TCP/IP model. This method ensures that data can be transmitted across networks and interpreted correctly by the receiving device.

8
Q

How does packet encapsulation work?

A
  1. Application Layer: Generates data and adds application-specific headers.
    • Example: HTTP data
    • Encapsulation: [HTTP data]
  2. Transport Layer: Encapsulates application layer data within a transport layer segment (TCP/UDP).
    • Example: TCP header + HTTP data
    • Encapsulation: [TCP header + HTTP data]
  3. Internet Layer: Encapsulates the transport layer segment within an IP packet.
    • Example: IP header + [TCP header + HTTP data]
    • Encapsulation: [IP header + TCP header + HTTP data]
  4. Link Layer: Encapsulates the IP packet within a link layer frame for transmission.
    • Example: Ethernet header + [IP header + TCP header + HTTP data] + Ethernet trailer
    • Encapsulation: [Ethernet header + IP header + TCP header + HTTP data + Ethernet trailer]
9
Q

What are the addresses used for each layer in the TCP/IP model?

A

Each layer has its own addressing structure:

○ Data link layer: MAC address (for Ethernet)
  ■ A globally unique address “burnt” in the NIC
  ■ The ARP protocol maps an IP address to a MAC address

○ Internet layer: IP address
  ■ Identifies “globally” a network host
  ■ There can be private addresses (RFC1918 for IPv4)

○ Transport layer: port
  ■ Identifies a specific service on a host

10
Q

What are the main characteristics of the UDP protocol?

A
  1. Connectionless: Unlike TCP, UDP does not establish a connection before sending data. Each UDP datagram is treated as an independent message, and there is no handshake or acknowledgment mechanism.
  2. Unreliable: UDP does not guarantee delivery or order of datagrams. It does not perform error checking or retransmission of lost packets. If reliability is needed, it must be implemented at the application layer.
  3. Minimal Overhead: UDP has a smaller header size compared to TCP, which reduces overhead. This makes UDP suitable for applications where low latency and efficiency are more important than reliability.
11
Q

What are the main characteristics of the TCP protocol?

A
  1. Connection-Oriented: TCP establishes a connection between the sender and receiver before transmitting data. This connection is maintained until all data has been exchanged, and it ensures that data is delivered in order and without loss or duplication.
  2. Reliable Delivery: TCP guarantees the reliable delivery of data by using acknowledgments, sequence numbers, and retransmissions. It ensures that data is delivered correctly and in the same order it was sent.
  3. Three-Way Handshake: TCP uses a three-way handshake to establish a connection. This process involves the exchange of SYN (synchronize) and ACK (acknowledge) packets between the client and server to synchronize sequence numbers and establish communication parameters.
12
Q

What are the typical network protocol attacks?

A

Denial of service (against availability)

Sniffing (against confidentiality)

Spoofing (against integrity and authenticity)

13
Q

What are some examples of network protocol attacks that cause denial of service?

A

Killer packets

SYN flood

Smurf, multiplication or amplification attacks

Distributed DoS

14
Q

To which taxonomy do killer packets belong, and what are some examples of this type of attack?

A

They belong to the denial of service taxonomy.

Examples are the ping of death, teardrop, and land attacks.

15
Q

To which type of denial of service attack does the ping of death belong, and how does it work?

A

The “Ping of Death” attack is a type of cyber attack that exploits vulnerabilities in the way some computer systems handle ICMP (Internet Control Message Protocol) packets, particularly ICMP Echo Request packets (commonly known as “ping” packets).

  1. Normal ICMP Echo Request: Normally, when you send a “ping” command from one computer to another, it sends a small ICMP Echo Request packet to the target computer, asking it to respond with an ICMP Echo Reply packet. This is a common way to test network connectivity and measure response times.
  2. Oversized ICMP Packet: In a Ping of Death attack, the attacker manipulates the ICMP packet to make it much larger than the standard maximum size allowed by the Internet Protocol (IP). Typically, the maximum size for an IP packet is 65,535 bytes, but older systems may not properly handle packets of this size.
  3. Buffer Overflow: When the oversized ICMP packet is received by the target computer, its network stack may not be able to handle the packet properly. This can lead to a buffer overflow, where the data in the packet overflows the buffer allocated to store it. As a result, the system may crash, become unresponsive, or exhibit other unexpected behavior.
  4. Denial of Service (DoS): The goal of the Ping of Death attack is often to disrupt the target computer or network by causing it to crash or become unavailable. By sending a series of oversized ICMP packets, the attacker can overwhelm the target system’s resources, leading to a denial of service (DoS) condition where legitimate users are unable to access the system or network services.
16
Q

To what type of denial of service attack does the teardrop attack belong, and how does it work?

A

The “Teardrop” attack is a type of cyber attack that exploits vulnerabilities in the way some computer systems handle fragmented IP packets. Here’s a simple explanation of how the Teardrop attack works:

  1. IP Packet Fragmentation: When data is sent over a network, it is divided into smaller units called packets. If the size of the data exceeds the maximum transmission unit (MTU) of the network, the data is fragmented into smaller packets for transmission.
  2. Fragmented Packets: In the Teardrop attack, the attacker manipulates the fragments of an IP packet to create overlapping or malformed fragments. Specifically, the attacker sends a series of fragmented packets where the offset and length fields are manipulated in such a way that when the packets are reassembled by the target system, they overlap or conflict with each other.
  3. Reassembly Vulnerability: When the target system receives the maliciously crafted fragmented packets, it attempts to reassemble them into the original complete packet. However, due to the overlapping or conflicting fragments, the system may encounter errors or inconsistencies during the reassembly process.
  4. System Crash or Unresponsiveness: If the target system’s network stack is unable to handle the overlapping or conflicting fragments properly, it may crash, become unresponsive, or exhibit other unexpected behavior. This can lead to a denial of service (DoS) condition where legitimate users are unable to access the system or network services.
17
Q

To what type of denial of service attack does the land attack belong, and how does it work?

A

Killer packets attack

The “Land” attack is a type of cyber attack that exploits vulnerabilities in the TCP/IP protocol stack to disrupt network communication. Here’s a simple explanation of how the Land attack works:

  1. TCP/IP Handshake: When two computers communicate over a network using the TCP/IP protocol, they establish a connection through a process called a three-way handshake. During this handshake, the client sends a SYN (synchronize) packet to the server, and the server responds with a SYN-ACK (synchronize-acknowledge) packet, and finally, the client sends an ACK (acknowledge) packet to confirm the connection.
  2. Spoofed SYN Packets: In a Land attack, the attacker sends spoofed SYN packets to the target system. These SYN packets are crafted to appear as if they are coming from the target system itself, with the source IP address and port set to match the destination IP address and port.
  3. TCP Connection Loop: When the target system receives the spoofed SYN packets, it attempts to establish a TCP connection with itself. However, because the source IP address and port of the SYN packets match the destination IP address and port, the target system becomes stuck in a loop, continuously attempting to establish a connection with itself.
  4. Resource Exhaustion: As the target system becomes stuck in the TCP connection loop, it consumes system resources such as CPU cycles, memory, and network bandwidth. This can eventually lead to a denial of service (DoS) condition, where the system becomes overwhelmed and unable to respond to legitimate network requests.
18
Q

To what taxonomy does the SYN flood attack belong, and how does it work?

A

It belongs to the denial of service taxonomy.

The attacker generates a high volume of SYN requests with spoofed source addresses. This way many half-open TCP/IP connections fill the queue.

The filled queue results in the dropping of legitimate clients’ requests.

19
Q

How do we mitigate SYN flood attacks?

A

With SYN-cookies

  1. Normal TCP Handshake: In a normal TCP handshake, when a client wants to establish a connection with a server, it sends a SYN (synchronize) packet to the server. The server then responds with a SYN-ACK (synchronize-acknowledge) packet, and finally, the client sends an ACK (acknowledge) packet to complete the handshake and establish the connection.
  2. SYN Flood Attack: In a SYN flood attack, the attacker floods the target server with a large number of SYN packets, but does not complete the handshake by sending the final ACK packet. This causes the server to allocate resources for each half-open connection and eventually exhaust its resources, leading to a denial of service (DoS) condition where legitimate users are unable to establish connections with the server.
  3. SYN Cookie Generation: In a SYN cookie implementation, when the server receives a SYN packet from a client, instead of allocating resources and maintaining a half-open connection, it generates a SYN cookie. The SYN cookie is a cryptographic hash of the client’s IP address, port number, and other connection parameters, along with a secret server-side key.
  4. SYN Cookie Response: The server then responds to the client’s SYN packet with a SYN-ACK packet that contains the SYN cookie instead of allocating resources for the connection. The server does not maintain any state for the connection until the final ACK packet is received from the client.
  5. SYN Cookie Verification: When the client sends the final ACK packet to complete the handshake, it includes the SYN cookie generated by the server. The server verifies the SYN cookie to ensure that it matches the expected value based on the client’s connection parameters and the secret server-side key.
  6. Connection Establishment: If the SYN cookie is valid, the server establishes the connection with the client as usual. If the SYN cookie is invalid or missing, the server ignores the connection request, preventing the allocation of resources for unauthorized or malicious connections.
20
Q

To what taxonomy does a distributed DoS attack belong, and how does it work?

A

It belongs to the denial of service taxonomy.

A Distributed Denial of Service (DDoS) attack works by overwhelming a target system or network with a flood of traffic from multiple sources, making it inaccessible to legitimate users. Here’s how a DDoS attack typically works:

  1. Botnet Formation: The attacker first creates or gains control of a large number of compromised computers or devices. These compromised devices, often referred to as “bots” or “zombies,” are typically infected with malware and can be controlled remotely by the attacker.
  2. Command and Control (C&C): The attacker uses a command and control infrastructure to coordinate the actions of the botnet. This infrastructure allows the attacker to issue commands to the compromised devices, such as directing them to launch a DDoS attack against a specific target.
  3. Traffic Generation: Once the botnet is assembled and under the attacker’s control, the attacker instructs the compromised devices to generate a flood of traffic targeting the victim’s system or network. This traffic can take various forms, including:
    • Volume-based attacks: Flood the target with a high volume of network traffic, such as UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) packets.
    • Protocol-based attacks: Exploit vulnerabilities in specific protocols or services, such as SYN flooding attacks targeting the TCP handshake process.
    • Application-layer attacks: Target specific applications or services running on the victim’s system, such as HTTP flood attacks targeting web servers.
  4. Traffic Amplification: In some cases, the attacker may use techniques to amplify the volume of traffic generated by the botnet. For example, the attacker may exploit misconfigured servers or services that respond with larger-than-expected responses to specific requests, such as DNS amplification attacks or NTP amplification attacks.
  5. Traffic Redirection: To further obfuscate the source of the attack and evade detection or mitigation efforts, the attacker may use techniques such as IP spoofing or distributed reflection to make the attack traffic appear to originate from legitimate sources.
  6. Target Overwhelmed: As the flood of malicious traffic reaches the target system or network, it consumes available bandwidth, processing resources, or other critical resources, causing the target to become overwhelmed and unable to respond to legitimate requests. This results in a denial of service (DoS) condition, where legitimate users are unable to access the targeted services or resources.
21
Q

What is the DDoS Smurf attack?

A

The DDoS Smurf attack is a type of distributed denial-of-service (DDoS) attack that exploits the Internet Control Message Protocol (ICMP) and IP broadcast addresses to amplify the volume of attack traffic directed at a victim. Here’s how a DDoS Smurf attack works:

  1. ICMP Echo Requests: In a DDoS Smurf attack, the attacker sends a large number of ICMP Echo Request packets (commonly known as “ping” packets) to IP broadcast addresses. These packets contain the IP address of the victim as the source address, making it appear as if the victim is sending the requests.
  2. Broadcast Amplification: When the ICMP Echo Request packets are sent to a broadcast address, they are broadcasted to all devices on the same network segment. Each device on the network segment that receives the broadcasted ICMP packet responds to it by sending an ICMP Echo Reply packet, which is directed back to the source IP address specified in the ICMP Echo Request packet.
  3. Amplified Response: Since the attacker has spoofed the victim’s IP address in the ICMP Echo Request packets, the ICMP Echo Reply packets generated by the devices on the network segment are sent back to the victim’s IP address instead of the actual source of the ICMP Echo Request packets.
  4. Traffic Amplification: The DDoS Smurf attack leverages the amplification effect of the responses generated by the devices on the network segment. By sending a relatively small number of ICMP Echo Request packets to broadcast addresses, the attacker can generate a significantly larger volume of ICMP Echo Reply packets directed at the victim’s IP address, overwhelming the victim’s network bandwidth and resources.
  5. Denial of Service: As the victim’s network becomes inundated with a flood of ICMP Echo Reply packets, it may become overwhelmed and unable to respond to legitimate network traffic. This results in a denial-of-service (DoS) condition, where legitimate users are unable to access the victim’s services or resources.
  6. Detection and Mitigation: Detecting and mitigating DDoS Smurf attacks can be challenging due to the distributed nature of the attack and the use of IP address spoofing. Network administrators can implement measures such as ingress filtering, which blocks spoofed IP addresses from entering the network, and rate limiting ICMP traffic to reduce the impact of DDoS Smurf attacks.
22
Q

What is network-level sniffing and how does it work?

A

Network-level sniffing, also known as packet sniffing or packet capture, is the process of capturing and analyzing network traffic at the network layer (Layer 3) of the OSI model. Here’s an explanation of how network-level sniffing works:

  1. Capturing Packets: Network-level sniffing involves capturing packets as they traverse a network segment. This can be done using specialized software tools called packet sniffers or network analyzers. These tools put network interfaces (such as Ethernet, Wi-Fi, or others) into “promiscuous mode,” allowing them to capture all packets passing through the network segment, regardless of their intended destination.
  2. Analyzing Packets: Once packets are captured, they can be analyzed to extract useful information about the network traffic. This analysis can include examining packet headers (such as IP addresses, port numbers, protocol types, etc.) and packet payloads (the actual data being transmitted).
  3. Understanding Traffic Patterns: By inspecting captured packets, network administrators can gain insights into traffic patterns, network usage, and potential issues or anomalies. This information can be used for troubleshooting network problems, optimizing network performance, and identifying security threats.
  4. Security Implications: While network-level sniffing can be a valuable tool for network analysis and troubleshooting, it also poses security risks. Unauthorized individuals or malicious actors could use packet sniffers to eavesdrop on network communications and capture sensitive information, such as usernames, passwords, or confidential data.
  5. Protection Measures: To mitigate the risks associated with network-level sniffing, organizations can implement various security measures, including:
    • Encrypting sensitive data to protect it from eavesdropping.
    • Implementing network segmentation and access controls to limit access to sensitive network segments.
    • Monitoring network traffic for signs of unauthorized sniffing activity.
    • Using intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious network traffic.
23
Q

What is ARP and how does it work?

A

ARP stands for Address Resolution Protocol. It is a communication protocol used in computer networks to map IP addresses to MAC (Media Access Control) addresses. Here’s how ARP works:

  1. IP Address to MAC Address Mapping: In computer networks, devices communicate with each other using IP addresses (at the network layer) and MAC addresses (at the data link layer). When a device wants to communicate with another device on the same local network, it needs to know the MAC address of the destination device.
  2. ARP Request: If a device has the IP address of another device but does not know its MAC address, it sends out an ARP request broadcast message to the local network. The ARP request contains the IP address of the target device that the sender wants to communicate with.
  3. ARP Reply: When the device with the requested IP address receives the ARP request, it responds with an ARP reply message. The ARP reply contains the MAC address associated with the IP address specified in the ARP request.
  4. Caching: Once a device receives an ARP reply, it caches the IP-to-MAC mapping in its ARP table (also known as the ARP cache) for future reference. This caching helps reduce the need for ARP requests for frequently accessed devices, improving network efficiency.
24
Q

What is ARP spoofing?

A

ARP spoofing, also known as ARP poisoning or ARP cache poisoning, is a type of cyber attack where an attacker sends falsified Address Resolution Protocol (ARP) messages over a local area network. Here’s how ARP spoofing works:

  1. ARP Protocol: In a typical network, devices use ARP to map IP addresses to MAC addresses. When one device wants to communicate with another device on the same local network, it first checks its ARP cache (a table storing IP-to-MAC address mappings). If the IP address is not found in the ARP cache, the device sends an ARP request broadcast message to the network, asking for the MAC address associated with the target IP address.
  2. Spoofing ARP Replies: In an ARP spoofing attack, the attacker sends falsified ARP reply messages to one or more devices on the network. These ARP reply messages contain forged MAC addresses, falsely claiming to be the MAC address associated with a particular IP address.
  3. Updating ARP Cache: When the targeted device receives the falsified ARP reply, it updates its ARP cache with the forged MAC address. As a result, the device associates the attacker’s MAC address with the target IP address.
  4. Traffic Redirection: With the ARP cache poisoned, traffic intended for the target IP address is now sent to the attacker’s MAC address instead. The attacker can then intercept, modify, or eavesdrop on the traffic before forwarding it to the legitimate destination.
  5. Consequences: ARP spoofing can be used for various malicious purposes, including:
    • Man-in-the-middle (MITM) attacks: The attacker intercepts and modifies communication between two parties without their knowledge.
    • Session hijacking: The attacker steals authentication credentials or session tokens to impersonate a legitimate user.
    • Denial of service (DoS): The attacker floods the network with falsified ARP messages, causing network congestion or disruption.
  6. Mitigation: To prevent ARP spoofing attacks, network administrators can implement various security measures, including:
    • ARP spoofing detection tools: Monitoring network traffic for suspicious ARP activity.
    • Static ARP entries: Manually configuring ARP mappings to prevent dynamic ARP updates.
    • Port security: Limiting the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting.
25
Q

What are switches?

A

Switches are network devices used to connect multiple devices within a local area network (LAN) and facilitate communication between them.

26
Q

What are CAM tables and how do they work?

A

The CAM (Content Addressable Memory) table, also known as the MAC address table or MAC address forwarding table, is a data structure used in network switches to manage the association between MAC (Media Access Control) addresses and the ports on the switch. Here’s how the CAM table works:

  1. Switch Operation: Network switches are devices used to connect multiple devices in a local area network (LAN). Unlike hubs, which simply broadcast incoming traffic to all connected devices, switches are more intelligent and selectively forward traffic only to the appropriate destination device.
  2. Learning MAC Addresses: When a switch receives a frame (a unit of data at the data link layer), it examines the source MAC address of the frame. If the switch has not yet learned the source MAC address, it adds an entry to its CAM table associating the MAC address with the port on which the frame was received.
  3. Forwarding Frames: When a switch receives a frame destined for a particular MAC address, it consults its CAM table to determine which port to forward the frame to. If the MAC address is in the CAM table, the switch forwards the frame only to the port associated with that MAC address. If the MAC address is not in the CAM table, the switch floods the frame to all ports except the port on which it was received, allowing the destination device to respond and update the CAM table.
  4. Aging Mechanism: To ensure that the CAM table remains up-to-date, switches typically implement an aging mechanism. Entries in the CAM table have a limited lifetime, after which they are removed if no traffic is received from the associated MAC address. This allows the CAM table to adapt to changes in the network topology and device connectivity over time.
  5. Efficient Traffic Forwarding: By maintaining a CAM table of MAC address-port associations, switches are able to efficiently forward traffic within a LAN without the need for broadcasting every frame to all connected devices. This improves network performance by reducing unnecessary network traffic and minimizing collisions.
27
Q

How can we perform an attack on the CAM table?

A

Dsniff can generate a lot of spoofed packets, filling the CAM table. With the CAM table filled, the switch cannot cache ARP replies and must forward everything to every port.

28
Q

What is the Spanning Tree Protocol?

A

Spanning Tree Protocol (STP) is a network protocol used to prevent loops in Ethernet networks. When redundant links exist between switches in a network, without STP, these links can create loops that cause network instability and broadcast storms.

29
Q

How does the STP protocol work, and why and how could it be used by an attacker?

A

Switches decide how to build the ST (spanning tree) by exchanging BPDU (bridge protocol data unit) packets to elect the root node.

BPDU packets are not authenticated, so an attacker can change the shape of the tree for sniffing or ARP spoofing purposes.

30
Q

Explain IP address spoofing in the UDP/ICMP protocols

A

The IP source address is not authenticated.

Changing it in UDP or ICMP packets is easy.

However, the attacker will not see the answers (e.g., he/she is on a different network), because they will be sent to the spoofed host (blind spoofing).

But if the attacker is on the same network, s(he) can sniff the rest, or use ARP spoofing.

31
Q

What is the TCP sequence number? How does it work?

A

The TCP sequence number is a 32-bit value used by the TCP (Transmission Control Protocol) to uniquely identify each byte of data sent in a TCP connection. Here’s an overview of TCP sequence numbers and their significance:

  1. Uniquely Identifying Data: In TCP, data is transmitted in segments, and each segment is assigned a sequence number. The sequence number is used to uniquely identify each byte of data within the stream of data being transmitted.
  2. Initial Sequence Number (ISN): When a TCP connection is established, each endpoint generates an initial sequence number (ISN) to use as a starting point for numbering the segments of data exchanged during the connection. The ISN is typically chosen based on a combination of factors, including the current time, the IP addresses and port numbers of the endpoints, and other parameters.
  3. Incremental Sequence Numbers: As data is transmitted in segments over the TCP connection, the sequence number is incremented to assign a unique value to each byte of data within the segment. The sequence number of the first byte in each segment is determined by adding the length of the preceding data to the sequence number of the first byte in the previous segment.
  4. Acknowledgment Number: In addition to assigning sequence numbers to outgoing data segments, TCP also uses acknowledgment numbers to acknowledge the receipt of data segments from the other endpoint. The acknowledgment number indicates the next expected sequence number that the receiver of the data is willing to accept.
  5. Flow Control and Reliability: TCP sequence numbers play a crucial role in ensuring the reliable and ordered delivery of data between TCP endpoints. By using sequence numbers to track the transmission and receipt of data segments, TCP can detect and recover from packet loss, reordering, and duplication, ensuring that data is delivered correctly and in order.

Overall, TCP sequence numbers are essential for the operation of the TCP protocol, providing a mechanism for uniquely identifying and ordering the transmission of data segments within a TCP connection. They enable TCP to provide reliable, ordered, and error-checked delivery of data over IP networks.

Also look at the picture 6S in the Comp Sec album

32
Q

What is an RST packet?

A

An RST packet, or TCP RST packet, is a type of control packet used in the Transmission Control Protocol (TCP) to reset a TCP connection.

33
Q

How does the TCP sequence number guessing attack work?

A

TCP uses sequence numbers for reordering and acknowledging packets.
● A semi-random Initial Sequence Number (ISN) is chosen.
● If a blind spoofer can predict the ISN, he can blindly complete the 3-way handshake without seeing the answers.
● However, the spoofed source should not receive the response packets, otherwise it might answer with a RST.

See the 7S picture

34
Q

How does a TCP session hijack work?

A

Taking over an active TCP session.
If the attacker (C) can sniff the packets:
1. C follows the conversation of A and B recording the sequence numbers.
2. C somehow disrupts A’s connection (e.g., SYN Flood): A sees only a “random” disruption of service.
3. C takes over the dialogue with B by spoofing A's address and using a correct ISN. B suspects nothing.

See picture 8S in the Comp Sec album

35
Q

What is DNS

A

DNS, or Domain Name System, is a hierarchical decentralized naming system used to translate domain names (e.g., www.example.com) into IP addresses (e.g., 192.0.2.1) and vice versa. It serves as the phonebook of the Internet, allowing users to access websites, send emails, and perform other network activities using human-readable domain names instead of numerical IP addresses.

36
Q

How is a domain name resolved in DNS

A

When a non-authoritative DNS server receives a request to resolve a domain name:

● If the answer is cached, it answers from the cache.

● If no answer in cache:
○ Recursive: resolves the name on behalf of the client.
○ Iterative: gives the authoritative DNS address.

37
Q

What is the DNS Cache Poisoning Attack and how does it work

A

Poison the cache of a non-authoritative DNS server.

1) The attacker makes a recursive query to the victim DNS server.

2) The victim (non-authoritative) DNS server contacts the authoritative server.

3) The attacker, impersonating the authoritative DNS server, sniffs/guesses the DNS query ID and spoofs the answer.

4) The victim DNS server trusts and caches the malicious record [POISONED].

All clients that ask the poisoned DNS server to resolve the domain name are redirected to the malicious website.

38
Q

What is DHCP and how does it works?

A

DHCP, or Dynamic Host Configuration Protocol, is a network management protocol used to automate the process of configuring devices on IP networks. It allows devices (clients) to obtain necessary network configuration information, such as IP addresses, subnet masks, default gateways, and DNS server addresses, from a DHCP server. Here’s how DHCP works:

  1. DHCP Discovery: When a device (client) connects to a network, it does not have an IP address assigned. To obtain an IP address, the client broadcasts a DHCPDISCOVER message on the network to locate available DHCP servers.
  2. DHCP Offer: Upon receiving the DHCPDISCOVER message, one or more DHCP servers on the network respond with a DHCPOFFER message. This message contains an available IP address and other network configuration parameters that the server offers to the client.
  3. DHCP Request: The client receives one or more DHCPOFFER messages and selects one of the offers. It then sends a DHCPREQUEST message to the chosen DHCP server to formally request the offered IP address and configuration parameters.
  4. DHCP Acknowledgment: The DHCP server receives the DHCPREQUEST message and responds with a DHCPACK message, confirming that the IP address and configuration parameters have been assigned to the client. The client can now configure its network interface with the provided information and start using the network.
  5. IP Address Lease: The IP address assigned to the client is typically leased for a specific period, known as the lease time. The client must renew the lease periodically by sending a DHCPREQUEST message before the lease expires. If the DHCP server approves the renewal, it responds with a DHCPACK message, extending the lease.
  6. Lease Renewal and Rebinding: If the lease renewal request is not acknowledged, the client will continue to attempt renewing the lease at specific intervals. If the lease expires without renewal, the client will send another DHCPDISCOVER message to obtain a new IP address.
  7. DHCP Release: When a client no longer needs the assigned IP address (e.g., when it is shutting down or disconnecting from the network), it sends a DHCPRELEASE message to the DHCP server to release the IP address back to the pool of available addresses.

39
Q

How does the DHCP poisoning attack work

A

DHCP is an unauthenticated protocol.

The attacker can intercept the “DHCP requests”, be the first to answer, and the client will believe that answer.

With a (spoofed) “DHCP response”, the attacker can set:
● IP address,
● DNS addresses,
● default gateway of the victim client.

40
Q

What is ICMP

A

ICMP is used to send debugging information and error reports between hosts, routers and other network devices at IP level.

ICMP messages can be:
○ Requests
○ Responses
○ Error messages

41
Q

What are some of the ICMP messages

A

● Address mask request/reply:
○ used by diskless systems to obtain the network mask at boot time.

● Timestamp request/reply:
○ used to synchronize clocks.

● Source quench:
○ used to inform about traffic overloads.

● Parameter problem:
○ used to inform about errors in the IP datagram fields.

● Time exceeded:
○ used to report expired datagrams (TTL = 0).

● Redirect:
○ used to inform hosts about better routes (gateways).

● Destination unreachable:
○ used to inform a host of the impossibility to deliver traffic to a specific destination.

42
Q

What are Routers

A

Routers (not hosts) are
○ Responsible for keeping routing information up-to-date.
○ Assumed to discover the best routes for every destination.

43
Q

What is ICMP Redirect message used for

A

Tells a host that a better route exists for a given destination, and gives the gateway for that route.

When a router detects a host using a non-optimal route it:
● Sends an ICMP Redirect message to the host and forwards the original packet.
● The host is expected to then update its routing table.

44
Q

How does the ICMP Redirect attack work

A

The attacker can forge a spoofed ICMP Redirect packet to re-route traffic on specific routes or to a specific host that may not be a router at all.
The attack can be used to:
● Hijack traffic (elect his/her computer as the gateway).
● Perform a denial-of-service attack.

The attacker needs to intercept a packet in the “original” connection in order to forge the reply (i.e., must be in the same network).