Transport Layer Function
Provides process-to-process delivery
Data Link Layer Function
Provides node-to-node delivery
Network Layer Function
Provides host-to-host delivery
Port Numbers
16-bit addressing space that allows multiple simultaneous connections
Well-Known Ports
Port numbers 0–1023
NAPT Purpose
Translates internal private IP/port pairs to a public IP/port pair
NAT Translation Table
Maintains WAN-side to LAN-side IP:port mappings
NAT Handling Outgoing Traffic
Rewrites source IP/port to public IP/port and updates table
NAT Handling Incoming Replies
Uses translation table to rewrite destination IP/port back to internal host
UDP Reliability
Unreliable with no guaranteed delivery or ordering
UDP Transmission Control
Provides no flow control or congestion control
UDP Characteristics
Connectionless and low-overhead
UDP Uses
Used by DHCP
TCP Reliability
Reliable in-order byte stream using ACKs and retransmissions
TCP Flow Control
Prevents sender from overwhelming receiver
TCP Congestion Control
Slows sending rate when network is congested
TCP Connection-Oriented
Requires handshake setup and teardown
TCP Connection Setup
Three-way handshake using SYN and ACK flags
TCP Connection Termination
Four-way termination process
DNS Purpose
Maps human-readable names to numeric IP addresses
DNS Manual Method
Host file with static mappings
DNS Centralized Method
Stores all mappings in a single machine
DNS Hierarchical Method
Distributes the database across multiple servers
DNS Default Name Server
ISP or organization-run resolver for local users
DNS Transport Protocol
Uses UDP or TCP on port 53
DNS UDP Use Case
Used for responses smaller than 512 bytes
DNS TCP Use Case
Used when responses exceed 512 bytes
Authoritative DNS Servers
Provide official hostname-to-IP mappings
DNS Caching
Non-authoritative answers stored after learning mappings
TLD Server Caching
Commonly cached locally
Non-Persistent HTTP
Opens and closes a TCP connection for each object
Persistent HTTP
Uses one TCP connection to send multiple objects
HTTP/1.1 Pipelining
Allows multiple pipelined GETs over one connection
HOL Blocking (HTTP/1.1)
Small objects wait behind large ones due to FCFS processing
Loss Impact in HTTP/1.1
Retransmissions stall object transmission
HTTP/2 Frame Interleaving
Splits objects into frames and interleaves them to reduce blocking
HTTP/2 Effect
Allows quick delivery of small objects even if larger ones are delayed
HTTP/2 Limitation
Packet loss still stalls all object transmissions
Protocol Layering Issue
HTTP+TLS+TCP+IP stack limits performance
HTTP/3 (QUIC)
HTTP runs over QUIC which replaces TLS and TCP
QUIC Characteristics
Implements reliability in application layer instead of OS TCP
QUIC Origin
Developed by Google starting in 2012
Protocols Vulnerable to Sniffing
HTTP
Hub Behavior
Broadcasts traffic to all ports
Switch Behavior
Unicasts traffic to correct port
SPAN Port
Mirrored port that receives copies of all packets
Sniffer Layer
Operates at the Data Link layer
OSI Isolation
Upper layers do not detect sniffing occurring at lower layers
MAC Flooding Attack
Floods switch with bogus MAC mappings to force broadcast mode
macof Tool
Generates large numbers of random MAC source addresses to overflow CAM table
Switch Port Stealing
Attacker sends fake ARP replies faster to bind victim’s MAC to attacker port
Effect of Port Stealing
Redirects traffic intended for the target to attacker
Gratuitous ARP
ARP reply sent without request to update forwarding info
Fake Gratuitous ARP Effect
Causes conflicts and lets attacker race to control MAC binding
ARP Spoofing at Switch
Floods ARP table causing switch to behave as a hub
ARP Cache Poisoning
Inserts forged IP–MAC pairs into victim’s ARP cache
Dynamic ARP Inspection
Drops ARP packets whose IP-to-MAC binding does not match the DHCP snooping binding table
ARP Spoofing Detection Tools
Xarp
MAC Duplication
Attacker reuses victim’s MAC address to receive traffic
MAC Duplication Result
Switch forwards traffic to multiple ports enabling impersonation
MAC Spoofing Defense
Use DHCP Snooping
Secure MAC Retrieval
Get MAC directly from NIC instead of OS
DHCP Process
DISCOVER → OFFER → REQUEST → ACK
DHCP Starvation Attack
Attacker sends many DHCP requests to exhaust IP leases
DHCP Starvation Tools
dhcpstarv and Yersinia
Rogue DHCP Server
Attacker responds to DHCP requests with fake configuration
Rogue DHCP Effects
Wrong IP
DHCP Attack Defense
Use port security and DHCP snooping
IRDP Purpose
Hosts discover local routers through ICMP Router Solicitation and Advertisement
IRDP Spoofing
Attacker sends fake router advertisements to change victim’s default router
Local DNS Spoofing
Attacker on LAN sniffs DNS requests and replies with forged answers
Internet DNS Spoofing
Trojan changes victim’s DNS server to attacker-controlled address
Proxy DNS Poisoning
Trojan modifies browser proxy settings to redirect traffic
DNS Cache Poisoning
Inserts forged DNS records into resolver cache to redirect users