CPSC 3600 - Drachova - Final


95 Terms

1

How many layers are in the TCP/IP stack?

4 layers

2

What are the layers of the TCP/IP stack?

Application, Transport, Network, and Link

3

How long is an IP address?

32 bits

4

What does an IP address identify?

The subnet (high-order bits) and the host (low-order bits).

5

How long is a MAC address?

48 bits

6

What does a MAC address identify?

The first 24 bits identify the manufacturer and the second 24 bits are the unique adapter ID.

7

What does MAC stand for?

Media Access Control

8

What is another name for MAC address?

BIA (Burned-In address)

9

What does CIDR stand for?

Classless Inter-Domain Routing

10

What is CIDR for?

Allows a single IP address to represent a range of addresses, which improves the efficiency of address distribution.

11

What is a network mask?

Shows the prefix of an IP address, that is, which part is the network.

12

What is a broadcast address?

Broadcasts to all hosts on network.

13

What is a network address?

Address of the network. First part of an IP address.

14

Who is responsible for assigning port numbers?

The Internet Assigned Numbers Authority (IANA)

15

What is a socket?

It is a software interface where a process sends messages into, and receives messages from, the network.

16

What does a socket consist of?

An IP address and a port number.

17

What is a Hypervisor?

It is another name for a Virtual Machine Manager (VMM). It creates and runs a VM by creating a virtual interface identical to the host machine.

18

What are hosts?

End systems, or always-on hosts called servers.

19

What are clients?

Communicate with the server and may be intermittently connected rather than always on. Do not communicate directly with each other. Sometimes have a dynamic IP address.

20

Network Core

Mesh of interconnected routers that do packet/circuit switching, Internet structure.

Includes routing and forwarding as key functions.

21

Network Edge

hosts, access net, physical media

22

What devices are found in the Network Core?

Routers and high-capacity switches

23

What devices are found in the Network Edge?

User devices like computers, smartphones, and IoT devices

24

What is the difference between a Router and a Switch?

A router connects networks by IP addresses to send data to correct networks, while a switch connects devices within the same network and sends the correct data to the right device using MAC addresses.

25

What are the 3 different Mail Protocols?

SMTP (push), POP3 (pull), IMAP (pull)

26

What are the differences between the Mail Protocols?

SMTP is used for sending while POP3 and IMAP are used for receiving. POP3 downloads emails to a single device while IMAP allows access to emails on multiple devices.

27

Characteristics of TCP Protocol.

Reliable Transport. Flow control. Congestion Control. Connection Oriented. Can be Pipelined.

28

What does TCP protocol not provide?

Timing, minimum throughput guarantee, security

29

What is the difference between Flow Control and Congestion Control?

Flow Control is where the sender won't overwhelm the receiver, and Congestion Control is where the sender gets throttled if it overloads the network.

30

What happens when the network gets too congested?

Data packets experience delays, increased latency, potential packet loss, and a significant slowdown in data transfer speeds

31

What is Round Trip Time (RTT)?

Time for a small packet to travel from client to server and back

32

What is "Internet of Things?"

Refers to a network of physical devices embedded with sensors, software, and connectivity that allows them to collect and exchange data over the internet using protocols like TCP/IP, essentially enabling communication between various devices like smart sensors, home appliances, and industrial machinery

33

What are Smart Devices? Why are they Smart?

Any electronic device that can connect to a network and perform complex functions independently. They are smart because they can do so independently.

34

IPv4 address

32 bits.

35

IPv6 address

128 bits.

36

IPv5 address

Experimental and never took off.

37

IPv4 to IPv6

Checksum removed, options allowed, and ICMPv6 upgrade.

38

What is Multicasting?

a networking technique where a single source sends data to a group of designated receivers simultaneously, using a special IP address to identify the group

39

What is Anycasting?

a network addressing method where multiple servers or network nodes across different locations share the same IP address

40

What is Broadcasting?

sending a data packet to every device on a network simultaneously, using a special "broadcast address" which ensures all devices on that network receive the information

41

What is Unicasting?

a method of network communication where data is sent from one specific device to another single device

42

What do ports identify?

ports identify specific applications or services running on a device

43

Big Endian vs Little Endian

"Big Endian" refers to a byte order where the most significant byte of a multi-byte data value is stored first (at the lowest memory address), while "Little Endian" stores the least significant byte first

44

What do routers do?

Primary function is to connect different networks together by forwarding data packets between them based on their IP addresses and by the best path using a function called routing.

45

TCP multiplicative and additive?

In TCP/IP, the congestion control mechanism is considered "additive increase, multiplicative decrease" (AIMD), meaning that when increasing the sending rate, TCP uses an additive approach, while when decreasing the rate due to congestion, it uses a multiplicative approach; essentially making it more "multiplicative" in terms of its primary congestion handling behavior.

46

How to do Dijkstra algorithm?

A widely used algorithm for finding the shortest path between two nodes in a network.

47

Art-Net Protocol?

a networking protocol built on top of the TCP/IP suite specifically designed to transmit DMX512 lighting data over an Ethernet network

48

DHCP Protocol

Stands for Dynamic Host Configuration Protocol, is a network protocol within TCP/IP that automatically assigns IP addresses and other network configuration details like subnet masks and default gateways to devices on a network, allowing them to seamlessly connect and communicate with each other

49

What is Network Address Translation? How does it work?

A process where a router translates private IP addresses used within a local network to a single public IP address before sending data to the internet. It is also called NAT.

50

What is the difference between Digital Signature vs Electronic Signature?

Digital is a message digest and Electronic is an actual written signature.

51

Cryptography

Symmetric and Asymmetric.

Provides confidentiality, integrity, authentication, and non-repudiation.

One way function.

Strength is time.

52

Symmetric encryption

Data encrypted and decrypted using the same secret key.

Requires a secure method of key exchange.

Faster than asymmetric encryption

AES, DES

53

Asymmetric Encryption

Data is encrypted with a public key and decrypted with a private key

Does not require prior key exchange.

Required key size is bigger than in symmetric key schemes.

RSA

54

Hashing

Reduces a large file to a small hash value.

Used to provide authenticity and integrity, one way encryption

MD5, SHA-512 or SHA-256, yescrypt

55

Steganography

Hiding a message in a media file. Like a picture.

56

Encoding

No key

no sort

base64

57

Output redirection

program > file.txt

58

Input redirection

program < file.txt

59

How to create a reliable socket?

int socket(int domain, int type, int protocol)

The first parameter should be AF_INET.

The second parameter should be SOCK_STREAM.

The third parameter should be IPPROTO_TCP.

This will make it a reliable socket.

socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) creates a reliable IPv4 TCP stream socket.

60

How can you send a signal to a program to process?

Establish a TCP connection to the program (acting as a server) by specifying its IP address and port number, then send data through that connection

61

Differences between TCP and UDP

TCP has flow control and congestion control, while UDP does not have any control.

A TCP header is 20-60 bytes and a UDP header is 8 bytes.

TCP sockets must be bound while UDP sockets do not have to be.

62

What fields are in a TCP header?

Source Port, Destination Port, Sequence Number, ACK Number, Data Offset, ECN, Control Bits, Window, Checksum, Urgent Pointer, Options

63

What fields are in a UDP header?

Source port

Destination port

Length

Checksum

64

Difference between TCP and UDP in code.

TCP must use bind() while UDP does not have to.

In ssize_t sendto(int socket, const void *msg, size_t msgLength, int flags, const struct sockaddr *destAddr, socklen_t addrLen) the last 2 parameters are UDP only.

TCP uses send() instead

In ssize_t recvfrom(int socket, void *msg, size_t msgLength, int flags, struct sockaddr *srcAddr, socklen_t *addrLen) the last 2 parameters are UDP only.

TCP uses recv() instead.

65

tcpdump

tcpdump is mainly used for "listening" to interfaces of a console to see network traffic. It can be used to confirm if data was sent/received, what data was sent/received, and who sent/received the data. It can be useful for catching malpractice such as hacking and is a good way of catching errors in sending or receiving data.

66

netcat

netcat is a tool used for port scanning and port listening. It can be used to read and write data between two networks and can be very useful in troubleshooting problems within a network. It is very simple and apparently a very reliable tool in security and network management.

67

nslookup

nslookup is a tool that allows a user to get the IP address and DNS record of a domain name. It can be very useful in making sure that DNS records are up to date and that IP addresses are mapped to the correct domain name. It stands for name server lookup.

68

nmap

It stands for Network Mapper and is a great tool for seeing hosts of a network, what OS hosts are running, and much more information on a network. It can be used for network discovery and security auditing to make sure a network is secure from attacks. It lists information like which ports and hosts are active and how many total of each there are.

69

Wireshark

Wireshark is a tool used for capturing packets on a network and analyzing them. It is used as a troubleshooting tool for protocols and is an open-source network protocol analysis software program. It can be incredibly useful in error checking when sending and receiving data over your own network

70

What protocols live on Application Layer?

HTTP

FTP

DNS

SMTP

Telnet

DHCP

SNMP

71

What protocols live on Transport Layer?

TCP

UDP

72

What protocols live on Network Layer?

IP

ICMP

73

What protocols live on Link Layer?

Ethernet

ARP

RARP

NDP

74

HTTP

stands for "Hypertext Transfer Protocol," which is a communication protocol used between web browsers (clients) and web servers to transfer information like web pages, images, and other data across the internet

75

FTP

(File Transfer Protocol) is a network protocol that allows users to transfer files between computers over a TCP connection

76

DNS

(Domain Name System) acts as a translator, converting human-readable domain names (like "www.google.com") into machine-readable IP addresses

77

SMTP

(Simple Mail Transfer Protocol) is the protocol responsible for sending emails across the internet

78

Telnet

a network protocol that allows users to remotely access and control a computer by establishing a text-based connection to a remote device

79

DHCP

(Dynamic Host Configuration Protocol) automatically assigns IP addresses and other network configuration details like subnet masks and default gateways to devices on a network

80

SNMP

(Simple Network Management Protocol) acts as a protocol that allows network administrators to monitor and manage various network devices like routers, switches, and servers by collecting information about their status and performance, enabling them to identify issues and make configuration changes remotely

81

IP

(Internet Protocol) is responsible for determining the destination address of data packets

82

ICMP

(Internet Control Message Protocol) acts as a mechanism for network devices to communicate error messages and status information

83

Ethernet

acts as the physical layer protocol responsible for transmitting data packets between devices on a local network

84

ARP (IMPORTANT)

(Address Resolution Protocol) acts as a mechanism to translate an IP address (logical address) into a MAC address (physical address)

85

RARP

(Reverse Address Resolution Protocol) allows a device to discover its own IP address by sending its MAC address to a dedicated server

86

NDP

stands for "Neighbor Discovery Protocol" and is primarily used in IPv6 networks to discover the MAC addresses of other devices on the local network

87

ARP attacks

Spoofing - Any computer on the network can claim to have the requested IP address...

This leads to Cache Poisoning, which is where data is thought to be sent directly to where it needs to go, but it actually first goes through the attacker's system, so they can see the data.

88

ICMP attacks

SMURF attack - DDoS, meaning every device on the network will send a message to a victim rendering a server useless.

89

IP attacks

Packet sniffing - IP packets are not encrypted, so the Internet Protocol allows for some types of eavesdropping.

90

TCP attacks

SYN Flood - Typically a DoS attack, though it can be combined with other attacks such as TCP hijacking. Relies on sending TCP connection requests faster than the server can process them.

Attacker creates a large number of packets with spoofed source addresses and sets the SYN flag on these. The server responds with a SYN/ACK for which it never gets a response (waits for about 3 minutes each)

91

Optimistic ACK attack

An optimistic ACK attack takes advantage of TCP congestion control. It begins with a client sending out ACKs for data segments it hasn't yet received. This flood of optimistic ACKs makes the server's TCP stack believe that there is a large amount of bandwidth available and thus increase cwnd. This leads to the attacker providing more optimistic ACKs, and eventually bandwidth use beyond what the server has available.

92

TCP RST attack

If a connection exists between two machines, A and B, a third party can attempt to break that connection by injecting a packet into one or the other with a spoofed IP address and the RST flag set

93

Blind Injection

If you can guess the sequence number, and happen to know what upper level protocol is being supported by TCP, you can also inject a command into an existing connection, rather than resetting it. Can cause Ack Storm.

94

Complete session hijacking

When an attacker is on the same network segment as the target server and/or client, an attacker can completely hijack an existing TCP session

95

DNS Attack: Pharming and Phishing

Corruption of the DNS lookup process to cause a DNS request to redirect to a false IP address is called "Pharming." Often combined with a Phishing attack, where the false IP serves up content identical in appearance to the actual site, tricking the user into entering credentials which can be stolen.

Also DNS Cache Poisoning.