25. ARP conversation
Request (broadcast to every host on the segment): "HEY - Everyone please listen! Will 128.213.1.5 please send me his/her Ethernet address?"
Other hosts: "not me"
Reply (from the owner of the address): "Hi Green! I'm 128.213.1.5, and my Ethernet address is 87:A2:15:35:02:C3"
27. IP-Layer Operation [figure: end hosts X and Y run the full stack (Application, TCP, IP, Data Link, Physical); the intermediate nodes A, B and C run only IP, Data Link and Physical. TCP is the end-to-end layer.]
29. [figure: protocol stack. Process Layer: Process, Process; Transport Layer: TCP, UDP; Network Layer: IP, with ICMP, ARP & RARP; Data-Link Layer: 802.3]
32. Ports [figure: Host A and Host B, each running several processes]
42. OSI and Protocol Stack
OSI: Open Systems Interconnect
Link Layer: includes device driver and network interface card
Network Layer: handles the movement of packets, i.e. routing
Transport Layer: provides a reliable flow of data between two hosts
Application Layer: handles the details of the particular application

OSI Model               TCP/IP Hierarchy
7th Application Layer   Application Layer
6th Presentation Layer  Application Layer
5th Session Layer       Application Layer
4th Transport Layer     Transport Layer
3rd Network Layer       Network Layer
2nd Link Layer          Link Layer
1st Physical Layer      Link Layer
51. Why is a two-way handshake not enough? When aida initiates the data transfer (starting with SeqNo=15322112355), mng will reject all data: it will be discarded as a duplicate SYN.
64. Connection Teardown: a connection close is treated as two separate closes, one for each simplex connection.
66. Packet Exchange for TCP Connection
CLIENT: socket(), connect()            SERVER: socket(), bind(), listen(), accept()
CLIENT -> SERVER: SYN j
SERVER -> CLIENT: SYN k, ack j+1
CLIENT -> SERVER: ack k+1
CLIENT write() -> SERVER read(): Data request
SERVER write() -> CLIENT read(): Data reply, ack
CLIENT -> SERVER: ack of reply
CLIENT close() -> SERVER: FIN M
SERVER -> CLIENT: ack M+1
SERVER close() -> CLIENT: FIN N
CLIENT -> SERVER: ack N+1
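The exchange on slide 66, and the duplicate-SYN problem of slide 51, as an added example that is not part of the lecture slides: a toy endpoint model that tracks the next sequence number to send and the next one expected from the peer, checks the seq/ack arithmetic on every segment, and rejects a SYN+ACK that acknowledges an old initial sequence number, which is the check the third step of the handshake makes possible. The class and function names, the segment lengths and the sample initial sequence numbers are all assumptions of this example.

```python
# Added example (not from the lecture): minimal model of the TCP segment
# exchange SYN j / SYN k, ack j+1 / ack k+1 ... FIN M / ack M+1 / FIN N / ack N+1.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    sender: str            # "CLIENT" or "SERVER"
    flags: str             # "SYN", "SYN+ACK", "ACK", "DATA+ACK", "FIN"
    seq: int
    ack: Optional[int] = None
    note: str = ""         # the label used on the slide


class TcpEndpoint:
    """Tracks snd_nxt (next seq to send) and rcv_nxt (next seq expected)."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.snd_nxt = isn          # initial sequence number j or k
        self.rcv_nxt: Optional[int] = None

    def send(self, flags: str, length: int = 0, note: str = "") -> Segment:
        seg = Segment(self.name, flags, self.snd_nxt, self.rcv_nxt, note)
        self.snd_nxt += length      # SYN, FIN and data bytes consume sequence space
        return seg

    def receive(self, seg: Segment, length: int) -> None:
        """Accept only in-order segments whose ACK covers exactly what we sent."""
        if seg.ack is not None and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} != expected {self.snd_nxt}")
        if self.rcv_nxt is not None and seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: seq {seg.seq} != expected {self.rcv_nxt}")
        self.rcv_nxt = seg.seq + length


def full_exchange(j: int, k: int, request: bytes = b"GET /",
                  reply: bytes = b"200 OK") -> List[Segment]:
    """Run handshake, one request/reply, and the two half-closes; return the segments."""
    client, server = TcpEndpoint("CLIENT", j), TcpEndpoint("SERVER", k)
    segs: List[Segment] = []

    def deliver(seg: Segment, receiver: TcpEndpoint, length: int) -> None:
        receiver.receive(seg, length)   # raises if the arithmetic is off
        segs.append(seg)

    # three-way handshake
    deliver(client.send("SYN", 1, "SYN j"), server, 1)
    deliver(server.send("SYN+ACK", 1, "SYN k, ack j+1"), client, 1)
    deliver(client.send("ACK", 0, "ack k+1"), server, 0)
    # client write()/server read(), then server write()/client read()
    deliver(client.send("DATA+ACK", len(request), "Data request"), server, len(request))
    deliver(server.send("DATA+ACK", len(reply), "Data reply, ack"), client, len(reply))
    deliver(client.send("ACK", 0, "ack of reply"), server, 0)
    # teardown: each simplex direction is closed separately
    deliver(client.send("FIN", 1, "FIN M"), server, 1)
    deliver(server.send("ACK", 0, "ack M+1"), client, 0)
    deliver(server.send("FIN", 1, "FIN N"), client, 1)
    deliver(client.send("ACK", 0, "ack N+1"), server, 0)
    return segs


def stale_syn_ack_rejected(old_isn: int, new_isn: int, k: int) -> bool:
    """A SYN+ACK that answers an old duplicate SYN (ack = old_isn+1) must be
    rejected by a client whose current SYN carried new_isn; that rejection is
    what a two-way handshake cannot express."""
    client = TcpEndpoint("CLIENT", new_isn)
    client.send("SYN", 1)
    stale = Segment("SERVER", "SYN+ACK", k, old_isn + 1, "answer to an old SYN")
    try:
        client.receive(stale, 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for s in full_exchange(1000, 5000):
        print(f"{s.sender:6} {s.flags:9} seq={s.seq} ack={s.ack}  # {s.note}")
```

The server keeps snd_nxt at k+1 after its SYN, so the ack of a data reply is k+1+len(reply) and the server's FIN carries that value as N; the assertions on seq/ack in receive() are the point of the model, since a two-way handshake gives the client no segment on which to make the check in stale_syn_ack_rejected().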
67. netstat -n: lists all active sockets with their address/port number pair
79. ARP Cache Poisoning
System A: IP 192.168.51.35, MAC 00:00:00:AA:AA:AA; internal ARP cache: 192.168.51.36 -> 00:00:00:CC:CC:CC
System B: IP 192.168.51.36, MAC 00:00:00:BB:BB:BB; internal ARP cache: 192.168.51.35 -> 00:00:00:CC:CC:CC
Attacker: IP 192.168.51.37, MAC 00:00:00:CC:CC:CC; internal ARP cache: 192.168.51.36 -> 00:00:00:BB:BB:BB, 192.168.51.35 -> 00:00:00:AA:AA:AA
Forged replies sent by the attacker: "192.168.51.36 is at 00:00:00:CC:CC:CC", "192.168.51.35 is at 00:00:00:CC:CC:CC"
Result: A and B each resolve the other's IP address to the attacker's MAC, so their traffic passes through the attacker.
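Detecting the poisoning on slide 79, as an added example that is not part of the lecture slides: a passive monitor in the style of arpwatch that reads ARP replies and flags the two symptoms visible in the figure, an IP whose MAC binding changes and one MAC that answers for several IPs. The "<ip> is at <mac>" line format, the sample replies and the class and function names are constructed for this example; the addresses are the slide's.

```python
# Added example (not from the lecture): flag ARP replies that rebind an IP
# to a new MAC, or that let one MAC claim several IPs.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first three replies are legitimate; the last two are
# the attacker's forged replies from the slide.
SAMPLE_ARP_REPLIES = [
    "192.168.51.35 is at 00:00:00:AA:AA:AA",
    "192.168.51.36 is at 00:00:00:BB:BB:BB",
    "192.168.51.37 is at 00:00:00:CC:CC:CC",
    "192.168.51.36 is at 00:00:00:CC:CC:CC",
    "192.168.51.35 is at 00:00:00:CC:CC:CC",
]


def parse_arp_reply(line: str) -> Tuple[str, str]:
    """Return (ip, mac) from one '<ip> is at <mac>' line; MAC is lower-cased."""
    parts = line.split()
    if len(parts) != 4 or parts[1:3] != ["is", "at"]:
        raise ValueError(f"not an ARP reply line: {line!r}")
    return parts[0], parts[3].lower()


class ArpMonitor:
    def __init__(self, static_bindings: Optional[Dict[str, str]] = None):
        # ip -> mac; seeded from trusted static entries when the admin has them.
        # A binding is never overwritten by a later reply, so every further
        # conflicting reply for that IP is reported.
        self.bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.claims: Dict[str, set] = defaultdict(set)   # mac -> IPs it answered for
        self.alerts: List[tuple] = []

    def observe(self, ip: str, mac: str) -> None:
        previous = self.bindings.get(ip)
        if previous is None:
            self.bindings[ip] = mac
        elif previous != mac:
            self.alerts.append(("ip-mac-changed", ip, previous, mac))
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(("mac-claims-many-ips", mac, tuple(sorted(self.claims[mac]))))


def analyze(lines: List[str], static_bindings: Optional[Dict[str, str]] = None) -> List[tuple]:
    """Feed ARP reply lines through the monitor and return the alerts raised."""
    monitor = ArpMonitor(static_bindings)
    for line in lines:
        monitor.observe(*parse_arp_reply(line))
    return monitor.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES):
        print(alert)
```

Seeding static_bindings with the entries an administrator has pinned (or that a switch's dynamic ARP inspection table holds) turns the first forged reply into an alert even when the monitor never saw the legitimate one; without that seed the monitor trusts whichever reply arrives first.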
80. More DoS attacks
Description                                                                     Protocol  Attack
Continuous requests for a heavy computational dynamic page                      HTTP      SQL/Application server attack
Source and destination IP addresses are the same, causing the response to loop  TCP SYN   Land
Local IP address hijack; middleman attack                                       ARP       ARP Redirect