1. TCP/IP Transmission Control Protocol / Internet Protocol Rakhi Saxena Assistant Professor, Deshbandhu College, Delhi University

6. But First ...

10. ipconfig/ ifconfig

12. Back to TCP/IP

25. ARP conversation HEY - Everyone please listen! Will 128.213.1.5 please send me his/her Ethernet address? not me Hi Green! I’m 128.213.1.5, and my Ethernet address is 87:A2:15:35:02:C3

27. IP-Layer Operation IP Data Link Physical IP Data Link Physical IP Data Link Physical Application TCP IP Data Link Physical X A B C Y X A B C Y Application TCP IP Data Link Physical TCP is end-to-end layer

29. Process Layer Transport Layer Network Layer Data-Link Layer ICMP, ARP & RARP TCP UDP IP 802.3 Process Process

32. Ports Host A Host B Process Process Process Process Process Process

42. OSI and Protocol Stack OSI: Open Systems Interconnect Link Layer : includes device driver and network interface card Network Layer : handles the movement of packets, i.e. Routing Transport Layer : provides a reliable flow of data between two hosts Application Layer : handles the details of the particular application OSI Model TCP/IP Hierarchy Protocols 7 th Application Layer 6 th Presentation Layer 5 th Session Layer 4 th Transport Layer 3 rd Network Layer 2 nd Link Layer 1 st Physical Layer Application Layer Transport Layer Network Layer Link Layer

45. Break

47. C onnection Creation

48. C onnection Creation

49. C onnection Creation

50. C onnection Creation

51. Why is a two-Way Handshake not enough? When aida initiates the data transfer (starting with SeqNo=15322112355) , mng will reject all data. Will be discarded as a duplicate SYN 

52. C onnection Teardown

53. C onnection Teardown

54. C onnection Teardown

55. C onnection Teardown

56. C onnection Teardown

57. T wo-Army Problem Red army Red army Blue army

58. T wo-Army Problem

59. T wo-Army Problem

60. T wo-Army Problem

61. T wo-Army Problem

62. T wo-Army Problem

63. T wo-Army Problem So how many acks of acks are enough??

64. C onnection Teardown Connection close is treated as two separate “close’s” of each simplex connection

66. Packet Exchange for TCP Connection socket() socket() bind() listen() connect() write() read() read() write() Data reply, ack Data request ack of reply close() close() SYN j SYN k, ack j+1 ack k+1 FIN M ack M+1 FIN N ack N+1 CLIENT SERVER accept()

67. netstat –n Lists all active sockets with the address/port number pair

68. netstat –r Displays the routing table

69. netstat –s Displays network statistics

70. ping sends a test packet to a given address and reports the round trip time

71. traceroute discovers the route from a source to a destination

76. TCP SYN Flood client server SYN RQST SYN ACK Spoofed SYN RQST zombie victim Waiting buffer overflows Zombies SYN ACK

77. Distributed Denial of Service Zombies on innocent computers Server-level DDoS attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks

78. Spoofing X Y Z Mr. Z is that you? Yes I’m here!

79. ARP Cache Poisoning IP -> 192.168.51.36 MAC -> 00:00:00:BB:BB:BB Internal ARP Cache 192.168.51.35 – 00:00:00:CC:CC:CC System B IP -> 192.168.51.35 MAC -> 00:00:00:AA:AA:AA Internal ARP Cache 192.168.51.36 – 00:00:00:CC:CC:CC System A IP -> 192.168.51.37 MAC -> 00:00:00:CC:CC:CC Internal ARP Cache 192.168.51.36 – 00:00:00:BB:BB:BB 192.168.51.35 – 00:00:00:AA:AA:AA Attacker 192.168.51.36 is at 00:00:00:CC:CC:CC 192.168.51.35 is at 00:00:00:CC:CC:CC

80. More DoS attacks Continuous requests for a heavy computational dynamic page HTTP SQL/Application server attack Source and destination IP addresses are the same causing the response to loop TCP SYN Land Local IP address hijack Middleman attack ARP ARP Redirect

81. Mitigation Techniques

83. TCP Intercept