chapter 0 introduction - villanova universitymdamian/past/cybersecurityfa14/... · 2014. 8. 28. ·...
TRANSCRIPT
8/28/14
1
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
Chapter 0 Introduction
8/28/14
2
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
Internet architecture (1)
router
PC
server
wireless laptop
smartphone
Wired Communication links
access points
switch
cellular tower
Optical 8iber Network
Core Internet backbone
Global ISP Global ISP
Root DNS servers
Regional ISP
Regional ISP
Regional ISP
Mobile/cell network
Corporate/institute network
HFC or DSL
Home network ISP: Internet service provider HFC: hybrid 8iber coax DSL: digital subscriber line
8/28/14
3
Internet architecture (2) ❀ Internet: an interconnected network of network
" Connects billions of hosts " Hierarchical networks:
µ Internet backbone: connec3ng the ISPs’ backbones µ ISP backbone: connec3ng organiza3ons’ backbones µ Organiza3on backbone connects local area networks (LANs) µ LAN connects end systems
❀ Communication links " connect end systems/routers/switches/access points " fiber, copper and radio " transmission rate/bandwidth " resource allocation/reservation
Internet architecture (3) ❀ Routers
" connect local area networks " Generate/maintain a routing table " forward packets
❀ Access networks " connects a local area network or a host to the Internet
❀ Internet backbone (network core) " a group of interconnected routers using optical fiber " infrastructure name servers, such as DNS root servers for Naming
8/28/14
4
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
Edge Router and Subnet
❀ Internet uses a gateway (edge router) to connect a Local Area Network (LAN) or a subnet to the hierarchical network
….
….
Subnet
Subnet
Internet
Edge router
8/28/14
5
Home networks ❀ DSL or cable modem to ISP ❀ Router cannot perform routing functions such as generating routing tables
" It is called a router because of NAT (network address translation) " E.g., 192.168.1.x to a given IP address from ISP
❀ Router that may contain a firewall/VPN/IPS " VPN: virtual private network " IPS: intrusion prevention system
❀ Ethernet switch (built in router)/wireless access point
Ethernet
Wireless access point
Wireless laptops
Router/ Firewall/ VPN/IPS Cable/
DSL modem
Internet Service Provider (ISP)
Coax, phone line, power line, 8iber
Local Area Networks (LAN) ❀ Organization/home local area
network (LAN) or subnet connects hosts to edge router
❀ Edge router connects LANs to Internet
❀ Ethernet LAN " Hosts connect into Ethernet
switch " 10Mbps, 100Mbps, 1Gbps,
10Gbps Ethernet
Edge router
Internet
ATM over Fiber
8/28/14
6
Building LANs: From the Ground Up
How to Build a LAN? ❀ Start with just two nodes
❀ This is the most basic “network” " Also called direct or dedicated connection
" Message placed on one link end is delivered to the other end " No contention for use of transmission media
" Media: serial or parallel cable, coax, twisted pair, fiber optic cable, infrared, radio wave, microwave
LINK
8/28/14
7
Multiple (Shared) Access (1)
❀ Two nodes is boring. How do we connect more nodes? " Attach computers to a single, long cable
" Bus (above) or hub (below) arrangement
" All nodes share communication link, compete for access
. . .
Hub Hub
Multiple Access (2)
❀ Broadcast medium " All stations receive a copy of the message sent " But most communication is intended to be only between two computers on a
network
❀ To allow sender to specify destination, each station is assigned a hardware address (MAC address)
sender receiver
Signal propagates along the entire cable
8/28/14
8
MAC Addressing ❀ Example: Ethernet Addressing
" Unique 48-bit MAC address
" First 24 bits is manufacturer code - assigned by IEEE
" Second 24 bits are sequentially assigned and UNIQUE
❀ MAC address must be unique in a multiple access network
❀ Extending an Ethernet with repeaters
❀ Repeaters " Electronic devices that simply copy signals (at higher power) between segments " Propagate valid signals as well as collisions " Do not have hardware addresses " Any Ethernet segment is limited to 500 meters " One repeater doubles the length to 1,000 meters. " At most 4 repeaters can be placed between any 2 machines
Multiple Access (3)
. . . . . . R
8/28/14
9
❀ Extending an Ethernet with bridges (switches)
❀ Bridges (level 2 switches) " Electronic devices that operate on packets, not signals " Have a NIC like any other station " Maintain a list of computers on each segment " Forward a packet only if necessary " Useful for controlling congestion
Multiple Access (4)
. . . . . . B
Switched Networks (LANs) ❀ Extend the network segment by switching
" Groups of nodes are connected by intermediate hardware (switches or bridges) which regulate traffic
" Switches inside cloud implement the network, nodes outside the cloud use the network
S
incoming links
outgoing links
Switch
Memory
Store-‐and-‐Forward
8/28/14
10
Internetworks ❀ Getting bigger - connect heterogeneous networks
" Using routers (sometimes called gateways) " Different networks may use different technologies " A technology provides its own implementation of services
R
Routers vs. Switches ❀ Bridges and Layer 2 switches understands only MAC addresses
" Process packets and directs them toward the correct port. " The switching table is learned from each source’s MAC address
❀ Routers and Layer 3 switches understand both IP addresses and MAC addresses " Routers work together to generate routing tables " A router or layer 3 switch knows the next hop's IP address from the routing table
8/28/14
11
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
Network Core
❀ Routers and fiber links (in orange) form the Internet core ❀ Routers work together to figure out the most efficient path for routing a packet
from source to destination host " A distributed algorithm can adapt to changing Internet conditions " Routing tables are generated and maintained in real time
Network Core
Internet backbone
Global ISP Global ISP
Root DNS servers
Regional ISP
Regional ISP
Regional ISP
Tier-1 ISPs
Tier-2 ISPs
8/28/14
12
Internet eXchange Point (IXP)
At these IXPs, major ISPs accept traf8ic from each other and agree to carry the other's packets to their downstream destination point without charge.
AT&T backbone
Source: http://www.corp.att.com/globalnetworking/media/network_map.swf
8/28/14
13
Verizon backbone
Source: http://www.verizonbusiness.com/us/about/network/
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security ❀ Internet history
8/28/14
14
Information switching ❀ Data transfer in the Internet
" Packet switching µ Header contains source and des3na3on IP address µ Best-‐effort delivery
[ Packets may be lost [ Packets may be corrupted [ Packets may be delivered out of order
" Circuit switching µ Dedicated circuit per call
[ Dial-up modem [ Virtual circuit, such as classical IP over ATM, or leased lines
Analogy: Circuit switching: a traveler paid a round trip ticket with reserved seats Packet switching: an airline employee uses free, open tickets to fly (no reserved seats)
Circuit Switching ❀ End-to-end resources reserved for a connection
" Establish a connection before data transfer " Circuit-like (guaranteed) performance
❀ Dedicated resources " No sharing
µ Using FDM, TDM or ATM (virtual circuit switching) µ Resource is idle if not used by the call’s owner µ No queueing delay
" Call setup and teardown required
8/28/14
15
Packet Switching ❀ The base of the Internet. Each host data stream is segmented into packets ❀ Source and Destination IP address is in the packet header
❀ Packets use available resources provided by routers ❀ Packets may be lost while traveling or received out of order ❀ Transport layer must put the received packets in the correct order and reassemble
them at destination
Statistical Multiplexing
❀ Packet switching is based on statistical multiplexing " Packets are sent by hosts A and B " If there is no priority set, then every packet is treated the same based on the
order of arrival " Router 1’s T1 link bandwidth is shared by packets from hosts A and B
❀ In contrast, FDM and TDM let each host use the same slot and there is no resource contention
A
B
C Ethernet
1.5 Mbps (T1 link)
Statistical Multiplexing
queue of packets waiting for output link
Router 1
8/28/14
16
Packet switching versus circuit switching
❀ Packet switching is great for bursty data " Best effort delivery " Better for resource sharing " Network congestion
µ Packet delay in the router’s queue µ Packet loss due to queue overflow
" Protocols pay overhead for reliable data transfer, congestion and flow control
❀ Circuit switching is great for voice and video " Bandwidth guarantee " Timing, latency, and latency jitter guarantee " Complex mechanisms lead to high cost for equipment and management
µ Most enterprise networks replaced ATM LANs with Gigabit or 10 Gbit Ethernets
Marry packet and circuit switching ❀ IP based approach
" Protocols based on IP for streaming video/audio over the Internet µ The Resource Reserva3on Protocol (RSVP): is a Transport Layer protocol for reserving
resources in order to achieve an integrated services Internet µ The Real-‐3me Streaming Protocol (RTSP) uses RTP and RTCP to deliver video/audio
[ RTSP permits the reservation of resources for a flow using RSVP
µ Real-‐3me Transport Protocol (RTP): best effort delivery µ Real-‐3me Transport Control Protocol (RTCP): QoS is handled by RTCP
8/28/14
17
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
Latency in packet switching network
❀ Store and forward packets in a router ❀ If the link is available, it takes L/R
seconds to transmit one packet from Router 1 to Router 2 " Transmission delay
❀ Entire packet must arrive at one router before it can be forwarded on the next link
❀ Host to host delay = 3L/R + propagation delay + other delays
❀ Example: ❀ L = 1000 Mbits ❀ R = 100 Mbps (Ethernet) ❀ Transmission delay per link = 10
sec ❀ Total transmission delay = 30 sec
Packet length: L bits Link Rate: R bps
Router 1 Router 2
8/28/14
18
4 packet delay factors
A
B Router buffer
Buffer over8low: arriving packets dropped (loss) if no free buffers
1. Packet processing: check bit errors and forward to output port
2. Packet queueing, depending on congestion
3. Transmission delay: L/R
4. Propagation delay: d/s
Router 2
Router 3
Router 1
Total Delay of a node = processing delay + transmission delay + propagation delay + queueing delay
Congestion Control ❀ Congestion occurs when source hosts send out more data than the network can
handle ❀ Loss and delay causes packets to be resent in TCP ❀ Negative feedback causes even more congestion ❀ Congestion control regulates the output rate of source hosts to relieve congestion by
using the symptom of congestion " Packet loss " Packet delay " Buffer overflow
8/28/14
19
Flow Control ❀ Flow control is necessary when the destination cannot digest the data as fast as it
arrives " Server has
µ Powerful CPU µ Vast memory µ 1 or 10 Gbps link
" Client: smart phone has µ Baber-‐powered CPU µ very lible memory µ Low-‐bandwidth link
❀ Goal: to optimize the throughput rate (bits/sec) between source and destination
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
8/28/14
20
Modularization by layering ❀ Develop Internet: Divide and conquer by many people ❀ Internet can be modularized by layers ❀ Modularization eases
" Development (one company can tackle one module) " Maintenance " Updating the system
❀ Interaction between layers " Each layer relies on services from layer below " Each layer exports services to layer above
❀ Interface between layers defines interaction " Hides implementation details " Layers can change without disturbing other layers
Internet protocol stack: US DoD Model (1)
❀ Application Layer " Network applications " HTTP, SMTP
❀ Transport Layer " Process-to-process data transfer " Segment message at source and reassemble message
at destination " TCP: reliable transport with overhead
µ Transmission Control Protocol " UDP: best effort delivery with little overhead
µ User Datagram Protocol " SCTP: reliable transport based on transaction
µ Stream Control Transmission Protocol
Application
Transport
Network
Data Link
Physical Layer 1
Layer 2
Layer 3
Layer 4
Layer 5
8/28/14
21
Internet protocol stack: US DoD Model (2)
❀ Network Layer " Routing of datagrams from source subnet to
destination subnet " IP and routing protocols
❀ Data Link Layer " Data transfer between adjacent neighboring
network nodes connected by a physical medium (copper, fiber or wireless)
" Ethernet, WiFi ❀ Physical Layer
" Bits propagate using copper, fiber and radio
Application
Transport
Network
Data Link
Physical
OSI reference model (International standard)
❀ OSI (open system interconnect) 7 layer model " US pledged to use OSI in 1980s " OSI was never finished " US DoD had sufficient funding to complete its protocol stack
❀ US DoD Internet stack does not explicitly modularize two layers " Presentation Layer
µ Allowing applica3ons to deal with coding of data, e.g., encryp3on, compression and unicode
" Session Layer µ Grouping connec3ons together for efficiency, synchroniza3on,
recovery or data exchange " These services, if needed, must be implemented in
application layer in the US DoD model
Application
Transport
Network
Data Link
Physical
Session
Presentation
8/28/14
22
The TCP/IP Protocol Suite
The Hourglass Model
Waist
The waist facilitates interoperability
FTP HTTP TFTP DNS
TCP UDP
IP
NET1 NET2 NETn …
Applications
HTTP FTP SMTP
TCP UDP
IP
Data link layer protocols
Physical layer protocols
Protocols ❀ Network protocols
" All communication and activities in the Internet are governed by protocols µ E.g. DHCP provides a client with an IP address, gateway IP address and DNS IP address
" Protocols define µ Packet format
[ Service (port) number in the TCP header, e.g. port 80 for http [ Sequence and acknowledgement numbers are in the TCP header
µ The sequence of packets sent and received among network en33es µ Ac3ons taken based on the parameters in the fields of a received packet
[ Retransmit of a packet depends on the acknowledgement number
❀ Speaking the same language using the same standard set by IETF ❀ Syntax and semantics are critical
8/28/14
23
Terms for bits processed in each layer
Message
Segment
Datagram
Frame
Message
Segment
Datagram
Frame
Internet
Application
Transport
Network
Data Link
Physical
Application
Transport
Network
Data Link
Physical
End Hosts vs. Routers
HTTP
TCP
IP
Ethernet interface
HTTP
TCP
IP
Ethernet interface
IP IP
Ethernet interface
Ethernet interface
SONET interface
SONET interface
host host
router router
HTTP message
TCP segment
IP datagram IP datagram IP datagram
frame
8/28/14
24
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu
128.143.71.1
HTTP protocol
TCP protocol
IP protocol
Ethernet
IP protocol
Ethernet
00:20:af:03:98:28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Send HTTP Request to neon
00:20:af:03:98:28
8/28/14
25
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Establish a connection to 128.143.71.21 at port 80
00:20:af:03:98:28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Open TCP connection to 128.143.71.21 port 80
00:20:af:03:98:28
8/28/14
26
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Send a datagram (which contains a connection request) to 128.143.71.21
00:20:af:03:98:28
Send IP datagram to 128.143.71.21
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1 00:20:af:03:98:28
8/28/14
27
Send datagram to 128.143.137.1
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Protocol Use Example
00:20:af:03:98:28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Send Ethernet frame to 00:e0:f9:23:a8:20
00:20:af:03:98:28
8/28/14
28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Frame is an IP datagram
00:20:af:03:98:28
Send IP datagram to 128.143.71.21
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1 00:20:af:03:98:28
8/28/14
29
Send datagram to 128.143.7.21
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Protocol Use Example
00:20:af:03:98:28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Send Ethernet frame to 00:20:af:03:98:28
00:20:af:03:98:28
8/28/14
30
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
Frame is an IP datagram
00:20:af:03:98:28
Protocol Use Example
HTTP
TCP
IP
argon.tcpip-lab.edu
128.143.137.144
Ethernet Ethernet Ethernet
IP
HTTP
TCP
IP
neon.tcpip-lab.edu128.143.71.21
Ethernet
router71.tcpip-lab.edu
128.143.137.100:e0:f9:23:a8:20
router137.tcpip-lab.edu128.143.71.1
IP datagram is a TCP segment for port 80
8/28/14
31
Different Views of Networking ❀ Different Layers of the protocol stack have a different view of the network.
This is HTTP’s and TCP’s view of the network.
HTTP client
TCP client
Argon128.143.137.144
HTTPserver
TCP server
Neon128.143.71.21
IP Network
HTTPserver
TCP server
Network View of IP Protocol
8/28/14
32
Network View of Ethernet
❀ Ethernet’s view of the network
00:e0:f9:23:a8:20
Layers and Services ❀ Service provided by TCP to HTTP:
" reliable transmission of data over a logical connection
❀ Service provided by IP to TCP: " unreliable transmission of IP datagrams across an IP network
❀ Service provided by Ethernet to IP: " transmission of a frame across an Ethernet segment
❀ Other services: " DNS: translation between domain names and IP addresses " ARP: Translation between IP addresses and MAC addresses
8/28/14
33
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Example: Sending a packet from Argon to Neon
DNS: What is the IP address of “neon.tcpip-lab.edu”?
DNS: The IP address of “neon.tcpip-lab.edu” is 128.143.71.21
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
8/28/14
34
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon 128.143.71.21 is not on my local network. Therefore, I need to send the packet to my default gateway with address 128.143.137.1
ARP: What is the MAC address of 128.143.137.1?
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
8/28/14
35
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
ARP: The MAC address of 128.143.137.1 is 00:e0:f9:23:a8:20
Sending a packet from Argon to Neon
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
frame
128.143.71.21 is on my local network. Therefore, I can send the packet directly.
8/28/14
36
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
ARP: What is the MAC address of 128.143.71.21?
frame
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
ARP: The MAC address of 128.143.137.1 is 00:20:af:03:98:28
frame
8/28/14
37
neon.tcpip-lab.edu"Neon"
128.143.71.21
argon.tcpip-lab.edu"Argon"128.143.137.144
router137.tcpip-lab.edu"Router137"
128.143.137.1
router71.tcpip-lab.edu"Router71"128.143.71.1
Ethernet NetworkEthernet Network
Router
Sending a packet from Argon to Neon
frame
Header for each layer ❀ Each layer has a header
" A header analogy is an envelope that contains source and destination addresses
❀ Link layer has a header containing MAC (medium access control) addresses ❀ Network layer has a header containing IP addresses ❀ Transport layer has a header containing the port (service) number
8/28/14
38
Encapsulation and Demultiplexing ❀ As data is moving down the protocol stack, each protocol is adding layer-specific
control information
HTTP
TCP
IP
Ethernet
User data
User data HTTP Header
TCP Header
TCP Header IP Header
TCP Header IP Header Ethernet Hdr. Ethernet Trailer
IP datagram
TCP segment
Ethernet frame
User data HTTP Header
User data HTTP Header
User data HTTP Header
Application
Transport
Network
Link
Physical
Application
Transport
Network
Link
Physical
Link
Physical
Link
Physical
Network
Link
Physical
Source
Destination
Link-‐layer Switch
Link-‐layer Switch
Router
1. Delivery from Source to Switch
M
M Ht
M Ht Hn
M Ht Hn Hl
8/28/14
39
Application
Transport
Network
Link
Physical
Application
Transport
Network
Link
Physical
Link
Physical
Link
Physical
Network
Link
Physical
Source
Destination
Link-‐layer Switch
Link-‐layer Switch
Router
M Ht Hn Hl
M Ht Hn Hl
M Ht Hn
M Ht
5. Delivery between the Internet Layers.
Chapter 0 Outline
❀ Internet architecture ❀ Access networks ❀ Network core ❀ Packet switching and circuit
switching ❀ Packet Switching Delays ❀ Protocol stack ❀ Internet security
8/28/14
40
Internet Security ❀ Attacks on the Internet information infrastructure:
" Malware " Denial of service: deny access by valid hosts to resources
❀ Internet and host security improvement " Security must be in all protocol layers " Host OS must be hardened " Anti-malware capability in hosts and routers
❀ Losing battle " Malware life cycle is 2 hours in 2009 " Nortel's internal network "owned" by hackers for almost a decade (Wall Street Journal,
2/13/2012) µ Stolen passwords from seven top-‐level execu3ves
5 Types of Malware/Capabilities ❀ Spyware
" Recording keystrokes/crucial activities
" Capturing video/audio without consent
" Uploading info to collection site ❀ Virus
" Providing illegal access to host resources
" Infected by receiving object (e.g., e-mail attachment) in hosts
" May contain spyware, Trojan or worm
" Actively propagates to other hosts
❀ Worm: " Actively propagating to other hosts " Infected by passively receiving object
that gets itself executed ❀ Trojan:
" Providing a backdoor for illegal access to a host
" May be contained in spyware, a virus and Worms
❀ Rootkits " Hidden in a host’s file system
❀ Currently, a single piece of malware possesses 5 types of capabilities in order to expand its territory, control the infected hosts and steal information
8/28/14
41
Exponential increase in threats
Source: Symantec Global Internet Security Threat Report 2009
MOTIVATION: FINANCIAL GAIN FOR PROFESSIONAL DEVELOPERS
Delivery of Malware ❀ Email ❀ Worm ❀ Website-based attacks
" Highly reputed sites were hacked for delivering malware " E.g. US Dept. of Treasury
❀ Start a hacker career (https://www.youtube.com/watch?v=zFdxoLyOTLM, 3 mins) " Buy Zeus crimeware toolkit and establish a website " Lure people to go to the site " Infect with malware " Propagate malware to other computers " Establish a botnet: a business for rent " Send SPAM by botnet: a business for rent
8/28/14
42
Crimeware toolkit (1): Zeus ❀ The Zeus crimeware toolkit has grown over time to be the most established
crimeware toolkit in the underground economy " $4000 PER COPY " Ease-of-use, can create tailored Trojan botnets. Favored toolkit for entry-level
criminals " Symantec alone has detected over 154,000 computers infected with the Zeus
Trojan
Crimeware toolkit (2): SpyEye http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot
❀ In late December 2009 a new crimeware toolkit emanating from Russia, known as SpyEye V1.0, started to appear for sale on Russian underground forums " Retailing at $500, it expects to take a chunk of the Zeus crimeware toolkit market " Symantec detects this threat as Trojan.Spyeye
❀ The SpyEye toolkit is similar to Zeus in many ways " It contains a builder module for creating the Trojan bot executable with a config file and a Web
control panel for command and control (C&C) of the botnet
8/28/14
43
ZeuS homes in on SMS-TAN process (1) http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html
❀ According to a report on the S21sec blog, " New versions of the ZeuS banking trojan are now homing in on the SMS-TAN
procedure (also known as mobile TAN or mTAN) " In the SMS-TAN procedure, transaction numbers (TANs) for online transactions are
sent to the customer's cell phone to authenticate that person for an online bank transfer, initiated for instance from a web browser µ Second communica3on channel is intended to make phishing and Trojan abacks impossible µ Aher all, the transac3on can only be hacked if users do not carefully check the data in the text
message, if their cell phones get stolen, or the device is infected with a Trojan that passes on the text message to the phisher
❀ However, the developers of ZeuS have pursued the strategy to get Trojans onto mobile devices in an attack requiring multiple stages " The most important step is still infecting a Windows PC " Then, victims view a specially crafted web site that masquerades as a security update
for the victims cell phone.
ZeuS homes in on SMS-TAN process (2)
" Victims are asked to enter their cell phone number so they can receive a link for the download in a text message
" The PC infected with the Trojan then promptly sends a text message containing a link to what appears to be a new security certificate
" Users are then asked to download and install the certificate on their mobile phones, which requires an internet connection on the phone µ The downloaded file contains the mobile version of ZeuS, which then analyses and
forwards all incoming text messages
❀ Criminals can then use the account access data stolen from the PC along with the TAN to make bank transactions from the account
❀ Police in the U.K. have arrested 19 people on charges that they used the Zeus Trojan with stealing more than $9.4 million from U.K. banks
8/28/14
44
Stuxnet worm ❀ World's most sophisticated malware ever
" Stuxnet is designed to attack the SCADA (Supervisory Control And Data Acquisition) system µ These SCADA systems are installed in big facili3es (like nuclear plants and u3lity companies) to
manage opera3ons
❀ Stuxnet works by infecting Windows machines " It used 20 zero-day vulnerabilities
µ One zero-‐day is used to spread the worm to a machine using a USB s3ck. µ A Windows printer-‐spooler vulnerability is used to propagate the malware from one infected
machine to others on a network µ Other zero-‐day vulnerabili3es help the malware gain administra3ve privileges on infected
machines to feed the system commands " The malware is digitally signed with legitimate certificates stolen from two certificate
authorities Read More http://www.wired.com/threatlevel/2010/09/stuxnet/#ixzz10kcTAGUH
Watch https://www.youtube.com/watch?v=7g0pi4J8auQ
Duqu: the next Stuxnet ❀ Duqu is a Trojan with remote access capabilities that appears to have been created
specifically to gather information about industrial control systems " Stuxnet is designed to sabotage industrial control systems
µ In a detailed analysis of the Duqu malware, Symantec labeled it as the next Stuxnet because of similari3es in code and func3on
µ Duqu was likely created by Stuxnet's authors " Duqu has been used to carry out attacks against systems in six organizations in
eight countries: France, India, Iran, Netherlands, Switzerland, Sudan, Ukraine and Vietnam
❀ Zero-day code execution vulnerability in the Windows kernel
8/28/14
45
Flame ❀ Flame makers used a cryptographic collision attack to acquire digital "signatures," or
certificates, that certified the code as Microsoft's, and used those certificates to sign malicious files that posed as legitimate Windows updates " Microsoft revoked three certificates, which were used to sign code in Flame, on
June 3, 2012
❀ Flame can infect fully-patched Windows PCs and servers ❀ Microsoft announced it would revamp how Windows updates are secured by
dedicating a new CA to Windows Update in order to unlink the service from all other Microsoft-generated certificates
Cyberespionage operation: attacks to SCADA
http://arstechnica.com/tech-‐policy/2011/07/how-‐digital-‐detectives-‐deciphered-‐stuxnet-‐the-‐most-‐menacing-‐malware-‐in-‐history/
Malware Date of operation
Size Special features
Stuxnet June 2009 500 kilobytes Sabotage program: sabotaging uranium centrifuges
DuQu September 2011 300 kilobytes Information gathering
Flame March 2010 20 megabytes A spyware program; Windows Update deception; Connect with Bluetooth devices in the area
8/28/14
46
US's ICS under daily cyber-attack ❀ Critical control systems inside two US power generation facilities were found
infected with computer malware " According to the US Industrial Control Systems Cyber Emergency Response Team
(October, November, and December of 2012) µ Source: hbps://threatpost.com/en_us/blogs/malware-‐infects-‐two-‐power-‐plants-‐lacking-‐basic-‐security-‐controls-‐011413
❀ Department of Homeland Security (DHS): US's water and power utilities under daily cyber-attack (4/4/2012) " These industrial-control systems (ICS) and their networks are used to control
water, chemical and energy systems µ Only about half a dozen major manufacturers, such as Siemens and GE µ Most ICS’s are using either Microsoh Windows or Linux OS
" On a daily basis under constant cyber-espionage and denial-of-service attacks according to the team of specialists from the U.S. µ Only nine incidents were reported in 2009 µ In 2011 this grew to 198 incident 3ckets. Just over 40% came from water-‐sector
u3li3es, with the rest from various energy, nuclear energy and chemical providers
Defensive Measures for Cybersecurity
Name Security check Action taken
Firewall TCP/IP Header Inspection Block
Intrusion Detection Systems (IDS)
TCP/IP Header and Content Inspection Alert
Intrusion Prevention Systems (IPS)
TCP/IP Header and Content Inspection Block and Alert
VPN:SSL/TLS Authentication, Encryption, Integrity Communication protection
VPN: IPSec Authentication, Encryption, Integrity Communication protection
Network Access Control (NAC)
Host health inspection, Authentication, Encryption, Integrity
Access Control
8/28/14
47
Firewall, IDS & IPS (1) ❀ Perimeter defense by firewall, Intrusion Detection/Prevention System (IDS/IPS)
" Place at the critical entry/exit points " Protect critical assets, such as a server farm, financial database " Use firewall, IDS/IPS
❀ Firewall " Computer host firewall protects a host " Network firewall protects the entrance to a network " Block packets based on IP address and port number in the header " Stateful inspection by maintaining a state transition table for a connection
❀ Host defense " Host IDS/IPS, Anti-Virus (AV) and host firewall " A.k.a. Endpoint defense
Firewalls ❀ Isolate organization’s
internal network (intranet) from Internet
❀ DMZ: demilitarized zone serving public information
❀ Allow: " Internet to DMZ " DMZ to Internet " Internal to
Internet
❀ Block: " Internet to
Internal except via VPN
Web, DNS servers
Internal network
public Internet
Firewall
DMZ
8/28/14
48
IDS & IPS
❀ IDS (Intrusion Detection System)/ IPS (Intrusion Prevention System) " Identify or block suspicious packets at the entrances of critical assets " Monitor potentially malicious traffic by inspecting the whole packet " IDS lets malicious packets pass, but sends alerts to a network administrator " IPS blocks malicious packets and sends alerts to a network administrator
Web, DNS servers
Internal network
public Internet
Firewall
DMZ
Secure information transmission/ access
❀ Guarded by encryption, authentication and authorization ❀ SSL/TLS: between session and transport layer
" For Internet shopping and web mail " For VPN (virtual private network)
❀ IPsec: network layer " VPN (virtual private network)
❀ Firewall allows SSL/TLS and VPN to pass through
Web, DNS servers
Internal network
Public Internet
Firewall
DMZ
8/28/14
49
Introduction: Key concepts ❀ Internet architecture: network edge, network core, and access network ❀ Switch and router functions ❀ Internet protocol layers and models ❀ Packet-switching-versus-circuit-switching ❀ Packet loss, delay, congestion and throughput ❀ Encapsulation and demultiplexing ❀ Internet security
" Malware types: spyware, virus, worm, rootkit " Crimeware toolkits " Firewalls, IDS/IPS " Encryption, Authentication and Authorization: SSL/TSL and IPsec