Basics of Networking

Review of some basic notions of networking

IPv4 and IPv6

We will focus on IPv4, since IPv4 is used on the vast majority of the Internet, including most home and business networks.

  • It is also used by many mobile devices and by some enterprise networks
  • Most of the public datasets of network traffic (that we will use for our experiments) contain IPv4 packets.
  • IPv4 is the first version of the Internet Protocol (IP). IPv4 uses 32-bit addresses, which means that there are a total of 4.3 billion possible addresses.
    • Address exhaustion has been driven by the explosive growth of Internet-connected devices: IoT, cloud computing, mobile devices
  • IPv6 is the successor to IPv4. It was developed to address the limitations of IPv4, such as the limited number of addresses, among others. IPv6 uses 128-bit addresses, which means that there are a total of 340 undecillion possible addresses.

Structure of an IPv4 network packet

In an IPv4 network, data traverses the network by undergoing a dynamic process known as encapsulation and decapsulation.

Encapsulation involves the sequential addition of specific headers to the data as it descends through the networking layers.

Stages of the IPv4 packet encapsulation

  • Data Creation: At the application layer, data is generated by applications and services in the form of messages. The data (web requests, email messages, DNS queries) is encapsulated using application-layer protocols such as HTTP, SMTP, FTP, DNS, etc.
  • Transport Layer: The transport layer is responsible for connecting applications and services on different devices. It provides end-to-end communication services that ensure reliable data transfer between applications. The transport layer segments large messages into smaller units if needed, and it adds transport layer headers (e.g., TCP or UDP headers) to enable reliable communication and establish connections.
  • Network Layer (IPv4 Encapsulation): The network layer is responsible for connecting hosts or devices across different networks. The network layer adds the IPv4 header to the transport layer’s segment. This header includes information like source and destination IP addresses, Time to Live (TTL), and protocol type.
  • Data Link Layer: The data link layer adds headers and trailers specific to the local network technology. For Ethernet, this includes MAC addresses.
  • Physical Layer: The physical layer converts the data into electrical or optical signals suitable for transmission over the physical medium.

Structure of an IP packet

IPv4 header layout (one 32-bit word per row; byte offset of each row on the left):

Byte offset  Fields
0            Version (4 bits) | Header Length, IHL (4 bits) | Type of Service, TOS (8 bits) | Total Length (16 bits)
4            Identification (16 bits) | Flags: D = Don't Fragment, M = More Fragments (3 bits) | Fragment Offset (13 bits)
8            Time To Live, TTL (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
12           Source Address (32 bits)
16           Destination Address (32 bits)
20           IP Options (variable length, optional, not common)

The fixed part of the header (offsets 0 to 19) is 20 bytes long.
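The header layout above, decoded from raw bytes. This is an added Python example, not code from the original slides: it unpacks every field of the fixed 20-byte header, checks the Header Checksum with the one's-complement sum IPv4 uses, and rejects packets whose Version nibble is not 4. The sample packet (addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, four placeholder payload bytes) is constructed inside the block so it runs offline.

```python
import struct
from ipaddress import IPv4Address


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, as used by the IPv4 Header Checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (plus any options) from the start of a raw packet."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4                   # high nibble of byte 0
    ihl = ver_ihl & 0x0F                     # low nibble: header length in 32-bit words
    header_len = ihl * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    header = packet[:header_len]
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "flag_df": bool(flags_frag & 0x4000),          # D bit: Don't Fragment
        "flag_mf": bool(flags_frag & 0x2000),          # M bit: More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # 13-bit field, counted in 8-byte units
        "ttl": ttl,
        "protocol": protocol,                          # 1 = ICMP, 6 = TCP, 17 = UDP
        "header_checksum": checksum,
        # summing the header with its stored checksum included gives zero on a valid header
        "checksum_ok": internet_checksum(header) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": header[20:],
        "payload": packet[header_len:total_length],
    }


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1C46, df: bool = True) -> bytes:
    """Build an option-less IPv4 header with a correct checksum (used here only to construct samples)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, protocol, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


# Constructed sample: header for protocol 6 (TCP) followed by 4 placeholder payload bytes.
SAMPLE_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.7", 6, 4) + b"\xde\xad\xbe\xef"


def corrupted_sample() -> bytes:
    """Same packet with the TTL byte (offset 8) changed, so the stored checksum no longer matches."""
    return SAMPLE_PACKET[:8] + b"\x01" + SAMPLE_PACKET[9:]


if __name__ == "__main__":
    for name, pkt in (("valid", SAMPLE_PACKET), ("corrupted", corrupted_sample())):
        h = parse_ipv4_header(pkt)
        print(name, h["src"], "->", h["dst"], "proto", h["protocol"],
              "ttl", h["ttl"], "checksum_ok", h["checksum_ok"])
```

A NIDS or flow exporter does exactly this decoding for every packet; the IHL check matters because a header claiming more options than the packet carries would otherwise make the parser read past the buffer.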

The TCP protocol

  • TCP stands for Transmission Control Protocol. It is a connection-oriented protocol that provides reliable delivery of data between two hosts.
  • TCP is used for a wide variety of applications, including file transfer, email, and web browsing.
  • There are many network attacks based on TCP-based protocols such as: SYN flood attack, HTTP-based DDoS attacks, SQL injection, etc.

The TCP header

Source Port (16 bits) and Destination Port (16 bits): These fields indicate the source and destination application ports, which help identify the applications communicating with each other. NIDS can use this information to detect unusual or unauthorised application behaviour (e.g., port scan).

TCP Flags (9 bits): SYN, ACK, FIN are the three flags used to manage the TCP connection. NIDSs examine these fields to detect SYN, ACK, FIN attacks and the null flood attack, a type of denial-of-service attack that sends a large number of TCP packets with all of the flags set to zero.

The TCP window (16 bits): specifies the amount of data that the sender is willing to receive from the receiver. It is used to control the flow of data between two hosts. The TCP window is used to prevent the sender from sending too much data to the receiver, which could overwhelm the receiver’s system. There are attacks that leverage this mechanism.
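The flag checks a NIDS performs on the TCP header, as an added Python example that is not part of the original slides. It decodes the fixed 20-byte header (ports, sequence numbers, data offset, the 9 flag bits, window), labels each segment by its flag combination, and raises two of the conditions named above: any segment with all flags zero (null packet), and a stream dominated by SYN-only segments, the shape of a SYN flood. The thresholds and the ten sample segments are constructed for the example; the TCP checksum is left at zero because the sample carries no IP pseudo-header.

```python
import struct
from collections import Counter

# Bit positions of the 9 flag bits in the 16-bit "data offset / reserved / flags" word.
TCP_FLAGS = {"NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020,
             "ACK": 0x010, "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header from the start of a segment."""
    if len(segment) < 20:
        raise ValueError("truncated: a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x01FF
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": flags,
        "flag_names": [name for name, bit in TCP_FLAGS.items() if flags & bit],
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urgent,
    }


def classify_flags(hdr: dict) -> str:
    """Coarse label a NIDS rule might key on."""
    f = hdr["flags"]
    if f == 0:
        return "null"                                  # every flag zero: null-flag packet
    syn, ack, fin, rst = (bool(f & TCP_FLAGS[n]) for n in ("SYN", "ACK", "FIN", "RST"))
    if syn and not ack:
        return "syn"                                   # connection attempt (half-open until ACKed)
    if syn and ack:
        return "syn-ack"
    if rst:
        return "rst"
    if fin:
        return "fin"
    return "data"


def flag_summary(segments) -> Counter:
    """Count the flag classes seen in a list of raw TCP segments."""
    return Counter(classify_flags(parse_tcp_header(s)) for s in segments)


def suspicious(summary: Counter, min_syn: int = 5, syn_ratio: float = 0.5) -> list:
    """Alert labels that fire on a summary: any null packet, or SYN-only segments dominating.
    The thresholds are constructed for this example, not tuned values."""
    alerts = []
    if summary["null"]:
        alerts.append("null-flag packets seen")
    total = sum(summary.values())
    if total and summary["syn"] >= min_syn and summary["syn"] / total >= syn_ratio:
        alerts.append("SYN-only segments dominate (possible SYN flood)")
    return alerts


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535) -> bytes:
    """Option-less TCP header (data offset 5); checksum left at zero for the sample."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


# Constructed sample: eight SYN-only segments from different source ports to 443,
# one SYN-ACK, and one segment with no flags at all.
SAMPLE_SEGMENTS = [build_tcp_header(50000 + i, 443, TCP_FLAGS["SYN"], seq=i) for i in range(8)]
SAMPLE_SEGMENTS.append(build_tcp_header(443, 50000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"], ack=1))
SAMPLE_SEGMENTS.append(build_tcp_header(50100, 443, 0))

if __name__ == "__main__":
    summary = flag_summary(SAMPLE_SEGMENTS)
    print(dict(summary))
    for alert in suspicious(summary):
        print("ALERT:", alert)
```

In a real sensor the SYN ratio would be computed per destination host and per time window rather than over a whole capture, so that one busy server does not hide a flood against another.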

The UDP protocol

  • User Datagram Protocol (UDP) is a connectionless protocol that provides a way for hosts to send datagrams to each other over a network.
  • UDP is a simple protocol that does not provide any guarantees about the delivery of data.
  • UDP is typically used for applications that do not require reliable delivery, such as streaming media and videoconferencing.

The UDP header

Source Port (16 bits) and Destination Port (16 bits): These fields indicate the source and destination application ports, which help identify the applications communicating with each other. Along with other header fields, the transport ports are often used to form the identifiers of network flows.

Length: The length field is a 16-bit field that specifies the length of the UDP packet, including the header and the payload. The length field is used by the receiving host to determine how much data to read from the packet.

The ICMP protocol

  • Internet Control Message Protocol (ICMP) is a layer 3 network protocol that is used to send error messages and control messages between hosts on a network. ICMP is a part of the Internet Protocol Suite (TCP/IP), and it is used by a variety of applications, including ping and traceroute. ICMP messages are encapsulated in IP packets, and they are sent between hosts using the IP protocol.
  • For instance, the PING application uses two ICMP messages:
    • Echo request: The echo request message is used to test the reachability of a host. The PING application sends an echo request message to the destination host. If the destination host is reachable, it will send an echo reply message back to the source host.
    • Echo reply: The echo reply message is the response to an echo request message. The echo reply message contains the same data as the echo request message, plus the round-trip time (RTT) of the message. The RTT is the time it takes for the echo request message to travel from the source host to the destination host and back again.

ICMP message types (RFC 792): type and, where defined, code

Type 0   Echo Reply
Type 3   Destination Unreachable
         Code 0    Net Unreachable
         Code 1    Host Unreachable
         Code 2    Protocol Unreachable
         Code 3    Port Unreachable
         Code 4    Fragmentation required, and DF set
         Code 5    Source Route Failed
         Code 6    Destination Network Unknown
         Code 7    Destination Host Unknown
         Code 8    Source Host Isolated
         Code 9    Network Administratively Prohibited
         Code 10   Host Administratively Prohibited
         Code 11   Network Unreachable for TOS
         Code 12   Host Unreachable for TOS
         Code 13   Communication Administratively Prohibited
Type 4   Source Quench
Type 5   Redirect
         Code 0    Redirect Datagram for the Network
         Code 1    Redirect Datagram for the Host
         Code 2    Redirect Datagram for the TOS & Network
         Code 3    Redirect Datagram for the TOS & Host
Type 8   Echo
Type 9   Router Advertisement
Type 10  Router Selection
Type 11  Time Exceeded
         Code 0    TTL Exceeded
         Code 1    Fragment Reassembly Time Exceeded
Type 12  Parameter Problem
         Code 0    Pointer Problem
         Code 1    Missing a Required Operand
         Code 2    Bad Length
Type 13  Timestamp
Type 14  Timestamp Reply
Type 15  Information Request
Type 16  Information Reply
Type 17  Address Mask Request
Type 18  Address Mask Reply
Type 30  Traceroute

Checksum: checksum of the ICMP header.

Please refer to RFC 792 for the Internet Control Message Protocol (ICMP) specification.

The ICMP header

Type: This field specifies the type of ICMP message. There are many different types of ICMP messages, such as echo request, echo reply, destination unreachable, and time exceeded. Some examples:

  • Echo Request (Type 8)
  • Echo Reply (Type 0)
  • Destination Unreachable (Type 3): This message is used to report that a destination is unreachable. There are many different codes for this message, each one indicating a different reason for the destination being unreachable.
  • Time Exceeded (Type 11): This message is used to report that a packet has exceeded its TTL (Time to Live). The TTL is a value that is decremented by each router that the packet passes through. If the TTL reaches 0, the packet is discarded and an ICMP time exceeded message is sent back to the source host.

Code: This field provides more information about the type of ICMP message. For example, Code 1 for Type 3 (Destination unreachable) means the destination host is unreachable.

Examples of ICMP-based attacks

  • ICMP smurf attack: A Smurf attack is a DDoS attack in which large numbers of ICMP echo request messages with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address.
    • The victim machine is flooded by echo reply messages.
  • ICMP router discovery attack: ICMP Router Advertisement messages inform hosts about the existence of routers on the network.
    • An attacker can forge these messages to mislead hosts into routing their traffic through the attacker’s system.
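The ICMP header fields and the PING exchange above, as an added Python example that is not part of the original slides. It decodes Type, Code and Checksum, names them with the table from the previous slide, pairs each echo request with its echo reply by identifier and sequence number to compute the RTT from capture timestamps (the RTT is measured by the sender, not carried in the reply), and flags echo requests addressed to a network's directed broadcast address, which is the traffic pattern a monitor would watch for to spot smurf amplification. The capture records, the addresses and the local network 192.0.2.0/24 are constructed for the example; the sample messages leave the checksum at zero.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Type and code names as listed in the ICMP message-type table (RFC 792 numbering).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo", 9: "Router Advertisement", 10: "Router Selection", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp", 14: "Timestamp Reply",
              15: "Information Request", 16: "Information Reply",
              17: "Address Mask Request", 18: "Address Mask Reply", 30: "Traceroute"}
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable",
        4: "Fragmentation required, and DF set", 5: "Source Route Failed",
        6: "Destination Network Unknown", 7: "Destination Host Unknown", 8: "Source Host Isolated",
        9: "Network Administratively Prohibited", 10: "Host Administratively Prohibited",
        11: "Network Unreachable for TOS", 12: "Host Unreachable for TOS",
        13: "Communication Administratively Prohibited"},
    5: {0: "Redirect Datagram for the Network", 1: "Redirect Datagram for the Host",
        2: "Redirect Datagram for the TOS & Network", 3: "Redirect Datagram for the TOS & Host"},
    11: {0: "TTL Exceeded", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer Problem", 1: "Missing a Required Operand", 2: "Bad Length"},
}


def parse_icmp(msg: bytes) -> dict:
    """Decode the common 4-byte ICMP header plus the echo-specific identifier/sequence fields."""
    if len(msg) < 8:
        raise ValueError("truncated: an ICMP message is at least 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    out = {"type": icmp_type, "code": code, "checksum": checksum,
           "type_name": ICMP_TYPES.get(icmp_type, "Unknown"),
           "code_name": ICMP_CODES.get(icmp_type, {}).get(code, "")}
    if icmp_type in (0, 8):                      # Echo / Echo Reply carry identifier and sequence
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
        out["payload"] = msg[8:]
    return out


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo (8) or Echo Reply (0) message; checksum left at zero for the constructed sample."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def match_echo_rtts(records):
    """records: (timestamp_s, src, dst, icmp_bytes). Returns (rtts, unanswered), keyed by
    (requester, target, identifier, sequence); RTT is reply time minus request time."""
    pending, rtts = {}, {}
    for ts, src, dst, raw in records:
        h = parse_icmp(raw)
        if h["type"] == 8:
            pending[(src, dst, h["identifier"], h["sequence"])] = ts
        elif h["type"] == 0:
            key = (dst, src, h["identifier"], h["sequence"])   # reply travels back to the requester
            if key in pending:
                rtts[key] = round(ts - pending.pop(key), 6)
    return rtts, list(pending)


def broadcast_echo_requests(records, local_net: str):
    """Echo requests sent to the directed broadcast address of local_net (smurf indicator)."""
    net = IPv4Network(local_net)
    return [(ts, src, dst) for ts, src, dst, raw in records
            if parse_icmp(raw)["type"] == 8 and IPv4Address(dst) == net.broadcast_address]


# Constructed capture: one answered ping, one unanswered ping, one request to the broadcast address.
SAMPLE_RECORDS = [
    (0.000, "192.0.2.10", "198.51.100.7", build_echo(8, 0x1234, 1, b"abcdefgh")),
    (0.018, "198.51.100.7", "192.0.2.10", build_echo(0, 0x1234, 1, b"abcdefgh")),
    (1.000, "192.0.2.10", "198.51.100.7", build_echo(8, 0x1234, 2, b"abcdefgh")),
    (2.000, "203.0.113.9", "192.0.2.255", build_echo(8, 0x0001, 1)),
]

if __name__ == "__main__":
    rtts, unanswered = match_echo_rtts(SAMPLE_RECORDS)
    print("rtts:", rtts)
    print("unanswered:", unanswered)
    print("echo requests to broadcast:", broadcast_echo_requests(SAMPLE_RECORDS, "192.0.2.0/24"))
    print(parse_icmp(bytes([3, 3, 0, 0, 0, 0, 0, 0]))["code_name"])
```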

Traffic flows in computer networks

A network traffic flow refers to a sequence or collection of network packets that share common characteristics and are treated as a unit for analysis and management within computer networking.

Traffic flows in computer networks are often represented by a 5-tuple. This representation is commonly used in network flow analysis and is known as the “5-tuple flow.” The 5-tuple consists of the following five components:

  • Source IP address
  • Destination IP address
  • Source transport port
  • Destination transport port
  • Transport protocol number

Definition of network traffic flow

Definition: Given a 5-tuple that identifies a network traffic flow, the transposed 5-tuple is the same as the 5-tuple, but with the source and destination IP addresses and port numbers swapped.

Definition: A network traffic flow is a sequence of packets carrying information between two hosts where packets have common properties:

  • For transport protocols with port numbers (i.e., TCP/UDP): all packets in the flow share the same 5-tuple or transposed 5-tuple.
  • Otherwise (i.e., ICMP, IPSec, or routing protocols such as OSPF): all packets in the flow share the same 3-tuple or transposed 3-tuple.

For practical reasons, flows are typically identified with a 5-tuple, even in the case of Layer 3 protocols such as ICMP or IPSec. Nevertheless, the transport ports are set to 0 for these flows because these protocols do not use transport ports.
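The flow definition above, carried into code as an added Python example that is not part of the original slides. It builds the 5-tuple key from a decoded packet, forces both ports to 0 for protocols without transport ports (the convention stated above), computes the transposed tuple, and picks the smaller of the two as the bidirectional flow key so that both directions of a conversation land in one flow. It then groups a constructed capture (TCP, UDP/DNS and ICMP packets, given as already-decoded dictionaries with a `len` field) into flows and summarises packets and bytes per direction.

```python
from collections import defaultdict

TCP, UDP, ICMP = 6, 17, 1


def flow_key(src_ip, dst_ip, protocol, sport=0, dport=0):
    """5-tuple (src ip, src port, dst ip, dst port, proto); ports forced to 0 for non-TCP/UDP."""
    if protocol not in (TCP, UDP):
        sport = dport = 0
    return (src_ip, sport, dst_ip, dport, protocol)


def transposed(key):
    """Same flow seen from the other direction: addresses and ports swapped."""
    src_ip, sport, dst_ip, dport, proto = key
    return (dst_ip, dport, src_ip, sport, proto)


def bidirectional_key(key):
    """Canonical key: the smaller of the 5-tuple and its transpose, so both directions match."""
    return min(key, transposed(key))


def packet_key(pkt: dict):
    """Directional key of one decoded packet (dict with src, dst, proto and optional ports)."""
    return flow_key(pkt["src"], pkt["dst"], pkt["proto"], pkt.get("sport", 0), pkt.get("dport", 0))


def group_flows(packets):
    """Map each bidirectional flow key to the list of packets that belong to it."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[bidirectional_key(packet_key(pkt))].append(pkt)
    return dict(flows)


def flow_summary(flows: dict) -> dict:
    """Per-flow packet and byte counts; 'forward' means the packet's own key equals the canonical key."""
    out = {}
    for key, pkts in flows.items():
        fwd = sum(1 for p in pkts if packet_key(p) == key)
        out[key] = {"packets": len(pkts), "bytes": sum(p["len"] for p in pkts),
                    "forward": fwd, "reverse": len(pkts) - fwd}
    return out


# Constructed capture: a TCP connection (3 packets), a DNS query/response, a ping pair
# (ICMP has no ports; any port values present are ignored), and a second TCP connection.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": TCP, "sport": 51000, "dport": 443, "len": 60},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": TCP, "sport": 443, "dport": 51000, "len": 60},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": TCP, "sport": 51000, "dport": 443, "len": 500},
    {"src": "192.0.2.10", "dst": "192.0.2.53", "proto": UDP, "sport": 40000, "dport": 53, "len": 70},
    {"src": "192.0.2.53", "dst": "192.0.2.10", "proto": UDP, "sport": 53, "dport": 40000, "len": 120},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": ICMP, "len": 84},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": ICMP, "sport": 8, "dport": 0, "len": 84},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": TCP, "sport": 51001, "dport": 443, "len": 60},
]

if __name__ == "__main__":
    for key, stats in flow_summary(group_flows(SAMPLE_PACKETS)).items():
        print(key, stats)
```

Choosing `min(key, transposed(key))` is one common canonicalisation; tools that want the client to be the forward side instead pick the direction of the first packet seen, which gives the same grouping but a different notion of forward and reverse.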