
CS Network Transport

In-Depth Transport and Link Layers

Computer systems frequently need to communicate with one another; this is accomplished by connecting them to the same network. A number of different technologies allow computers to communicate over a variety of networks. In this section we go further into the protocols used by the majority of networks.

Several protocols are in use on the networks we rely on, and some of them are covered in this course. Many additional protocols are also in use, and each one carries some degree of security risk.

TCP ("Transmission Control Protocol")

TCP and UDP use ports for addressing, just as IP uses IP addresses. The port, a number from 0 to 65535, determines which network service should handle the request.

The image below depicts a TCP packet as it appears to someone examining network traffic.

[Image: TCP header fields as shown in a packet capture]

The image shows 16 bits each for the source and destination ports; the same is true for UDP. Sequence and acknowledgement numbers are used to deliver data reliably and to carry out the three-way handshake. The control bits, which identify the type of packet, are also visible. The other headers are equally significant, though they are not relevant to this security course.

TCP 3-Way-Handshake

TCP establishes communication between two systems with a three-way handshake. The handshake uses 32-bit numbers produced by a PRNG ("Pseudo Random Number Generator"). It confirms that both sides intend to communicate.

Here’s a picture to help with that:

[Image: TCP three-way handshake diagram]

An explanation of TCP’s communication mechanisms:

The client initiates communication by sending a packet with the SYN control bit set in the header, a PRNG-generated number in the Sequence Number field and a target destination port. The Network Layer (Layer 3) carries the packet to the remote system. This packet is referred to as a SYN packet.

The server receives the packet, reads the client's Sequence Number and crafts a response. The response sets the Acknowledgement Number field to the client's Sequence Number plus 1. Furthermore, the response has the control bits SYN and ACK set, and its Sequence Number is set to the server's own PRNG number. This packet is referred to as a SYN/ACK packet.

The client receives the SYN/ACK packet and completes the handshake by returning a packet with the ACK control bit set. This final packet confirms the server's PRNG number by acknowledging it in the Acknowledgement Number field of the header.

This exchange is known as the SYN, SYN/ACK, ACK three-way handshake.
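As an added illustration of the header fields and the handshake steps above (example code written for this page, not from the original course), the following Python parses raw 20-byte TCP headers, names each step the way Wireshark's Info column does, and checks that the sequence and acknowledgement numbers of a SYN, SYN/ACK, ACK exchange line up. The packets are constructed inside the script with made-up ports and ISNs.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF  # sequence and acknowledgement numbers are 32 bits and wrap

def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Pack a minimal 20-byte TCP header (no options) in network byte order."""
    offset_flags = (5 << 12) | flags  # data offset = 5 x 32-bit words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)  # window, checksum, urgent ptr

def parse_tcp_header(raw):
    """Extract ports, sequence/ack numbers and control bits from raw header bytes."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    bits = off_flags & 0x1FF  # the low 9 bits carry the control bits
    names = [n for bit, n in ((FLAG_SYN, "SYN"), (FLAG_ACK, "ACK"), (FLAG_FIN, "FIN"),
                              (FLAG_RST, "RST"), (FLAG_PSH, "PSH")) if bits & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": names, "header_len": (off_flags >> 12) * 4}

def classify(pkt):
    """Name the handshake step the way Wireshark's Info column shows it."""
    steps = {frozenset({"SYN"}): "SYN", frozenset({"SYN", "ACK"}): "SYN/ACK",
             frozenset({"ACK"}): "ACK"}
    return steps.get(frozenset(pkt["flags"]), "OTHER")

def info_line(pkt):
    """Wireshark-style summary, e.g. '51000 -> 80 [SYN] Seq=... Ack=...'."""
    return (f'{pkt["src_port"]} -> {pkt["dst_port"]} [{classify(pkt)}] '
            f'Seq={pkt["seq"]} Ack={pkt["ack"]}')

def validate_handshake(syn, synack, ack):
    """True if three parsed headers form a consistent SYN, SYN/ACK, ACK exchange."""
    if (classify(syn), classify(synack), classify(ack)) != ("SYN", "SYN/ACK", "ACK"):
        return False
    ports_ok = ((synack["src_port"], synack["dst_port"]) == (syn["dst_port"], syn["src_port"])
                and (ack["src_port"], ack["dst_port"]) == (syn["src_port"], syn["dst_port"]))
    # Each side acknowledges the peer's ISN + 1; the client's final seq is its own ISN + 1.
    return (ports_ok
            and synack["ack"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (synack["seq"] + 1) & MASK32
            and ack["seq"] == (syn["seq"] + 1) & MASK32)

# Constructed sample: client port 51000 -> server port 80 with made-up ISNs (not a real capture).
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9F8E7D6C
SAMPLE_HANDSHAKE = [
    build_tcp_header(51000, 80, CLIENT_ISN, 0, FLAG_SYN),
    build_tcp_header(80, 51000, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK),
    build_tcp_header(51000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),
]
```

Parsing SAMPLE_HANDSHAKE with parse_tcp_header and passing the three results to validate_handshake returns True; changing any acknowledgement number by one makes it return False.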

In the image below, two hosts exchange the three-way handshake:

[Image: Wireshark capture of a three-way handshake]

The screenshot shows packets captured and examined with Wireshark. Wireshark is an excellent tool because it lets us view packets and inspect them in detail. The three packets in the screenshot are the three-way handshake. Note how the two communicating parties appear in the Source and Destination columns. The Info column shows the source and destination ports along with the SYN, SYN/ACK and ACK flags (enclosed in square brackets).

After the three-way handshake, the following screenshot shows the parties exchanging data. The TCP packet's contents are shown toward the bottom of the image.

[Image: Wireshark capture showing data exchanged after the handshake]

Spoofing Traffic

Today's networks are mostly unrestricted, allowing anyone to construct packets any way they like: any header field can be set to any value. Attackers can send traffic on behalf of others using a technique known as spoofing.


TCP has some security built into the protocol, but it relies on the strength of the PRNG ("Pseudo Random Number Generator") used to generate sequence numbers. If the communicating parties' sequence numbers can be guessed, TCP's protection can be compromised, in the sense that an attacker can take part in spoofed TCP communications.
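As an added example (not part of the original course), the following Python shows the kind of check a defender can run over initial sequence numbers observed in SYN/ACK packets from a server: if the ISNs advance by a constant or near-constant increment, they are guessable in the sense described above. The ISN samples and the 24-bit threshold are constructed assumptions for illustration.

```python
import math

MASK32 = 0xFFFFFFFF

def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 (sequence numbers wrap)."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]

def assess_isn_sample(isns):
    """Heuristic audit of ISN strength from observed SYN/ACK sequence numbers.

    Returns (verdict, approx_bits). 'constant' and 'linear' ISNs are trivially
    guessable; 'weak' means successive increments vary only within a small range;
    'ok' means the sample looks consistent with a random 32-bit choice per connection.
    The 24-bit threshold is an assumption chosen for illustration, not a standard.
    """
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant", 0.0
    if len(set(deltas)) == 1:
        return "linear", 0.0
    spread = max(deltas) - min(deltas)
    approx_bits = math.log2(spread + 1)  # rough size of the guess space a spoofer faces
    return ("weak" if approx_bits < 24 else "ok"), round(approx_bits, 1)

# Constructed samples (not real captures): a fixed +64000 increment, the same
# increment with slight jitter, and values chosen to look like random 32-bit ISNs.
LINEAR_ISNS = [0x10000000 + i * 64000 for i in range(6)]
JITTER_ISNS = [0x10000000, 0x1000FA03, 0x1001F3F0, 0x1002EE12]
RANDOM_ISNS = [0x5A1F3C90, 0xE3B07A15, 0x0C44D9F2, 0x9B7E0361, 0x47D2C8AE, 0xF10A5B03]

if __name__ == "__main__":
    for name, sample in (("linear", LINEAR_ISNS), ("jitter", JITTER_ISNS), ("random", RANDOM_ISNS)):
        print(name, assess_isn_sample(sample))
```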

Many protocols are easily spoofed, but TCP offers some resilience against this. Protocols such as UDP and ICMP do not offer similar protection.

Spoofing packets is typically done by attackers with root or SYSTEM capabilities, i.e. the highest privileges on the operating system. The reason is that operating systems enforce the use of APIs which force the user to follow the communication rules specified in RFCs ("Request For Comments"). Without the highest privileges, an attacker will not be able to craft their own packets on the network.

UDP ("User Datagram Protocol")

In the modern world, more applications use UDP for fast packet transfer, with resilience and security built into the higher layers of the OSI model; QUIC is an example. UDP is used for traffic that does not need the resilience and security of TCP, typically applications such as VoIP.

The UDP header has the same Source and Destination Port fields, but no Sequence Numbers or Control Bits. Because the protocol has far less overhead, data transmission is faster.

[Image: UDP header fields]

UDP is highly spoofable because it lacks features such as the three-way handshake.

Switched Networks

Systems can be connected to a LAN ("Local Area Network") through a switch. Rather than the more widely used IP address, switches use MAC ("Media Access Control") addresses for addressing. Switches are used to forward traffic between local area networks, such as your home network and the branches of your company. Although MAC addresses are meant to be unique, anyone with administrator privileges can change their MAC address.

A MAC address consists of six octets, for instance: FC:F8:AE:12:34:56

The first three octets, the OUI ("Organizationally Unique Identifier"), identify the manufacturer of the communicating equipment. The OUI in the address above is assigned to Intel Corporate. There are many places where you can look up MAC addresses, such as https://www.adminsub.net/mac-address-finder/intel.

The manufacturer assigns the final three octets.

ARP

ARP ("Address Resolution Protocol") enables computer systems to determine which MAC address corresponds to which IP address. If traffic needs to be routed, the computer system forwards it to the configured Default Gateway.

ARP is a protocol that resolves one address into another, just like DNS. Each time a system attempts to connect to a LAN IP address, it checks its ARP cache to determine whether that address has been resolved recently.

You can review your own ARP cache. Just type arp -a on Windows or Linux. This displays the systems your system has recently interacted with.

[Image: output of arp -a]

VLAN ("Virtual LAN")

Using a VLAN, sometimes known as a private VLAN, a switch can insert a tag (a VLAN ID) into a frame. Multiple switches can then ensure that computers on the LAN are only able to talk to other computers with the same VLAN ID.
