Communication in modern networks is characterised by the following fundamental principles:
Packet switching is a mode of data transmission in which a message is:
Figure 1: Packet switching with 3 packets. (source)
Packets typically consist of a header and a payload.
If a message is sent all at once (as one packet), an attacker would have access to the whole message if it was intercepted.
Dividing the message into packets limits this: an attacker who intercepts a single packet obtains only one fragment of the message, which is often useless on its own.
Network communication models typically use a stack of layers to divide network communications.
A network layer takes care of a specific job, and passes the data onto the next layer.
Figure 2: Linux networking stack. (source)
The OSI model is a specific standard for network communication layering - it defines a networking framework to implement protocols in seven layers.
Most communications systems implement the OSI model in one way or another, often combining two or three layers into one.
As packets travel through a networking stack, the protocols at each layer either add or remove fields from the basic header.
When a protocol on the sending host adds data to the packet header, the process is called data encapsulation. This occurs when going down the stack, towards the physical layer.
Data that the host typically adds to the packet header includes:
When a protocol on the sending host removes data from the packet header, the process is called data decapsulation. This occurs when going up the stack, towards the application layer.
A protocol data unit (PDU) is a single unit of information transmitted between layers in a network stack.
In network stacks, each layer implements protocols tailored to its specific type of data exchange. For example:
These are all different types of PDUs, just with specific names on specific layers.
Figure 4: TCP/IP network stack.
The PDUs are displayed on the right, and change when moving between layers (encapsulation and decapsulation). (source)
Network interfaces are devices that connect a computer to a network. Packets are transmitted between network interfaces, and computers may have multiple network interfaces. Some examples are:
As discussed in the Protocol Data Units section, most local area networks (such as Ethernet and WiFi) broadcast frames.
Most network interfaces come with a predefined MAC address. A Media Access Control (MAC) address is a 48-bit number usually represented in hexadecimal. These addresses are used in the data link layer of the OSI model.
The first three octets of any MAC address are IEEE-assigned Organisationally Unique Identifiers (OUIs), which are labels that identify which organisation created the interface:
The remaining three octets of the MAC address can be assigned by organisations as they wish, with uniqueness being the only constraint.
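The encapsulation steps and the MAC address layout above, as an added worked example (not code from the original notes): a payload is wrapped as a UDP segment, then an IPv4 packet, then an Ethernet frame, and the frame is unwrapped again with the PDU of each layer reported. The IPv4 header checksum is verified on the way up, and the source MAC is split into its OUI and flag bits. All addresses, ports and the payload are constructed sample values.

```python
"""Added example (not from the original notes): encapsulate a small payload as
UDP segment -> IPv4 packet -> Ethernet frame, then decapsulate it again and
report the PDU at each layer. Addresses, ports and payload are constructed."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def describe_mac(mac: bytes) -> dict:
    """The OUI is the first three octets. In the first octet, bit 0 marks a group
    (multicast/broadcast) address and bit 1 marks a locally administered address,
    i.e. one not assigned by the manufacturer from its IEEE OUI."""
    return {
        "oui": mac[:3].hex(":"),
        "multicast": bool(mac[0] & 0x01),
        "locally_administered": bool(mac[0] & 0x02),
    }


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    # Transport layer (segment): 8-byte UDP header; a zero checksum is allowed for UDP over IPv4.
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Network layer (packet): 20-byte IPv4 header, version 4 / IHL 5, TTL 64, protocol 17 = UDP.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 17, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Data link layer (frame): Ethernet II header, EtherType 0x0800 = IPv4.
    # (Minimum-frame padding and the trailing FCS are left out of this example.)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def decapsulate(frame: bytes) -> dict:
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    # Summing the header including its checksum field must give zero after complementing.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "frame": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
                  "ethertype": ethertype, "src_mac_info": describe_mac(src_mac)},
        "packet": {"src_ip": ".".join(map(str, packet[12:16])),
                   "dst_ip": ".".join(map(str, packet[16:20])), "protocol": packet[9]},
        "segment": {"src_port": src_port, "dst_port": dst_port, "length": udp_len},
        "data": segment[8:udp_len],
    }


if __name__ == "__main__":
    f = encapsulate(b"hello", "02:00:00:aa:bb:cc", "00:1b:21:11:22:33",
                    "10.0.0.2", "10.0.0.9", 40000, 53)
    print(decapsulate(f))
```

Each layer only reads its own header and hands the rest down: the frame parser never looks inside the IP header, and the IP parser never looks inside the UDP header, which is exactly the layering the stack diagrams describe.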
A network switch is a computer networking device that connects devices on a network by using packet switching to receive, process and forward data to the destination device.
Figure 5: Operation of a network switch in a typical network. (source)
Switches can be combined and arranged into a tree. Each switch forwards frames for the MAC addresses of the machines in the segments (subtrees) connected to it.
Figure 6: Combining switches (tree diagram). (source)
The Internet Protocol (IP) is the principal set of digital message formats and rules for exchanging messages between devices across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).
The IP is used as the primary protocol in the TCP/IP stack's internet layer (a subset of the OSI stack's network layer).
Figure 7: A typical data-link frame. (source)
In order to deliver data, IP needs to be aware of the destination of the data, and hence includes addressing systems.
IP may need to carry data across networks, including to networks not directly connected to the current one.
An IP address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. These addresses are used in the network layer of the OSI model.
IP addresses come in two forms:
IPv4: 32-bit addresses (numbers typically displayed in decimal)
IPv6: 128-bit addresses (numbers typically displayed in hexadecimal)
IPv6 was introduced to solve the issue of IPv4 address exhaustion (a limitation on the ~4.3 billion IPv4 addresses available).
IP addresses are divided into separate segments: network, subnet and host.
A broadcast address is a network address at which all devices connected to a network are enabled to receive packets.
Analogy: There is often a need to send a datagram to all stations connected to the same medium, or the same link, without even knowing their own addresses. It is like shouting aloud in a room to speak to all present persons at once, without knowing their names. This is broadcasting.
Private networks are networks which are not routed outside of a LAN.
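The address subdivisions, broadcast addresses and private ranges described above, as an added worked example (not code from the original notes) using Python's standard `ipaddress` module. The addresses used are constructed sample values; `summarize`, `same_subnet` and `is_broadcast_for` are names chosen here.

```python
"""Added example (not from the original notes): decompose an address given in CIDR
notation into network, host and broadcast parts with the standard ipaddress module.
The addresses used are constructed sample values."""
import ipaddress


def summarize(cidr: str) -> dict:
    iface = ipaddress.ip_interface(cidr)          # e.g. "192.168.1.37/24"
    net = iface.network
    prefix = net.prefixlen
    host_bits = iface.ip.max_prefixlen - prefix   # 32 - prefix for IPv4, 128 - prefix for IPv6
    # IPv4 reserves the all-zeros (network) and all-ones (broadcast) host values,
    # except in /31 and /32 networks, which have no such reservation.
    usable = net.num_addresses - 2 if iface.version == 4 and prefix < 31 else net.num_addresses
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address) if iface.version == 4 else None,  # IPv6 has no broadcast
        "host_part": int(iface.ip) - int(net.network_address),  # value of the host bits
        "host_bits": host_bits,
        "usable_hosts": usable,
        "private": iface.ip.is_private,   # RFC 1918 ranges and other non-routable blocks
    }


def same_subnet(addr_a: str, addr_b: str, prefixlen: int) -> bool:
    """True when both addresses fall in the same /prefixlen network, i.e. a packet
    between them is delivered directly rather than via a router."""
    net = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(addr_b) in net


def is_broadcast_for(addr: str, cidr: str) -> bool:
    """True when addr is the directed-broadcast address of the network containing cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(addr) == net.broadcast_address


if __name__ == "__main__":
    print(summarize("192.168.1.37/24"))
```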
The headers of IP packets typically include the following fields:
A router bridges two or more networks.
Figure 8: Routers bridging two networks. (source)
Routers operate at the network layer, and have two main tasks:
A routing table maps ranges of addresses to LANs or other gateway routers.
Internet Control Message Protocol (ICMP) is a protocol that is used for network testing and debugging. Messages for this protocol are simple, and encapsulated in single IP packets.
ICMP is considered a network layer protocol.
`ping` - Command for sending a series of echo request messages; provides statistics on round-trip times and packet loss.
`traceroute` - Command for sending a series of ICMP packets with increasing TTL values to discover and display the routes that the packets took.
Smurfing is a form of Denial of Service (DoS) attack that exploits ICMP, whereby remote hosts respond to echo request packets (ping) to say they are alive.
The idea behind smurfing is:
Figure 9: Typical smurf attack. (source)
The Address Resolution Protocol (ARP) is a protocol responsible for connecting the network layer and data link layer together by mapping IP addresses to physical machine addresses (MAC addresses) that are recognised in the local network.
Systems keep an ARP look-up table where they store information about what IP addresses are associated with what MAC addresses.
Example: Running the command `arp -a` displays the ARP table:

```
IP Address       Physical Address    Type
188.8.131.52     00-00-0c-07-ac-00   dynamic
184.108.40.206   00-0c-76-b2-d7-1d   dynamic
220.127.116.11   00-0c-76-b2-d0-d2   dynamic
```
If a source device wants to send a packet to another device:
The source device checks its ARP cache (look-up table) to find if it already has a resolved MAC address that corresponds to the requested device's IP address.
If there is a MAC address, it is used for sending the packet.
If there is no record for the requested device's IP address in the ARP look-up table, the source device generates an ARP message with the following fields:
The source device broadcasts the ARP message to the local network.
The ARP message is received by each device on the LAN since it is a broadcast.
Each device compares the target protocol address in the ARP message with its own IP address. Devices for which the two addresses do not match drop the packet without further action.
When the targeted device checks the target protocol address, it finds a match and generates an ARP reply message, essentially filling in the blank target hardware address with the device's own MAC address.
The ARP reply message is sent from the target device back to the source device (as a unicast message, NOT broadcast - to save network resources).
The source device processes the ARP reply from the target device, and adds a new cache entry to the ARP look-up table with the new target hardware address and target protocol address.
The source device will then send the requested packet to the now known target hardware address.
An ARP poisoning attack (also known as ARP spoofing or ARP cache poisoning) is a type of attack in which a malicious man-in-the-middle sends false ARP reply messages over a local area network.
Essentially, at the step of the ARP functionality description where each device compares the target protocol address with its own, the attacker's device does not match, but it can still send back a spoofed reply message containing its own MAC address, acting as if it were the intended target device.
This results in the linking of the attacker's MAC address with the IP address of a legitimate device on the network.
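The ARP message fields and the poisoning symptom described above, as an added worked example (not code from the original notes): an encoder and decoder for ARP messages carried in Ethernet frames, plus a passive monitor that records the first MAC seen answering for each IP and reports any later reply that binds the same IP to a different MAC. The addresses and frames are constructed sample values; `ArpMonitor` and the helper names are chosen here.

```python
"""Added example (not from the original notes): encode and decode ARP messages as they
travel in Ethernet frames, and a passive monitor that flags the symptom of ARP cache
poisoning: a second reply claiming an IP address already bound to a different MAC.
All addresses and frames below are constructed sample values."""
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # the "blank" target hardware address in a request

ArpMessage = namedtuple("ArpMessage", "operation sender_mac sender_ip target_mac target_ip")


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def build_arp_frame(msg: ArpMessage) -> bytes:
    """Ethernet II header (EtherType 0x0806) followed by the 28-byte ARP body:
    htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation, then the
    four address fields. Requests are broadcast; replies are unicast to the requester."""
    dst = BROADCAST_MAC if msg.operation == ARP_REQUEST else msg.target_mac
    eth = mac_bytes(dst) + mac_bytes(msg.sender_mac) + struct.pack("!H", 0x0806)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, msg.operation,
                       mac_bytes(msg.sender_mac), ip_bytes(msg.sender_ip),
                       mac_bytes(msg.target_mac), ip_bytes(msg.target_ip))
    return eth + body


def parse_arp_frame(frame: bytes) -> ArpMessage:
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return ArpMessage(op, sha.hex(":"), ".".join(map(str, spa)),
                      tha.hex(":"), ".".join(map(str, tpa)))


class ArpMonitor:
    """Remembers the first MAC seen answering for each IP. A later reply that binds the
    same IP to a different MAC is reported. A replaced network card produces the same
    signal, so in practice such alerts are confirmed against an inventory of known MACs."""

    def __init__(self):
        self.bindings = {}   # ip -> mac first seen for it
        self.alerts = []

    def observe(self, frame: bytes):
        msg = parse_arp_frame(frame)
        if msg.operation != ARP_REPLY:
            return None
        known = self.bindings.get(msg.sender_ip)
        if known is None:
            self.bindings[msg.sender_ip] = msg.sender_mac
            return None
        if known != msg.sender_mac:
            alert = f"{msg.sender_ip} previously {known}, now claimed by {msg.sender_mac}"
            self.alerts.append(alert)
            return alert
        return None
```

The monitor keeps the first binding rather than overwriting it, which is the opposite of what a normal ARP cache does; that is deliberate, since the whole point is to notice the change rather than silently accept it.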
The User Datagram Protocol (UDP) is a stateless, unreliable datagram protocol built on top of IP - that is, it lies at the transport layer of the OSI model.
Example: VoIP and streaming (audio/video) typically use UDP.
Transmission Control Protocol (TCP) is a transport layer (OSI model) protocol that enables/offers:
Example: HTTP and SSH are built on top of TCP.
Packages a data stream into segments transported by IP.
Checks transmitted data by comparing a checksum of the data with a checksum encoded in the packet.
Figure 10: Structure of a TCP packet (160+ bits).
The blue-outlined section is the packet header. (source)
Both TCP and UDP support concurrent applications running on the same server. In order to do this, ports are used to identify where data is directed.
A port is simply represented as a 16-bit number. Ports up to `1023` are reserved for use by known protocols.
Example: HTTPS uses `443`, and SSH likewise uses a reserved port.
Ports above those, up to `49151`, are known as user ports, and are used for listening to connections.
`SYN` is a binary flag field in the TCP packet header, which indicates whether a particular packet is part of a SYN exchange during the handshake.
A TCP connection involves a client and a server, where the server is generally a passive listener waiting for a connection request. However, the server is just another client.
TCP connections are established through a three-way handshake, known as `SYN`, `SYN-ACK`, `ACK` (SSAA):
1. The client sends a `SYN` packet to the server.
2. The server replies with a `SYN-ACK` packet, acknowledging the connection.
3. The client sends an `ACK` packet to the server, thus establishing the connection.
During connection establishment using the three-way handshake, initial sequence numbers are exchanged.
The TCP header includes a 16-bit checksum of the data and parts of the header, including the source and destination.
Acknowledgement (or lack thereof) is used by TCP to keep track of network congestion, control flow etc.
TCP connections are cleanly terminated with a four-way handshake, known as `FIN`, `ACK`, `FIN`, `ACK` (FAFA):
1. The client sends a `FIN` message to the server.
2. The server replies with an `ACK`.
3. The server sends its own `FIN` message to the client.
4. The client replies with an `ACK`, and the connection is terminated.
Data transfer with TCP works the same way as terminating connections, but replacing the
SYN flooding is a form of TCP attack in which lots of requests (`SYN` packets) are sent to the victim in order to overload them.
A basic three-part handshake is used to initiate a TCP connection to the victim.
`SYN` packets are sent to the victim (without acknowledging any replies).
As a result, the victim accumulates more half-open connections from `SYN` packets than they can handle.
TCP packet forging is another form of TCP attack, which is exactly the same as SYN flooding, except that the source of the TCP packet is forged.
The victim's `ACK`s are sent to a second computer (the forged source). This means that less bandwidth is used on the attacker's side.
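The handshake, the half-open state a SYN flood leaves behind, and the effect of forged sources, as an added worked example (not code from the original notes): a minimal TCP header encoder/decoder and a tracker that follows `SYN`, `SYN-ACK`, `ACK` per connection, only marking a connection established when the final `ACK` acknowledges the server's initial sequence number, and reports how many connections are stuck half-open per source and in total. Addresses, ports and the threshold are constructed sample values; `HandshakeTracker` and its method names are chosen here.

```python
"""Added example (not from the original notes): a minimal TCP header encoder/decoder and
a tracker that follows the SYN / SYN-ACK / ACK exchange and counts connections left in
the half-open state, the condition a SYN flood creates. Addresses and packets are constructed."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """20-byte header without options (data offset 5). The checksum is left at zero here
    because it also covers an IP pseudo-header, which this example does not build."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> dict:
    src, dst, seq, ack, off_flags, window, _cksum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "header_len": (off_flags >> 12) * 4, "window": window}


class HandshakeTracker:
    """State per (client ip, client port, server ip, server port) tuple."""

    def __init__(self, per_source_limit=3):
        self.conns = {}          # key -> {"state": ..., "expect_ack": ...}
        self.per_source_limit = per_source_limit

    def observe(self, src_ip: str, dst_ip: str, hdr: dict):
        f = hdr["flags"]
        if f & SYN and not f & ACK:                       # step 1: client SYN
            key = (src_ip, hdr["src_port"], dst_ip, hdr["dst_port"])
            self.conns[key] = {"state": "SYN_RECEIVED", "expect_ack": None}
        elif f & SYN and f & ACK:                         # step 2: server SYN-ACK
            key = (dst_ip, hdr["dst_port"], src_ip, hdr["src_port"])
            if key in self.conns:
                self.conns[key]["expect_ack"] = (hdr["seq"] + 1) & 0xFFFFFFFF
        elif f & ACK:                                     # step 3: client ACK of the server ISN
            key = (src_ip, hdr["src_port"], dst_ip, hdr["dst_port"])
            c = self.conns.get(key)
            if c and c["state"] == "SYN_RECEIVED" and hdr["ack"] == c["expect_ack"]:
                c["state"] = "ESTABLISHED"
        if f & RST:                                       # a reset from either side clears the entry
            self.conns.pop((src_ip, hdr["src_port"], dst_ip, hdr["dst_port"]), None)
            self.conns.pop((dst_ip, hdr["dst_port"], src_ip, hdr["src_port"]), None)

    def half_open(self) -> dict:
        counts = defaultdict(int)
        for (ip, _, _, _), c in self.conns.items():
            if c["state"] == "SYN_RECEIVED":
                counts[ip] += 1
        return dict(counts)

    def total_half_open(self) -> int:
        # With forged source addresses every SYN looks like a new source, so the
        # per-source view stays quiet; the total still grows, so watch both.
        return sum(self.half_open().values())

    def noisy_sources(self) -> list:
        return sorted(ip for ip, n in self.half_open().items() if n >= self.per_source_limit)
```

A real listener also ages out half-open entries after a timeout; the tracker leaves that out so the counts in a short run stay easy to follow.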
The application layer is a layer in the OSI network model that is used for managing human-computer interactions.
This layer is typically where applications (such as web browsers) can access the network services.
Examples of protocols that lie in the application layer are:
Uniform Resource Locators (URLs) are a standardised format for describing the location and access method of resources via the internet.
URLs are of the format:
The Domain Name System (DNS) is an application-layer protocol. The basic function of DNS is to map domain names to IP addresses—this mapping is many-to-many.
18.104.22.168and other addresses.
More generally, DNS is a distributed database that stores resource records such as:

| Record type | Meaning |
|---|---|
| Address | IP address associated with a host name. |
| Mail exchange | Mail server of a domain. |
| Name server | Authoritative server for a domain. |
A domain name consists of two or more labels, separated by dots.
Top-level domains can be any of:
`.net` - managed by ICANN
`.it` - managed by government organisations
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation that:
Alternatively, if a domain has subdomains:
Resource records (e.g.
A name server is a server on the internet responsible for handling queries regarding a domain name.
A name server:
An authoritative name server stores a reference version of DNS records for a zone (subtree of the DNS tree).
`dns0.ed.ac.uk` is authoritative for
`dns0.inf.ed.ac.uk` is authoritative for
A name resolver is a program that retrieves DNS records.
A name resolver:
Figure 11: An example of iterative name resolution with the query
In iterative name resolution, when a DNS server is queried, it returns an answer without querying other DNS servers—even if it cannot provide a definite answer. This answer can be:
In recursive name resolution, when a DNS server is queried, it will query subsequent DNS servers (on behalf of the client/requester) until a definitive answer is returned to the requester.
Note: The queries made to subsequent DNS servers from the first DNS server are iterative queries.
A glue record is a DNS record of type `A` (IP address) for a name server referred to by an `NS` record.
This is used to break circular references.
Sometimes the authoritative name server for a domain may be within the same domain (a subdomain).
`dns0.inf.ed.ac.uk` is authoritative for
In the below table, the second record represents a glue record.
If a path in the DNS tree was simply traversed for each requested query, there would be too much network traffic, meaning that root servers and TLD servers would quickly become overloaded.
DNS servers cache records that are results of queries, for a specified amount of time. This amount is specified as a time-to-live field.
`A` record of the query domain.
`NS` record of the longest suffix of the query domain.
The local DNS cache is maintained by the operating system. This is shared among all running applications and can be displayed to all users.
This may cause privacy issues—namely:
DNS cache poisoning is a cyber attack that exploits DNS vulnerabilities by diverting internet traffic away from legitimate servers and towards fake ones.
The basic idea behind the attack is to give a DNS server a false `A` record for an address and get it cached.
DNS queries are carried over UDP, so there is no handshake (`SYN`, `SYN-ACK`) as there is in TCP/IP. In UDP, a sent packet will get processed since there are no authentication measures.
A DNS server is vulnerable to cache poisoning if its resolver:
Defences against cache poisoning:
- Check request identifiers
- Use signed records (DNSSEC)
SSL and TLS are both cryptographic protocols that establish an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts through the use of public-key cryptography. These protocols are often used in conjunction with other internet protocols such as HTTPS, SSH, FTPS and secure email.
These protocols provide:
In addition to providing an encrypted channel, these protocols are also used to authenticate communicating parties. This is crucial for such applications as online transactions because a client must be sure that money is being transferred to the person or company who they claim to be.
SSL and TLS lie on top of TCP/IP, and below application layer protocols (in the OSI model). In the TCP/IP stack, these protocols lie in the application layer (as seen in Figure 12).
Figure 12: TLS/SSL consists of two layers within the application layer of the TCP/IP stack. (source)
SSL is the predecessor to TLS. TLS was introduced in 1999 as a new version of SSL, and was based on SSLv3.
| | Confidentiality | Integrity | Authentication |
|---|---|---|---|
| Setup | Public-key based key exchange (RSA and DH) | Public-key digital signature (e.g. RSA) | Public-key digital signature (e.g. RSA) |
| Data transmission | Symmetric encryption (e.g. AES in CBC mode) | Hash-based MACs (e.g. HMAC using SHA256) | |
When a connection is established between a client (typically a web browser) and a server:
1. The client sends its supported cryptographic algorithms to the server.
2. The server picks the strongest algorithms that it supports.
3. The server sends its SSL/TLS certificate to the client. This certificate contains the server's public encryption key.
4. The certificate is checked by the client against a trusted CA. As a certificate cannot be falsified, the client may be certain that it is communicating with the right server.
5. The client and server perform a key exchange for symmetric encryption and hash-based authentication of subsequent data transfer.
6. The client and server exchange data bidirectionally.
Before a message is encrypted, a MAC is appended to each HTTP message. The resulting message is encrypted and sent.
This symmetric cryptosystem provides confidentiality, and the use of MAC provides integrity of the HTTP requests and responses.
The basic key exchange performed in step 5 described above used to be done with RSA:
Forward secrecy is provided by a crypto-system if a compromise of private keys in a key exchange does not break the confidentiality of past messages.
TLS with the basic key exchange described above does not provide forward secrecy.
As a result, the basic RSA key exchange is no longer used, since an attacker who obtains the private key can uncover the exchanged secret value and use it to derive the encryption keys.
An alternate key exchange method used that provides forward secrecy is the Diffie-Hellman key exchange.
Although Diffie-Hellman provides forward secrecy, it is open to a man-in-the-middle attack.
This attack can be prevented by signing the exchanged Diffie-Hellman values before sending them.
Note: This approach requires both parties to know each other's public key.
A firewall is a security measure designed to prevent unauthorised electronic access to a networked computer system.
Firewalls prevent unauthorised access by monitoring and controlling incoming and outgoing traffic based on predetermined security rules.
These rules are called firewall policies. Based on these rules, the firewall allows or denies traffic.
| Rule | Protocol | Source address | Destination address | Destination port | Action |
|---|---|---|---|---|---|
A stateless firewall does not maintain any remembered context (state) with respect to the packets it is processing.
Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously—if a packet matches the filter's set of rules, the packet filter will drop or accept it.
Note: Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.
Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network. They maintain a record of all connections passing through them and can determine if a packet is either:
Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets involved in a connection.
Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from the internal network.
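The policy table, the stateless filter and the stateful filter described above, as an added worked example (not code from the original notes): a first-match rule evaluator whose rule fields follow the policy table (protocol, source address, destination address, destination port, action), applied first without memory and then with a connection table. With the same two-rule policy the stateless filter drops the reply to a connection it just allowed out, while the stateful one accepts it and still refuses an unsolicited inbound connection. The policy, packets and class names are constructed here.

```python
"""Added example (not from the original notes): a first-match packet filter applied to
constructed packets, first statelessly and then with connection tracking. Rule fields
follow the policy table above (protocol, source, destination, destination port, action)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""         # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (TCP only)
    direction: str = "in"   # "in" = arriving from outside, "out" = leaving the internal network


@dataclass
class Rule:
    number: int
    proto: str              # "tcp", "udp" or "any"
    src: str                # CIDR or "any"
    dst: str
    dport: Optional[int]    # None = any port
    action: str             # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, cidr):
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
        return ((self.proto == "any" or self.proto == pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class StatelessFirewall:
    """Each packet is judged on its own: the first rule that matches decides, otherwise
    the default applies. Nothing is remembered between packets."""

    def __init__(self, rules, default="deny"):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFirewall(StatelessFirewall):
    """Records TCP connections opened from the inside; inbound packets belonging to one
    of those connections are accepted without needing a permissive inbound rule."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()   # (proto, internal ip, internal port, external ip, external port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = super().decide(pkt)
            if verdict == "allow" and pkt.proto == "tcp" and pkt.flags == "S":
                self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return super().decide(pkt)


# Constructed policy: internal hosts may open HTTPS connections; everything else is denied.
POLICY = [
    Rule(1, "tcp", "10.0.0.0/8", "any", 443, "allow"),
    Rule(2, "any", "any", "any", None, "deny"),
]
```

To let replies through, the stateless filter would need an inbound rule allowing any packet from source port 443, which is the kind of broad opening the note above about stateless firewalls having to be restrictive refers to.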
A port scanner is a tool that provides information regarding open ports in a target system. An example of a port-scanning tool is
Port scanning can be a useful tool in the arsenal of an attacker, as it can identify ports which are open to attacks.
An application layer firewall works like a proxy—it can understand certain applications and protocols, and as a result effectively simulates the effects of an application at OSI level 7.
This type of firewall acts as a protective man-in-the-middle that screens information at the application layer. It may inspect the contents of the traffic, blocking what it views as inappropriate content. For example:
A personal firewall runs on the workstation that it protects, as software. It provides basic protection—especially for home or mobile devices.
Any rootkit-type software can disable the firewall.
Network Address Translation (NAT) is a method of remapping one IP address space into another.
IPv4 is the fourth version of the Internet Protocol. The addressing system used in this protocol is 32-bit, which limits the address space to 2^32 addresses.
There are fewer than 4.3 billion IPv4 addresses available. This is an issue as we do not have enough addresses for every device on the planet.
The solution to this problem is NAT, where the internal IP address of a device is different from its external IP address.
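The remapping NAT performs, as an added worked example (not code from the original notes): a port-based translation table of the kind a home router keeps, where many private addresses share one public address, each outbound flow is assigned its own external port, and inbound packets are rewritten only when they match an existing mapping, so unsolicited inbound traffic has nowhere to go. Addresses and the port pool are constructed sample values; `NatGateway` is a name chosen here.

```python
"""Added example (not from the original notes): a port-based NAT table of the kind a home
router keeps. Many private addresses share one public address; each outbound flow is
given its own external port, and inbound packets are rewritten only if they match an
existing mapping. Addresses are constructed sample values."""


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40009):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.out_map = {}   # (private ip, private port, remote ip, remote port) -> external port
        self.in_map = {}    # (external port, remote ip, remote port) -> (private ip, private port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network. Returns the new
        (src_ip, src_port, dst_ip, dst_port) or raises when the port pool is exhausted."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            if not self.free_ports:
                raise RuntimeError("NAT port pool exhausted")
            ext_port = self.free_ports.pop(0)
            self.out_map[key] = ext_port
            self.in_map[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key], dst_ip, dst_port

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a packet arriving from the internet. Returns None
        when no internal host initiated a matching flow, i.e. the packet is unsolicited.
        The mapping is keyed on the remote endpoint too, so another host cannot reuse it."""
        if dst_ip != self.public_ip:
            return None
        target = self.in_map.get((dst_port, src_ip, src_port))
        if target is None:
            return None
        return src_ip, src_port, target[0], target[1]

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Drop a mapping when the flow ends so its external port returns to the pool."""
        ext_port = self.out_map.pop((src_ip, src_port, dst_ip, dst_port), None)
        if ext_port is not None:
            del self.in_map[(ext_port, dst_ip, dst_port)]
            self.free_ports.append(ext_port)
        return ext_port
```

The small port pool in the constructor is there to make exhaustion easy to reach in a test; a real gateway has tens of thousands of ports and also expires idle mappings on its own.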
Firewalls are used as a preventative measure. An Intrusion Detection System (IDS) can be used to detect a potential incident in progress.
At some point, some traffic must be allowed to move into and out of a network. However, most security incidents are caused by a user letting something into the network that is malicious, or being an insider threat themselves. Situations such as these cannot be prevented or anticipated in advance.
The next step is to identify that something bad is happening quickly so it can be addressed. This is when IDS comes in.
An IDS can either sound an alarm or not, depending on whether it thinks it has detected an intrusion attack.
This leads to four possible outcomes: true positives (TP), false positives (FP), false negatives (FN) and true negatives (TN).
In rule-based intrusion detection, a set of rules identify the types of actions that match certain known intrusion attacks. These rules encode a signature for such attacks.
| Advantages | Disadvantages |
|---|---|
| High accuracy (low false positives) | Admin must anticipate attack patterns in advance |
| | An attacker may test an attack on common signatures |
| | Impossible to detect a new type of attack |
In statistical intrusion detection, a statistical model of acceptable or normal behavior is dynamically built, and any other non-matching behaviour is flagged.
| Advantages | Disadvantages |
|---|---|
| Admin does not need to anticipate potential attacks | System needs time to warm up to new behaviour |
| Can detect new types of attacks | Lower accuracy (higher false positives) |
In the 2013 Target breach, the IDS did correctly identify that there was an attack on the Target network. However, there were too many alarms going off to investigate all of them in great depth.
Some cyberattack insurance policies state that if you know about an attack and do nothing, they will not cover the attack—meaning that having a noisy IDS can potentially be a liability.