
Introduction to TCP/IP/UDP && ICMP Protocols

  The TCP/IP family of protocols includes several components: the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP).
  TCP/IP was originally developed for research and academia and includes no built-in strong security capabilities. The traditional TCP/IP protocol suite provides no means of ensuring the confidentiality, integrity, and authentication of any data transmitted across the network. Without confidentiality and integrity controls, when you send a packet across the Internet, TCP/IP will allow any other user to see or modify your data. Furthermore, an attacker can send data to you that appears to come from other, trusted sources on the network.

Transmission Control Protocol / TCP

Many common applications run over TCP, including:

1. File transfer, using the File Transfer Protocol (FTP)
2. telnet, a remote command-line interface
3. Email, using various protocols, including the Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP)
4. Web Browsing, using the HyperText Transfer Protocol (HTTP)

In order to understand how an attack works, you need to know the purpose of several fields in the TCP header :

There are 65,535 different TCP ports on each machine; port 0 is reserved and not used.

The most common TCP Port Numbers :
Port 21 - FTP
Port 22 - SSH
Port 23 - Telnet
Port 25 - Mail Transfer Protocol
Port 80 - HTTP
A port with a listening service is known as an open port, and a port where nothing is listening is known as a closed port. To contact an application server, the client generates packets with a TCP destination port corresponding to the port where the server application is listening.
A system administrator can configure any application to use any port number, but client programs expect servers to be listening on specific destination ports. Therefore it is useless to reconfigure the port a certain application is using, except when the client and user know about that custom port.
You can check which ports are in use by typing "netstat -na" in a terminal; all ports that are sending or listening for data will be displayed.

User Datagram Protocol / UDP

TCP and UDP are like cousins. TCP gets more attention, and is used in the family name, but UDP is still the basis of some very important applications. Services that use UDP include many streaming audio and video applications, as well as Domain Name Service (DNS) queries and responses. According to the professionals, UDP also means "Unreliable Damn Protocol". Why? It is simple: it may lose packets or deliver them out of order. Sometimes this is OK, because it buys you speed. Some applications are much more interested in getting packets across the network quickly and don't need very high reliability. What kind of applications are these? They are applications that transmit data meant for the human eye and ear, like streaming audio or video. Additionally, some query-response applications use UDP, most notably DNS. When looking up the network address for a particular domain name, DNS sends out one packet with a query to look up a domain name.
UDP has 16-bit port numbers, so there are 65,535 possible UDP ports. Just like TCP, data comes from one port on the originating system (the UDP source port) and is destined for a port on the destination system (the UDP destination port). One of the most widely used UDP services, DNS, listens for DNS queries on UDP port 53.
Some other UDP-based services:

UDP port 69 - The Trivial File Transfer Protocol (TFTP)
UDP port 161 - The Simple Network Management Protocol (SNMP)
UDP port 7070 (can be configured to any port) - RealPlayer data (video/audio)

Is UDP Less Secure Than TCP?

Applications that run on UDP are more difficult to secure than TCP-based ones. It is considerably harder for network components (like routers or firewalls) to understand and track what is happening in an application using UDP as opposed to TCP. With UDP's lack of code bits and sequence numbers, it is much more difficult to track where the end systems are in their communications. UDP packets coming in from the Internet could be responses for legitimate services, or they could be malicious scans. By simply looking at the UDP header, there is no way to tell whether the packet is the start of a communication or a response.
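The difference described above, as an added example that is not part of the original article: a TCP header carries code bits that mark the start of a connection, while the 8-byte UDP header carries nothing comparable, so a filter has to remember outbound datagrams itself. The headers, ports and addresses are constructed samples, and `UdpReplyTracker` is a hypothetical helper.

```python
import struct

SYN, ACK = 0x02, 0x10  # two of the TCP code bits (flags)

def classify_tcp(header: bytes) -> str:
    """Place a TCP segment in its conversation using only the header."""
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    flags = off_flags & 0x3F  # low six bits: URG ACK PSH RST SYN FIN
    if flags & SYN and not flags & ACK:
        return "start of connection"
    if flags & SYN and flags & ACK:
        return "response to connection request"
    return "mid-connection"  # to be validated against tracked sequence numbers

def parse_udp(header: bytes):
    """The entire UDP header: source port, destination port, length, checksum."""
    return struct.unpack("!HHHH", header[:8])

class UdpReplyTracker:
    """Hypothetical filter state: remember outbound datagrams to recognise answers."""
    def __init__(self):
        self.expected = set()

    def outbound(self, local_ip, remote_ip, header):
        sport, dport, _length, _csum = parse_udp(header)
        self.expected.add((remote_ip, dport, local_ip, sport))

    def is_reply(self, remote_ip, local_ip, header):
        sport, dport, _length, _csum = parse_udp(header)
        return (remote_ip, sport, local_ip, dport) in self.expected

# Constructed sample headers (documentation addresses, made-up ports).
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | SYN, 65535, 0, 0)
TCP_SYNACK = struct.pack("!HHIIHHHH", 80, 40000, 7000, 1001, (5 << 12) | SYN | ACK, 65535, 0, 0)
DNS_QUERY = struct.pack("!HHHH", 53000, 53, 8, 0)
DNS_REPLY = struct.pack("!HHHH", 53, 53000, 8, 0)
UNSOLICITED = struct.pack("!HHHH", 53, 53001, 8, 0)

if __name__ == "__main__":
    print(classify_tcp(TCP_SYN), "/", classify_tcp(TCP_SYNACK))
    tracker = UdpReplyTracker()
    tracker.outbound("192.0.2.10", "198.51.100.53", DNS_QUERY)
    print(tracker.is_reply("198.51.100.53", "192.0.2.10", DNS_REPLY))
    print(tracker.is_reply("198.51.100.53", "192.0.2.10", UNSOLICITED))
```

A production filter would also expire remembered entries after a short timeout, which this sketch leaves out.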

The Internet Protocol (IP) and the Internet Control Message Protocol (ICMP)

When TCP or UDP generates a packet, it must be sent across the network. The transport layer (TCP or UDP) will pass the packet to the network layer for end-to-end packet delivery. The Internet Protocol (IP) is the most commonly used network layer today and is used for all traffic moving across the Internet.

 Local Area Networks and Routers

The purpose of IP is to carry packets end-to-end across the network. What exactly is a network? Complete networks are made up of fundamental building blocks called local area networks (LANs). A LAN is simply a number of computers connected together using a switch or a hub, with no routers separating the systems. LANs are connected together using routers. The router's job is to move packets between the LANs.

 IP Addresses
 

IP addresses identify a particular machine on the network and are 32 bits in length. Every system directly connected to the Internet has a unique IP address. Every IP packet contains a source IP address, identifying the system that is sending the packet, and a destination IP address, which identifies the destination system of the packet.

 Netmasks

Every IP address actually consists of two components: the network address and the host address on that particular network. The network address describes the particular LAN where traffic can be directed for delivery. The host address identifies the particular machine on the given LAN.
How, then, does a computer or router know which part of an IP address refers to the network and which part refers to the host? It determines this based on something called the netmask. The netmask defines which bits are in the network address (all the rest of the bits in the IP address are in the host component of the address). The netmask is a binary number that has its bits set to 1 where a given bit of the IP address is part of the network address.
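The netmask split, worked through bit by bit as an added example (not part of the original article), including the decision a host makes between delivering on its own LAN and handing the packet to a router. The addresses are constructed samples, `next_hop` is a hypothetical helper, and the check that the 1 bits are contiguous is an assumption drawn from common practice rather than from the text above.

```python
def to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 address into its 32-bit integer form."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def to_dotted(value: int) -> str:
    """Turn a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def check_mask(mask: int) -> None:
    """Assumption: a usable netmask is one unbroken run of 1 bits from the left."""
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError("netmask 1 bits are not contiguous")

def split(ip: str, netmask: str):
    """Return (network address, host address) as dotted quads."""
    mask = to_int(netmask)
    check_mask(mask)
    addr = to_int(ip)
    # Bits where the mask is 1 are the network part; the rest are the host part.
    return to_dotted(addr & mask), to_dotted(addr & ~mask & 0xFFFFFFFF)

def next_hop(src: str, dst: str, netmask: str, router: str) -> str:
    """Same network address: deliver directly on the LAN. Otherwise use the router."""
    same_lan = split(src, netmask)[0] == split(dst, netmask)[0]
    return dst if same_lan else router

if __name__ == "__main__":
    print(split("10.21.41.3", "255.255.0.0"))
    print(next_hop("10.21.41.3", "10.21.200.9", "255.255.0.0", "10.21.0.1"))
    print(next_hop("10.21.41.3", "10.21.200.9", "255.255.255.0", "10.21.41.1"))
```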

Internet Control Message Protocol / ICMP

Another critical member of the TCP/IP family is the Internet Control Message Protocol. ICMP is kind of like the network plumber. Its job is to transmit command and control information between systems and network elements to foster the transmission of actual data and to report errors. One system can use ICMP to determine whether another system is alive by sending it a "ping", which is an ICMP Echo message. If the pinged system is alive, it will respond by sending an ICMP Echo Reply message. A router can use ICMP to tell a source system that it does not have a route to the required destination. One host can tell another system to slow down the number of packets it is sending with an ICMP Source Quench message. ICMP is used for systems to exchange information about how data is flowing.
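The Echo / Echo Reply exchange at byte level, as an added example that is not part of the original article: it builds an Echo message, validates the Internet checksum, and produces the reply a live host would send. The type numbers (0, 3, 4, 8) are the standard ICMP assignments; the identifier, sequence number and payload are constructed values, and the function names are hypothetical.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              4: "Source Quench", 8: "Echo"}

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo (type 8) or Echo Reply (type 0) message."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse(message: bytes) -> dict:
    """Validate and decode a message; id and seq are only meaningful for echoes."""
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    if checksum(message) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": ICMP_TYPES.get(icmp_type, f"type {icmp_type}"),
            "id": ident, "seq": seq, "payload": message[8:]}

def answer(request: bytes) -> bytes:
    """The reply of a live host: same identifier, sequence number and payload."""
    req = parse(request)
    if req["type"] != "Echo":
        raise ValueError("only Echo messages are answered")
    return build_echo(0, req["id"], req["seq"], req["payload"])

def is_answer_to(reply: bytes, request: bytes) -> bool:
    """Match a reply to the request that caused it."""
    rep, req = parse(reply), parse(request)
    return rep["type"] == "Echo Reply" and all(
        rep[k] == req[k] for k in ("id", "seq", "payload"))

if __name__ == "__main__":
    ping = build_echo(8, 0x1234, 1, b"ping-test")  # constructed sample
    print(parse(ping)["type"], "->", parse(answer(ping))["type"])
```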

 Routing Packets

To move data end-to-end across the network, the packets must be carried from their source to their destination. Routing is the process of moving a packet from one network to another, with the goal of advancing the packet toward its destination in a relatively efficient way. Routers determine the path that a packet should take across the network, specifying from hop to hop which network segments the packets should bounce through as they travel across the network.
Most networks today use dynamic routing, where the routers themselves determine the path the packets will use. The routers chat among themselves using a variety of routing protocols to determine the best paths for packets to travel.


klip4e
