Chapter 3 - IIS Windows Server


Review of TCP/IP Internetworking (Chapter 3)
Single Network

[Figure: a single switched network showing applications, client hosts (including a mobile client host), server hosts, switches, access links, trunk links, a frame, and the path the frame follows]
Frame Organization

[Figure: frame layout: header (a destination address field plus other header fields), data field carrying the message, trailer]
Switching Decision

[Figure: a switch with six ports connected to Stations A, B, C and D; a frame with Station C in its destination address field arrives, and the switch receives the frame and sends it back out based on the destination address]
Figure 3-1: Internet

An internet is two or more individual switched networks connected by routers.

[Figure: Switched Networks 1, 2 and 3 connected by routers]
Figure 1.11: An Internet

Multiple networks connected by routers. The path of a packet is its route.

[Figure: a packet crossing several single networks through routers along its route]
Figure 1.13: The Internet

The global Internet has thousands of networks.

[Figure: a packet travelling between a browser and webserver software across many networks and routers; the sequence of routers is the packet's route]
Figure 3-6: Frames and Packets

[Figure: one packet travels from a client PC to a server: Frame 1 carries the packet in Network 1 (client PC, switch, Router A), Frame 2 carries it in Network 2 (Router A to Router B), and Frame 3 carries it in Network 3 (Router B, switch, server)]
Figure 1.12: Frames and Packets

Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport.

[Figure: shipper, truck, airport, airplane, airport, truck, receiver; the same shipment throughout]
Figure 3-2: TCP/IP Standards (Study Figure)

Origins

- Defense Advanced Research Projects Agency (DARPA) created the ARPANET
- An internet connects multiple individual networks
- Global Internet is capitalized
- Internet Engineering Task Force (IETF)
  - Most IETF documents are requests for comments (RFCs)
  - Internet Official Protocol Standards: list of RFCs that are official standards
Figure 3-2: TCP/IP Standards (Study Figure)

Hybrid TCP/IP-OSI Architecture (Figure 3-3)

- Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2

TCP/IP               OSI              Hybrid TCP/IP-OSI
Application          Application      Application
                     Presentation
                     Session
Transport            Transport        Transport
Internet             Network          Internet
Subnet Access:       Data Link        Data Link
use OSI standards    Physical         Physical
here
Figure 3-2: TCP/IP Standards (Study Figure)

OSI Layers

- Physical (Layer 1): defines electrical signaling and media between adjacent devices
- Data link (Layer 2): control of a frame through a single network, across multiple switches

[Figure: a frame crossing Switched Network 1; physical links run between adjacent devices, the data link spans the whole network]
Figure 3-2: TCP/IP Standards

Internet Layer

- Governs the transmission of a packet across an entire internet. The path of the packet is its route

[Figure: a packet's route across Switched Networks 1, 2 and 3 through routers]
Figure 3-2: TCP/IP Standards (Study Figure)

Frames and Packets

- Frames are messages at the data link layer
- Packets are messages at the internet layer
- Packets are carried (encapsulated) in frames
- There is only a single packet that is delivered from source to destination host
- This packet is carried in a separate frame in each network
Figure 3-7: Internet and Transport Layers

[Figure: client PC to server through Routers 1, 2 and 3]

- Transport layer: end-to-end (host-to-host). TCP is connection-oriented and reliable; UDP is connectionless and unreliable
- Internet layer (usually IP): hop-by-hop (host-router or router-router); connectionless and unreliable
Figure 3-2: TCP/IP Standards (Study Figure)

Internet and Transport Layers

- Purposes
  - Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
  - Transport layer is an end-to-end (host-to-host) protocol involving only the two hosts
- Internet Protocol (IP)
  - IP at the internet layer is unreliable—does not correct errors in each hop between routers
  - This is good: reduces the work each router along the route must do
Figure 3-2: TCP/IP Standards (Study Figure)

Transport Layer Standards

- Transmission Control Protocol (TCP)
  - Reliable and connection-oriented service at the transport layer
  - Corrects errors
- User Datagram Protocol (UDP)
  - Unreliable and connectionless service at the transport layer
  - Lightweight protocol good when catching errors is not important
Figure 3-8: HTML and HTTP at the Application Layer

[Figure: Hypertext Transfer Protocol (HTTP) requests and responses between a client PC with browser (123.34.150.37) and a webserver (60.168.47.47); the response carries a Hypertext Markup Language (HTML) document or other file (jpeg, etc.)]
Figure 3-2: TCP/IP Standards (Study Figure)

Application Layer

- To govern communication between application programs, which may be written by different vendors
- Document transfer versus document format standards
  - HTTP / HTML for WWW service
  - SMTP / RFC 822 (or RFC 2822) in e-mail
- Many application standards exist because there are many applications
Figure 3-3: TCP/IP and OSI Architectures: Recap

TCP/IP               OSI              Hybrid TCP/IP-OSI
Application          Application      Application
                     Presentation
                     Session
Transport            Transport        Transport
Internet             Network          Internet
Subnet Access:       Data Link        Data Link
use OSI standards    Physical         Physical
here

Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.
Figure 3-5: IP Packet

IP Version 4 Packet (each row runs from Bit 0 to Bit 31)

Version (4 bits, value 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time to Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
Figure 3-5: IP Packet

- Version
  - Has value of four (0100)
- Time to Live (TTL)
  - Prevents the endless circulation of mis-addressed packets
  - Value is set by sender
  - Decremented by one by each router along the way
  - If it reaches zero, the router throws the packet away
Figure 3-5: IP Packet

- Protocol Field
  - Identifies contents of data field
  - 1 = ICMP
  - 6 = TCP
  - 17 = UDP

[Figure: three IP packets; an IP Header with Protocol=1 is followed by an IP Data Field holding an ICMP Message; Protocol=6, a TCP Segment; Protocol=17, a UDP Datagram]
Figure 3-5: IP Packet

- Header checksum to check for errors in the header only
  - Faster than checking the whole packet
  - Stops bad headers from causing problems
  - IP Version 6 drops even this checking
- Address Fields
  - 32 bits long, of course
- Options field(s) give optional parameters
- Data field contains the payload of the packet.
Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host

[Figure: the application process creates an HTTP Message; the transport process encapsulates the HTTP message in the data field of a TCP segment (TCP Hdr | HTTP Message); the internet process encapsulates the TCP segment in the data field of an IP packet (IP Hdr | TCP Hdr | HTTP Message)]
Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host

[Figure: the internet process hands the packet (IP Hdr | TCP Hdr | HTTP Message) to the data link process, which encapsulates the IP packet in the data field of a frame (DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr); the physical process converts the bits of the frame into signals]
Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host

Note: The following is the final frame for supervisory TCP segments: DL Hdr | IP Hdr | TCP Hdr | DL Trlr
Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host

[Figure: the internet process decapsulates the TCP segment from the data field of the IP packet (IP Hdr | TCP Hdr | HTTP Message); the transport process decapsulates the HTTP message from the data field of the TCP segment (TCP Hdr | HTTP Message); the application process receives the HTTP Message]
Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host

[Figure: the physical process converts signals into the bits of the frame; the data link process decapsulates the IP packet from the data field of the frame (DL Hdr | IP Hdr | TCP Hdr | HTTP Message) and passes the packet (IP Hdr | TCP Hdr | HTTP Message) up to the internet process]
Figure 3-11: Vertical Communication on Router R1

[Figure A: Router R1 has an internet layer process above four ports, each with its own DL process and PHY process; a frame from Switch X2 arrives on Port 1 and is decapsulated into a packet]

Notes:
A. Router R1 receives frame from Switch X2 in Port 1. Port 1 DL process decapsulates packet. Port 1 DL process passes packet to internet process.
Figure 3-11: Vertical Communication on Router R1

[Figure B: the packet is encapsulated in a frame on Port 4 and sent on toward Router 2]

B. Internet process sends packet out on Port 4. DL process on Port 4 encapsulates packet in a PPP frame. DL process passes frame to Port 4 PHY.
Figure 3-12: Site Connection to an ISP

[Figure: the site network behind a border firewall, the data link between the site and the ISP router, and the Internet backbone; the same packet is carried in a different frame on each data link]

1. Frame for this data link
2. Packet carried in ISP carrier frame
3. Packet carried in site frame
4. Data link between site and ISP (difficult to attack)
5. Normally, only the arriving packet is dangerous—not the frame fields
Figure 3-13: Internet Protocol (IP)

Basic Characteristics

- There were already single networks, and many more would come in the future
- Developers needed to make a few assumptions about underlying networks
- So they kept IP simple

Figure 3-13: Internet Protocol (IP)

Connection-Oriented Service and Connectionless Service

- Connection-oriented services have distinct starts and closes (telephone calls)
- Connectionless services merely send messages (postal letters)
- IP is connectionless
IP Packet

[Figure: IP packets sent from the PC's internet process to the first router's internet process]

- Connectionless: packets sent in isolation, like postal letters
- Unreliable: no error correction; discarded by receiver if error is detected; leaves error correction to transport layer; reduces the cost of routers
Figure 3-13: Internet Protocol (IP) (Study Figure)

- IP is unreliable (checks for errors but does not correct errors) (Figure 3-14)
  - Not doing error correction at each hop between switches reduces switch work and so switch cost
  - Does not even guarantee packets will arrive in order
Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

- Postal addresses are hierarchical (state, city, postal zone, specific address)
  - Most post offices have to look only at state and city
  - Only the final post offices have to be concerned with specific addresses
Figure 3-15: Hierarchical IP Address

- Network part (not always 16 bits)
- Subnet part (not always 8 bits)
- Host part (not always 8 bits)
- Total always is 32 bits.

[Figure: 128.171.17.13 reached from the Internet: UH Network (128.171), CBA Subnet (17), Host 13]
Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

- 32-bit IP addresses are hierarchical (Figure 3-15)
  - Network part tells what network the host is on
  - Subnet part tells what subnet the host is on within the network
  - Host part specifies the host on its subnet
- Routers have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host
Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

- 32-bit IP addresses are hierarchical
  - Total is 32 bits; part sizes vary
- Network mask tells you the size of the network part (Figure 3-16)
- Subnet mask tells you the length of the network plus subnet parts combined
Figure 3-16: IP Address Masking with Network and Subnet Masks

- Mask represents: network masking tells the size of the network part; subnet masking tells the size of the network and the subnet parts combined
- Eight ones give the decimal value 255; eight zeros give the decimal value 0
- Masking gives the IP address bit where the mask bit is 1, and 0 where the mask bit is 0 (the same rule for network and subnet masking)
Figure 3-16: IP Address Masking with Network and Subnet Masks

Example 1
             Network Masking                    Subnet Masking
IP Address   128.171.17.13                      128.171.17.13
Mask         255.255.0.0                        255.255.255.0
Result       128.171.0.0                        128.171.17.0
Meaning      16-bit network part is 128.171     Combined 24-bit network plus subnet parts are 128.171.17

Example 2
             Network Masking                    Subnet Masking
IP Address   60.47.123.7                        60.47.123.7
Mask         255.0.0.0                          255.255.0.0
Result       60.0.0.0                           60.47.0.0
Meaning      8-bit network part is 60           Combined 16-bit network plus subnet parts are 60.47
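Masking as in the two examples above, written out as bit operations. This is an added example and not code from the slides; the function names and the contiguous-mask check are mine, and the addresses are the ones in Examples 1 and 2.

```python
# Added example (not from the slides): network and subnet masking (Figure 3-16)
# with plain bit operations, plus the mask-length check a router relies on.


def dotted_to_int(addr: str) -> int:
    """Convert '128.171.17.13' to the 32-bit integer 0x80AB110D."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_length(mask: str) -> int:
    """Number of leading 1 bits; rejects masks whose 1 bits are not contiguous."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    # A valid mask is exactly `ones` one-bits followed only by zero-bits.
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF if ones else 0
    if m != expected:
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return ones


def apply_mask(addr: str, mask: str) -> str:
    """Keep the address bit where the mask bit is 1; give 0 where the mask bit is 0."""
    mask_length(mask)  # validates the mask before it is used
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def split_address(addr: str, network_mask: str, subnet_mask: str) -> dict:
    """Sizes and values of the network, subnet and host parts of one address."""
    network_bits = mask_length(network_mask)
    combined_bits = mask_length(subnet_mask)  # network plus subnet parts
    if combined_bits < network_bits:
        raise ValueError("subnet mask must cover at least the network part")
    host_bits = 32 - combined_bits
    return {
        "network_bits": network_bits,
        "subnet_bits": combined_bits - network_bits,
        "host_bits": host_bits,
        "network": apply_mask(addr, network_mask),
        "network_and_subnet": apply_mask(addr, subnet_mask),
        "host": dotted_to_int(addr) & ((1 << host_bits) - 1),
    }


def same_subnet(a: str, b: str, subnet_mask: str) -> bool:
    """The comparison a router makes: do two addresses share network plus subnet parts?"""
    return apply_mask(a, subnet_mask) == apply_mask(b, subnet_mask)


if __name__ == "__main__":
    # Example 1 from the slides: 16-bit network mask, 24-bit subnet mask.
    print(split_address("128.171.17.13", "255.255.0.0", "255.255.255.0"))
    # Example 2: 8-bit network mask, 16-bit subnet mask.
    print(split_address("60.47.123.7", "255.0.0.0", "255.255.0.0"))
```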
Figure 3-13: Internet Protocol (IP)

IP Addresses and Security

- IP address spoofing: sending a message with a false IP address (Figure 3-17)
  - Gives sender anonymity so that the attacker cannot be identified
  - Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts
Figure 3-17: IP Address Spoofing

[Figure: Trusted Server 60.168.4.6, Victim Server 60.168.47.47, Attacker's Client PC 1.34.150.37]

1. Trust relationship between the trusted server and the victim server
2. Attack packet with spoofed source IP address 60.168.4.6
3. Server accepts attack packet; the attacker's identity is not revealed
Figure 3-13: Internet Protocol (IP) (Study Figure)

IP Addresses and Security

- LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.
Figure 3-18: LAND Attack Based on IP Address Spoofing

[Figure: Attacker 1.34.150.37 sends a packet From: 60.168.47.47:23 To: 60.168.47.47:23; Victim 60.168.47.47, with Port 23 open, crashes. Source and destination IP addresses are the same; source and destination port numbers are the same]
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Protocol field: identifies content of IP data field
  - Firewalls need this information to know how to process the packet
- Time-to-Live field
  - Each router decrements the TTL value by one
  - The router decrementing the TTL field to zero discards the packet
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Time-to-Live field
  - Router also sends an error advisement message to the sender
  - The packet containing this message reveals the sender's IP address to the attacker
  - Traceroute uses TTL to map the route to a host (Figure 3-19)
    - Tracert on Windows machines
Figure 3-19: Tracert Program in Windows

[Figure: screenshot of tracert output]
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Header Length field and Options
  - With no options, Header Length is 5
  - Expressed in units of 32 bits
  - So, 20 bytes
  - Many options are dangerous
  - So if Header Length is more than 5, be suspicious
  - Some firms drop all packets with options
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Length Field
  - Gives length of entire packet
  - Maximum is 65,536 bytes
  - Ping-of-Death attack sent IP packets with longer data fields
  - Many systems crashed
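The header checks the slides have walked through (version, Header Length over 5, Protocol value, TTL, Total Length against the bytes received, the checksum, and identical source and destination addresses) as one inspection routine a firewall could apply. Added example, not code from the slides; the helper names are mine, and the sample packets are constructed with the slides' addresses.

```python
# Added example (not from the slides): parse an IPv4 header and report the
# conditions the slides single out as worth rejecting or logging.
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Value for the Header Checksum field, computed with that field zeroed."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, options: bytes = b"") -> bytes:
    """Constructed header for the examples and tests (not captured traffic)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4                # Header Length, in 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0x1234, 0,
                      ttl, protocol, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split("."))) + options
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]


def inspect_ipv4(packet: bytes) -> dict:
    """Parse the header of one received packet and list suspicious conditions."""
    if len(packet) < 20:
        raise ValueError("fewer than 20 bytes: not a complete IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    header_len = ihl * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    ttl, protocol = packet[8], packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    warnings = []
    if version != 4:
        warnings.append(f"version {version} is not 4")
    if ihl < 5:
        warnings.append(f"header length {ihl} is below the minimum of 5 words")
    elif ihl > 5:
        warnings.append(f"options present (header length {ihl} > 5): be suspicious")
    if header_len > len(packet):
        warnings.append("header length runs past the end of the packet")
    if total_length != len(packet):
        warnings.append(f"total length {total_length} != {len(packet)} bytes received")
    if src == dst:
        warnings.append("source and destination addresses identical (LAND pattern)")
    if ttl == 0:
        warnings.append("TTL is 0: a router should already have discarded this")
    if protocol not in PROTOCOL_NAMES:
        warnings.append(f"protocol {protocol} is not ICMP, TCP or UDP")
    # A correct header sums to 0xFFFF once the checksum field itself is included.
    checksum_ok = (ihl >= 5 and header_len <= len(packet)
                   and ones_complement_sum(packet[:header_len]) == 0xFFFF)
    if not checksum_ok:
        warnings.append("header checksum does not verify")
    return {"version": version, "header_length": header_len,
            "total_length": total_length, "ttl": ttl,
            "protocol": PROTOCOL_NAMES.get(protocol, str(protocol)),
            "src": src, "dst": dst, "checksum_ok": checksum_ok, "warnings": warnings}
```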
Figure 3-20: Ping-of-Death Attack

[Figure: Attacker 1.34.150.37 sends an IP packet containing an ICMP Echo message that is illegally long; Victim 60.168.47.47 crashes]
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Fragmentation
  - Routers may fragment IP packets (really, packet data fields) en route
    - All fragments have the same Identification field value
    - Fragment offset values allow fragments to be ordered
    - More Fragments is 0 in the last fragment
  - Harms packet inspection: the TCP header, etc. is only in the first packet in the series
  - Cannot filter on the TCP header, etc. in subsequent packets
Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet

[Figure: Attacker 1.34.150.37 sends a fragmented IP packet to a firewall at 60.168.47.47]

1. Fragmented IP packet
2. First fragment: IP Header | TCP Header | TCP Data Field; second fragment: IP Header | TCP Data Field, no TCP header
3. TCP header only in first fragment
4. TCP data field after the IP header in the second fragment
5. Firewall 60.168.47.47 can only filter on the TCP header in the first fragment
Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

- Fragmentation
  - Teardrop attack: crafted fragmented packet does not make sense when reassembled
  - Some firewalls drop all fragmented packets, which are rare today
Figure 3-21: Teardrop Denial-of-Service Attack

[Figure: Attacker 1.34.150.37 sends what pretends to be a fragmented IP packet; when reassembled by Victim 60.168.47.47, the "defragmented" IP packet has gaps and overlaps and does not make sense; the victim crashes]
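A reassembly check for the fragmentation points made above: it walks a fragment series by Identification, Fragment Offset and More Fragments, reports the gaps and overlaps of a Teardrop-style series, a reassembled size over the 16-bit Total Length limit (the Ping-of-Death case), and whether the first fragment carries a TCP header at all. Added example, not code from the slides; the Fragment record and the function name are mine, and the sample series are constructed.

```python
# Added example (not from the slides): sanity-check the fragments of one IP
# packet before reassembly, reporting what a firewall would want to log.
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest value the 16-bit Total Length field can hold
IP_HEADER_LEN = 20     # assumes a header without options
TCP_HEADER_LEN = 20    # minimum TCP header; only the first fragment can carry it


@dataclass(frozen=True)
class Fragment:
    identification: int   # same value in every fragment of one packet
    offset_units: int     # Fragment Offset field, in 8-byte units
    more_fragments: bool  # MF flag: 1 in every fragment except the last
    data_len: int         # bytes of data carried by this fragment


def check_fragment_series(fragments: list) -> dict:
    """Findings for the fragments of one packet (one Identification value)."""
    if not fragments:
        raise ValueError("no fragments")
    if len({f.identification for f in fragments}) != 1:
        raise ValueError("fragments belong to more than one packet")
    frags = sorted(fragments, key=lambda f: f.offset_units)  # arrival order is arbitrary
    findings = []
    if frags[0].offset_units != 0:
        findings.append("no first fragment (offset 0) in the series")
    # Every fragment except the last must carry a multiple of 8 data bytes,
    # or the next fragment's offset cannot be expressed in 8-byte units.
    for f in frags[:-1]:
        if f.data_len % 8:
            findings.append(f"fragment at byte {f.offset_units * 8} carries "
                            f"{f.data_len} bytes, not a multiple of 8")
    # Walk the series: each fragment should start exactly where the previous ended.
    expected = 0
    for f in frags:
        start, end = f.offset_units * 8, f.offset_units * 8 + f.data_len
        if start > expected:
            findings.append(f"gap: data bytes {expected}-{start - 1} missing")
        elif start < expected:
            findings.append(f"overlap: fragment at {start} overlaps {expected - start} bytes")
        expected = max(expected, end)
    if [f.more_fragments for f in frags] != [True] * (len(frags) - 1) + [False]:
        findings.append("MF must be 1 in every fragment except the last and 0 in the last")
    if IP_HEADER_LEN + expected > MAX_DATAGRAM:
        findings.append(f"reassembled packet would be {IP_HEADER_LEN + expected} bytes, "
                        f"over the {MAX_DATAGRAM}-byte maximum")
    return {
        "reassembled_data_bytes": expected,
        # Only the first fragment can hold the TCP header a firewall filters on.
        "first_fragment_has_tcp_header": (frags[0].offset_units == 0
                                          and frags[0].data_len >= TCP_HEADER_LEN),
        "findings": findings,
    }
```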
Figure 3-24: IP Packet with a TCP Segment Data Field

(each row runs from Bit 0 to Bit 31)
IP Header (Usually 20 Bytes)
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

- TCP messages are TCP segments
- Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.

[Figure detail: Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)]
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Reliable

- Receiving process sends ACK to sending process if segment is correctly received
  - ACK bit is set (1) in acknowledgement segments
- If sending process does not get ACK, it resends the segment

[Figure: PC transport process sends a TCP segment to the webserver transport process, which answers with a TCP segment (ACK)]
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Connections: Opens and Closes

- Formal open and close
- Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
- Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
- Abrupt close: RST (Figure 3-26)
Figure 3-25: Communication During a TCP Session

3-Way Open (between the PC transport process and the webserver transport process; 3 messages)
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
Figure 3-25: Communication During a TCP Session

Open (3 messages), then carrying the HTTP request and response (4 messages)
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)
Figure 3-25: Communication During a TCP Session

Error Handling (while carrying an HTTP request and response)
8. Data = HTTP Request (Error)
9. Data = HTTP Request (No ACK so Retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)
Figure 3-25: Communication During a TCP Session

Normal Four-Way Close (4 messages)
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)

Note: An ACK may be combined with the next message if the next message is sent quickly enough.
Figure 3-25: Communication During a TCP Session

Abrupt Close (1 message)
- RST: either side can send a Reset (RST) segment at any time; it ends the session immediately
Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)

[Figure: Attacker 1.34.150.37 and Victim 60.168.47.47]

1. Probe: the attacker sends a SYN/ACK segment to 60.168.47.47
2. No connection: the SYN/ACK makes no sense to the victim
3. Go away: the victim replies with an RST segment (IP header plus RST segment)
4. The reply's source IP address is 60.168.47.47
5. 60.168.47.47 is live!
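A small connection tracker that follows the open and close of Figure 3-25 and flags the unsolicited SYN/ACK of Figure 3-26, the kind of state a firewall or IDS keeps per socket pair. Added example, not code from the slides; the state names, the Segment record and the replay function are mine, and the sockets reuse the slides' addresses.

```python
# Added example (not from the slides): track SYN / SYN-ACK / ACK, the four-way
# close and RST between two sockets, and note segments that fit no connection.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # bit values in the Flags field


@dataclass(frozen=True)
class Segment:
    src: str          # "ip:port" socket of the sender
    dst: str          # "ip:port" socket of the receiver
    flags: int
    seq: int
    ack: int = 0


class ConnectionTracker:
    """One state per socket pair: NONE, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, LAST_ACK, CLOSED."""

    def __init__(self):
        self.conns = {}   # frozenset({socket_a, socket_b}) -> {"state": str, "isn": {socket: isn}}
        self.notes = []   # anomalies a defender would log

    def feed(self, seg: Segment) -> str:
        conn = self.conns.setdefault(frozenset((seg.src, seg.dst)), {"state": "NONE", "isn": {}})
        state, isn, f = conn["state"], conn["isn"], seg.flags
        if f & RST:                          # abrupt close: either side, at any time
            if state == "NONE":
                self.notes.append(f"RST from {seg.src} to {seg.dst} with no connection")
            state = "CLOSED"
        elif f & SYN and not f & ACK:        # message 1 of the 3-way open
            if state in ("NONE", "CLOSED"):
                state, isn = "SYN_SENT", {seg.src: seg.seq}
            else:
                self.notes.append(f"SYN from {seg.src} while connection is {state}")
        elif f & SYN:                        # SYN/ACK must acknowledge the SYN's seq + 1
            if state == "SYN_SENT" and seg.ack == isn.get(seg.dst, -1) + 1:
                state, isn[seg.src] = "SYN_RECEIVED", seg.seq
            else:
                self.notes.append(f"SYN/ACK from {seg.src} to {seg.dst} matches no SYN "
                                  "(probe pattern of Figure 3-26); receiver should answer RST")
        elif f & FIN:                        # four-way close: FIN, ACK, FIN, ACK
            if state == "ESTABLISHED":
                state = "FIN_WAIT"           # first FIN seen
            elif state == "FIN_WAIT":
                state = "LAST_ACK"           # second FIN seen; one ACK still to come
            else:
                self.notes.append(f"FIN from {seg.src} while connection is {state}")
        elif f & ACK:
            if state == "SYN_RECEIVED" and seg.ack == isn.get(seg.dst, -1) + 1:
                state = "ESTABLISHED"        # message 3 of the open
            elif state == "LAST_ACK":
                state = "CLOSED"             # final ACK of the close
            elif state not in ("ESTABLISHED", "FIN_WAIT"):
                self.notes.append(f"ACK from {seg.src} to {seg.dst} with no open connection")
        conn["state"], conn["isn"] = state, isn
        return state


def figure_3_25_session() -> dict:
    """Replays open, data and four-way close between the slides' PC and webserver (constructed)."""
    pc, web = "60.171.18.22:50047", "60.171.17.13:80"
    t = ConnectionTracker()
    msgs = [Segment(pc, web, SYN, 1000),                 # 1. SYN (Open)
            Segment(web, pc, SYN | ACK, 5000, 1001),     # 2. SYN, ACK (1)
            Segment(pc, web, ACK, 1001, 5001),           # 3. ACK (2)
            Segment(pc, web, ACK, 1001, 5001),           # 4. Data = HTTP Request
            Segment(web, pc, ACK, 5001, 1101),           # 5. ACK (4)
            Segment(pc, web, FIN | ACK, 1101, 5201),     # 13. FIN (Close)
            Segment(web, pc, ACK, 5201, 1102),           # 14. ACK (13)
            Segment(web, pc, FIN | ACK, 5201, 1102),     # 15. FIN
            Segment(pc, web, ACK, 1102, 5202)]           # 16. ACK (15)
    return {"states": [t.feed(m) for m in msgs], "notes": t.notes}
```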
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Sequence and Acknowledgement Number

- Sequence numbers identify a segment's place in the sequence
- Acknowledgement number identifies which segment is being acknowledged

[Figure detail: Source Port Number (16 bits) | Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits)]
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

- Port numbers identify applications
- Well-known ports (0-1023) used by applications that run as root (Figure 3-27)
  - HTTP=80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25

[Figure detail: Source Port Number (16 bits) | Destination Port Number (16 bits)]
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

- Registered ports (1024-49152) for any application
- Ephemeral/dynamic/private ports (49153-65536) used by clients (16,384 possible)
- Not all operating systems use these port ranges, although all use well-known ports
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

- Socket format is IP address:port, for instance, 128.171.17.13:80
  - Designates a specific program on a specific machine
- Port spoofing (Figure 3-28)
  - Incorrect application uses a well-known port
  - Especially 80, which is often allowed through firewalls
Figure 3-27: Use of TCP and UDP Port Number

[Figure: Client 60.171.18.22, Webserver 60.171.17.13 (Port 80), SMTP Server 123.30.17.120 (Port 25)]

- Client to webserver: From: 60.171.18.22:50047 To: 60.171.17.13:80
- Webserver reply: From: 60.171.17.13:80 To: 60.171.18.22:50047
- Client to SMTP server: From: 60.171.18.22:60003 To: 123.30.17.120:25
- The client used different ephemeral ports for different connections
Figure 3-29: User Datagram Protocol (UDP) (Study Figure)

- UDP datagrams are simple (Figure 3-30)
  - Source and destination port numbers (16 bits each)
  - UDP length (16 bits)
  - UDP checksum (16 bits)

Figure 3-30 layout (each row runs from Bit 0 to Bit 31):
IP Header (Usually 20 Bytes)
Source Port Number (16 bits) | Destination Port Number (16 bits)
UDP Length (16 bits) | UDP Checksum (16 bits)
Data Field
Figure 3-29: User Datagram Protocol (UDP) (Study Figure)

- Port spoofing still possible
- UDP datagram insertion
  - Insert a UDP datagram into an ongoing dialog stream
  - Hard to detect because there are no sequence numbers in UDP
Figure 3-33: Internet Control Message Protocol (ICMP)

- ICMP is for supervisory messages at the internet layer
- ICMP and IP
  - An ICMP message is delivered (encapsulated) in the data field of an IP packet
- Types and Codes (Figure 3-2)
  - Type: general category of supervisory message
  - Code: subcategory of type (set to zero if there is no code)
Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages

[Figure: a router sends a "Host Unreachable" error message; an ICMP message such as "Echo" or "Echo Reply" follows the IP header in the packet]
Figure 3-32: IP Packet with an ICMP Message Data Field

(each row runs from Bit 0 to Bit 31)
IP Header (Usually 20 Bytes)
Type (8 bits) | Code (8 bits) | Depends on Type and Code
Depends on Type and Code
Figure 3-32: Internet Control Message Protocol (ICMP)

Network Analysis Messages

- Echo (Type 8, no code) asks the target host if it is operational and available
- Echo reply (Type 0, no code): the target host responds to the echo sender
- Ping program implements Echo and Echo Reply, like a submarine pinging a target
- Ping is useful for network managers to diagnose problems based on failures to reply
- Ping is useful for hackers to identify potential targets: live ones reply
Figure 3-32: Internet Control Message Protocol (ICMP)

Error Advisement Messages

- Advise the sender of an error, but there is no error correction
- Host Unreachable (Type 3, multiple codes)
  - Many codes for specific reasons for the host being unreachable
  - The host unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim
  - Usually sent by a router
Figure 3-31: Internet Control Message Protocol (ICMP)

Error Advisement Messages

- Time Exceeded (Type 11, no codes)
  - Router decrementing TTL to 0 discards the packet and sends a time exceeded message
  - The IP header containing the error message reveals the router's IP address
  - By progressively incrementing TTL values by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping the network
  - Also usually sent by a router
Figure 3-31: Internet Control Message Protocol (ICMP)

Control Codes

- Control network/host operation
- Source Quench (Type=4, no code)
  - Tells the destination host to slow down its transmission rate
  - Legitimate use: flow control if the host sending the source quench is overloaded
  - Attackers can use it for a denial-of-service attack
Figure 3-31: Internet Control Message Protocol (ICMP)

Control Codes

- Redirect (Type 5, multiple codes)
  - Tells a host or router to send packets in a different way than they have been
  - Attackers can disrupt network operations, for example, by sending packets down black holes
- Many other ICMP messages