Module 9
TCP/IP Layers and Vulnerabilities
MModified by :Ahmad Al Ghoul
PPhiladelphia University
FFaculty Of Administrative & Financial Sciences
BBusiness Networking & System Management Department
RRoom Number 32406
EE-mail Address: ahmad4_2_69@hotmail.com
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
1
Module Objectives
 Map the TCP/IP protocol suite to the seven layer Open Systems






Interconnection (OSI) communication model
Reviewing the Four-Layer DARPA Model
Reviewing the TCP/IP Communications Flow
Identify the types of attacks that can occur at the Network Interface
layer
Identify the types of attacks that can occur at the Internet layer
Identify the types of attacks that can occur at the Transport layer
Identify the types of attacks that can occur at the Application layer
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
2
Basic TCP/IP Principles
 Computers communicate with each other to request and share information.
When one computer communicates with another computer, an application
running on the source computer forms a request that can be serviced by an
application running on the destination computer. The two applications must be
written to understand what is being requested and what is being returned.
 To communicate across the same network, the two computers must be
configured to form similar information packets made up of data bits that can
be placed on a network, received by the correct destination computer.
 To communicate across multiple networks, such as when communicating with
another computer across the Internet, the packet must be formed in a manner
that will be understood by all of the computers that will receive and forward
the information packet. There must also be a unique identifier for the source
computer, and a unique identifier for the destination computer to ensure that
the communications reaches the correct destination computer.
 When two computers communicate across the Internet, any number of
computers, called routers, must receive the data packet, read the addressing
information, and determine if the destination computer is local to that router or
if the packet needs to be transmitted to another router for delivery to the
destination computer.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
3
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
4
What Is TCP/IP?
 TCP/IP is the suite of protocols used to
communicate on the Internet. Each protocol of the
TCP/IP protocol suite is associated with a layer of
the seven-layer OSI communications model,
which is an International Organization for
Standardization standard. The seven layers are the
Physical layer, Data Link layer, Network layer,
Transport layer, Session Layer, Presentation
Layer, and the Application layer. The TCP/IP
protocols are shown with their respective layers
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
5
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
6
Reviewing the Four-Layer DARPA
Model
 The four-layer DARPA model is a collection of protocols that
was originally developed in 1968 by BBN Technologies, which
was hired by the Defense Advanced Research Projects Agency
(DARPA) to establish a packet switched network between
research institutions in the United States. At the time,
functionality and performance were of greater concern than
security. Rather than breaking communications into seven
layers, as the International Organization for Standardization
(ISO) Open Systems Interconnection (OSI) model specifies, the
DARPA model presents four layers. The next Figure shows the
general mapping between the four-layer DARPA model and the
seven-layer OSI model.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
7
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
8
Reviewing the TCP/IP Communications Flow
Any time one computer needs to communicate with another, a sequence of
steps is followed. For this example, we relate Web browsing to the
TCP/IP communications flow.
When a user at a computer wants to access a Web page, he or she typically
starts a Web browser application and types the name of the Web site he
or she wishes to visit. The browser generates a request to have the Web
site name resolved to an IP address. The browser then attempts to
establish communications with that Web site.
The information that is passed from the upper layers of the DARPA model
to the lower layers is packaged for delivery by each necessary protocol
as it goes down through the TCP/IP stack. When the datagram (One
packet, or unit, of information, along with relevant delivery
information such as the destination address, that is sent through a
packet-switching network.) reaches the destination, the packet is
passed up the TCP/IP stack and the process is reversed. Next Figure
represents this communications process.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
9
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
10
When application data is sent from one computer to another:
1.
2.
3.
4.
The information is passed from the Application layer to the Transport layer.
The Transport layer protocols consider the Application layer information as
the payload (or data) that needs to be delivered and create a header that
contains information such as source and destination port, to help with
delivery of the information to the destination computer. That information is
passed to the Internet layer.
The Internet layer protocols considers the Transport layer information as the
payload that needs to be delivered and create an IP header that contains
information such as destination IP addresses, to help with delivery of the
datagram to the destination computer. That information is passed to the
Network Interface layer.
The Network Interface layer protocols consider the Internet layer
information as the payload that needs to be delivered and creates a
preamble and a frame header, which contains the source and destination
MAC addresses, to help with delivery of the datagram to a destination on
the local network once it arrives, and trailer information, called a checksum
that contains the count of the number of bits in a transmission so that the
receiver can ensure the packet did not get damaged in transit. A checksum is
an error detection method that is used to determine if a single bit error
occurred in transmission. The information is placed on the local network.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
11
At Distension Point
1.
2.
3.
4.
When the information reaches the destination computer, the
Network Interface layer protocols strip the preamble and
checksum from the packets and then pass the payload to the
Internet layer.
The Internet layer protocols strip the IP header from the
packet and pass the payload to the Transport layer.
The Transport layer protocol strips the TCP or UDP header
and passes the payload to the Application layer.
The application that is specified to manage that data receives
the data.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
12
TCP/IP Layers and Vulnerabilities
After reviewed the four communication layers used with
the TCP/IP suite and can identify the information that
is contained in an IP datagram, you should consider
the types of attacks that might occur at each level.
This is not meant to be a comprehensive list; rather it
provides you with an understanding of the types of
attacks that can occur at different levels.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
13
Identifying Possible Network Interface Layer
Attacks
 Identifying Possible Network Interface Layer Attacks
 At the Network Interface layer, the packet of information
that is placed on the wire is known as a frame. The packet
is comprised of three areas: the header, the payload, and
the FCS. Because the Network Interface layer is used for
communications on a local network, the attacks that occur
at this level would be carried out on local networks.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
14
25070
Network Layer Attacks

MAC address spoofing.
The header contains the MAC address of the source and destination computers and
is required to successfully send a directed message from a source computer to
a destination computer. Attackers can easily spoof the MAC address of another
computer. Any security mechanism based on MAC addresses is vulnerable to
this type of attack.
 Denial of service (DoS).
A DoS attack overloads a single system so that it cannot provide the service it is
configured to provide. An ARP protocol attack could be launched against a
computer to overwhelm it, which would make it unavailable to support the CI-A triad.
 ARP cache poisoning.
The ARP(Address Resolution Protocol. A TCP/IP protocol for determining the
hardware address (or physical address) of a node on a local area network
connected to the Internet) cache stores MAC (Media Access Control)
addresses of computers on the local network that have been contacted within a
certain amount of time in memory. If incorrect, or spoofed, entries were added
to the ARP cache, then the computer is not able to send information to the
correct destination.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
15
Identifying Possible Internet Layer Attacks ( 1 )
At the Internet layer, IP datagrams are formed. The packet is comprised of
two areas: the header and the payload. Some of the ways the Internet
layer can be exploited to compromise the C-I-A triad include the
following:
 IP address spoofing.
If the IP header fields and lengths are known, the IP address in the IP
datagram can be easily discovered and spoofed. Any security
mechanism based on the source IP address is vulnerable to this attack.
 Man-in-the-middle attacks.
This attack occurs when a hacker places himself or herself between the
source and destination computer in such a way that neither notices his
or her existence. Meanwhile, the attacker can modify packets or simply
view their contents.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
16
Identifying Possible Internet Layer Attacks ( 2 )

DoS.
With a DoS attack at this level, simple IP-level protocols and utilities can be
exploited to overload a computer, thus breaking the C-I-A triad.
 Incorrect reassembly of fragmented datagrams.
For fragmented datagrams, the Offset field is used with packet reassembly. If the
offset is changed, the datagram is reformed incorrectly. This could allow a
datagram that would typically not pass through a firewall to gain access to
your internal network, and could disrupt the C-I-A triad.
 Corrupting packets.
Because IP datagrams can pass through several computers between the source and
destination, the information in the IP header fields is read and sometimes
modified, such as when the information reaches a router. If the packet is
intercepted, the information in the header can be modified, corrupting the IP
datagram. This could cause the datagram to never reach the destination
computer, or it could change the protocols and payload information in the
datagram.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
17
Identifying Possible Transport Layer Attacks ( 1 )
 At the Transport layer, either a UDP header is added to the
message or a TCP header is added. The application that is
requesting the service determines what protocol will be
used. Some of the ways the Transport layer can be
exploited to compromise the C-I-A triad include the
following:
 Manipulation of the UDP or TCP ports.
 By knowing the UDP and TCP header fields and lengths,
the ports that are used for communications between a
source and destination computer can be identified, and that
information can be corrupted or exploited.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
18
Identifying Possible Transport Layer Attacks ( 2 )
 DoS.
 With a DoS attack at this level, simple IP-level protocols and utilities
can be exploited to overload a computer, thus breaking the C-I-A triad.
For instance, by knowing the steps involved in a three-way TCP
handshake, a hacker or cracker might send the packets in the incorrect
order and disrupt the availability of one of your servers. An example of
this is a SYN flood, where a hacker sends a large number of SYN
packets to a server and leaves the session half open. The server leaves
these sessions half-open for a prescribed amount of time. If the hacker
is successful in opening all available sessions, legitimate traffic will be
unable to reach the server.
 Session hijacking.
 This kind of attack occurs after a source and destination computer have
established a communications link. A third computer disables the
ability of one the computers to communicate, and then imitates that
computer. Because the connection has already been established, the
third computer can disrupt your C-I-A triad.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
19
Identifying Possible Application Layer Attacks (1 )
 Application layer attacks can be some of the most difficult to protect
against because they take advantage of vulnerabilities in applications
and lack of end-user knowledge of computer security. Some of the
ways the Application layer can be exploited to compromise the C-I-A
triad include the following:
 E-mail application exploits.
 Attachments can be added to e-mail messages and delivered to a user's
inbox. The user can open the e-mail message and run the application.
The attachment might do immediate damage, or might lay dormant and
be used later. Similarly, hackers often embed malicious code in
Hypertext Markup Language (HTML) formatted messages. Exploits of
this nature might take advantage of vulnerability in the client's e-mail
application or a lack of user knowledge about e-mail security concerns.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
20
Identifying Possible Application Layer Attacks ( 2 )
 Web browser exploits.
 When a client computer uses a Web browser to connect to a Web
server and download a Web page, the content of the Web page can be
active. That is, the content is not just static information, but can be
executable code. If the code is malicious, it can be used to disrupt the
C-I-A triad.
 FTP client exploits.
 File Transfer Protocol (FTP) is used to transfer files from one
computer to another. When a client has to provide a user name and
password for authentication, that information can be sent across the
Internet using plain text. The information can be captured at any point
along the way. If the client uses the same user name and password as
they use to attach to your corporate servers, that information could be
obtained by a hacker or cracker and used to access your company's
information.
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
21