Sep 23, 2020
Firewalls are specialized software modules running on a computer or a dedicated network device. They serve to filter packets coming in and out of a network. They can work on different layers of the OSI model.
The most basic feature of a firewall is packet filtering. Administrators create rules that filter packets according to header characteristics such as:
- source IP address
- destination IP address
- source port
- destination port
Common actions that can be applied:
- allow: let the packet pass
- drop: discard the packet without any diagnostic message to the source host
- deny: similar to drop, but notify the source host
Inspecting only the header of a packet gives no information about its content. Even if only port 443 is allowed, an attacker can exploit the service behind it to reach deeper levels of the network.
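A first-match packet filter over the header fields listed above, added here as an illustration (not code from the original notes). Rules, addresses and ports are constructed from the RFC 5737 documentation ranges; anything that matches no rule falls through to an implicit drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # allow | drop | deny
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None      # None matches any port
    dport: Optional[int] = None

    def matches(self, src_ip, dst_ip, sport, dport):
        # Only header fields are consulted; the payload is never seen here.
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def filter_packet(rules, src_ip, dst_ip, sport, dport):
    """Evaluate rules top down. Returns (action, index of the matching rule);
    index -1 marks the implicit default drop when nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, sport, dport):
            return rule.action, i
    return "drop", -1

# Constructed rule set (not a real configuration): reject one range with
# notification, allow HTTPS and DNS to two servers, drop everything else.
RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", dst="192.0.2.10/32", dport=443),
    Rule("allow", dst="192.0.2.53/32", dport=53),
    Rule("drop"),
]
```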
Application level firewalls
An application level firewall inspects all 7 layers of the OSI model. It provides more comprehensive protection because it inspects the actual content of a packet, not just the headers.
Intrusion Detection System (IDS)
An IDS inspects the application payload, trying to detect any potential attack. It checks for attack vectors like ping sweeps, port scans, SQL injections, buffer overflows, etc.
An IDS, similar to antivirus software, detects risky traffic by means of signatures. The vendor provides frequent signature updates as soon as new attack vectors are found. Without the right signatures an IDS cannot detect and report an intrusion.
There is also a risk of false positives, when legitimate traffic is marked as malicious.
IDS != firewall
An IDS is another layer of protection, which can be used in conjunction with a firewall.
Intrusion Prevention System (IPS)
It is similar to an IDS; however, it can drop a malicious request when the threat's risk classification is above a predefined threshold.
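The IDS/IPS distinction above, worked through on one of the signatures the notes name (a port sweep). This is an added example, not code from the original notes: the connection log, the hosts and the thresholds are constructed, and the allowlist shows how a false positive (a monitoring host that legitimately touches many ports) is tuned out.

```python
from collections import defaultdict

# Constructed connection log, not a real capture: (timestamp, src, dst, dst_port).
# Documentation addresses (RFC 5737) stand in for real hosts.
RECORDS = [
    (1, "198.51.100.7", "192.0.2.80", 22), (1, "198.51.100.7", "192.0.2.80", 23),
    (2, "198.51.100.7", "192.0.2.80", 25), (2, "198.51.100.7", "192.0.2.80", 80),
    (3, "198.51.100.7", "192.0.2.80", 443), (3, "198.51.100.7", "192.0.2.80", 3389),
    # monitoring host that legitimately checks several services
    (1, "192.0.2.15", "192.0.2.80", 22), (1, "192.0.2.15", "192.0.2.80", 80),
    (2, "192.0.2.15", "192.0.2.80", 443), (2, "192.0.2.15", "192.0.2.80", 5432),
    (2, "192.0.2.15", "192.0.2.80", 8080), (2, "192.0.2.15", "192.0.2.80", 9100),
    (5, "192.0.2.33", "192.0.2.80", 443),  # ordinary client
]

def sweep_scores(records, window):
    """Per source: the most distinct destination ports touched inside any
    `window`-second interval. This is the 'port scan' signature of the notes."""
    by_src = defaultdict(list)
    for ts, src, _dst, port in records:
        by_src[src].append((ts, port))
    scores = {}
    for src, events in by_src.items():
        events.sort()
        scores[src] = max(len({p for ts, p in events[i:] if ts - start <= window})
                          for i, (start, _) in enumerate(events))
    return scores

def decide(records, window=5, alert_at=5, block_at=10, allowlist=frozenset()):
    """IDS/IPS verdict per source: 'block' (IPS behaviour, score at or above
    block_at), 'alert' (IDS behaviour, score at or above alert_at) or 'ok'.
    The allowlist tunes out known legitimate scanners such as monitoring hosts."""
    verdicts = {}
    for src, score in sweep_scores(records, window).items():
        if src in allowlist or score < alert_at:
            verdicts[src] = "ok"
        else:
            verdicts[src] = "block" if score >= block_at else "alert"
    return verdicts
```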
Domain Name System (DNS)
The DNS converts human-readable names to IP addresses.
DNS structure can be broken down into:
- top level domain (TLD)
- domain part
- subdomain part (if applicable)
- host part
Name resolution is performed by resolvers. Resolvers are servers that contact the TLD servers and follow the hierarchy of the DNS name to resolve the name of a host:
- the resolver contacts one of the root name servers; these servers hold information about the TLDs (this information is hardcoded by the system administrator);
- next, it asks the TLD name server (found in the previous step) for the name of the server that can give information about the domain the resolver is looking for;
- if there are one or more subdomains, the previous step is repeated for every subdomain;
- the resolver asks that server for the name resolution of the host part;
- the resolver sends the IP address back to the client.
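The iterative walk above, simulated end to end as an added example (not code from the original notes). The server names, zone contents and addresses are constructed; a referral cap is included because a misconfigured or hostile delegation loop would otherwise keep a real resolver busy forever.

```python
# Constructed zone data for illustration; the server names and addresses are
# not real. Each authoritative server knows only its own records: an A record
# is a final answer, an NS record is a referral to the server one level down.
ROOT_HINTS = ["root.example-ns"]    # hardcoded on the resolver, as the notes describe
SERVERS = {
    "root.example-ns": {"com.": ("NS", "tld.example-ns")},
    "tld.example-ns": {"example.com.": ("NS", "ns.example.com.")},
    "ns.example.com.": {
        "www.example.com.": ("A", "192.0.2.10"),
        "eu.example.com.": ("NS", "ns.eu.example.com."),   # delegated subdomain
    },
    "ns.eu.example.com.": {"host.eu.example.com.": ("A", "192.0.2.20")},
}

def query(server, qname):
    """One exchange with an authoritative server. Returns ("A", ip) on an exact
    match, ("NS", next_server) for the longest delegated suffix, or None."""
    zone = SERVERS[server]
    if zone.get(qname, ("",))[0] == "A":
        return zone[qname]
    labels = qname.split(".")
    for i in range(len(labels)):                    # longest suffix first
        suffix = ".".join(labels[i:])
        if zone.get(suffix, ("",))[0] == "NS":
            return zone[suffix]
    return None

def resolve(qname, max_referrals=8):
    """Iterative resolution from a root server down the hierarchy. Returns
    (ip or None, trail of servers consulted)."""
    server, trail = ROOT_HINTS[0], []
    for _ in range(max_referrals):
        trail.append(server)
        answer = query(server, qname)
        if answer is None:
            return None, trail                      # name does not exist
        rtype, value = answer
        if rtype == "A":
            return value, trail
        server = value                              # follow the referral
    return None, trail                              # referral loop: give up
```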
Sep 21, 2020
TCP & UDP
There are two common transport protocols used on the Internet: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP is the most used transport protocol on the Internet. The vast majority of applications use it, and the IP protocol suite is often called TCP/IP.
UDP is much simpler. It doesn't guarantee packet delivery and it is connectionless. Thanks to those properties it is much faster than TCP and provides better throughput. It is often used by multimedia applications that can tolerate packet loss but are throughput intensive, such as VoIP and video streaming, where a little glitch in the audio or video is acceptable.
TCP | UDP
Connection oriented protocol | Connectionless protocol
Rearranges data packets in the order specified | No inherent order, as all packets are independent of each other
Slower speed than UDP | UDP is faster, because error recovery is not attempted. It is a "best effort" protocol
Data is read as a byte stream; no distinguishing information is sent to signal message boundaries | Packets are sent individually and are checked for integrity only when they arrive. Packets have definite boundaries, meaning a read operation at the receiver socket will yield an entire message as it was originally sent
Ports are used to identify a single network process on a machine. When a process establishes a connection to an external Internet resource (browser -> website), a port is opened and associated with the browser. Information about the port is later sent as part of the header in the TCP or UDP packet. In the case of the aforementioned connection, the source port would be the one that was created for the browser. The destination port is then associated with the website (usually
This is how a process knows where information needs to be addressed.
In the case of UDP, which is connectionless, there is no handshake. For TCP, however, a connection must be established before any kind of transmission can happen. This is done in the so-called three-way handshake.
The header fields involved in the handshake are the sequence number, the acknowledgement number and the SYN and ACK flags:
- The client sends a TCP packet to the server with the SYN flag enabled and a random sequence number.
- The server replies by sending a packet with both the SYN and ACK flags set. Its sequence number is again chosen at random, but its acknowledgement number is the client's seq number + 1.
- The client completes the synchronization by sending an ACK packet. Its acknowledgement number is the server's seq number + 1 and its sequence number is the ACK + 1 from the second step.
Host 1                 | flags    | Host 2
Seq: 328, ACK: 0   --> | SYN      |
                   <-- | SYN, ACK | Seq: 412, ACK: 329
Seq: 330, ACK: 413 --> | ACK      |
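A handshake tracker that replays segments and checks the acknowledgement relationship described above (each reply must acknowledge the peer's seq + 1), added here as an example and not taken from the original notes. Connections are identified by the source/destination address and port 4-tuple from the ports discussion; the capture is constructed, reusing the 328/412 numbers from the table, and the leftover half-open entries are what a defender would watch as a SYN flood indicator.

```python
from collections import Counter
from dataclasses import dataclass

SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int

def track_handshakes(segments):
    """Replay segments in order. Returns (established, half_open): the set of
    (client, server) pairs whose handshake completed, and a Counter of SYNs per
    client IP that never completed. Each reply must acknowledge the peer's seq + 1."""
    pending = {}            # (client, sport, server, dport) -> (state, expected ack)
    established = set()
    for s in segments:
        if s.flags == SYN:
            pending[(s.src, s.sport, s.dst, s.dport)] = ("SYN_SENT", s.seq + 1)
        elif s.flags == SYNACK:
            key = (s.dst, s.dport, s.src, s.sport)          # server answers the client
            if pending.get(key) == ("SYN_SENT", s.ack):
                pending[key] = ("SYN_RCVD", s.seq + 1)
        elif s.flags == ACK:
            key = (s.src, s.sport, s.dst, s.dport)
            if pending.get(key) == ("SYN_RCVD", s.ack):
                del pending[key]
                established.add((s.src, s.dst))
    half_open = Counter(client for client, _, _, _ in pending)
    return established, half_open

def syn_flood_suspects(half_open, threshold=3):
    """Client IPs with at least `threshold` half-open connections."""
    return sorted(ip for ip, n in half_open.items() if n >= threshold)

# Constructed capture (documentation addresses): the exchange from the notes'
# table completes; a second host sends three SYNs that are never answered.
CAPTURE = [
    Segment("192.0.2.10", 51000, "192.0.2.80", 443, SYN, 328, 0),
    Segment("192.0.2.80", 443, "192.0.2.10", 51000, SYNACK, 412, 329),
    Segment("192.0.2.10", 51000, "192.0.2.80", 443, ACK, 330, 413),
    Segment("198.51.100.7", 40001, "192.0.2.80", 443, SYN, 1000, 0),
    Segment("198.51.100.7", 40002, "192.0.2.80", 443, SYN, 2000, 0),
    Segment("198.51.100.7", 40003, "192.0.2.80", 443, SYN, 3000, 0),
]
```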
Sep 19, 2020
A router is a networking device that forwards data packets between computer networks. A router is connected to two or more data lines from different IP networks. When a data packet comes in on one of the lines, the router reads the network address information in the packet header to determine the destination. Then, based on its routing table, it directs the packet to the next network.
The routing table contains information about the topology of the network immediately around the router.
The table can also contain an entry with the default address 0.0.0.0. This entry is used when the router receives a packet whose destination is an unknown network.
Routing table example (router):
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
126.96.36.199   0.0.0.0         255.255.255.255 UH    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    br0
188.8.131.52    0.0.0.0         255.255.252.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         184.108.40.206  0.0.0.0         UG    0   0      0    eth0
The kernel reads the routing table from the top down. The first column is the destination. The second column tells how to reach that destination.
The default gateway is always shown with the destination 0.0.0.0. The IP address in the gateway column is that of the outbound gateway router. The netmask for the default gateway means that any packet not addressed to the local network, or to another outbound router by additional entries in the routing table, is sent to the default gateway regardless of the network class.
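Route selection over the table printed above, as an added example (not code from the original notes). It parses the `route -n` style output into networks and picks the longest matching prefix, so the 0.0.0.0/0 default entry only wins when nothing more specific matches; the table text is copied from the notes and the lookup addresses are constructed.

```python
import ipaddress

# The table from the notes, as printed by `route -n`.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
126.96.36.199   0.0.0.0         255.255.255.255 UH    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    br0
188.8.131.52    0.0.0.0         255.255.252.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         184.108.40.206  0.0.0.0         UG    0   0      0    eth0
"""

def parse_routes(text):
    """Turn the kernel table into (network, gateway, flags, iface) tuples.
    A gateway of 0.0.0.0 means the network is directly connected (None here)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, mask, flags, *_rest, iface = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, flags, iface))
    return routes

def lookup(routes, destination):
    """Longest-prefix match: the most specific network containing the
    destination wins; the /0 default route is the fallback."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, gateway, flags, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return {"network": str(net), "via": str(gateway) if gateway else "direct",
            "flags": flags, "iface": iface}
```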
Networking Layer 2
Every host on a network has both an IP and a MAC address. When server A wants to send a packet to server B:
- server A creates a packet with:
  - the destination IP address of server B in the IP header of the datagram;
  - the destination MAC address of the router in the link layer header of the frame;
  - the source IP address of server A;
  - the source MAC address of server A.
- the router takes the packet and forwards it to server B (the destination MAC address is the MAC address of the next hop):
  - the destination MAC address is rewritten to that of server B;
  - the source MAC address is that of the router.
- Only the MAC addresses change. The IP addresses (both source and destination) stay the same: this is global information and remains constant along the packet's trip.
A MAC address is a unique identifier assigned to a network interface controller (NIC). It is assigned by the device manufacturer and typically includes the manufacturer's organizationally unique identifier (OUI). A MAC address is 48 bits (6 bytes) long and is expressed in hexadecimal form.
The IEEE has built in a special address that allows more than one NIC to be addressed at a time. It's called the broadcast address: FF:FF:FF:FF:FF:FF. A frame with this address is delivered to all devices in the local network.
Switches do not segment networks; only routers do. Usually, every interface of a router is connected to a different network. This is the reason why routers do not forward broadcast frames, while switches do.
To forward a frame:
- the switch reads the destination MAC address of the frame;
- it performs a look-up in the CAM table;
- it forwards the frame to the corresponding interface;
- if there is no entry for the MAC address, the switch forwards the frame to all its other interfaces.
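The look-up and flooding steps above in a small learning switch, added as an example (not code from the original notes). The CAM table is populated from the source MAC of each frame seen; the port numbers and the locally administered MAC addresses (02:...) are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Switch with a CAM table (MAC address -> port). It learns the source MAC
    of every frame it sees and floods frames whose destination is unknown."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the ports the frame leaves through."""
        self.cam[src_mac] = in_port                    # learn the sender's port
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return [p for p in self.ports if p != in_port]   # flood, never back out the input
        out_port = self.cam[dst_mac]
        return [] if out_port == in_port else [out_port]     # already on that segment

# Constructed scenario: hosts A (port 1) and B (port 2) on a four-port switch.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"

def demo():
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    first = sw.forward(1, A, B)      # B unknown: flooded to ports 2, 3, 4
    reply = sw.forward(2, B, A)      # A was learned on port 1: sent there only
    second = sw.forward(1, A, B)     # B now learned on port 2
    return first, reply, second, dict(sw.cam)
```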
Address Resolution Protocol (ARP)
The ARP is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.
Example of workflow
Two computers are connected to the same local network. Computer A wants to send a packet to Computer B. Through DNS, it determines Computer B's IP address.
To send the message, Computer A also requires Computer B's MAC address.
Computer A looks up the cached entry for that IP address in its ARP table:
- if the cache didn't produce a result for the IP address, Computer A sends a broadcast ARP request message to FF:FF:FF:FF:FF:FF, requesting an answer for Computer B's IP address.
Based on the retrieved information, Computer A sends the packet with Computer B's MAC address and IP address.
The ARP table has a time-to-live (TTL) for every entry. When it expires, or on power off, the host discards the entry.
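The cache-then-broadcast workflow above with per-entry TTL, as an added example (not code from the original notes). The "wire" is a constructed dictionary of hosts that would answer a request; the addresses and the 60 second TTL are constructed values.

```python
class ArpCache:
    """Host-side ARP table with a TTL per entry. A lookup that misses (or finds
    an expired entry) sends a broadcast request; the answer is cached afresh."""
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ttl_seconds, network):
        self.ttl = ttl_seconds
        self.network = network      # constructed wire: ip -> mac of the host that answers
        self.table = {}             # ip -> (mac, expiry time)
        self.requests_sent = []     # (destination mac, target ip) per broadcast sent

    def resolve(self, ip, now):
        """Return the MAC for `ip` at time `now`, or None if nobody answers."""
        entry = self.table.get(ip)
        if entry and now < entry[1]:
            return entry[0]                 # cache hit, entry still valid
        self.table.pop(ip, None)            # expired or unknown: discard it
        self.requests_sent.append((self.BROADCAST, ip))
        mac = self.network.get(ip)          # the owner of ip answers the broadcast
        if mac is None:
            return None
        self.table[ip] = (mac, now + self.ttl)
        return mac
```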
Sep 17, 2020
What is a packet
Every packet in every protocol has a header (control information) and a payload (user data). The header has a protocol-specific structure: this ensures that the receiving host can correctly interpret the payload and handle the communication. The payload is the actual information. It could be something like part of an email message or the content of a file during a download.
The IPv4 protocol header is at least 160 bits (20 bytes) long, and it includes 14 fields, of which 13 are required. The last field, called options, is optional.
[Figure: IPv4 header layout. Source: Wikipedia, author MichelBakni]
Using the information in the header, the nodes involved in the communication can understand and use IP packets.
Most of the time, when people talk about layers, they think about the OSI model. The OSI model promoted the idea of a consistent model of protocol layers, defining interoperability between network devices and software.
Based on that, we can think about seven layers (more here). What we need to know is that each protocol has a header and a payload. It goes from top to bottom: each lower layer encapsulates the layer above it in the form of payload.
If we look from a 10,000 foot perspective, we see only a data packet. However, if we look closer, it starts showing some interesting properties.
Every layer contains a payload in the form of header+payload from the previous layer. It means that at the lowest level we're looking at
(header + (header + (header + (header + payload))))
This happens to every packet sent by a host. On the other side of the pipeline, the receiving host needs to unpack all the information, layer by layer.
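The unpacking described above, done on a constructed Ethernet/IPv4/UDP frame: an added example, not code from the original notes. The parser uses the IHL field so a header with options (longer than the minimum 20 bytes) is still peeled correctly; the MAC and IP addresses, ports and payload are constructed.

```python
import ipaddress
import struct

ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Peel Ethernet -> IPv4 -> UDP. Each layer's payload is the next layer's
    header+payload, which is the nesting the notes describe."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": _mac(dst), "src": _mac(src), "type": ethertype}
    ip = frame[14:]                                   # Ethernet payload
    if ethertype != ETHERTYPE_IPV4:
        layers["payload"] = ip
        return layers
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                        # 20 bytes unless options are present
    layers["ip"] = {"version": ver_ihl >> 4, "hdr_len": ihl, "ttl": ttl, "proto": proto,
                    "src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d))}
    udp = ip[ihl:total_len]                           # IPv4 payload, options skipped
    if proto != PROTO_UDP:
        layers["payload"] = udp
        return layers
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    layers["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    layers["payload"] = udp[8:ulen]                   # UDP payload: the user data
    return layers

def build_frame(payload, options=b""):
    """Constructed sample frame (not a capture): payload wrapped in UDP, IPv4 and
    Ethernet headers. `options` must be a multiple of 4 bytes."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ihl_words = (20 + len(options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options) + len(udp),
                     0x1234, 0x4000, 64, PROTO_UDP, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("192.0.2.53").packed) + options + udp
    eth = bytes.fromhex("020000000035") + bytes.fromhex("02000000000a") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip
```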
Internet Protocol (IP)
An IPv4 address consists of 4 bytes (octets). A dot delimits every octet in the address. Each byte (2^8) can represent a value from 0 to 255.
Special use IPv4 addresses
RFC5735 describes IPv4 addresses which cannot be assigned to hosts due to their special use.
Common addresses in use:
127.0.0.0/8 <-- host loopback address.
169.254.0.0/16 <-- link-local communication between hosts when a DHCP server cannot be found.
192.168.0.0/16 <-- private networks.
Internet addresses are allocated by the InterNIC organization. The most common classes are A, B and C. D and E exist, but are not used by end users.
Each class has a different default subnet mask:
- Class A: uses 255.0.0.0 (CIDR /8) and has 0-127 as the first octet,
- Class B: uses 255.255.0.0 (CIDR /16) and has 128-191 as the first octet,
- Class C: uses 255.255.255.0 (CIDR /24) and has 192-223 as the first octet,
- Class D: 224-239 as the first octet, used for multicasting,
- Class E: 240-255 as the first octet, not available for general use, reserved for research purposes.
The address with all zeros in the host part is reserved for referring to the network itself, while the last address (all ones) is used as the broadcast address for the network. This means that two addresses in every network are unavailable. In the world of CIDR, a /32 would be unusable due to the above requirement. That's why RFC3021 created an exception: a /31 network is usable for point-to-point links, while a /32 (single-host network) must be reached by explicit routing rules, as there is no room in such a network for a gateway.
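The classification rules and the usable-host count from the last few paragraphs, combined in one added example (not code from the original notes). The special-use table holds only the three ranges the notes walk through (RFC5735 lists more), and the addresses passed in the usage are constructed.

```python
import ipaddress

# Special-use ranges from the notes (RFC5735 lists more; these are the three
# the text walks through).
SPECIAL_USE = {
    ipaddress.IPv4Network("127.0.0.0/8"): "host loopback",
    ipaddress.IPv4Network("169.254.0.0/16"): "link-local (no DHCP server found)",
    ipaddress.IPv4Network("192.168.0.0/16"): "private network",
}

CLASSES = [  # (first octet range, class letter, default mask)
    (range(0, 128), "A", "255.0.0.0"),
    (range(128, 192), "B", "255.255.0.0"),
    (range(192, 224), "C", "255.255.255.0"),
    (range(224, 240), "D", None),      # multicast, no default mask
    (range(240, 256), "E", None),      # reserved
]

def classify(address):
    """Return (class letter, default mask or None, special-use label or None)."""
    addr = ipaddress.IPv4Address(address)
    first_octet = addr.packed[0]
    letter, mask = next((c, m) for r, c, m in CLASSES if first_octet in r)
    special = next((label for net, label in SPECIAL_USE.items() if addr in net), None)
    return letter, mask, special

def usable_hosts(network):
    """Host addresses left once the network (all zeros) and broadcast (all ones)
    addresses are removed, with the RFC3021 exception for /31 and the /32 case."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen == 32:
        return 1           # single host, reachable only via an explicit route
    if net.prefixlen == 31:
        return 2           # point-to-point link: both addresses are hosts
    return net.num_addresses - 2
```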
RFC3513 (now obsolete) and RFC4291 describe the IPv6 addressing architecture. This version can address 2^128 devices (approximately 3.4*10^38). It was introduced in December 1995, but the majority of the Internet still relies on IPv4.
An IPv6 address is divided into two parts (each 64 bits): the network identifier and the interface identifier. Furthermore, the first 64 bits end with a dedicated 16-bit space that can be used only for specifying a subnet.