---
tags: uni, netapp
---

# BA Exam Net App Questions + Labs

## I. Short recap on networking (2)

### 1. Different Models and Protocols

![](https://i.imgur.com/Iqy3gFR.png =500x)

| Layer | | | | |
| -------- | -------- | -------- | - | - |
| **Application Protocols** | SSH/Telnet | FTP | DHCP | SNMP |
| | HTTP, HTTPS | DNS | NTP | RIP |
| **Transport Protocols** | TCP | UDP | | |
| **Internet Protocols** | IP | ARP | ICMP | |
| **Physical/Link Protocols** | Ethernet | ISDN | | |

A port is an identifier for a specific process or network service on a host.

**ICMP**
* Internet Control Message Protocol
* ICMP messages report on connectivity and routing
* **control** and **error messages**
* used by **ping** and **tracert**/**traceroute**

**UDP vs TCP**

| TCP | UDP |
| -------- | -------- |
| connection oriented | connectionless |
| reliable | not reliable |
| error recovery | no recovery, no ACKs |
| for applications that need reliability (neither protocol provides security by itself) | for real-time traffic |
| segment retransmission | no retransmission |
| larger header (at least 20 bytes) | smaller header (8 bytes) |

**NAT**
* Network Address Translation - maps IP addresses from one realm to another to provide transparent routing to hosts. Allows hosts in private internal networks to communicate with external networks. In other words, NAT rewrites the private IP address to a public one and vice versa.

**DHCP**
* Dynamic Host Configuration Protocol - offers dynamic IP addresses and other configuration information to hosts on a TCP/IP network.

### 2. MAC and IP

**Media Access Control Address**
* Written as hexadecimal digits (48 bits, e.g. `00:1a:2b:3c:4d:5e`)
* Networking hardware address, a unique identifier of a NIC (Network Interface Controller)
* ARP is used to translate an IP address into a MAC address

**Internet Protocol Address**
* A numeric label assigned to the NIC, 32 bits long for IPv4
* It is the logical address of the computer used on the Internet so that data destined for this address reaches it
* IP header, i.a.
consisting of: Version, Header Length, Identification, Flags, TTL, Protocol, Header Checksum, Source and Destination Address, Padding
* Private IP addresses:
  * Addresses reserved for private networks, LANs (Local Area Networks). They are not routed through the Internet (RFC 1918)
  * 10.0.0.0 - 10.255.255.255
  * 172.16.0.0 - 172.31.255.255
  * 192.168.0.0 - 192.168.255.255

## II. Recap ICMP, DHCP (1)

### 1. Which protocols does IP work with?
* **ARP** - Address Resolution Protocol - necessary to be able to send and receive packets on a LAN. ARP asks for the MAC address matching a given IP address and the owner replies
* **ICMP** - Internet Control Message Protocol - is a companion of IP that returns error information
* **DHCP** - Dynamic Host Configuration Protocol - assigns a local IP address to a host

:::info
**ICMP**
* Used by hosts and routers to communicate network-level information
* Echo request/reply
* Error reporting: host, port, network unreachable
* ICMP messages are carried inside IP datagrams
* Error messages contain type + code + the IP header and first 8 bytes of the datagram causing the error

| Type | Code | Meaning |
| ---- | ---- | ------- |
| 0 | 0 | echo reply (ping) |
| 3 | 0 | dest net unreachable |
| 3 | 1 | dest host unreachable |
| 3 | 2 | dest protocol unreachable |
| 3 | 3 | dest port unreachable |
| 3 | 6 | dest net unknown |
| 3 | 7 | dest host unknown |
| 8 | 0 | echo request (ping) |
| 11 | 0 | TTL expired |

* **ping** - used to test connectivity between hosts, but can also check DNS resolution: type the domain name instead of the IP address
* **traceroute** - used to find the route a packet takes to its destination and to measure the time to each hop
  * The host sends a series of test packets with TTL 1 and increases the TTL by one for every new set
  * When the n-th packet arrives at the n-th router, the router discards the datagram and sends back an ICMP "TTL expired" message (type 11). The source address of that message reveals the router's address; its name is obtained by a reverse DNS lookup.
* When the ICMP message arrives, the RTT is recorded
* **successful** - the probe reaches the destination, which answers (ICMP port unreachable for the UDP probes of Unix traceroute, echo reply for the ICMP probes of tracert); the host gets the RTT for every hop
* **unsuccessful** - the maximum number of hops is reached without an answer -> host unreachable, or the source stops sending
:::

:::success
**DHCP**
* Dynamic Host Configuration Protocol
* The goal of DHCP is that a host can obtain an IP address when joining the network. IP addresses can be
  * leased again
  * reused
  * obtained by mobile users
* DHCP is encapsulated in UDP datagrams (server port 67, client port 68)
* **DISCOVER, OFFER, REQUEST, ACK**
* Distributes IP addresses to hosts in the network that don't have a static address. Leases expire, so addresses can be reused, also by mobile users.
* How does a host get an IP address?
  * **static**, manually configured
  * **dynamic**, using DHCP:

![](https://i.imgur.com/obviDKm.png)

* DHCP also offers:
  * Gateway (default router)
  * Name and IP of the DNS server
  * Network mask (indicating network and host portion)
  * IP of the NTP (Network Time Protocol) server

**Wireshark Example**
![](https://i.imgur.com/oCdnrpX.png)
:::

## III. Transport Layer (17)

### 1. TL services
* Logical communication between processes on different hosts; runs on end systems
* Sender side: breaks application messages into smaller segments and passes them to the IP layer
* Receiver side: reassembles the segments delivered by the network layer and forwards them to the application layer
* 2 protocols: UDP (not reliable, not in order) and TCP
* Network Layer vs Transport Layer
  * Network: logical communication between hosts
  * Transport: logical communication between processes on hosts

### 2. Sockets
* Sockets provide communication between processes. A process sends/receives messages to/from its socket. It acts as a door between the application process and the transport layer, which carries the message to the socket of the receiving process.
* Socket = IP address + port number -> can be created for UDP or TCP

Well-known port numbers (RFC 6335)
* **System Ports** (0-1023) (assigned via IETF review)
* **User Ports** (1024-49151) (assigned by IANA)
* **Dynamic and/or Private Ports** (49152-65535) (not assigned, used for ephemeral client ports)

### 3. Demultiplexing
**Connection oriented:** The host receives IP datagrams, each carrying a transport-layer segment with source and destination IP address and source and destination port number. The 4-tuple (src IP, src port, dst IP, dst port) identifies the socket a segment is delivered to, so many sockets can be handled at the same time: a web server has a different connection socket for every client.

**Connectionless:** Only the destination IP and destination port number are used. Segments with different source IP/port but the same destination port are delivered to the same UDP socket.

![](https://i.imgur.com/0QVDaZW.png =650x)

### 4. UDP in detail
* Segments can be lost or delivered out of order
* Connectionless, thus: no handshake, and each segment is handled independently
* Used for: DNS, streaming multimedia apps and SNMP
* To make it reliable, add reliability in the application layer or app-specific error recovery
* UDP advantages: smaller header; no connection establishment (which would add delay); simple, no connection state at sender or receiver; no congestion control, so the app controls the send rate

**Header**
![](https://i.imgur.com/eYqdDYp.png =250x)

**UDP Checksum calculation**
1. The sender treats the segment (header fields, payload, plus an IPv4 pseudo-header with source/destination address, protocol number 17 and UDP length) as a sequence of 16-bit words
2. The checksum is calculated (one's complement of the one's complement sum of all words) and put into the checksum field
3. The receiver gets the segment, sums all words including the checksum field and checks the result: all ones - probably no error; anything else - error for sure

Calculation:
1. Add the 16-bit words. In case of overflow (carry out of the 16th bit), add the 1 back to the result (end-around carry).
2. In the result convert the 1s to 0s and vice versa (one's complement).
3. Compare the result with the value of the checksum field.

![](https://i.imgur.com/0CLKYHa.png)

### 5.
**Principles of reliable data transfer**
* Important in application, transport and link layer
* The characteristics of the unreliable channel determine the complexity of the reliable data transfer protocol.

![](https://i.imgur.com/tBnUUP2.png)

* Key problem: provide reliability even though packets may be lost, corrupted, duplicated or delayed.
* Principles
  * Detect lost packets
  * Detect errors in packets
  * Don't treat duplicated packets as new
  * Flow and congestion control

**Some reliable data transfer mechanisms**
* Checksum - detects bit errors
* Timer - used to time out and retransmit packets in case they were lost or the ACK was not received
* Sequence number - used to check whether all packets were received, whether each was received only once, and to detect duplicates
* ACK - acknowledgment that packets were received correctly. Sometimes, however, the ACK itself may get lost
* NACK - negative ACK, packets were not received correctly
* Windowing, pipelining - congestion and flow control. The window is the number of packets that may be sent without having received an ACK for them. Its size depends on network congestion and on the receiver's capacity. Regulating the sending rate depends on 2 factors:
  * The receiver is not fast enough (too little capacity for too much data) - flow control
  * The network is not fast enough - congestion control

### 6. TCP in detail
* Connection oriented - 3-way handshake to initialise sender and receiver state
* Point-to-point connection - no multicast, only one sender and one receiver
* Full duplex - bidirectional sending possible
* Flow control - does not overwhelm the receiver
* Pipelined - window size defined by congestion and flow control
* Reliable in-order delivery
* TCP view - unstructured, in-order stream of bytes
* **3-way handshake**
  * Both agree to establish the connection
  * Both agree on connection parameters - set up of sender and receiver buffers, variables and sockets. Variables, e.g.
**MTU** - Maximum Transmission Unit (largest payload of a link-layer frame) or **MSS** - Maximum Segment Size, maximum amount of application data per segment (MSS = MTU minus IP and TCP headers, e.g. 1500 - 40 = 1460 bytes over Ethernet)

![](https://i.imgur.com/6b3eVx8.png =320x)

**Closing connection**
![](https://i.imgur.com/aZ9ioeA.png)

**TCP segment structure**
- Source port & destination port
- Sequence number
- Acknowledgement number
- Header length & reserved bits & flags & receive window
- Checksum & urgent pointer
- Options
- Payload

![](https://i.imgur.com/ZyGEDPm.png =400x)

**TCP sequence & acknowledgment numbers**
- Sequence number - byte-stream number of the first byte in the segment's data
- ACK number - sequence number of the next byte expected from the other side (cumulative)

![](https://i.imgur.com/OW9AvcC.png =300x)

### 7. TCP Round Trip Time and Timeout
- How to set the TCP timeout?
  - Longer than the RTT, but the RTT varies
  - Too long - waiting too long for retransmissions
  - Too short - premature timeouts, unnecessary retransmissions
- How to estimate the RTT?
  - SampleRTT - time from sending a segment until receiving its ACK (retransmitted segments give no sample)
  - EstimatedRTT - smoothed SampleRTT: an exponentially weighted moving average of recent samples, not only the latest one
- What is the timeout interval?
  - EstimatedRTT + safety margin (4 x DevRTT, the smoothed deviation of SampleRTT from EstimatedRTT)

### 8. TCP reliable data transfer
- TCP creates a reliable data transfer service on top of the unreliable IP service, using:
  - Pipelined segments
  - A single retransmission timer
  - Cumulative ACKs - an ACK for byte n acknowledges all bytes before n. If an earlier ACK was lost but a later cumulative ACK arrives, the sender knows it does not need to retransmit the earlier segment.

![](https://i.imgur.com/VlUu3fr.png)

**TCP fast retransmit**
* The timeout period is often relatively long, so resending lost segments is delayed.
* Detect lost segments via duplicate ACKs
* Triple duplicate ACKs - if the sender gets 3 duplicate ACKs for the same byte, the following segment is most likely lost and is resent right away, even though there was no timeout. The sender resends the unacknowledged segment with the smallest sequence number.

![](https://i.imgur.com/pxDiree.png =400x)

### 9. TCP Flow Control
* The application layer may remove data from the TCP socket buffer too slowly.
The sender is sending a lot, so TCP delivers too much data to the socket buffer. Flow control avoids overwhelming the receiver's buffer by not sending too fast and too much.
* To avoid overwhelming the receiver, the receiver advertises its free buffer space in the rwnd value in the TCP header of receiver-to-sender segments. The amount of unacknowledged data in flight is limited to rwnd bytes, so it is guaranteed that the receiver's buffer won't overflow.
* The RcvBuffer is set via socket options. A common textbook default is 4096 bytes; in practice operating systems autotune it to much larger values.

![](https://i.imgur.com/NQi6rck.png)

### 10. TCP Congestion Control
* 2 layers are involved in congestion control
  * Transport layer - controls the offered load
  * Network layer - experiences congestion
* Goals: desirable bandwidth allocation and regulating the sending rate
* 2 approaches for congestion control (end-to-end vs. network-assisted)

![](https://i.imgur.com/DoNJJQG.png)

* The sender limits the rate at which it sends traffic into the connection as a function of perceived network congestion
  * Less/no congestion -> increase
  * Much congestion -> decrease
* Each side of a TCP connection consists of a receive buffer, a send buffer and several variables (rwnd, etc.)
* The TCP congestion-control mechanism keeps track of an additional variable, the CWND - **Congestion Window**, which limits the amount of unacknowledged data the sender may have in the network (rate is roughly cwnd/RTT). Effectively the sender is limited by min(cwnd, rwnd).
* AIMD - Additive Increase Multiplicative Decrease is a mechanism to control congestion.
The sender increases its sending rate to probe for usable bandwidth until loss occurs
  * If no congestion - increase cwnd by 1 MSS every RTT until loss occurs
  * Loss - cut cwnd in half

![](https://i.imgur.com/P5cyTsG.png =380x)
![](https://i.imgur.com/JpCrdSO.png =580x)

TCP is *fair* in the sense that if K TCP connections share the same bottleneck link of bandwidth R, each should get an average rate of R/K

![](https://i.imgur.com/2cCvpKf.png)

* 2 competing sessions
* Additive increase gives a slope of 1 as throughput increases
* Multiplicative decrease reduces throughput proportionally

![](https://i.imgur.com/h5UvhEP.png)

### 11. TCP Congestion Control: Stages
1. Slow start
   * cwnd starts at a small value, 1 MSS
   * cwnd is increased by 1 MSS for every ACK received, i.e. it doubles every RTT: **exponential** growth
   * Ends at loss or when the slow-start threshold ssthresh is reached
2. Congestion avoidance
   * Congestion could occur soon
   * cwnd increases by only 1 MSS per RTT: **linear** growth
3. Fast recovery
   * Not always used, but recommended
   * Differs between TCP versions (Tahoe resets cwnd to 1 MSS on a triple duplicate ACK; Reno halves it and enters fast recovery)

![](https://i.imgur.com/7s99ImY.png)

The exponential increase should switch to linear when cwnd reaches 1/2 of its value before the last loss. The variable **ssthresh** implements this: on a loss event ssthresh is set to 1/2 of cwnd just before the loss, and after a timeout cwnd is reset to 1 MSS.

### 12. TCP Congestion Control today
Early congestion control was good enough for SMTP, Telnet etc., but nowadays high-speed TCP connections are needed (streaming, cloud computing). **CUBIC** was designed for large, fast networks:
* Window size is a cubic function of the time since the last congestion event
* Window growth does not depend on ACK clocking - independent of RTT
* Default in current versions of Windows and Linux

### 13. Securing TCP with TLS
TCP and UDP are not secure by themselves: there is no encryption, so passwords are sent in cleartext over the network. Thus **TLS** - Transport Layer Security is used to secure TCP (DTLS is the counterpart for UDP) and it provides:
* Encrypted TCP connection
* Data integrity
* End-point authentication

TLS sits above TCP, i.e. at the application layer from the transport layer's point of view.
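As an added example for sections 7 and 11 above (my code, not part of the original notes): a model of the two pieces of TCP sender state those sections describe, the RTO estimator with the RFC 6298 gains (alpha 1/8, beta 1/4, RTO = SRTT + 4*RTTVAR) and the cwnd state machine with slow start, congestion avoidance and the Tahoe/Reno reactions to loss. cwnd is kept in MSS units and one `rtt` event stands for a whole window of ACKs; those simplifications are mine.

```python
"""TCP sender state from the notes: RTO estimation (RFC 6298) and the cwnd state machine.
Added example; cwnd is counted in MSS and one 'rtt' event = one window of ACKs."""


class RttEstimator:
    """EstimatedRTT and DevRTT as exponentially weighted moving averages."""

    def __init__(self, alpha=0.125, beta=0.25):
        self.alpha, self.beta = alpha, beta       # RFC 6298 recommended gains
        self.srtt = self.rttvar = None
        self.rto = 1.0                             # initial RTO (seconds) before any sample

    def sample(self, sample_rtt):
        """Feed one SampleRTT (seconds) from a segment that was not retransmitted
        (Karn's algorithm: retransmitted segments give no sample)."""
        if self.srtt is None:                      # first measurement
            self.srtt, self.rttvar = sample_rtt, sample_rtt / 2
        else:
            # the deviation is updated first, with the old SRTT, then SRTT itself
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - sample_rtt)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * sample_rtt
        self.rto = self.srtt + 4 * self.rttvar     # "EstimatedRTT + safety margin"
        return self.rto

    def timeout(self):
        """Exponential backoff after a retransmission timeout."""
        self.rto *= 2
        return self.rto


class CongestionWindow:
    def __init__(self, ssthresh=8, reno=True):
        self.cwnd, self.ssthresh, self.reno = 1, ssthresh, reno

    def on_rtt(self):
        if self.cwnd < self.ssthresh:              # slow start: doubles per RTT, capped at ssthresh
            self.cwnd = min(2 * self.cwnd, self.ssthresh)
        else:                                      # congestion avoidance: +1 MSS per RTT
            self.cwnd += 1

    def on_triple_dup_ack(self):
        self.ssthresh = max(self.cwnd // 2, 2)
        # Reno continues from ssthresh (fast recovery); Tahoe restarts slow start
        self.cwnd = self.ssthresh if self.reno else 1

    def on_timeout(self):
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1                              # back to slow start


def run(events, **kw):
    """Apply events ('rtt', 'dup3', 'timeout') in order; return the cwnd trace and final ssthresh."""
    cw = CongestionWindow(**kw)
    handlers = {"rtt": cw.on_rtt, "dup3": cw.on_triple_dup_ack, "timeout": cw.on_timeout}
    trace = []
    for ev in events:
        handlers[ev]()
        trace.append(cw.cwnd)
    return trace, cw.ssthresh


if __name__ == "__main__":
    est = RttEstimator()
    for s in (0.100, 0.120, 0.090):
        print(f"sample {s:.3f}s -> RTO {est.sample(s):.4f}s")
    print(run(["rtt"] * 5 + ["dup3", "rtt", "timeout", "rtt", "rtt", "rtt"]))
```

With ssthresh 8 the trace shows the sawtooth from the figures: 1, 2, 4, 8 (slow start), 9, 10 (linear), halved to 5 on three duplicate ACKs, then back to 1 after a timeout with ssthresh cut to 3.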
The application writes cleartext passwords into the TLS socket API (Application Programming Interface); the bytes traverse the Internet encrypted.

![](https://i.imgur.com/4FTxjRk.png =400x)

### 14. 3 application types in multimedia networking
* Streaming stored audio/video - data is stored at the server; playout begins before the whole file is downloaded
* Conversational voice and video over IP - Skype, WhatsApp
* Streaming live audio/video - live concerts

**Challenges in streaming a stored video**
* **Continuous playout constraint** - once playout starts it must keep pace with the original timing, but network delays are variable (**jitter**) - therefore a client-side buffer is needed to absorb the variation
* Client interactivity - pause, rewind, fast-forward
* Packet loss, retransmissions

![](https://i.imgur.com/i9YrZ4b.png)

**Streaming multimedia via UDP**
* Server sends traffic at a rate appropriate for the client
* Often: send rate = encoding rate = constant rate
* Transmission rate may be oblivious to the congestion level
* UDP may not get through firewalls
* Short playout delay to remove network jitter
* Error recovery at the app layer

**Streaming multimedia via HTTP**
* Multimedia file retrieved via HTTP GET
* Server sends at the maximum possible rate under TCP
* Fill rate fluctuates due to TCP congestion control and retransmissions (in-order delivery)
* Larger playout delay, which smooths out the varying TCP delivery rate
* HTTP/TCP passes more easily through firewalls

**Voice-over-IP (VoIP)**
* VoIP has an end-to-end delay requirement to maintain the conversational character
* Higher delays are noticeable and disturb the interaction
* < 150 ms good, > 400 ms bad
* Includes app-level and network delays
* Characteristics
  * Speaker's audio: alternating talk spurts and silent periods
  * Packets are generated only during talk spurts
  * 64 kbps during a talk spurt
  * 20 ms chunks at 8 kbytes/s, i.e. 160 bytes per chunk
  * App header added to each chunk
  * Chunk + header encapsulated in a UDP or TCP segment
  * App sends a segment into the socket every 20 ms during a talk spurt

### 15.
**RTP - Real-Time Transport Protocol**
* Generic, application-independent protocol providing transport facilities and support for sending real-time media over UDP
* Today mainly used for VoIP
* Often implemented as part of an application
* 2 aspects
  * Transporting video and audio data in packets
  * Processing to play audio and video at the right time

![](https://i.imgur.com/gr70Tfd.png)

* Operation principle:
  1. Media data consists of several streams (audio, video, text). They are encoded by the application.
  2. Streams are multiplexed and packed into RTP packets, which are then sent to the socket.
  3. The receiving app gets the packets from the RTP library and is responsible for playing out the media: decoding and synchronisation of the several media streams.
* Services
  * Multiplexing - several real-time data streams are multiplexed into one stream of UDP packets. Unicast or multicast
  * Sequencing of packets - to detect packet loss
  * Timestamping - timestamps relative to the start of sending. Used to detect missing packets and for buffering
  * RTP does not provide retransmissions or ACKs
  * QoS - RTP does not provide in-time data delivery or other QoS guarantees. The RTP header is only interpreted at the end points; routers don't look at it.

**RTP Header**
* The RTP header contains fields describing the data type and fields for synchronisation across multiple streams.

![](https://i.imgur.com/Jsr0de9.png)

* Most important:
  * Payload type - type of encoding currently being used. If it changes during a call, the sender informs the receiver via the payload type field.
  * Sequence number - incremented with every RTP packet. For data loss detection and restoring packet order
  * Timestamp - sampling instant of the first byte; used for jitter removal and playout timing
  * SSRC - Synchronization Source - identifies the source of the RTP stream.

### 16. Buffering and jitter control
* The buffer at the receiver delays packets and absorbs jitter so that streaming media is played out smoothly.
* High jitter - widely varying delays - requires a larger buffer to avoid gaps in playout

![](https://i.imgur.com/a0weKZl.png)

### 17.
**RTCP - Real-time Transport Control Protocol**
* Helps RTP with management tasks
* Carries feedback (delay, jitter, loss statistics, etc.)
* Inter-stream synchronisation
* Naming of the various sources - info to be displayed on the user interface

## IV. NAT (2)

### 1. NAT
Network Address Translation - implemented on a router or gateway between networks. It translates inside IP addresses into (sometimes several) outside IP addresses and vice versa. Not a protocol in the usual sense, since it operates on both L3 and L4 headers (addresses and port numbers).

Why use NAT?
* The local network uses one IP address, as seen by the outside world, for all devices instead of a range of addresses
* The addressing of the local network can change without notifying the outside world
* Changing the ISP without changing the internal addresses

Is NAT secure?
* NAT provides some kind of security as a side effect: the internal network structure is hidden from the public, and unsolicited inbound connections have no mapping and are dropped. A firewall should still be implemented as well.
* There is a special mode for IPsec NAT traversal (NAT-T, ESP encapsulated in UDP), but normally IPsec does not work with NAT, because NAT changes the IP address -> the packet becomes invalid for IPsec (integrity violation) -> problems for:
  * ESP tunnel mode - the original IP header is encapsulated in the encrypted packet and ESP carries no port numbers, so a NAT doing port translation has nothing it can rewrite
  * AH, tunnel and transport mode - the MAC (Message Authentication Code) covers the IP addresses, so any rewrite fails verification.

**Source NAT**
Source NAT - changing the source address. Done when an internal client initiates a connection to the outside world. SNAT is done after the routing decision (POSTROUTING chain in netfilter).
* For outgoing packets - replace (source IP address, port#) with (NAT IP address, new port#) <- this pair is what remote hosts see
* The (inside socket, NAT socket) pair is saved in the NAT table as a translation entry
* For incoming packets - replace (NAT IP address, new port#) in the destination fields with the original (source IP address, port#), using the information stored in the NAT table

![](https://i.imgur.com/GnMKiwo.png =400x)

**Destination NAT**
Destination NAT - changing the destination address, used for port forwarding.
Used when an outside client wants to initiate a connection with an internal host. Performed before the routing decision is made (PREROUTING chain in netfilter).
* For incoming packets - replace (dest IP address, port#) with (inside dest IP, inside port#).
* Remember the translation pair in the NAT table
* For outgoing reply packets - replace (inside IP, inside port#) in the source fields with the original (dest IP address, port#).

![](https://i.imgur.com/bG7TZDp.png =400x)

**Mapping in NAT**
* **Static NAT** - one-to-one mapping. A private IP is always mapped to the same outside IP
* **Dynamic NAT** - pool-to-pool mapping. A private address is not always mapped to the same outside IP

**(Only one) port forwarding in NAT**

`iptables -t nat -A PREROUTING -d {inside_global} -p {layer4_protocol} --dport {destination_port} -j DNAT --to-destination {inside_local:inside_local_port}`

### 2. How does dynamic NAT with PAT overloading work?
Port Address Translation - many private IP:port pairs are mapped onto one public IP with different ports, so a private IP is not always mapped to the same public IP:PORT
* If the public IP changes (e.g. a dynamic address from the ISP) - use MASQUERADE (more CPU expensive, it looks up the interface address per packet) and specify the outgoing interface. When the link goes down, the connections are forgotten
* If the public IP doesn't change - use SNAT with an explicit address, because it uses less CPU

## V. Firewalls (7)

### 1. Firewalls
Defined rules that authorise or deny traffic passing through the network in both directions, mostly based on L3 and L4 information. A firewall acts as a barrier between different network areas to protect them. However, it cannot protect against internal attacks, incorrect wireless configs and BYOD devices infected outside and brought inside.

Design goals:
* All traffic needs to pass through the firewall
* The firewall itself needs to be immune against network-based attacks and physical access
* Whitelisting is mostly used - deny all, allow only specific traffic.
(Blacklisting - allow all, deny some)

Traffic filtering can be based on:
* Service type - defined by port, IP address etc.
* Content type - if a proxy interprets the application-layer content
* User type - the user trying to enter the network
* Behaviour type - if a defined set of rules is exceeded (e.g. connection rate limits)

### 2. Firewall Architecture: The Packet Filtering Firewall
Filters all incoming and outgoing packets based on:
* Source and destination IP
* Transport-layer protocol - and TCP flags like SYN, ACK
* Port - identifies an application
* Physical interface - (incoming or outgoing interface) of the firewall

A PFF is very simple and fast, but:
* No tracking whether a packet is the answer to another
* No tracking whether a connection is related to another connection
* No limit on the number of packets allowed to pass within a connection
* No protection against application-specific vulnerabilities

**Common vulnerabilities of a PFF**
1. IP address spoofing is possible if no other mechanism is applied (e.g. ingress filtering: drop packets arriving on the outside interface with an inside source address)
2. Tiny fragment attack: extremely small fragments force the TCP header to be split across fragments. Mostly only the first fragment is checked and the following ones are just forwarded. Protection: reject fragments that are too small, or require the first fragment to carry a minimum amount of the transport header
3. Overlapping fragment attack: the attacker wants to connect to port 23, but only port 80 is open. The first (and only checked) fragment carries port number 80, but a second fragment has its offset manipulated so that at reassembly the port number gets overwritten with 23. Protection: no fragmentation allowed, or reassembly before the forwarding decision (slow)

### 3. Firewall Architecture: The Stateful Inspection Firewall
A PFF makes filtering decisions based on individual packets; a SIF considers additional context.
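To tie the NAT table of section IV.1 and the connection tracking of this section together, here is an added example (my code, not from the notes): a small model of a gateway that does DNAT before routing, accepts only packets that belong to a tracked connection or open a new one (SYN for TCP, any first packet for UDP), and does SNAT with port overloading after routing, the same order netfilter's PREROUTING / filter / POSTROUTING chains apply. The IP addresses come from the documentation ranges and the port pool starting at 40000 is my choice.

```python
"""Model of a NAT gateway with connection tracking (netfilter order: DNAT before routing,
stateful filter, SNAT after routing). Added example; addresses are documentation ranges."""
from dataclasses import dataclass, replace as with_fields
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()      # TCP flags, e.g. frozenset({"SYN"})


class NatGateway:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})   # (proto, public port) -> (inside ip, inside port)
        self.snat = {}                         # (proto, inside ip, inside port) -> public port
        self.rsnat = {}                        # (proto, public port) -> (inside ip, inside port)
        self.conntrack = set()                 # inside-view 5-tuples of accepted connections
        self.ports = count(first_port)         # pool of public ports for PAT overloading

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if the filter drops it."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.conntrack:
            if pkt.proto == "tcp" and "SYN" not in pkt.flags:
                return None                    # unknown connection and not a handshake start
            self.conntrack.add(key)
        inside = key[:3]
        if inside not in self.snat:            # first packet of this inside socket: allocate a port
            port = next(self.ports)
            self.snat[inside] = port
            self.rsnat[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return with_fields(pkt, src_ip=self.public_ip, src_port=self.snat[inside])

    def inbound(self, pkt):
        """Outside -> inside: DNAT via the NAT table or a static port forward, then filter."""
        target = (self.rsnat.get((pkt.proto, pkt.dst_port))
                  or self.forwards.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None                        # no mapping at all: unsolicited, dropped
        inner = with_fields(pkt, dst_ip=target[0], dst_port=target[1])
        key = (pkt.proto, inner.dst_ip, inner.dst_port, inner.src_ip, inner.src_port)
        if key in self.conntrack:
            return inner                       # reply to a tracked connection
        if (pkt.proto, pkt.dst_port) in self.forwards and (pkt.proto != "tcp" or "SYN" in pkt.flags):
            self.conntrack.add(key)            # new connection to a forwarded service
            self.snat[key[:3]] = pkt.dst_port  # its replies must leave from the forwarded port
            return inner
        return None                            # mapped port, but not this peer's connection


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5", forwards={("tcp", 8080): ("192.168.1.10", 80)})
    print(gw.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.7", 443, frozenset({"SYN"}))))
    print(gw.inbound(Packet("tcp", "198.51.100.7", 443, "203.0.113.5", 40000, frozenset({"SYN", "ACK"}))))
    print(gw.inbound(Packet("tcp", "198.51.100.9", 1234, "203.0.113.5", 40000, frozenset({"SYN"}))))
```

The third call shows the stateful part: port 40000 has a NAT entry, but the SYN comes from a host that is not the other end of the tracked connection, so it is dropped instead of being handed to the inside client, which a pure packet filter with "allow all replies to high ports" would have let through.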
Client-server apps often rely on TCP as the transport-layer protocol, so the following connection information is used:
* Ports:
  * Well-known ports (below 1024) on the server side
  * Temporary (ephemeral) ports (1024 up to 65535) on the client side
* Source and destination address
* Sometimes sequence numbers
* A limited amount of application-layer data to identify related connections (e.g. FTP data channels)
* After a FIN/RST flag or a timeout the connection entry is closed

A SIF tracks packets as connections, in contrast to a PFF: incoming packets must match a previously seen outgoing connection, based on source and destination IP and port numbers. In a PFF all temporary ports would have to be left open to allow answers from the server side.

### 4. Firewalls on higher layers
* DPI (Deep Packet Inspection): checks the payload too
* IDS (Intrusion Detection System): monitors for malicious activity
* IPS (Intrusion Prevention System): blocks malicious activity
* HA cluster - high-availability cluster
  * two parallel hardware appliances
  * Active/Active or Active/Passive configuration
  * Status is monitored via a heartbeat connection
  * Connection state is synchronised between all devices

### 5. Firewalls - Placements
In general firewalls are located between the internal and the external network, but they can also be placed internally at different places to create different security zones. Distributed zones are centrally managed and a separate set of rules is created for each. Bastion hosts, host-based and personal firewalls can be combined in such a system. Log analysis is done at the management centre.
Systems used to implement a firewall
* Stand-alone machine on general-purpose hardware
* Specialised hardware with a hardened, small operating system
* As part of the software in a router or switch

Different types of firewall placements
* **Bastion Host**
  * Secure operating system version, resulting in a hardened system
  * Reduced functionality, e.g. only proxies for DNS, FTP
  * Proxies run as non-privileged users
  * File system read-only
  * Logs information about all traffic and each connection
  * Authentication before access

![](https://i.imgur.com/99F0vcD.png =400x)

* **Host-based firewall**
  * Protects an individual host
  * Available for many operating systems
  * Independent of the network topology
  * Mostly implemented directly on the server that needs to be protected
  * Filtering rules tailored to the host environment
  * Also protects against internal attacks
* **Personal firewall**
  * Protects a personal computer
  * Less complex than network-wide firewalls
  * Mostly protects against unauthorised access
  * Monitors outgoing packets to detect and block malware
  * Can take the originating application into account to allow or deny its traffic

### 6. DMZ network
Demilitarised zone - dividing a network into several security areas with different trust levels, where a bastion host sits at the boundary.
* Externally reachable systems (e.g. mail server, DNS) are in the DMZ and have their own firewall
* Internal systems are protected by one or more internal firewalls. These provide two-way protection between the internal hosts and the DMZ

![](https://i.imgur.com/ZpIdFhh.png =400x)

### 7. Firewalls - iptables
![](https://i.imgur.com/vMnh5ey.png)

## VI. Troubleshooting (5)

### 1. Troubleshooting
Is done to reduce failure times; unstructured troubleshooting is hard, so a structured approach is needed.
**Terminology**
* Fault - the cause of an error
* Error - the part of a component's state that can lead to a failure
* Failure - a component does not behave the way it should

Types of faults
* Transient - occurs only once
* Intermittent - comes and goes and comes again
* Permanent - exists until the faulty component is replaced

Fault handling
* Prevent
* Remove
* Tolerate - add redundant components to mask faults
* Forecast - estimate the presence of faults

Types of failures
* Crash failure - stops responding
* Omission failure - fails to respond to requests
* Commission failure - behaves differently than it should
* Timing failure - responds too late (timed out)
* Response failure - wrong response
* Arbitrary (Byzantine) failure - arbitrary responses at arbitrary times

### 5. Explain the structured troubleshooting approaches

| Approach | Access | First-aid tools |
| -------- | -------- | -------- |
| Top-down | Start at L7 | Browser |
| Bottom-up | Start at L1 | Cable |
| Divide-and-conquer | Start at L3 | Ping |
| Spot-the-differences | Compare configs | Diff |
| Follow the path | Discover the traffic path | Ping |
| Move the failure | Physically swap components | Hardware |

### 2. Interfaces troubleshooting
* **arp** - displays and modifies the IPv4 neighbour cache (mapping of IP addresses to physical addresses). Can add and remove entries.
* **ipconfig** (Windows) / **ifconfig** (Unix) - displays and controls the current IP configuration
* **ip** - in Linux displays and modifies routing, network devices and interfaces (replaces ifconfig, arp and route)

### 3. Routing troubleshooting
* **route** - displays and modifies the IP routing table
* **ip route show** - prints the routing table in Linux
* **ping** - sends ICMP ECHO-REQUEST messages to test connectivity
* **tracert** - Windows; shows the route a packet takes to the destination
* **traceroute** - tracert in Linux. Finds the route packets take to the destination host by sending test packets with increasing TTL and waiting for the 'time exceeded' replies

### 4. Connections troubleshooting
* **netstat** - prints network connections (including masqueraded ones), routing tables and interface statistics

### 5.
**DNS troubleshooting**
* **nslookup** - a program to query Internet domain name servers (e.g. for A records) using its own internal resolver library
* **dig** - a program to query Internet domain name servers (e.g. for A records); shows the complete answer with all resource records and flags
* **whois** - looks up domain and address registration data in databases maintained by several NICs (Network Information Centers)
* **tcpdump** - captures traffic passing through an interface for analysis. Also used as a security tool.
* **TShark** - open-source packet analyser (the command-line Wireshark). Captures packets from a live network or reads packets recorded in a previous session. It prints them decoded or writes them into a file.
* **nmap** - scans a whole network and displays e.g. the hosts in the network or their open ports
* **telnet** - communicates with another host using the telnet protocol; also handy to check whether a TCP port answers
* **netcat** - also called the **Swiss army knife**, used for everything around TCP, UDP and UNIX domain sockets (listening, connecting, port scanning, file transfer). Examples:
* **hostname** - displays the system's hostname

## VII. Network Application Protocols (10)

### 1. Creating a net app
Apps are based on protocols - protocols define the format and order of messages and the actions taken on them. Apps should run on different end systems and communicate over the network, e.g. web server software that communicates with browser software. No need to write software for network-core devices, since they do not run user applications.

**2 possible app architectures**

Client-server
* The server is an always-on host with a permanent IP address, and a data center for scaling
* Clients connect to the server instead of communicating directly with each other. A client may be intermittently connected and have a changing IP address

Peer-to-peer
* No always-on host and no permanent IP addresses, intermittent connections. Hosts communicate directly with each other. Peers both request and offer services - self-scalable.
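Sections III.2/III.3 (sockets, demultiplexing) and the client-server architecture above in running code, as an added example that is not from the notes: a loopback echo server whose listening socket is bound with port 0 (the OS picks a free port), and clients whose ephemeral source ports the OS picks the same way. Every `accept()` returns a new socket identified by the 4-tuple, which is the demultiplexing the notes describe. The upper-casing echo and the `hello i` messages are my constructed sample traffic.

```python
"""Socket = (IP, port): an echo server that gets one connection socket per client while its
listening socket stays open. Added example; loopback only, so no external network is needed."""
import socket
import threading


def serve(listener, n_clients):
    """Accept n_clients connections. Each accept() hands back a new socket identified by
    (server IP, server port, client IP, client port): TCP demultiplexing by the 4-tuple."""
    peers = []
    for _ in range(n_clients):
        conn, peer = listener.accept()
        with conn:
            peers.append(peer)
            conn.sendall(conn.recv(1024).upper())   # echo back in upper case
    return peers


def exchange(n_clients=2):
    """Run server thread + n sequential clients; return what both sides observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS choose a free server port
    listener.listen()
    server_port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(peers=serve(listener, n_clients)))
    worker.start()
    replies, client_ports = [], []
    for i in range(n_clients):
        with socket.create_connection(("127.0.0.1", server_port)) as c:
            client_ports.append(c.getsockname()[1])   # ephemeral source port chosen by the OS
            c.sendall(f"hello {i}".encode())
            replies.append(c.recv(1024).decode())
    worker.join()
    listener.close()
    return {"server_port": server_port, "client_ports": client_ports,
            "replies": replies, "peers": result["peers"]}


if __name__ == "__main__":
    print(exchange())
```

The server-side `peers` list contains exactly the (IP, ephemeral port) pairs the clients saw on their own sockets: the same 4-tuple is what a stateful firewall or NAT in between would key its table on.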
**Process communication**

A process is a program running within a host
* Processes on one host - inter-process communication defined by the OS
* Processes on different hosts - communication by exchanging messages
* Client process: initiates communication with the server
* Server process: waits to be contacted
* Peer-to-peer apps have both client and server processes

What transport service does an app need?
* Data integrity: some apps accept packet loss, but some require 100% reliable transfer (transactions)
* Timing: some apps cannot accept much delay (telephony, interactive gaming)
* Throughput: some apps (multimedia) need a minimum throughput, others can work with whatever they get
* Security: encryption, data integrity, authentication

### 2. Application layer protocols
Define:
* Message types: request, response
* Message syntax: what fields are in a message and how they are delineated
* Message semantics: meaning of the information in the fields
* Rules for when and how to send messages and respond to them
* Open: defined in RFCs, for interoperability (HTTP, SMTP)
* Proprietary: Skype, WhatsApp

### 3. Telnet vs SSH
Telnet - Teletype over network protocol
* Client-server
* Bi-directional
* TCP port 23
* No encryption: passwords travel in cleartext

SSH - Secure Shell: for secure remote login and other services over an insecure network, TCP port 22
* Architecture (RFC 4251)
  * Transport Layer Protocol - server authentication, confidentiality and integrity
  * User Authentication Protocol - authenticates the client-side user to the server
  * Connection Protocol - multiplexes the encrypted channel into several logical channels
* Swiss army knife for connectivity
  * Remote command-line login
  * SFTP - secure file transfer
  * Secure tunnel (port forwarding between remote hosts) - can be used to tunnel through firewalls, simpler than a VPN
* Tools
  * OpenSSH
  * PuTTY

### 4. DNS
An IP address consists of 32 bits for addressing datagrams, whereas a domain name is human-readable. DNS is used to map domain names to IP addresses. The distributed database is implemented in a hierarchy of many name servers.
They communicate with each other to resolve names (name/IP translation). It is a core Internet function, implemented as an application layer protocol.

DNS services:
* Hostname to IP translation
* Host aliasing (alias - 'Spitzname', a nickname that is easier to remember than the canonical name)
* Mail server aliasing
* Load distribution (several A records for one name, returned in rotating order)

DNS cannot be centralized: a single point of failure, a huge traffic volume at one place, long distances to one far-away database and a maintenance nightmare. A centralized DNS does not scale. Therefore it is a distributed, hierarchical database.

![](https://i.imgur.com/FAStZoI.png =400x)

**DNS Name Space**

The DNS name space is hierarchical from the root down - different parts are delegated to different organisations. ICANN controls the generic top-level domains.

![](https://i.imgur.com/k0HRZmi.png)

**Types of DNS servers**

**Local DNS** server: every ISP (and most organisations) runs one, also called the default DNS server. When a host makes a query, it is sent to its local DNS server, which then queries the hierarchy on the host's behalf - the local DNS server acts as a proxy (recursive resolver). Recently used name-IP translation pairs are kept in its cache.

**Root DNS** servers are used if the local name server cannot resolve a name from its cache. There are 13 root server addresses worldwide, each served by many anycast copies. The root does not know the final mapping; it refers the resolver to the TLD server responsible for the name's top-level domain.

**Top-level DNS** servers are responsible for com, edu, org, etc. and for the country codes such as at, de. nic.at is responsible for at.

**Authoritative DNS** server is an organization's own server that provides the authoritative hostname-to-IP mappings for its own hosts. It can be run by the organization itself or by a service provider.

**DNS name resolution**

Finding the IP address for a given hostname. The host sends the query to its local DNS server, which asks a root server. The root server returns a referral to the server for the next lower zone (the TLD server), which in turn refers to the authoritative server. This continues down the tree until the IP is found; the answer is then passed back to the host.
The DNS protocol uses UDP port 53 (TCP 53 for zone transfers and for answers that do not fit into a UDP datagram). Since UDP does not retransmit, the resolver itself repeats lost queries after a timeout, and it caches answers for better performance.

* Iterated query:
    * The contacted server replies with the name of the next server to contact
    * 'I don't know, but ask him, he will know'

![](https://i.imgur.com/BpTDRY9.png)

* Recursive query:
    * The contacted server forwards the query to the next server itself and returns the final answer
    * Heavy load on the upper layers of the hierarchy, which is why root and TLD servers only answer iteratively

![](https://i.imgur.com/xxgcpTP.png)

**Split-Horizon**

Facility of a DNS implementation that returns different sets of DNS information depending on the source IP address of the DNS request. It divides the view into an external and an internal part, so that internal hostnames and addresses are not exposed to the Internet.

### 5. DNS Resource Records

Once a name server learns a mapping it saves it in its cache. The entry times out after its TTL has expired, so the root servers do not have to be contacted all the time. But if a record changes, clients that still hold the old cached entry do not see the change until the old TTL expires.

DNS is a distributed database storing resource records (RR). The key resource records are addresses (A for IPv4, AAAA for IPv6) and name servers (NS).

![](https://i.imgur.com/MpTqlcc.png)

Several types (each RR: name, value, type, TTL):
* A - name is a hostname, value is an IPv4 address (AAAA for IPv6)
* NS - name is a domain, value is the hostname of an authoritative server for that domain
* CNAME - name is an alias, value is the canonical name
* MX - value is the name of the mail server associated with the name, with a preference number
* IN - not a type but the class field: Internet information

**DNS messages**

Query and reply messages have the same format: a 12-byte header (16-bit identification number; flags such as query/reply, recursion desired/available, authoritative; counts of question, answer, authority and additional RRs), followed by the question, answer, authority and additional sections.

![](https://i.imgur.com/TnrVG3T.png)

**Inserting records into DNS**

Register the new domain name at a DNS registrar - provide the names and IP addresses of your authoritative servers. On your authoritative server create the records for the hosts (type A) and for mail (type MX). The registrar inserts 2 RRs into the .com TLD server: an NS record pointing to your name server and an A record (glue) with its address.

### 6. Attacking DNS

* DDoS attacks
    * flooding root servers with traffic (largely absorbed by anycast and caching)
    * flooding TLD servers (more dangerous, less caching)
* Indirect attacks
    * Man-in-the-middle: intercept queries and answer with bogus replies
    * DNS poisoning - send bogus replies to a caching DNS server; the attacker has to guess the 16-bit identification number and the source port of the outstanding query, which is why resolvers randomize both
* Exploit DNS for DDoS (reflection/amplification)
    * Send queries with a spoofed source IP address (the target's IP) to open resolvers; the large replies hit the target
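The message format, the record types and the poisoning check from sections 4 to 6, as an added example that is not part of the original notes: a minimal DNS query builder and reply parser in Python using only the standard library. The names and addresses (example.com, 192.0.2.x) and the reply produced by `build_response` are constructed assumptions so that the code runs offline; a real resolver would receive that datagram from the network.

```python
import secrets
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX = 1, 2, 5, 15   # record types used on this page; class IN = 1

def encode_name(name):
    """Encode a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # 2-byte pointer to an earlier name (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                    # the name ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(name, qtype=TYPE_A, recursion_desired=True, txid=None):
    """Return (txid, wire bytes). RD=1 asks the server to recurse; RD=0 is an iterated query."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid   # random ID, hard to guess
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)        # ID, flags, QD/AN/NS/AR counts
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def encode_rdata(rtype, value):
    """Wire form of the RDATA field for the record types above."""
    if rtype == TYPE_A:
        return socket.inet_aton(value)
    if rtype in (TYPE_NS, TYPE_CNAME):
        return encode_name(value)
    if rtype == TYPE_MX:                         # value = (preference, mail exchanger)
        return struct.pack("!H", value[0]) + encode_name(value[1])
    raise ValueError("unsupported record type %d" % rtype)

def build_response(query, answers, rcode=0):
    """Constructed reply for offline testing: same ID and question as the query, QR and AA set."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8400 | (qflags & 0x0100) | (rcode & 0xF)
    out = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:]
    for name, rtype, ttl, value in answers:      # one RR: name, type, class, TTL, rdlength, rdata
        rdata = encode_rdata(rtype, value)
        out += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return out

def decode_rdata(msg, rtype, off, rdlen):
    """Inverse of encode_rdata for the answer section (raw bytes for unknown types)."""
    if rtype == TYPE_A:
        return socket.inet_ntoa(msg[off:off + 4])
    if rtype in (TYPE_NS, TYPE_CNAME):
        return read_name(msg, off)[0]
    if rtype == TYPE_MX:
        return struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0]
    return msg[off:off + rdlen]

def parse_response(msg, expected_txid, expected_name, expected_qtype):
    """Parse a reply; refuse anything that does not match our outstanding query.

    A poisoning attacker racing the real answer must guess the 16-bit ID (and the UDP
    source port, which the kernel checks); a reply failing these checks is never cached.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("ID/QR mismatch: not a reply to our query (spoofed?)")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if qd != 1 or qname.lower() != expected_name.rstrip(".").lower() or qtype != expected_qtype:
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "answers": answers}
```

Against a real server you would `sendto(wire, (server, 53))` on a UDP socket and pass the datagram returned by `recvfrom()` to `parse_response`; a reply with the truncated bit set has to be repeated over TCP. The ID and question checks are exactly what a caching resolver must do before it trusts an answer, which is why guessing the ID is the hard part of a poisoning attack.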
### 7. Email

3 major components of email:
* User Agent (UA)
    * composes and reads mail messages
    * e.g. Thunderbird
    * mail messages are stored at the mail server
* Mail servers: MTA - Message Transfer Agents
    * mailbox contains incoming messages
    * message queue of outgoing messages
* SMTP between mail servers
    * SMTP - Simple Mail Transfer Protocol

**Key components and steps to send an email**

![](https://i.imgur.com/ZS5kajE.png)

**SMTP**

Uses TCP to reliably transfer an email message from client to server, port 25 (port 587 for authenticated submission by user agents). Direct communication between mail servers. 3 phases:
* handshaking (greeting)
* data transfer
* closure

SMTP uses persistent connections and requires messages in 7-bit ASCII (binary content has to be encoded, see MIME). Compared to HTTP (pull), SMTP is push. Both have ASCII command/response interaction and status codes. In HTTP each object is encapsulated in its own response message; in SMTP multiple objects are sent in one multipart message.

Extended SMTP (ESMTP)
* Additional commands and service extensions (e.g. SIZE, STARTTLS, AUTH)
* Not all extensions are supported by each mail server; the server lists the ones it supports
* The conversation starts with the EHLO command; command (ASCII) / response (status line) interaction like in HTTP, and MIME allows different formats of messages

![](https://i.imgur.com/md2jrHQ.png)

**Transferring messages - sending mail over SMTP**

SMTP commands
* HELO
* MAIL (FROM)
* RCPT (TO)
* DATA
* < mail >, terminated by a line containing only a dot
* QUIT

![](https://i.imgur.com/9KjNDlv.png =500x)

**The mail message format**

![](https://i.imgur.com/qBWHNbo.png =400x)

### 8. MIME

* Multipurpose Internet Mail Extensions redefine the format of messages to allow for
    * more than 7-bit ASCII
    * a set of different formats for non-textual message bodies
    * multi-part message bodies
    * textual header information in character sets other than US-ASCII

**Common MIME content types and subtypes**

![](https://i.imgur.com/5nYHHZS.png =500x)

**Multipart message**

![](https://i.imgur.com/D3WaRsw.png)
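The SMTP dialogue listed above (HELO/EHLO, MAIL, RCPT, DATA, QUIT), as an added example that is neither the notes' own code nor that of any real mail server: a toy server-side state machine in Python and a client function that drives it in-process, showing the status codes, the 503 "bad sequence" errors, dot-stuffing of the message body and the 7-bit ASCII rule. Hostnames and addresses (mail.example.com, alice@example.com) are made up.

```python
class SmtpServer:
    """Server-side state machine for the HELO/EHLO, MAIL, RCPT, DATA, QUIT dialogue.

    Toy implementation for this example: no TCP, no TLS, no authentication.
    `handle()` takes one client line and returns the status-line reply.
    """

    def __init__(self, hostname="mail.example.com"):
        self.hostname = hostname
        self.greeted = False            # HELO/EHLO seen
        self.in_data = False            # between the "354" reply and the terminating "."
        self.mailbox = []               # delivered (sender, recipients, body) tuples
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.rcpts, self.body = None, [], []

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname   # the server speaks first after connect

    def handle(self, line):
        """Return the reply for one client line, or None while collecting DATA lines."""
        if self.in_data:
            if line == ".":                         # <CRLF>.<CRLF> ends the message
                self.in_data = False
                self.mailbox.append((self.sender, list(self.rcpts), "\r\n".join(self.body)))
                self._reset_envelope()
                return "250 OK: message queued"
            self.body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            return None
        try:
            line.encode("ascii")                    # plain SMTP is 7-bit ASCII only
        except UnicodeEncodeError:
            return "500 Non-ASCII byte in command; 8BITMIME not offered"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self._reset_envelope()
            if verb == "EHLO":                      # ESMTP: list the supported extensions
                return "250-%s\r\n250 SIZE 10240000" % self.hostname
            return "250 %s" % self.hostname
        if verb == "QUIT":
            return "221 %s closing connection" % self.hostname
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self._reset_envelope()
            self.sender = arg[5:].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.sender is None:
                return "503 Need MAIL command first"
            self.rcpts.append(arg[3:].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command not recognized"


def send_mail(server, sender, rcpts, body_lines, use_ehlo=True):
    """Client side of the dialogue; returns the transcript as (client line, server reply) pairs."""
    transcript = [("", server.greeting())]
    cmds = [("EHLO" if use_ehlo else "HELO") + " client.example.net",
            "MAIL FROM:<%s>" % sender]
    cmds += ["RCPT TO:<%s>" % r for r in rcpts] + ["DATA"]
    for cmd in cmds:
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        if reply[0] not in "23":                  # 4xx/5xx: stop, do not send the body
            return transcript
    for line in body_lines:                       # dot-stuffing: a leading "." is doubled
        server.handle("." + line if line.startswith(".") else line)
    transcript.append((".", server.handle(".")))
    transcript.append(("QUIT", server.handle("QUIT")))
    return transcript
```

In the lab the same lines are typed by hand into `telnet mail.<fqdn> 25` against postfix; the only difference is that the transport is then a real TCP connection. The early return on a 4xx/5xx reply is what keeps a client from dumping a message body at a server that has not agreed to take it.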
### 9. Mail access protocols

**SMTP**
* Delivery/storage to the receiver's server (push); not used by the user agent to fetch mail

**POP3 Protocol**
* Post Office Protocol, TCP port 110: authorization phase (user/pass, in cleartext unless TLS is used) and download phase
* Stateless across sessions (no folders, no flags kept on the server)
* POP3 "download and delete" mode: Bob cannot re-read an e-mail if he changes the client
* POP3 "download-and-keep" mode: copies of messages on different clients

**IMAP**
* Internet Message Access Protocol, TCP port 143: all mails stay on the server
* Allows the user to organize messages in folders
* Allows the client to access and manipulate messages on the server
* Manipulation of mailboxes (remote message folders) equivalent to local folders
* Stateful - keeps user state across sessions: names of folders and mappings between message IDs and folder names; resync of an offline client with the server

### 10. FTP

* File transfer protocol (like HTTP)
* Server-client architecture
* Client sends a request, server responds
* TCP ports 21 (control) and 20 (data)
* "The Forgotten Cloud": in 2015 there were 13M FTP servers in the IPv4 address space
* No integrity, no authentication of the server, no encryption - credentials travel in cleartext. Secure alternatives: SFTP (over SSH), FTPS (FTP over TLS) or HTTPS

![](https://i.imgur.com/QhNITrT.png =500x)

**FTP file transfer process**

1. Client initiates the control connection to TCP port 21
2. Client authentication (name/password) via the control connection
3. Client sends commands via the control connection
    * change directory
    * "put" and "get" files
4. A new TCP data connection for every single file transfer. In active mode it is opened by the server from port 20 to a port the client announced (which firewalls and NAT on the client side tend to block, hence passive mode, where the client opens the data connection to a port the server announces)
5. The data connection is closed when the file transfer is completed

FTP sends control information out-of-band: separate connections for control and data. In contrast, HTTP and SMTP send control information in-band. The FTP server maintains state: the user account and tracking of user activities (current directory). Keeping track of state information for each ongoing user session limits the total number of simultaneously maintained sessions.

## VIII. Socket Programming (1)

### 1. Socket Programming

Means building client/server applications that communicate using sockets (IP address + port combination).
A socket is a 'door' between the application process and the end-to-end transport protocol. There are two socket types for the two transport services: UDP and TCP.

![](https://i.imgur.com/eXhsYWV.png)

Example
1. Client reads a line of characters (data) from its keyboard and sends it to the server
2. Server receives the data and converts it to uppercase
3. Server sends the modified data back to the client
4. Client receives the modified data and displays it on the screen

**Socket programming with UDP**

No connection between client and server, no handshaking before data is sent. The sender explicitly attaches the destination IP address and port to every datagram, and the receiver extracts the sender's IP address and port from each packet it receives. Viewpoint of the app: unreliable transfer of groups of bytes (datagrams). Packets may get lost or arrive out of order.

![](https://i.imgur.com/LWHU8un.png)

**Socket programming with TCP**

1. Client must contact the server
    * the server process must be running first
    * the server must have created a welcoming (listening) socket that accepts the client's contact
2. Client contacts the server by
    * creating a socket and specifying the IP address and port number of the server process
    * when the client creates the socket, the client TCP establishes the connection to the server TCP (three-way handshake)
3. Server is contacted by the client
    * the server creates a new socket for the server process to communicate with that particular client
    * multiple client connections are possible
    * clients are distinguished by their source IP address and source port number
    * in-order, reliable transfer of a stream of bytes ('pipe')

![](https://i.imgur.com/iuKGm8Q.png =330x)

![](https://i.imgur.com/K31xl0T.png =400x)

## Labs

### Lab 1 - Proxmox Virtual Environment

Proxmox: open source virtualization platform for operating virtual machines, with a web interface.

1. Connecting to Proxmox
2. Configuring the Gateway
    * change the hostname of the server and the password
    * configure the internal (ens19) and external (ens18) network interfaces via netplan: Netplan is a utility for easily configuring networking on a Linux system.
    You simply create a YAML description of the required network interfaces and what each should be configured to do (in `/etc/netplan/`, applied with `netplan apply`). From this description Netplan generates all the necessary configuration for your chosen renderer (systemd-networkd or NetworkManager).
3. Enabling openssh-server on the gateway
4. Using nmap, ping, fping and other tools to scan the whole 192.168.5.0/24 subnet
5. Using tcpdump, netstat or Wireshark to check which servers are online
6. Changing visibility with `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all`. The kernel then ignores ICMP echo requests, so ping no longer shows whether the host is online. Note that this only hides the host from ping: ARP on the local segment and TCP probes (`nmap -Pn`) still find it.
7. Using nmap (`nmap -sV`) and other tools to find out what software or services the other groups run on their UbuntuGateways
8. Configuring the Webserver
    * change the hostname of the server and the password
    * configure the network interfaces (netplan)
9. Enabling IP forwarding on the Gateway
    * `net.ipv4.ip_forward = 1` (in `/etc/sysctl.conf`, activated with `sysctl -p`)
    * set up SNAT (masquerading) on the external interface ens18 with iptables, so that internal hosts reach the outside network with the gateway's address

### Lab 2 - One Server is not a Network

1. Configure a DHCP server on the UbuntuGateway machine and allocate the IP addresses appropriately
    * install the DHCP server (isc-dhcp-server)
    * define which interface the DHCP server listens on -> ens19; declare the subnet, the range the DHCP server should hand out and any hosts that should get fixed IP addresses (by MAC address)
    * change 'option domain-name' and uncomment `authoritative;` so that the server sends DHCPNAKs to clients asking for addresses it does not manage
2. Use the SparkyLinuxClient to test the DHCP service
    * check with `ip address` whether the correct IP address has been assigned (10.10.10.40, the first IP address of the DHCP range)
3. Configure a webserver on the UbuntuWebserver machine
4. Use the SparkyLinuxClient to test the webserver
    * you should see the Apache2 Ubuntu Default Page
5. Install an internal DNS server (bind9)
    * on the DNS server change the hostname and the password
    * configure the network interfaces (netplan)
    * install bind9 and configure the named.conf.local file
    * configure DNS as master and define the zones. Configure ns1 to allow zone transfers to ns2 and to notify ns2 of updates.
    * create a new directory for the forward and reverse zone files
    * configure the named.conf.options file to allow recursive queries for the internal network only (an open recursive resolver can be abused for DNS amplification attacks)
6. Configure /etc/dhcp/dhcpd.conf on the Gateway and add the DNS server to it (`option domain-name-servers`)
7. Check the DNS server with dig and nslookup to test whether bind9 answers, and for troubleshooting
8. Create another netplan YAML file on all clients that points them to the internal DNS servers
9. Use another internal server (e.g. the UbuntuGateway) to act as secondary DNS. For this install and configure bind9 on the Gateway as slave for the zones.
10. On the SparkyLinuxClient check with nslookup whether the zones are working

### Lab 3 - You have a new message

1. Configure port forwarding (use iptables) for HTTP and HTTPS traffic from your gateway to the webserver. DNAT must be used because the destination IP in the IP header of the packet has to be rewritten from the gateway's external address to the webserver's internal address. The other groups should be able to reach the website from their SparkyLinuxClient by requesting http://192.168.5.32
2. Add an MX record for the mailserver to your DNS server. You need an MX record because otherwise other mail servers do not know which mail server is responsible for the domain.
    * configure the mailserver: set a hostname and a new password
    * on the Gateway add the mailserver to /etc/dhcp/dhcpd.conf (`sudo nano /etc/dhcp/dhcpd.conf`), e.g. as a host with a fixed address
    * configure an interface in the mailserver to use DHCP
    * connect to the DNS server over the command line
    * go to the zone files and add 2 records: the MX record - the mailserver responsible for the FQDN - and the A record - name to IP mapping of the mailserver. Increase the zone serial so that the secondary picks up the change.
    * to check whether the added MX record actually works for our domain, query the mail servers of the domain with `dig MX <domain>` or `nslookup -type=MX <domain>`, and look at `systemctl status bind9` if the zone fails to load
3. Set up an MTA on a new linked clone (use postfix)
    * install mailutils and postfix and configure postfix using your FQDN (JudytaKrzyzak.netapp.nwlab)
    * change the /etc/postfix/main.cf file (myhostname, mydestination, mynetworks)
    * test the MTA via telnet using `telnet mail.JudytaKrzyzak.netapp.nwlab 25` and send a test mail by typing the SMTP commands (HELO, MAIL FROM, RCPT TO, DATA, QUIT). Later you can find your email in /home/mmustermann/mbox.
4. Deliver your mails. Set up a Mail Delivery Agent (MDA) on the mail server (use dovecot) to deliver the mails to the client.
    * install dovecot (dovecot-pop3d, dovecot-imapd)
    * test connectivity for POP3 (110) and IMAP (143) via `telnet mail 110` and `telnet mail 143`
5. Retrieve your mails
    * set up an e-mail client (Thunderbird recommended) on a client machine (SparkyLinuxClient) and send yourself an e-mail
    * on the mailserver check your emails
    * create two new e-mail users (Alice Smith, Bob Builder) and send mails from Alice to Bob and vice versa via an e-mail client (Thunderbird)
    * forward your mail server: set up port forwarding (DNAT for TCP 25; also 110/143 if clients outside should fetch mail) for your mail server on the gateway by adding new rules to iptables
    * look for a colleague who will set up an e-mail address for you on her/his server and add this e-mail address to your client
    * try to send and receive e-mails with this new address

### Lab 4 - Firewall, Fileserver, Sockets and Monitoring

1. Use iptables to set up a stateful inspection firewall on your gateway machine (allow return traffic with `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, explicit ACCEPT rules for new connections to the published services, default policy DROP). Create and configure the rules for your webserver, DNS and mailserver so that your colleagues can access them. Write a bash script for your rules.
    * What is the difference between REJECT and DROP?
    * REJECT: prohibits the packet from passing and sends an error back to the source host, by default an ICMP destination-unreachable (port unreachable); for TCP it can send a TCP RST instead (`--reject-with tcp-reset`). The ICMP error is only sent if such a message would normally be permitted, e.g. not for packets to/from the broadcast address. From the scanner's point of view, with REJECT the results fall into "connection established" and "connection refused": the scan finishes quickly and the scanner knows that a host (and probably a firewall) is there.
    * DROP: prohibits the packet from passing and sends no response. The scanner's results fall into "connection established" and "connection timed out": the scan is slow and the scanner cannot tell a dropped packet from a host that is down. DROP reveals less, but makes debugging legitimate connection problems harder.
2. Set up an FTP server (vsftpd recommended) on your webserver with which you can access your website directory (/var/www)
3. Use SFTP to secure the file transfer. SFTP is not FTP with encryption added but file transfer over SSH (port 22), provided by openssh-server on the webserver; the FTP protocol itself would need FTPS (FTP over TLS) to be secured.
4. Deploy socket code for a server and a client on two of your machines and try to send a "Hello World" message from the client to the server.
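The REJECT/DROP distinction from Lab 4 step 1 seen from the scanner's side, as an added example that is not part of the lab material: a TCP connect probe in Python that sorts each port into open, closed (RST or ICMP unreachable, i.e. a REJECT rule or no listener) or filtered (timeout, i.e. a DROP rule). `demo_localhost` constructs the two cases that can be produced locally on 127.0.0.1 with a listening socket and a free port; the filtered case needs a real DROP rule on the path, so it is classified but not demonstrated.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def classify_port(host, port, timeout=1.0):
    """TCP connect probe; the outcome tells you how the firewall treated the SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK came back: ACCEPT rule and a listening service
    except ConnectionRefusedError:
        return "closed"          # RST or ICMP port-unreachable: REJECT, or nothing listening
    except socket.timeout:
        return "filtered"        # silence until the timeout: DROP (or the packet got lost)
    except OSError:
        return "unreachable"     # ICMP host/net unreachable, e.g. REJECT --reject-with icmp-host-prohibited
    finally:
        s.close()


def scan(host, ports, timeout=1.0, workers=32):
    """Probe several ports in parallel; returns {port: verdict}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: classify_port(host, p, timeout), ports))
    return dict(zip(ports, verdicts))


def demo_localhost():
    """Constructed local setup: one listening port and one port nobody listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))              # the kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]          # free again as soon as we close it
    probe.close()
    try:
        return scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    for port, verdict in sorted(demo_localhost().items()):
        print("%5d  %s" % (port, verdict))
```

A connect scan completes the three-way handshake, so every "open" result shows up in the service's logs; nmap's default SYN scan avoids that but needs raw sockets (root). When you test your own firewall script, the verdict you want for ports you do not publish is "filtered" if you chose DROP and "closed" if you chose REJECT; "open" on a port you meant to block means the rule is missing or ordered after an ACCEPT.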
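The uppercase client/server example of Section VIII and the "Hello World" exchange of Lab 4 step 4, as an added Python example that is not the notes' own code: TCP first (welcoming socket, a new connection socket per client, the byte stream reassembled into lines), then the UDP variant with no connection and an address attached to every datagram. Both sides run on 127.0.0.1 here and the ports are assigned by the kernel; in the lab the client uses the server VM's address instead.

```python
import socket
import threading

HOST = "127.0.0.1"        # both sides run locally here; in the lab use the server VM's IP


def recv_line(sock):
    """TCP delivers a byte stream, not messages: collect bytes until the newline arrives."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:                       # peer closed the connection
            raise ConnectionError("connection closed before a full line arrived")
        buf += chunk
    return buf


def tcp_serve_once(listener):
    """Server side: accept one client, uppercase every line it sends, stop at EOF."""
    conn, peer = listener.accept()          # new socket per client; peer = (ip, source port)
    with conn:
        try:
            while True:
                conn.sendall(recv_line(conn).upper())
        except ConnectionError:
            pass                            # client finished and closed its side


def start_tcp_server():
    """Create the welcoming socket on an ephemeral port and serve one client in the background."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        with listener:
            tcp_serve_once(listener)
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def tcp_uppercase(port, lines):
    """Client side: connect (three-way handshake), send the lines, read the uppercased replies."""
    replies = []
    with socket.create_connection((HOST, port), timeout=5) as s:
        for line in lines:
            s.sendall(line.encode() + b"\n")
            replies.append(recv_line(s).rstrip(b"\n").decode())
    return replies


def start_udp_server(datagrams):
    """UDP server: no accept(); every datagram carries the client address to reply to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))
    port = srv.getsockname()[1]

    def run():
        with srv:
            for _ in range(datagrams):
                data, addr = srv.recvfrom(2048)     # address extracted from the packet
                srv.sendto(data.upper(), addr)      # address attached to the reply
    threading.Thread(target=run, daemon=True).start()
    return port


def udp_uppercase(port, text, timeout=2.0):
    """UDP client: attach the server address to the datagram; the reply may never come."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(text.encode(), (HOST, port))
        try:
            data, _ = c.recvfrom(2048)
        except socket.timeout:
            return None                     # lost datagram: UDP does not retransmit, the app must
    return data.decode()


if __name__ == "__main__":
    port, thread = start_tcp_server()
    print(tcp_uppercase(port, ["Hello World", "net app"]))   # ['HELLO WORLD', 'NET APP']
    thread.join(5)
    print(udp_uppercase(start_udp_server(1), "hello udp"))    # HELLO UDP
```

`recv_line` is the part most beginners skip: TCP guarantees order and delivery but not that one `send` arrives as one `recv`, so any protocol on top of it needs its own framing (here the newline). The UDP client's timeout shows the other trade-off: no handshake and no per-client socket, but also no one to tell you that the datagram was lost.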