Day 2

The document provides an overview of the TCP/IP protocol suite and associated network vulnerabilities, detailing the functions and behaviors of various protocols such as TCP, UDP, and HTTP. It discusses the importance of protocol security analysis, common network attacks, and detection and prevention techniques to safeguard against vulnerabilities. Additionally, it covers IP addressing, subnetting, and the classification of IPv4 addresses to enhance network security.

Uploaded by jaymit sarena

TCP/IP Protocol Suite & Network Vulnerabilities Network Security

Title: Protocol Security Analysis

Introduction to TCP/IP Protocol Suite:


- TCP/IP stands for Transmission Control Protocol/Internet Protocol and is a suite of communication protocols used to interconnect network devices on the internet.
- TCP/IP is also used as a communications protocol in a private computer network, an intranet or extranet.

Introduction to Network Vulnerabilities:


- Network vulnerabilities refer to weaknesses or flaws within a network's design, implementation, or operation that cyber attackers can exploit.
- Security gaps can stem from a variety of sources, including outdated software, misconfigured hardware, weak security protocols, or human error.

Protocol Security Analysis

Definition: It is the process of evaluating the security of network protocols.

Protocol Security Analysis involves:

- Developing methods: Creating methods that are accurate, informative, and deployable.
- Formal modeling: Constructing a formal model from a set of requirements.
- Verification: Using tools and techniques to verify that the model meets security requirements.
- Specification languages: Using different specification languages to suit the complexity of the protocol and the user's expertise.

1. Understanding Each Protocol's Normal Behavior

- Transmission Control Protocol (TCP):
  - Connection Establishment: TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a connection.
  - Data Transmission: TCP ensures reliable, ordered delivery of data using sequence numbers and acknowledgments.
  - Connection Termination: A four-way handshake (FIN, FIN-ACK, and ACK) is used to terminate a connection gracefully.

- User Datagram Protocol (UDP):
  - Connectionless: UDP does not establish a connection before sending data, making it faster but less reliable.
  - Data Transmission: Data is sent in packets (datagrams) without guarantees of delivery or order.
  - Use Cases: Commonly used for applications requiring low latency, such as VoIP and online gaming.

- Internet Protocol (IP):
  - Addressing: Each device on a network has a unique IP address (IPv4 or IPv6).
  - Packet Routing: IP is responsible for routing packets based on the destination address.

- Hypertext Transfer Protocol (HTTP/HTTPS):
  - Request/Response Model: Clients send requests to servers, which respond with data.
  - Stateless: Each request is independent; no session information is retained.
  - HTTPS: Adds security through SSL/TLS encryption.

- File Transfer Protocol (FTP):
  - Connection Establishment: FTP uses a control connection (port 21) and a data connection (port 20).
  - Authentication: Typically requires a username and password for access.
  - Data Transfer: Can operate in active or passive mode.

2. Learning How to Recognize Anomalies in Protocol Behavior

- TCP Anomalies:
  - SYN Flooding: A high volume of SYN packets without corresponding ACKs may indicate a DoS attack.

- UDP Anomalies:
  - High Volume of UDP Traffic: An unusual spike in UDP traffic may indicate a DoS attack or port scanning.
  - Unsolicited Responses: Receiving unexpected responses to UDP packets can indicate misconfigured services or attacks.

- IP Anomalies:
  - IP Spoofing: Packets with source IP addresses that do not match the expected range can indicate spoofing.
  - Fragmentation Attacks: Abnormal fragmentation patterns may suggest attempts to evade detection.

- HTTP/HTTPS Anomalies:
  - Unusual Request Patterns: A sudden increase in requests to a specific endpoint may indicate a web application attack (e.g., SQL injection).

- FTP Anomalies:
  - Brute Force Attempts: Multiple failed login attempts can indicate a brute force attack.
  - Unusual Data Transfers: Large or unexpected file transfers may indicate data exfiltration.
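Added example (not from the original notes): a small Python tracker that follows the TCP three-way handshake from section 1 over a list of packet records and counts handshakes that never complete, which is the "SYN without corresponding ACK" indicator described above. The packet records, ports and 10.0.0.x addresses are constructed for the example; in practice the records would come from a capture.

```python
from collections import Counter

# Constructed sample capture: one clean three-way handshake from
# 10.0.0.5, then 25 SYNs from 10.0.0.9 that never get a reply. Each
# record is (src_ip, src_port, dst_ip, dst_port, flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "10.0.0.80", 80, "SYN"),
    ("10.0.0.80", 80, "10.0.0.5", 51000, "SYN-ACK"),
    ("10.0.0.5", 51000, "10.0.0.80", 80, "ACK"),
] + [("10.0.0.9", 40000 + i, "10.0.0.80", 80, "SYN") for i in range(25)]


def track_connections(packets):
    """Follow each client->server 4-tuple through the handshake.

    States: "syn_sent" (SYN seen, no SYN-ACK), "syn_received" (SYN-ACK
    seen, final ACK missing), "established". FIN removes the entry.
    """
    state = {}
    for src, sport, dst, dport, flags in packets:
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "SYN":
            state[key] = "syn_sent"
        elif flags == "SYN-ACK" and state.get(reverse) == "syn_sent":
            state[reverse] = "syn_received"  # key stays client->server
        elif flags == "ACK" and state.get(key) == "syn_received":
            state[key] = "established"
        elif flags in ("FIN", "FIN-ACK"):
            state.pop(key, None)
            state.pop(reverse, None)
    return state


def half_open_by_client(state):
    """Count handshakes that never reached "established", per client IP."""
    counts = Counter()
    for (client, _sport, _server, _dport), s in state.items():
        if s != "established":
            counts[client] += 1
    return counts


def syn_flood_suspects(packets, threshold=20):
    """Clients with more than `threshold` incomplete handshakes."""
    counts = half_open_by_client(track_connections(packets))
    return sorted(c for c, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_PACKETS))  # ['10.0.0.9']
```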

3. Examining Real Packet Captures

- Capture Traffic: Use Wireshark or similar tools to capture packets on the network interface.
- Filter by Protocol: Use display filters (e.g., TCP, UDP, HTTP, FTP) to focus on specific protocols.
- Analyze Packet Details: Inspect packet headers and payloads to understand the flow of communication.
- Look for Anomalies: Identify any deviations from normal behavior, such as unexpected flags, unusual packet sizes, or abnormal timing.

4. Studying Common Protocol Vulnerabilities and Their Indicators

- TCP Vulnerabilities:
  - SYN Flooding: Exploits the TCP handshake to overwhelm a server, leading to denial of service.
  - Session Hijacking: Attackers can take over an active TCP session by predicting sequence numbers.

- UDP Vulnerabilities:
  - Reflection Attacks: Attackers send requests to a third-party server with a spoof.

Common Network Attacks


Common network attacks include:
1. Malware.
2. Viruses.
3. Phishing.
4. DoS (Denial of Service) and DDoS Attacks.
5. Man-in-the-Middle.
6. Ransomware.

1. Basic Attack Concepts

a. Definition of Network Attacks: Network attacks are malicious attempts to disrupt, damage, or gain unauthorized access to computer networks or systems. They can target individuals, organizations, or governments.

b. Types of Attackers:
- Hackers: Individuals who exploit vulnerabilities for various motives (e.g., financial gain, political reasons, or personal challenge).
- Script Kiddies: Inexperienced individuals using pre-written scripts or tools to launch attacks.
- Insiders: Employees or contractors who misuse their access to harm the organization.
- Nation-State Actors: Government-sponsored groups targeting other nations for espionage or sabotage.

c. Common Goals of Attacks:
- Data theft
- Service disruption
- Unauthorized access
- Financial gain
- Espionage

2. Understanding Attack Methodologies

a. Phases of an Attack:
- Reconnaissance: Gathering information about the target (e.g., network structure, IP addresses, and employee details).
- Scanning: Actively probing the network to identify open ports, services, and vulnerabilities.
- Gaining Access: Exploiting vulnerabilities to gain unauthorized access to systems.
- Maintaining Access: Installing backdoors or other methods to retain access after the initial breach.
- Covering Tracks: Deleting logs or using other methods to hide the attacker's presence.

b. Common Attack Techniques:
- Social Engineering: Manipulating individuals into divulging confidential information (e.g., phishing).
- Identity Spoofing (IP Address Spoofing): An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.
  - After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data.
- Denial of Service (DoS): Prevents normal use of your computer or network by valid users.
- Man-in-the-Middle (MitM): Occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently.

3. Analyzing Attack Patterns and Signatures

a. Attack Patterns:
- Brute Force Attacks: Attempting multiple passwords or encryption keys until the correct one is found.
- SQL Injection: Inserting malicious SQL queries into input fields to manipulate databases.
- Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by users.

b. Signatures:
- Signature-Based Detection: Identifying known threats by matching them against a database of attack signatures.
- Anomaly-Based Detection: Monitoring network traffic for unusual patterns that may indicate an attack.

4. Learning Detection and Prevention Techniques

a. Detection Techniques:
- Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activity and alert administrators.
- Intrusion Prevention Systems (IPS): Actively block or prevent detected threats in real time.
- Log Analysis: Reviewing logs from firewalls, servers, and applications to identify potential security incidents.
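Added example (not part of the original notes) of the log analysis technique above applied to the brute-force indicator from the FTP anomalies list: a per-source sliding-window counter over authentication log lines. The log format, user names and addresses are all constructed for this example, not taken from any real server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any real server's):
# "<ISO timestamp> <service> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one good login, a six-failure burst from 203.0.113.7
# within five seconds, and one isolated failure by bob half an hour later.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ftp OK user=alice src=192.168.1.20
2024-05-01T10:00:05 ftp FAIL user=admin src=203.0.113.7
2024-05-01T10:00:06 ftp FAIL user=admin src=203.0.113.7
2024-05-01T10:00:07 ftp FAIL user=root src=203.0.113.7
2024-05-01T10:00:08 ftp FAIL user=ftp src=203.0.113.7
2024-05-01T10:00:09 ftp FAIL user=test src=203.0.113.7
2024-05-01T10:00:10 ftp FAIL user=guest src=203.0.113.7
2024-05-01T10:30:00 ftp FAIL user=bob src=192.168.1.21
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def failed_login_bursts(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak failures inside any `window`} for sources at or over threshold.

    One sliding window per source address, so a single mistake by a real
    user stays below threshold while a rapid burst is reported.
    """
    recent = defaultdict(deque)
    peak = {}
    for ev in parse_log(text):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[ev["src"]] = max(peak.get(ev["src"], 0), len(q))
    return peak
```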

b. Prevention Techniques:
- Firewalls: Implementing network firewalls to filter incoming and outgoing traffic based on security rules.
- Encryption: Protecting data in transit and at rest to prevent unauthorized access.
- Regular Updates and Patching: Keeping software and systems up to date to mitigate vulnerabilities.
- User Education: Training employees on security best practices and recognizing social engineering attempts.
- Access Controls: Implementing the principle of least privilege to limit user access to only what is necessary.

IP Addressing and Subnetting for Security

IP addressing is a system used to assign unique numerical labels to devices on a network, enabling them to communicate with each other.

Each IP address consists of two parts:

- The network portion: This identifies the network itself.
- The host portion: This identifies the specific device within that network.

IP addresses can be classified into two types:

- IPv4: It uses a 32-bit address format.
- IPv6: It uses a 128-bit address format, allowing for a vastly larger number of unique addresses.

IPv4 Address Classes:

IPv4 addresses are categorized into five classes, each serving different purposes based on the size of the network and the number of hosts.

Class   First Bits   IP Address Range              Network Size
A       0            1.0.0.0 - 126.0.0.0           Large networks
B       10           128.0.0.0 - 191.255.0.0       Medium-sized networks
C       110          192.0.0.0 - 223.255.255.0     Small networks
D       1110         224.0.0.0 - 239.255.255.255   Multicast addresses
E       1111         240.0.0.0 - 255.255.255.255   Reserved for experimental and future use

Types of IPv4 Address

There are two types of IPv4 addresses.

1. Public IPv4 addresses: They are globally routable and can be accessed over the Internet.

   - 126.255.255.255
   - 128.0.0.0 - 191.255.255.255
   - 192.0.0.0 - 223.255.255.255

2. Private IPv4 addresses: They are used in private networks which are not routable on the Internet.

   - 10.0.0.0 - 10.255.255.255
   - 172.16.0.0 - 172.31.255.255
   - 192.168.0.0 - 192.168.255.255

Subnetting

- Subnetting divides a network into smaller subnets, which allows efficient utilization of IP addresses with network segmentation.
- It has several benefits such as improved network management, enhanced security, and optimized routing.

Subnets

- Subnets are smaller, manageable segments of a larger network, created by dividing an IP address space. Subnetting allows for efficient IP address management and better control over network resources, enabling easier troubleshooting and reduced broadcast domains.
- Each subnet has its own range of IP addresses, which helps in optimizing the use of available addresses and improving overall network efficiency.
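Added example, not from the original notes, that puts the class table, the private address ranges and the subnetting idea above into code using Python's standard ipaddress module. The sample addresses and the split of a /24 into /26 subnets are constructed for the example.

```python
import ipaddress

# Leading-bit patterns from the class table, checked in order.
CLASS_PREFIXES = [("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111")]

# The three private ranges listed in the notes, as networks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_class(addr):
    """Return the class letter by inspecting the leading bits of the first octet."""
    first_octet_bits = format(int(ipaddress.IPv4Address(addr)) >> 24, "08b")
    for letter, prefix in CLASS_PREFIXES:
        if first_octet_bits.startswith(prefix):
            return letter
    raise ValueError(addr)  # unreachable: every bit pattern matches one row


def is_private(addr):
    """True if addr lies in one of the private ranges listed above."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def subnet_plan(network, new_prefix):
    """Split `network` into /new_prefix subnets and describe each one.

    Returns a list of (subnet, first_host, last_host, usable_hosts) tuples,
    the figures checked when segmenting a network into smaller subnets.
    """
    plan = []
    for sub in ipaddress.ip_network(network).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        plan.append((str(sub), str(hosts[0]), str(hosts[-1]), len(hosts)))
    return plan


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.20.0.1", "8.8.8.8", "224.0.0.1"):
        print(a, ipv4_class(a), "private" if is_private(a) else "public")
    for row in subnet_plan("192.168.10.0/24", 26):
        print(row)
```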

Topology Diagram for Configuring IP Addressing and Subnetting

Figure 1.0: Configure IP Addressing and Subnetting
