[TUTORIAL] Network Traffic Flow



Introduction

 

To begin with, let's start from the very beginning. I'll go through the basics and fundamentals of networking, build up to a reasonable working knowledge, and conclude with some practical aspects of how servers operate and how they can be attacked.

 

How servers communicate with each other

 

Network traffic consists of packets exchanged over a network (the Internet; the World Wide Web is only one application that runs on top of it). For a client to exchange information with a server, the client sends packets carrying its request to the server, and the server returns its answer in packets of its own. A flow is a sequence of packets that share the same source and destination, in practice the 5-tuple of source address, destination address, source port, destination port and protocol, seen within a time window. A flow is considered finished once no packet for it has been seen for an idle timeout or, for TCP, when the connection is closed.

 


 

Depending on the direction in which packets travel, traffic can be:

 

Uni-directional

Bi-directional

 

Uni-directional traffic is one-way traffic that creates a single flow and expects nothing back. A basic example is a User Datagram Protocol (UDP) datagram such as a syslog or NetFlow export message: it is sent without any handshake and without requiring an answer from the server, so the sender never learns whether it arrived. TCP cannot be uni-directional, because even a one-way data transfer needs the SYN-ACK and the acknowledgements flowing back.

 


 

Bi-directional traffic is two-way traffic that creates two flows, one in each direction: one carries the client's request to the server and the other carries the server's answer back to the client. Every TCP connection is bi-directional, and so is an ICMP echo request followed by its echo reply (what ping does).
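The flow and direction concepts from the last few paragraphs, as an added example that is not part of the original post: the packet records are constructed (not captured anywhere), and the idle timeout, 5-tuple key and "two directions make one conversation" pairing are the same rules that NetFlow/IPFIX exporters and flow-based IDS use.

```python
from collections import defaultdict

# Constructed sample packets, not captured from a real network. One tuple per
# packet: (timestamp_s, src_ip, src_port, dst_ip, dst_port, protocol).
# Port 0 means "no port" (ICMP).
PACKETS = [
    (0.00, "10.0.0.5", 51000, "10.0.0.9", 80, "TCP"),    # client SYN
    (0.01, "10.0.0.9", 80, "10.0.0.5", 51000, "TCP"),    # server SYN-ACK
    (0.02, "10.0.0.5", 51000, "10.0.0.9", 80, "TCP"),    # ACK + request
    (0.05, "10.0.0.9", 80, "10.0.0.5", 51000, "TCP"),    # response
    (0.10, "10.0.0.5", 40000, "10.0.0.7", 514, "UDP"),   # syslog datagram, nothing comes back
    (0.20, "10.0.0.5", 40000, "10.0.0.7", 514, "UDP"),
    (0.30, "10.0.0.5", 0, "10.0.0.9", 0, "ICMP"),        # echo request
    (0.31, "10.0.0.9", 0, "10.0.0.5", 0, "ICMP"),        # echo reply
]


def flow_key(pkt):
    """The 5-tuple that identifies one direction of traffic."""
    _ts, src, sport, dst, dport, proto = pkt
    return (src, sport, dst, dport, proto)


def conversation_key(key):
    """Direction-independent key: both endpoints sorted, plus the protocol,
    so that A->B and B->A map to the same conversation."""
    src, sport, dst, dport, proto = key
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), proto)


def aggregate_flows(packets, idle_timeout=60.0):
    """Group packets into unidirectional flows (same 5-tuple). A flow is closed
    when the gap since its previous packet exceeds idle_timeout seconds; the
    next packet with the same key then starts a new flow."""
    flows, open_flows = [], {}
    for pkt in sorted(packets):
        ts, key = pkt[0], flow_key(pkt)
        cur = open_flows.get(key)
        if cur is None or ts - cur["last"] > idle_timeout:
            cur = {"key": key, "first": ts, "last": ts, "packets": 0}
            flows.append(cur)
            open_flows[key] = cur
        cur["last"] = ts
        cur["packets"] += 1
    return flows


def classify_conversations(flows):
    """Pair flows by conversation: if both directions were seen the traffic
    is bidirectional, otherwise it is unidirectional."""
    directions = defaultdict(set)
    for flow in flows:
        directions[conversation_key(flow["key"])].add(flow["key"])
    return {conv: ("bidirectional" if len(keys) == 2 else "unidirectional")
            for conv, keys in directions.items()}


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for f in flows:
        print(f)
    for conv, kind in classify_conversations(flows).items():
        print(kind, conv)
```

With the default idle timeout the eight packets above yield five unidirectional flows (two TCP directions, one UDP, two ICMP) and three conversations; with a very short idle timeout the two UDP datagrams split into two separate flows, which is exactly why flow counts depend on the exporter's timeout settings.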

 


 

Do not confuse this with UDLD (Unidirectional Link Detection). UDLD is a Cisco data link layer protocol whose job is to detect a physical link that only carries traffic in one direction (for example one broken fibre strand) so that the port can be shut down; that is a link fault, not a traffic pattern, and neither of the traffic types above is "part of" it.

 

So the first thing a client has to do in order to talk to a particular node (connection point) is create an endpoint, a socket, bound to a transport protocol (TCP or UDP) that will carry the data. Next it specifies the node itself by its address information, an IP address plus a port, so that the network can locate the destination. For TCP the client then connects, which performs the three-way handshake, sends its request and waits for a response; for UDP it simply sends the datagram to that address.

 

Once the server has read and processed the request it returns its answer (for HTTP, a status code plus an optional body) indicating whether the request was accepted or rejected. Either side then closes the connection with an orderly FIN/ACK exchange, or, where the protocol supports it (HTTP keep-alive), the connection stays open for further requests. An abrupt abort (RST) only happens on error.
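The connection procedure described above, as an added example that is not part of the original post: both endpoints live in one process and talk over the loopback interface, the HTTP request and reply are constructed, and the contrast between the TCP exchange (two flows) and the UDP send (one flow, no acknowledgement) is the point.

```python
import socket
import threading

# Added example, not from the original post. Both endpoints run in this
# process over 127.0.0.1, so no real network is needed. The request and the
# reply are constructed, minimal HTTP/1.0 messages.
REQUEST = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
REPLY = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"


def _serve_one(listener, seen):
    """Server side: accept one connection, read the request, answer, close."""
    conn, _peer = listener.accept()
    with conn:
        seen.append(conn.recv(4096))
        conn.sendall(REPLY)            # second flow: server -> client


def tcp_request(payload=REQUEST):
    """Client side of a bi-directional (TCP) exchange.

    1. create an endpoint bound to a transport: SOCK_STREAM selects TCP
    2. name the destination: (address, port)
    3. connect (three-way handshake), send the request, wait for the answer
    Returns (what the server received, what the client got back)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: the OS picks a free port
    listener.listen(1)
    listener.settimeout(5)
    seen = []
    worker = threading.Thread(target=_serve_one, args=(listener, seen))
    worker.start()
    server_addr = listener.getsockname()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.settimeout(5)
        client.connect(server_addr)    # SYN / SYN-ACK / ACK happen here
        client.sendall(payload)        # first flow: client -> server
        answer = client.recv(4096)     # block until the reverse flow arrives
    worker.join(5)
    listener.close()
    return seen[0], answer


def udp_send(payload=b"<14>constructed syslog line"):
    """Uni-directional (UDP) traffic: one datagram, no handshake, no reply.

    sendto() returns as soon as the kernel has queued the datagram; the sender
    gets no signal that it arrived. The receiver exists only so the example
    can show what landed on the other side."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.settimeout(5)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(payload, receiver.getsockname())
    data, _sender = receiver.recvfrom(4096)
    receiver.close()
    return data


if __name__ == "__main__":
    got, answer = tcp_request()
    print("server saw:", got)
    print("client got:", answer)
    print("udp receiver got:", udp_send())
```

Note that the UDP sender has no way to tell whether the datagram was delivered; if you remove the receiver entirely the sendto() still succeeds, which is exactly what makes UDP traffic easy to spoof and why a UDP-only "request" can never prove who sent it.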

 

Duplexes

 

A duplex link is a point-to-point system consisting of two nodes that communicate and exchange information with each other. Depending on how the medium is shared, such a system is either half-duplex or full-duplex.

 

Half-duplex: only one of the two nodes can transmit at any moment, so they take turns (Ethernet over a shared hub, or a walkie-talkie).

 

Full-duplex: both nodes send and receive simultaneously over separate channels (switched Ethernet, where each direction has its own wire pair or fibre).

 

OSI Model

 

Most plainly said, the Open Systems Interconnection (OSI) model describes networking as a stack of seven layers, each providing a service to the layer above and relying on the layer below. On the sending side each layer wraps the data it gets from above in its own header (encapsulation); on the receiving side each layer strips its header and hands the rest up. Protocols are assigned to the layer whose job they do, although real Internet protocols do not always fit neatly into a single layer. The seven layers are (as follows):

 


 

Physical Layer [#1]

 

This layer is the first and lowest in the OSI model. It is responsible for transmitting raw bits over a physical medium: voltages or light levels, timing, modulation, connectors and pin-outs. It knows nothing about the structure of the data it carries; that is left to the higher layers. Some of its standards are:

 


 

► Telephone network modems- V.92

► IRDA physical layer

► USB physical layer

► EIA RS-232, EIA-422, EIA-423, RS-449, RS-485

► Ethernet physical layer

► Varieties of 802.11 Wi-Fi physical layers

► DSL

► ISDN

► SONET/SDH

► Optical Transport Network (OTN)

► GSM Um air interface physical layer

► Bluetooth physical layer

► ITU-T physical layer recommendations

► IEEE 1394 interface

► TransferJet physical layer

 


 

In terms of equipment, the Physical layer covers cables, connectors, hubs and repeaters.

 

Data Link Layer [#2]

 

The Data Link layer (often just Link layer) moves frames between nodes on the same physical link. It is responsible for framing, hardware (MAC) addressing between directly connected nodes, detecting transmission errors (the frame check sequence) and arbitrating access to a shared medium. It does not generate HTTP status codes such as 403 or 404; those come from a web server at the application layer (#7) and are covered there. The following protocols belong to the Data Link layer:

 


 

► ARP/InARP

► NDP

► Different types of tunnels

► L2TP

► Ethernet

► DSL

► ISDN

► FDDI

► PPP

► Media Access Control

 


 

A correction to what was originally written here: a "permission denied" page and the status codes that go with it (403, 404 and friends) are HTTP responses, i.e. application-layer data carried inside a TCP stream, and tell you nothing about the link layer. They belong under the Application Layer section.

 

 

Network Layer [#3]

 

This is the third layer of the OSI model; in the TCP/IP model the corresponding layer is called the Internet layer. It provides logical addressing (IP addresses) that identifies hosts across many links, and routing and forwarding of packets hop by hop through routers from the source network to the destination network; it also handles fragmentation when a packet is larger than a link allows. Some of its protocols are:

 


 

► BGP

► ECN

► IGMP

► IPsec

► IP

► IPv4

► IPv6

► ICMP

► ICMPv6

► RIP

► OSPF

 


 

In day-to-day use we meet it as the IP (Internet Protocol) address, which identifies a host or interface on the network. Firewalls and access lists grant or deny traffic based on it, but an IP address identifies a machine, not a user, and it can be spoofed on connectionless traffic or shared by many machines behind NAT, so it must not be treated as an authentication credential.

 

Transport Layer [#4]

 

Probably one of the most important layers in the OSI model. The Transport Layer (#4) provides end-to-end communication between processes on two hosts, identified by port numbers. TCP adds connection setup, reliable and ordered delivery, flow control and congestion control; UDP is a thin, connectionless datagram service. The layer provides no confidentiality on its own: encryption belongs to TLS or IPsec, not to the transport protocol. Many Denial of Service attacks target this layer (SYN floods that exhaust the connection table, UDP floods). Some of the protocols it includes are:


 

► UDP

► TCP

► WTCP

► DCCP

► SCTP

► RSVP

► TIPC

► ALCAP

► WAP Datagram Protocol (WDP)

► XTP (Xpress Transport Protocol)

(SYN, which the original list included, is not a protocol but the flag on the first TCP segment of a connection.)

 


 

Session Layer [#5]

 

A connection between two applications is called a session. The fifth layer, the Session Layer, establishes, manages and terminates those sessions: it opens and closes them, coordinates the dialogue (who may send when) and can checkpoint a long exchange so that a broken session can be resumed. On the Internet most of this is done inside the application protocols themselves, so the assignment of the protocols below is somewhat conventional; TLS/SSL, for example, sits between TCP and the application and is described as layer 5 or layer 6 depending on who you ask. The protocols usually attributed to it are:

 


 

► NetBIOS

► SAP

► PPTP

► RTP

► Named Pipe

► SOCKS

► SPDY

► TLS/SSL

 


 

Presentation Layer [#6]

 

The sixth layer of the OSI model is the Presentation Layer. It translates between the data representation used by the application and the one used on the wire: character encodings, serialisation formats such as XDR or ASN.1, compression and, in the OSI description, encryption so that only the intended peer can read the data. Two protocols commonly assigned to it are:

 

► MIME

► XDR

 

Application Layer [#7]

 

Now the final layer of the OSI model is the Application Layer (#7). This is the layer of the protocols that programs speak directly (web, mail, name resolution, remote shells), and where things like HTTP status codes and user authentication (SSH, HTTP authentication) live. Its protocols rely on the transport layer for host-to-host delivery. Note that BGP and RIP appear here as well as under layer 3: they are routing protocols by purpose, but their messages are carried as application data over TCP (BGP, port 179) and UDP (RIP, port 520). It includes the following protocols:

 


 

► DHCP

► DHCPv6

► DNS

► FTP

► HTTP

► IMAP

► IRC

► LDAP

► MGCP

► NNTP

► BGP

► NTP

► POP

► RPC

► RTSP

► RIP

► SIP

► SMTP

► SNMP

► SSH

► Telnet
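Encapsulation across the layers described above, as an added example that is not part of the original post: the code builds a constructed Ethernet II / IPv4 / TCP frame carrying an HTTP request (layers 2, 3, 4 and 7) and then parses it back one header at a time, the way a packet filter or IDS does. Addresses are from the RFC 5737 documentation ranges and the MACs are made up; the TCP checksum is deliberately left at zero to keep the example short, which is labelled in the code.

```python
import struct

# Added example, not code from the original post. Constructed frame: the MAC
# addresses are invented, the IP addresses are documentation ranges.
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4, ICMP, TCP and UDP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(payload: bytes, src_ip="192.0.2.10", dst_ip="198.51.100.20",
                sport=51000, dport=80) -> bytes:
    """Encapsulate: L7 payload -> L4 TCP -> L3 IPv4 -> L2 Ethernet."""
    # Layer 4: 20-byte TCP header, flags PSH|ACK. The TCP checksum is left 0
    # to keep the example short (computing it needs the IPv4 pseudo-header).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18,
                      65535, 0, 0)
    # Layer 3: 20-byte IPv4 header; checksum is computed with the field zeroed.
    total_len = 20 + len(tcp) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum16(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II header; the EtherType says which layer 3 follows.
    eth = (bytes.fromhex(DST_MAC.replace(":", "")) +
           bytes.fromhex(SRC_MAC.replace(":", "")) +
           struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: strip one header per layer, letting each layer tell us
    what the next one is, and return the fields a packet filter would use."""
    layers = {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["ethernet"] = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                          "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: 0x%04x" % ethertype)

    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4             # header length in bytes
    ip_hdr = frame[ip_start:ip_start + ihl]
    if checksum16(ip_hdr) != 0:                    # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", ip_hdr[2:4])[0], ip_hdr[9]
    layers["ipv4"] = {"src": ".".join(map(str, ip_hdr[12:16])),
                      "dst": ".".join(map(str, ip_hdr[16:20])),
                      "ttl": ip_hdr[8], "protocol": proto}
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP: protocol %d" % proto)

    tcp_start = ip_start + ihl
    sport, dport, seq, ack, off, flags = struct.unpack(
        "!HHIIBB", frame[tcp_start:tcp_start + 14])
    data_off = (off >> 4) * 4
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
                     "psh": bool(flags & 0x08)}
    # Layer 7: whatever is left, bounded by the IPv4 total length rather than
    # the frame length (Ethernet pads short frames).
    layers["application"] = frame[tcp_start + data_off:ip_start + total_len]
    return layers


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for name, fields in parse_frame(frame).items():
        print(name, fields)
```

Two details worth noticing: the parser trusts each layer only as far as the next header, and it bounds the payload by the IPv4 total length instead of the frame length, because the bytes past that point are padding, not data. Flipping a single bit in the IPv4 header makes the checksum test fail, which is the difference between a layer-3 error check and the absence of any such check at layer 7 in plain HTTP.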

 


 

Denial of Service

 


 

Let's see a basic example of a Denial of Service (DoS) attack, carried out with the Slowloris script (a Perl script) against an Apache server. Let's first load up our script. What Slowloris does is open a large number of connections to the host and keep every one of them open for as long as possible: it sends the beginning of an HTTP request but never the blank line that ends the headers, and whenever a connection is about to be terminated for inactivity it sends another partial header line, which resets the server's read timeout. Apache's prefork and worker MPMs dedicate one process or thread to each connection and the number of workers is capped (MaxClients, later MaxRequestWorkers); once every worker is waiting on an incomplete request, new legitimate connections queue up and are eventually refused. Nothing crashes and the attack uses almost no bandwidth, which is why it is rarely caught by volume-based filtering and usually needs manual intervention (such as null-routing the source) unless the server has been configured against it.

 

We will start by running the script with:

 

./slowloris.pl

 

[Screenshot: http://i1067.photobucket.com/albums/u433/aeroxtk/wdada_zps8ec3071a.png]

 

First of all, in case we are not aware of the server's timeouts, the script offers a test mode. Based on how the port behaves, Slowloris estimates the timeout itself; the numbers won't be precise, but it is still recommended to start with this.

 

./slowloris.pl -dns www.site.com -port 80 -test

 

Suppose the test has given us the timeout (for example the number 1500). What we want to do now is launch the actual attack.

 

./slowloris.pl -dns www.site.com -port 80 -timeout 1500 -num 700 -tcpto 5

 

The -num switch is the number of sockets used for the attack, -timeout is the delay between the keep-alive header lines (taken from the test mode; it has to stay below the server's own timeout), and -tcpto is the TCP connection timeout, which should be left at its default value of 5.

 

[Screenshot: http://i.imgur.com/e6rnuSe.png]

 

Also, a thing that can bust our whole attack is the HTTPReady accept filter. On FreeBSD, Apache's AcceptFilter directive can hand listening sockets to the accf_http kernel accept filter, which buffers an entire HTTP request at the kernel level; only once the whole request has been received does the kernel pass the connection to the server process. Since Slowloris is based on opening connections and never finishing the request, those connections would sit in the kernel instead of tying up Apache workers, and the attack fails. However, the developer of the script thought of this: the filter only buffers GET and HEAD requests and passes anything else straight through, so the script can send the attack as POST requests instead of GET or HEAD. We use this via the -httpready switch (how ironic).

 

[Screenshot: http://i1067.photobucket.com/albums/u433/aeroxtk/123_zpsbeccc689.png]

 

Now let's have a look at some statistics. Monitoring the bandwidth usage during the attack, it is plainly visible that we use only a tiny fraction of it, yet we manage to take down an Apache server with it. On the victim's side, by comparison, most of its traffic ends in timeouts (in red). The defender's counter-measures follow from the mechanism: Apache's mod_reqtimeout (RequestReadTimeout) caps the total time a request header may take regardless of activity, a per-source connection limit (iptables connlimit, mod_qos) stops one host from holding hundreds of workers, and an event-driven front end (the event MPM or an nginx reverse proxy) does not dedicate a worker to an idle connection in the first place.
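The mechanism described in this section, as an added model that is neither the Slowloris script nor Apache code: a one-second-step simulation of a server with a fixed worker pool under a single Slowloris-like client, with the server timeouts, the attacker's keep-alive interval and the two mitigations (a total header time limit as in mod_reqtimeout, and a per-source connection limit) exposed as parameters. All numbers are assumptions chosen to be illustrative, not measurements.

```python
# Added model, not the Slowloris script and not Apache code. One-second steps;
# the server dedicates one worker to every accepted connection (prefork/worker
# style) and the attacker is a single host. All parameter values are assumed.

def simulate(workers=150, header_timeout=300, attack_sockets=700,
             keepalive_interval=200, legit_per_sec=5, duration=600,
             max_header_time=None, max_conns_per_ip=None,
             reconnect_per_sec=None):
    """Return how many legitimate requests were served and refused.

    workers            worker slots (Apache MaxRequestWorkers / MaxClients)
    header_timeout     seconds the server waits for the *next* byte of a
                       request (Apache Timeout); any activity resets it
    attack_sockets     connections the attacker tries to hold (Slowloris -num)
    keepalive_interval seconds between the attacker's partial header lines
                       (Slowloris -timeout); must stay below header_timeout
    max_header_time    optional cap on the *total* time a request header may
                       take (mod_reqtimeout RequestReadTimeout header=N)
    max_conns_per_ip   optional per-source connection limit (iptables
                       connlimit, mod_qos)
    reconnect_per_sec  how fast the attacker can reopen dropped sockets
                       (None = instantly)
    """
    held = []            # attacker connections as [opened_at, last_byte_at]
    served = refused = 0
    for t in range(duration):
        # 1. server side: close connections that hit a timeout
        survivors = []
        for conn in held:
            idle, age = t - conn[1], t - conn[0]
            if idle > header_timeout:
                continue                     # per-read timeout fired
            if max_header_time is not None and age > max_header_time:
                continue                     # total header time exceeded
            if idle >= keepalive_interval:
                conn[1] = t                  # attacker sends "X-a: b\r\n"
            survivors.append(conn)
        held = survivors
        # 2. attacker side: grab whatever worker slots are free
        free = workers - len(held)
        want = attack_sockets - len(held)
        if max_conns_per_ip is not None:
            want = min(want, max_conns_per_ip - len(held))
        if reconnect_per_sec is not None:
            want = min(want, reconnect_per_sec)
        opened = max(0, min(want, free))
        held.extend([t, t] for _ in range(opened))
        free -= opened
        # 3. legitimate clients: short requests, each needs a free worker now
        got = min(legit_per_sec, free)
        served += got
        refused += legit_per_sec - got
    return {"served": served, "refused": refused, "held": len(held)}


if __name__ == "__main__":
    print("no defence:              ", simulate())
    print("mod_reqtimeout only:     ", simulate(max_header_time=20))
    print("reqtimeout, slow reopen: ", simulate(max_header_time=20,
                                                reconnect_per_sec=30))
    print("per-source limit of 20:  ", simulate(max_conns_per_ip=20))
```

The model reproduces the behaviour described above: with default timeouts the attacker holds every worker from the first second on and not a single legitimate request is served, at negligible bandwidth. A header time limit alone forces the attacker to reconnect but buys little if it can reopen sockets instantly, while a per-source connection limit leaves most of the pool to real clients. In practice the two are combined, and an event-driven front end removes the one-worker-per-connection assumption the whole attack depends on.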

 

[Screenshot: http://i.imgur.com/XViEVT9.jpg]

 

Smurf Attacks

 

A Smurf attack is a reflected and amplified denial of service carried over IP using the Internet Control Message Protocol (ICMP). The attacker sends ICMP echo requests (pings) in large numbers to the directed broadcast address of a network (for example 192.0.2.255 for 192.0.2.0/24), with the source address spoofed to be the victim's. Every host on that network that answers broadcast pings sends its echo reply to the victim. Let me explain it a bit plainer: one small request turns into as many replies as there are responding hosts, which is the amplification, and the replies come from the intermediary network rather than from the attacker, which is the reflection.

 


 

The more hosts on the reflector network, the harder the impact: a network with hundreds of responding machines multiplies every request hundreds of times, and the attacker needs no bots of its own, only networks that still forward directed broadcasts. The spoofed source is not a random number: it is deliberately the victim's address, so that the replies land there and the attacker stays hidden behind the reflectors. Mitigation therefore sits on three sides. Routers should not forward directed broadcasts (RFC 2644; this has been the default in Cisco IOS since release 12.0), hosts should ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, which is the default), and upstream networks should drop packets with spoofed sources (ingress filtering, BCP 38). Simply blocking ICMP echo replies at the victim only discards the traffic after it has already filled the victim's link.
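The two sides of a Smurf attack as seen in traffic, as an added detection example that is not part of the original post: the ICMP records are constructed, 192.0.2.0/24 plays the reflector network we operate and 198.51.100.7 the victim whose address was spoofed (both RFC 5737 documentation ranges). The first check is what the reflector network's operator would look for (echo requests to our directed-broadcast address from a source that is not ours); the second is what the victim would see (replies from many hosts of one network in a short window).

```python
import ipaddress
from collections import defaultdict

# Added example, not from the original post. Constructed ICMP records:
# (time_s, src, dst, icmp_type); type 8 = echo request, 0 = echo reply.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: the network we defend

SAMPLE = [(0.00, "198.51.100.7", "192.0.2.255", 8)]   # request to our broadcast
                                                      # address, source = victim
SAMPLE += [(0.01 + i * 0.001, "192.0.2.%d" % (10 + i), "198.51.100.7", 0)
           for i in range(12)]                        # twelve hosts answer the victim
SAMPLE += [(5.00, "192.0.2.10", "192.0.2.20", 8),     # an ordinary LAN ping
           (5.01, "192.0.2.20", "192.0.2.10", 0)]


def directed_broadcast_requests(records, nets=OUR_NETS):
    """Echo requests aimed at one of our directed-broadcast addresses. A
    source that is not on that network is the tell-tale sign of a spoofed
    victim address."""
    hits = []
    for ts, src, dst, icmp_type in records:
        if icmp_type != 8:
            continue
        dst_ip, src_ip = ipaddress.ip_address(dst), ipaddress.ip_address(src)
        for net in nets:
            if dst_ip == net.broadcast_address:
                hits.append({"time": ts, "claimed_src": src, "broadcast": dst,
                             "src_outside_net": src_ip not in net})
    return hits


def reply_fanout(records, min_reflectors=8, window=1.0):
    """Victim-side view: one destination receiving echo replies from many
    distinct hosts within a short window. Reports the first such window per
    destination; the reflector count is the amplification factor."""
    by_dst = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == 0:
            by_dst[dst].append((ts, src))
    alerts = []
    for dst, events in by_dst.items():
        events.sort()
        for start, _ in events:
            sources = {s for t, s in events if start <= t <= start + window}
            if len(sources) >= min_reflectors:
                nets = {ipaddress.ip_network(s + "/24", strict=False)
                        for s in sources}
                alerts.append({"victim": dst, "reflectors": len(sources),
                               "reflector_nets": sorted(map(str, nets)),
                               "first_reply": start})
                break
    return alerts


if __name__ == "__main__":
    for hit in directed_broadcast_requests(SAMPLE):
        print("spoofed broadcast ping:", hit)
    for alert in reply_fanout(SAMPLE):
        print("amplified replies:", alert)
```

On the sample the ordinary LAN ping triggers neither check, the spoofed broadcast request is flagged with its outside source, and the victim sees twelve reflectors from a single /24, i.e. a twelve-fold amplification of one packet. The thresholds are assumptions; on a real sensor you would tune min_reflectors and the window to the size of the networks you see replying.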

 

Conclusion

 

I guess I kept it a bit noob-friendly for people who are new to this. All in all it took me two days, but there is a Part 2 coming soon. Thanks for reading!

 
