Networking Concepts

Questions and Answers

When a router's queue is full due to congestion, what type of ICMP message is sent to notify the sender of a dropped packet?

  • Destination Unreachable
  • Time Exceeded
  • Source Quench (correct)
  • Echo Reply

What are the possible Code values that indicate that an ICMP 'Time Exceeded' message should be sent?

  • Code 0: Network unreachable, Code 1: Port unreachable
  • Code 0: Router unreachable, Code 1: Host unreachable
  • Code 0: TTL reached 0, Code 1: Packet too big.
  • Code 0: TTL reached 0, Code 1: Fragment reassembly time exceeded (correct)

Which of the following best describes how a 'Ping of Death' attack is executed?

  • By sending an oversized ICMP echo request packet that exceeds the maximum allowed IP datagram size. (correct)
  • By exploiting vulnerabilities in DNS servers to redirect traffic.
  • By sending a malformed TCP packet with invalid flags.
  • By flooding the target with a large number of small ICMP echo request packets.

In a Smurf attack, what type of address is typically used as the source address, and what type of address is used as the destination address?

The source address is a spoofed IP address; the destination address is a broadcast address. (C)

Which IPv6 header field is specifically designed to enable efficient traffic flow classification by routers based solely on the main header?

Flow Label (D)

Which layer of the OSI model do Ethernet protocols primarily operate within?

Data Link Layer (D)

What is the EtherType value for IPv6 in Ethernet frames?

0x86DD (A)

Which of the following is NOT a function of the Data Link Layer?

Logical Addressing (D)

What is the decimal value of the protocol number that identifies TCP at Layer 3?

6 (C)

Which field in the IP header is used to prevent packets from circulating endlessly in a network?

TTL (D)

What does the 'DF' flag in the IP header signify?

Don't Fragment (B)

In the context of IP headers and network congestion, what does Explicit Congestion Notification (ECN) provide that traditional TCP/IP networks do not?

A method for end-points to signal congestion before packet loss occurs. (D)

What action does an ECN-aware router take when it anticipates congestion, assuming ECN negotiation is successful?

Sets a mark in the IP header to signal impending congestion. (B)

Which of the following is a primary function of IP Options?

To introduce special-handling services to datagrams. (C)

What is a fundamental characteristic of the UDP transport protocol?

Small header size and fast transmission, but it's unreliable. (C)

In TCP, what is the role of the Acknowledgment field?

To confirm the receipt of data, ensuring reliable transmission. (D)

What does the 'Window' field in a TCP header primarily indicate?

The sender's receive window, representing available buffer space for incoming data. (D)

Among the TCP flags, what is the purpose of the PSH flag?

To request the receiver to push/send the data immediately without buffering. (D)

How does TCP's Sequence Number contribute to reliable data transmission?

By enabling the reordering of received datagrams to ensure correct data assembly. (C)

Consider a scenario where a network administrator is diagnosing a slow file transfer issue. They capture packets and notice the TCP window size advertised by the receiver is consistently small. Analyzing further, they observe frequent retransmissions of the same segments. What is the most likely cause of this issue, assuming no routing or physical layer problems?

The sender is overrunning the receiver's buffer, leading to dropped packets and retransmissions. (D)

A security researcher discovers an unpatched legacy system on the network that utilizes IP Options for a proprietary routing protocol. The researcher successfully crafts packets with manipulated IP Options to redirect traffic through a compromised host under their control without disrupting the network's primary routing infrastructure. Which vulnerability is MOST directly exploited in this scenario?

Source Routing Exploitation: The attacker leverages IP Options features to override standard routing policies and divert traffic. (D)

Which TCP flag is used to initiate a connection?

SYN (C)

What is the purpose of the TCP three-way handshake?

To establish a reliable connection between two hosts. (C)

In TCP, what happens when a sender does not receive an acknowledgment (ACK) for a sent packet within a certain timeout period?

The sender retransmits the packet. (B)

What is the primary function of a sliding window in TCP?

Flow control (A)

What is the purpose of ICMP (Internet Control Message Protocol)?

To report errors and update routing information. (C)

Which of the following scenarios would most likely require the use of ICMP?

A router needs to inform a host that a packet's TTL has expired. (A)

What does the 'delayed ACK' mechanism in TCP aim to improve?

Network efficiency by reducing the number of ACK packets sent. (C)

Which of the following flags indicates that a TCP connection should be terminated?

FIN (D)

Consider a scenario where a TCP sender transmits packets at a rate exceeding the receiver's processing capability. Which mechanism is primarily responsible for preventing the sender from overwhelming the receiver?

The sliding window and flow control mechanisms (A)

A host sends a TCP packet with the ECE and CWR flags set. What does this indicate?

The host has received notification of congestion and has reduced its congestion window. (D)

Which of the following is a characteristic of UDP?

Provides message-oriented data transmission and operates without acknowledgements. (D)

What is the primary function of ICMP?

To provide feedback about network operations, like errors or changes in routes. (A)

Which ICMP type is used to determine if a host is reachable?

Echo Request (B)

What does the 'Code' field in an ICMP message specify?

A more specific reason or subtype for the ICMP message. (B)

Which of the following ICMP messages falls under the 'Reporting' category?

Destination Unreachable (D)

In the context of ICMP 'Ping', what is the purpose of the 'Identifier' and 'Sequence Number' fields?

To correlate replies with corresponding requests, especially in environments with multiple concurrent pings. (A)

What is a key reason TCP is preferred over UDP for applications requiring high reliability?

TCP automatically retransmits lost data packets and ensures data is received in the correct order. (C)

An application sends a series of UDP packets. What mechanisms, if any, guarantee that these packets will arrive at the destination in the order they were sent?

UDP does not guarantee the order of packet arrival; packets may be received out of order. (D)

A network administrator observes frequent 'Source Quench' ICMP messages. What does this indicate, and why is it rarely used today?

It indicates a request to reduce the transmission rate due to network congestion; it's deprecated because modern congestion control mechanisms are more effective. (B)

Consider a scenario where a network device sends an ICMP 'Redirect' message. Under what specific circumstances would this message be generated, and what problem is it intended to solve?

When a router identifies that a host is using a suboptimal gateway, it sends a Redirect message to inform the host of a better first-hop router for a specific destination. (B)

Flashcards

Protocol Headers

Defines how devices format data for transmission on a network.

Layer 2 Sublayers

Breaks the Data Link Layer into Logical Link Control (LLC) and Media Access Control (MAC).

Data Link Layer Functions

Used for framing, physical addressing and error control in data transmission.

IP Addresses

Used to logically address hosts in Layer 3.

Netmask

Identifies the network portion of an IP address.

TOS (Type of Service)

Deprecated field in IP header, replaced by DSCP for traffic prioritization.

TCP/IP Congestion Signaling

Signals network congestion by dropping packets.

ECN (Explicit Congestion Notification)

A method where a router marks packets instead of dropping them to signal congestion.

IP Options

Special instructions added to IP packets for specific handling.

IP Options Examples

Examples include traceroute, router alert and record route

UDP (User Datagram Protocol)

A fast but unreliable transport protocol with a small header.

Port Address

Specifies the application or service using a port.

Sequence Number

Reassembles fragmented data into the correct order

Window (in TCP)

Indicates space available for incoming data.

PSH Flag

Push/Send data immediately.

ACK Flag

Confirming successful receipt of data.

UDP

A connectionless protocol that sends data immediately without establishing a connection.

TCP

A connection-oriented protocol that establishes a connection before sending data, ensuring reliable delivery.

TCP Reliability

Ensures data packets are delivered; retransmits if errors are detected.

UDP Data Sequencing

Data received might be unordered.

UDP Speed

Fast due to no connection establishment, acknowledgement, or retransmission.

UDP Header Size

8 bytes (smaller than TCP)

UDP Transmission

Point-to-point, multicast, and broadcast.

UDP Applications

Applications prioritizing speed where data loss is tolerable.

ICMP

Used for network diagnostics and error reporting.

ICMP Type

Used to identify the specific type of ICMP message such as Echo Request or Destination Unreachable.

Destination Unreachable Message

An ICMP message sent by a router to indicate that it cannot route a packet to its destination.

Source Quench Message

An ICMP message a congested router sends to the source, indicating it's dropping packets due to queue overflow. The host should slow down transmission.

Time Exceeded Message

An ICMP message indicating a datagram was dropped because its TTL reached 0 or fragment reassembly time exceeded.

Ping of Death

A denial-of-service attack involving sending an oversized ICMP echo request (ping) to crash or hang the target system.

Smurf Attack

A distributed denial-of-service attack that spoofs the source IP address and sends ICMP echo requests to a broadcast address, flooding the target with responses.

RST Flag (TCP)

Aborts a connection in response to an error.

SYN Flag (TCP)

Initiates a TCP connection.

FIN Flag (TCP)

Gracefully closes a TCP connection.

CWR Flag (TCP)

Indicates the congestion window is reduced.

ECE Flag (TCP)

Echoes that congestion notification was received.

TCP Three-Way Handshake

A process to establish a reliable TCP connection, involving SYN, SYN-ACK, and ACK packets.

TCP Acknowledgment & Retransmission

Ensures reliable data transfer by acknowledging received packets. If a packet is lost, the sender retransmits it after a timeout.

TCP Efficient Transmission Method

The sender continues to send packets without waiting for an acknowledgment of each packet. If the window is full, the sender stops and waits for ACKs.

TCP Sliding Window

It is used for flow control. The receiver advertises a window size to the sender, indicating how much data it can receive. The sender must not send more data than the window size allows.

ICMP (Internet Control Message Protocol)

Used to report errors, handle abnormal conditions, and update routing information between network devices.

Study Notes

  • The presentation covers protocol headers and focuses on understanding main protocols.
  • IPv4, TCP, UDP, ICMP, IPv6 and ICMPv6 headers will be reviewed.
  • Layer 2 is divided into two sub layers: Logical Link Control (LLC) and Media Access Control (MAC).
  • Ethernet type for IPv4 is 0x800, for IPv6 is 0x86DD, and for ARP is 0x806
  • Ethernet functions include framing and physical addressing
  • Error control checks if a received frame is corrupted; in Ethernet, corrupted frames are discarded.
  • Layer 2 Ethernet header contains Destination MAC address (6 bytes), Source MAC address (6 bytes), Ether type (2 bytes), Data (46 to 1500 bytes), and FCS (4 bytes).

Layer 3

  • IPv4 uses 0x800 as the Ether type
  • IP addresses are used to logically address hosts in Layer 3
  • A netmask is used for identifying the network address of every IP address to contact.
  • If the network address is similar to the receiving device's network address, the frame is sent to the destination using the NIC interface with the destination MAC address of the receiving device.
  • If the network address is different, the frame goes to the gateway (router), which is responsible for delivering the packet to its destination

IPv4 Packet Header Format Important Fields

  • Version indicates the IP version.
  • IHL is the IP Header Length.
  • DSCP is the Differentiated Services Code Point.
  • ECN is the Explicit Congestion Notification.
  • Identification specifies the Identification number
  • Flags indicate fragmentation flags.
  • Time to Live indicates how long the packet is good for
  • Protocol signifies what protocol is being used
  • Source IP Address describes the sender's IP address
  • Destination IP Address describes the receiver's IP address
  • Options are enabled if the IHL is greater than 5
  • Total Length indicates the length of the IP packet
  • Fragment Offset specifies where the fragment belongs
  • Header Checksum allows for error correction

Layer 3 Protocol Values and Names

  • 1 is Internet Control Message Protocol (ICMP)
  • 2 is Internet Group Management Protocol (IGMP)
  • 6 is Transmission Control Protocol (TCP)
  • 17 is User Datagram Protocol (UDP)
  • 50 is Encapsulating Security Payload (ESP)
  • 51 is Authentication Header (AH)

IP

  • TOS (Type of Services) has been deprecated after the publication of RFC2474.
  • DSCP stands for Differentiated Services Code Point.
  • ECN is Explicit Congestion Notification
  • Identifier: A unique value per source/destination address and datagram protocol
  • DF (Don't Fragment): This flag indicates no fragmentation of the packet should occur
  • MF (More Fragments): This flag indicates there are more fragments
  • TTL: Time to live

IP | Explicit Congestion Notification

  • Commonly, TCP/IP networks signal congestion by dropping packets.
  • With successful ECN negotiation, an ECN-aware router can mark the IP header instead of dropping the packet to signal impending congestion.
  • The receiver echoes the congestion indication to the sender, which reduces its transmission rate as if it detected a dropped packet.

IP Options

  • IP options allow specialized handling by routers for datagrams or packets.
  • Traceroute, Router Alert, and Record Route are a few examples of IP options.

UDP

  • UDP is a transport protocol for sending messages.
  • UDP has a small header size.
  • Speed is fast but unreliable
  • UDP header contains:
    • Source Port (16 bits)
    • Destination Port (16 bits)
    • Message Length
    • Checksum
    • Data

TCP

  • TCP is a connection-oriented and reliable transport protocol.
  • The Acknowledgment field makes it a reliable transmission protocol.
  • Port address: Addresses applications/services.
  • Sequence Number: Used for reordering received datagrams.
  • Header Length and Data Offset are specified.
  • Code Bits (Flags): Provide control information
  • Window: Sender's receive window specifies buffer space for incoming data which indicates how much data can be sent before requiring an acknowledgment in return.

TCP Flags

  • URG: Urgent data (rarely used)
  • ACK: Acknowledge received data
  • PSH: Push/send data immediately
  • RST: Aborts a connection in response to an error
  • SYN: Initiates a connection
  • FIN: Closes a connection
  • New flags added at Reserved are (10 or 01=ECN-Capable, 11 =Congestion Encountered)
    • CWR: Congestion Window Reduced
    • ECE: Explicit Congestion Notification Echo

TCP | Three-Way Handshake

  • SYN: The client sends a synchronization packet to the server.
  • SYN-ACK: The server acknowledges the client's synchronization request, and sends its own.
  • ACK: The client completes the connection with the server and acknowledges the server's packet.
  • ESTABLISHED: the connection is active

TCP Acknowledgment and Retransmission

  • The sender sends a packet.
  • The receiver receives the packet and sends an acknowledgement packet back to the sender.
  • If the sender does not receive an acknowledgement packet, it resends the initial packet.
  • Packet Loss, ACK loss, and ACK delayed scenarios covered

TCP | Efficient Transmission Method

  • Sliding windows are used to control flow

Error and Control Messages in the IP

  • Communication among routers and hosts is sometimes necessary, to report errors, handle abnormal conditions, and to update routing information.
  • The Internet Protocol defines the Internet Control Message Protocol (ICMP) for these types of messages

TCP vs UDP

  • TCP establishes a connection before sending data, guarantees delivery of data packets, checks for and requests retransmission of errors, reorders data, and provides flow control, making it reliable and suitable for applications demanding high reliability.
  • UDP is connectionless, immediately sends data, does not guarantee delivery, discards segments/datagrams with errors, does not reorder data, and lacks flow control, making it fast but unreliable and suitable for applications that prioritize speed over reliability and when data is not critical

ICMP

  • Encapsulated as the datagram data area within an IP packet
  • Includes an ICMP header and ICMP data, encapsulated by an IP header and frame header.

ICMP Fields

  • Type: Identifies the message type.
  • Code: Identifies the subtype.
  • Checksum for error checking

ICMP | Type (RFC6918)

  • Reporting
    • 3: Destination Unreachable
    • 4: Source Quench (Deprecated)
    • 6: Alternate Host Address (Deprecated)
    • 11: Time Exceeded
    • 12: Parameter Problem
  • Discovery
    • 0: Echo Reply
    • 5: Redirect
    • 8: Echo Request
    • 9: Router Advertisement
    • 10: Router Solicitation
    • 13: Timestamp
    • 14: Timestamp Reply

ICMP Ping Echo Request and Reply Messages

  • Type: Identifies the message type.
  • Code: Identifies the subtype.
  • Identifier and Sequence Number: The sender can use these to identify which reply belongs to which process and request.
  • TYPE (8 or 0)
  • CODE (0)
  • CHECKSUM
  • SEQUENCE NUMBER
  • OPTIONAL DATA

Destination Unreachable Messages

  • Sent when a router can't route the packet
  • TYPE (3)
  • CODE (0-12)
  • CHECKSUM
  • UNUSED (MUST BE ZERO)
  • INTERNET HEADER + FIRST 64 BITS OF DATAGRAM

ICMP | Congestion and Datagram Flow Control

  • Hosts can overwhelm a router with packets, causing their queue to reach its limit.
  • When a router's queue is full (buffer overflow), any new received packets are dropped, and the sender is notified using a Source Quench ICMP message.
  • Hosts can send Source Quench ICMP messages to other hosts sending datagrams faster than they can process.
  • TYPE (4)
  • CODE (0)
  • CHECKSUM
  • UNUSED (MUST BE ZERO)
  • INTERNET HEADER + FIRST 64 BITS OF DATAGRAM

ICMP | Source Quench Messages

  • Congested routers send one for every datagram they drop.
  • Hosts that receive one can slow datagram transmissions.
  • TYPE (4)
  • CODE (0)
  • CHECKSUM
  • UNUSED (MUST BE ZERO)
  • INTERNET HEADER + FIRST 64 BITS OF DATAGRAM

ICMP | Time Exceeded

  • Indicates that a datagram is dropped.
    • Code 0: TTL reached 0
    • Code 1: Fragment reassembly time exceeded
  • TYPE (11)
  • CODE (0 or 1)
  • CHECKSUM
  • UNUSED (MUST BE ZERO)
  • INTERNET HEADER + FIRST 64 BITS OF DATAGRAM

Security Issues

  • ICMP can be exploited
    • Denial of service attack
    • Scan networks for available hosts

ICMP | Ping Packet Overflow Attack (Ping of Death)

  • A denial-of-service attack sends an improperly large ICMP echo request packet (a "ping") to cause the destination system to fail.
  • The IP specification allows IP datagrams of up to 65,535 octets.
  • If an IP system can't process long IP packets correctly, the ping packet can overflow the input buffer and cause a fatal system error
  • Packet Header (20 Bytes)
  • ICMP Header (8 Bytes)
  • ICMP Data (65,510 Bytes)

ICMP | Smurf Attack (ICMP Flood)

  • It is a form of a distributed denial-of-service attack.
  • Source address is a spoofed IP address
  • Destination address is a broadcast address.

IPv6

  • Traffic Class/Priority: Used for traffic management
  • Flow Label: Used to label a flow to request special handling by routers.
  • Enables efficient IPv6 flow classification with main header fields in fixed positions.
  • Next Header replaces protocol and header length fields in IPv4 header.
  • 40 octets Basic Header

ICMPv6

  • ICMPv6 Type descriptions include:
    • 1: Destination Unreachable
    • 128: Echo Request
    • 129: Echo Reply
    • 133: Router Solicitation
    • 134: Router Advertisement
    • 135: Neighbor Solicitation
    • 136: Neighbor Advertisement
  • IPv6 header and next header = 58

ICMPv6 | Echo

  • Type: Identifies the ICMPv6 message type (128 for Echo Request, 129 for Echo Reply).
  • Code: Not used; set to 0.
  • Checksum: 16-bit checksum field for the ICMP header.
  • Identifier: An optional field to help in matching Echo Request and Echo Reply messages.
  • Sequence Number: A number to help in matching Echo Request and Echo Reply messages.
  • Optional Data: Additional data in the Echo Request is copied into the Echo Reply sent back to the source.

Description

Questions cover ICMP messages, network attacks, IPv6, OSI model layers, and Ethernet protocols. Key concepts include packet dropping, Smurf attacks, traffic flow classification, and TCP protocol identification. The quiz tests understanding of data link layer functions and IP header fields.