Tag: port

Reverse Path Forwarding

Posted on by lechuck park

From Claude with some prompting
The image explains the two main modes of Reverse Path Forwarding (RPF): Strict RPF and Loose RPF.

At the top left, three hosts are sending packets to a router. The router is determining which port to use for forwarding based on the source IP address during the routing process.

The top right explains the operation of Strict RPF. In Strict RPF, all packets are validated. It compares the port used for routing the source IP with the actual receiving port, and allows the packet only if they match.

The note under Strict RPF mentions that it prevents “No Looping (primarily for multicast)” and “No Spoofing (primarily for unicast)”. Both Strict RPF and Loose RPF can help prevent looping and spoofing to some extent.

No Looping is primarily important for multicast routing. RPF is used in multicast protocols to prevent packet loops. Both Strict RPF and Loose RPF aid in loop prevention.

No Spoofing is primarily related to security issues with unicast IP traffic. IP spoofing involves an attacker using a forged source IP address to launch network attacks. Both Strict RPF and Loose RPF are effective in mitigating IP spoofing attacks.

The bottom right explains Loose RPF. In Loose RPF, an RPF interface list for the source address is configured for each port. If the receiving port is in the RPF list for that source IP, the packet is allowed.

Therefore, while Strict RPF provides more comprehensive packet checking, Loose RPF can also help prevent looping (mainly in multicast) and spoofing (mainly in unicast) by referring to the pre-configured RPF interface lists for each port and source address.


Anomaly IP Packet header

Posted on by lechuck park

From Gemini with some prompting
Title: Anomaly Detection (IP Packet Header)

Overview:

The image illustrates the structure of an IP packet header and how to detect anomalous activities based on TCP/IP header information.

Key Elements:

  • IP Address: Identifies the server.
  • TCP/UDP Port: Used to send and receive packets.
  • Service Port Number: Port number used to connect to a specific service.
  • Service Area: IP address range where a specific service is provided.

Indicators of Anomalous Activity:

  • Unknown IP: Packets coming from unknown IP addresses.
  • Foreign IP: Packets coming from overseas IP addresses.
  • Unused Port: Packets sent to unused ports.
  • TCP/UDP Port == 0: Packets with TCP/UDP port number 0.
  • IP/TCP Checksum == 0: Packets with IP/TCP checksum 0.
  • Unused IP Protocol: Packets using unused protocols.
  • Too Large (IP.ttl): Packets with excessively large TTL values.
  • Too Many (TCP Syn): Excessive number of SYN packets.
  • Too Many (IP. fragmented): Excessive number of fragmented packets.

TCP/IP 5 tuple

Posted on by lechuck park

From DALL-E with some prompting
The image summarizes how to use the 5-tuple network criteria to check additional information and detect abnormal packet patterns. The 5-tuple includes the IP Protocol, Source IP, Source Port, Destination IP, and Destination Port, which helps to identify network communication sessions. Additional insights such as location tracking through ASN or GEO, whether a server IP is static, anonymous client IP, access to unused ports, and the usage of specific ports can be leveraged to analyze network traffic and identify security threats. This information, along with application protocols, can be utilized by network administrators to detect strange packets or unusual network activities.