MTU & MSS

From Copilot with some prompting
Certainly! Let’s clarify the distinct purposes of MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size):

  1. MTU (Maximum Transmission Unit):
    • Associated with Ethernet, MTU represents the maximum size of an Ethernet frame.
    • When data is transmitted over a network, it is divided into smaller packets (frames). MTU defines the largest size a frame can be.
    • If a frame exceeds the MTU, it will be fragmented by the outgoing network device.
    • MTU optimization aims to efficiently share network bandwidth.
  2. MSS (Maximum Segment Size):
    • Associated with TCP (Transmission Control Protocol), MSS controls the flow of data within a TCP session.
    • It specifies the largest amount of data that can be sent in a single TCP segment.
    • The sender determines how many MSS units are sent at a given time.
    • MSS plays a crucial role in TCP congestion control and affects the TCP window size.

In summary, MTU focuses on frame size in the Ethernet layer, while MSS governs data segmentation and flow control in the TCP layer.
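An added example (not from the original page or the quoted Copilot answer) showing the two sizes side by side: MSS is derived from MTU by subtracting the IP and TCP headers, TCP segments the byte stream at MSS, and IP fragments any datagram that still exceeds the MTU. IPv4 without options and a 20-byte TCP header are assumed; all sizes are constructed.

```python
# Added example: how MTU (link-layer frame limit) and MSS (TCP payload limit) relate.
# Assumptions: IPv4 header without options (20 bytes) and a TCP header without options (20 bytes).

IPV4_HEADER = 20
TCP_HEADER = 20

def mss_for_mtu(mtu: int, ip_header: int = IPV4_HEADER, tcp_header: int = TCP_HEADER) -> int:
    """MSS is the TCP payload that fits in one frame: MTU minus the IP and TCP headers."""
    return mtu - ip_header - tcp_header

def tcp_segments(stream_len: int, mss: int) -> list:
    """TCP-level segmentation: payload sizes of the segments carrying a stream of stream_len bytes."""
    return [min(mss, stream_len - off) for off in range(0, stream_len, mss)]

def ipv4_fragments(datagram_len: int, mtu: int, ip_header: int = IPV4_HEADER) -> list:
    """IP-level fragmentation of one datagram (header + payload) for a link with the given MTU.

    Returns one (total_length, more_fragments_flag, fragment_offset) tuple per fragment, where
    fragment_offset is in 8-byte units as in the IPv4 header. Every fragment except the last
    carries a payload that is a multiple of 8 bytes so the offsets stay representable.
    """
    payload = datagram_len - ip_header
    if payload <= mtu - ip_header:
        return [(datagram_len, 0, 0)]            # fits, no fragmentation needed
    per_frag = (mtu - ip_header) // 8 * 8        # largest 8-byte-aligned payload per fragment
    frags, off = [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        more = 1 if off + chunk < payload else 0
        frags.append((ip_header + chunk, more, off // 8))
        off += chunk
    return frags

def segment_needs_fragmentation(mss: int, mtu: int) -> bool:
    """A full-size segment of mss bytes needs IP fragmentation only if MSS was set too high for the MTU."""
    return len(ipv4_fragments(IPV4_HEADER + TCP_HEADER + mss, mtu)) > 1
```

With the usual Ethernet MTU of 1500 the derived MSS is 1460, and a full segment of that size travels as exactly one 1500-byte frame, whereas a 2000-byte datagram on the same link is split into a 1500-byte and a 520-byte fragment.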

Anomaly IP Packet header

From Gemini with some prompting
Title: Anomaly Detection (IP Packet Header)

Overview:

The image illustrates the structure of an IP packet header and how to detect anomalous activities based on TCP/IP header information.

Key Elements:

  • IP Address: Identifies the server.
  • TCP/UDP Port: Used to send and receive packets.
  • Service Port Number: Port number used to connect to a specific service.
  • Service Area: IP address range where a specific service is provided.

Indicators of Anomalous Activity:

  • Unknown IP: Packets coming from unknown IP addresses.
  • Foreign IP: Packets coming from overseas IP addresses.
  • Unused Port: Packets sent to unused ports.
  • TCP/UDP Port == 0: Packets with TCP/UDP port number 0.
  • IP/TCP Checksum == 0: Packets with IP/TCP checksum 0.
  • Unused IP Protocol: Packets using unused protocols.
  • Too Large (IP.ttl): Packets with excessively large TTL values.
  • Too Many (TCP Syn): Excessive number of SYN packets.
  • Too Many (IP.fragmented): Excessive number of fragmented packets.
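An added example (not from the original page or the quoted Gemini summary) that turns the indicator list above into checks over constructed packet-header records: per-packet flags for unknown source, unused port, port 0, zero checksums, unused protocol and oversized TTL, plus per-source SYN and fragment counts. The known-IP set, service ports, protocol set and thresholds are assumptions; the "Foreign IP" indicator is left out because it needs a GeoIP database.

```python
# Added example: header-level anomaly indicators over constructed packet records.
# Assumptions: the inventory sets and thresholds below are placeholders for a real deployment.
from collections import Counter

KNOWN_IPS = {"10.0.0.5", "10.0.0.9"}   # assumed known/internal peers
USED_PORTS = {22, 80, 443}              # assumed ports with a listening service
USED_PROTOCOLS = {1, 6, 17}             # ICMP, TCP, UDP; anything else counts as unused here
MAX_TTL = 128                           # assumed upper bound for hosts on this network
SYN_LIMIT = 3                           # assumed per-source SYN threshold for this tiny sample
FRAG_LIMIT = 2                          # assumed per-source fragment threshold

def header_indicators(pkt: dict) -> list:
    """Return the names of the indicators a single packet header triggers."""
    hits = []
    if pkt["src"] not in KNOWN_IPS:
        hits.append("unknown_ip")
    if pkt["proto"] not in USED_PROTOCOLS:
        hits.append("unused_protocol")
    if pkt["proto"] in (6, 17):                      # port checks only make sense for TCP/UDP
        if pkt["dport"] not in USED_PORTS:
            hits.append("unused_port")
        if pkt["sport"] == 0 or pkt["dport"] == 0:
            hits.append("port_zero")
    if pkt["ip_csum"] == 0 or (pkt["proto"] == 6 and pkt["tcp_csum"] == 0):
        hits.append("checksum_zero")
    if pkt["ttl"] > MAX_TTL:
        hits.append("ttl_too_large")
    return hits

def volume_indicators(pkts: list) -> dict:
    """Count TCP SYNs and IP fragments per source and report sources over the thresholds."""
    syns = Counter(p["src"] for p in pkts if p["proto"] == 6 and p.get("syn"))
    frags = Counter(p["src"] for p in pkts if p.get("frag"))
    return {
        "too_many_syn": sorted(s for s, n in syns.items() if n > SYN_LIMIT),
        "too_many_fragmented": sorted(s for s, n in frags.items() if n > FRAG_LIMIT),
    }

# Constructed sample headers (not captured traffic).
SAMPLE = [
    {"src": "10.0.0.5", "proto": 6, "sport": 40000, "dport": 443, "ttl": 64,
     "ip_csum": 0x1A2B, "tcp_csum": 0x3C4D, "syn": True},                      # benign
    {"src": "198.51.100.7", "proto": 6, "sport": 0, "dport": 8081, "ttl": 255,
     "ip_csum": 0x1111, "tcp_csum": 0, "syn": True},                           # several flags
    {"src": "10.0.0.9", "proto": 47, "sport": None, "dport": None, "ttl": 64,
     "ip_csum": 0x2222, "tcp_csum": None, "frag": True},                       # GRE, unused here
] + [{"src": "198.51.100.7", "proto": 6, "sport": 40001 + i, "dport": 80, "ttl": 255,
      "ip_csum": 0x1111, "tcp_csum": 0x4444, "syn": True} for i in range(4)]   # SYN burst
```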

TCP/IP 5 tuple

From DALL-E with some prompting
The image summarizes how to use the 5-tuple network criteria to check additional information and detect abnormal packet patterns. The 5-tuple includes the IP Protocol, Source IP, Source Port, Destination IP, and Destination Port, which helps to identify network communication sessions. Additional insights such as location tracking through ASN or GEO, whether a server IP is static, anonymous client IP, access to unused ports, and the usage of specific ports can be leveraged to analyze network traffic and identify security threats. This information, along with application protocols, can be utilized by network administrators to detect strange packets or unusual network activities.
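An added example (not from the original page) of using the 5-tuple as a session key: both directions of a connection are mapped to one key by placing the server side second, and the resulting sessions are checked for two of the insights named above, access to a port the server does not serve and a client spreading connections over many ports. The server inventory and threshold are assumptions; ASN/GEO lookups are omitted because they need external data.

```python
# Added example: direction-independent 5-tuple session keys and two checks built on them.
# Assumptions: SERVERS lists the static server IPs and their service ports; PORT_SPREAD_LIMIT is a placeholder.
from collections import defaultdict

SERVERS = {"10.0.0.5": {80, 443}, "10.0.0.9": {22}}   # assumed static server IPs and service ports
PORT_SPREAD_LIMIT = 3                                 # assumed: distinct server ports per client before flagging

def session_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Return (proto, client_ip, client_port, server_ip, server_port).

    The server side is the known server IP; when neither or both ends are known servers,
    the lower-numbered port is treated as the server port, so the reply packet of a session
    yields the same key as the request packet.
    """
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if src_ip in SERVERS and dst_ip not in SERVERS:
        a, b = b, a
    elif dst_ip not in SERVERS and src_port < dst_port:
        a, b = b, a
    return (proto, a[0], a[1], b[0], b[1])

def analyse(packets: list) -> dict:
    """Group packets into sessions and report unused-port access and port spreading per client."""
    sessions = defaultdict(int)
    unused_port = set()
    ports_by_client = defaultdict(set)
    for proto, sip, sp, dip, dp in packets:
        key = session_key(proto, sip, sp, dip, dp)
        sessions[key] += 1
        _, client, _, server, sport = key
        if server in SERVERS and sport not in SERVERS[server]:
            unused_port.add(key)
        ports_by_client[client].add((server, sport))
    spread = sorted(c for c, ps in ports_by_client.items() if len(ps) > PORT_SPREAD_LIMIT)
    return {"sessions": dict(sessions), "unused_port": sorted(unused_port), "port_spread": spread}

# Constructed sample 5-tuples (proto, src_ip, src_port, dst_ip, dst_port); not captured traffic.
SAMPLE = [
    (6, "192.0.2.10", 51000, "10.0.0.5", 443),
    (6, "10.0.0.5", 443, "192.0.2.10", 51000),     # reply direction of the session above
    (6, "192.0.2.10", 51001, "10.0.0.5", 8080),    # port the server does not serve
    (6, "198.51.100.7", 40000, "10.0.0.9", 22),
    (6, "198.51.100.7", 40001, "10.0.0.9", 23),
    (6, "198.51.100.7", 40002, "10.0.0.9", 25),
    (6, "198.51.100.7", 40003, "10.0.0.9", 3389),  # fourth distinct port from one client
]
```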

OSPF & BGP

From DALL-E with some prompting
The image is an illustrative diagram explaining the interaction between two key protocols used in networking: OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol).

  • In the center, we have a network labeled “AS (Autonomous System)” which is a collection of connected IP routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the internet.
  • Within the AS, the diagram shows a smaller network with purple lines connecting different nodes (routers), representing the OSPF protocol. OSPF is an interior gateway protocol used within an AS that distributes routing information between routers belonging to a single Autonomous System. The key features listed are:
    • “Sharing Link State (broadcast)” which means OSPF routers send link state advertisements to share the state of each directly connected link.
    • “with a Bandwidth” indicates that OSPF takes bandwidth into account when calculating the best route.
    • “Find Short Path (Dijkstra)” refers to OSPF using Dijkstra’s algorithm to find the shortest path through the network based on the cumulative cost of reaching each node.
  • On the right side of the diagram, there’s a larger network outlined in red, with blue lines connecting to a central node. This represents the BGP protocol, which is used between different ASes, especially at the borders. The features listed for BGP are:
    • “Border (of the AS) Gateway” which is the point where an AS connects to another AS.
    • “Sharing Routing Table between Border Gateways” means that BGP is responsible for exchanging routing information between autonomous systems, allowing them to see each other’s networks and determine the best paths.

The diagram uses solid lines to denote direct connections and dashed lines for indirect connections. The interplay between OSPF and BGP is critical for the overall functioning of the internet, with OSPF managing routes within an AS and BGP managing routes between ASes.
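An added example (not from the original page or the quoted DALL-E description) of the OSPF part of the diagram: link costs derived from bandwidth the way OSPF does by default (reference bandwidth divided by link bandwidth, 100 Mb/s reference), a link-state graph as the routers would learn it from each other's advertisements, and Dijkstra over that graph. The four-router topology is constructed.

```python
# Added example: OSPF-style bandwidth costs and Dijkstra shortest paths inside one AS.
# Assumptions: the topology below is constructed; the 100 Mb/s reference bandwidth is OSPF's classic default.
import heapq

REFERENCE_BW = 100_000_000   # 100 Mb/s

def ospf_cost(link_bw: int, reference: int = REFERENCE_BW) -> int:
    """OSPF interface cost: reference / bandwidth, truncated to an integer, never below 1."""
    return max(1, reference // link_bw)

def link_state_graph(links: list) -> dict:
    """Build an undirected adjacency map {router: {neighbour: cost}} from (a, b, bandwidth) links."""
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph

def shortest_paths(graph: dict, source: str) -> dict:
    """Dijkstra from source: returns {router: (total_cost, path_as_list)}."""
    best = {source: (0, [source])}
    heap = [(0, source, [source])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                         # stale queue entry, a cheaper path was found later
        for nxt, c in graph[node].items():
            new = cost + c
            if nxt not in best or new < best[nxt][0]:
                best[nxt] = (new, path + [nxt])
                heapq.heappush(heap, (new, nxt, path + [nxt]))
    return best

# Constructed topology: a direct 10 Mb/s link R1-R2 versus a two-hop 1 Gb/s path via R3.
LINKS = [
    ("R1", "R2", 10_000_000),       # 10 Mb/s   -> cost 10
    ("R1", "R3", 1_000_000_000),    # 1 Gb/s    -> cost 1 (0 rounds up to the minimum of 1)
    ("R3", "R2", 1_000_000_000),    # 1 Gb/s    -> cost 1
    ("R2", "R4", 100_000_000),      # 100 Mb/s  -> cost 1
]
```

Because 1 Gb/s and 100 Mb/s both floor to cost 1 with the default reference, the two-hop path R1-R3-R2 (cost 2) beats the direct 10 Mb/s link (cost 10); this is also why the reference bandwidth is raised on faster networks, so that link speeds above 100 Mb/s still differ in cost.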

Anomaly Traffic Detection#1

From DALL-E with some prompting
The flowchart illustrates a four-step network anomaly detection process:

  1. Data Collection: Gather various types of network data.
  2. Protocol Usage: Employ SNMP, SFLOW/NETFLOW, and other methods to extract the data.
  3. Analysis: Analyze Ethernet and TCP/IP header data for irregularities.
  4. Control: Implement countermeasures like blocking traffic or controlling specific IP addresses.

The expected benefits of this process include enhanced network security through early detection of anomalies, the ability to prevent potential breaches by blocking suspicious traffic, and improved network management via real-time analysis and control.

Anomaly Connection Detection #0

From DALL-E with some prompting
The image seems to illustrate the concept of anomaly detection in network security. A user is shown with a green line leading to a server, indicating normal interaction, while a red line leading from a network criminal suggests malicious activity. The network architecture is in place to mirror and tap into the data traffic, allowing for the steering of packets for closer inspection. An alert (!!) signifies the detection of an anomaly. Below, details of what is monitored are given: raw or sampled packets, TCP/IP 5-tuples, geographic IP locations, bandwidth, and new detection areas including DNS and HTTP header information. This represents a multifaceted approach to identifying and responding to potential security threats within a network.

IP network

From DALL-E with some prompting
The image presents an overview of IP network operation, emphasizing that there are two main methods by which data moves across the network. The focus is on the second method, where:

  • IP Address: Acts as the unique identifier within the internet, similar to a physical address in the real world.
  • Transmission Devices: These are network devices like switches and routers that facilitate the movement of data packets through the network.
  • Packets and Physical Connections: Data packets are routed based on their IP addresses through physical connections established within the network infrastructure.

The core message is that in an IP network, data doesn’t move on its own; it is routed based on IP addresses through devices that make the transport decisions, highlighting the importance of network infrastructure in the efficient delivery of data packets to their intended destinations.