Saturday, July 24, 2010

TCP Explained.

Always on time!! The Transmission Control Protocol (TCP) provides applications with a reliable, connection-oriented service and provides a full logical path between two hosts on disparate networks.

This article is an attempt to detail the different fields available in the TCP segment.

Source and Destination Port: Each is a 16-bit field that specifies the source or destination application for the encapsulated data.


RFC 1700 describes all the port numbers in common and not-so-common use (http://www.ietf.org/rfc/rfc1700.txt).

A port number for an application, combined with the IP address of the host where the application resides, is called a socket.
Sequence Number: It is a 32-bit identifier which identifies where the encapsulated data fits within the data stream.
If the sequence number of a segment is 1 and the segment contains 512 octets, the next segment should have a sequence number of 1+512=513.
Acknowledgment Number: It is a 32-bit field which tells the sequence number the source expects to receive next from the destination.
If a host receives an acknowledgment number that doesn't match the next sequence number it intends to send, it concludes that packets sent earlier have not reached the destination, and it will re-transmit them.

Header Length: Also called the data offset, it is a four-bit field that indicates the length of the header in 32-bit words and hence where the data begins.

Reserved Field: Six bits, which are always set to zero.

Flags: Six 1-bit flags that are used for data flow and control.
URG -Urgent
ACK-Acknowledgment
PSH-Push
RST-Reset
SYN-Synchronize
FIN-Final

Window Size: A 16-bit field used for flow control. It specifies the number of octets, starting with the octet indicated by the acknowledgment number, that the sender of the segment will accept from its peer.
In other words, it specifies how much data the sender can handle or process at a time.


Checksum: A 16-bit field covering both the header and the encapsulated data, allowing error detection.
Urgent Pointer: Again a 16-bit field, used only when the URG flag is set; the urgent pointer added to the sequence number indicates the end of the urgent data.

Options: An optional field. One good example is Maximum Segment Size, which indicates the maximum segment size the sender is willing to accept.

The remainder of the field is padded with zeroes to ensure that the header length is a multiple of 32 octets.

Below is an example of the TCP packet capture details as shown by Wireshark.

Friday, July 23, 2010

A sneak peek into the IP packet.


Though most of us know about the IP packet, here is an attempt to explain the IP packet by detailing each and every field it has.

Ok.. now let's sneak into an IP packet..

Version: Identifies which version of IP (either IPv4 or IPv6) this packet belongs to. It is a four-bit field, usually set to binary 0100.


Header Length: Also a 4-bit field in the IP packet and, as the name implies, it tells the length of the IP header.
The minimum length of an IP header is 20 octets, and it can scale up to 24 octets.
TOS (Type of Service): An 8-bit field which can be broken down into two parts: a) Precedence, which indicates the priority (very urgent, urgent or normal delivery) of the packet, and b) TOS, where the priority of delivery is decided based on throughput, delay, reliability and monetary cost factors.

And yep!! This precedence is used in QoS (Quality of Service) applications.

Total Length: The total length of the IP packet including the header, in octets, ranging from 16 to 65,535 octets. This field consists of 16 bits.

Identifier: Imagine you are sending a 5000-byte packet into the network and it encounters a data link whose MTU is set to 1500 bytes, which means that link can handle only 1500 bytes at a time. In that case the entire packet is fragmented into chunks of not more than 1500 bytes, and the router marks each fragment with the same number in the Identifier field so that the receiving device can identify the fragments that go together in the end. This field consists of 16 bits.

Flags: A three-bit field where the first bit is unused. The second is the Don't Fragment (DF) bit. When this bit is set to on (1), the device handling the packet cannot fragment it.

If the incoming packet is larger than the device can handle and it is not allowed to fragment, the device drops the packet and sends an error message to the source of the packet. Setting the DF bit deliberately is therefore a way to determine the MTU on a network.

The third bit is the MF (More Fragments) bit. When a device fragments a packet it sets the MF bit to one on every fragment, and on the last fragment, where no more fragments follow, it sets the MF bit to zero.

Fragment Offset: Specifies the offset of this fragment within the original packet, so that fragmented packets can be reassembled in the correct order at the end.

TTL (Time To Live): You know it.. when a packet starts its journey towards its destination in a network, as it passes through each hop (router) the initially set TTL value is decremented by one. This prevents lost packets from wandering endlessly through an internetwork: when the TTL value reaches zero the packet is discarded and an error message is sent to the source.

Protocol: Indicates which transport layer protocol this packet is destined for (examples: 1 is for ICMP, 6 for TCP and 17 for UDP).

Header Checksum: It is used for error checking of the header only, not of the encapsulated data. It is a 16-bit field where the checksum is calculated at the source; once the packet is received at the destination the checksum is calculated again, and if the checksums match exactly (all ones) it proves that the packet was received intact, without any errors.

Source and Destination Address: We all know about this! Each is a 32-bit IP address identifying the source and the destination.

Options: It's optional!! Only used when the packet needs to contain source-generated information, or for other routers to enter information like timestamps, or for strict source routing, where it is strictly defined through which router interfaces the packet should be routed.

Padding ensures that the header ends on a 32-bit boundary by adding extra zeroes after the Options field until a multiple of 32 is reached.

Wireshark capture of an IP packet as below:
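As an added example, not part of the original posts, the following Python decodes the fields walked through above for the IP packet and, in the earlier post, for the TCP segment: version, header length, DF/MF flags and fragment offset, TTL and protocol on the IP side; ports, sequence and acknowledgment numbers, data offset, flags, window, urgent pointer and the MSS option on the TCP side. It also verifies both checksums (the IP header checksum, and the TCP checksum computed over the pseudo-header plus segment) with the RFC 1071 one's complement sum. The sample packet is constructed in the code, not taken from a capture.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                                     # odd length: pad with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    vi, tos, tlen, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vi & 0x0F) * 4                                   # header length: 32-bit words -> octets
    return {"version": vi >> 4, "header_len": ihl, "tos": tos, "total_len": tlen, "id": ident,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "frag_offset": (ff & 0x1FFF) * 8,
            "ttl": ttl, "protocol": proto, "src": src, "dst": dst, "payload": pkt[ihl:tlen],
            "checksum_ok": checksum(pkt[:ihl]) == 0}        # an intact header re-sums to zero

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")     # bit 0 .. bit 5 of the flags octet

def parse_tcp(seg: bytes, src: bytes, dst: bytes) -> dict:
    sport, dport, seq, ack, off, flags, win, _, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off >> 4) * 4                                   # data offset: 32-bit words -> octets
    opts, i, mss = seg[20:doff], 0, None
    while i < len(opts) and opts[i] != 0:                   # kind 0 ends the option list
        if opts[i] == 1:                                    # kind 1 (NOP) is a single octet
            i += 1
            continue
        kind, length = opts[i], (opts[i + 1] if i + 1 < len(opts) else 0)
        if length < 2: break                                # malformed or truncated option
        if kind == 2 and length == 4:                       # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))  # pseudo-header: addresses, zero, proto, length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": doff,
            "flags": [n for b, n in enumerate(TCP_FLAGS) if flags & (1 << b)], "window": win,
            "urgent_ptr": urg, "mss": mss, "payload": seg[doff:],
            "checksum_ok": checksum(pseudo + seg) == 0}     # TCP checksum spans pseudo-header + segment

def build_sample() -> bytes:
    """Constructed IPv4 packet carrying a TCP SYN with an MSS option (not a real capture)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    opts = struct.pack("!BBH", 2, 4, 1460)                  # MSS option: kind 2, length 4, value 1460
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 8192, 0, 0) + opts
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def decode(pkt: bytes) -> dict:
    """Decode one IPv4 packet and, when the protocol is 6, the TCP segment it carries."""
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"]) if ip["protocol"] == 6 else None
    return {"ip": ip, "tcp": tcp}
```

Flipping any octet of the sample makes the corresponding checksum check fail, which is exactly the error detection the checksum fields provide.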

Sunday, July 4, 2010

A Tour inside an IPsec Tunnel..

Internet Protocol security (IPsec) is a suite of protocols for securing network connections or a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec provides mechanism, not policy: rather than defining such-and-such encryption algorithm or a certain authentication function, it provides a framework that allows an implementation to provide nearly anything that both ends agree upon… I mean anything!!

Terms used in IPSec

AH versus ESP

Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two main wire-level protocols used by IPsec. Where AH only authenticates, ESP does both encryption and authentication. They can be used independently of one another, or they can be combined.

Tunnel mode versus Transport mode

Transport mode only encapsulates the IP packet's payload (data), whereas tunnel mode encapsulates the entire IP packet and creates a secure end-to-end tunnel between two peers across the untrusted public network (Internet).

MD5/SHA1 and DES/3DES/AES…

Setting up an IPsec connection involves all kinds of crypto choices:

Authentication :

Authentication computes an Integrity Check Value (ICV) over the packets to be sent, based on a cryptographic hash algorithm such as MD5 or SHA. It incorporates a secret key known only to both ends. Once the packet reaches the destination the ICV is calculated again, and if the sender's ICV is the same as the recipient's, the packet is successfully authenticated.

AH always provides authentication, and ESP does so optionally.

Encryption:

Encryption modifies the packet data into an unreadable format based on algorithms like DES, 3DES or AES, which is reversible to the original format by decrypting with the same algorithms.

Main mode versus aggressive mode:

"Main mode" requires six packets back and forth, but affords complete security during the establishment of an IPsec connection, while aggressive mode uses only 3 exchanges, providing a bit less security because some information is transmitted in clear text. We will talk about this in detail…

Main mode is preferred because:

· Main mode is partially encrypted, from the point at which the shared DH key is known to both peers.

· Main mode is less susceptible to Denial of Service (DoS) attacks. In main mode, the DH computation is performed after authentication. In aggressive mode, the DH computation is performed parallel to authentication. A peer that is not yet authenticated can force processor intensive Diffie-Hellman computations on the other peer.

In symmetric cryptographic systems, both communicating parties use the same key for encryption and decryption. The material used to build these keys must be exchanged in a secure fashion. Information can be securely exchanged only if the key belongs exclusively to the communicating parties.

IKE

The goal of the Internet Key Exchange (IKE) is for both sides to independently produce the same symmetrical key. This key then encrypts and decrypts the regular IP packets used in the bulk transfer of data between VPN peers. IKE builds the VPN tunnel by authenticating both sides and reaching an agreement on methods of encryption and integrity. The outcome of an IKE negotiation is a Security Association (SA).

It needs to be noted that this agreement upon keys and methods of encryption must also be performed securely. For this reason IKE is composed of two phases. The first phase lays the foundation for the second.

Diffie-Hellman (DH) is that part of the IKE protocol used for exchanging the material from which the symmetrical keys are built. The Diffie-Hellman algorithm builds an encryption key known as a "shared secret" from the private key of one party and the public key of the other.

IKE Phase I

During IKE Phase I:

1. The peers authenticate, either by certificates or via a pre-shared secret.

2. A Diffie-Hellman key is generated. The nature of the Diffie-Hellman protocol means that both sides can independently create the shared secret, a key which is known only to the peers.

It happens something like this:

a) From a pool of random bits, each side produces a DH private key.

b) Each peer derives a public key from its private key.

c) Public keys are exchanged between the two sites.

d) Each side creates a shared secret from its own private key and the public key received from the peer (we call it the shared key or DH key).

This DH key is then used to exchange:

3. Key material (random bits and other mathematical data) as well as an agreement on methods for IKE Phase II. This lays the foundation for IKE Phase 2 (Quick mode/IPsec mode).

IKE Phase 2:

IKE Phase II is encrypted according to the keys and methods agreed upon in IKE Phase I. The key material exchanged during IKE Phase II is used for building the IPsec keys.

The outcome of Phase II is the IPsec Security Association. The IPsec SA is an agreement on keys and methods for IPsec; thus IPsec takes place according to the keys and methods agreed upon in IKE Phase II.

How things work in IKE Phase 2:

a) The peers exchange more key material and agree upon encryption (AES, DES, 3DES) and integrity (MD5, SHA1) methods for IPsec.

b) The DH keys created in Phase 1 are combined with the key material to produce the symmetrical IPsec keys.

c) The symmetric IPsec keys are used in bulk data transfer.

In summary:

1. IKE negotiations build the tunnel.

2. IPsec keys are used to create encrypted IP packets for transferring the data.

3. The data payload is encrypted using various encryption mechanisms like DES, AES..

4. Data integrity is ensured with one-way hash functions like MD5, SHA1.

5. Data is transferred over the tunnel.

Perfect Forward Secrecy (PFS)

Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys. Security gateways meet this requirement with a PFS mode. When PFS is enabled, a fresh DH key is generated during IKE phase II, and renewed for each key exchange.

However, because a new DH key is generated during each IKE Phase I, no dependency exists between these keys and those produced in subsequent IKE Phase I negotiations. Enable PFS in IKE Phase II only in situations where extreme security is required.
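As an added example, not part of the original post, the following Python walks through steps a) to d) of the Phase I Diffie-Hellman exchange and then shows what PFS changes in Phase II: with PFS the IPsec key comes from a fresh DH exchange, without it the Phase I DH key is reused, so anyone who recorded the (cleartext) nonces and later obtains the Phase I secret can re-derive that IPsec key. The group parameters and the HMAC-based key derivation are simplified stand-ins chosen for this illustration; real IKE uses standardized MODP groups and its own SKEYID formulas.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: 2**127 - 1 is a Mersenne prime, far too small
# for real use; IKE negotiates standardized MODP groups instead (not shown here).
P = 2**127 - 1
G = 3

def dh_keypair():
    """Steps a and b: a private key from random bits, and the public key derived from it."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> int:
    """Step d: the shared secret from one's own private key and the peer's public key."""
    return pow(peer_pub, priv, P)

def derive_key(secret: int, nonce_i: bytes, nonce_r: bytes, label: bytes) -> bytes:
    """HMAC-based derivation from the DH secret plus both nonces (illustrative, not IKE's SKEYID)."""
    prk = hmac.new(nonce_i + nonce_r, secret.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.new(prk, label, hashlib.sha256).digest()

def phase1() -> dict:
    """Phase I: each peer makes a DH key pair, public keys cross the wire (step c), both get one secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces travel in the clear
    k_a, k_b = dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)
    assert k_a == k_b                                             # both sides hold the same DH key
    return {"dh": k_a, "nonces": (n_i, n_r), "skeyid": derive_key(k_a, n_i, n_r, b"phase1")}

def phase2(p1: dict, pfs: bool) -> dict:
    """Phase II: fresh nonces; with PFS a fresh DH exchange, without PFS the Phase I DH key is reused."""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        secret = dh_shared(a_priv, b_pub)
        assert secret == dh_shared(b_priv, a_pub)
    else:
        secret = p1["dh"]
    return {"nonces": (n_i, n_r), "ipsec_key": derive_key(secret, n_i, n_r, b"ipsec")}

def from_phase1_secret(p1: dict, p2: dict) -> bytes:
    """What someone who recorded the nonces and later obtains the Phase I DH secret can derive."""
    n_i, n_r = p2["nonces"]
    return derive_key(p1["dh"], n_i, n_r, b"ipsec")
```

Without PFS the re-derived value equals the real IPsec key; with PFS it does not, because the Phase II key depends on DH private values that never leave the peers.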

Saturday, July 3, 2010

Life Cycle of a Malware.

Well, almost everyone reading this article knows about computer viruses. Though it's nothing new to us, this article is an attempt to give a bit more detailed information on this and on the life cycle of a computer worm. The life cycle of a computer virus or malware is no different from that of a biological virus.

Here We go!!

Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term used to refer to viruses, Trojans, and worms. Malware, depending on its type, may or may not include replicating and non-replicating malicious code.

Due to the many facets of malicious code or a malicious program, referring to it as malware helps to avoid confusion. For example, a virus that also has Trojan-like capabilities may be called malware.

Hence, now we will see what exactly the differences are between a virus, a Trojan and a worm.

What is a virus?

A computer virus is a program, a piece of executable code, that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of executable file and are spread as files that are copied and sent from individual to individual.
In addition to replication, some computer viruses share another commonality: a damage routine that delivers the virus payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. If the virus does not contain a damage routine, it can still cause trouble by consuming storage space and memory, and degrading the overall performance of your computer.

What is a Trojan?

A Trojan is back-door malware that performs a malicious action, but has no replication abilities. Named after Greek mythology's Trojan horse (do you remember that Hollywood flick Troy??), a Trojan may arrive as a seemingly harmless file or application, but actually has some hidden malicious intent within its code.
Trojan malware usually has a payload. When a Trojan is executed, you may experience unwanted system problems in operation, and sometimes loss of valuable data. A good example is key loggers: once your computer is compromised with a keylogger, every keystroke on your computer is logged, and the detailed information of whatever you typed (like passwords) is either stored on the local drive for future access by the intruder, or sent to the intruder at a remote location via e-mail.

What is a worm?

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.
More recent worms have also discovered ways to propagate using Instant Messengers, via file sharing applications, and by collaborating with other malware such as Trojans or other worm variants.
WORM_BAGLE.BE, for example, forms a vicious worm-Trojan cycle with TROJ_BAGLE.BE, in which the worm mass-mails copies of the Trojan, and the Trojan downloads copies of the worm.
Some worms may have an additional payload, such as preventing a user from accessing antivirus Web sites, or stealing the licenses of installed games and applications.

Now let us talk about the evolution and the life cycle of a virus. It includes 5 phases.

Phase 1: Creation: To create a computer virus/malware one needs to have knowledge of coding. Nowadays, anyone with basic knowledge of coding and access to the internet (where you will find plenty of self-tutorial websites that teach how to write a virus) can create a virus.

Phase 2 : Replication and Propagation

Not all malware has these replication and propagation capabilities. Trojans can only be downloaded from a link or by installing a masked application pretending to be genuine.

Viruses, on the other hand, can replicate via e-mails, IMs or network shares, and some of them have the ability of automated self-replication within a system or network.

Phase 3: Execution

Most malware performs its malicious activities upon execution, like opening an unknown .exe file. Some have certain payloads that are activated only at a certain trigger date, or with the onset of a specific trigger condition.

Phase 4: Discovery

This phase does not always follow activation, but typically does. When a malware is detected and isolated anywhere in the world, it is sent to the ICSA in Washington, D.C., to be documented and distributed to antivirus software developers. Vendors like Symantec or McAfee or developers will create signatures or DAT files based on the pattern of the malware, which are released for public use with their respective AV products.

Phase 5: Assimilation

At this point, antivirus software developers modify their software so that it can detect the new malware. This can take anywhere from one day to six months, depending on the developer and the malware type.

Phase 6 : Eradication

Keeping an up-to-date AV program on the end user machine is the best way to eradicate the majority of major malware or viruses.

Preventive measures:

Proactive or preventive measures are as follows, but not limited to these:

Make sure you have a very powerful anti-virus software (McAfee, Symantec or Trend Micro) running on your system and that it is up to date with the latest virus definition files.

Make sure not to visit untrusted websites or download untrusted files from the internet.

Make sure not to open any e-mail attachment from any unknown source.
