Incident response

Network traffic analysis for IR: Basic protocols in networking

Lester Obbayi
March 9, 2020 by
Lester Obbayi

Introduction

In this article, we’ll discuss some of the basic protocols that are commonly used in computer networking. A good understanding of computer networking is required by fresh hackers in order for them to quickly pick up related cybersecurity content. 

This piece is ideal for individuals who might be getting into cybersecurity from a computer networking background.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Overview of networking protocols

Network protocols are the rules that govern communication between devices within a computer network. These rules include instructions that allow devices to identify and connect to each other, as well as the formatting rules that allow messages to be packed and unpacked from end to end. These rules determine the data that is either received or rejected.

During communication between computers within a network, data is broken down at the source into data packets. These are later on reassembled at their destination. There are various packet-switching techniques which make this possible, and numerous protocols that have been developed that make communication possible as per different categories. These are covered below.

Internet Protocol (IP)

Internet protocols are the set of rules that determine how data is transmitted within a network. The Internet Protocol (IP) in itself is a standard of specifications of how things should work between devices that are connected on the internet. This takes place because of two main things:

  1. IP addressing: This ensures that every device within the network has a unique IP address that can be able to determine the source and destination of the data or traffic in transit
  2. IP routing: This determines the paths that traffic should take based on their IP address. This is made possible by routers

Various protocols will interact with IP to make communication possible over any network. Below are some of these protocols.

Transmission Control Protocol (TCP)

TCP is one of the lower layer technologies of the OSI model. TCP and IP work together to ensure data is properly transmitted over the internet. The main work of TCP is to ensure that traffic reaches its destination in a reliable manner. This guarantee is not offered by IP in itself. 

TCP ensures the following:

  1. No data packets are lost
  2. The right intended order of the packets is observed
  3. The acceptable amount of delay is experienced
  4. Duplication of packets is prevented

User Datagram Protocol (UDP)

UDP is another of the lower layers of the OSI model and is the main alternative to TCP. Compared to TCP, UDP is quite unreliable. UDP is unable to perform error checking or correcting on data transmissions. 

There are, however, certain applications where UDP is preferred more than TCP. A good example of this is during online gaming, where UDP allows packets to be dropped without performing retries. In this situation, UDP can allow packets to be received in a different order as compared to how they were sent. 

UDP is, however, not very good for file transfer. If some packets get lost during file transfer, the result is file corruption, which would be a problem. However, during video streaming or online gaming, this is not a concern.

Hypertext Transfer Protocol (HTTP)

HTTP is the protocol that allows web browsers and servers to properly communicate. The protocol is used by web browsers to request HTML files from remote servers which users can then interact with in the form of images, music, videos, text and more.

HTTP is built on top of TCP which implements a client-server communication model. There are three main message types that HTTP uses, and these are:

  • HTTP GET: Here, a message is sent to the server that may contain a bare URL or a URL containing one or more parameters. The server responds by returning a web page to the browser
  • HTTP POST: Here, a message is sent to the server containing data within the body section of the request. This is done to avoid sending data via the URL as in HTTP GET above
  • HTTP HEAD: Here, emphasis is placed on the response of the server. HTTP HEAD restricts the server response to only respond with the header information

File Transfer Protocol (FTP)

The File Transfer Protocol is widely used where files are to be shared between two computers. Just like the HTTP protocol, FTP implements the client-server model of communication. To run FTP, one would launch their FTP client and connect to a remote server where FTP software would be running. Once the connection has been established, they can then download files of their choice from the FTP server. 

A minimal version of FTP (known as TFTP) was also created for much weaker devices. Trivial File Transfer Protocol or TFTP provides basic usage, containing the most common FTP operations. Even though FTP is quite reliable, more secure and advanced methods of file sharing have been developed such as peer-to-peer file-sharing (P2P).

Wireless protocols

There are a number of wireless protocols that are in use today, the most common being Bluetooth, Wi-Fi and LTE.

  1. 802.11b protocol: This is the most commonly found protocol today. It is inexpensive to build and operate within the 2.4 GHz range of frequency. The main disadvantage of this protocol is that many devices operate within the same 2.4GHz range. The maximum speed at this range is also 11 Mbps which is a huge disadvantage
  2. 802.11g protocol: This is an improvement on the previous 802.11b and is capable of speeds up to 54Mbps. However, it still operates under the same crowded 2.4GHz frequency range
  3. 802.11a protocol: This is the most improved protocol of the previously discussed ones above. It operates within the 5GHz frequency range, which is less susceptible to interference, yet maintains the 54Mbps speeds
  4. Bluetooth: This protocol is heavily in use today due to its ability to be transmitted at low power. The main disadvantage here is the maximum speed, which is only up to 1 Mbps, and the previously discussed crowded 2.4 GHz frequency range

Network routing protocols

These protocols have a special purpose. They are meant to be specifically applicable to network routers. These protocols are able to manage other routers and traffic routes. They are able to learn of available routes within the network, build routing tables and make routing decisions. 

The two main categories of network routing protocols are:

  • Distance vector protocols: These advertise their routing table at regular intervals to all surrounding neighbors. The main disadvantage with this is that it consumes too much bandwidth and is slow to converge. That means when routing information changes on one router, it needs to be broadcast across the network for all the routers to be updated
  • Link state protocols These advertise routing updates only when they take place; therefore, the routing table is not advertised throughout the network. This makes convergence better and consumes less bandwidth. To update the routing table information on routers on the network, the routing protocol floods the network with link state advertisements to all the neighboring routes. These small incremental changes are collectively sent as a multicast LSA update

The following are some of the routing protocols that exist:

  • IGRP: Interior Gateway Routing Protocol is a distance vector protocol that was intended for small and medium-sized CISCO networks. It is proprietary and requires that you only use CISCO routers
  • EIGRP: Enhanced Interior Gateway Routing Protocol is a hybrid routing protocol developed by CISCO and used to route multiple protocols across an enterprise CISCO network
  • OSPF: Open Shortest Path First is a true link state protocol. It was developed as an open standard for routing IP across large multi-vendor networks. It works by sending link state advertisements to all connected neighbors to communicate route information
  • IS-IS: Integrated Intermediate System – Intermediate System is a link state protocol similar to OSPF. The intermediate system here is a router and IS-IS is the protocol. It uses the SPF Dijkstra algorithm to determine the shortest path routes
  • BGP: Border Gateway Protocol is an exterior gateway protocol. It routes traffic between autonomous systems that are assigned particular AS numbers. Routing of traffic depends on the IP addresses, AS numbers
  • RIP: Routing Information Protocol has existed for a very long time. It uses the hop count as a routing metric. RIP is a distance vector routing protocol

Conclusion

Getting into cybersecurity with a proper networking background will ensure that you can understand why certain tools and approaches are taken during hacking. 

This article has focused on some of the most basic protocols that you are bound to encounter in your journey as a hacker. You should consider looking into the vulnerabilities that affect protocols and how you can exploit them, and available tools and frameworks such as the Metasploit framework.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

 

Source

  1. What IP Means and How It Works, Lifewire
  2. TCP/IP (Transmission Control Protocol/Internet Protocol), TechTarget
  3. Understanding Network Routing Protocols, RouterFreak
  4. Types of Wireless Protocols, Techwalla
Lester Obbayi
Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.