
Second Day

TRANSPORT LAYER
The transport layer sets up the communication session between computers on a network and determines how data is transmitted.

Two transport layer protocols are in use:
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)

User Datagram Protocol (UDP)
UDP is connectionless communication; it does not guarantee that data arrives at the destination intact.
Normally used to transmit small amounts of data at a time.
Reliability (making sure the data reaches the receiver) is left to the application.

Transmission Control Protocol (TCP): characteristics
Connection-oriented and reliable communication, meaning data is guaranteed to reach the destination.
To provide this guarantee, an initial exchange with the receiver (a handshake) is required before data transfer begins.
Requires an acknowledgment (ACK) for every piece of data received.
Used to transmit large amounts of data.

Port and Socket

Two components are commonly used during communication at the transport layer: the port and the socket.
Port
A port can be thought of as an internal address reserved for a particular application on a computer. Each application has a different port.
A port is either a TCP port or a UDP port, depending on which transport layer protocol the application uses.
Port numbers range from 0 to 65,535.
TCP/IP applications usually use port numbers below 1,024, where each application normally has a fixed number. These are called "Well-Known Ports".
Socket
A socket is the combination of an IP address and a TCP or UDP port.
An application creates a socket when it communicates with another computer.
The IP address identifies the destination computer and the port identifies the application in use.

UDP
UDP is a connectionless protocol: there is no initial communication session before data is transmitted.
UDP is an unreliable protocol: messages are sent without sequence numbers and without acknowledgment from the receiver, so the sender never knows whether the message was received in full. Handling this is left to the application.
If a packet is lost, it must be recovered by the layer above (the application).
UDP messages are typically resent at regular intervals or after a configured timeout expires.
Requires few memory and processor resources.
Examples of applications that use UDP: Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP).

UDP
Commonly used for streaming multimedia applications:
loss tolerant
rate sensitive
Other uses of UDP: DNS, SNMP
If you want reliable transfer over UDP: add reliability at the application layer (application-specific error recovery!)

UDP segment format (32 bits wide)
source port #   | dest port #
length          | checksum
application data (message)
length = length, in bytes, of the UDP segment, including the header



TCP: Overview

RFCs: 793, 1122, 1323, 2018, 2581

point-to-point: one sender to one receiver
reliable, in-order byte stream
pipelined: TCP congestion control and flow control set the window size
send and receive buffers: there is a buffer at the sender and at the receiver
full duplex data: data flows in both directions on the same connection
MSS: maximum segment size
connection-oriented: handshaking before data exchange
flow controlled: sender will not overwhelm receiver

(Figure: the application writes data into the TCP send buffer through the socket door; segments cross the network; the application reads data from the TCP receive buffer.)

TCP segment structure (32 bits wide)

source port #                          | dest port #
sequence number
acknowledgement number
head len | not used | U A P R S F      | rcvr window size
checksum                               | ptr urgent data
Options (variable length)
application data (variable length)

URG: urgent data (generally not used)
ACK: ACK # valid
PSH: push data now (generally not used)
RST, SYN, FIN: connection establishment (setup, teardown commands)
checksum: Internet checksum (as in UDP)
sequence and acknowledgement numbers count bytes of data (not segments!)
rcvr window size: # bytes the receiver is willing to accept
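The two header layouts above (UDP segment format and TCP segment structure) and the Internet checksum they share, as an added example in Python; this is not code from the original slides. It builds and parses both segment types and verifies the checksum over the IPv4 pseudo-header (IPv4 only, TCP without options, and the addresses, ports and payloads below are constructed).

```python
"""Parse UDP and TCP segments and verify the Internet checksum (RFC 768/793/1071).

Added example (not from the original slides). Only IPv4 pseudo-headers are
handled; the sample segments in the usage below are constructed inline.
"""
import struct
from dataclasses import dataclass

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header covered by both the UDP and the TCP checksum."""
    def packed(ip):
        return bytes(int(octet) for octet in ip.split("."))
    return packed(src_ip) + packed(dst_ip) + struct.pack("!BBH", 0, proto, length)


@dataclass
class UdpSegment:
    src_port: int
    dst_port: int
    length: int
    checksum: int
    payload: bytes


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int
    flags: dict
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    payload: bytes


def parse_udp(seg: bytes) -> UdpSegment:
    src, dst, length, csum = struct.unpack("!HHHH", seg[:8])
    return UdpSegment(src, dst, length, csum, seg[8:length])


def parse_tcp(seg: bytes) -> TcpSegment:
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4              # data offset is in 32-bit words
    flags = {name: bool(off_flags & (1 << i)) for i, name in enumerate(TCP_FLAG_NAMES)}
    return TcpSegment(src, dst, seq, ack, hlen, flags, win, csum, urg,
                      seg[20:hlen], seg[hlen:])


def build_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, 17, length) + header + payload)
    # A transmitted UDP checksum of 0 means "not computed", so a computed 0 is sent as 0xFFFF.
    return header[:6] + struct.pack("!H", csum or 0xFFFF) + payload


def build_tcp(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload=b"") -> bytes:
    bits = sum(1 << i for i, name in enumerate(TCP_FLAG_NAMES) if name in flags)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | bits, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, 6, 20 + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def checksum_ok(src_ip, dst_ip, proto, seg: bytes) -> bool:
    """Summing pseudo-header + segment (checksum field included) must give zero."""
    if proto == 17 and seg[6:8] == b"\x00\x00":
        return True                           # UDP sender chose not to checksum
    return internet_checksum(pseudo_header(src_ip, dst_ip, proto, len(seg)) + seg) == 0


if __name__ == "__main__":
    udp = build_udp("10.0.0.1", "10.0.0.2", 53, 1234, b"hello")        # constructed
    print(parse_udp(udp), checksum_ok("10.0.0.1", "10.0.0.2", 17, udp))
    syn = build_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, {"SYN"}, 65535)
    print(parse_tcp(syn).flags, checksum_ok("10.0.0.1", "10.0.0.2", 6, syn))
```

The checksum only catches accidental corruption: any single bit flip is detected, but an attacker who can rewrite a segment can simply recompute it, which is why the SSL and IPsec sections later add a keyed MAC.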

TCP: segment sequence numbers and ACKs

Sequence number: the number of the first byte of the segment within the data stream
ACKs: the sequence number of the next byte expected from the other side; cumulative ACK
Q: how does the receiver handle out-of-order segments?
A: not specified by TCP (left to the implementor)

(Figure: simple telnet scenario. The user at Host A types 'C'; Host B ACKs receipt of 'C' and echoes back 'C'; Host A ACKs receipt of the echoed 'C'.)

TCP ACK generation [RFC 1122, RFC 2581]

Event                                               | TCP receiver action
in-order segment arrival, no gaps,                  | delayed ACK. Wait up to 500 ms for the next
everything else already ACKed                       | segment. If no next segment, send ACK
in-order segment arrival, no gaps,                  | immediately send a single cumulative ACK
one delayed ACK pending                             |
out-of-order segment arrival,                       | send duplicate ACK, indicating the seq. #
higher-than-expected seq. #, gap detected           | of the next expected byte
arrival of a segment that partially or completely   | immediate ACK if the segment starts
fills a gap                                         | at the lower end of the gap
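The ACK-generation table above as an added, runnable model of the receiver (illustrative code, not from the original slides). The receiver keeps the next expected byte, buffers out-of-order segments (the "Q" on the previous slide: TCP leaves this to the implementor, and this model chooses to buffer), and reports which row of the table each arriving segment triggered. The 500 ms timer is simulated by an explicit call, and sequence numbers are plain integers without wrap-around.

```python
"""TCP receiver-side ACK generation per the RFC 1122 / RFC 2581 table above.

Added example (not from the original slides): an event-driven model of the
receiver. The delayed-ACK timer is driven by an explicit call.
"""


class TcpReceiver:
    def __init__(self, rcv_nxt: int):
        self.rcv_nxt = rcv_nxt          # next in-order byte we expect
        self.out_of_order = {}          # seq -> length of segments buffered past a gap
        self.delayed_ack_pending = False

    def on_segment(self, seq: int, length: int):
        """Return (action, ack_number) for one arriving data segment."""
        if seq == self.rcv_nxt:
            gap_existed = bool(self.out_of_order)
            self.rcv_nxt += length
            # Absorb buffered segments that are now contiguous.
            while self.rcv_nxt in self.out_of_order:
                self.rcv_nxt += self.out_of_order.pop(self.rcv_nxt)
            if gap_existed:
                # Segment started at the lower end of a gap: ACK at once so the
                # sender learns immediately how much of the gap is now filled.
                self.delayed_ack_pending = False
                return "immediate ACK", self.rcv_nxt
            if self.delayed_ack_pending:
                # Second in-order segment: one cumulative ACK covers both.
                self.delayed_ack_pending = False
                return "immediate cumulative ACK", self.rcv_nxt
            self.delayed_ack_pending = True
            return "delayed ACK (wait up to 500 ms)", None
        if seq > self.rcv_nxt:
            # Gap detected: buffer the data, repeat the ACK for the missing byte.
            self.out_of_order[seq] = length
        # Either a gap or old data (e.g. a needless retransmission): duplicate ACK.
        self.delayed_ack_pending = False
        return "duplicate ACK", self.rcv_nxt

    def on_delayed_ack_timer(self):
        """Called when the 500 ms delayed-ACK timer fires."""
        if self.delayed_ack_pending:
            self.delayed_ack_pending = False
            return "ACK", self.rcv_nxt
        return "no ACK pending", None


def run_trace(rcv_nxt, events):
    """Feed ("seg", seq, length) / ("timer",) events through a receiver; collect actions."""
    rx = TcpReceiver(rcv_nxt)
    actions = []
    for ev in events:
        if ev[0] == "seg":
            actions.append(rx.on_segment(ev[1], ev[2]))
        else:
            actions.append(rx.on_delayed_ack_timer())
    return actions


if __name__ == "__main__":
    # Constructed trace: two in-order segments, one that jumps a gap, the gap filler, the timer.
    for action in run_trace(1000, [("seg", 1000, 100), ("seg", 1100, 100), ("seg", 1300, 100),
                                   ("seg", 1200, 100), ("seg", 1400, 100), ("timer",)]):
        print(action)
```

The third duplicate ACK for the same byte is what triggers fast retransmit at the sender, so a receiver that failed to send duplicate ACKs promptly would force the sender to wait for a full timeout instead.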

TCP: retransmission scenarios

(Figure 1, lost ACK scenario: Host A sends Seq=92 to Host B; the ACK is lost (X); the Seq=92 timeout expires and the segment is retransmitted.)
(Figure 2, premature timeout with cumulative ACKs: Host A sends Seq=92 and Seq=100; the Seq=92 timeout expires before its ACK arrives, so Seq=92 is retransmitted even though a cumulative ACK then covers both segments.)

TCP Flow Control

flow control: prevents the sender from flooding the receiver with data (so the receive buffer does not overflow)
RcvBuffer = size of the TCP receive buffer
RcvWindow = remaining buffer space

receiver: explicitly tells the sender how much buffer space is still free, via the RcvWindow field in the TCP segment
sender: keeps the amount of data sent but not yet ACKed smaller than the most recently received RcvWindow

(Figure: receiver buffering.)
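The two rules on the slide (receiver advertises RcvWindow = RcvBuffer minus unread data; sender keeps unacknowledged data below that window) as an added simulation in Python; this is illustrative code, not from the original slides. The buffer size, MSS and data volume are constructed values. It also shows the failure mode the slide does not mention: once the advertised window reaches zero the sender may send nothing but a one-byte probe, otherwise it would never learn when space is freed.

```python
"""TCP flow control: the sender never has more than RcvWindow bytes in flight.

Added example (not from the original slides). Sequence numbers are byte
offsets from 0; buffer size, MSS and data volume are constructed values.
"""


class ReceiverBuffer:
    """Receiver side: RcvWindow = RcvBuffer - (LastByteRcvd - LastByteRead)."""

    def __init__(self, rcv_buffer: int):
        self.rcv_buffer = rcv_buffer
        self.last_byte_rcvd = 0
        self.last_byte_read = 0

    def rcv_window(self) -> int:
        return self.rcv_buffer - (self.last_byte_rcvd - self.last_byte_read)

    def deliver(self, seq: int, length: int):
        """Accept an in-order segment; return (ack_number, advertised window)."""
        if seq != self.last_byte_rcvd or length > self.rcv_window():
            raise ValueError("sender violated the advertised window")
        self.last_byte_rcvd += length
        return self.last_byte_rcvd, self.rcv_window()

    def application_read(self, n: int):
        self.last_byte_read = min(self.last_byte_rcvd, self.last_byte_read + n)


class FlowControlledSender:
    """Sender side: LastByteSent - LastByteAcked <= the last RcvWindow received."""

    def __init__(self, rcv_window: int, mss: int = 1460):
        self.rcv_window = rcv_window    # from the handshake or the most recent ACK
        self.mss = mss
        self.last_byte_sent = 0
        self.last_byte_acked = 0
        self.pending = 0                # bytes handed over by the application, not yet sent

    def write(self, n_bytes: int):
        self.pending += n_bytes

    def usable_window(self) -> int:
        return self.rcv_window - (self.last_byte_sent - self.last_byte_acked)

    def send(self):
        """Emit (seq, length) segments while the usable window allows."""
        segments = []
        while self.pending > 0 and self.usable_window() > 0:
            length = min(self.pending, self.mss, self.usable_window())
            segments.append((self.last_byte_sent, length))
            self.last_byte_sent += length
            self.pending -= length
        return segments

    def on_ack(self, ack_number: int, rcv_window: int):
        self.last_byte_acked = max(self.last_byte_acked, ack_number)
        self.rcv_window = rcv_window

    def zero_window_probe(self):
        """With RcvWindow 0 the sender may only send a 1-byte probe (persist timer)."""
        if self.rcv_window == 0 and self.pending > 0:
            return (self.last_byte_sent, 1)
        return None


def simulate(rcv_buffer=4000, app_bytes=10000, read_after=2000):
    """Return (first burst, segments sent while stalled, probe, burst after window update)."""
    rx = ReceiverBuffer(rcv_buffer)
    tx = FlowControlledSender(rx.rcv_window())
    tx.write(app_bytes)
    first_burst = tx.send()
    for seq, length in first_burst:          # receiver ACKs the burst; window shrinks to 0
        ack, win = rx.deliver(seq, length)
    tx.on_ack(ack, win)
    stalled = tx.send()                      # window is 0: nothing may be sent
    probe = tx.zero_window_probe()
    rx.application_read(read_after)          # application drains part of the buffer
    tx.on_ack(ack, rx.rcv_window())          # window update carried on the next ACK
    second_burst = tx.send()
    return first_burst, stalled, probe, second_burst


if __name__ == "__main__":
    print(simulate())
```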

Attacks on the Transport Layer

TCP SYN flooding
UDP flooding
Scanning
Sniffing
Buffer overflow
Hijacking
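Two of the attacks listed (TCP SYN flooding and scanning) leave a simple signature in connection records: many half-open connections to one service, or one source sending SYNs to many ports. The following added detection logic (illustrative code, not from the original slides) runs over constructed flow records; in practice the records would come from a packet capture or firewall log, and the thresholds are assumptions that would be tuned per network.

```python
"""Detect TCP SYN flooding and port scanning from flow records.

Added example (not from the original slides). Records are constructed tuples
(time, src_ip, src_port, dst_ip, dst_port, flags); thresholds are assumptions.
"""
from collections import defaultdict


def detect(records, flood_threshold=50, scan_threshold=20):
    """Return alerts for SYN floods (many half-open connections to one service)
    and port scans (one source probing many distinct destination ports)."""
    half_open = defaultdict(set)        # (dst_ip, dst_port) -> {(src_ip, src_port)} awaiting final ACK
    targets_by_src = defaultdict(set)   # src_ip -> {(dst_ip, dst_port)} it sent SYNs to
    for _ts, src, sport, dst, dport, flags in records:
        if flags == {"SYN"}:
            half_open[(dst, dport)].add((src, sport))
            targets_by_src[src].add((dst, dport))
        elif "ACK" in flags and "SYN" not in flags:
            # Third packet of the handshake completes the connection.
            half_open[(dst, dport)].discard((src, sport))
    alerts = []
    for (dst, dport), pending in half_open.items():
        if len(pending) >= flood_threshold:
            alerts.append(("syn_flood", dst, dport, len(pending)))
    for src, targets in targets_by_src.items():
        if len(targets) >= scan_threshold:
            alerts.append(("port_scan", src, len(targets)))
    return alerts


def sample_records():
    """Constructed traffic: one legitimate handshake, a spoofed-source SYN flood
    against 10.0.0.5:80 and a sequential port scan from 203.0.113.7."""
    recs = []
    # Legitimate client: SYN, then the final ACK (the server's SYN-ACK flows the other way).
    recs.append((0.0, "192.0.2.10", 40000, "10.0.0.5", 80, frozenset({"SYN"})))
    recs.append((0.1, "192.0.2.10", 40000, "10.0.0.5", 80, frozenset({"ACK"})))
    # Flood: 60 SYNs from 60 spoofed sources that never complete the handshake.
    for i in range(60):
        recs.append((1.0 + i / 1000, "198.51.100.%d" % (i + 1), 1024 + i,
                     "10.0.0.5", 80, frozenset({"SYN"})))
    # Scan: one source probing 25 different ports.
    for port in range(1, 26):
        recs.append((2.0 + port / 1000, "203.0.113.7", 50000 + port,
                     "10.0.0.5", port, frozenset({"SYN"})))
    return recs


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

Because flood sources are spoofed, blocking by source address does not help; the usual mitigations are SYN cookies on the server or rate limiting at the perimeter, which is also why the detector counts half-open entries per destination service rather than per source.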

Application Layer
voice over IP
e-mail
real-time video conferencing
web
instant messaging
grid computing
remote login
P2P file sharing
multi-user network games
streaming stored video clips

Attacks in the Application Layer

(Figure: attack sophistication (Low to High) versus intruder knowledge, 1980-2004. Attack sophistication rises over time while the knowledge required of intruders falls. Attack tools and techniques shown, in roughly chronological order:)
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sweepers
sniffers
packet spoofing
GUI
automated probes/scans
network mgmt. diagnostics
www attacks
denial of service
distributed attack tools
stealth / advanced scanning techniques
cross site scripting
staged, auto-coordinated tools
(Other chart labels: Intruders, Tools, burglaries.)

Second Day
Talk about miscellaneous!!
Legality
Footprinting
Scanning
Enumeration
Trojans and backdoors
Sniffers
SQL injection

CYBER CRIME

Example: Mytob (buffer overflow)

Step 1: Arrives as an email or via a buffer overflow
Copies itself as %System%\msnmsgs.exe
Adds the value MSN = msnmsgs.exe to the registry under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

W32.Mytob@mm runs every time Windows starts

Step 2: Loads itself into memory
Since the exe is now in the startup list, msnmsgs.exe is loaded into memory
"HELLBOT by Diablo" is clearly advertised to show who wrote the program

Step 3: Logs in to an IRC channel
Connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667
Advertises the host PC's IP address
Listens for commands that allow the remote attacker to perform the following actions:
Download files
Execute files
Delete files
Update itself
Get uptime information

Step 4: Generates potential targets and attacks
Generates random IP addresses
Exploits the RPC/DCOM vulnerability: allows the program to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service
Exploits the Windows LSASS vulnerability: a buffer overflow that allows remote code execution and enables a malicious user to gain full control of the affected system

Step 5: Uses its own SMTP engine to send itself
Searches for email addresses on the local computer in files with these extensions:
.wab .adb .tbb .dbx .asp .php .sht .htm
From: spoofed
Subject: one of
hello
hi
error
status
Mail Transaction Failed
Mail Delivery System
SERVER REPORT
(No Subject)
(random letters)
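Steps 1 to 5 above describe behaviour an incident responder can check for on a host: the autorun value and file name from Step 1, the IRC connection on TCP 6667 from Step 3, and outbound SMTP from a process that is not a mail client from Step 5. The following added triage script (illustrative code, not from the original slides) matches those indicators against constructed host artifacts; on a real host the autorun values would come from a registry export and the connections from netstat or an EDR, and the list of processes allowed to speak SMTP is an assumption.

```python
"""Host triage for the Mytob behaviours described in Steps 1-5.

Added example (not from the original slides). The artifact records are
constructed here; the allowed-mail-client list is an assumption.
"""

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
MYTOB_FILE = "msnmsgs.exe"
IRC_PORTS = {6667}
C2_DOMAIN = "irc.blackcarder.net"
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: processes allowed to talk SMTP


def triage(autorun_values, connections):
    """autorun_values: (key, name, data); connections: (proto, remote_host, remote_port, process).
    Returns a list of (finding_kind, detail) in the order the artifacts were examined."""
    findings = []
    for key, name, data in autorun_values:
        if key.lower() in AUTORUN_KEYS and MYTOB_FILE in data.lower():
            findings.append(("persistence", "%s\\%s = %s" % (key, name, data)))
    for proto, host, port, process in connections:
        if proto != "tcp":
            continue
        if port in IRC_PORTS or host.lower() == C2_DOMAIN:
            findings.append(("irc_c2", "%s -> %s:%d" % (process, host, port)))
        elif port == 25 and process.lower() not in MAIL_CLIENTS:
            # Step 5: the worm mails itself with its own SMTP engine, bypassing the mail client.
            findings.append(("rogue_smtp", "%s -> %s:%d" % (process, host, port)))
    return findings


def sample_artifacts():
    """Constructed registry values and connection table for an infected host."""
    autorun = [
        (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MSN",
         r"C:\WINDOWS\System32\msnmsgs.exe"),
        (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
         r"C:\WINDOWS\System32\ctfmon.exe"),
    ]
    connections = [
        ("tcp", "irc.blackcarder.net", 6667, "msnmsgs.exe"),
        ("tcp", "mx.example.net", 25, "msnmsgs.exe"),
        ("tcp", "mail.example.com", 25, "outlook.exe"),
        ("udp", "10.0.0.1", 53, "svchost.exe"),
    ]
    return autorun, connections


if __name__ == "__main__":
    for finding in triage(*sample_artifacts()):
        print(finding)
```

A clean autorun list is not proof of a clean host: the worm also writes under the OLE and Lsa keys listed in Step 1, which this script does not inspect, and a variant can rename the file, so the connection-based indicators are the more durable ones.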

Spyware Infection
A - Downloading programs: Kazaa / screensavers / Windows utilities / download managers / file sharing software / demo software
B - Trojans that are delivered or downloaded in e-mail
C - Free, banner ad-based software and popups
D - The most notorious enabler of spyware is Microsoft's ActiveX module

Now for the protection!

Firewall Technology

Typical firewalls are effective for port blocking
If a port is open, it is assumed any data can pass
Intrusion detection is a reactive approach that does not actively protect
Security must be built upon deep packet inspection: AV / anti-spyware / intrusion prevention with dynamic updates

Deep Packet Inspection - Unified Threat Management

PRO Series as a prevention solution
Full L2-7 signature-based inspection
Application awareness
Zone based security: protect internally

Gateway Anti-Virus
Scan through unlimited file sizes
Scan through unlimited connections
Scan over more protocols than any similar solution
SonicWALL IPS/GAV dynamic updates

Anti-Spyware for protection against malicious programs
Blocks the installation of spyware
Blocks spyware that is emailed and sent internally

Application Layer Threats
Protection: DPI between the user zone, department zone and server zone
Full protection from Trojan, worm, blended and polymorphic threats
DPI: Intrusion Prevention / Gateway AV / Anti-Spyware

OK!

Cryptography Takes Part in the Network

In the Application Layer: HTTPS (using SSL)

HTTPS (using SSL)
SSL: Secure Sockets Layer
Addresses issues of privacy, integrity and authentication
What is it?
How does it address the issues?
How is it used?

What is SSL?

transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became an Internet standard known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.

Privacy
Encrypt the message so it cannot be read
Uses conventional (symmetric) cryptography with a shared key:
DES, 3DES
RC2, RC4
IDEA

Uses a Public Key Scheme
Each client-server pair uses
2 public keys:
one for the server (HTTP server), created when the server is installed on the server hardware
one for the client (browser), only when client authentication is used (a browser has no key pair of its own by default; a client certificate and key must be installed)
2 private keys:
one for the server (HTTP server)
one for the client browser

Where SSL Fits

Protocol    plain port    with SSL    SSL port
HTTP        80            HTTPS       443
SMTP        25            SSMTP       465
POP3        110           SPOP3       995

(Figure: the Secure Sockets Layer sits between the application protocols above and the Transport, Network and Link layers below.)

Services Provided by SSL


These capabilities address fundamental
concerns about communication over the
Internet and other TCP/IP networks:
SSL server authentication
SSL client authentication
An encrypted SSL connection

Services Provided by SSL


SSL encrypts data so that no one who
intercepts is able to read it.
SSL can assure a client that they are
dealing with the real server they intended
to connect to.
SSL can prevent any unauthorized clients
from connecting to the server.

SSL Architecture
SSL session
an association between client & server
created by the Handshake Protocol
defines a set of cryptographic parameters
may be shared by multiple SSL connections

SSL connection
a transient, peer-to-peer communications link
associated with 1 SSL session

SSL Handshake Protocol
allows server & client to:
authenticate each other
negotiate encryption & MAC algorithms
negotiate the cryptographic keys to be used
comprises a series of messages in phases:
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish

SSL Server Authentication

SSL server authentication allows a user to confirm a server's identity.
SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs.
This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.

SSL Client Authentication


SSL client authentication allows a server to
confirm a user's identity.
Using the same techniques as those used for
server authentication, SSL-enabled server
software can check that a client's certificate and
public ID are valid and have been issued by a
certificate authority (CA) listed in the server's list
of trusted CAs.
This confirmation might be important if the
server, for example, is a bank sending
confidential financial information to a customer
and wants to check the recipient's identity.

An encrypted SSL connection


An encrypted SSL connection requires all
information sent between a client and a server to
be encrypted by the sending software and
decrypted by the receiving software, thus providing
a high degree of confidentiality.
Confidentiality is important for both parties to any
private transaction.
In addition, all data sent over an encrypted SSL
connection is protected with a mechanism for
detecting tampering--that is, for automatically
determining whether the data has been altered in
transit.

The SSL Record Protocol

The SSL record protocol defines the format used to transmit data.
The SSL record protocol provides two services for SSL connections:
Confidentiality: the Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads
Message Integrity: the Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)

SSL Record Protocol Operation
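The record protocol operation just described (fragment, MAC with the handshake's MAC key, encrypt with the handshake's encryption key, prepend the record header) as an added toy implementation in Python; this is illustrative code, not from the original slides and not a real SSL/TLS record layer. The key derivation is a stand-in for the handshake's key block and the HMAC-SHA256 counter keystream stands in for the negotiated cipher (the standard library has no AES); both are assumptions. The record header layout (type, version, length) follows SSL 3.0, and the receiver shows the tamper-detection property claimed on the "encrypted SSL connection" slide.

```python
"""Toy SSL record layer: MAC-then-encrypt with keys "defined by the handshake".

Added example (not from the original slides, not a real SSL/TLS implementation).
The key derivation and the HMAC-based keystream are stand-ins (assumptions).
"""
import hashlib
import hmac
import struct

MAC_LEN = 32                  # HMAC-SHA256 output
MAX_FRAGMENT = 2 ** 14        # SSL limits a record fragment to 16 KiB


def derive_keys(master_secret: bytes) -> dict:
    """Per-direction MAC and encryption keys (simplified stand-in for the SSL PRF)."""
    def expand(label: bytes) -> bytes:
        return hmac.new(master_secret, label, hashlib.sha256).digest()
    return {"mac": expand(b"client write MAC key"), "enc": expand(b"client write key")}


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream bound to the record sequence number (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RecordLayer:
    """One direction of an SSL connection; each side keeps its own 64-bit sequence number."""

    def __init__(self, keys: dict, version=(3, 0)):
        self.keys = keys
        self.version = version
        self.seq = 0

    def _mac(self, content_type: int, fragment: bytes) -> bytes:
        # The MAC covers seq number, type, version and length, so replayed, reordered
        # or retyped records fail verification, not only modified ones.
        header = struct.pack("!QBBBH", self.seq, content_type, *self.version, len(fragment))
        return hmac.new(self.keys["mac"], header + fragment, hashlib.sha256).digest()

    def protect(self, content_type: int, fragment: bytes) -> bytes:
        """Fragment -> MAC -> encrypt -> record header."""
        if len(fragment) > MAX_FRAGMENT:
            raise ValueError("fragment too large; split it into several records")
        plaintext = fragment + self._mac(content_type, fragment)
        body = xor_bytes(plaintext, keystream(self.keys["enc"], self.seq, len(plaintext)))
        self.seq += 1
        return struct.pack("!BBBH", content_type, *self.version, len(body)) + body

    def unprotect(self, record: bytes):
        """Return (content_type, fragment) or raise ValueError('bad_record_mac')."""
        content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if len(body) != length or (major, minor) != self.version:
            raise ValueError("bad_record_mac")
        plaintext = xor_bytes(body, keystream(self.keys["enc"], self.seq, len(body)))
        fragment, mac = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(content_type, fragment)):
            raise ValueError("bad_record_mac")      # tampering or replay detected
        self.seq += 1
        return content_type, fragment


def roundtrip(master_secret: bytes, payloads):
    """Send each payload through a sender and a receiver sharing the handshake keys."""
    tx, rx = RecordLayer(derive_keys(master_secret)), RecordLayer(derive_keys(master_secret))
    return [rx.unprotect(tx.protect(23, p))[1] for p in payloads]   # 23 = application_data


if __name__ == "__main__":
    print(roundtrip(b"constructed premaster secret", [b"GET / HTTP/1.1\r\n"]))
```

Real SSL 3.0 / TLS 1.x use the same MAC-then-encrypt order with a block or stream cipher, and that order is what made padding-oracle attacks possible; modern TLS uses AEAD ciphers that authenticate the ciphertext directly.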

IPSec Needs!!
The most serious problems involve:
IP spoofing: intruders create packets with a false source address and then take advantage of OS exploits
eavesdropping and sniffing: attackers listen for user IDs and passwords and then just walk into target systems

IPSec
Generally, IP security mechanisms provide:
authentication
confidentiality
key management
applicable for use over LANs, across public & private WANs, and for the Internet

IPSec Uses

Benefits of IPSec
in a firewall/router it provides strong security to all traffic crossing the perimeter
is resistant to bypass
is below the transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users if desired
additionally, in routing applications:
assures that router advertisements come from authorized routers
neighbor advertisements come from authorized routers
ensures redirect messages come from the router to which the initial packet was sent
ensures no forging of router updates

IP Security Architecture
RFC 2401 (primary RFC)
specification is quite complex
defined in numerous RFCs, incl. RFC 2401/2402/2406/2408 and many others, grouped by category
mandatory in IPv6, optional in IPv4

IPSec Services
Two protocols are used to provide security:
Authentication Header (AH)
Encapsulating Security Payload (ESP)

Services provided are:
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality

Security Association (SA)
a one-way relationship between sender & receiver that affords security services to the traffic carried on it
defined by 3 parameters:
Security Parameters Index (SPI): a bit string
IP Destination Address: only unicast allowed; could be an end user, firewall or router
Security Protocol Identifier: indicates whether the SA is AH or ESP

Security Association (cont.)
has a number of other parameters: sequence number, AH & ESP info, lifetime, etc.
each IPSec endpoint keeps a database of Security Associations

Authentication Header (AH)
provides support for data integrity & authentication of IP packets
an end system or router can authenticate the user/application
guards against address spoofing attacks and, by tracking sequence numbers, against replay attacks
based on the use of a MAC (message authentication code): HMAC-MD5-96 or HMAC-SHA-1-96
the MAC is calculated over:
immutable IP header fields (mutable fields such as TTL and the header checksum are zeroed)
the AH header (except for the Authentication Data field)
the entire upper-level protocol data (immutable)
the parties must share a secret key
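The AH integrity check as just described, plus the anti-replay service from the "IPSec Services" slide, as an added example in Python (illustrative code, not from the original slides). It computes HMAC-SHA-1-96 over the IPv4 header with the mutable fields zeroed, the AH header with its ICV zeroed and the payload, then verifies a packet after a router has decremented the TTL (still valid) and after the payload was altered (rejected). Transport-mode AH on an IPv4 packet without options is assumed, and the key, addresses and payload are constructed. The sliding window follows the 64-packet default of RFC 2402.

```python
"""IPsec AH: ICV over the immutable fields, plus the receiver's anti-replay window.

Added example (not from the original slides). IPv4 without options, transport
mode; key, addresses and payload are constructed. HMAC-SHA-1-96 means the
HMAC-SHA-1 tag truncated to 96 bits.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12                                  # 96 bits
AH_LEN = 12 + ICV_LEN                         # fixed fields + ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2              # RFC 2402: AH length in 32-bit words minus 2
PROTO_AH = 51


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    def packed(ip):
        return bytes(int(o) for o in ip.split("."))
    # Header checksum left 0 here: it is a mutable field and is zeroed for the ICV anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, PROTO_AH, 0,
                       packed(src), packed(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """TOS, flags/fragment offset, TTL and header checksum may change in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC-SHA-1-96 over immutable IP fields || AH (ICV zeroed) || upper-layer data."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    next_header: int, payload: bytes) -> bytes:
    ip_hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, packet: bytes):
    """Return (spi, seq, payload) if the ICV checks out, else raise ValueError."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    _next_header, _plen, _reserved, spi, seq = struct.unpack("!BBHII", ah_fixed)
    if not hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload)):
        raise ValueError("AH integrity check failed")
    return spi, seq, payload


class AntiReplayWindow:
    """Sliding window over the last `size` sequence numbers (default 64, per RFC 2402)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0            # highest sequence number accepted so far
        self.bitmap = 0             # bit i set => (highest - i) already received

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False            # 0 is never a valid AH sequence number
        if seq > self.highest:      # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False            # too old, or a replay of a packet already seen
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    key = b"constructed shared secret"
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 0x1000, 1, 17, b"udp payload")
    print(verify_ah_packet(key, pkt))
```

The replay check must run only after the ICV has verified; otherwise an attacker could advance the window with forged sequence numbers and cause legitimate packets to be dropped.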

AH architecture

Transport and Tunnel Modes
Both AH and ESP have two modes
transport mode is used to encrypt & optionally authenticate IP data
data is protected but the header is left in the clear
traffic analysis is possible, but it is efficient
good for ESP host-to-host traffic
tunnel mode encrypts the entire IP packet
adds a new header for the next hop
good for VPNs, gateway-to-gateway security

Encapsulating Security Payload (ESP)
provides message content confidentiality & limited traffic flow confidentiality
can optionally provide the same authentication services as AH
supports a range of ciphers, modes and padding, incl. DES, Triple-DES, RC5, IDEA, CAST etc.
CBC is most common
padding to meet the block size, and for traffic flow confidentiality

This is ESP!!! (Figure: ESP packet format.)

VPN Tunneling

INTRODUCTION
What is a VPN?

Introduction: What is a VPN?
Virtual Private Network

Introduction (continued):
Four categories:
Trusted VPN
Secure VPN
Hybrid VPN
Provider-provisioned VPN

VPN TOPOLOGY
How does a VPN work?

VPN Topology: Types of VPNs
Remote access VPN
Intranet VPN
Extranet VPN

VPN Topology: Remote Access VPN
VPN Topology: Intranet VPN
VPN Topology: Extranet VPN

VPN Topology: Advantages of VPN
Advantages:
Greater scalability
Easy to add/remove users
Reduced long-distance telecommunications costs
Mobility
Security

VPN Topology: Disadvantages of VPN
Disadvantages:
Lack of standards
Understanding of security issues
Unpredictable Internet traffic
Difficult to accommodate products from different vendors

VPN Topology: What is needed?
Existing hardware (servers, workstations)
Internet connection
VPN router/switch
Software to create and manage tunnels
Security device such as a firewall

VPN Topology: How it works
Operates at layer 2 or 3 of the OSI model
Layer 2: Ethernet frame
Layer 3: IP packet

Tunneling
allows senders to encapsulate their data in IP packets that hide the routing and switching infrastructure of the Internet, to ensure data security against unwanted viewers or hackers.

VPN COMPONENTS
What are the components of a VPN?

VPN Components
Protocols
Security
Appliances

VPN Components: Protocols
IP Security (IPSec)
Transport mode
Tunnel mode

Point-to-Point Tunneling Protocol (PPTP)
Voluntary tunneling method
Uses PPP (Point-to-Point Protocol)

VPN Components: Protocols
Layer 2 Tunneling Protocol (L2TP)
Exists at the data link layer of OSI
Composed from PPTP and L2F (Layer 2 Forwarding)
Compulsory tunneling method

(Figure: example of packet encapsulation.)

VPN Components: Security
Encryption
Technique for scrambling and unscrambling information
Unscrambled information is called clear-text
Scrambled information is called cipher-text

VPN Components: Security
Keys
Secret code that the encryption algorithm uses to create a unique version of cipher-text
8-bit keys = 256 combinations, or two to the eighth power
16-bit keys = 65,536 combinations, or two to the 16th power
56-bit keys = 72,057,594,037,927,936 combinations, or two to the 56th power
168-bit keys = two to the 168th power

VPN Components: Security
Authentication
Determines whether the sender is the authorized person and whether the data has been redirected or corrupted
User/system authentication
Data authentication

VPN Components: Appliances
Intrusion detection firewalls
Monitor traffic crossing the network perimeter and protect enterprises from unauthorized access
A packet-level firewall checks source and destination
An application-level firewall acts as a host computer between the organization's network and the Internet

VPN PRODUCTIVITY AND COST BENEFITS
How can companies benefit from VPN?

VPN Productivity and Cost Benefits: Benefits
Extends geographic connectivity
Boosts employee productivity
Improves Internet security
Scales easily

VPN Productivity and Cost Benefits: Costs
Costs associated with implementing a VPN:
In-house implementation
Outsourced implementation
Middle-ground implementation

IDS and IPS

Examples of IDS & IPS:
SNORT
Honeypot

Tips for today (working around a slow Speedy connection)

1. Find the fastest DNS server for your DNS settings. First download DNS Benchmark (https://www.grc.com/dns/benchmark.htm). Click Nameservers > Run Benchmark and let the process run to completion. When it is done, look at the round indicators, find the ones that are fully green, note the DNS server addresses listed on the left and write them down (you need two addresses, one for the alternate DNS).
2. Open Start menu > Settings > Network Connections > Open, right-click Local Area Connection > Properties, select Internet Protocol > double-click. Tick "Use the following DNS server addresses", enter the two DNS addresses you wrote down, click OK, then close.
3. Close your browser, right-click Local Area Connection and click Repair.
4. Click Start > Run > type gpedit.msc. Once the Group Policy window is open, click Administrative Templates > QoS Packet Scheduler > double-click "Limit reservable bandwidth" > set it to Enabled and change the Bandwidth limit (I use 0%).

Who are they????? FAKE ID

"My wife turned out to be a man"

"Beautiful scammer"

How to Prevent!!!!
SOCIAL ATTITUDE
Think before you click
Keep your computer clean
Don't be too social

Thank You For Coming!

widiharahap@lemsaneg.go.id