Internet Protocol (IP)

Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its role is to deliver packets from the source host to the destination host solely based on the IP addresses in the packet headers.

Key Features of IP

  • Connectionless protocol: Each packet is treated independently from others
  • Best effort delivery: It does not guarantee delivery, proper sequencing, or avoidance of duplicate delivery
  • Addressing: Uses IP addresses to identify source and destination of packets
  • Fragmentation and reassembly: Can break packets into smaller pieces if necessary

IP Versions

IPv4 (Internet Protocol version 4)

The fourth version of the Internet Protocol. It uses 32-bit addresses.

Example address: 192.168.1.1

IPv6 (Internet Protocol version 6)

The most recent version of the Internet Protocol. It uses 128-bit addresses.

Example address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

IP Header Structure

IP Header Structure Diagram

The IP header contains several fields including Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, and Options.

Working with IP

Linux Commands

  • ip addr show

    Display IP addresses and network interfaces

    Example of ip addr show command
  • ping example.com

    Send ICMP ECHO_REQUEST to network hosts

    Example of ping command
  • traceroute example.com

    Print the route packets trace to network host

    Example of traceroute command

Windows Commands

  • ipconfig /all

    Display full configuration information

    Example of ipconfig /all command
  • ping example.com

    Send ICMP ECHO_REQUEST to network hosts

    Example of ping command
  • tracert example.com

    Trace route to a remote host

    Example of tracert command

Common IP-Related Attacks

IP Spoofing

An attack where the attacker sends IP packets with a forged source IP address to impersonate another computing system.

Example: An attacker might send packets that appear to come from a trusted internal IP address to bypass security controls.

Practical Example: Using Scapy in Python to create a spoofed IP packet:

from scapy.all import IP, TCP, send
spoofed_packet = IP(src="192.168.1.100", dst="10.0.0.1") / TCP(dport=80)
send(spoofed_packet)

Reference: RFC 6959 - Source Address Validation Improvement (SAVI) Threat Scope

Man-in-the-Middle (MITM) Attack

An attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

Example: An attacker might use ARP spoofing to intercept traffic between a user and a router, allowing them to eavesdrop or modify the traffic.

Practical Example: Using Ettercap for ARP poisoning:

ettercap -T -q -i eth0 -M arp:remote /192.168.1.1/ /192.168.1.10/

Reference: RFC 3833 - Threat Analysis of the Domain Name System (DNS)

IP Fragmentation Attack

An attack that exploits the way some systems handle fragmented IP packets, potentially leading to denial of service or unauthorized access.

Example: The Teardrop attack sends fragmented packets that overlap, causing some systems to crash when trying to reassemble them.

Practical Example: Using Scapy to create overlapping fragments:

from scapy.all import IP, UDP, fragment, send
packet = IP(dst="10.0.0.1") / UDP(dport=80)
frags = fragment(packet, fragsize=8)
frags[0].len = 20
frags[0].proto = 17
send(frags)

Reference: RFC 1858 - Security Considerations for IP Fragment Filtering

ICMP Flood (Ping Flood)

A denial-of-service attack where the attacker overwhelms the target with ICMP Echo Request (ping) packets.

Example: An attacker might use a botnet to send a massive number of ping requests to a target server, consuming its resources and making it unresponsive to legitimate traffic.

Practical Example: Using the `ping` command for demonstration (do not use on unauthorized systems):

ping -f -s 65507 target_ip

Reference: RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)

Smurf Attack

A distributed denial-of-service attack where the attacker broadcasts ICMP echo requests (pings) to a network using the spoofed source address of the intended victim.

Example: An attacker sends a ping to a network broadcast address, spoofing the source as the victim's IP. All hosts on the network then reply to the victim, overwhelming it.

Practical Example: Using Scapy to create a Smurf attack packet (for educational purposes only):

from scapy.all import IP, ICMP, send
smurf_packet = IP(src="victim_ip", dst="broadcast_ip") / ICMP()
send(smurf_packet)

Reference: RFC 2644 - Changing the Default for Directed Broadcasts in Routers

Related RFCs

Back to Network Layer