In: Computer Science
Analyzing network traffic and understanding packets is an important task for IT security professionals. Illegitimate hackers also use network traffic to steal information and/or to about an organization's network infrastructure.
Any network connected to the Internet is subject to cyber attacks. Strong security measures, forensic tools, and investigators contribute together to detect and mitigate those attacks, reducing the damages and enabling reestablishing the network to its normal operation, thus increasing the cybersecurity of the networked environment. This paper addresses the use of a forensic approach with Deep Packet Inspection to detect anomalies in the network traffic. As cyber attacks may occur on any layer of the TCP/IP networking model, Deep Packet Inspection is an effective way to reveal suspicious content in the headers or the payloads in any packet processing layer, excepting of course situations where the payload is encrypted. Although being efficient, this technique still faces big challenges. The contributions of this paper rely on the association of Deep Packet Inspection with forensics analysis to evaluate different attacks towards a Honeynet operating in a network laboratory at the University of Brasilia. In this perspective, this work could identify and map the content and behavior of attacks such as the Mirai botnet and brute-force attacks targeting various different network services. Obtained results demonstrate the behavior of automated attacks (such as worms and bots) and non-automated attacks (brute-force conducted with different tools). The data collected and analyzed is then used to generate statistics of used usernames and passwords, IP and services distribution, among other elements. This paper also discusses the importance of network forensics and Chain of Custody procedures to conduct investigations and shows the effectiveness of the mentioned techniques in evaluating different attacks in networks.
To fix this problem the International Organization for Standardization (ISO) researched different network models and the result is the OSI-model which was released in 1984. Nowadays most vendors build networks based on the OSI model and hardware from different vendors is compatible….excellent!
The OSI-model isn’t just a model to make networks compatible; it’s also one of the BEST ways to teach people about networks. Keep this in mind since when you are studying networking you will see people refer a lot to the OSI model.
Here’s what the OSI model looks like:
“All People Seem To Need Data Processing”
This is the OSI-model which has seven layers; we are working our way from the bottom to the top. Let’s start at the physical layer:
I’m taking a short break here, these four layers that I just described are important for networking, and the upper three layers are about applications.
“People Do Need To See Pamela Anderson”
This one normally gives me more smiles when I’m teaching CCNA in class and it’s another way to remember the OSI-Model.
P = Physical
D = Data Link
N = Network
T = Transport
S = Session
P = Presentation
A = Application
Remember that you can’t skip any layers in the OSI-model, it’s impossible to jump from the Application layer directly to the Network layer. You always need to go through all the layers to send data over the network.
Let’s take a look at a real-life example of data transmission:
Once again, you are unable to “skip” any layers of the OSI model. You always have to work your way through ALL layers. If you want a real-life story converted to networking land just think about the postal service:
If you put your letter directly in the mailbox it won’t be delivered. Unless someone at the postal office is friendly enough to deliver it anyway, in network-land it doesn’t work this way! Going from the application layer all the way down to the physical layer is what we call encapsulation. Going from the physical layer and working your way up to the application layer is called de-encapsulation.
Now you know about the OSI-model, the different layers and the function of each layer. During peer-to-peer communication, each layer has ‘packets of information’. We call these protocol data units (PDU). Now every unit has a different name on the different layers:
This is just terminology, so don’t mix up talking about IP frames and Ethernet packets