In this post, I am translating my notes from my Solutions Architect Professional Training IT Reviews Section. This second post covers some more networking concepts, and I will follow up with a post about encryption, hashing, and RTO/RPO, and then finally, one more about DNS.
IPv4 Address Space vs IPv6 Address Space
The IPv4 Address space contains over four billion addresses. This number sounds big, but it needs to be bigger to accommodate even one IP address for every person on the planet. To compound issues, every device on the internet needs an IP address, and people and companies typically have more than one device. For this reason, IPv6 was developed (as well as stop-gap measures like network address translation, discussed in the previous post). IPv6 is massively larger and completely solves the problem of IP address scarcity. According to the Internet Society Organization, IPv6 address space is 2^128 or 340 trillion, trillion, trillion IPv6 addresses. This number is more than 100 times the number of atoms on the earth’s surface.
In the early days, IP addresses broke out into five major categories:
- Class A - 0.0.0.0 - 127.255.255.255
  - 128 Distinct Networks (/8)
  - 16,777,216 Hosts for each network
  - Allocated to huge businesses, mostly
- Class B - 128.0.0.0 - 191.255.255.255
  - 16,384 Networks (/16)
  - 65,536 Hosts for each network
  - Allocated to larger businesses that didn’t need a class A allotment
- Class C - 192.0.0.0 - 223.255.255.255
  - 2,097,152 Networks (/24)
  - 256 Hosts for each network
  - Allocated to smaller businesses
- Class D - Multicasting
- Class E - Reserved
One note, and a reminder from my previous post: particular ranges of addresses are cut out of the above networks for private networking. These ranges can’t be routed over the internet and are defined in RFC-1918. RFC-1918 ranges can be used for NAT applications.
- 10.0.0.0 - 10.255.255.255
  - One Class A network from the Class A pool described above
  - 16,777,216 total addresses
- 172.16.0.0 - 172.31.255.255
  - 16 Class B networks from the Class B pool described above
  - 65,536 addresses for each network
  - 1,048,576 Total addresses
- 192.168.0.0 - 192.168.255.255
  - 256 Class C networks from the Class C pool described above
  - 256 addresses for each network
  - 65,536 Total Addresses
In those days, the number assignments were handled by IANA. However, in recent times, in light of the shortage of IPv4 addresses, many of the larger holders of these blocks have yet to relinquish what they weren’t using. Additionally, much of the control over the IPv4 Addresses that IANA once had is now in the hands of regional authorities.
In an earlier section, in my previous post, I covered some of the basics of netmasks and how an IPv4 network address was composed of a host portion and a network portion. Subnetting is a way of designing networks to split larger networks into smaller networks.
That section demonstrated how to change the size of the network by choosing a certain number of bits to represent the network. This choice is called subnetting.
Subnetting is helpful because if we have a large allotment of IP addresses, let’s say 10.0.0.0/8 (which is over 16 million addresses), it wouldn’t be efficient from a network design or a technical perspective to have all of the hosts in the same broadcast domain. Also, leaving the address space like this means you are limited to a single layer-two network for all hosts. It is far easier and more efficient to split the design up.
Adding one more bit to the netmask (i.e., /8 to /9) halves the number of hosts in the network but doubles the number of networks. For instance, in the previous example, if you went to /9, you would end up with:
- 10.0.0.0/9 - 10.0.0.0 - 10.127.255.255
- 10.128.0.0/9 - 10.128.0.0 - 10.255.255.255
These two networks are separate now and need a layer-3 device like a router to facilitate communication. But, assuming they weren’t in the private space or had NAT configured, you could do that routing over another network like the internet. Additionally, ARP broadcasts are limited to each of the two networks and would not cross over to the other.
The possibilities for subnetting are nearly limitless and can be used to make the network more efficient, logically separate parts of a network, allow for lower cost communications over the public internet (versus expensive wide area network layer two implementations), and to improve security.
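The halving rule above, applied repeatedly to carve 10.0.0.0/8 into right-sized segments, as an added example that is not part of the original notes. It goes beyond the single /8 to /9 split in the text; the function names and the host counts per business unit are assumptions made for illustration.

```python
import ipaddress

def allocate(parent, needs):
    """Carve `parent` into one subnet per segment. needs = {name: host count}."""
    free = [ipaddress.ip_network(parent)]
    plan = {}
    # Place the largest segments first so small ones fill the leftover halves.
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        # Smallest block that holds hosts + network + broadcast addresses.
        prefix = 32 - (hosts + 1).bit_length()
        fits = [net for net in free if net.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no room left for {name}")
        block = max(fits, key=lambda net: net.prefixlen)  # tightest free block
        free.remove(block)
        # Each extra mask bit halves the block; keep one half, free the other.
        while block.prefixlen < prefix:
            block, other = block.subnets(prefixlen_diff=1)
            free.append(other)
        plan[name] = block
    return plan

def segment_of(ip, plan):
    """Name of the segment whose subnet contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in plan.items() if addr in net), None)

def needs_router(a, b, plan):
    """True when a and b are not in the same subnet (separate broadcast domains)."""
    seg = segment_of(a, plan)
    return seg is None or seg != segment_of(b, plan)

# Constructed sizing for three hypothetical business units.
NEEDS = {"Sales": 500, "Accounting": 100, "HR": 50}

if __name__ == "__main__":
    plan = allocate("10.0.0.0/8", NEEDS)
    for name, net in plan.items():
        print(f"{name:<11}{net}  {net[0]} - {net[-1]}")
    print(needs_router("10.0.1.20", "10.0.2.130", plan))  # Sales host to HR host
```

Traffic between two addresses for which `needs_router` returns True has to cross a layer-3 device, which is the natural place to apply filtering between segments.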
VLANS, Trunks & Q-Q
VLANs work at the ethernet (layer-2) level. The function of a VLAN is to allow traffic from multiple layer-3 (IP) networks to travel on the same wires/medium. VLANs work by adding a field to the ethernet frame that tags that frame with a VID - this field can handle 4,096 different VIDS.
For VLANs to function, your switches must be VLAN-aware (commonly called smart switches). A smart switch can recognize and react to a VID field in the ethernet frame. There are two kinds of ports on these switches. There are trunk ports, and there are access ports:
- Trunk Ports - These ports transmit and receive frames that are tagged with all of the VIDS.
- Access Ports - Remove the tags from a frame and deliver the traffic for a single VID to that port.
There are variants to these ports, and some can be tagged with some but not all of the VIDs - but these are the most common. The infrastructure uses trunk ports to deliver the data to all switches throughout the internetwork. In contrast, Access Ports are used at the termination of specific users, applications, servers, and other devices to deliver a single network to that device. The critical point is that devices on one VLAN VID cannot communicate with devices on another VLAN VID without a layer three device, like a router, to route the traffic.
VLANs can help with the cost and effort of implementations. For instance, if a business has three units: HR, Accounting, and Sales, located in a single building, but the decision is that they should not share a single layer-two network, VLANS can help. Let’s assume the staff in this business could be sitting in any part of the building. If we didn’t have VLANs, we would need to run three separate cables to each workspace, one for each network. With VLANs, we can run a single cable plant to all the workspaces and configure the switch to deliver the correct untagged network based on the currently assigned user.
In wide-area deployments, companies sometimes must deliver layer two frames across distances. Often when they do this, they use a partner who provides this service. In some cases, these partners use VLANs to segregate customers from one another so that they can use the same cables to service multiple customers. This practice can cause issues because customers may be using VLANs to segregate traffic internally.
A technology called Q-Q (Q in Q) solves the problem. This technology adds another field to the ethernet frame. The standard VLAN field in this configuration is called the C-Tag. C-Tag is the field the customer would use internally before connecting to the service provider equipment. The service provider adds the second VLAN tag, called the S-Tag, to the frame when the customer’s network connects to the provider network. Each service provider customer would be assigned a VLAN ID added as the S-Tag as the frames traveled on the service provider network. As the frames exited at facilities that the service provider connects for that customer, the frames with that S-Tag would be provided to the customer with that S-Tag stripped. Hence, the customer only saw the C-Tag (or regular VLAN traffic).
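To make the C-Tag and S-Tag handling concrete, here is an added example (not part of the original notes) that decodes the tag stack of an Ethernet frame and performs the provider's push and strip of the S-Tag. It assumes the standard tag identifiers 0x8100 (802.1Q C-Tag) and 0x88A8 (802.1ad S-Tag); the frame bytes, MAC addresses and VLAN IDs are constructed.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag

def parse_tags(frame):
    """Return (tags outermost first as (kind, vid), ethertype, payload)."""
    tags, offset = [], 12                    # skip destination and source MAC
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype, frame[offset + 2:]
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # The VID is the low 12 bits of the tag, hence 4,096 possible values.
        tags.append(("S" if etype == TPID_STAG else "C", tci & 0x0FFF))
        offset += 4

def push_stag(frame, vid):
    """Provider ingress: insert an S-Tag in front of whatever the customer sent."""
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VID must fit in 12 bits")
    return frame[:12] + struct.pack("!HH", TPID_STAG, vid) + frame[12:]

def pop_stag(frame):
    """Provider egress: strip the outer S-Tag so the customer sees only its C-Tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_STAG:
        raise ValueError("outer tag is not an S-Tag")
    return frame[:12] + frame[16:]

# Constructed customer frame: two MACs, C-Tag VID 30, IPv4 ethertype, dummy payload.
CUSTOMER_FRAME = (bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02")
                  + struct.pack("!HH", TPID_CTAG, 30)
                  + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    on_wire = push_stag(CUSTOMER_FRAME, 1001)   # 1001 = constructed customer S-VID
    print(parse_tags(on_wire))
    print(pop_stag(on_wire) == CUSTOMER_FRAME)
```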
Jumbo Frames and MTU
A standard ethernet frame’s maximum transmission unit (MTU) is 1,500 bytes. However, it is possible to expand the MTU up to 9,000 bytes, called a Jumbo Frame.
The key reason to do this is that there is overhead with Ethernet frames. Each frame, for example, needs to contain the source MAC address and the destination MAC address (along with other fields). This overhead is constant, no matter the size of the MTU. Additionally, when transmitting a frame across the wire, there is some time between each frame. Therefore, using larger frames means that the data is a larger component of the frame size relative to the overhead.
Some issues with doing this are:
- L2 frames need to encapsulate L3 packets, and if you don’t synchronize packet size to frame size, you get fragmentation (which can slow things down)
- Not all hardware or network stacks support jumbo frames.
AWS supports Jumbo Frames in some cases, and in other cases, it does not:
|Traffic type|Jumbo frames supported|
|---|---|
|Traffic outside of a single VPC|No|
|Traffic over an inter-region VPC peering connection|No|
|Same region VPC Peering|Yes|
|Traffic over VPN connections|No|
|Traffic over Internet Gateway|No|
|Transit Gateway|Yes (only up to 8500 bytes)|
Distributed Denial of Service Attacks
A distributed denial of service (DDOS) attack overloads a website or other internet service with some kind of data. As a result, it competes with legitimate traffic and causes the service to be unavailable or degraded for legitimate users. DDOS attacks are hard to combat because the traffic often comes from large numbers of different IPs or potentially from legitimate actors in the case of volumetric attacks.
Categories of Attack
- Application Layer - HTTP Flood
  - Lots of regular requests. These usually come from a botnet. The IP addresses are legitimate internet users with compromised machines controlled by a bad actor. The bad actor uses this network of compromised devices to target a specific service and flood it with massive traffic. The service cannot keep up with the demand and becomes inaccessible or degraded for legitimate users.
- Protocol Attack - SYN Flood
  - This attack is where the bad actor crafts malicious TCP Datagrams that attempt to start the TCP handshake (known as a SYN). However, this request’s IP address is a fake IP address and not related to the attacker. The IP manipulation causes the server infrastructure to reply with a SYN-ACK to the address specified, which is not expecting the reply. Since that address may not be online, or isn’t expecting a SYN-ACK, it will ignore it. As a result, the server will wait for some time for the response, which doesn’t come, and this consumes resources on the server.
  - This attack only requires a few machines to pull off because the attacker doesn’t need to expend a lot of resources to craft these malicious datagrams and doesn’t need to deal with any return traffic.
  - The result of this attack is similar to the HTTP flood in that server resources are overwhelmed with malicious traffic, and the server either cannot serve legitimate users or serves them in a degraded way.
- Volumetric Attacks - DNS Amplification
  - This attack is another where the botnet can be very small.
  - This attack uses public DNS servers to do the dirty work of attacking the target.
  - The way this works is that the attacker makes DNS requests to a large number of DNS servers using a spoofed IP address. The spoofed source address is the IP address of the attack’s target.
  - When these requests are made, the requests are not expensive for the attacker or his botnet, but the DNS server response is heavy - thus amplifying the attacker’s efforts and flooding the victim with data.
  - One bad thing about these attacks is that the DNS servers are legitimate internet services. Therefore, blocking them at an IP level may cause further issues for the victim.
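From the defender's side, the SYN flood and DNS amplification patterns described above each leave a recognizable trace in traffic seen at the target. The following added example (not part of the original notes) flags both in a list of packet summaries; the record layout, addresses and thresholds are all constructed assumptions, and a production detector would also age entries out over time.

```python
from collections import Counter

SERVER = "203.0.113.10"  # constructed address of the protected host
# Constructed packet summaries: (src, sport, dst, dport, proto, kind, size)
PACKETS = [
    ("198.51.100.7", 40000, SERVER, 443, "tcp", "SYN", 60),
    (SERVER, 443, "198.51.100.7", 40000, "tcp", "SYN-ACK", 60),
    ("198.51.100.7", 40000, SERVER, 443, "tcp", "ACK", 52),       # handshake completes
    (SERVER, 5353, "198.51.100.53", 53, "udp", "query", 70),
    ("198.51.100.53", 53, SERVER, 5353, "udp", "response", 120),  # answers our query
]
# 20 SYNs whose (spoofed) source never sends the final ACK
PACKETS += [(f"192.0.2.{i}", 1024 + i, SERVER, 443, "tcp", "SYN", 60)
            for i in range(1, 21)]
# 10 large DNS responses to queries the server never made
PACKETS += [(f"198.51.100.{100 + i}", 53, SERVER, 4444, "udp", "response", 3000)
            for i in range(10)]

def half_open(packets, server):
    """Handshakes the server is still waiting on: a SYN arrived, the ACK never did."""
    pending = set()
    for src, sport, dst, dport, proto, kind, _ in packets:
        if proto == "tcp" and dst == server:
            if kind == "SYN":
                pending.add((src, sport, dport))
            elif kind == "ACK":
                pending.discard((src, sport, dport))
    return pending

def unsolicited_dns(packets, server):
    """Bytes per resolver of DNS responses that match no query the server sent."""
    asked, volume = set(), Counter()
    for src, sport, dst, dport, proto, _, size in packets:
        if proto != "udp":
            continue
        if src == server and dport == 53:
            asked.add((dst, sport))              # (resolver, our source port)
        elif dst == server and sport == 53 and (src, dport) not in asked:
            volume[src] += size
    return volume

def triage(packets, server, max_half_open=10, max_unsolicited=10_000):
    findings, pending = [], half_open(packets, server)
    total = sum(unsolicited_dns(packets, server).values())
    if len(pending) > max_half_open:
        findings.append(f"possible SYN flood: {len(pending)} half-open handshakes")
    if total > max_unsolicited:
        findings.append(f"possible DNS amplification: {total} unsolicited bytes")
    return findings
```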