Application layer protocol

DNS

What is DNS?

In TCP/IP networks, each host has a unique IP address, and computers communicate based on that address. However, IP addresses are difficult to remember, so a hosts file was maintained at the Internet Information Center that recorded the mapping between host names and IP addresses. When a host name was accessed, the system translated it into an IP address. However, whenever a host's IP address changed, the hosts file had to be changed and every other computer had to download it again, which is bad for management and expansion.

So the job of each host's hosts file was shifted to the DNS system. The DNS system maintains several databases that record the mapping between host names and IP addresses, and the data in these databases can be set and changed efficiently. If a host needs to change its mapping, only one request is made to the DNS system; the DNS system then finds the domain name server of the host's organization and changes the mapping there, without affecting other hosts. DNS servers record the mapping between domain names and IP addresses in a tree structure: each layer below the root DNS server has several DNS servers, each DNS server manages the domain names in its own layer, and each DNS server holds the IP addresses of the servers in the layers below it so that lookups can be passed downward.

DNS queries:

Our host is configured with the IP address of a domain name server. When a lookup request comes in, the host first searches its own hosts file for the mapping. If it is not there, it queries the DNS server configured on the local host. If that server does not know the mapping either, the query goes to the root DNS server, which traverses the tree until it reaches the DNS server responsible for the name and returns the IP address. (Note: both the host and the DNS servers cache this IP address.)

DNS hijacking:

An attacker gains control of resolution by attacking the records on the domain name server, by taking over the domain's account at the domain registrar (its password and access control), or by illegally intruding into a router and modifying its DNS settings. The resolution result for the domain name is tampered with and the IP address of the domain is replaced, so users who visit the site are directed to a malicious website.

A carrier's LocalDNS may also hijack domain name resolution: it forcibly points the domain name to the IP address of its own content cache server, or changes the DNS TTL, affecting service availability.

Prevent DNS hijacking:

1. Check the network periodically to discover abnormal IP request paths in time

2. Reset the router configuration

3. Use HttpDNS to bypass the carrier's LocalDNS and interact with the DNS server directly over HTTP (DNS itself is based on UDP).

DNS pollution:

DNS pollution is a type of DNS hijacking: when a user accesses a domain name, an attacker's server disguised as a DNS server returns an incorrect IP address to the user.
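The query path and the pollution case above, as an added example that is not part of the original notes: a minimal DNS message builder and parser (RFC 1035 wire format), plus the two checks a resolver client applies before trusting an answer, namely that the reply carries the transaction id of its own query and that it arrived from the server that was actually asked. The resolver address, transaction id, domain name and all packets are constructed values for the example.

```python
import socket
import struct

# Constructed sample values for this example (not from the notes).
RESOLVER = ("192.0.2.53", 53)     # the DNS server configured on the local host
TXID = 0x1234                      # transaction id chosen by the client

def build_query(txid, name, qtype=1):
    """Build a DNS query (RFC 1035): header + question section, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length

def parse_response(msg, expected_txid):
    """Return (rcode, [(name, ip, ttl), ...]) for the A records in a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return flags & 0x000F, answers

def build_response(query, records, txid=None):
    """Fabricate a reply to `query` (stands in for either a real or a rogue server)."""
    txid = struct.unpack("!H", query[:2])[0] if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = b""
    for ip, ttl in records:                           # name = pointer to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + body

def accept_reply(query, reply, reply_source):
    """Resolver client: keep a reply only if it came from the server we asked and
    echoes our transaction id; anything else is treated as a forged (polluted) answer."""
    if reply_source != RESOLVER:
        return None
    try:
        rcode, answers = parse_response(reply, struct.unpack("!H", query[:2])[0])
    except ValueError:
        return None
    return [(ip, ttl) for _, ip, ttl in answers] if rcode == 0 else []

if __name__ == "__main__":
    q = build_query(TXID, "example.test")
    good = build_response(q, [("192.0.2.10", 300)])
    forged = build_response(q, [("198.51.100.7", 60)], txid=0x9999)
    print(accept_reply(q, good, RESOLVER))                 # [('192.0.2.10', 300)]
    print(accept_reply(q, forged, RESOLVER))               # None: wrong transaction id
    print(accept_reply(q, good, ("198.51.100.7", 53)))     # None: unexpected source
```

The source-address and transaction-id checks are what a plain UDP resolver has to work with; they raise the bar for an off-path forger but do not authenticate the data itself, which is why the TTL and the answer are still cached exactly as received.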

The FTP protocol

FTP, the File Transfer Protocol, is used to transfer files reliably and efficiently between clients and FTP servers. FTP transfers commands and data separately, which means it requires two ports.

  • Command port: commands such as "change directory" and "delete file" are sent through the command port.

  • Data port:

Passive mode: the server returns port 21 to the client, and the client uses this port number to open a socket connection for the data port.

Active mode: the client sends port 20 to the server, and the server must connect to the data port opened by the client for data transmission.
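The two data-port negotiations above, as an added example that is not part of the original notes. It goes slightly beyond the notes by using the actual reply and command formats from RFC 959: in passive mode the server answers PASV with a 227 reply of the form (h1,h2,h3,h4,p1,p2), where the port is p1*256+p2; in active mode the client sends a PORT command in the same notation. The client-side check that the 227 reply names the same host as the command connection is a common hardening step, and all addresses and ports below are constructed values.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." as defined in RFC 959
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in 227 reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def passive_data_target(reply, control_peer_ip):
    """Client side of passive mode: where to open the data socket.
    The data connection is only made to the host the command connection already talks
    to; a 227 reply that names some other host is refused (returns None)."""
    ip, port = parse_pasv(reply)
    if ip != control_peer_ip:
        return None
    return ip, port

def build_port_command(local_ip, port):
    """Active mode: the client tells the server the address and port it listens on."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(local_ip.split(".")) + f",{port // 256},{port % 256}\r\n"

if __name__ == "__main__":
    # Constructed exchange: command connection to 192.0.2.7, server replies to PASV.
    reply = "227 Entering Passive Mode (192,0,2,7,195,89)."
    print(passive_data_target(reply, "192.0.2.7"))        # ('192.0.2.7', 50009)
    print(passive_data_target(reply, "198.51.100.9"))     # None: reply points elsewhere
    print(build_port_command("192.0.2.20", 50009))        # PORT 192,0,2,20,195,89
```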

The SNMP protocol

SNMP is based on UDP and is used to transfer network management control and message information between management servers and management agents. (The management server controls the network behavior of the managed devices; the agent is a process on the managed device that communicates with the management server and carries out the management actions on that device.) SNMP ensures reliable delivery by matching each response id to the request id it answers.

SNMP usually works in request-response mode: the management server sends a request, and the agent receives the request, performs the action, and returns the response. There are also trap messages, in which the agent sends an unsolicited message to the management server to notify it of an exception.

DHCP protocol

DHCP is the Dynamic Host Configuration Protocol. When a client host obtains its IP address dynamically, the DHCP server assigns the IP address to the client according to the DHCP protocol.

Why have DHCP?

Only when two hosts are on the same network segment can a host that wants to connect to the other send ARP requests to obtain the peer host's MAC address and connect correctly. If the two hosts are on different network segments, the packet is sent to the gateway instead of onto the local network. If no gateway is configured, there is no information about the peer host, that is, its MAC address cannot be learned, so the connection cannot be made. Therefore, the IP addresses must be on the same network segment. However, whenever we move to a new place, the IP address has to be changed to that segment, which is obviously impractical, and so the Dynamic Host Configuration Protocol (DHCP) exists.

Working principle:

When a new machine joins a network, it performs a DHCP Discover: it broadcasts a packet with source IP address 0.0.0.0 that encapsulates the BOOTP header (DHCP). The DHCP server receives the packet and checks whether the MAC address of the corresponding machine exists (which shows the importance of a unique MAC address). The machine is then dynamically assigned an IP address, subnet mask, gateway, and other information. The new machine broadcasts a DHCP Request to the network; after receiving the Request, the DHCP server broadcasts a DHCP ACK to the new machine, which carries the IP lease period. At this point, DHCP has completed its work.
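The exchange above, as an added example that is not part of the original notes: both the client and a tiny DHCP server are simulated in one process using the real BOOTP header layout and DHCP option encoding (RFC 2131). It adds the Offer step that sits between Discover and Request in the standard exchange, and shows the client-side rule of accepting only server messages that echo the transaction id (xid) of its own Discover or Request. The MAC address, server address, assigned address and lease time are constructed values; the server hands out one fixed address instead of consulting a pool.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # DHCP message types (option 53)

def opt(code, data):
    return bytes([code, len(data)]) + data

def build_bootp(op, xid, mac, yiaddr="0.0.0.0", options=b""):
    """BOOTP header followed by DHCP options. op=1 client request, op=2 server reply."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=Ethernet, broadcast flag
    pkt += socket.inet_aton("0.0.0.0")            # ciaddr: the client has no address yet
    pkt += socket.inet_aton(yiaddr)               # yiaddr: the address the server assigns
    pkt += socket.inet_aton("0.0.0.0") * 2        # siaddr, giaddr
    pkt += mac.ljust(16, b"\x00")                  # chaddr (16 bytes)
    pkt += b"\x00" * 192                           # sname (64) + file (128)
    return pkt + MAGIC_COOKIE + options + b"\xff"

def parse_dhcp(pkt):
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(pkt[16:20]),
            "chaddr": pkt[28:34], "options": options}

def accept_server_message(pkt, xid, expected_type):
    """Client side: accept a server message only if it is a reply that echoes the
    transaction id of our own Discover/Request and carries the expected type."""
    msg = parse_dhcp(pkt)
    if msg["op"] != 2 or msg["xid"] != xid or msg["options"].get(53) != bytes([expected_type]):
        return None                                  # stray or rogue reply: ignored
    o = msg["options"]
    return {"ip": msg["yiaddr"], "mask": socket.inet_ntoa(o[1]), "router": socket.inet_ntoa(o[3]),
            "server": socket.inet_ntoa(o[54]), "lease": struct.unpack("!I", o[51])[0]}

def server_reply(client_pkt, msg_type, assigned_ip, server_ip="192.0.2.1"):
    """Constructed DHCP server: assigns a fixed address and a one-day lease (option 51)."""
    req = parse_dhcp(client_pkt)
    options = (opt(53, bytes([msg_type])) + opt(54, socket.inet_aton(server_ip)) +
               opt(1, socket.inet_aton("255.255.255.0")) + opt(3, socket.inet_aton(server_ip)) +
               opt(51, struct.pack("!I", 86400)))
    return build_bootp(2, req["xid"], req["chaddr"], yiaddr=assigned_ip, options=options)

def run_dora(xid, mac, server_ip="192.0.2.1", assigned_ip="192.0.2.50"):
    """Discover -> Offer -> Request -> Ack, with both sides simulated in-process."""
    discover = build_bootp(1, xid, mac, options=opt(53, bytes([DISCOVER])))
    offer = accept_server_message(server_reply(discover, OFFER, assigned_ip, server_ip), xid, OFFER)
    if offer is None:
        return None
    request = build_bootp(1, xid, mac, options=opt(53, bytes([REQUEST])) +
                          opt(50, socket.inet_aton(offer["ip"])) +      # requested address
                          opt(54, socket.inet_aton(offer["server"])))   # chosen server
    return accept_server_message(server_reply(request, ACK, offer["ip"], server_ip), xid, ACK)

if __name__ == "__main__":
    print(run_dora(0x3903F326, b"\x00\x11\x22\x33\x44\x55"))
```

The xid check is the client's only built-in way to tell its own transaction apart from a reply meant for another host (or one injected by an unexpected server on the segment); a real deployment adds DHCP snooping on the switch for that reason.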

The WebSocket protocol

The WebSocket protocol is an application-layer protocol. A server using the WebSocket protocol can subscribe to a type of message, and when the server receives such a message it initiates a notification to the client, realizing active message push from the server.

WebSocket generates messages based on frames. During message transmission a message is fragmented into frames, and different types of frames have different functions:

  • Persistent frame (carries on the state of the previous frame)

  • Heartbeat frames: WebSocket uses Ping and Pong frames to maintain a heartbeat. When a Ping frame is received, a Pong frame must be sent back. A Ping frame can carry data, so the Pong frame must carry the same data.

  • Data frame: Transmits binary or text data.

  • FIN frame: WebSocket merges frames based on the FIN flag. WebSocket runs on top of TCP, so frames do not arrive out of order.
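The frame types above, as an added example that is not part of the original notes: a WebSocket frame encoder/decoder following the RFC 6455 wire layout (FIN bit, opcode, mask bit, 7/16/64-bit length, masking key) and a server-side endpoint that reassembles fragments when FIN is set, answers a Ping with a Pong carrying the same data, and rejects frames that break the framing rules (client frames must be masked; control frames must not be fragmented and carry at most 125 bytes). The masking key and the message contents are constructed values.

```python
import struct

CONT, TEXT, BINARY, CLOSE, PING, PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA

def encode_frame(opcode, payload, fin=True, mask_key=None):
    """Build one frame. Clients must mask (4-byte mask_key); servers send unmasked."""
    first = (0x80 if fin else 0x00) | opcode
    mask_bit = 0x80 if mask_key else 0x00
    n = len(payload)
    if n < 126:
        header = bytes([first, mask_bit | n])
    elif n < 65536:
        header = bytes([first, mask_bit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([first, mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
        return header + mask_key + payload
    return header + payload

def decode_frame(buf):
    """Return (fin, opcode, masked, payload, bytes_consumed), or None if buf is incomplete."""
    if len(buf) < 2:
        return None
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, n, i = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if n == 126:
        if len(buf) < 4:
            return None
        n, i = struct.unpack("!H", buf[2:4])[0], 4
    elif n == 127:
        if len(buf) < 10:
            return None
        n, i = struct.unpack("!Q", buf[2:10])[0], 10
    key = None
    if masked:
        if len(buf) < i + 4:
            return None
        key, i = buf[i:i + 4], i + 4
    if len(buf) < i + n:
        return None
    payload = buf[i:i + n]
    if masked:
        payload = bytes(b ^ key[j % 4] for j, b in enumerate(payload))
    return fin, opcode, masked, payload, i + n

class ServerEndpoint:
    """Server-side frame handling: reassembles fragments on FIN, answers Ping with a
    Pong carrying the same data, and rejects frames that violate the framing rules."""
    def __init__(self):
        self.fragments, self.frag_opcode = [], None
        self.messages = []     # completed (opcode, payload) messages
        self.outgoing = []     # frames queued for sending to the client

    def feed(self, buf):
        """Consume every complete frame in buf; return the unconsumed tail."""
        while (frame := decode_frame(buf)) is not None:
            fin, opcode, masked, payload, used = frame
            if not masked:
                raise ValueError("client-to-server frames must be masked")
            self.handle(fin, opcode, payload)
            buf = buf[used:]
        return buf

    def handle(self, fin, opcode, payload):
        if opcode >= 0x8:                                  # control frame
            if not fin or len(payload) > 125:
                raise ValueError("control frames must be unfragmented and <= 125 bytes")
            if opcode == PING:
                self.outgoing.append(encode_frame(PONG, payload))   # same data back
            elif opcode == CLOSE:
                self.outgoing.append(encode_frame(CLOSE, payload))
            return
        if opcode == CONT:
            if self.frag_opcode is None:
                raise ValueError("continuation frame without a message in progress")
        elif self.frag_opcode is not None:
            raise ValueError("new data frame while a fragmented message is in progress")
        else:
            self.frag_opcode = opcode
        self.fragments.append(payload)
        if fin:                                            # FIN set: merge the fragments
            self.messages.append((self.frag_opcode, b"".join(self.fragments)))
            self.fragments, self.frag_opcode = [], None
```

Because TCP delivers the byte stream in order, the endpoint only has to handle frames that are split across reads (feed returns the unconsumed tail so the caller can prepend it to the next read); it never has to reorder them.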

Disadvantages: because the server actively pushes messages, the client side does not scale well dynamically, so a message processing layer is needed to route messages correctly to newly added clients.

The socket API can implement both the HTTP and WebSocket protocols; Netty wraps the socket API, making HTTP and WebSocket easier to implement. Both HTTP and WebSocket are built on top of TCP. While HTTP communication can only be initiated by the client, WebSocket communication can be actively initiated by the server, so WebSocket can be used for real-time communication between multiple clients. Generally speaking, WebSocket is used in IM scenarios, where a single connection is established and real-time data can be transmitted at any time; HTTP is generally used for simple requests, accessing web sites (HTTP short connections), and so on. WebSocket is full-duplex communication and can be multiplexed; HTTP can only be multiplexed from HTTP/2.0 onward.

Transport layer protocol

TCP, UDP

Network layer protocol

TCP/IP protocol

Classful IP addresses: an IPv4 address is written in dotted decimal notation (every 8 bits of the 32-bit binary number is converted to a decimal number from 0 to 255). The address has a network part and a hierarchical (parent-child) structure, which gives Class A through Class E addresses. An address whose first bit is 0 is called a Class A address; a Class A address has seven bits available for the network number, so the Class A range is 1.0.0.0 to 126.255.255.255.

Disadvantages: ① there is no address hierarchy within a private network, so address flexibility is poor; ② there are too few class-3 network addresses.

CIDR (classless addressing): written as IP/N, where N is the number of leading bits that form the network address (the network address range should be a multiple of 8), which solves the flexibility problem of classful addresses. Since the first N bits are the network address, the remaining bits are the host number, so subnets can be divided further within them (for example by 10), representing host segments under the same network address.

NAT (network address translation): solves the shortage of public IP addresses by letting a small number of public IP addresses support Internet access for a large number of clients. A large number of hosts are first assigned private IP addresses; the NAT router then rewrites the source address of outgoing packets to a public IP address and sends them to the server. The destination address of the server's response is the public address; when the response arrives at the NAT router, it is rewritten back to our private address and forwarded to us. Because there may be multiple devices on the same private network (for example several mobile phones on one Wi-Fi network), NAPT supports IP + port mapping: NAPT maintains the mapping between IP addresses and ports. IPv6 addresses are 128 bits long, so NAT is not required for IPv6 addressing.
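The NAPT mapping described above, as an added example that is not part of the original notes: a toy router that rewrites the source of outbound packets to its public address plus an allocated port, records the mapping, and uses it to rewrite the destination of replies back to the private host. The public address, private hosts and remote server are constructed values, and the mapping is keyed on the full (source, destination) tuple, which is one of several NAPT behaviours found in real devices.

```python
class NaptRouter:
    """Toy NAPT: (private ip, port) -> (public ip, allocated port) on the way out,
    and the stored mapping rewrites replies on the way back in."""
    def __init__(self, public_ip, first_port=40000, last_port=60000):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the private network; allocate a port on first use."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            if self.next_port > self.last_port:
                return None                        # port pool exhausted: packet dropped
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {"src": self.public_ip, "sport": self.outbound[key],
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def translate_inbound(self, pkt):
        """Rewrite a reply arriving at the public address; unknown flows are dropped."""
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.inbound:
            return None                             # no mapping: unsolicited traffic dropped
        src_ip, src_port = self.inbound[key]
        return {"src": pkt["src"], "sport": pkt["sport"], "dst": src_ip, "dport": src_port}

if __name__ == "__main__":
    nat = NaptRouter("203.0.113.1")
    # Constructed scenario: two phones on one Wi-Fi network, same source port, same server.
    phone_a = {"src": "192.168.1.10", "sport": 5000, "dst": "198.51.100.20", "dport": 443}
    phone_b = {"src": "192.168.1.11", "sport": 5000, "dst": "198.51.100.20", "dport": 443}
    print(nat.translate_outbound(phone_a))   # public port 40000
    print(nat.translate_outbound(phone_b))   # public port 40001
    print(nat.translate_inbound({"src": "198.51.100.20", "sport": 443,
                                 "dst": "203.0.113.1", "dport": 40001}))  # back to 192.168.1.11
```

The "no mapping, drop it" branch is the side effect that makes NAT look like a firewall: a host on the private network is only reachable for flows it opened itself.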

IPv6:

There are three modes for transmitting IP packets

Direct transmission:

If the two hosts are on the same network segment, you can query the MAC address of the target host in the ARP table, assemble the packet, and forward the packet through the switch.

Local network indirect transmission:

The client accesses an intranet service set up on the local network, and packets are forwarded through the router.

RIP: selects routes based on hop count and broadcasts UDP packets to determine the number of hops a host's packets need to reach each routing table.

OSPF: multi-level topology. Every router within the same topology area holds the same data. Areas are connected directly through the router topology, and routing packets are transmitted based on the IP protocol header.

Public indirect transmission

To access services on a remote network, a client needs to forward packets through multiple routers on a WAN.

BGP: EBGP is used on the Internet, IBGP is used on an intranet, and information is transmitted over TCP.

Broadcast and multicast: Both the network layer and the data link layer support broadcast and multicast.

Broadcast: there are multiple domains, and only processes in a particular domain can receive broadcasts. IP multicast uses a Class D address, which begins with the bits 1110. A packet whose host id bits are all 1 addresses all hosts on a network and is used for broadcasting.

Multicast: multicast addresses are Class D addresses, and the multicast scope can be controlled by managing IGMP groups.

How to rectify the IP address failure:

There may be an IP conflict. Run "arping <IP>" to check how many MAC addresses answer for this IP address. If there are multiple MAC addresses, run ifconfig to check the local IP address and isolate the other addresses. You can also run "arp-scan -l" to obtain the IP and MAC addresses of all hosts and check for IP address conflicts.

What a private IP address is: the IP address on the local LAN, which corresponds to a public IP address.

What a subnet mask is: the leading network bits (here the first three bytes) that divide an IP address into a network address and a host address.
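The addressing rules from the classful, CIDR, private-address and subnet-mask passages above, as an added example that is not part of the original notes, written with Python's standard ipaddress module. It shows how the class is read off the leading bits of the first octet, how a /N prefix rather than the class fixes the mask under CIDR, the "same network segment" test that decides whether two hosts can reach each other directly, and the RFC 1918 private ranges. All addresses are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges: addresses that need NAT to reach the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_class(ip):
    """Classful lookup: the class is decided by the leading bits of the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first >> 7 == 0b0:
        return "A"      # 0xxxxxxx: first octet 0-127 (1-126 usable, as in the notes)
    if first >> 6 == 0b10:
        return "B"      # 10xxxxxx: 128-191
    if first >> 5 == 0b110:
        return "C"      # 110xxxxx: 192-223
    if first >> 4 == 0b1110:
        return "D"      # 1110xxxx: 224-239, multicast
    return "E"          # 1111xxxx: reserved

def classful_prefix(ip):
    """Network bits implied by the class alone (None for D/E, which have no host part)."""
    return {"A": 8, "B": 16, "C": 24}.get(address_class(ip))

def describe(cidr):
    """CIDR: the /N prefix, not the class, decides where the host part begins."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address), "prefix": net.prefixlen,
            "usable_hosts": max(net.num_addresses - 2, 0)}

def same_segment(ip_a, ip_b, prefix):
    """Two hosts can talk directly (via ARP) only if they share the network part."""
    return ipaddress.IPv4Address(ip_b) in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)

def is_private(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.0.1", "192.168.1.1", "224.0.0.1"):
        print(ip, address_class(ip), classful_prefix(ip))
    print(describe("192.168.1.37/26"))                      # mask 255.255.255.192, 62 hosts
    print(same_segment("192.168.1.37", "192.168.1.70", 26)) # False: different /26 subnets
    print(same_segment("192.168.1.37", "192.168.1.70", 24)) # True: same /24
    print(is_private("10.0.0.5"), is_private("8.8.8.8"))    # True False
```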

The ICMP protocol

ICMP is an auxiliary protocol of IP (carried over IP) and is concerned with how well IP is performing. It is therefore used to confirm whether the IP network is working properly, diagnose IP packet anomalies, and trace links. Ping is based on ICMP.

How it works: ICMP packets are encapsulated in IP packets. When a router cannot reach the destination host, it sends an ICMP packet back to the source host over the IP link. The source host decapsulates the ICMP packet's header and data field to learn the cause or diagnostic message.

ICMP message type:

0. ICMP active request message and reply message

1. ICMP destination unreachable message and ICMP redirect message

2. ICMP time exceeded message: when the TTL field of an IP packet is reduced to 0, the packet is discarded and the router sends an ICMP time exceeded message.

3. ICMP echo message: a message sent between hosts or routers to check whether a sent packet reaches the peer end.

The ping command uses ICMP echo messages.

4. ICMP router discovery message: used to discover routers on the network. The host sends an ICMP router solicitation, and the router on the connected network returns an ICMP router advertisement to the host.

5. ICMP address mask message: obtains the subnet mask of the target host or router.

6. ICMP neighbor discovery: the neighbor discovery request message is sent to a multicast address so that nearby hosts receive it.

The destination host returns its MAC address to the source host in the neighbor discovery reply message. In IPv6, ICMP replaces ARP: it combines the functions of IPv4 ARP, ICMP redirect, and ICMP router discovery messages to locate MAC addresses. Within each message type there are many Code subtypes that represent specific error messages.

Ping workflow:

Ping sends a query packet that complies with ICMP. When the ping command is executed, the source host constructs an ICMP request packet containing a sequence number and the sending time (used to calculate the RTT, the round-trip time). The source host hands the ICMP request packet, together with the IP address, down to the layer below, which encapsulates it in an IP packet; the IP packet is then encapsulated in a frame at the data link layer and sent to the peer end. The peer host receives the frame, checks it, extracts the data, and finally passes it to ICMP; the peer host then constructs an ICMP reply packet, keeps the sequence number consistent with the one received, and sends it back to the source host. If the source host does not receive the ICMP reply packet, the host is unreachable.
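The ping workflow above, as an added example that is not part of the original notes: the ICMP echo request/reply header (type, code, checksum, identifier, sequence number) is built and parsed with the RFC 1071 Internet checksum, the send time is carried in the payload so the RTT can be computed from the reply, and the sender accepts a reply only when its identifier and sequence number match the probe it sent. The identifier, timestamps and payload are constructed values; no raw socket is opened, the peer is simulated in-process.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(msg_type, ident, seq, payload):
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", msg_type, 0, checksum(header + payload), ident, seq) + payload

def parse_icmp(pkt):
    """Verify the checksum (a valid packet sums to zero) and split out the fields."""
    if len(pkt) < 8 or checksum(pkt) != 0:
        raise ValueError("corrupt ICMP packet")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return msg_type, code, ident, seq, pkt[8:]

def build_request(ident, seq, send_time):
    """Ping sender: embed the send time in the payload so the RTT can be computed on reply."""
    return build_echo(ECHO_REQUEST, ident, seq, struct.pack("!d", send_time) + b"ping-data")

def echo_reply(request):
    """Peer host: answer an echo request with an echo reply that keeps the same
    identifier, sequence number and payload."""
    msg_type, _, ident, seq, payload = parse_icmp(request)
    if msg_type != ECHO_REQUEST:
        return None
    return build_echo(ECHO_REPLY, ident, seq, payload)

def match_reply(reply, ident, seq, recv_time):
    """Ping sender: accept only an echo reply with our identifier and sequence number;
    return the RTT in seconds, or None if the reply does not belong to this probe."""
    try:
        msg_type, _, r_ident, r_seq, payload = parse_icmp(reply)
    except ValueError:
        return None
    if msg_type != ECHO_REPLY or (r_ident, r_seq) != (ident, seq):
        return None
    return recv_time - struct.unpack("!d", payload[:8])[0]

if __name__ == "__main__":
    request = build_request(0x1234, 1, 100.0)        # constructed send time
    reply = echo_reply(request)                       # what the peer sends back
    print(match_reply(reply, 0x1234, 1, 100.025))     # ~0.025 s RTT
    print(match_reply(reply, 0x1234, 2, 100.025))     # None: wrong sequence number
```

Matching on identifier and sequence number is what lets a host tell its own replies apart from stray echo replies on a busy network; the checksum only catches corruption, not a reply crafted to match.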

Data link layer protocol

ARP (IPv4 only)

IP addresses carry data between large networks, while MAC addresses carry data between devices on a local network. ARP is used to find MAC addresses from IP addresses. At the data link layer, switches recognize only MAC addresses, so both IP and MAC addresses are necessary for communication.

ARP uses the target IP address as the key to obtain the MAC address. To obtain the MAC address of the target host, the host broadcasts an ARP packet containing the target host's IP address. All hosts and routers on the same link receive and parse the packet; the host that finds its own IP address in it adds its MAC address to the ARP packet and returns it to the source host. If the two hosts are on different links, the source host instead obtains the MAC address of the next-hop router. After obtaining the destination MAC address, the source host caches the mapping between the destination IP address and MAC address, and the destination host caches the mapping between the source host's IP address and MAC address. The ARP cache is refreshed each time.
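The ARP request/reply exchange above and the IP-conflict check from the "How to rectify the IP address failure" passage, as one added example that is not part of the original notes: an ARP packet builder/parser for IPv4 over Ethernet, the host-side rule of answering only requests for its own address, and a cache that, like arping, remembers every MAC that has ever claimed an IP so that two hosts answering for one address show up as a conflict. The MAC and IP addresses are constructed values.

```python
import socket
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """ARP packet for IPv4 over Ethernet: htype=1, ptype=0x0800, hlen=6, plen=4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + sender_mac + socket.inet_aton(sender_ip)
            + target_mac + socket.inet_aton(target_ip))

def parse_arp(pkt):
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) < 28:
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"op": opcode,
            "sender_mac": pkt[8:14], "sender_ip": socket.inet_ntoa(pkt[14:18]),
            "target_mac": pkt[18:24], "target_ip": socket.inet_ntoa(pkt[24:28])}

def answer_request(request, my_mac, my_ip):
    """Host side: reply only when the broadcast request asks for our own IP address."""
    arp = parse_arp(request)
    if arp["op"] != ARP_REQUEST or arp["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, arp["sender_mac"], arp["sender_ip"])

class ArpCache:
    """Caches IP->MAC from every packet seen (refreshed each time), and remembers every
    MAC ever claimed for an IP so that a conflict can be reported."""
    def __init__(self):
        self.table = {}
        self.claimed = defaultdict(set)

    def observe(self, pkt):
        arp = parse_arp(pkt)
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        self.claimed[arp["sender_ip"]].add(arp["sender_mac"])
        return arp

    def lookup(self, ip):
        return self.table.get(ip)

    def conflicts(self):
        """IPs for which more than one MAC has answered, as arping would reveal."""
        return {ip: sorted(m.hex(":") for m in macs)
                for ip, macs in self.claimed.items() if len(macs) > 1}

if __name__ == "__main__":
    A, B, C = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
    request = build_arp(ARP_REQUEST, A, "192.168.1.10", b"\x00" * 6, "192.168.1.20")
    cache = ArpCache()
    cache.observe(answer_request(request, B, "192.168.1.20"))      # legitimate owner
    cache.observe(build_arp(ARP_REPLY, C, "192.168.1.20", A, "192.168.1.10"))  # second claimant
    print(cache.conflicts())   # {'192.168.1.20': ['02:00:00:00:00:02', '02:00:00:00:00:03']}
```

Because the cache is overwritten by whatever reply arrives last, the conflict list, not the current table entry, is the thing to inspect when a host suddenly becomes unreachable.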

RARP: the mapping between MAC addresses and IP addresses is registered on a RARP server. If an embedded device (such as a printer) cannot obtain an IP address by itself, it obtains its IP address from the RARP server through RARP.

Proxy ARP: A router that uses proxy ARP can forward ARP requests to neighboring network segments to achieve normal communication between nodes on different network segments and subnets.

PPP (point-to-point) protocol

STP protocol

VLAN