Networking Fundamentals
(Kalyana+Soma).Sundaram
Lead DevOps Engineer, Media.net
What happens when you open www.google.com
AGENDA
- DNS, UDP (0.5 days)
- HTTP/(S) (0.5 days)
- TCP, IP Routing (0.5 days)
- Conclusion and Noc session(0.5 days)
DNS
- why DNS
IP vs Domain Name - StakeHolders
TLD owners- ccTLD,gTLD etc
Registrars- Godaddy, Orderbox
DNS Cache- ISP, local
Nameserver
- Assume we registered google.com domain.
- Most domain registrars have their own ns
- NS makes authoritative response to google.com
- Glue Records
Activity
- install bind9
- out of box recursion is on
- tld
- resolv.conf
Activity
- set zone example.google.com
Types of Records
- A record
- PTR record dig -x 8.8.8.8 @8.8.8.8
- CNAME
- NS
- SPF DKIM
Where else dns can be used?
- To geographically distribute traffic
- Load balancing
- Both a and b
- none
END Notes
- TTL
- Setup custom backend in powerdns
https://doc.powerdns.com/md/authoritative/backend-pipe/ - DM DNS Overview
UDP
- DNS uses UDP
- Just multiplexing, fire and forget
- Source Port Destination Port
- tcpdump
tcpdump -s 0 -A -i any net 8.8.8.8 -nn
Sysctl tunables
- sysctl recv and send buffer max and default
- so_sndbuff and so_rcvbuff socket system call params
HTTP
- Methods
Get,Head,Post,Put.. - HTTP/1.1 vs HTTP/1.0
telnet directi.com 80 - Headers
HTTP States
- Stateless
- Cookie
- Web Proxy (cache headers)
- Man in the middle
tcpdump
HTTPS
TLS
End to End Encryption
Activity
- Install apache2
- Setup Self Signed Cert and https
TCP
- 3 way handshake
- Acknowledgements and reliability
- tcpdump and check sequence numbers
- Push Reset Flags
sysctl values
- tcp_rmem,tcp_wmem
- tcp_max_syn_backlog
- tcp_recycle,tcp_fintimeout
Connection Tearing Phase
What if somebody spoofs Syn and send to me?
- Syn+Ack goes to spoofed ip
- Syn+Ack goes to correct ip
- Syn+Ack is dropped
- Hodor
TCP Attacks
- SYN/ACK flood
- SYN Cookies, somaxconn, tcp_syn_backlog
Network + Data Link Layer
- Routing table
route -n - CIDR subnet mask
mask XOR IP=net - Gateway 0.0.0.0 ARP
- Net 0.0.0.0
- rp_filter(way to prevent spoofed ip)
Network + Data Link Layer
Q From your system to Access point what part of the packet addresses the access point when you open google.com?
- Source IP Address
- Dest IP Address
- Dest Port
- Mac Address
NAT
- Port based nat
Activity - Setup Nat using iptables masquerade and ip_forwarding on one vm and change routing table on another vm to use the nat
http://www.revsys.com/writings/quicktips/nat.html - Tcp recycle
Can the NAT box see HTTPS Application Level Data?
- Yes
- No
Recap opening www.google.com
Advanced
- BGP
looking glass lg.he.net - Tunnels
- Anycast
- CDN
- Load Balancing
- Mitigation