Network Security: TCP/IP, Sniff/Spoof & IPsec
Why this matters. Every attack in this module exploits the same root cause: the original Internet protocols were designed in a trusted academic environment and contain no built-in mechanism to authenticate who sent a packet or to keep its contents private. Understanding these gaps is the first step toward fixing them.
The Network Stack in 60 Seconds
Data travels through four layers. Each layer adds its own header as it passes data downward (encapsulation) and strips that header on the receiving side.
Application [ Data ]
Transport (L4) [ TCP/UDP header | Data ]
Network (L3) [ IP header | TCP/UDP | Data ]
Data Link (L2) [ MAC header | IP | TCP/UDP | Data ]
Physical (L1) bits on the wire
IP (Layer 3) gives each packet a 32-bit source and destination address. IP is connectionless — each packet is routed independently, and there is no verification that the source address is genuine.
UDP (Layer 4, connectionless) adds source/destination port numbers and a checksum. Fast, simple, no handshake.
TCP (Layer 4, connection-oriented) adds reliable, ordered delivery via sequence numbers, acknowledgements, and a three-way handshake.
TCP Three-Way Handshake
Client Server
| --SYN seq=x-------------> |
| <-SYN-ACK seq=y, ack=x+1- |
| --ACK ack=y+1-----------> |
(connection established)
After the handshake, each side tracks a sequence number that increments with every byte sent. Sequence numbers are critical: they prevent stale duplicates from disrupting an ongoing stream — and, as we will see, they are also the target of blind injection attacks.
Why Classic TCP/IP Has No Security
The original design assumptions:
- No authentication of source addresses. The IP source address field is set by the sending host — any program with a raw socket can write any address it likes.
- No confidentiality. Packets travel in plaintext through every router and switch between source and destination.
- Switches, not hubs — but not immune. Modern switched LANs deliver frames only to their MAC-address destination, so a passive attacker can only see their own traffic. However, ARP lets an attacker bypass this (see below).
Packet Sniffing
Sniffing means reading packets not addressed to your host. The mechanism is the NIC's promiscuous mode: the interface passes every frame it sees up to the kernel (into the capture ring buffer) instead of discarding frames whose destination MAC differs from the host's own MAC.
Libraries like libpcap (used by tcpdump and Wireshark) and Scapy open a raw socket in promiscuous mode to capture traffic.
# Scapy: capture 10 ICMP or UDP packets on ens4 (BPF filter syntax, same as tcpdump)
from scapy.all import *
pkts = sniff(iface='ens4', filter='icmp or udp', count=10)  # needs root / CAP_NET_RAW
pkts.summary()  # one summary line per captured packet
Sniffing on a Switched LAN — ARP Spoofing
A switch normally forwards frames only to the correct port, so an attacker on a different port cannot see Alice-to-Bob traffic. The bypass: ARP spoofing (also called ARP poisoning).
ARP is the protocol that maps an IP address to a MAC address. It is stateless and unauthenticated — any host can broadcast a fake ARP reply claiming "I am 192.168.1.1, my MAC is AA:BB:CC:DD:EE:FF". Because hosts cache the most recent reply, the attacker poisons both Alice's and Bob's caches, positioning themselves as a man-in-the-middle:
Before: Alice ---> Switch ---> Bob
After: Alice ---> Attacker ---> Bob (Attacker forwards to stay invisible)
All traffic between Alice and Bob now passes through the attacker's NIC, which can sniff or modify it even on a fully switched network.
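The binding change described above is exactly what a defender can watch for. The following is an added example, not code from the notes: a passive monitor that replays a constructed sequence of ARP replies and alerts when an IP address's MAC changes or when one MAC claims several IP addresses.

```python
# Added example (not from the original notes): detect the symptoms of ARP
# cache poisoning from a stream of (sender IP, sender MAC) pairs, as a sniffer
# running sniff(filter="arp") or a switch's ARP log would report them.
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is legitimately at
# 00:11:22:33:44:01 until a host at aa:bb:cc:dd:ee:ff starts claiming both
# the gateway's and Alice's (192.168.1.10) addresses.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.1",  "aa:bb:cc:dd:ee:ff"),   # gateway "moves": poisoning symptom
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),   # same MAC now also claims Alice
]

def detect_arp_spoofing(replies):
    """Return a list of alert strings, one per suspicious ARP reply.

    Two checks run as each reply is processed:
      1. an IP whose MAC differs from the first binding seen for it;
      2. a MAC that claims more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac               # first binding becomes the baseline
        elif known != mac:
            alerts.append(f"MAC change for {ip}: {known} -> {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

The baseline is whatever reply arrives first, so the monitor should start before an attacker does, and legitimate events such as a replaced NIC also trigger the first check and need correlating with DHCP or inventory records.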
Packet Spoofing
Spoofing means constructing a packet with a fabricated source address (or other header fields). Normal socket calls let the OS fill in the source IP; a raw socket bypasses that and lets the application write every header field directly.
# Scapy: spoof an ICMP echo from 1.2.3.4
from scapy.all import *
ip = IP(src="1.2.3.4", dst="93.184.216.34")  # the source field is whatever we write
icmp = ICMP()                                 # defaults to echo-request
send(ip/icmp, verbose=0)                      # layer-3 send through a raw socket
TCP RST and SYN Attacks
Because TCP uses sequence numbers for state, an attacker who knows (or can guess) the current sequence number can inject valid-looking segments:
- TCP RST attack. Send a RST segment with the correct sequence number → the receiver immediately tears down the connection. Used to disrupt existing TCP sessions (e.g., cut a BGP peering session).
- TCP SYN flood (DoS). Send a flood of SYN segments with spoofed source IPs. The server allocates a half-open connection entry for each one, exhausting its connection table. Legitimate clients cannot complete their handshake. The server never receives the final ACK because replies go to non-existent (or innocent) IP addresses.
Attacker (many spoofed IPs) Server
SYN src=1.1.1.1 ------------> SYN-ACK queued, waiting for ACK
SYN src=2.2.2.2 ------------> SYN-ACK queued, waiting for ACK
... connection table fills up
(Legitimate SYN) ------------> DROPPED — table full
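Because the source addresses are spoofed, counting SYNs per source tells a defender nothing; the signal is the server's half-open table itself. The following is an added example, not code from the notes: it replays constructed tcpdump-style lines (timestamps omitted), tracks SYNs whose handshake is never completed, and reports when the half-open count reaches the server's backlog size.

```python
# Added example (not from the original notes): SYN-flood detection from the
# half-open connection count, run over constructed tcpdump-style lines.
import re

# Matches tcpdump -n lines of the form "IP src.sport > dst.dport: Flags [S]"
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")

# Constructed capture: one legitimate handshake from 10.0.0.7, then SYNs from
# spoofed sources that never send the final ACK.
SAMPLE_CAPTURE = """\
IP 10.0.0.7.51000 > 10.0.0.5.80: Flags [S]
IP 10.0.0.5.80 > 10.0.0.7.51000: Flags [S.]
IP 10.0.0.7.51000 > 10.0.0.5.80: Flags [.]
IP 1.1.1.1.40000 > 10.0.0.5.80: Flags [S]
IP 2.2.2.2.40001 > 10.0.0.5.80: Flags [S]
IP 3.3.3.3.40002 > 10.0.0.5.80: Flags [S]
IP 4.4.4.4.40003 > 10.0.0.5.80: Flags [S]
"""

def half_open_connections(capture, server, port):
    """Return the set of (client_ip, client_port) whose handshake never completed."""
    half_open = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst != server or int(dport) != port:
            continue                          # only packets arriving at the service
        if flags == "S":                      # client SYN: new half-open entry
            half_open.add((src, int(sport)))
        elif "." in flags or "R" in flags:    # client ACK completes it; RST aborts it
            half_open.discard((src, int(sport)))
    return half_open

def syn_flood_suspected(capture, server, port, backlog):
    """Return (alert, half_open_count); alert is True once the backlog is reached."""
    pending = half_open_connections(capture, server, port)
    return len(pending) >= backlog, len(pending)
```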
Blind TCP Injection
If an attacker cannot sniff the sequence numbers (off-path attacker), they can still inject data if the sequence space is predictable. Early TCP implementations used weak ISN (Initial Sequence Number) generators. With the right guess, an attacker can inject bytes into a live session without observing the traffic — enabling session hijacking or command injection.
DNS Spoofing / Cache Poisoning
DNS resolvers cache responses. If an attacker can race a forged DNS reply (with the right transaction ID) before the legitimate answer arrives, the resolver stores the fake mapping. All clients using that resolver then connect to the attacker's IP instead of the real server — a powerful redirection attack, especially before DNSSEC.
IPsec: Security at the Network Layer
IPsec (Internet Protocol Security, RFCs 2401–2406) retrofits security directly into IP so that all IP traffic — not just specific applications — can be protected. It has three main components:
Authentication Header (AH) — RFC 2402
AH provides integrity and data-origin authentication for the entire IP packet (including most of the IP header). It does not encrypt — traffic is still readable, but a tampered or spoofed packet will fail the integrity check.
AH Transport Mode:
[ IP Header | AH Header | TCP Header | Data ]
<-------------- Authenticated -------------->
Encapsulating Security Payload (ESP) — RFC 2406
ESP provides confidentiality (encryption) plus integrity/authentication for the payload. It is the protocol used in practice because it covers both goals.
ESP Transport Mode:
[ IP Header | ESP Header | TCP Header | Data | ESP Trailer | ESP Auth ]
                           <--------- Encrypted --------->
              <-------------- Authenticated ------------->
(ESP Auth is the integrity check value. It covers the ESP header, the encrypted payload and the ESP trailer, but not the IP header and not itself.)
AH and ESP can be combined: apply ESP first (encrypt + authenticate payload), then apply AH (authenticate the result including the outer IP header).
Transport Mode vs. Tunnel Mode
| | Transport Mode | Tunnel Mode |
|---|---|---|
| Original IP header | Kept, protected by AH/ESP | Replaced by new outer IP header |
| Who uses it | Host-to-host (two endpoints run IPsec) | Gateway-to-gateway (VPN tunnels) |
| Typical use | Securing a single TCP session between two servers | Corporate VPN: branch office to HQ |
In tunnel mode, the entire original IP packet (header + payload) is encapsulated inside a new IP packet. The original source/destination addresses are hidden inside the encrypted payload — the outer header shows only gateway addresses, protecting internal network topology.
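To make the ESP framing and the transport/tunnel distinction above concrete, here is an added example, not code from the notes or from any IPsec implementation. It builds and verifies ESP packets with the NULL cipher (RFC 2410, so only the standard library is needed) and HMAC-SHA256-128 as the integrity algorithm; the SPI values, key, TCP segment and inner IP header are constructed, and the outer IP header of tunnel mode is not built.

```python
# Added example (not from the notes): ESP-NULL encapsulation/decapsulation
# showing what the ICV covers and how tunnel mode hides the inner IP header.
import hmac, hashlib, struct

ICV_LEN = 16           # HMAC-SHA256-128: 256-bit MAC truncated to 128 bits
NEXT_HEADER_TCP = 6    # transport mode: protected payload is a TCP segment
NEXT_HEADER_IPIP = 4   # tunnel mode: protected payload is a whole IP packet

def esp_encapsulate(spi, seq, inner, next_header, key):
    """Build SPI | seq | payload | padding | pad_len | next_hdr | ICV (ESP-NULL)."""
    pad_len = (-(len(inner) + 2)) % 4             # trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # default pad pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv                             # everything but the ICV is authenticated

def esp_decapsulate(packet, key):
    """Verify the ICV; return (spi, seq, next_header, inner) or None if tampered."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]

# Constructed sample data: a key, a fake TCP segment and a fake inner IP header
# (10.1.1.5 -> 10.2.2.9) that tunnel mode carries inside the ESP payload.
KEY = b"constructed demo key, not a real SA key"
TCP_SEGMENT = b"\x00\x50\xc3\x50" + b"\x00" * 16 + b"GET / HTTP/1.1\r\n"
INNER_IP = b"\x45\x00" + b"\x00" * 10 + bytes([10, 1, 1, 5]) + bytes([10, 2, 2, 9])

def transport_mode_roundtrip():
    pkt = esp_encapsulate(0x1001, 1, TCP_SEGMENT, NEXT_HEADER_TCP, KEY)
    return esp_decapsulate(pkt, KEY)

def tunnel_mode_roundtrip():
    # Only the gateways' outer IP header (not built here) would be visible on the wire.
    pkt = esp_encapsulate(0x2002, 7, INNER_IP + TCP_SEGMENT, NEXT_HEADER_IPIP, KEY)
    return esp_decapsulate(pkt, KEY)

def tampered_packet_is_rejected():
    pkt = bytearray(esp_encapsulate(0x1001, 2, TCP_SEGMENT, NEXT_HEADER_TCP, KEY))
    pkt[8] ^= 0x01                                # flip one payload bit in transit
    return esp_decapsulate(bytes(pkt), KEY) is None
```

With a real cipher the payload, padding and trailer bytes would be encrypted before the ICV is computed, which is why ESP can verify integrity before attempting decryption.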
Key Management: IKE
Before AH or ESP can authenticate or encrypt anything, the two sides must agree on keys and algorithms. IKE (Internet Key Exchange) is the standard handshake protocol that negotiates Security Associations (SAs) — the shared parameters (algorithm, key, lifetime) for each direction of traffic.
IPsec vs. TLS
A common point of confusion:
- IPsec operates at Layer 3 (the network layer). It is transparent to applications — no code changes needed. It protects all IP traffic between two endpoints, including ICMP, UDP, and any protocol on top of IP.
- TLS operates at Layer 4/7 (transport/application). It must be explicitly used by each application (HTTPS, IMAPS, etc.). It does not protect the IP headers.
Both are valid; they address different threat models. TLS is more widely deployed for Internet-facing services; IPsec is commonly used in VPNs and site-to-site tunnels.
Key Takeaways
- The TCP/IP stack was designed without authentication of source addresses or confidentiality — attackers can forge the source IP in any packet using a raw socket.
- Sniffing requires either being on a shared medium (hub) or poisoning ARP caches to redirect switched traffic through the attacker's machine.
- ARP spoofing works because ARP replies are accepted without verification, enabling MitM on a switched LAN.
- SYN flooding exploits the half-open connection queue: spoofed SYNs consume server state until legitimate connections are rejected.
- Blind TCP injection is possible when sequence numbers are guessable; modern OSes use cryptographically random ISNs to mitigate this.
- IPsec AH provides integrity and authentication but no encryption; ESP adds confidentiality and is the protocol used in practice.
- Transport mode protects host-to-host traffic; tunnel mode wraps the entire original packet for gateway-to-gateway VPNs.
- IKE handles key negotiation for IPsec SAs; TLS solves a related but distinct problem at a higher layer.