Advanced ⏱ 60–75 Minutes Protocol Internals

Advanced Deep Dive

Understanding the hidden networking mechanisms that control packet delivery, reliability, and performance. This is the knowledge that separates casual users from senior engineers and pentesters.

Why This Module Exists

Most learners understand IP addressing, Routing, DNS, and Ports. But real engineers and pentesters understand the "Why":

WHY packets fail.
WHY connections reset.
WHY latency happens.
WHY scans behave differently.

This module breaks down those internal mechanics.

1. DHCP Deep Dive (DORA Process)

Dynamic Host Configuration Protocol automatically assigns IP addresses to devices. It follows a strict 4-step sequence known as DORA.

💻 Client
Discover: "Who can give me an IP?"
(Broadcast: 0.0.0.0 → 255.255.255.255)
Offer: "Here is an available IP."
Request: "I accept this IP."
Acknowledge: "Lease confirmed."
🖥️ Server

💀 Security Insight

DHCP is built on implicit trust. This enables Rogue DHCP attacks, where an attacker stands up a fake DHCP server to hand out IPs and sets their own machine as the Default Gateway, instantly achieving a Man-In-The-Middle (MITM) position.

2. ICMP Internals

Internet Control Message Protocol handles network diagnostics and error reporting. It doesn't transport application data; it talks about the health of the network itself.

Type Purpose Meaning
Echo Request (8) Ping "Are you alive?"
Echo Reply (0) Ping Response "Yes, I am alive."
Destination Unreachable (3) Routing Failure The router has no path to the target.
Time Exceeded (11) TTL Expired Packet died in transit (used by Traceroute).

When you type ping google.com, you are actually sending an ICMP Echo Request.

Pentesting Importance

ICMP is the foundation of Reconnaissance. It is used for Host Discovery, Network Mapping, and Firewall Testing (seeing if a router drops ICMP but allows TCP).

3. MTU (Maximum Transmission Unit)

MTU defines the maximum packet size allowed on a network. For typical Ethernet, this is exactly 1500 bytes.

What happens if a packet is too large?

Packet Fragmentation occurs. The router takes the massive packet and chops it into smaller pieces to fit through the network.

📦 Large Packet (2000 Bytes)
Fragment 1
1500 Bytes
Fragment 2
500 Bytes

Problems Caused: Heavy fragmentation leads to slow connections, VPN tunnel failures (due to encryption overhead), and packet loss.

# Real Troubleshooting Command to detect MTU issues:
ping -M do -s 1472 target.com
# (-M do = Do not fragment. -s = payload size. If it fails, MTU is too low.)

4. TCP Flags Deep Dive

TCP is connection-oriented. It controls the "state" of a connection by setting specific bits (Flags) in the packet header to 1 or 0.

Flag Full Name Meaning
SYN Synchronize Start connection / Sync sequence numbers.
ACK Acknowledge Acknowledge received data.
FIN Finish Graceful close. "I have no more data to send."
RST Reset Force terminate. Drop the connection immediately.
PSH Push Push data immediately to the application (bypassing buffers).
URG Urgent Marks priority data. (Rare today, but historically important).

The PSH Flag in Action

Normally, TCP buffers data to send it efficiently in chunks. The PSH flag forces immediate delivery. It is heavily used in interactive sessions like SSH or live chat, where every keystroke needs to appear instantly.

Security Relevance: Port Scanning

Nmap relies entirely on manipulating TCP flags to see how firewalls and servers react.

SYN Scan: Sends a SYN. If it gets a SYN-ACK, the port is open. It never completes the handshake (stealthy).
Xmas Scan: Sends FIN, PSH, and URG simultaneously. How the server drops the weird packet reveals its OS.

5. TCP Connection States

As flags are exchanged, the socket on the computer changes states. Understanding these is critical for diagnosing hanging servers.

LISTEN — Waiting for a SYN.
SYN_SENT — Client sent SYN, waiting for SYN-ACK.
ESTABLISHED — 3-way handshake complete. Data flowing.
FIN_WAIT — Starting to close the connection.
TIME_WAIT — Waiting to ensure delayed packets arrive before fully closing.

Why is this important?
In a SYN Flood Attack, an attacker sends millions of SYN packets but never replies with an ACK. The server creates millions of sockets stuck in the SYN_RCVD state until memory is exhausted and it crashes.

6. Load Balancing

Modern services (like Google or Netflix) never route you to a single server. A Load Balancer sits in front to distribute traffic.

Users
Load Balancer
Server 1
Server 2
Server 3

Distribution Algorithms

  • Round Robin: Requests distributed equally in order (1, 2, 3, 1, 2, 3).
  • Least Connections: Traffic is sent to the server currently handling the fewest active users.
  • IP Hash: The client's IP is hashed. The same client will always be sent to the same server (fixes session log-out issues).

Security Benefit: Prevents overload, improves availability, and absorbs DDoS attacks before they reach backend servers.

7. Real Network Behavior (Putting it Together)

When you browse a website, this is the true mechanical lifecycle:

1. DHCP assigns your IP (DORA)
2. DNS resolves domain to an IP
3. TCP Handshake establishes state (SYN, SYN-ACK, ACK)
4. MTU ensures packets are the right size to avoid fragmentation
5. Load Balancer routes your packet to an available server
6. ICMP quietly monitors for routing failures

8. Interview & Pentester Insights

You can now confidently explain:

  • Why Ping fails but a website works: The firewall drops ICMP Echo Requests but allows TCP Port 443.
  • Why a VPN disconnects randomly: Likely an MTU mismatch causing fragmented encrypted packets to be dropped.
  • Why SYN scans are stealthy: They tear down the connection (RST) before it reaches ESTABLISHED, so the application log never records a full connection.
  • Why servers enter TIME_WAIT: To ensure delayed "ghost" packets from a closed session don't accidentally corrupt a brand new connection using the same ports.

🧠 Knowledge Check

1. What does DORA stand for in DHCP?
Discover, Offer, Request, Acknowledge.
2. Why does packet fragmentation occur?
It occurs when a packet exceeds the network's Maximum Transmission Unit (MTU), typically 1500 bytes.
3. What is the difference between the PSH and URG flags?
PSH pushes data immediately to the application bypassing buffers (used for live streams/SSH). URG marks data as high-priority out-of-band data.
4. What ICMP message indicates a routing failure?
Destination Unreachable (Type 3).
5. Why use an IP Hash algorithm in Load Balancing?
It ensures that a specific user (based on their IP) is always routed to the same backend server, maintaining session state.
🌌
Networking Mastery Achieved

You now understand networks at the packet level. You comprehend protocol behavior, connection states, and infrastructure scaling logic.

  • ✔ Protocol Behavior
  • ✔ Packet Lifecycle
  • ✔ Connection States
  • ✔ Network Performance Logic