Devices Used in Each Layer of TCP

Devices used in each layer of TCP/IP model
 Difficulty Level : Easy
 Last Updated : 21 Mar, 2022

Prerequisite – TCP/IP Model, Network Devices 


1. Physical Layer – The physical layer of the TCP/IP model is responsible for the
physical connectivity of two devices. Some of the devices used at the physical layer are,
 
 Hubs: 
Hubs are devices commonly used to connect segments of a LAN. A hub has
multiple input/output ports; when a signal arrives at any port, it is repeated
out of every other port except the one it came in on. A hub makes no forwarding
decision at all, so every host attached to it receives every frame on the
segment, which is why a single host on a hub can capture all of the traffic.
 Cables: 
In a wired network architecture (e.g. Ethernet), cables are used to
interconnect the devices. Some of the types of cables are coaxial cable,
optical fiber cable, and twisted pair cable.
 Modem: 
Modem stands for MOdulator/DEModulator. A modem converts the digital
signals generated by a computer into analog signals that can be transmitted
over a telephone or cable line, and transforms incoming analog signals back
into their digital equivalents.
 Repeaters: 
Repeaters are used in transmission systems to regenerate analog or
digital signals distorted by transmission loss. An analog repeater can
only amplify the signal (noise included), whereas a digital repeater can
reproduce a signal to near its original quality.
2. Data Link Layer – The data link layer is responsible for transferring data hop by hop
(i.e. within the same LAN, from one device to the next) based on MAC
addresses. Some of the devices used at the data link layer are, 
 
 Bridges: 
A bridge is a network device that connects two network segments that use
the same data link protocol (for example, two Ethernet segments) and
forwards frames between them, so that the two segments behave as a
single network.
 Switch: 
A network switch is a multiport network bridge that uses MAC addresses to
forward data at the data link layer (layer 2) of the OSI model. Some switches
can also forward data at the network layer (layer 3) by additionally
incorporating routing functionality. Such switches are commonly known as
layer-3 switches or multilayer switches.
 Network Interface Card: 
A network interface card (NIC) is the hardware component that connects a
computer to a computer network, usually a LAN. It implements the physical
and data link functions of the host, including its MAC address. It was
traditionally a separate expansion card, but most modern computers have
the network interface controller embedded directly on the motherboard
rather than provided as an external component.
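To make the difference between a hub and a learning switch concrete, the following simulation models the forwarding decision each device makes for a frame. It is an added example written for this page, not code from the original article or from any vendor; the MAC addresses, port numbers and table size are made up. It also goes one step beyond the text: it shows what happens when an attacker fills the switch's MAC table with fabricated source addresses, after which the switch can no longer learn and floods like a hub.

```python
"""Simulated hub and learning switch: which ports receive each frame?
Illustrative model only, not real device firmware."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class Hub:
    """Physical-layer repeater: a frame entering one port is copied to all others."""

    def __init__(self, ports: int):
        self.ports = ports

    def forward(self, frame: Frame, in_port: int) -> list[int]:
        return [p for p in range(self.ports) if p != in_port]


class LearningSwitch:
    """Data-link-layer bridge: learns source MAC -> port, forwards known unicast
    to exactly one port, and floods broadcast or unknown destinations."""

    def __init__(self, ports: int, table_size: int = 1024):
        self.ports = ports
        self.table_size = table_size  # real switches have a finite CAM table
        self.mac_table: dict[str, int] = {}

    def forward(self, frame: Frame, in_port: int) -> list[int]:
        # Learning step: remember where the source address was seen,
        # unless the table is already full of other entries.
        if frame.src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[frame.src] = in_port
        # Forwarding step.
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            return [p for p in range(self.ports) if p != in_port]  # flood
        if out_port == in_port:
            return []  # destination is on the ingress segment: filter it
        return [out_port]


HOST_A = "aa:aa:aa:aa:aa:aa"  # attached to port 0 (made-up address)
HOST_B = "bb:bb:bb:bb:bb:bb"  # attached to port 1
# Port 2 holds a passive eavesdropper that never transmits.


def run_scenario(device) -> list[list[int]]:
    """A -> B, then B -> A, then A -> B again; returns the egress ports per frame."""
    frames = [(Frame(HOST_A, HOST_B), 0), (Frame(HOST_B, HOST_A), 1), (Frame(HOST_A, HOST_B), 0)]
    return [device.forward(f, p) for f, p in frames]


def mac_flood(switch: LearningSwitch, in_port: int, count: int) -> None:
    """Attacker on in_port sends frames from `count` fabricated source MACs,
    exhausting the switch's learning table (CAM table overflow)."""
    for i in range(count):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        switch.forward(Frame(fake, BROADCAST), in_port)


if __name__ == "__main__":
    print("hub:            ", run_scenario(Hub(3)))            # eavesdropper sees all
    print("switch:         ", run_scenario(LearningSwitch(3)))  # only the first frame
    flooded = LearningSwitch(3, table_size=1024)
    mac_flood(flooded, in_port=2, count=1024)
    print("flooded switch: ", run_scenario(flooded))           # back to hub behaviour
```

On the hub the eavesdropper on port 2 receives every frame. On the switch it sees only the first A-to-B frame, which is flooded because B's location is not yet known; once both hosts are learned, unicast traffic is delivered to a single port. After the table is exhausted with bogus addresses the switch cannot learn A or B and floods everything again, which is why port security (limiting learned MACs per port) matters on access switches.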
3. Network Layer – The network layer is responsible for building a routing table
and, based on that table, forwarding each incoming packet towards its
destination. Some of the devices used at the network layer are, 
 
 Routers: 
A router is a switch-like device that routes/forwards data packets
based on their destination IP addresses. Routers normally connect Local Area
Networks (LANs) and Wide Area Networks (WANs) together and maintain a
routing table, updated dynamically by routing protocols, on which they
base their forwarding decisions for incoming packets.
 Brouters: 
A bridge router or brouter is a network device that works both as a bridge
and as a router. The brouter routes packets for known (routable) protocols and
simply forwards all other packets as a bridge would. Brouters operate
at the network layer for routable protocols (including between networks
with different data link layer protocols, e.g. one running Ethernet
(802.3) and the other Token Ring (802.5)) and at the data link layer for
non-routable protocols (where both networks use the same data link layer
protocol).
 
Figure: Typical interconnection of Router, Switch, Hub and Bridge 
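The forwarding decision a router makes from its routing table is a longest-prefix match on the destination address. The following is an added example written for this page (not the code of any real router or of the original article) that implements that lookup plus the two common drop cases, TTL expiry and no matching route; the prefixes, next hops and interface names are made up.

```python
"""Longest-prefix-match forwarding as a router does it. Illustrative model only;
addresses come from documentation ranges and interface names are invented."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None means the prefix is directly connected
    iface: str


class Packet(NamedTuple):
    src: str
    dst: str
    ttl: int


class Router:
    def __init__(self, routes: list[tuple[str, Optional[str], str]]):
        parsed = [Route(ipaddress.IPv4Network(p), nh, iface) for p, nh, iface in routes]
        # Most specific prefix first, so the first match is the longest match.
        self.routes = sorted(parsed, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None

    def forward(self, pkt: Packet) -> tuple:
        """Returns ("forward", iface, next_hop_ip, new_ttl) or ("drop", reason)."""
        if pkt.ttl <= 1:
            return ("drop", "ttl-expired")  # a real router also sends ICMP Time Exceeded
        route = self.lookup(pkt.dst)
        if route is None:
            return ("drop", "no-route")  # ICMP Destination Unreachable in practice
        # Directly connected prefix: deliver to the destination itself.
        next_hop = route.next_hop if route.next_hop is not None else pkt.dst
        return ("forward", route.iface, next_hop, pkt.ttl - 1)


def example_router() -> Router:
    """Constructed table: a site-wide /8, one directly connected /24 inside it,
    and a default route towards the ISP."""
    return Router([
        ("10.0.0.0/8", "10.1.1.1", "eth1"),
        ("10.0.5.0/24", None, "eth2"),
        ("0.0.0.0/0", "192.0.2.1", "eth0"),
    ])


if __name__ == "__main__":
    r = example_router()
    for dst in ("10.0.5.7", "10.200.1.1", "8.8.8.8"):
        print(dst, "->", r.forward(Packet("10.0.5.9", dst, 64)))
    print("ttl=1 ->", r.forward(Packet("10.0.5.9", "8.8.8.8", 1)))
```

The /24 wins over the /8 for 10.0.5.7 even though both contain it; that ordering, not the order routes were entered, is what decides the outgoing interface. Without the default route, anything outside 10.0.0.0/8 is dropped rather than forwarded somewhere arbitrary.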
4. Transport Layer – The transport layer is responsible for end-to-end
(process-to-process) communication. Some of the devices usually placed at the
transport layer are, 
 
 Gateways: 
In computer networking, a gateway is a component that belongs to two
networks which use different protocols. The gateway is a protocol
converter that translates one protocol into the other. A router is a
special case of a gateway.
 Firewall: 
A firewall is a system designed to prevent unauthorized access to or
from a private network. Its core functions are packet filtering (allowing
or dropping packets according to a rule set keyed on addresses, protocols
and ports) and, in application-level firewalls, acting as a proxy server
between the two sides.
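The packet-filtering function of a firewall is a rule list evaluated in order, first match wins, with a default of deny. The following stateless filter is an added example written for this page, not the rule syntax or code of any real firewall product or of the original article; the addresses, the protected web server and the policy are all made up. It also shows the classic ordering mistake: moving a blocklist rule below a broad allow silently disables it.

```python
"""A stateless packet filter: first matching rule wins, default deny.
Illustrative model only; addresses are from documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    def __init__(self, rules: list[Rule], default: str = "deny"):
        self.rules, self.default = rules, default

    def decide(self, pkt: Packet) -> tuple[str, Optional[int]]:
        """Returns (action, index of the rule that fired) or (default, None)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, i
        return self.default, None


# Constructed policy for a web server at 192.0.2.10: drop a known-bad source
# network first, permit HTTPS from anywhere, permit SSH only from the internal
# 10.0.0.0/8 network; everything else falls through to the default deny.
WEB_SERVER = "192.0.2.10"
POLICY = PacketFilter([
    Rule("deny", src="198.51.100.0/24"),                                      # 0
    Rule("allow", proto="tcp", dst=WEB_SERVER + "/32", dport=443),            # 1
    Rule("allow", proto="tcp", src="10.0.0.0/8", dst=WEB_SERVER + "/32", dport=22),  # 2
])


def misordered_policy() -> PacketFilter:
    """Same rules with the blocklist moved to the end: the broad HTTPS allow
    now fires before it, so the blocklisted network reaches the server."""
    return PacketFilter(POLICY.rules[1:] + POLICY.rules[:1])


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", WEB_SERVER, 443),   # public HTTPS: allow
        Packet("tcp", "203.0.113.5", WEB_SERVER, 22),    # public SSH: default deny
        Packet("tcp", "10.3.4.5", WEB_SERVER, 22),       # internal SSH: allow
        Packet("tcp", "198.51.100.7", WEB_SERVER, 443),  # blocklisted: deny by rule 0
        Packet("udp", "203.0.113.5", WEB_SERVER, 53),    # no rule: default deny
    ]
    for p in samples:
        print(p, "->", POLICY.decide(p), "| misordered:", misordered_policy().decide(p))
```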
5. Application Layer – The application layer is the topmost layer of the TCP/IP
model and provides the interface between the applications and the network; it
is where application messages are exchanged. Some of the devices used at the
application layer are, 
 PC’s (Personal Computers), Phones, Servers
 Gateways and Firewalls (application-level gateways and proxy firewalls,
which inspect the application protocol itself)
DIFFERENT TYPES OF ATTACKS
 Malware – short for malicious software, which is specifically
designed to disrupt, damage, or gain unauthorized access to a
computer system. Much of the malware out there today is self-
replicating: once it infects one host, from that host it seeks entry
into other hosts over the Internet, and from the newly infected
hosts it seeks entry into yet more hosts. In this manner, self-
replicating malware can spread exponentially fast. 
 Virus – Malware that requires some form of user interaction
to infect the device. The classic example is an e-mail
attachment containing malicious executable code. If a user
receives and opens such an attachment, the user inadvertently
runs the malware on the device. 
 Worm – Malware that can enter a device without any explicit
user interaction. For example, a user may be running a vulnerable
network application to which an attacker can send malware. In
some cases, without any user intervention, the application will
accept the malware from the Internet and run it, creating a worm. 
 Botnet – A network of private computers infected with malicious
software and controlled as a group without the owners’
knowledge, e.g. to send spam. 
 DoS (Denial of Service) – A DoS attack renders a network, host,
or other piece of infrastructure unusable by legitimate users.
Most Internet DoS attacks fall into one of three categories: 
 • Vulnerability attack: This involves sending a few well-crafted
messages to a vulnerable application or operating system running
on a targeted host. If the right sequence of packets is sent to a
vulnerable application or operating system, the service can stop
or, worse, the host can crash. 
 • Bandwidth flooding: The attacker sends a deluge of packets to
the targeted host—so many packets that the target’s access link
becomes clogged, preventing legitimate packets from reaching
the server. 
 • Connection flooding: The attacker establishes a large number of
half-open or fully open TCP connections at the target host. The
host can become so bogged down with these bogus connections
that it stops accepting legitimate connections. 
 DDoS (Distributed DoS) – DDoS is a type of DoS attack in which
multiple compromised systems are used to target a single
system, causing a denial of service. DDoS attacks
leveraging botnets with thousands of compromised hosts are a
common occurrence today. DDoS attacks are much harder to
detect and defend against than a DoS attack from a single host,
because there is no single source address to block. 
 Packet sniffer – A passive receiver that records a copy of every
packet that flies by is called a packet sniffer. By placing a passive
receiver in the vicinity of a wireless transmitter (or on a shared
medium such as a hub), that receiver can obtain a copy of every
packet that is transmitted. These packets can contain all kinds of
sensitive information, including passwords, social security numbers,
trade secrets, and private personal messages. Because the sniffer
never transmits, it is essentially undetectable from the network;
some of the best defenses against packet sniffing therefore involve
cryptography, so that what is captured is useless. 
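What a sniffer actually does with a captured frame is walk the headers layer by layer and then read whatever the application sent in cleartext. The following is an added example written for this page, not code from the original article or from any capture tool: it constructs a small Ethernet/IPv4/TCP frame from made-up addresses (a real sniffer would read frames from a raw socket or a pcap file), decodes it, and pulls an FTP-style USER/PASS login out of the payload. The HTTPS frame beside it yields nothing, which is the point of the cryptography remark above.

```python
"""Decode an Ethernet/IPv4/TCP frame the way a passive sniffer does and extract a
cleartext credential. Frames are constructed locally; nothing touches the network."""
import re
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal frame (checksums left zero; enough for parsing)."""
    eth = bytes.fromhex("bbbbbbbbbbbb") + bytes.fromhex("aaaaaaaaaaaa") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words, flags PSH+ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Walk the headers and return the fields a sniffer cares about."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]), proto=ip[9])
    if ip[9] != PROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    info.update(sport=sport, dport=dport, payload=tcp[data_off:])
    return info


CRED_RE = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.M)


def extract_credentials(payload: bytes) -> dict:
    """FTP-style USER/PASS lines travel in cleartext; the sniffer just greps for them."""
    return {k.decode(): v.decode() for k, v in CRED_RE.findall(payload)}


def sniff(frames: list[bytes]) -> list[tuple]:
    """What an eavesdropper learns from a set of frames seen on a shared medium."""
    found = []
    for f in frames:
        p = parse_frame(f)
        creds = extract_credentials(p.get("payload", b""))
        if creds:
            found.append((p["src_ip"], p["dst_ip"], p["dport"], creds))
    return found


SAMPLE_FRAMES = [  # constructed capture: an FTP login and the start of a TLS handshake
    build_frame("10.0.0.5", "10.0.0.20", 51514, 21, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame("10.0.0.5", "93.184.216.34", 51515, 443, b"\x16\x03\x01\x00\x9a\x01\x00"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print("credentials seen:", sniff(SAMPLE_FRAMES))
```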

 IP Spoofing – The ability to inject packets into the Internet with a
false source address is known as IP spoofing, and is but one of
many ways in which one user can masquerade as another user.
To solve this problem, we will need end-point authentication, that
is, a mechanism that will allow us to determine with certainty if a
message originates from where we think it does. 
 Man-in-the-Middle Attack – As the name indicates, a man-in-
the-middle attack occurs when someone between you and the
person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For
example, the attacker can re-route a data exchange. When
computers are communicating at the lower layers of the network
stack, they might not be able to determine with whom they are
exchanging data, which is what makes such interception possible. 
 Compromised-Key Attack – A key is a secret code or number
necessary to interpret secured information. Although obtaining a
key is a difficult and resource-intensive process for an attacker, it
is possible. After an attacker obtains a key, that key is referred to
as a compromised key. An attacker uses the compromised key to
gain access to a secured communication without the sender or
receiver being aware of the attack. 
 Phishing – The fraudulent practice of sending emails purporting
to be from reputable companies in order to induce individuals to
reveal personal information, such as passwords and credit card
numbers. 
 DNS spoofing – Also referred to as DNS cache poisoning, this is an
attack in which corrupt Domain Name System data is introduced
into a DNS resolver’s cache, causing the resolver to return an
incorrect IP address for a name and so divert its clients to a host
the attacker controls. 
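Cache poisoning works because a resolver accepts the first reply that looks like an answer to an outstanding query, so an attacker who can guess the query's identifying fields can race the real server. The toy stub resolver below is an added example written for this page, not the original article's code nor that of any real resolver; the names, addresses and attacker behaviour are made up and nothing touches the network. It contrasts the old behaviour (sequential transaction ID, fixed source port 53) with transaction-ID and source-port randomisation.

```python
"""Toy stub resolver: why a forged reply can poison the cache and what
transaction-ID and source-port randomisation do about it. Illustrative only."""
import random
from typing import Optional

VICTIM_NAME = "bank.example"
REAL_IP, ATTACKER_IP = "192.0.2.10", "198.51.100.66"  # documentation ranges


class Resolver:
    def __init__(self, randomize: bool, rng: random.Random):
        self.randomize = randomize
        self.rng = rng
        self.counter = 0
        self.pending: dict[str, tuple[int, int]] = {}  # qname -> (txid, our UDP source port)
        self.cache: dict[str, str] = {}

    def send_query(self, qname: str) -> tuple[int, int]:
        """Choose the transaction ID and UDP source port for an outgoing query."""
        if self.randomize:
            txid, port = self.rng.randrange(1 << 16), self.rng.randrange(1024, 65536)
        else:  # legacy behaviour: predictable ID, fixed port 53
            self.counter = (self.counter + 1) & 0xFFFF
            txid, port = self.counter, 53
        self.pending[qname] = (txid, port)
        return txid, port

    def receive_response(self, qname: str, txid: int, dst_port: int, ip: str) -> bool:
        """Accept a reply only if it matches an outstanding query exactly. The first
        accepted reply wins; later ones, including the genuine one, are discarded."""
        if self.pending.get(qname) != (txid, dst_port):
            return False
        del self.pending[qname]
        self.cache[qname] = ip
        return True


def poisoning_attack(resolver: Resolver, guesses: int) -> bool:
    """The attacker first makes the resolver query a name the attacker is authoritative
    for, so one (txid, port) pair is observed, then races the real answer for
    VICTIM_NAME with forged replies assuming the ID advances sequentially."""
    seen_txid, seen_port = resolver.send_query("probe.attacker.example")
    resolver.receive_response("probe.attacker.example", seen_txid, seen_port, ATTACKER_IP)
    resolver.send_query(VICTIM_NAME)  # the lookup the attacker wants to hijack
    for k in range(1, guesses + 1):
        if resolver.receive_response(VICTIM_NAME, (seen_txid + k) & 0xFFFF, seen_port, ATTACKER_IP):
            break
    # The authoritative server's genuine answer arrives after the forgeries.
    pending = resolver.pending.get(VICTIM_NAME)
    if pending is not None:
        resolver.receive_response(VICTIM_NAME, pending[0], pending[1], REAL_IP)
    return resolver.cache.get(VICTIM_NAME) == ATTACKER_IP


def run_demo(randomize: bool, guesses: int, seed: int = 1) -> tuple[bool, Optional[str]]:
    """Returns (was the cache poisoned?, what the cache now holds for VICTIM_NAME)."""
    resolver = Resolver(randomize, random.Random(seed))
    poisoned = poisoning_attack(resolver, guesses)
    return poisoned, resolver.cache.get(VICTIM_NAME)


if __name__ == "__main__":
    print("predictable resolver, 1 forged reply:   ", run_demo(False, 1))
    print("randomised resolver, 2000 forged replies:", run_demo(True, 2000))
```

With a predictable ID and a fixed port a single forged reply suffices. With both randomised, the attacker has to hit roughly one pair in 2^16 × 64512, so even thousands of forged replies almost never land before the genuine answer, which then empties the pending slot. Real resolvers add further checks not modelled here (the answer must match the question section and lie within the queried zone's bailiwick, and DNSSEC validation where deployed).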
 Rootkit – Rootkits are stealthy software packages designed to gain
administrative rights on, and persistent access to, a computer or
network device while hiding their own presence. Once a rootkit is
installed, the attacker has complete and unrestricted access to the
device and can therefore take any action, including spying on users
or stealing confidential data, without hindrance.

IDS AND TYPES OF IDS

An Intrusion Detection System (IDS) is a system that monitors network
traffic for suspicious activity and issues alerts when such activity is
discovered. It is a software application (or appliance) that scans a
network or a system for harmful activity or policy breaches. Any
malicious activity or violation is normally reported either to an
administrator or collected centrally by a security information and
event management (SIEM) system. A SIEM system integrates outputs
from multiple sources and uses alarm filtering techniques to
differentiate malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially
malicious activity, they are also prone to false alarms. Hence,
organizations need to fine-tune their IDS products when they first install
them. This means properly configuring the intrusion detection system to
recognize what normal traffic on the network looks like as compared to
malicious activity.
An intrusion prevention system (IPS) performs the same inspection but sits
inline on the traffic path, so in addition to raising alerts it can drop or
block the packets and connections it judges malicious.

■ Signature-based: A signature-based IDS or IPS sensor looks for specific, predefined
patterns (signatures) in network traffic. It compares the traffic to a database of
known attacks and triggers an alarm or prevents communication if a match is found.
The signature may be based on a single packet or a sequence of packets. New
attacks that do not match a signature will not result in detection. For this reason, the
signature database needs to be constantly updated.

Note: Protocol analysis-based intrusion detection is similar to signature-based
intrusion detection, but it performs a more in-depth analysis of the protocols
specified in the packets.

Signature-based pattern matching is an approach that is rigid but simple to employ.
In most cases the pattern is matched only if the suspect packet is
associated with a particular service or, more precisely, is destined to or from a
particular port. This helps to lessen the amount of inspection done on every packet.
However, it makes it more difficult for the system to deal with protocols that do
not reside on well-defined ports and, in particular, with Trojan horses and their
associated traffic, which can usually be moved to any port at will.
At the initial stage of deploying a signature-based IDS or IPS, before the signatures
are tuned, there can be a lot of false positives (traffic generating an alert which is no
threat to the network). After the system is tuned and adjusted to the specific
network's parameters there will be fewer false positives than with the next approach,
the policy-based approach.

■ Policy-based: The IDS or IPS sensor is preconfigured based on the network security
policy. You must create the policies used in a policy-based IDS or IPS. Any traffic
detected outside the policy will generate an alarm or will be dropped. Creating a
security policy requires detailed knowledge of the network traffic and is a time-
consuming task. Policy-based signatures use an algorithm to determine if an alarm
should be fired. Often policy-based signature algorithms are statistical evaluations of
the traffic flow. For example, in a policy-based signature that is used to detect a port
sweep, the algorithm issues an alarm when the threshold number of unique ports is
scanned on a particular machine. Policy-based signature algorithms could be
designed to only analyze a specific type of packets, for example, SYN packets. The
policy itself may require tuning. For example, you might have to adjust the threshold
level of certain types of traffic so that the policy conforms to the utilization patterns
on the network that it is monitoring. Policies may also be used to look for very complex
relationships between events.

■ Anomaly-based: Anomaly-based or profile-based signatures typically look for
network traffic that deviates from what is seen "normally." The biggest issue with
this methodology is that you first need to define what "normal" is. Some systems
have hard-coded definitions of normal traffic patterns and, in this case, they could be
considered heuristic-based systems.

Other systems are built to learn normal traffic behavior; however, the challenge with
these systems is in eliminating the possibility of improperly classifying abnormal
behavior as normal. Also, if the traffic pattern being learned is assumed to be
normal, the system must contend with how to differentiate between allowable
deviations and those deviations not allowed or that represent attack-based traffic.
Normal network traffic can be difficult to define.

■ Honey pot-based: Honey pot systems use a dummy server to attract attacks. The
purpose of the honey pot approach is to distract attacks away from real network
devices. By staging different types of vulnerabilities in the honey pot server, you can
analyze incoming types of attacks and malicious traffic patterns. You can use this
analysis to tune your sensor signatures to detect new types of malicious network
traffic.
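The three detection methods described above (signature-based, policy-based and anomaly-based) are easiest to compare when all three run over the same traffic. The following is an added example written for this page, not code from the original text or from any IDS product: it builds a small constructed packet sample containing a web attack, a port sweep and a SYN burst of the "connection flooding" kind described in the DoS section earlier, then applies a pattern list, a port-sweep threshold and a rate profile learned from a quiet training period. The signatures, thresholds, addresses and traffic are all made up.

```python
"""Signature, policy (threshold) and anomaly (profile) detection over one
constructed traffic sample. Illustrative only; no real sensor's rule format."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S" (pure SYN) or "PA" (PSH+ACK)
    payload: bytes = b""


# --- signature-based: fixed patterns of known attacks -------------------------
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("sqli-union-select", re.compile(rb"(?i)union\s+select")),
]


def signature_detect(pkts):
    alerts = []
    for p in pkts:
        for name, pattern in SIGNATURES:
            if pattern.search(p.payload):
                alerts.append((name, p.src, p.dst, p.dport))
    return alerts


# --- policy-based: an operator-defined threshold ------------------------------
def port_sweep_detect(pkts, threshold=10, window=5.0):
    """Alert once when a source sends SYNs to >= threshold distinct ports on one
    host within `window` seconds. Only pure SYNs count (new connection attempts)."""
    history = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    alerts, already = [], set()
    for p in sorted(pkts, key=lambda p: p.ts):
        if "S" not in p.flags or "A" in p.flags:
            continue
        key = (p.src, p.dst)
        history[key].append((p.ts, p.dport))
        recent_ports = {d for ts, d in history[key] if p.ts - ts <= window}
        if len(recent_ports) >= threshold and key not in already:
            already.add(key)
            alerts.append(("port-sweep", p.src, p.dst, len(recent_ports)))
    return alerts


# --- anomaly-based: deviation from a learned profile --------------------------
def packets_per_second(pkts):
    counts = defaultdict(int)
    for p in pkts:
        counts[int(p.ts)] += 1
    return counts


def anomaly_detect(pkts, baseline, k=3.0):
    """Learn the mean and spread of the per-second packet rate from `baseline`,
    then flag any second in `pkts` above mean + k*stdev. The stdev floor of 1
    keeps a perfectly flat training set from alarming on every small fluctuation."""
    rates = list(packets_per_second(baseline).values())
    mean, stdev = statistics.mean(rates), statistics.pstdev(rates)
    limit = mean + k * max(stdev, 1.0)
    return [("rate-anomaly", sec, n, limit)
            for sec, n in sorted(packets_per_second(pkts).items()) if n > limit]


# --- constructed traffic --------------------------------------------------------
SERVER = "192.0.2.10"


def normal_traffic(seconds):
    """Five internal clients, one connection each per second to the web server."""
    return [Pkt(t + i * 0.2, "10.0.0.%d" % (i + 1), SERVER, 80, "S")
            for t in range(seconds) for i in range(5)]


def make_traffic():
    baseline = normal_traffic(10)  # quiet training period
    live = normal_traffic(5)
    live.append(Pkt(2.5, "198.51.100.7", SERVER, 80, "PA",           # web attack
                    b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"))
    live += [Pkt(3.0 + j * 0.01, "198.51.100.9", SERVER, 1 + j, "S")  # 15-port sweep
             for j in range(15)]
    live += [Pkt(4.0 + j * 0.01, "203.0.113.5", SERVER, 443, "S")     # SYN flood burst
             for j in range(60)]
    return live, baseline


if __name__ == "__main__":
    live, baseline = make_traffic()
    print("signature:", signature_detect(live))
    print("policy:   ", port_sweep_detect(live))
    print("anomaly:  ", anomaly_detect(live, baseline))
```

Each method sees something the others miss: only the signature names the web attack, only the policy rule identifies the sweep as a sweep, and only the profile notices the SYN flood, which matches no pattern and touches a single port. The profile also fires on the sweep second, illustrating the page's point that an anomaly detector says that something is abnormal but not what it is.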
Malware – Malicious Software
Malware is software that gets into a system without the user's consent, typically
with the intention of stealing the user's private and confidential data, such as
bank details and passwords. It may also generate annoying pop-up ads and make
changes to system settings.
Malware gets into a system through various means:
1. Bundled with free downloads.
2. Clicking on suspicious links.
3. Opening mail from malicious sources.
4. Visiting malicious websites.
5. Running a system without up-to-date antivirus software (which removes a
layer of defense rather than being an entry route in itself).
Types:
1. Virus
2. Worm
3. Logic Bomb
4. Trojan/Backdoor
5. Rootkit
6. Advanced Persistent Threat
7. Spyware and Adware
What is a computer virus:
A computer virus is a program which damages computer systems and/or
destroys or erases data files. It is a malicious program that self-replicates
by copying itself into another program; in other words, the virus spreads by
inserting itself into other executable code or documents. The purpose of
creating a computer virus is to infect vulnerable systems, gain administrative
control and steal sensitive user data. Attackers design computer viruses with
malicious intent and prey on online users by tricking them into running them.
Symptoms:
 Letters appear to fall to the bottom of the screen.
 The computer system becomes slow.
 The amount of available free memory shrinks.
 The hard disk runs out of space.
 The computer does not boot.
Types of Computer Virus:
These are explained as following below.
1. Parasitic –
These infect executables (.COM or .EXE files, whose execution starts at the
first instruction). Propagated by attaching themselves to a particular file or
program, generally at the start (prepending) or at the end (appending) of the
file, e.g. Jerusalem.
2. Boot Sector –
Spread via infected floppy disks or pen drives used to boot computers.
During system boot the boot sector virus is loaded into main memory and can
destroy data stored on the hard disk, e.g. Polyboot, Disk Killer, Stone,
AntiEXE.
3. Polymorphic –
Changes its own code with each infection and creates multiple, differently
encoded copies, which makes it difficult for antivirus software to detect by
a fixed signature, e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate.
Three major parts: an encrypted virus body, a decryption routine that varies
from infection to infection, and a mutation engine that generates the
variations. (Multipartite viruses, by contrast, are those that use more than
one propagation method.)
4. Memory Resident –
Installs code in the computer's memory. Gets activated whenever the OS runs
and infects or damages the files opened while it is resident, e.g. Randex,
CMJ, Meve.
5. Stealth –
Hides its tracks after infection. It intercepts system calls and masks the
size of the infected file, hence it is difficult to detect, e.g. Frodo, Joshi,
Whale.
6. Macro –
Associated with application software such as Word and Excel. When an
infected document is opened, the macro virus is loaded into main memory and
can destroy data stored on the hard disk. As it is attached to documents, it
spreads only with those infected documents, e.g. DMV, Melissa.A, Relax,
Nuclear, Word Concept.
7. Hybrids –
Features of various viruses are combined, e.g. Happy99 (an e-mail virus).
Worm:
A worm is a destructive program that fills a computer system (and the network
around it) with self-replicating copies of itself, clogging the system so that
its operations are slowed down or stopped.
Types of Worm:
1. Email worm – Spreads as an attachment to, or a link in, fake email messages.
2. Instant messaging worm – Spreads via instant messaging applications, using
loopholes in the network.
3. Internet worm – Scans for systems running vulnerable OS services and infects
them directly, without any user involvement.
4. Internet Relay Chat (IRC) worm – Spreads through IRC channels, transferring
infected files or links to infected web sites.
5. Payloads – Whatever the propagation method, the payload may delete or encrypt
files, install a backdoor, turn the host into a zombie, etc.
6. Worms with good intent – Written to download and apply application patches;
still unauthorized code running on other people's systems.
Logic Bomb:
A logic bomb is a destructive program that performs an action when a
certain condition occurs. These are hidden in programming code and execute
only when the specific condition is met (a date, a user count, a missing
file), e.g. Jerusalem, which triggers on Friday the 13th.
Script Virus:
Commonly found script viruses are written using the Visual Basic Scripting
Edition (VBScript) and the JavaScript programming language.
Trojan / Backdoor:
A Trojan Horse is a destructive program that pretends to be a computer game or
a useful application. If executed, the computer system is compromised. Trojan
Horses usually come with monitoring tools and key loggers, and are often active
only when specific events occur. They are hidden with packers, crypters and
wrappers, hence they are difficult to detect with antivirus software; removal
may require manual cleanup, and firewall rules can limit the backdoor's
network access.

RootKits:
A collection of tools that allow an attacker to keep control of a system.
 Can be used to hide evidence of an attacker’s presence and give them
backdoor access.
 Can contain log cleaners to remove traces of the attacker.
 Can be divided as:
– Application or file rootkits: replace system binaries (e.g. ls, ps,
netstat on a Linux system) with versions that hide the attacker's files
and processes
– Kernel rootkits: target the kernel of the OS, commonly loaded as a
loadable kernel module (LKM)
 Gain control of the infected machine by:
– DLL injection: injecting a malicious DLL (dynamic link library) into
running processes
– Direct kernel object manipulation: modifying kernel data structures
directly, targeting the trusted part of the OS
– Hooking: changing an application's execution flow by redirecting
function calls (API or system calls) through the rootkit's own code
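Hooking is easiest to understand from a tiny, harmless model. The following is an added example written for this page, not code from the original text and not a real rootkit: it replaces Python's own os.listdir with a wrapper that filters out names with a chosen prefix, so an application enumerating a directory never sees the "hidden" file, and then applies the cross-view detection technique (compare the result of the possibly hooked API with an independent enumeration path) that rootkit detectors use. The prefix, file names and temporary directory are made up, and the hook is removed again before the function returns.

```python
"""User-mode hooking, simulated safely: os.listdir is replaced so files with a
chosen prefix disappear, then a cross-view check exposes the hidden file."""
import os
import pathlib
import tempfile

HIDDEN_PREFIX = "rk_"          # the "rootkit" hides anything starting with this
_real_listdir = os.listdir     # keep the original so the hook can chain to it


def hooked_listdir(path="."):
    """Replacement for os.listdir: calls the real one, then filters its result."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    os.listdir = hooked_listdir  # every later caller of os.listdir is redirected


def remove_hook():
    os.listdir = _real_listdir


def cross_view_diff(path: str) -> list[str]:
    """Rootkit detection by cross-view: names returned by an independent API
    (os.scandir) but missing from the possibly hooked os.listdir."""
    hooked_view = set(os.listdir(path))
    independent_view = {entry.name for entry in os.scandir(path)}
    return sorted(independent_view - hooked_view)


def demo() -> dict:
    """Create two files, hook, observe the hidden one vanish, then detect it."""
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "notes.txt").write_text("hello")
        pathlib.Path(d, "rk_backdoor").write_text("")
        result = {"before": sorted(os.listdir(d))}
        install_hook()
        try:
            result["hooked"] = sorted(os.listdir(d))
            result["hidden"] = cross_view_diff(d)
        finally:
            remove_hook()   # always unhook, even if something above raises
        result["after"] = sorted(os.listdir(d))
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:7}: {v}")
```

A real rootkit does the same thing at a lower level (an IAT or inline hook in a DLL, a system call table or VFS hook in the kernel), where the "independent view" a detector needs is correspondingly harder to obtain: reading the raw disk or memory, or booting from clean media.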
Advanced Persistent Threat:
Created by well-funded, organized groups, nation-state actors, etc., with the
aim of compromising government and commercial entities and staying inside
undetected for a long time, e.g. Flame, used for reconnaissance and
information gathering on infected systems.
Spyware and Adware:
Normally installed along with free software downloads. Spyware spies on the
end user and attempts to redirect the user to specific sites; adware serves
advertising. Main tasks: behavioural surveillance and advertising through
pop-up ads. Both slow down the system.
