Every computer on the Internet has its own IP address.
All data on the Internet is carried by IP packets.
IP is an unreliable datagram protocol, meaning that routers may sometimes drop packets during congestion. A protocol like TCP must be added to IP in order to track packets and resend them if necessary.
The ability to manipulate IP headers by programs is limited, so there are few defenses against such techniques. Many hacks rely upon low-level manipulation of headers.
The IP header is shown below. Since IP is carried across a link between router-router or host-router, link headers like Ethernet, PPP, etc. may come before this header. Likewise, the payload of the IP packet comes after this header.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|IP-Header (20 Bytes lang + Daten)|
|Version||Headerlänge||Priorität und Art||Totale Länge||Identifikation||Flags||Fragment Offset||TTL||Protokoll||Header Prüfsumme||Quell-IP-Adresse||Ziel-IP-Adresse||IP-Optionen||Daten|
|4 Bits||4 Bits||8 Bits||16 Bits||16 Bits||3 Bits||13 Bits||8 Bits||8 Bits||16 Bits||32 Bits||32 Bits||0-32 Bits||variabel|
This 4-bit field always has a value of "0100" (binary) or "4" decimal. Many plan to replace IPv4 with the much more complex IPv6 in order to solve addressing and security issues.
IHL (Initial Header Length)
Indicates the length of the IP header. The length of the header is always "20-bytes" unless options are present.
Type of Service (ToS)
Not really used, the ToS field gives hints to the router how the packet should be routed. The typical example is a connection between Las Angeles and New York where a router can choose to send the packet across a low-speed land-line (dial-up) vs. a high-speed satellite connection. The latency for a land-line is a few milliseconds, whereas a satellite can be about a second. Therefore, you want the low-latency for interactive connections like Telnet, but you want the high bandwidth for connections like FTP. Since this field isn't really used that much, hackers can use it as a covert channel.
The total length of the IP datagram once the packet has been reassembled. See: fragmentation.
A unique ID number for the entire packet. All fragments of a packet carry the same ID. Tracking the ID field over time can help fingerprint the OS. Some systems use monotonically increasing IDs, so you monitor activity on a remote machine by pinging it on a regular basis. Key point: A covert channel can be created by encapsulating information in this field. Key point: Windows machines, and many other systems based upon x86 CPUs, will use little-endian ID fields and monotonically increasing numbers. This means that the IP ID that follows 0x1234 will be 0x1334, not 0x1235.
There are two flags that control fragmentation. The DF (Don't Fragment) bit tells routers not to fragment this packet. The MF (More Fragments) bit indicates that this is not the last fragment in the packet. Key point: You can evade network-based IDS sometimes by careful use of the DF bit and oversized packets that must be fragmented. See: fragmentation. Key point: Different systems check the flags differently. For example, in order to test for a SYN (which initiates a connection), code could check using either (flags == TCP_SYN) or (flags & TCP_SYN). The first checks to see if the SYN, and only the SYN is set. The second checks for SYN, but ignores the other flags. This can be useful in fingerprinting an OS by or evading an intrusion detection system.
The offset from the start of the original packet that this fragment starts. The Ping-of-Death exploit resulted by combining a fragment offset plus fragment length in order to exceed the maximum IP packet size.
Time to Live (TTL)
This field indicates how many hops (routers) the packet can pass through before being discarded. Each router who forwards the packet decrements this field by one. When a router decrements the field to zero, it assumes a routing loop has occurred and sends back an ICMP message back to the sender. Key point: Abuse of the TTL field, after fragmentation is the most useful technique for manipulating IP headers. In addition, it is easy to manipulate this field at the sockets layer. The traceroute program finds all the routers in the path to a target by sending out many packets with varying TTL fields. This causes every router to receive a TTL in one of the packets that it zeroes out, causing it to report its existence back to traceroute. Key point: Tracerouting through firewalls is sometimes possible by adjusting the TTL of TCP replies.
This field indicates the next protocol header after the IP header. Examples are a value of 1 for ICMP, 6 for TCP, and 17 for UDP. Some rootkits use this as a way of invisibly transporting data since most systems cannot detect or log unknown protocols at this layer.
The IP address of who sent the packet. This is included in every packet so that the destination knows who to respond to, and any errors can likewise be sent back to the sender. Key point: The IP address can be forged (spoofed). This can sometimes be useful despite the fact that it causes any responses to be sent back to the spoofed IP address rather than the real sender.
The IP address of where the packet is going to. Each router along the way compares this IP address to internal routing tables in order to figure out which direction to forward the packet.
Additional options that can affect how the packet is routed. Multiple options can be specified. 99.999% of all IP packets have no options. Some IDSs trigger simply whenever they see an option field. The most common option used for attacks is source routing.
An IP headers must be aligned on even 32-bit boundaries, which may sometimes require nul bytes to be added.
IP addresses are organized into threee major classes:
0.x.x.x to 127.x.x.x
128.0.x.x to 191.255.x.x
192.0.0.x to 223.255.255.x
As a private person you will always only get Class C IPs. Class A and B are usually only .gov , .edu and big companies.
Quote from: RFC 1117 "Internet Numbers"
"The address zero is to be interpreted as meaning "this", as in "this network".
For example, the address 0.0.0.37 could be interpreted as meaning host 37 on this network.
The address of all ones are to be interpreted as meaning "all", as in "all hosts".
For example, the address 220.127.116.11 could be interpreted as meaning all hosts on the network 128.9.
So, shouldnt ping let me do this instead of complaining??
ping 0.0.0.23 connect: Invalid argument