🌐 Networking Fundamentals: TCP/IP, Routing & BGP untuk Security Engineer

Vault ini punya banyak catatan security β€” dns-tunneling-deepdive, arp-spoofing-incident-addendum, cgnat-attribution-deepdive, ids-ips-waf-nsm-comparison β€” tapi semuanya berasumsi lo udah paham layer 3/4. Pada kenyataannya, sebagian besar attack vector keamanan jaringan berakar pada celah di TCP state machine, IP fragmentation, atau BGP route leaks. Catatan ini nge-fill gap itu: dari packet flow di kernel, TCP state machine untuk detection, sampe BGP hijacking yang jadi attack vector nyata di wild internet. Tanpa fondasi ini, lo cuma pake tool tanpa ngerti kenapa tool itu bisa detect β€” atau lebih parah, gak bisa bedain false positive dari serangan real.

Posisi di Vault

Catatan ini adalah fondasi layer 3/4 untuk semua catatan security networking di vault. Baca ini dulu sebelum network-security, dns-tunneling-deepdive, atau ids-ips-waf-nsm-comparison. Juga terhubung dengan infrastructure-administrator (ops networking) dan ebpf-beyond-security (kernel-level packet introspection).


Daftar Isi


1. TCP/IP Stack β€” Packet Lifecycle

1.1 Dari Wire ke Application

[Wire] β†’ [NIC Driver] β†’ [Kernel (Netfilter/XDP)] β†’ [Socket] β†’ [Application]
    |           |               |                      |            |
 Layer 1     Layer 2        Layer 3-4               Layer 5     Layer 7
 (Signal)   (Ethernet)    (IP/TCP/UDP)             (Session)   (HTTP/DNS)

Tiap layer punya headers yang ditambahkan (encapsulation) dan attack surface sendiri:

LayerProtocolHeader SizeAttack Vector Umum
L2 β€” EthernetMAC14 byteMAC spoofing, ARP poison, STP manipulation
L3 β€” IPIPv4/IPv620-60 byteIP spoofing, fragmentation overlap, TTL abuse
L4 β€” TCPTCP20-60 byteSYN flood, RST injection, sequence prediction
L4 β€” UDPUDP8 byteUDP flood, DNS amplification, SSRF
L7 β€” AppHTTP/DNS/…VariableSQLi, XSS, RCE (ini urusan WAF)

1.2 Linux Kernel Packet Processing

          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”‚         Application            β”‚
          β”‚  (nginx, python, curl)         β”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                         β”‚ Socket API (syscall)
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”‚        TCP/UDP Layer           β”‚
          β”‚  (kernel: tcp_v4_rcv, udp_rcv) β”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                         β”‚
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”‚     IP Layer (netfilter)        β”‚
          β”‚  PREROUTING β†’ FORWARD β†’ POSTR. β”‚
          β”‚  INPUT β†’ LOCAL β†’ OUTPUT        β”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                         β”‚
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”‚     Network Driver (NIC)        β”‚
          β”‚  RX ring β†’ IRQ β†’ NAPI poll     β”‚
          β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Poin penting untuk security engineer:

  • Netfilter hooks β€” tempat iptables/nftables bekerja. Lima hook: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING. Setiap hook bisa dipasangi rule untuk DROP, REJECT, LOG, atau NAT.
  • XDP (eXpress Data Path) β€” hook sebelum netfilter, di BPF program. Bisa drop packet di level driver, sebelum kernel menyentuhnya. Ini yang dipake ebpf-kernel-security dan ebpf-beyond-security untuk DDoS mitigation kecepatan tinggi.
  • TLS β€” terjadi di application layer (OpenSSL, rustls), kernel gak lihat isi. WAF harus terminate TLS dulu baru bisa inspect.

1.3 TCP Three-Way Handshake β€” Anatomi

CLIENT                    SERVER
   |                         |
   |────── SYN (seq=x) ──────→|  LISTEN
   |                         |
   |←── SYN-ACK (seq=y, ack=x+1)──|  SYN_RCVD
   |                         |
   |────── ACK (seq=x+1, ack=y+1)──→|  ESTABLISHED
   |                         |
   |←─────── Data ──────────→|  ESTABLISHED

Kenapa ini penting buat detection:

  • SYN flood β€” attacker kirim banyak SYN tanpa pernah completing handshake. Server allocates resources (TCB) buat tiap SYN β†’ exhaustion. Mitigasi: SYN cookies (kernel default), rate limiting, XDP drop.
  • Sequence number prediction β€” jika attacker bisa predict seq number, dia bisa inject RST atau data palsu ke dalam koneksi. Kernel modern pake RFC 5961 (challenge ACK) untuk mitigasi.
  • TCP Fast Open (TFO) β€” kirim data di SYN packet. Legitimate untuk latency reduction, tapi bisa dipake buat data exfiltration via SYN packet yang gak dilog dengan baik.

1.4 TCP State Transition Diagram

                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚  CLOSED  β”‚
                    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
                         β”‚ passive open
                    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”
                    β”‚  LISTEN  β”‚
                    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
                         β”‚ active open (SYN)
                    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”‚ SYN_SENT β”‚         β”‚ SYN_RCVD │←────────┐
          β”‚         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜         β”‚
          β”‚              β”‚ SYN+ACK            β”‚ ACK             β”‚
          β”‚         β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”          β”‚
          β”‚         β”‚         ESTABLISHED            β”‚          β”‚
          β”‚         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜          β”‚
          β”‚              β”‚ close             β”‚ close            β”‚
          β”‚         β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”           β”‚
          β”‚         β”‚ FIN_WAIT1β”‚        β”‚ CLOSE_WAITβ”‚           β”‚
          β”‚         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜           β”‚
          β”‚              β”‚ ACK               β”‚ close            β”‚
          β”‚         β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”           β”‚
          β”‚         β”‚ FIN_WAIT2β”‚        β”‚  LAST_ACK β”‚           β”‚
          β”‚         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜           β”‚
          β”‚              β”‚ FIN               β”‚ ACK              β”‚
          β”‚         β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”           β”‚
          β”‚         β”‚ TIME_WAIT│────────│   CLOSED  β”‚           β”‚
          β”‚         β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜  timeout             (back to top)
          β”‚              β”‚ 2*MSL
          β”‚              β–Ό
          β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
          └────────→│  CLOSED  β”‚
                     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Setiap state transition adalah potensi detection signal:

SignalPatternKemungkinan
SYN β†’ RST (tanpa SYN-ACK)Port scan (stealth SYN scan)πŸŸ₯ High β€” hampir pasti scan
SYN β†’ SYN-SENT β†’ timeoutHost down atau firewall block🟨 Medium β€” bisa juga network issue
Banyak SYN_SENT ke port berbedaHorizontal port scanπŸŸ₯ High
Banyak SYN ke port sama dari IP bedaDDoS atau distributed scanπŸŸ₯ High
FIN_WAIT1 dalam jumlah besarAttacker kirim FIN tanpa ACK🟨 Medium
ESTABLISHED tiba-tiba β†’ RSTSession hijack / RST injection🟧 Medium-High

2. IP Fragmentation, MTU & Evasion

2.1 Mekanisme Fragmentasi

Ketika packet melebihi MTU (Maximum Transmission Unit) dari suatu link, IP layer akan memecahnya menjadi fragment:

Original: [IP hdr (20)] [TCP hdr (20)] [Data (1500)] = 1540 byte
  ↓ MTU = 1500 via ethernet

Fragment 1: [IP hdr (20)] [More Fragments=1] [Offset=0]   [TCP hdr (20)] [Data (1460)] = 1480
Fragment 2: [IP hdr (20)] [More Fragments=0] [Offset=185] [Data (40)]                  = 60

Field kunci di IP header fragment:

  • Identification (16-bit) β€” semua fragment dari packet yang sama punya ID sama
  • More Fragments (MF) β€” 1 = ada fragment berikutnya, 0 = fragment terakhir
  • Fragment Offset (13-bit) β€” posisi fragment ini dalam packet original (diukur dalam 8-byte unit)

2.2 Fragmentation Attack Vectors

AttackCara KerjaDeteksi
Tiny FragmentFragment pertama terlalu kecil untuk muat TCP header β†’ firewall lewatinFirewall harus reassemble sebelum rule matching
Fragment OverlapFragment kedua menimpa data fragment pertama (overwrite TCP header)IDS harus deteksi overlap via reassembly
Fragment FloodKirim banyak fragment tanpa fragment terakhir (MF=1 terus) β†’ target habis memory nungguRate limit per source, timeout reassembly
TeardropFragment overlap yang salah (offset inconsistent) β†’ crash stackPatched sejak kernel 2.0.x, tapi masih muncul di IoT

Mitigasi modern:

  • Path MTU Discovery (PMTUD) β€” kernel detect MTU path otomatis. Tapi sering broken karena ICMP β€œFragmentation Needed” diblok firewall.
  • TCP MSS Clamping β€” proxy ngatur MSS (Maximum Segment Size) biar gak perlu fragmentasi.
  • DF (Don’t Fragment) bit β€” set DF β†’ kernel kirim ICMP β€œtoo big” instead of fragmenting. Problem: ICMP sering diblok.
# Nginx TCP MSS clamping
server {
    listen 443 ssl;
    tcp_nodelay on;
    # Proxy ngirim MSS 1400 β†’ gak perlu fragmentasi
    proxy_connect_timeout 60;
}

2.3 Fragmentasi vs IDS/IPS

Ini masalah klasik buat security engineer:

WAF/IDS melihat:
  Fragment 1: GET /index.html HTTP/1.1
  Fragment 2: Host: evil.com%00payload

Masalah:
  - IDS harus reassemble sebelum match rule
  - Reassembly butuh memory β†’ bisa di-exhaust
  - Overlap fragment β†’ tergantung reassembly policy (BSD, Linux, Windows beda)

Teknik ini disebut IP Fragmentation Attack atau FragRoute (tool klasik). ids-ips-waf-nsm-comparison bahas lebih detail tentang reassembly policy.


3. TCP State Machine untuk Detection

3.1 Connection Tracking (conntrack)

Kernel Linux punya conntrack β€” tabel yang melacak semua koneksi TCP/UDP/ICMP. Ini fondasi dari stateful firewall.

# Lihat tabel conntrack
conntrack -L | head -20
 
# Statistik
conntrack -S
 
# Contoh output:
# tcp      6 431999 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=443 dport=54321 ...
# udp      17 174 src=10.0.0.1 dst=8.8.8.8 sport=53000 dport=53 ...

State table untuk stateful firewall:

StateArtiFirewall Action
NEWPacket pertama, belum lihat responseAllow? (tapi hati-hati)
ESTABLISHEDBagian dari koneksi existingβœ… Allow
RELATEDTerkait koneksi existing (ICMP error, FTP data)βœ… Allow (dengan caution)
INVALIDPaket corrupted atau state gak cocok❌ Drop β€” biasanya attack
UNTRACKEDLewat dari rule NOTRACKTergantung rule

3.2 SYN Cookies β€” Defense Against SYN Flood

Saat SYN flood terjadi, kernel bisa enable SYN cookies:

# Cek status
sysctl net.ipv4.tcp_syncookies
# Aktifkan
sysctl -w net.ipv4.tcp_syncookies=1

Cara kerja: Alih-alih alloc TCB (Transmission Control Block) buat setiap SYN, kernel encode informasi koneksi di sequence number SYN-ACK. Jika ACK balik, kernel decode dan alloc TCB hanya untuk koneksi legitimate.

Trade-off: SYN cookies mengorbankan beberapa fitur TCP (large window scaling, SACK, TFO) demi defense.

3.3 Practical Detection Script

#!/bin/bash
# Detect TCP scan via /proc/net/tcp
# Pola: banyak SYN_RECV dari IP berbeda ke port yang sama
 
echo "SYN_RECV connections:"
cat /proc/net/tcp | awk '{print $2, $3, $4}' | grep "0A"  # 0A = SYN_RECV state
 
# Deteksi port scan via tcpdump
tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' \
  | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -10

4. UDP β€” The Invisible Attack Surface

4.1 UDP vs TCP untuk Security

AspekTCPUDP
Statefulβœ… Ya (sequence, ack)❌ Tidak (fire-and-forget)
Connection trackingMudah (conntrack)Sulit (timeout-based)
SpoofingSulit (seq num)Mudah (source IP bisa palsu)
AmplificationTidak mungkinβœ… Mungkin (DNS, NTP, Memcached)
FragmentasiHanya setelah handshakeKapan saja

4.2 UDP Amplification Attack

Ini attack vector paling merusak di internet:

Attacker            DNS Server (open resolver)            Victim
   |                         |                               |
   |── spoofed src=victim ──→|                               |
   |   query: ANY isc.org    |                               |
   |    (60 bytes)           |                               |
   |                         |── response: 3500 bytes ─────→|
   |                         |   (58x amplification!)       |

Mitigasi:

  • BCP38 β€” jangan forward packet dengan source IP yang不属于 jaringan lo (ingress filtering)
  • Rate limit per source IP untuk DNS/NTP response
  • Disable open resolvers β€” jangan biarkan DNS server lo menjawab query dari arbitrary source

4.3 DNS over UDP vs TCP

# DNS biasanya UDP port 53
# Tapi kalo response > 512 byte β†’ fallback ke TCP (sejak EDNS0)
# DNS over TCP == lebih susah spoof, tapi lebih lambat
 
# Detection: spike di DNS TCP paket volume
# Bisa berarti: DNS tunneling, zone transfer, atau amplification attempt

dns-tunneling-deepdive bahas ini lebih dalam.


5. Routing Fundamentals β€” OSPF, IS-IS, BGP

5.1 IGP vs EGP

IGP (Interior Gateway Protocol)         EGP (Exterior Gateway Protocol)
  Dalam satu AS                            Antar AS
  β”œβ”€β”€ OSPF (link-state, Dijkstra)         └── BGP (path-vector)
  β”œβ”€β”€ IS-IS (link-state, ISO CLNP)
  └── EIGRP (Cisco proprietary, hybrid)

Untuk security engineer: IGP attacks biasanya internal (rogue router advertisement), sedangkan BGP attacks bisa mempengaruhi routing global.

OSPF menggunakan LSA (Link State Advertisement) yang didistribusikan ke semua router di area:

Keamanan OSPF:
  - OSPF authentication (MD5/HMAC-SHA)
  - Tanpa auth β†’ attacker inject LSA palsu β†’ blackhole routing
  - Passive interface β†’ jangan kirim OSPF hello ke segmen yang gak perlu

5.3 BGP β€” The Internet’s Routing Protocol

BGP adalah path-vector protocol β€” bukan berdasarkan metric seperti OSPF, tapi berdasarkan path attributes yang menentukan path selection.

BGP Decision Process (urutan prioritas):
  1. Weight (Cisco proprietary, tertinggi menang)
  2. LOCAL_PREF (tertinggi menang)
  3. Originate (route yang di-generate sendiri)
  4. AS_PATH (terpendek menang)
  5. ORIGIN (IGP < EGP < INCOMPLETE)
  6. MED (terendah menang)
  7. eBGP > iBGP
  8. IGP metric ke next-hop (terendah menang)
  9. Router ID (terendah menang, tiebreaker)

BGP Message Types:

TypeFunctionSize
OPENEstablish session~30 bytes
UPDATEAdvertise/withdraw routesVariable (up to 4096)
NOTIFICATIONError reporting~20 bytes
KEEPALIVESession liveness19 bytes
ROUTE-REFRESHRequest re-advertisement~23 bytes

5.4 BGP Session Protection

# Konfigurasi BGP di FRRouting (frr)
router bgp 64501
  bgp router-id 10.0.0.1
  neighbor 10.0.0.2 remote-as 64502
  neighbor 10.0.0.2 password mysecret   # TCP MD5 signature
  neighbor 10.0.0.2 timers 10 30         # keepalive 10s, hold 30s
  !
  address-family ipv4 unicast
    network 203.0.113.0/24
    neighbor 10.0.0.2 prefix-list PL-IMPORT import
    neighbor 10.0.0.2 prefix-list PL-EXPORT export
  exit-address-family
!
ip prefix-list PL-IMPORT seq 5 deny 0.0.0.0/0 le 8      # Jangan terima /1-/8
ip prefix-list PL-IMPORT seq 10 permit 0.0.0.0/0 ge 24   # Hanya /24+

Best practice security BGP:

  • TTL Security (GTSM) β€” set TTL=255, drop kalo <254 (cegah remote injection)
  • Prefix filtering β€” jangan advertise prefix yang bukan milik lo, jangan terima prefix yang seharusnya gak lewat
  • Max prefix limit β€” putus session jika neighbor advertise > N prefix
  • RPKI (Resource Public Key Infrastructure) β€” validasi origin AS dari prefix
  • BGPsec β€” path validation cryptographic (masih limited deployment)

6. BGP Attack Vectors β€” Hijacking & Route Leaks

6.1 BGP Hijacking

Attacker (rogue AS) mengumumkan prefix yang bukan miliknya, lalu traffic dialihkan:

Normal Route:
  Client β†’ AS1 β†’ AS2 β†’ AS5 β†’ AS7 β†’ Server (203.0.113.0/24)

Hijacked Route:
  Client β†’ AS1 β†’ AS3 β†’ Attacker (203.0.113.0/24 via AS3)
  Attacker β†’ proxy β†’ AS7 β†’ Server (forward traffic, man-in-the-middle)

Real incidents:

  • 2008 β€” Pakistan YouTube block β€” Pakistan Telecom advertise /22 YouTube prefix; traffic global dialihkan
  • 2018 β€” MyEtherWallet β€” AWS DNS server BGP hijack β†’ DNS redirect ke phishing site
  • 2019 β€” China Telecom hijack β€” 37 menit route leak via Google, Amazon, Akamai traffic
  • 2024 β€” CBE (Ethiopia) β€” BGP hijack mencuri traffic cryptocurrency exchange

6.2 Route Leak

Route leak terjadi ketika AS mengumumkan route ke ISP upstream yang seharusnya hanya untuk internal/transit:

Leak pattern:
  AS64501 (customer) ← AS64502 (transit) ← AS64503 (large ISP)

  Leak: AS64501 advertise route "I can reach anything" via default route ke AS64502
  β†’ AS64502 percaya β†’ semua traffic ke 0.0.0.0/0 lewat AS64501
  β†’ AS64501 overload, traffic drop

6.3 Mitigation Techniques

TechniqueDeskripsiCoverage
RPKI (ROA)Signed object yang bind prefix β†’ origin AS40% global (tumbuh)
BGPsecSign tiap AS hop dalam path< 1% deployment
IRR (Internet Routing Registry)Database rute legit, masih manualOutdated sering
Prefix listsFilter manual by AS + prefixBest effort
AS_PATH filteringJangan terima prefix dengan AS_PATH yang suspiciousManual setup
BGP communityTag route dengan community β†’ filter otomatisOperational agreement
# RPKI validation dengan Routinator
docker run -p 3323:3323 nlnetlabs/routinator --strict --rtr 3323
 
# Di FRR:
router bgp 64501
  neighbor 10.0.0.2 rpki             # Enable RPKI untuk neighbor
  rpki table 10.0.0.3 3323           # Routinator server
  !
  route-map RPKI-FILTER permit 10
    match rpki valid                  # Hanya terima route yang valid
  route-map RPKI-FILTER deny 20
    match rpki invalid                # Tolak yang invalid

7. Network Segmentation & Microsegmentation

7.1 Traditional Segmentation (VLAN)

VLAN 10 β€” Management (10.0.10.0/24)
  β”œβ”€β”€ SSH, RDP, IPMI β€” hanya dari jumpbox
  └── Firewall: allow only from VLAN 100

VLAN 20 β€” Production (10.0.20.0/24)
  β”œβ”€β”€ Web servers, API servers
  └── Firewall: allow 80/443 from WAN, allow DB access to VLAN 30

VLAN 30 β€” Database (10.0.30.0/24)
  β”œβ”€β”€ PostgreSQL, Redis, MongoDB
  └── Firewall: allow only from VLAN 20 on port 5432/6379/27017

VLAN 100 β€” Admin/Jumpbox (10.0.100.0/24)
  β”œβ”€β”€ SSH bastion, VPN termination
  └── Firewall: allow SSH from WAN via VPN only

7.2 Microsegmentation (Zero Trust)

Prinsip: setiap host adalah segmen sendiri. Dipake di zero-trust-security:

# Di level hypervisor (Proxmox/VMware):
# Setiap VM punya firewall sendiri
# Rules: allow specific L4 flows only
 
# Contoh: Web VM β†’ DB VM hanya port 5432 TCP
#   Web VM (10.0.20.5): allow out TCP 5432 to 10.0.30.5
#   DB VM (10.0.30.5): allow in TCP 5432 from 10.0.20.5
#   DB VM (10.0.30.5): deny all other inbound

Tools: ebpf-beyond-security (Cilium), Istio (sidecar), Calico (K8s)


8. NAT, CGNAT & Carrier-Grade Tracking

8.1 NAT Types

TypeBehaviorUse Case
SNAT (Source NAT)Ganti source IP + port outboundInternet access dari LAN
DNAT (Destination NAT)Ganti dest IP + port inboundPort forwarding
MASQUERADESNAT tapi source IP dinamis (PPPoE)Home router
CGNAT (Carrier-Grade)NAT di ISP level, satu IP publik ribuan pelangganIPv4 exhaustion

8.2 CGNAT Problem untuk Attribution

Satu IP publik (203.0.113.1) β†’ digunakan oleh 1000+ pelanggan
  └── Berdasarkan IP aja, gak bisa bedain siapa yang melakukan request
  └── Butuh log CGNAT (port + timestamp + subscriber ID)
  └── Ini yang dibahas di [[cgnat-attribution-deepdive]]

8.3 NAT Traversal untuk Security

STUN/TURN/ICE β€” protokol untuk NAT traversal, penting buat content-remote-using-webrtc:

STUN: "What's my public IP:port?"
TURN: "Relay my traffic through your server" (fallback)
ICE: "Pick the best path between STUN and TURN"

Dari sisi security: TURN relay bisa jadi lubang firewall kalau gak dikonfigurasi dengan baik β€” relay server bisa dipake buat traffic exfiltration.


9. iptables/nftables β€” Packet Filtering dari Layer 3

9.1 iptables Chain Flow

                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚  Routing  β”‚
                    β”‚ Decision  β”‚
                    β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
                          β”‚
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
         β”‚                β”‚                β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
    β”‚PREROUTINGβ”‚     β”‚  INPUT  β”‚     β”‚  FORWARD  β”‚
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜
         β”‚               β”‚                β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
    β”‚ Routing β”‚     β”‚  Local  β”‚     β”‚ Routing  β”‚
    β”‚ Decisionβ”‚     β”‚Process  β”‚     β”‚ Decision β”‚
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜
         β”‚                               β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”                      β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
    β”‚  INPUT  β”‚                      β”‚POSTROUTINGβ”‚
    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜                      β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜
         β”‚                               β”‚
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”                      β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
    β”‚  Local  β”‚                      β”‚   Out   β”‚
    β”‚Process  β”‚                      β”‚  Wire   β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                      β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

9.2 Practical Rule Set

# Contoh stateful firewall untuk server web
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
 
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# SSH from management VLAN only
iptables -A INPUT -p tcp --dport 22 -s 10.0.100.0/24 -j ACCEPT
 
# HTTP/HTTPS from anywhere
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
 
# Rate limit SSH (prevents brute force)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min -j ACCEPT
 
# Log and drop everything else
iptables -A INPUT -j LOG --log-prefix "FW-DROP: "
iptables -A INPUT -j DROP

9.3 eBPF-based Filtering

// XDP program β€” drop at driver level (sebelum netfilter)
// Ini yang dipake [[ebpf-kernel-security]]
SEC("xdp")
int xdp_drop_ddos(struct xdp_md *ctx) {
    void *data_end = (void *)(long)ctx->data_end;
    void *data = (void *)(long)ctx->data;
    struct ethhdr *eth = data;
 
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;
 
    // Drop traffic from known bad IPs
    if (eth->h_proto == htons(ETH_P_IP)) {
        struct iphdr *ip = data + sizeof(*eth);
        if ((void *)(ip + 1) > data_end)
            return XDP_PASS;
        if (ip->saddr == 0x0100007f)  // 127.0.0.1
            return XDP_DROP;
    }
    return XDP_PASS;
}

10. Tools untuk Network Security Engineer

ToolFungsinyaLayer
tcpdumpPacket capture & analysisL2-L7
tsharkCLI Wireshark, protocol dissectionL2-L7
nmapPort scan, service detectionL3-L4
masscanHigh-speed port scan (10M pps)L3-L4
ScapyPython packet crafting & injectionL2-L4
netstat/ssSocket statisticsL4-L7
conntrackConnection tracking tableL3-L4
iptables/nftablesPacket filtering & NATL3-L4
tcTraffic control (QoS, shaping)L3
iftop/nloadBandwidth monitoringL2-L4
BGP.toolsBGP route lookup & historyL3
RIPE RIS / RouteViewsGlobal routing tableL3

Homelab: Packet Analysis Playground

# 1. Capture TCP handshake
sudo tcpdump -i eth0 -nn 'tcp port 80' -c 10 -X
 
# 2. Detect SYN flood
sudo tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' \
  | tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport
 
# 3. Check fragment overlap (Fragroute-style)
sudo tcpdump -i eth0 -nn 'ip[6] & 0x20 != 0 or ip[6:2] & 0x1fff != 0'
 
# 4. BGP session monitoring
sudo tcpdump -i eth0 -nn 'tcp port 179'
 
# 5. DNS amplification check
sudo tcpdump -i eth0 -nn 'udp port 53 and greater 512'

Tabel Perbandingan

Layer 4 vs Layer 7 Filtering

AspekLayer 4 (iptables)Layer 7 (WAF/Proxy)
Kecepatan🟒 Kernel level🟑 Userspace
Visibilitas❌ IP:Port onlyβœ… Full content
State trackingβœ… conntrackβœ… Session management
Attacker evade🟑 IP spoof❌ HTTP manipulation
Resource usageSangat rendahModerate to high
Contoh toolsiptables, nftables, eBPFNginx, ModSecurity, Envoy

Routing Protocols

AspekOSPFIS-ISBGP
TypeLink-stateLink-statePath-vector
MetricCost (bandwidth)Metric (default 10)Path attributes
ConvergenceFastFastSlow
ScalabilityArea-basedLevel-basedAS-based
AuthMD5/HMACHMAC-SHATCP MD5
Attack surfaceLSA injectionSimilar to OSPFRoute hijack/leak

πŸ”— Koneksi ke Catatan Lain


βœ… Checklist

  • Paham TCP 3-way handshake + sequence number + flags
  • Bisa baca tcpdump output dan bedain SYN, SYN-ACK, ACK, RST, FIN
  • Paham conntrack states (NEW, ESTABLISHED, RELATED, INVALID)
  • Bisa setup iptables stateful rule untuk server web
  • Paham perbedaan stateful vs stateless firewall
  • Bisa jelasin IP fragmentation & overlap attack
  • Paham BGP path selection: LOCAL_PREF β†’ AS_PATH β†’ MED
  • Tahu cara detect BGP hijack (RIPE RIS, BGPMon, Cloudflare Radar)
  • Bisa setup prefix list / AS_PATH filter di FRRouting
  • Paham NAT types + CGNAT attribution problem

Roadmap Belajar

HARI 1: TCP/IP Fundamentals
  - Baca dokumen ini sampai selesai
  - Capture handshake dengan tcpdump, analisis dengan Wireshark
  - Setup iptables stateful firewall

HARI 2: Advanced TCP Detection
  - Setup suricata/zeek di homelab, lihat alert TCP anomaly
  - Tes SYN flood dengan hping3, lihat SYN cookies effect
  - Analisis fragment overlap dengan Fragroute

HARI 3: Routing & BGP
  - Setup FRRouting di 2 VM, konfigurasi BGP
  - Inject prefix, test path selection
  - Baca RIPE RIS untuk melihat global routing table

HARI 4: BGP Security
  - Setup Routinator (RPKI) di docker
  - Tes BGP hijack dengan prefix yang lo miliki di lab
  - Pelajari IRR and RPKI validation

HARI 5: Integration
  - Setup packet capture pipeline: tcpdump β†’ Suricata β†’ Elasticsearch
  - Tulis Python script dengan Scapy untuk packet injection
  - Review [[ebpf-kernel-security]] untuk kernel-level filtering

Bottom Line

Networking adalah foundational skill yang memisahkan security engineer biasa dari yang exceptional. Tanpa paham TCP state machine, lo gak bisa bedain SYN flood dari legitimate traffic spike. Tanpa paham BGP, lo gak akan ngerti kenapa 37 menit route leak bisa mengalihkan traffic Google ke China. Investasi waktu di layer 3/4 adalah force multiplier untuk semua skill security lainnya β€” setiap catatan di vault ini yang menyentuh networking jadi lebih masuk akal setelah lo paham material ini.

Ponytail

Catatan ini belum mencakup IPv6 secara detail (header format, Neighbor Discovery, RA guard, SLAAC security), MPLS (L3VPN, L2VPN, segment routing), SDN/OpenFlow (controller-based routing), dan VXLAN/GENEVE (network virtualization). Ketika lo udah deploy IPv6 atau bekerja di data center dengan VXLAN, tambahkan catatan terpisah untuk masing-masing topik.