11-TCP-IP


Oct 26, 2013

ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copeland
john.copeland@ece.gatech.edu
404 894-5177
fax 404 894-0035

Office: Klaus 3362
email or call for office visit, 404 894-5177

Slides 11 - Fun with TCP/IP
4/15/2013

Slide 2 - Ethernet Header (MAC or Link Layer)

[Figure: Ethernet Hdr - 14 bytes (big-endian), 32 bits per row, LSB to MSB. Bytes 0-3, 4-7, 8-11: Destination Address - 6 bytes, Source Address - 6 bytes. Bytes 12-13: Next Protocol # (0x0800 -> IP, 0x0806 -> ARP). Then the Next Level Protocol Header.]

[Figure: Ethernet Hdr - 14 bytes (big-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data]

Slide 3 - IP Header (Network Layer)

[Figure: Ethernet Hdr (big-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data]

[Figure: IP header fields shown: Length, Next Protocol, Frag. Flags, Fragment Offset.]

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: 010 = Do Not Fragment (DNF), 001 = More Fragments (MF)

Slide 4 - Fragmented Packet

[Figure: three fragments, each Ethernet Hdr | IP Header - 20 bytes | data:
  IP Header (MF: 1, offset: 0) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data -> 20 + 1260 bytes
  IP Header (MF: 1, offset: 1280) | More Data -> 1280 bytes
  IP Header (MF: 0, offset: 2560) | Last Data -> 760 bytes]

Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes.

IP Fragment ID number is the same for each fragment.

Slide 5 - Ping of Death

[Figure: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes. The data lands at the end of a Packet Buffer of 65,535 bytes and runs on into the next Packet Buffer of 65,535 bytes.]

Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash.

Ping was used because #ping -s 66500 used to work.

fragrouter is a network utility that generates bad fragments.

Slide 6 - Fragmented Packets as seen by tcpdump

Filter for seeing fragments:

  # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'

  22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)
      <- Very small fragments
  22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)
      <- Very small fragments
  22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)
      <- Very small, isolated fragment
  22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)
      <- Very small, isolated fragment; note close times, different IPs

-------

43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8; "+" means More Fragments bit set.

Wireshark display filters: ip.fragment and ip.fragment.X where X can be:
count==[number], error, overlap, overlap.conflict, multipletails, toolongtails
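As an added example (not part of the slides), the fragment checks of slides 4 to 6 in code: it reads IP header bytes 6-7 the same way the tcpdump filter ip[6:2]&0x3fff does, groups fragments by ID, and reports reassembly hazards: data ending past the 65,535-byte buffer (Ping of Death), overlaps or gaps (Tear Drop family), isolated pieces and very small pieces. The headers are constructed sample data; the thresholds and finding labels are my own choices.

```python
import struct

def ip_header(ident, mf, offset, data_len, proto=6):
    """Constructed 20-byte IPv4 header (big-endian) for the samples below."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)   # bytes 6-7: R, DF, MF bits + offset/8
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_frag,
                       127, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def is_fragment(hdr):
    """Same test as the tcpdump filter (ip[6:2] & 0x3fff) != 0: MF set or offset non-zero."""
    return (struct.unpack("!H", hdr[6:8])[0] & 0x3FFF) != 0

def frag_fields(hdr):
    """Return (ID, More Fragments, byte offset, data length without the IP header)."""
    total_len, ident, flags_frag = struct.unpack("!HHH", hdr[2:8])
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, total_len - (hdr[0] & 0x0F) * 4

def check_fragments(headers, buffer_size=65535, tiny=32):
    """Group fragments by ID and list reassembly hazards per datagram: 'overflow' (data ends
    past the 65,535-byte buffer: Ping of Death), 'overlap' / 'gap' (Tear Drop family),
    'isolated' (no offset-0 piece seen), 'tiny' (data shorter than `tiny`); else ['ok']."""
    groups = {}
    for hdr in headers:
        if is_fragment(hdr):
            ident, mf, off, dlen = frag_fields(hdr)
            groups.setdefault(ident, []).append((off, dlen, mf))
    report = {}
    for ident, frags in groups.items():
        frags.sort()
        notes, end = set(), 0
        if frags[0][0] != 0:
            notes.add("isolated")
        for off, dlen, _mf in frags:
            if off + dlen > buffer_size:
                notes.add("overflow")
            if end and off < end:
                notes.add("overlap")
            elif end and off > end:
                notes.add("gap")
            if dlen < tiny:
                notes.add("tiny")
            end = max(end, off + dlen)
        report[ident] = sorted(notes) or ["ok"]
    return report

# Constructed samples: the slide-4 datagram (1280 + 1280 + 760 bytes after the IP headers), a Ping of
# Death piece at the highest offset, an overlapping pair, and an isolated 20-byte fragment (frag 0:20@16384).
SAMPLE = [ip_header(1, True, 0, 1280), ip_header(1, True, 1280, 1280), ip_header(1, False, 2560, 760),
          ip_header(2, True, 65528, 1000), ip_header(3, True, 0, 100), ip_header(3, False, 80, 100),
          ip_header(4, False, 16384, 20)]
```

Running check_fragments(SAMPLE) reports datagram 1 as ok, 2 as isolated and overflow, 3 as overlap, and 4 as isolated and tiny.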

Slide 7 - Protocols over IP

[Figure: IP Next Protocol Numbers shown: 1, 2, 6, 17, 46, 89; IPsec ESP = 50.]

Slide 8

[Figure: protocol stack. Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, …) carry the Ethernet Next Protocol Number: x0800 <- IP, x0806 <- ARP. Above IP, the UDP Header (big endian) carries the Listening Port No. (Well-Known?), e.g. 161.]


Slide 9 - Common UDP Server Ports

  53    DNS (Domain Name Server)
  123   NTP (Network Time Protocol)
  137   NBNS (NetBIOS Name Service, Microsoft)
  631   CUPS (Common Unix Printing System)
  5353  MDNS (Multicast DNS, Apple)

ICMP Header (big endian)

[Figure: ICMP header, 32 bits per row. Bytes 0-3: Type, Code, Checksum. Bytes 4-7: Identifier, Sequence Number. Bytes 8-: Optional Data.]

Type Field:
  0  - Echo Reply (Code=0)
  3  - Destination Unreachable
  5  - Redirect (change route)
  8  - Echo Request (Ping)
  11 - Timeout (traceroute)

Type 3 - Codes:
  0  - Network Unreachable
  1  - Host Unreachable
  3  - Port Unreachable (UDP Reset - old hdr in data)
  7  - Destination Host Unknown
  12 - Host Unreachable for Type of Service

Slide 10 - Smurf Attack

[Figure: Network 222.45.6.0/24, Network Broadcast Address = 222.45.6.255. Attacker 23.45.67.89 sends an ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast), From: 130.207.225.23 (spoofed). The ICMP Echo Responses go To: 130.207.225.23, the Victim.]

(How is this prevented?)

Slide 11 - TCP Header

[Figure: Ethernet Hdr (big-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data. TCP header layout with the 6 Flag Bits and the header length field*.]

* Length of TCP Header in bytes / 4
TCP Flags: U A P R S F

Slide 12 - TCP Three-Way Handshake Flags

[Figure: Client -> Server: Syn (only); Server -> Client: Syn + Ack; Client -> Server: Ack; then data both ways: Ack (Push, Urgent).]

A Flag Bit is “present”, “set” or “true” if it is a binary 1.

Slide 13 - TCP Three-Way Disconnect

[Figure: Host A and Host B exchange data with Ack (Push, Urgent); then Fin + Ack, Ack, Fin + Ack, Ack (or Reset + Ack).]

Either A or B can be the Server

Slide 14 - as seen using wireshark

TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RES-ACK (connection rejected)

Slide 15 - TCP State Diagram

[Figure: TCP State Diagram]

Slide 16

Reset  Fin  Syn  Ack  Comment
  0     0    0    1   OK
  0     0    1    0   1st Packet
  0     0    1    1   2nd Packet
  0     1    0    0   Needs Ack
  0     1    0    1   OK
  0     1    1    0   Illegal
  0     1    1    1   Illegal
  1     0    0    0   Needs Ack
  1     0    0    1   OK
  1     0    1    0   Illegal
  1     0    1    1   Illegal
  1     1    0    0   Illegal
  1     1    0    1   Illegal
  1     1    1    0   Illegal
  1     1    1    1   Illegal

Illegal flag combinations are used to determine Operating System

Slide 17 - DoS Exploits using TCP Packets

Land - Source Address = Destination Address
    Crashes some printers, routers, Windows, UNIX.

Tear Drop - IP Fragments that overlap, have gaps
    (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux.

Winnuke - Any garbage data to an open file-sharing port (TCP 139)
    Crashes Win 95 and NT

Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3
    Older Windows OS would crash.
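As an added example (not from the slides), the flag table of slide 16 and the Land check of slide 17 as detection logic: a 20-byte TCP header is parsed for its header length (the 4-bit field times 4, as the TCP header slide notes) and its flag byte, the Reset/Fin/Syn/Ack combination is looked up in the table, and a batch of constructed packets is audited. The packet values, addresses and finding text are my own.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # the 6 flag bits (byte 13)

# Slide 16 table keyed by (Reset, Fin, Syn, Ack); combinations not listed are "Illegal".
FLAG_TABLE = {(0, 0, 0, 1): "OK", (0, 0, 1, 0): "1st Packet", (0, 0, 1, 1): "2nd Packet",
              (0, 1, 0, 0): "Needs Ack", (0, 1, 0, 1): "OK",
              (1, 0, 0, 0): "Needs Ack", (1, 0, 0, 1): "OK"}

def tcp_fields(hdr):
    """Parse a TCP header: (src port, dst port, header length in bytes, flags byte, urgent pointer)."""
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return sport, dport, (off_res >> 4) * 4, flags, urg   # data offset is counted in 32-bit words

def classify(flags):
    """Look up the Reset/Fin/Syn/Ack combination of a flags byte in the slide's table."""
    key = tuple(int(bool(flags & bit)) for bit in (RST, FIN, SYN, ACK))
    if key == (0, 0, 0, 0):
        return "None set"   # the all-zero row is not on the slide
    return FLAG_TABLE.get(key, "Illegal")

def audit(packets):
    """Over (src_ip, dst_ip, tcp_header) tuples return the findings a detector would raise:
    illegal flag combinations (OS fingerprinting probes) and Land (source = destination)."""
    findings = []
    for src, dst, hdr in packets:
        sport, dport, hlen, flags, _urg = tcp_fields(hdr)
        if classify(flags) == "Illegal":
            findings.append(f"{src}:{sport} -> {dst}:{dport} illegal flags 0x{flags:02x}")
        if src == dst:
            findings.append(f"{src}:{sport} -> {dst}:{dport} Land packet (source = destination)")
        if hlen < 20:
            findings.append(f"{src}:{sport} -> {dst}:{dport} bad header length {hlen}")
    return findings

def tcp_header(sport, dport, flags, urg=0):
    """Constructed 20-byte TCP header for the samples (seq/ack/window values are arbitrary)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, urg)

# Constructed sample: a normal handshake, a data segment, a SYN+FIN probe and a Land packet.
SAMPLE = [("10.0.0.5", "10.0.0.9", tcp_header(3472, 80, SYN)),          # 1st Packet
          ("10.0.0.9", "10.0.0.5", tcp_header(80, 3472, SYN | ACK)),    # 2nd Packet
          ("10.0.0.5", "10.0.0.9", tcp_header(3472, 80, ACK | PSH)),    # OK (Push is not in the table)
          ("10.0.0.7", "10.0.0.9", tcp_header(4000, 80, SYN | FIN)),    # Illegal
          ("10.0.0.9", "10.0.0.9", tcp_header(139, 139, SYN))]          # Land
```

audit(SAMPLE) returns two findings, the SYN+FIN probe and the Land packet; the three handshake and data segments pass.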

Slide 18 - TCP Session Highjack

[Figure: (0) Alice and Bob have an Established TCP Connection. (1) Attacker sniffs network and watches Alice establish TCP session with Bob. (2) DOS Attack to Silence Alice (Acks and Resets). (3) Attacker Highjacks TCP Connection by using correct sequence number.]

1. Open several TCP connections to Bob, to predict Bob's next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on predicted Bob's seq. no. (from Alice's IP).
4. Send exploit to Bob (assume all packets are received ok and Acked).

Off-LAN Attack (can not sniff) to get by host-based firewall.