ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)
Slides 11 - Fun with TCP/IP, 4/9/2015

Slide 2: Ethernet Header (MAC or Link Layer)
[Figure: packet layout, all headers big-endian: Ethernet Hdr - 14 bytes, IP Header - 20 bytes, TCP Header - 20 bytes, then App. Hdr & Data]
Ethernet header fields (rows of 32 bits, bit 0 to bit 31):
Bytes 0 - 3, 4 - 7, 8 - 11: Destination Address - 6 bytes, followed by Source Address - 6 bytes
Bytes 12 - 13: Next Protocol # (2 bytes, MSB first): 0x0800 -> IP, 0x0806 -> ARP; selects the Next Level Protocol Header

Slide 3: IP Header (Network Layer)
[Figure: same layout: Ethernet Hdr, IP Header - 20 bytes, TCP Header - 20 bytes (big-endian), App. Hdr & Data; IP fields shown: Length, Frag. Flags, Fragment Offset, Next Protocol #]
Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: 010 = Do Not Fragment (DNF), 001 = More Fragments (MF)

Slide 4: Fragmented Packet
[Figure: three fragments of one datagram]
Fragment 1 (MF: 1, offset: 0): IP Header - 20 bytes, TCP Header - 20 bytes, App. Hdr & Data 20 + 1260 bytes
Fragment 2 (MF: 1, offset: 1280): IP Header - 20 bytes, More Data 1280 bytes
Fragment 3 (MF: 0, offset: 2560): IP Header - 20 bytes, Last Data 760 bytes
Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes.
IP Fragment ID number is the same for each fragment.

Slide 5: Ping of Death
[Figure: one fragment (MF: 1, offset: 65,500): IP Header - 20 bytes, Any Data 1000 bytes, landing at the end of a 65,535-byte Packet Buffer and spilling into the next 65,535-byte Packet Buffer]
Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash.
"Ping" was used because "# ping -s 66500" used to work.
"fragrouter" is a network utility that generates bad fragments.
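An added example (not from the slides) that decodes the IPv4 fields of slides 3 to 5 with Python's struct module, classifies each fragment, and flags any fragment whose offset plus data length would overrun the 65,535-byte reassembly buffer, the Ping of Death condition. The constructed headers, the "tiny" threshold of 64 bytes and the rounding of the slide's 65,500 offset to the 8-byte boundary are assumptions of this example.

```python
import struct

IP_MF = 0x1           # More Fragments flag bit (001)
MAX_DATAGRAM = 65535  # largest IPv4 datagram a reassembly buffer must hold
TINY_PAYLOAD = 64     # assumed threshold for a "very small" fragment (not from the slides)

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the 20-byte big-endian IPv4 header into the fields the slides use."""
    ver_ihl, _, total_len, ident, frag_word, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident, "proto": proto, "total_len": total_len,
        "mf": bool((frag_word >> 13) & IP_MF),
        "offset": (frag_word & 0x1FFF) * 8,        # offset field counts 8-byte units
        "payload_len": total_len - ihl,
        "is_fragment": (frag_word & 0x3FFF) != 0,  # the test behind tcpdump's ip[6:2]&0x3fff
    }

def classify_fragment(h: dict) -> str:
    """Label one fragment the way a defender reading tcpdump output would."""
    if not h["is_fragment"]:
        return "unfragmented"
    if h["offset"] + h["payload_len"] > MAX_DATAGRAM:
        return "oversized"   # Ping of Death: reassembly runs past the 65,535-byte buffer
    if h["payload_len"] <= TINY_PAYLOAD:
        return "tiny"        # the "very small" fragments of the capture
    if h["mf"]:
        return "first" if h["offset"] == 0 else "middle"
    return "last"

def reassembled_length(headers: list) -> int:
    """Datagram length implied by the last (MF=0) fragment; 0 if it has not arrived."""
    if len({h["id"] for h in headers}) != 1:
        raise ValueError("fragments of one datagram share the same IP ID")
    last = [h for h in headers if not h["mf"]]
    return last[0]["offset"] + last[0]["payload_len"] if last else 0

def build_ipv4(payload_len: int, ident: int, mf: bool, offset: int, proto: int = 6) -> bytes:
    """Constructed 20-byte header (addresses zeroed, no checksum) for offline testing."""
    frag_word = ((IP_MF if mf else 0) << 13) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       frag_word, 64, proto, 0, bytes(4), bytes(4))

# Slide 4's datagram: 1280 + 1280 + 760 bytes of TCP header plus data under one IP ID.
SLIDE_FRAGMENTS = [parse_ipv4(build_ipv4(1280, 4242, True, 0)),
                   parse_ipv4(build_ipv4(1280, 4242, True, 1280)),
                   parse_ipv4(build_ipv4(760, 4242, False, 2560))]
# Slide 5's Ping of Death: 1000 bytes at offset 65,500 (rounded down to 65,496), MF set as drawn.
PING_OF_DEATH = parse_ipv4(build_ipv4(1000, 7, True, 65496, proto=1))
```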
Slide 6: Fragmented Packets as seen by "tcpdump"
Filter for seeing fragments:
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)
   <- Very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)
   <- Very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)
   <- Very small, isolated fragment, ID=0
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)
   <- Very small, isolated fragment (note the close times and different IPs)

Reading "43660:64@0+": ID : Data-Length (without IP hdr) @ Offset; "+" means the More Fragments bit is set.
Wireshark display filters: ip.fragment and ip.fragment.X, where X can be: count==[number], error, overlap, overlap.conflict, multipletails, toolongtails.

Slide 7: Protocols over IP
[Figure: protocol stack]
Listening Port No. (Well-Known?): 179, 21, 80, 25, 23, 161
IP Next Protocol Numbers: 6, 17, 1, 2, 89, 46, 50 (IPsec ESP)
Ethernet "Next Protocol" Number: x0800 (IP), x0806 (ARP)
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)

Slide 8: UDP Header (big endian)
[Figure: UDP header]
Common UDP Server Ports:
53 - DNS (Domain Name Server)
123 - NTP (Network Time Protocol)
137 - NBNS (NetBIOS Name Service, Microsoft)
631 - CUPS (Common Unix Printing System)
5353 - MDNS (Multicast DNS, Apple)

Slide 9: ICMP Header (big endian, rows of 32 bits)
Bytes 0 - 3: Type, Code, Checksum
Bytes 4 - 7: Identifier, Sequence Number
Bytes 8 - : Optional Data
Type Field:
0 - Echo Reply (Code=0)
3 - Destination Unreachable
5 - Redirect (change route)
8 - Echo Request (Ping)
11 - Timeout (traceroute)
Type 3 - Codes:
0 - Network Unreachable
1 - Host Unreachable
3 - Port Unreachable (UDP Reset - old hdr in data)
7 - Destination Host Unknown
12 - Host Unreachable for Type of Service

Slide 10: Smurf Attack
[Figure] Attacker 23.45.67.89 sends an ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast), From: 130.207.225.23 (spoofed).
Victim 130.207.225.23 then receives the ICMP Echo
Responses To: 130.207.225.23 from Network 222.45.6.0/24 (Network Broadcast Address = 222.45.6.255). (How is this prevented?)

Slide 11: TCP Header - 6 Flag Bits
[Figure: packet layout: Ethernet Hdr, IP Header - 20 bytes, TCP Header - 20 bytes (all big-endian), App. Hdr & Data; the starred field is the Length of the TCP Header in bytes / 4]
TCP Flags: U A P R S F

Slide 12: TCP Three-Way Handshake
Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Data then flows in both directions as Ack (Push, Urgent).
A Flag Bit is "present", "set" or "true" if it is a binary 1.

Slide 13: TCP Three-Way Disconnect
Data: Ack (Push, Urgent) in both directions
Host A -> Host B: Fin + Ack (or Reset + Ack)
Host B -> Host A: Ack
Host B -> Host A: Fin + Ack
Host A -> Host B: Ack
Either A or B can be the Server.

Slide 14: TCP Initial: SYN, SYN-ACK, ACK. TCP Final: FIN, ACK, FIN-ACK, ACK. TCP SYN and RES-ACK (connection rejected), as seen using Wireshark.
[Figure: Wireshark captures]

Slide 15: TCP State Diagram
[Figure]

Slide 16: TCP flag combinations
Reset  Fin  Syn  Ack  Comment
  0     0    0    1   OK
  0     0    1    0   1st Packet
  0     0    1    1   2nd Packet
  0     1    0    0   Needs Ack
  0     1    0    1   OK
  0     1    1    0   Illegal
  0     1    1    1   Illegal
  1     0    0    0   Needs Ack
  1     0    0    1   OK
  1     0    1    0   Illegal
  1     0    1    1   Illegal
  1     1    0    0   Illegal
  1     1    0    1   Illegal
  1     1    1    0   Illegal
  1     1    1    1   Illegal
Illegal flag combinations are used to determine the Operating System.

Slide 17: DoS Exploits using TCP Packets
Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP Fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.

Slide 18: TCP Session Hijack
(0) Alice and Bob have an established TCP connection.
Attacker: (1) sniffs the network and watches Alice establish the TCP session with Bob; (2) DoS attack to silence Alice (Acks and Resets); (3) hijacks the TCP connection by using the correct sequence number.
IP connections can be determined by the remote host's sequence no. - not IP!
Off-LAN Attack (cannot sniff) to get by a host-based firewall:
1. Open several TCP connections to Bob, to predict Bob's next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on the predicted Bob's seq. no. (from Alice's IP).
4. Send exploit to Bob (assume all packets are received ok and Ack'ed).
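Returning to slides 9 and 10, an added example (not from the slides) that decodes the ICMP header, verifies its one's-complement checksum, and applies the check a border router or IDS uses against the Smurf pattern: an Echo Request addressed to the local network's broadcast address from a source outside that network. The constructed message and the helper names are assumptions of this example.

```python
import ipaddress
import struct

# Slide 9's type and Type-3 code names.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Timeout (traceroute)"}
UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
                 7: "Destination Host Unknown", 12: "Host Unreachable for Type of Service"}

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071), as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "data": msg[8:],
            "name": ICMP_TYPES.get(typ, "other"),
            "detail": UNREACH_CODES.get(code) if typ == 3 else None,
            "checksum_ok": inet_checksum(msg) == 0}   # a valid message sums to zero

def build_icmp(typ: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP message with a correct checksum, for offline testing."""
    hdr = struct.pack("!BBHHH", typ, code, 0, ident, seq)
    return struct.pack("!BBHHH", typ, code, inet_checksum(hdr + payload), ident, seq) + payload

def is_smurf_candidate(src_ip: str, dst_ip: str, local_net: str, msg: bytes) -> bool:
    """Echo Request to our network's broadcast address from outside the network:
    slide 10's pattern, which the border router should drop (no directed broadcasts)."""
    net = ipaddress.ip_network(local_net)
    icmp = parse_icmp(msg)
    return (icmp["type"] == 8 and icmp["checksum_ok"]
            and ipaddress.ip_address(dst_ip) == net.broadcast_address
            and ipaddress.ip_address(src_ip) not in net)

# Constructed sample: the slide's spoofed ping to 222.45.6.255 carrying the victim's address as source.
SMURF_PING = build_icmp(8, 0, 0x1234, 1, b"smurf-payload")
```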
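An added example (not from the slides) that decodes the 20-byte TCP header of slide 11, looks a segment's Reset/Fin/Syn/Ack bits up in slide 16's table, and reports the single-segment anomalies of slide 17 (Land, illegal flag combinations, URG with urgent pointer 3) the way a packet filter would. The constructed headers are assumptions, and the all-zero flag combination, absent from the slide, is treated as Illegal here.

```python
import struct

# Flag bits in byte 13 of the TCP header (slide order U A P R S F; FIN is the low bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Slide 16's table keyed by (Reset, Fin, Syn, Ack); anything not listed is "Illegal".
# The all-zero combination is not on the slide and is treated as Illegal here (assumption).
FLAG_TABLE = {
    (0, 0, 0, 1): "OK",
    (0, 0, 1, 0): "1st Packet",   # SYN only: handshake step 1
    (0, 0, 1, 1): "2nd Packet",   # SYN + ACK: handshake step 2
    (0, 1, 0, 0): "Needs Ack",    # FIN without ACK
    (0, 1, 0, 1): "OK",           # FIN + ACK
    (1, 0, 0, 0): "Needs Ack",    # RST without ACK
    (1, 0, 0, 1): "OK",           # RST + ACK
}

def parse_tcp(seg: bytes) -> dict:
    """Decode the fixed 20-byte big-endian TCP header."""
    sport, dport, seq, ack, off, flags, win, _csum, urg_ptr = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off >> 4) * 4,   # data offset counts 32-bit words (bytes / 4 on the slide)
            "flags": flags & 0x3F, "window": win, "urg_ptr": urg_ptr}

def classify_flags(flags: int) -> str:
    """Look a flag byte up in the slide's table."""
    key = (int(bool(flags & RST)), int(bool(flags & FIN)),
           int(bool(flags & SYN)), int(bool(flags & ACK)))
    return FLAG_TABLE.get(key, "Illegal")

def check_segment(src_ip: str, dst_ip: str, seg: bytes) -> list:
    """Anomalies from slides 16 and 17 visible in one segment and its IP addresses."""
    h = parse_tcp(seg)
    findings = []
    if src_ip == dst_ip:
        findings.append("land: source address equals destination address")
    if classify_flags(h["flags"]) == "Illegal":
        findings.append("illegal flag combination (OS fingerprinting probe?)")
    if h["flags"] & URG and h["urg_ptr"] == 3:
        findings.append("URG set with urgent pointer 3 (old Windows crash pattern)")
    return findings

def build_tcp(flags: int, urg_ptr: int = 0, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte header (fixed sequence numbers, zero checksum) for offline testing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, urg_ptr)
```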