ses. code
TCP/IP For Security
Administrators
Steve Riley
Security Program Manager
Microsoft Corporation
steriley@microsoft.com
Why are we here?
Security is (or will be) your job. Security is your
life. You are security for your org.
If you wanna be good, there are some things you
gotta know—
How to say “I don’t know”
How to say “That’s not allowed” without giving away the
fact that you really don’t know
How to say “It’s not my fault” even though you screwed
up the configuration really good
How to deflect blame toward others
How to speak the language of network communications
Protocols? IANAG!
Ah but yes you are 
Acknowledgement is the first step toward recovery
You’re in a room filled with like-minded Gs
“How do I become a security expert?”
Learn everything you can about how network devices
talk to each other
Attend more conferences
Dream in TCP/IP (lucid/IP?)
Importance
Our goal today: to thoroughly understand
important network protocols (and to boldly split infinitives)
We will explore—
How the protocols work
How attackers abuse them
How to defend them
We will not—
Have any marketing content
Prepare you for passing some (hugely bogus and useless) exam
Be entirely actionable today
But you’ll thank me later! 
The OSI model
7. application
6. presentation
5. session
4. transport
3. network
2. link
1. physical
The real world
Four layers are sufficiently representative
4. application
3. transport
HTTP, FTP, TFTP, telnet, ping, SMTP,
POP3, IMAP4, RPC, SMB, NTP, DNS, …
2. network
TCP, UDP, IPsec
IP, ICMP, IGMP
1. interface
ARP, RARP
Presentation conventions
“A” and “B” represent networked hosts
Protocol format diagrams look like this:
0
8
element
16
24
element
Some protocol dump examples
31
element
Interface Layer
Protocols
ARP
Address Resolution Protocol
RFC 826
MAC addresses are 48 bits. IP addresses are 32
bits. How to encode MAC in IP?
ARP to the rescue: resolves IP to MAC
Simple two-frame conversation
Broadcast question; unicast response
Replies kept in a cache to reduce number of
broadcasts
Cache implements timeout because addresses do
change (default 20 minutes)
ARP format
0
8
hardware type
HA length
16
24
protocol type
PA length
31
operation
sender MAC address (bytes 0-3)
sender MAC address (bytes 4-5)
sender IP address (bytes 0-1)
sender IP address (bytes 2-3)
target MAC address (bytes 0-1)
target MAC address (bytes 2-5)
target IP address (bytes 0-3)
operation: 1 = ARP request, 2 = ARP reply
ARP operation
1.1.1.1
1.1.1.2 is-at 00:11:22:33:44:55
1.1.1.2
ARP conversations
Normal: B saves A’s ARP info in cache, ready for replies
Other machines on same subnet also save A’s ARP
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.254 tell 192.168.99.35
00:80:c8:f8:5c:73 00:80:c8:f8:4a:51: arp reply 192.168.99.254 is-at 00:80:c8:f8:5c:73
Gratuitous: reply sent before a host is asked
Often addressed to an upstream router or LB device
arp reply 192.168.99.35 is-at 0:80:c8:f8:4a:51 (0:80:c8:f8:4a:51)
Unsolicited: broadcast by host owning an IP address; usually
at boot time
Also good for detecting duplicate IP addresses
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.35 tell 192.168.99.35
ARP security issues
ARP spoofing
ARP replies are honored and cached, whether normal or
gratuitous
Can poison a host’s ARP cache with spoofed entries to
force redirection
Proxy ARP (routers) does this legitimately
ARP flooding (how to turn a switch into a hub)
Fill a switch’s memory with bogus mappings
Switch will flood all ports with all traffic since it doesn’t
know where hosts are
ARP Man In The Middle attack
1.1.1.1
1.1.1.2 is-at 00:11:22:33:44:55
1.1.1.2
ARP defenses
None built into protocol
arpwatch: Monitoring tool
Must mirror all traffic on one switch port
Switch features
Allow only one MAC address per port
Stops people from using hubs
Unless they steal MAC+IP from another machine…
Compare requests and replies to other mapping
information
Acquired from DHCP servers, DHCP snooping, manual
configuration (avoid)
Network Layer
Protocols
IP
Internet Protocol
RFC 791
IP is a lousy network protocol!
Unreliable: no delivery guarantees
Send ICMP message to source if delivery fails
Connectionless: no state maintained
Datagrams routed independently and in no order
Best-effort: packets not dropped capriciously
Has one job: to route datagrams
Relies on transport layer for improvements
Hosts must implement error detection and correction
and recovery
IP format
0
version
header
length
8
16
type of service
identification
time to live
24
datagram length
flags
next protocol
31
fragment offset
header checksum
source IP address
destination IP address
options, if any (variable length)
(padding)
version: 4
TOS: differentiated services codepoints (no guarantee of honoring)
dg length, ID, flags, offset: for fragmentation (will examine later)
TTL: max. hops through network (decremented by routers); usually 32
next protocol: TCP, 6 | UDP, 17 | ICMP, 1 | IPsec AH, 51 | IPsec ESP, 50
header checksum: 16-bit one’s compliment of sum
options: restrictions, record route, record timestamp, source-routing
IP routing
Two types of network nodes—
Hosts
Don’t forward datagrams between interfaces
Routers
Do forward datagrams between interfaces
Hosts can be routers if appropriate software is
installed and enabled
Presents security risks
IP routing operation
search routing
Is it totable
and decrement
my IP?TTL
Datagra
m
for
1.1.1.5
9.8.7.6
1.1.1.1
1.1.1.254
network
1.1.1.0/24
1.1.1.2
1.1.1.3
1.1.1.4
Is it to
my IP?
1.1.1.5
Basic routing algorithm
Extract destination address D from datagram
Compute network prefix N
If N matches any directly-connected network address
Deliver datagram to D over that network
Else if routing table contains a host-specific route for D
Send datagram to next hop specified in table
Else if routing table contains a route for N
Send datagram to next hop specified in table
Else if routing table contains a default route
Send datagram to default router specified in table
Else declare a routing error
Route processing
routing
daemon
route
netstat
command command
UDP
ICMP
routing
table
TCP
yes
IP output:
calculate next
hop router
(if necessary)
our packet
no (one of our IP
addresses or
broadcast)?
process IP options
IP input queue
IP layer
network interfaces
IP security issues
Mostly involve spoofed addresses
Unsigned and unencrypted in the headers
Therefore: they are unreliable identifiers
Not useful for hiding IP addresses
Is useful for:
Misdirecting connections (“MITM”)
Source routing
Denial-of-service attacks (“flooding”)
Network attacks that don’t need to see responses (“blind
spoofing”)
IP checksum is not security
Attacker:
Intercepts datagram
Spoofs addresses
Computes new checksum
Intended for error detection only
A computes and adds to header
B computes and compares to included sum
If mismatch: B silently drops
Denial-of-service attacks
Let’s wait until we talk about ICMP…
Source routing
131.107.0.254
10.0.0.254
10.0.0.1
SA: <doesn’t matter>
DA: 10.0.0.1
SR: via 131.107.0.254
IP fragmentation
Some payloads might exceed physical frame size
(MTU)
IP will fragment data if necessary
Reassembled only at destination
Transparent to transport layer
Each fragment is separate datagram
(Possibly) independently routed
No delivery order guarantee
One could get lost
All fragments must then be retransmitted
IP format—fragmentation
0
version
header
length
8
16
type of service
identification
time to live
24
datagram length
flags
next protocol
31
fragment offset
header checksum
source IP address
destination IP address
options, if any (variable length)
(padding)
ID: unique for each datagram; copied into each fragment
flag1: one bit for “more fragments”; off in final fragment
flag2: one bit for “don’t fragment”; if set, IP discards datagram and
returns ICMP error
offset: from beginning of original datagram (8-byte multiples)
length: of this fragment only
Fragmentation example
IP header next hdr
(20 bytes)
(20 bytes)
IP header next hdr
(20 bytes)
(20 bytes)
payload
(1473 bytes)
payload
(1472 bytes)
IP header payload
(20 bytes)
(1 byte)
Note no TCP/UDP header!
Many firewalls will allow fragments through…hmm!
Fragmentation example
A.1234 > B.500: udp 1473
(frag 26304:1480@0+)
A > B: (frag 26304:1@1480)
frame size = 1501; must fragment
identification field
1472 (payload) + 8 (UDP header)
0 offset = beginning; + = more fragments
no port info
fragment number @ byte offset
IP defenses
Can block nearly all attacks at border
Need five rules
Block all inbound where SA in internal nets
Block all outbound where SA not in internal nets
Block all in/out where SA | DA in RFC1918 or APIPA
Block all source-routed datagrams
Block all datagram fragments
ICMP
Internet Control Message Protocol
RFC 792
IP’s “message delivery” service
Reports errors
Asks and answers questions
Encapsulated in IP
Messages might need to be routed
Considered a network layer protocol
Error reports always include first 64 bits of errorcausing datagram
Helps determine which protocol and application caused
the error
ICMP format
0
8
type
16
code
24
checksum
content (variable length; depends on type and code)
type: message type
code: sub-message type
31
ICMP messages
Type
0
3
4
5
8
9
10
11
12
13
14
15
16
17
18
Code Description
0
echo reply
destination unreachable
0
network unreachable
1
host unreachable
2
protocol unreachable
3
port unreachable
4
fragmentation needed but don’tfragment bit is set
5
source route failed
6
7
0
0
1
0
0
0
0
0
0
0
0
0
0
0
destination network unknown
destination host unknown
source quench
redirect
for network
for host
echo request
router advertisement
router solicitation
time exceeded
TTL = 0 during transit
parameter problem
IP header bad (catchall error)
timestamp request
timestamp reply
information request (obsolete)
information reply (obsolete)
address mask request
address mask reply
Code Description
8
9
10
11
12
source host isolated (obsolete)
destination network administratively prohibited
destination host administratively prohibited
network unreachable for DiffServ
host unreachable for DiffServ
13
communication administratively
prohibited by filtering
14
15
host precedence violation
precedence cutoff in effect
2
3
Query

Error



for DiffServ and network
for DiffServ and host



1
TTL = 0 during reassembly
1
required option missing








ICMP echo
0
8
16
type
code
identifier
24
checksum
sequence number
optional data (variable length)
type: 8 = request, 0 = reply
code: 0
identifier, sequence number: for matching replies to requests
data: returned to sender
31
ICMP reconnaissance attacks
“Port unreachable” = port closed
“Host unreachable” = host doesn’t exist
ICMP redirect attacks
Advise hosts of better routes
Difficult to spoof
Can come only from host’s existing DG
Must be tied to an existing connection
Can’t be used for unsolicited route table updates
Redirects generally aren’t used
Best to block them
Useful only on LANs with multiple gateways to the
Internet
ICMP DoS attacks
Ping attacks
Forged source address can create havoc when replies
arrive
Unreachable attacks
Forged messages can be used to reset existing
connections
netstat gives the attacker everything necessary to
generate messages
DDoS constellation (“smurf” var.)
Wake up!
Ping!
Reply!
ICMP scanning
ICMP’s implementation-specific responses to
certain queries helps attackers learn about a
network
Ofir Arkin’s work
http://www.sys-security.com/html/projects/icmp.html
http://www.sys-security.com/html/projects/X.html
ICMP defenses
Limit which ICMP types and codes you allow into
your network
Avoid those which are little used and have better
alternatives
Redirects
Router solicitations and advertisements
Timestamps
Don’t permit “unreachable” messages outside your
border
Let the absence of a reply imply a problem
Transport Layer
Protocols
UDP
User Datagram Protocol
RFC 768
Datagram-oriented
vs. TCP’s stream orientation (later)
No transport reliability
No delivery guarantees
Some applications work better with app-level error
handling
UDP format
0
8
source port
16
length
24
destination port
31
checksum
data (variable length)
checksum: computed over source and destination IP addresses,
protocol number, length, and entire UDP packet (header and data)
UDP app responsibilities
Handle all error detection and correction
Understand size of underlying MTU to avoid
packet fragmentation
Recover from out-of-order delivery
Track communications state between peers
UDP security issues
Streaming media and VoIP often use dynamic
ports
Lack of a connection makes it difficult to
determine flows
Port loopback attack (“pingpong”)
Spoof!
from A:19/udp (chargen)
to B:7/udp (echo)
UDP defenses
Use application-aware proxies to improve security
Don’t expose applications that you don’t need
echo
daytime
chargen
TCP
Transmission Control Protocol
RFC 793
Connection-oriented, reliable, full-duplex byte
stream transport service
Many decisions are made by the protocol, not the
applications
Segment size (amount of data per packet)
Acknowledgement of packet receipt
Retransmittal of unacknowledged packets
Resequencing of out-of-order packets
Flow control
TCP format
0
8
source port
16
24
destination port
31
sequence number
acknowledgement number
header
length
reserved
flags
checksum
window size
urgent pointer
options (if any) (variable length)
data (variable length)
seq/ack numbers: track session state; indicate which byte we’re on
flags: urgent | acknowledge | push | reset | synchronize | finish
window size: flow control
checksum: computed over source and destination IP addresses,
protocol number, length, and entire TCP packet (header and data)
TCP connection establishment
(“three-way handshake”)
B sends
sends packet
packet to
to A
A
B with:
• SYN with
set B’s SYN+1
•ACK
Destination
port number
• B’s
ISN
• ACK
with(initial
A’s SYN+1
A’s ISN
sequence number)
TCP connection establishment
A.1037 > B.23: S 1415531521:1415531521 (0)
win 4096 <mss 1024>
B.23 > A.1037: S 1823083521:1823083521 (0)
ack 1415531522
win 4096 <mss 1024>
A.1037 > B.23: . ack 1823083522 win 4096
A’s sequence number + 1
B’s sequence number + 1
TCP connection termination
(“four-way close”)
B sends
sends packet
packet to
to A
A
B with:
• FIN with
set B’s
A’s SYN+1
SYN+1
•ACK
•A’s next
•B’s
next sequence
sequence number
number
TCP connection termination
A.1037 > B.23: F 1415531522:1415531522 (0)
ack 1823083522 win 4096
B.23 > A.1037: . ack 1415531523 win 4096
B.23 > A.1037: F 1823083522:1823083522 (0)
ack 1415531523 win 4096
A.1037 > B.23: . ack 1823083523 win 4096
TCP connection reset
An immediate “go away”
Never acknowledged
B sends packet to A with:
• RST set
• B’s next sequence number
• ACK with A’s SYN+1
MSS (maximum segment size)
Largest “chunk” of data TCP sends
Each side announces; lower of two is chosen
Can go as high as 1460
TCP packet payload (data): 1460 bytes
IP datagram payload (TCP): 1480 bytes
Ethernet frame payload (IP): 1500 bytes
Total length: 1536 bytes
TCP security issues
SYN flooding
Consume memory with many half-opens
Session hijacking
Source-routed packets
Sniffing
Predictable sequence numbers
Sequence number prediction
SYN
ACKset
B (predicted!)
ISN
source=A
E
source=A
Huh?
SYN
RSTset
ISN A
SYN
SYNset
set
ISN
ISNBB
ACK
ACKEA
TCP defenses
Better sequence number generation
Random
Cryptographic
Changes to implementations
Don’t allocate resources until complete open
Router rules to block spoofed packets
TCP attacks are almost always spoofed
Steve Riley
steriley@microsoft.com
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.