Part 1: Understanding TCP/IP for Lawful Interception and Traffic Analysis
Hendrik Schulze, ipoque, hendrik.schulze@ipoque.com
ISS World – IP Tutorial, Wednesday, December 19, 12

Understanding TCP/IP for Lawful Interception and Traffic Analysis – outline of the tutorial
• Networking Basics
• Interception Basics
• Deep Packet Inspection
• Application Decoding

Part 1: Agenda
• Motivation: Why IP interception?
• Helicopter View: How information passes the Internet
• TCP/IP basics
• OSI Reference Model and TCP/IP Model
• Intercepting TCP/IP traffic

Motivation: Why IP Interception?

3 ways to access information in the Internet
• Service Elements (SE), e.g. Facebook, Google, Amazon, Skype
• Internet
• User Equipment (UE)

4 ways of communication in the Internet
– UE to SE (online banking)
– UE to UE via SE (Facebook)
– UE to UE mediated by SE (Skype, IM)
– UE to UE directly (P2P communication)

Interception at service element level
Pros:
• most exact results
• lowest investigation effort
• investigation on demand (information is often buffered)
Cons:
• service provider needs to be included
• service provider is often out of reach
• needs to be done for all kinds of service providers
• how to handle anonymity?
• UE to UE communication is not covered

Interception at user equipment level (spyware)
Pros:
• exact results
• also encrypted communication covered
• independent from location of target (as long as infected hardware is used)
Cons:
• detectable by the target
  ➡ limited to a very small number of targets
  ➡ every OS or anti-virus update is a very high risk
• works only on pre-infected target hardware
• cleaners available for most spyware

IP interception
Pros:
• scalable
• costs per case
• exact results
• correlation of different activities
• (semi-)automatic investigation
• undetectable by target
Cons:
• encryption
• roll-out of hardware necessary

IP interception: Only two things have to be done
[Diagram: Server – network – Client, with a probe on the path between them]
• Probe captures the “bits” off the network
• Analysis software delivers the “who, what, where, when, how” information
• Advantages: non-intrusive, not bound to CPE or server-side support
• Disadvantages … it is complicated

Networking Basics
Helicopter View: How information passes the Internet (on a simplified web browsing example)
(Photo: http://www.flickr.com/photos/helico/)

Example: web browsing – user perspective
The user asks for www.ipoque.com/index.html and the server answers: request → response.

Application level
The client application sends a request to the web server; the web server returns a response. What actually passes between them:

  Request:
    GET /en/home/index.html HTTP/1.1
    Host: www.ipoque.com
    User-Agent: Mozilla/5.0 ...
    [...]

  Response:
    HTTP/1.1 200 OK
    Date: Sun, 12 Feb 2012 10:37:02 GMT
    Server: Apache/2.2.14 (Ubuntu)
    Last-Modified: Sun, 12 Feb 2012 10:37:02 +0000
    Content-Language: en
    Content-Type: text/html; charset=utf-8
    [...]
    <html> [ html web site description ] </html>

Transport level
The application-level request and response between the client application and the web server are themselves carried as a request/response exchange at the transport level.

Network level
The client wants www.ipoque.com/index.html, but a packet addressed “TO: www.ipoque.com” cannot be delivered by name. This is where the Domain Name System (DNS) comes in:
• Client → Domain Name Server: “Who is www.ipoque.com?”
• Domain Name Server → Client: “www.ipoque.com has IP Address 85.214.243.163”
• Client → Web Server: “TO: 85.214.243.163”

TCP/IP Basics: OSI Reference Model and TCP/IP Model
(Photo: http://www.flickr.com/photos/pasukaru76)

OSI Reference vs. TCP/IP Model
  OSI Model           TCP/IP Model
  7 | Application     7 | Application
  6 | Presentation
  5 | Session
  4 | Transport       4 | Transport
  3 | Network         3 | Internet
  2 | Data Link       2 | Link
  1 | Physical        1 | Physical

TCP/IP protocol stack (protocols shown on the slide, by layer)
• Application (7): HTTP, DNS, BGP, DHCP, SIP, RTP, RTCP, SMTP, POP, IMAP, FTP, SSH, NTP, NFS, Jabber, Skype, BitTorrent
• Transport (4): Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
• Internet (3): IPv4, IPv6, IPsec, ICMPv4, ICMPv6, OSPF, ARP, RARP
• Link (2) and Physical (1): Ethernet, 802.11 a/b/g/n MAC/LLC and PHY, PPP, L2TP, DOCSIS, 100Base-TX/FX, SDH

Message Encapsulation: header vs. payload
Each layer prepends its own header to what it receives from the layer above; everything behind that header is the layer’s payload:
  L7 Message (Layer 7):        L7 Header | Application Data
  TCP/UDP Message (Layer 4):   TCP/UDP Header | L7 Header | Application Data
  IP Datagram (Layer 3):       IP Header | TCP/UDP Header | L7 Header | Application Data
  L2 Frame (Link):             L2 Header | IP Header | TCP/UDP Header | L7 Header | Application Data
  PHY:                         the L2 frame as a signal on the medium
Seen from below, the TCP/UDP payload is the L7 message, the IP payload is the TCP/UDP message, and the L2 payload is the IP datagram.

IP header format (IPv4)
• Contains the Internet’s primary addressing information
  Bits 0-3: Version | 4-7: Internet Header Length | 8-15: Type of Service | 16-31: Total Length
  Identification | Flags | Fragment Offset
  Time To Live (TTL) | Protocol | Header Checksum
  Source Address
  Destination Address
  Options
  Payload

Routing in the Internet
[Diagram: Client and Server each run the full stack (7 Application, 4 Transport, 3 Internet, 2 Link, 1 Physical); the router between them only runs Internet, Link and Physical.]

IP Fragmentation
• When L1/L2 changes, IP packets might be fragmented
[Diagram: as above, with two routers between Client and Server; every hop has its own Link and Physical layer, so the Internet layer has to cope with differing lower-layer limits.]

IPv4 Fragmentation
The Identification, Flags and Fragment Offset fields of the IPv4 header (see the header format above) carry the information needed to reassemble the fragments.

TCP/IP Basics: IP Address Assignment and User Identity

DHCP
• Maps layer-3 to layer-2 addresses – mostly IP to MAC
• MAC = subscriber at cable operators
  DHCP message fields (excerpt): Client IP Address, Your IP Address, Server IP Address, Gateway IP Address, Client Hardware Address, …

Remote Authentication Dial In User Service (RADIUS)
• AAA at most ISPs – IP–subscriber mapping

TCP/IP Basics: IP Addresses and Domain Names

Domain Name System (DNS) – In Theory
• Mapping Domain Name <-> IP – e.g. www.google.com <-> 72.14.234.104
Example resolution of “Where is www.wikipedia.org?” by a DNS Recurser:
  → root nameserver (124.21.0.2): “Try 64.2.23.41”
  → .org nameserver (64.2.23.41): “Try 201.144.12.123”
  → wikipedia.org nameserver (201.144.12.123): “It’s at 123.45.67.89”

Domain Name System (DNS) – In Practice
[Diagram only]

Interception of Network Traffic
(Photo: http://www.flickr.com/photos/dunechaser/)

What if you don’t have access to the server or client?
• Client is closed CPE
• Server is beyond reach of a warrant
  • Third-party application service not affiliated with telco
  • Jurisdiction
  • Interface issues, device capability
Conclusion: The only way to figure out what the target is doing is by probing the network (IP interception).
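The IPv4 header and fragmentation slides above describe what a probe has to undo before it can look at any transport data. Here is an added example (not from the tutorial and not ipoque code) that parses the header, verifies its checksum and reassembles fragments that arrive out of order or duplicated; the addresses, identification value and payload are constructed sample data.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; a header carrying a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> tuple:
    """Split a raw IPv4 datagram into (header fields, payload); raise on bad input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, tlen, ident, ffo, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4      # IHL is in 32-bit words
    if version != 4 or ihl < 20 or tlen < ihl or len(pkt) < tlen:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"ident": ident, "ttl": ttl, "proto": proto,
           "df": bool(ffo & 0x4000), "mf": bool(ffo & 0x2000),
           "offset": (ffo & 0x1FFF) * 8,                # fragment offset in bytes
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, pkt[ihl:tlen]

def reassemble(fragments: list) -> dict:
    """Group fragments by (src, dst, ident, proto) and rebuild every datagram whose
    pieces are all present; out-of-order and duplicate fragments are tolerated,
    datagrams with a hole or without a last fragment are left out."""
    pieces, total_len = {}, {}
    for frag in fragments:
        h, payload = parse_ipv4(frag)
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        pieces.setdefault(key, {})[h["offset"]] = payload
        if not h["mf"]:                           # last fragment fixes the total size
            total_len[key] = h["offset"] + len(payload)
    done = {}
    for key, parts in pieces.items():
        buf, pos = b"", 0
        while pos in parts:                       # walk contiguous offsets from 0
            buf += parts[pos]
            pos += len(parts[pos])
        if key in total_len and pos == total_len[key]:
            done[key] = buf
    return done

def make_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Build a constructed IPv4 fragment (proto 17, RFC 5737 documentation addresses)."""
    ffo = (0x2000 if more else 0) | (offset // 8)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ffo,
                       64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:] + payload

# Constructed sample: a 24-byte payload split 16 + 8, delivered out of order, first piece duplicated.
DATA = b"GET /en/home/index.html "
FRAGS = [make_fragment(0x1234, 16, False, DATA[16:]),
         make_fragment(0x1234, 0, True, DATA[:16]),
         make_fragment(0x1234, 0, True, DATA[:16])]
```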
Only two things have to be done (recap of the slide above): the probe captures the “bits” off the network, and the analysis software delivers the “who, what, where, when, how” information.

Interception of Network Traffic – Step 1: Tapping the network

Tapping the network
Tap into physical connectivity: NO PACKET LOSS
• Options:
  – Passive optical splitters
  – Promiscuous Ethernet probes
  – Ethernet switch taps
  – DSL splitters
  – Mirror ports – router/switch packet replication

Mirror ports
• aka SPAN ports (Cisco)
+ Available in many switches and routers
− Performance limitation – packet loss under high load
− Often limited number of mirror ports per system
− Requires two mirror ports per full duplex link

Network taps
• Copper – regeneration of signal
• Fiber – split of signal, e.g. 50:50, 70:30, 90:10 – multi-mode, single-mode
+ Completely passive
+ Identical copy of traffic
− Network link needs to be interrupted (for installation)
Network Tap Implementation [diagram: Internet – Router – Network Tap – Firewall – Switch, tap ports A and B feeding a Monitoring Device]:
1. The passive Tap creates a permanent, in-line access port to monitor all full-duplex traffic without data stream interference.
2. Depending on whether the Tap is fiber or copper, the network signal is split or regenerated so that the monitoring device has full access to the signal.
3. The monitoring device sees the same traffic as if it were also in-line, including physical layer errors.
Diagram copyright © 1996-2006 Net Optics, Inc.
Network taps – examples
[Product photos only]

Interception of Network Traffic – Step 2: Analyze captured traffic
(Photo: http://www.flickr.com/photos/myf/)

Analyzing captured traffic reverses the encapsulation shown earlier: the probe receives L2 frames from the PHY and peels off the L2 Header, the IP Header, the TCP/UDP Header and finally the L7 Header to get at the Application Data. Where each step sits in an interception chain (“L8” being the analyst above the protocol stack):
  L2 Frame / PHY:                        Tap or Mirror Port on Router → Probe
  IP Datagram, TCP/UDP Message:          Mediation Device
  L7 Message (L7 Header + Application Data): Analysis System (Monitoring Center)

Challenge: Growing bandwidth
• Mediation device
  – mirror port on router / probe
  – reconstruction of data from signal
  – filtering for wanted/unwanted data
• Performance problem for high speed networks
• Storage problem

Legacy probe vs. smart probe
[Diagram: the same chain as above, with the probe now shown operating at the IP datagram level as well as at the L2 frame level.]

Probe hardware – 2007
• Special-purpose network measurement systems
  + powerful for what they are built
  − expensive
  − inflexible
• Standard PC hardware
  + cheap
  + flexible
  − limitations in performance
• Hybrid system – try to combine best of both worlds
  – standard PC host hardware + special-purpose measurement cards

Probe hardware – today
• Special-purpose network measurement systems
  + powerful for what they are built
  − expensive
  − inflexible
• Hybrid system – try to combine best of both worlds
  – standard PC host hardware + special-purpose measurement cards
• Standard PC hardware
  + cheap
  + flexible
  − limitations in performance and accuracy

Filtering relevant traffic
[Diagram: Router – Link – Router carrying voice, video, data …]
How do you know what IP packets or content to keep?
• If you know that the link belongs to the client or server (e.g., DSL, LAN port, ATM PVC)
• By referencing the IP address with carrier OSS
  – Billing/CRM – customer information
  – Provisioning/inventory – network elements assigned to customer ID
  – Radius server (dynamically assigned IP address, although legislation may change this)
• Or, by the content in the IP packet (one key function of DPI)
  – Application login information
  – Keywords, application signature, other
• Or because the intercept point is provisioned to capture what you are looking for.
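The slide above names the RADIUS server as the source of the IP–subscriber mapping for dynamically assigned addresses. An added example (not the tutorial’s own material) of the time-window lookup this implies, including address reuse and the ambiguous case a stale session produces; the accounting log lines and their one-line format are constructed for the demo and are not a real RADIUS detail-file format.

```python
from datetime import datetime

# Constructed accounting log (time, Acct-Status-Type, user, Framed-IP-Address):
# 10.7.7.7 goes to bob, is released, then reassigned to carol (address reuse);
# alice's session on 10.7.7.5 never gets a Stop before dave is handed the same IP.
ACCT_LOG = """\
2012-12-19T08:00:00Z Start user=alice ip=10.7.7.5
2012-12-19T08:05:00Z Start user=bob ip=10.7.7.7
2012-12-19T09:30:00Z Stop user=bob ip=10.7.7.7
2012-12-19T09:31:00Z Start user=carol ip=10.7.7.7
2012-12-19T10:00:00Z Start user=dave ip=10.7.7.5
"""

def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_acct(text: str) -> list:
    """Pair Start/Stop records into sessions (ip, user, start, stop); stop is
    None for a session that is still open (no Stop record seen)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        ts, status, user, ip = line.split()
        user, ip = user.split("=", 1)[1], ip.split("=", 1)[1]
        if status == "Start":
            open_sessions[(ip, user)] = _ts(ts)
        elif status == "Stop" and (ip, user) in open_sessions:
            sessions.append((ip, user, open_sessions.pop((ip, user)), _ts(ts)))
    sessions += [(ip, user, start, None) for (ip, user), start in open_sessions.items()]
    return sessions

def subscriber_for(sessions: list, ip: str, when: datetime):
    """User holding `ip` at `when`. None if accounting shows nobody; "AMBIGUOUS"
    if more than one session covers the moment (stale session, clock skew):
    that has to be resolved by the analyst, not guessed."""
    hits = {user for sip, user, start, stop in sessions
            if sip == ip and start <= when and (stop is None or when < stop)}
    if len(hits) == 1:
        return hits.pop()
    return "AMBIGUOUS" if hits else None

SESSIONS = parse_acct(ACCT_LOG)

def lookup(ip: str, iso_time: str):
    """Attribute a packet's IP address and capture timestamp to a subscriber."""
    return subscriber_for(SESSIONS, ip, _ts(iso_time))
```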
Forward the packet data to analysis system
• Considerations
  – Session data can’t be dropped: lose one packet and a file can’t be reconstructed, and the evidence may not hold up -> need to use TCP.
  – For a real-time feed -> a VC must be established between access point, mediation device and collection function at the peak bandwidth of the subject’s access.
• Problem: IP networks don’t provide switched bandwidth on demand, or deterministic QoS-based packet delivery.
• Buffering is required at all points in the collection/delivery chain as a function of network throughput, access speeds and maximum session length.

Last step – parsing out the application data and reconstructing the session
Each application has its own proprietary data exchange protocols/methodology: data structure, signaling information, data coding, etc. Decoding this ranges from easy to very difficult.

The first step in decoding the application data is to decode the transport protocol.
[Diagram: Client Application ↔ Web Server; the application-level request/response is carried by a transport-level request/response.]

TCP – Transmission Control Protocol
The transmission control protocol (TCP) is used by applications that require reliable transmission of data – such as the web. Here’s how it works:
• TCP starts a communications session (via SYN message)
• TCP chops the data into discrete pieces, fragments
• TCP adds sequence numbers and control information for error recovery
• Each TCP fragment is sent via IP to the destination (TCP/IP packet)
• TCP acknowledges each data packet received
• TCP recovers lost data.
TCP – Basics
• Connection-oriented
  – connection setup with 3-way handshake – SYN, SYN/ACK, ACK
  ➡ explicit flow semantic
• Reliable
  – uses acknowledgements and time-outs
  – header and data checksum
  – sequence numbers for out-of-order and duplicate packet handling
  – flow control
• Byte stream
  – no record markers
  – bytes sent by the transmitter arrive at the receiver without any structure

How TCP works
[Sequence diagram, Client ↔ Server, time running downward]
Setup (annotated “Get rid of this”):
  Client → Server: SYN
  Server → Client: SYN; ACK
  Client → Server: ACK
Data Transfer (annotated “Good stuff (data)”):
  Data → ACK, Data → ACK, … ; one Data segment is lost (X), is sent again as “Data (Retransmit)”, and the receiver discards any duplicated bytes (“Remove dup data”)
Teardown (session complete):
  FIN → ACK (FIN); FIN → ACK (FIN)

TCP Header – This is (part of) what the probe sees
  Bits 0-15: 16-bit source port number | 16-31: 16-bit destination port number
  32-bit sequence number
  32-bit acknowledgment number
  4-bit header length | reserved (6 bits) | URG ACK PSH RST SYN FIN | 16-bit window size
  16-bit TCP checksum | 16-bit urgent pointer
  options (if any)
  data (if any)
The fixed part of the header is 20 bytes. Reprinted from TCP/IP Illustrated, Volume 1: The Protocols.

Thank you!
Hendrik Schulze, hendrik.schulze@ipoque.com
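The TCP basics, sequence diagram and header slides above are what a probe has to implement before any application decoder can run (the “decode the transport protocol first” step). An added example (not from the tutorial): it parses the 20-byte TCP header shown above and rebuilds the client-to-server byte stream from captured segments, handling out-of-order delivery, retransmitted duplicates and overlapping segments; the capture, ports and HTTP request are constructed sample data.

```python
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp(seg: bytes) -> tuple:
    """Split a raw TCP segment (IP header already removed) into (fields, payload)."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off >> 4) * 4                  # 4-bit header length, in 32-bit words
    if hlen < 20 or len(seg) < hlen:
        raise ValueError("bad TCP header length")
    fields = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
              "flags": {name for name, bit in FLAGS.items() if flags & bit}}
    return fields, seg[hlen:]              # options (if any) are skipped via hlen

def reassemble_stream(segments: list) -> bytes:
    """Rebuild one direction of a TCP byte stream from captured segments.
    The SYN fixes the ISN; data at sequence s belongs at offset s - (ISN + 1).
    Later copies of bytes already seen (retransmissions, overlaps) are dropped;
    a hole (lost segment not yet retransmitted) ends the usable stream."""
    isn, chunks = None, {}
    for seg in segments:
        f, data = parse_tcp(seg)
        if "SYN" in f["flags"] and isn is None:
            isn = f["seq"]
        elif isn is not None and data:
            rel = (f["seq"] - (isn + 1)) & 0xFFFFFFFF
            chunks.setdefault(rel, data)   # first copy wins; duplicates ignored
    stream, pos = b"", 0
    for rel in sorted(chunks):
        if rel > pos:                      # gap in sequence space
            break
        end = rel + len(chunks[rel])
        if end > pos:                      # append only the new bytes
            stream += chunks[rel][pos - rel:]
            pos = end
    return stream

def request_line(stream: bytes) -> str:
    """First line of the reassembled request: where the L7 (HTTP) decoder starts."""
    return stream.split(b"\r\n", 1)[0].decode("ascii")

def make_segment(seq: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed client->server segment (ports 40000 -> 80, 20-byte header, no checksum)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload

ISN = 0x10000000
REQ = b"GET /en/home/index.html HTTP/1.1\r\nHost: www.ipoque.com\r\n\r\n"
# Constructed capture: handshake, then the request in three pieces delivered
# out of order, the middle piece retransmitted once.
CAPTURE = [make_segment(ISN, FLAGS["SYN"]),
           make_segment(ISN + 1, FLAGS["ACK"]),
           make_segment(ISN + 31, FLAGS["ACK"] | FLAGS["PSH"], REQ[30:]),
           make_segment(ISN + 1, FLAGS["ACK"], REQ[:10]),
           make_segment(ISN + 11, FLAGS["ACK"], REQ[10:30]),
           make_segment(ISN + 11, FLAGS["ACK"], REQ[10:30])]
```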