Network Security CS 478/CIS 678

Intro to TCP/IP
Objectives
Reading: Computer Security Principles and Practice, W. Stallings, L. Brown
• Appendix E
The student should be able to:
• Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).
Internet Architecture (figure)
TCP/IP Packet (figure): a packet is built from nested layer headers, each answering one question
• L2 Ethernet header: what physical node to send to?
• L3 IP header: source & destination logical addresses
• L4 TCP header: which application does this go to?
• Application data: what data is actually being sent?
• Packet check code (CRC) at the end
Addressing Requirements
• two levels of addressing required
• each host on a subnet needs a unique global network address
– its IP address
• each application on a (multi-tasking) host needs a unique address within the host
– known as a port
TCP/IP Packet (figure, with example values)
• L2 Ethernet header: what physical node to send to? Address on LAN: 00:0c:29:80:ec:29
• L3 IP header: source & destination logical addresses, e.g. Ginger.cs.uwp.edu = 124.36.92.81
• L4 TCP header: which application does this go to? Port 80 = web
• Application data: what data is actually being sent? "Hi Alice, Are you coming to the party on Friday?"
• Packet check code (CRC)
Operation of TCP/IP (figure)
Some TCP/IP Protocols (figure)
Protocols used at each Layer
L5 = Application
L4 = Transport:
• TCP: Transmission Control Protocol (End-to-End Error control: Retransmission)
• UDP: User Datagram Protocol (Only Port Addressing)
L3 = Network:
• IP: Internet Protocol (Routing)
• ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
L2 = Data Link Layer
– Medium Access Control (MAC):
• Ethernet Protocol
• ARP: Address Resolution Protocol (Translates IP to MAC addresses)
Physical Layer: Layer 1
• Basic Function: Concerned with the physical interface between computer and network
• concerned with issues like:
– characteristics of transmission medium
– signal levels
– data rates
– other related matters
Network Access Layer: Layer 2
• Basic Function: Coordinate multiple access on LAN
• exchange of data between an end system and attached network
• concerned with issues like:
– destination address provision
– invoking specific services like priority
– access to & routing data across a network link between two attached systems
• allows layers above to ignore link specifics
• Example protocol: Ethernet
Internet Layer (IP): Layer 3
• Basic Function: Routing packets across network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relay data between them
Wireshark example (# Time Source IP Dest IP App Info):
152 919.001559 10.1.1.165 10.1.1.128 IP Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)
Internet Protocol (IP)
• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem: Spoofed fragments replace or confuse real data
• Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)
IP Header
IP Header Format
First 8 nibbles:
• 0-3: IP Version (V4 or V6)
• 4-7: Header length (in 32-bit words)
• 8-15: Type of service (relates to quality of service - ignore for this class)
• 16-31: Total length
Second 8 nibbles:
• 0-15: Identification (used with fragmentation)
• 16-18: Flags: More bit, Don’t Fragment
• 19-31: Fragment offset
Third 8 nibbles:
• 0-7: Time to live
• 8-15: Next Protocol (e.g. TCP, ICMP)
• 16-31: Header Checksum
Fourth 8 nibbles: Source IP Address
Fifth 8 nibbles: Destination IP Address
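As an added example (not from the slides), the following Python decodes the header fields listed above from raw bytes and verifies the header checksum, so a truncated or tampered header is reported rather than trusted; the sample header is constructed here, reusing the addresses and fragment ID from the Wireshark row above.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode version, IHL, total length, ID, flags, offset, TTL, protocol and
    addresses from the first 20 bytes, and verify the header checksum."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length field counts 32-bit words
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a valid IPv4 header")
    header = pkt[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field is bytes 10-11
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }

def build_sample() -> bytes:
    """Constructed sample (not a capture): first fragment of an ICMP datagram,
    10.1.1.165 -> 10.1.1.128, ID 0x19d9, More Fragments set, offset 0."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x19d9, 0x2000, 64, 1, 0,
                         bytes([10, 1, 1, 165]), bytes([10, 1, 1, 128]))
    csum = ipv4_checksum(fields)            # computed over the header with the field zeroed
    return fields[:10] + struct.pack("!H", csum) + fields[12:]
```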
Transmission Control Protocol (TCP): Layer 4
• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP): Provides a reliable connection for transfer of data between applications
– Reliable = Packets delivered in order and no packets are missing
– Reliability provided by sequencing and retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source, destination) entities for duration of each connection
Transmission Control Protocol (TCP)
• TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
• Addresses applications via 16-bit Port number
• Performs error control on an end-to-end basis:
– Reorders out-of-sequence segments
– Retransmits segments when acknowledgements are not received
– Performs flow control to ensure destination is not overwhelmed with data (using a window)
– Performs congestion control to ensure network is not overwhelmed
TCP Header Fields
• Source Port: Source port (application) address
• Dest Port: Destination port (application) address
• Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK
• Sequence #: Beginning Sequence number (byte #)
• AckNr: Acknowledgment sequence number (= next expected seq #)
• WindowSize: Size of empty space in receive buffer (in bytes)
• Checksum: Verifies no change in segment and parts of IP header
• Urgent Pointer: index to urgent data (rarely used)
TCP
• TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs.
• Establishes a connection
• Sends data
• Each side gracefully disconnects
TCP Flags
The flags within segments that TCP uses include:
S=SYN: Request to establish a connection
P=PUSH: Request from application to flush (or force) transmission.
F=FIN: Request to close a transmission - graceful
R=RESET: Notification of aborting of a connection
A=ACK: Contains an ack for previous data
Initiate a TCP Connection
• Establishes a connection via a 3-way handshake.
• SYN=Synchronization, establishes send and receive sequence numbers
Handshake (figure):
Initiator → Responder: SYN
Responder → Initiator: SYN,ACK
Initiator → Responder: ACK
Send TCP Data
• Each byte of TCP data has a sequence number associated with it; a segment's sequence number is the byte number of the first byte it carries.
• The acknowledgment indicates the sequence number (byte #) of the data expected next
Data exchange (figure):
Sender → Receiver: data (PUSH)
Receiver → Sender: ACK
Wireshark example (# Time Source IP Dest IP App Port > Port [Packet Type] SendSeq AckSeq):
45 1037.608722 10.1.1.3 10.1.1.165 TCP 3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46 1037.751240 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
47 1037.751279 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
Terminate TCP Connection
• Graceful Disconnect: Both sides must disconnect
• FIN = Finish
• Sending FIN indicates no more data to transmit
Four-way close (figure):
Side A → Side B: FIN
Side B → Side A: ACK
Side B → Side A: FIN
Side A → Side B: ACK
Session Abort
• I don’t want to participate in this connection
• Uses Reset
Abort (figure): one side → the other: RST
TCP Connect – Data - Disconnect
Wireshark example (# Time Source IP Dest IP App Port > Port [Packet Type] SendSeq AckSeq):
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
…
7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
…
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0
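As an added example (not part of the slides), this Python parses summary lines in the format Wireshark prints above and checks that every Ack number equals the peer's last Seq plus the bytes it consumed, where SYN and FIN each count as one sequence number; that is exactly the relationship visible in frames 1-3 and 8-11 (e.g. FIN at Seq=341 is answered by Ack=342). The frame list is constructed here from those rows; the two connections (ports 1179/3128 and 1190/80) are tracked separately by port pair.

```python
import re

# Constructed input: the handshake (frames 1-3) and teardown (frames 8-11)
# summary lines from the slide, Info column only.
FRAMES = [
    "1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460",
    "3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460",
    "1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0",
    "80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0",
    "1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0",
    "1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0",
    "80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0",
]

LINE_RE = re.compile(
    r"(\d+) > (\d+) \[([A-Z, ]+)\] Seq=(\d+)(?: Ack=(\d+))? Win=(\d+) Len=(\d+)")

def parse_summary(line: str) -> dict:
    """Split one summary line into ports, flag set, Seq, Ack (None if absent), Win and Len."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised summary line: " + line)
    sport, dport, flags, seq, ack, win, length = m.groups()
    return {"sport": int(sport), "dport": int(dport),
            "flags": {f.strip() for f in flags.split(",")},
            "seq": int(seq), "ack": None if ack is None else int(ack),
            "win": int(win), "len": int(length)}

def check_ack_numbers(lines) -> list:
    """Verify that each ACK acknowledges exactly the peer's next expected byte.
    SYN and FIN consume one sequence number each; data consumes Len bytes.
    Returns (frame number, message) per mismatch; an empty list means consistent."""
    next_seq = {}          # (sender port, receiver port) -> next byte that sender will send
    findings = []
    for n, line in enumerate(lines, 1):
        p = parse_summary(line)
        me, peer = (p["sport"], p["dport"]), (p["dport"], p["sport"])
        if "ACK" in p["flags"] and peer in next_seq and p["ack"] != next_seq[peer]:
            findings.append((n, f"Ack={p['ack']} but peer's next byte is {next_seq[peer]}"))
        consumed = p["len"] + ("SYN" in p["flags"]) + ("FIN" in p["flags"])
        next_seq[me] = p["seq"] + consumed
    return findings
```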
TCP in Wireshark (figure): showing connection, data, disconnect
TCP Header (figure)
User Datagram Protocol (UDP)
• UDP can be used instead of TCP to address an application
• Does NOT support end-to-end retransmission, reordering of out-of-order packets, flow control or congestion control.
• Addresses applications via 16-bit Port number
Protocol:
• UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
• 1 Packet type: Send data
Wireshark example:
1 0.000000 131.210.13.7 10.1.1.165 UDP Source port: 1060 Dest port: 8881
User Datagram Protocol (UDP)
• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP
Application Layer: Layer 5 (Internet)
• Basic Function: User applications
• need a separate module for each type of application: File transfer, web, ssh, email, etc.
Wireshark examples:
4 0.001151 10.1.1.165 10.1.1.3 HTTP GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90 80.400513 10.1.1.165 10.1.1.10 SNMP get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1
Application Protocols
Application & Port
• SMTP: Simple Mail Transfer Protocol (Email): 25
• HTTP: HyperText Transfer Protocol (Web): 80
• FTP: File Transfer Protocol: 20/21
• SNMP: Simple Network Management Protocol: 161
• DNS: Domain Name Server: 53
• NBNS: NetBios Name Service (Microsoft Internal, similar to DNS): 137
• SSL: Secure Socket Layer: 443
Internet Control Message Protocol (ICMP)
• Reports errors from IP (e.g. Destination not reachable)
• Replies to requests (routing info)
• Test connectivity (ping)
Wireshark examples:
71 16.725008 10.1.1.165 207.46.170.123 ICMP Echo (ping) request
76 17.813662 207.231.240.7 10.1.1.165 ICMP Time-to-live exceeded (Time to live exceeded in transit)
73 13.696159 10.1.1.1 10.1.1.165 ICMP Destination unreachable (Communication administratively filtered)
Address Resolution Protocol (ARP)
• Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
• Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
• Replier (Me) sends: ARP Response (IP_Address, MAC Address)
Wireshark examples (# Time Source MAC Dest MAC Protocol Info):
3 8.617021 00:0c:29:80:ec:29 ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.3? Tell 10.1.1.165
4 8.617825 00:0e:0c:3d:f7:7d 00:0c:29:80:ec:29 ARP 10.1.1.3 is at 00:0e:0c:3d:f7:7d
Domain Name Server (DNS)
• Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.
Protocol:
• Request describes a name or numeric IP address to resolve
• Reply provides information about that IP address.
Wireshark examples:
53 55.927059 10.1.1.165 10.1.1.3 DNS Standard query A www.mozilla.org
54 55.946341 10.1.1.3 10.1.1.165 DNS Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113
IGMP: Internet Group Management Protocol
Sets up multicast for streaming and gaming
NTP: Network Time Protocol
Synchronizes Clocks
And now for a …
WIRESHARK DEMO