Network Security
CS 478/CIS 678
Intro to TCP/IP

Objectives
Reading: Computer Security Principles and Practice, W Stallings, L Brown
• Appendix E
The student should be able to:
• Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).

Internet Architecture (diagram)

TCP/IP Packet (diagram: the question each layer's header answers)
L2 Ethernet: What physical node to send to?
L3 IP: Source & destination logical address
L4 TCP: Which app does this go to?
Application: What data is actually being sent?
Packet checkcode: CRC

Addressing Requirements
• two levels of addressing required
• each host on a subnet needs a unique global network address – its IP address
• each application on a (multi-tasking) host needs a unique address within the host – known as a port

TCP/IP Packet (diagram: the same layers with example values)
L2 Ethernet: Address on LAN: 00:0c:29:80:ec:29
L3 IP: Ginger.cs.uwp.edu = 124.36.92.81
L4 TCP: Port 80 = web
Application: "Hi Alice, Are you coming to the party on Friday?"
Packet checkcode: CRC

Operation of TCP and IP (diagram)

Operation of TCP/IP (diagram)

Some TCP/IP Protocols (diagram)

Protocols used at each Layer
L5 = Application
L4 = Transport:
• TCP: Transmission Control Protocol (End-to-end error control: retransmission)
• UDP: User Datagram Protocol (Only port addressing)
L3 = Network:
• IP: Internet Protocol (Routing)
• ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
L2 = Data Link Layer - Medium Access Control (MAC):
• Ethernet Protocol
• ARP: Address Resolution Protocol (Translates IP to MAC addresses)

Physical Layer: Layer 1
• Basic Function: Concerned with the physical interface between computer and network
• concerned with issues like:
– characteristics of transmission medium
– signal levels
– data rates
– other related matters

Network Access Layer: Layer 2
• Basic Function: Coordinate multiple access on a LAN
• exchange of data between an end system and the attached network
• concerned with issues like:
– destination address provision
– invoking specific services like priority
– access to & routing data across a network link between two attached systems
• allows layers above to ignore link specifics
• Example protocol: Ethernet

Internet Layer (IP): Layer 3
• Basic Function: Routing packets across network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relay data between them

# Time Source IP Dest IP App
152 919.001559 10.1.1.165 10.1.1.128 IP Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)

Internet Protocol (IP)
• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem: Spoofed fragments replace or confuse real data
• Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)

IP Header (diagram)

IP Header Format
First 8 nibbles (first 32-bit word):
• 0-3: IP Version (v4 or v6)
• 4-7: Header length (in 32-bit words)
• 8-15: Type of service (relates to quality of service - ignore for this class)
• 16-31: Total length
Second 8 nibbles:
• 0-15: Identification (used with fragmentation)
• 16-18: Flags: More bit, Don't Fragment
• 19-31: Fragment offset
Third 8 nibbles:
• 0-7: Time to live
• 8-15: Next Protocol (e.g. TCP, ICMP)
• 16-31: Header Checksum
Fourth 8 nibbles: Source IP Address
Fifth 8 nibbles: Destination IP Address

Transmission Control Protocol (TCP): Layer 4
• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP): Provides a reliable connection for transfer of data between applications
– Reliable = Packets delivered in order and no packets are missing
– Reliability provided by sequencing and retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source, destination) entities for the duration of each connection

Transmission Control Protocol (TCP)
• TCP is responsible for end-to-end retransmission, and reordering of packets received out of order.
• Addresses applications via a 16-bit Port number
• Performs error control on an end-to-end basis:
– Reorders out-of-sequence segments
– Retransmits segments when acknowledgements are not received
– Performs flow control to ensure the destination is not overwhelmed with data (using a window)
– Performs congestion control to ensure the network is not overwhelmed

TCP Header Fields
• Source Port: Source port (application) address
• Dest Port: Destination port (application) address
• Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK
• Sequence #: Beginning sequence number (byte #)
• AckNr: Acknowledgment sequence number (= next expected seq #)
• WindowSize: Size of empty space in receive buffer (in bytes)
• Checksum: Verifies no change in segment and parts of IP header
• Urgent Pointer: index to urgent data (rarely used)

TCP
• TCP is connection-oriented, which means that it must explicitly establish a connection before transmission occurs and break it down afterwards.
• Establishes a connection
• Sends data
• Each side gracefully disconnects

TCP Flags
The flags within segments that TCP uses include:
S=SYN: Request to establish a connection
P=PUSH: Request from application to flush (or force) transmission.
F=FIN: Request to close a transmission - graceful
R=RESET: Notification of aborting of a connection
A=ACK: Contains an acknowledgment for previous data

Initiate a TCP Connection
• Establishes a connection via a 3-way handshake.
• SYN=Synchronization, establishes send and receive sequence numbers
(diagram: SYN →, ← SYN,ACK, ACK →)

Send TCP Data
• Each byte of TCP data has a sequence number associated with it; the sequence number in the header is the byte number of the first byte in the segment.
• The acknowledgment indicates the sequence number of the byte of data expected next.
(diagram: data segment (PUSH) →, ← ACK)

# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
45 1037.608722 10.1.1.3 10.1.1.165 TCP 3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46 1037.751240 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
47 1037.751279 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]

Terminate TCP Connection
• Graceful Disconnect: Both sides must disconnect
• FIN = Finish
• Sending FIN indicates no more data to transmit
(diagram: FIN →, ← ACK, ← FIN, ACK →)

Session Abort
• I don't want to participate in this connection
• Uses Reset
(diagram: RST →)

TCP Connect – Data – Disconnect
# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
…
7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
…
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0

TCP: Wireshark Showing Connection, Data, Disconnect (screenshot)

TCP Header (diagram)

User Datagram Protocol (UDP)
• UDP can be used instead of TCP to address an application
• Does NOT support end-to-end retransmission, reordering of out-of-order packets, flow control or congestion control.
• Addresses applications via a 16-bit Port number
Protocol:
• UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
• 1 packet type: Send data

1 0.000000 131.210.13.7 10.1.1.165 UDP Source port: 1060 Dest port: 8881

User Datagram Protocol (UDP)
• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP

Application Layer: Layer 5 (Internet)
• Basic Function: User applications
• need a separate module for each type of application: file transfer, web, ssh, email, etc.

4 0.001151 10.1.1.165 10.1.1.3 HTTP GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90 80.400513 10.1.1.165 10.1.1.10 SNMP get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1

Application Protocols
Application & Port
• SMTP: Simple Mail Transfer Protocol (Email): 25
• HTTP: HyperText Transfer Protocol (Web): 80
• FTP: File Transfer Protocol: 20/21
• SNMP: Simple Network Management Protocol: 161
• DNS: Domain Name Server: 53
• NBNS: NetBios Name Service (Microsoft internal, similar to DNS): 137
• SSL: Secure Socket Layer: 443

Some TCP/IP Protocols (diagram)

Internet Control Message Protocol (ICMP)
• Reports errors from IP (e.g. Destination not reachable)
• Replies to requests (routing info)
• Tests connectivity (ping)

71 16.725008 10.1.1.165 207.46.170.123 ICMP Echo (ping) request
76 17.813662 207.231.240.7 10.1.1.165 ICMP Time-to-live exceeded (Time to live exceeded in transit)
73 13.696159 10.1.1.1 10.1.1.165 ICMP Destination unreachable (Communication administratively filtered)

Address Resolution Protocol (ARP)
• Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
• Requester broadcasts to all nodes on the subnet: ARP Request (IP_Address)
• Replier (the host that owns IP_Address) sends: ARP Response (IP_Address, MAC Address)

3 8.617021 00:0c:29:80:ec:29 ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.3? Tell 10.1.1.165
4 8.617825 00:0e:0c:3d:f7:7d 00:0c:29:80:ec:29 ARP 10.1.1.3 is at 00:0e:0c:3d:f7:7d

Domain Name Server (DNS)
• Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.
Protocol:
• Request describes a name or numeric IP address to resolve
• Reply provides information about that IP address.

53 55.927059 10.1.1.165 10.1.1.3 DNS Standard query A www.mozilla.org
54 55.946341 10.1.1.3 10.1.1.165 DNS Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113

IGMP: Internet Group Management Protocol
Sets up multicast for streaming and gaming
NTP: Network Time Protocol
Synchronizes clocks

And now for a …
WIRESHARK DEMO
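As an added example (not from the slides or the Stallings text), a minimal dissector for the header layouts covered above: it builds a constructed Ethernet/IPv4/TCP frame using the MAC addresses, IP addresses, ports and identification value (19d9) that appear in the slides' ARP and TCP traces, decodes the IP header nibble by nibble (version, header length, identification, DF/MF flags, fragment offset, TTL, protocol, checksum verification) and the TCP ports, sequence/ack numbers and flags, and renders the Info line Wireshark shows for each segment. The frame builder is an assumption for test input only; it leaves the TCP checksum unset and adds no TCP options.

```python
import struct

def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; a received header verifies when this is 0."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, win=64240, payload=b"",
                    src_mac="00:0c:29:80:ec:29", dst_mac="00:0e:0c:3d:f7:7d"):
    """Constructed test frame (not captured traffic): Ethernet + IPv4 + TCP, no options.
    Only the IP header checksum is computed; the TCP checksum is left at 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x19D9, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum (bytes 10-11)
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def dissect(frame: bytes) -> dict:
    """Decode the Ethernet, IPv4 and TCP header fields described in the slides."""
    p = {"eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":"),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if p["ethertype"] != 0x0800: return p    # only IPv4 is decoded here
    ip = frame[14:]
    ver_ihl, _tos, tlen, ident, ff, ttl, proto, _ck = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4               # header length is given in 32-bit words
    p.update(version=ver_ihl >> 4, ihl=ihl, total_len=tlen, id=ident, ttl=ttl, proto=proto,
             df=bool(ff & 0x4000), mf=bool(ff & 0x2000), frag_off=(ff & 0x1FFF) * 8,
             src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
             ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:tlen]
    if proto == 6:                           # TCP: ports, seq/ack, data offset, flags, window
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        p.update(l4="TCP", sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                 flags=[n for bit, n in TCP_FLAG_BITS if off_flags & bit],
                 payload_len=len(l4) - (off_flags >> 12) * 4)
    return p

def summary(p: dict) -> str:
    """Render Wireshark's Info column for a TCP segment, e.g. '1179 > 3128 [SYN] Seq=0 Win=64240 Len=0'."""
    s = "%d > %d [%s] Seq=%d" % (p["sport"], p["dport"], ", ".join(p["flags"]), p["seq"])
    if "ACK" in p["flags"]:                  # Wireshark omits Ack= when the ACK flag is clear
        s += " Ack=%d" % p["ack"]
    return s + " Win=%d Len=%d" % (p["win"], p["payload_len"])
```

Flipping any byte of the IP header (for example the TTL) makes `ip_checksum_ok` false, which is the check a router or host applies before trusting the header fields.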
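The connect, data, disconnect and abort sequences above (Initiate a TCP Connection, Terminate TCP Connection, Session Abort, and the TCP Connect – Data – Disconnect trace) as an added example that is not from the slides: a small tracker that replays the Info column of each connection and reports whether it completed its 3-way handshake, closed gracefully with a FIN from each side, or was aborted with RST. The first eight trace entries are copied from the slide (frames 4-6 are elided there, so Seq jumps from 1 to 860); the last two are constructed to show the reset path.

```python
import re

# (src_ip, dst_ip, Wireshark Info text). Entries 1-8 are from the slide's trace,
# entries 9-10 are constructed: a connection attempt refused with RST.
TRACE = [
    ("10.1.1.165", "10.1.1.3", "1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460"),
    ("10.1.1.3", "10.1.1.165", "3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460"),
    ("10.1.1.165", "10.1.1.3", "1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0"),
    ("10.1.1.165", "10.1.1.3", "1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0"),
    ("10.1.1.3", "10.1.1.165", "80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0"),
    ("10.1.1.165", "10.1.1.3", "1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0"),
    ("10.1.1.165", "10.1.1.3", "1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0"),
    ("10.1.1.3", "10.1.1.165", "80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0"),
    ("10.1.1.165", "10.1.1.3", "1191 > 3129 [SYN] Seq=0 Win=64240 Len=0"),           # constructed
    ("10.1.1.3", "10.1.1.165", "3129 > 1191 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0"),    # constructed
]
INFO_RE = re.compile(r"(\d+) > (\d+) \[([A-Z, ]+)\]")

def track_connections(trace):
    """Replay each connection's flag sequence; returns {endpoints: (state, handshake_seen)}."""
    conns = {}
    for src, dst, info in trace:
        sport, dport, flag_text = INFO_RE.match(info).groups()
        flags = set(flag_text.split(", "))
        key = tuple(sorted([(src, int(sport)), (dst, int(dport))]))   # direction-independent
        c = conns.setdefault(key, {"state": "NEW", "handshake": False, "fins": set()})
        if "RST" in flags:
            c["state"] = "RESET"                 # abort: no graceful FIN exchange
        elif "SYN" in flags and "ACK" not in flags:
            c["state"] = "SYN_SENT"              # handshake step 1
        elif "SYN" in flags:
            c["state"] = "SYN_RECEIVED" if c["state"] == "SYN_SENT" else "UNEXPECTED_SYN_ACK"
        elif "FIN" in flags:
            c["fins"].add(src)                   # each side must send its own FIN
            c["state"] = "CLOSING"
        elif "ACK" in flags:
            if c["state"] == "SYN_RECEIVED":
                c["state"], c["handshake"] = "ESTABLISHED", True   # step 3 completes it
            elif len(c["fins"]) == 2:
                c["state"] = "CLOSED"            # both FINs seen and the last one acked
    return {k: (c["state"], c["handshake"]) for k, c in conns.items()}

if __name__ == "__main__":
    for key, (state, handshake) in track_connections(TRACE).items():
        print(key, state, "handshake seen" if handshake else "no handshake in capture")
```

The 1190/80 connection closes cleanly but its handshake is not in the capture, which is how a sniffer started mid-session looks; the RESET result is what a refused or aborted connection looks like.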