1 / 18

ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177

ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit, 404 894-5177 Slides 11 - Fun with TCP/IP. 4/15/2013. Ethernet Header (MAC or Link Layer).

liesel
Télécharger la présentation

ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit, 404 894-5177 Slides 11 - Fun with TCP/IP 4/15/2013

  2. Ethernet Header (MAC or Link Layer) Ethernet Hdr - 14 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data 31 bits 0 Bytes 0 - 3 Destination Address - 6 bytes Bytes 4 - 7 Bytes 8 - 11 Source Address - 6 bytes Bytes 12 - 13 Next Protocol # LSB MSB Next Level Protocol Header (0x 0800 -> IP, 0x 0806 -> ARP) 2

  3. IP Header (Network Layer) Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data Length Frag. Flags Fragment Offset Next Protocol Next Protocol # 1=ICMP 6=TCP 17=UDP Frag. Flags: 010 = Do Not Fragment, DNF 001 = More Fragments, MF 3

  4. Fragmented Packet Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset: 0) TCP Header - 20 bytes (big-endian) App. Hdr & Data 20 bytes 20 + 1260 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:1280) More Data 20 bytes 1280 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 0, offset:2560) Last Data 20 bytes 760 bytes Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 +1280 + 1280 + 760 bytes. IP Fragment ID number is the same for each fragment. 4

  5. Ping of Death Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:65,500) Any Data 20 bytes 1000 bytes Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Fragments are assembled in a buffer in memory. Ping of Death fragment causes a buffer overflow, corrupting the next buffer causing an older version of Windows to crash. “Ping” was used because #ping -s 66500 used to work. “fragrouter” is a network utility that generates bad fragments. 5

  6. Fragmented Packets as seen by “tcpdump” # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)’Filter for seeing frag.s 22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84) Very small fragments 22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64) ) Very small fragments 22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40) Very small, isolated fragment 22:10:50 217.232.26.184 > 128.61.104.27: tcp Note close times, different IPs (frag 0:20@16384) (ttl 240, len 40) Very small, isolated fragment ------- 43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8, “+” means More Fragments bit set. Wireshark display filters: ip.fragment and ip.fragment.X where X can be: count==[number] , error, overlap, overlap.conflict, multipletails, toolongtails) 6

  7. Protocols over IP 161 <- Listening Port No. (Well-Known?) 80 6 17 <- IP Next Protocol Numbers 1 2 89 46 IPsec ESP 50 x0806 ARP x0800 <- Ethernet “Next Protocol” Number Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, …) 7

  8. UDP Header (big endian) Common UDP Server Ports 53 – DNS (Domain Name Server) 123 – NTP (Network Time Protocol) 137 – NBNS (NetBIOS Name Service, Microsoft) 631 – CUPS (Common Unix Printing System 5353 – MDNS (Multicast DNS, Apple) 8

  9. ICMP Header (big endian) 0 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 Identifier Sequence Number Optional Data Bytes 8 - Type Field 0 - Echo Reply (Code=0) 3 - Destination Unreachable 5 - Redirect (change route) 8 - Echo Request (Ping) 11 - Timeout (traceroute) Type 3 - Codes 0 - Network Unreachable 1 - Host Unreachable 3 - Port Unreachable (UDP Reset-old hdr in data) 7 - Destination Host Unknown 12 - Host Unreachable for Type of Service 9 9

  10. Smurf Attack Attacker 23.45.67.89 Victim 130.207.225.23 ICMP Echo Request (Ping) To: 222.45.6.255(Broadcast) From: 130.207.225.23 (spoofed) ICMP Echo Responses To: 130.207.225.23 Network 222.45.6.0/24 Network Broadcast Address = 222.45.6.255 (How is this prevented?) 10

  11. TCP Header – 6 Flag Bits Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data * * Length of TCP Header in bytes /4 TCP Flags: U A P R S F 11

  12. TCP Three-Way Handshake Flags Syn (only) Syn + Ack Ack Ack( Push, Urgent) Ack( Push, Urgent) Server Client A Flag Bit is “present”, “set” or “true” if it is a binary 1. 12

  13. TCP Three-Way Disconnect Ack( Push, Urgent) Ack( Push, Urgent) Fin + Ack Ack Fin + Ack Ack or Reset + Ack Host A Host B Either A or B can be the Server 13

  14. TCP Initial: SYN, SYN-ACK, ACK TCP Final: FIN, ACK, FIN-ACK, ACK TCP SYN and RES-ACK (connection rejected) as seen using wireshark 14

  15. TCP State Diagram Reset 15

  16. Reset Fin Syn Ack Comment Illegal flag combinations are used to determine Operating System 16

  17. DoS Exploits using TCP Packets Land - Source Address = Destination Address Crashes some printers, routers, Windows, UNIX. Tear Drop - IP Fragments that overlap, have gaps (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux. Winnuke - Any garbage data to an open file-sharing port (TCP-139) Crashes Win 95 and NT Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3 Older Windows OS would crash. 17

  18. TCP Session Highjack Attacker - (1) sniffs network and watches Alice establish TCP session with Bob (2) - DOS Attack to Silence Alice (Acks and Resets) (3) - Highjacks TCP Connection by using correct sequence number (0) - Established TCP Connection Bob Alice Off-LAN Attack (can not sniff) to get by host-based firewall. Open several TCP connections to Bob, to predict Bob’s next sequence number DoS Alice so it will not send a TCP Reset to Bob.s SYN-ACK. Send Bob a SYN, then an ACK based on predicted Bob’s seq. no.(from Alice’s IP) Send exploit to Bob (assume all packets are received ok and Ack’ed). 18

More Related