or call for office visit, or call Kathy Cheek,

Slides:



Advertisements
Similar presentations
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format
Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 -
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.
Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.
Institute of Technology Sligo - Dept of Computing Semester 2 Chapter 9 The TCP/IP Protocol Suite Paul Flynn.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
1 ELEN 602 Lecture 15 More on IP TCP. 2 byte stream Send buffer segments Receive buffer byte stream Application ACKs Transmitter Receiver TCP Streams.
Transport Layer TCP and UDP IS250 Spring 2010
ECE Prof. John A. Copeland fax Office: Klaus 3362.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 12 Transmission Control Protocol (TCP) Basics.
4: Network Layer4a-1 IP datagram format ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier Internet checksum time.
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
Packet Analysis with Wireshark
ECE Prof. John A. Copeland fax Office: GCATT.
Chapter 4 TCP/IP Overview Connecting People To Information.
CDPA 網管訓練 駭客任務 2 Ethernet Switching ARP, IP, LAN, Subnet IP Header, Routing ICMP
TCP/IP Basic Theory V1.2. Course Outline OSI model and layer function TCP/IP protocol suite Transfer Control Protocol Internet Protocol Address Resolution.
1 LAN Protocols (Week 3, Wednesday 9/10/2003) © Abdou Illia, Fall 2003.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
© Introduction to Internetworking – Alex Kooijman 04/04/2000 Introduction to internetworking Part Two.
Transmission Control Protocol
CS4550 Computer Networks II IP : internet protocol, part 2 : packet formats, routing, routing tables, ICMP read feit chapter 6.
Lecture 22 Network Security CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini.
Cisco Networking Academy S2 C9 TCP/IP. ensure communication across any set of interconnected networks Stack components such as protocols to support file.
Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.
1 Introduction to TCP/IP. 2 OSI and Protocol Stack OSI: Open Systems Interconnect OSI ModelTCP/IP HierarchyProtocols 7 th Application Layer 6 th Presentation.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 25 November 16, 2004.
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.
or call for office visit,
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
11 CS716 Advanced Computer Networks By Dr. Amir Qayyum.
or call for office visit, or call Kathy Cheek,
Introduction To TCP/IP Networking Mr. Zeeshan Ali, Asst. Professor
Introduction to TCP/IP networking
Introduction to TCP/IP
Hping2.
Review of TCP/IP Internetworking
or call for office visit,
Chapter 17 and 18: TCP is connection oriented
Internet Protocol Formats
TCP/IP Internetworking
TCP.
8 Network Layer Part V Computer Networks Tutun Juhana
TCP/IP Internetworking
Internet Control Message Protocol (ICMP)
TCP - Part I Karim El Defrawy
The IP, TCP, UDP protocols
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Internet Control Message Protocol (ICMP)
Internet Protocol Formats
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
Transport Protocols: TCP Segments, Flow control and Connection Setup
Network Architecture Models: Layered Communications
Transport Protocols: TCP Segments, Flow control and Connection Setup
32 bit destination IP address
Transport Layer 9/22/2019.
TCP Connection Management
Presentation transcript:

email or call for office visit, or call Kathy Cheek, 404 894-5696 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Centergy 5138 email or call for office visit, or call Kathy Cheek, 404 894-5696 Slides 11 - Fun with TCP/IP

Destination Address - 6 bytes Ethernet Header Ethernet Hdr - 20 bytes (little-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data 31 bits Bytes 0 - 3 Destination Address - 6 bytes Bytes 4 - 7 Bytes 8 - 11 Source Address - 6 bytes Bytes 12 - 13 Next Protocol # LSB MSB Next Level Protocol Header (x08 x00 -> 8 ->IP) 2

Next Protocol # 1=ICMP 6=TCP 17=UDP IP Header Ethernet Hdr - 20 bytes (little-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data Length Frag. Flags Fragment Offset Next Protocol Next Protocol # 1=ICMP 6=TCP 17=UDP Frag. Flags: 010 = Do Not Fragment, DNF 001 = More Fragments, MF 3

IP Fragment ID number is the same for each fragment. Fragmented Packet Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset: 0) TCP Header - 20 bytes (big-endian) App. Hdr & Data 20 bytes 20 + 1260 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:1280) More Data 20 bytes 1280 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 0, offset:2560) Last Data 20 bytes 760 bytes Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 +1280 + 1280 + 760 bytes. IP Fragment ID number is the same for each fragment. 4

Ping of Death Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:65,500) Any Data 20 bytes 1000 bytes Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Fragments are assembled in a buffer in memory. Ping of Death fragment causes a buffer overflow, corrupting the next buffer causing an older version of Windows to crash. “Ping” was used because #ping -s 66500 used to work. “fragrouter” is a hacker program that generates bad fragments. 5

Fragmented Packets as seen by “tcpdump” # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)’ 22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84) 22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64) 22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40) 22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40) ------- 43660:64@0+ = ID:Data + Length (without IP hdr) @ Offset, “+” means More Fragments bit set. 6

Protocols over IP 161 <- Listening Port No. (Well-Known?) 6 1 2 89 17 <- IP Next Protocol Numbers 1 2 89 46 ESP 50 x0800 <- Ethernet “Next Protocol” Number 7

UDP Header (big endian) 8

ICMP Header 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 (big endian) 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 Identifier Sequence Number Bytes 8 - Optional Data Type Field 0 - Echo Reply (Code=0) 3 - Destination Unreachable 5 - Redirect (change route) 8 - Echo Request (Ping) 11 - Timeout (traceroute) Type 3 - Codes 0 - Network Unreachable 1 - Host Unreachable 3 - Port Unreachable (UDP Reset-old hdr in data) 7 - Destination Host Unknown 12 - Host Unreachable for Type of Service 9 9

Network Broadcast Address = 222.45.6.255 Smurf Attack Attacker 23.45.67.89 Victim 130.207.225.23 ICMP Echo Request (Ping) To: 222.45.6.255 From: 130.207.225.23 (spoof) ICMP Echo Responses To: 130.207.225.23 Network 222.45.6.0/24 Network Broadcast Address = 222.45.6.255 (How is this prevented?) 10

TCP Header Ethernet Hdr - 20 bytes (little-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data * * Length of TCP Header in bytes /4 TCP Flags: U A P R S F 11

TCP Three-Way Handshake Syn (only) Syn + Ack Ack Ack( Push, Urgent) Ack( Push, Urgent) Client Server 12

TCP Three-Way Disconnect Ack( Push, Urgent) Ack( Push, Urgent) Fin + Ack Ack Fin + Ack Ack or Reset + Ack Host A Host B Either A or B can be the Server 13

TCP Initial: SYN, SYN-ACK, ACK TCP Final: FIN, ACK, FIN-ACK, ACK TCP SYN and RES-ACK (no connection) as seen using WireShark 14

TCP State Diagram Reset 15

Reset Fin Syn Ack Comment 1 OK 1st Packet 2nd Packet Needs Ack Illegal Illegal flag combinations are used to determine Operating System 16

DoS Exploits using TCP Packets Land - Source Address = Destination Address Crashes some printers, routers, Windows, UNIX. Tear Drop - IP Fragments that overlap, have gaps (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux. Winnuke - Any garbage data to an open file-sharing port (TCP-139) Crashes Win 95 and NT ?? - Set Urgent Flag, and Urgent Offset Pointer = 3 Older Windows OS would crash. 17

Mitnik Attack - can not sniff TCP Session Highjack Attacker - (1) sniffs network and watches Alice establish TCP session with Bob (2) - DOS Attack to Silence Alice Acks and Resets (3) - High Jacks TCP Connection by using correct sequence number (0) - Established TCP Connection Bob Alice Mitnik Attack - can not sniff Open several TCP connections to Bob,to predict next sequence number DoS Alice so it will not send a TCP Reset to Bob.s SYN-ACK. Send Bob a SYN, then an ACK based on predicted Bob’s seq. no. Send exploit to Bob (assume all packets are Ack’ed). 18

TCP Connect Handshake - shown by “tcpdump” 20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 1015223232 0> (DF) (ttl 64, id 13382, len 60) <no ack!> 20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <nop,nop,timestamp 693175946 1015223232,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60) 20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . [bad tcp cksum 45f7!] ack 1 win 33304 <nop,nop,timestamp 1015223234 693175946> (DF) (ttl 64, id 13383, len 52) 20:43:59 204.127.198.27.25 > 192.168.1.132.49194: P 1:62(61) ack 1 win 33304 <nop,nop,timestamp 693175953 1015223234> (DF) (ttl 52, id 16742, len 113) 20:43:59 192.168.1.132.49194 > 204.127.198.27.25: P [bad tcp cksum 24f8!] 1:23(22) ack 62 win 33304 <nop,nop,timestamp 1015223234 693175953> (DF) (ttl 64, id 13384, len 74) 19

TCP Finish Handshake - shown by “tcpdump” 20:44:01 204.127.198.27.25 > 192.168.1.132.49194: P 2425:2467(42) ack 3889 win 33304 <nop,nop,timestamp 693176146 1015223238> (DF) (ttl 52, id 16760, len 94) 20:44:01 192.168.1.132.49194 > 204.127.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 <nop,nop,timestamp 1015223238 693176146> (DF) (ttl 64, id 13402, len 52) 20:44:01 204.127.198.27.25 > 192.168.1.132.49194: . [tcp sum ok] ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16761, len 52) 20:44:01 204.127.198.27.25 > 192.168.1.132.49194: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16762, len 52) 20:44:01 192.168.1.132.49194 > 204.127.198.27.25: . [bad tcp cksum 2c51!] ack 2468 win 33304 <nop,nop,timestamp 1015223238 693176152> (DF) (ttl 64, id 13403, len 52) 20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.