or call for office visit,

Slides:

Advertisements

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)

Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.

Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

1 Reading Log Files. 2 Segment Format

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.

Institute of Technology Sligo - Dept of Computing Semester 2 Chapter 9 The TCP/IP Protocol Suite Paul Flynn.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

Transport Layer TCP and UDP IS250 Spring 2010

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

ECE Prof. John A. Copeland fax Office: Klaus 3362.

4: Network Layer4a-1 IP datagram format ver length 32 bits data (variable length, typically a TCP or UDP segment) 16-bit identifier Internet checksum time.

Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.

Packet Analysis with Wireshark

ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.

1 ECE453 – Introduction to Computer Networks Lecture 12 – Network Layer (IV)

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.

Semester 2v2 Chapter 9: TCP/IP.

Chabot College ELEC Ports (Layer 4).

ECE Prof. John A. Copeland fax Office: GCATT.

Chap 9 TCP/IP Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology

Chapter 4 TCP/IP Overview Connecting People To Information.

CDPA 網管訓練駭客任務 2 Ethernet Switching ARP, IP, LAN, Subnet IP Header, Routing ICMP

TCP/IP Basic Theory V1.2. Course Outline OSI model and layer function TCP/IP protocol suite Transfer Control Protocol Internet Protocol Address Resolution.

1 LAN Protocols (Week 3, Wednesday 9/10/2003) © Abdou Illia, Fall 2003.

TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.

© Introduction to Internetworking – Alex Kooijman 04/04/2000 Introduction to internetworking Part Two.

Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.

Review the key networking concepts –TCP/IP reference model –Ethernet –Switched Ethernet –IP, ARP –TCP –DNS.

TCP/IP Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.

Lecture 22 Network Security CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini.

Cisco Networking Academy S2 C9 TCP/IP. ensure communication across any set of interconnected networks Stack components such as protocols to support file.

Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.

1 Introduction to TCP/IP. 2 OSI and Protocol Stack OSI: Open Systems Interconnect OSI ModelTCP/IP HierarchyProtocols 7 th Application Layer 6 th Presentation.

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 25 November 16, 2004.

1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.

or call for office visit,

Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.

11 CS716 Advanced Computer Networks By Dr. Amir Qayyum.

© 2003, Cisco Systems, Inc. All rights reserved.

or call for office visit, or call Kathy Cheek,

or call for office visit Chapter 6 - IPsec (IP Secure)

Introduction to TCP/IP networking

Introduction to TCP/IP

or call for office visit, or call Kathy Cheek,

Review of TCP/IP Internetworking

Internet Protocol Formats

TCP/IP Internetworking

8 Network Layer Part V Computer Networks Tutun Juhana

TCP/IP Internetworking

The IP, TCP, UDP protocols

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

Wide Area Networks and Internet CT1403

Internet Protocol Formats

46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.

Transport Protocols: TCP Segments, Flow control and Connection Setup

Network Architecture Models: Layered Communications

Transport Protocols: TCP Segments, Flow control and Connection Setup

ITIS 6167/8167: Network and Information Security

32 bit destination IP address

Transport Layer 9/22/2019.

TCP Connection Management

Presentation transcript:

email or call for office visit, 404 894-5177 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit, 404 894-5177 Slides 11 - Fun with TCP/IP 4/9/2015

Ethernet Header (MAC or Link Layer) Ethernet Hdr - 14 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data 31 bits Bytes 0 - 3 Destination Address - 6 bytes Bytes 4 - 7 Bytes 8 - 11 Source Address - 6 bytes Bytes 12 - 13 Next Protocol # LSB MSB Next Level Protocol Header (0x 0800 -> IP, 0x 0806 -> ARP) 2

Next Protocol # 1=ICMP 6=TCP 17=UDP IP Header (Network Layer) Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data Length Frag. Flags Fragment Offset Next Protocol Next Protocol # 1=ICMP 6=TCP 17=UDP Frag. Flags: 010 = Do Not Fragment, DNF 001 = More Fragments, MF 3

IP Fragment ID number is the same for each fragment. Fragmented Packet Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset: 0) TCP Header - 20 bytes (big-endian) App. Hdr & Data 20 bytes 20 + 1260 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:1280) More Data 20 bytes 1280 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 0, offset:2560) Last Data 20 bytes 760 bytes Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 +1280 + 1280 + 760 bytes. IP Fragment ID number is the same for each fragment. 4

Ping of Death Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:65,500) Any Data 20 bytes 1000 bytes Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Fragments are assembled in a buffer in memory. Ping of Death fragment causes a buffer overflow, corrupting the next buffer causing an older version of Windows to crash. “Ping” was used because #ping -s 66500 used to work. “fragrouter” is a network utility that generates bad fragments. 5

Fragmented Packets as seen by “tcpdump” # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)’ Filter for seeing frag.s 22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84) Very small fragments 22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64) ) Very small fragments 22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40) Very small, isolated fragment, ID=0 22:10:50 217.232.26.184 > 128.61.104.27: tcp Note close times, different IPs (frag 0:20@16384) (ttl 240, len 40) Very small, isolated fragment ------- 43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset “+” means More Fragments bit set. Wireshark display filters: ip.fragment and ip.fragment.X where X can be: count==[number] , error, overlap, overlap.conflict, multipletails, toolongtails) 6

Protocols over IP 179 21 80 25 23 161 <- Listening Port No. (Well-Known?) 6 17 <- IP Next Protocol Numbers 1 2 89 46 IPsec ESP 50 ARP x0800 <- Ethernet “Next Protocol” Number x0806 Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, …) 7

UDP Header Common UDP Server Ports 53 – DNS (Domain Name Server) (big endian) Common UDP Server Ports 53 – DNS (Domain Name Server) 123 – NTP (Network Time Protocol) 137 – NBNS (NetBIOS Name Service, Microsoft) 631 – CUPS (Common Unix Printing System 5353 – MDNS (Multicast DNS, Apple) 8

ICMP Header 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 (big endian) 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 Identifier Sequence Number Bytes 8 - Optional Data Type Field 0 - Echo Reply (Code=0) 3 - Destination Unreachable 5 - Redirect (change route) 8 - Echo Request (Ping) 11 - Timeout (traceroute) Type 3 - Codes 0 - Network Unreachable 1 - Host Unreachable 3 - Port Unreachable (UDP Reset-old hdr in data) 7 - Destination Host Unknown 12 - Host Unreachable for Type of Service 9 9

Network Broadcast Address = 222.45.6.255 Smurf Attack Attacker 23.45.67.89 Victim 130.207.225.23 ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast) From: 130.207.225.23 (spoofed) ICMP Echo Responses To: 130.207.225.23 Network 222.45.6.0/24 Network Broadcast Address = 222.45.6.255 (How is this prevented?) 10

TCP Header – 6 Flag Bits Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data * * Length of TCP Header in bytes /4 TCP Flags: U A P R S F 11

TCP Three-Way Handshake Flags Syn (only) Syn + Ack Ack Ack( Push, Urgent) Ack( Push, Urgent) Client Server A Flag Bit is “present”, “set” or “true” if it is a binary 1. 12

TCP Three-Way Disconnect Ack( Push, Urgent) Ack( Push, Urgent) Fin + Ack Ack Fin + Ack Ack or Reset + Ack Host A Host B Either A or B can be the Server 13

TCP Initial: SYN, SYN-ACK, ACK TCP Final: FIN, ACK, FIN-ACK, ACK TCP SYN and RES-ACK (connection rejected) as seen using wireshark 14

TCP State Diagram Reset 15

Reset Fin Syn Ack Comment 1 OK 1st Packet 2nd Packet Needs Ack Illegal Illegal flag combinations are used to determine Operating System 16

DoS Exploits using TCP Packets Land - Source Address = Destination Address Crashes some printers, routers, Windows, UNIX. Tear Drop - IP Fragments that overlap, have gaps (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux. Winnuke - Any garbage data to an open file-sharing port (TCP-139) Crashes Win 95 and NT Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3 Older Windows OS would crash. 17

TCP Session Highjack Bob Attacker - (1) sniffs network and watches Alice establish TCP session with Bob (2) - DOS Attack to Silence Alice (Acks and Resets) (3) - Highjacks TCP Connection by using correct sequence number (0) - Established TCP Connection Bob IP connections can be determined by the remote host's sequence no. – not IP ! Alice Off-LAN Attack (can not sniff) to get by host-based firewall. Open several TCP connections to Bob, to predict Bob’s next sequence number DoS Alice so it will not send a TCP Reset to Bob.s SYN-ACK. Send Bob a SYN, then an ACK based on predicted Bob’s seq. no.(from Alice’s IP) Send exploit to Bob (assume all packets are received ok and Ack’ed). 18