email or call for office visit, 404 894-5177 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit, 404 894-5177 Slides 11 - Fun with TCP/IP 4/9/2015
Ethernet Header (MAC or Link Layer) Ethernet Hdr - 14 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data 31 bits Bytes 0 - 3 Destination Address - 6 bytes Bytes 4 - 7 Bytes 8 - 11 Source Address - 6 bytes Bytes 12 - 13 Next Protocol # LSB MSB Next Level Protocol Header (0x 0800 -> IP, 0x 0806 -> ARP) 2
Next Protocol # 1=ICMP 6=TCP 17=UDP IP Header (Network Layer) Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data Length Frag. Flags Fragment Offset Next Protocol Next Protocol # 1=ICMP 6=TCP 17=UDP Frag. Flags: 010 = Do Not Fragment, DNF 001 = More Fragments, MF 3
IP Fragment ID number is the same for each fragment. Fragmented Packet Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset: 0) TCP Header - 20 bytes (big-endian) App. Hdr & Data 20 bytes 20 + 1260 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:1280) More Data 20 bytes 1280 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 0, offset:2560) Last Data 20 bytes 760 bytes Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 +1280 + 1280 + 760 bytes. IP Fragment ID number is the same for each fragment. 4
Ping of Death Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Ethernet Hdr - 20 bytes IP Header - 20 bytes (MF: 1, offset:65,500) Any Data 20 bytes 1000 bytes Packet Buffer 65,535 bytes Packet Buffer 65,535 bytes Fragments are assembled in a buffer in memory. Ping of Death fragment causes a buffer overflow, corrupting the next buffer causing an older version of Windows to crash. “Ping” was used because #ping -s 66500 used to work. “fragrouter” is a network utility that generates bad fragments. 5
Fragmented Packets as seen by “tcpdump” # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)’ Filter for seeing frag.s 22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84) Very small fragments 22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64) ) Very small fragments 22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40) Very small, isolated fragment, ID=0 22:10:50 217.232.26.184 > 128.61.104.27: tcp Note close times, different IPs (frag 0:20@16384) (ttl 240, len 40) Very small, isolated fragment ------- 43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset “+” means More Fragments bit set. Wireshark display filters: ip.fragment and ip.fragment.X where X can be: count==[number] , error, overlap, overlap.conflict, multipletails, toolongtails) 6
Protocols over IP 179 21 80 25 23 161 <- Listening Port No. (Well-Known?) 6 17 <- IP Next Protocol Numbers 1 2 89 46 IPsec ESP 50 ARP x0800 <- Ethernet “Next Protocol” Number x0806 Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, …) 7
UDP Header Common UDP Server Ports 53 – DNS (Domain Name Server) (big endian) Common UDP Server Ports 53 – DNS (Domain Name Server) 123 – NTP (Network Time Protocol) 137 – NBNS (NetBIOS Name Service, Microsoft) 631 – CUPS (Common Unix Printing System 5353 – MDNS (Multicast DNS, Apple) 8
ICMP Header 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 (big endian) 31 bits Bytes 0 - 3 Type Code Checksum Bytes 4 - 7 Identifier Sequence Number Bytes 8 - Optional Data Type Field 0 - Echo Reply (Code=0) 3 - Destination Unreachable 5 - Redirect (change route) 8 - Echo Request (Ping) 11 - Timeout (traceroute) Type 3 - Codes 0 - Network Unreachable 1 - Host Unreachable 3 - Port Unreachable (UDP Reset-old hdr in data) 7 - Destination Host Unknown 12 - Host Unreachable for Type of Service 9 9
Network Broadcast Address = 222.45.6.255 Smurf Attack Attacker 23.45.67.89 Victim 130.207.225.23 ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast) From: 130.207.225.23 (spoofed) ICMP Echo Responses To: 130.207.225.23 Network 222.45.6.0/24 Network Broadcast Address = 222.45.6.255 (How is this prevented?) 10
TCP Header – 6 Flag Bits Ethernet Hdr - 20 bytes (big-endian) IP Header - 20 bytes (big-endian) TCP Header - 20 bytes (big-endian) App. Hdr & Data * * Length of TCP Header in bytes /4 TCP Flags: U A P R S F 11
TCP Three-Way Handshake Flags Syn (only) Syn + Ack Ack Ack( Push, Urgent) Ack( Push, Urgent) Client Server A Flag Bit is “present”, “set” or “true” if it is a binary 1. 12
TCP Three-Way Disconnect Ack( Push, Urgent) Ack( Push, Urgent) Fin + Ack Ack Fin + Ack Ack or Reset + Ack Host A Host B Either A or B can be the Server 13
TCP Initial: SYN, SYN-ACK, ACK TCP Final: FIN, ACK, FIN-ACK, ACK TCP SYN and RES-ACK (connection rejected) as seen using wireshark 14
TCP State Diagram Reset 15
Reset Fin Syn Ack Comment 1 OK 1st Packet 2nd Packet Needs Ack Illegal Illegal flag combinations are used to determine Operating System 16
DoS Exploits using TCP Packets Land - Source Address = Destination Address Crashes some printers, routers, Windows, UNIX. Tear Drop - IP Fragments that overlap, have gaps (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux. Winnuke - Any garbage data to an open file-sharing port (TCP-139) Crashes Win 95 and NT Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3 Older Windows OS would crash. 17
TCP Session Highjack Bob Attacker - (1) sniffs network and watches Alice establish TCP session with Bob (2) - DOS Attack to Silence Alice (Acks and Resets) (3) - Highjacks TCP Connection by using correct sequence number (0) - Established TCP Connection Bob IP connections can be determined by the remote host's sequence no. – not IP ! Alice Off-LAN Attack (can not sniff) to get by host-based firewall. Open several TCP connections to Bob, to predict Bob’s next sequence number DoS Alice so it will not send a TCP Reset to Bob.s SYN-ACK. Send Bob a SYN, then an ACK based on predicted Bob’s seq. no.(from Alice’s IP) Send exploit to Bob (assume all packets are received ok and Ack’ed). 18