TCP/IP Internetworking

Presentation transcript:

TCP/IP Internetworking (February 3, 2016) © Abdou Illia – Spring 2016

Security Goals
Main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources
Authenticity: ensuring that the data, transactions, communications or documents are genuine, and validating that both parties involved are who they claim to be.
Non-repudiation: ensuring that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

TCP/IP and Security Goals
Understanding TCP/IP helps understand:
- Technical aspects of system attacks, such as:
  - the structure of attack messages
  - the content of attack messages
  - what makes attack messages dangerous
- How defense tools are designed and configured to meet security goals

The TCP/IP (or Internet) Model
4 or 5 layers:
- Interface layer: represents network adapters, modems, etc.
- Network layer: responsible for identifying sender and receiver
- Transport layer: deals with managing data transport issues
- Application layer: represents the user's interface / network applications
[Figure: layer stack, top to bottom: Application layer, Transport layer, Network layer, Interface layer (Data Link, Physical)]

Protocols Used in TCP/IP Layers
Application layer:
- Web service: HTTP
- E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol)
- Telnet applications: Terminal Emulation Protocol
- File transfer: FTP
Transport layer:
- TCP (Transmission Control Protocol)
  - Required in web service when HTTP is used
  - Required in mail service when SMTP is used; SMTP messages are encapsulated in TCP segments
  - Connection-oriented: establishes and maintains a connection before sending, and closes the connection after transmission
  - Corrects errors in TCP segments
- UDP (User Datagram Protocol)
  - Connectionless: does not open a connection; simply sends
  - Discards incorrect UDP datagrams (no retransmission)
Network layer:
- IP (Internet Protocol)
Interface layer:
- PPP (Point-to-Point Protocol)
- V.90 for 56 Kbps modems

Layered Communications: Encapsulation – De-encapsulation
Application programs on different computers cannot communicate directly: there is no direct connection between them.
They need to use an indirect communication system called layered communications or layer cooperation.
[Figure: an HTTP request travels from the Browser on the User PC down through the Transport (Trans), Internet (Int), Data Link (DL) and Physical (Phy) layers, then up the same layers to the Web App on the Webserver]

Layer Cooperation on the User PC
Encapsulation on the sending machine: embedding the message received from the upper layer in a new message.
[Figure: User PC stack, top to bottom. Application: HTTP request. Transport: encapsulation of the HTTP request in the data field of a TCP segment (TCP-H + HTTP req.). Internet: IP packet (IP-H + TCP-H + HTTP req.). Data Link: frame (PPP-H + IP-H + TCP-H + HTTP req. + PPP-T). Physical.]

Layer Cooperation on the Web server
De-encapsulation: other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer.
[Figure: Webserver stack, bottom to top. Transmission media. Data Link: frame (PPP-H + IP-H + TCP-H + HTTP req. + PPP-T). Internet: IP packet (IP-H + TCP-H + HTTP req.). Transport: TCP segment (TCP-H + HTTP req.). Application: HTTP request.]

IP Packet
[Figure: IP Version 4 packet layout, bit 0 to bit 31]
- Version (4 bits): 0100 for IP version 4
- Header Length (4 bits)
- QoS (8 bits)
- Total Length (16 bits)
- Identification (16 bits)
- Flags
- Fragment Offset (13 bits)
- Time To Live (8 bits)
- Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP
- Header Checksum (16 bits)
- Source IP Address (32 bits)
- Destination IP Address (32 bits)
- Options (if any), Padding
- Data Field
Notes:
- QoS: also called Type of Service; indicates the priority level the packet should have.
- Identification tag: helps reconstruct the packet from several fragments.
- Flags: indicate whether the packet may be fragmented (DF: Don't Fragment) and whether more fragments of the packet follow (MF: More Fragments or NF: No More Fragments).
- Fragment offset: identifies which fragment this packet is attached to.
- TTL: indicates the maximum number of hops (or routers) the packet may pass through before a hop discards it.
- Header checksum: checks for errors in the header only.
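As an added example (not part of the slides), a Python parser for the IPv4 header fields listed above. The sample header is constructed here; its source and destination addresses reuse the two addresses shown in the deck's later figures, and the checksum check uses the one's-complement sum that defines the Header Checksum field.

```python
import struct
from ipaddress import IPv4Address

IPV4_FMT = "!BBHHHBBH4s4s"   # the ten fixed fields of a 20-byte IPv4 header

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields from the slide's IPv4 layout; covers the header only, not the data field."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    ihl = ver_ihl & 0x0F                     # header length in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl * 4,
        "qos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),     # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),     # More Fragments flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        # A header whose checksum field is correct sums to 0 under the same algorithm.
        "checksum_ok": ip_checksum(packet[:ihl * 4]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }

def build_sample_header() -> bytes:
    """Constructed sample: 20-byte header of a TCP packet (protocol 6), DF set, TTL 64."""
    raw = struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      IPv4Address("1.34.150.37").packed, IPv4Address("60.168.47.47").packed)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]

if __name__ == "__main__":
    print(parse_ipv4_header(build_sample_header()))
```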

Summary Questions (Part 1)
1. What is the main version of the Internet Protocol in use today? What is the other version?
2. What does a router do with an IP packet if it decrements its TTL value to zero?
3. Assume that a router received an IP packet with the Protocol field in the header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?

IP Fragmentation
[Figure: router between Subnet 1 and Subnet 2]
- When a packet arrives at a router, the router selects the port and subnet to forward the packet to.
- If the packet is too large for the subnet to handle, the router fragments the packet, i.e. divides the packet's data field into fragments.
- Each fragment is given the same Identification tag value, i.e. the Identification tag of the original packet.
- The first fragment is given a Fragment Offset value of 0.
- Subsequent fragments get Fragment Offset values consistent with their data's place in the original packet.
- The last fragment's Flag is set to "No More Fragments".
- The destination host reassembles the fragments based on the offsets.
[Figure: header fields Identification (16 bits), Flags, Fragment Offset (13 bits)]

Firewalls and Fragmented IP Packets
- Fragmentation makes it hard for firewalls to filter individual packets.
- The TCP or UDP header appears only in the first fragment.
- A firewall might drop the first fragment, but not the subsequent fragments.
- Some firewalls drop all fragmented packets.
[Figure: Attacker 1.34.150.37 sends a packet through a router to Firewall 60.168.47.47. 1. First Fragment: IP Header + TCP Header + Data Field. 2. Second Fragment: IP Header + TCP Data Field. 3. TCP header only in the first fragment. 4. No TCP header in the second fragment. 5. The firewall can only filter on the TCP header in the first fragment.]
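An added example covering the two slides above (the router's fragmentation rules and the firewall weakness), not code from the slides: fragments are modelled as small dicts rather than full IP headers, the TCP segment is constructed here, and `stateless_filter` versus `reassembling_filter` are assumed names for the two firewall behaviours.

```python
import struct

IP_HDR = 20    # IPv4 header length without options (bytes)
TCP_HDR = 20   # minimal TCP header; it sits in the IP data field, so only fragment 0 carries it

def fragment(ident: int, data_field: bytes, mtu: int) -> list:
    """Router side: split an IP packet's data field for a subnet whose MTU is too small.
    All fragments keep the original Identification; offsets are multiples of 8 bytes;
    MF (More Fragments) is set on every fragment except the last."""
    chunk = (mtu - IP_HDR) // 8 * 8              # fragment data size must be a multiple of 8
    frags = []
    for off in range(0, len(data_field), chunk):
        frags.append({"id": ident, "offset": off, "mf": off + chunk < len(data_field),
                      "data": data_field[off:off + chunk]})
    return frags

def reassemble(frags: list) -> bytes:
    """Destination host side: order by offset and join once the MF=0 fragment is present."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment (MF=0) missing")
    return b"".join(f["data"] for f in ordered)

def tcp_dst_port(frag: dict):
    """Only the offset-0 fragment exposes the TCP header; later fragments return None."""
    if frag["offset"] != 0 or len(frag["data"]) < TCP_HDR:
        return None
    return struct.unpack("!H", frag["data"][2:4])[0]

def stateless_filter(frags: list, blocked_port: int) -> list:
    """Per-fragment rule: drops the first fragment but passes the rest (the slide's weakness)."""
    return [f for f in frags if tcp_dst_port(f) != blocked_port]

def reassembling_filter(frags: list, blocked_port: int) -> list:
    """Reassemble first, then apply the port rule to the whole packet."""
    port = struct.unpack("!H", reassemble(frags)[2:4])[0]
    return [] if port == blocked_port else frags

def sample_fragments() -> list:
    """Constructed sample: a TCP segment to port 23 (Telnet) with 60 bytes of data, MTU 60."""
    tcp = struct.pack("!HHIIBBHHH", 49562, 23, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return fragment(0x1234, tcp + b"A" * 60, 60)
```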

TCP Segment
[Figure: TCP segment layout, bit 0 to bit 31]
- Source Port Number (16 bits), Destination Port Number (16 bits)
- Sequence Number (32 bits)
- Acknowledgment Number (32 bits)
- Header Length (4 bits), Reserved (6 bits), Flag Fields: ACK, SYN, ... (6 bits), Window Size (16 bits)
- TCP Checksum (16 bits), Urgent Pointer (16 bits)
- Data
Notes:
- Port number: identifies the sending and receiving application programs.
- Sequence number: identifies the segment's place in the sequence; allows the receiving Transport layer to put arriving TCP segments in order.
- Acknowledgement number: identifies which segment is being acknowledged.
- Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Each can be set to 0 (off) or 1 (on); e.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know which TCP segment is being acknowledged?
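An added example, not from the slides: a parser for the TCP header layout above, with the six flags decoded by bit position, plus a constructed segment builder (its checksum is left at 0, since the real value needs the IP pseudo-header). The `acknowledges` helper is an assumed name; it encodes the answer to the slide's question, namely that the ACK flag is only meaningful together with the Acknowledgment Number field.

```python
import struct

TCP_FMT = "!HHIIBBHHH"                                   # the fixed 20-byte TCP header
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")    # bit 0 .. bit 5 of the flag field

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fields from the slide's TCP segment layout."""
    (sport, dport, seq, ack, off_res, flags, window,
     csum, urg) = struct.unpack(TCP_FMT, segment[:20])
    hlen = (off_res >> 4) * 4                            # header length is in 32-bit words
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": hlen,
        "flags": {name: bool(flags & (1 << bit)) for bit, name in enumerate(TCP_FLAGS)},
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "data": segment[hlen:],
    }

def build_segment(sport, dport, seq, ack, flag_names, data=b"") -> bytes:
    """Constructed sample builder; checksum left at 0 (computing it needs the IP pseudo-header)."""
    flags = sum(1 << TCP_FLAGS.index(n) for n in flag_names)
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + data

def acknowledges(seg: dict, expected_seq: int) -> bool:
    """An ACK flag is meaningful only together with the Acknowledgment Number field,
    which must hold the next sequence number expected from the peer."""
    return seg["flags"]["ACK"] and seg["ack"] == expected_seq
```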

TCP and use of Flags
Flag Fields (6 bits): ACK SYN FIN RST URG PSH
- TCP is a connection-oriented protocol: sender and receiver need to establish a connection, i.e. they need to agree to "talk".
- Flags are used for establishing the connection:
  - The sender requests connection opening: SYN flag set to 1.
  - If the receiver is ready to "talk", it responds with a SYN/ACK segment.
  - The sender acknowledges the acknowledgment.
  - If the sender does not get an ACK, it resends the segment.
[Figure: 3-way handshake between the PC Transport Process and the Webserver Transport Process. 1. SYN (Open). 2. SYN, ACK (1) (acknowledgment of 1). 3. ACK (2).]
Note: with connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.

Communication during a normal TCP Session
FIGURE A-15
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
Note: At any time, either process can send a TCP RST (reset) segment, with the RST bit set to 1, to drop the connection (i.e. to abruptly end the connection).

SYN/ACK Probing Attack
[Figure: 1. Attacker 1.34.150.37 probes 60.168.47.47 with a SYN/ACK segment (IP header + SYN/ACK segment). 2. Victim 60.168.47.47: no SYN (Open) was sent, so the SYN/ACK makes no sense. 3. The victim replies "Go away!" with an RST segment. 4. The reply's source IP address is 60.168.47.47. 5. Attacker concludes that 60.168.47.47 is live.]
- Sending SYN/ACK segments helps attackers locate "live" targets.
- Older Windows OS versions could crash when they received a SYN/ACK probe.
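An added example serving both the 3-way handshake slide and the SYN/ACK probing slide, written from the probed host's side (not code from the slides): the tracker records the SYNs the host sent, accepts a SYN/ACK only when it acknowledges one of them, and logs any other SYN/ACK as an unsolicited probe before the host answers with RST. `HandshakeTracker`, the flow key and the traffic (including the placeholder web server address 10.0.0.80) are constructed for this example.

```python
class HandshakeTracker:
    """Host-side view of TCP connection openings, used here as detection logic:
    a SYN/ACK that answers no SYN of ours is the probe described on the slide.
    Constructed for this example; flows are keyed by (peer_ip, local_port, peer_port)."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.pending = {}          # flow key -> sequence number of the SYN we sent
        self.established = set()
        self.alerts = []

    def observe(self, src, sport, dst, dport, flags, seq, ack) -> str:
        """Feed one segment header (flags as a set of names); returns the host's action."""
        flags = frozenset(flags)
        if src == self.local_ip:                          # a segment we are sending
            key = (dst, sport, dport)
            if flags == {"SYN"}:                          # 1. SYN (open)
                self.pending[key] = seq
                return "SYN sent"
            if flags == {"ACK"} and key in self.pending:  # 3. ACK completes the 3-way handshake
                self.established.add(key)
                del self.pending[key]
                return "established"
            return "ignored"
        key = (src, dport, sport)                         # a segment from the peer
        if flags == {"SYN", "ACK"}:
            if key in self.pending and ack == self.pending[key] + 1:
                return "send ACK"                         # 2. SYN/ACK acknowledging our SYN
            # No SYN was sent to this peer: "makes no sense", answered with RST and logged.
            self.alerts.append("unsolicited SYN/ACK from %s:%d to port %d" % (src, sport, dport))
            return "send RST"
        return "ignored"

def run_sample():
    """Constructed traffic seen by 60.168.47.47: one normal handshake with a web server
    (placeholder address 10.0.0.80), then a SYN/ACK probe from 1.34.150.37."""
    host = HandshakeTracker("60.168.47.47")
    segments = [
        ("60.168.47.47", 49562, "10.0.0.80", 80, {"SYN"}, 1000, 0),
        ("10.0.0.80", 80, "60.168.47.47", 49562, {"SYN", "ACK"}, 5000, 1001),
        ("60.168.47.47", 49562, "10.0.0.80", 80, {"ACK"}, 1001, 5001),
        ("1.34.150.37", 443, "60.168.47.47", 51000, {"SYN", "ACK"}, 777, 1),
    ]
    return [host.observe(*s) for s in segments], host.alerts
```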

TCP and use of Port numbers
Source Port Number (16 bits), Destination Port Number (16 bits)
Port numbers identify applications:
- Well-known ports (0-1023): used by major server applications for providing network services. HTTP web service=80, Telnet=23, FTP=21, SMTP e-mail=25.
- Registered ports (1024-49151): used by client and server applications. The developer must register the number with IANA.
- Ephemeral/dynamic/private ports (49152-65535): cannot be registered with IANA; for custom/temporary purposes.
Socket notation: IP address:Port #
[Figure: computer hardware (processor, RAM chip, HD) running an operating system with web server applications www:80, FTP:21, SMTP:25]
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Dynamic.2C_private_or_ephemeral_ports

Summary Questions (Part 2)
A host sends a TCP segment with source port number 25 and destination port number 49562.
1. Is the source host a server or a client? Why?
2. If the host is a server, what kind of service does it provide?
3. Is the destination host a server or a client? Why?

TCP and Port spoofing
- Attackers set their application to use a well-known port despite not being the service associated with that port.
- Most companies set their firewall to accept packets to and from port 80.
- Attackers set their client program to use well-known port 80.

Summary Questions (Part 4)
1. What is IP fragmentation?
2. Does IP fragmentation make it easier for a firewall to filter incoming packets? Why?
3. What is a SYN/ACK probing attack?
4. What kind of port numbers do major server applications, such as e-mail service, use?
5. What kind of port numbers do client applications usually use?
6. What is socket notation?
7. What is port spoofing?
8. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?