Lecture 20: Network Primer 7/8/2003 CSCE 590 Summer 2003.

Obligatory 7 Layer OSI Model
Open Systems Interconnection Model
- End to End Layers:
  7 – Application: interfaces directly with the user
  6 – Presentation: provides data independence (different representation of numbers, network byte order)
  5 – Session: establishes, manages and terminates connections between applications
  4 – Transport: end-to-end error recovery and flow control
- Point to Point Layers:
  3 – Network: creating logical paths for transmitting data from node to node; i.e. routing, switching
  2 – Link: logical organization of data bits transmitted on a particular medium
  1 – Physical: physical properties of communications media

4 (5) Layer IP Model
IP is older than the OSI Model, so IP doesn't exactly fit it
- Application – SSH, DNS
- Transport – TCP, UDP
- Network – IP
- Link/Physical – device drivers/wires and electricity

Packets and Frames
Like envelopes within envelopes
- Frames = hardware layers
  - Ethernet
  - ATM
  - Token Ring
- Packets = software layers
  - IP
  - IPX

Frames
- Has a header and a trailer
  - Trailer: 4 bytes – Cyclic Redundancy Check (CRC)
- Frame header used for synchronization
  - Tells the NIC where the frame begins so it can start pulling data
  - 14 bytes
- Frame data is the packet for the next layer
- Max 1518 bytes, min 64 bytes

Ethernet Frame Header (IEEE Ethernet frame)
Layer 2 (MAC Header): Preamble (… bytes) | Start Delimiter (1 byte) | Destination MAC Address (6 bytes) | Source MAC Address (6 bytes) | Length (2 bytes)
Layer 3+: Data Field | Pad Field
Frame CRC (4 bytes)
Min: 64 bytes, Max: 1518 bytes

Ethernet Frame Fields
- Alternating 0's and 1's in the preamble to synchronize
- Start delimiter has its last 2 bits as 11
- Length of data field does not include any padding added to reach the minimum size
  - In Ethernet II this is the Type field; a value > 1500 identifies which memory buffer on the destination it is stored in = protocol of the data field (IP = hex 0800)
- MAC addresses
  - 48 bit hardware address of the Network Interface Card
  - First 3 bytes are the Organizationally Unique Identifier (OUI) of the NIC manufacturer
  - All ones signifies the broadcast address
- CRC does not include the preamble and start delimiter

Trace of Ethernet Header
tcpdump -en -XX -s 1518 -i eth0 | more
Ethernet II: Protocol=IP; Not packet length

Encapsulation and Decapsulation
One layer's header is part of another layer's data:
  DATA
  TCP Header | DATA
  IP Header | TCP Header | DATA
  Frame Header | IP Header | TCP Header | DATA | Frame Footer

Bridging the Layers
How do we get from a hardware MAC address at Layer 2 to an IP address at Layer 3?
Address Resolution Protocol (ARP)
- We don't want a permanent mapping between MAC address and IP address; it needs to be dynamic
- ARP allows us, given an IP address, to find the physical address of the host with that IP address

ARP
- IP addresses are used to route a packet to its final destination
- MAC addresses are used to travel from intermediate hop to intermediate hop
- MAC addresses are stripped and replaced in the frame at each hop
  - Next hop becomes the new destination
  - Current hop becomes the new source
- IP routing provides which hop is next; MAC addresses and ARP get the frame there

ARP Packet Format (32-bit rows)
Hardware Type | Protocol Type
Hardware Length | Protocol Addr Len | Opcode
Source Hardware Address
Source Hardware Address (cont) | Source Protocol Address
Source Protocol Address (cont) | Target Hardware Address
Target Hardware Address (cont)
Target Protocol Address

ARP Packet Fields
- Hardware Type:
  - Ethernet = 1
  - ATM = 16
- Protocol Address Type
  - IP = 0x0800
- Hardware Address Length: length of the hardware address in bytes
- Protocol Address Length: length of the protocol address in bytes
- Operation Code: 1 = Request, 2 = Reply

ARP Request
- Each machine keeps a local ARP cache of IP address to MAC address mappings, for about 120 seconds each
- If an IP address is not in its cache, it broadcasts an ARP Request to all machines on the local network
- Non-target machines receiving the broadcast may cache the sender's MAC and IP addresses to help reduce broadcast traffic
- Destination MAC address is all 1's
  arp who-has tell

ARP Reply
- The machine that has that IP address issues an ARP Reply
- It also caches the requestor's IP and MAC addresses
- The requestor gets the response and caches it
  arp reply is-at 00:06:de:ad:be:ef
- Many machines will cache an unsolicited ARP reply, which can enable ARP spoofing and sniffing on switched networks

Malicious ARP Spoofing
- Unsolicited ARP reply
- Man-in-the-Middle
  arp reply is-at 00:00:de:ad:be:ef
ARP Cache Contents Afterwards: = 00:00:de:ad:be:ef

Malicious ARP Sniffing on Switched Networks
- ARP spoof the default gateway of the subnet, sending to the switch
- The switch will have 2 entries for the default gateway in its cache, and will send each packet to both
- Or on older switches, you could flood the ARP cache with bogus entries, causing the switch to fail open, like a hub: it sends each packet to all ports

Switch Sniffing
  arp reply is-at 00:00:de:ad:be:ef
ARP Cache Contents Afterwards:
  = 00:00:da:da:be:ee
  = 11:11:de:ad:be:ef
  11:11:da:da:be:ee
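The ARP Request, ARP Reply and ARP Spoofing slides describe the two things a host or a monitor on the segment can check for: an is-at reply that no who-has request preceded, and a cached mapping whose MAC suddenly changes. The following is an added example, not code from the lecture; it decodes packets in the layout of the ARP Packet Format slide and raises those two alerts over constructed traffic (the addresses and MACs are made up).

```python
import struct

# Added example, not lecture code: decode ARP packets and flag suspect replies.
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(pkt: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (hardware type 1, protocol 0x0800)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", pkt[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode a packet in the same layout (used here only to build sample traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

class ArpMonitor:
    def __init__(self):
        self.cache = {}       # ip -> mac, what a host's ARP cache would hold
        self.pending = set()  # IPs a who-has request was seen for

    def observe(self, pkt: bytes) -> list:
        a, alerts = parse_arp(pkt), []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
        elif a["op"] == ARP_REPLY:
            if a["spa"] not in self.pending:
                alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']}")
            self.pending.discard(a["spa"])
            old = self.cache.get(a["spa"])
            if old is not None and old != a["sha"]:
                alerts.append(f"mapping changed: {a['spa']} {old} -> {a['sha']}")
            self.cache[a["spa"]] = a["sha"]
        return alerts

def run_sample() -> list:
    """Constructed traffic: a normal who-has/is-at for the gateway, then an is-at
    for the gateway from a different MAC that nobody asked for."""
    gw, host, zero = "192.0.2.1", "192.0.2.10", "00:00:00:00:00:00"
    m = ArpMonitor()
    alerts = m.observe(build_arp(ARP_REQUEST, "00:06:00:00:00:0a", host, zero, gw))
    alerts += m.observe(build_arp(ARP_REPLY, "00:06:00:00:00:01", gw, "00:06:00:00:00:0a", host))
    alerts += m.observe(build_arp(ARP_REPLY, "00:00:de:ad:be:ef", gw, "00:06:00:00:00:0a", host))
    return alerts
```

A real monitor must also expire pending requests and cache entries (the slides give about 120 seconds), otherwise a legitimate re-request after a NIC swap would still look like a changed mapping.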

Packets
- Packets have positional fields
- A predefined number of bits is allocated to each field
- Some optional fields vary in size
  - Other fields describe their length
  - Example is the data field
- No footers like with frames

IP Header (32-bit rows)
Version | Hdr Len | Type of Service | Total Length in Bytes
IP Identification Number (Frag ID) | R | DF | MF | Fragment Offset (13 bits)
TTL | IP Protocol | Header Checksum
Source IP Address
Destination IP Address
Options (Variable Length 0-40 bytes, padded with 0's)

IP Header Fields
- Version: 4 bits, version of IP, usually 4, but 6 is becoming more common
- Header Length: 4 bits, length of the IP header in 32-bit (4 byte) words
  - Maximum of 60 words
  - Commonly 5 words (with no IP options)
- Type of Service (TOS): 8 bits, nominally the type of service the packet should receive
- Total Length: 16 bits, total length of the IP packet in bytes. Max possible bytes

IP Fragmentation
- Fragmentation is needed because not all networks' MTUs (Maximum Transmission Units) are the same
- Occurs when the MTU is smaller than the datagram
- Reassembled at the destination host
- Each fragment is encapsulated in an IP datagram
- Can be used to bypass routers and IDS

IP Fragmentation
IP fragmentation fields:
- Fragmentation ID, Offset, and Flags
- Fragments must share a common fragment identification number
- Must tell the offset of this data fragment in the original unfragmented datagram
- Must tell the length of data in this fragment
- Must tell whether more fragments are to follow

Fragment ID Field
- Each IP packet has a unique IP Identification number
- Increments by 1 for each datagram in a session
- In a fragmented packet, each datagram fragment retains the original IP ID Number as a Fragment ID Number. This identifies a fragment as belonging to an original datagram to the reassembling host

Fragmentation Flags
- Three bit flag field
- Bit 0 is reserved and not used
- Bit 1: DF – Don't Fragment when set to 1
  - What if fragmentation is needed? A router will send back an ICMP unreachable (need to fragment) packet to the source with the size of the maximum MTU
- Bit 2: MF – More Fragments when set to 1

Fragmentation Offset Field
- 13 bit field
- Tells the receiving system where the fragment's data belongs in the original datagram so that it can be reconstructed
- From the perspective of the IP data field: TCP, ICMP, UDP fields are included in the offset

Fragmentation Example
On Windows:
  ping -n 1 -l

Fragmentation Example: The Math
- Ethernet = 1500 bytes
- Each IP header takes 20 bytes
- So 1480 bytes of data in each fragment
- The total packet size we have to break up is 3300 data bytes + 20 bytes IP header + 8 bytes ICMP header = 3328 bytes
- The first fragment gets the IP header and the ICMP header and ( ) 1472 bytes of data
- The rest of the fragments do not have the ICMP header

Fragmentation Example
1. 20 bytes IP, 8 bytes ICMP, 1472 bytes data; fragment ID = 4620, length = 1480, offset = 0, MF = ; – 1472 = 1828 bytes remaining
2. 20 bytes IP, 1480 bytes data; fragment ID = 4620, length = 1480, offset = 1480, MF = ; – 1480 = 348 bytes remaining
3. 20 bytes IP, 348 bytes data; fragment ID = 4620, length = 348, offset = 2960, MF = 0; 0 bytes remaining
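The arithmetic of the three Fragmentation Example slides, written as a function so it can be rerun for other payload sizes and MTUs. This is an added example, not code from the lecture; it also shows what the hand-computed byte offsets become on the wire, where the 13-bit offset field counts 8-byte units and shares a 16-bit word with the R, DF and MF flags.

```python
# Added example, not lecture code: the "Fragmentation Example" arithmetic
# (ID 4620, 3300 bytes of echo data, 1500-byte Ethernet MTU) as a function.

IP_HDR = 20    # header length without options, as on the slides
ICMP_HDR = 8

def fragment(payload_len: int, mtu: int = 1500, ip_id: int = 4620, ip_hdr: int = IP_HDR) -> list:
    """Split an IP payload of payload_len bytes (transport header included) into
    fragments that fit the MTU. Every fragment but the last must carry a multiple
    of 8 data bytes, because the 13-bit offset field counts 8-byte units."""
    per_frag = (mtu - ip_hdr) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        length = min(per_frag, payload_len - offset)
        more = offset + length < payload_len
        frags.append({"id": ip_id, "offset": offset, "length": length, "MF": int(more),
                      "offset_field": offset // 8, "total_length": ip_hdr + length})
        offset += length
    return frags

def flags_offset_word(df: bool, mf: bool, offset_bytes: int) -> int:
    """The 16-bit header word: R (bit 15), DF (bit 14), MF (bit 13), 13-bit offset."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    return (int(df) << 14) | (int(mf) << 13) | (offset_bytes // 8)

def ping_fragments(data_bytes: int = 3300) -> list:
    """The slide's ping: ICMP header + data is the IP payload, so the first
    fragment carries only 1480 - 8 = 1472 bytes of echo data."""
    return fragment(ICMP_HDR + data_bytes)

if __name__ == "__main__":
    for f in ping_fragments():
        print(f)
```

Note that offsets are measured from the start of the IP data field, so the ICMP header counts toward the 1480 bytes of the first fragment, exactly as the slide's 1472 figure shows.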

Malicious Fragmentation
- Fragmenting to blind IDS
  - Never sends the final piece
  - Or a piece is missing in the middle
  - Some IDS reconstruct fragmented packets to 'normalize' them and check against signatures
  - Only so much memory is assigned to it
  - Or a limited number of fragmented packets can be reconstructed at once
- If the IDS does not normalize, split the attack up into frags and it won't match signatures

Ping of Death
- Denial of Service
- Very large datagram crafted using fragments
- When reassembled by the victim, the maximum IP datagram size of  is exceeded
- Causes crashes, system hangs, BSOD
- Is *OLD*, all vendors should have a patch

Teardrop Attack
What's wrong with this picture?
1. evilfragger.org.139 > target.edu.139: udp 28 (frag
2. evilfragger.org > target.edu: (frag
Remember (frag
It reboots or crashes some unpatched machines

Teardrop Attack
1. evilfragger.org.139 > target.edu.139: udp 28 (frag
2. evilfragger.org > target.edu: (frag
Figure: Fragment 1 spans Byte 0 to Byte 35; Fragment 2 spans Byte 24 to Byte 27, inside Fragment 1
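The Malicious Fragmentation, Ping of Death and Teardrop slides all come down to a reassembler trusting the offset and length fields. The check below is an added example, not lecture code: it is the consistency pass an IDS normalizer or a reassembling host should run over a set of fragments before copying any data, flagging overlaps (including the teardrop shape drawn above, where the second fragment ends before the first one does), holes, and a final fragment that never arrives. The sample fragment sets are constructed.

```python
# Added example, not lecture code: sanity-check fragments of one IP ID before reassembly.

def check_fragments(frags: list) -> dict:
    """frags: (offset_bytes, data_length, more_fragments) tuples sharing one
    IP ID, in arrival order. Returns a verdict and the problems found."""
    problems, accepted, saw_last = [], [], False
    for off, length, mf in frags:
        end = off + length
        if length <= 0 or off % 8:
            problems.append(f"bad fragment: offset {off} length {length}")
            continue
        for s, e in accepted:
            if off < e and s < end:          # byte ranges intersect
                problems.append(f"fragment {off}-{end - 1} overlaps {s}-{e - 1}")
                if s <= off and end <= e:
                    # The teardrop shape: trimming the new fragment to start at e
                    # would give it a negative length, so a safe reassembler
                    # drops the fragment instead of trimming it.
                    problems.append("overlap lies entirely inside an earlier fragment")
        if not mf:
            saw_last = True
        accepted.append((off, end))
    expected = 0
    for s, e in sorted(accepted):
        if s > expected:
            problems.append(f"gap: bytes {expected}-{s - 1} never arrived")
        expected = max(expected, e)
    if not saw_last:
        problems.append("final fragment (MF=0) never arrived")
    return {"ok": not problems, "problems": problems, "total_bytes": expected}

# Constructed sample fragment sets: (offset, length, MF).
TEARDROP_SHAPE = [(0, 36, 1), (24, 4, 0)]                       # as drawn on the slide
PING_3300 = [(0, 1480, 1), (1480, 1480, 1), (2960, 348, 0)]     # the benign example
MISSING_TAIL = [(0, 1480, 1), (1480, 1480, 1)]                  # final piece never sent
MISSING_MIDDLE = [(0, 1480, 1), (2960, 348, 0)]                 # piece missing in the middle

if __name__ == "__main__":
    for name in ("TEARDROP_SHAPE", "PING_3300", "MISSING_TAIL", "MISSING_MIDDLE"):
        print(name, check_fragments(globals()[name]))
```

The reassembly buffer itself also needs the Ping of Death bound: offset plus length of any fragment must not exceed the maximum IP datagram size, and incomplete sets must be timed out so they cannot pin memory indefinitely.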

References
Read Chapter 6