ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362.

Slides 11 - Fun with TCP/IP, 4/9/2015 (ECE-6612, Prof. John A. Copeland)

Slide 2 - Ethernet Header (MAC or Link Layer)
Frame layout: Ethernet Hdr (14 bytes, big-endian) | IP Header (20 bytes, big-endian) | TCP Header (20 bytes, big-endian) | App. Hdr & Data.
Ethernet header fields (bits 0 to 31 across each row): Destination Address (6 bytes), Source Address (6 bytes), Next Protocol (2 bytes, MSB then LSB). The Next Protocol number identifies the next-level protocol header (0x0800 = IP, 0x0806 = ARP, as listed on slide 7).

Slide 3 - IP Header (Network Layer); frame layout as on slide 2, with the IP header highlighted.
Fields called out: Length, Next Protocol (1 = ICMP, 6 = TCP, 17 = UDP), Frag. Flags, Fragment Offset.
Frag. Flags (3 bits): 010 = Do Not Fragment (DNF), 001 = More Fragments (MF).

Slide 4 - Fragmented Packet
A data packet from Token Ring has a TCP header (20 bytes) plus App. Header and Data (3300 bytes); it is carried in three IP fragments:
Fragment 1: IP Header - 20 bytes (MF: 1, offset: 0), then the TCP Header (20 bytes) and the first part of App. Hdr & Data (1280 bytes of IP payload in all, since fragment 2 starts at offset 1280).
Fragment 2: IP Header - 20 bytes (MF: 1, offset: 1280), then More Data (1280 bytes).
Fragment 3: IP Header - 20 bytes (MF: 0, offset: 2560), then Last Data (760 bytes).
The IP Fragment ID number is the same for each fragment.

Slide 5 - Ping of Death
The fragment: IP Header - 20 bytes (MF: 1, offset: 65,500), followed by 1000 bytes of any data, arriving at a packet buffer of 65,535 bytes.
Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash. "Ping" was used because "#ping -s" used to work. "fragrouter" is a network utility that generates bad fragments.

Slide 6 - Fragmented Packets as seen by "tcpdump"
Filter for seeing fragments:
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'
Sample lines (timestamps and addresses are elided in the transcript), with the instructor's annotations:
22:10: > : : (44) ack win (frag (ttl 127, len 84) - Very small fragments
22:10: > : tcp (frag (ttl 127, len 64) ) - Very small fragments
22:10: > : tcp (frag (ttl 237, len 40) - Very small, isolated fragment
22:10: > : tcp (frag (ttl 240, len 40) - Very small, isolated fragment; note the close times and different IPs
Reading the "frag" field (frag ID:Data-Length@Offset+): ID, then the data length (without the IP header), then Offset/8; a trailing "+" means the More Fragments bit is set.
Wireshark display filters: ip.fragment, and ip.fragment.X where X can be count==[number], error, overlap, overlap.conflict, multipletails, or toolongtails.
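The checks behind slides 3 to 6, as an added Python example that is not part of the slides: it decodes bytes 6-7 of an IPv4 header, applies the same predicate as the tcpdump filter above, tests a fragment against the 65,535-byte reassembly buffer of slide 5, and reproduces the 1280/1280/760-byte split of slide 4. The header bytes are constructed inline by a helper of my own (make_ip_header, placeholder addresses), not captured traffic.

```python
import struct

MAX_DATAGRAM = 65535  # largest IPv4 total length; also the reassembly buffer size on slide 5

def ip_frag_fields(ip_header: bytes):
    """(DNF, MF, offset in bytes) from bytes 6-7 of an IPv4 header: 3 flag bits
    (reserved, Do Not Fragment, More Fragments) then a 13-bit offset in 8-byte units."""
    field, = struct.unpack("!H", ip_header[6:8])
    return bool(field & 0x4000), bool(field & 0x2000), (field & 0x1FFF) * 8

def is_fragment(ip_header: bytes) -> bool:
    """Same test as the tcpdump filter (ip[6:2] & 0x3fff) != 0: MF set or offset non-zero.
    The mask drops the reserved and DNF bits, so an unfragmented DNF packet does not match."""
    field, = struct.unpack("!H", ip_header[6:8])
    return (field & 0x3FFF) != 0

def fragment_end(ip_header: bytes) -> int:
    """Byte position just past this fragment's data inside the reassembly buffer."""
    total_len, = struct.unpack("!H", ip_header[2:4])
    ihl = (ip_header[0] & 0x0F) * 4
    return ip_frag_fields(ip_header)[2] + (total_len - ihl)

def overflows_reassembly(ip_header: bytes) -> bool:
    """Ping-of-Death condition: offset plus data would run past the 65,535-byte buffer."""
    return fragment_end(ip_header) > MAX_DATAGRAM

def plan_fragments(payload_len: int, frag_size: int = 1280):
    """How slide 4 splits an IP payload: (offset, data bytes, MF) per fragment. Every
    fragment but the last carries frag_size bytes (rounded down to a multiple of 8) with MF set."""
    frag_size -= frag_size % 8
    frags, off = [], 0
    while off < payload_len:
        size = min(frag_size, payload_len - off)
        frags.append((off, size, off + size < payload_len))
        off += size
    return frags

def make_ip_header(total_len, ident, dnf, mf, offset_bytes, proto=6, ttl=64):
    """Constructed 20-byte IPv4 header for testing; placeholder addresses, checksum left zero."""
    flags_off = (0x4000 if dnf else 0) | (0x2000 if mf else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off, ttl, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    pod = make_ip_header(1020, 7, False, True, 65496, proto=1)  # fragment like slide 5's
    print(is_fragment(pod), fragment_end(pod), overflows_reassembly(pod))
    print(plan_fragments(20 + 3300))  # slide 4: TCP header plus App. Header and Data
```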

Slide 7 - Protocols over IP (layer diagram, top to bottom)
Application protocols, reached through a Listening Port No. (well-known ports, e.g., 80).
IP Next Protocol numbers: 6 (TCP), 17 (UDP), 50 (IPsec ESP).
Ethernet "Next Protocol" numbers: 0x0800 (IP), 0x0806 (ARP).
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...).

Slide 8 - UDP Header (big endian)
Common UDP server ports:
53 - DNS (Domain Name Server)
123 - NTP (Network Time Protocol)
137 - NBNS (NetBIOS Name Service, Microsoft)
631 - CUPS (Common Unix Printing System)
5353 - MDNS (Multicast DNS, Apple)

Slide 9 - ICMP Header (big endian)
Layout (32 bits per row): Type (8 bits) | Code (8 bits) | Checksum (16 bits); Identifier (16 bits) | Sequence Number (16 bits); Optional Data.
Type field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Timeout (traceroute).
Type 3 codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (the UDP "reset": the old header is carried in the data); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service.

Slide 10 - Smurf Attack
A /24 network with its network broadcast address. The attacker sends an ICMP Echo Request (Ping) To: the broadcast address, From: the victim's address (spoofed). Every host on the network sends its ICMP Echo Response To: the victim. (How is this prevented?)

Slide 11 - TCP Header: 6 Flag Bits; frame layout as on slide 2, with the TCP header highlighted.
The Hdr Len field holds the length of the TCP header in bytes divided by 4.
TCP Flags, in order: U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin).

Slide 12 - TCP Three-Way Handshake Flags
Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Data segments that follow: Ack (Push, Urgent)
A flag bit is "present", "set" or "true" if it is a binary 1.

Slide 13 - TCP Three-Way Disconnect (either A or B can be the server)
Host A <-> Host B, data in progress: Ack (Push, Urgent)
Fin + Ack, answered by Ack, or by Reset + Ack

Slide 14 - As seen using Wireshark
TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RES-ACK (Reset + Ack: connection rejected)

Slide 15 - TCP State Diagram (figure; only the label "Reset" survives in the transcript)

Slide 16 - TCP flag combinations (bits in the order Reset, Fin, Syn, Ack):
0001 - OK (Ack only)
0010 - 1st Packet (Syn only)
0011 - 2nd Packet (Syn + Ack)
0100 - Needs Ack (Fin only)
0101 - OK (Fin + Ack)
0110 - Illegal (Fin + Syn)
1000 - Needs Ack (Reset only)
1001 - OK (Reset + Ack)
1010 - Illegal (Reset + Syn)
Illegal flag combinations are used to determine the Operating System.

Slide 17 - DoS Exploits using TCP Packets
Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.
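A detection-side example added here, not from the slides: it parses the TCP header fields of slide 11, applies the flag table of slide 16 to every combination of the four bits, and raises the findings a packet monitor would for the Land and Urgent-pointer patterns of slide 17. Headers are constructed inline by a helper of my own (make_tcp), and the finding names are my own labels.

```python
import struct

# The six flag bits in byte 13 of the TCP header, in the slide's order U A P R S F.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

def parse_tcp(hdr: bytes) -> dict:
    """Ports, header length (Hdr Len nibble * 4), flag bits and urgent pointer of a TCP header."""
    sport, dport = struct.unpack("!HH", hdr[:4])
    urg_ptr, = struct.unpack("!H", hdr[18:20])
    return {"sport": sport, "dport": dport, "hlen": (hdr[12] >> 4) * 4,
            "flags": hdr[13] & 0x3F, "urg": urg_ptr}

def classify(flags: int) -> str:
    """Slide 16's table over the Reset/Fin/Syn/Ack bits, extended to all 16 combinations."""
    core = flags & (RST | FIN | SYN | ACK)
    if core & SYN and core & (FIN | RST):
        return "Illegal"      # 0110 Fin+Syn, 1010 Reset+Syn, and their +Ack forms
    if core == 0:
        return "Illegal"      # no flags at all: not in the table, never sent by a normal stack
    if core == SYN:
        return "1st Packet"   # 0010
    if core == SYN | ACK:
        return "2nd Packet"   # 0011
    if not core & ACK:
        return "Needs Ack"    # 0100 Fin only, 1000 Reset only
    return "OK"               # 0001, 0101, 1001

def audit(src: str, dst: str, hdr: bytes) -> list:
    """Findings for one segment: illegal flag combinations (the OS-fingerprint probes of
    slide 16), Land (source = destination) and an Urgent flag with a non-zero urgent
    pointer (the Blue Screen of Death pattern of slide 17)."""
    t = parse_tcp(hdr)
    findings = []
    if classify(t["flags"]) == "Illegal":
        findings.append("illegal-flags")
    if src == dst:
        findings.append("land")
    if t["flags"] & URG and t["urg"] != 0:
        findings.append("urgent-pointer")
    if t["hlen"] < 20:
        findings.append("bad-header-length")  # Hdr Len below the 20-byte minimum
    return findings

def make_tcp(sport: int, dport: int, flags: int, urg_ptr: int = 0) -> bytes:
    """Constructed 20-byte TCP header for testing (seq, ack and checksum zeroed, window 8192)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)

if __name__ == "__main__":
    for name, hdr in (("syn-fin probe", make_tcp(40000, 80, SYN | FIN)),
                      ("urgent to 139", make_tcp(1234, 139, ACK | URG, 3))):
        print(name, classify(parse_tcp(hdr)["flags"]), audit("10.0.0.5", "10.0.0.9", hdr))
```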

Slide 18 - TCP Session Hijack
Diagram: Alice has an established TCP connection with Bob (0). The attacker (1) sniffs the network and watches Alice establish the TCP session with Bob, (2) mounts a DoS attack to silence Alice (Acks and Resets), and (3) hijacks the TCP connection by using the correct sequence number.
Off-LAN attack (cannot sniff), to get by a host-based firewall:
1. Open several TCP connections to Bob, to predict Bob's next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on Bob's predicted seq. no. (from Alice's IP).
4. Send the exploit to Bob (assume all packets are received OK and Ack'ed).