Presentation transcript: "Fun with TCP/IP" (ECE-6612)

1 Fun with TCP/IP
ECE-6612, Prof. John A. Copeland
Office: Centergy 5138. Email or call for an office visit, or call Kathy Cheek, 404 894-5696.

2 Ethernet Header
Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
Fields (bit positions 0 - 31 across the top of the diagram):
Destination Address - 6 bytes
Source Address - 6 bytes
Next Protocol # - 2 bytes (MSB, LSB) -> Next Level Protocol Header (x08 x00 -> 8 -> IP)

3 IP Header
Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
Fields called out: Length, Frag. Flags, Fragment Offset, Next Protocol.
Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: DNF = Do Not Fragment, MF = More Fragments

4 Fragmented Packet
Data packet from Token Ring has a TCP header (20 bytes) plus App. Header and Data (3300 bytes). The IP Fragment ID number is the same for each fragment.
Fragment 1: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
Fragment 2: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data - 1280 bytes
Fragment 3: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data - 760 bytes

5 Ping of Death
Fragment: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes
Packet Buffer 65,535 bytes | Packet Buffer 65,535 bytes (the next buffer in memory)
Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash. "Ping" was used because "# ping -s" used to work. "fragrouter" is a hacker program that generates bad fragments.

6 Fragmented Packets as seen by "tcpdump"
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'
22:10: > : : (44) ack win (frag (ttl 127, len 84)
22:10: > : tcp (frag (ttl 127, len 64)
22:10: > : tcp (frag (ttl 237, len 40)
22:10: > : tcp (frag (ttl 240, len 40)
Key: "(frag ID:Data Length@Offset+)" = fragment ID, data length (without the IP header), IP offset; "+" means the More Fragments bit is set.
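As an added example (not from the slides), the following Python code decodes the IPv4 header fields named on slides 3 and 4, applies the same fragment test as the tcpdump filter above (ip[6:2] & 0x3fff != 0), and reassembles fragments by IP ID while refusing any fragment that would write past the 65,535-byte datagram limit, which is the Ping of Death case on slide 5. The packet builder, the 10.0.0.x addresses and the fragment sizes (1280 + 1280 + 760 bytes, modelled on slide 4) are constructed for the demo; the overlap check in the reassembler is an added check, not something the slides describe.

```python
import struct

IP_NEXT_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}   # the mapping given on slide 3
MAX_DATAGRAM = 65535                                 # size of the reassembly buffer on slide 5


def build_ipv4(ident, mf, offset, payload, proto=6,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed test packet: 20-byte IPv4 header (big-endian, checksum left 0) + payload.
    offset is in bytes and must be a multiple of 8, because the header field counts 8-byte units."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if mf else 0) | (offset // 8)   # bit 13 = MF, bit 14 = DNF
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, src, dst)
    return header + payload


def parse_ipv4_header(pkt):
    """Decode the fields from slide 3: length, fragment flags, fragment offset, next protocol."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in 32-bit words
    return {
        "id": ident,
        "dnf": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_NEXT_PROTO.get(proto, str(proto)),
        "src": src, "dst": dst,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(hdr):
    """Equivalent of the tcpdump test (ip[6:2] & 0x3fff) != 0: MF set or a non-zero offset."""
    return hdr["mf"] or hdr["frag_offset"] != 0


def fragment_in_bounds(hdr):
    """A fragment may not write past the end of a 65,535-byte datagram (the Ping of Death case)."""
    return hdr["frag_offset"] + len(hdr["payload"]) <= MAX_DATAGRAM


class Reassembler:
    """Collects fragments by (src, dst, IP ID) and returns the datagram once it is complete and contiguous."""

    def __init__(self):
        self.pending = {}   # (src, dst, id) -> {"parts": {offset: payload}, "total": int or None}

    def add(self, hdr):
        if not fragment_in_bounds(hdr):
            raise ValueError("fragment id=%d overruns the %d-byte buffer" % (hdr["id"], MAX_DATAGRAM))
        key = (hdr["src"], hdr["dst"], hdr["id"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][hdr["frag_offset"]] = hdr["payload"]
        if not hdr["mf"]:                       # the last fragment (MF = 0) fixes the datagram length
            entry["total"] = hdr["frag_offset"] + len(hdr["payload"])
        return self._complete(key, entry)

    def _complete(self, key, entry):
        if entry["total"] is None:
            return None
        data = bytearray()
        for off in sorted(entry["parts"]):
            if off < len(data):                 # overlapping fragment (added check)
                del self.pending[key]
                raise ValueError("overlapping fragments for id=%d" % key[2])
            if off > len(data):                 # gap: still waiting for a fragment
                return None
            data += entry["parts"][off]
        if len(data) != entry["total"]:
            return None
        del self.pending[key]
        return bytes(data)


def demo():
    """Three constructed fragments (1280 + 1280 + 760 = 3320 bytes) and one oversize fragment."""
    frags = [build_ipv4(42, True, 0, b"A" * 1280),
             build_ipv4(42, True, 1280, b"B" * 1280),
             build_ipv4(42, False, 2560, b"C" * 760)]
    r = Reassembler()
    results = [r.add(parse_ipv4_header(f)) for f in frags]
    # offset 65,496 (field value 8187) is the largest 8-byte multiple below the slide's 65,500
    pod = parse_ipv4_header(build_ipv4(99, True, 65496, b"\x00" * 1000))
    return results, fragment_in_bounds(pod)


if __name__ == "__main__":
    results, pod_ok = demo()
    print("reassembled %d bytes; oversize fragment accepted: %s" % (len(results[-1]), pod_ok))
```

The first two fragments return None because the datagram length is only known once the MF = 0 fragment arrives; the oversize fragment is rejected before any buffer is touched, which is the check the crashing Windows stack lacked.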

7 Protocols over IP
Listening Port No. (Well-Known?) - e.g. 161
IP Next Protocol Numbers shown: 1, 2, 6, 17, 46, 50 (ESP), 89
Ethernet "Next Protocol" Number: 0x0800 (IP)

8 UDP Header (big endian)

9 ICMP Header (big endian)
Bytes 0 - 3: Type | Code | Checksum
Bytes 4 - 7: Identifier | Sequence Number
Bytes 8 - : Optional Data
Type Field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Timeout (traceroute)
Type 3 - Codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (UDP Reset - old hdr in data); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service

10 Smurf Attack
Attacker sends an ICMP Echo Request (Ping) To: the network broadcast address, From: the Victim (spoofed source).
Every host on the /24 network sends an ICMP Echo Response To: the Victim.
Network Broadcast Address = 222.45.6.255 (How is this prevented?)
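As an added example (not from the slides), here is Python code that decodes the ICMP header of slide 9 (type, code, checksum, identifier, sequence number), verifies the Internet checksum, and applies the router-side answer to the question on slide 10: an Echo Request addressed to a network's directed broadcast address (222.45.6.255 for 222.45.6.0/24, the slide's example) is not forwarded, so no amplified reply stream reaches the spoofed source. The message builder, the identifier/sequence values and the forwarding policy function are constructed for the demo.

```python
import ipaddress
import struct

# Type and code names as listed on slide 9
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Timeout"}
TYPE3_CODES = {0: "Network Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
               7: "Destination Host Unknown", 12: "Host Unreachable for Type of Service"}


def icmp_checksum(data):
    """Internet checksum: one's-complement sum of 16-bit big-endian words (odd byte padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ, code, ident=0, seq=0, data=b""):
    """Constructed ICMP message: 8-byte header (type, code, checksum, identifier, sequence) + data."""
    body = struct.pack("!BBHHH", typ, code, 0, ident, seq) + data
    csum = icmp_checksum(body)                  # checksum computed with the field zeroed
    return struct.pack("!BBHHH", typ, code, csum, ident, seq) + data


def parse_icmp(msg):
    """Decode the layout of slide 9 and verify the checksum (a valid message sums to zero)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "checksum": csum, "identifier": ident,
            "sequence": seq, "data": msg[8:], "checksum_ok": icmp_checksum(msg) == 0}


def describe(hdr):
    """Human-readable type/code using the slide's two tables."""
    name = ICMP_TYPES.get(hdr["type"], "Type %d" % hdr["type"])
    if hdr["type"] == 3:
        name += " / " + TYPE3_CODES.get(hdr["code"], "Code %d" % hdr["code"])
    return name


def is_directed_broadcast(dst, network):
    """True when dst is the broadcast address of the given network (e.g. 222.45.6.255 for 222.45.6.0/24)."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(network).broadcast_address


def should_forward_echo(dst, network, hdr):
    """Assumed router policy (the usual Smurf mitigation): never forward an Echo Request to the
    directed broadcast address of a network you route for, so the hosts on it produce no replies."""
    return not (hdr["type"] == 8 and is_directed_broadcast(dst, network))


if __name__ == "__main__":
    ping = parse_icmp(build_icmp(8, 0, ident=0x1234, seq=1, data=b"ping"))
    print(describe(ping), "checksum ok:", ping["checksum_ok"])
    print("forward to 222.45.6.255:", should_forward_echo("222.45.6.255", "222.45.6.0/24", ping))
```

Dropping only Echo Requests is enough for this slide's scenario; real router configurations disable forwarding of all directed broadcasts, which also covers amplification with other protocols.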

11 TCP Header
Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
* = Length of TCP Header in bytes / 4
TCP Flags: U A P R S F

12 TCP Three-Way Handshake
Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Then data segments in both directions: Ack (Push, Urgent)

13 TCP Three-Way Disconnect
Data segments in both directions: Ack (Push, Urgent)
First side: Fin + Ack
Other side: Ack
Other side: Fin + Ack
First side: Ack, or Reset + Ack
Host A, Host B: either A or B can be the Server.

14 TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RES-ACK (no connection) as seen using Wireshark

15 TCP State Diagram (Reset)

16 TCP Flag Combinations
Columns: Reset | Fin | Syn | Ack | Comment
Comment column entries: 1 OK - 1st Packet; 2nd Packet; Needs Ack; Illegal
Illegal flag combinations are used to determine the Operating System.
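As an added example (not from the slides), this Python code decodes the TCP header of slide 11 (data offset stored as header length / 4, the U A P R S F flag bits, urgent pointer), labels a flag combination with the comment column of slide 16, checks the three-way handshake of slide 12 including the ack = seq + 1 relationship, and adds a sanity check that an URG pointer points inside the carried data. The segment builder, the port numbers and sequence numbers are constructed for the demo; the "OK - Reset" label for a lone RST is an addition, since RFC 793 allows a reset without ACK.

```python
import struct

# Flag bits in the low 6 bits of the offset/flags word, in the slide's order U A P R S F
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def build_tcp(sport, dport, seq, ack, flags, payload=b"", urg=0):
    """Constructed 20-byte TCP header (big-endian, checksum left 0) followed by payload.
    flags is a string of letters drawn from U A P R S F."""
    bits = 0
    for letter in flags:
        bits |= FLAG_BITS[letter]
    off_flags = (5 << 12) | bits              # data offset 5 words = 20 bytes / 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, urg) + payload


def parse_tcp_header(seg):
    """Decode the header of slide 11: ports, seq/ack, data offset (bytes / 4), flags, urgent pointer."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _cksum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4       # the field holds header length in 32-bit words
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()},
        "window": win, "urgent_pointer": urg,
        "payload": seg[data_offset:],
    }


def classify_flags(flags):
    """The comment column of slide 16 for a Reset/Fin/Syn/Ack combination."""
    s, a, f, r = flags["S"], flags["A"], flags["F"], flags["R"]
    if not any(flags.values()):
        return "Illegal"                      # no flags at all ("null" segment)
    if s and (f or r):
        return "Illegal"                      # SYN never travels with FIN or RST
    if s and not a:
        return "OK - 1st Packet"              # SYN only opens the handshake
    if s and a:
        return "OK - 2nd Packet"              # SYN-ACK
    if r and not (a or f or flags["P"] or flags["U"]):
        return "OK - Reset"                   # a reset answering a segment that carried ACK
    if not a:
        return "Needs Ack"                    # after the SYN every segment carries ACK
    return "OK"


def handshake_ok(segments):
    """Check the three-way handshake of slide 12: SYN, SYN+ACK, ACK, with each ack = other side's seq + 1."""
    if len(segments) < 3:
        return False
    syn, synack, ack = segments[:3]
    return (classify_flags(syn["flags"]) == "OK - 1st Packet"
            and classify_flags(synack["flags"]) == "OK - 2nd Packet"
            and synack["ack"] == syn["seq"] + 1
            and ack["flags"]["A"] and not ack["flags"]["S"]
            and ack["ack"] == synack["seq"] + 1)


def urgent_pointer_sane(hdr):
    """Added sanity check: with URG set, the pointer must fall inside the data actually carried."""
    if not hdr["flags"]["U"]:
        return True
    return hdr["urgent_pointer"] <= len(hdr["payload"])


def demo():
    """Constructed handshake (client port 40000 -> server port 80) plus a few flag combinations."""
    syn = parse_tcp_header(build_tcp(40000, 80, 1000, 0, "S"))
    synack = parse_tcp_header(build_tcp(80, 40000, 5000, 1001, "SA"))
    ack = parse_tcp_header(build_tcp(40000, 80, 1001, 5001, "A"))
    labels = [(name, classify_flags(parse_tcp_header(build_tcp(40000, 80, 1, 1, name))["flags"]))
              for name in ("SF", "", "F", "R")]
    return handshake_ok([syn, synack, ack]), labels


if __name__ == "__main__":
    ok, labels = demo()
    print("handshake ok:", ok)
    for name, label in labels:
        print("flags %-2r -> %s" % (name, label))
```

The same classification is what an IDS or a stateful firewall applies to the first packet of a flow: SYN+FIN and null segments never occur in normal traffic, so their appearance is worth an alert regardless of what the OS on either end does with them.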

17 DoS Exploits using TCP Packets
Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Teardrop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
WinNuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
?? - Set Urgent Flag, and Urgent Offset Pointer = 3. Older Windows OS would crash.

18 TCP Session Hijack
(0) Established TCP connection between Alice and Bob.
Attacker: (1) sniffs the network and watches Alice establish a TCP session with Bob; (2) DoS attack to silence Alice's Acks and Resets; (3) hijacks the TCP connection by using the correct sequence number.
Mitnick Attack - cannot sniff:
Open several TCP connections to Bob, to predict the next sequence number.
DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
Send Bob a SYN, then an ACK based on Bob's predicted seq. no.
Send exploit to Bob (assume all packets are Ack'ed).

19 TCP Connect Handshake - shown by "tcpdump"
20:43: > : S [bad tcp cksum e773!] : (0) win <mss 1460,nop,wscale 0,nop,nop,timestamp > (DF) (ttl 64, id 13382, len 60) <no ack!>
20:43: > : S [tcp sum ok] : (0) ack win <nop,nop,timestamp ,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60)
20:43: > : . [bad tcp cksum 45f7!] ack 1 win <nop,nop,timestamp > (DF) (ttl 64, id 13383, len 52)
20:43: > : P 1:62(61) ack 1 win <nop,nop,timestamp > (DF) (ttl 52, id 16742, len 113)
20:43: > : P [bad tcp cksum 24f8!] 1:23(22) ack 62 win <nop,nop,timestamp > (DF) (ttl 64, id 13384, len 74)

20 TCP Finish Handshake - shown by "tcpdump"
20:44: > : P 2425:2467(42) ack 3889 win <nop,nop,timestamp > (DF) (ttl 52, id 16760, len 94)
20:44: > : F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win <nop,nop,timestamp > (DF) (ttl 64, id 13402, len 52)
20:44: > : . [tcp sum ok] ack 3890 win <nop,nop,timestamp > (DF) (ttl 52, id 16761, len 52)
20:44: > : F [tcp sum ok] 2467:2467(0) ack 3890 win <nop,nop,timestamp > (DF) (ttl 52, id 16762, len 52)
20:44: > : . [bad tcp cksum 2c51!] ack 2468 win <nop,nop,timestamp > (DF) (ttl 64, id 13403, len 52)

