
1 Fun with TCP/IP
ECE-6612, Prof. John A. Copeland. Office: Klaus 3362. Email or call for office visit, 404 894-5177. Slides dated 4/9/2015.

2 Ethernet Header (MAC or Link Layer)
Layer stack (all big-endian): Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
Ethernet header fields (drawn as 32-bit rows):
Destination Address - 6 bytes
Source Address - 6 bytes
Next Protocol # - 2 bytes (MSB first, then LSB); selects the Next Level Protocol Header (0x0800 = IP, 0x0806 = ARP; see slide 7)

3 IP Header (Network Layer)
Layer stack (all big-endian): Ethernet Hdr | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
IP header fields highlighted: Length, Frag. Flags, Fragment Offset, Next Protocol
Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: DNF = Do Not Fragment, MF = More Fragments

4 Fragmented Packet
Data packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 3320 bytes. IP Fragment ID number is the same for each fragment.
Fragment 1: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes | App. Hdr & Data - 1260 bytes (1280 bytes of IP payload)
Fragment 2: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data - 1280 bytes
Fragment 3: Ethernet Hdr | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data - 760 bytes

5 Ping of Death
Fragment: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes
Reassembly area: Packet Buffer 65,535 bytes | Packet Buffer 65,535 bytes (adjacent in memory)
Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash. "Ping" was used because "# ping -s" (with an oversized packet size) used to work. "fragrouter" is a network utility that generates bad fragments.

6 Fragmented Packets as seen by "tcpdump"
Filter for seeing fragments (ip[6:2] is the Flags/Fragment Offset word; 0x3fff masks off the Reserved and DNF bits, so the test matches MF set or a non-zero offset):
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'
Sample output (addresses elided on the slide), with the instructor's notes:
22:10:... > ...: ... (44) ack ... win 65535 (frag ..., ttl 127, len 84)   Very small fragments
22:10:... > ...: tcp (frag ..., ttl 127, len 64)   Very small fragments
22:10:... > ...: tcp (frag ..., ttl 237, len 40)   Very small, isolated fragment, ID=0
22:10:... > ...: tcp (frag ..., ttl 240, len 40)   Very small, isolated fragment. Note close times, different IPs
Legend: (frag ID:Data-Length@Offset+) = fragment ID, data length (without the IP header), offset; "+" means the More Fragments bit is set.
Wireshark display filters: ip.fragment and ip.fragment.X, where X can be: count==[number], error, overlap, overlap.conflict, multipletails, toolongtails
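The fragment handling on slides 4, 5 and 6 in working code, as an added example (this is not code from the slides or the course): a parser for the 20-byte IPv4 header, the same fragment test the tcpdump filter makes, the slide 4 split of a 3320-byte payload at 1280 bytes, and the bounds checks a reassembler must make before writing into its 65,535-byte buffer (an "overflow" is the Ping of Death case, an "overlap" the Teardrop family from slide 17). All packets are constructed here with a zero IP checksum; the addresses and IDs are arbitrary sample values.

```python
import socket
import struct

# IPv4 Flags/Fragment Offset word (bytes 6-7 of the header): 3 flag bits + 13-bit offset.
IP_FLAG_DF = 0x4000       # Do Not Fragment (DNF on slide 3)
IP_FLAG_MF = 0x2000       # More Fragments (MF)
IP_OFFSET_MASK = 0x1FFF   # offset in 8-byte units
MAX_DATAGRAM = 65535      # largest reassembled datagram: 16-bit Total Length field


def build_ipv4(src, dst, proto, ident, payload, offset_bytes=0, mf=False, df=False, ttl=64):
    """Constructed test input: 20-byte big-endian IPv4 header (no options) + payload.
    The header checksum is left at zero, so these packets are for parsing tests only."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = ((IP_FLAG_MF if mf else 0) | (IP_FLAG_DF if df else 0)
                  | ((offset_bytes // 8) & IP_OFFSET_MASK))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the IPv4 header fields discussed on slides 3-4 (packet starts at the IP header)."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,                                   # same for every fragment of one datagram
        "df": bool(flags_frag & IP_FLAG_DF),
        "mf": bool(flags_frag & IP_FLAG_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,   # converted to bytes
        "ttl": ttl,
        "proto": proto,                                # 1=ICMP 6=TCP 17=UDP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],
    }


def is_fragment(pkt):
    """Same test as the tcpdump filter (ip[6:2] & 0x3fff) != 0: MF set or a non-zero offset."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x3FFF) != 0


def fragment(payload, src, dst, proto, ident, frag_size=1280):
    """Split one IP payload into fragments of frag_size bytes, all carrying the same ID;
    every fragment but the last has MF set (slide 4 with frag_size=1280)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8 bytes")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + len(chunk) < len(payload)
        frags.append(build_ipv4(src, dst, proto, ident, chunk, offset_bytes=off, mf=more))
    return frags


def check_reassembly(frag_pkts):
    """Checks a reassembler must make before copying a fragment into its 65,535-byte buffer.
    Returns a sorted list of problems: 'overflow' (fragment ends past 65,535, the Ping of Death
    case), 'overlap' (fragments cover the same bytes, the Teardrop family), 'gap' (bytes missing),
    'incomplete' (no fragment with MF clear, so the datagram cannot be complete)."""
    problems = set()
    spans = []
    for pkt in frag_pkts:
        f = parse_ipv4(pkt)
        start, end = f["offset"], f["offset"] + len(f["payload"])
        if end > MAX_DATAGRAM:
            problems.add("overflow")
        spans.append((start, end, f["mf"]))
    spans.sort()
    expected = 0
    for start, end, _mf in spans:
        if start < expected:
            problems.add("overlap")
        elif start > expected:
            problems.add("gap")
        expected = max(expected, end)
    if not any(not mf for _start, _end, mf in spans):
        problems.add("incomplete")
    return sorted(problems)


if __name__ == "__main__":
    # Slide 4: 20-byte TCP header + 3300 bytes of data, split at 1280 bytes (constructed payload).
    for pkt in fragment(bytes(3320), "10.0.0.1", "10.0.0.2", 6, 0x1234):
        f = parse_ipv4(pkt)
        print("id=%#x mf=%d offset=%d len=%d" % (f["id"], f["mf"], f["offset"], len(f["payload"])))
```

The design point is that a fragment's offset and length are checked against the buffer size before any copy, and overlaps are rejected rather than resolved; a fragment with the offset field at its 13-bit maximum plus 1000 bytes of data is exactly what check_reassembly reports as "overflow".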

7 Protocols over IP
Listening Port No. (Well-Known), above TCP/UDP: 179 (BGP), 21 (FTP), 80 (HTTP), 25 (SMTP), 23 (Telnet), 161 (SNMP)
IP Next Protocol Numbers: 6 (TCP), 17 (UDP), and directly over IP: 1 (ICMP), 2 (IGMP), 89 (OSPF), 46 (RSVP), 50 (IPsec ESP)
Ethernet "Next Protocol" Number: 0x0800 (IP), 0x0806 (ARP)
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)

8 UDP Header
(big endian)
Common UDP Server Ports:
53 – DNS (Domain Name Server)
123 – NTP (Network Time Protocol)
137 – NBNS (NetBIOS Name Service, Microsoft)
631 – CUPS (Common Unix Printing System)
5353 – MDNS (Multicast DNS, Apple)

9 ICMP Header
(big endian)
Bytes 0 - 3: Type | Code | Checksum
Bytes 4 - 7: Identifier | Sequence Number
Bytes 8 - : Optional Data
Type Field:
0 - Echo Reply (Code=0)
3 - Destination Unreachable
5 - Redirect (change route)
8 - Echo Request (Ping)
11 - Timeout (traceroute)
Type 3 - Codes:
0 - Network Unreachable
1 - Host Unreachable
3 - Port Unreachable (UDP Reset; old hdr in data)
7 - Destination Host Unknown
12 - Host Unreachable for Type of Service

10 Smurf Attack
Attacker sends an ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast), From: the Victim's address (spoofed).
Every host on the /24 Network sends an ICMP Echo Response To: the Victim.
Network Broadcast Address = 222.45.6.255 (How is this prevented?)
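The ICMP header on slide 9 and the Smurf pattern on slide 10, as an added example that is not part of the slides: an RFC 1071 checksum, a parser for the 8-byte echo header, and the check a border router or sensor makes to answer the slide's question, namely that an Echo Request addressed to the subnet's broadcast address (directed broadcast) is dropped rather than forwarded. The sample traffic, the 192.0.2.7 victim address and the ping IDs are constructed values.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY = 0      # Type 0
ICMP_ECHO_REQUEST = 8    # Type 8 (Ping)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words (ICMP, IP, TCP, UDP)."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type, ident, seq, data=b""):
    """Constructed ICMP echo message: Type | Code=0 | Checksum | Identifier | Sequence Number | data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp(msg):
    """Decode the 8-byte header on slide 9; checksum_ok means the sum over the whole message is zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(msg) == 0, "data": msg[8:]}


def is_directed_broadcast(dst_ip, network):
    """True when dst_ip is the broadcast address of network (222.45.6.255 for 222.45.6.0/24)."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(dst_ip) == net.broadcast_address


def smurf_suspects(packets, network):
    """packets: (src_ip, dst_ip, icmp_message) tuples seen at the border of `network`.
    Returns the (src, dst) pairs of Echo Requests aimed at the network's broadcast address:
    what a border router drops when directed broadcasts are disabled, and what a sensor
    alerts on. The (spoofed) src is the victim that would otherwise receive every reply."""
    hits = []
    for src, dst, msg in packets:
        icmp = parse_icmp(msg)
        if icmp["type"] == ICMP_ECHO_REQUEST and is_directed_broadcast(dst, network):
            hits.append((src, dst))
    return hits


# Constructed sample traffic: one spoofed ping to the broadcast address, two ordinary pings.
SAMPLE = [
    ("192.0.2.7", "222.45.6.255", build_icmp_echo(ICMP_ECHO_REQUEST, 1, 1, b"smurf")),
    ("222.45.6.10", "222.45.6.20", build_icmp_echo(ICMP_ECHO_REQUEST, 2, 1, b"ping")),
    ("222.45.6.20", "192.0.2.7", build_icmp_echo(ICMP_ECHO_REPLY, 1, 1, b"smurf")),
]

if __name__ == "__main__":
    print(smurf_suspects(SAMPLE, "222.45.6.0/24"))
```

The same broadcast test, applied on the router's outbound interface, is the "no directed broadcast" control; on the hosts, ignoring Echo Requests sent to a broadcast address removes the amplification even if the router forwards them.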

11 TCP Header – 6 Flag Bits
Layer stack (all big-endian): Ethernet Hdr | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
* Header-length field = Length of TCP Header in bytes / 4
TCP Flags (6 bits): U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin)

12 TCP Three-Way Handshake Flags
Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Then data in both directions: Ack (Push, Urgent)
A Flag Bit is "present", "set" or "true" if it is a binary 1.

13 TCP Three-Way Disconnect
Host A and Host B exchanging data: Ack (Push, Urgent) in each direction
One side (say A) -> B: Fin + Ack
B -> A: Ack
B -> A: Fin + Ack
A -> B: Ack (or Reset + Ack)
Either A or B can be the Server

14 TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RST-ACK (connection rejected), as seen using wireshark

15 TCP State Diagram (diagram; shows the Reset transitions)

16 TCP Flag Combinations (table columns: Reset, Fin, Syn, Ack, Comment)
Comments in the table: OK; 1st Packet (Syn only); 2nd Packet (Syn + Ack); Needs Ack (every packet after the first Syn carries Ack); Illegal.
Illegal flag combinations are used to determine the Operating System.

17 DoS Exploits using TCP Packets
Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP Fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.
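Slides 11 through 17 in working code, as an added example (not code from the slides or the course): a parser for the 20-byte TCP header that prints flags in the slide's U A P R S F order, the legal/illegal classification from slide 16, a tracker that follows the slide 12 handshake while checking each ACK number is the peer's ISN + 1 (the relationship the wireshark view on slide 14 shows), and per-segment checks for the slide 17 exploits visible in one header (Land, the urgent-pointer-3 crash, out-of-band data to TCP-139). All segments are constructed with a zero checksum and arbitrary sample addresses, ports and sequence numbers; Teardrop is an IP-reassembly matter and is not covered here.

```python
import struct

# TCP flag bits: low six bits of the header-length / flags word (slide 11: U A P R S F)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("U", TCP_URG), ("A", TCP_ACK), ("P", TCP_PSH),
              ("R", TCP_RST), ("S", TCP_SYN), ("F", TCP_FIN))


def build_tcp(sport, dport, seq, ack, flags, window=65535, urg_ptr=0, payload=b""):
    """Constructed 20-byte TCP header with no options, so the header-length field is 20 / 4 = 5.
    Checksum left at zero (test input only)."""
    off_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags,
                       window, 0, urg_ptr) + payload


def parse_tcp(seg):
    """Decode the TCP header fields on slide 11; flag_str follows the slide's U A P R S F order."""
    sport, dport, seq, ack, off_flags, window, _csum, urg_ptr = struct.unpack("!HHIIHHHH", seg[:20])
    hdr_len = (off_flags >> 12) * 4          # field holds header length in bytes / 4
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
            "flags": flags, "flag_str": "".join(n if flags & b else "." for n, b in FLAG_NAMES),
            "window": window, "urg_ptr": urg_ptr, "payload": seg[hdr_len:]}


def classify_flags(flags):
    """Slide 16's table: which combinations a normal stack produces and which are illegal.
    A conforming stack never sends the illegal ones, so they stand out as fingerprinting probes."""
    if flags & TCP_SYN and flags & TCP_FIN:
        return "illegal: SYN+FIN"
    if flags & TCP_SYN and flags & TCP_RST:
        return "illegal: SYN+RST"
    if flags == 0:
        return "illegal: no flags"
    if flags == TCP_SYN:
        return "ok: 1st packet"
    if flags == TCP_SYN | TCP_ACK:
        return "ok: 2nd packet"
    if flags & TCP_RST:
        return "ok: reset"
    if not flags & TCP_ACK:
        return "illegal: needs ACK"        # FIN/PSH/URG after the first packet must carry ACK
    return "ok"


def track_handshake(segments):
    """Follow slide 12's SYN, SYN+ACK, ACK over (src_ip, dst_ip, tcp_bytes) in capture order,
    checking each ACK number is the peer's ISN + 1 as the wireshark view on slide 14 shows.
    A RST at any point closes (slide 14: SYN answered by RST-ACK = connection rejected)."""
    state, client, server, isn = "CLOSED", None, None, {}
    for src, dst, seg in segments:
        t = parse_tcp(seg)
        f = t["flags"]
        if f & TCP_RST:
            state = "CLOSED"
        elif state == "CLOSED" and f == TCP_SYN:
            client, server, isn[src] = src, dst, t["seq"]
            state = "SYN_SENT"
        elif (state == "SYN_SENT" and src == server and f == TCP_SYN | TCP_ACK
              and t["ack"] == (isn[client] + 1) & 0xFFFFFFFF):
            isn[src] = t["seq"]
            state = "SYN_RECEIVED"
        elif (state == "SYN_RECEIVED" and src == client and f & TCP_ACK and not f & TCP_SYN
              and t["ack"] == (isn[server] + 1) & 0xFFFFFFFF):
            state = "ESTABLISHED"
    return state


def dos_indicators(src_ip, dst_ip, seg):
    """Per-segment checks for the slide 17 exploits visible in a single header:
    Land (source address = destination address), the Urgent-pointer-3 crash, WinNuke
    (urgent/out-of-band data to the file-sharing port TCP-139), plus any illegal flag set."""
    t = parse_tcp(seg)
    hits = []
    if src_ip == dst_ip:
        hits.append("land")
    if t["flags"] & TCP_URG and t["urg_ptr"] == 3:
        hits.append("urgent-pointer-3")
    if t["dport"] == 139 and t["flags"] & TCP_URG:
        hits.append("winnuke-oob-to-139")
    verdict = classify_flags(t["flags"])
    if verdict.startswith("illegal"):
        hits.append(verdict)
    return hits
```

Such checks belong at an ingress filter or IDS rather than in the application: a Land segment is recognisable from the IP addresses alone, and the handshake tracker's ISN + 1 test is what lets a sensor tell a real third packet from a stray ACK.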

18 TCP Session Hijack
(0) - Alice has an established TCP connection with Bob.
Attacker - (1) sniffs the network and watches Alice establish the TCP session with Bob; (2) - DoS attack to silence Alice (Acks and Resets); (3) - hijacks the TCP connection by using the correct sequence number.
IP connections can be determined by the remote host's sequence no. – not IP!
Off-LAN Attack (cannot sniff) to get by a host-based firewall:
Open several TCP connections to Bob, to predict Bob's next sequence number.
DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
Send Bob a SYN, then an ACK based on Bob's predicted seq. no. (from Alice's IP).
Send exploit to Bob (assume all packets are received ok and Ack'ed).
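The receiver-side checks that decide whether an injected segment of the kind described on slide 18 is accepted, as an added example that is not part of the slides: the RFC 793 window test with 32-bit wraparound, the RFC 5961 rule that a RST is honoured only at exactly rcv_nxt (an in-window RST elsewhere draws a challenge ACK instead of tearing the connection down), and the acceptable-ACK range. The connection state, sequence numbers and window size are constructed sample values; a real stack holds them in its TCB.

```python
SEQ_MOD = 1 << 32
TCP_RST, TCP_ACK = 0x04, 0x10   # flag bits as on slide 11


def seq_in_window(x, rcv_nxt, rcv_wnd):
    """True when sequence number x lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound."""
    return ((x - rcv_nxt) % SEQ_MOD) < rcv_wnd


def segment_acceptable(seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: some byte of the segment must fall inside the receive window."""
    if rcv_wnd == 0:
        return seg_len == 0 and seq == rcv_nxt
    if seg_len == 0:
        return seq_in_window(seq, rcv_nxt, rcv_wnd)
    last = (seq + seg_len - 1) % SEQ_MOD
    return seq_in_window(seq, rcv_nxt, rcv_wnd) or seq_in_window(last, rcv_nxt, rcv_wnd)


def new_connection(rcv_nxt, rcv_wnd, snd_una, snd_nxt):
    """Receive- and send-side state of an established connection (constructed; no real socket)."""
    return {"rcv_nxt": rcv_nxt, "rcv_wnd": rcv_wnd, "snd_una": snd_una, "snd_nxt": snd_nxt}


def process_segment(conn, flags, seq, ack, seg_len):
    """Decide what an established connection does with an incoming segment.
    Sequence numbers outside the window are dropped (a real stack answers with a bare ACK).
    RST is honoured only at exactly rcv_nxt; an in-window RST elsewhere gets a challenge ACK
    (RFC 5961), so a guessed RST does not silence a peer the way step (2) on slide 18 needs.
    ACK numbers must lie in [snd_una, snd_nxt]. In-order data advances rcv_nxt."""
    if not segment_acceptable(seq, seg_len, conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop: out-of-window"
    if flags & TCP_RST:
        return "reset" if seq == conn["rcv_nxt"] else "challenge-ack"
    if flags & TCP_ACK:
        acked = (ack - conn["snd_una"]) % SEQ_MOD
        outstanding = (conn["snd_nxt"] - conn["snd_una"]) % SEQ_MOD
        if acked > outstanding:              # acknowledges data never sent, or an old ACK
            return "drop: unacceptable ack"
        conn["snd_una"] = ack
    if seg_len and seq == conn["rcv_nxt"]:
        conn["rcv_nxt"] = (conn["rcv_nxt"] + seg_len) % SEQ_MOD
    return "accept"


if __name__ == "__main__":
    c = new_connection(rcv_nxt=1000, rcv_wnd=8192, snd_una=5000, snd_nxt=5000)
    print(process_segment(c, TCP_ACK, 1000, 5000, 100))            # in-order data: accept
    print(process_segment(c, TCP_RST | TCP_ACK, 1500, 5000, 0))    # in-window but not exact: challenge-ack
    print(process_segment(c, TCP_RST, 90000, 0, 0))                # far outside the window: drop
```

An injected segment therefore has to carry a sequence number inside a window the sender cannot see, and a RST has to hit rcv_nxt exactly; the width of that window and the randomness of the ISN are what set the cost of the off-LAN guess on slide 18.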

