ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362.

Presentation transcript:

1 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035, Office: Klaus 3362 (email or call for an office visit, 404 894-5177). Slides 11 - Fun with TCP/IP, 4/9/2015

2 Ethernet Header (MAC or Link Layer) - 14 bytes (big-endian, MSB first): Destination Address, 6 bytes (bytes 0-5); Source Address, 6 bytes (bytes 6-11); Next Protocol (EtherType), 2 bytes (bytes 12-13), which selects the Next Level Protocol Header: 0x0800 -> IP, 0x0806 -> ARP. The rest of the frame is the IP Header - 20 bytes (big-endian), the TCP Header - 20 bytes (big-endian), and the App. Hdr & Data.

3 IP Header (Network Layer) - 20 bytes (big-endian), following the 14-byte Ethernet header and followed by the TCP Header - 20 bytes (big-endian) and the App. Hdr & Data. Fields of interest: Length (total length of the datagram in bytes, IP header included); Next Protocol # (1 = ICMP, 6 = TCP, 17 = UDP); Frag. Flags, 3 bits (010 = Do Not Fragment, DF; 001 = More Fragments, MF); Fragment Offset, 13 bits, counted in units of 8 bytes.

4 Fragmented Packet. A data packet from a Token Ring (large MTU) has a TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 3320 bytes, which is carried over Ethernet as three fragments of 1280 + 1280 + 760 bytes, each behind its own Ethernet Hdr - 14 bytes and IP Header - 20 bytes:
Fragment 1: IP Header (MF: 1, offset: 0), TCP Header - 20 bytes, 1260 bytes of App. Hdr & Data (1280 bytes of fragment data)
Fragment 2: IP Header (MF: 1, offset: 1280), 1280 bytes of More Data
Fragment 3: IP Header (MF: 0, offset: 2560), 760 bytes of Last Data
The IP Fragment ID number is the same for each fragment, and only the first fragment carries the TCP header. Offsets are shown in bytes; the header field stores them in 8-byte units (160 and 320).

5 Ping of Death. Ethernet Hdr - 14 bytes, IP Header - 20 bytes (MF: 1, offset: 65,500), then 1000 bytes of Any Data. Fragments are assembled in a Packet Buffer of 65,535 bytes in memory (the largest datagram the 16-bit length field allows); a fragment whose offset plus data length (65,500 + 1000) runs past the end of that buffer overflows it, corrupting the next buffer and crashing older versions of Windows. "Ping" was used because "# ping -s 66500" used to work, i.e. the ping utility would happily send an oversize datagram. "fragrouter" is a network utility that generates bad fragments.

6 Fragmented Packets as seen by "tcpdump"
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'    <- filter for seeing fragments: bytes 6-7 of the IP header with the reserved and DF bits masked off, i.e. MF set or offset nonzero
22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)    <- very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)    <- very small fragments (second part of the same datagram, ID 43660)
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)    <- very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)    <- very small, isolated fragment; note the close times and different IPs
-------
43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset in bytes (the header field stores Offset/8); "+" means the More Fragments bit is set.
Wireshark display filters: ip.fragment and ip.fragment.X where X can be: count==[number], error, overlap, overlap.conflicts, multipletails, toolongfragment.
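The fragment fields shown above, decoded and sanity-checked in code. This is an added example written for this transcript, not code from the course: it builds its own IPv4 fragments (IDs, sizes and addresses are made up and the header checksum is left at zero) and applies the checks a reassembler or IDS should make before copying into the 65,535-byte buffer: the offset-plus-length bound that the Ping of Death (slide 5) violates, the overlap that Teardrop (slide 17) relies on, and a first fragment too small to hold the TCP header. The tcpdump filter expression ip[6:2] & 0x3fff != 0 reappears as the is_fragment test, and tcpdump_style reproduces the ID:len@offset+ notation.

```python
import struct

IP_MAX_LEN = 65535       # largest datagram the 16-bit Total Length field can describe
IP_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20         # minimum TCP header; used by the tiny-first-fragment check
IP_DF = 0x4000           # Don't Fragment flag in the flags/offset halfword
IP_MF = 0x2000           # More Fragments flag
IP_OFFSET_MASK = 0x1fff  # 13-bit fragment offset, counted in 8-byte units


def build_fragment(ident, offset, payload_len, more, proto=6,
                   src=b"\x80\x3d\x3c\x8f", dst=b"\xd9\x62\xe6\xc0", ttl=127):
    """Constructed test data: a 20-byte IPv4 header plus zero-filled payload.
    The header checksum is left at 0 because nothing here verifies it."""
    assert offset % 8 == 0, "the offset field only counts 8-byte units"
    flags_frag = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      ident, flags_frag, ttl, proto, 0, src, dst)
    return hdr + b"\x00" * payload_len


def parse_fragment(pkt):
    """Decode the fields tcpdump prints as '(frag ID:len@offset+)'."""
    ihl = (pkt[0] & 0x0f) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "id": ident,
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,   # back to bytes
        "len": total_len - ihl,                         # data length without IP header
        "more": bool(flags_frag & IP_MF),
        "dont_frag": bool(flags_frag & IP_DF),
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        # same test as the tcpdump filter 'ip[6:2] & 0x3fff != 0'
        "is_fragment": (flags_frag & 0x3fff) != 0,
    }


def tcpdump_style(f):
    return f"frag {f['id']}:{f['len']}@{f['offset']}{'+' if f['more'] else ''}"


def check_reassembly(frags):
    """Sanity checks a reassembler (or IDS) should make before copying fragments
    into a 65,535-byte buffer.  Takes parsed fragments sharing one ID and
    returns a list of finding strings (empty when the set is clean)."""
    findings = []
    covered_end = 0
    for f in sorted(frags, key=lambda x: x["offset"]):
        end = f["offset"] + f["len"]
        if end > IP_MAX_LEN:
            findings.append(f"oversize: {tcpdump_style(f)} ends at byte {end} "
                            f"> {IP_MAX_LEN} (Ping of Death pattern)")
        if f["offset"] == 0 and f["more"] and f["len"] < TCP_HDR_LEN:
            findings.append(f"tiny first fragment: {tcpdump_style(f)} splits the "
                            f"transport header across fragments")
        if f["offset"] < covered_end:
            findings.append(f"overlap: {tcpdump_style(f)} starts inside data already "
                            f"received (Teardrop pattern)")
        elif f["offset"] > covered_end:
            findings.append(f"gap: {f['offset'] - covered_end} bytes missing "
                            f"before {tcpdump_style(f)}")
        covered_end = max(covered_end, end)
    return findings


def demo():
    """Three constructed fragment sets: slide 4's clean split of a 3,320-byte
    TCP segment, a Ping of Death fragment, and a Teardrop-style overlap."""
    clean = [build_fragment(4242, 0, 1280, True),
             build_fragment(4242, 1280, 1280, True),
             build_fragment(4242, 2560, 760, False)]
    # 65,528 is the largest offset the 13-bit field can encode (8191 * 8);
    # 1,000 more bytes run past the end of the reassembly buffer.
    pod = [build_fragment(1, 65528, 1000, False, proto=1)]
    teardrop = [build_fragment(7, 0, 36, True),
                build_fragment(7, 24, 20, False)]
    return {name: check_reassembly([parse_fragment(p) for p in pkts])
            for name, pkts in (("clean", clean), ("pod", pod), ("teardrop", teardrop))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The PoD set also produces a "gap" finding, since a lone fragment at offset 65,528 has nothing before it; a real reassembler would wait for the missing pieces, which is why the oversize check must run on arrival of each fragment rather than at completion.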

7 Protocols over IP (layer diagram). IP Next Protocol numbers: 6 = TCP, 17 = UDP, 1 = ICMP, 2 = IGMP, 89 = OSPF, 46 = RSVP, 50 = IPsec ESP. Above TCP or UDP, the listening port number (well-known?) selects the service, e.g. 7, 161, 80. Below IP, the Ethernet "Next Protocol" number selects the network-layer protocol: 0x0800 = IP, 0x0806 = ARP. Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...).

8 UDP Header (big-endian), 8 bytes: Source Port (2), Destination Port (2), Length (2, header plus data), Checksum (2). Common UDP Server Ports: 53 - DNS (Domain Name Server); 123 - NTP (Network Time Protocol); 137 - NBNS (NetBIOS Name Service, Microsoft); 631 - CUPS (Common Unix Printing System); 5353 - MDNS (Multicast DNS, Apple).

9 ICMP Header (big-endian). Bytes 0-3: Type (1 byte), Code (1 byte), Checksum (2 bytes); Bytes 4-7: Identifier (2 bytes), Sequence Number (2 bytes); Bytes 8 onward: Optional Data. Type Field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Time Exceeded (used by traceroute). Type 3 Codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (the UDP "reset": the old IP header and the first 8 bytes of the datagram are returned in the data); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service.

10 Smurf Attack. Attacker 23.45.67.89 sends an ICMP Echo Request (Ping) To: 222.45.6.255 (the Network Broadcast Address of Network 222.45.6.0/24) From: 130.207.225.23 (spoofed). Every host on 222.45.6.0/24 that answers sends an ICMP Echo Response To: 130.207.225.23, so the Victim 130.207.225.23 receives one reply per responding host for each packet the attacker sends. (How is this prevented? Routers do not forward directed broadcasts from outside the network, RFC 2644, and hosts are configured not to answer echo requests addressed to a broadcast address.)
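The ICMP echo header from slide 9 and the Smurf traffic pattern from slide 10, as an added example written for this transcript rather than code from the course. It builds and verifies echo messages with the RFC 1071 checksum, implements the router-side fix (drop datagrams addressed to the broadcast address of a directly connected network, per RFC 2644) and a victim-side detector that flags destinations receiving echo replies from many hosts of a single /24. The traffic is constructed from the slide's addresses; the 10-reflector threshold and the /24 grouping are this example's choices.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; odd length padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_echo(icmp_type, ident, seq, payload=b""):
    """Slide 9's 8-byte echo header: Type, Code (0), Checksum, Identifier, Sequence."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg):
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": msg[8:],
            # summing the whole message, checksum included, must give zero
            "checksum_ok": icmp_checksum(msg) == 0}


def router_forwards(dst, connected_nets):
    """Router-side Smurf fix: refuse to forward a datagram addressed to the
    broadcast address of any directly connected network (RFC 2644; the
    'no ip directed-broadcast' default on Cisco IOS)."""
    d = ipaddress.ip_address(dst)
    return all(d != ipaddress.ip_network(n).broadcast_address for n in connected_nets)


def smurf_victims(packets, min_reflectors=10):
    """Victim-side detection: destinations receiving echo replies from many
    distinct hosts of one /24.  packets are (src, dst, icmp_type) tuples; the
    threshold and the /24 grouping are this example's assumptions."""
    reflectors = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == ICMP_ECHO_REPLY:
            reflectors[dst].add(src)
    hits = {}
    for dst, srcs in reflectors.items():
        per_net = Counter(str(ipaddress.ip_network(s + "/24", strict=False))
                          for s in srcs)
        net, n = per_net.most_common(1)[0]
        if n >= min_reflectors:
            hits[dst] = (net, n)
    return hits


def demo():
    """Constructed traffic using slide 10's addresses: one spoofed request to the
    broadcast address, 50 replies to the victim, and an unrelated ping pair."""
    traffic = [("130.207.225.23", "222.45.6.255", ICMP_ECHO_REQUEST)]   # spoofed
    traffic += [("222.45.6.%d" % i, "130.207.225.23", ICMP_ECHO_REPLY)
                for i in range(1, 51)]
    traffic += [("10.1.1.1", "10.1.1.2", ICMP_ECHO_REQUEST),
                ("10.1.1.2", "10.1.1.1", ICMP_ECHO_REPLY)]
    return {
        "victims": smurf_victims(traffic),
        "router_forwards_attack": router_forwards("222.45.6.255", ["222.45.6.0/24"]),
        "router_forwards_unicast": router_forwards("222.45.6.17", ["222.45.6.0/24"]),
    }


if __name__ == "__main__":
    print(demo())
```

On Linux the host-side half of the fix is the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1, which is the default on current distributions.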

11 TCP Header (Transport Layer) - 20 bytes (big-endian), after the 14-byte Ethernet header and the 20-byte IP header and before the App. Hdr & Data. The 4-bit header-length field holds the length of the TCP header in bytes / 4 (5 for the 20-byte header, more when options are present). TCP Flags, 6 bits: U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin).

12 TCP Three-Way Handshake Flags. Client -> Server: Syn (only); Server -> Client: Syn + Ack; Client -> Server: Ack. Data then flows in segments with Ack set (plus Push, Urgent as needed). A Flag Bit is "present", "set" or "true" if it is a binary 1.

13 TCP Three-Way Disconnect. Host A -> Host B: Fin + Ack (after the last data, sent as Ack with Push, Urgent); Host B -> Host A: Ack, or Reset + Ack. Either A or B can be the Server, so either end may close first.

14 As seen using Wireshark. TCP Initial: SYN, SYN-ACK, ACK. TCP Final: FIN, ACK, FIN-ACK, ACK. TCP SYN and RST-ACK (connection rejected: nothing is listening on the port).

15 TCP State Diagram (figure not reproduced in the transcript; only the "Reset" transition label survived extraction).

16 TCP flag combinations. Columns are Reset, Fin, Syn, Ack (1 = flag set); Urgent and Push are ignored here.
R F S A   Comment
0 0 0 1   OK
0 0 1 0   1st Packet
0 0 1 1   2nd Packet
0 1 0 0   Needs Ack
0 1 0 1   OK
0 1 1 0   Illegal
0 1 1 1   -
1 0 0 0   Needs Ack
1 0 0 1   OK
1 0 1 0   Illegal
1 0 1 1   -
1 1 0 0   -
1 1 0 1   -
1 1 1 0   -
1 1 1 1   -
Illegal flag combinations are used to determine the Operating System, because each TCP stack answers them differently.

17 DoS Exploits using TCP Packets
Land - Source Address = Destination Address (with source port = destination port). Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data sent as out-of-band (Urgent) data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.
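A per-packet checker for the TCP header of slide 11, the flag table of slide 16 and the Land, Winnuke and Urgent-pointer patterns of slide 17, written as an added example for this transcript (not course code). It parses a raw IPv4 + TCP packet with struct, decodes the header-length field (bytes / 4), classifies the R/F/S/A bits against the slide's table, and reports Land (source equals destination), illegal flag combinations, an Urgent pointer that points past the payload, and urgent data to port 139. The packets are constructed with zero checksums; treating the table's blank rows and the all-zero "null" combination as illegal, and the urgent-pointer bound, are this example's assumptions rather than the slide's.

```python
import struct

IP_HDR_LEN = 20
# TCP flag bits, in the U A P R S F order the slides use
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = ((URG, "U"), (ACK, "A"), (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F"))

# Slide 16's table keyed by the (Reset, Fin, Syn, Ack) bits.  Rows the slide
# leaves blank, and the all-zero "null" packet, are treated as illegal here;
# that is this example's assumption, not the slide's.
FLAG_TABLE = {
    (0, 0, 0, 1): "OK",
    (0, 0, 1, 0): "1st packet",
    (0, 0, 1, 1): "2nd packet",
    (0, 1, 0, 0): "Needs Ack",
    (0, 1, 0, 1): "OK",
    (0, 1, 1, 0): "Illegal",
    (1, 0, 0, 0): "Needs Ack",
    (1, 0, 0, 1): "OK",
    (1, 0, 1, 0): "Illegal",
}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Constructed IPv4 + TCP packet (20-byte headers, checksums left at zero)."""
    total_len = IP_HDR_LEN + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst))
    # byte 12 carries the data offset (header length / 4) in its high nibble
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags,
                      65535, 0, urg_ptr)
    return ip + tcp + payload


def parse_packet(pkt):
    """Pull out the IP and TCP fields the checks below need."""
    ihl = (pkt[0] & 0x0f) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP (IP next protocol %d)" % pkt[9])
    sport, dport, seq, ack, off_byte, flags, _win, _csum, urg_ptr = \
        struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    data_off = (off_byte >> 4) * 4          # slide 11: header length = field * 4
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "urg_ptr": urg_ptr,
        "payload_len": total_len - ihl - data_off,
    }


def flag_string(flags):
    return "".join(ch if flags & bit else "-" for bit, ch in FLAG_NAMES)


def classify_flags(flags):
    key = tuple(int(bool(flags & bit)) for bit in (RST, FIN, SYN, ACK))
    return FLAG_TABLE.get(key, "Illegal")


def check_packet(p):
    """Return the slide-17 patterns a simple inline filter can catch per packet."""
    findings = []
    if p["src"] == p["dst"] and p["sport"] == p["dport"]:
        findings.append("Land: source address and port equal destination")
    if classify_flags(p["flags"]) == "Illegal":
        findings.append(f"illegal flag combination {flag_string(p['flags'])}")
    # Urgent pointer beyond the data it is supposed to mark (example's own check;
    # the slide's "pointer = 3" with no data is one instance).
    if p["flags"] & URG and p["urg_ptr"] > p["payload_len"]:
        findings.append(f"URG set with pointer {p['urg_ptr']} beyond "
                        f"{p['payload_len']} payload bytes")
    if p["dport"] == 139 and p["flags"] & URG:
        findings.append("urgent (out-of-band) data to NetBIOS port 139 (WinNuke pattern)")
    return findings


def demo():
    """Constructed packets: a normal SYN, then one packet per attack pattern."""
    cases = {
        "syn": build_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN),
        "land": build_packet("10.0.0.9", "10.0.0.9", 139, 139, SYN),
        "syn_fin": build_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN | FIN),
        "urg3": build_packet("10.0.0.5", "10.0.0.9", 40000, 80, ACK | URG, urg_ptr=3),
        "winnuke": build_packet("10.0.0.5", "10.0.0.9", 40000, 139, ACK | PSH | URG,
                                urg_ptr=1, payload=b"garbage"),
    }
    return {name: check_packet(parse_packet(pkt)) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The same classify_flags lookup is what an OS-fingerprinting tool inverts: it sends the "Illegal" rows on purpose and records which stacks answer with RST, ACK or silence.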

18 TCP Session Hijack
(0) Alice has an established TCP connection with Bob.
(1) Attacker sniffs the network and watches Alice establish the TCP session with Bob.
(2) Attacker runs a DoS attack to silence Alice (her Acks and Resets).
(3) Attacker hijacks the TCP connection by using the correct sequence number.
Off-LAN Attack (cannot sniff), to get by a host-based firewall that trusts Alice's address:
1. Open several TCP connections to Bob, to predict Bob's next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on the predicted Bob's seq. no. (from Alice's IP).
4. Send the exploit to Bob (assume all packets are received OK and Ack'ed).
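The off-LAN procedure above, steps 1 through 4, as an added example for this transcript (not course code). Step 1 is the part that decides whether the attack works at all, so the code models Bob's TCP stack with two constructed ISN generators: the classic fixed per-connection increment, which the attacker extrapolates after sampling a few SYN-ACKs, and the randomised ISNs of RFC 6528, for which the same extrapolation fails. Step 3 is then shown as the list of segments sent with Alice's source address, where only the ACK number (predicted ISN + 1) depends on the guess. Bob's address and port 513 are assumptions; Alice's address is the one on slide 10.

```python
import os
import struct
from collections import Counter

MASK32 = 0xffffffff


def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns):
    """Step 1: extrapolate Bob's next ISN from the SYN-ACKs of connections the
    attacker opened itself.  Returns (prediction, confidence), where confidence
    is the share of observed deltas equal to the most common one: 1.0 for a
    constant-increment generator, low for a random one."""
    deltas = isn_deltas(isns)
    step, count = Counter(deltas).most_common(1)[0]
    return (isns[-1] + step) & MASK32, count / len(deltas)


def blind_hijack_packets(alice, bob, bob_port, predicted_isn, attacker_isn=0x20000000):
    """Steps 3 and 4: the segments sent with Alice's source address.  Bob's
    SYN-ACK goes to the real Alice (silenced in step 2), so the attacker never
    sees it and must fill in the ACK number from the prediction."""
    ack = (predicted_isn + 1) & MASK32
    return [
        {"src": alice, "dst": bob, "dport": bob_port, "flags": "S",
         "seq": attacker_isn, "ack": 0},
        {"src": alice, "dst": bob, "dport": bob_port, "flags": "A",
         "seq": attacker_isn + 1, "ack": ack},
        {"src": alice, "dst": bob, "dport": bob_port, "flags": "PA",
         "seq": attacker_isn + 1, "ack": ack, "data": b"<exploit payload, step 4>"},
    ]


# Two constructed ISN generators standing in for Bob's TCP stack.
def fixed_increment_isns(start=0x1000, step=64000):
    """The old per-connection constant increment that made prediction trivial."""
    isn = start
    while True:
        yield isn
        isn = (isn + step) & MASK32


def random_isns():
    """What RFC 6528-style randomised ISNs look like to the attacker."""
    while True:
        yield struct.unpack("!I", os.urandom(4))[0]


def demo(samples=4):
    """Run the prediction against both generators and return what matters."""
    bob = fixed_increment_isns()
    seen = [next(bob) for _ in range(samples)]       # attacker's own connections
    pred, conf = predict_next_isn(seen)
    actual = next(bob)                                 # ISN Bob uses for the forged SYN
    plan = blind_hijack_packets("130.207.225.23", "130.207.7.15", 513, pred)
    rnd = random_isns()
    rnd_pred, rnd_conf = predict_next_isn([next(rnd) for _ in range(samples)])
    return {"prediction": pred, "actual": actual, "confidence": conf,
            "ack_in_forged_ack": plan[1]["ack"],
            "random_hit": rnd_pred == next(rnd), "random_confidence": rnd_conf}


if __name__ == "__main__":
    print(demo())
```

With randomised ISNs the attacker is reduced to guessing a 32-bit value blind, which is why modern stacks make step 1 the hard part; the sniffing variant (steps 0 to 3 above) sidesteps it by reading the real sequence numbers off the wire.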
