
Microsoft IT Forum 2004 Europe

SEC400
TCP/IP for Security Administrators

Microsoft Corporation


The OSI model

7. application

6. presentation

5. session

4. transport

3. network

2. link

1. physical


The real world

Four layers are sufficiently representative:

4. application   HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS, …
3. transport     TCP, UDP, IPsec
2. network       IP, ICMP, IGMP
1. interface     ARP, RARP

(ping is listed with the applications because it is a tool you run; on the wire it is ICMP echo, a network-layer message.)

Interface Layer Protocols


ARP
Address Resolution Protocol, RFC 826

MAC addresses are 48 bits; IP addresses are 32 bits. How does a host learn the MAC address that belongs to an IP address?
ARP to the rescue: resolves IP to MAC
Simple two-frame conversation
Broadcast question ("who-has"); unicast response ("is-at")
Replies kept in a cache to reduce the number of broadcasts
Cache entries time out because addresses do change (the classic BSD default is 20 minutes; the timeout is implementation-specific and other stacks use shorter timers)

ARP format (Ethernet/IPv4: 28 bytes)

 0               8               16              24              31
+--------------------------------+--------------------------------+
|         hardware type          |         protocol type          |
+----------------+---------------+--------------------------------+
|   HA length    |  PA length    |           operation            |
+----------------+---------------+--------------------------------+
|                 sender MAC address (bytes 0-3)                  |
+--------------------------------+--------------------------------+
| sender MAC address (bytes 4-5) | sender IP address (bytes 0-1)  |
+--------------------------------+--------------------------------+
| sender IP address (bytes 2-3)  | target MAC address (bytes 0-1) |
+--------------------------------+--------------------------------+
|                 target MAC address (bytes 2-5)                  |
+-----------------------------------------------------------------+
|                  target IP address (bytes 0-3)                  |
+-----------------------------------------------------------------+

hardware type: 1 = Ethernet; protocol type: 0x0800 = IPv4; HA length: 6; PA length: 4
operation: 1 = ARP request, 2 = ARP reply


ARP operation

1.1.1.1 (broadcast to everyone on the segment): who-has 1.1.1.2? tell 1.1.1.1
1.1.1.2 (unicast back to 1.1.1.1): 1.1.1.2 is-at 00:11:22:33:44:55
1.1.1.1 caches the answer and from now on addresses its frames for 1.1.1.2 to that MAC


ARP Man In The Middle attack

An attacker on the same segment sends 1.1.1.1 a forged reply: 1.1.1.2 is-at <attacker's MAC>
1.1.1.1 overwrites its cache entry; frames meant for 1.1.1.2 now go to the attacker, who can read or alter them before passing them on to the real 1.1.1.2
Nothing in ARP lets 1.1.1.1 tell a genuine reply from a forged one, and a reply is accepted whether or not a request was ever sent

ARP defenses
None built into the protocol
arpwatch: monitoring tool that records IP-to-MAC bindings and reports when one changes
Needs a mirror (SPAN) port that sees all traffic on the switch
Switch features
Allow only one MAC address per port ("port security")
Stops people from using hubs
Compare requests and replies to other mapping information (static tables, DHCP leases)
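To make the ARP format and the arpwatch-style defense concrete, here is an added example (my code, not part of the SEC400 deck): it builds and parses ARP packets with the field layout above, then runs a small monitor over three constructed packets, the who-has/is-at exchange from the previous slide followed by a forged is-at for the same address. The alert strings, the 20-minute-style cache and the "outstanding request" bookkeeping are this example's own design, modelled on what arpwatch reports; the MAC and IP values are made up.

```python
import struct
from collections import namedtuple

# Ethernet/IPv4 ARP packet, RFC 826 (28 bytes):
#   hardware type(2) | protocol type(2) | HA len(1) | PA len(1) | operation(2)
#   sender MAC(6) | sender IP(4) | target MAC(6) | target IP(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)          # 28
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2

ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP packet (the payload of an Ethernet frame with type 0x0806)."""
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(data):
    """Decode an ARP packet; rejects anything that is not Ethernet/IPv4 with the expected lengths."""
    if len(data) < ARP_LEN:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))

class ArpMonitor:
    """arpwatch-style observer for a mirror port: learns IP->MAC bindings from every ARP packet
    (requests carry the sender's binding too) and reports (1) a binding that changes and
    (2) a reply for which no request was seen, the two signatures of the MITM slide."""
    def __init__(self):
        self.bindings = {}        # ip -> mac as last seen on the wire
        self.outstanding = set()  # IPs somebody asked about and nobody has answered yet

    def observe(self, pkt):
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.outstanding.add(pkt.target_ip)
        elif pkt.op == ARP_REPLY:
            if pkt.sender_ip not in self.outstanding:
                alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            self.outstanding.discard(pkt.sender_ip)
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append(f"changed ethernet address: {pkt.sender_ip} {known} -> {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        return alerts

def demo():
    """Constructed traffic: a normal who-has/is-at exchange, then a forged is-at for the same IP."""
    monitor = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, "00:11:22:33:44:01", "1.1.1.1", "00:00:00:00:00:00", "1.1.1.2"),
        build_arp(ARP_REPLY,   "00:11:22:33:44:55", "1.1.1.2", "00:11:22:33:44:01", "1.1.1.1"),
        build_arp(ARP_REPLY,   "0a:0b:0c:0d:0e:0f", "1.1.1.2", "00:11:22:33:44:01", "1.1.1.1"),  # attacker
    ]
    return [monitor.observe(parse_arp(f)) for f in frames]

if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The third packet trips both checks at once: nobody asked about 1.1.1.2 after the first answer, and the binding differs from the one already cached. A real monitor sees both legitimate reasons for a change (a replaced NIC, a DHCP lease moving) and attacks, so it reports rather than blocks; the switch-side controls on the slide are what actually stop the forged frame.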


Network Layer Protocols

IP
Internet Protocol, RFC 791

IP is a lousy network protocol!

Unreliable: no delivery guarantees
May send an ICMP message to the source if delivery fails
Connectionless: no state maintained
Datagrams routed independently and in no particular order
Best effort: packets are not dropped capriciously, but nothing prevents it
Has one job: to route datagrams
Relies on the transport layer for improvements
Hosts must implement error detection, correction and recovery themselves


IP format

 0       4       8               16                              31
+-------+-------+----------------+--------------------------------+
|version| hdr   |  type of       |        datagram length         |
|       | length|  service       |                                |
+-------+-------+----------------+-----+--------------------------+
|         identification         |flags|     fragment offset      |
+----------------+---------------+-----+--------------------------+
|  time to live  | next protocol |        header checksum         |
+----------------+---------------+--------------------------------+
|                        source IP address                        |
+-----------------------------------------------------------------+
|                     destination IP address                      |
+-----------------------------------------------------------------+
|           options, if any (variable length) (padding)           |
+-----------------------------------------------------------------+

version: 4
header length: in 32-bit words (5 = 20 bytes, no options)
TOS: differentiated services codepoints (no guarantee of honoring)
datagram length, ID, flags, offset: for fragmentation (will examine later)
TTL: max. hops through the network (decremented by each router); common defaults are 64 (Linux, BSD) and 128 (Windows)
next protocol: TCP, 6 | UDP, 17 | ICMP, 1 | IPsec AH, 51 | IPsec ESP, 50
header checksum: 16-bit one's complement of the one's complement sum of the header words
options: restrictions, record route, record timestamp, source routing

IP routing
Two types of network nodes:
Hosts
Don't forward datagrams between interfaces
Routers
Do forward datagrams between interfaces
Hosts can be routers if appropriate software is installed and enabled
Presents security risks: a multi-homed host that forwards joins networks that were meant to stay separate


IP routing operation

[Figure: a datagram from 9.8.7.6 for 1.1.1.5 arrives at router 1.1.1.254, which fronts network 1.1.1.0/24 with hosts 1.1.1.1 through 1.1.1.5]

Router: "Is it to my IP?" No: search the routing table, decrement TTL, forward onto 1.1.1.0/24
Each host on 1.1.1.0/24: "Is it to my IP?" Only 1.1.1.5 answers yes and passes the datagram up the stack

IP checksum is not security

Intended for error detection only:
A computes the checksum and adds it to the header
B computes it again and compares with the included sum

Attacker:
Intercepts the datagram
Spoofs the addresses
Computes a new checksum, and B is none the wiser


Source routing

[Figure: attacker on the outside; border router 131.107.0.254; internal router 10.0.0.254; internal host 10.0.0.1]

SA: <doesn't matter>
DA: 10.0.0.1
SR: via 131.107.0.254

A source-routed datagram tells the routers which path to take, so an outside host can reach a private internal address through the border router regardless of what the normal routing tables say. Drop source-routed datagrams at the border.

ICMP
Internet Control Message Protocol, RFC 792

IP's "message delivery" service

Reports errors
Asks and answers questions
Encapsulated in IP
Messages might need to be routed
Considered a network layer protocol
Error reports always include the IP header plus the first 64 bits (8 bytes) of the error-causing datagram
Helps determine which protocol and application caused the error (those 8 bytes cover the TCP or UDP port numbers)


ICMP format

 0               8               16                              31
+----------------+---------------+--------------------------------+
|      type      |     code      |            checksum            |
+----------------+---------------+--------------------------------+
|       content (variable length; depends on type and code)       |
+-----------------------------------------------------------------+

type: message type
code: sub-message type

ICMP messages

Type  Code  Description                                              Query/Error
 0     0    echo reply                                               query
 3          destination unreachable                                  error
       0    network unreachable
       1    host unreachable
       2    protocol unreachable
       3    port unreachable
       4    fragmentation needed but don't-fragment bit is set
       5    source route failed
       6    destination network unknown
       7    destination host unknown
       8    source host isolated (obsolete)
       9    destination network administratively prohibited
      10    destination host administratively prohibited
      11    network unreachable for type of service (DiffServ)
      12    host unreachable for type of service (DiffServ)
      13    communication administratively prohibited by filtering
      14    host precedence violation
      15    precedence cutoff in effect
 4     0    source quench                                            error
 5          redirect                                                 error
       0    for network
       1    for host
       2    for type of service and network
       3    for type of service and host
 8     0    echo request                                             query
 9     0    router advertisement                                     query
10     0    router solicitation                                      query
11          time exceeded                                            error
       0    TTL = 0 during transit
       1    TTL = 0 during reassembly
12          parameter problem                                        error
       0    IP header bad (catch-all error)
       1    required option missing
13     0    timestamp request                                        query
14     0    timestamp reply                                          query
15     0    information request (obsolete)                           query
16     0    information reply (obsolete)                             query
17     0    address mask request                                     query
18     0    address mask reply                                       query


ICMP echo

 0               8               16                              31
+----------------+---------------+--------------------------------+
|      type      |     code      |            checksum            |
+----------------+---------------+--------------------------------+
|           identifier           |        sequence number         |
+--------------------------------+--------------------------------+
|                 optional data (variable length)                 |
+-----------------------------------------------------------------+

type: 8 = request, 0 = reply
code: 0
identifier, sequence number: for matching replies to requests
data: returned to the sender unchanged

ICMP reconnaissance attacks

"Port unreachable" = port closed (so a UDP probe that gets no answer at all is hitting an open or filtered port)
"Host unreachable" = host doesn't exist
Every error message your border lets out tells a scanner something about the inside


ICMP DoS attacks

Ping attacks (echo request floods)
Unreachable attacks
Forged messages can be used to reset existing connections: a spoofed "port unreachable" or "protocol unreachable" quoting an existing TCP connection makes the host abort it

DDoS constellation ("smurf" variant)

[Figure: the attacker "wakes up" a network of amplifiers by sending one echo request to that network's broadcast address with the victim's address as source ("Ping!"); every host on it answers ("Reply!"), and all the replies land on the victim]


ICMP defenses
Limit which ICMP types and codes you allow into your network
Keep type 3 code 4 ("fragmentation needed") flowing, or path MTU discovery breaks
Don't permit "unreachable" messages outside your border
Let the absence of a reply imply a problem: silence tells an outsider less than an error message does
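The three ICMP slides above (what an error message quotes, what a scanner reads from it, and what a border should let through) come together in this added example, which is my own code and not from the deck. It decodes echo and error messages, digs the protocol and port numbers out of the quoted datagram, turns a "port unreachable" into the scanner's conclusion, and applies an illustrative border policy. The policy sets, the constructed sample messages and the address values are assumptions made for the demonstration; checksums are left at zero because nothing here reaches a wire.

```python
import struct
from ipaddress import IPv4Address

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, REDIRECT, TIME_EXCEEDED, PARAM_PROBLEM}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed but DF set",
                 9: "network administratively prohibited", 10: "host administratively prohibited",
                 13: "communication administratively prohibited by filtering"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_icmp(data):
    """Decode an ICMP message. Error messages quote the IP header and the first 8 bytes (64 bits)
    of the datagram that caused them; that is enough to recover protocol and port numbers."""
    if len(data) < 8:
        raise ValueError("ICMP message too short")
    mtype, code, _csum = struct.unpack("!BBH", data[:4])
    msg = {"type": mtype, "code": code}
    if mtype in (ECHO_REQUEST, ECHO_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", data[4:8])
        msg["data"] = data[8:]
    elif mtype in ERROR_TYPES:
        inner = data[8:]                       # the quoted (offending) datagram
        if len(inner) < 20:
            raise ValueError("error message does not quote an IP header")
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        orig = {"proto": proto, "src": str(IPv4Address(inner[12:16])),
                "dst": str(IPv4Address(inner[16:20]))}
        l4 = inner[ihl:ihl + 8]
        if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with source port, destination port
            orig["sport"], orig["dport"] = struct.unpack("!HH", l4[:4])
        msg["orig"] = orig
    return msg

def recon_meaning(msg):
    """What a scanner learns from an unreachable that leaves the network."""
    if msg["type"] != DEST_UNREACH:
        return None
    o = msg.get("orig", {})
    if msg["code"] == 3 and "dport" in o:
        return f"{o['dst']} {PROTO_NAMES.get(o['proto'], o['proto'])}/{o['dport']} closed"
    if msg["code"] == 1:
        return f"{o.get('dst')} does not exist"
    return f"{o.get('dst')}: {UNREACH_CODES.get(msg['code'], 'unreachable, code %d' % msg['code'])}"

# Illustrative border policy (an assumption, not from the slides): inbound, allow only what our
# own outbound traffic needs back (echo replies, path-MTU "fragmentation needed", TTL exceeded
# for traceroute); outbound, never let unreachables leave.
INBOUND_ALLOW = {(ECHO_REPLY, 0), (DEST_UNREACH, 4), (TIME_EXCEEDED, 0), (TIME_EXCEEDED, 1)}
OUTBOUND_DENY_TYPES = {DEST_UNREACH}

def border_permits(direction, msg):
    if direction == "in":
        return (msg["type"], msg["code"]) in INBOUND_ALLOW
    return msg["type"] not in OUTBOUND_DENY_TYPES

def make_unreachable(code, orig_src, orig_dst, proto, sport, dport):
    """Constructed sample: a destination-unreachable quoting a 20-byte IP header plus 8 bytes of
    transport header. Checksums stay zero because nothing here is put on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                         IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    l4_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", DEST_UNREACH, code, 0, 0) + ip_hdr + l4_hdr

def demo():
    reply = parse_icmp(make_unreachable(3, "10.0.0.1", "10.0.0.5", 17, 40000, 161))
    echo = parse_icmp(struct.pack("!BBHHH", ECHO_REPLY, 0, 0, 0x1234, 7) + b"abc")
    return {"learned": recon_meaning(reply),
            "unreachable leaves border": border_permits("out", reply),
            "echo reply enters": border_permits("in", echo),
            "echo seq": echo["seq"]}
```

The "port unreachable" for 10.0.0.5 udp/161 is exactly the answer a UDP scanner wants; the policy function refuses to let it out, so the scanner is left with the silence the slide recommends. Note that the same unreachable is also refused inbound, while the one code the policy does admit, fragmentation needed, is what keeps path MTU discovery working for your own connections.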

Transport Layer Protocols


UDP
User Datagram Protocol, RFC 768

Datagram-oriented
vs. TCP's stream orientation (later)
No transport reliability
No delivery guarantees
Some applications work better with app-level error handling

UDP format

 0               8               16                              31
+--------------------------------+--------------------------------+
|          source port           |        destination port        |
+--------------------------------+--------------------------------+
|             length             |            checksum            |
+--------------------------------+--------------------------------+
|                     data (variable length)                      |
+-----------------------------------------------------------------+

checksum: computed over a pseudo-header (source and destination IP addresses, protocol number, length) plus the entire UDP packet (header and data); optional over IPv4, where a transmitted value of zero means "not computed"


Port loopback attack ("pingpong")

Spoof! One datagram with source A:19/udp (chargen) and destination B:7/udp (echo): B echoes it back to A's chargen port, chargen answers with a stream of characters, and the two services bounce traffic at each other until somebody intervenes

UDP defenses
Use application-aware proxies to improve security
Don't expose applications that you don't need, in particular the "small services":
echo
daytime
chargen


TCP
Transmission Control Protocol, RFC 793

Connection-oriented, reliable, full-duplex byte stream transport service
Many decisions are made by the protocol, not the applications:
Segment size (amount of data per packet)
Acknowledgement of packet receipt
Retransmission of unacknowledged packets
Resequencing of out-of-order packets
Flow control

TCP format

 0               8               16                              31
+--------------------------------+--------------------------------+
|          source port           |        destination port        |
+--------------------------------+--------------------------------+
|                         sequence number                         |
+-----------------------------------------------------------------+
|                     acknowledgement number                      |
+-------+-----------+------------+--------------------------------+
|header | reserved  |   flags    |          window size           |
|length |           |            |                                |
+-------+-----------+------------+--------------------------------+
|            checksum            |         urgent pointer         |
+--------------------------------+--------------------------------+
|               options (if any) (variable length)                |
+-----------------------------------------------------------------+
|                     data (variable length)                      |
+-----------------------------------------------------------------+

seq/ack numbers: track session state; indicate which byte we're on
flags: urgent | acknowledge | push | reset | synchronize | finish
window size: flow control
checksum: computed over a pseudo-header (source and destination IP addresses, protocol number, length) plus the entire TCP packet (header and data); mandatory, unlike UDP's
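The "IP checksum is not security" slide and the UDP and TCP checksum descriptions above all rest on the same arithmetic, so one added example serves both (my code, not the deck's): the RFC 1071 one's complement sum, an IPv4 header built and verified with it, the attacker's move of rewriting the source address and recomputing, and the pseudo-header that UDP and TCP fold in so a segment delivered to the wrong host fails its check. The addresses, ports and payload are constructed for the demonstration; nothing here is sent anywhere.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data):
    """RFC 1071 Internet checksum: 16-bit one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # an odd trailing byte is padded with zero for the sum
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ident=1, ttl=128):
    """20-byte IPv4 header with no options and a correct header checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                              IPv4Address(src).packed, IPv4Address(dst).packed))
    h[10:12] = struct.pack("!H", inet_checksum(bytes(h)))
    return bytes(h)

def ipv4_checksum_ok(hdr):
    """A header whose checksum field is correct sums (field included) to zero."""
    ihl = (hdr[0] & 0x0F) * 4
    return inet_checksum(hdr[:ihl]) == 0

def spoof_source(hdr, new_src):
    """What the slide's attacker does: rewrite the source address, zero the checksum, recompute it."""
    ihl = (hdr[0] & 0x0F) * 4
    h = bytearray(hdr[:ihl])
    h[12:16] = IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", inet_checksum(bytes(h)))
    return bytes(h)

def pseudo_header(src, dst, proto, length):
    """IP fields that UDP and TCP mix into their checksum (RFC 768 / RFC 793)."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, proto, length)

def udp_datagram(src, dst, sport, dport, data):
    length = 8 + len(data)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo_header(src, dst, 17, length) + hdr + data)
    csum = csum or 0xFFFF                     # RFC 768: a transmitted zero means "no checksum", so send all-ones instead
    return hdr[:6] + struct.pack("!H", csum) + data

def tcp_segment(src, dst, sport, dport, seq, ack, flags, data=b""):
    """Options-free TCP segment: data offset 5 words, window 4096, urgent pointer 0."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 4096, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, 6, 20 + len(data)) + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data

def transport_checksum_ok(src, dst, proto, segment):
    return inet_checksum(pseudo_header(src, dst, proto, len(segment)) + segment) == 0

def demo():
    """Constructed datagram 10.0.0.1 -> 10.0.0.2; the attacker substitutes 192.0.2.9 as source."""
    hdr = ipv4_header("10.0.0.1", "10.0.0.2", 17, 12)
    clumsy = hdr[:12] + IPv4Address("192.0.2.9").packed + hdr[16:]   # address changed, checksum not
    spoofed = spoof_source(hdr, "192.0.2.9")
    udp = udp_datagram("10.0.0.1", "10.0.0.2", 40000, 53, b"ping")
    tcp = tcp_segment("10.0.0.1", "10.0.0.2", 1037, 23, 1415531521, 0, 0x02)   # SYN
    return {
        "original ok": ipv4_checksum_ok(hdr),
        "clumsy spoof ok": ipv4_checksum_ok(clumsy),        # a router discards this one
        "recomputed spoof ok": ipv4_checksum_ok(spoofed),   # ... and accepts this one
        "udp ok": transport_checksum_ok("10.0.0.1", "10.0.0.2", 17, udp),
        "udp moved to other host ok": transport_checksum_ok("10.0.0.1", "10.0.0.3", 17, udp),
        "tcp ok": transport_checksum_ok("10.0.0.1", "10.0.0.2", 6, tcp),
    }
```

Two results carry the lesson. The recomputed spoof verifies exactly as the original did, which is the whole of the "not security" slide: the checksum guards against line noise, and anyone who can write the packet can write the checksum. The pseudo-header result shows the one thing it does buy you: a segment that a misrouting NIC or a sloppy NAT delivers to 10.0.0.3 instead of 10.0.0.2 fails the check, because the destination address was part of the sum.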


TCP connection establishment ("three way handshake")

1. A sends a packet to B with: SYN set; destination port number; A's ISN (initial sequence number)
2. B sends a packet to A with: SYN set; ACK set; B's ISN; acknowledgement number = A's ISN + 1
3. A sends a packet to B with: ACK set; acknowledgement number = B's ISN + 1

TCP connection establishment

A.1037 > B.23: S 1415531521:1415531521(0) win 4096 <mss 1024>
B.23 > A.1037: S 1823083521:1823083521(0) ack 1415531522 win 4096 <mss 1024>
A.1037 > B.23: . ack 1823083522 win 4096

ack 1415531522 = A's sequence number + 1
ack 1823083522 = B's sequence number + 1


TCP connection termination ("four way close")

1. A sends a packet to B with: FIN and ACK set; A's next sequence number; acknowledgement of B's next sequence number
2. B sends a packet to A with: ACK set; acknowledgement number = A's FIN sequence number + 1
3. B sends a packet to A with: FIN and ACK set; B's next sequence number; the same acknowledgement number
4. A sends a packet to B with: ACK set; acknowledgement number = B's FIN sequence number + 1
Each direction is closed on its own; B may still send data between steps 2 and 3

TCP connection termination

A.1037 > B.23: F 1415531522:1415531522(0) ack 1823083522 win 4096
B.23 > A.1037: . ack 1415531523 win 4096
B.23 > A.1037: F 1823083522:1823083522(0) ack 1415531523 win 4096
A.1037 > B.23: . ack 1823083523 win 4096

ack 1415531523 = A's FIN sequence number + 1
ack 1823083523 = B's FIN sequence number + 1


TCP connection reset

An immediate "go away"
Never acknowledged

B sends a packet to A with:
• RST set
• As sequence number, the number A's segment acknowledged (RFC 793: if A's segment carried no ACK, sequence number 0 with ACK set to A's sequence number + 1)
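The handshake, four-way close and reset slides describe one small state machine, so here it is as an added example (my own code, not the deck's), with no data transfer, retransmission or options: two endpoints exchange segments, each SYN and FIN consumes one sequence number, and the resulting trace is printed in the tcpdump notation of the slides. Using the ISNs from the slides reproduces their traces line for line. The reset demo plays the "Huh?" case: A receives a SYN+ACK for a connection it never opened (someone forged a SYN with A's address, a value of 5000 chosen for the demo) and answers with RST, which B acts on without acknowledging.

```python
from collections import namedtuple

# Flag bits as they sit in the TCP header's flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
Segment = namedtuple("Segment", "src dst flags seq ack")

def describe(seg):
    """Render a segment in the classic tcpdump notation used on the slides (options omitted)."""
    letters = "".join(l for bit, l in ((SYN, "S"), (FIN, "F"), (RST, "R")) if seg.flags & bit) or "."
    seqpart = "" if letters == "." else f" {seg.seq}:{seg.seq}(0)"
    ackpart = f" ack {seg.ack}" if seg.flags & ACK else ""
    return f"{seg.src} > {seg.dst}: {letters}{seqpart}{ackpart} win 4096"

class Endpoint:
    """Minimal TCP state machine: only open, close and reset. snd_nxt and rcv_nxt are the
    RFC 793 send/receive sequence variables."""
    def __init__(self, name, isn, listening=False):
        self.name, self.state = name, ("LISTEN" if listening else "CLOSED")
        self.snd_nxt = isn          # next sequence number we will send (starts at our ISN)
        self.rcv_nxt = 0            # next sequence number we expect from the peer

    def _seg(self, dst, flags):
        seg = Segment(self.name, dst, flags, self.snd_nxt, self.rcv_nxt if flags & ACK else 0)
        self.snd_nxt += bool(flags & SYN) + bool(flags & FIN)   # SYN and FIN each consume one sequence number
        return seg

    def connect(self, dst):                  # active open
        self.state = "SYN_SENT"
        return [self._seg(dst, SYN)]

    def close(self, dst):                    # active close
        self.state = "FIN_WAIT_1"
        return [self._seg(dst, FIN | ACK)]

    def receive(self, seg):
        """Process one incoming segment and return whatever we send back."""
        peer, f, st = seg.src, seg.flags, self.state
        acks_us = bool(f & ACK) and seg.ack == self.snd_nxt       # acknowledges everything we sent
        if f & RST:                                               # "go away": drop it all, answer nothing
            self.state = "CLOSED"
            return []
        if st == "LISTEN" and f & SYN:                            # passive open: SYN -> SYN+ACK
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECEIVED"
            return [self._seg(peer, SYN | ACK)]
        if st == "SYN_SENT" and f & SYN and acks_us:              # our SYN was answered; ACK completes the handshake
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return [self._seg(peer, ACK)]
        if st == "SYN_RECEIVED" and acks_us:
            self.state = "ESTABLISHED"
            return []
        if st == "ESTABLISHED" and f & FIN:                       # passive close: ACK their FIN, then send ours
            self.rcv_nxt, self.state = seg.seq + 1, "LAST_ACK"
            return [self._seg(peer, ACK), self._seg(peer, FIN | ACK)]
        if st == "FIN_WAIT_1" and acks_us:
            self.state = "FIN_WAIT_2"
            return []
        if st == "FIN_WAIT_2" and f & FIN:
            self.rcv_nxt, self.state = seg.seq + 1, "TIME_WAIT"
            return [self._seg(peer, ACK)]
        if st == "LAST_ACK" and acks_us:
            self.state = "CLOSED"
            return []
        if st == "CLOSED" and f & ACK:                            # "Huh?": a SYN+ACK for a connection we never opened
            return [Segment(self.name, peer, RST, seg.ack, 0)]    # RST carries the number the peer expects next
        return []                                                 # anything else (wrong ack number, stray segment) is dropped

def exchange(endpoints, queue):
    """Deliver segments in order until nothing is left; return the tcpdump-style trace."""
    trace = []
    while queue:
        seg = queue.pop(0)
        trace.append(describe(seg))
        queue.extend(endpoints[seg.dst].receive(seg))
    return trace

def demo():
    """Re-create the slides' traces: A.1037 opens to B.23 and later closes; ISNs as on the slides."""
    a, b = Endpoint("A.1037", 1415531521), Endpoint("B.23", 1823083521, listening=True)
    ends = {a.name: a, b.name: b}
    handshake = exchange(ends, a.connect(b.name))
    teardown = exchange(ends, a.close(b.name))
    return handshake, teardown, (a.state, b.state)

def reset_demo():
    """A SYN forged with A's address (ISN 5000, chosen for the demo) reaches B; B's SYN+ACK goes to the
    real A, which answers with RST; B drops the half-open connection."""
    a, b = Endpoint("A.1037", 1415531521), Endpoint("B.23", 1823083521, listening=True)
    ends = {a.name: a, b.name: b}
    return exchange(ends, [Segment("A.1037", "B.23", SYN, 5000, 0)]), b.state
```

Two details worth noticing in the code: every transition that moves the connection forward checks that the acknowledgement number matches what we actually sent (the `acks_us` test), which is the single check the sequence-number-prediction attack later in the deck has to defeat; and the RST path returns nothing, which is the "never acknowledged" line of the slide.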

MSS (maximum segment size)

Largest "chunk" of data TCP sends in one segment
Each side announces its own in its SYN; a sender never exceeds what the peer announced, so in effect the lower of the two is used
On Ethernet it can go as high as 1460

TCP segment payload (data): 1460 bytes
IP datagram payload (TCP header + data): 1480 bytes
Ethernet frame payload (IP header + datagram): 1500 bytes
Ethernet frame total, with 14-byte header and 4-byte FCS: 1518 bytes


Sequence number prediction

[Figure: E (attacker), A (host B trusts), B (target)]

1. E sends B a SYN with source = A and ISN_E
2. B answers A, not E, with SYN set, ACK set, ISN_B, ACK = ISN_E + 1
3. A never sent a SYN ("Huh?") and answers B with RST
4. E, which never saw ISN_B, sends B an ACK with source = A and ACK = ISN_B + 1 (predicted!)
5. If the prediction is right, B believes it has an established connection with A

TCP defenses
Better sequence number generation
Random
Cryptographic (e.g. RFC 1948: ISN derived from a keyed hash of the connection's addresses and ports plus a secret)
Router rules to block spoofed packets (drop inbound packets that claim an internal source address, and outbound packets that don't carry one of yours)
TCP attacks of this kind are almost always spoofed
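To show why the generator matters, here is an added example (my code, not from the deck) that plays the prediction slide against three ISN generators: a predictable counter, a random one, and an RFC 1948-style keyed hash. The counter's fixed stride of 64000 per connection is an assumption in the spirit of old BSD stacks, with the clock component left out so the run is deterministic; the RFC 1948 generator uses HMAC-SHA-256 where the RFC proposed MD5, and a per-connection increment in place of the RFC's clock. The attacker's strategy is the simplest one: sample two ISNs from B on its own connections and extrapolate the stride. Names, ports and values are made up.

```python
import hashlib, hmac, secrets, struct

MASK32 = 0xFFFFFFFF

class CounterIsn:
    """Predictable generator (assumption for the demo: fixed stride of 64000 per connection)."""
    def __init__(self, start=1415531521):
        self.value = start
    def isn(self, src, sport, dst, dport):
        self.value = (self.value + 64000) & MASK32
        return self.value

class RandomIsn:
    """Fully random ISN: unpredictable, at the price of occasionally colliding with an old incarnation."""
    def isn(self, src, sport, dst, dport):
        return secrets.randbits(32)

class Rfc1948Isn:
    """RFC 1948 style: ISN = M + F(src, sport, dst, dport, secret). M still advances monotonically
    (here by 64000 per connection instead of a clock); F is a keyed hash the attacker cannot
    compute without the secret, so ISNs seen on E's own connections say nothing about A->B."""
    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.m = 0
    def isn(self, src, sport, dst, dport):
        self.m = (self.m + 64000) & MASK32
        key = f"{src}:{sport}>{dst}:{dport}".encode()
        f = struct.unpack("!I", hmac.new(self.secret, key, hashlib.sha256).digest()[:4])[0]
        return (self.m + f) & MASK32

def predict_next(observed):
    """Attacker's guess: assume a constant stride between consecutive ISNs."""
    last, prev = observed[-1], observed[-2]
    return (last + (last - prev)) & MASK32

def spoof_attempt(gen):
    """One round of the slide: E samples two ISNs from B on its own connections, then sends a SYN
    to B as A. B's SYN+ACK (carrying ISN_B) goes to A, not E, so E must guess ISN_B for the final
    ACK. Returns True if B would accept E's ACK."""
    seen = [gen.isn("E", 40000, "B", 23), gen.isn("E", 40001, "B", 23)]
    guessed_ack = (predict_next(seen) + 1) & MASK32
    isn_b = gen.isn("A", 1037, "B", 23)           # B's real ISN for the spoofed A->B connection
    return guessed_ack == ((isn_b + 1) & MASK32)

def hit_rate(gen, trials=20):
    """How many of `trials` spoofed handshakes B would accept."""
    return sum(spoof_attempt(gen) for _ in range(trials))
```

Against the counter every attempt lands; against either of the other two the attacker's extrapolation is no better than a 1-in-2^32 guess. The RFC 1948 variant keeps the monotonic M the protocol wants (it protects against old duplicate segments) while moving all the unpredictability into a per-connection offset that only the host's secret determines. That is the "cryptographic" bullet on the slide; pairing it with the router rules is what removes the spoofed SYN in step 1 in the first place.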


© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

