
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Slides 11 - Fun with TCP/IP

4/15/2013

Ethernet Header (MAC or Link Layer)

Frame layout: Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data (all three headers big-endian)

Bytes 0 - 5: Destination Address (6 bytes)
Bytes 6 - 11: Source Address (6 bytes)
Bytes 12 - 13: Next Protocol # (EtherType), MSB first
Next Level Protocol Header follows (0x0800 -> IP, 0x0806 -> ARP)

IP Header (Network Layer)

Frame layout: Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data (all three headers big-endian)

Fields called out on the slide: Length (total length of header plus data), Frag. Flags, Fragment Offset (stored in units of 8 bytes), Next Protocol.

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags (3 bits): 001 = More Fragments (MF), 010 = Do Not Fragment (DF); the high bit is reserved and must be zero.

Fragmented Packet

Original datagram from a Token Ring (larger MTU than Ethernet): IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data - 3300 bytes, i.e. 3320 bytes of IP payload, too much for one Ethernet frame. The slide splits it into 1280-byte fragments:

Fragment 1: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes + 1260 bytes of App. Hdr & Data = 1280 bytes
Fragment 2: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data - 1280 bytes
Fragment 3: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data - 760 bytes

Total carried = 20 + 1260 + 1280 + 760 = 3320 bytes (the TCP header plus 3300 bytes of App. Header and Data). The offsets are stored in the header divided by 8 (160 and 320). Only the first fragment contains the TCP header, so a filter that looks at TCP ports sees nothing useful in fragments 2 and 3.

The IP Identification (fragment ID) number is the same for each fragment; the receiver uses it, together with the source, destination and protocol, to know which fragments belong together.



Ping of Death

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes

Fragments are reassembled in a packet buffer of 65,535 bytes in memory. The Ping of Death fragment claims an offset (65,500) plus length (1000) that ends past 65,535, so the reassembly overflows the buffer and corrupts the next buffer, crashing older versions of Windows. Ping was used because "ping -s 66500" used to work: the sending host fragmented the oversized datagram without checking the 65,535-byte limit (modern ping implementations refuse payloads over 65,507 bytes). fragrouter is a network utility that generates bad fragments.

Fragmented Packets as seen by tcpdump

# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'     <- filter for seeing fragments: ip[6:2] is the flags + fragment-offset word; masking off the reserved and DF bits leaves MF and the offset, which are both zero only for an unfragmented datagram

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)     <- very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)     <- very small fragments

22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)     <- very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)     <- very small, isolated fragment; note the close times and different IPs

43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset in bytes (the header field holds Offset/8); + means the More Fragments bit is set. Only the first fragment (offset 0) shows ports and sequence numbers, because only it carries the TCP header.

Wireshark display filters: ip.fragment and ip.fragment.X where X can be: count == [number], error, overlap, overlap.conflict, multipletails, toolongfragment.
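The fragmentation arithmetic of the Fragmented Packet slide, the buffer overrun of Ping of Death, the overlapping fragments of Teardrop (slide 17) and the tcpdump ID:length@offset notation, worked in code. This is an added example, not code from the slides: it builds raw IPv4 headers with Python's struct module, splits the slide's 3320-byte datagram (20-byte TCP header plus 3300 bytes of application data, constructed here as filler) into 1280-byte fragments with IP ID 43660, and reassembles them while rejecting the malformed cases. The addresses are taken from the tcpdump output above; the Teardrop and Ping of Death fragments are constructed, and the offset 65,528 is the largest multiple of 8 that fits the 13-bit field (the slide's 65,500 is a rounded figure).

```python
# Added example, not code from the slides: IPv4 fragmentation and reassembly
# with the malformed cases the slides describe (Ping of Death, Teardrop).
# The datagram, the Teardrop and Ping of Death fragments are constructed.
import struct

IP_DF = 0x4000        # Don't Fragment: flags value 010 in the 3-bit field
IP_MF = 0x2000        # More Fragments: flags value 001
IP_MAX_LEN = 65535    # largest IPv4 datagram; the reassembly buffer on the slide


def ip_checksum(data):
    """Ones'-complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(ident, flags_offset, proto, src, dst, payload, ttl=64):
    """20-byte IPv4 header without options, plus payload. flags_offset is the
    16-bit flags + fragment-offset word; the offset in it is already / 8."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_offset, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    (ver_ihl, _tos, total, ident, fo, ttl, proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(fo & IP_MF), "df": bool(fo & IP_DF),
            "offset": (fo & 0x1FFF) * 8,        # header stores offset / 8
            "ttl": ttl, "proto": proto, "len": total, "data": pkt[ihl:total]}


def fragment(ident, proto, src, dst, payload, frag_data=1280):
    """Split an IP payload into fragments of frag_data bytes (a multiple of 8,
    as every fragment but the last must be); all share the same IP ID."""
    assert frag_data % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_data):
        piece = payload[off:off + frag_data]
        mf = IP_MF if off + len(piece) < len(payload) else 0
        frags.append(build_ipv4(ident, mf | (off // 8), proto, src, dst, piece))
    return frags


def tcpdump_frag(pkt):
    """Render a fragment the way tcpdump does: ID:data-length@byte-offset[+]."""
    p = parse_ipv4(pkt)
    return "%d:%d@%d%s" % (p["id"], len(p["data"]), p["offset"], "+" if p["mf"] else "")


def reassembly_error(frags):
    """None if the fragments reassemble cleanly, else a message naming the fault."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if len({p["id"] for p in parsed}) != 1:
        return "fragments carry different IP IDs"
    expected = 0                                 # next byte the buffer needs
    for p in parsed:
        end = p["offset"] + len(p["data"])
        if 20 + end > IP_MAX_LEN:                # offset + length past the 65,535-byte buffer
            return "Ping of Death: data would end at byte %d of a %d-byte buffer" % (20 + end, IP_MAX_LEN)
        if p["offset"] < expected:               # overlapping fragment
            return "Teardrop: fragment at %d overlaps data already placed up to %d" % (p["offset"], expected)
        if p["offset"] > expected:
            return "gap: nothing covers bytes %d-%d" % (expected, p["offset"] - 1)
        expected = end
    if parsed[-1]["mf"]:
        return "incomplete: last fragment still has MF set"
    return None


def reassemble(frags):
    err = reassembly_error(frags)
    if err:
        raise ValueError(err)
    return b"".join(p["data"] for p in sorted((parse_ipv4(f) for f in frags),
                                              key=lambda p: p["offset"]))


# Constructed sample: 20-byte TCP header + 3300 bytes of application data = 3320 bytes.
SRC, DST = "128.61.60.143", "217.98.230.192"           # addresses from the tcpdump slide
SAMPLE_DATAGRAM = bytes(20) + (bytes(range(256)) * 13)[:3300]
SAMPLE_FRAGS = fragment(43660, 6, SRC, DST, SAMPLE_DATAGRAM)      # 1280 + 1280 + 760 bytes
# Teardrop: second fragment claims offset 1000 although the first already ends at 1280.
TEARDROP_FRAGS = [SAMPLE_FRAGS[0], build_ipv4(43660, 1000 // 8, 6, SRC, DST, b"B" * 1280)]
# Ping of Death: a last fragment at offset 65,528 (largest that fits) carrying 1000 bytes.
POD_FRAGS = [build_ipv4(7, 65528 // 8, 1, SRC, DST, b"C" * 1000)]

if __name__ == "__main__":
    for f in SAMPLE_FRAGS:
        print("frag", tcpdump_frag(f))
    print("reassembled", len(reassemble(SAMPLE_FRAGS)), "bytes")
    print("teardrop ->", reassembly_error(TEARDROP_FRAGS))
    print("ping of death ->", reassembly_error(POD_FRAGS))
```

The reassembler deliberately refuses overlaps outright rather than picking a "first wins" or "last wins" policy; real stacks differed on that choice, which is exactly what fragment-based IDS evasion tools such as fragrouter exploit.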

Protocols over IP

(Layer diagram; the recoverable labels:)
Listening port numbers (well-known): 80 (HTTP, over TCP), 161 (SNMP, over UDP)
IP Next Protocol numbers: 6 TCP, 17 UDP, 89 OSPF, 46 RSVP, 50 IPsec ESP
Ethernet Next Protocol numbers (EtherType): 0x0800 IP, 0x0806 ARP
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)

UDP Header (big endian)

Common UDP Server Ports:
53 DNS (Domain Name Server)
123 NTP (Network Time Protocol)
137 NBNS (NetBIOS Name Service, Microsoft)
631 CUPS (Common Unix Printing System)
5353 MDNS (Multicast DNS, Apple)

ICMP Header (big endian)

Bytes 0 - 3: Type (1 byte), Code (1 byte), Checksum (2 bytes)
Bytes 4 - 7: Identifier (2 bytes), Sequence Number (2 bytes)
Bytes 8 - : Optional Data

Type Field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Time Exceeded (traceroute)

Type 3 - Codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (the UDP equivalent of a reset; the old IP header and the first bytes of the offending datagram are returned in the data); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service

Smurf Attack

Attacker 23.45.67.89 sends one ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast) From: 130.207.225.23 (spoofed).
Every host on Network 222.45.6.0/24 (Network Broadcast Address = 222.45.6.255) answers with an ICMP Echo Response To: 130.207.225.23.
Victim 130.207.225.23 receives one reply per responding host: the network acts as an amplifier.

(How is this prevented? Routers do not forward directed broadcasts, hosts ignore echo requests addressed to a broadcast address, and ISPs drop packets whose source address cannot belong to the network they come from, i.e. ingress filtering.)
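The ICMP header from the previous slide and the three answers to "How is this prevented?" as code. This is an added example, not code from the slides: it packs and parses the 8-byte ICMP header with Python's struct module and implements the forward/drop decision of a border router (ingress filtering, egress filtering, no forwarding of directed broadcasts) and the host-side rule of answering only unicast echo requests. The addresses are the slide's; the attacker's own network 23.45.67.0/24, the hosts 222.45.6.10 and 222.45.6.7, and the packet itself are constructed assumptions.

```python
# Added example, not code from the slides: parse the ICMP header from the
# slide and apply the checks that defeat a Smurf attack at a border router
# and on the hosts behind it. Addresses are the slide's; the attacker's own
# network (23.45.67.0/24) and the packets are constructed assumptions.
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT = 0, 3, 5
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11


def build_icmp(icmp_type, code, ident=0, seq=0, data=b""):
    """Type, Code, Checksum, Identifier, Sequence Number, optional data (big-endian).
    Checksum is left at 0 here; the sending kernel fills it in for real traffic."""
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + data


def parse_icmp(msg):
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "data": msg[8:]}


def is_directed_broadcast(dst, networks):
    """True if dst is the broadcast address of one of the given networks."""
    d = ipaddress.ip_address(dst)
    return any(d == ipaddress.ip_network(n).broadcast_address for n in networks)


def router_decision(src, dst, icmp_msg, inside_networks, arriving_from_outside):
    """Forward/drop decision at the border of inside_networks.
    Three rules: ingress filtering (an outside packet must not claim an inside
    source), egress filtering (an inside packet must carry an inside source,
    which stops the attacker's ISP from emitting the spoofed ping), and no
    forwarding of directed broadcasts (which removes the amplifier)."""
    s = ipaddress.ip_address(src)
    src_is_inside = any(s in ipaddress.ip_network(n) for n in inside_networks)
    if arriving_from_outside and src_is_inside:
        return "drop: ingress filter, outside packet claims inside source %s" % src
    if not arriving_from_outside and not src_is_inside:
        return "drop: egress filter, source %s is not one of ours" % src
    if is_directed_broadcast(dst, inside_networks):
        return "drop: directed broadcast to %s (Smurf amplifier)" % dst
    icmp = parse_icmp(icmp_msg)
    return "forward ICMP type %d code %d to %s" % (icmp["type"], icmp["code"], dst)


def host_should_reply(host_addr, dst, icmp_msg):
    """A host answers an Echo Request only when it is unicast to the host itself
    (the behaviour of Linux's icmp_echo_ignore_broadcasts=1), so a broadcast
    ping gets no reply and the amplification disappears."""
    if parse_icmp(icmp_msg)["type"] != ICMP_ECHO_REQUEST:
        return False
    return ipaddress.ip_address(dst) == ipaddress.ip_address(host_addr)


# Constructed Smurf packet from the slide: attacker 23.45.67.89 pings the
# broadcast address of 222.45.6.0/24 with the victim's address as source.
SMURF_SRC, SMURF_DST = "130.207.225.23", "222.45.6.255"
SMURF_PING = build_icmp(ICMP_ECHO_REQUEST, 0, ident=0x1234, seq=1, data=b"x" * 56)

if __name__ == "__main__":
    print("at the attacker's ISP:",
          router_decision(SMURF_SRC, SMURF_DST, SMURF_PING, ["23.45.67.0/24"], False))
    print("at the amplifier's border:",
          router_decision(SMURF_SRC, SMURF_DST, SMURF_PING, ["222.45.6.0/24"], True))
    print("host 222.45.6.10 replies?", host_should_reply("222.45.6.10", SMURF_DST, SMURF_PING))
```

Either router alone stops the attack: the attacker's ISP never lets the spoofed packet out, and the amplifier network never lets a directed broadcast in. The host rule is the last line of defence for networks whose routers still forward directed broadcasts.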

TCP Header, 6 Flag Bits

Frame layout: Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data (all three headers big-endian)

* The Data Offset field holds the length of the TCP header in bytes / 4 (i.e. in 32-bit words); it is 5 for a header without options.

TCP Flags: U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin)

TCP Three-Way Handshake Flags

Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Then data segments in both directions: Ack (Push, Urgent optional)

A Flag Bit is present, set or true if it is a binary 1.

TCP Three-Way Disconnect

Data segments in both directions: Ack (Push, Urgent optional), then
Host A -> Host B: Fin + Ack
Host B -> Host A: Ack
Host B -> Host A: Fin + Ack
Host A -> Host B: Ack
(or either side sends Reset + Ack to abort the connection)

Either A or B can be the Server. As drawn the close takes four segments; when B sends its Fin in the same segment as its Ack it collapses to three.

(Wireshark screenshots, as seen using wireshark:)
TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RST-ACK (connection rejected)

TCP State Diagram

(Figure not reproduced in the text; only the label "Reset" survived.)

Reset  Fin  Syn  Ack  Comment
  0     0    0    1   OK
  0     0    1    0   1st Packet
  0     0    1    1   2nd Packet
  0     1    0    0   Needs Ack
  0     1    0    1   OK
  0     1    1    0   Illegal
  0     1    1    1   Illegal
  1     0    0    0   Needs Ack
  1     0    0    1   OK
  1     0    1    0   Illegal
  1     0    1    1   Illegal
  1     1    0    0   Illegal
  1     1    0    1   Illegal
  1     1    1    0   Illegal
  1     1    1    1   Illegal

Illegal flag combinations are used to determine the Operating System: different TCP stacks answer them differently.

DoS Exploits using TCP Packets

Land - Source Address = Destination Address (and the same port). Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
Blue Screen of Death - Set the Urgent flag and Urgent Offset Pointer = 3. Older Windows OS would crash.

TCP Session Hijack

(0) - Alice and Bob have an established TCP connection.
Attacker - (1) sniffs the network and watches Alice establish the TCP session with Bob
(2) - DoS attack to silence Alice (her Acks and Resets would otherwise disrupt the hijacked session)
(3) - Hijacks the TCP connection by using the correct sequence number

Off-LAN Attack (cannot sniff), used to get past a host-based firewall that trusts Alice's address:
1. Open several TCP connections to Bob, to predict Bob's next initial sequence number.
2. DoS Alice so she will not send a TCP Reset in answer to Bob's SYN-ACK.
3. Send Bob a SYN from Alice's IP, then an ACK based on Bob's predicted sequence number.
4. Send the exploit to Bob (assume all packets are received OK and Acked).