Lecture 23: Network Primer - PowerPoint PPT Presentation


PowerPoint Slideshow about ' Lecture 23: Network Primer' - faye


Presentation Transcript

Lecture 23: Network Primer

7/15/2003

CSCE 590

Summer 2003

TCP Header

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-------------------------------+-------------------------------+
 |          Source Port          |       Destination Port        |
 +-------------------------------+-------------------------------+
 |                        Sequence Number                        |
 +---------------------------------------------------------------+
 |                    Acknowledgement Number                     |
 +-------+-----------+-+-+-+-+-+-+-------------------------------+
 |  Hdr  |           |U|A|P|R|S|F|                               |
 |  Len  | Reserved  |R|C|S|S|Y|I|          Window Size          |
 |       |           |G|K|H|T|N|N|                               |
 +-------+-----------+-+-+-+-+-+-+-------------------------------+
 |      TCP Packet Checksum      |        Urgent Pointer         |
 +-------------------------------+-------------------------------+
 |           Options (Variable length padded with 0’s)           |
 +---------------------------------------------------------------+
TCP Fields
  • Source port and Destination port:
    • 16-bit fields; valid values (0)1-65535
    • Destination port: some listening server
    • Source port: random, usually chosen above 1023 and called ephemeral
    • Source ports should change with each new session/connection
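An added example, not part of the lecture: unpacking the fixed header laid out above with Python's struct module and decoding the six flag bits. The sample segment is constructed (port and ISN values borrowed from the handshake trace later in the deck), and is_ephemeral is this example's helper for the port rule of thumb.

```python
import struct

# Added example, not from the lecture: unpack the 20-byte fixed TCP header laid out on
# the slide, then decode the six flag bits. The sample segment below is constructed.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("need at least the 20-byte fixed header")
    # Network byte order: two 16-bit ports, two 32-bit numbers, one byte holding
    # Hdr Len plus 4 reserved bits, one byte holding 2 reserved bits plus the flags,
    # then window, checksum and urgent pointer.
    sport, dport, seq, ack, off, fl, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4                       # Hdr Len counts 32-bit words
    reserved = ((off & 0x0F) << 2) | (fl >> 6)     # the 6 reserved bits straddle two bytes
    if not 20 <= hdr_len <= len(segment):
        raise ValueError(f"implausible header length {hdr_len}")
    flags = [name for name, bit in FLAG_BITS.items() if fl & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
            "reserved": reserved, "flags": flags, "win": win, "checksum": csum,
            "urg_ptr": urg, "options": segment[20:hdr_len], "payload": segment[hdr_len:]}

def is_ephemeral(port: int) -> bool:
    """Source ports are normally chosen above 1023, per the slide's rule of thumb."""
    return 1023 < port <= 65535

# Constructed SYN: port and ISN values taken from the handshake slide, one MSS option
# (kind 2, length 4, value 1460), so Hdr Len = 6 words = 24 bytes.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 57839, 80, 440460922, 0, 6 << 4, 0x02, 5840, 0, 0) \
             + b"\x02\x04\x05\xb4"
```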
What’s Weird?

22:08:48.495489 129.252.41.100.62505 > 129.252.176.4.890: S 3938526924:3938526924(0) win 4096

22:08:48.495588 129.252.41.100.62505 > 129.252.176.4.627: S 3938526924:3938526924(0) win 4096

22:08:48.495616 129.252.41.100.62505 > 129.252.176.4.461: S 3938526924:3938526924(0) win 4096

22:08:48.495643 129.252.41.100.62505 > 129.252.176.4.1000: S 3938526924:3938526924(0) win 4096

22:08:48.495668 129.252.41.100.62505 > 129.252.176.4.199: S 3938526924:3938526924(0) win 4096

22:08:48.495693 129.252.41.100.62505 > 129.252.176.4.265: S 3938526924:3938526924(0) win 4096

22:08:48.495718 129.252.41.100.62505 > 129.252.176.4.7597: S 3938526924:3938526924(0) win 4096

22:08:48.495743 129.252.41.100.62505 > 129.252.176.4.826: S 3938526924:3938526924(0) win 4096

22:08:48.495768 129.252.41.100.62505 > 129.252.176.4.645: S 3938526924:3938526924(0) win 4096

22:08:48.495793 129.252.41.100.62505 > 129.252.176.4.84: S 3938526924:3938526924(0) win 4096

What’s Weird?

22:19:30.481578 129.252.41.10.2140 > 129.252.176.4.0: S 1860807593:1860807593(0) win 512

22:19:31.478737 129.252.41.10.2141 > 129.252.176.4.0: S 1456794212:1456794212(0) win 512

22:19:32.478824 129.252.41.10.2142 > 129.252.176.4.0: S 2100191735:2100191735(0) win 512

22:19:33.478916 129.252.41.10.2143 > 129.252.176.4.0: S 1628560220:1628560220(0) win 512

22:19:34.478995 129.252.41.10.2144 > 129.252.176.4.0: S 1658245839:1658245839(0) win 512

22:19:35.479099 129.252.41.10.2145 > 129.252.176.4.0: S 858387126:858387126(0) win 512

22:19:36.479179 129.252.41.10.2146 > 129.252.176.4.0: S 1898100889:1898100889(0) win 512

22:19:37.479293 129.252.41.10.2147 > 129.252.176.4.0: S 164501792:164501792(0) win 512

22:19:38.479382 129.252.41.10.2148 > 129.252.176.4.0: S 1225583647:1225583647(0) win 512

22:19:39.479463 129.252.41.10.2149 > 129.252.176.4.0: S 324333867:324333867(0) win 512

Sequence Numbers
  • Uniquely identifies the initial byte of each TCP segment sent
  • Keeps track of all data sent and received
  • Should change for all new TCP segments sent (retries have the same since they are duplicates)
  • ISN – Initial Sequence Number – 1st sequence number in session (each side picks one)
ISN Prediction
  • Can fingerprint operating systems by how they generate ISNs
  • If it is a predictable pattern, can hijack a session
  • Nmap keeps an OS fingerprint database; with the -O option it also judges how difficult TCP sequence prediction might be
Now What’s Weird?

22:08:48.495489 129.252.41.100.62505 > 129.252.176.4.890: S 3938526924:3938526924(0) win 4096

22:08:48.495588 129.252.41.100.62505 > 129.252.176.4.627: S 3938526924:3938526924(0) win 4096

22:08:48.495616 129.252.41.100.62505 > 129.252.176.4.461: S 3938526924:3938526924(0) win 4096

22:08:48.495643 129.252.41.100.62505 > 129.252.176.4.1000: S 3938526924:3938526924(0) win 4096

22:08:48.495668 129.252.41.100.62505 > 129.252.176.4.199: S 3938526924:3938526924(0) win 4096

22:08:48.495693 129.252.41.100.62505 > 129.252.176.4.265: S 3938526924:3938526924(0) win 4096

22:08:48.495718 129.252.41.100.62505 > 129.252.176.4.7597: S 3938526924:3938526924(0) win 4096

22:08:48.495743 129.252.41.100.62505 > 129.252.176.4.826: S 3938526924:3938526924(0) win 4096

22:08:48.495768 129.252.41.100.62505 > 129.252.176.4.645: S 3938526924:3938526924(0) win 4096

22:08:48.495793 129.252.41.100.62505 > 129.252.176.4.84: S 3938526924:3938526924(0) win 4096

Acknowledgement Numbers
  • Receiving host must tell sending host it got the data with an acknowledgement (ack)
  • 32-bit number giving the next byte of data the receiving host expects = last received sequence number + 1
  • Has to be > 0, zero is impossible

22:08:48.495489 129.252.41.10.62677 > 129.252.176.4.80: S 3938526924:3938526924(0) win 2048

22:08:48.495588 129.252.176.4.80 > 129.252.41.10.62677: S 373851632:373851632(0) ack 3938526925 win 8576 <mss 1460> (DF)

What’s Weird?

23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

TCP Flags
  • Tells the state of a TCP segment
    • SYN – session establishment (tcpdump = S)
    • FIN – session termination (F)
    • RST – session abort (R)
    • ACK – acknowledgement of received data (ack)
    • PUSH – send buffered data up to application (P)
    • URG – send data with higher priority (interrupts like <CTRL-C>) (urg)
  • Flags only make sense in particular combinations
TCP Three-Way Handshake

  Host A                                Host B
  Send SYN seq = x              -->     Receive SYN
  Receive SYN + ACK             <--     Send SYN seq = y; ACK = x+1
  Send ACK = y+1                -->     Receive ACK
TCP Three-Way Handshake
  • SYN
  • SYN + ACK
  • ACK
  • Thereafter SYN + ACKs
TCP Three-Way Handshake

23:49:23.440874 129.252.41.10.57839 > 129.252.41.2.80: S 440460922:440460922(0) win 5840 <mss 1460,sackOK,timestamp 114681793 0,nop,wscale 0> (DF)

23:49:23.441040 129.252.41.2.80 > 129.252.41.10.57839: S 431660388:431660388(0) ack 440460923 win 5792 <mss 1460,sackOK,timestamp 2458279816 114681793,nop,wscale 0> (DF)

23:49:23.441084 129.252.41.10.57839 > 129.252.41.2.80: . ack 431660389 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)

TCP Three-Way Handshake

23:49:23.440874 129.252.41.10.57839 > 129.252.41.2.80: S 440460922:440460922(0) win 5840 <mss 1460,sackOK,timestamp 114681793 0,nop,wscale 0> (DF)

23:49:23.441040 129.252.41.2.80 > 129.252.41.10.57839: S 431660388:431660388(0) ack 440460923 win 5792 <mss 1460,sackOK,timestamp 2458279816 114681793,nop,wscale 0> (DF)

23:49:23.441084 129.252.41.10.57839 > 129.252.41.2.80: . ack 1 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.441212 129.252.41.10.57839 > 129.252.41.2.80: P 1:104(103) ack 1 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.441370 129.252.41.2.80 > 129.252.41.10.57839: . ack 104 win 5792 <nop,nop,timestamp 2458279816 114681793> (DF)

23:49:23.442322 129.252.41.2.80 > 129.252.41.10.57839: . 1:1449(1448) ack 104 win 5792 <nop,nop,timestamp 2458279816 114681793> (DF)

23:49:23.442354 129.252.41.10.57839 > 129.252.41.2.80: . ack 1449 win 8688 <nop,nop,timestamp 114681793 2458279816> (DF)
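The handshake arithmetic from the trace above, as an added example that is not part of the lecture: it checks that each acknowledgement equals the peer's sequence number plus one, and rewrites absolute sequence numbers as the relative ones tcpdump printed in the second listing (ack 1, 1:104). Packets are tuples constructed from the slide's values; the tuple layout and the helper names are this example's assumptions.

```python
# Added example, not from the lecture: verify three-way handshake arithmetic and
# express sequence numbers relative to each side's ISN, as tcpdump's second listing does.
MOD = 2 ** 32   # the sequence space wraps at 32 bits

# A packet is a constructed tuple: (sport, dport, flags, seq, ack); ack is None when the
# ACK flag is absent. flags uses tcpdump's letters ("S" = SYN, "." = none of S/F/P/R/U).

def check_handshake(syn, synack, ack):
    """Return the violations found; an empty list means a well-formed handshake."""
    problems = []
    if syn[2] != "S" or syn[4] is not None:
        problems.append("first segment must be a bare SYN")
    if synack[2] != "S" or synack[4] != (syn[3] + 1) % MOD:
        problems.append("SYN/ACK must carry ack = x+1")
    if ack[2] != "." or ack[4] != (synack[3] + 1) % MOD:
        problems.append("final ACK must carry ack = y+1")
    if (synack[0], synack[1]) != (syn[1], syn[0]) or (ack[0], ack[1]) != (syn[0], syn[1]):
        problems.append("port pairs do not match across the three segments")
    return problems

def relative(pkts, isn_a, isn_b):
    """Rewrite seq/ack as offsets from the ISNs. Side A is whoever sent pkts[0].
    (tcpdump keeps the two SYNs absolute and does this only for later segments.)"""
    out = []
    for sport, dport, flags, seq, ack in pkts:
        own, peer = (isn_a, isn_b) if sport == pkts[0][0] else (isn_b, isn_a)
        rel_ack = None if ack is None else (ack - peer) % MOD
        out.append((sport, dport, flags, (seq - own) % MOD, rel_ack))
    return out

# Values from the handshake slide: client 57839 -> server 80, x = 440460922, y = 431660388.
SYN = (57839, 80, "S", 440460922, None)
SYNACK = (80, 57839, "S", 431660388, 440460923)
ACK = (57839, 80, ".", 440460923, 431660389)
PUSH = (57839, 80, "P", 440460923, 431660389)   # the 103-byte request that follows
```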

Gracefully Ending a Connection
  • Gracefully – FIN
    • One side sends a FIN/ACK
    • The other side sends an ACK (One side closed)
    • Then the other side sends a FIN/ACK
    • And the first side sends an ACK (Two sides closed)
  • Both sides should close their half of the full duplex connection
  • Sometimes they don’t.
Gracefully Ending a Connection

23:49:23.443343 129.252.41.10.57839 > 129.252.41.2.80: F 440461026:440461026(0) ack 431662073 win 8688 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.443489 129.252.41.2.80 > 129.252.41.10.57839: F 431662073:431662073(0) ack 440461027 win 5792 <nop,nop,timestamp 2458279817 114681793> (DF)

23:49:23.443532 129.252.41.10.57839 > 129.252.41.2.80: . ack 431662074 win 8688 <nop,nop,timestamp 114681793 2458279817> (DF)

Abruptly Ending a Connection
  • RESET halts it abruptly

00:20:30.427166 129.252.41.2.22 > 129.252.41.10.57878: P 2398201982:2398202990(1008) ack 2394778362 win 16704 <nop,nop,timestamp 2458466499 114868474> (DF)

00:20:30.427265 129.252.41.10.57878 > 129.252.41.2.22: R 2394778362:2394778362(0) win 0 (DF)

[Figure: the TCP header flag row (Hdr Len, Reserved, URG ACK PSH RST SYN FIN, Window Size)]

Invalid Flag Combinations
  • Why?
    • Evading detection systems
    • Network mapping
    • Port scanning
    • OS fingerprinting
    • Could just be a corrupt packet
  • Ex. Can’t start and end a session in the same packet
  • Reserved bits are used for fingerprinting too
What’s Weird?

23:12:26.100477 129.252.41.10.48775 > 129.252.176.4.25: SFP 1933921669:1933921669(0) win 2048 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

23:12:26.100850 129.252.176.4.25 > 129.252.41.10.48775: S 4253896955:4253896955(0) ack 1933921670 win 65535 <mss 1260,nop,wscale 0,nop,nop,timestamp 0 0> (DF)

23:12:26.100866 129.252.41.10.48775 > 129.252.176.4.25: R 1933921670:1933921670(0) win 0 (DF)

TCP Retries
  • What if a packet doesn’t get acknowledged?
  • Eventually sender resends the exact packet
  • Waits a little longer between each retry:
    • 3 seconds, 6 seconds, 12 seconds, etc.
    • Different OSes use different backoff algorithms
  • What might cause retries?
    • Destination host went down, ICMP message didn’t get through
    • Packet filtering device silently dropping
    • RESET sent, but we didn’t get it
TCP Retries – Guess Which

23:46:04.527781 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:07.509678 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:13.518688 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:25.537689 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

-------------------------------------------------------------------

23:46:40.529581 10.10.33.4.39344 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:41.509678 10.10.33.4.39345 > 129.252.41.16.22: S 698735981:698735981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:53.518688 10.10.33.4.39378 > 129.252.41.16.22: S 698654463:698654463(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:53.923679 10.10.33.4.39379 > 129.252.41.16.22: S 699129230:699129230(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
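An added example (not lecture code) that runs the checks behind the "What's Weird?", "Invalid Flag Combinations" and "TCP Retries" slides over old-style tcpdump lines: one source port and ISN reused against many destination ports, ack 0 without SYN, SYN combined with FIN or RST, and SYN retransmissions with their backoff intervals. The regex, the scan threshold and the message wording are this example's assumptions; the sample lines are copied from the slides' traces (options trimmed on one line).

```python
import re
from collections import defaultdict
# Added example, not from the lecture: parse the old-style tcpdump lines used on the slides
# and flag the oddities they illustrate. Only the fields the checks need are extracted.
LINE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<flags>[SFPRU.]+) ?"
    r"(?:(?P<seq>\d+):\d+\(\d+\))? ?(?:ack ?(?P<ack>\d+))? ?win (?P<win>\d+)")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["t"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + float(d["s"])   # seconds since midnight
    for k in ("sport", "dport", "win", "seq", "ack"):   # seq/ack are None when tcpdump omits them
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def find_weird(lines, scan_threshold=3):
    issues = set()
    isn_ports = defaultdict(set)    # (src, sport, ISN) -> destination ports hit with that ISN
    syn_times = defaultdict(list)   # (src, sport, dst, dport, ISN) -> times the SYN was seen
    for p in filter(None, map(parse, lines)):
        f, who = p["flags"], f"{p['src']}:{p['sport']}"
        if "S" in f and ("F" in f or "R" in f):          # can't open and close in one segment
            issues.add(f"invalid flag combination {f} from {who}")
        if p["ack"] == 0 and "S" not in f:               # ack is always > 0 on a real connection
            issues.add(f"ack 0 without SYN from {who}")
        if "S" in f and p["seq"] is not None:
            isn_ports[(p["src"], p["sport"], p["seq"])].add(p["dport"])
            syn_times[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p["t"])
    for (src, sport, isn), ports in isn_ports.items():   # one port and ISN reused: crafted scanner
        if len(ports) >= scan_threshold:
            issues.add(f"scan: {src}:{sport} reused ISN {isn} against {len(ports)} ports")
    for (src, sport, dst, dport, isn), times in syn_times.items():
        if len(times) > 1:                               # same 4-tuple and ISN again: a retry
            gaps = [round(b - a) for a, b in zip(times, times[1:])]
            issues.add(f"retries: {src}:{sport}->{dst}:{dport} resent SYN {len(times) - 1}x, backoff {gaps}s")
    return sorted(issues)
# Lines copied from the lecture's traces: fixed-ISN scan, ack 0, SYN/FIN/PSH, SYN retries.
SAMPLE = [
    "22:08:48.495489 129.252.41.100.62505 > 129.252.176.4.890: S 3938526924:3938526924(0) win 4096",
    "22:08:48.495588 129.252.41.100.62505 > 129.252.176.4.627: S 3938526924:3938526924(0) win 4096",
    "22:08:48.495616 129.252.41.100.62505 > 129.252.176.4.461: S 3938526924:3938526924(0) win 4096",
    "23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>",
    "23:12:26.100477 129.252.41.10.48775 > 129.252.176.4.25: SFP 1933921669:1933921669(0) win 2048 urg 0",
    "23:46:04.527781 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "23:46:07.509678 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
]
```

The second half of the "Guess Which" slide (new source ports and new ISNs each time) produces no retry finding, which is the point of that slide.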

TCP Options
  • At the end of the header
    • MSS: Maximum Segment Size
    • Window Scale: allows window receive buffers to be > 65535
    • Timestamp: carries a timestamp for each segment
    • Selective Acknowledgement: non-contiguous segments can be acknowledged
    • No Operation: NOP, padding to 4-byte boundaries
    • End of List Option: pad final option to 4 byte boundary
  • More OS fingerprinting possibilities
    • Not all OSes support all options
    • OSes list options in different orders
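Decoding the options area and printing it in tcpdump's order, as an added example (not lecture code), so the order an OS emits its options in is visible; the sample bytes are constructed to reproduce the client SYN's option list from the handshake trace, and the option names follow tcpdump's spelling.

```python
import struct
# Added example, not from the lecture: walk the TCP options area and render it the way
# tcpdump prints it, so the order an OS emits options in (a fingerprinting hook) is visible.
def parse_options(opts: bytes) -> list:
    """Return [(name, value), ...] in wire order; raise ValueError on a malformed list."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # End of List: the rest is padding
            out.append(("eol", None))
            break
        if kind == 1:                                   # NOP: single byte, no length field
            out.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError(f"malformed option kind {kind} at offset {i}")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:                # Maximum Segment Size
            out.append(("mss", struct.unpack("!H", data)[0]))
        elif kind == 3 and len(data) == 1:              # Window Scale shift count
            out.append(("wscale", data[0]))
        elif kind == 4 and length == 2:                 # Selective Acknowledgement permitted
            out.append(("sackOK", None))
        elif kind == 8 and len(data) == 8:              # Timestamp value and echo reply
            out.append(("timestamp", struct.unpack("!II", data)))
        else:                                           # unknown or odd-sized: keep raw bytes
            out.append((f"opt-{kind}", data))
        i += length
    return out

def render(options) -> str:
    parts = []                                          # mimic tcpdump's <...> summary
    for name, val in options:
        if val is None:
            parts.append(name)
        elif name == "timestamp":
            parts.append(f"timestamp {val[0]} {val[1]}")
        elif name.startswith("opt-"):
            parts.append(f"{name} {val.hex()}")
        else:
            parts.append(f"{name} {val}")
    return "<" + ",".join(parts) + ">"

# Constructed bytes reproducing the client SYN's option list from the handshake slide:
# mss 1460, sackOK, timestamp 114681793 0, nop, wscale 0 (20 bytes, already 4-byte aligned).
SAMPLE = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 114681793, 0)
          + b"\x01" + b"\x03\x03\x00")
```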
TCP Window Size
  • Receiving host’s TCP buffer size for connection
  • Flow control
    • Window size changes dynamically as data is received
    • Size of zero means stop sending data for a while
    • Gets bigger than zero when it can take more data
  • Initial window sizes can be used for OS fingerprinting (surprise!)
  • Labeled with a “win” in tcpdump
References
  • Highly recommend:
  • http://www.sans.org/resources/tcpip.pdf