ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Slides 11 - Fun with TCP/IP
4/15/2013


Ethernet Header (MAC or Link Layer)

[Figure: frame layout - Ethernet Hdr 14 bytes (big-endian) | IP Header 20 bytes (big-endian) | TCP Header 20 bytes (big-endian) | App. Hdr & Data]

Ethernet header laid out in 32-bit rows (bit 0 to bit 31):
  Bytes 0 - 3:   Destination Address (6 bytes) ...
  Bytes 4 - 7:   ... Destination Address (cont.) | Source Address (6 bytes) ...
  Bytes 8 - 11:  ... Source Address (cont.)
  Bytes 12 - 13: Next Protocol # (two bytes, big-endian: 0x0800 -> IP, 0x0806 -> ARP)
  Bytes 14 - :   Next Level Protocol Header


IP Header (Network Layer)

[Figure: same frame layout as the previous slide (Ethernet Hdr | IP Header 20 bytes | TCP Header 20 bytes | App. Hdr & Data, all big-endian), with the IP header fields Length, Frag. Flags, Fragment Offset and Next Protocol called out]

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: 010 = Do Not Fragment (DNF), 001 = More Fragments (MF)


Fragmented Packet

[Figure: three frames]
  Fragment 1: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes (big-endian) + App. Hdr & Data = 20 + 1260 bytes
  Fragment 2: Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data - 1280 bytes
  Fragment 3: Ethernet Hdr | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data - 760 bytes

Data packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes.

IP Fragment ID number is the same for each fragment.


Ping of Death

[Figure: one frame - Ethernet Hdr | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes; below it, two adjacent Packet Buffers of 65,535 bytes each]

Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing older versions of Windows to crash.

"Ping" was used because "# ping -s 66500" used to work. "fragrouter" is a network utility that generates bad fragments.


Fragmented Packets as seen by "tcpdump"

# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'    <- filter for seeing fragments

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:[email protected]+) (ttl 127, len 84)    <- very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:[email protected]) (ttl 127, len 64)    <- very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:[email protected]) (ttl 237, len 40)    <- very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:[email protected]) (ttl 240, len 40)    <- very small, isolated fragment; note close times, different IPs

-------
43660:[email protected]+ = ID : Data-Length (without IP hdr) @ Offset/8; "+" means the More Fragments bit is set.

Wireshark display filters: ip.fragment and ip.fragment.X, where X can be: count==[number], error, overlap, overlap.conflict, multipletails, toolongtails
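As an added example (not from the slides or the course), here is a Python model of the fragment handling the last three slides describe: it builds IPv4 fragments with the 16-bit flags/offset word, applies the same (ip[6:2] & 0x3fff) != 0 test the tcpdump filter uses, reassembles a datagram like the 20 + 3300-byte one on slide 4, and rejects a fragment that would run past the 65,535-byte buffer (the Ping of Death case) or that starts inside data already received (the overlapping-fragment case of the Teardrop family). All addresses, IDs and payloads are constructed; the reassembler is a simplified model, not a kernel implementation, and the Ping of Death offset is rounded to 65,496 because the header stores offsets in 8-byte units.

```python
import struct

IP_MF = 0x2000            # More Fragments flag in the IPv4 flags/offset word
IP_DF = 0x4000            # Do Not Fragment flag
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, stored in 8-byte units
MAX_DATAGRAM = 65535      # IPv4 total-length limit; size of the reassembly buffer
IP_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, cksum, src, dst


def build_fragment(ident, more_fragments, offset, payload, proto=6):
    """Build a 20-byte IPv4 header plus payload (constructed sample packet: no
    options, checksum left zero). `offset` is in bytes and must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = (IP_MF if more_fragments else 0) | (offset // 8)
    header = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_ip(pkt):
    """Decode the fixed IPv4 header fields that matter for fragment handling."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _cksum, src, dst) = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),              # shared by all fragments of one datagram
        "mf": bool(flags_off & IP_MF),
        "df": bool(flags_off & IP_DF),
        "offset": (flags_off & IP_OFFSET_MASK) * 8,   # header stores offset / 8
        "data": pkt[ihl:total_len],
    }


def is_fragment(pkt):
    """The test behind the slide's tcpdump filter, (ip[6:2] & 0x3fff) != 0:
    MF set or a non-zero offset. DF alone (0x4000) is not a fragment."""
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return (flags_off & 0x3FFF) != 0


def reassemble(packets):
    """Reassemble the fragments of one datagram, in any arrival order.
    Returns (status, payload) where status is:
      'complete'   - all data present, last fragment had MF = 0
      'incomplete' - a gap, or the final fragment is missing
      'oversize'   - a fragment would end past the 65,535-byte buffer (Ping of Death)
      'overlap'    - a fragment starts inside data already received (Teardrop)"""
    frags = sorted((parse_ip(p) for p in packets), key=lambda f: f["offset"])
    if len({f["key"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    buf = bytearray()
    for f in frags:
        if f["offset"] + len(f["data"]) > MAX_DATAGRAM:
            return "oversize", b""
        if f["offset"] < len(buf):
            return "overlap", b""
        if f["offset"] > len(buf):
            return "incomplete", bytes(buf)        # gap: an earlier fragment is missing
        buf += f["data"]
        if not f["mf"]:
            return "complete", bytes(buf)
    return "incomplete", bytes(buf)                # last fragment (MF = 0) never arrived


def slide4_fragments():
    """The datagram from slide 4: 20-byte TCP header + 3300 bytes of data (3320 bytes,
    constructed content), carried as fragments of 1280, 1280 and 760 bytes."""
    payload = (bytes(range(256)) * 13)[:3320]
    return payload, [
        build_fragment(43660, True, 0, payload[0:1280]),
        build_fragment(43660, True, 1280, payload[1280:2560]),
        build_fragment(43660, False, 2560, payload[2560:3320]),
    ]


def ping_of_death_fragment():
    """Slide 5: a fragment claiming an offset near 65,500 with 1000 bytes of data, so it
    would end near byte 66,500. 65,496 is the nearest multiple of 8 (constructed)."""
    return build_fragment(1, True, 65496, b"A" * 1000)


def teardrop_fragments():
    """Two fragments whose data ranges overlap (bytes 0-63 and 24-87), constructed."""
    return [build_fragment(7, True, 0, b"x" * 64), build_fragment(7, False, 24, b"y" * 64)]


if __name__ == "__main__":
    payload, frags = slide4_fragments()
    print("slide 4:", reassemble(frags)[0])                            # complete
    print("ping of death:", reassemble([ping_of_death_fragment()])[0])  # oversize
    print("teardrop:", reassemble(teardrop_fragments())[0])            # overlap
```

The oversize and overlap checks are made before any byte is copied into the buffer, which is the order a reassembler needs: the Ping of Death bug on the slide is exactly a copy that happens before the end offset is compared with the buffer size.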


Protocols over IP

[Figure: protocol stack, top to bottom]
  Listening Port No. (Well-Known?): 161, 80
  IP Next Protocol Numbers: 6, 17, 1, 2, 89, 46, 50 (IPsec ESP)
  Ethernet "Next Protocol" Number: 0x0800 (IP), 0x0806 (ARP)
  Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)


UDP Header (big endian)

Common UDP Server Ports
  53 – DNS (Domain Name Server)
  123 – NTP (Network Time Protocol)
  137 – NBNS (NetBIOS Name Service, Microsoft)
  631 – CUPS (Common Unix Printing System)
  5353 – MDNS (Multicast DNS, Apple)


ICMP Header (big endian), laid out in 32-bit rows (bit 0 to bit 31):
  Bytes 0 - 3: Type | Code | Checksum
  Bytes 4 - 7: Identifier | Sequence Number
  Bytes 8 - :  Optional Data

Type Field
  0 - Echo Reply (Code=0)
  3 - Destination Unreachable
  5 - Redirect (change route)
  8 - Echo Request (Ping)
  11 - Timeout (traceroute)

Type 3 - Codes
  0 - Network Unreachable
  1 - Host Unreachable
  3 - Port Unreachable (UDP "Reset"; old header in data)
  7 - Destination Host Unknown
  12 - Host Unreachable for Type of Service


Smurf Attack

[Figure]
  Attacker 23.45.67.89 sends an ICMP Echo Request (Ping)
    To: 222.45.6.255 (Broadcast)
    From: 130.207.225.23 (spoofed)
  Hosts on Network 222.45.6.0/24 send ICMP Echo Responses
    To: 130.207.225.23 (Victim)
  Network Broadcast Address = 222.45.6.255

(How is this prevented?)
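An added example, not part of the slides, covering the ICMP header of slide 9 and the Smurf exchange of slide 10 from the defender's side. It packs and parses the 8-byte ICMP header (type, code, checksum, identifier, sequence number) with a real one's-complement checksum, then applies the check a monitoring point on the 222.45.6.0/24 network could use: an Echo Request addressed to the network's directed-broadcast address from a source that is not on that network is the amplification step of the attack. The function names and the constructed traffic are mine; dropping directed-broadcast traffic at the router is the usual prevention, and this check is its detection counterpart.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# ICMP type values from the slide
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

ICMP_FMT = "!BBHHH"   # bytes 0-7: Type, Code, Checksum, Identifier, Sequence Number


def icmp_checksum(data):
    """One's-complement checksum over the whole ICMP message (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type, code, ident, seq, data=b""):
    """Construct an ICMP message with a correct checksum (constructed sample data)."""
    header = struct.pack(ICMP_FMT, msg_type, code, 0, ident, seq)
    checksum = icmp_checksum(header + data)
    return struct.pack(ICMP_FMT, msg_type, code, checksum, ident, seq) + data


def parse_icmp(msg):
    """Decode the 8-byte ICMP header; checksum_ok is True when the one's-complement
    sum over the received message (checksum field included) comes out to zero."""
    msg_type, code, _checksum, ident, seq = struct.unpack(ICMP_FMT, msg[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(msg) == 0, "data": msg[8:]}


def is_smurf_candidate(src, dst, icmp_msg, local_nets):
    """Flag an ICMP Echo Request sent to the directed-broadcast address of one of our
    networks from a source outside that network: the amplification step of the Smurf
    attack. `src`/`dst` are dotted-quad strings, `local_nets` CIDR strings."""
    msg = parse_icmp(icmp_msg)
    if msg["type"] != ICMP_ECHO_REQUEST:
        return False
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for net in map(IPv4Network, local_nets):
        if dst_ip == net.broadcast_address and src_ip not in net:
            return True
    return False


def scan_for_smurf(packets, local_nets):
    """Run the check over (src, dst, icmp_bytes) tuples; return the flagged (src, dst) pairs."""
    return [(s, d) for s, d, m in packets if is_smurf_candidate(s, d, m, local_nets)]


if __name__ == "__main__":
    ping = build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, 1, b"hello")
    # Constructed traffic modelled on slide 10: the request carries the victim's address as source
    traffic = [
        ("130.207.225.23", "222.45.6.255", ping),   # spoofed source, broadcast destination
        ("222.45.6.10", "222.45.6.255", ping),      # local host pinging its own broadcast
        ("130.207.225.23", "222.45.6.7", ping),     # ordinary unicast ping
    ]
    print(scan_for_smurf(traffic, ["222.45.6.0/24"]))   # [('130.207.225.23', '222.45.6.255')]
```

The source-outside-the-network condition is what separates the attack from a local host legitimately pinging its own broadcast address; a stricter policy can simply drop every Echo Request to a broadcast address.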


TCP Header – 6 Flag Bits

[Figure: same frame layout as the previous slides (Ethernet Hdr | IP Header 20 bytes | TCP Header 20 bytes | App. Hdr & Data, all big-endian), with the TCP header length field (*) and the flag bits called out]

* Length of TCP Header in bytes / 4
TCP Flags: U A P R S F


TCP Three-Way Handshake Flags

[Figure: Client <-> Server exchange]
  Client -> Server: Syn (only)
  Server -> Client: Syn + Ack
  Client -> Server: Ack
  then data segments in both directions: Ack (Push, Urgent)

A Flag Bit is "present", "set" or "true" if it is a binary 1.


TCP Three-Way Disconnect

[Figure: Host A <-> Host B exchange]
  data segments in both directions: Ack (Push, Urgent)
  Fin + Ack
  Ack
  Fin + Ack
  Ack (or Reset + Ack)

Either A or B can be the Server.


TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, ACK, FIN-ACK, ACK
TCP SYN and RST-ACK (connection rejected)
(as seen using Wireshark)



[Table of flag combinations; only the header row survived: Reset | Fin | Syn | Ack | Comment]

Illegal flag combinations are used to determine the Operating System.


DoS Exploits using TCP Packets

  Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
  Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
  Winnuke - Any garbage data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
  Blue Screen of Death - Set Urgent Flag & Urgent Offset Pointer = 3. Older Windows OS would crash.
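An added example, not from the slides, tying together slides 11 through 17: a Python decoder for the fixed TCP header (including the "header length / 4" field and the six flag bits U A P R S F), a function that names the normal handshake and teardown segments (SYN, SYN-ACK, ACK, FIN-ACK, RST-ACK), and a classifier that labels what a defender would want an IDS to flag: the illegal flag combinations of the OS-fingerprinting table (null, SYN+FIN, SYN+RST, FIN+PSH+URG), the Land pattern (source address equals destination address), and an Urgent pointer that points past the segment's data, which is the general form of the Urgent Offset Pointer = 3 case. The function names, labels and sample segments are mine and constructed; the checksum is left zero because only header decoding is shown.

```python
import struct

TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = ((URG, "U"), (ACK, "A"), (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F"))


def build_tcp(sport, dport, seq, ack, flags, window=65535, urg_ptr=0, payload=b""):
    """Construct a 20-byte TCP header (no options, checksum zero) plus payload (constructed)."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, urg_ptr) + payload


def parse_tcp(segment):
    """Decode the fixed TCP header; hlen comes from the 'header length / 4' field on slide 11."""
    sport, dport, seq, ack, off_res, flags, window, _cksum, urg_ptr = struct.unpack(TCP_FMT, segment[:20])
    hlen = (off_res >> 4) * 4
    flags &= 0x3F                                   # keep only the six flag bits U A P R S F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": flags, "window": window, "urg_ptr": urg_ptr,
            "flag_str": "".join(letter for bit, letter in FLAG_LETTERS if flags & bit),
            "data": segment[hlen:]}


def handshake_step(flags):
    """Name the segment types in the handshake and teardown of slides 12-14, or None."""
    f = flags & 0x3F
    if f == SYN:
        return "SYN"
    if f == SYN | ACK:
        return "SYN-ACK"
    if f == ACK:
        return "ACK"
    if f == FIN | ACK:
        return "FIN-ACK"
    if f == RST | ACK:
        return "RST-ACK (connection rejected)"
    if f & ACK and not f & (SYN | FIN | RST):
        return "ACK (data)"                          # ACK with Push and/or Urgent
    return None


def classify(src_ip, dst_ip, segment):
    """Return anomaly labels for one segment ([] if it looks normal): the illegal flag
    combinations of slide 16 and the Land and urgent-pointer cases of slide 17."""
    t = parse_tcp(segment)
    f = t["flags"]
    issues = []
    if src_ip == dst_ip:
        issues.append("land: source address equals destination address")
    if f == 0:
        issues.append("null scan: no flags set")
    if f & SYN and f & FIN:
        issues.append("SYN+FIN: illegal combination")
    if f & SYN and f & RST:
        issues.append("SYN+RST: illegal combination")
    if (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
        issues.append("xmas: FIN+PSH+URG set together")
    if f & URG and t["urg_ptr"] > len(t["data"]):
        issues.append("urgent pointer beyond segment data")
    return issues


def summarize(src_ip, dst_ip, segment):
    """One-line view for eyeballing a capture: flag letters, handshake role, anomalies."""
    t = parse_tcp(segment)
    return {"flags": t["flag_str"], "step": handshake_step(t["flags"]),
            "issues": classify(src_ip, dst_ip, segment)}


if __name__ == "__main__":
    # Constructed segments modelled on slides 12-17
    samples = [
        ("10.0.0.1", "10.0.0.2", build_tcp(3472, 80, 1000, 0, SYN)),
        ("10.0.0.2", "10.0.0.1", build_tcp(80, 3472, 5000, 1001, SYN | ACK)),
        ("10.0.0.1", "10.0.0.2", build_tcp(3472, 80, 1001, 5001, ACK | PSH, payload=b"GET")),
        ("10.0.0.1", "10.0.0.1", build_tcp(139, 139, 1, 0, SYN)),                # Land pattern
        ("10.0.0.9", "10.0.0.2", build_tcp(1, 2, 0, 0, FIN | PSH | URG)),         # fingerprinting probe
        ("10.0.0.9", "10.0.0.2", build_tcp(1, 139, 1, 1, ACK | URG, urg_ptr=3)),  # urgent pointer past data
    ]
    for s, d, seg in samples:
        print(s, "->", d, summarize(s, d, seg))
```

Every check is a pure function of the header fields plus the IP addresses, so the same code can be run over a capture or placed in front of a reassembler; a segment whose flags fit none of the handshake_step cases and that also carries no anomaly label is worth a second look on its own.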


TCP Session Hijack

[Figure: Alice <-> Bob, with the Attacker on the same LAN]
  (0) Established TCP connection between Alice and Bob
  Attacker: (1) sniffs the network and watches Alice establish a TCP session with Bob
  (2) DoS attack to silence Alice (Acks and Resets)
  (3) hijacks the TCP connection by using the correct sequence number

Off-LAN attack (cannot sniff) to get by a host-based firewall:
  Open several TCP connections to Bob, to predict Bob's next sequence number.
  DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
  Send Bob a SYN, then an ACK based on Bob's predicted seq. no. (from Alice's IP).
  Send exploit to Bob (assume all packets are received OK and Ack'ed).

