ECE-6612

http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copeland

[email protected]

404 894-5177

fax 404 894-0035

Office: Klaus 3362

email or call for office visit, 404 894-5177

Slides 11 - Fun with TCP/IP

4/15/2013



Ethernet Header (MAC or Link Layer)

Frame layout: Ethernet Hdr (14 bytes, big-endian) | IP Header (20 bytes, big-endian) | TCP Header (20 bytes, big-endian) | App. Hdr & Data

Bytes 0 - 5: Destination Address (6 bytes)
Bytes 6 - 11: Source Address (6 bytes)
Bytes 12 - 13: Next Protocol # (EtherType), most significant byte first: 0x0800 -> IP, 0x0806 -> ARP
Bytes 14 - : Next Level Protocol Header (IP or ARP), followed by its data


IP Header (Network Layer)

Frame layout: Ethernet Hdr (14 bytes) | IP Header (20 bytes, big-endian) | TCP Header (20 bytes, big-endian) | App. Hdr & Data

Bytes 0 - 3: Version / Header Length (IHL, in 32-bit words), Type of Service, Total Length (header + data, in bytes)
Bytes 4 - 7: Identification, Frag. Flags (3 bits), Fragment Offset (13 bits, in 8-byte units)
Bytes 8 - 11: TTL, Next Protocol, Header Checksum
Bytes 12 - 15: Source Address
Bytes 16 - 19: Destination Address

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP

Frag. Flags (reserved, DF, MF): 010 = Do Not Fragment (DF), 001 = More Fragments (MF). A datagram with DF set that is too large for the next link is dropped and an ICMP error is returned instead of fragmenting it.


Fragmented Packet

Fragment 1: Ethernet Hdr (14 bytes) | IP Header (20 bytes, MF: 1, offset: 0) | TCP Header (20 bytes) + App. Hdr & Data (1260 bytes) = 1280 bytes of IP payload
Fragment 2: Ethernet Hdr (14 bytes) | IP Header (20 bytes, MF: 1, offset: 1280) | More Data, 1280 bytes
Fragment 3: Ethernet Hdr (14 bytes) | IP Header (20 bytes, MF: 0, offset: 2560) | Last Data, 760 bytes

Data packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 3320 bytes, carried as 1280 + 1280 + 760 bytes. Only the first fragment contains the TCP header; a firewall or IDS that matches on TCP ports sees those ports in the first fragment alone.

IP Fragment ID number is the same for each fragment (together with the source, destination and protocol fields it tells the receiver which datagram the piece belongs to). The Fragment Offset is stored in 8-byte units, so every fragment except the last must carry a multiple of 8 bytes (1280 = 160 x 8).


Ping of Death

Fragment: Ethernet Hdr (14 bytes) | IP Header (20 bytes, MF: 1, offset: 65,500) | Any Data, 1000 bytes

Packet Buffer 65,535 bytes | Packet Buffer 65,535 bytes (the next buffer in memory)

Fragments are assembled in a buffer in memory sized for the largest legal IP datagram, 65,535 bytes (the most the 16-bit Total Length field can express). A Ping of Death fragment whose offset plus length exceeds that limit (here 65,500 + 1000) overflows the buffer, corrupting the next buffer and crashing older versions of Windows (and several other 1990s TCP/IP stacks).

"Ping" was used because "ping -s 66500" used to work: old ping utilities accepted a payload larger than the maximum, and the sending kernel fragmented the oversize datagram for you. "fragrouter" is a network utility that generates bad and unusual fragment sequences (written to test how an IDS copes with fragmentation).
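The fragmentation of slide 4 and the reassembly failures of this slide (and the Teardrop entry on the DoS slide later in the deck) carried through in code, as an added example that is not part of the original lecture. The fragment sizes and the 3320-byte datagram are the slide's; the strict reassembly policy (reject any overlap or gap rather than tolerate it) is an IDS-style choice assumed here, not how every production stack behaves:

```python
IP_MAX_DATAGRAM = 65535     # largest Total Length the 16-bit field can express
IP_HEADER_LEN = 20


class FragmentError(Exception):
    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind


def fragment(ident, payload, per_fragment):
    """Split an IP payload as a router would: each fragment except the last carries
    per_fragment bytes (a multiple of 8, since the offset field counts 8-byte units),
    MF is set on every fragment but the last, and all share the Identification value."""
    if per_fragment % 8:
        raise ValueError("fragment payload must be a multiple of 8 bytes")
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + per_fragment]
        frags.append({"id": ident, "offset": pos,
                      "mf": pos + len(chunk) < len(payload), "data": chunk})
        pos += len(chunk)
    return frags


def reassemble(frags, max_datagram=IP_MAX_DATAGRAM):
    """Strict reassembly: fragments may arrive in any order but must tile the payload exactly.
    RFC 791 lets later data overwrite earlier data, which is what Teardrop abused; an IDS or a
    hardened stack (assumed here) treats any overlap as hostile."""
    if len({f["id"] for f in frags}) != 1:   # a real stack keys on src, dst, proto and id
        raise FragmentError("mixed-ids", "fragments belong to different datagrams")
    buf, complete = bytearray(), False
    for f in sorted(frags, key=lambda f: f["offset"]):
        end = f["offset"] + len(f["data"])
        if f["offset"] % 8 or (f["mf"] and len(f["data"]) % 8):
            raise FragmentError("bad-alignment", "offset %d / length %d not on an 8-byte boundary"
                                % (f["offset"], len(f["data"])))
        if IP_HEADER_LEN + end > max_datagram:   # Ping of Death: would run past the buffer
            raise FragmentError("oversize", "fragment ends at byte %d, past the %d-byte datagram limit"
                                % (end, max_datagram))
        if complete:
            raise FragmentError("trailing", "data after the fragment with MF=0")
        if f["offset"] < len(buf):               # Teardrop: overlaps data already placed
            raise FragmentError("overlap", "fragment at %d overlaps data up to %d" % (f["offset"], len(buf)))
        if f["offset"] > len(buf):
            raise FragmentError("gap", "missing bytes %d-%d" % (len(buf), f["offset"]))
        buf += f["data"]
        complete = not f["mf"]
    if not complete:
        raise FragmentError("incomplete", "fragment with MF=0 never arrived; a reassembly timer would discard")
    return bytes(buf)


def classify(frags):
    """Label a fragment set the way an IDS would: 'ok' or the FragmentError kind."""
    try:
        reassemble(frags)
        return "ok"
    except FragmentError as e:
        return e.kind


# Constructed sample: the slide's 20-byte TCP header plus 3300 bytes of application data.
SLIDE_DATAGRAM = b"T" * 20 + b"D" * 3300
SLIDE_FRAGMENTS = fragment(7, SLIDE_DATAGRAM, 1280)
```

Feeding the three slide fragments to classify() in any order yields "ok"; moving the second fragment's offset back to 1272 yields "overlap" (Teardrop), dropping it yields "gap", dropping the last yields "incomplete", and a single fragment at offset 65,528 carrying 1000 bytes yields "oversize" (Ping of Death) before any other check, because the offset test is done first.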


Fragmented Packets as seen by "tcpdump"

# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'    <- filter for seeing fragments

ip[6:2] is the 16-bit Flags + Fragment Offset word of the IP header; masking with 0x3fff drops the Reserved and DF bits, so the test is true for any fragment (MF set, or a non-zero offset). "tcp" tests the IP protocol field, which every fragment carries; a filter such as "tcp port 6881" would match only the first fragment, because only that one contains the TCP header. This is why fragmented traffic gets past simple port-based filters.

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535
(frag 43660:64@0+) (ttl 127, len 84)                         Very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp
(frag 43660:44@64) (ttl 127, len 64)                         Very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp
(frag 0:20@…) (ttl 237, len 40)                              Very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp                  Note close times, different IPs
(frag 0:20@…) (ttl 240, len 40)                              Very small, isolated fragment

-------

43660:64@0+ = ID : Data-Length (without IP hdr) @ byte Offset (the header field stores Offset/8); "+" means the More Fragments bit is set. In the first pair, len 84 minus the 20-byte IP header leaves 64 bytes (20 of TCP header plus 44 of data) at offset 0, and the second piece carries the remaining 44 bytes at offset 64.

Wireshark display filters: ip.fragment and ip.fragment.X where X can be:
count == [number], error, overlap, overlap.conflict, multipletails, toolongfragment
These fields are attached to the reassembled packet; to see the individual fragments on the wire use ip.flags.mf == 1 || ip.frag_offset > 0.
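A parser for the three headers laid out on slides 2, 3 and 11, which also reproduces tcpdump's "frag ID:len@offset+" line and the ip[6:2]&0x3fff test, as an added example that is not part of the original lecture. The sample frame is constructed here to match the first tcpdump line above (ID 43660, 64 bytes after the IP header, MF set); the MAC addresses are made up and the TCP checksum is left zero, since only the IP header checksum is verified:

```python
import struct

ETHERTYPE = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 50: "ESP", 89: "OSPF"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words (IP, ICMP, TCP, UDP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame):
    """14-byte Ethernet header: dst MAC (bytes 0-5), src MAC (6-11), EtherType (12-13)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype, "payload": frame[14:]}


def parse_ipv4(packet):
    """20-byte IPv4 header; the fragment fields live in bytes 6-7 (3 flag bits + 13-bit offset/8)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than IPv4 header")
    vihl, tos, total_len, ident, flags_off, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:          # a valid header sums to zero, checksum included
        raise ValueError("bad IPv4 header checksum")
    return {
        "total_len": total_len, "ihl": ihl, "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,          # stored in 8-byte units
        "is_fragment": (flags_off & 0x3FFF) != 0,   # tcpdump's ip[6:2] & 0x3fff != 0
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def frag_summary(ip):
    """tcpdump's 'frag ID:len@offset+': len excludes the IP header, '+' means MF is set."""
    return "frag %d:%d@%d%s" % (ip["id"], ip["total_len"] - ip["ihl"], ip["offset"],
                                "+" if ip["mf"] else "")


def parse_tcp(segment):
    """20-byte TCP header; data offset is in 32-bit words, the flags are the low bits of bytes 12-13."""
    if len(segment) < 20:
        raise ValueError("segment shorter than TCP header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    letters = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "hdr_len": (off_flags >> 12) * 4,
            "flags": "".join(l for bit, l in letters if off_flags & bit)}


def decode(frame):
    """Walk Ethernet -> IP -> TCP the way the slide's layering does."""
    eth = parse_ethernet(frame)
    out = {"ethertype": ETHERTYPE.get(eth["type"], "0x%04x" % eth["type"])}
    if eth["type"] != 0x0800:
        return out
    ip = parse_ipv4(eth["payload"])
    out["proto"] = IP_PROTO.get(ip["proto"], str(ip["proto"]))
    out["frag"] = frag_summary(ip) if ip["is_fragment"] else None
    # The transport header exists only in the fragment at offset 0; later fragments are raw data.
    if ip["proto"] == 6 and ip["offset"] == 0 and len(ip["payload"]) >= 20:
        out["tcp"] = parse_tcp(ip["payload"])
    return out


def build_ipv4(src, dst, proto, payload, ident=0, df=False, mf=False, offset=0, ttl=64):
    """Constructed IPv4 header (checksum filled in) used to make the sample frames."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def sample_frames():
    """Constructed pair modelled on the first two tcpdump lines: the first fragment carries the
    TCP header (ACK set) plus 44 data bytes; the second carries the remaining 44 bytes at offset 64."""
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIHH", 3472, 6881, 3041158335, 829468732, (5 << 12) | 0x10, 65535)
    tcp += b"\x00\x00\x00\x00" + b"A" * 44             # checksum + urgent pointer, then data
    first = build_ipv4("128.61.60.143", "217.98.230.192", 6, tcp, ident=43660, mf=True, ttl=127)
    second = build_ipv4("128.61.60.143", "217.98.230.192", 6, b"B" * 44, ident=43660, offset=64, ttl=127)
    return eth_hdr + first, eth_hdr + second
```

decode() on the first sample gives "frag 43660:64@0+" and the TCP ports and flags; on the second it gives "frag 43660:44@64" and no TCP entry at all, which is what a port-based filter sees too.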


Protocols over IP

Listening port numbers (well-known ports, e.g. 161 = SNMP, 80 = HTTP) identify the application above the transport layer.

IP Next Protocol numbers: 6 = TCP, 17 = UDP, 1 = ICMP, 2 = IGMP, 89 = OSPF, 46 = RSVP, 50 = IPsec ESP

Ethernet "Next Protocol" (EtherType) numbers: 0x0800 = IP, 0x0806 = ARP

Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, …)


UDP Header (big endian): 8 bytes, Source Port, Destination Port, Length (header + data), Checksum

Common UDP Server Ports

53 – DNS (Domain Name System)

123 – NTP (Network Time Protocol)

137 – NBNS (NetBIOS Name Service, Microsoft)

631 – CUPS (Common Unix Printing System)

5353 – MDNS (Multicast DNS, Apple)


ICMP Header (big endian)

Bytes 0 - 3: Type (1 byte), Code (1 byte), Checksum (2 bytes)
Bytes 4 - 7: Identifier (2 bytes), Sequence Number (2 bytes) for Echo Request/Reply; other types use these four bytes differently
Bytes 8 - : Optional Data

Type Field

0 - Echo Reply (Code = 0)

3 - Destination Unreachable

5 - Redirect (change route)

8 - Echo Request (Ping)

11 - Time Exceeded (TTL reached zero in transit; traceroute relies on these)

Type 3 - Codes

0 - Network Unreachable

1 - Host Unreachable

3 - Port Unreachable (the UDP equivalent of a TCP Reset; the IP header and first 8 bytes of the offending datagram are returned in the data, so the receiver can tell which socket it concerns)

7 - Destination Host Unknown

12 - Host Unreachable for Type of Service


Smurf Attack

Attacker 23.45.67.89 sends an ICMP Echo Request (Ping)
  To: 222.45.6.255 (Broadcast)
  From: 130.207.225.23 (spoofed)

Every host on Network 222.45.6.0/24 (Network Broadcast Address = 222.45.6.255) sends an ICMP Echo Response
  To: 130.207.225.23

Victim 130.207.225.23 receives one reply per host that answered: the attacker's single packet is amplified by the number of hosts on the broadcast network.

(How is this prevented?) Routers drop directed broadcasts arriving from outside the network (RFC 2644 made "no ip directed-broadcast" the default), hosts ignore Echo Requests addressed to a broadcast address, and upstream providers filter packets whose source address could not legitimately come from that customer (ingress filtering, BCP 38 / RFC 2827).
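The three mitigations applied to the slide's scenario, as an added example that is not part of the original lecture. The addresses are the slide's; the 100 hosts on 222.45.6.0/24 and the attacker's upstream prefix 23.45.67.0/24 are constructed, and the host-side rule models the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts:

```python
import ipaddress

ICMP_ECHO_REQUEST = 8


def is_directed_broadcast(dst, attached_nets):
    """True if dst is the broadcast address of one of the router's attached networks."""
    d = ipaddress.ip_address(dst)
    return any(d == n.broadcast_address for n in attached_nets)


def router_decision(pkt, ingress_prefixes, attached_nets, forward_directed_broadcast=False):
    """What a router does with pkt (dict with src, dst, proto, icmp_type): 'forward' or a drop reason.

    ingress_prefixes: source prefixes legitimately behind the arrival interface (BCP 38 / RFC 2827);
    attached_nets: networks this router could deliver a directed broadcast onto (RFC 2644: don't)."""
    src = ipaddress.ip_address(pkt["src"])
    if not any(src in p for p in ingress_prefixes):
        return "drop: spoofed source %s not valid on ingress interface (BCP 38)" % src
    if is_directed_broadcast(pkt["dst"], attached_nets) and not forward_directed_broadcast:
        return "drop: directed broadcast to %s (RFC 2644)" % pkt["dst"]
    return "forward"


def host_replies(pkt, host_ip, host_net, ignore_broadcasts=True):
    """Host-side check: answer an Echo Request addressed to us; answer one addressed to the
    broadcast address only if the administrator has left that enabled."""
    if pkt["proto"] != 1 or pkt["icmp_type"] != ICMP_ECHO_REQUEST:
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    if dst == ipaddress.ip_address(host_ip):
        return True
    return dst == host_net.broadcast_address and not ignore_broadcasts


ANY = [ipaddress.ip_network("0.0.0.0/0")]


def replies_reaching_spoofed_source(pkt, host_ips, target_net, upstream_prefixes=None,
                                    border_forwards_broadcast=False, hosts_ignore_broadcasts=True):
    """Walk the scenario end to end: the attacker's upstream router (ingress filtering if a prefix
    list is configured), the target's border router, then every host. Returns how many Echo
    Replies the spoofed source, i.e. the victim, receives."""
    if router_decision(pkt, upstream_prefixes or ANY, []) != "forward":
        return 0
    if router_decision(pkt, ANY, [target_net], border_forwards_broadcast) != "forward":
        return 0
    return sum(1 for h in host_ips if host_replies(pkt, h, target_net, hosts_ignore_broadcasts))


# Constructed scenario from the slide.
SMURF_PKT = {"src": "130.207.225.23", "dst": "222.45.6.255", "proto": 1, "icmp_type": ICMP_ECHO_REQUEST}
LEGIT_PKT = {"src": "130.207.225.23", "dst": "222.45.6.7", "proto": 1, "icmp_type": ICMP_ECHO_REQUEST}
TARGET_NET = ipaddress.ip_network("222.45.6.0/24")
TARGET_HOSTS = ["222.45.6.%d" % i for i in range(1, 101)]        # 100 hosts on the LAN (constructed)
ATTACKER_UPSTREAM = [ipaddress.ip_network("23.45.67.0/24")]      # what the attacker's ISP should accept
```

With every mitigation switched off (no ingress filter, border router forwarding directed broadcasts, hosts answering them) the victim gets 100 replies for one spoofed packet; enabling any one of the three brings it to zero, while a normal ping to a single host still gets its one reply.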


TCP Header – 6 Flag Bits

Frame layout: Ethernet Hdr (14 bytes) | IP Header (20 bytes, big-endian) | TCP Header (20 bytes, big-endian) | App. Hdr & Data

Bytes 0 - 3: Source Port, Destination Port
Bytes 4 - 7: Sequence Number
Bytes 8 - 11: Acknowledgment Number
Bytes 12 - 13: Data Offset* (4 bits), reserved bits, Flags
Bytes 14 - 15: Window
Bytes 16 - 19: Checksum, Urgent Pointer

* Length of TCP Header in bytes / 4, i.e. in 32-bit words; 5 for the 20-byte header without options.

TCP Flags, from the high bit down: U A P R S F = URG, ACK, PSH, RST, SYN, FIN. (The two bits just above URG are the later ECN flags CWR and ECE; the slide's six are the original RFC 793 set.)


TCP Three-Way Handshake Flags

Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Then data segments in both directions: Ack (with Push and, rarely, Urgent)

A Flag Bit is "present", "set" or "true" if it is a binary 1.


TCP Disconnect (two Fin/Ack exchanges, one per direction; often called the four-way close)

Host A <-> Host B: data segments, Ack (Push, Urgent)
A -> B: Fin + Ack
B -> A: Ack
B -> A: Fin + Ack
A -> B: Ack
or either side sends Reset + Ack to abort the connection without the orderly exchange

Either A or B can be the Server.


TCP Initial: SYN, SYN-ACK, ACK

TCP Final: FIN-ACK, ACK, FIN-ACK, ACK

TCP SYN and RST-ACK (connection rejected: nothing is listening on that port, or a firewall answers on the server's behalf)

as seen using Wireshark (screen captures)


TCP State Diagram (figure: the RFC 793 connection state machine, LISTEN / SYN-SENT / SYN-RECEIVED / ESTABLISHED / FIN-WAIT-1 / FIN-WAIT-2 / CLOSE-WAIT / CLOSING / LAST-ACK / TIME-WAIT / CLOSED)

Reset: a RST received in any state after the initial SYN aborts the connection and returns it to CLOSED.


(Table of flag combinations: Reset, Fin, Syn, Ack, Comment)

Illegal flag combinations (SYN + FIN, no flags at all, FIN + PSH + URG, and similar) are used to determine the Operating System: RFC 793 never defined a response to them, so every TCP stack answers differently, and scanners such as nmap compare the answers against a fingerprint database.


DoS Exploits using TCP Packets

Land - Source Address = Destination Address (and source port = destination port), so the host replies to itself
  Crashes some printers, routers, Windows, UNIX.

Tear Drop - IP Fragments that overlap or have gaps, which the reassembly code mishandled
  (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux.

Winnuke - Out-of-band (Urgent) data to an open file-sharing port (TCP-139)
  Crashes Win 95 and NT

Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3
  Older Windows OS would crash.


TCP Session Hijack

(0) - Established TCP Connection between Alice and Bob

Attacker - (1) sniffs the network and watches Alice establish a TCP session with Bob, learning both sides' sequence numbers

(2) - DoS attack to silence Alice, so that Alice's own Acks and Resets do not disturb the hijacked connection

(3) - Hijacks the TCP connection by sending segments from Alice's address with the correct sequence number

Off-LAN attack (cannot sniff) to get past a host-based firewall that trusts Alice's address:

Open several TCP connections to Bob, to predict Bob's next initial sequence number (this only works if Bob's ISNs are predictable, e.g. incremented by a constant per connection, as early BSD-derived stacks did).

DoS Alice so it will not send a TCP Reset in answer to Bob's SYN-ACK (Alice never sent the SYN).

Send Bob a SYN from Alice's IP, then an ACK based on Bob's predicted sequence number.

Send the exploit to Bob (assume all packets are received OK and ACKed); the attacker never sees Bob's replies, so the whole attack is blind.
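The sequence-number-prediction step of the off-LAN attack, as an added example that is not part of the original lecture. Two models of Bob are constructed: one with a fixed per-connection ISN increment (the behaviour the attack relied on), and one following RFC 6528, where the ISN is a clock plus a keyed hash of the connection 4-tuple. The addresses, ports, secret and the "one second between connections" clock step are assumptions for the illustration:

```python
import hashlib
import struct

MOD = 2 ** 32


class SequentialIsn:
    """Constructed model of the predictable behaviour the attack relied on: the ISN counter
    advances by a fixed amount per connection, whoever the peer is."""
    def __init__(self, start=0x12345678, per_connection=64000):
        self.value, self.step = start, per_connection

    def next_isn(self, src, sport, dst, dport):
        self.value = (self.value + self.step) % MOD
        return self.value


class Rfc6528Isn:
    """ISN = M + F(local, remote, secret): a 4-microsecond clock plus a keyed hash of the 4-tuple,
    so ISNs seen on the attacker's own connections say nothing about the ISN Bob will pick for a
    connection that claims to come from Alice. (SHA-256 stands in for the RFC's unspecified PRF.)"""
    def __init__(self, secret, clock=0):
        self.secret, self.clock = secret, clock

    def next_isn(self, src, sport, dst, dport):
        self.clock = (self.clock + 250000) % MOD   # assume one second passes per connection
        h = hashlib.sha256(self.secret + struct.pack("!4sH4sH", src, sport, dst, dport)).digest()
        return (self.clock + struct.unpack("!I", h[:4])[0]) % MOD


def predict_next_isn(observed):
    """From ISNs observed on consecutive connections, estimate the next one.
    Returns (prediction, fraction of increments that agreed with the chosen step)."""
    if len(observed) < 3:
        raise ValueError("need at least three observations")
    deltas = [(b - a) % MOD for a, b in zip(observed, observed[1:])]
    step = max(set(deltas), key=deltas.count)    # most common increment, robust to one stray connection
    agree = deltas.count(step) / len(deltas)
    return (observed[-1] + step) % MOD, agree


def addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


BOB, ALICE, ATTACKER = addr("10.0.0.2"), addr("10.0.0.3"), addr("203.0.113.9")   # constructed


def blind_spoof_feasible(isn_source, probes=4):
    """The attacker opens `probes` real connections from its own address, predicts Bob's next
    ISN, then sends the spoofed SYN 'from Alice' and must ACK an ISN it will never see.
    Returns True if the prediction would have matched Bob's actual choice."""
    seen = [isn_source.next_isn(BOB, 23, ATTACKER, 40000 + i) for i in range(probes)]
    guess, _ = predict_next_isn(seen)
    actual = isn_source.next_isn(BOB, 23, ALICE, 1023)   # ISN in Bob's SYN-ACK to the spoofed SYN
    return guess == actual
```

Against SequentialIsn the guess is right every time; against Rfc6528Isn the four observed increments share nothing with the one Bob uses for Alice's 4-tuple, so the attacker's ACK number is wrong and Bob never moves the connection to ESTABLISHED. Silencing Alice is still needed in both cases, which is what step (2) of the attack does.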
