11 TCP/IP

The document discusses TCP/IP protocols like Ethernet, IP, TCP and UDP, including packet headers and fragmentation; it also covers TCP connection establishment and termination, common port numbers, and DoS exploits that abuse protocol behaviors like ICMP flooding (Smurf), illegal TCP flag combinations, and hijacking established TCP sessions.

ECE-6612

http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copeland


[email protected]
404 894-5177
fax 404 894-0035

Office: Klaus 3362


email or call for office visit, 404 894-5177

Slides 11 - Fun with TCP/IP

4/9/2015
Ethernet Header (MAC or Link Layer)

Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
(all three headers are big-endian: most significant byte first)

Bytes  0 -  5   Destination Address - 6 bytes
Bytes  6 - 11   Source Address - 6 bytes
Bytes 12 - 13   Next Protocol # (EtherType, MSB first: 0x0800 -> IP, 0x0806 -> ARP)
Bytes 14 -      Next Level Protocol Header
IP Header (Network Layer)
Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
(big-endian)

Bytes  0 -  3   Version (4 bits) | Header Length (4 bits, in 32-bit words) | Type of Service | Total Length (header + data, in bytes)
Bytes  4 -  7   Fragment Identification | Frag. Flags (3 bits) | Fragment Offset (13 bits, in 8-byte units)
Bytes  8 - 11   Time To Live | Next Protocol # | Header Checksum
Bytes 12 - 15   Source IP Address
Bytes 16 - 19   Destination IP Address

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP

Frag. Flags (reserved, DF, MF): 010 = Do Not Fragment (DF), 001 = More Fragments (MF)
The flags and the offset share bytes 6 - 7 of the header, which is why tcpdump fragment filters test ip[6:2].
Fragmented Packet
Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 0)    | TCP Header - 20 bytes + App. Hdr & Data - 1260 bytes
Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data - 1280 bytes
Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data - 760 bytes

Data packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes. That is 3320 bytes of IP payload, more than fits in one Ethernet frame (1500-byte MTU), so the router splits it into three fragments, each with its own IP header.

IP Fragment ID number is the same for each fragment. Only the first fragment carries the TCP header, so a firewall that looks at ports sees them in the first fragment only. The offsets shown are in bytes; the 13-bit Fragment Offset field holds them divided by 8 (0, 160, 320), so every fragment except the last must carry a multiple of 8 data bytes.
Ping of Death

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data - 1000 bytes

Packet Buffer 65,535 bytes | Packet Buffer 65,535 bytes

Fragments are reassembled in a buffer in memory sized for the largest possible IP datagram, 65,535 bytes (the Total Length field is 16 bits). A Ping of Death fragment whose offset plus data length exceeds 65,535 overflows that buffer, corrupting the next buffer and causing older versions of Windows to crash.

"Ping" was used because #ping -s 66500 used to work. The fix is a single check at reassembly time: drop any fragment for which offset + data length > 65,535.

"fragrouter" is a network utility that generates bad fragments.
Fragmented Packets as seen by "tcpdump"
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'        <- filter for seeing fragments

(The mask 0x3fff clears the reserved and DF bits of header bytes 6 - 7, so the filter matches any packet with MF set or a non-zero fragment offset.)

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)        Very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)                                                                   Very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)        Very small, isolated fragment, ID=0
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)         Very small, isolated fragment; note close times, different IPs
-------
43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset
"+" means More Fragments bit set.
Wireshark display filters: ip.fragment and ip.fragment.X, where X can be:
count==[number], error, overlap, overlap.conflict, multipletails, toolongtails
Protocols over IP

Listening Port No. (Well-Known): 179 BGP, 21 FTP, 80 HTTP, 25 SMTP, 23 Telnet (all TCP), 161 SNMP (UDP)
IP Next Protocol Numbers: 6 = TCP, 17 = UDP, 1 = ICMP, 2 = IGMP, 89 = OSPF, 46 = RSVP, 50 = IPsec ESP
Ethernet "Next Protocol" Number: 0x0800 = IP, 0x0806 = ARP
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)
UDP Header (big endian, 8 bytes)
Bytes 0 - 3   Source Port | Destination Port
Bytes 4 - 7   Length (header + data, in bytes) | Checksum

Common UDP Server Ports

53 - DNS (Domain Name Server)
123 - NTP (Network Time Protocol)
137 - NBNS (NetBIOS Name Service, Microsoft)
631 - CUPS (Common Unix Printing System)
5353 - MDNS (Multicast DNS, Apple)
ICMP Header (big endian)
Bytes 0 - 3   Type (8 bits) | Code (8 bits) | Checksum (16 bits)
Bytes 4 - 7   Identifier | Sequence Number (for Echo Request / Echo Reply)
Bytes 8 -     Optional Data

Type Field                                      Type 3 - Codes
 0 - Echo Reply (Code=0)                         0 - Network Unreachable
 3 - Destination Unreachable                     1 - Host Unreachable
 5 - Redirect (change route)                     3 - Port Unreachable (UDP's equivalent of a TCP Reset; the original IP header and first 8 bytes of its payload are returned in the data)
 8 - Echo Request (Ping)                         7 - Destination Host Unknown
11 - Time Exceeded (TTL ran out; used by traceroute)  12 - Host Unreachable for Type of Service
Smurf Attack

Attacker 23.45.67.89 sends one ICMP Echo Request (Ping)
    To:   222.45.6.255 (the broadcast address of network 222.45.6.0/24)
    From: 130.207.225.23 (spoofed: the victim's address)

Every host on 222.45.6.0/24 that answers the broadcast ping sends an ICMP Echo Response
    To: 130.207.225.23 (the victim), which is flooded by up to 254 replies per spoofed request.

(How is this prevented? Routers no longer forward IP directed broadcasts onto their LANs, the default since RFC 2644; hosts can be configured to ignore pings sent to a broadcast address; and networks drop packets with spoofed source addresses at their edge, per BCP 38.)
TCP Header - 6 Flag Bits
Ethernet Hdr - 14 bytes | IP Header - 20 bytes | TCP Header - 20 bytes | App. Hdr & Data
(big-endian)

Bytes  0 -  3   Source Port | Destination Port
Bytes  4 -  7   Sequence Number
Bytes  8 - 11   Acknowledgment Number
Bytes 12 - 15   Header Length* (4 bits) | Reserved (6 bits) | TCP Flags: U A P R S F (6 bits) | Window Size
Bytes 16 - 19   Checksum | Urgent Pointer

* Length of TCP Header in bytes / 4, i.e. the number of 32-bit words; 5 for a header without options.
TCP Flags: U = URG, A = ACK, P = PSH, R = RST, S = SYN, F = FIN (the low 6 bits of byte 13).
TCP Three-Way Handshake Flags

Client                                      Server
   ---------- Syn (only) ------------------>
   <--------- Syn + Ack --------------------
   ---------- Ack ------------------------->
   ---------- Ack (Push, Urgent) ---------->   data segments: Ack is always set,
   <--------- Ack (Push, Urgent) -----------   Push and Urgent are optional

A Flag Bit is "present", "set" or "true" if it is a binary 1.
TCP Three-Way Disconnect

Host A                                      Host B
   ---------- Ack (Push, Urgent) ---------->
   <--------- Ack (Push, Urgent) -----------
   ---------- Fin + Ack ------------------->   A has finished sending
   <--------- Ack --------------------------
   <--------- Fin + Ack --------------------   B has finished sending
   ---------- Ack ------------------------->
or ---------- Reset + Ack ----------------->   abortive close: no Fin exchange, data in flight is discarded

Either A or B can be the Server.
TCP Initial: SYN, SYN-ACK, ACK

TCP Final: FIN, ACK, FIN-ACK, ACK

TCP SYN and RST-ACK (connection rejected: nothing is listening on the port)

as seen using Wireshark
TCP State Diagram

(Figure not reproduced. A Reset takes the connection to CLOSED from any state.)
Reset  Fin  Syn  Ack   Comment
  0     0    0    1    OK
  0     0    1    0    1st Packet
  0     0    1    1    2nd Packet
  0     1    0    0    Needs Ack
  0     1    0    1    OK
  0     1    1    0    Illegal
  0     1    1    1    Illegal
  1     0    0    0    Needs Ack
  1     0    0    1    OK
  1     0    1    0    Illegal
  1     0    1    1    Illegal
  1     1    0    0    Illegal
  1     1    0    1    Illegal
  1     1    1    0    Illegal
  1     1    1    1    Illegal

Illegal flag combinations are used to determine the Operating System: stacks differ in whether they answer such a packet at all, and with what, so scanners such as nmap send them on purpose. The one row missing above, no flags set at all (a "null" packet), is never sent by a normal stack and is used the same way. One caveat on the "Needs Ack" rows: a Reset without Ack does occur legitimately, because a host rejecting a segment that itself carried an Ack replies with Reset alone.
DoS Exploits using TCP Packets
Land - Source Address = Destination Address (and source port = destination port), so the victim answers itself.
  Crashes some printers, routers, Windows, UNIX.

Tear Drop - IP Fragments that overlap, or have gaps, and confuse the reassembly code.
  (also Bonk, Newtear, Syndrop) Win 95, Win 98, NT, Linux.

Winnuke - Any garbage data sent out-of-band (Urgent flag set) to an open file-sharing port (TCP 139)
  Crashes Win 95 and NT

Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3
  Older Windows OS would crash.
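A checker for the flag-combination table on the previous slide and for the Land and Urgent-pointer abuses listed here. This is an added example written for this page, not the course's code and not a signature set from any IDS. The 10.0.0.x addresses, ports and payloads it is run on are constructed, and the urgent-pointer rule (URG set but the pointer reaching past the data actually carried) is a generic sanity check that catches the WinNuke and "Urgent Offset Pointer = 3" style packets rather than an exact reproduction of either exploit.

```python
"""Checks on raw IPv4/TCP packets: the slide's flag table, Land, and Urgent-pointer abuse."""
import struct
from ipaddress import IPv4Address

URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
NETBIOS_SESSION = 139

# The slide's table keyed by (Reset, Fin, Syn, Ack); every combination not listed is illegal.
FLAG_TABLE = {
    (0, 0, 0, 1): "OK", (0, 0, 1, 0): "1st Packet", (0, 0, 1, 1): "2nd Packet",
    (0, 1, 0, 0): "Needs Ack", (0, 1, 0, 1): "OK",
    (1, 0, 0, 0): "Needs Ack", (1, 0, 0, 1): "OK",
}


def classify_flags(flags: int) -> str:
    """Map the R/F/S/A bits of a TCP flag byte onto the slide's table."""
    key = tuple(int(bool(flags & bit)) for bit in (RST, FIN, SYN, ACK))
    if key == (0, 0, 0, 0):
        return "Illegal (null)"        # no flags at all: never sent by a normal stack
    return FLAG_TABLE.get(key, "Illegal")


def parse_segment(pkt: bytes) -> dict:
    """Pull the fields the checks need from a packet that starts at the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_res, flags, _win, _cksum, urg_ptr = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4          # header length field, in 32-bit words
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": doff, "flags": flags & 0x3F, "urg_ptr": urg_ptr,
            "payload_len": max(len(tcp) - doff, 0)}


def inspect_packet(pkt: bytes) -> list:
    """Return the findings for one packet, in a fixed order."""
    s = parse_segment(pkt)
    out = []
    if s["data_offset"] < 20:
        out.append("bad_header_length")
    out.append("flags: " + classify_flags(s["flags"]))
    if s["src"] == s["dst"]:
        out.append("land")                          # the victim would answer itself
    if s["flags"] & URG:
        if s["urg_ptr"] > s["payload_len"]:
            out.append("urgent_pointer_past_data")  # WinNuke / "Urgent Pointer = 3" style
        if s["dport"] == NETBIOS_SESSION:
            out.append("oob_to_netbios")
    return out


def make_packet(src, dst, sport, dport, flags, urg_ptr=0, payload=b"", seq=0, ack=0) -> bytes:
    """Constructed IPv4 + TCP packet, checksums left at zero (offline test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp
```

`inspect_packet(make_packet("10.0.0.2", "10.0.0.2", 139, 139, SYN))` reports "land" next to the "1st Packet" classification, and a URG segment to port 139 whose urgent pointer (3) exceeds its one byte of payload is reported as both "urgent_pointer_past_data" and "oob_to_netbios". The flag test uses only the R/F/S/A bits because that is what the slide's table keys on; PSH and URG are then judged separately.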
TCP Session Hijack

(0) Alice and Bob have an established TCP connection.
(1) Attacker sniffs the network and watches Alice establish the TCP session with Bob.
(2) Attacker DoS-attacks Alice into silence, so that she sends no Acks and Resets that would expose the hijack.
(3) Attacker hijacks the TCP connection by injecting segments, from Alice's IP, that carry the correct sequence number.

Which segments belong to an IP connection is determined by the remote host's sequence number, not by the IP address!

Off-LAN Attack (cannot sniff) to get past a host-based firewall that trusts Alice's IP:
1. Open several TCP connections to Bob, to predict Bob's next initial sequence number.
2. DoS Alice so it will not send a TCP Reset in response to Bob's SYN-ACK.
3. Send Bob a SYN (from Alice's IP), then an ACK based on the predicted Bob's seq. no.
4. Send the exploit to Bob (assume all packets are received ok and Ack'ed).

This blind spoofing works only when Bob's initial sequence numbers are predictable; modern stacks randomize them per connection (RFC 6528).
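Step 1 of the off-LAN attack stands or falls on whether Bob's initial sequence numbers can be predicted. The following added example (written for this page, not the course's code) models a server "Bob" with two interchangeable ISN generators, an old BSD-style fixed increment and an RFC 6528-style keyed hash, and runs the attacker's probe-then-spoof procedure from steps 1, 3 and 4 against each. The server address 192.0.2.10, the ports, the 64,000 increment and the per-connection counter are assumptions; 23.45.67.89 and 130.207.225.23 are the attacker and victim addresses from the Smurf slide.

```python
"""Blind TCP spoofing against a predictable versus a randomized ISN generator."""
import hashlib

MASK = 0xFFFFFFFF            # sequence numbers are 32 bits and wrap


class LegacyIsn:
    """Old BSD-style generator: a counter that advances by a fixed 64,000 per connection
    (the slow clock term is ignored, as for connections opened back-to-back)."""
    def __init__(self, start: int = 0x1000):
        self.counter = start

    def next_isn(self, four_tuple) -> int:
        self.counter = (self.counter + 64_000) & MASK
        return self.counter


class Rfc6528Isn:
    """ISN = M + F(4-tuple, secret) as in RFC 6528: the same counter M, but the keyed hash F
    differs for every 4-tuple, so probes from other addresses/ports reveal nothing."""
    def __init__(self, secret: bytes, start: int = 0x1000):
        self.secret, self.counter = secret, start

    def next_isn(self, four_tuple) -> int:
        self.counter = (self.counter + 64_000) & MASK
        f = hashlib.sha256(repr(four_tuple).encode() + self.secret).digest()
        return (self.counter + int.from_bytes(f[:4], "big")) & MASK


class Bob:
    """Server side of the handshake; remembers the ISN it put in each SYN-ACK."""
    def __init__(self, isn_gen, ip: str = "192.0.2.10", port: int = 23):
        self.isn_gen, self.ip, self.port = isn_gen, ip, port
        self.pending = {}            # 4-tuple -> ISN sent in the SYN-ACK
        self.established = set()

    def syn(self, client_ip: str, client_port: int) -> int:
        """Handle a SYN; the returned ISN travels in a SYN-ACK addressed to client_ip only."""
        key = (client_ip, client_port, self.ip, self.port)
        isn = self.isn_gen.next_isn(key)
        self.pending[key] = isn
        return isn

    def ack(self, client_ip: str, client_port: int, ack_num: int) -> bool:
        """Third handshake packet: accepted only if it acknowledges ISN + 1."""
        key = (client_ip, client_port, self.ip, self.port)
        isn = self.pending.get(key)
        if isn is not None and ack_num == ((isn + 1) & MASK):
            self.established.add(key)
            return True
        return False


def predict_next_isn(observed):
    """Return the next ISN if the observed ones advance by a constant step, else None."""
    deltas = [(b - a) & MASK for a, b in zip(observed, observed[1:])]
    if len(deltas) < 2 or max(deltas) != min(deltas):
        return None
    return (observed[-1] + deltas[0]) & MASK


def blind_spoof(bob: Bob, attacker_ip: str = "23.45.67.89", alice_ip: str = "130.207.225.23",
                probes: int = 4) -> bool:
    """Slide steps 1, 3 and 4; step 2 (silencing Alice) is assumed to have happened."""
    # Step 1: probe connections from the attacker's own address; these SYN-ACKs are visible.
    seen = [bob.syn(attacker_ip, 50_000 + i) for i in range(probes)]
    guess = predict_next_isn(seen)
    if guess is None:
        return False                      # ISNs look random: no blind hijack possible
    # Step 3: SYN from Alice's address; Bob's SYN-ACK goes to Alice and is never seen.
    bob.syn(alice_ip, 40_000)
    # The ACK must carry Bob's unseen ISN + 1; only the prediction can supply it.
    return bob.ack(alice_ip, 40_000, (guess + 1) & MASK)
```

With `LegacyIsn` the four probes advance by exactly 64,000 each, the prediction hits Bob's next ISN and `blind_spoof` returns True; with `Rfc6528Isn` the deltas are scattered by the keyed hash, the attacker gets no usable guess and the spoofed handshake fails. A real attacker would also need step 2, since an unexpected SYN-ACK makes Alice's stack send a Reset that tears the half-open connection down.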
