
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)
Slides 11 - Fun with TCP/IP
4/18/2011

Ethernet Header (MAC or Link Layer)

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

Bytes 0 - 5: Destination Address (6 bytes)
Bytes 6 - 11: Source Address (6 bytes)
Bytes 12 - 13: Next Protocol # (EtherType), most significant byte first: 08 00 -> 0x0800 -> IP
Bytes 14 - : Next Level Protocol Header (IP)

Ethernet sends each byte least-significant bit first (the "little-endian" label on the original slide), but multi-byte fields such as the EtherType are read most-significant byte first, so 08 00 is 0x0800, not 0x8000.

IP Header (Network Layer)

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

Fields used below: Total Length (bytes 2 - 3), Identification (bytes 4 - 5), Frag. Flags (3 bits) + Fragment Offset (13 bits, in 8-byte units) (bytes 6 - 7), Next Protocol (byte 9)

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags (reserved, DF, MF): 001 = More Fragments (MF); 010 = Do Not Fragment (DF, written DNF on the slide)

Fragmented Packet

Fragment 1: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes | App. Hdr & Data, 1260 bytes  (IP payload 20 + 1260 = 1280 bytes)
Fragment 2: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data, 1280 bytes
Fragment 3: Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data, 760 bytes

The offsets above are byte offsets into the original IP payload; the 13-bit header field carries offset / 8 (0, 160, 320), so every fragment except the last must carry a multiple of 8 bytes of data.

Data packet from Token Ring has a TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 3320 bytes, carried as (20 + 1260) + 1280 + 760 bytes. Only the first fragment contains the TCP header; the later fragments carry no port numbers.

The IP Identification (fragment ID) number is the same for each fragment, so the receiver knows which fragments belong together.

Ping of Death

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data, 1000 bytes

Fragments are assembled in a packet buffer of 65,535 bytes (the maximum IP datagram length) in memory. The Ping of Death fragment ends at byte 65,500 + 1000 = 66,500, past the end of that buffer; the overflow corrupts the next buffer, causing an older version of Windows to crash. Ping was used because "# ping -s 66500" used to work, i.e., the sending stack did not refuse to build a datagram longer than 65,535 bytes. fragrouter is a hacker program that generates bad (overlapping and out-of-order) fragments.

The fix is a bounds check at reassembly: reject any fragment whose offset plus data length exceeds 65,535 instead of trusting the offset field.

Fragmented Packets as seen by tcpdump

# tcpdump -nnvli eth3 'tcp and ((ip[6:2] & 0x3fff) != 0)'      Filter for seeing fragments: MF bit set or offset non-zero

22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)      Very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)      Very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)      Very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)      Very small, isolated fragment; note the close times and different IPs

43660:64@0+ = ID : Data-Length (without IP hdr) @ byte offset (tcpdump multiplies the 13-bit offset field by 8); + means the More Fragments bit is set.
Only the first fragment (offset 0) carries the TCP header, so only it is printed with ports, sequence and ack numbers; a tcpdump filter on TCP ports will not match the later fragments.
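The following is an added example, not code from the original slides: a small IPv4 fragment parser and reassembler in Python (standard library only) that reproduces the tcpdump filter predicate and the "id:len@offset+" tag from the slide above, and applies the two checks the Ping of Death slide and the Teardrop bullet on the later DoS slide call for (offset + length past the 65,535-byte buffer, and overlapping fragments). The packets, the IP ID 43660 and the 1280/1280/760 split are constructed here to match the slides; the IP header checksum is left at zero because it is not the point of the exercise.

```python
import struct

IP_MF = 0x2000            # More Fragments flag in the flags/offset word
IP_DF = 0x4000            # Don't Fragment flag
IP_OFFMASK = 0x1FFF       # 13-bit fragment offset, in 8-byte units
MAX_DATAGRAM = 65535      # largest IPv4 datagram a reassembly buffer must hold
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, big-endian


def build_ipv4(ident, payload, byte_offset, more_fragments, proto=6,
               src="128.61.60.143", dst="217.98.230.192", ttl=127):
    """IPv4 header + payload. The header checksum is left 0 (not the point here)."""
    if byte_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = (IP_MF if more_fragments else 0) | (byte_offset // 8)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_off, ttl, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fields fragment handling needs; the offset is converted to bytes."""
    ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "ttl": ttl,
            "df": bool(flags_off & IP_DF), "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8,   # what tcpdump prints after '@'
            "len": total_len - ihl,                   # data length without the IP header
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "data": pkt[ihl:total_len]}


def is_fragment(pkt):
    """Same test as the tcpdump filter (ip[6:2] & 0x3fff) != 0: MF set or offset non-zero."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x3FFF) != 0


def tcpdump_frag_tag(f):
    """Render 'frag id:len@offset+' the way tcpdump does ('+' = More Fragments)."""
    return f"frag {f['id']}:{f['len']}@{f['offset']}{'+' if f['mf'] else ''}"


def check_fragment(f):
    """Return the problem a single fragment would cause at reassembly, or None."""
    end = f["offset"] + f["len"]
    if end > MAX_DATAGRAM:        # Ping of Death: writes past the 65,535-byte buffer
        return f"overflow: fragment ends at byte {end} > {MAX_DATAGRAM}"
    if f["mf"] and f["len"] % 8:  # only the last fragment may have a non-multiple-of-8 size
        return "non-final fragment length is not a multiple of 8"
    return None


def reassemble(fragments):
    """Reassemble parsed fragments of one datagram (same IP ID). Rejects overruns
    (Ping of Death) and overlaps (Teardrop) instead of trusting the offsets."""
    buf, covered, last_end = bytearray(), [], None
    for f in sorted(fragments, key=lambda f: f["offset"]):
        problem = check_fragment(f)
        if problem:
            raise ValueError(problem)
        start, end = f["offset"], f["offset"] + f["len"]
        for s, e in covered:
            if start < e and s < end:
                raise ValueError(f"overlapping fragment {start}-{end} vs {s}-{e}")
        covered.append((start, end))
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = f["data"]
        if not f["mf"]:
            last_end = end
    if last_end is None or last_end != sum(e - s for s, e in covered):
        raise ValueError("datagram incomplete")
    return bytes(buf[:last_end])


# Constructed sample: the slide's 3320-byte TCP segment (20-byte header + 3300 bytes
# of data) split into IP payloads of 1280, 1280 and 760 bytes under one ID.
SEGMENT = b"T" * 20 + b"D" * 3300
FRAGS = [build_ipv4(43660, SEGMENT[0:1280], 0, True),
         build_ipv4(43660, SEGMENT[1280:2560], 1280, True),
         build_ipv4(43660, SEGMENT[2560:], 2560, False)]
# Constructed Ping of Death fragment: 1000 bytes placed at byte 65,496 (the slide's
# 65,500 rounded down to a multiple of 8), ending at 66,496 > 65,535.
POD = build_ipv4(7, b"\x00" * 1000, 65496, False, proto=1)

if __name__ == "__main__":
    for pkt in FRAGS + [POD]:
        f = parse_ipv4(pkt)
        print(is_fragment(pkt), tcpdump_frag_tag(f), check_fragment(f))
    print(len(reassemble([parse_ipv4(p) for p in FRAGS])))
```

Run it directly to see the three slide fragments tagged "43660:1280@0+", "43660:1280@1280+" and "43660:760@2560", the Ping of Death fragment rejected with an overflow message, and the 3320-byte segment recovered. The overlap test in reassemble() is the one that matters for Teardrop-style fragments: a real stack must decide which bytes win (or drop the datagram), and an IDS that reassembles differently from the end host can be evaded.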

Protocols over IP

Application listening port numbers (well-known): 80 (HTTP, over TCP), 161 (SNMP, over UDP)
IP Next Protocol numbers: 6 = TCP, 17 = UDP, 46 = RSVP, 50 = IPsec ESP, 89 = OSPF
ARP sits beside IP, directly over the link layer (with its own Ethernet type)
Ethernet Next Protocol number: 0x0800 = IP
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point)

UDP Header (big endian)
Bytes 0 - 3: Source Port (2 bytes), Destination Port (2 bytes)
Bytes 4 - 7: Length (2 bytes), Checksum (2 bytes)

ICMP Header (big endian)
Bytes 0 - 3: Type (1 byte), Code (1 byte), Checksum (2 bytes)
Bytes 4 - 7: Identifier (2 bytes), Sequence Number (2 bytes) (for Echo Request / Echo Reply)
Bytes 8 - : Optional Data

Type Field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Time Exceeded (TTL ran out; what traceroute relies on)

Type 3 Codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (UDP's equivalent of a TCP Reset: the original IP header plus the first 8 bytes of its payload are returned in the data, so the sender can tell which packet failed); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service

Smurf Attack

Attacker 23.45.67.89 sends an ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast) From: 130.207.225.23 (spoofed)
Every host on Network 222.45.6.0/24 (Network Broadcast Address = 222.45.6.255) sends an ICMP Echo Response To: 130.207.225.23
Victim 130.207.225.23 receives the amplified flood, one reply per host on the network

(How is this prevented? Routers drop directed broadcasts arriving from outside the subnet, hosts do not answer broadcast pings, and ingress filtering at the attacker's edge drops packets whose source address is spoofed.)
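An added example covering the ICMP header slide and the Smurf slide above (not code from the original deck): Python that computes the Internet checksum used by the ICMP header, builds and verifies an Echo Request, recovers the original destination and port from a Type 3 / Code 3 Port Unreachable message (the "old header in the data" case), and applies the filter a border router would use against Smurf triggers. The addresses, the 222.45.6.0/24 prefix and the embedded UDP packet are constructed for the demonstration; the function names are mine.

```python
import ipaddress
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT = 0, 3, 5
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11
CODE_PORT_UNREACH = 3


def internet_checksum(data):
    """RFC 1071 one's-complement sum over big-endian 16-bit words (IP, ICMP, UDP and
    TCP all use it). Verifying a message that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest, payload=b""):
    """Type (1) | Code (1) | Checksum (2) | rest of header (4) | data; checksum covers all."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = internet_checksum(hdr + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def build_echo(ident, seq, payload=b"", icmp_type=ICMP_ECHO_REQUEST):
    """Echo Request / Reply: bytes 4-7 are Identifier and Sequence Number."""
    return build_icmp(icmp_type, 0, (ident << 16) | seq, payload)


def parse_icmp(msg):
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    return {"type": icmp_type, "code": code, "id": rest >> 16, "seq": rest & 0xFFFF,
            "checksum_ok": internet_checksum(msg) == 0, "data": msg[8:]}


def unreachable_target(msg):
    """Destination Unreachable carries the offending packet's IP header plus its first
    8 bytes, which for UDP/TCP begin with the ports: this is how a UDP sender learns
    a port is closed (the 'UDP reset')."""
    m = parse_icmp(msg)
    if m["type"] != ICMP_DEST_UNREACH:
        return None
    inner = m["data"]
    ihl = (inner[0] & 0x0F) * 4
    dst = ".".join(str(b) for b in inner[16:20])
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": m["code"], "proto": inner[9], "dst": dst, "dport": dport}


def is_smurf_trigger(src, dst, icmp_type, local_prefix):
    """Echo Request aimed at a subnet's directed-broadcast address from a source outside
    that subnet: the packet a border router should drop (no directed broadcasts)."""
    net = ipaddress.ip_network(local_prefix)
    return (icmp_type == ICMP_ECHO_REQUEST
            and ipaddress.ip_address(dst) == net.broadcast_address
            and ipaddress.ip_address(src) not in net)


# Constructed samples (not captured traffic).
PING = build_echo(0x1234, 1, b"abcdefgh")
# IPv4 header (proto 17 = UDP, 10.0.0.9 -> 10.0.0.5) and UDP ports 40000 -> 33434,
# as a host would embed them when nothing listens on 33434.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                    bytes([10, 0, 0, 9]), bytes([10, 0, 0, 5]))
INNER += struct.pack("!HHHH", 40000, 33434, 8, 0)
PORT_UNREACH = build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, INNER)

if __name__ == "__main__":
    print(parse_icmp(PING))
    print(unreachable_target(PORT_UNREACH))
    print(is_smurf_trigger("130.207.225.23", "222.45.6.255", ICMP_ECHO_REQUEST, "222.45.6.0/24"))
```

The Smurf check deliberately tests both conditions from the slide: the destination is the network broadcast address and the source is not on that network. A reply flood still needs hosts that answer broadcast pings, which is the second knob (ignore broadcast ICMP) and the reason directed-broadcast forwarding is off by default on modern routers.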

TCP Header

Ethernet Hdr - 14 bytes | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

* Data Offset field = length of TCP header in bytes / 4 (the header length in 32-bit words: 5 for a 20-byte header with no options)

TCP Flags: U A P R S F = URG, ACK, PSH, RST, SYN, FIN

TCP Three-Way Handshake

Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Client <-> Server: Ack (+ Push, Urgent as needed) on every later data segment

TCP Disconnect (two FIN/ACK exchanges, four segments)

Host A <-> Host B: Ack (+ Push, Urgent as needed) data segments
Host A -> Host B: Fin + Ack
Host B -> Host A: Ack
Host B -> Host A: Fin + Ack
Host A -> Host B: Ack

or either side aborts with Reset + Ack

Either A or B can be the Server

TCP Initial: SYN, SYN-ACK, ACK
[figure: the three-way handshake as seen using wireshark]

TCP Final: FIN, ACK, FIN-ACK, ACK
[figure: the connection close as seen using wireshark]

TCP SYN and RST-ACK (no connection)
[figure: a SYN to a closed port answered by RST-ACK, as seen using wireshark]

TCP State Diagram
[figure: TCP state diagram]

TCP Flag Combinations

Reset  Fin  Syn  Ack   Comment
  0     0    0    1    OK (data or plain acknowledgment)
  0     0    1    0    1st Packet (SYN)
  0     0    1    1    2nd Packet (SYN-ACK)
  0     1    0    0    Needs Ack (FIN without ACK)
  0     1    0    1    OK (FIN-ACK)
  0     1    1    0    Illegal (SYN + FIN)
  0     1    1    1    Illegal
  1     0    0    0    Needs Ack (RST without ACK)
  1     0    0    1    OK (RST-ACK)
  1     0    1    0    Illegal (SYN + RST)
  1     0    1    1    Illegal
  1     1    0    0    Illegal (FIN + RST)
  1     1    0    1    Illegal
  1     1    1    0    Illegal
  1     1    1    1    Illegal

Illegal flag combinations are used to determine the Operating System: stacks differ in how they answer a segment such as SYN+FIN or one with no flags at all (RST, silence, or even a SYN-ACK), and OS fingerprinting tools such as nmap compare those answers against a database.

DoS Exploits using TCP/IP Packets

Land - Source Address = Destination Address (and source port = destination port). Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP Fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data sent as out-of-band (URG) data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.
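An added example (not code from the original deck) tying together the TCP header slide, the flag-combination table and the DoS slide above: a Python TCP header builder and parser that decodes the Data Offset and the six flags, classifies a segment with the table's verdicts, and flags the Land and urgent-pointer patterns. The packets are constructed here; the addresses, ports and the "Null" verdict for a segment with no flags set (not a row in the slide's table, but what nmap's null scan sends) are my additions, and the TCP checksum is left at zero because it needs the IP pseudo-header.

```python
import struct

URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = (("U", URG), ("A", ACK), ("P", PSH), ("R", RST), ("S", SYN), ("F", FIN))
TCP_FMT = "!HHIIBBHHH"   # 20-byte TCP header, big-endian


def build_tcp(sport, dport, seq, ack, flags, window=65535, urg_ptr=0,
              options=b"", payload=b""):
    """TCP header + options (padded to 4 bytes) + payload. Checksum left 0."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset << 4,
                      flags, window, 0, urg_ptr)
    return hdr + options + payload


def parse_tcp(seg):
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, urg_ptr) = struct.unpack(TCP_FMT, seg[:20])
    hlen = (off_res >> 4) * 4                        # Data Offset * 4 = header bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": flags & 0x3F, "window": window, "urg_ptr": urg_ptr,
            "options": seg[20:hlen], "payload": seg[hlen:]}


def flag_string(flags):
    """U A P R S F, in the order the slide lists them."""
    return "".join(name for name, bit in FLAG_NAMES if flags & bit)


def classify_flags(flags):
    """The slide's table over the RST/FIN/SYN/ACK bits (PSH and URG do not matter)."""
    core = flags & (RST | FIN | SYN | ACK)
    if core == SYN:
        return "1st Packet"
    if core == SYN | ACK:
        return "2nd Packet"
    if core in (ACK, FIN | ACK, RST | ACK):
        return "OK"
    if core in (FIN, RST):
        return "Needs Ack"
    if core == 0:
        return "Null"                                # no flags at all: not in the table
    return "Illegal"


def dos_signatures(src_ip, dst_ip, t):
    """Flag the TCP-level DoS patterns from the slides in one parsed segment."""
    hits = []
    if src_ip == dst_ip and t["sport"] == t["dport"]:
        hits.append("Land: source = destination")
    verdict = classify_flags(t["flags"])
    if verdict in ("Illegal", "Null"):
        hits.append(f"{verdict} flag combination {flag_string(t['flags'])}")
    if t["flags"] & URG:
        if t["urg_ptr"] > len(t["payload"]):
            hits.append("URG with urgent pointer past the end of the data")
        if t["dport"] == 139:
            hits.append("WinNuke-style out-of-band data to TCP 139")
    return hits


# Constructed samples (src_ip, dst_ip, raw segment); not captured traffic.
LAND = ("10.1.2.3", "10.1.2.3", build_tcp(139, 139, 1000, 0, SYN))
SYN_FIN = ("10.1.2.4", "10.1.2.3", build_tcp(40000, 80, 1000, 0, SYN | FIN))
OOB_139 = ("10.1.2.4", "10.1.2.3",
           build_tcp(40000, 139, 1000, 1, ACK | PSH | URG, urg_ptr=3, payload=b"x"))
MSS_1460 = b"\x02\x04\x05\xb4"                       # option kind 2, length 4, MSS 1460
CLEAN_SYN = ("10.1.2.4", "10.1.2.3",
             build_tcp(49194, 25, 2818212180, 0, SYN, window=32768, options=MSS_1460))

if __name__ == "__main__":
    for src, dst, seg in (LAND, SYN_FIN, OOB_139, CLEAN_SYN):
        t = parse_tcp(seg)
        print(flag_string(t["flags"]), classify_flags(t["flags"]), dos_signatures(src, dst, t))
```

A stack that implements the table strictly would answer the "Illegal" rows with a Reset or silence; the point of the fingerprinting slide is that they do not all choose the same answer. The urgent-pointer check is the generic form of the "Urgent Offset Pointer = 3" bullet: a pointer past the data that actually arrived is what the vulnerable stacks failed to validate.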

TCP Session Hijack

(0) - Alice and Bob have an established TCP connection.
Attacker - (1) sniffs the network and watches Alice establish the TCP session with Bob.
(2) - DoS attack to silence Alice, so her Acks and Resets no longer reach Bob.
(3) - Hijacks the TCP connection by sending segments to Bob from Alice's address with the correct (next expected) sequence number.

Off-LAN Attack (attacker cannot sniff) to get by a host-based firewall that trusts Alice's IP address:
1. Open several TCP connections to Bob, to predict his next initial sequence number.
2. DoS Alice so it will not send a TCP Reset in response to Bob's SYN-ACK.
3. Send Bob a SYN from Alice's IP, then an ACK based on Bob's predicted seq. no.
4. Send the exploit to Bob (assume all packets are Acked, since the attacker never sees Bob's replies).

TCP Connect Handshake - shown by tcpdump

20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 1015223232 0> (DF) (ttl 64, id 13382, len 60)      <no ack!>
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <nop,nop,timestamp 693175946 1015223232,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . ack 1 win 33304 <nop,nop,timestamp 1015223234 693175946> (DF) (ttl 64, id 13383, len 52)
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: P 1:62(61) ack 1 win 33304 <nop,nop,timestamp 693175953 1015223234> (DF) (ttl 52, id 16742, len 113)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: P [bad tcp cksum 24f8!] 1:23(22) ack 62 win 33304 <nop,nop,timestamp 1015223234 693175953> (DF) (ttl 64, id 13384, len 74)

The SYN carries no ack. The SYN-ACK acknowledges 2818212181 = client ISN + 1 (the SYN itself consumes one sequence number); once tcpdump has seen both SYNs it prints sequence and ack numbers relative to the ISNs, which is why the third segment shows "ack 1" and the server's 61-byte banner is "1:62". The "bad tcp cksum" on the segments sent by 192.168.1.132 is what a capture taken on the sending host typically shows when the NIC does TCP checksum offload: the checksum is filled in after tcpdump sees the packet.

TCP Finish Handshake - shown by tcpdump

20:44:01 204.127.198.27.25 > 192.168.1.132.49194: P 2425:2467(42) ack 3889 win 33304 <nop,nop,timestamp 693176146 1015223238> (DF) (ttl 52, id 16760, len 94)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 <nop,nop,timestamp 1015223238 693176146> (DF) (ttl 64, id 13402, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: . [tcp sum ok] ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16761, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16762, len 52)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: . [bad tcp cksum 2c51!] ack 2468 win 33304 <nop,nop,timestamp 1015223238 693176152> (DF) (ttl 64, id 13403, len 52)

Like a SYN, each FIN consumes one sequence number: the client's FIN at 3889 is acknowledged with "ack 3890", and the server's FIN at 2467 with "ack 2468". The numbers are still relative to the ISNs from the connect handshake.