Slides 11 - Fun with TCP/IP
Office: Klaus 3362, phone 404 894-5177, fax 404 894-0035 (email or call for an office visit)
4/15/2013
[Figure: Ethernet and IP header layouts, big-endian, laid out by bytes 0-3, 4-7, 8-11, 12-13 (bit 31 is the LSB). The Ethernet type field names the next-level protocol header: 0x0800 -> IP, 0x0806 -> ARP. The IP header's Protocol field names the next protocol carried above IP.]
Fragmented Packet
A data packet arriving from a Token Ring (larger MTU) carries a TCP header (20 bytes) plus application header and data (3300 bytes): 3320 bytes of IP payload, which must be split into fragments that fit Ethernet frames. Each fragment gets its own IP header (20 bytes); only the first fragment carries the TCP header. The fragment offset is written in the IP header in units of 8 bytes (offset 1280 bytes = field value 160).
  Fragment 1: Ethernet hdr (14 bytes) | IP hdr (20 bytes, MF=1, offset 0)    | TCP hdr (20 bytes) + 1260 bytes of app. hdr & data
  Fragment 2: Ethernet hdr (14 bytes) | IP hdr (20 bytes, MF=1, offset 1280) | 1280 bytes, more data
  Fragment 3: Ethernet hdr (14 bytes) | IP hdr (20 bytes, MF=0, offset 2560) | 760 bytes, last data
Total IP payload: (20 + 1260) + 1280 + 760 = 3320 bytes = TCP header + 3300 bytes of application header and data.
Ping of Death
A single fragment with MF=1 and offset 65,500 (the offset field counts 8-byte units, so the largest encodable offset is 8191 x 8 = 65,528) carrying 1000 bytes of data ends beyond 65,535, the largest IP datagram size. Fragments are assembled in a buffer in memory; the receiving stack reserves a 65,535-byte packet buffer, and the Ping of Death fragment overflows it, corrupting the next buffer and crashing older versions of Windows. Ping was used because "ping -s 66500" used to work: the sending kernel fragmented the oversized datagram for you. fragrouter is a network utility that generates bad fragments.
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)   Very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)    Very small, isolated fragment
Note the close times and different source and destination IPs.

tcpdump fragment notation, e.g. 43660:64@0+ : ID : data length (without IP header) @ offset in bytes (the header field itself stores offset/8); + means the More Fragments bit is set.

Wireshark display filters: ip.fragment, and ip.fragment.X where X is one of count==[number], error, overlap, overlap.conflict, multipletails, toolongfragment.
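The fragmentation slide, the Ping of Death slide and the tcpdump/Wireshark notes above describe the same mechanism from three sides. The block below is an added example, not code from the slides: it builds the slide's three-fragment split of a 3320-byte TCP segment, prints each fragment in tcpdump's id:len@offset+ form, reassembles it, and rejects the two malformed cases the page discusses (a fragment ending past the 65,535-byte buffer, and overlapping fragments). The packets, addresses and fragment ID 43660 are constructed for illustration; the IP header builder fills only the fields needed here and leaves the checksum at 0.

```python
"""IPv4 fragmentation, reassembly and malformed-fragment checks.
Added example for these slides; constructed packets, not captured traffic.
The IP header builder fills only the fields needed here (checksum left 0)."""
import socket
import struct

IP_MAX = 65535      # largest IPv4 datagram = size of the reassembly buffer
MF = 0x2000         # More Fragments bit in the 16-bit flags/offset field


def build_ipv4(ident, offset_bytes, more, payload, proto=6,
               src="10.0.0.1", dst="10.0.0.2"):
    """20-byte IPv4 header (big-endian) followed by payload.
    offset_bytes must be a multiple of 8: the header stores offset // 8."""
    assert offset_bytes % 8 == 0 and offset_bytes // 8 <= 0x1FFF
    frag_field = (MF if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag_field, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return (ident, offset_bytes, more_fragments, data) from one datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    return ident, (frag_field & 0x1FFF) * 8, bool(frag_field & MF), pkt[ihl:total_len]


def fragment(ident, payload, frag_size=1280, **kw):
    """Split an IP payload the way a router does for a smaller-MTU link."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        frags.append(build_ipv4(ident, off, off + len(chunk) < len(payload), chunk, **kw))
    return frags


def tcpdump_notation(pkt):
    """tcpdump's  id:len@offset+  form (offset in bytes, + = MF set)."""
    ident, off, more, data = parse_ipv4(pkt)
    return f"{ident}:{len(data)}@{off}{'+' if more else ''}"


def check_fragments(frags):
    """Problems a reassembler must refuse: a fragment ending past the 65,535-byte
    buffer (Ping of Death; Wireshark ip.fragment.toolongfragment) and fragments
    that overlap earlier ones (Teardrop; Wireshark ip.fragment.overlap)."""
    problems, seen = [], []
    for pkt in frags:
        _, off, _, data = parse_ipv4(pkt)
        end = off + len(data)
        if end > IP_MAX:
            problems.append(f"{tcpdump_notation(pkt)}: ends at {end} > {IP_MAX} (ping of death)")
        for s, e in seen:
            if off < e and s < end:
                problems.append(f"{tcpdump_notation(pkt)}: overlaps [{s}, {e}) (teardrop)")
        seen.append((off, end))
    return problems


def reassemble(frags):
    """Rebuild the original payload from fragments arriving in any order."""
    if check_fragments(frags):
        raise ValueError("refusing malformed fragment set")
    buf, complete = bytearray(), False
    for pkt in sorted(frags, key=lambda p: parse_ipv4(p)[1]):
        _, off, more, data = parse_ipv4(pkt)
        if off != len(buf):
            raise ValueError(f"gap before offset {off}")
        buf += data
        complete = not more
    if not complete:
        raise ValueError("last fragment (MF=0) missing")
    return bytes(buf)


# Constructed input matching the slide: 20-byte TCP header + 3300 bytes of data,
# cut into 1280-byte fragments for an Ethernet link.
DEMO_PAYLOAD = bytes(20) + b"A" * 3300
DEMO_FRAGS = fragment(43660, DEMO_PAYLOAD)
# Ping of Death: 1000 bytes placed at the largest offset the header can encode.
POD_FRAG = build_ipv4(1, 8191 * 8, False, b"X" * 1000, proto=1)
# Teardrop: the second fragment starts inside the first one.
TEARDROP = [build_ipv4(2, 0, True, b"B" * 24), build_ipv4(2, 16, False, b"C" * 24)]

if __name__ == "__main__":
    for f in DEMO_FRAGS:
        print(tcpdump_notation(f))
    print(len(reassemble(DEMO_FRAGS)), "bytes reassembled")
    print(check_fragments([POD_FRAG]) + check_fragments(TEARDROP))
```

The tiny isolated fragments in the tcpdump lines above (20 bytes at offset 16384 with no other fragments of that ID) would make reassemble() raise on the gap before offset 16384; a production reassembler instead holds such fragments on a timer, which is exactly the memory-exhaustion angle fragrouter-style tools exploit.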
Protocols over IP (value of the IP Protocol field)
  TCP       6
  OSPF      89
  RSVP      46
  IPsec ESP 50
ARP (EtherType 0x0806) is not carried over IP; it sits beside IP directly above Ethernet.
UDP Header (big-endian)
[Figure: UDP header layout]

ICMP Header (big-endian, bit 31 is the LSB)
  Bytes 0-3: Type (8 bits), Code (8 bits), Checksum (16 bits)
  Bytes 4-7: Identifier (16 bits), Sequence Number (16 bits)
  Bytes 8- : Optional Data

Type field:
  0  - Echo Reply (Code = 0)
  3  - Destination Unreachable
  5  - Redirect (change route)
  8  - Echo Request (ping)
  11 - Time Exceeded (used by traceroute)

Type 3 codes:
  0  - Network Unreachable
  1  - Host Unreachable
  3  - Port Unreachable (acts as a "UDP reset"; the original IP header and the first bytes of the offending datagram are returned in the ICMP data)
  7  - Destination Host Unknown
  12 - Host Unreachable for Type of Service
Smurf Attack
The attacker (23.45.67.89) sends an ICMP Echo Request (ping) to a broadcast address (222.45.6.255) with the source address spoofed to the victim (130.207.225.23). Every host on that network answers with an ICMP Echo Reply to 130.207.225.23, so the victim receives one reply per host for every packet the attacker sent.
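The ICMP header slide and the Smurf slide above are served by one added example (not code from the slides): it encodes and decodes the 8-byte ICMP header with a correct Internet checksum, names types and codes using the lists above, and then scans a constructed list of (source, destination, ICMP bytes) records for the Smurf signature: Echo Replies from many distinct hosts converging on a destination that never sent a request. The addresses are the ones on the slide; the traffic records and threshold (min_sources=20) are constructed assumptions.

```python
"""ICMP encode/decode plus a Smurf-pattern check.
Added example for these slides; the packets and the (src, dst, icmp) records
are constructed here, not captured traffic."""
import struct
from collections import defaultdict

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                 3: "Port Unreachable", 7: "Destination Host Unknown",
                 12: "Host Unreachable for Type of Service"}


def inet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code=0, ident=0, seq=0, data=b""):
    """8-byte ICMP header (big-endian) with the checksum filled in."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data


def parse_icmp(pkt):
    """Decode type/code/identifier/sequence; checksum_ok means the one's-
    complement sum over the whole message (checksum field included) is 0."""
    t, c, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    name = ICMP_TYPES.get(t, f"type {t}")
    if t == 3:
        name += " / " + UNREACH_CODES.get(c, f"code {c}")
    return {"type": t, "code": c, "name": name, "ident": ident, "seq": seq,
            "checksum_ok": inet_checksum(pkt) == 0, "data": pkt[8:]}


def smurf_suspects(records, min_sources=20):
    """records: iterable of (src_ip, dst_ip, icmp_bytes).
    A Smurf victim receives Echo Replies from many distinct hosts it never
    pinged; report destinations with >= min_sources distinct repliers."""
    repliers = defaultdict(set)
    for src, dst, pkt in records:
        if parse_icmp(pkt)["type"] == 0:
            repliers[dst].add(src)
    return {d: len(s) for d, s in repliers.items() if len(s) >= min_sources}


# Constructed traffic: the attacker's spoofed request to the broadcast address
# draws one reply per host on 222.45.6.0/24, all aimed at the victim, next to
# a little ordinary ping traffic to another host.
VICTIM = "130.207.225.23"
REQUEST = build_icmp(8, ident=0x1234, seq=1, data=b"smurf")
SMURF_RECORDS = [(f"222.45.6.{h}", VICTIM,
                  build_icmp(0, ident=0x1234, seq=1, data=b"smurf"))
                 for h in range(1, 51)]
SMURF_RECORDS += [(f"10.0.0.{h}", "10.0.0.5", build_icmp(0, ident=7, seq=h))
                  for h in (1, 2, 3)]

if __name__ == "__main__":
    print(parse_icmp(REQUEST)["name"], parse_icmp(REQUEST)["checksum_ok"])
    print(parse_icmp(build_icmp(3, 3))["name"])
    print(smurf_suspects(SMURF_RECORDS))
```

On a real sensor the same logic runs per time window and also checks that the replies' identifier/sequence pairs match no Echo Request the destination actually sent; both refinements are left out here to keep the pattern visible.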
TCP Flags: U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin)

[Figure: TCP three-way handshake between Client and Server; connection abort between Host A and Host B with Reset, or Reset + Ack]

Flag combinations (Reset, Fin, Syn, Ack) and whether they are legal:

  R F S A   Comment
  0 0 0 1   OK
  0 0 1 0   1st Packet (SYN)
  0 0 1 1   2nd Packet (SYN-ACK)
  0 1 0 0   Needs Ack
  0 1 0 1   OK
  0 1 1 0   Illegal
  0 1 1 1   Illegal
  1 0 0 0   Needs Ack
  1 0 0 1   OK
  1 0 1 0   Illegal
  1 0 1 1   Illegal
  1 1 0 0   Illegal
  1 1 0 1   Illegal
  1 1 1 0   Illegal
  1 1 1 1   Illegal
DoS Exploits using TCP Packets
Land - source address = destination address. Crashes some printers, routers, Windows and UNIX systems.
Teardrop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - any garbage data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
Blue Screen of Death - set the Urgent flag with Urgent Offset Pointer = 3. Older Windows OSes would crash.
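The flag table and the single-packet DoS list above both reduce to checks on one TCP header plus the IP addresses that carried it. The block below is an added example, not code from the slides: it parses the 20-byte TCP header, applies the slide's R/F/S/A legality table (the all-zero "null" combination, absent from the table, is reported separately), and raises alerts for Land (source = destination) and for urgent data aimed at port 139 or carrying urgent pointer 3. The segments and addresses are constructed; Winnuke is modelled as URG-flagged data to port 139, which is how the original tool delivered its garbage.

```python
"""TCP flag legality (the slide's R/F/S/A table) and single-packet DoS
signatures (Land, WinNuke, URG pointer). Added example for these slides;
segments are constructed, and the IP addresses are passed in as arguments."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Verdict from the slide's table for the R, F, S, A bits (U and P ignored)."""
    r, f, s, a = bool(flags & RST), bool(flags & FIN), bool(flags & SYN), bool(flags & ACK)
    if r and (f or s):
        return "Illegal"                      # RST never travels with SYN or FIN
    if f and s:
        return "Illegal"                      # SYN and FIN together
    if r or f:
        return "OK" if a else "Needs Ack"     # RST/FIN should carry ACK
    if s:
        return "2nd Packet" if a else "1st Packet"   # SYN-ACK / SYN
    return "OK" if a else "Null (not in table)"      # ACK only / no flags at all


def build_tcp(sport, dport, flags, seq=0, ack=0, urg_ptr=0, payload=b""):
    """20-byte TCP header (big-endian, no options, checksum left 0) + payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                       8192, 0, urg_ptr) + payload


def parse_tcp(seg):
    sport, dport, seq, ack, off_flags, win, _, urg_ptr = struct.unpack("!HHIIHHHH", seg[:20])
    hdr_len = (off_flags >> 12) * 4            # data offset is in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": win, "urg_ptr": urg_ptr,
            "payload": seg[hdr_len:]}


def inspect(src_ip, dst_ip, seg):
    """Alerts for one TCP segment, given the IP addresses that carried it."""
    tcp = parse_tcp(seg)
    alerts = []
    verdict = classify_flags(tcp["flags"])
    if verdict != "OK" and not verdict.endswith("Packet"):
        alerts.append(f"flags 0x{tcp['flags']:02x}: {verdict}")
    if src_ip == dst_ip:
        alerts.append("Land: source address equals destination address")
    if tcp["flags"] & URG:
        if tcp["dport"] == 139 and tcp["payload"]:
            alerts.append("WinNuke: urgent (out-of-band) data to TCP port 139")
        if tcp["urg_ptr"] == 3:
            alerts.append("URG set with urgent pointer = 3")
    return alerts


# Constructed segments exercising each case.
SAMPLES = {
    "handshake syn": ("1.1.1.1", "2.2.2.2", build_tcp(40000, 80, SYN, seq=1)),
    "syn-fin scan":  ("1.1.1.1", "2.2.2.2", build_tcp(40000, 80, SYN | FIN)),
    "land":          ("2.2.2.2", "2.2.2.2", build_tcp(139, 139, SYN)),
    "winnuke":       ("1.1.1.1", "2.2.2.2",
                      build_tcp(40000, 139, PSH | ACK | URG, urg_ptr=3, payload=b"garbage")),
}

if __name__ == "__main__":
    for name, (s, d, seg) in SAMPLES.items():
        print(f"{name:14s} {classify_flags(parse_tcp(seg)['flags']):10s} {inspect(s, d, seg)}")
```

Note that the Land segment carries a perfectly legal SYN: the flag table alone never catches it, which is why the address comparison has to live in the same check.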
TCP Hijacking by Sequence Number Prediction
[Figure: (0) established TCP connection between Bob and Alice; (3) the attacker hijacks the TCP connection by using the correct sequence number]
Off-LAN attack (the attacker cannot sniff) to get past a host-based firewall that trusts Alice's address:
1. Open several TCP connections to Bob to predict Bob's next sequence number.
2. DoS Alice so it will not send a TCP Reset in response to Bob's SYN-ACK.
3. Send Bob a SYN from Alice's IP, then an ACK based on Bob's predicted sequence number.
4. Send the exploit to Bob (assume all packets are received OK and acked).