Transcript lecture14

The Transmission Control
Protocol (TCP)
• TCP is a protocol that specifies:
– How to distinguish among multiple destinations on a
given machine
– How to initiate and terminate a stream transfer
– Format of the data and acknowledgments that two
computers exchange to achieve a reliable transfer
– Procedures the computers use to ensure that the data
arrives correctly
Establishing a TCP Connection
• The 3-way handshake
– Guarantee that both sides are ready for connection
– Allows both sides to agree on initial sequence numbers
Site 1
Network
Site 2
Send SYN seq=x
Receive SYN&ACK
Receive SYN
Send SYN seq=y,
ACK x+1
Send ACK y+1
Receive ACK
SYN Flood
• After the second message has been sent but before
the third message has been received the
connection is “half opened”
– Most hosts store these half-opened connections in a
fixed-size table while they await the third message
– Half-opened connections are timed out after after half a
minute or so
SYN Flood (cont)
• Attacker attempts to:
– Fill up the half-opened connection table
• Attacker sends the victim machine a large number of SYN segments
with spoofed source addresses (to nonexistent or unreachable hosts)
• Produces a large number of half-opened connections at the victim’s
machine that will never become fully open
• The half-opened connection table fills and no new connections can be
accepted until space is available
– Keep it full
• Continue sending SYN segments to replace half-open connections as
they time out
• Result: the victim host cannot accept any other, legitimate
attempts to open a connection
Land
• Attack tool exploits a vulnerability in certain TCP
implementations
• Attacker creates an invalid TCP SYN segment:
– Spoofed source address is identical to the destination
address
– Source port is identical to the destination port
• Causes some TCP implementations to freeze or
crash
• Fixed with software patches
Tribe Flood Network (TFN)
• Distributed denial of service attack tool
– Newer versions have been developed (TFN2K, TFN3K,
Stacheldraht)
– Used in February, 2000 to attack several major e-commerce sites
on the Web
• Similar to trinoo:
– Daemon programs: listen for and execute commands from a master
– Master programs
• Control a number of daemons
• Communicate with an attacker and pass his/her commands on to
daemons
TFN (cont)
• “Improvements” over trinoo:
– Random protocol (TCP, UDP, or ICMP) for
communication between master and daemons
– Can send out “decoy” packets to random IP addresses
to obscure the true target of the attack
– Daemons spoof the source IP address in the attack
packets they send
– Daemons can attack multiple targets
– Wider variety of attacks
TFN (cont)
• Daemon attack strategies:
–
–
–
–
–
UDP flood (like with trinoo)
TCP SYN flood
ICMP ping flood
ICMP directed broadcast flood (smurf)
All of the above
Attacks Against Initial Sequence Numbers
• Recall: the 3-way handshake allows two
communicating parties to agree on Initial
Sequence Numbers (ISNs)
• What if the ISN can be guessed by a third-party?
Attacks Against ISNs (cont)
• If the ISN of an existing or future TCP connection
can be determined an attacker may be able to:
– Complete a 3-way handshake using a spoofed source IP
address
– Close an ongoing connection
– Hijack an ongoing connection
Scans and Probes
• Attackers typically engage in a variety of reconnaissance
activities before attacking:
– To identify important/interesting hosts
– To identify potential vulnerabilities that could be exploited
• A port scanner is a program that tries to determine which
ports have programs listening on them
• Example:
– Attempts to open a TCP connection to each port in order
– If a connection is made then immediately close it and record the
fact that the port is open
– If the connection fails then the port is closed
Port Scanning (cont)
• Using fully-open connections to scan is likely to draw a lot
of attention to the scan
– Most hosts log:
• Each attempt to connect to a closed port
• Each time a newly-opened connection is closed with little or no data
having been sent
• Clandestine scanning methods:
– SYN scan:
• A SYN segment is sent to each port and any port that responds with a
SYN+ACK segment is opened
• Instead of completing the handshake, a RST (reset) segment is sent to
close the connection before it is fully opened
• Some hosts do not log half-opened connections
Closing a TCP Connection
• Applications should close a connection when they have no
more data to transmit
• Connection can be closed in either one or both directions
–
–
–
–
–
–
–
–
Site 1 finishes transmitting data and waits for ACK from site 2
Site 1 transmits a segment with the FIN bit set
Site 2 acknowledges the FIN segment
Site 2 notifies the application that no more data is coming
Data can still be transmitted from site 2 to site 1
Site 1 will still receive and acknowledge data from site 2
Eventually, site 2 will finish transmitting and close its connection
Both endpoints delete record of the connection
Closing a TCP Connection (cont)
Site 1
Network
Site 2
(app closes connection)
Send FIN seq=x
Receive FIN
Send ACK x+1
Receive ACK
(inform application)
(app closes connection)
Send FIN seq=y,
ACK x+1
Receive FIN&ACK
Send ACK y+1
Receive ACK
TCP Connection Reset
• Applications normally close connections
• Sometimes abnormal conditions arise that break a
connection
• Broken connections can be reset:
–
–
–
–
–
Site 1 sends a segment with the RST bit set
Site 2 receives segment and aborts the connection
Transfers in both directions cease immediately
Resources for the connection are released
Applications programs are informed
Forcing Data Delivery
• TCP divides the stream of octets into segments for
transmission
• This improves efficiency since octets can be
buffered until a good-sized segment can be sent
• TCP provides a push operation for applications
that want to force delivery of octets
– Set PSH bit
– Send segment
Reserved TCP Port Numbers
• Like UDP:
– Static port bindings for commonly used services
• Ports 0-1024 are reserved
– Dynamic port bindings
• Port numbers over 1024
• Port numbers for services accessible by both UDP
and TCP usually match
– ECHO (7)
– TIME (37)
Reserved TCP Port Numbers
TCP Performance
• Silly Window Syndrome
– Sender generates data quickly
– Receiver reads incoming data one octet at a time
Sender
Receiver
TCP Performance (cont)
• Silly Window Syndrome
– Each ACK advertises a small amount of space
– Each segment carries a small amount of data
• Problems:
– Poor use of network bandwidth
– Unnecessary computational overhead
TCP Performance (cont)
• Avoiding Silly Window Syndrome
– Use heuristics at sender to avoid transmitting a small
amount of data in each segment
– Use heuristics at receiver to avoid sending small
window advisements
• Receive-side silly window avoidance
– Monitor receive window size
– Delay advertising an increase until a “significant”
increase is possible
• “Significant” = min(half the window, maximum segment size)
Receive-Side Silly Window
Avoidance Example
Receive 6 octets, send ACK 7 with window advisement of 0
Application reads one octet
Application reads one octet
Application reads one octet
Send window advisement of 3, receive 3 octets
Receive-Side Silly
Window Avoidance
• Two approaches:
– Receiver can ACK received octets but does not
advertise an increase in its window until the increase is
significant
– Receiver can not send ACKs when the window is not
large enough to advertise
• Advantages/disadvantages?
Send-Side Silly
Window Avoidance
• Goal: avoid sending small segments
• Application can generate data in small blocks
• TCP must collect data sent by application into a
single large segment (clump) for transmission
• TCP must delay sending a segment until it
contains a reasonable amount of data
• How long should TCP wait before transmitting
data?
Send-Side Silly Window
Avoidance (cont)
• The Nagle Algorithm:
– Application generates data to be sent over a connection
that has already transmitted some data
• If all previous transmissions have been acknowledged send the
data immediately
• If any ACKs are still pending do not transmit until:
– Maximum segment size is reached, or
– An ACK arrives
• Self-clocking - does not compute delays
• Applies even if the application requests a push
TCP Summary
• Provides reliable stream delivery service
– Full duplex
– Out-of-band for urgent data
• Makes efficient use of the network
– Piggybacking
– Sliding windows
• Efficiency
• End-to-end flow control
– Acknowledgment and retransmission
– Congestion recovery/avoidance