TCP/IP Internetworking-1

Download Report

Transcript TCP/IP Internetworking-1 

TCP/IP Internetworking
(February 4, 2015)
© Abdou Illia – Spring 2015
1
Security Goals
 Main security goals:
Confidentiality of communications and
proprietary information
Integrity of corporate data
Availability of network services and
resources
CIA

Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also
validating that both parties involved are who they claim to be.

Non-repudiation: Ensuring that one party of a transaction cannot deny having received a transaction nor
can the other party deny having sent a transaction.
2
TCP/IP and Security Goals
 Understanding TCP/IP helps understand:

Technical aspects of systems attacks like:
 Attack Messages’ structure
 Attack Messages’ content
 What makes attack messages dangerous

How defense tools are designed and configured to
meet security goals.
3
The TCP/IP (or Internet) Model
Internet
Application layer
Transport layer
Network layer
Interface layer
Data Link
Physical
 4 or 5 layers
 Interface layer – represents
network adapters, modems,
etc.
 Network layer – responsible of
identifying sender/receiver
 Transport layer – deals with
managing data transport
issues
 Application layer – represents
user’s interface/ network
applications
4
Protocols Used in TCP/IP
Layers
Applications/Protocols
Application
 Webservice: HTTP
 E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post
Office Protocol), IMAP (Internet Message Access
Protocol)
 Telnet applications: Terminal Emulation Protocol
 File transfer: FTP
Transport
 TCP (Transmission Control Protocol).
 Required in webservice when HTTP is used
 Required in Mailservice when SMTP is used. SMTP
messages are encapsulated in TCP segments
 Connection-oriented: Establishes and maintains connections
before sending. Close connections after transmission. Correct
errors in TCP segments.
 UDP (User Datagram Protocol)
 Connectionless: Don’t open connection. Simply sends.
Discards incorrect UDP datagrams (no retransmission)
Network
 IP (Internet Protocol)
Interface
 PPP (Point-to-Point Protocol)
 V.90 for 56 Kbps modems
5
Layered Communications:
Encapsulation – De-encapsulation
 Application programs on different computers cannot
communicate directly


There is no direct connection between them!
They need to use an indirect communication system
called layered communications or layer cooperation
Browser
HTTP Request
Web App
Trans
Trans
Int
Int
DL
DL
Phy
User PC
Phy
Webserver
6
Layer Cooperation on the User PC
 Encapsulation on the sending machine

Embedding message received from upper layer in
HTTP
a new message
request
Encapsulation of HTTP
request in data field of
a TCP segment
Application
HTTP req.
Transport
HTTP req.
TCP-H
Internet
HTTP req.
TCP-H IP-H
HTTP req.
TCP-H IP-H PPP-H
Data Link
PPP-T
TCP
segment
IP Packet
Frame
7
User PC
Physical
Layer Cooperation on the Web server
 De-encapsulation

Frame
Other layers pass successive data fields (containing next-lower
layer messages) up to the next-higher layer
HTTP
request
HTTP req.
TCP
segment
HTTP req.
TCP-H
IP Packet
HTTP req.
TCP-H IP-H
PPP-T
HTTP req.
TCP-H IP-H PPP-H
Application
Transmission media
Transport
Internet
Data Link
Webserver
8
IP Packet
Bit 0
0100
IP Version 4 Packet
Header
Version
Length
(4 bits)
(4 bits)
QoS
(8 bits)
Bit 31
Total Length
(16 bits)
Identification (16 bits)
Flags
Time To Live
Protocol (8 bits)
1=ICMP, 6=TCP,17=UDP
(8 bits)
Fragment Offset (13 bits)
Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any)
Padding
Data Field
 QoS: Also called Type of Service, indicates the priority level the packet should have
 Identification tag: to help reconstruct the packet from several fragments
 Flags: indicates whether packet could be fragmented or not (DF: Don't fragment), indicates whether
more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
 Fragment offset: identify which fragment this packet is attached to
 TTL: Indicates maximum number of hops (or routers) the packet could pass before a hop discards it.
 Header checksum: to check for errors in the headers only
9
Summary Questions (Part 1)
 What is the main version of the Internet
Protocol in use today? What is the other
version?
 What does a router do with an IP packet if it
decrements its TTL value to zero?
 Assume that a router received an IP packet
with the Protocol in header set to 6. What
Transport layer protocol is used in the
message: TCP, UDP, or ICMP?
10
IP Fragmentation
Subnet
1
Subnet
2
 When a packet arrives at a router, the router selects the port and
subnet to forward the packet to
 If packet too large for the subnet to handle, router fragments the
packet; ie.


Divides packet’s data field into fragments
Gives each fragment same Identification tag value, i.e. the
Identification tag of original packet
 First fragment is given Fragment Offset value of 0
 Subsequent fragments get Fragment Offset values consistent with their
data’s place in original packet
 Last fragment’s Flag is set to “No More Fragments”

Destination host reassemble fragments based on the offsets.
Identification (16 bits)
Flags
Fragment Offset (13 bits)
11
Firewalls and Fragmented IP Packet
 Fragmentation makes it hard for firewalls to filter individual packets

TCP or UDP header appears only in the first fragment
 Firewall might drop the first fragment, but not subsequent fragments
 Some firewalls drop all fragmented packets
Router
2. Second
Fragment
4. TCP Data
IP
Field
Header
Attacker
1.34.150.37
No
TCP Header
1. First
Fragment
TCP Data
Field
IP
Header
3. TCP Header
Only in First
Fragment
5. Firewall
60.168.47.47
Can Only
Filter TCP
Header in
First Fragment
12
TCP Segment
Bit 0
Bit 31
Source Port Number (16 bits)
Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header
Length
(4 bits)
Reserved
(6 bits)
Flag Fields:
ACK, SYN,…
(6 bits)
TCP Checksum (16 bits)
Window Size
(16 bits)
Urgent Pointer (16 bits)
Data
 Port number: identifies sending and receiving application programs.
 Sequence number: Identifies segment’s place in the sequence. Allows receiving
Transport layer to put arriving TCP segments in order.
 Acknowledgement number: identifies which segment is being acknowledged
 Flag fields: Six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0
(off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization. 13
Q: If the ACK flag is set to 1, what other field must also be set to allow the receiver know what TCP segment is being acknowledged?
TCP and use of Flags
Flag Fields
(6 bits)
URG ACK
SYN FIN RST
PSH
 TCP is a connection-oriented protocol



Sender and receiver need to establish connection
Sender and receiver need to agree to “talk”
Flags are used for establishing connection



Sender requests connection opening: SYN flag set to 1
If receiver is ready to “talk”, it responds by a SYN/ACK segment
Sender acknowledges the acknowledgment
If sender does not get ACK, it resends the segment
PC
Webserver
Transport Process
Transport Process
1. SYN (Open)

2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)
3-way
Handshake
Note: With connectionless protocols like UDP, there is no flags. Messages are
just sent. If part of sent messages not received, there is no retransmission.
14
Communication during a normal TCP
Session
FIGURE A-15:
Q1: How many segments are sent
in a normal TCP communication
opening? ____
Q2: How many segments are sent
in a normal TCP communication
closing? ____
Note: At any time, either
process can send a TCP RST
(reset) segment with RST bit
set to 1 to drop the connection
(i.e. to abruptly end the
connection).
15
SYN/ACK Probing Attack
1. Probe
60.168.47.47
2. No SYN (Open):
Makes No Sense!
SYN/ACK Segment
IP Hdr RST Segment
Attacker
1.34.150.37
5.
60.168.47.47
is Live!
4. Source IP
Addr=
60.168.47.47
Victim
60.168.47.47
3. Go Away!
 Sending SYN/ACK segments helps attackers locate “live” targets
 Older Windows OS could crash when they receive a SYN/ACK probe
16
Source Port Number (16 bits)
Destination Port Number (16 bits)
TCP and use of Port numbers
 Port Number identify applications
 Well-known ports (0-1023): used by major server
applications for providing network services.


HTTP web service=80, Telnet=23, FTP=21, SMTP email =25
Registered ports (1024-49151): Used by client and
server applications. Developer must register # with IANA

Ephemeral/dynamic/private ports (49152-65535)
Can’t be registered with IANA. For custom/temporary purpose.
Web server applications
www:80 FTP:21 SMTP:25
Operating System
Socket notation:
IP address:Port #
Computer hardware
RAM chip
HD
Processor
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Dynamic.2C_private_or_ephemeral_ports
17
Summary Questions (Part 2)
 A host sends a TCP segment with source port
number 25 and destination port number
49562.
1)
2)
3)
Is the source host a server or a client? Why?
If the host is a server, what kind of service
does it provide?
Is the destination host a server or a client ?
Why?
18
TCP and Port spoofing
 Attackers set their application to use well-known port despite not being
the service associated with the port
 Most companies set their firewall to accept packet to and from port 80
 Attackers set their client program to use well-know port 80
19
Summary Questions (Part 4)
1. What is IP Fragmentation? Does IP fragmentation
make it easier for firewall to filter incoming packets?
Why?
2. What is SYN/ACK probing attack?
3. What kind of port numbers do major server
applications, such as email service, use?
4. What kind of port numbers do client applications
usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to
being scanned, exploited, or attacked?
20