CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security TCP/IP

CSC 382: Computer Security Slide #1

CSC 382: Computer Security

TCP/IP


Topics

1. TCP/IP Layering

2. Encapsulation

3. Internet Addresses

4. Link Layer Protocols

5. IP

6. Routing

7. TCP and UDP

8. Application Layer Protocols


Network Example

A1 A2 A3

B1 B2 B3

Router External Router


TCP/IP Layering

Application

Transport

Network

Data Link

Physical

HTTP, FTP, telnet

TCP, UDP

IP, ICMP, IGMP

PPP, 802.11

Ethernet


TCP/IP Layers

1. Physical– NIC, cabling, electrical signaling.

2. Data Link– Single hop transport of packets.– Wired protocols (ethernet, FDDI, PPP)– Wireless protocols (802.11)

3. Network– End to end delivery of packets.– IP: Internet Protocol


TCP/IP Layers

4. Transport– Flow of data between two hosts for

application layer.– TCP: reliable data flow with

acknowledgements, retransmission, and timeouts.

– UDP: simpler service with no guarantees.

5. Application– Protocols for particular applications.– ex: FTP, HTTP, SMTP


Encapsulation/De-multiplexing

Sending: data sent down protocol stack– Each layer prepends a header to data– Ethernet frame sent as bit stream across wire

Receiving: data moves up protocol stack– NIC moves bits into memory as ethernet frame– Each layer removes its header from packet


Encapsulation


De-multiplexing


TCP/IP Security

TCP/IP has no built-in strong security.– No confidentiality features.– Minimal availability features (ToS options).– Insecure CRC checksums for integrity.– IPsec protocol extension adds security.


Data Link Layer

IEEE Standards– Ethernet (802.3)– Token Ring (802.5)– Wireless (802.11)

Serial Protocols– SLIP and CSLIP– PPP


Hubs and Switches

Hubs– Broadcast packets received to all interfaces.

Switches– Associates MAC addresses with physical

interfaces.– Sends packets only to specified interface.– May have SPAN port for network monitoring.


Data Link Layer

Loopback– Looks like any other link layer device.– Full network processing is performed.– Sends packets to localhost for testing.

48-bit MAC address

Maximum Transmission Unit (MTU)– 1492 or 1500 bytes, depending on ethernet std


Promiscuous Mode

• All ethernet frames to or from any locally connected host are seen by all hosts.

• NIC normally filters out frames that are not addressed to its MAC address.

• In promiscuous mode, NIC processes all ethernet frames, not just ones addressed to it.– Requires administrative access on most OSes.


IP: Internet Protocol

Unreliable, connectionless datagram service– Packets may arrived damaged, out of order,

duplicated or not at all.– Transport/Application layers provide reliability.

IPv4 underlies Internet.– 32-bit addresses in dotted-quad: 10.17.0.90.– IPv6 is successor with 128-bit addresses.

Complexities: addressing, routing


IP Header


IP Header

Protocol version: IPv4

Header length: 5-60 32-bit words

Type of service (TOS):– 3-bit precedence (ignored today)– 4 TOS bits (min delay (telnet), max throughput

(ftp), max reliability, min monetary cost)– unused 0 bit


IP Header

Total length: length of IP datagram (bytes)– maximum size: 65535 bytes– large packets fragmented at data link layer.– small packets may be padded to minimum length.

TTL: upper limit on number of router hops.Protocol: which protocol supplied packet data.Header checksum: IP header checksum


IP Fragments

IP packets may be fragmented by routers for transmission across different media.– Max IP packet size: 65536– Max Ethernet packet size: 1500

IP headers contain fragment data:– Don’t Fragment Flag: 0=allowed, 1=don’t– More Fragments Flag: 0=last, 1=more fragments– Identification: identifies single packet for

reassembly.– Fragment Offset: where contents of fragment go.


Internet Addresses

32-bit IPv4 addresses– Dotted decimal notation: ii.jj.kk.ll

Divided into two parts– Network ID– Host ID– XOR address with netmask to get Network ID.

Network ID Host ID


Address ClassesClass A: 0.0.0.0-127.255.255.255

8-bit net ID, 24-bit host IDClass B: 128.0.0.0-191.255.255.255

16-bit net ID, 16-bit host IDClass C: 192.0.0.0-223.255.255.255

24-bit net ID, 8-bit host IDClass D: 224.0.0.0-239.255.255.255

28-bit multicast group IDClass E: 240.0.0.0-255.255.255.255

Reserved for future use


CIDR

Class addressing too inefficient– Still need to aggregate routes to limit routing table size.

Example:196.1.1.0/24– 24-bits of Net ID: 196.1.1

– Remaining 8-bits are host ID

Not limited to network class sizes– Example: 192.168.128.0/22

– 4 class C networks: 192.168.{128,129,130,131}.0


Network Address Translation

Local network uses IETF reserved addresses.– Non-routable: no router knows how to send packets to.– RFC 1918: 10.x.y.z, 192.168.y.z, 172.16.y.z

Gateway translates reserved addresses to unique, routable IP addresses.– NAT: Dynamic mapping to pool of routable IP addresses.

• 10.0.0.1 -> 4.2.3.5• 10.0.0.2 -> 4.2.3.6

– NAPT: Dynamic mapping to IP addresss/pool of src ports.• 10.0.0.1 -> 4.2.3.5:1• 10.0.0.2 -> 4.2.3.5:2


ARP: Address Resolution Protocol

MAC address determines packet destination.

How does network layer supply the link layer with a MAC address?

ARP: Address Resolution Protocol– Maps 32-bit IP addresses to 48-bit MAC addrs– Data link layer protocol above ethernet– RARP: Reverse ARP


ARP Example

sftp zappa.nku.edu

1. Obtains IP address via gethostbyname() 2. sftp asks TCP to connect to IP address3. TCP sends connection request to brahms using an IP

datagram4. Sending host emits ARP broadcast, asking for MAC

address of given IP address5. Destination host’s ARP layer receives broadcast, answers

with an ARP reply w/ IP->MAC mapping6. Sending host constructs ethernet frame with destination

MAC address containing IP datagram7. Sending host sends IP datagram


ARP Cacheat204m02 (10.1.0.90) > arp -a

Net to Media Table: IPv4Device IP Address Phys Addr ------ -------------------- ------------------hme0 at_elan.lc3net 00:00:a2:cb:28:5ehme0 10.1.0.79 00:e0:cf:00:0e:92hme0 at204m02 08:00:20:d8:e0:07hme0 10.1.7.103 00:90:27:b6:b5:e5hme0 10.1.0.139 00:e0:cf:00:15:bd


ARP Features

Proxy ARP– Router can answer ARP requests on network B

for a host on network A that doesn’t see broadcast.

Gratuitous ARP– Host sends ARP for own IP address at boot.– No reply should be received.– Network misconfiguration if reply received.


IP Connectivity

No Network– loopback only

Single LAN– direct connectivity to hosts

Single Router– Direct connectivity to local LAN– Other networks reachable through one router

Multiple Routes to Other Networks


IP Routing


Routing Table

Where to send an IP packet to?Use a table lookup: routing tableSearch Process:

1. Search for a matching host address.2. Search for a matching network address.3. Search for a default route.

No route to destination: Host or network unreachable error if search fails.


Routing Tableat204m02 (10.1.0.90) > netstat –rn

Routing Table: IPv4Destination Gateway Flags Ref Use Int------------- -------------------- ----- -----10.1.0.0 10.1.0.90 U 1 4977 hme0224.0.0.0 10.1.0.90 U 1 0 hme0default 10.1.0.1 UG 1 66480 127.0.0.1 127.0.0.1 UH 6 798905 lo0


Routing Table

Destination: final destination host/networkGateway: next host in route to destinationFlags

U: Route is upG: Route is to a gateway (router)H: Route destination is a host (not a network)D: Route created by a redirectM: Route modified by a redirect


Routing Table

10.1.0.0direct access to local subnet

224.0.0.0multicast route

defaultforward packets to router at IP 10.1.0.1

127.0.0.1loopback


IP RoutingManual (static) routes

Added with the route command.

ICMP redirects can alter routesRouter sends ICMP redirect when packet should’ve been

sent to another router.

Routing protocolsRouters exchange routes with each other using special

routing protocols.

Full internet router tables contain ~30,000 routes.

Source routingSender includes routing info in packet header.


ICMP (Internet Control Message Protocol)

Network layer protocol encapsulated in IP– Communicates error messages and exceptions.– Messages handled by either IP or TCP/UDP.

IP Header (20 bytes) ICMP Message

8-bit type 8-bit code 16-bit checksum

Contents (always

depend contains

on type and code

IP header + 8 data bytes)


ICMP Message TypesType 0: echo (ping) replyType 3: destination unreachableType 4: source quenchType 5: redirectType 8: echo (ping) requestType 9, 10: router advertisement, solicitationType 11: time (TTL) exceededType 12: parameter (header) problemType 13: timestampType 14: timestamp replyType 15, 16: information request, reply


UDP: User Datagram Protocol

Simple datagram transport layer protocol.Each application output generates one UDP

datagram, which produces one IP datagram.Trades reliability for speed

Sends datagrams directly to unreliable IP layer.

16-bit port numbersIdentify sending and receiving processes.

ApplicationsDNS, SNMP, TFTP, streaming audio/video


UDP Header


UDP Example: TFTP

Trivial File Transfer ProtocolNo authentication

TFTP Session:

sun16 > tftp at204m02tftp> get readme.txtReceived 1024 bytes in 0.2 seconds.tftp> quit


TFTP Packet Types

Packet types1) read a file (filename, ascii/binary)

2) write a file (filename, ascii/binary)

3) file data block

4) ACK

5) error


TFTP Packet Diagram


TFTP Session Traceat204m02 > snoop udp sun16 1 0.00000 sun16 -> at204m02 TFTP Read "2sun"

(netascii)

2 0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)

3 0.00136 sun16 -> at204m02 TFTP Ack block 1

4 0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)

5 0.00119 sun16 -> at204m02 TFTP Ack block 2


TFTP Security

Feature: no username/password requiredTFTP used for diskless hosts to boot.

How to protect /etc/passwd?Limit TFTP server filesystem access.

Generally only can access /tftpboot directory.


TCP: Transmission Control Protocol

Connection-orientedMust establish connection before sending data.

3-way handshake.

Reliable byte-streamTCP decides how to divide stream into packets.

ACK, timeout, retransmit, reordering.

16-bit source and destination ports.FTP(21), HTTP(80), POP(110), SMTP(25)


TCP Reliability1. Breaks data into best-sized chunks.2. After sending segment, maintains timer; if no

ACK within time limit, resends segment.3. Sends ACK on receipt of packets.4. Discards pkts on bad checkum of header and

data.5. Receiver resequences TCP segments so data

arrives in order sent.6. Receiver discards duplicate segments.7. Flow control: only sends as much data as

receiver can process.


TCP Header


TCP Header• Sequence Number: 32-bit segment identifier.• Acknowledgment: next sequence number

expected by sender of ACK– TCP is full duplex so both sides of connection

have own set of sequence numbers

• Header length: length of header in 32-bit words (20bytes default–60bytes w/ options)

• Window size: number of bytes receiver is willing to accept (flow control)


TCP Header Flags (Code Bits)

URG: urgent pointer is valid

ACK: acknowledgement number is valid

PSH: rcvr should pass data to app asap

RST: reset connection

SYN: synchronize sequence numbers to initiate a connection

FIN: sender is finished sending data


TCP Options

End of option list (kind=0)NOP (kind=1)

Used to pad fields to 32-bit boundary

Maximum Segment Size (MSS) (kind=2)Len=4 (length includes kind + len bytes)16-bit MSSDefault: 536 data + 20 TCP hdr + 20 IP hdr

Window Scale Factor (kind=3)Timestamp (kind=8)


TCP Connections

Establishment3-way handshake

Connection Trace

TerminationNormal Termination

Connection Trace

Reset


Connection Establishment Protocol

1. Requester (client) sends a SYN segment, specifying the port number of the server to which it wants to connect and the client’s initial sequence number (ISN).

2. Server responds with SYN segment containing server’s ISN. Server acknowledges client’s SYN by ACKing the client’s ISN+1.

3. Client acknowledges server SYN by ACKing server’s ISN+1.


TCP 3-way Handshake


Connection Establishment Test

at204m02> /usr/sbin/snoop sun09

at204m02> nc sun09 22SSH-1.99-OpenSSH_3.7.1p2^C

If no services running, start your own:at204m02> nc -l -p 8192


TCP Connection Trace

at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>

sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>

at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820


Connection Termination Protocol

As TCP is full duplex, each side must terminate half of the connection as follows:

Send FIN segment (active close)

Other side ACKs w/ FIN sequence number +1

Half-closed connectionsSide that sent FIN can still receive data.

Example: ssh fasthost sort < words.txt


TCP Disconnection


Connection Termination Test

at204m02> /usr/lib/sendmail -bdat204m02> /usr/sbin/snoop port 25sun09>nc at204m02 25

220 at204m02.lc3net ESMTP Sendmail 8.11.7+Sun/8.11.7; Mon, 29 Mar 2004 14:09:40 -0500 (EST)

quit


TCP Disconnection Trace at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820

sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820

sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820

at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820


TCP Reset

Connection Refused> telnet at204m02 8192Trying 10.1.0.90...telnet: Unable to connect to remote host: Connection refused

Packet Trace sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>

at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0


TCP Reset (cont.)

Connection AbortAny queued data is thrown away.

Other side is informed of abnormal close.

Packet Detail:One side sends RST.

Other side aborts connection.

There is no ACK sent in response.


Half-Open Connections

Connections where one side has aborted or closed connection w/o knowledge of other.– Client or server host has crashed.– DOS attack: requester sends SYN, doesn’t

respond to SYN+ACK.


Example List of TCP PortsTCP: IPv4 (netstat –na output)Local Addr Rmt Addr State---------- -------------------- *.111 *.* LISTEN *.32771 *.* LISTEN *.32772 *.* LISTEN *.32773 *.* LISTEN *.32774 *.* LISTEN *.4045 *.* LISTEN *.22 *.* LISTEN *.2049 *.* LISTEN *.515 *.* LISTEN *.80 *.* LISTEN *.6000 *.* LISTEN *.22 10.17.0.23.32827 ESTABLISHED *.2049 10.17.0.23.799 ESTABLISHED


TCP ServersLocal Address

*.80 means that it will accept connections on any network interface on TCP port 80.

Foreign Address*.* means that the server will accept connections from

any source host and port.Conn=(src IP, src port, dst IP, dst port)

All connections to same server will have same dst IP and port, but will have different source IPs and ports

Kernel maintains queue of ~5 incoming connections for each server.


Key Points

1. TCP/IP Layers: encapsulation/de-multiplexing1. Physical/Data Link: ethernet, PPP2. Network: IP, ICMP3. Transport: UDP, TCP4. Application: ftp, http, smtp, telnet, etc.

2. IP 1. Addressing: DNS/IP/MAC, netmasks, CIDR, NAT.2. Routing: tables, hubs/switches/routers.

3. TCP 1. Connection and Termination: 3-way handshake2. Addressing: source and destination ports.


References1. K. Egevang and P. Francis, “The IP Network Address Translator

(NAT),” RFC 1631, http://www.ietf.org/rfc/rfc1631.txt, 1994.2. J.B. Postel, “Internet Protocol,” RFC 791, “

http://www.ietf.org/rfc/rfc0791.txt, 1981.3. J.B. Postel, “Internet Control Message Protocol,” RFC 792, “

http://www.ietf.org/rfc/rfc0792.txt, 1981.4. J.B. Postel, “Transmission Control Protocol,” RFC 793, http

://www.ietf.org/rfc/rfc0793.txt, 1981.5. Ed Skoudis, Counter Hack, Prentice Hall, 2002.6. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley,

1994.7. Richard Stevens, UNIX Network Programming, Vol. 1, Prentice-

Hall, 1998.8. Andrew Tannenbaum, Computer Networks, 4th edition, Prentice-

Hall, 2002.

http://www.ietf.org/rfc/rfc1631.txt

http://www.ietf.org/rfc/rfc0791.txt?number=791




Documents

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security TCP/IP