Embed Size (px)
Citation preview
1
TCP/IP Internetworking
(February 1, 2012)
© Abdou Illia – Spring 2012
2
Security Goals: ReviewThree main security goals:
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources
CIA
3
TCP/IP and Security Goals
Understanding TCP/IP helps understand: Technical aspects of systems attacks like:
Attack Messages’ structure Attack Messages’ content What makes attack messages dangerous
How defense tools are designed and configured to meet security goals.
4
Network Communication Model?
Communication Models that define tasks and rules for communication in a network
Tasks and rules allow each device to: Generate messages in the required form for transmission “Understand” and process received messages properly
Computer 1
Task 1/ Rule 1
Task 2 / Rule 2
Task 3 / Rule 3
Task 4 /Rule 4
Task 5 / Rule 5
Task 1 / Rule 1
Task 2 / Rule 2
Task 3 / Rule 3
Task 4 / Rule 4
Task 5 / Rule 5
Computer 2
5
OSI Reference Model 7 layers Each layer communicates
with its peer layer, and with layer above and below it.
Different protocols at each layer
Upper layer deal with application issues, and are implemented in software
Lower layers handle data transport issues, and are implemented in software and hardware
App
lica
tion
Dat
a tr
ansp
ort
OSI model created by the International Organization for Standardization
6
OSI Reference Model
Layers RoleApplication • Represent user interface between the application
sofware (e.g. Eudora) and the Network• Provides services like: Identification of the intended
communication partner, determining resources availability for communication, etc.
7
Presentation • Performs code conversion and data reformatting (syntax translation) incluing encryption and compression if required.
• Uses coding & conversion schemes: Common Data Representation Formats, Common Data Encryption Schemes, EBCDIC, ASCII, etc.
6
Session • Responsible for establishing, managing & terminating communication sessions between computers.
• Communication sessions consist of service requests and service responses between applications
• Session layer’s protocols coordinate request & response sessions.
5
7
OSI Reference ModelLayers RoleTransport • Makes sure the data arrives at the destination exactly as it
left source (in case of connection-oriented communication)
• Provides error checking before transmission, and error recovery in case of failed delivery.
4
Network • Responsible for creating, maintaining and ending network connections.
• Provides logical address (IP address) to messages• Provides routing services: determining routes for sending. If
router can’t send large packets, break data into smaller units.
3
• Subdivided into 2 sublayers (Logical Link Control and Media Access Control)
• Provides physical address (MAC address) to messages
• Combines bits into bytes, bytes into a frames with header, address information, error detection code, and trailer
2
DataLink
LLC
MAC
8
OSI Reference ModelLayers RolePhysical • Handles the transmission of bits over a communication
channel.• Defines characteristics such as voltage levels, connector
types and maximum transmission distance.• Places signal on the cable. Responsible to move bits
between devices.
1
9
The TCP/IP (or Internet) Model
7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Data Link
1. Physical
4 layers Interface layer - equivalent to
the OSI’s Physical and Data Link layers
Network layer - roughly equivalent to the OSI’s Network layer
Transport layer - performs same function as OSI Transport layer
Application layer - equivalent to the OSI’s Presentation and Application layers
4. Application
3. Transport
2. Network
1. Interface
OSI Internet
10
Applications/Protocols Use in Internet Model
Layers Applications/ProtocolsApplication Webservice: HTTP
E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol) Telnet applications: Terminal Emulation Protocol File transfer: FTP
Transport TCP (Transmission Control Protocol). Required in webservice when HTTP is used Required in Mailservice when SMTP is used. SMTP messages are encapsulated in TCP segments Connection-oriented: Establishes and maintains connections before sending. Close connections after transmission. Correct errors in TCP segments.
UDP (User Datagram Protocol) Connectionless: Don’t open connection. Simply sends. Discards incorrect UDP datagrams (no retransmission)
Network IP (Internet Protocol)
Interface PPP (Point-to-Point Protocol) V.90 for 56 Kbps modems
11
Hybrid TCP/IP-OSI Model
Layers Sample protocols for Web access
Application HTTP
Transport TCP, UDP, ICMP
Internet IP
Data Link Ethernet, PPP
Physical Ethernet, Modem standards, Telephone standards
12
Layered Communications: Encapsulation – De-encapsulation Application programs on different computers cannot
communicate directly There is no direct connection between them! They need to use an indirect communication system
called layered communications or layer cooperation
BrowserBrowser
TransTrans
IntInt
DLDL
PhyPhy
User PC
Web AppWeb App
TransTrans
IntInt
DLDL
PhyPhy
Webserver
HTTP RequestHTTP Request
13
PPP-TPPP-T
Layer Cooperation on the User PC
Encapsulation on the sending machine Embedding message received from upper layer
in a new message
ApplicationApplication
TransportTransport
InternetInternet
Data LinkData Link
HTTP req.HTTP req.
PhysicalUser PC
HTTP req.HTTP req. TCP-HTCP-H
HTTP req.HTTP req. TCP-HTCP-H IP-HIP-H
HTTP req.HTTP req. TCP-HTCP-H IP-HIP-H PPP-HPPP-H
IP Packet
TCPsegment
HTTP request
Frame
Encapsulation of HTTPrequest in data field ofa TCP segment
14
Layer Cooperation on the Web server
De-encapsulation Other layers pass successive data fields (containing next-lower
layer messages) up to the next-higher layer
ApplicationApplication
TransportTransport
InternetInternet
Data LinkData Link
Transmission mediaWebserver
PPP-TPPP-T
HTTP req.HTTP req.
HTTP req.HTTP req. TCP-HTCP-H
HTTP req.HTTP req. TCP-HTCP-H IP-HIP-H
HTTP req.HTTP req. TCP-HTCP-H IP-HIP-H PPP-HPPP-H
IP Packet
TCPsegment
HTTP request
Frame
15
Summary Questions (Part 1)
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If layer N creates a message, does Layer N or Layer N-1 encapsulate the message?
3. What layer creates frames? Segments? Packets?
4. Which of the following network communication models is used on the Internet?
a) The OSI model
b) The HTML model
c) The TCP/IP model
d) The IP model
16
IP Packet
Total Length(16 bits)
Identification (16 bits)
Header Checksum (16 bits)Time To Live
(8 bits)
Flags
Protocol (8 bits)1=ICMP, 6=TCP,17=UDP
Bit 0 Bit 31IP Version 4 Packet
Source IP Address (32 bits)
Fragment Offset (13 bits)
QoS(8 bits)
HeaderLength(4 bits)
Version(4 bits)
Destination IP Address (32 bits)
Options (if any) Padding
Data Field
0100
QoS: Also called Type of Service, indicates the priority level the packet should have Identification tag: to help reconstruct the packet from several fragments Flags: indicates whether packet could be fragmented or not (DF: Don't fragment), indicates
whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
Fragment offset: identify which fragment this packet is attached to TTL: Indicates maximum number of hops (or routers) the packet could pass before a hop discards
it. Header checksum: to check for errors in the headers only
17
Summary Questions (Part 2)
What is the main version of the Internet Protocol in use today? What is the other version?
What does a router do with an IP packet if it decrements its TTL value to zero?
Assume that a router received an IP packet with the Protocol in header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
18
IP Fragmentation
When a packet arrives at a router, the router selects the port and subnet to forward the packet to
If packet too large for the subnet to handle, router fragments the packet; ie.
Divides packet’s data field into fragments Gives each fragment same Identification tag value, i.e. the
Identification tag of original packet First fragment is given Fragment Offset value of 0 Subsequent fragments get Fragment Offset values consistent with their
data’s place in original packet Last fragment’s Flag is set to “No More Fragments”
Destination host reassemble fragments based on the offsets.
Identification (16 bits) Flags Fragment Offset (13 bits)
Subnet 1
Subnet 2
19
Firewalls and Fragmented IP Packet
5. Firewall 60.168.47.47
Can Only Filter TCP
Header in First Fragment
Attacker 1.34.150.37
2. Second Fragment
4. TCP Data Field
NoTCP Header
IP Header
TCP Data Field
1. First Fragment
IP Header
3. TCP Header Only in First Fragment
Fragmentation makes it hard for firewalls to filter individual packets TCP or UDP header appears only in the first fragment
Firewall might drop the first fragment, but not subsequent fragments Some firewalls drop all fragmented packets
Router
20
TCP Segment
Source Port Number (16 bits) Destination Port Number (16 bits)
Bit 0 Bit 31
Acknowledgment Number (32 bits)
Sequence Number (32 bits)
TCP Checksum (16 bits)
Window Size(16 bits)
Flag Fields:ACK, SYN,…
(6 bits)
Reserved(6 bits)
HeaderLength(4 bits)
Urgent Pointer (16 bits)
Data Port number: identifies sending and receiving application programs. Sequence number: Identifies segment’s place in the sequence. Allows receiving
Transport layer to put arriving TCP segments in order. Acknowledgement number: identifies which segment is being acknowledged Flag fields: Six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to allow the receiver know what TCP segment is being acknowledged?
21
TCP and use of Flags TCP is a connection-oriented protocol
Sender and receiver need to establish connection Sender and receiver need to agree to “talk” Flags are used for establishing connection
Sender requests connection opening: SYN flag set to 1 If receiver is ready to “talk”, it responds by a SYN/ACK segment Sender acknowledges the acknowledgment
If sender does not get ACK, it resends the segment
PCTransport Process
WebserverTransport Process
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)
Note: With connectionless protocols like UDP, there is no flags. Messages are just sent. If part of sent messages not received, there is no retransmission.
3-way Handshake
Flag Fields(6 bits)
ACK SYN FIN RSTURG PSH
22
Communication during a normal TCP Session
Note: At any time, either process can send a TCP RST (reset) segment with RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
23
SYN/ACK Probing Attack
SYN/ACK Segment
Victim 60.168.47.47
Attacker 1.34.150.37
1. Probe 60.168.47.47
5. 60.168.47.47
is Live! 4. Source IP Addr=
60.168.47.473. Go Away!
2. No SYN (Open): Makes No Sense!
IP Hdr RST Segment
Sending SYN/ACK segments helps attackers locate “live” targets
Older Windows OS could crash when they receive a SYN/ACK probe
24
TCP and use of Port numbers Port Number identify applications
Well-known ports (0-1023): used by major server applications running at root authority.
HTTP web service=80, Telnet=23, FTP=21, SMTP email =25
Registered ports (1024-49151): Used by client and server applications.
Ephemeral/dynamic/private ports (49152-65535) Not permanently assigned by ICANN.
Web server applicationswww:80 FTP:21 SMTP:25
Operating System
Computer hardware
HDRAM chip
Processor
Socket notation:IP address:Port #
Source Port Number (16 bits) Destination Port Number (16 bits)
25
Summary Questions (Part 3)
A host sends a TCP segment with source port number 25 and destination port number 49562.
1) Is the source host a server or a client? Why?
2) If the host is a server, what kind of service does it provide?
3) Is the destination host a server or a client ? Why?
26
TCP and Port spoofing
Most companies set their firewall to accept packet to and from port 80 Attackers set their client program to use well-know port 80
Attackers set their application to use well-known port despite not being the service associated with the port
27
Summary Questions (Part 4)
1. What is IP Fragmentation? Does IP fragmentation make it easier for firewall to filter incoming packets? Why?
2. What is SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?
