
TCP/IP: TCP

Network Security

Lecture 6

TCP

• Based on IP

• Provides connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering)

• Provides port abstraction (like UDP)

• Establishes a virtual circuit (over packet-switching IP)

– Identified by (source IP address, source port, destination IP address, destination port)

– Full duplex: two streams

• RFC 793

Eike Ritter Network Security - Lecture 6 1

TCP segment (header layout, bit offsets 0 to 31)

0       4       8       12      16      20      24      28     31
+-------+-------+-------+-------+-------+-------+-------+-------+
|          Source port          |       Destination port        |
+-------------------------------+-------------------------------+
|                        Sequence number                        |
+---------------------------------------------------------------+
|                     Acknowledgment number                     |
+-------+-----------+-----------+-------------------------------+
|Hdr len| Reserved  |   Flags   |            Window             |
+-------+-----------+-----------+-------------------------------+
|           Checksum            |        Urgent pointer         |
+-------------------------------+-------------------------------+
|             Options (if hdr_len > 5)              |  Padding  |
+---------------------------------------------------+-----------+
|                             Data                              |
+---------------------------------------------------------------+


TCP encapsulation

+--------------+------------------------------------------------+
| Frame header | Frame data                                     |
+--------------+-----------+------------------------------------+
               | IP header | IP data                            |
               +-----------+------------+-----------------------+
                           | TCP header | TCP data              |
                           +------------+-----------------------+

TCP seq/ack numbers

• The sequence number specifies the position of this segment’s data in the communication stream

– SEQ=1234 means that the payload of this segment contains data starting from byte 1234

• The acknowledgment number specifies the position of the next byte expected from the host

– ACK=1234 means that the host has received correctly up to byte 1233 and expects byte 1234

• Basis for retransmission of lost segments and for detecting duplicates

TCP flags

• Used for the setup/shutdown of virtual circuit and other operations on it:

– SYN: used in connection setup

– ACK: acknowledgment number is valid

– FIN: request to shut down one stream

– RST: reset the virtual circuit

– URG: indicates that the urgent pointer is valid

– PSH: indicates that data should be passed to the application as soon as possible (“push”)


TCP virtual circuit setup

• TCP establishes a connection-oriented communication service on top of packet-oriented IP

• The setup is done through the three-way handshake

– Client sends a SYN to the server (active open); sequence number is IA

– Server replies with SYN-ACK; the ack is set to IA+1; sequence number is IB

– Client sends ACK; the ack is set to IB+1; sequence number is IA+1

Initial sequence number

[Figure: three-way handshake between Client:7890 and Server:80]

Initial sequence numbers

• What to use as the initial sequence number?

• The original standard specified that the sequence number should be incremented every 4 microseconds

• BSD UNIXes initially used a number that is incremented by 64,000 every half second and by 64,000 every time a connection is established

• We’ll see in a bit if these are good choices…


TCP data exchange

• Host sends data

– Acknowledgment number: acknowledges everything received up to the previous segment

– Sequence number: initial sequence number increased by the amount of data transferred so far

• Recipient (RCV) accepts a segment (SEG) if the segment falls inside the receive window

– RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW, or

– RCV.ACK <= SEG.SEQ + SEG.LENGTH - 1 < RCV.ACK + RCV.WINDOW

• Empty segments may be exchanged to acknowledge received data
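The acceptance rule above written out as a function (an added example, not part of the lecture). It goes a little beyond the slide: the comparisons are done modulo 2**32 so that wrapped sequence numbers are handled, and RFC 793's zero-window case, which the slide does not mention, is included.

```python
# Added example, not from the lecture: the receive-window acceptance test from
# the slide, with the comparisons done modulo 2**32 so that wrapped sequence
# numbers are handled (the slide states the rule without wraparound).
SEQ_MOD = 1 << 32


def in_window(value, rcv_ack, rcv_window):
    """RCV.ACK <= value < RCV.ACK + RCV.WINDOW, evaluated modulo 2**32."""
    return (value - rcv_ack) % SEQ_MOD < rcv_window


def segment_acceptable(seg_seq, seg_length, rcv_ack, rcv_window):
    """The receiver accepts a segment if its first byte (SEG.SEQ) or its last
    byte (SEG.SEQ + SEG.LENGTH - 1) falls inside the receive window.

    Security reading: a segment injected by a third party is delivered only
    if its guessed sequence number passes this test, so the window size bounds
    how much of the 32-bit space a guesser can hit."""
    if rcv_window == 0:
        # RFC 793's extra case, not on the slide: with a closed window only an
        # empty segment sitting exactly at RCV.ACK is acceptable.
        return seg_length == 0 and seg_seq % SEQ_MOD == rcv_ack % SEQ_MOD
    if seg_length == 0:
        return in_window(seg_seq, rcv_ack, rcv_window)
    first_ok = in_window(seg_seq, rcv_ack, rcv_window)
    last_ok = in_window(seg_seq + seg_length - 1, rcv_ack, rcv_window)
    return first_ok or last_ok


if __name__ == "__main__":
    # Constructed values: window of 4096 bytes starting at RCV.ACK = 1000
    for seq, length in ((1000, 15), (990, 15), (980, 15), (5096, 1)):
        print(seq, length, segment_acceptable(seq, length, 1000, 4096))
```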


Data exchange

[Figure: data exchange between Client:7890 and Server:80; each side sends a segment with data len: 15 and the other acknowledges it]

TCP virtual circuit shutdown

• One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set

• The other host, the client, acknowledges the receipt

• From this point on, the server will not send any data

– It will only send ACKs for the data it receives

• When the client shuts down its stream, the virtual circuit is closed

Virtual circuit shutdown

[Figure: Client:7890 and Server:80; the server closes its half of the circuit first, then the client closes its half]

TCP portscan

• Used to determine the TCP services available on a host

– Each service is traditionally associated with a specific port (see /etc/services)

– Assumption: open port implies corresponding service is available

• Simplest form: “connect scan”

– connect to all possible ports

– If three-way handshake succeeds, port is open

• Disadvantage:

– Noisy


TCP connect scan

$ nmap -sT 172.16.48.130

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


TCP connect scan

IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]


TCP SYN portscan

• Attacker sends a SYN packet

• The target host

– Replies with a SYN/ACK, if the port is open

– Replies with a RST, if the port is closed

• The attacker sends a RST instead of the ACK that would complete the three-way handshake

• Connection is never completed

– Applications do not record the event in their logs


TCP SYN portscan

$ sudo nmap -sS 172.16.48.130

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds


TCP SYN portscan

IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]
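A defender's view of the capture above, as an added example that is not part of the lecture: it parses lines in the tcpdump flag format shown on the slides and reports, per source host, how many distinct ports received a SYN and how many SYN/ACKs were answered with a bare RST rather than an ACK, which is the half-open pattern a SYN scan leaves and a connect scan does not. The sample capture is constructed to match the slide.

```python
import re
from collections import defaultdict

# Added example, not from the lecture: a detector over tcpdump-style lines in
# the format shown on the slides ("IP src.port > dst.port: Flags [S]").
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse(line):
    """(src, sport, dst, dport, flags) for one capture line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def scan_report(lines):
    """Per source host: distinct destination ports probed with a bare SYN, and
    how many SYN/ACKs were torn down with a bare RST instead of an ACK."""
    probed = defaultdict(set)   # src -> destination ports that saw a SYN
    synacked = set()            # (client, cport, server, sport) answered [S.]
    aborted = defaultdict(int)  # src -> SYN/ACKs answered with a bare RST
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if flags == "S":
            probed[src].add(dport)
        elif flags == "S.":
            synacked.add((dst, dport, src, sport))   # keyed from client's side
        elif flags == "R" and (src, sport, dst, dport) in synacked:
            aborted[src] += 1
    return {h: {"ports_probed": len(p), "half_open_aborted": aborted[h]}
            for h, p in probed.items()}


# Constructed sample, modelled on the SYN-scan capture on the slide
SAMPLE = """\
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]
""".splitlines()
```

Running `scan_report(SAMPLE)` attributes three probed ports and two aborted half-open handshakes to 172.16.48.139; the server never appears as a source because it only ever answers.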


TCP FIN/Xmas scans

• TCP RFC says

– If port is closed, an incoming segment not containing RST causes a RST to be sent

– If port is open, an incoming segment without SYN, RST, or ACK is silently dropped

• FIN scan

– Send segment with FIN

– If RST received, port is closed; else open

• Xmas scan

– Send segment with FIN, PSH, and URG

– If RST received, port is closed; else open


TCP FIN/Xmas scans

$ sudo nmap -sF 172.16.48.130 [target is Linux]

Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE         SERVICE
...
8000/tcp open|filtered http-alt

15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048


TCP FIN/Xmas scans

$ sudo nmap -sX 172.16.48.128 [target is Windows]

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-29 15:55 PST
All 1000 scanned ports on 172.16.48.128 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
15:55:31.069670 IP 172.16.48.139.42877 > 172.16.48.128.10004: FP 1557334796:1557334796(0) win 3072 urg 0
15:55:31.069680 IP 172.16.48.139.42877 > 172.16.48.128.9040: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.075453 IP 172.16.48.139.42877 > 172.16.48.128.1236: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.079934 IP 172.16.48.139.42877 > 172.16.48.128.2607: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.122730 IP 172.16.48.139.42877 > 172.16.48.128.3689: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.126760 IP 172.16.48.139.42877 > 172.16.48.128.4125: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.142278 IP 172.16.48.139.42877 > 172.16.48.128.3690: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.145262 IP 172.16.48.139.42877 > 172.16.48.128.1434: FP 1557334796:1557334796(0) win 3072 urg 0

OS fingerprinting

• Leverages differences in how different operating systems implement protocols to remotely identify the OS running on a host

• Active fingerprinting

– Send carefully crafted packets and observe the response

• Response to FIN messages

• Unusual combinations of TCP flags

• Initial TCP sequence number

• Initial TCP window size

• ICMP messages (error rate, inclusion of the packet that triggered the message)

– Can be noisy

– nmap, xprobe

• Passive fingerprinting

– Observe traffic received or monitored during regular communication

– Normal traffic, thus hard to detect

– http://lcamtuf.coredump.cx/p0f/README


TCP spoofing

• Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob)

• Mallory wants to impersonate Bob when opening a TCP connection to Alice

• Steps

– M sends a SYN segment to A with the source IP address set to B’s IP address

– A sends a SYN/ACK to B

– B replies with RST

– Fail: retry.


TCP spoofing

• Steps

– M kills B (e.g., flooding)

– M sends a SYN segment to A with the source IP address set to B’s IP address

– A sends a SYN/ACK to B, with its initial sequence number IA

– M completes the 3-way handshake, with ACK set to IA + 1. How does M know IA? There are two cases:

• M can sniff traffic from A: M just eavesdrops on A’s response containing IA

• M cannot sniff traffic from A (e.g., different networks): M guesses the correct IA value (“blind spoofing”)


TCP spoofing

• Described in R. T. Morris, A Weakness in the 4.2BSD UNIX TCP/IP Software

• Used by Kevin Mitnick attack in his attack against the San Diego Supercomputer Center

• Addressed by S. Bellovin, RFC 1984, Defending Against Sequence Number Attacks

– Set the initial sequence number to the timer prescribed originally + the value of a cryptographic hash function of each connection: ISN = M + F(localhost, localport, remotehost, remoteport)

– It is vital that F not be computable from the outside, so it is keyed with some secret data

• True random number

• Per-host secret and boot time of the machine

– Thus, each connection is given a separate sequence number space

• That’s the theory, at least
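The ISN formula above written out (an added example, not code from the lecture or from any real TCP stack). It keeps the slide's M as the 4-microsecond timer; the choice of HMAC-SHA256 for F and the per-host secret are this example's assumptions, and the legacy generator is included only to contrast the two schemes.

```python
import hashlib
import hmac

# Added example, not from the lecture: Bellovin's ISN scheme written out.
# ISN = M + F(localhost, localport, remotehost, remoteport), where M is the
# original 4-microsecond timer and F is a hash keyed with a per-host secret
# (HMAC-SHA256 for F and the secret itself are this example's assumptions).

SEQ_MOD = 1 << 32      # TCP sequence numbers are 32-bit
TICK_US = 4            # the timer increments once every 4 microseconds


def timer_m(now_us):
    """M: the clock-driven counter of the original standard."""
    return (now_us // TICK_US) % SEQ_MOD


def legacy_isn(now_us):
    """The old scheme: every connection opened at the same instant gets the
    same ISN, so one observed ISN lets an outsider predict the others."""
    return timer_m(now_us)


def keyed_f(secret, localhost, localport, remotehost, remoteport):
    """F: a keyed hash of the connection 4-tuple, truncated to 32 bits."""
    tuple_bytes = f"{localhost}:{localport}|{remotehost}:{remoteport}".encode()
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def bellovin_isn(secret, localhost, localport, remotehost, remoteport, now_us):
    """Each 4-tuple gets its own sequence-number space, offset by F; within
    one tuple the ISN still advances with the timer exactly as before."""
    offset = keyed_f(secret, localhost, localport, remotehost, remoteport)
    return (timer_m(now_us) + offset) % SEQ_MOD


if __name__ == "__main__":
    secret = b"constructed per-host boot secret"   # constructed sample key
    now = 1_000_000
    for remote in ("172.16.48.139", "172.16.48.140"):   # two clients at once
        print(remote, legacy_isn(now),
              bellovin_isn(secret, "172.16.48.130", 80, remote, 7890, now))
```

The legacy ISNs printed for the two clients are identical, while the keyed ISNs differ by an offset that cannot be computed without the secret.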


NEXT ON


Take away points and next time

• TCP format

• TCP connection

– Setup, data exchange, shutdown

• Portscanning and fingerprinting

• Spoofing

– Initial sequence numbers

• TCP

– Hijacking

– Denial of service

• SYN flooding

• DNS
