Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Transcription

1 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Mobile Client Host Access Link Server Host 2 Frame Organization Switching Decision Trailer Frame Data Field Header Switch Frame with Station C In the destination Address field Switch receives A frame, sends It back out Based on Destination Address Structure Other Header Field Destination Address Field Station A Station B Station C Station D 3 4 Figure 3-1: An internet is two or more individual switched networks connected by routers Switched Network 1 Switched Network 3 Router An Multiple Networks Connected by Routers Path of a is its Route Routers Single Network Switched Network 2 Single Network Route 5 6

2 The The global has thousands of networks Figure 3-6: Frames and s Browser Network Software Frame 1 Carrying in Network 1 Router A Router Router Route Client PC Switch Frame 3 Carrying in Network 3 Frame 2 Carrying in Network 2 Router 7 Server Switch Router B 8 Frames and s Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport. Shipper Truck Airport Same Shipment Airport Airplane Receiver Truck 9 Figure 3-2: TCP/IP Standards (Study Figure) Origins Defense Advanced Research Projects Agency (DARPA) created the ARPANET An internet connects multiple individual networks Global is capitalized Engineering Task Force (IETF) Most IETF documents are requests for comments (RFCs) Official Protocol Standards: List of RFCs that are official standards 10 Figure 3-2: TCP/IP Standards (Study Figure) Hybrid TCP/IP-OSI Architecture (Figure 3-3) Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2 TCP/IP Subnet Access: Use OSI Standards Here OSI Presentation Session Network Physical Hybrid TCP/IP-OSI Physical 11 Figure 3-2: TCP/IP Standards (Study Figure) OSI Layers Physical (Layer 1): defines electrical signaling and media between adjacent devices Data link (Layer 2): control of a frame through a single network, across multiple switches Switched Network 1 Physical Link Frame 12

3 Figure 3-2: TCP/IP Standards Layer Governs the transmission of a packet across an entire internet. Path of the packet is its route Figure 3-2: TCP/IP Standards (Study Figure) Frames and s Frames are messages at the data link layer s are messages at the internet layer Switched Network 1 Switched Network 2 Switched Network 3 Route Router s are carried (encapsulated) in frames There is only a single packet that is delivered from source to destination host This packet is carried in a separate frame in each network Figure 3-7: and Layers Figure 3-2: TCP/IP Standards (Study Figure) Client PC Layer End-to-End (Host-to-Host) TCP is Connection-Oriented, Reliable UDP is Connectionless Unreliable Layer (Usually IP) Hop-by-Hop (Host-Router or Router-Router) Connectionless, Unreliable Server and Layers Purposes layer governs hop-by-hop transmission between routers to achieve endto-end delivery layer is end-to-end (host-to-host) protocol involving only the two hosts Router 1 Router 2 Router Figure 3-2: TCP/IP Standards (Study Figure) Figure 3-2: TCP/IP Standards (Study Figure) and Layers Protocol (IP) IP at the internet layer is unreliable does not correct errors in each hop between routers This is good: reduces the work each router along the route must do 17 Layer Standards Transmission Control Protocol (TCP) Reliable and connection-oriented service at the transport layer Corrects errors User Datagram Protocol (UDP) Unreliable and connectionless service at the transport layer Lightweight protocol good when catching errors is not important 18

4 Figure 3-8: HTML and at the Layer Figure 3-2: TCP/IP Standards (Study Figure) Client PC with Browser Hypertext Transfer Protocol () Requests and Responses Layer To govern communication between application programs, which may be written by different vendors Document transfer versus document format standards / HTML for WWW service SMTP / RFC 822 (or RFC 2822) in Hypertext Markup Language (HTML) Document or Other File (jpeg, etc.) Many application standards exist because there are many applications Figure 3-3: TCP/IP and OSI Architectures: Recap TCP/IP Subnet Access: Use OSI Standards Here OSI Presentation Session Network Physical Hybrid TCP/IP-OSI Physical Note: The Hybrid TCP/IP-OSI Architecture is used on the and dominates internal corporate networks. 21 Figure 3-5: IP 0100 IP Version 4 Bit 0 Bit 31 Version (4 bits) Header Length (4 bits) Identification (16 bits) Time to Live (8 bits) Diff-Serv (8 bits) Total Length (16 bits) Flags Fragment Offset (13 bits) Protocol (8 bits) 1=ICMP, 6=TCP, Header Checksum (16 bits) 17=TCP Source IP Address (32 bits) Destination IP Address (32 bits) Options (if any) Padding Data Field 22 Figure 3-5: IP Figure 3-5: IP Version Has value of four (0100) Time to Live (TTL) Prevents the endless circulation of mis-addressed packets Value is set by sender Decremented by one by each router along the way If reaches zero, router throws packet away 23 Protocol Field Identifies contents of data field 1 = ICMP 6 = TCP IP Data Field 17 =UDP ICMP IP Data Field TCP Segment IP Header Protocol=6 IP Data Field UDP Datagram IP Header Protocol=1 IP Header Protocol=17 24

5 Figure 3-5: IP Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host Header checksum to check for errors in the header only Faster than checking the whole packet Stops bad headers from causing problems IP Version 6 drops eve this checking Address Fields 32 bits long, of course TCP Encapsulation of message in data field of a TCP segment Encapsulation of TCP segment in data field of an IP packet Options field(s) give optional parameters Data field contains the payload of the packet. TCP IP Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host Trlr TCP TCP IP IP Encapsulation of IP packet in data field of a frame Note: The following is the final frame for supervisory TCP segments: Trlr TCP IP Physical Converts Bits of Frame into Signals Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host Decapsulation of message from data field of a TCP segment TCP IP Decapsulation of IP packet from data field of a frame TCP Decapsulation of TCP segment from data field of an IP packet TCP IP TCP IP Physical Converts Signals into the Bits of the Frame 29 30

6 Figure 3-11: Vertical Communication on Router R1 Figure 3-11: Vertical Communication on Router R1 A Decapsulation Frame Port 1 Layer Port 2 Port 3 Port 4 PHY PHY PHY PHY Router R1 Router R1 Port 1 Layer Port 2 Port 3 Port 4 PHY PHY PHY PHY B Encapsulation Frame Switch X2 Notes: A. Router R1 receives frame from Switch X2 in Port 1. Port 1 process decapsulates packet. Port 1 process passes packet to internet process. 31 B. process sends packet out on Port 4. on Port 4 encapsulates packet in a PPP frame. process passes frame to Port 4 PHY. Router 2 32 Figure 3-12: Site Connection to an ISP Site Network Border Firewall 3. Carried in Site Frame 1. Frame for This 4. Between Site and ISP (Difficult to Attack) ISP ISP Router Backbone 2. Carried in ISP Carrier Frame Basic Characteristics There were already single networks, and many more would come in the future Developers needed to make a few assumptions about underlying networks So they kept IP simple 5. Normally, Only the Arriving is Dangerous Not the Frame Fields IP Connection-Oriented Service and Connectionless Service Connection-oriented services have distinct starts and closes (telephone calls) Connectionless services merely send messages (postal letters) IP is connectionless 35 PC IP Connectionless s Sent in Isolation Like Postal Letters Unreliable No Error Correction Discarded by Receiver if Error is Detected Leaves Error Correction to Layer Reduces the Cost of Routers First Router 36

7 IP is Unreliable (Checks for Errors but does not Correct Errors) (Figure 3-14) Not doing error correction at each hop between switches reduces switch work and so switch cost Does not even guarantee packets will arrive in order Hierarchical IP Addresses Postal addresses are hierarchical (state, city, postal zone, specific address) Most post offices have to look only at state and city Only the final post offices have to be concerned with specific addresses Figure 3-15: Hierarchical IP Address Host The Network Part (not always 16 bits) Subnet Part (not always 8 bits) Host Part (not always 8 bits) Total always is 32 bits. UH Network ( ) CBA Subnet (17) 39 Hierarchical IP Addresses 32-bit IP addresses are hierarchical (Figure 3-15) Network part tells what network host is on Subnet part tells what subnet host is on within the network Host part specifies the host on its subnet Routers have to look only at network or subnet parts, except for the router that delivers the packet to the destination host 40 Figure 3-16: IP Address Masking with Network and Subnet Masks Hierarchical IP Addresses 32-bit IP addresses are hierarchical Total is 32 bits; part sizes vary Network mask tells you the size of the network part (Figure 3-16) Subnet mask tells you the length of the network plus subnet parts combined Mask Represents Eight ones give the decimal value Eight zeros give the decimal value Masking gives Network Masking Tells the size of the network part IP address bit where the mask value is 1; 0 where the mask bit is 0 Subnet Masking Tells the size of the network and the subnet parts combined IP address bit where the mask value is 1; 0 where mask bit is

8 Figure 3-16: IP Address Masking with Network and Subnet Masks Figure 3-17: IP Address Spoofing Example 1 IP Address Mask Result Meaning Example 2 IP Address Mask Result Meaning Network Masking bit network part is bit network part is 60 Subnet Masking Combined 24-bit network plus subnet part are Combined 16-bit network plus subnet parts are Trusted Server Attacker s Client PC Trust Relationship 3. Server Accepts Attack 2. Attack Spoofed Source IP Address Attacker s Identity is Not Revealed Victim Server 44 IP Addresses and Security IP address spoofing: Sending a message with a false IP address (Figure 3-17) Gives sender anonymity so that attacker cannot be identified Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts IP Addresses and Security LAND attack: send victim a packet with victim s IP address in both source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers, crashed when they received such a packet Figure 3-18: LAND Attack Based on IP Address Spoofing Other IP Header Fields Protocol field: Identifies content of IP data field Attacker From: :23 To: :23 Victim Port 23 Open Crashes Firewalls need this information to know how to process the packet Source and Destination IP Addresses are the Same Source and Destination Port Numbers are the Same 47 48

9 Other IP Header Fields Time-to-Live field Each router decrements the TTL value by one Router decrementing TTL field to zero discards the packet Other IP Header Fields Time-to-Live field Router also sends an error advisement message to the sender The packet containing this message reveals the sender s IP address to the attacker Traceroute uses TTL to map the route to a host (Figure 3-19) Tracert on Windows machines Figure 3-19: Tracert Program in Windows Other IP Header Fields Header Length field and Options With no options, Header Length is 5 Expressed in units of 32 bits So, 20 bytes Many options are dangerous So if Header Length is More Than 5, be Suspicious Some firms drop all packets with options Figure 3-20: Ping-of-Death Attack Other IP Header Fields Length Field Gives length of entire packet Maximum is 65,536 bytes Ping-of-Death attack sent IP packets with longer data fields Attacker IP Containing ICMP Echo That is Illegally Long Victim Crashes Many systems crashed 53 54

10 Other IP Header Fields Fragmentation Routers may fragment IP packets (really, packet data fields) en route All fragments have same Identification field value Fragment offset values allows fragments to be ordered More fragments is 0 in the last fragment Other IP Header Fields Fragmentation Harms packet inspection: TCP header, etc. only in first packet in series Cannot filter on TCP header, etc. in subsequent packets Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Attacker Second Fragment 4. TCP Data IP Field Header No TCP Header 1. Fragmented IP 2. First Fragment TCP Data Field IP Header 3. TCP Header Only in First Fragment 5. Firewall Can Only Filter TCP Header in First Fragment Other IP Header Fields Fragmentation Teardrop attack: Crafted fragmented packet does not make sense when reassembled Some firewalls drop all fragmented packets, which are rare today Figure 3-21: Teardrop Denial-of- Service Attack Figure 3-24: IP with a TCP Segment Data Field Bit 0 Bit 31 Defragmented IP Gap Overlap Source Port Number (16 bits) IP Header (Usually 20 Bytes) Destination Port Number (16 bits) Sequence Number (32 bits) Attacker Attack Pretends to be Fragmented IP When Reassembled, does not Make Sense. Gaps and Overlaps Victim Crashes Header Length (4 bits) Reserved (6 bits) TCP Checksum (16 bits) Acknowledgment Number (32 bits) Flag Fields (6 bits) Window Size (16 bits) Urgent Pointer (16 bits) 59 60

11 Figure 3-23: Transmission Control Protocol (TCP) TCP s are TCP Segments Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc. Figure 3-23: Transmission Control Protocol (TCP) Reliable Receiving process sends ACK to sending process if segment is correctly received ACK bit is set (1) in acknowledgement segments If sending process does not get ACK, resends the segment Header Length (4 bits) Reserved (6 bits) Flag Fields (6 bits) Window Size (16 bits) PC TCP Segment TCP Segment (ACK) Figure 3-23: Transmission Control Protocol (TCP) Figure 3-25: Communication During a TCP Session Connections: Opens and Closes Formal open and close Three-way open: SYN, SYN/ACK, ACK (Figure 3-25) Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25) Abrupt close: RST (Figure 3-26) PC Open (3) 1. SYN (Open) 2. SYN, ACK (1) (Acknowledgement of 1) 3. ACK (2) 3-Way Open Figure 3-25: Communication During a TCP Session Figure 3-25: Communication During a TCP Session PC Open (3) Carry Req & Resp (4) 1. SYN (Open) 2. SYN, ACK (1) (Acknowledgement of 1) 3. ACK (2) 4. Data = Request 5. ACK (4) 6. Data = Response 7. ACK (6) 65 PC Carry Req & Resp (4) 8. Data = Request (Error) 9. Data = Request (No ACK so Retransmit) 10. ACK (9) 11. Data = Response 12. ACK (11) Error Handling 66

12 Figure 3-25: Communication During a TCP Session Figure 3-25: Communication During a TCP Session PC Normal Four-Way Close PC Abrupt Close Close (4) 13. FIN (Close) 14. ACK (13) Close (1) RST 15. FIN 16. ACK (15) Note: An ACK may be combined with the next message if the next message is sent quickly enough Either side can send A Reset (RST) Segment At Any Time Ends the Session Immediately Figure 3-26: SYN/ACK Probing Attack Using Reset (RST) Figure 3-23: Transmission Control Protocol (TCP) Attacker Probe SYN/ACK Segment 5. is Live! 4. Source IP Addr= 2. No Connection: Makes No Sense! IP RST Segment 3. Go Away! Victim Crashes 69 Sequence and Acknowledgement Number Sequence numbers identify segment s place in the sequence Acknowledgement number identifies which segment is being acknowledged Source Port Number (16 bits) Sequence Number (32 bits) Acknowledgment Number (32 bits) Destination Port Number (16 bits) 70 Figure 3-23: Transmission Control Protocol (TCP) Figure 3-23: Transmission Control Protocol (TCP) Port Number Port numbers identify applications Well-known ports (0-1023) used by applications that run as root (Figure 3-27) =80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25 Port Number Registered ports ( ) for any application Ephemeral/dynamic/private ports ( ) used by client (16,383 possible) Not all operating systems uses these port ranges, although all use well-known ports Source Port Number (16 bits) Destination Port Number (16 bits) 71 72

13 Figure 3-23: Transmission Control Protocol (TCP) Figure 3-27: Use of TCP and UDP Port Number Port Number :80 Socket format is IP address: Port, for instance, :80 Designates a specific program on a specific machine Client From: :50047 To: : Port 80 Port spoofing (Figure 3-28) Incorrect application uses a well-known port Especially 80, which is often allowed through firewalls SMTP Server Port Figure 3-27: Use of TCP and UDP Port Number Figure 3-27: Use of TCP and UDP Port Number Client From: :50047 To: : Port 80 Client Port 80 From: :80 To: :50047 SMTP Server Port 25 From: :60003 To: :25 SMTP Server Port Figure 3-27: Use of TCP and UDP Port Number Client From: :50047 To: :80 From: :60003 To: :25 Clients Used Different Ephemeral Ports for Different Connections SMTP Server Port Port Figure 3-29: User Data Protocol (UDP) UDP Datagrams are Simple (Figure 3-30) Source and destination port numbers (16 bits each) UDP length (16 bits) UDP checksum (16 bits) Bit 0 Bit 31 Source Port Number (16 bits) UDP Length (16 bits) IP Header (Usually 20 Bytes) Data Field Destination Port Number (16 bits) UDP Checksum (16 bits) 78

14 Figure 3-29: User Data Protocol (UDP) Figure 3-33: Control Protocol (ICMP) Port Spoofing Still Possible UDP Datagram Insertion Insert UDP datagram into an ongoing dialog stream Hard to detect because no sequence numbers in UDP 79 ICMP is for Supervisory s at the Layer ICMP and IP An ICMP message is delivered (encapsulated) in the data field of an IP packet Types and Codes (Figure 3-2) Type: General category of supervisory message Code: Subcategory of type (set to zero if there is no code) 80 Figure 8.13: Control Protocol (ICMP) for Supervisory s Figure 3-32: IP with an ICMP Data Field Host Unreachable Error Router Bit 0 Type (8 bits) Bit 31 IP Header (Usually 20 Bytes) Code (8 bits) Depends on Type and Code Echo Reply Echo ICMP IP Header Depends on Type and Code Figure 3-32: control Protocol (ICMP) Network Analysis s Echo (Type 8, no code) asks target host if it is operational and available Echo reply (Type 0, no code). Target host responds to echo sender Ping program implements Echo and Echo Reply. Like submarine pinging a target Ping is useful for network managers to diagnose problems based on failures to reply Ping is useful for hackers to identify potential targets: live ones reply 83 Figure 3-32: control Protocol (ICMP) Error Advisement s Advise sender of error but there is no error correction Host Unreachable (Type 3, multiple codes) Many codes for specific reasons for host being unreachable Host unreachable packet s source IP address confirms to hackers that the IP address is live and therefore a potential victim Usually sent by a router 84

15 Figure 3-31: control Protocol (ICMP) Error Advisement s Time Exceeded (Type 11, no codes) Router decrementing TTL to 0 discards packet, sends time exceeded message IP header containing error message reveals router s IP address By progressively incrementing TTL values by 1 in successive packets, attacker can scan progressively deeper into the network, mapping the network Also usually sent by a router 85 Figure 3-31: control Protocol (ICMP) Control Codes Control network/host operation Source Quench (Type=4, no code) Tells destination host to slow down its transmission rate Legitimate use: Flow control if host sending source quench is overloaded Attackers can use for denial-of-service attack 86 Figure 3-31: control Protocol (ICMP) Control Codes Redirect (Type 5, multiple codes) Tells host or router to send packets in different way than they have Attackers can disrupt network operations, for example, by sending packets down black holes Many Other ICMP s Network Elements Client and server stations s Trunk lines and access lines Switches and routers s (frames) s (frames) may have headers, data fields, and trailers Headers have source and destination address fields Switches forward (switch) frames based on the value in the destination address field Based on field value, switch sends frames out a different port that the one on which the frame arrived 89 s Group of networks connected by routers The is a global internet Organizations connect via ISPs messages are called packets Path of a packet is its route s travel within frames in networks If route goes through four networks, There will be one packet and four frames 90

16 TCP/IP Standards Dominate the Created by the Engineering Task Force (IETF) Documents are called requests for comments (RFCs) OSI Standards Dominate for single networks Physical and data link layers TCP/IP Subnet Access: Use OSI Standards Here OSI Presentation Session Network Physical Hybrid TCP/IP-OSI Physical working Layers layer Protocol (IP) Governs packet organization Governs hop-by-hop router forwarding (routing) layer Governs end-to-end connection between the two hosts TCP adds reliability, flow control, etc. UDP is simpler, offers no reliability, etc. 93 Layer Standards Govern interaction between two application programs Usually, a message formatting standard and a message transfer standard HTML / in WWW RFC 2822 / SMTP in 94 IP Version 4 32-bit source and destination addresses Time to live (TTLS) Header checksum Protocol (type of message in data field) Data field IP Version 4 Option fields may be used, but more likely to be used by hackers rather than legitimately may be fragmented; this too is done mainly by attackers Data field Version bit addresses to allow more addresses 95 96

17 Vertical Communication on the Source Host One layer (Layer N) creates a message Passes message down to the next-lower layer (Layer N-1) The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 record Layer N-1 passes the Layer N-1 message down to Layer N-2 is Reversed on the Destination Host Decapsulation occurs at each layer Vertical es on Router The router first receives, then sends So the router first decapsulates, then encapsulates There is one internet layer process on each router Firewalls Only Need to Look at,, and s The attacker cannot manipulate the frame going from the ISP to the organization IP Connectionless and unreliable Hierarchical IP addresses Network part Subnet part Host part Part lengths vary IP Masks You cannot tell by looking at an IP address what its network or subnet parts are Network mask has 1s in the network part, followed by all zeros Subnet mask has 1s in the network and subnet parts, followed by all zeros IP address spoofing Change the source IP address To conceal identity of the attacker To have the victim think the packet comes from a trusted host LAND attack

18 TCP s Called TCP segments Flags fields for SYN, ACK, FIN, RST 3-way handshake with SYN to open Each segment is received correctly is ACKed This provides reliability TCP s Normally, FIN is used in a four-way close RST can create a single-message close Attackers try to generate RSTs because the RST message is in a packet revealing the victim s IP address Port Numbers Used in both TCP and UDP 16-bit source and destination port numbers Clients use ephemeral port numbers Randomly generated by the client Major applications on servers use well-known port numbers 0 to 1023 ICMP For supervisory messages at the internet layer ICMP messages are encapsulated in the data fields of IP packets Type and code designate contents of IP packet Attackers use ICMP messages in scanning Replies tell them IP addresses ICMP Echo (Type 8, no code) asks target host if it is operational and available Echo reply (Type 0, no code). Target host responds to echo sender Ping program implements Echo and Echo Reply. Like submarine pinging a target ICMP error messages of several types Allow only ICMP echo replies in border router ingress filtering 107