TCP
Network Security, Lecture 6

TCP/IP: TCP
- Based on IP
- Provides a connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering)
- Provides the port abstraction (like UDP)
- Establishes a virtual circuit over packet-switched IP, identified by the 4-tuple (source IP address, source port, destination IP address, destination port)
- Full duplex: two independent streams, one per direction
- RFC 793

TCP segment
Header layout, one 32-bit word per row (bit offsets 0, 4, 8, ..., 31):
  word 0:  Source port (16)            | Destination port (16)
  word 1:  Sequence number (32)
  word 2:  Acknowledgment number (32)
  word 3:  Hdr len (4) | Reserved (6) | Flags (6) | Window (16)
  word 4:  Checksum (16)               | Urgent pointer (16)
  word 5+: Options (present only if hdr_len > 5) | Padding to a 32-bit boundary
  then:    Data
Hdr len counts 32-bit words, so the minimum header is 5 words = 20 bytes; the flags are, from high to low bit, URG ACK PSH RST SYN FIN.

TCP encapsulation
  Frame header | Frame data
                 IP header | IP data
                             TCP header | TCP data
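To make the header layout concrete, here is an added example (written for this page, not code from the lecture) that parses a raw TCP segment into the fields above, walks the option list and verifies the checksum over the IPv4 pseudo-header. The builder function, the two addresses and the sample SYN carrying an MSS option are constructed for illustration; the field offsets and the checksum rule are those of RFC 793.

```python
import struct

# Flag bits in the 6-bit flags field, high to low: URG ACK PSH RST SYN FIN
FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def parse_options(raw: bytes) -> list:
    """Decode the option list: kind 0 ends the list, kind 1 is a one-byte NOP,
    anything else is kind, length (including these two bytes), value."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation (padding/alignment)
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    """Split a TCP segment (header + data) into its fields per RFC 793."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off_res >> 4) * 4            # data offset is in 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": hdr_len, "flags": {n for n, b in FLAG_BITS if flags & b},
            "window": window, "checksum": csum, "urgptr": urg,
            "options": parse_options(segment[20:hdr_len]),
            "payload": segment[hdr_len:]}


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones'-complement checksum over pseudo-header (src, dst, zero, proto 6,
    TCP length) plus the segment, with the checksum field taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def build_tcp(sport, dport, seq, ack, flags, window, options=b"", payload=b"",
              src_ip=b"", dst_ip=b""):
    """Assemble a segment with a correct checksum (used to construct test input)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    hdr_words = 5 + len(options) // 4
    flag_bits = sum(b for n, b in FLAG_BITS if n in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      hdr_words << 4, flag_bits, window, 0, 0)
    seg = hdr + options + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


# Constructed sample: a SYN from 172.16.48.139:46767 to 172.16.48.130:80 with an
# MSS option (kind 2, length 4, value 1460)
SRC_IP, DST_IP = bytes([172, 16, 48, 139]), bytes([172, 16, 48, 130])
SAMPLE_SYN = build_tcp(46767, 80, 1234, 0, {"SYN"}, 5840,
                       options=b"\x02\x04\x05\xb4", src_ip=SRC_IP, dst_ip=DST_IP)
```

A practitioner writing a sniffer or a scan detector usually needs exactly this much: the 4-tuple, the flags and whether the checksum is sound (a segment with a bad checksum is discarded by the receiving stack and should not be counted as a probe that reached the application).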
TCP seq/ack numbers
- The sequence number gives the position in the stream of the first byte of this segment's data: SEQ=1234 means the payload starts at byte 1234
- The acknowledgment number gives the position of the next byte expected from the peer: ACK=1234 means everything up to byte 1233 has been received correctly and byte 1234 is expected next (acknowledgments are cumulative)
- Basis for retransmission of lost segments and for discarding duplicates

TCP flags
Used for the setup/shutdown of the virtual circuit and other operations on it:
- SYN: used in connection setup (synchronise sequence numbers)
- ACK: acknowledgment number is valid
- FIN: request to shut down one stream (the sender has no more data)
- RST: reset the virtual circuit
- URG: indicates that the urgent pointer is valid
- PSH: indicates that data should be passed to the application as soon as possible ("push")

TCP virtual circuit setup
- TCP establishes a connection-oriented communication service on top of packet-oriented IP
- The setup is done through the three-way handshake (Client:7890 to Server:80):
  1. Client sends a SYN to the server (active open); sequence number is I_A
  2. Server replies with SYN/ACK; ack is set to I_A + 1; sequence number is I_B
  3. Client sends ACK; ack is set to I_B + 1; sequence number is I_A + 1
- The SYN consumes one sequence number, which is why each side's first data byte is numbered ISN + 1

Initial sequence numbers
- What to use as the initial sequence number (ISN)?
- The original standard (RFC 793) specifies a 32-bit clock whose low-order bit is incremented roughly every 4 microseconds
- BSD UNIXes initially used a counter incremented by 64,000 every half second and by a further 64,000 every time a connection is established
- We'll see in a bit whether these are good choices

TCP data exchange
- Host sends data
  - Acknowledgment number: everything received from the peer up to and including the previous segment
  - Sequence number: initial sequence number plus the number of bytes sent so far
- The recipient (RCV) accepts a segment (SEG) only if it falls inside the receive window. In RFC 793 notation, where RCV.NXT is the next byte expected (the value the receiver advertises in its ACK field) and all comparisons are modulo 2^32:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
  or
    RCV.NXT <= SEG.SEQ + SEG.LEN - 1 < RCV.NXT + RCV.WND
- Empty segments may be exchanged to acknowledge received data
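The handshake, the data exchange and the window test above are easiest to follow when the numbers are actually computed. The following is an added example, not part of the lecture: a deliberately minimal pair of endpoints (no retransmission, no timers, no reassembly, all of which a real stack has) that run the three-way handshake, exchange 15 bytes each way as in the slide's figure, reject a constructed segment whose sequence number an attacker guessed wrong, and then close one half at a time. The server's ISN is chosen just below 2^32 so that the modulo arithmetic in the window test is exercised; the endpoint names, ISNs and the 4096-byte window are assumptions.

```python
MOD = 1 << 32   # sequence numbers are 32-bit and wrap


def acceptable(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """RFC 793 acceptability test, evaluated modulo 2^32 so it survives wrap-around.
    rcv_nxt is the next byte the receiver expects (what it puts in its ACK field)."""
    first = (seg_seq - rcv_nxt) % MOD               # offset of first byte from RCV.NXT
    last = (seg_seq + seg_len - 1 - rcv_nxt) % MOD  # offset of last byte
    if seg_len == 0:
        return first == 0 if rcv_wnd == 0 else first < rcv_wnd
    if rcv_wnd == 0:
        return False                                 # data but no room
    return first < rcv_wnd or last < rcv_wnd


class Endpoint:
    """Just enough TCP state to show how SEQ/ACK evolve through setup, transfer, shutdown."""

    def __init__(self, name, isn, rcv_wnd=4096):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn         # next sequence number we will use
        self.rcv_nxt = None        # next byte expected; unknown until the peer's SYN
        self.rcv_wnd = rcv_wnd
        self.received = b""
        self.rejected = 0          # segments discarded by the window test

    def _seg(self, flags, data=b""):
        seg = {"src": self.name, "flags": set(flags), "seq": self.snd_nxt,
               "ack": self.rcv_nxt, "data": data}
        # SYN and FIN each consume one sequence number; data consumes len(data)
        self.snd_nxt = (self.snd_nxt + len(data) + ("SYN" in flags) + ("FIN" in flags)) % MOD
        return seg

    def listen(self):
        self.state = "LISTEN"

    def open(self):                            # active open: SYN with our ISN
        self.state = "SYN_SENT"
        return self._seg({"SYN"})

    def send(self, data):
        assert self.state == "ESTABLISHED"
        return self._seg({"ACK"}, data)

    def close(self):                           # shut down our half of the circuit
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._seg({"FIN", "ACK"})

    def receive(self, seg):
        """Process one segment; return the reply segment or None."""
        f = seg["flags"]
        if self.state == "LISTEN" and "SYN" in f:                # passive open
            self.rcv_nxt = (seg["seq"] + 1) % MOD
            self.state = "SYN_RCVD"
            return self._seg({"SYN", "ACK"})
        if self.state == "SYN_SENT" and {"SYN", "ACK"} <= f and seg["ack"] == self.snd_nxt:
            self.rcv_nxt = (seg["seq"] + 1) % MOD
            self.state = "ESTABLISHED"
            return self._seg({"ACK"})                            # third leg of the handshake
        if self.state == "SYN_RCVD" and "ACK" in f and seg["ack"] == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        seg_len = len(seg["data"]) + ("FIN" in f)
        if not acceptable(self.rcv_nxt, self.rcv_wnd, seg["seq"], seg_len):
            self.rejected += 1
            return self._seg({"ACK"})                            # re-ACK, consume nothing
        if seg_len == 0:                                         # pure ACK: may complete our FIN
            if "ACK" in f and seg["ack"] == self.snd_nxt:
                self.state = {"FIN_WAIT_1": "FIN_WAIT_2", "LAST_ACK": "CLOSED"}.get(self.state, self.state)
            return None
        if seg["seq"] != self.rcv_nxt:                           # in window but a gap: not buffered here
            return self._seg({"ACK"})
        self.received += seg["data"]
        self.rcv_nxt = (self.rcv_nxt + seg_len) % MOD
        if "FIN" in f:
            self.state = {"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_2": "TIME_WAIT"}.get(self.state, self.state)
        return self._seg({"ACK"})


def exchange(seg, dst, src, trace):
    """Deliver seg to dst, then each reply back the other way, until one side is silent."""
    while seg is not None:
        trace.append(seg)
        seg, dst, src = dst.receive(seg), src, dst


def run_session(isn_a=1000, isn_b=MOD - 8):
    """Client A opens to server B, 15 bytes go each way, a spoofed segment is injected,
    B closes its half, then A closes its half. isn_b is chosen so B's numbers wrap."""
    a, b = Endpoint("A", isn_a), Endpoint("B", isn_b)
    b.listen()
    trace = []
    exchange(a.open(), b, a, trace)                  # SYN, SYN/ACK, ACK
    exchange(a.send(b"A" * 15), b, a, trace)         # 15 bytes A->B, then B's ACK
    exchange(b.send(b"B" * 15), a, b, trace)         # 15 bytes B->A, then A's ACK
    # Constructed attacker segment: right 4-tuple, sequence number guessed 100000 too high
    spoof = {"src": "M", "flags": {"ACK"}, "seq": (b.rcv_nxt + 100000) % MOD,
             "ack": b.snd_nxt, "data": b"evil"}
    b.receive(spoof)                                 # fails the window test, reply is dropped
    exchange(b.close(), a, b, trace)                 # server closes its half
    exchange(a.close(), b, a, trace)                 # client closes its half
    return a, b, trace
```

The window test is the only thing standing between an off-path attacker and the stream: a segment with the right 4-tuple is accepted as soon as its sequence number lands inside RCV.WND, which is why the size of the window and the guessability of sequence numbers both matter later in the lecture.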
Data exchange
[Figure: Client:7890 and Server:80 each send a segment with data len 15 and acknowledge the other's data]

TCP virtual circuit shutdown
- One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set
- The other host, the client, acknowledges the receipt
- From this point on the server will not send any more data; it only sends ACKs for the data it receives (a half-closed circuit)
- When the client shuts down its stream in the same way, the virtual circuit is closed

Virtual circuit shutdown
[Figure: Client:7890 and Server:80; the server closes its half of the circuit, then the client closes its half]

TCP portscan
- Used to determine the TCP services available on a host
- Each service is traditionally associated with a specific port (see /etc/services)
- Assumption: an open port implies the corresponding service is available
- Simplest form: connect scan, i.e. connect() to all possible ports; if the three-way handshake succeeds, the port is open
- Disadvantage: noisy (the connection completes, so the service sees it and typically logs it)

TCP connect scan
  $ nmap -sT 172.16.48.130
  Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  2049/tcp open  nfs
  3306/tcp open  mysql
  5000/tcp open  upnp
  6000/tcp open  X11
  8000/tcp open  http-alt
  Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

tcpdump view of the connect scan (scanner 172.16.48.139 completes the handshake on open port 80 with a final ACK; closed ports answer the SYN with RST/ACK; ports that answer nothing are reported as filtered):
  IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
  IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
  IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
  IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
  IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
  IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
  IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
  IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
  IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
  IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
  IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
  IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
  IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
  IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
  IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]
TCP SYN scan (half-open scan)
- Attacker sends a SYN packet
- The target host replies with SYN/ACK if the port is open, with RST if the port is closed
- The attacker sends a RST instead of the ACK that would complete the three-way handshake
- The connection is never completed, so the application never sees it and does not record the event in its logs (the probe is still visible to a packet-level IDS or firewall; crafting the raw segments needs privileges, hence sudo)
  $ sudo nmap -sS 172.16.48.130
  Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  2049/tcp open  nfs
  3306/tcp open  mysql
  5000/tcp open  upnp
  6000/tcp open  X11
  8000/tcp open  http-alt
  Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

tcpdump view (ports 80 and 111 open, 256 closed; note the scanner's bare RST after each SYN/ACK and that it reuses one source port for all probes):
  IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
  IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
  IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
  IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
  IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
  IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
  IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
  IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]

FIN and Xmas scans
The TCP RFC (793) says:
- If the port is closed, an incoming segment not containing RST causes a RST to be sent
- If the port is open (LISTEN), an incoming segment without SYN, RST or ACK is silently dropped
FIN scan
- Send a segment with only FIN set
- If RST received, port is closed; otherwise open (or filtered: a probe dropped by a firewall and a probe dropped by an open port look identical, hence nmap reports "open|filtered")
Xmas scan
- Send a segment with FIN, PSH and URG set ("lit up like a Christmas tree")
- If RST received, port is closed; else open|filtered
- Both rely on the target stack following the RFC; stacks that answer every probe with RST (nmap's documentation lists Microsoft Windows among them) or hosts that drop everything give no usable distinction, as the Windows run below shows

  $ sudo nmap -sF 172.16.48.130 [target is Linux]
  Starting Nmap 5.00 ( http://nmap.org )...
  8000/tcp open|filtered http-alt

tcpdump view of the FIN scan (closed ports 1700, 625 and 1104 answer with RST; port 8000 stays silent):
  15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
  15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack
  15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
  15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack
  15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
  15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack
  15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048

  $ sudo nmap -sX 172.16.48.128 [target is Windows]
  Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-29 15:55 PST
  All 1000 scanned ports on 172.16.48.128 are open|filtered
  Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

tcpdump view of the Xmas scan (FIN+PSH+URG probes; no reply at all from the Windows target, so nothing can be learned):
  15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
  15:55:31.069670 IP 172.16.48.139.42877 > 172.16.48.128.10004: FP 1557334796:1557334796(0) win 3072 urg 0
  15:55:31.069680 IP 172.16.48.139.42877 > 172.16.48.128.9040: FP
  15:55:31.075453 IP 172.16.48.139.42877 > 172.16.48.128.1236: FP
  15:55:31.079934 IP 172.16.48.139.42877 > 172.16.48.128.2607: FP
  15:55:31.122730 IP 172.16.48.139.42877 > 172.16.48.128.3689: FP 1557334796:1557334796(0) win 2048 urg 0
  15:55:31.126760 IP 172.16.48.139.42877 > 172.16.48.128.4125: FP
  15:55:31.142278 IP 172.16.48.139.42877 > 172.16.48.128.3690: FP 1557334796:1557334796(0) win 2048 urg 0
  15:55:31.145262 IP 172.16.48.139.42877 > 172.16.48.128.1434: FP 1557334796:1557334796(0) win 3072 urg 0
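The inference rules for the connect, SYN, FIN and Xmas scans above can be applied mechanically to a tcpdump trace, and the same parsing gives a defender a simple scan detector. The following is an added example (mine, not from the lecture or from nmap): it parses tcpdump TCP summary lines in both styles seen on these slides, classifies each probed port, and flags a source that sends many ACK-less segments to many different ports and gets mostly RSTs back, which is the signature of a sweep rather than of real traffic (after the first SYN every legitimate segment carries ACK). The sample traces are lines copied from the captures above; the threshold and the "unexpected" label are my choices.

```python
import re
from collections import defaultdict

# Matches both "IP a.b.c.d.port > a.b.c.d.port: Flags [S.]" and the older
# "HH:MM:SS.usec IP a.b.c.d.port > a.b.c.d.port: F 123:123(0) win 3072 ... ack"
LINE_RE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+ )?IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:Flags \[([^\]]*)\]|([SFRPUEW.]+))(.*)$")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for a non-TCP line.
    Flags use single letters; 'A' stands for ACK."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, new, old, rest = m.groups()
    flags = set()
    for ch in (new if new is not None else old):
        if ch == ".":                      # '.' is ACK in the newer tcpdump format
            flags.add("A")
        elif ch in "SFRPUE":
            flags.add(ch)
    if old is not None and re.search(r"\back\b", rest):
        flags.add("A")                     # older format spells ACK out as a word
    return src, int(sport), dst, int(dport), flags


def classify(lines, scanner, scan_type):
    """Port state per the rules on the slides. scan_type 'syn' also covers connect
    scans (same reply semantics); 'fin' also covers Xmas scans."""
    probed, replies = set(), {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if src == scanner:
            probed.add((dst, dport))
        elif (src, sport) in probed:       # a reply from a port we probed
            replies[(src, sport)] = flags
    result = {}
    for key in probed:
        f = replies.get(key)
        if scan_type == "syn":
            if f is None:
                state = "filtered"          # no answer at all
            elif "S" in f and "A" in f:
                state = "open"              # SYN/ACK
            elif "R" in f:
                state = "closed"            # RST (usually RST/ACK)
            else:
                state = "unexpected"
        else:                               # RFC 793: only a closed port answers, with RST
            state = "closed" if f is not None and "R" in f else "open|filtered"
        result[key] = state
    return result


def detect_scanners(lines, min_ports=5):
    """Sources that sent ACK-less segments (SYN, FIN, Xmas probes) to at least
    min_ports distinct target ports, with the number of RSTs they drew back."""
    ports, rsts = defaultdict(set), defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if "A" not in flags:
            ports[src].add((dst, dport))
        elif "R" in flags:
            rsts[dst] += 1                 # RST/ACK going back to the prober
    return {s: {"ports": len(ps), "rst_replies": rsts[s]}
            for s, ps in ports.items() if len(ps) >= min_ports}


# Sample input: lines copied from the connect-scan and FIN-scan captures on the slides
CONNECT_TRACE = """\
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]""".splitlines()

FIN_TRACE = """\
15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048""".splitlines()
```

Two practical caveats follow from the code: "filtered" and "open|filtered" are statements about the absence of a reply within the capture, so a lossy or too-short capture inflates them; and the detector keys on the 4-tuple's destination port count, so a scanner that spreads a sweep across many source addresses (or across a long time) stays under any per-source threshold.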
OS fingerprinting
- Leverages differences in how operating systems implement the protocols to remotely identify the OS running on a host
Active fingerprinting
- Send carefully crafted packets and observe the response:
  - Response to FIN probes
  - Weird combinations of TCP flags
  - Initial TCP sequence number (the ISN generation pattern)
  - Initial TCP window size
  - ICMP messages (error rate limiting, how much of the packet that triggered the message is quoted back)
- Can be noisy
- Tools: nmap, xprobe
Passive fingerprinting
- Observe traffic received or monitored during regular communication
- Normal traffic, thus hard to detect
- Tool: p0f, http://lcamtuf.coredump.cx/p0f/readme

TCP spoofing: naive attempt
- Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob, the trust model of the BSD r-commands)
- Mallory wants to impersonate Bob when opening a TCP connection to Alice
- Steps:
  1. M sends a SYN segment to A with the source IP address set to B's IP address
  2. A sends a SYN/ACK to B
  3. B, which never sent a SYN, replies with RST and A tears down the half-open connection
- Fail: retry, this time after taking Bob out of the picture

TCP spoofing
- Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob)
- Mallory wants to impersonate Bob when opening a TCP connection to Alice
- Steps:
  1. M "kills" B, i.e. makes it unable to answer (e.g., by flooding it)
  2. M sends a SYN segment to A with the source IP address set to B's IP address
  3. A sends a SYN/ACK to B with its initial sequence number I_A; B cannot respond, so no RST is sent
  4. M completes the three-way handshake with ACK set to I_A + 1, and from then on can send data as B without ever seeing A's replies
- How does M know I_A? There are two cases:
  - M can sniff traffic from A: M just eavesdrops on A's response containing I_A
  - M cannot sniff traffic from A (e.g., different networks): M has to guess the correct I_A value ("blind spoofing"), which is feasible when ISNs are predictable, as with the BSD scheme seen earlier
- Described in R. T. Morris, "A Weakness in the 4.2BSD UNIX TCP/IP Software" (1985)
- Used by Kevin Mitnick in his 1994 attack against systems at the San Diego Supercomputer Center
- Addressed by S. Bellovin, RFC 1948, "Defending Against Sequence Number Attacks"

Defending against sequence number attacks (RFC 1948)
- Set the initial sequence number to the timer prescribed originally plus the value of a cryptographic hash function of the connection identifiers:
    ISN = M + F(localhost, localport, remotehost, remoteport)
  where M is the 4-microsecond timer of RFC 793
- It is vital that F is not computable from the outside, so it is keyed with some secret data:
  - a true random number, or
  - a per-host secret combined with the boot time of the machine
- Thus each connection is given a separate sequence number space: the ISNs Mallory observes on her own connections to Alice say nothing about the ISN Alice will use towards Bob
- That's the theory, at least

Eike Ritter, Network Security - Lecture 7

Take away points and next time
- TCP format
- TCP connection: setup, data exchange, shutdown
- Port scanning and fingerprinting
- Spoofing; initial sequence numbers
NEXT ON: TCP hijacking; denial of service (SYN flooding); DNS
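The two ISN schemes from the "Initial sequence numbers" slide and the RFC 1948 construction above can be put side by side to show exactly why blind spoofing works against one and not the other. This is an added example, not code from the lecture or from any operating system: the BSD generator follows the increments stated on the slide, the RFC 793 clock ticks every 4 microseconds, and for F I use HMAC-SHA256 truncated to 32 bits (RFC 1948 leaves the choice of keyed hash open, so that is an assumption, as are the host names, the rlogin port 513, the starting counter value and the fixed "secret"). Mallory's procedure is the one described on the spoofing slide: open one legitimate connection to Alice to observe an ISN, then predict the ISN of the SYN/ACK Alice sends to Bob one second later.

```python
import hashlib
import hmac

MOD = 1 << 32


def isn_rfc793(now_us):
    """RFC 793 generator: a 32-bit clock ticking once every 4 microseconds."""
    return (now_us // 4) % MOD


class BsdIsn:
    """The early BSD scheme from the slides: +64,000 every half second and
    +64,000 for every connection established. Deterministic, hence guessable."""

    def __init__(self, start=0):
        self.value = start % MOD

    def tick(self, seconds):
        self.value = (self.value + 64000 * int(seconds * 2)) % MOD

    def new_connection(self):
        self.value = (self.value + 64000) % MOD
        return self.value


def predict_bsd(observed_isn, elapsed_seconds, connections_since):
    """What a blind spoofer computes: the ISN seen on her own connection, advanced
    by the clock and by the connections she knows were opened since."""
    return (observed_isn + 64000 * int(elapsed_seconds * 2) + 64000 * connections_since) % MOD


def isn_rfc1948(now_us, local, lport, remote, rport, secret):
    """RFC 1948: ISN = M + F(local, lport, remote, rport, secret). F is a keyed
    hash (HMAC-SHA256 truncated to 32 bits here), so each 4-tuple has its own
    sequence space that still advances with the RFC 793 clock."""
    conn = f"{local}:{lport}->{remote}:{rport}".encode()
    f = int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")
    return (isn_rfc793(now_us) + f) % MOD


def blind_spoof(isn_scheme):
    """Mallory (M) opens a real connection to Alice (A) to observe one ISN, waits one
    second, then sends a SYN spoofed as Bob (B) and must guess the ISN in the SYN/ACK
    she never sees. Returns (guess, actual)."""
    if isn_scheme == "bsd":
        alice = BsdIsn(start=10_000)            # constructed starting value
        seen = alice.new_connection()           # ISN Alice gave Mallory's own connection
        alice.tick(1.0)
        actual = alice.new_connection()         # ISN Alice now uses towards "Bob"
        guess = predict_bsd(seen, 1.0, 1)       # exact: same clock, one connection since
    else:
        secret = b"constructed per-host secret; random at boot in reality"
        t0, t1 = 0, 1_000_000                   # microseconds
        seen = isn_rfc1948(t0, "alice", 513, "mallory", 1023, secret)
        actual = isn_rfc1948(t1, "alice", 513, "bob", 1023, secret)
        # Best effort without the secret: assume Bob's offset equals Mallory's
        guess = (seen + isn_rfc793(t1) - isn_rfc793(t0)) % MOD
    return guess, actual
```

The "That's the theory" caveat on the slide is about the hash, not the construction: if F leaks, has too few bits, or the secret is shared across hosts or guessable from boot time alone, the attacker is back to predicting a clock. Note also that the keyed offset only protects the ISN; it does nothing against an on-path attacker who simply reads it.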