TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6


TCP

TCP/IP: TCP (Network Security Lecture 6). Based on IP. Provides a connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering). Provides a port abstraction (like UDP). Establishes a virtual circuit (over packet-switched IP), identified by (source IP address, source port, destination IP address, destination port). Full duplex: two streams. Specified in RFC 793.

TCP segment

Header layout (bit offsets 0 4 8 12 16 20 24 28 31):
  Source port (16 bits) | Destination port (16 bits)
  Sequence number (32 bits)
  Acknowledgment number (32 bits)
  Hdr len (4 bits) | Reserved | Flags | Window (16 bits)
  Checksum (16 bits) | Urgent pointer (16 bits)
  Options (present only if hdr_len > 5) | Padding
  Data

TCP encapsulation

The TCP header and TCP data form the IP data, which follows the IP header; the IP header and IP data in turn form the frame data, which follows the frame header.
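An added example (not from the lecture slides) that parses the header layout above from raw bytes and decodes the flag bits; the SYN segment it builds is constructed for the demo, and the checksum is left at zero because computing it needs the IP pseudo-header.

```python
import struct

# Flag bits of the 8-bit flags field, in the order used by the slides
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header, its options and the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     checksum, urgptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = off_res >> 4                 # data offset, in 32-bit words
    if hdr_len < 5 or hdr_len * 4 > len(segment):
        raise ValueError("bad data offset %d" % hdr_len)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": checksum, "urgptr": urgptr,
        # options (plus padding) exist only when hdr_len > 5
        "options": segment[20:hdr_len * 4],
        "data": segment[hdr_len * 4:],
    }


def build_tcp_header(sport, dport, seq, ack, flags, window,
                     options=b"", data=b"") -> bytes:
    """Inverse of parse_tcp_header; options are padded to 32-bit words.
    The checksum is left at 0 (it is computed over the IP pseudo-header)."""
    options += b"\x00" * (-len(options) % 4)
    hdr_len = 5 + len(options) // 4
    flag_byte = sum(bit for name, bit in FLAG_BITS if name in flags)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        hdr_len << 4, flag_byte, window, 0, 0)
    return fixed + options + data


# Constructed sample: client 7890 -> server 80, SYN carrying an MSS option
SAMPLE_SYN = build_tcp_header(7890, 80, 1234, 0, {"SYN"}, 65535,
                              options=b"\x02\x04\x05\xb4")
```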

TCP seq/ack numbers

The sequence number specifies the position of this segment's data in the communication stream: SEQ=1234 means that the payload of this segment contains data starting at byte 1234. The acknowledgment number specifies the position of the next byte expected from the other host: ACK=1234 means that the host has correctly received everything up to byte 1233 and expects byte 1234. These numbers are the basis for the retransmission of lost segments and for the detection of duplicates.

TCP flags

Used for the setup/shutdown of the virtual circuit and for other operations on it:
  SYN: used in connection setup
  ACK: the acknowledgment number is valid
  FIN: request to shut down one stream
  RST: reset the virtual circuit
  URG: indicates that the urgent pointer is valid
  PSH: indicates that data should be passed to the application as soon as possible ("push")

TCP virtual circuit setup

TCP establishes a connection-oriented communication service on top of packet-oriented IP. The setup is done through the three-way handshake (figure: Client:7890 and Server:80):
  Client sends a SYN to the server (active open); sequence number is I_A
  Server replies with SYN-ACK; the ack is set to I_A + 1; sequence number is I_B
  Client sends ACK; the ack is set to I_B + 1; sequence number is I_A + 1

Initial sequence numbers

What to use as the initial sequence number? The original standard specified that the sequence number should be incremented every 4 microseconds. BSD UNIXes initially used a number that is incremented by 64,000 every half second and by 64,000 every time a connection is established. We'll see in a bit if these are good choices.

TCP data exchange

Host sends data. Acknowledgment number: up to the previous segment. Sequence number: the initial sequence number increased by the amount of data transferred so far. The recipient (RCV) accepts a segment (SEG) if the segment is inside the receive window:
  RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW
or
  RCV.ACK <= SEG.SEQ + SEG.LENGTH - 1 < RCV.ACK + RCV.WINDOW
Empty segments may be exchanged to acknowledge received data.
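The receive-window acceptance test above, as an added example (not from the slides), evaluated with modulo 2^32 arithmetic so it still holds when the sequence space wraps; RCV.ACK is the slides' name for the next byte expected (RCV.NXT in RFC 793), and the zero-window case is taken from RFC 793 rather than from the slide.

```python
MOD = 1 << 32   # sequence numbers are 32-bit and wrap around


def in_window(x: int, lo: int, size: int) -> bool:
    """True if lo <= x < lo + size, evaluated modulo 2**32."""
    return (x - lo) % MOD < size


def segment_acceptable(rcv_ack: int, rcv_window: int,
                       seg_seq: int, seg_length: int) -> bool:
    """Accept if the segment's first or last byte lies inside the window.

    Implements:  RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW
             or  RCV.ACK <= SEG.SEQ + SEG.LENGTH - 1 < RCV.ACK + RCV.WINDOW
    Edge cases (RFC 793): an empty segment only needs its SEQ in window;
    a zero window accepts only an empty segment sitting exactly at RCV.ACK.
    """
    if rcv_window == 0:
        return seg_length == 0 and seg_seq == rcv_ack
    if seg_length == 0:
        return in_window(seg_seq, rcv_ack, rcv_window)
    first_ok = in_window(seg_seq, rcv_ack, rcv_window)
    last_byte = (seg_seq + seg_length - 1) % MOD
    last_ok = in_window(last_byte, rcv_ack, rcv_window)
    return first_ok or last_ok
```

A segment whose first byte is old but whose tail reaches into the window (a retransmission overlapping new data) is accepted by the second condition, which is why both tests are needed.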

Data exchange

(figure: Client:7890 and Server:80 exchange two segments, each with data len: 15)

TCP virtual circuit shutdown

One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set. The other host, the client, acknowledges the receipt. From this point on, the server will not send any data; it will only send ACKs for the data it receives. When the client shuts down its stream, the virtual circuit is closed.

Virtual circuit shutdown

(figure: Client:7890 and Server:80; the server closes its half of the circuit, then the client closes its half of the circuit)

TCP portscan

Used to determine the TCP services available on a host. Each service is traditionally associated with a specific port (see /etc/services). Assumption: an open port implies that the corresponding service is available. Simplest form: connect scan, i.e., connect to all possible ports; if the three-way handshake succeeds, the port is open. Disadvantage: noisy.

TCP connect scan

$ nmap -sT 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
3306/tcp open mysql
5000/tcp open upnp
6000/tcp open X11
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

TCP connect scan (packet trace)

IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]

TCP SYN scan

The attacker sends a SYN packet. The target host replies with a SYN/ACK if the port is open, and with a RST if the port is closed. The attacker then sends a RST instead of the ACK that would complete the three-way handshake. The connection is never completed, so applications do not record the event in their logs.

$ sudo nmap -sS 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
3306/tcp open mysql
5000/tcp open upnp
6000/tcp open X11
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]

FIN and Xmas scans

The TCP RFC says: if the port is closed, an incoming segment not containing RST causes a RST to be sent; if the port is open, an incoming segment without SYN, RST, or ACK is silently dropped.
  FIN scan: send a segment with FIN; if a RST is received, the port is closed, else it is open.
  Xmas scan: send a segment with FIN, PSH, and URG; if a RST is received, the port is closed, else it is open.

$ sudo nmap -sF 172.16.48.130  [target is Linux]
Starting Nmap 5.00 ( http://nmap.org )...
8000/tcp open|filtered http-alt

15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack
15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048

$ sudo nmap -sX 172.16.48.128  [target is Windows]
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-29 15:55 PST
All 1000 scanned ports on 172.16.48.128 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
15:55:31.069670 IP 172.16.48.139.42877 > 172.16.48.128.10004: FP 1557334796:1557334796(0) win 3072 urg 0
15:55:31.069680 IP 172.16.48.139.42877 > 172.16.48.128.9040: FP
15:55:31.075453 IP 172.16.48.139.42877 > 172.16.48.128.1236: FP
15:55:31.079934 IP 172.16.48.139.42877 > 172.16.48.128.2607: FP
15:55:31.122730 IP 172.16.48.139.42877 > 172.16.48.128.3689: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.126760 IP 172.16.48.139.42877 > 172.16.48.128.4125: FP
15:55:31.142278 IP 172.16.48.139.42877 > 172.16.48.128.3690: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.145262 IP 172.16.48.139.42877 > 172.16.48.128.1434: FP 1557334796:1557334796(0) win 3072 urg 0
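Detection logic for the connect, SYN, FIN and Xmas scans described above, as an added example that is not part of the lecture: it reads tcpdump-style lines in both the "Flags [S.]" and the older "F ...(0) win ..." formats, and the sample lines are constructed (TEST-NET addresses) after the traces shown in the slides; the threshold of three probed ports is an assumption.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[)?(?P<flags>[SFRPUW.]+)\]?(?P<rest>.*)")

# Constructed sample: 192.0.2.10 probes 192.0.2.20; 192.0.2.30 connects normally
SAMPLE = """\
IP 192.0.2.10.40001 > 192.0.2.20.80: Flags [S]
IP 192.0.2.20.80 > 192.0.2.10.40001: Flags [S.]
IP 192.0.2.10.40001 > 192.0.2.20.80: Flags [R]
IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S]
IP 192.0.2.10.40001 > 192.0.2.20.443: Flags [S]
IP 192.0.2.20.443 > 192.0.2.10.40001: Flags [R.]
15:50:33.991035 IP 192.0.2.10.49879 > 192.0.2.20.1700: F 2638861074:2638861074(0) win 3072
15:55:31.061908 IP 192.0.2.10.42877 > 192.0.2.20.2869: FP 1557334796:1557334796(0) win 1024 urg 0
IP 192.0.2.30.51000 > 192.0.2.20.80: Flags [S]
IP 192.0.2.20.80 > 192.0.2.30.51000: Flags [S.]
IP 192.0.2.30.51000 > 192.0.2.20.80: Flags [.]""".splitlines()


def analyze(lines, threshold=3):
    """Per (source, target) pair, count probe styles and flag likely scans."""
    stats = defaultdict(lambda: dict(syn_ports=set(), half_open=0,
                                     completed=0, fin=0, xmas=0))
    synacked = set()   # flows the target answered with SYN/ACK (port open)
    for m in filter(None, map(LINE_RE.search, lines)):
        fl = set(m["flags"].replace(".", "A"))   # tcpdump's '.' means ACK
        if "urg" in m["rest"]:                   # old format shows URG separately
            fl.add("U")
        pair, flow = (m["src"], m["dst"]), (m["src"], m["sport"], m["dst"], m["dport"])
        if fl == {"S"}:
            stats[pair]["syn_ports"].add(int(m["dport"]))
        elif fl == {"S", "A"}:                   # remember the answered flow
            synacked.add((m["dst"], m["dport"], m["src"], m["sport"]))
        elif fl == {"A"} and flow in synacked:   # handshake completed: connect scan
            stats[pair]["completed"] += 1
        elif fl == {"R"} and flow in synacked:   # RST instead of ACK: SYN scan
            stats[pair]["half_open"] += 1
        elif fl == {"F"}:
            stats[pair]["fin"] += 1
        elif fl == {"F", "P", "U"}:
            stats[pair]["xmas"] += 1
    verdicts = {}
    for pair, s in stats.items():
        if len(s["syn_ports"]) >= threshold or s["fin"] + s["xmas"] >= threshold:
            verdicts[pair] = [k for k, n in zip(("SYN scan", "connect scan", "FIN scan", "Xmas scan"),
                              (s["half_open"], s["completed"], s["fin"], s["xmas"])) if n]
    return verdicts, stats
```

Note the asymmetry the slide points out: a connect scan leaves completed handshakes in application logs, while the SYN, FIN and Xmas probes only ever show up at the packet level, so this kind of check has to run on a capture or a flow log rather than on the server's logs.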

OS fingerprinting

Leverages differences in how different operating systems implement protocols to remotely identify the OS running on a host.

Active fingerprinting: send carefully crafted packets and observe the response:
  response to FIN messages
  weird combinations of TCP flags
  initial TCP sequence number
  initial TCP window size
  ICMP messages (error rate, inclusion of the packet that triggered the message)
Can be noisy. Tools: nmap, xprobe.

Passive fingerprinting: observe traffic received or monitored during regular communication. Normal traffic, thus hard to detect. See http://lcamtuf.coredump.cx/p0f/readme

TCP spoofing (first attempt)

Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob). Mallory wants to impersonate Bob when opening a TCP connection to Alice. Steps:
  M sends a SYN segment to A with the source IP address set to B's IP address
  A sends a SYN/ACK to B
  B replies with RST
Fail: retry.

TCP spoofing (second attempt)

Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob). Mallory wants to impersonate Bob when opening a TCP connection to Alice. Steps:
  M kills B (e.g., flooding)
  M sends a SYN segment to A with the source IP address set to B's IP address
  A sends a SYN/ACK to B, with its initial sequence number I_A
  M completes the 3-way handshake, with ACK set to I_A + 1

How does M know I_A? There are two cases:
  M can sniff traffic from A: M just eavesdrops A's response containing I_A
  M cannot sniff traffic from A (e.g., different networks): M guesses the correct I_A value ("blind spoofing")
Described in R. T. Morris, "A Weakness in the 4.2BSD UNIX TCP/IP Software". Used by Kevin Mitnick in his attack against the San Diego Supercomputer Center. Addressed by S. Bellovin, RFC 1984, "Defending Against Sequence Number Attacks".

Defending against sequence number attacks

Set the initial sequence number to the timer prescribed originally plus the value of a cryptographic hash function of each connection:
  ISN = M + F(localhost, localport, remotehost, remoteport)
It is vital that F not be computable from the outside, so it is keyed with some secret data: a true random number, or a per-host secret and the boot time of the machine. Thus, each connection is given a separate sequence number space. That's the theory, at least.

Eike Ritter, Network Security - Lecture 7

Take away points and next time

Take away points: TCP format; TCP connection setup, data exchange, shutdown; port scanning and fingerprinting; spoofing; initial sequence numbers.
Next on: TCP hijacking; denial of service; SYN flooding; DNS.
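The ISN construction ISN = M + F(localhost, localport, remotehost, remoteport) from the sequence-number defence above, as an added example (not from the slides or the RFC): F is instantiated as HMAC-SHA256 under a per-host secret, an assumption on my part (the slide only requires F to be keyed and not computable from outside), and M is the 4-microsecond timer of the original standard, with everything truncated to 32 bits.

```python
import hashlib
import hmac
import os
import time

MOD = 1 << 32
HOST_SECRET = os.urandom(32)   # per-host secret drawn at boot; never leaves the host


def timer_m(now_us=None) -> int:
    """The original clock: one tick every 4 microseconds, wrapping at 2**32."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    return (now_us // 4) % MOD


def connection_offset(secret: bytes, lhost, lport, rhost, rport) -> int:
    """F(): keyed hash of the 4-tuple, giving each connection its own space.
    Without the key, an outsider who sees one connection's ISN learns nothing
    about the offset of any other 4-tuple."""
    msg = f"{lhost}:{lport}|{rhost}:{rport}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def initial_seq(lhost, lport, rhost, rport, secret=HOST_SECRET, now_us=None) -> int:
    """ISN = M + F(localhost, localport, remotehost, remoteport) mod 2**32."""
    offset = connection_offset(secret, lhost, lport, rhost, rport)
    return (timer_m(now_us) + offset) % MOD
```

Within one 4-tuple the ISN still advances with the timer as RFC 793 intends, so old duplicates are rejected as before; only the starting point of each connection's space is hidden from other hosts.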