11 TCP Ip

The document discusses TCP/IP protocols and packet headers. It provides details on Ethernet, IP, TCP and ICMP headers. It also covers TCP and IP fragmentation, ping of death, smurf attacks, and other DoS exploits.

Uploaded by marina890416
Copyright: © Attribution Non-Commercial (BY-NC)

ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, [email protected], 404 894-5177, fax 404 894-0035, Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Slides 11 - Fun with TCP/IP

4/18/2011

Ethernet Header (MAC or Link Layer)

Frame layout: Ethernet Hdr - 14 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

Header fields (each row is 32 bits, bit 0 to bit 31):
  Bytes 0 - 11:  Source Address - 6 bytes, Destination Address - 6 bytes
  Bytes 12 - 13: Next Protocol # (LSB, MSB); 08 00 -> x8000 -> IP, so the Next Level Protocol Header that follows is the IP header

IP Header (Network Layer)

Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

Fields called out: Length, Frag. Flags, Fragment Offset, Next Protocol #

Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: 001 = More Fragments (MF); 010 = Do Not Fragment (DNF)

Fragmented Packet

Fragment 1: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data: 20 + 1260 bytes
Fragment 2: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data: 1280 bytes
Fragment 3: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data: 760 bytes
Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 +1280 + 1280 + 760 bytes.

IP Fragment ID number is the same for each fragment.



Ping of Death

Fragment: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data: 1000 bytes
Reassembly memory: Packet Buffer 65,535 bytes | Packet Buffer 65,535 bytes (the next buffer)

Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing older versions of Windows to crash. Ping was used because "# ping -s 66500" used to work. fragrouter is a hacker program that generates bad fragments.

Fragmented Packets as seen by tcpdump

# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'          <- filter for seeing fragments
22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)   <- very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)   <- very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)   <- very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)   <- very small, isolated fragment (note the close times and different IPs)

43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8, + means the More Fragments bit is set.

Protocols over IP

Application layer: listening port numbers (well-known?), e.g., 80 and 161
Transport layer:   IP Next Protocol Numbers, e.g., 6 (TCP, carrying port 80) and 17 (UDP, carrying port 161); also directly over IP: 89 (OSPF), 46 (RSVP), 50 (IPsec ESP)
Network layer:     IP (Ethernet Next Protocol Number x0800); ARP alongside it
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)

UDP Header (big endian) and ICMP Header (big endian)

ICMP header layout (each row is 32 bits, bit 0 to bit 31):
  Bytes 0 - 3: Type (8 bits), Code (8 bits), Checksum (16 bits)
  Bytes 4 - 7: Identifier (16 bits), Sequence Number (16 bits)
  Bytes 8 - :  Optional Data

Type Field:
  0 - Echo Reply (Code=0)
  3 - Destination Unreachable
  5 - Redirect (change route)
  8 - Echo Request (Ping)
  11 - Timeout (traceroute)

Type 3 - Codes:
  0 - Network Unreachable
  1 - Host Unreachable
  3 - Port Unreachable (UDP "Reset": old header returned in the data)
  7 - Destination Host Unknown
  12 - Host Unreachable for Type of Service

Smurf Attack

Attacker 23.45.67.89 sends an ICMP Echo Request (Ping):  To: 222.45.6.255 (Broadcast)  From: 130.207.225.23 (spoofed)
Hosts on Network 222.45.6.0/24 (Network Broadcast Address = 222.45.6.255) send ICMP Echo Responses  To: 130.207.225.23
Victim 130.207.225.23 receives all of the responses.  (How is this prevented?)

TCP Header

Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data

* Header length field = length of TCP Header in bytes / 4

TCP Flags: U A P R S F (Urgent, Ack, Push, Reset, Syn, Fin)

TCP Three-Way Handshake

Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
then data in both directions: Ack (Push, Urgent), Ack (Push, Urgent), ...

TCP Three-Way Disconnect

Host A <-> Host B: Ack (Push, Urgent), Ack (Push, Urgent) (data still flowing)
Host A -> Host B: Fin + Ack
Host B -> Host A: Ack
Host B -> Host A: Fin + Ack
Host A -> Host B: Ack
or: Reset + Ack in place of the Fin exchange

Either A or B can be the Server

TCP Initial: SYN, SYN-ACK, ACK
(wireshark screenshot not reproduced)

TCP Final: FIN, ACK, FIN-ACK, ACK
(wireshark screenshot not reproduced)

TCP SYN and RES-ACK (no connection)
(wireshark screenshot not reproduced)

as seen using wireshark

TCP State Diagram
(state diagram figure not reproduced; it shows the Reset transitions as well as the normal ones)

Flag combinations (Reset, Fin, Syn, Ack) and what each one means:

Reset  Fin  Syn  Ack   Comment
  0     0    0    1    OK
  0     0    1    0    1st Packet
  0     0    1    1    2nd Packet
  0     1    0    0    Needs Ack
  0     1    0    1    OK
  0     1    1    0    Illegal
  0     1    1    1    Illegal
  1     0    0    0    Needs Ack
  1     0    0    1    OK
  1     0    1    0    Illegal
  1     0    1    1    Illegal
  1     1    0    0    Illegal
  1     1    0    1    Illegal
  1     1    1    0    Illegal
  1     1    1    1    Illegal

Illegal flag combinations are used to determine the Operating System.
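The table above reduces to one rule (a SYN never travels with FIN or RST, and RST never with FIN). The following added example, not from the slides, encodes that rule, parses the ACK bit and flag letters out of the old-style tcpdump lines printed later in this deck, and counts per source host how many packets carry an Illegal combination, which is the signal a defender would watch for OS-fingerprinting probes. The SAMPLE lines are constructed: the first three are the deck's own handshake with option fields trimmed, the last two are made-up probes.

```python
import re
from collections import Counter

# Old-style tcpdump line as printed on the slides: "time src > dst: FLAGS ...", where FLAGS is letters
# from S F R P U ("." = none) and the ACK bit shows up separately as "ack N" further along the line.
TCP_RE = re.compile(r"^\S+ (\S+) > (\S+): ([SFRPU.]+)(?:\s(.*))?$")

def classify(rst, fin, syn, ack):
    """The slide's table as a rule: what a Reset/Fin/Syn/Ack combination means."""
    if (syn and (fin or rst)) or (rst and fin):  # SYN never with FIN or RST; RST never with FIN
        return "Illegal"
    if syn:
        return "2nd Packet" if ack else "1st Packet"  # SYN-ACK, SYN
    if not ack:
        return "Needs Ack"  # a lone FIN or RST
    return "OK"

def host(token):
    """Strip the trailing .port that tcpdump appends to an IPv4 address."""
    return ".".join(token.split(".")[:4])

def flags_from_line(line):
    """Return (src_host, rst, fin, syn, ack) for an old-style tcpdump TCP line, else None."""
    m = TCP_RE.match(line)
    if not m:
        return None
    src, _dst, letters, rest = m.groups()
    ack = re.search(r"\back \d", rest or "") is not None
    return host(src), "R" in letters, "F" in letters, "S" in letters, ack

def illegal_senders(lines):
    """Count, per source host, packets whose flag combination the table marks Illegal."""
    counts = Counter()
    for line in lines:
        parsed = flags_from_line(line)
        if parsed and classify(*parsed[1:]) == "Illegal":
            counts[parsed[0]] += 1
    return counts

# Constructed sample: lines 1-3 are the slide's own handshake (checksum and option fields trimmed),
# lines 4-5 are made-up probes whose flag combinations the table rejects.
SAMPLE = [
    "20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S 2818212180:2818212180(0) win 32768 (DF) (ttl 64, id 13382, len 60)",
    "20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S 261524396:261524396(0) ack 2818212181 win 33304 (DF) (ttl 52, id 16741, len 60)",
    "20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . ack 1 win 33304 (DF) (ttl 64, id 13383, len 52)",
    "20:44:10 10.0.0.7.40000 > 192.168.1.132.25: SF 1:1(0) win 1024 (ttl 50, id 1, len 40)",
    "20:44:10 10.0.0.7.40001 > 192.168.1.132.25: FR 1:1(0) win 1024 (ttl 50, id 2, len 40)",
]
```

Calling illegal_senders(SAMPLE) returns a single entry, 10.0.0.7 with 2 illegal packets, while the three handshake lines classify as 1st Packet, 2nd Packet and OK.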


DoS Exploits using TCP Packets

Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP 139). Crashes Win 95 and NT.
Blue Screen of Death - Set the Urgent Flag and Urgent Offset Pointer = 3. Older Windows OS would crash.
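The Land, Ping of Death and Tear Drop conditions above are all visible in the tcpdump fragment notation shown earlier (ID:Data-Length@Offset+). This added example, not code from the slides, parses that notation from tcpdump-style lines and flags the three patterns: source equal to destination, a fragment whose data would end past the 65,535-byte reassembly buffer, and a fragment that overlaps an earlier piece of the same datagram. The SAMPLE lines are constructed; only the first two repeat the deck's real capture.

```python
import re
from collections import defaultdict

MAX_IP_LEN = 65535  # an IP datagram's Total Length field is 16 bits, so this is the reassembly buffer size
# tcpdump's fragment notation from the slide: (frag ID:Data-Length@Offset+), "+" = More Fragments set
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def split_host(token):
    """IPv4 address from a tcpdump token such as '128.61.60.143.3472' or '217.98.230.192:'."""
    return ".".join(token.rstrip(":").split(".")[:4])

def parse_line(line):
    """(src, dst, frag) for one tcpdump line; frag is (id, length, offset, more) or None."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != ">":
        return None
    m = FRAG_RE.search(line)
    frag = (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) == "+") if m else None
    return split_host(parts[1]), split_host(parts[3]), frag

def check_lines(lines):
    """Return [(kind, detail)] for every Land, Ping of Death or Teardrop pattern found, in line order."""
    findings, seen = [], defaultdict(list)  # seen: (src, dst, id) -> [(offset, length)] per datagram
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, frag = rec
        if src == dst:  # Land: source address = destination address
            findings.append(("land", f"{src} > {dst}"))
        if frag is None:
            continue
        fid, length, offset, _more = frag
        if offset + length > MAX_IP_LEN:  # Ping of Death: data would end past the 65,535-byte buffer
            findings.append(("ping-of-death", f"id {fid}: {offset} + {length} > {MAX_IP_LEN}"))
        for prev_off, prev_len in seen[(src, dst, fid)]:
            if offset < prev_off + prev_len and prev_off < offset + length:  # Teardrop: overlapping pieces
                findings.append(("teardrop", f"id {fid}: {length}@{offset} overlaps {prev_len}@{prev_off}"))
                break
        seen[(src, dst, fid)].append((offset, length))
    return findings

# Constructed sample: lines 1-2 repeat the slide's normal two-piece fragment; lines 3-6 are made up
# (Ping of Death fragment, an overlapping Teardrop pair, a Land packet).
SAMPLE = [
    "22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . (frag 43660:64@0+) (ttl 127, len 84)",
    "22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)",
    "22:11:00 10.0.0.5 > 10.0.0.9: icmp (frag 777:1000@65500) (ttl 64, len 1020)",
    "22:11:01 10.0.0.5 > 10.0.0.9: udp (frag 900:100@0+) (ttl 64, len 120)",
    "22:11:01 10.0.0.5 > 10.0.0.9: udp (frag 900:100@50) (ttl 64, len 120)",
    "22:11:02 10.0.0.9.139 > 10.0.0.9.139: S 1:1(0) win 512 (ttl 64, len 40)",
]
```

check_lines(SAMPLE) reports nothing for the deck's two real fragments (44@64 starts exactly where 64@0 ends) and one finding each for the three constructed attack lines.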


TCP Session Hijack

(0) - Alice and Bob have an established TCP connection.
Attacker:
(1) sniffs the network and watches Alice establish the TCP session with Bob
(2) DoS attack to silence Alice (Acks and Resets)
(3) hijacks the TCP connection by using the correct sequence number

Off-LAN Attack (cannot sniff) to get by a host-based firewall:
1. Open several TCP connections to Bob, to predict the next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on Bob's predicted seq. no. (from Alice's IP).
4. Send exploit to Bob (assume all packets are Acked).

TCP Connect Handshake - shown by tcpdump

20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 1015223232 0> (DF) (ttl 64, id 13382, len 60)   <no ack!>
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <nop,nop,timestamp 693175946 1015223232,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . ack 1 win 33304 <nop,nop,timestamp 1015223234 693175946> (DF) (ttl 64, id 13383, len 52)
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: P 1:62(61) ack 1 win 33304 <nop,nop,timestamp 693175953 1015223234> (DF) (ttl 52, id 16742, len 113)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: P [bad tcp cksum 24f8!] 1:23(22) ack 62 win 33304 <nop,nop,timestamp 1015223234 693175953> (DF) (ttl 64, id 13384, len 74)

TCP Finish Handshake - shown by tcpdump

20:44:01 204.127.198.27.25 > 192.168.1.132.49194: P 2425:2467(42) ack 3889 win 33304 <nop,nop,timestamp 693176146 1015223238> (DF) (ttl 52, id 16760, len 94)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 <nop,nop,timestamp 1015223238 693176146> (DF) (ttl 64, id 13402, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: . [tcp sum ok] ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16761, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16762, len 52)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: . [bad tcp cksum 2c51!] ack 2468 win 33304 <nop,nop,timestamp 1015223238 693176152> (DF) (ttl 64, id 13403, len 52)
