TCP/IP: tcpexr/lectures/networksecurity/11_12/slides/06...
TRANSCRIPT
TCP
• Based on IP
• Provides connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering)
• Provides port abstraction (like UDP)
• Establishes a virtual circuit (over packet-switching IP), identified by the 4-tuple (source IP address, source port, destination IP address, destination port)
– Full duplex: two streams
• RFC 793
Eike Ritter Network Security - Lecture 6 1
TCP segment

 0               8              16              24             31
 +-------------------------------+-------------------------------+
 |          Source port          |       Destination port        |
 +-------------------------------+-------------------------------+
 |                        Sequence number                        |
 +---------------------------------------------------------------+
 |                     Acknowledgment number                     |
 +-------+-----------+-----------+-------------------------------+
 |Hdr len| Reserved  |   Flags   |            Window             |
 +-------+-----------+-----------+-------------------------------+
 |           Checksum            |        Urgent pointer         |
 +-----------------------------------------------+---------------+
 |           Options (if hdr_len > 5)            |    Padding    |
 +-----------------------------------------------+---------------+
 |                             Data                              |
 +---------------------------------------------------------------+

(Hdr len is the header length in 32-bit words, so 5 means a bare 20-byte header and anything larger means options are present.)
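As an added example (not part of the lecture slides), the following Python builds and decodes a segment laid out exactly as in the diagram, including the hdr_len arithmetic, option padding and the checksum over the IPv4 pseudo-header. The addresses are the ones from the captures later in the lecture; the segment itself, its ports and the MSS option are constructed here.

```python
import socket
import struct

# Flag bits of the "Hdr len / Reserved / Flags" word: the six RFC 793 flags plus the two
# ECN flags (ECE, CWR) that later took two of the reserved bits.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
FLAG_NAMES = {bit: name for name, bit in FLAG_BITS.items()}


def ones_complement_sum(data):
    """16-bit one's complement sum used by the Internet checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length)
    followed by the segment with its own checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)


def build_tcp(sport, dport, seq, ack, flags, window, payload=b"", options=b"",
              src_ip=None, dst_ip=None):
    """Assemble a segment laid out as in the header diagram; options are padded to 32 bits."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)          # Padding field
    hdr_words = 5 + len(options) // 4                          # Hdr len counts 32-bit words
    flag_word = (hdr_words << 12) | sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, flag_word, window, 0, 0)
    segment = header + options + payload
    if src_ip is not None:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def parse_tcp(segment, src_ip=None, dst_ip=None):
    """Decode the fixed header, options and data; verify the checksum when the IPs are given."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (sport, dport, seq, ack, flag_word,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (flag_word >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad header length %d" % hdr_len)      # truncated or forged Hdr len
    fields = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len,
        "flags": [FLAG_NAMES[b] for b in sorted(FLAG_NAMES) if flag_word & b],
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "options": segment[20:hdr_len],                         # present only if hdr_len > 20
        "data": segment[hdr_len:],
    }
    if src_ip is not None:
        fields["checksum_ok"] = tcp_checksum(src_ip, dst_ip, segment) == checksum
    return fields


# Addresses from the captures in this lecture; the segment below is constructed for the example.
SRC = socket.inet_aton("172.16.48.139")
DST = socket.inet_aton("172.16.48.130")


def demo():
    """Build a SYN carrying an MSS option, parse it back, then corrupt one byte to show the
    checksum catching it. Returns (parsed_syn, checksum_ok_after_corruption)."""
    syn = build_tcp(46767, 80, 1234, 0, ["SYN"], 5840,
                    options=b"\x02\x04\x05\xb4",                 # MSS = 1460
                    src_ip=SRC, dst_ip=DST)
    parsed = parse_tcp(syn, SRC, DST)
    corrupted = syn[:2] + b"\x00\x01" + syn[4:]                  # dport 80 -> 1, checksum untouched
    return parsed, parse_tcp(corrupted, SRC, DST)["checksum_ok"]


if __name__ == "__main__":
    parsed, ok = demo()
    print(parsed)
    print("checksum still valid after corruption:", ok)
```

The checksum only catches accidental damage: anyone who can inject a segment can recompute it, which is why the sequence-number checks and, later, the ISN discussion carry the security weight.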
TCP encapsulation

 Frame header | Frame data
              | IP header | IP data
                          | TCP header | TCP data
TCP seq/ack numbers
• The sequence number specifies the position of this segment's data in the communication stream
– SEQ=1234 means that the payload of this segment starts at byte 1234 of the stream
• The acknowledgment number specifies the position of the next byte expected from the peer
– ACK=1234 means that the host has correctly received everything up to byte 1233 and expects byte 1234
• Basis for retransmission of lost segments and for detecting duplicates
TCP flags
• Used for the setup/shutdown of virtual circuit and other operations on it:
– SYN: used in connection setup
– ACK: acknowledgment number is valid
– FIN: request to shutdown one stream
– RST: reset the virtual circuit
– URG: indicates that the urgent pointer is valid
– PSH: indicates that data should be passed to the application as soon as possible (“push”)
TCP virtual circuit setup
• TCP establishes a connection-oriented communication service on top of packet-oriented IP
• The setup is done through the three-way handshake:
– Client sends a SYN to the server (active open); sequence number is IA
– Server replies with SYN-ACK; the ack is set to IA+1; sequence number is IB
– Client sends ACK; the ack is set to IB+1; sequence number is IA+1
Initial sequence numbers
• What to use as the initial sequence number?
• The original standard specified that sequence number should be incremented every 4 microseconds
• BSD UNIXes initially used a number that is incremented by 64,000 every half second and by 64,000 every time a connection is established
• We’ll see in a bit if these are good choices…
TCP data exchange
• Host sends data
– Acknowledgment number: the next byte it expects from the peer, i.e. one past the data received so far
– Sequence number: initial sequence number increased by the amount of data sent so far
• Recipient (RCV) accepts a segment (SEG) if the segment falls inside the receive window:
– RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW, or
– RCV.ACK <= SEG.SEQ + SEG.LENGTH - 1 < RCV.ACK + RCV.WINDOW
(comparisons are modulo 2^32 because sequence numbers wrap; RFC 793 calls these RCV.NXT and RCV.WND)
• Empty segments may be exchanged to acknowledge received data
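To tie the three-way handshake and the receive-window test together, here is an added Python simulation (not from the lecture) of the Client:7890 / Server:80 exchange: it performs the handshake with the IA/IB arithmetic from the slide, sends two 15-byte segments, and applies the acceptability test in the slide's RCV.ACK/RCV.WINDOW notation. IA is deliberately chosen just below 2^32 so the client's numbers wrap, the edge case a naive `<=` comparison gets wrong; the endpoint names, ISNs and window sizes are assumptions.

```python
MOD = 1 << 32   # sequence numbers are 32-bit and wrap around


def seq_in_window(rcv_ack, rcv_window, seg_seq, seg_length):
    """Acceptability test from the slide (RFC 793 uses RCV.NXT/RCV.WND for the same quantities).
    All comparisons are taken modulo 2^32 so a window straddling the wrap point still works."""
    def inside(x):
        return (x - rcv_ack) % MOD < rcv_window

    if rcv_window == 0:
        # Closed window: only a zero-length segment exactly at RCV.ACK (e.g. a pure ACK) is acceptable
        return seg_length == 0 and seg_seq == rcv_ack
    if seg_length == 0:
        return inside(seg_seq)
    first, last = seg_seq, (seg_seq + seg_length - 1) % MOD
    return inside(first) or inside(last)


class Endpoint:
    def __init__(self, name, isn, rcv_window):
        self.name = name
        self.snd_nxt = isn          # next sequence number this side will send
        self.rcv_ack = None         # next byte expected from the peer (the slide's RCV.ACK)
        self.rcv_window = rcv_window


def three_way_handshake(client, server):
    """Returns the three segments as dicts; a SYN consumes one sequence number."""
    syn = {"seq": client.snd_nxt, "ack": None, "flags": ("SYN",)}
    server.rcv_ack = (syn["seq"] + 1) % MOD
    client.snd_nxt = (client.snd_nxt + 1) % MOD

    synack = {"seq": server.snd_nxt, "ack": server.rcv_ack, "flags": ("SYN", "ACK")}
    client.rcv_ack = (synack["seq"] + 1) % MOD
    server.snd_nxt = (server.snd_nxt + 1) % MOD

    ack = {"seq": client.snd_nxt, "ack": client.rcv_ack, "flags": ("ACK",)}
    return syn, synack, ack


def send_data(sender, receiver, length):
    """One data segment: seq = ISN + bytes sent so far, ack = next byte expected from the peer.
    Returns (segment, accepted); an in-order accepted segment advances the receiver's RCV.ACK."""
    seg = {"seq": sender.snd_nxt, "ack": sender.rcv_ack, "length": length, "flags": ("ACK", "PSH")}
    sender.snd_nxt = (sender.snd_nxt + length) % MOD
    accepted = seq_in_window(receiver.rcv_ack, receiver.rcv_window, seg["seq"], length)
    if accepted and seg["seq"] == receiver.rcv_ack:
        receiver.rcv_ack = (receiver.rcv_ack + length) % MOD
    return seg, accepted


def demo():
    """Client:7890 -> Server:80 as in the data-exchange figure: handshake, then two 15-byte
    segments. IA sits just below 2^32 so the client's numbers wrap during the exchange."""
    IA, IB = 0xFFFFFFF0, 5000                      # assumed ISNs
    client = Endpoint("client:7890", IA, 3000)     # assumed window sizes
    server = Endpoint("server:80", IB, 3000)
    syn, synack, ack = three_way_handshake(client, server)
    seg1, ok1 = send_data(client, server, 15)      # seq = IA+1
    seg2, ok2 = send_data(client, server, 15)      # seq wraps to 0
    return {
        "syn": syn, "synack": synack, "ack": ack,
        "seg1": seg1, "seg2": seg2, "ok1": ok1, "ok2": ok2,
        # a full retransmission of seg1: entirely below RCV.ACK, so a duplicate and rejected
        "fully_old_accepted": seq_in_window(server.rcv_ack, server.rcv_window, seg1["seq"], 15),
        # a segment whose tail reaches into the window: accepted (the receiver trims the old part)
        "overlapping_accepted": seq_in_window(server.rcv_ack, server.rcv_window, 10, 15),
        # a segment starting at the far edge of the window: rejected
        "beyond_window_accepted": seq_in_window(server.rcv_ack, server.rcv_window,
                                                (server.rcv_ack + server.rcv_window) % MOD, 15),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The window test is also the reason a blind attacker who wants to inject data into an established connection must land a guess inside RCV.WINDOW, not hit the exact sequence number; the larger the window, the easier that is.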
Data exchange (figure: Client:7890 and Server:80 exchanging two segments, each with data len 15)
TCP virtual circuit shutdown
• One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set
• The other host, the client, acknowledges the receipt
• From this point on, the server will not send any data
– It will only send ACKs for the data it receives
• When the client shuts down its stream, the virtual circuit is closed
Virtual circuit shutdown (figure: Client:7890 and Server:80; the server closes its half of the circuit, then the client closes its half)
TCP portscan
• Used to determine the TCP services available on a host
– Each service is traditionally associated with a specific port (see /etc/services)
– Assumption: an open port implies the corresponding service is available
• Simplest form: "connect scan"
– connect() to every port
– If the three-way handshake succeeds, the port is open
• Disadvantage:
– Noisy: the completed connection is handed to the application, which can log it
TCP connect scan
$ nmap -sT 172.16.48.130

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
TCP connect scan
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]

(tcpdump notation: [S] SYN, [S.] SYN+ACK, [.] ACK, [R.] RST+ACK; the open port 80 completes the handshake, the closed ports answer RST)
TCP SYN portscan
• Attacker sends a SYN packet
• The target host
– replies with a SYN/ACK if the port is open
– replies with a RST if the port is closed
• The attacker sends a RST instead of the ACK that would complete the three-way handshake
• The connection is never completed
– Applications do not record the event in their logs, because the kernel never hands them a connection (the half-open SYN is still visible to a packet filter or IDS)
TCP SYN portscan
$ sudo nmap -sS 172.16.48.130

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
TCP SYN portscan
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]

(note the third packet: a bare RST from the scanner instead of the ACK seen in the connect scan, and the same source port 39558 reused for every probe)
TCP FIN/Xmas scans
• The TCP RFC says:
– If the port is closed, an incoming segment not containing RST causes a RST to be sent
– If the port is open, an incoming segment without SYN, RST, or ACK is silently dropped
• FIN scan
– Send a segment with only FIN set
– If a RST is received, the port is closed; else it is open (or the probe was dropped by a filter, which looks the same: nmap reports open|filtered)
• Xmas scan
– Send a segment with FIN, PSH, and URG set
– If a RST is received, the port is closed; else it is open (or filtered, as above)
TCP FIN/Xmas scans
$ sudo nmap -sF 172.16.48.130    [target is Linux]

Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE         SERVICE
...
8000/tcp open|filtered http-alt

15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048
TCP FIN/Xmas scans
$ sudo nmap -sX 172.16.48.128    [target is Windows]

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-29 15:55 PST
All 1000 scanned ports on 172.16.48.128 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

(the capture below shows only the outgoing FIN/PSH/URG probes: nothing came back for any port, so nmap cannot tell open ports from ports whose probes are being dropped, hence open|filtered for all 1000)

15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
15:55:31.069670 IP 172.16.48.139.42877 > 172.16.48.128.10004: FP 1557334796:1557334796(0) win 3072 urg 0
15:55:31.069680 IP 172.16.48.139.42877 > 172.16.48.128.9040: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.075453 IP 172.16.48.139.42877 > 172.16.48.128.1236: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.079934 IP 172.16.48.139.42877 > 172.16.48.128.2607: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.122730 IP 172.16.48.139.42877 > 172.16.48.128.3689: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.126760 IP 172.16.48.139.42877 > 172.16.48.128.4125: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.142278 IP 172.16.48.139.42877 > 172.16.48.128.3690: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.145262 IP 172.16.48.139.42877 > 172.16.48.128.1434: FP 1557334796:1557334796(0) win 3072 urg 0
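The connect, SYN, FIN and Xmas scans above all leave a recognisable pattern in a packet capture. As an added example (not part of the lecture), the following Python reads tcpdump lines in both formats shown on the slides, groups them per probed port and derives the port state the way nmap does, plus the scan type: a SYN probe answered SYN/ACK and then completed with an ACK is a connect scan, the same probe torn down with a RST is a SYN scan, and a FIN or FIN/PSH/URG probe that gets no RST is open|filtered. The sample captures are abridged from the ones above; the scanner address 172.16.48.139 is taken from them.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Matches both tcpdump styles on the slides: "Flags [S.]" (tcpdump 4.x) and the older
# "F 123:123(0) ... ack 124" form, with an optional timestamp in front.
LINE = re.compile(r"^(?:\S+\s+)?IP (\S+)\.(\d+) > (\S+)\.(\d+): (?:Flags \[([^\]]*)\]|([A-Z.]+)(?=\s))")


def parse_line(line):
    """Return a Packet whose flags are a set of letters (A = ACK), or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, new_flags, old_flags = m.groups()
    token = new_flags if new_flags is not None else old_flags
    letters = set(token.replace(".", ""))
    if new_flags is not None and "." in token:
        letters.add("A")                         # tcpdump 4.x prints ACK as "."
    if old_flags is not None:
        if " ack " in line:
            letters.add("A")                     # older tcpdump prints the ack number separately...
        if " urg " in line:
            letters.add("U")                     # ...and the urgent pointer only when URG is set
    return Packet(src, int(sport), dst, int(dport), frozenset(letters))


def classify(capture, scanner):
    """Group packets by (target, scanner port, target port) and derive state and scan type."""
    flows = {}
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        key = (p.dst, p.sport, p.dport) if p.src == scanner else (p.src, p.dport, p.sport)
        flows.setdefault(key, []).append(p)

    results = {}
    for (target, _sport, port), pkts in flows.items():
        probe = pkts[0]
        if probe.src != scanner:
            continue                             # not a flow the scanner started
        replies = [q for q in pkts[1:] if q.src == target]
        follow = [q for q in pkts[1:] if q.src == scanner]
        if probe.flags == {"S"}:
            if not replies:
                state, kind = "filtered", "SYN probe, no answer"
            elif replies[0].flags >= {"S", "A"}:
                state = "open"
                if follow and follow[0].flags == {"A"}:
                    kind = "connect scan (handshake completed)"
                elif follow and "R" in follow[0].flags:
                    kind = "SYN scan (RST instead of final ACK)"
                else:
                    kind = "SYN probe, handshake left half-open"
            elif "R" in replies[0].flags:
                state, kind = "closed", "SYN probe"
            else:
                state, kind = "unknown", "SYN probe, unexpected reply"
        elif not probe.flags & {"S", "R", "A"}:
            # RFC 793: a closed port answers RST; an open port drops a segment without SYN/RST/ACK
            if probe.flags >= {"F", "P", "U"}:
                kind = "Xmas probe"
            elif probe.flags == {"F"}:
                kind = "FIN probe"
            else:
                kind = "flag-combination probe"
            state = "closed" if replies and "R" in replies[0].flags else "open|filtered"
        else:
            state, kind = "unknown", "unclassified probe"
        results[(target, port)] = (state, kind)
    return results


SCANNER = "172.16.48.139"

# Abridged from the captures on the slides (sample input for the example).
CONNECT_CAPTURE = """\
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
"""
SYN_CAPTURE = """\
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
"""
FIN_XMAS_CAPTURE = """\
15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048
15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
"""

if __name__ == "__main__":
    for name, cap in (("connect", CONNECT_CAPTURE), ("syn", SYN_CAPTURE), ("fin/xmas", FIN_XMAS_CAPTURE)):
        print(name, classify(cap, SCANNER))
```

On the defensive side the same grouping is what a scan detector does: many flows from one source that never get past the first or second packet, against ports that mostly answer RST, is the signature of a scanner rather than a client.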
OS fingerprinting
• Leverages differences in how operating systems implement the protocols to identify remotely the OS running on a host
• Active fingerprinting
– Send carefully crafted packets and observe the response:
  • Response to FIN messages
  • Weird combinations of TCP flags
  • Initial TCP sequence number
  • Initial TCP window size
  • ICMP messages (error rate, inclusion of the packet that triggered the message)
– Can be noisy
– Tools: nmap, xprobe
• Passive fingerprinting
– Observe traffic received or monitored during regular communication
– Normal traffic, thus hard to detect
– http://lcamtuf.coredump.cx/p0f/README
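To show what the passive approach actually computes, here is an added example (not from the lecture and not p0f's code) that matches the attributes a sniffer extracts from a single SYN (observed TTL, window size, MSS, option order, DF bit) against a small signature table. The signature table and the sample SYNs are constructed for illustration and are not p0f's real database; the technique is the one p0f uses: round the observed TTL up to the nearest initial TTL to recover the hop count, and allow a window expressed as a multiple of the MSS so the same signature fits hosts with different link MTUs.

```python
INITIAL_TTLS = (32, 64, 128, 255)   # initial TTL values used by common IP stacks

# Illustrative signature table, constructed for this example (not p0f's real database).
# Each entry: label, initial TTL, SYN window ("mss*N" means N times the MSS option),
# option order in the SYN, Don't-Fragment bit.
SIGNATURES = [
    ("linux-2.6-like",   64, "mss*4", ("mss", "sack", "ts", "nop", "ws"), True),
    ("windows-xp-like", 128, 65535,   ("mss", "nop", "nop", "sack"),      True),
    ("openbsd-like",     64, 16384,
     ("mss", "nop", "nop", "sack", "nop", "ws", "nop", "nop", "ts"), True),
]


def guess_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest value a stack starts from; the difference
    is the number of hops the packet travelled."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return observed_ttl


def window_matches(spec, syn):
    """Window spec is either a literal size or 'mss*N' (N times the MSS option in the SYN)."""
    if isinstance(spec, int):
        return syn["window"] == spec
    if isinstance(spec, str) and spec.startswith("mss*"):
        return syn.get("mss") is not None and syn["window"] == int(spec[4:]) * syn["mss"]
    return False


def fingerprint(syn):
    """syn: attributes extracted from one SYN (ttl, window, mss, options, df).
    Returns (label or None, estimated hop distance)."""
    initial = guess_initial_ttl(syn["ttl"])
    hops = initial - syn["ttl"]
    for label, ttl, window, options, df in SIGNATURES:
        if (ttl == initial and window_matches(window, syn)
                and tuple(syn["options"]) == options and bool(syn["df"]) == df):
            return label, hops
    return None, hops


# Constructed SYN observations (not captured traffic).
SAMPLE_SYNS = {
    "lan-linux":      {"ttl": 63,  "window": 5840,  "mss": 1460,
                       "options": ("mss", "sack", "ts", "nop", "ws"), "df": True},
    "remote-linux":   {"ttl": 52,  "window": 5600,  "mss": 1400,     # smaller MTU, same 4*MSS rule
                       "options": ("mss", "sack", "ts", "nop", "ws"), "df": True},
    "remote-windows": {"ttl": 120, "window": 65535, "mss": 1460,
                       "options": ("mss", "nop", "nop", "sack"), "df": True},
    "unknown":        {"ttl": 250, "window": 4096,  "mss": 536,
                       "options": ("mss",), "df": False},
}


def fingerprint_all(samples=SAMPLE_SYNS):
    return {name: fingerprint(syn) for name, syn in samples.items()}


if __name__ == "__main__":
    for name, (label, hops) in fingerprint_all().items():
        print("%-15s %-16s %d hops" % (name, label, hops))
```

The hop estimate is only as good as the initial-TTL assumption, and a host behind a NAT or proxy is fingerprinted as the middlebox; both are limitations p0f documents rather than bugs in the matching.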
TCP spoofing
• Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob)
• Mallory wants to impersonate Bob when opening a TCP connection to Alice
• Steps
– M sends a SYN segment to A with the source IP address set to B's IP address
– A sends a SYN/ACK to B
– B, which knows nothing of this connection, replies with RST
– Fail: B's RST aborts the half-open connection, so M has to retry with a refined attack (next slide)
TCP spoofing
• Steps
– M kills B (e.g., by flooding), so that B cannot answer A's SYN/ACK with a RST
– M sends a SYN segment to A with the source IP address set to B's IP address
– A sends a SYN/ACK to B, with its initial sequence number IA
– M completes the 3-way handshake, with ACK set to IA + 1
• How does M know IA? There are two cases:
– M can sniff traffic from A: M just eavesdrops on A's response containing IA
– M cannot sniff traffic from A (e.g., different networks): M guesses the correct IA value ("blind spoofing")
Eike Ritter 26Network Security - Lecture 7
TCP spoofing
• Described in R. T. Morris, A Weakness in the 4.2BSD UNIX TCP/IP Software (1985)
• Used by Kevin Mitnick in his attack against the San Diego Supercomputer Center
• Addressed by S. Bellovin, RFC 1948, Defending Against Sequence Number Attacks
– Set the initial sequence number to the timer prescribed originally plus the value of a cryptographic hash function of the connection identifiers:
ISN = M + F(localhost, localport, remotehost, remoteport)
– It is vital that F not be computable from the outside, so it is keyed with some secret data:
  • a true random number, or
  • a per-host secret and the boot time of the machine
– Thus each connection is given a separate sequence number space
• That's the theory, at least
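The two ISN rules above, and why the first makes blind spoofing work, can be put side by side in a few lines. The following is an added example (not from the lecture or from any real TCP stack): a model of the 4.2BSD generator from the earlier slide (64,000 per half second and per connection) and of the RFC 1948 generator, with F realised as an HMAC-SHA256 truncated to 32 bits instead of the MD5 the RFC suggested. The attack replayed is the blind-spoofing step from the previous slides: Mallory opens a real connection to Alice to observe one ISN, then immediately sends the SYN forged as Bob and predicts Alice's next ISN. Host names, ports (513 for the trusting rlogin-style service, a privileged source port for Bob) and the clock values are assumptions.

```python
import hashlib
import hmac
import os

MOD = 1 << 32


class OldBsdHost:
    """ISN = 64,000 per half second since boot + 64,000 per connection (the 4.2BSD scheme)."""

    def __init__(self):
        self.connections = 0

    def isn(self, local, lport, remote, rport, half_seconds_since_boot):
        self.connections += 1
        # the 4-tuple plays no role at all: every connection shares one predictable counter
        return (64000 * half_seconds_since_boot + 64000 * self.connections) % MOD


class Rfc1948Host:
    """ISN = M + F(local, lport, remote, rport); F is a keyed hash with a per-boot secret."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)

    def isn(self, local, lport, remote, rport, half_seconds_since_boot):
        m = (half_seconds_since_boot * 125000) % MOD          # RFC 793 4-microsecond clock
        ident = ("%s:%d:%s:%d" % (local, lport, remote, rport)).encode()
        f = int.from_bytes(hmac.new(self.secret, ident, hashlib.sha256).digest()[:4], "big")
        return (m + f) % MOD


def blind_spoof(host, alice, mallory, bob, mport=40000, bport=1023, rport=513, t=1000):
    """Mallory's blind-spoofing attempt against Alice (who runs `host`'s ISN generator).

    1. Mallory connects to Alice from her own address and sees the ISN Alice picks.
    2. Within the same half second she sends a SYN with Bob's source address (Bob is
       assumed to have been silenced, as on the slide) and guesses Alice's next ISN by the
       old BSD rule: previous ISN + 64,000.
    Returns (guess, actual): the handshake completes only if they are equal."""
    observed = host.isn(alice, rport, mallory, mport, t)
    guess = (observed + 64000) % MOD
    actual = host.isn(alice, rport, bob, bport, t)
    return guess, actual


def attack_succeeds(host, alice="alice", mallory="mallory", bob="bob"):
    guess, actual = blind_spoof(host, alice, mallory, bob)
    return guess == actual


if __name__ == "__main__":
    print("4.2BSD-style ISN, spoof succeeds:", attack_succeeds(OldBsdHost()))
    print("RFC 1948 ISN,     spoof succeeds:", attack_succeeds(Rfc1948Host()))
```

Against the RFC 1948 host the offset between the ISN Mallory observed and the one Alice gives Bob's 4-tuple is F(bob) - F(mallory): constant across time, but unknowable without the per-boot secret, so the observation buys the attacker nothing. Note that the clock part M is still predictable; what changes is that every 4-tuple lives in its own sequence-number space, exactly the slide's last point.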