TCP/IP: TCP (Network Security Lecture 6, PowerPoint PPT presentation)


SLIDE 1

TCP/IP: TCP

Network Security Lecture 6

SLIDE 2

TCP

  • Based on IP
  • Provides a connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering)
  • Provides a port abstraction (like UDP)
  • Establishes a virtual circuit over packet-switched IP
    – identified by (source IP address, source port, destination IP address, destination port)
    – Full duplex: two streams, one in each direction
  • RFC 793

Eike Ritter Network Security - Lecture 6 1
SLIDE 3

TCP segment

Header layout (each row is one 32-bit word; bit offsets 0, 4, 8, 12, 16, 20, 24, 28, 31):

  • Source port (16 bits) | Destination port (16 bits)
  • Sequence number (32 bits)
  • Acknowledgment number (32 bits)
  • Hdr len (4 bits, counted in 32-bit words) | Reserved (6 bits) | Flags (6 bits) | Window (16 bits)
  • Checksum (16 bits) | Urgent pointer (16 bits)
  • Options (present only if hdr_len > 5) | Padding (to a 32-bit boundary)
  • Data
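As an added example (not code from the lecture), the following Python decodes the header fields listed above from raw bytes and computes the RFC 793 checksum, which covers an IPv4 pseudo-header (source and destination address, protocol number 6, TCP length) as well as the segment itself. The sample SYN segment, its addresses and its sequence number are constructed for the example, modelled on the lecture's 172.16.48.x hosts.

```python
import struct
from ipaddress import ip_address

# Control bits in the low byte of the "hdr len / reserved / flags" word.
# RFC 793 defines URG..FIN; CWR and ECE were added later by RFC 3168.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_HEADER = "!HHIIHHHH"   # ports, seq, ack, offset+flags, window, checksum, urgent


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed 20-byte header, the options (if hdr_len > 5 words) and the data."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgptr) = struct.unpack(TCP_HEADER, segment[:20])
    hdr_words = off_flags >> 12                     # data offset, in 32-bit words
    hdr_len = hdr_words * 4
    if hdr_words < 5 or hdr_len > len(segment):
        raise ValueError("invalid data offset %d" % hdr_words)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "window": window, "checksum": checksum,
        "urgptr": urgptr if off_flags & FLAG_BITS["URG"] else None,   # valid only with URG
        "flags": sorted(name for name, bit in FLAG_BITS.items() if off_flags & bit),
        "options": segment[20:hdr_len],             # empty unless hdr_len > 20
        "data": segment[hdr_len:],
    }


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the segment,
    with the segment's own checksum field treated as zero."""
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))       # zero, protocol, TCP length
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"                                         # pad an odd length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                          # fold the carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                      window=65535, data=b"") -> bytes:
    """Build a segment without options (hdr_len = 5 words) and with a valid checksum."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    hdr = struct.pack(TCP_HEADER, sport, dport, seq, ack, off_flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


if __name__ == "__main__":
    # Constructed sample: a SYN like the first packet of the lecture's connect scan.
    syn = build_tcp_segment("172.16.48.139", "172.16.48.130", 46767, 80,
                            seq=2638861074, ack=0, flags=["SYN"], window=5840)
    print(parse_tcp_segment(syn))
    print("checksum valid:", checksum_ok("172.16.48.139", "172.16.48.130", syn))
```

Anything that rewrites addresses (NAT, a proxy, a spoofing tool) has to recompute this checksum, because the pseudo-header ties the segment to the IP addresses it travels between.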
SLIDE 4

TCP segment (figure: the header diagram of slide 3)
SLIDE 5

TCP encapsulation

  • Frame = Frame header | Frame data
  • Frame data = IP header | IP data
  • IP data = TCP header | TCP data
SLIDE 6

TCP encapsulation (figure: the encapsulation diagram of slide 5)
SLIDE 7

TCP seq/ack numbers

  • The sequence number specifies the position of this segment’s data in the communication stream
    – SEQ=1234 means that the payload of this segment starts at byte 1234 of the stream
  • The acknowledgment number specifies the position of the next byte expected from the peer
    – ACK=1234 means that the host has correctly received everything up to byte 1233 and expects byte 1234
  • Basis for retransmission of lost segments and for detecting duplicates
SLIDE 8

TCP flags

  • Used for the setup/shutdown of the virtual circuit and other operations on it:
    – SYN: used in connection setup
    – ACK: acknowledgment number is valid
    – FIN: request to shut down one stream
    – RST: reset the virtual circuit
    – URG: indicates that the urgent pointer is valid
    – PSH: indicates that data should be passed to the application as soon as possible (“push”)
SLIDE 9

TCP virtual circuit setup

  • TCP establishes a connection-oriented communication service on top of packet-oriented IP
  • The setup is done through the three-way handshake
    – Client sends a SYN to the server (active open); sequence number is IA
    – Server replies with SYN-ACK; the ack is set to IA+1; sequence number is IB
    – Client sends ACK; the ack is set to IB+1; sequence number is IA+1
SLIDE 10

Initial sequence number (figure: the three-way handshake between Client:7890 and Server:80)
SLIDE 11

Initial sequence numbers

  • What to use as the initial sequence number?
  • The original standard (RFC 793) specified a 32-bit ISN clock that is incremented every 4 microseconds
  • BSD UNIXes initially used a number that is incremented by 64,000 every half second and by 64,000 every time a connection is established
  • We’ll see in a bit if these are good choices…
SLIDE 12

TCP data exchange

  • Host sends data
    – Acknowledgment number: acknowledges everything received up to and including the previous segment
    – Sequence number: initial sequence number increased by the amount of data transferred so far
  • Recipient (RCV) accepts a segment (SEG) if the segment is inside the receive window
    – RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW, or
    – RCV.ACK <= SEG.SEQ + SEG.LENGTH – 1 < RCV.ACK + RCV.WINDOW
    – (the comparisons are modulo 2^32; RFC 793 calls these variables RCV.NXT and RCV.WND)
  • Empty segments may be exchanged to acknowledge received data
SLIDE 13

Data exchange (figure: Client:7890 and Server:80 each send a segment with data len: 15)
SLIDE 14

TCP virtual circuit shutdown

  • One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set
  • The other host, the client, acknowledges the receipt
  • From this point on, the server will not send any data
    – It will only send ACKs for the data it receives
  • When the client shuts down its stream, the virtual circuit is closed
SLIDE 15

Virtual circuit shutdown (figure, Client:7890 and Server:80: the server closes its half of the circuit first, then the client closes its half)
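The whole circuit lifetime from slides 9 to 15 (three-way handshake, data exchange with the receive-window test of slide 12, half-close by the server and then by the client) simulated in Python. This is an added example, not code from the lecture. The window test is the slide's rule (RFC 793's RCV.NXT / RCV.WND) evaluated modulo 2^32 so that sequence-number wrap-around is handled; the ISNs 1000 and 5000, the 4096-byte window and the 15-byte payloads are values chosen for the example.

```python
from collections import namedtuple

MOD = 1 << 32           # sequence numbers live in a 32-bit modular space
Seg = namedtuple("Seg", "src flags seq ack length")


def in_window(base: int, wnd: int, x: int) -> bool:
    """base <= x < base + wnd, evaluated modulo 2^32 so that wrap-around works."""
    return (x - base) % MOD < wnd


def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 acceptability test (the slide's RCV.ACK / RCV.WINDOW are RCV.NXT / RCV.WND):
    a segment is accepted if its first or its last byte falls inside the receive window."""
    if seg_len == 0:                       # pure ACK / control segment
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(rcv_nxt, rcv_wnd, seg_seq)
    if rcv_wnd == 0:                       # window closed: no data can be accepted
        return False
    last = (seg_seq + seg_len - 1) % MOD
    return in_window(rcv_nxt, rcv_wnd, seg_seq) or in_window(rcv_nxt, rcv_wnd, last)


class Side:
    """One end of the virtual circuit: tracks SND.NXT and RCV.NXT."""

    def __init__(self, name: str, isn: int, rcv_wnd: int = 4096):
        self.name, self.snd_nxt, self.rcv_nxt, self.rcv_wnd = name, isn, None, rcv_wnd

    def send(self, flags: tuple, length: int = 0) -> Seg:
        seg = Seg(self.name, flags, self.snd_nxt,
                  self.rcv_nxt if "ACK" in flags else 0, length)
        # SYN and FIN each occupy one sequence number; data occupies its length.
        self.snd_nxt = (self.snd_nxt + length + ("SYN" in flags) + ("FIN" in flags)) % MOD
        return seg

    def receive(self, seg: Seg) -> bool:
        """True if the segment is accepted; False if it falls outside the window
        (a duplicate or stray segment, which a real stack drops and re-ACKs)."""
        if "SYN" in seg.flags:             # handshake: synchronise on the peer's ISN
            self.rcv_nxt = (seg.seq + 1) % MOD
            return True
        if not segment_acceptable(self.rcv_nxt, self.rcv_wnd, seg.seq, seg.length):
            return False
        if seg.seq == self.rcv_nxt:        # in order: advance past the data (and a FIN)
            self.rcv_nxt = (self.rcv_nxt + seg.length + ("FIN" in seg.flags)) % MOD
        return True


def run_session(ia: int, ib: int, client_data=(15,), server_data=(15,)) -> list:
    """Setup, data exchange and shutdown between Client (ISN ia) and Server (ISN ib);
    returns the segments in the order they cross the wire."""
    client, server = Side("client", ia), Side("server", ib)
    log = []

    def xfer(sender, receiver, flags, length=0):
        seg = sender.send(flags, length)
        assert receiver.receive(seg), "an in-order segment must be accepted"
        log.append(seg)

    xfer(client, server, ("SYN",))                 # active open, seq = IA
    xfer(server, client, ("SYN", "ACK"))           # seq = IB, ack = IA + 1
    xfer(client, server, ("ACK",))                 # seq = IA + 1, ack = IB + 1
    for n in client_data:                          # every data segment also carries an ACK
        xfer(client, server, ("PSH", "ACK"), n)
        xfer(server, client, ("ACK",))             # empty segment just to acknowledge
    for n in server_data:
        xfer(server, client, ("PSH", "ACK"), n)
        xfer(client, server, ("ACK",))
    xfer(server, client, ("FIN", "ACK"))           # server closes its half ...
    xfer(client, server, ("ACK",))
    xfer(client, server, ("FIN", "ACK"))           # ... then the client closes its half
    xfer(server, client, ("ACK",))
    return log


if __name__ == "__main__":
    for seg in run_session(ia=1000, ib=5000):
        print("%-6s %-8s seq=%d ack=%d len=%d"
              % (seg.src, "/".join(seg.flags), seg.seq, seg.ack, seg.length))
```

Two things worth seeing in the trace: a retransmitted copy of an already acknowledged segment fails the window test (so it is discarded rather than delivered twice), and a segment whose sequence number has wrapped past 2^32 is still accepted because the comparison is modular. Both checks are exactly what a spoofed or injected segment has to satisfy to be taken by the receiver.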
SLIDE 16

TCP portscan

  • Used to determine the TCP services available on a host
    – Each service is traditionally associated with a specific port (see /etc/services)
    – Assumption: open port implies corresponding service is available
  • Simplest form: “connect scan”
    – connect to all possible ports
    – If the three-way handshake succeeds, the port is open
  • Disadvantage:
    – Noisy: every open port sees a completed connection, which the listening application can log
SLIDE 17

TCP connect scan

$ nmap -sT 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
SLIDE 18

TCP connect scan

IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]
SLIDE 19

TCP SYN portscan

  • Attacker sends a SYN packet
  • The target host
    – Replies with a SYN/ACK, if the port is open
    – Replies with a RST, if the port is closed
  • The attacker sends a RST instead of the ACK that would complete the three-way handshake
  • Connection is never completed
    – Applications do not record the event in their logs: the half-open connection never leaves the kernel
    – Crafting the raw SYN and RST segments needs privileges (note the sudo on the next slide)
SLIDE 20

TCP SYN portscan

$ sudo nmap -sS 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
SLIDE 21

TCP SYN portscan

IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]
SLIDE 22

TCP FIN/Xmas scans

  • TCP RFC says
    – If port is closed, an incoming segment not containing RST causes a RST to be sent
    – If port is open, an incoming segment without SYN, RST, or ACK is silently dropped
  • FIN scan
    – Send segment with FIN
    – If RST received, port is closed; else open (nmap reports “open|filtered”, since a firewall dropping the probe looks the same as an open port)
  • Xmas scan
    – Send segment with FIN, PSH, and URG
    – If RST received, port is closed; else open (again reported as “open|filtered”)
  • Caveat: not every stack follows the RFC here; compare the Linux target on the next slide with the Windows target after it, where all 1000 ports come back open|filtered
SLIDE 23

TCP FIN/Xmas scans

$ sudo nmap -sF 172.16.48.130          [target is Linux]
Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE         SERVICE
...
8000/tcp open|filtered http-alt

15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048
SLIDE 24

TCP FIN/Xmas scans

$ sudo nmap -sX 172.16.48.128          [target is Windows]
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-29 15:55 PST
All 1000 scanned ports on 172.16.48.128 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds

15:55:31.061908 IP 172.16.48.139.42877 > 172.16.48.128.2869: FP 1557334796:1557334796(0) win 1024 urg 0
15:55:31.069670 IP 172.16.48.139.42877 > 172.16.48.128.10004: FP 1557334796:1557334796(0) win 3072 urg 0
15:55:31.069680 IP 172.16.48.139.42877 > 172.16.48.128.9040: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.075453 IP 172.16.48.139.42877 > 172.16.48.128.1236: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.079934 IP 172.16.48.139.42877 > 172.16.48.128.2607: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.122730 IP 172.16.48.139.42877 > 172.16.48.128.3689: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.126760 IP 172.16.48.139.42877 > 172.16.48.128.4125: FP 1557334796:1557334796(0) win 4096 urg 0
15:55:31.142278 IP 172.16.48.139.42877 > 172.16.48.128.3690: FP 1557334796:1557334796(0) win 2048 urg 0
15:55:31.145262 IP 172.16.48.139.42877 > 172.16.48.128.1434: FP 1557334796:1557334796(0) win 3072 urg 0
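The port-state rules of the connect, SYN, FIN and Xmas scans (slides 16 to 24) applied from the defender's side: the Python below reads tcpdump lines in the flag-bracket format of slides 18 and 21, reconstructs each probe/reply flow, infers the port state the scanner would have learned, and raises an alert when one source has probed several ports of one target. It also tells a full connect scan (the prober answers the SYN/ACK with an ACK) from a half-open SYN scan (the prober answers with a RST). This is an added example, not code from the lecture or from nmap; the trace, the hosts 172.16.48.140 and .141, the port list and the alert threshold are constructed for it.

```python
import re
from collections import defaultdict

# tcpdump -n lines in the flag-bracket format of the slides: S = SYN, . = ACK,
# R = RST, F = FIN, P = PSH, U = URG. An optional timestamp may precede "IP".
LINE_RE = re.compile(r"^(?:\S+\s+)?IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample trace (modelled on slides 18, 21 and 23, not captured from them):
# a SYN scan from .139, one ordinary web connection from .140, a FIN scan from .141.
SAMPLE_TRACE = """\
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.444 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.3306: Flags [S]
IP 172.16.48.140.51000 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.140.51000: Flags [S.]
IP 172.16.48.140.51000 > 172.16.48.130.80: Flags [.]
IP 172.16.48.140.51000 > 172.16.48.130.80: Flags [P.]
IP 172.16.48.141.49879 > 172.16.48.130.1700: Flags [F]
IP 172.16.48.130.1700 > 172.16.48.141.49879: Flags [R.]
IP 172.16.48.141.49879 > 172.16.48.130.625: Flags [F]
IP 172.16.48.130.625 > 172.16.48.141.49879: Flags [R.]
IP 172.16.48.141.49879 > 172.16.48.130.8000: Flags [F]
IP 172.16.48.141.49879 > 172.16.48.130.22: Flags [F]
"""


def build_flows(lines):
    """Group packets by ((prober_ip, port), (target_ip, port)). The first packet of a
    pair fixes who the prober is; each flow is a list of (from_prober, flags)."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sip, sport, dip, dport, flags = m.groups()
        fwd = ((sip, int(sport)), (dip, int(dport)))
        rev = (fwd[1], fwd[0])
        if rev in flows:
            flows[rev].append((False, flags))
        else:
            flows.setdefault(fwd, []).append((True, flags))
    return flows


def classify_flow(packets):
    """(probe, state, half_open) per the slides: SYN->SYN/ACK open, SYN->RST closed,
    SYN unanswered filtered; FIN/Xmas->RST closed, FIN/Xmas unanswered open|filtered."""
    first = packets[0][1]
    replies = [f for from_prober, f in packets if not from_prober]
    later = [f for from_prober, f in packets[1:] if from_prober]
    if "S" in first and "." not in first:
        if not replies:
            return "SYN", "filtered", False
        if replies[0].startswith("R"):
            return "SYN", "closed", False
        if replies[0] == "S.":              # open; a RST instead of an ACK = half-open
            return "SYN", "open", bool(later) and later[0] == "R"
        return "SYN", "unknown", False
    if "F" in first and "S" not in first and "." not in first:
        probe = "Xmas" if {"P", "U"} <= set(first) else "FIN"
        closed = any(r.startswith("R") for r in replies)
        return probe, "closed" if closed else "open|filtered", False
    return "other", "unknown", False


def detect_scans(lines, min_ports=4):
    """Alert on any source probing at least min_ports distinct ports of one target."""
    by_pair = defaultdict(dict)
    for (prober, target), packets in build_flows(lines).items():
        by_pair[(prober[0], target[0])][target[1]] = classify_flow(packets)
    alerts = []
    for (src, dst), ports in by_pair.items():
        if len(ports) < min_ports:
            continue                        # ordinary client traffic stays below this
        techniques = {probe for probe, _, _ in ports.values()}
        if "SYN" in techniques:             # connect scan vs. half-open SYN scan
            techniques.remove("SYN")
            half = any(h for _, _, h in ports.values())
            techniques.add("SYN (half-open)" if half else "connect")
        def with_state(wanted):
            return sorted(p for p, (_, s, _) in ports.items() if s == wanted)
        alerts.append({"scanner": src, "target": dst, "ports_probed": len(ports),
                       "techniques": sorted(techniques),
                       "open": with_state("open"), "closed": with_state("closed"),
                       "filtered": with_state("filtered"),
                       "open|filtered": with_state("open|filtered")})
    return alerts
```

Because the SYN scan never completes the handshake, this packet-level view is the only place it shows up; the application logs the slides mention stay empty. The "unanswered means filtered / open|filtered" rule is also why the technique is silent against a stack that does not reply as RFC 793 says it should.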
SLIDE 25

OS fingerprinting

  • Leverages differences in how different operating systems implement protocols to remotely identify the OS running on a host
  • Active fingerprinting
    – Send carefully crafted packets and observe the response
      • Response to FIN messages
      • Weird combinations of TCP flags
      • Initial TCP sequence number
      • Initial TCP window size
      • ICMP messages (error rate, inclusion of the packet that triggered the message)
    – Can be noisy
    – nmap, xprobe
  • Passive fingerprinting
    – Observe traffic received or monitored during regular communication
    – Normal traffic, thus hard to detect
    – http://lcamtuf.coredump.cx/p0f/README
SLIDE 26

TCP spoofing

  • Alice trusts Bob (e.g., logins on Alice are allowed with no password if the TCP connection comes from host Bob)
  • Mallory wants to impersonate Bob when opening a TCP connection to Alice
  • Steps
    – M sends a SYN segment to A with the source IP address set to B’s IP address
    – A sends a SYN/ACK to B
    – B, which never sent a SYN, replies with RST and A tears the half-open connection down
    – Fail: retry.
SLIDE 27

TCP spoofing

  • Steps
    – M silences B first (e.g., by flooding it) so that B cannot answer A’s SYN/ACK with a RST
    – M sends a SYN segment to A with the source IP address set to B’s IP address
    – A sends a SYN/ACK to B, with its initial sequence number IA
    – M completes the 3-way handshake, with ACK set to IA + 1. How does M know IA? There are two cases:
      • M can sniff traffic from A: M just eavesdrops on A’s response containing IA
      • M cannot sniff traffic from A (e.g., different networks): M guesses the correct IA value (“blind spoofing”)
SLIDE 28

TCP spoofing

  • Described in R. T. Morris, A Weakness in the 4.2BSD UNIX TCP/IP Software (1985)
  • Used by Kevin Mitnick in his attack against the San Diego Supercomputer Center
  • Addressed by S. Bellovin, RFC 1948, Defending Against Sequence Number Attacks (since replaced by RFC 6528, which keeps the same construction)
    – Set the initial sequence number to the timer prescribed originally plus the value of a cryptographic hash function of each connection:
      ISN = M + F(localhost, localport, remotehost, remoteport)
    – It is vital that F not be computable from the outside, so it is keyed with some secret data
      • True random number
      • Per-host secret and boot time of the machine
    – Thus, each connection is given a separate sequence number space, and learning the ISN of one’s own connection reveals nothing about the ISN of a spoofed one
  • That’s the theory, at least
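The two ISN generators of slides 11 and 28 side by side, with the blind-spoofing step of slide 27 run against each. This is an added example, not code from the lecture or from any kernel: the counter generator uses the slide's 64,000-per-half-second and 64,000-per-connection constants; the keyed generator is the RFC 1948 construction ISN = M + F(localhost, localport, remotehost, remoteport) with M as the 4-microsecond clock of RFC 793 and, as this example's own choice of F, HMAC-SHA256 truncated to 32 bits under a random per-boot secret. The host names, the rlogin-style port 513 and the attacker's prediction rule (next ISN = observed ISN + per-connection increment, assuming no timer tick in between) are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct
import time

MOD = 1 << 32


class CounterIsn:
    """The predictable scheme from the slides (Berkeley-style): one global counter
    bumped by a constant per half second and by another constant per connection.
    Both constants are public, so every ISN is a function of observable information."""

    def __init__(self, start=0, per_half_second=64000, per_connection=64000):
        self.counter, self.per_tick, self.per_conn = start, per_half_second, per_connection

    def tick(self, half_seconds=1):
        self.counter = (self.counter + self.per_tick * half_seconds) % MOD

    def new_connection(self, *_endpoints) -> int:
        isn, self.counter = self.counter, (self.counter + self.per_conn) % MOD
        return isn


class KeyedIsn:
    """RFC 1948: ISN = M + F(localhost, localport, remotehost, remoteport), with M the
    4-microsecond clock and F keyed by a per-boot secret. F is HMAC-SHA256 truncated
    to 32 bits here (this example's assumption; the RFC's text used MD5)."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))   # 4 us ticks

    def new_connection(self, lhost, lport, rhost, rport) -> int:
        conn = ("%s:%d:%s:%d" % (lhost, lport, rhost, rport)).encode()
        f = struct.unpack("!I", hmac.new(self.secret, conn, hashlib.sha256).digest()[:4])[0]
        return (self.clock() + f) % MOD


def predict_next(observed_isn, per_connection=64000) -> int:
    """Mallory's guess (assumed attacker rule): having opened a legitimate connection
    to Alice and read ISN_A from her SYN/ACK, the very next connection, the spoofed
    one sent before the half-second timer ticks, should get ISN_A + per_connection."""
    return (observed_isn + per_connection) % MOD


def blind_spoof(alice_isn_generator) -> bool:
    """Run the attack of the slides against one generator: a probe connection from
    Mallory's own address, then a spoofed SYN 'from Bob' whose ACK must be Alice's
    ISN + 1. True means Mallory's guess matched and the handshake would complete."""
    observed = alice_isn_generator.new_connection("alice", 513, "mallory", 1023)
    guess = predict_next(observed)
    actual = alice_isn_generator.new_connection("alice", 513, "bob", 1023)
    return guess == actual          # Mallory would send ACK = guess + 1


if __name__ == "__main__":
    print("counter ISN, spoof succeeds:", blind_spoof(CounterIsn(start=123456)))
    print("keyed ISN,   spoof succeeds:", blind_spoof(KeyedIsn()))
```

With the keyed generator the attacker's own connection and the spoofed one fall into unrelated sequence spaces, so the probe reveals nothing; the residual risk is the quality of the secret, which is why the slide insists it must be truly random or derived from per-host, per-boot data.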
SLIDE 29

NEXT ON
SLIDE 30

Take away points and next time

  • TCP format
  • TCP connection
    – Setup, data exchange, shutdown
  • Portscanning and fingerprinting
  • Spoofing
    – Initial sequence numbers
  • Next time: TCP
    – Hijacking
    – Denial of service
      • SYN flooding
  • Next time: DNS