Network Attacks, Con't
CS 161: Computer Security
Prof. Vern Paxson
TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate Wang
http://inst.eecs.berkeley.edu/~cs161/
March 14, 2017
The Transport Layer: TCP
Layer 4: Transport Layer
End-to-end communication between processes. Different services provided:
  TCP = reliable byte stream
  UDP = unreliable datagrams (datagram = single packet message)
Layer stack: 7 Application / 4 Transport / 3 (Inter)Network / 2 Link / 1 Physical
"Best Effort" is Lame! What to do?
• It's the job of our Transport (layer 4) protocols to build the data delivery services our apps need out of IP's modest layer-3 service
• #1 workhorse: TCP (Transmission Control Protocol)
• Service provided by TCP:
  – Connection oriented (explicit set-up / tear-down)
    o End hosts (processes) can have multiple concurrent long-lived communications
  – Reliable, in-order, byte-stream delivery
    o Robust detection & retransmission of lost data
TCP "Bytestream" Service
Process A on host H1 writes Byte 0, Byte 1, Byte 2, Byte 3, …, Byte 80; Process B on host H2 reads Byte 0, Byte 1, Byte 2, Byte 3, …, Byte 80 in the same order.
Processes don't ever see packet boundaries, lost or corrupted packets, retransmissions, etc.
Bidirectional communication: there are two separate bytestreams, one in each direction (Process B on H2 writes its own Byte 0, Byte 1, Byte 2, Byte 3, …, Byte 73, which Process A on H1 reads).
TCP Header (follows the IP header, which follows the link-layer header):
    Source port | Destination port
    Sequence number
    Acknowledgment
    HdrLen | 0 (reserved) | Flags | Advertised window
    Checksum | Urgent pointer
    Options (variable)
    Data …
Ports are associated with OS processes.
IP source & destination addresses plus TCP source and destination ports uniquely identify a (bidirectional) TCP connection.

4. Connect to google.com server
[Figure: our host (216.97.19.132) reaches Google's server (172.217.6.78) through the gateway router; the resolver was used in the earlier steps.]
Suppose our browser used port 23144 for our connection, and Google's server used 443. Then our connection will be fully specified by the single tuple <216.97.19.132, 23144, 172.217.6.78, 443>.

Some port numbers are "well known", e.g. port 443 = HTTPS.
TCP Header: Sequence number = starting sequence number (byte offset) of the data carried in this "segment".
Byte streams are numbered independently in each direction.
The sequence number assigned to the start of a byte stream is picked when the connection begins; it doesn't start at 0.
TCP Header: Acknowledgment gives the seq # just beyond the highest seq. received in order.
If the sender successfully sends N bytestream bytes starting at seq S, then the "ack" for that will be S+N.
Sequence Numbers
[Figure: Host A sends TCP HDR + TCP Data to Host B, and B sends TCP HDR + TCP Data back. Each side starts at its own ISN (initial sequence number). Sequence number from A = 1st byte of data; ACK sequence number from B = next expected byte.]
TCP Header: Flags. Uses include acknowledging data ("ACK"), setting up connections ("SYN"), and closing connections ("FIN" and "RST").
Establishing a TCP Connection
Each host tells its Initial Sequence Number (ISN) to the other host. (Spec says to pick based on a clock.)
• Three-way handshake to establish connection
  – Host A sends a SYN (open; "synchronize sequence numbers") to host B
  – Host B returns a SYN acknowledgment (SYN+ACK)
  – Host A sends an ACK to acknowledge the SYN+ACK
  – Data then flows in both directions (A → B: SYN, ACK, Data; B → A: SYN+ACK, Data)
Timing Diagram: 3-Way Handshaking
Different starting initial sequence numbers (ISNs) in each direction.
  Server (passive open): listen()
  Client (initiator, active open): connect()
  Client → Server: SYN, SeqNum = x
  Server → Client: SYN+ACK, SeqNum = y, Ack = x + 1
  Client → Server: ACK, SeqNum = x + 1, Ack = y + 1
  Server: accept() returns
TCP Conn. Setup & Data Exchange
Client (initiator): IP address 1.2.1.2, port 3344. Server: IP address 9.8.7.6, port 80.
  1. SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, SYN, Seq = x
  2. SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, SYN+ACK, Seq = y, Ack = x+1
  3. SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Ack = y+1
  4. SrcA=1.2.1.2, SrcP=3344, DstA=9.8.7.6, DstP=80, ACK, Seq = x+1, Ack = y+1, Data = "GET /login.html"
  5. SrcA=9.8.7.6, SrcP=80, DstA=1.2.1.2, DstP=3344, ACK, Seq = y+1, Ack = x+16, Data = "200 OK … <html> …"
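The same exchange, replayed in Python as an added example (not the lecture's code). Both endpoints are modelled just far enough to show the seq/ack arithmetic: a SYN consumes one sequence number, data consumes one per byte, and a segment whose sequence number is not the next expected byte is dropped, which is the property later slides rely on. The addresses, ports and payloads are the slide's; the ISNs default to random 32-bit values (an assumption about modern stacks, not what the slide's clock-based spec text says) and can be pinned for a deterministic trace.

```python
"""Three-way handshake and first data exchange, tracking the seq/ack arithmetic.

Added example, not code from the CS 161 lecture. Addresses, ports and payloads
are the ones on the slide; ISNs default to random 32-bit values but can be pinned.
No retransmission, windows or FIN handling: just enough to watch the numbers move.
"""
import os
from dataclasses import dataclass

MOD = 2 ** 32


@dataclass
class Segment:
    src: tuple            # (ip, port)
    dst: tuple
    flags: frozenset
    seq: int
    ack: int = 0
    data: bytes = b""

    def __str__(self):
        f = "+".join(sorted(self.flags, reverse=True))   # e.g. SYN+ACK
        return (f"{self.src[0]}:{self.src[1]} -> {self.dst[0]}:{self.dst[1]} "
                f"{f} seq={self.seq} ack={self.ack} data={self.data!r}")


class Endpoint:
    """A minimal TCP endpoint holding one connection."""

    def __init__(self, ip, port, isn=None):
        self.addr = (ip, port)
        self.peer = None
        self.snd_nxt = int.from_bytes(os.urandom(4), "big") if isn is None else isn
        self.rcv_nxt = None       # learned from the peer's SYN
        self.state = "CLOSED"
        self.received = b""       # in-order bytes delivered to the application
        self.dropped = 0          # segments rejected for a wrong seq/ack

    def listen(self):
        self.state = "LISTEN"

    def _segment(self, flags, data=b""):
        seg = Segment(self.addr, self.peer, frozenset(flags), self.snd_nxt,
                      self.rcv_nxt or 0, data)
        # A SYN occupies one sequence number; data occupies len(data) of them.
        self.snd_nxt = (self.snd_nxt + len(data) + ("SYN" in flags)) % MOD
        return seg

    def connect(self, peer):
        self.peer, self.state = peer, "SYN_SENT"
        return self._segment({"SYN"})

    def send(self, data):
        assert self.state == "ESTABLISHED"
        return self._segment({"ACK"}, data)

    def receive(self, seg):
        """Process one incoming segment; return the reply to send, if any."""
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.peer, self.rcv_nxt = seg.src, (seg.seq + 1) % MOD
            self.state = "SYN_RCVD"
            return self._segment({"SYN", "ACK"})
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:           # must acknowledge exactly our SYN
                self.dropped += 1
                return None
            self.rcv_nxt, self.state = (seg.seq + 1) % MOD, "ESTABLISHED"
            return self._segment({"ACK"})
        if self.state == "SYN_RCVD" and "ACK" in seg.flags and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
        if self.state == "ESTABLISHED":
            if seg.seq != self.rcv_nxt:           # not the next expected byte: drop it
                self.dropped += 1
                return None
            self.received += seg.data
            self.rcv_nxt = (self.rcv_nxt + len(seg.data)) % MOD
        return None


def run_exchange(client_isn=None, server_isn=None):
    """Replay the slide's exchange; returns (segment log, client, server)."""
    client = Endpoint("1.2.1.2", 3344, client_isn)
    server = Endpoint("9.8.7.6", 80, server_isn)
    server.listen()
    syn = client.connect(server.addr)
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)                      # handshake now complete on both sides
    request = client.send(b"GET /login.html")
    server.receive(request)
    response = server.send(b"200 OK ... <html> ...")
    client.receive(response)
    return [syn, syn_ack, ack, request, response], client, server


if __name__ == "__main__":
    for seg in run_exchange(client_isn=1000, server_isn=5000)[0]:
        print(seg)
```

Running it with pinned ISNs prints the five segments with x = 1000 and y = 5000, so the Ack of x+16 after the 15-byte "GET /login.html" is visible directly. Sequence arithmetic is done modulo 2^32 throughout, since an ISN near the top of the space wraps within the first few bytes.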
TCP Threat: Disruption
• Normally, TCP finishes ("closes") a connection by each side sending a FIN control message
  – Reliably delivered, since the other side must ack it
• But: if a TCP endpoint finds itself unable to continue (its process dies; info from the other "peer" is inconsistent), it abruptly terminates by sending a RST control message
  – Unilateral
  – Takes effect immediately (no ack needed)
  – Only accepted by the peer if it carries the correct sequence number
TCP Header with the RST flag set:
    Source port | Destination port
    Sequence number
    Acknowledgment
    HdrLen | 0 | Flags: RST | Advertised window
    Checksum | Urgent pointer
    Options (variable)
Abrupt Termination
[Figure, time running left to right: A → B SYN; B → A SYN ACK; A → B ACK; A → B Data; A → B RST; an X marks where the connection ends.]
• A sends a TCP packet with RESET (RST) flag to B
  – E.g., because app. process on A crashed
  – (Could instead be that B sends a RST to A)
• Assuming that the sequence numbers in the RST fit with what B expects, That's It:
  – B's user-level process receives: ECONNRESET
  – No further communication on connection is possible
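What "fit with what B expects" means in practice, as an added example (not the lecture's code): in the original TCP specification (RFC 793) a RST is accepted if its sequence number falls anywhere in the receiver's current window; RFC 5961 tightened this so that only an exact match on the next expected byte resets the connection, while an in-window but inexact RST just provokes a "challenge ACK". The code below encodes both rules and then plays an off-path attacker who knows the connection's 4-tuple but not its sequence numbers, sweeping the 2^32 space in window-sized steps. The receiver state values (RCV.NXT, a 64 KiB window) are constructed for the illustration.

```python
"""Which RST segments does a TCP receiver accept?

Added example; not from the CS 161 lecture. Encodes RFC 793's in-window test and
RFC 5961's exact-match test, then measures how many blind spoofed RSTs an
off-path attacker needs under each. Receiver state values are constructed.
"""
from enum import Enum

MOD = 2 ** 32


class Verdict(Enum):
    DROP = "drop"                    # outside the window: silently discarded
    CHALLENGE_ACK = "challenge-ack"  # RFC 5961: in window but SEG.SEQ != RCV.NXT
    RESET = "reset"                  # connection dies; the app sees ECONNRESET


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2^32 so wrap-around works."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def rst_verdict(seg_seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What a receiver in state (RCV.NXT, RCV.WND) does with an RST carrying SEG.SEQ."""
    if not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return Verdict.DROP
    if rfc5961 and seg_seq != rcv_nxt:
        return Verdict.CHALLENGE_ACK
    return Verdict.RESET


def blind_rst_sweep(rcv_nxt, rcv_wnd, rfc5961=True):
    """Off-path attacker who knows the 4-tuple but not the sequence number.

    Sends spoofed RSTs at SEG.SEQ = 0, RCV.WND, 2*RCV.WND, ... so that one of them
    must land in any window of that size. Returns (RSTs sent when one was accepted,
    or None if the whole space was swept without success, challenge ACKs provoked).
    """
    sent = challenges = 0
    for seg_seq in range(0, MOD, rcv_wnd):
        sent += 1
        verdict = rst_verdict(seg_seq, rcv_nxt, rcv_wnd, rfc5961)
        if verdict is Verdict.RESET:
            return sent, challenges
        if verdict is Verdict.CHALLENGE_ACK:
            challenges += 1
    return None, challenges


if __name__ == "__main__":
    # Constructed receiver state: next expected byte 123456789, 64 KiB window.
    for strict in (False, True):
        print("RFC 5961" if strict else "RFC 793 ",
              blind_rst_sweep(123456789, 65535, rfc5961=strict))
```

With a 65535-byte window the RFC 793 rule lets the sweep succeed within 2^32 / 65535, about 65537, spoofed packets, which is why the in-window rule alone was considered too weak; under the RFC 5961 rule the same sweep produces a single challenge ACK and no reset, and an attacker would have to try each of the 2^32 values. The challenge ACK is itself a side channel (it tells an attacker who can observe it that a guess was in-window), so real stacks rate-limit it.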