TCP/IP: TCP
Network Security Lecture 6
TCP
• Based on IP
• Provides a connection-oriented, reliable stream delivery service (handles loss, duplication, transmission errors, reordering)
• Provides port abstraction (like UDP)
• Establishes a virtual circuit (over packet-switching IP)
  – (source IP address, source port, destination IP address, destination port)
  – Full duplex: two streams
• RFC 793
Eike Ritter Network Security - Lecture 6 1
TCP segment
 0                   16                  31
 +-------------------+-------------------+
 |    Source port    |  Destination port |
 +-------------------+-------------------+
 |            Sequence number            |
 +---------------------------------------+
 |         Acknowledgment number         |
 +-------+----+------+-------------------+
 |Hdr len|Rsvd|Flags |      Window       |
 +-------+----+------+-------------------+
 |     Checksum      |  Urgent pointer   |
 +-------------------+-------------------+
 |  Options (if hdr_len > 5)  | Padding  |
 +----------------------------+----------+
 |                 Data                  |
 +---------------------------------------+
TCP segment (figure)
TCP encapsulation
  TCP segment:                              | TCP header | TCP data |
  IP datagram:                 | IP header  |       IP data         |
  Frame:        | Frame header |             Frame data             |
The TCP segment (header + data) travels as the IP data; the IP datagram (header + data) travels as the frame data.
TCP encapsulation (figure)
TCP seq/ack numbers
• The sequence number specifies the position of this segment’s data in the communication stream
  – SEQ=1234 means that the payload of this segment contains data starting from byte 1234
• The acknowledgment number specifies the position of the next byte expected from the host
  – ACK=1234 means that the host has received correctly up to byte 1233 and expects byte 1234
• Basis for retransmission of lost segments and for detecting duplicates
TCP flags
• Used for the setup/shutdown of the virtual circuit and other operations on it:
  – SYN: used in connection setup
  – ACK: acknowledgment number is valid
  – FIN: request to shut down one stream
  – RST: reset the virtual circuit
  – URG: indicates that the urgent pointer is valid
  – PSH: indicates that data should be passed to the application as soon as possible (“push”)
TCP virtual circuit setup
• TCP establishes a connection-oriented communication service on top of packet-oriented IP
• The setup is done through the three-way handshake
  – Client sends a SYN to the server (active open); sequence number is I_A
  – Server replies with SYN-ACK; the ack is set to I_A + 1; sequence number is I_B
  – Client sends ACK; the ack is set to I_B + 1; sequence number is I_A + 1
Initial sequence number (figure: three-way handshake between Server:80 and Client:7890)
Initial sequence numbers
• What to use as the initial sequence number?
• The original standard specified that the sequence number should be incremented every 4 microseconds
• BSD UNIXes initially used a number that is incremented by 64,000 every half second and by 64,000 every time a connection is established
• We’ll see in a bit if these are good choices…
TCP data exchange
• Host sends data
  – Acknowledgment number: acknowledges everything received up to the previous segment
  – Sequence number: initial sequence number increased by the amount of data transferred so far
• Recipient (RCV) accepts a segment (SEG) if the segment is inside the receive window
  – RCV.ACK <= SEG.SEQ < RCV.ACK + RCV.WINDOW
    or RCV.ACK <= SEG.SEQ + SEG.LENGTH – 1 < RCV.ACK + RCV.WINDOW
• Empty segments may be exchanged to acknowledge received data
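An added example (not part of the lecture slides) that works through the handshake numbers of the setup slide and the receive-window check above in Python. It goes beyond the slide in two ways: sequence numbers are compared modulo 2^32 so the check survives wraparound, and the RFC 793 special cases for zero-length segments and a zero window are included. RCV.ACK is the slide's name for what RFC 793 calls RCV.NXT.

```python
# Added example, not from the slides: TCP sequence/acknowledgment arithmetic.
MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def three_way_handshake(i_a: int, i_b: int):
    """(seq, ack) carried by SYN, SYN-ACK and ACK for initial numbers I_A, I_B."""
    syn = (i_a % MOD, None)                          # client: no valid ack yet
    syn_ack = (i_b % MOD, (i_a + 1) % MOD)           # server acknowledges the SYN
    ack = ((i_a + 1) % MOD, (i_b + 1) % MOD)         # client acknowledges the SYN-ACK
    return syn, syn_ack, ack


def in_window(rcv_ack: int, rcv_window: int, seq: int) -> bool:
    """RCV.ACK <= seq < RCV.ACK + RCV.WINDOW, evaluated modulo 2^32."""
    return (seq - rcv_ack) % MOD < rcv_window


def accept_segment(rcv_ack: int, rcv_window: int, seg_seq: int, seg_len: int) -> bool:
    """True if the receiver accepts a segment whose first byte is seg_seq and
    which occupies seg_len sequence numbers (payload bytes, +1 for SYN/FIN)."""
    if seg_len == 0:
        if rcv_window == 0:                          # RFC 793: only the exact next byte
            return seg_seq % MOD == rcv_ack % MOD
        return in_window(rcv_ack, rcv_window, seg_seq)
    if rcv_window == 0:                              # no room for data at all
        return False
    first, last = seg_seq, seg_seq + seg_len - 1
    # Slide condition: the first byte or the last byte falls inside the window.
    return in_window(rcv_ack, rcv_window, first) or in_window(rcv_ack, rcv_window, last)


def next_ack(rcv_ack: int, seg_seq: int, seg_len: int) -> int:
    """ACK to send after a segment: advances only when the segment is in order,
    otherwise the receiver re-acknowledges what it already has."""
    if seg_seq % MOD != rcv_ack % MOD:
        return rcv_ack % MOD
    return (rcv_ack + seg_len) % MOD
```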
Data exchange (figure: segments between Server:80 and Client:7890, each carrying data len: 15)
TCP virtual circuit shutdown
• One of the hosts, say the server, shuts down its stream by sending a segment with the FIN flag set
• The other host, the client, acknowledges the receipt
• From this point on, the server will not send any data
  – It will only send ACKs for the data it receives
• When the client shuts down its stream, the virtual circuit is closed
Virtual circuit shutdown (figure: Server:80 and Client:7890; the server closes its half of the circuit, then the client closes its half of the circuit)
TCP portscan
• Used to determine the TCP services available on a host
  – Each service is traditionally associated with a specific port (see /etc/services)
  – Assumption: an open port implies the corresponding service is available
• Simplest form: “connect scan”
  – Connect to all possible ports
  – If the three-way handshake succeeds, the port is open
• Disadvantage:
  – Noisy
TCP connect scan
$ nmap -sT 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:15 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
TCP connect scan
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.46767: Flags [S.]
IP 172.16.48.139.46767 > 172.16.48.130.80: Flags [.]
IP 172.16.48.139.47399 > 172.16.48.130.3325: Flags [S]
IP 172.16.48.139.36666 > 172.16.48.130.2910: Flags [S]
IP 172.16.48.139.48912 > 172.16.48.130.1433: Flags [S]
IP 172.16.48.139.53332 > 172.16.48.130.1082: Flags [S]
IP 172.16.48.139.36286 > 172.16.48.130.63331: Flags [S]
IP 172.16.48.139.41808 > 172.16.48.130.5100: Flags [S]
IP 172.16.48.139.44684 > 172.16.48.130.444: Flags [S]
IP 172.16.48.130.1433 > 172.16.48.139.48912: Flags [R.]
IP 172.16.48.130.1082 > 172.16.48.139.53332: Flags [R.]
IP 172.16.48.130.63331 > 172.16.48.139.36286: Flags [R.]
IP 172.16.48.130.5100 > 172.16.48.139.41808: Flags [R.]
IP 172.16.48.130.444 > 172.16.48.139.44684: Flags [R.]
TCP SYN portscan
• Attacker sends a SYN packet
• The target host
  – Replies with a SYN/ACK, if the port is open
  – Replies with a RST, if the port is closed
• The attacker sends a RST instead of the ACK that would complete the three-way handshake
• Connection is never completed
  – Applications do not record the event in their logs
TCP SYN portscan
$ sudo nmap -sS 172.16.48.130
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-21 01:30 PST
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
3306/tcp open  mysql
5000/tcp open  upnp
6000/tcp open  X11
8000/tcp open  http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
TCP SYN portscan
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.130.111 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [R]
TCP FIN/Xmas scans
• TCP RFC says
  – If the port is closed, an incoming segment not containing RST causes a RST to be sent
  – If the port is open, an incoming segment without SYN, RST, or ACK is silently dropped
• FIN scan
  – Send segment with FIN
  – If RST received, port is closed; else open
• Xmas scan
  – Send segment with FIN, PSH, and URG
  – If RST received, port is closed; else open
TCP FIN/Xmas scans
$ sudo nmap -sF 172.16.48.130   [target is Linux]
Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 172.16.48.130:
Not shown: 992 closed ports
PORT     STATE         SERVICE
...
8000/tcp open|filtered http-alt
15:50:33.991035 IP 172.16.48.139.49879 > 172.16.48.130.1700: F 2638861074:2638861074(0) win 3072
15:50:33.991038 IP 172.16.48.130.1700 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991041 IP 172.16.48.139.49879 > 172.16.48.130.625: F 2638861074:2638861074(0) win 2048
15:50:33.991043 IP 172.16.48.130.625 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:33.991066 IP 172.16.48.139.49879 > 172.16.48.130.1104: F 2638861074:2638861074(0) win 4096
15:50:33.991070 IP 172.16.48.130.1104 > 172.16.48.139.49879: R 0:0(0) ack 2638861075 win 0
15:50:34.027421 IP 172.16.48.139.49880 > 172.16.48.130.8000: F 2638795539:2638795539(0) win 2048
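An added example (not from the lecture slides) of the detection side of the SYN-scan and FIN/Xmas-scan slides: a Python script that reads tcpdump lines in the "Flags [..]" format of the connect-scan and SYN-scan captures and reports, per source host, the indicators a defender would alert on: many ports probed with a bare SYN, RST/ACK replies from closed ports, a bare RST sent in place of the final ACK after a SYN-ACK (the half-open pattern), and FIN segments without ACK (FIN/Xmas probes). The trace embedded below is constructed; the older "F seq:seq(0)" capture format of the FIN-scan slide is not parsed.

```python
# Added example, not from the slides: scan indicators from tcpdump "Flags [..]" lines.
import re
from collections import defaultdict

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse(line):
    """Return (src, sport, dst, dport, flags) or None for a non-matching line."""
    m = LINE.search(line)
    return None if m is None else (m[1], int(m[2]), m[3], int(m[4]), m[5])


def scan_report(lines, min_ports=5):
    """Per source host: distinct (target, port) pairs probed with a bare SYN,
    RST/ACK replies (closed ports), bare RSTs after a SYN-ACK (half-open scan)
    and FIN segments without ACK (FIN/Xmas probes). A host is reported when it
    probes at least min_ports ports or shows a half-open or FIN-scan pattern."""
    probed, stats, synack = defaultdict(set), defaultdict(lambda: defaultdict(int)), set()
    for src, sport, dst, dport, flags in filter(None, map(parse, lines)):
        if flags == "S":                                 # bare SYN: new connection attempt
            probed[src].add((dst, dport))
        elif flags == "S.":                              # target answers SYN-ACK: port open
            synack.add((dst, dport, src, sport))         # (scanner, sport, target, tport)
        elif flags == "R.":                              # target answers RST/ACK: port closed
            stats[dst]["rst_closed"] += 1
        elif flags == "R" and (src, sport, dst, dport) in synack:
            stats[src]["half_open_reset"] += 1           # RST instead of the final ACK
        elif "F" in flags and "." not in flags:
            stats[src]["fin_no_ack"] += 1                # FIN without ACK: never a real close
    report = {}
    for host in set(probed) | set(stats):
        s = dict(stats[host])
        s["syn_probed"] = len(probed[host])
        if s["syn_probed"] >= min_ports or s.get("half_open_reset") or s.get("fin_no_ack"):
            report[host] = s
    return report


TRACE = """\
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 172.16.48.139.39558: Flags [S.]
IP 172.16.48.139.39558 > 172.16.48.130.80: Flags [R]
IP 172.16.48.139.39558 > 172.16.48.130.256: Flags [S]
IP 172.16.48.130.256 > 172.16.48.139.39558: Flags [R.]
IP 172.16.48.139.39558 > 172.16.48.130.111: Flags [S]
IP 172.16.48.139.39558 > 172.16.48.130.22: Flags [S]
IP 172.16.48.139.39558 > 172.16.48.130.443: Flags [S]
IP 172.16.48.139.49880 > 172.16.48.130.8000: Flags [FPU]
IP 10.0.0.5.51000 > 172.16.48.130.80: Flags [S]
IP 172.16.48.130.80 > 10.0.0.5.51000: Flags [S.]
IP 10.0.0.5.51000 > 172.16.48.130.80: Flags [.]
"""  # constructed trace: one scanning host and one ordinary client of port 80
```

Running `scan_report(TRACE.splitlines())` reports only 172.16.48.139; the client 10.0.0.5, which completes its handshake, is not listed.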