TCP, UDP, ICMP - Dr. Stephen C. Hayne
TCP/IP Refresher

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne

Vertical & Horizontal Communication

[Figure: sender and receiver protocol stacks (Protocol Layer n+1, Protocol Layer n, down to Protocol Layer 1), with peer layers communicating horizontally and each stack passing data vertically]

The TCP/IP “Suite” of Protocols

- RFCs developed & maintained by the Internet Engineering Task Force (IETF)
- Originally, no security provisions
  - Transmission Control Protocol (TCP)
  - User Datagram Protocol (UDP)
  - Internet Protocol (IP)
  - Internet Control Message Protocol (ICMP)
- Security provided at the application level
- IPSec is a security add-on for IPv4
- IPv6 incorporates IPSec

TCP/IP

- In this model, the top 3 layers in the OSI model are usually reduced to just “the application layer”
  - Application Layer
  - TCP
  - IP
  - Data Link Layer
  - Physical Layer
- In reality, we will later squeeze a layer in between the application layer and TCP’s layer

TCP/IP

- Transmission Control Protocol (TCP)
  - the “workhorse” on the Internet
  - at OSI Layer 4 (Transport Layer)
  - ensures packets get to the right place, in the right order
  - creates the TCP segment by adding a header
  - the User Datagram Protocol (UDP) also operates at this layer
- Internet Protocol (IP)
  - most commonly used protocol at OSI Layer 3 (Network Layer)
  - delivers packets end-to-end
  - creates the IP datagram by adding a header
  - the Internet Control Message Protocol (ICMP) also operates at this layer

The TCP Header (32-bit words)

- TCP Source Port | TCP Destination Port
- Sequence Number
- Acknowledgment Number
- Data Offset | Reserved | Control Bits | Window
- Checksum | Urgent Pointer
- Options (if any) | Padding
- Data
TCP Control/Code Bits

- URG: the Urgent Pointer is significant
- ACK: the Acknowledgement field is significant
- PSH: Push Function — flush data
- RST: reset the connection (due to an error condition)
- SYN: synchronize sequence numbers; used during the 3-way handshake to establish a connection
- FIN: “the end” en français

3-way TCP Handshake

[Figure: 3-way TCP handshake diagram by Steve Gibson, Gibson Research Corporation]

TCP/IP Port Numbers

- Client sets the destination port to a well-known port on the server.
- Client source port is generated dynamically and is set to > 1023.
- Use the ‘netstat -an’ command to see which ports are currently used.

Application’s TCP Ports

- File Transfer Protocol (FTP): Port 21
- Secure Shell (SSH): Port 22
- Telnet: Port 23
- Simple Mail Transfer Protocol (SMTP): Port 25
- Post Office Protocol version 3 (POP3): Port 110
- HyperText Transfer Protocol (HTTP): Port 80
- Secure HyperText Transfer Protocol (HTTPS): Port 443
- Kerberos: Port 88 [Stallings, §4.1]
- Echo: Port 7
- Finger: Port 79
- Network News Transfer Protocol (NNTP): Port 119
- Gopher: Port 70
- Doom: Port 666
- Back Orifice Trojan: Port 31337!

TCP v. UDP

TCP:
- has control (= code) bits (6 bits: what part of the session?)
- has a 3-way handshake
  - SYN=1, initial seq. no.
  - ACK=SYN=1, initial seq. no., acknowledgment no.
  - ACK=1, ack. no.
- has sequence numbers
- has more overhead
- SYN, ACK, RST help attackers find open ports

UDP:
- “connectionless” protocol
- “unreliable” protocol
- no control bits
- no 3-way handshake: can’t tell if a packet is ...
  - the start of a message
  - a response
  - a malicious scan
- no sequence numbers: packets may be permuted
- dropped packets are not retransmitted

The UDP Header (32-bit words)

- UDP Source Port | UDP Destination Port
- Message Length | Checksum
- Data

UDP

- The UDP header contains only the source and destination ports, message length, checksum and the data.
- 16-bit port number, so 65535 possible ports.
- It’s harder for network devices to understand and track UDP status.
- You can’t tell from the header what part of the transmission it is.
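As an added example (not part of the original slides), the Python code below decodes the 20-byte TCP header laid out above and maps each segment's control bits to the handshake step listed in the TCP v. UDP comparison. The three segments are constructed samples with the checksum left at zero; port 49152 is an assumed ephemeral client port (> 1023) talking to SSH on port 22.

```python
import struct

# TCP control bits: the low 6 bits of the 16-bit word that also carries Data Offset
FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields named on the header slide."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # Data Offset is counted in 32-bit words
    flags = [name for name, bit in FLAGS.items() if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": csum, "urgent_ptr": urg, "options": segment[20:header_len]}

def handshake_step(hdr: dict) -> str:
    """Map the control bits to the 3-way handshake step listed on the TCP v. UDP slide."""
    f = set(hdr["flags"])
    if f == {"SYN"}:
        return "step 1: SYN=1, initial seq. no."
    if f == {"SYN", "ACK"}:
        return "step 2: ACK=SYN=1, initial seq. no., acknowledgment no."
    if f == {"ACK"}:
        return "step 3: ACK=1, ack. no."
    if "RST" in f:
        return "reset"
    return "data transfer or teardown"

def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535) -> bytes:
    """Constructed sample segment: 20-byte header, no options, checksum left at 0."""
    bits = sum(FLAGS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)

# Constructed handshake: assumed ephemeral client port 49152 (> 1023) to SSH on port 22
HANDSHAKE = [
    build_tcp_header(49152, 22, 1000, 0, ["SYN"]),
    build_tcp_header(22, 49152, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(49152, 22, 1001, 5001, ["ACK"]),
]

def classify(segments) -> list:
    """Return the handshake step of each segment, in order."""
    return [handshake_step(parse_tcp_header(s)) for s in segments]

if __name__ == "__main__":
    for s in HANDSHAKE:
        h = parse_tcp_header(s)
        print(f"{h['src_port']} -> {h['dst_port']} {h['flags']}: {handshake_step(h)}")
```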
- More difficult to secure, therefore easy to use to attack.

Application’s UDP Ports

- Requests for Domain Name Service (DNS) lookup: Port 53
- Trivial File Transfer Protocol (TFTP): Port 69
- Simple Network Management Protocol (SNMP): Port 161 [Stallings, Chp. 8]
- Echo: Port 7
- Gopher: Port 70
- RealPlayer [streaming] Data: Port 7070 (among others)

The IP Header (32-bit words)

- Version | IHL | Service Type | Total Length
- Identification | Flags | Fragment Offset
- Time to Live | Protocol | Header Checksum
- Source IP Address
- Destination IP Address
- Options (if any) | Padding
- Data

Some IP Header Components

- Internet Header Length (IHL)
- Service type: sensitivity to delays
- Identification: supports fragment reassembly
- Flags: “Don’t Fragment,” “More Fragments”
- Fragment Offset: this fragment’s position in the packet
- Time-to-Live (TTL): max. no. of router-to-router hops the packet can take

Internet Control Message Protocol (ICMP)

- Network layer, “network plumber”
- Provides more control than IP
- Same header format as IP, except . . .
  - the protocol field holds the value 1 (= ICMP)
  - the data component holds an ICMP type field:
    - 0: echo reply
    - 3: destination unreachable
    - 4: source quench
    - 5: redirect
    - 8: echo
    - 11: time exceeded
    - 12: parameter problem
    - 13: timestamp
    - 14: timestamp reply
    - 15: information request
    - 16: information reply

IP Addresses

- 2^32 (= 4,294,967,296) dotted-quad addresses
  - binary: 32 bits; min: 00000000000000000000000000000000, max: 11111111111111111111111111111111
  - decimal: 4 groups of 3 digits (0-255); min: 0.0.0.0, max: 255.255.255.255
- Not all addresses are available
  - some set aside for private networks (“unroutable”): 10.x.y.z, 172.16.y.z, 192.168.y.z
  - 127.0.0.1 connects any machine back to itself!
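Added example, not from the original slides: a decoder for the IP header fields and the ICMP type table above, which reads the ICMP type from the first data byte whenever the protocol field is 1. The datagram is a constructed ICMP echo between two private addresses, with the header checksum left at zero and no options.

```python
import struct

# ICMP type values from the ICMP slide (the type is the first byte of the IP data)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp", 14: "timestamp reply", 15: "information request",
              16: "information reply"}

def dotted_quad(raw: bytes) -> str:
    """Render 4 address bytes as decimal groups, e.g. 10.0.0.5."""
    return ".".join(str(b) for b in raw)

def parse_ipv4(datagram: bytes) -> dict:
    """Decode the IPv4 header fields named on the IP-header slide; add the ICMP type if protocol is 1."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte minimum IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4:
        raise ValueError(f"not an IPv4 datagram (version {version})")
    hdr = {"ihl": ihl, "service_type": tos, "total_length": total_len,
           "identification": ident,
           "dont_fragment": bool(flags_frag & 0x4000),     # DF flag
           "more_fragments": bool(flags_frag & 0x2000),    # MF flag
           "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
           "ttl": ttl, "protocol": proto, "header_checksum": csum,
           "src": dotted_quad(src), "dst": dotted_quad(dst),
           "data": datagram[ihl:total_len]}
    if proto == 1 and hdr["data"]:                          # protocol 1 = ICMP
        hdr["icmp_type"] = hdr["data"][0]
        hdr["icmp_name"] = ICMP_TYPES.get(hdr["data"][0], "unknown")
    return hdr

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl=64, df=True) -> bytes:
    """Constructed sample datagram: no options, header checksum left at 0."""
    def to_bytes(a): return bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000 if df else 0, ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return header + payload

# Constructed ICMP echo (type 8, code 0, zero checksum, id 1, seq 1) between private addresses
ECHO = build_ipv4("10.0.0.5", "192.168.1.1", 1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))

if __name__ == "__main__":
    h = parse_ipv4(ECHO)
    print(h["src"], "->", h["dst"], "proto", h["protocol"], "TTL", h["ttl"], h.get("icmp_name"))
```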
MAC Addresses

- Medium Access Control (MAC) addresses
- Data link layer
- 48 bits
- Globally unique
  - each card manufacturer has a range of addresses to assign
  - each card has its own MAC address
- Address Resolution Protocol (ARP) table contains MAC-to-IP mappings

Types of Network Connection Points

- Hub: dumb, broadcasts all packets to everybody
- Bridge: connects 2+ networks, sends packet to destination
- Switch: additional intelligence, sends packets to one specific MAC address
- Router: connects several networks, can look up the best route
- [Personal] firewall [Stallings, Chp. 10]: hardware/software that passes only authorized packets

Network Address Translation (NAT)

- Mapping to a single external IP address
  - every inbound packet appears to come from the NAT device’s IP address
  - connects a large, IP-address-poor network to the Internet
- One-to-one mapping
  - each machine on the internal network is mapped to a valid IP address
  - maps user requests to a perimeter network

NAT Example

[Figure: NAT example diagram]

Traditional Packet Filters v. Stateful Packet Filters

- Traditional packet filters can filter based on . . .
  - source IP address
  - destination IP address
  - source TCP/UDP port
  - destination TCP/UDP port
  - TCP code bits
  - protocol in use
  - direction
  - interface
- Stateful packet filters can also filter using a state table which . . .
  - remembers previous packets: an outgoing SYN should be followed by an incoming ACK from the appropriate address
  - has timeouts (10-90 secs.): remove the entry if no further packets are associated with it after the interval

Adding Security via Protocols

- Application-layer security
  - Secure Socket Layer (SSL) / Transport Layer Security (TLS) [Stallings, §7.2]
  - Pretty Good Privacy (PGP) [Stallings, §5.1]
  - Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2]
  - Secure Shell (SSH)
  - HTTPS is HTTP running over SSL (on Port 443)
- Internet Protocol Security (IPSec) [Stallings, Chp. 6]
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
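Added example, not from the original slides, illustrating the state-table logic of the stateful packet filter slide above: an outgoing SYN creates an entry, an inbound packet passes only if it carries ACK and mirrors that entry from the appropriate address, and idle entries expire. The 60-second timeout is an assumption inside the 10-90 second range the slide gives, and the traffic is constructed (192.168.1.10 as the internal host, 203.0.113.7 and 198.51.100.9 from the documentation address ranges as outside hosts).

```python
from dataclasses import dataclass

TIMEOUT_SECS = 60   # assumption chosen inside the 10-90 second range quoted on the slide
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
    direction: str        # "out" (leaving the protected network) or "in"

class StatefulFilter:
    """State table keyed by the outgoing (src, sport, dst, dport) 4-tuple."""
    def __init__(self, timeout: float = TIMEOUT_SECS):
        self.timeout = timeout
        self.table = {}   # 4-tuple -> time of the last packet that matched the entry
    def expire(self, now: float) -> int:
        """Drop entries with no associated packets for longer than the timeout."""
        stale = [k for k, t in self.table.items() if now - t > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def decide(self, pkt: Packet, now: float) -> str:
        self.expire(now)
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if ("SYN" in pkt.flags and "ACK" not in pkt.flags) or key in self.table:
                self.table[key] = now      # remember the outgoing SYN / refresh the session
            return "allow"
        # inbound: must mirror a remembered outgoing tuple (appropriate address) and carry ACK
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table and "ACK" in pkt.flags:
            self.table[key] = now
            return "allow"
        return "deny"

def run_scenario() -> list:
    """Constructed traffic: internal 192.168.1.10 opens HTTP to 203.0.113.7, then four inbound packets."""
    fw, f = StatefulFilter(), frozenset
    events = [
        (0.0, Packet("192.168.1.10", 40000, "203.0.113.7", 80, f({"SYN"}), "out")),
        (0.1, Packet("203.0.113.7", 80, "192.168.1.10", 40000, f({"SYN", "ACK"}), "in")),  # expected reply
        (0.2, Packet("198.51.100.9", 80, "192.168.1.10", 40000, f({"SYN", "ACK"}), "in")),  # wrong address
        (0.3, Packet("198.51.100.9", 55555, "192.168.1.10", 22, f({"SYN"}), "in")),         # unsolicited SYN
        (100.0, Packet("203.0.113.7", 80, "192.168.1.10", 40000, f({"ACK"}), "in")),        # after timeout
    ]
    return [fw.decide(p, t) for t, p in events]
```

Running `run_scenario()` yields allow, allow, deny, deny, deny: only the reply from the address the SYN went to passes, and even that address is refused once the entry has aged out.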