Network Security CS 478/CIS 678 Intro to TCP/IP
Mar 18, 2016
Objectives
Reading: Computer Security Principles and Practice, W Stallings, L Brown
• Appendix E
The student should be able to:
• Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).
Internet Architecture
TCP/IP Packet
(figure) Ethernet (L2) | IP (L3) | TCP (L4) | Application | CRC
• Ethernet: What physical node to send to?
• IP: Source & destination logical addr.
• TCP: Which app does this go to?
• Application: What data is actually being sent?
• CRC: Packet check code
Addressing Requirements
• two levels of addressing required
• each host on a subnet needs a unique global network address
– its IP address
• each application on a (multi-tasking) host needs a unique address within the host
– known as a port
TCP/IP Packet
(figure) Ethernet (L2) | IP (L3) | TCP (L4) | Application | CRC
• Ethernet: What physical node to send to? Address on LAN: 00:0c:29:80:ec:29
• IP: Source & destination logical addr. Ginger.cs.uwp.edu 124.36.92.81
• TCP: Which app does this go to? Port 80 = web
• Application: What data is actually being sent? "Hi Alice, Are you coming to the party on Friday?"
• CRC: Packet check code
Operation of TCP and IP
Operation of TCP/IP
Some TCP/IP Protocols
Protocols used at each Layer
L5 = Application
L4 = Transport:
• TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
• UDP: User Datagram Protocol (Only Port Addressing)
L3 = Network:
• IP: Internet Protocol (Routing)
• ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)
L2 = Data Link Layer - Medium Access Control (MAC):
• Ethernet Protocol
• ARP: Address Resolution Protocol (Translates IP to MAC addresses)
Physical Layer: Layer 1
• Basic Function: Concerned with physical interface between computer and network
• concerned with issues like:
– characteristics of transmission medium
– signal levels
– data rates
– other related matters
Network Access Layer: Layer 2
• Basic Function: Coordinate multiple access on LAN
• exchange of data between an end system and attached network
• concerned with issues like:
– destination address provision
– invoking specific services like priority
– access to & routing data across a network link between two attached systems
• allows layers above to ignore link specifics
• Example protocol: Ethernet
Internet Layer (IP): Layer 3
• Basic Function: Routing packets across network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relay data between them
# Time Source IP Dest IP App Packet Type
152 001559 10.1.1.165 10.1.1.128 IP Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)
Internet Protocol (IP)
• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem: Spoofed fragments replace or confuse real data
• Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)
IP Header
IP Header Format
First 8 nibbles:
• 0-3: IP Version (V4 or V6)
• 4-7: Header length (in 32-bit words)
• 8-15: Type of service (relates to quality of service - ignore for this class)
• 16-31: Total length
Second 8 nibbles:
• 0-15: Identification (used with fragmentation)
• 16-18: Flags: More bit, Don't Fragment
• 19-31: Fragment offset
Third 8 nibbles:
• 0-7: Time to live
• 8-15: Next Protocol (e.g. TCP, ICMP)
• 16-31: Header Checksum
Fourth 8 nibbles: Source IP Address
Fifth 8 nibbles: Destination IP Address
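The header layout above, worked as an added example (not from the slides or the textbook): a small Python decoder that unpacks the fixed 20-byte IPv4 header, recomputes the header checksum, and reports the fragmentation fields that matter for the two security problems on the previous slide. The packets it decodes are constructed by build_ipv4_header() to mirror the sniffer line shown earlier (ICMP, off=0, ID=19d9); no capture is used.

```python
"""Added example (not from the slides): decode an IPv4 header field by field,
verify the header checksum, and expose the fragmentation fields.
build_ipv4_header() constructs the sample packets used below; nothing here is
captured from a real network."""
import socket
import struct

IP_FLAG_DF = 0x4000            # Don't Fragment bit of the 3-bit flags field
IP_FLAG_MF = 0x2000            # More Fragments bit
IP_HDR_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed header, network byte order


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ident, *,
                      df=False, mf=False, frag_offset=0, ttl=64):
    """Construct a 20-byte IPv4 header with a valid checksum.
    frag_offset is in bytes and must be a multiple of 8 (the field counts 8-byte units)."""
    flags_frag = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0) | (frag_offset // 8)
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the header fields the way a sniffer shows them, plus a checksum verdict."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack(IP_HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    zeroed = bytes(pkt[:10]) + b"\x00\x00" + bytes(pkt[12:ihl])  # checksum field counts as 0
    mf = bool(flags_frag & IP_FLAG_MF)
    offset = (flags_frag & 0x1FFF) * 8
    return {
        "version": version, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & IP_FLAG_DF), "mf": mf,
        "frag_offset": offset, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum_ok": rfc1071_checksum(zeroed) == hdr_csum,
        "is_fragment": mf or offset > 0,
        # only the fragment at offset 0 carries the TCP/UDP/ICMP header, so a
        # filter that keys on ports sees nothing useful in the later fragments
        "has_transport_header": offset == 0,
    }


if __name__ == "__main__":
    # constructed to mirror the slide's "Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)"
    first = build_ipv4_header("10.1.1.165", "10.1.1.128", 1, 1480, 0x19D9, mf=True)
    second = build_ipv4_header("10.1.1.165", "10.1.1.128", 1, 100, 0x19D9, frag_offset=1480)
    for h in (parse_ipv4_header(first), parse_ipv4_header(second)):
        print("id=%04x off=%d mf=%s transport_hdr=%s checksum_ok=%s"
              % (h["id"], h["frag_offset"], h["mf"], h["has_transport_header"], h["checksum_ok"]))
```

The has_transport_header flag is the point behind the "fragmented attacks may not be noticed" bullet: a device that reassembles nothing and inspects only ports can classify the first fragment, while every later fragment shows it only an IP header and payload bytes.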
Transmission Control Protocol (TCP): Layer 4
• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP): Provides a reliable connection for transfer of data between applications
– Reliable = Packets delivered in order and no packets are missing
– Reliability provided by sequencing and retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source, destination) entities for duration of each connection
Transport Control Protocol (TCP)
• TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
• Addresses applications via 16-bit Port number
• Performs error control on an end-to-end basis:
– Reorders out-of-sequence segments
– Retransmits segments when acknowledgements are not received
– Performs flow control to ensure destination is not overwhelmed with data (using a window)
– Performs congestion control to ensure network is not overwhelmed
TCP Header Fields
• Source Port: Source port (application) address
• Dest Port: Destination port (application) address
• Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK
• Sequence #: Beginning Sequence number (byte #)
• AckNr: Acknowledgment sequence number (=next expected seq #)
• WindowSize: Size of empty space in receive buffer (in bytes)
• Checksum: Verifies no change in segment and parts of IP header
• Urgent Pointer: index to urgent data (rarely used)
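Added example, not from the slides: encoding and decoding these header fields in Python, including the checksum's IPv4 pseudo-header (the "parts of IP header" in the bullet above). Frame values are constructed to match the SYN,ACK in the connection trace later in the deck; wireshark_summary() is a helper written here to reproduce the sniffer's Info column, not a Wireshark API.

```python
"""Added example (not from the slides): build and decode a TCP header, render
the flags in the two notations the slides use ("[SYN, ACK]" and "SA"), and
verify the checksum, which covers the segment plus an IPv4 pseudo-header
(source/destination address, protocol, length). Sample values are constructed
to match frame 2 of the slide's connection trace."""
import socket
import struct

TCP_HDR_FMT = "!HHIIBBHHH"   # 20-byte header without options
TCP_FLAG_BITS = [            # bit in the flags byte, long name, one-letter name
    (0x01, "FIN", "F"), (0x02, "SYN", "S"), (0x04, "RST", "R"),
    (0x08, "PSH", "P"), (0x10, "ACK", "A"), (0x20, "URG", "U"),
]


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum: the pseudo-header binds the segment to its IP addresses."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol 6 = TCP, TCP length
    return rfc1071_checksum(pseudo + segment)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """flags is an iterable of names such as {"SYN", "ACK"}."""
    bits = sum(bit for bit, name, _ in TCP_FLAG_BITS if name in flags)
    hdr = struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp_segment(src_ip: str, dst_ip: str, seg: bytes) -> dict:
    """Decode the fixed header; the IP addresses are needed to check the checksum."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_byte, flag_byte,
     window, csum, urgent) = struct.unpack(TCP_HDR_FMT, seg[:20])
    hdr_len = (off_byte >> 4) * 4            # data offset is in 32-bit words
    if hdr_len < 20 or len(seg) < hdr_len:
        raise ValueError("bad data offset")
    zeroed = bytes(seg[:16]) + b"\x00\x00" + bytes(seg[18:])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": hdr_len,
        "flags": ", ".join(n for bit, n, _ in TCP_FLAG_BITS if flag_byte & bit),
        "flag_letters": "".join(l for bit, _, l in TCP_FLAG_BITS if flag_byte & bit),
        "window": window, "urgent": urgent, "payload_len": len(seg) - hdr_len,
        "checksum_ok": tcp_checksum(src_ip, dst_ip, zeroed) == csum,
    }


def wireshark_summary(src_ip: str, dst_ip: str, seg: bytes) -> str:
    """Render the Info column the way the slides show it (helper written here)."""
    t = parse_tcp_segment(src_ip, dst_ip, seg)
    return "%d > %d [%s] Seq=%d Ack=%d Win=%d Len=%d" % (
        t["sport"], t["dport"], t["flags"], t["seq"], t["ack"], t["window"], t["payload_len"])


if __name__ == "__main__":
    synack = build_tcp_segment("10.1.1.3", "10.1.1.165", 3128, 1179, 0, 1, {"SYN", "ACK"}, 5840)
    print(wireshark_summary("10.1.1.3", "10.1.1.165", synack))
```

Because the pseudo-header is part of the sum, the same segment bytes presented with a different source address no longer verify; that is what ties the transport checksum to "parts of the IP header".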
TCP
• TCP is connection-oriented, which means that it must explicitly establish a connection before transmission occurs and break it down afterwards.
• Establishes a connection
• Sends data
• Each side gracefully disconnects
TCP Flags
The flags within segments that TCP uses include:
S=SYN: Request to establish a connection
P=PUSH: Request from application to flush (or force) transmission.
F=FIN: Request to close a transmission - graceful
R=RESET: Notification of aborting of a connection
A=ACK: Contains an ack for previous data
Initiate a TCP Connection
• Establishes a connection via a 3-way handshake.
• SYN=Synchronization, establishes send and receive sequence numbers
(figure) 3-way handshake: initiator sends SYN; responder answers SYN,ACK; initiator completes with ACK
Send TCP Data
• Each byte of TCP data has a sequence number associated with it, which indicates the byte number of the first byte sent.
• The acknowledgment indicates the sequence number of the byte # of data expected next
(figure) data segment sent (PUSH); receiver returns ACK
# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
45 1037.608722 10.1.1.3 10.1.1.165 TCP 3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46 1037.751240 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
47 1037.751279 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
Terminate TCP Connection
• Graceful Disconnect: Both sides must disconnect
• FIN = Finish
• Sending FIN indicates no more data to transmit
(figure) one side sends FIN and receives ACK; then the other side sends FIN and receives ACK
Session Abort
• I don't want to participate in this connection
• Uses Reset
(figure) RST
TCP Connect – Data - Disconnect
# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
…
7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
…
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0
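The connect/data/disconnect sequence above, followed by an added example (not part of the slides): a Python tracker that reads summary lines in this format and moves each connection through handshake, established, half-closed and closed states, or to aborted on RST. The TRACE string is constructed from the frames on this slide (the elided frames are absent, and frames 8-11 belong to a second connection, 1190<->80, whose handshake was not captured) plus one made-up RST line on port 1201 to show the abort case.

```python
"""Added example (not from the slides): follow TCP connections through connect,
data and disconnect by reading sniffer summary lines of the form shown on this
slide. TRACE is constructed from the slide's frames plus one made-up RST line."""
import re

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\](?P<rest>.*)$")

TRACE = """\
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0
12 0.170000 10.1.1.165 10.1.1.3 TCP 1201 > 3128 [RST] Seq=1 Win=0 Len=0
"""


def parse_summary(line: str):
    """Split one Wireshark-style summary line into fields; None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("no", "sport", "dport"):
        rec[k] = int(rec[k])
    rec["flags"] = {f.strip() for f in rec["flags"].split(",")}
    rec.update({k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rec.pop("rest"))})
    return rec


def track_connections(text: str) -> dict:
    """Walk the trace and keep a state per connection (keyed by its two endpoints)."""
    conns = {}
    for rec in filter(None, map(parse_summary, text.splitlines())):
        ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
        key = "%s:%d<->%s:%d" % (ends[0] + ends[1])
        c = conns.setdefault(key, {"state": "NEW", "fins": 0, "handshake_ok": None, "history": []})
        f, st = rec["flags"], c["state"]
        if "RST" in f:
            st = "ABORTED"                        # reset: no FIN exchange, connection is gone
        elif "SYN" in f and "ACK" not in f:
            st, c["syn_seq"] = "SYN_SENT", rec.get("Seq")
        elif "SYN" in f:                          # SYN,ACK must acknowledge the SYN's seq + 1
            st = "SYN_RECEIVED"
            syn = c.get("syn_seq")
            c["handshake_ok"] = syn is not None and rec.get("Ack") == syn + 1
        elif "FIN" in f:
            c["fins"] += 1                        # both sides must send FIN for a graceful close
            st = "HALF_CLOSED" if c["fins"] == 1 else "LAST_ACK"
        elif "ACK" in f:
            if st == "SYN_RECEIVED":
                st = "ESTABLISHED"
            elif st == "LAST_ACK":
                st = "CLOSED"
            elif st == "NEW":
                st = "ESTABLISHED (handshake not seen)"   # capture started mid-connection
        c["state"] = st
        c["history"].append((rec["no"], ", ".join(sorted(f)), st))
    return conns


if __name__ == "__main__":
    for key, c in track_connections(TRACE).items():
        print(key, "->", c["state"], "handshake_ok=%s" % c["handshake_ok"])
        for no, flags, st in c["history"]:
            print("   frame %2d [%s] -> %s" % (no, flags, st))
```

Running it shows 1179<->3128 reaching ESTABLISHED with the handshake check passing (the SYN,ACK's Ack=1 equals the SYN's Seq=0 plus one), 1190<->80 passing through HALF_CLOSED and LAST_ACK to CLOSED after both FINs are acknowledged, and the constructed 1201<->3128 line going straight to ABORTED.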
TCP Wireshark: Showing Connection, Data, Disconnect
TCP Header
User Datagram Protocol (UDP)
• UDP can be used instead of TCP to address an application
• Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow control or congestion control.
• Addresses applications via 16-bit Port number
Protocol:
• UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
• 1 Packet type: Send data
# Time Source IP Dest IP App Port 2 Port [Packet Type]
1 0.000000 131.210.13.7 10.1.1.165 UDP Source port: 1060 Dest port: 8881
User Datagram Protocol (UDP)
• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP
Application Layer: Layer 5 (Internet)
• Basic Function: User applications
• need a separate module for each type of application: File transfer, web, ssh, email, etc.
# Time Source IP Dest IP App Packet Type
4 0.001151 10.1.1.165 10.1.1.3 HTTP GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90 80.40513 10.1.1.165 10.1.1.10 SNMP get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib-2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1
Application Protocols
Application & Port
• SMTP: Simple Mail Transfer Protocol (Email): 25
• HTTP: HyperText Transfer Protocol (Web): 80
• FTP: File Transfer Protocol: 20/21
• SNMP: Simple Network Management Protocol: 161
• DNS: Domain Name Server: 53
• NBNS: NetBios Name Service (Microsoft Internal, similar to DNS): 137
• SSL: Secure Socket Layer: 443
Some TCP/IP Protocols
Internet Control Message Protocol (ICMP)
• Reports errors from IP (e.g. Destination not reachable)
• Replies to requests (routing info)
• Test connectivity (ping)
# Time Source IP Dest IP App Packet Type
71 16.725008 10.1.1.165 207.46.170.123 ICMP Echo (ping) request
76 17.813662 207.231.240.7 10.1.1.165 ICMP Time-to-live exceeded (Time to live exceeded in transit)
73 13.696159 10.1.1.1 10.1.1.165 ICMP Destination unreachable (Communication administratively filtered)
Address Resolution Protocol (ARP)
• Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)
Protocol:
• Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
• Replier (Me) sends: ARP Response (IP_Address, MAC Address)
3 8.617021 00:0c:29:80:ec:29 ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.3? Tell 10.1.1.165
4 8.617825 00:0e:0c:3d:f7:7d 00:0c:29:80:ec:29 ARP 10.1.1.3 is at 00:0e:0c:3d:f7:7d
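Added example (not from the slides): the request/reply pair above encoded as raw Ethernet/ARP frames and decoded back into the sniffer's Info text. The addresses are the slide's; the frames are constructed in code, not captured, and only IPv4-over-Ethernet ARP is handled.

```python
"""Added example (not from the slides): build the two ARP frames shown on this
slide as raw bytes and decode them back into the sniffer's "Who has ...? Tell ..."
and "... is at ..." lines. The frames are constructed here, not captured."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp_frame(oper: int, sender_mac: str, sender_ip: str,
                    target_ip: str, target_mac: str = ZERO_MAC) -> bytes:
    """Ethernet II frame carrying an ARP packet for IPv4 over Ethernet.
    A request is broadcast and leaves the target MAC zero (it is what we are asking for);
    a reply is unicast to the requester's MAC."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype Ethernet, ptype IPv4, hlen, plen, opcode
           + mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_to_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet + ARP and produce the Info text a sniffer would show."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (ethertype 0x%04x)" % ethertype)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is decoded here")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    rec = {
        "eth_src": bytes_to_mac(eth_src), "eth_dst": bytes_to_mac(eth_dst), "oper": oper,
        "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa),
    }
    if oper == ARP_REQUEST:
        rec["info"] = "Who has %s? Tell %s" % (rec["target_ip"], rec["sender_ip"])
    elif oper == ARP_REPLY:
        rec["info"] = "%s is at %s" % (rec["sender_ip"], rec["sender_mac"])
    else:
        rec["info"] = "ARP opcode %d" % oper
    return rec


if __name__ == "__main__":
    # the two frames on the slide, constructed from their addresses
    req = build_arp_frame(ARP_REQUEST, "00:0c:29:80:ec:29", "10.1.1.165", "10.1.1.3")
    rep = build_arp_frame(ARP_REPLY, "00:0e:0c:3d:f7:7d", "10.1.1.3", "10.1.1.165", "00:0c:29:80:ec:29")
    for f in (req, rep):
        p = parse_arp_frame(f)
        print(p["eth_src"], p["eth_dst"], "ARP", p["info"])
```

Note that the Info text comes entirely from the ARP body (sender/target fields), while the first two columns on the slide come from the Ethernet header; the two are carried separately in the frame.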
Domain Name Server (DNS)
• Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.
Protocol:
• Request gives the name or numeric IP address to translate
• Reply provides information about that IP address.
# Time Source IP Dest IP App Packet Type
53 55.927059 10.1.1.165 10.1.1.3 DNS Standard query A www.mozilla.org
54 55.946341 10.1.1.3 10.1.1.165 DNS Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113
IGMP: Internet Group Management Protocol
• Sets up multicast for streaming and gaming
NTP: Network Time Protocol
• Synchronizes Clocks
LDAP: Lightweight Directory Access Protocol
• Used with Microsoft’s Active Directory & Novell’s eDirectory
• Enables clients to connect and query the LDAP directory for user account info, printers, etc., similar to DNS.
• Uses default port 389
WIRESHARK DEMO
And now for a …