Presentation transcript:

Slides 11 - Fun with TCP/IP, 4/18/2011
ECE-6612, http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035, Office: Klaus 3362. Email or call for office visit, 404 894-5177.

Ethernet Header (MAC or Link Layer)
Frame layout: Ethernet Hdr - 14 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
Ethernet header (rows of bytes 0 - 3, 4 - 7, 8 - 11, 12 - 13): Destination Address - 6 bytes; Source Address - 6 bytes; Next Protocol # - 2 bytes (MSB, LSB), which names the Next Level Protocol Header (bytes 08 00 -> 0x0800 -> IP).

IP Header (Network Layer)
Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
IP header fields shown: Length, Frag. Flags, Fragment Offset, Next Protocol.
Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP
Frag. Flags: 010 = Do Not Fragment (DNF); 001 = More Fragments (MF)

Fragmented Packet
A data packet from Token Ring has a TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes. The IP Fragment ID number is the same for each fragment.
Fragment 1: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 0) | TCP Header - 20 bytes (big-endian) + App. Hdr & Data = 20 + 1260 bytes
Fragment 2: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 1280) | More Data = 1280 bytes
Fragment 3: Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 0, offset: 2560) | Last Data = 760 bytes

Ping of Death
Fragments are assembled in a buffer in memory (Packet Buffers of 65,535 bytes each). The Ping of Death fragment (Ethernet Hdr - 20 bytes | IP Header - 20 bytes (MF: 1, offset: 65,500) | Any Data = 1000 bytes) causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash. "Ping" was used because #ping -s 66500 used to work. "fragrouter" is a hacker program that generates bad fragments.

Fragmented Packets as seen by "tcpdump"
Filter for seeing fragments: # tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'
22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84) <- Very small fragments
22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64) <- Very small fragments
22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40) <- Very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40) <- Very small, isolated fragment (note close times, different IPs)
Notation: 43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8, "+" means More Fragments bit set.
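The checks a fragment-reassembly monitor would run over lines like the ones above (Ping-of-Death oversize, very small non-final fragments, isolated fragments with no first piece, Teardrop-style overlap), as an added example that is not part of the slides. The sample input is the slide's four tcpdump lines plus one constructed oversize fragment; the offset in tcpdump's "ID:len@offset" notation is taken in bytes, as the two 43660 fragments (64 bytes at 0, the next at 64) show, and the 128-byte "tiny" threshold is an assumption.

```python
import re
from collections import defaultdict

# Sample input (constructed for this example): the four tcpdump lines from the slide plus
# one constructed Ping-of-Death-style fragment whose end lies past the 65,535-byte maximum.
SAMPLE_LINES = [
    "22:10:48 128.61.60.143.3472 > 217.98.230.192.6881: . 3041158335:3041158379(44) "
    "ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)",
    "22:10:48 128.61.60.143 > 217.98.230.192: tcp (frag 43660:44@64) (ttl 127, len 64)",
    "22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)",
    "22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)",
    "22:10:51 10.0.0.5 > 10.0.0.9: icmp (frag 7:1000@65500) (ttl 64, len 1020)",  # constructed
]
HDR_RE = re.compile(r"^\S+ (\S+) > ([^:\s]+):")
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")   # ID:len@offset, "+" = MF set
IP_MAX, IP_HDR = 65535, 20   # max IP datagram incl. header; slides assume a 20-byte header
TINY = 128                   # assumed threshold for a "very small" non-final fragment

def parse_frag(line):
    """Return (src, dst, id, data_len, offset_bytes, more_fragments) or None."""
    h, f = HDR_RE.match(line), FRAG_RE.search(line)
    if not (h and f):
        return None
    ip = lambda a: ".".join(a.split(".")[:4])   # tcpdump adds the port only on the 1st fragment
    fid, length, off, more = f.groups()
    return ip(h.group(1)), ip(h.group(2)), int(fid), int(length), int(off), more == "+"

def audit_fragments(lines):
    """Group fragments by (src, dst, id) and return a sorted list of finding labels per group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_frag(line)
        if rec:
            groups[rec[:3]].append(rec[3:])
    findings = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f[1])           # order by offset
        notes = set()
        for length, off, more in frags:
            if off + length > IP_MAX - IP_HDR:   # Ping of Death: reassembly past 65,535
                notes.add("oversize")
            if more and length < TINY:
                notes.add("tiny")
        if frags[0][1] != 0:                     # never saw the first fragment
            notes.add("isolated")
        for (l1, o1, _), (_, o2, _) in zip(frags, frags[1:]):
            if o2 < o1 + l1:                     # Teardrop-style overlap
                notes.add("overlap")
        findings[key] = sorted(notes)
    return findings
```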

Protocols over IP
Listening Port No. (Well-Known?): 80, 161
IP Next Protocol Numbers: 6, 17, 1, 2, 89, 46, 50 (IPsec ESP)
Ethernet "Next Protocol" Number: x0800 (IP), ARP
Data Link and Physical Layers (e.g., Ethernet, WiFi, Point-to-Point, ...)

UDP Header (big endian)

ICMP Header (big endian)
Bytes 0 - 3: Type, Code, Checksum
Bytes 4 - 7: Identifier, Sequence Number
Bytes 8 - : Optional Data
Type Field: 0 - Echo Reply (Code=0); 3 - Destination Unreachable; 5 - Redirect (change route); 8 - Echo Request (Ping); 11 - Timeout (traceroute)
Type 3 - Codes: 0 - Network Unreachable; 1 - Host Unreachable; 3 - Port Unreachable (UDP Reset - old hdr in data); 7 - Destination Host Unknown; 12 - Host Unreachable for Type of Service

Smurf Attack
Attacker 23.45.67.89; Victim 130.207.225.23; Network 222.45.6.0/24 with Network Broadcast Address = 222.45.6.255.
ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast), From: 130.207.225.23 (spoofed).
ICMP Echo Responses To: 130.207.225.23. (How is this prevented?)

TCP Header
Frame layout: Ethernet Hdr - 20 bytes (little-endian) | IP Header - 20 bytes (big-endian) | TCP Header - 20 bytes (big-endian) | App. Hdr & Data
* = Length of TCP Header in bytes / 4. TCP Flags: U A P R S F

TCP Three-Way Handshake (Client and Server): Syn (only); Syn + Ack; Ack; then data segments, Ack (Push, Urgent), in both directions.

TCP Three-Way Disconnect (Host A and Host B; either A or B can be the Server): data segments, Ack (Push, Urgent), in both directions; Fin + Ack; Ack; Fin + Ack; Ack or Reset + Ack.

TCP Initial: SYN, SYN-ACK, ACK. TCP Final: FIN, ACK, FIN-ACK, ACK. TCP SYN and RES-ACK (no connection) as seen using Wireshark.

TCP State Diagram (figure, including the Reset transition)

Flag-combination table (columns: Reset, Fin, Syn, Ack, Comment; comments used: OK, 1st Packet, 2nd Packet, Needs Ack, Illegal). Illegal flag combinations are used to determine the Operating System.
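A decoder for the three headers the slides walk through (Ethernet, IPv4 with its DF/MF bits and offset, TCP with its header-length field and U A P R S F flags) plus a classifier for the flag combinations of the table above, as an added example and not the course's code. The mapping of the table's comments onto specific flag combinations is my reading, not the slide's, and build_frame constructs a test frame with no valid checksums.

```python
import struct

ETHERTYPE_IP = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

def parse_frame(frame):
    """Decode the Ethernet header, the 20-byte IPv4 header and the TCP header fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])  # EtherType 08 00 -> 0x0800 -> IP
    info = {"ethertype": ethertype, "dst_mac": dst.hex(":"), "src_mac": src.hex(":")}
    if ethertype != ETHERTYPE_IP:
        return info
    ver_ihl, _, total_len, ident, frag, ttl, proto = struct.unpack("!BBHHHBB", frame[14:24])
    ihl = (ver_ihl & 0x0F) * 4                      # IHL is in 32-bit words
    info.update({"ip_len": total_len, "id": ident, "ttl": ttl, "proto": PROTO_NAMES.get(proto, proto),
                 "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000),
                 "frag_offset": (frag & 0x1FFF) * 8})   # offset field counts 8-byte units
    if proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[14 + ihl:28 + ihl])
        info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "tcp_hdr_len": (off_flags >> 12) * 4,   # data offset = header length / 4
                     "flags": "".join(n for n, b in FLAG_BITS.items() if off_flags & b)})
    return info

def classify_flags(flags):
    """Assumed mapping of the table's comments onto flag combinations (my reading of the slide)."""
    s = set(flags)
    if not s or {"S", "F"} <= s or {"S", "R"} <= s:
        return "Illegal"           # null / SYN+FIN / SYN+RST: classic OS-fingerprinting probes
    if s == {"S"}:
        return "OK - 1st Packet"
    if s == {"S", "A"}:
        return "OK - 2nd Packet"
    if "F" in s and "A" not in s:
        return "Needs Ack"
    return "OK"

def build_frame(flags, mf=False, offset=0):
    """Constructed minimal Ethernet/IPv4/TCP frame for testing (no valid checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IP)
    frag = (0x2000 if mf else 0x4000) | (offset // 8)       # MF or DF plus offset in 8-byte units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 43660, frag, 127, 6, 0,
                     bytes([128, 61, 60, 143]), bytes([217, 98, 230, 192]))
    tcp = struct.pack("!HHIIHHHH", 3472, 6881, 2818212180, 0,
                      (5 << 12) | sum(FLAG_BITS[c] for c in flags), 65535, 0, 0)
    return eth + ip + tcp
```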

DoS Exploits using TCP Packets
Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
Blue Screen of Death - Set Urgent Flag, & Urgent Offset Pointer = 3. Older Windows OS would crash.

TCP Session Hijack (Bob, Alice, Attacker)
(0) - Established TCP connection between Alice and Bob.
(1) - Attacker sniffs the network and watches Alice establish the TCP session with Bob.
(2) - DoS attack to silence Alice (Acks and Resets).
(3) - Hijacks the TCP connection by using the correct sequence number.
Off-LAN attack (can not sniff) to get by a host-based firewall:
Open several TCP connections to Bob, to predict the next sequence number.
DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
Send Bob a SYN, then an ACK based on predicted Bob's seq. no. (from Alice's IP).
Send exploit to Bob (assume all packets are Ack'ed).

TCP Connect Handshake - shown by "tcpdump"
20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 1015223232 0> (DF) (ttl 64, id 13382, len 60) <no ack!>
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <nop,nop,timestamp 693175946 1015223232,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . ack 1 win 33304 <nop,nop,timestamp 1015223234 693175946> (DF) (ttl 64, id 13383, len 52)
20:43:59 204.127.198.27.25 > 192.168.1.132.49194: P 1:62(61) ack 1 win 33304 <nop,nop,timestamp 693175953 1015223234> (DF) (ttl 52, id 16742, len 113)
20:43:59 192.168.1.132.49194 > 204.127.198.27.25: P [bad tcp cksum 24f8!] 1:23(22) ack 62 win 33304 <nop,nop,timestamp 1015223234 693175953> (DF) (ttl 64, id 13384, len 74)

TCP Finish Handshake - shown by "tcpdump"
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: P 2425:2467(42) ack 3889 win 33304 <nop,nop,timestamp 693176146 1015223238> (DF) (ttl 52, id 16760, len 94)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 <nop,nop,timestamp 1015223238 693176146> (DF) (ttl 64, id 13402, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: . [tcp sum ok] ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16761, len 52)
20:44:01 204.127.198.27.25 > 192.168.1.132.49194: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16762, len 52)
20:44:01 192.168.1.132.49194 > 204.127.198.27.25: . [bad tcp cksum 2c51!] ack 2468 win 33304 <nop,nop,timestamp 1015223238 693176152> (DF) (ttl 64, id 13403, len 52)
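A checker that reads tcpdump lines in the notation of the two traces above and verifies what the Connect and Finish handshakes must satisfy: the SYN-ACK acknowledges the client's ISN + 1, the third packet acknowledges the server's ISN + 1 (tcpdump prints it relative, as "ack 1"), and a FIN is answered with an ack of its sequence number + 1. This is an added example, not course code; the sample lines are the slides' own with trailing options trimmed.

```python
import re

# Old-style tcpdump line: "time src > dst: FLAGS [cksum] seq:end(len) ack N win W ..."
PKT_RE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<flags>[SFRP.]+)"
    r"(?: \[[^\]]*\])?(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?")

# Sample input: the handshake lines and the FIN exchange from the slides (options trimmed).
CONNECT = [
    "20:43:58 192.168.1.132.49194 > 204.127.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768",
    "20:43:59 204.127.198.27.25 > 192.168.1.132.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304",
    "20:43:59 192.168.1.132.49194 > 204.127.198.27.25: . ack 1 win 33304",
]
FINISH = [
    "20:44:01 192.168.1.132.49194 > 204.127.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304",
    "20:44:01 204.127.198.27.25 > 192.168.1.132.49194: . [tcp sum ok] ack 3890 win 33304",
]

def parse_pkt(line):
    """Return a dict of src, dst, flags, seq, end, len, ack (ints or None), or None if unparsable."""
    m = PKT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len", "ack"):
        d[k] = None if d[k] is None else int(d[k])
    return d

def check_three_way(lines):
    """Check SYN / SYN-ACK / ACK; tcpdump prints the third packet's ack relative (ack 1)."""
    pkts = [parse_pkt(l) for l in lines[:3]]
    if len(pkts) < 3 or any(p is None for p in pkts):
        return False, "need three parsable lines"
    syn, synack, ack = pkts
    if "S" not in syn["flags"] or syn["ack"] is not None:
        return False, "first packet is not a bare SYN"
    if (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]) or "S" not in synack["flags"]:
        return False, "second packet is not a SYN from the server"
    if synack["ack"] != syn["seq"] + 1:
        return False, "SYN-ACK does not acknowledge client ISN + 1"
    if ack["src"] != syn["src"] or ack["flags"] != "." or ack["ack"] not in (1, synack["seq"] + 1):
        return False, "third packet does not acknowledge server ISN + 1"
    return True, "handshake complete"

def check_fin(fin_line, reply_line):
    """A FIN consumes one sequence number, so the reply must ack the FIN's seq + 1."""
    fin, reply = parse_pkt(fin_line), parse_pkt(reply_line)
    return bool(fin and reply and "F" in fin["flags"] and reply["ack"] == fin["seq"] + 1)
```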