
1 Lecture 20: Network Primer 7/8/2003 CSCE 590 Summer 2003

2 Obligatory 7 Layer OSI Model
Open Systems Interconnection Model
– End to End Layers:
  – 7 – Application: interfaces directly with the user
  – 6 – Presentation: provides data independence (different representation of numbers, network byte order)
  – 5 – Session: establishes, manages and terminates connections between applications
  – 4 – Transport: end-to-end error recovery and flow control
– Point to Point Layers:
  – 3 – Network: creating logical paths for transmitting data from node to node; i.e. routing, switching
  – 2 – Link: logical organization of data bits transmitted on a particular medium
  – 1 – Physical: physical properties of communications media

3 4 (5) Layer IP Model
IP is older than the OSI Model, so IP doesn't exactly fit it
– Application – SSH, DNS
– Transport – TCP, UDP
– Network – IP
– Link/Physical – device drivers/wires and electricity

4 Packets and Frames
Like envelopes within envelopes
Frames = hardware layers
– Ethernet
– ATM
– Token Ring
Packets = software layers
– IP
– IPX

5 Frames
Frames have a header and a trailer
– Trailer: 4 bytes
– Cyclic Redundancy Check (CRC)
Frame header is used for synchronization
– Tells the NIC where the frame begins so it can start pulling data
– 14 bytes
Frame data is the packet for the next layer
Max 1518 bytes, min 64 bytes

6 Ethernet Frame Header
IEEE 802.3 Ethernet frame (Layer 2), field by field as drawn on the slide:
– Preamble: 7 bytes (101010…)
– Start Delimiter: 1 byte (10101011)
– Destination MAC Address: 6 bytes
– Source MAC Address: 6 bytes
– Length: 2 bytes
– Data Field (Layer 3+), followed by a Pad Field
– Frame CRC: 4 bytes
MAC Header = Destination MAC, Source MAC and Length (14 bytes); frame Min: 64 bytes, Max: 1518 bytes

7 Ethernet Frame Fields
Alternating 0's and 1's in the preamble to synchronize
Start delimiter has its last 2 bits as 11
Length of the data field does not include any padding added to reach the minimum size
– In Ethernet II this is the Type field; a value > 1500 identifies the protocol of the data field (IP = hex 0800), i.e. which memory buffer on the destination it is stored in
MAC addresses
– 48 bit hardware address of the Network Interface Card
– First 3 bytes are the Organizationally Unique Identifier (OUI) of the NIC manufacturer
– All ones signifies the broadcast address
CRC does not include the preamble and start delimiter

8 Trace of Ethernet Header
tcpdump -en -XX -s 1518 -i eth0 | more
(Trace screenshot on the slide, annotated: Ethernet II: Protocol=IP; Not packet length)

9 Encapsulation and Decapsulation
One layer's header is part of another layer's data:
– Application: DATA
– Transport: TCP Header | DATA
– Network: IP Header | TCP Header | DATA
– Link: Frame Header | IP Header | TCP Header | DATA | Frame Footer

10 Bridging the Layers
How do we get from the hardware MAC address at Layer 2 to the IP address at Layer 3?
Address Resolution Protocol (ARP)
– We don't want a permanent mapping between MAC address and IP address; it needs to be dynamic
– ARP allows us, given an IP address, to find the physical address of the host with that IP address

11 ARP
IP addresses are used to route a packet to its final destination
MAC addresses are used to travel from intermediate hop to intermediate hop
MAC addresses are stripped and replaced in the frame at each hop
– Next hop becomes the new destination
– Current hop becomes the new source
IP routing provides which hop is next; MAC addresses and ARP get the frame there

12 ARP Packet Format
Laid out in 32-bit words (bits 0 to 31), as drawn on the slide:
– Word 0: Hardware Type (16 bits) | Protocol Type (16 bits)
– Word 1: Hardware Length (8 bits) | Protocol Addr Len (8 bits) | Opcode (16 bits)
– Word 2: Source Hardware Address (first 4 bytes)
– Word 3: Source Hardware Address (cont, 2 bytes) | Source Protocol Address (first 2 bytes)
– Word 4: Source Protocol Address (cont, 2 bytes) | Target Hardware Address (first 2 bytes)
– Word 5: Target Hardware Address (cont, 4 bytes)
– Word 6: Target Protocol Address (4 bytes)

13 ARP Packet Fields
Hardware Type:
– Ethernet = 1
– ATM = 16
Protocol Address Type:
– IP = 0x0800
Hardware Address Length: length of the hardware address in bytes
Protocol Address Length: length of the protocol address in bytes
Operation Code: 1 = Request, 2 = Reply
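An added example (not from the lecture) that decodes a constructed Ethernet II frame carrying the ARP request of slide 14, using the field layouts of slides 6, 7, 12 and 13; the sender MAC 00:0a:0b:0c:0d:0e and the frame bytes are made up for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806   # Ethernet II Type for ARP (IP is 0x0800, slide 7)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet(frame):
    """Return (dst_mac, src_mac, value, kind, payload) from the 14-byte header.
    Preamble, start delimiter and CRC never reach a capture; the NIC strips them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, value = struct.unpack("!6s6sH", frame[:14])
    # <= 1500 is an 802.3 Length; > 1500 is an Ethernet II Type (slide 7)
    kind = "type" if value > 1500 else "length"
    return mac_str(dst), mac_str(src), value, kind, frame[14:]

def parse_arp(pkt):
    """Parse the 28-byte ARP body for Ethernet (htype 1) over IP (ptype 0x0800)."""
    if len(pkt) < 28:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", pkt[8:28])
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
            "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa))}

def decode(frame):
    """Decode a frame; the ARP dict is None when the frame does not carry ARP."""
    dst, src, value, kind, payload = parse_ethernet(frame)
    arp = parse_arp(payload) if kind == "type" and value == ETHERTYPE_ARP else None
    return dst, src, value, arp

# Constructed sample: "arp who-has 10.252.49.4 tell 10.252.49.5" (slide 14) sent
# to the broadcast MAC; sender MAC 00:0a:0b:0c:0d:0e is made up for the example.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff" "000a0b0c0d0e" "0806")
                + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
                + bytes.fromhex("000a0b0c0d0e") + bytes([10, 252, 49, 5])
                + bytes(6) + bytes([10, 252, 49, 4]))

if __name__ == "__main__":
    print(decode(SAMPLE_FRAME))
```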

14 ARP Request
Each machine keeps a local ARP cache of IP address to MAC address mappings, for about 120 seconds each
If an IP address is not in its cache, it broadcasts an ARP Request to all machines on the local network
Non-target machines receiving the broadcast may cache the sender's MAC and IP addresses to help reduce broadcast traffic
Destination MAC address is all 1's
arp who-has 10.252.49.4 tell 10.252.49.5

15 ARP Reply
The machine that has that IP address issues an ARP Reply
It also caches the requestor's IP and MAC addresses
Requestor gets the response and caches it
arp reply 10.252.49.5 is-at 00:06:de:ad:be:ef
Many machines will cache an unsolicited ARP reply, which can enable ARP spoofing and sniffing on switched networks

16 Malicious ARP Spoofing
Unsolicited ARP reply
Man-in-the-Middle
(Diagram: hosts 10.10.32.50, 10.10.32.100 and 10.10.32.200 on one segment, plus an attacker with MAC 00:00:de:ad:be:ef who sends "arp reply 10.10.32.100 is-at 00:00:de:ad:be:ef")
ARP Cache Contents Afterwards: 10.10.32.100 = 00:00:de:ad:be:ef

17 Malicious ARP Sniffing on Switched Networks
ARP spoof the default gateway of the subnet, sending to the switch
The switch will have 2 entries for the default gateway in its cache, and will send each packet to both
Or, on older switches, you could flood the ARP cache with bogus entries, causing the switch to fail open, like a hub: it sends each packet to all ports

18 Switch Sniffing
(Diagram: hosts 10.10.32.50 and 10.10.32.200, the gateway 10.10.32.1 and an attacker with MAC 00:00:de:ad:be:ef who sends "arp reply 10.10.32.1 is-at 00:00:de:ad:be:ef")
ARP Cache Contents Afterwards, as labelled in the diagram: two entries for the gateway, 10.10.32.1 = 00:00:da:da:be:ee and 10.10.32.1 = 11:11:de:ad:be:ef (the figure also carries the label 11:11:da:da:be:ee)
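An added example, not part of the lecture, that applies the detection side of slides 14 to 18: it reads tcpdump-style ARP lines and flags replies that nobody asked for or that change an IP's known MAC, the same check tools such as arpwatch perform. The trace lines are constructed for the example; the gateway's legitimate MAC 00:00:da:da:be:ee is taken from the slide 18 diagram label.

```python
import re

WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
IS_AT = re.compile(r"arp reply (\S+) is-at (\S+)")

def audit_arp(lines):
    """Return a list of (line_no, reason) alerts for the given ARP trace lines."""
    pending = set()    # IPs for which a who-has was seen and no reply yet
    known = {}         # IP -> MAC learned from the first reply seen for it
    alerts = []
    for n, line in enumerate(lines, 1):
        m = WHO_HAS.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = IS_AT.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)          # a reply somebody asked for
        else:
            alerts.append((n, f"unsolicited reply: {ip} is-at {mac}"))
        if ip in known and known[ip] != mac:
            alerts.append((n, f"MAC changed for {ip}: {known[ip]} -> {mac}"))
        known.setdefault(ip, mac)        # keep the first mapping as the baseline
    return alerts

# Constructed trace: a legitimate request/reply pair in the style of slides 14-15,
# a legitimate lookup of the gateway, then the unsolicited reply of slide 18.
SAMPLE_TRACE = [
    "arp who-has 10.252.49.4 tell 10.252.49.5",
    "arp reply 10.252.49.4 is-at 00:06:de:ad:be:ef",
    "arp who-has 10.10.32.1 tell 10.10.32.50",
    "arp reply 10.10.32.1 is-at 00:00:da:da:be:ee",
    "arp reply 10.10.32.1 is-at 00:00:de:ad:be:ef",
]

if __name__ == "__main__":
    for line_no, reason in audit_arp(SAMPLE_TRACE):
        print(f"line {line_no}: {reason}")
```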

19 Packets
Packets have positional fields
Predefined number of bits allocated to each field
Some optional fields vary in size
– Other fields describe their length
– Example is the data field
No footers, unlike frames

20 IP Header
Laid out in 32-bit words (bits 0 to 31), as drawn on the slide:
– Word 0: Version (4 bits) | Hdr Len (4 bits) | Type of Service (8 bits) | Total Length in Bytes (16 bits)
– Word 1: IP Identification Number (Frag ID) (16 bits) | R | DF | MF (1 bit each) | Fragment Offset (13 bits)
– Word 2: TTL (8 bits) | IP Protocol (8 bits) | Header Checksum (16 bits)
– Word 3: Source IP Address
– Word 4: Destination IP Address
– Words 5+: Options (Variable Length 0-40 bytes, padded with 0's)

21 IP Header Fields
Version: 4 bits, version of IP, usually 4, but 6 is becoming more common
Header Length: 4 bits, length of the IP header in 32-bit (4 byte) words
– Maximum of 15 words (60 bytes)
– Commonly 5 words (with no IP options)
Type of Service (TOS): 8 bits, nominally the type of service the packet should receive
Total Length: 16 bits, total length of the IP packet in bytes. Max possible 65535 bytes

22 IP Fragmentation
Fragmentation is needed because not all networks' MTUs (Maximum Transmission Units) are the same
Occurs when the MTU is smaller than the datagram
Reassembled at the destination host
Each fragment is encapsulated in an IP datagram
Can be used to bypass routers and IDS

23 IP Fragmentation
IP fragmentation fields:
– Fragmentation ID, Offset, and Flags
– Fragments must share a common fragment identification number
– Must tell the offset of this data fragment in the original unfragmented datagram
– Must tell the length of data in this fragment
– Must tell whether more fragments are to follow

24 Fragment ID Field
Each IP packet has a unique IP Identification number
Increments by 1 for each datagram in a session
In a fragmented packet, each datagram fragment retains the original IP ID number as a Fragment ID number
This identifies a fragment as belonging to an original datagram to the reassembling host

25 Fragmentation Flags
Three bit flag field
Bit 0 is reserved and not used
Bit 1: DF – Don't Fragment when set to 1
– What if fragmentation is needed? A router will send back an ICMP unreachable – need to fragment packet to the source with the size of the maximum MTU
Bit 2: MF – More Fragments when set to 1

26 Fragmentation Offset Field
13 bit field
Tells the receiving system where the fragment's data belongs in the original datagram so that it can be reconstructed
From the perspective of the IP data field: the TCP, ICMP and UDP headers are included in the offset

27 Fragmentation Example
On Windows:
– ping -n 1 -l 3300 10.10.33.1

28 Fragmentation Example: The Math
Ethernet MTU = 1500 bytes
Each IP header takes 20 bytes
So 1480 bytes of data in each fragment
The total packet size we have to break up is 3300 data bytes + 20 bytes IP header + 8 bytes ICMP header = 3328 bytes
The first fragment gets the IP header and the ICMP header and (1500-20-8) = 1472 bytes of data
The rest of the fragments do not have the ICMP header

29 Fragmentation Example
1. 20 bytes IP, 8 bytes ICMP, 1472 bytes data
   fragment ID = 4620, length = 1480, offset = 0, MF = 1
   3300 – 1472 = 1828 bytes remaining
2. 20 bytes IP, 1480 bytes data
   fragment ID = 4620, length = 1480, offset = 1480, MF = 1
   1828 – 1480 = 348 bytes remaining
3. 20 bytes IP, 348 bytes data
   fragment ID = 4620, length = 348, offset = 2960, MF = 0
   0 bytes remaining

30 Malicious Fragmentation
Fragmenting to blind the IDS
– Never send the final piece
– Or leave a piece missing in the middle
– Some IDS reconstruct fragmented packets to 'normalize' them and check against signatures
– Only so much memory is assigned to it
– Or only a limited number of fragmented packets can be reconstructed at once
If the IDS does not normalize, split the attack up into fragments and it won't match signatures

31 Ping of Death
Denial of Service
Very large datagram crafted using fragments
When reassembled by the victim, the maximum IP datagram size of 65535 is exceeded
Causes crashes, system hangs, BSOD
Is *OLD*; all vendors should have a patch

32 Teardrop Attack
What's wrong with this picture?
1. evilfragger.org.139 > target.edu.139: udp 28 (frag 242:36@0+)
2. evilfragger.org > target.edu: (frag 242:4@24)
Remember (frag fragID:length@offset)
It reboots or crashes some unpatched machines

33 Teardrop Attack
1. evilfragger.org.139 > target.edu.139: udp 28 (frag 242:36@0+)
2. evilfragger.org > target.edu: (frag 242:4@24)
(Diagram: Fragment 1 (frag 242:36@0+) covers Byte 0 through Byte 35; Fragment 2 (frag 242:4@24) covers Byte 24 through Byte 27, entirely inside Fragment 1)
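An added example, not from the lecture, that works through the fragmentation math of slides 27 to 29 and then applies the reassembly check an IDS normalizer (slides 30 and 31) would run to the fragment sets of slides 30 to 33: a missing final fragment, a missing middle fragment, an oversized reassembly, and the overlapping pair of the Teardrop trace. It assumes tcpdump's notation, where '+' marks MF=1 and the offset is printed in bytes.

```python
import re

IP_HDR, ICMP_HDR = 20, 8
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")   # tcpdump frag notation

def fragment(payload_len, ip_id, mtu=1500, upper_hdr=ICMP_HDR):
    """Split upper_hdr + payload_len bytes of IP data into (id, length, offset, MF)
    tuples; every fragment but the last carries a multiple of 8 data bytes."""
    per_frag = (mtu - IP_HDR) // 8 * 8          # 1480 bytes on Ethernet
    total = upper_hdr + payload_len             # the ICMP header counts as IP data
    frags, offset = [], 0
    while offset < total:
        length = min(per_frag, total - offset)
        frags.append((ip_id, length, offset, offset + length < total))
        offset += length
    return frags

def parse_frags(lines):
    """Read tcpdump-style '(frag id:length@offset+)' fields; '+' means MF=1."""
    out = []
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            out.append((int(m[1]), int(m[2]), int(m[3]), m[4] == "+"))
    return out

def check_reassembly(frags):
    """Return 'ok' or the first defect found, as an IDS normalizer would."""
    if len({f[0] for f in frags}) != 1:
        return "fragments from more than one datagram"
    frags = sorted(frags, key=lambda f: f[2])
    end = 0                                      # next data byte we expect
    for i, (_, length, offset, more) in enumerate(frags):
        if offset < end:
            return f"overlap: bytes {offset}-{min(offset + length, end) - 1} sent twice"
        if offset > end:
            return f"gap: bytes {end}-{offset - 1} missing"
        if more != (i < len(frags) - 1):
            return "final fragment missing" if more else "MF=0 before last fragment"
        end = offset + length
    if end + IP_HDR > 65535:
        return "reassembled datagram exceeds 65535 bytes (Ping of Death)"
    return "ok"

# Slide 32's Teardrop trace, copied here as the sample input.
TEARDROP = ["evilfragger.org.139 > target.edu.139: udp 28 (frag 242:36@0+)",
            "evilfragger.org > target.edu: (frag 242:4@24)"]
```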

34 References
Read Chapter 6
