Network Security CS 478/CIS 678

Date post: 18-Mar-2016
Page 1: Network Security  CS 478/CIS 678

Network Security CS 478/CIS 678

Intro to TCP/IP

Page 2: Network Security  CS 478/CIS 678

Objectives

Reading: Computer Security Principles and Practice, W Stallings, L Brown

• Appendix E (See my web link)

The student should be able to:
• Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).

Page 3: Network Security  CS 478/CIS 678

Internet Architecture

Page 4: Network Security  CS 478/CIS 678

TCP/IP Packet

[Figure: layout of a TCP/IP packet, left to right]
L2 Ethernet: What physical node to send to?
L3 IP: Source & destination logical addr.
L4 TCP: Which app does this go to?
Application: What data is actually being sent?
CRC: Packet check code

Page 5: Network Security  CS 478/CIS 678

Addressing Requirements

• two levels of addressing required
• each host on a subnet needs a unique global network address – its IP address
• each application on a (multi-tasking) host needs a unique address within the host – known as a port

Page 6: Network Security  CS 478/CIS 678

TCP/IP Packet

[Figure: the same packet layout, with example values for each part]
L2 Ethernet: What physical node to send to? Address on LAN: 00:0c:29:80:ec:29
L3 IP: Source & destination logical addr. Ginger.cs.uwp.edu 124.36.92.81
L4 TCP: Which app does this go to? Port 80 = web
Application: What data is actually being sent? "Hi Alice, Are you coming to the party on Friday?"
CRC: Packet check code

Page 7: Network Security  CS 478/CIS 678

Operation of TCP and IP

Page 8: Network Security  CS 478/CIS 678

Operation of TCP/IP

Page 9: Network Security  CS 478/CIS 678

Some TCP/IP Protocols

Page 10: Network Security  CS 478/CIS 678

Protocols used at each Layer

L5 = Application

L4 = Transport:
• TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
• UDP: User Datagram Protocol (Only Port Addressing)

L3 = Network:
• IP: Internet Protocol (Routing)
• ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)

L2 = Data Link Layer - Medium Access Control (MAC):
• Ethernet Protocol
• ARP: Address Resolution Protocol (Translates IP to MAC addresses)

Page 11: Network Security  CS 478/CIS 678

Physical Layer: Layer 1

• Basic Function: Concerned with physical interface between computer and network
• concerned with issues like:
– characteristics of transmission medium
– signal levels
– data rates
– other related matters

Page 12: Network Security  CS 478/CIS 678

Network Access Layer: Layer 2

• Basic Function: Coordinate multiple access on LAN
• exchange of data between an end system and attached network
• concerned with issues like:
– destination address provision
– invoking specific services like priority
– access to & routing data across a network link between two attached systems
• allows layers above to ignore link specifics
• Example protocol: Ethernet

Page 13: Network Security  CS 478/CIS 678

Internet Layer (IP): Layer 3

• Basic Function: Routing packets across network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relay data between them

# Time Source IP Dest IP App Packet Type
152 001559 10.1.1.165 10.1.1.128 IP Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)

Page 14: Network Security  CS 478/CIS 678

Internet Protocol (IP)

• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem: Spoofed fragments replace or confuse real data
• Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)

Page 15: Network Security  CS 478/CIS 678

IP Header

Page 16: Network Security  CS 478/CIS 678

IP Header Format

First 8 nibbles:
• 0-3: IP Version (V4 or V6)
• 4-7: Header length (in 32-bit words)
• 8-15: Type of service (relates to quality of service - ignore for this class)
• 16-31: Total length

Second 8 nibbles:
• 0-15: Identification (used with fragmentation)
• 16-18: Flags: More bit, Don’t Fragment
• 19-31: Fragment offset

Third 8 nibbles:
• 0-7: Time to live
• 8-15: Next Protocol (e.g. TCP, ICMP)
• 16-31: Header Checksum

Fourth 8 nibbles: Source IP Address
Fifth 8 nibbles: Destination IP Address
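To make these bit offsets concrete, here is an added example (not from the slides) that decodes the fields above from raw bytes with Python's struct module and recomputes the header checksum, which is the check a firewall or IDS performs before trusting the fragmentation fields on slide 14. The sample packet is constructed to resemble the fragmented ICMP frame on slide 13 (10.1.1.165 to 10.1.1.128, ID 0x19d9, offset 0); its TTL and total length are assumed values.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of the header's 16-bit words, folded to 16 bits, then inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields listed on the slide from the start of a packet."""
    (ver_ihl, tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4                  # bits 0-3
    ihl = (ver_ihl & 0x0F) * 4              # bits 4-7, counted in 32-bit words
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_off & 0x4000),           # Don't Fragment flag
        "mf": bool(flags_off & 0x2000),           # More Fragments flag
        "frag_offset": (flags_off & 0x1FFF) * 8,  # 13-bit offset, in 8-byte units
        "ttl": ttl,
        "proto": proto,                           # 1 = ICMP, 6 = TCP, 17 = UDP
        # a header whose checksum field is intact sums to zero when re-summed
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }

def build_sample() -> bytes:
    """Constructed sample: first fragment (MF=1, offset 0) of an ICMP datagram, like slide 13's trace."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x19D9, 0x2000, 64, 1, 0,
                      IPv4Address("10.1.1.165").packed, IPv4Address("10.1.1.128").packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```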

Page 17: Network Security  CS 478/CIS 678

Transmission Control Protocol (TCP): Layer 4

• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP): Provides a reliable connection for transfer of data between applications
– Reliable = Packets delivered in order and no packets are missing
– Reliability provided by sequencing and retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source, destination) entities for duration of each connection

Page 18: Network Security  CS 478/CIS 678

Transport Control Protocol (TCP)

• TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
• Addresses applications via 16-bit Port number
• Performs error control on an end-to-end basis:
– Reorders out-of-sequence segments
– Retransmits segments when acknowledgements are not received
– Performs flow control to ensure destination is not overwhelmed with data (using a window)
– Performs congestion control to ensure network is not overwhelmed

Page 19: Network Security  CS 478/CIS 678

TCP Header Fields

• Source Port: Source port (application) address
• Dest Port: Destination port (application) address
• Flag: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK
• Sequence #: Beginning Sequence number (byte #)
• AckNr: Acknowledgment sequence number (=next expected seq #)
• WindowSize: Size of empty space in receive buffer (in bytes)
• Checksum: Verifies no change in segment and parts of IP header
• Urgent Pointer: index to urgent data (rarely used)

Page 20: Network Security  CS 478/CIS 678

TCP

• TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs.

• Establishes a connection
• Sends data
• Each side gracefully disconnects

Page 21: Network Security  CS 478/CIS 678

TCP Flags

The flags within segments that TCP uses include:
S=SYN: Request to establish a connection
P=PUSH: Request from application to flush (or force) transmission.
F=FIN: Request to close a transmission - graceful
R=RESET: Notification of aborting of a connection
ack: Contains an ack for previous data

Page 22: Network Security  CS 478/CIS 678

Initiate a TCP Connection

• Establishes a connection via a 3-way handshake.
• SYN=Synchronization, establishes send and receive sequence numbers

[Figure: three-way handshake] SYN → SYN,ACK → ACK

Page 23: Network Security  CS 478/CIS 678

Send TCP Data

• Each byte of TCP data has a sequence number associated with it, which indicates the byte number of the first byte sent.
• The acknowledgment indicates the sequence number of the byte # of data expected next

[Figure: data exchange] (PUSH) → ACK

# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
45 1037.608722 10.1.1.3 10.1.1.165 TCP 3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46 1037.751240 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]
47 1037.751279 10.1.1.3 10.1.1.165 TCP [TCP segment of a reassembled PDU]

Page 24: Network Security  CS 478/CIS 678

Terminate TCP Connection

• Graceful Disconnect: Both sides must disconnect
• FIN = Finish
• Sending FIN indicates no more data to transmit

[Figure: graceful disconnect] FIN → ACK, then FIN → ACK from the other side

Page 25: Network Security  CS 478/CIS 678

Session Abort

• I don’t want to participate in this connection
• Uses Reset

[Figure: session abort] RST

Page 26: Network Security  CS 478/CIS 678

TCP Connect – Data - Disconnect

# Time Source IP Dest IP App Port 2 Port [Packet Type] SendSeq AckSeq
1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
…
7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
…
8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0
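As an added example (not part of the slides), here is a small Python tracker that replays summary lines like the ones above and checks the relationship the three-way handshake on slide 22 requires: the SYN,ACK must acknowledge the client's Seq+1 and the final ACK must acknowledge the server's Seq+1, otherwise the flow is marked BAD_ACK. It then follows the FIN exchange of slide 24 and the RST abort of slide 25. The regex, the state names and the idea of keying both directions of a flow together are assumptions of the example; the sample lines are this slide's frames re-joined onto single lines.

```python
import re

# Wireshark summary columns as printed on these slides (regex constructed to match that layout).
LINE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+(?P<sport>\d+)\s*>\s*"
    r"(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]\s+Seq=(?P<seq>\d+)(?:\s+Ack=(?P<ack>\d+))?")

def parse_line(line):
    m = LINE_RE.match(line.strip())        # None for non-TCP lines (UDP, ARP, ...)
    if m is None:
        return None
    d = m.groupdict()
    d["flags"] = {f.strip() for f in d["flags"].split(",")}
    d["seq"], d["ack"] = int(d["seq"]), (int(d["ack"]) if d["ack"] else None)
    return d

def flow_key(ip1, port1, ip2, port2):
    return tuple(sorted([(ip1, port1), (ip2, port2)]))   # same key for both directions

def track(lines):
    """Walk the trace and return the final state of every TCP flow seen."""
    conns = {}
    for p in filter(None, map(parse_line, lines)):
        me = (p["src"], p["sport"])
        st = conns.setdefault(flow_key(*me, p["dst"], p["dport"]), {"state": "NEW", "fins": set()})
        f = p["flags"]
        if f == {"SYN"}:                                          # step 1: client sends its ISN
            st.update(state="SYN_SENT", isn=p["seq"])
        elif f == {"SYN", "ACK"} and st["state"] == "SYN_SENT":   # step 2: must ack client ISN+1
            st["state"] = "SYN_RECEIVED" if p["ack"] == st["isn"] + 1 else "BAD_ACK"
            st["server_isn"] = p["seq"]
        elif f == {"ACK"} and st["state"] == "SYN_RECEIVED":      # step 3: must ack server ISN+1
            st["state"] = "ESTABLISHED" if p["ack"] == st["server_isn"] + 1 else "BAD_ACK"
        elif "RST" in f:                                          # session abort (slide 25)
            st["state"] = "ABORTED"
        elif "FIN" in f:                                          # graceful close: one FIN per side
            st["fins"].add(me)
            st["state"] = "CLOSED" if len(st["fins"]) == 2 else "HALF_CLOSED"
    return {k: v["state"] for k, v in conns.items()}

# Constructed sample: this slide's handshake and disconnect frames, re-joined onto single lines.
SAMPLE = [
    "1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460",
    "2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460",
    "3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0",
    "8 0.160003 10.1.1.3 10.1.1.165 TCP 80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0",
    "10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0",
    "11 0.163407 10.1.1.3 10.1.1.165 TCP 80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0",
]
```

Note that the two flows in the slide's trace use different ports (1179/3128 and 1190/80), so the tracker reports one flow as ESTABLISHED and the other as CLOSED.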

Page 27: Network Security  CS 478/CIS 678

TCP Wireshark: Showing Connection, Data, Disconnect

Page 28: Network Security  CS 478/CIS 678

TCP Header

Page 29: Network Security  CS 478/CIS 678

User Datagram Protocol (UDP)

• UDP can be used instead of TCP to address an application
• Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow control or congestion control.
• Addresses applications via 16-bit Port number

Protocol:
• UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
• 1 Packet type: Send data

# Time Source IP Dest IP App Port 2 Port [Packet Type]
1 0.000000 131.210.13.7 10.1.1.165 UDP Source port: 1060 Dest port: 8881

Page 30: Network Security  CS 478/CIS 678

User Datagram Protocol (UDP)

• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP

Page 31: Network Security  CS 478/CIS 678

Application Layer: Layer 5 (Internet)

• Basic Function: User applications
• need a separate module for each type of application: File transfer, web, ssh, email, etc.

# Time Source IP Dest IP App Packet Type
4 0.001151 10.1.1.165 10.1.1.3 HTTP GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90 80.40513 10.1.1.165 10.1.1.10 SNMP get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib-2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1

Page 32: Network Security  CS 478/CIS 678

Application Protocols

Application & Port
• SMTP: Simple Mail Transfer Protocol (Email): 25
• HTTP: HyperText Transfer Protocol (Web): 80
• FTP: File Transfer Protocol: 20/21
• SNMP: Simple Network Management Protocol: 161
• DNS: Domain Name Server: 53
• NBNS: NetBios Name Service (Microsoft Internal, similar to DNS): 137
• SSL: Secure Socket Layer: 443

Page 33: Network Security  CS 478/CIS 678

Some TCP/IP Protocols

Page 34: Network Security  CS 478/CIS 678

Internet Control Message Protocol (ICMP)

• Reports errors from IP (e.g. Destination not reachable)
• Replies to requests (routing info)
• Test connectivity (ping)

# Time Source IP Dest IP App Packet Type
71 16.725008 10.1.1.165 207.46.170.123 ICMP Echo (ping) request
76 17.813662 207.231.240.7 10.1.1.165 ICMP Time-to-live exceeded (Time to live exceeded in transit)
73 13.696159 10.1.1.1 10.1.1.165 ICMP Destination unreachable (Communication administratively filtered)

Page 35: Network Security  CS 478/CIS 678

Address Resolution Protocol (ARP)

• Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)

Protocol:
• Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
• Replier (Me) sends: ARP Response (IP_Address, MAC Address)

3 8.617021 00:0c:29:80:ec:29 ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.3? Tell 10.1.1.165
4 8.617825 00:0e:0c:3d:f7:7d 00:0c:29:80:ec:29 ARP 10.1.1.3 is at 00:0e:0c:3d:f7:7d
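An added example, not from the slides: a Python pass over ARP summary lines like the two above that pairs each reply with the broadcast request it answers, records the IP-to-MAC binding learned, and reports replies that nobody asked for, that claim a MAC other than the one they were sent from, or that change a binding already learned. Those are the consistency checks a defender wants on an ARP cache, since ARP itself has no authentication. The regexes match Wireshark's summary wording and are assumptions of the example.

```python
import re

# Wireshark's ARP summary wording as shown on the slide (regexes constructed for that layout).
REQ_RE = re.compile(r"^\d+\s+[\d.]+\s+(?P<smac>[0-9a-f:]+)\s+ff:ff:ff:ff:ff:ff\s+ARP\s+"
                    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)")
REP_RE = re.compile(r"^\d+\s+[\d.]+\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+ARP\s+"
                    r"(?P<ip>[\d.]+) is at (?P<mac>[0-9a-f:]+)")

def resolve(lines):
    """Replay the exchange: note who asked for which IP, then accept replies that answer an open request."""
    pending = {}   # target IP -> MAC of the host that broadcast the request
    table = {}     # IP -> MAC learned from a matching reply
    issues = []
    for line in lines:
        req = REQ_RE.match(line.strip())
        if req:
            pending[req["target"]] = req["smac"]
            continue
        rep = REP_RE.match(line.strip())
        if not rep:
            continue                      # not an ARP line
        asker = pending.pop(rep["ip"], None)
        if asker is None or asker != rep["dmac"]:
            issues.append(f"unsolicited reply: {rep['ip']} is at {rep['mac']}")
        elif rep["smac"] != rep["mac"]:
            issues.append(f"reply for {rep['ip']} claims {rep['mac']} but was sent from {rep['smac']}")
        elif table.get(rep["ip"], rep["mac"]) != rep["mac"]:
            # keep the first binding; a later, different answer for the same IP is flagged
            issues.append(f"{rep['ip']} changed from {table[rep['ip']]} to {rep['mac']}")
        else:
            table[rep["ip"]] = rep["mac"]
    return table, issues

# Constructed sample: the request/reply pair from the slide.
SAMPLE = [
    "3 8.617021 00:0c:29:80:ec:29 ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.3? Tell 10.1.1.165",
    "4 8.617825 00:0e:0c:3d:f7:7d 00:0c:29:80:ec:29 ARP 10.1.1.3 is at 00:0e:0c:3d:f7:7d",
]
```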

Page 36: Network Security  CS 478/CIS 678

Domain Name Server (DNS)

• Converts an IP address name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.

Protocol:
• Request describes a name or numeric IP address to transfer
• Reply provides information about that IP address.

# Time Source IP Dest IP App Packet Type
53 55.927059 10.1.1.165 10.1.1.3 DNS Standard query A www.mozilla.org
54 55.946341 10.1.1.3 10.1.1.165 DNS Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113

Page 37: Network Security  CS 478/CIS 678

IGMP: Internet Group Management Protocol

Sets up multicast for streaming and gaming

Page 38: Network Security  CS 478/CIS 678

NTP: Network Time Protocol

Synchronizes Clocks

Page 39: Network Security  CS 478/CIS 678

LDAP: Lightweight Directory Access Protocol

• Used with Microsoft’s Active Directory & Novell’s eDirectory

• Enables clients to connect to query LDAP directory for user account info, printers, similar to DNS.

• Uses default port 389

Page 40: Network Security  CS 478/CIS 678

WIRESHARK DEMO

And now for a …

