Slides 11 - Fun with TCP/IP
4/18/2011
Office: Klaus 3362; phone 404 894-5177; fax 404 894-0035 (email or call for office visit)
Figure (header layouts): Ethernet Hdr - 14 bytes (little-endian); IP Header - 20 bytes (big-endian, 0 - 31 bits wide); TCP Header - 20 bytes (big-endian). Bytes 12 - 13: Next Protocol # (LSB, MSB).
Fragmented Packet

Figure (three fragments of one datagram):
Fragment 1: Ethernet Hdr - 20 bytes; IP Header - 20 bytes (MF: 1, offset: 0); TCP Header - 20 bytes (big-endian); App. Hdr & Data: 20 + 1260 bytes
Fragment 2: Ethernet Hdr - 20 bytes; IP Header - 20 bytes (MF: 1, offset: 1280); More Data: 1280 bytes
Fragment 3: Ethernet Hdr - 20 bytes; IP Header - 20 bytes (MF: 0, offset: 2560); Last Data: 760 bytes

Data Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes.
Ping of Death

Figure: Ethernet Hdr - 20 bytes; IP Header - 20 bytes (MF: 1, offset: 65,500); Any Data: 1000 bytes. Two adjacent Packet Buffers of 65,535 bytes each.

Fragments are assembled in a buffer in memory. The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing older versions of Windows to crash. Ping was used because #ping -s 66500 used to work. fragrouter is a hacker program that generates bad fragments.
Fragment log lines:

22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)   <- very small, isolated fragment
22:10:50 217.232.26.184 > 128.61.104.27: tcp (frag 0:20@16384) (ttl 240, len 40)    <- very small, isolated fragment

Note the close times and different IPs.

Notation: 43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8; "+" means the More Fragments bit is set.
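As an added example (not part of the slides), a small Python parser for the fragment notation above that flags the three fragment anomalies these slides discuss: a lone tiny fragment, a Ping of Death fragment whose data would end past a 65,535-byte buffer, and an overlapping Teardrop-style fragment. The first sample line is the slide's own; the others are constructed, and the 64-byte "tiny" threshold and reading the offset as a byte count are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the fragment notation explained above (ID:Data-Length@Offset,
# trailing "+" = More Fragments). Line 1 is the slide's own; the rest are constructed here.
SAMPLE_LINES = [
    "22:10:49 219.115.56.223 > 199.77.145.106: tcp (frag 0:20@16384) (ttl 237, len 40)",
    "22:10:50 10.1.2.3 > 10.9.8.7: icmp (frag 43660:1480@0+) (ttl 64, len 1500)",
    "22:10:50 10.1.2.3 > 10.9.8.7: icmp (frag 43660:1000@65500) (ttl 64, len 1020)",
    "22:10:52 10.1.2.4 > 10.9.8.7: udp (frag 777:1480@0+) (ttl 64, len 1500)",
    "22:10:52 10.1.2.4 > 10.9.8.7: udp (frag 777:200@1000) (ttl 64, len 220)",
]

FRAG_RE = re.compile(r"(?P<src>\S+) > (?P<dst>\S+): \w+ \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)")
MAX_DATAGRAM = 65535  # 16-bit IP total length: the slide's 65,535-byte reassembly buffer
IP_HDR = 20
TINY = 64             # assumed payload threshold for a "very small" fragment

def parse_fragment(line):
    # Offset is read as a byte count (assumption; the IP header itself stores offset/8).
    m = FRAG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "id": int(m["id"]),
            "length": int(m["len"]), "offset": int(m["off"]), "more": m["mf"] == "+"}

def analyze(lines):
    """Group fragments per (src, dst, id) and return a sorted list of (id, finding)."""
    groups = defaultdict(list)
    for line in lines:
        frag = parse_fragment(line)
        if frag:
            groups[(frag["src"], frag["dst"], frag["id"])].append(frag)
    findings = []
    for (_, _, ident), frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        prev_end = 0
        for f in frags:
            # Ping of Death: reassembled data would end past the 65,535-byte datagram limit
            if IP_HDR + f["offset"] + f["length"] > MAX_DATAGRAM:
                findings.append((ident, "ping_of_death"))
            # Teardrop-style overlap: this fragment starts before the previous one ended
            if f["offset"] < prev_end:
                findings.append((ident, "overlap"))
            prev_end = max(prev_end, f["offset"] + f["length"])
        # The slide's "very small, isolated fragment": a lone final fragment that is not the first
        f = frags[0]
        if len(frags) == 1 and f["offset"] > 0 and not f["more"] and f["length"] <= TINY:
            findings.append((ident, "tiny_isolated"))
    return sorted(findings)
```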
Protocols over IP (table; only partly recoverable): protocol numbers 80, 6, 89, 46 listed; IPsec ESP = 50; ARP.
UDP Header (big endian)

ICMP Header (big endian, bits 0 - 31):
Bytes 0 - 3: Type, Code, Checksum
Bytes 4 - 7: Identifier, Sequence Number
Bytes 8 - : Optional Data

Type Field:
0 - Echo Reply (Code=0)
3 - Destination Unreachable
5 - Redirect (change route)
8 - Echo Request (Ping)
11 - Timeout (traceroute)

Type 3 - Codes:
0 - Network Unreachable
1 - Host Unreachable
3 - Port Unreachable (UDP Reset - old hdr in data)
7 - Destination Host Unknown
12 - Host Unreachable for Type of Service
Smurf Attack

Figure: Attacker 23.45.67.89 sends an ICMP Echo Request (Ping) To: 222.45.6.255 (Broadcast), From: 130.207.225.23 (spoofed). The ICMP Echo Responses all go To: 130.207.225.23, the Victim.
TCP Header

Figure: Ethernet Hdr - 20 bytes (little-endian); IP Header - 20 bytes (big-endian); TCP Header - 20 bytes (big-endian); App. Hdr & Data.
TCP Flags: U A P R S F
Figure: Client and Server TCP exchange.

Figure: Host A and Host B TCP exchange, ending in Reset or Reset + Ack.
TCP flag combinations (Reset, Fin, Syn, Ack) and whether each is legal:

Reset  Fin  Syn  Ack  Comment
  0     0    0    1   OK
  0     0    1    0   1st Packet
  0     0    1    1   2nd Packet
  0     1    0    0   Needs Ack
  0     1    0    1   OK
  0     1    1    0   Illegal
  0     1    1    1   Illegal
  1     0    0    0   Needs Ack
  1     0    0    1   OK
  1     0    1    0   Illegal
  1     0    1    1   Illegal
  1     1    0    0   Illegal
  1     1    0    1   Illegal
  1     1    1    0   Illegal
  1     1    1    1   Illegal
DoS Exploits using TCP Packets

Land - Source Address = Destination Address. Crashes some printers, routers, Windows, UNIX.
Tear Drop - IP fragments that overlap or have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, NT, Linux.
Winnuke - Any garbage data to an open file-sharing port (TCP-139). Crashes Win 95 and NT.
Blue Screen of Death - Set the Urgent Flag and Urgent Offset Pointer = 3. Older Windows OS would crash.
Figure (Alice, Bob): (0) - Established TCP connection; (3) - Hijacks the TCP connection by using the correct sequence number.

Off-LAN Attack (cannot sniff) to get by a host-based firewall:
1. Open several TCP connections to Bob to predict the next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob's SYN-ACK.
3. Send Bob a SYN, then an ACK based on Bob's predicted seq. no. (from Alice's IP).
4. Send exploit to Bob (assume all packets are Acked).