ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu
404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Slides 11 - Fun with TCP/IP
4/18/2011

Ethernet Header (MAC or Link Layer)

Frame layout: Ethernet Hdr - 14 bytes (little-endian), IP Header - 20 bytes (big-endian), TCP Header - 20 bytes (big-endian), App. Hdr & Data.

Ethernet header fields (each row is bits 0 - 31):
Bytes 0 - 3, 4 - 7, 8 - 11: Source Address - 6 bytes, Destination Address - 6 bytes
Bytes 12 - 13: Next Protocol # (LSB, MSB), i.e. the Next Level Protocol Header (08 00 -> x8000 -> IP)

IP Header (Network Layer)

Frame layout: Ethernet Hdr (little-endian), IP Header - 20 bytes (big-endian), TCP Header - 20 bytes (big-endian), App. Hdr & Data.
IP header fields called out: Length, Frag. Flags, Fragment Offset, Next Protocol #.
Frag. Flags: 001 = More Fragments (MF); 010 = Do Not Fragment (DNF).
Next Protocol #: 1 = ICMP, 6 = TCP, 17 = UDP.

Fragmented Packet

Packet from Token Ring has TCP header (20 bytes) plus App. Header and Data (3300 bytes) = 20 + 1280 + 1280 + 760 bytes.
Fragment 1: Ethernet Hdr, 20 bytes IP Header (MF: 1, offset: 0), 20 bytes TCP Header + 1260 bytes Data (20 + 1260 bytes)
Fragment 2: Ethernet Hdr, 20 bytes IP Header (MF: 1, offset: 1280), 1280 bytes More Data
Fragment 3: Ethernet Hdr, 20 bytes IP Header (MF: 0, offset: 2560), 760 bytes Last Data
IP Fragment ID number is the same for each fragment.

Ping of Death

Ethernet Hdr, 20 bytes IP Header (MF: 1, offset: 65,500), 1000 bytes Any Data.
Packet Buffer: 65,535 bytes. Fragments are assembled in a buffer in memory.
The Ping of Death fragment causes a buffer overflow, corrupting the next buffer and causing an older version of Windows to crash.
"Ping" was used because #ping -s 66500 used to work.
"fragrouter" is a hacker program that generates bad fragments.

Fragmented Packets as seen by "tcpdump"

Filter for seeing frag.s:
# tcpdump -nnvli eth3 'tcp and ((ip[6:2]&0x3fff) != 0)'

Captured fragments (source and destination addresses omitted):
22:10:48  . 3041158335:3041158379(44) ack 829468732 win 65535 (frag 43660:64@0+) (ttl 127, len 84)
22:10:48  tcp (frag 43660:44@64) (ttl 127, len 64)
          Very small fragments
22:10:49 and 22:10:50, two different source/destination IP pairs:
          tcp (frag 0:20@16384) (ttl 240, len 40)
          tcp (frag 0:20@16384) (ttl 237, len 40)
          Very small, isolated fragments, different IPs

Note close times.
43660:64@0+ = ID : Data-Length (without IP hdr) @ Offset/8. "+" means More Fragments bit set.
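An added example, not part of these slides, that applies the slide's tcpdump fragment test ((ip[6:2] & 0x3fff) != 0) and the Ping-of-Death overflow condition to constructed IPv4 headers; the addresses, IDs and lengths in the samples are made up, modelled on the capture above.

```python
import struct

IP_MF, IP_DF = 0x1, 0x2        # IP flag bits: 001 = More Fragments, 010 = Do Not Fragment
MAX_DATAGRAM = 65535           # size of the reassembly buffer on the Ping-of-Death slide

def build_ipv4_header(total_len, ident, flags, offset_bytes, proto=6):
    """Pack a minimal 20-byte IPv4 header (constructed sample input; checksum left 0).
    The Fragment Offset field holds offset/8, so offset_bytes must be a multiple of 8."""
    frag_field = (flags << 13) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag_field,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def is_fragment(pkt):
    """Same test as the slide's tcpdump filter: (ip[6:2] & 0x3fff) != 0.
    Masking off the top two bits ignores DF, so only MF or a non-zero offset counts."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x3FFF) != 0

def parse_fragment(pkt):
    """Decode ID, MF bit, byte offset and data length (without IP hdr) from the header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident,
            "mf": bool((frag_field >> 13) & IP_MF),
            "offset": (frag_field & 0x1FFF) * 8,   # tcpdump prints the offset in bytes
            "data_len": total_len - ihl}

def tcpdump_frag_string(pkt):
    """Render as tcpdump does: (frag ID:Data-Length@Offset+), '+' = More Fragments set."""
    f = parse_fragment(pkt)
    return "(frag %d:%d@%d%s)" % (f["id"], f["data_len"], f["offset"], "+" if f["mf"] else "")

def overflows_reassembly(pkt):
    """Ping-of-Death check: does this fragment's data end past the 65,535-byte buffer?"""
    f = parse_fragment(pkt)
    return f["offset"] + f["data_len"] > MAX_DATAGRAM

# Constructed samples modelled on the slide's capture: a TCP datagram split into two pieces.
FIRST_FRAG = build_ipv4_header(total_len=84, ident=43660, flags=IP_MF, offset_bytes=0)
LAST_FRAG = build_ipv4_header(total_len=64, ident=43660, flags=0, offset_bytes=64)
# A normal unfragmented packet with DF set: the filter must not match it.
DF_PACKET = build_ipv4_header(total_len=40, ident=1, flags=IP_DF, offset_bytes=0)
# Ping-of-Death shape: 1000 bytes of data at the largest 8-aligned offset (65,528).
POD_FRAG = build_ipv4_header(total_len=1020, ident=2, flags=IP_MF, offset_bytes=65528, proto=1)

if __name__ == "__main__":
    for name, pkt in [("first", FIRST_FRAG), ("last", LAST_FRAG), ("df", DF_PACKET), ("pod", POD_FRAG)]:
        print(name, is_fragment(pkt), tcpdump_frag_string(pkt), overflows_reassembly(pkt))
```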

Protocols over IP

Data Link and Physical Layers (e.g. Ethernet, WiFi, Point-to-Point, ...)
Ethernet "Next Protocol" Number: ARP; x0800 <- IP
IP Next Protocol Numbers: 1, 2, 89, 46, 50 (IPsec ESP); 6 <- TCP; 17 <- UDP
Listening Port No. (Well-Known?): 80, 161

UDP Header (big endian)

ICMP Header (big endian)

Bytes 0 - 3 (bits 0 - 31): Type, Code, Checksum
Bytes 4 - 7: Identifier, Sequence Number
Bytes 8 - : Optional Data

Type Field:
0 - Echo Reply (Code=0)
3 - Destination Unreachable
5 - Redirect (change route)
8 - Echo Request (Ping)
11 - Timeout (traceroute)

Type 3 Codes:
0 - Network Unreachable
1 - Host Unreachable
3 - Port Unreachable (UDP Reset - old hdr in data)
7 - Destination Host Unknown
12 - Host Unreachable for Type of Service

Smurf Attack

Attacker sends an ICMP Echo Request (Ping) To: the Network Broadcast Address (Broadcast) From: the Victim's address (spoofed).
Network x.x.x.0/24: Network Broadcast Address = x.x.x.255.
ICMP Echo Responses To: the Victim.
(How is this prevented?)

TCP Header

Frame layout: Ethernet Hdr (little-endian), 20 bytes IP Header (big-endian), 20 bytes TCP Header (big-endian), App. Hdr & Data.
* Length of TCP Header in bytes / 4
TCP Flags: U A P R S F

TCP Three-Way Handshake

Client -> Server: Syn (only)
Server -> Client: Syn + Ack
Client -> Server: Ack
Then data in both directions: Ack (Push, Urgent)

TCP Three-Way Disconnect

Host A and Host B exchange data: Ack (Push, Urgent) each way.
Then: Fin + Ack; Ack; Fin + Ack; Ack (or Reset + Ack).
Either A or B can be the Server.

As seen using wireshark:
TCP Initial: SYN, SYN-ACK, ACK
TCP Final: FIN, FIN-ACK, ACK
TCP SYN and RES-ACK (no connection)

TCP State Diagram (Reset)

Reset  Fin  Syn  Ack   Comment
  0     0    0    0    Illegal
  0     0    0    1    OK
  0     0    1    0    1st Packet
  0     0    1    1    2nd Packet
  0     1    0    0    Needs Ack
  0     1    0    1    OK
  0     1    1    0    Illegal
  0     1    1    1    Illegal
  1     0    0    0    Needs Ack
  1     0    0    1    OK
  1     0    1    0    Illegal
  1     0    1    1    Illegal
  1     1    0    0    Illegal
  1     1    0    1    Illegal
  1     1    1    0    Illegal
  1     1    1    1    Illegal

Illegal flag combinations are used to determine Operating System.
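An added example, not from these slides, that encodes the flag-combination table above and uses it to pick out segments a fingerprinting probe would send; it treats the no-flags combination as Illegal, and the TCP headers it classifies are constructed samples.

```python
import struct

# Flag bits of TCP header byte 13, low bit first: F S R P A U (the slide lists them U A P R S F)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The slide's table keyed on (Reset, Fin, Syn, Ack); PSH and URG do not change the verdict.
FLAG_TABLE = {
    (0, 0, 0, 0): "Illegal",    (0, 0, 0, 1): "OK",
    (0, 0, 1, 0): "1st Packet", (0, 0, 1, 1): "2nd Packet",
    (0, 1, 0, 0): "Needs Ack",  (0, 1, 0, 1): "OK",
    (0, 1, 1, 0): "Illegal",    (0, 1, 1, 1): "Illegal",
    (1, 0, 0, 0): "Needs Ack",  (1, 0, 0, 1): "OK",
    (1, 0, 1, 0): "Illegal",    (1, 0, 1, 1): "Illegal",
    (1, 1, 0, 0): "Illegal",    (1, 1, 0, 1): "Illegal",
    (1, 1, 1, 0): "Illegal",    (1, 1, 1, 1): "Illegal",
}

def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Pack a minimal 20-byte TCP header (constructed sample input; checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 33304, 0, 0)

def flags_of(tcp_hdr):
    """Return the six classic flag bits from byte 13 of a TCP header."""
    return tcp_hdr[13] & 0x3F

def classify(flags):
    """Look the (Reset, Fin, Syn, Ack) pattern up in the slide's table."""
    key = tuple(int(bool(flags & bit)) for bit in (RST, FIN, SYN, ACK))
    return FLAG_TABLE[key]

def illegal_segments(headers):
    """Indexes of headers whose flag combination the table marks Illegal."""
    return [i for i, h in enumerate(headers) if classify(flags_of(h)) == "Illegal"]

# Constructed sample: a normal open, a data segment, then probe-style segments.
SAMPLE = [
    build_tcp_header(49194, 25, SYN),                # 1st Packet
    build_tcp_header(25, 49194, SYN | ACK),          # 2nd Packet
    build_tcp_header(49194, 25, ACK | PSH),          # OK
    build_tcp_header(49194, 25, FIN | SYN),          # Illegal
    build_tcp_header(49194, 25, 0),                  # Illegal: no flags at all
    build_tcp_header(49194, 25, URG | PSH | FIN),    # (R,F,S,A) = (0,1,0,0) -> Needs Ack per table
]
```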

DoS Exploits using TCP Packets

Land - Source Address = Destination Address. Crashes some printers, routers.
Tear Drop - IP Fragments that overlap, have gaps (also Bonk, Newtear, Syndrop). Win 95, Win 98, Windows NT, Linux, UNIX.
Winnuke - Set Urgent Flag, & Urgent Offset Pointer = 3. Any garbage data to an open file-sharing port (TCP-139) crashes Win 95 and NT (Blue Screen of Death). Older Windows OS would crash.

TCP Session Hijack

Established TCP Connection: Alice <-> Bob.
Attacker: (1) sniffs network and watches Alice establish TCP session with Bob; (2) hijacks TCP Connection by using correct sequence number; (3) DoS Attack to Silence Alice (Acks and Resets).

Off-LAN Attack (can not sniff) to get by host-based firewall:
1. Open several TCP connections to Bob, to predict next sequence number.
2. DoS Alice so it will not send a TCP Reset to Bob.
3. Send Bob a SYN (from Alice's IP), then an ACK based on the predicted seq. no. of Bob's SYN-ACK.
4. Send exploit to Bob (assume all packets are Ack'ed).

TCP Connect Handshake - shown by "tcpdump"

20:43:58 192.168.1.127.49194 > 204.132.198.27.25: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 1015223232 0> (DF) (ttl 64, id 13382, len 60)   <no ack!>
20:43:59 204.132.198.27.25 > 192.168.1.127.49194: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <nop,nop,timestamp 693175946 1015223232,nop,wscale 1,mss 1460> (DF) (ttl 52, id 16741, len 60)
20:43:59 192.168.1.127.49194 > 204.132.198.27.25: . ack 1 win 33304 <nop,nop,timestamp 1015223234 693175946> (DF) (ttl 64, id 13383, len 52)
20:43:59 204.132.198.27.25 > 192.168.1.127.49194: P 1:62(61) ack 1 win 33304 <nop,nop,timestamp 693175953 1015223234> (DF) (ttl 52, id 16742, len 113)
20:43:59 192.168.1.127.49194 > 204.132.198.27.25: P [bad tcp cksum 24f8!] 1:23(22) ack 62 win 33304 <nop,nop,timestamp 1015223234 693175953> (DF) (ttl 64, id 13384, len 74)

TCP Finish Handshake - shown by "tcpdump"

20:44:01 204.132.198.27.25 > 192.168.1.127.49194: P 2425:2467(42) ack 3889 win 33304 <nop,nop,timestamp 693176146 1015223238> (DF) (ttl 52, id 16760, len 94)
20:44:01 192.168.1.127.49194 > 204.132.198.27.25: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 <nop,nop,timestamp 1015223238 693176146> (DF) (ttl 64, id 13402, len 52)
20:44:01 204.132.198.27.25 > 192.168.1.127.49194: . [tcp sum ok] ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16761, len 52)
20:44:01 204.132.198.27.25 > 192.168.1.127.49194: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 <nop,nop,timestamp 693176152 1015223238> (DF) (ttl 52, id 16762, len 52)
20:44:01 192.168.1.127.49194 > 204.132.198.27.25: . [bad tcp cksum 2c51!] ack 2468 win 33304 <nop,nop,timestamp 1015223238 693176152> (DF) (ttl 64, id 13403, len 52)
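An added example, not from these slides, that parses tcpdump lines in the format of the two handshake slides and checks the sequence/acknowledgement arithmetic they illustrate: the SYN-ACK must acknowledge ISN + 1, and every FIN must be answered with ack = FIN seq + 1. The sample lines are constructed (documentation addresses, option lists shortened) using the sequence and ack numbers shown on the slides.

```python
import re

# Old-style tcpdump TCP summary as on the slides: time src > dst: flags [cksum] seq:end(len) ack N win W
TCPDUMP_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: \[[^\]]*\])?"                                  # "[tcp sum ok]" or "[bad tcp cksum ..!]"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"   # present for SYN, FIN and data segments
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)")

def parse_line(line):
    """Fields of one tcpdump line as a dict (numbers converted), or None if it does not match."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len", "ack", "win"):
        d[k] = None if d[k] is None else int(d[k])
    return d

def check_syn_handshake(lines):
    """The SYN-ACK must come from the SYN's destination and acknowledge the client ISN + 1."""
    pkts = [p for p in map(parse_line, lines) if p]
    syn = next(p for p in pkts if p["flags"] == "S" and p["ack"] is None)
    synack = next(p for p in pkts if p["flags"] == "S" and p["ack"] is not None)
    return synack["src"] == syn["dst"] and synack["ack"] == syn["seq"] + 1

def check_fin_acks(lines):
    """A FIN consumes one sequence number, so the peer must later send ack = FIN seq + 1."""
    pkts = [p for p in map(parse_line, lines) if p]
    for i, p in enumerate(pkts):
        if "F" in p["flags"]:
            wanted = p["seq"] + 1
            if not any(q["src"] == p["dst"] and q["ack"] == wanted for q in pkts[i + 1:]):
                return False
    return True

# Constructed lines in the slides' format; sequence/ack numbers are the slides', addresses are not.
C, S = "192.0.2.10.49194", "198.51.100.5.25"
CONNECT = [
    f"20:43:58 {C} > {S}: S [bad tcp cksum e773!] 2818212180:2818212180(0) win 32768 <mss 1460> (DF)",
    f"20:43:59 {S} > {C}: S [tcp sum ok] 261524396:261524396(0) ack 2818212181 win 33304 <mss 1460> (DF)",
    f"20:43:59 {C} > {S}: . ack 1 win 33304 (DF)",
]
FINISH = [
    f"20:44:01 {S} > {C}: P 2425:2467(42) ack 3889 win 33304 (DF)",
    f"20:44:01 {C} > {S}: F [bad tcp cksum 2c58!] 3889:3889(0) ack 2467 win 33304 (DF)",
    f"20:44:01 {S} > {C}: . [tcp sum ok] ack 3890 win 33304 (DF)",
    f"20:44:01 {S} > {C}: F [tcp sum ok] 2467:2467(0) ack 3890 win 33304 (DF)",
    f"20:44:01 {C} > {S}: . [bad tcp cksum 2c51!] ack 2468 win 33304 (DF)",
]
```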
