Layer 4: UDP, TCP, and others

Transcription

1 Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled by processes on each node Low-level, or "Transport Set", protocols are concerned only with moving packets from source node to destination node The Transport layer lies at the junction of these - TCP is the most popular protocol for use with IP, hence the name "TCP/IP" - Other protocols are in use as well Some protocols occupy a niche between layer 3 and layer 4 1

2 Model Layers and Applications OSI Application Presentation TCP/IP Application HTTP FTP SMTP SSH NFS DNS DHCP Session Ping Transport Transport TCP TCP SCTP TCP TCP UDP UDP UDP Network Internet IPSec IP ICMP IGMP Datalink Link Ethernet ARP WiFi Frame Relay Token Ring Physical Physical TCP Transport Layer - Connection-oriented, Reliable UDP Transport Layer - Connectionless, "Best-Effort" ICMP part of Network Layer - Very simple format - Between protocol utilities, not application processes IGMP part of Network Layer - Communications between multicast destinations and routers/switches (look for icmp, igmp packets using Wireshark) Layer 3.5?: IP Management 2

3 ICMP Internet Control Message Protocol For communication between IP layers on network nodes - Ping application can use ICMP "Layer 3.5" ICMP messages are carried in IP packets Constant-size header - Varying field meanings based on the message Data often absent - ping data field padded with arbitrary contents - some error messages include portions of a failed IP packet (headers, etc.) The ICMP Protocol Data Unit 1 st byte 2 nd byte 3 rd byte 4 th byte bit numbers st word 2 nd word Type Code Rest of header depends on type, code Checksum Payload (optional, 0..64KB) a.k.a. Protocol Data Unit, PDU Types include - Echo Request (ping request) - Echo Reply (ping reply) - Destination Unreachable» Code explains why - TTL exceeded Payload often includes the beginning of the packet that caused the ICMP response - IPv4 header - 8 bytes of layer-3 PDU 3

4 ICMP packet reporting an error In this Wireshark session a machine has requested a TCP connection. - by sending a SYN packet. The ICMP packet is reporting that the connection has been refused. - Its payload is the IP and TCP headers of the packet that made the request. ICMP "Smurf Attack" Attacker broadcasts ICMP packets - Source addresses are spoofed to be the victim's address Network hosts all respond to the ICMP packets - Doesn't matter what they send Victim is overwhelmed with response packets that it never asked for - Victim falls over This is a DDOS Distributed Denial Of Service 4

5 ICMP as a Phishing Tool 2006 phishing Trojan captures account/password information, transmits to a host using encrypted ping packets carries encrypted account info :-) This "innocent" ping packet IGMP Internet Group Management Protocol Very simple protocol between routers, multicast members - Version 1: 8-byte header (1 unused), no data - Version 2: Max-response-time, query / report / leave options 5

6 an IGMP packet, in Wireshark :53 am (look for http, ssh, netcat packets using Wireshark) Layer 4: Ports; UDP, TCP 6

7 Transport layer requirements Process identity multiple (application) processes on a node - All communicating processes have the same source IP address (and MAC address) Transport layer establishes a socket" that identifies each process Establishes sessions for processes needing steady communication - Some processes want a steady communication channel - some use individual transmissions» cf. phone conversations versus mail Process Identities Processes that need to communicate with other processes establish a reference to that process - IP address what node the process is on - Port the process's "ID number" on that node IP address plus port number is a socket Some server processes use Well-Known Port assignments See /etc/services Client process also needs its own port number Randomly chosen FTP 20, 21 POP3 110 SSH 22 NetBIOS Name Service 137 SMTP 25 SNMP 161 HTTP 80 HTTPS 443 Kerberos 88 rsync 873 7

8 Ports and netstat Unix netstat --inet -n command shows network connections - the --inet option restricts report to TCP and UDP ports over the network interface - this display shows four client sessions, three TCP server processes, and six UDP servers - Use -n to turn off name resolution Windows netstat -a shows comparable information UDP User Datagram Protocol Connectionless protocol Unreliable Simpler, less overhead required than for TCP - Good for broadcasts, other uses that may or may not create replies» DHCP, BOOTP» DNS» SNMP Applications can implement reliability themselves: - TFTP for lightweight, local file transfers 8

9 Encapsulation in UDP Datagrams traceroute application (random UDP ports) (no layer 7 header) UDP header some data some data some data data message datagram DNS application (UDP port 53) (no data) DNS headers (no data) UDP header DNS headers (no data) data message datagram UDP Header Fields 1 st byte 2 nd byte 3 rd byte 4 th byte bit numbers st word Source Port number (optional) Destination Port number 2 nd word Datagram length (minimum value 8) Checksum Payload (optional, 0..64KB) Header is always two words (eight bytes) in size Source port can be set to all 0s if no reply is needed Checksum includes data, UDP header, and a pseudo-ip header

10 TCP Transmission Control Protocol Connection-oriented protocol establishes endto-end session before sending application messages - "3-way handshake" establishes connection» SYN / SYN-ACK / ACK sequence - FIN sequence closes connection - Reset packet demands immediate disconnection TCP Encapsulation TCP header HTTP headers HTTP headers some file some file some file data message segment TCP payload (Protocol Data Unit, PDU) TCP header identifies server and client applications Supports breaking large files into manageable-sized segments Flow control prevents sender from overwhelming receiver with too many segments 10

11 TCP Header Fields 1 st byte 2 nd byte 3 rd byte 4 th byte bit numbers st word 2 nd word 3 rd word 4 th word Reserved - Data offset NS CWR ECE Urg Ack Psh Rst Syn Fin 5 th word 0-10 optional words Source Port number Checksum Sequence number Acknowledgement number Destination Port number Window size Urgent pointer Payload (optional, 0..64KB) TCP Header Fields Detail Source and port numbers - Both required Sequence, Acknowledgement numbers - provide reliable, in-order delivery Data offset counts length of TCP header in 4-byte words - minimum value is 5 Reserved bits - must be 0's Flags bits indicate various conditions - Syn, Fin are used to start, finish connections - Ack supports reliable delivery 1 st byte 2 nd byte 3 rd byte 4 th byte bit numbers st word 2 nd word 3 rd word 4 th Reserved - word Data offset NS CWR ECE Urg Ack Psh Rst Syn Fin th word 0-10 optional words Source Port number Checksum Sequence number Acknowledgement number Data bytes (optional, 0..64KB) Destination Port number Window size Urgent pointer Window size supports flow control Checksum includes header fields, data, and a pseudo-ip header Urgent pointer allows data to "cut in front" of earlier packets in the stream Optional fields support various values 11

12 TCP and Reliability Sender Receiver Sender splits arbitrary-length application messages into segments - MSS Maximum Segment Size is negotiated as part of the 3-way handshake - Sequence number identifies segment's position within overall message Receiver buffers incoming segments - Out-of-order packet delivery requires that segments be put into proper order - Last-received in-order packet is acknowledged» (actually, the next-expected-position is sent) Stop-and-Wait: each segment must be acknowledged before the next can be sent Unacknowledged segments must be re-sent timeout TCP and Performance Sender Receiver 200-byte window Client and server negotiate a Sliding Window for each - # of bytes sent before receiving an ACK - Separate window for each direction Sender may send packets until it has "filled the window" Receiver acknowledges packets and reports remaining window space When the receiving application takes bytes from receive buffer, the window "opens up" some more timeout 12

13 Sliding Window Detailed Example Client C sends SYN, Server S sends SYN/ACK, C sends ACK - S offers 500-byte window C sends 100-byte segment followed by 250- byte segment, gets ACK of first segment - ACK shows 400 bytes of window following first segment C sends 150 more bytes, then waits S processes 220 bytes, offers more window C sends 200 bytes S processes entire buffer, offers more window the process is symmetric: - C offers a window, S sets a first sequence number - C sets a window, S sends segments and C acknowledges them - as C process takes data, C s window slides forward Attacks on TCP Connections Most TCP attacks involve invalid or falsified ("spoofed") header values that disrupt a session or the protocol stack itself SYN Flood - Attacker sends many SYN packets to initiate connections, but never ACKs the server's responses - Server reserves resources for each connection until it runs out, resulting in Denial of Service (DoS) - Spoofed sender IP conceals the attacker SYN/FIN attack - SYN flag combined with FIN flag disrupted older TCP software RST attack, SYN attack - Spoofed packet with RST or SYN flag set will terminate victim's connection another DoS Session hijacking - Sophisticated packet spoofing can intercept data, inject false data, etc. 13

14 done 14