Slide #1 CIT 380: Securing Computer Systems TCP/IP.
Slide #1
CIT 380: Securing Computer Systems
TCP/IP
Slide #2
Topics
1. TCP/IP Layering
2. Encapsulation
3. Internet Addresses
4. Link Layer Protocols
5. IP
6. Routing
7. TCP and UDP
8. Application Layer Protocols
Slide #3
Network Example
[Diagram: hosts A1, A2, A3 and B1, B2, B3, a Router, and an External Router]
Slide #4
TCP/IP Layering
Application: HTTP, FTP, telnet
Transport: TCP, UDP
Network: IP, ICMP, IGMP
Data Link: PPP, 802.11
Physical: Ethernet
Slide #5
TCP/IP Layers
1. Physical
– NIC, cabling, electrical signaling.
2. Data Link
– Single hop transport of packets.
– Wired protocols (ethernet, FDDI, PPP)
– Wireless protocols (802.11)
3. Network
– End to end delivery of packets.
– IP: Internet Protocol
Slide #6
TCP/IP Layers
4. Transport
– Flow of data between two hosts for application layer.
– TCP: reliable data flow with acknowledgements, retransmission, and timeouts.
– UDP: simpler service with no guarantees.
5. Application
– Protocols for particular applications.
– ex: FTP, HTTP, SMTP
Slide #7
Encapsulation/De-multiplexing
Sending: data sent down protocol stack
– Each layer prepends a header to data
– Ethernet frame sent as bit stream across wire
Receiving: data moves up protocol stack
– NIC moves bits into memory as ethernet frame
– Each layer removes its header from packet
Slide #8
Encapsulation
Slide #9
De-multiplexing
Slide #10
TCP/IP Security
TCP/IP has no built-in strong security.
– No confidentiality features.
– Minimal availability features (ToS options).
– Insecure CRC checksums for integrity.
– IPsec protocol extension adds security.
Slide #11
Data Link Layer
IEEE Standards
– Ethernet (802.3)
– Token Ring (802.5)
– Wireless (802.11)
Serial Protocols
– SLIP and CSLIP
– PPP
Slide #12
Hubs and Switches
Hubs
– Broadcast received packets to all interfaces.
Switches
– Associate MAC addresses with physical interfaces.
– Send packets only to the specified interface.
– May have a SPAN port for network monitoring.
Slide #13
Data Link Layer
Loopback
– Looks like any other link layer device.
– Full network processing is performed.
– Sends packets to localhost for testing.
48-bit MAC address
Maximum Transmission Unit (MTU)
– 1492 or 1500 bytes, depending on ethernet std
Slide #14
Promiscuous Mode
• All ethernet frames to or from any locally connected host are seen by all hosts.
• NIC normally filters out frames that are not addressed to its MAC address.
• In promiscuous mode, NIC processes all ethernet frames, not just ones addressed to it.
– Requires administrative access on most OSes.
Slide #15
IP: Internet Protocol
Unreliable, connectionless datagram service
– Packets may arrive damaged, out of order, duplicated, or not at all.
– Transport/Application layers provide reliability.
IPv4 underlies Internet.
– 32-bit addresses in dotted-quad: 10.17.0.90.
– IPv6 is successor with 128-bit addresses.
Complexities: addressing, routing
Slide #16
IP Header
Slide #17
IP Header
Protocol version: IPv4
Header length: 5-60 32-bit words
Type of service (TOS):
– 3-bit precedence (ignored today)
– 4 TOS bits (min delay (telnet), max throughput (ftp), max reliability, min monetary cost)
– unused 0 bit
Slide #18
IP Header
Total length: length of IP datagram (bytes)
– maximum size: 65535 bytes
– large packets fragmented at data link layer.
– small packets may be padded to minimum length.
TTL: upper limit on number of router hops.
Protocol: which protocol supplied packet data.
Header checksum: IP header checksum
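A worked example of the header fields above, added here and not part of the deck: it builds and parses a 20-byte IPv4 header, verifies the header checksum, and shows why that checksum only catches accidental damage (the point made on slide 10): a stale checksum after a bit flip fails, but a rewritten field with a refreshed checksum passes. The addresses and identification value are constructed.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Build a 20-byte IPv4 header (IHL=5, no options) with a correct header checksum."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words = 20 bytes
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(datagram: bytes) -> dict:
    """Decode the fixed fields of an IPv4 header and verify its checksum."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20..60)
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(datagram):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
        "checksum": csum, "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        # summing the header *including* its checksum field yields 0 when it is intact
        "checksum_ok": internet_checksum(datagram[:ihl]) == 0,
    }


def refresh_checksum(hdr: bytes) -> bytes:
    """Recompute the checksum after a field was rewritten (every router does this for TTL)."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", internet_checksum(zeroed)) + hdr[12:]


def integrity_demo() -> tuple:
    """(intact, corrupted-with-stale-checksum, rewritten-with-fresh-checksum) verification results."""
    hdr = build_ipv4_header("10.17.0.90", "10.1.0.1", proto=6, payload_len=20, ttl=64, ident=0x1234)
    corrupted = hdr[:8] + bytes([1]) + hdr[9:]                      # TTL byte altered, checksum stale
    rewritten = refresh_checksum(hdr[:16] + ip_to_bytes("10.1.0.99"))  # new destination, checksum refreshed
    return (parse_ipv4_header(hdr)["checksum_ok"],
            parse_ipv4_header(corrupted)["checksum_ok"],
            parse_ipv4_header(rewritten)["checksum_ok"])
```

The checksum therefore detects line noise, not an on-path rewrite, which is why the deck points to IPsec for integrity.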
Slide #19
IP Fragments
IP packets may be fragmented by routers for transmission across different media.
– Max IP packet size: 65536
– Max Ethernet packet size: 1500
IP headers contain fragment data:
– Don’t Fragment Flag: 0=allowed, 1=don’t
– More Fragments Flag: 0=last, 1=more fragments
– Identification: identifies single packet for reassembly.
– Fragment Offset: where contents of fragment go.
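Fragmentation and reassembly as described above, written as an added example (not from the deck): fragment() splits a payload to fit an MTU using the More Fragments flag and 8-byte-unit offsets, and reassemble() rejects gaps, overlaps and a missing final fragment. The payload and identification value are constructed.

```python
from typing import Dict, List


def fragment(ident: int, dont_fragment: bool, payload: bytes, mtu: int,
             header_len: int = 20) -> List[Dict]:
    """Split a datagram's payload into fragments that fit the link MTU.

    Every fragment carries the same Identification. Offsets are counted in 8-byte
    units, so each non-final fragment holds a multiple of 8 payload bytes.
    """
    if header_len + len(payload) <= mtu:
        return [{"id": ident, "mf": False, "offset": 0, "data": payload}]
    if dont_fragment:
        # a router would drop the datagram and return ICMP type 3 (fragmentation needed)
        raise ValueError("datagram exceeds MTU and DF is set")
    max_data = (mtu - header_len) // 8 * 8          # 1480 for a 1500-byte Ethernet MTU
    frags = []
    for pos in range(0, len(payload), max_data):
        chunk = payload[pos:pos + max_data]
        frags.append({"id": ident, "mf": pos + len(chunk) < len(payload),
                      "offset": pos // 8, "data": chunk})
    return frags


def reassemble(frags: List[Dict]) -> bytes:
    """Rebuild the payload from a complete fragment set received in any order.

    Gaps, overlaps and a missing or misplaced final fragment (MF=0) are rejected outright:
    silently preferring one copy of overlapping data lets an inspecting device and the
    end host reconstruct different bytes.
    """
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragment set is empty or mixes datagrams")
    finals = [f for f in frags if not f["mf"]]
    if len(finals) != 1 or finals[0]["offset"] != max(f["offset"] for f in frags):
        raise ValueError("final fragment (MF=0) missing or not last")
    out = bytearray()
    expected = 0                                    # byte offset the next fragment must start at
    for f in sorted(frags, key=lambda f: f["offset"]):
        start = f["offset"] * 8
        if start < expected:
            raise ValueError(f"overlapping fragment at offset {start}")
        if start > expected:
            raise ValueError(f"gap before offset {start}")
        out += f["data"]
        expected = start + len(f["data"])
    return bytes(out)


def reassembly_error(frags: List[Dict]):
    """Return the reassembly error message, or None when the set reassembles cleanly."""
    try:
        reassemble(frags)
        return None
    except ValueError as exc:
        return str(exc)
```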
Slide #20
Internet Addresses
32-bit IPv4 addresses
– Dotted decimal notation: ii.jj.kk.ll
Divided into two parts
– Network ID
– Host ID
– XOR address with netmask to get Network ID.
[Diagram: Network ID | Host ID]
Slide #21
Address Classes
Class A: 0.0.0.0-127.255.255.255
– 8-bit net ID, 24-bit host ID
Class B: 128.0.0.0-191.255.255.255
– 16-bit net ID, 16-bit host ID
Class C: 192.0.0.0-223.255.255.255
– 24-bit net ID, 8-bit host ID
Class D: 224.0.0.0-239.255.255.255
– 28-bit multicast group ID
Class E: 240.0.0.0-255.255.255.255
– Reserved for future use
Slide #22
CIDR
Class addressing too inefficient
– Still need to aggregate routes to limit routing table size.
Example: 196.1.1.0/24
– 24 bits of Net ID: 196.1.1
– Remaining 8 bits are host ID
Not limited to network class sizes
– Example: 192.168.128.0/22
– 4 class C networks: 192.168.{128,129,130,131}.0
Slide #23
Network Address Translation
Local network uses IETF reserved addresses.
– Non-routable: no router knows how to send packets to them.
– RFC 1918: 10.x.y.z, 192.168.y.z, 172.16-31.y.z
Gateway translates reserved addresses to unique, routable IP addresses.
[Diagram: Internal Network, packets with Src = 10.0.0.1 or Dst = 10.0.0.1 | NAT Gateway | Internet, packets with Src = 2.3.4.5 or Dst = 2.3.4.5]
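An added example (not from the deck) covering slides 20 to 23: it derives netmask, network ID, broadcast address and host count from a CIDR prefix, classifies an address, lists the class C networks an aggregate spans, and checks membership in the RFC 1918 ranges. The masking step is implemented as a bitwise AND of address and netmask, which is the operation that isolates the network bits.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """Classful category from the first octet, using the slide 21 ranges."""
    first = ip_to_int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe_cidr(cidr: str) -> dict:
    """Netmask, network ID, broadcast, host count and class C blocks for a.b.c.d/prefix."""
    ip, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    addr = ip_to_int(ip)
    network = addr & mask                          # AND keeps the network bits, clears host bits
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits all ones
    if prefix <= 30:
        usable = 2 ** (32 - prefix) - 2            # minus the network and broadcast addresses
    else:
        usable = 2 if prefix == 31 else 1
    return {
        "network": int_to_ip(network), "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast), "prefix": prefix, "usable_hosts": usable,
        "class": address_class(ip),
        # for /16 to /24 aggregates, the classful C networks spanned (the slide 22 /22 example)
        "class_c_blocks": ([int_to_ip(n) for n in range(network, broadcast + 1, 256)]
                           if 16 <= prefix <= 24 else []),
        "host_bits_set": network != addr,          # e.g. 10.1.0.90/24 names a host, not a network
    }


def in_network(ip: str, cidr: str) -> bool:
    net = describe_cidr(cidr)
    return ip_to_int(ip) & ip_to_int(net["netmask"]) == ip_to_int(net["network"])


RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip: str) -> bool:
    """True for the RFC 1918 ranges that a NAT gateway must translate before forwarding."""
    return any(in_network(ip, block) for block in RFC1918_BLOCKS)
```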
Slide #24
NAT Techniques
One-to-one Mapping
– Map each internal IP address to a single external IP addr.
– Need as many external IP addresses as have simultaneous connections to Internet.
Many-to-one Mapping
– Port Address Translation (PAT)
– Map all internal IP addresses to a single external IP addr.
– NAT device encodes state by rewriting the source port and keeping a state table of the mappings.
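PAT as described above, as an added example that is not the deck's own code: a small gateway that rewrites the source port per flow, keeps the state table, and drops inbound packets that match no outbound flow. The external address 2.3.4.5 is the slide's; the internal and remote addresses used with it are constructed.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src IP, src port, dst IP, dst port), the 4-tuple of slide 64


class PatGateway:
    """Many-to-one NAT: each internal flow is rewritten to one external IP and a unique source port."""

    def __init__(self, external_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map: Dict[Flow, int] = {}          # internal flow -> external port
        # (external port, remote IP, remote port) -> (internal IP, internal port)
        self.inbound_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate an internal->Internet packet, creating state the first time a flow is seen."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound_map:
            if self.next_port > self.last_port:
                raise RuntimeError("external port pool exhausted")   # a real device expires idle entries
            ext_port = self.next_port
            self.next_port += 1
            self.outbound_map[flow] = ext_port
            self.inbound_map[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, self.outbound_map[flow], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Translate an Internet->external_ip packet back to the internal host, or None to drop it.

        The lookup includes the remote address and port, so a packet from a host the internal
        client never talked to finds no state and is discarded.
        """
        internal = self.inbound_map.get((dst_port, src_ip, src_port))
        if internal is None:
            return None
        int_ip, int_port = internal
        return (src_ip, src_port, int_ip, int_port)

    def close(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Remove a flow's state (after FIN/RST or an idle timeout)."""
        ext_port = self.outbound_map.pop((src_ip, src_port, dst_ip, dst_port), None)
        if ext_port is not None:
            del self.inbound_map[(ext_port, dst_ip, dst_port)]
```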
Slide #25
ARP: Address Resolution Protocol
MAC address determines packet destination.
How does network layer supply the link layer with a MAC address?
ARP: Address Resolution Protocol
– Maps 32-bit IP addresses to 48-bit MAC addrs
– Data link layer protocol above ethernet
– RARP: Reverse ARP
Slide #26
ARP Example
sftp zappa.nku.edu
1. Obtains IP address via gethostbyname()
2. sftp asks TCP to connect to IP address
3. TCP sends connection request to zappa using an IP datagram
4. Sending host emits ARP broadcast, asking for MAC address of given IP address
5. Destination host’s ARP layer receives broadcast, answers with an ARP reply w/ IP->MAC mapping
6. Sending host constructs ethernet frame with destination MAC address containing IP datagram
7. Sending host sends IP datagram
Slide #27
ARP Cache
st361m13 (10.1.0.90) > arp -a
Net to Media Table: IPv4
Device   IP Address        Phys Addr
------   ---------------   -----------------
hme0     at_elan.lc3net    00:00:a2:cb:28:5e
hme0     10.1.0.79         00:e0:cf:00:0e:92
hme0     st361m13          08:00:20:d8:e0:07
hme0     10.1.7.103        00:90:27:b6:b5:e5
hme0     10.1.0.139        00:e0:cf:00:15:bd
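An added example (not from the deck) that parses the arp -a layout above and compares two cache snapshots, flagging an address whose MAC changed and a MAC that answers for several addresses. The first snapshot is the slide's table; the second is constructed to show one changed entry.

```python
import re
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Slide 27's table, then a constructed later capture in which 10.1.0.79 reports a different MAC.
SNAPSHOT_BEFORE = """\
Net to Media Table: IPv4
Device   IP Address        Phys Addr
------   ---------------   -----------------
hme0     at_elan.lc3net    00:00:a2:cb:28:5e
hme0     10.1.0.79         00:e0:cf:00:0e:92
hme0     st361m13          08:00:20:d8:e0:07
hme0     10.1.7.103        00:90:27:b6:b5:e5
hme0     10.1.0.139        00:e0:cf:00:15:bd
"""

SNAPSHOT_AFTER = """\
Net to Media Table: IPv4
Device   IP Address        Phys Addr
------   ---------------   -----------------
hme0     at_elan.lc3net    00:00:a2:cb:28:5e
hme0     10.1.0.79         00:90:27:b6:b5:e5
hme0     st361m13          08:00:20:d8:e0:07
hme0     10.1.7.103        00:90:27:b6:b5:e5
hme0     10.1.0.139        00:e0:cf:00:15:bd
"""


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each IP address or hostname to (device, MAC); header and rule lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not MAC_RE.match(parts[-1]):
            continue
        device, host, mac = parts[0], parts[1], parts[-1].lower()
        entries[host] = (device, mac)
    return entries


def arp_anomalies(before: Dict[str, Tuple[str, str]],
                  after: Dict[str, Tuple[str, str]]) -> List[str]:
    """Report MAC changes between snapshots and MACs that answer for several addresses."""
    findings = []
    for host, (device, mac) in sorted(after.items()):
        if host in before and before[host][1] != mac:
            findings.append(f"{host}: MAC changed {before[host][1]} -> {mac} on {device}")
    by_mac: Dict[str, List[str]] = {}
    for host, (_device, mac) in after.items():
        by_mac.setdefault(mac, []).append(host)
    for mac, hosts in sorted(by_mac.items()):
        if len(hosts) > 1:
            # expected for a proxy-ARP router; otherwise a duplicate address or a poisoned cache
            findings.append(f"{mac} answers for {sorted(hosts)}")
    return findings
```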
Slide #28
ARP Features
Proxy ARP
– Router can answer ARP requests on network B for a host on network A that doesn’t see broadcast.
Gratuitous ARP
– Host sends ARP for own IP address at boot.
– No reply should be received.
– Network misconfiguration if reply received.
Slide #29
IP Connectivity
No Network
– loopback only
Single LAN
– direct connectivity to hosts
Single Router
– Direct connectivity to local LAN
– Other networks reachable through one router
Multiple Routes to Other Networks
Slide #30
IP Routing
Slide #31
Routing Table
Where to send an IP packet to?
Use a table lookup: routing table
Search Process:
1. Search for a matching host address.
2. Search for a matching network address.
3. Search for a default route.
No route to destination: Host or network unreachable error if search fails.
Slide #32
Routing Table
st361m13 (10.1.0.90) > netstat -rn
Routing Table: IPv4
Destination     Gateway        Flags  Ref  Use     Int
-------------   ------------   -----  ---  ------  ----
10.1.0.0        10.1.0.90      U      1    4977    hme0
224.0.0.0       10.1.0.90      U      1    0       hme0
default         10.1.0.1       UG     1    66480
127.0.0.1       127.0.0.1      UH     6    798905  lo0
Slide #33
Routing Table
Destination: final destination host/network
Gateway: next host in route to destination
Flags
U: Route is up
G: Route is to a gateway (router)
H: Route destination is a host (not a network)
D: Route created by a redirect
M: Route modified by a redirect
Slide #34
Routing Table
10.1.0.0: direct access to local subnet
224.0.0.0: multicast route
default: forward packets to router at IP 10.1.0.1
127.0.0.1: loopback
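The three-step search above, as an added example that is not the deck's own code. The table is modelled on slide 32 with assumptions noted in the comment: prefix lengths are added (the Solaris output shows none), the default route's interface is assumed to be hme0, and one host route is constructed so the first search step has something to match.

```python
import ipaddress
from typing import List, Optional

# Constructed 'netstat -rn' table modelled on slide 32. Assumptions: the /prefix lengths, the
# default route's interface (hme0), and the host route (flag H) to 10.1.7.103 via 10.1.0.5.
ROUTE_TABLE = """\
Destination      Gateway      Flags  Ref  Use     Int
10.1.0.0/24      10.1.0.90    U      1    4977    hme0
224.0.0.0/4      10.1.0.90    U      1    0       hme0
10.1.7.103/32    10.1.0.5     UGH    1    3       hme0
default          10.1.0.1     UG     1    66480   hme0
127.0.0.1/32     127.0.0.1    UH     6    798905  lo0
"""


def parse_routes(text: str) -> List[dict]:
    routes = []
    for line in text.splitlines()[1:]:            # skip the column header
        dest, gateway, flags, _ref, _use, iface = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "iface": iface})
    return routes


def lookup(routes: List[dict], dst: str) -> Optional[dict]:
    """Slide 31 search order: host route, then network route (longest prefix), then default."""
    addr = ipaddress.ip_address(dst)
    live = [r for r in routes if "U" in r["flags"] and addr in r["net"]]
    host_routes = [r for r in live if "H" in r["flags"]]
    net_routes = [r for r in live if "H" not in r["flags"] and r["net"].prefixlen > 0]
    defaults = [r for r in live if r["net"].prefixlen == 0]
    if host_routes:
        chosen, match = host_routes[0], "host"
    elif net_routes:
        chosen, match = max(net_routes, key=lambda r: r["net"].prefixlen), "network"
    elif defaults:
        chosen, match = defaults[0], "default"
    else:
        return None                               # "No route to host" / "Network is unreachable"
    via_gateway = "G" in chosen["flags"]
    return {"match": match, "iface": chosen["iface"],
            # without G the destination is on the attached link and is resolved with ARP directly
            "next_hop": chosen["gateway"] if via_gateway else dst}
```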
Slide #35
IP Routing
Manual (static) routes
– Added with the route command.
ICMP redirects can alter routes
– Router sends ICMP redirect when packet should’ve been sent to another router.
Routing protocols
– Routers exchange routes with each other using special routing protocols.
– Full internet router tables contain ~30,000 routes.
Source routing
– Sender includes routing info in packet header.
Slide #36
ICMP (Internet Control Message Protocol)
Network layer protocol encapsulated in IP
– Communicates error messages and exceptions.
– Messages handled by either IP or TCP/UDP.
[Diagram: IP Header (20 bytes) | ICMP Message]
ICMP message layout: 8-bit type | 8-bit code | 16-bit checksum | Contents (depend on type and code; always contains IP header + 8 data bytes)
Slide #37
ICMP Message Types
Type 0: echo (ping) reply
Type 3: destination unreachable
Type 4: source quench
Type 5: redirect
Type 8: echo (ping) request
Type 9, 10: router advertisement, solicitation
Type 11: time (TTL) exceeded
Type 12: parameter (header) problem
Type 13: timestamp
Type 14: timestamp reply
Type 15, 16: information request, reply
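An added example (not from the deck) that decodes an ICMP message into the type names listed above and, for the error types, extracts the original datagram's addresses and ports from the embedded IP header + 8 data bytes described on slide 36. The type 3 code names come from RFC 792; the sample messages are constructed and the checksum is not verified here.

```python
import struct

ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench", 5: "redirect",
    8: "echo request", 9: "router advertisement", 10: "router solicitation",
    11: "time exceeded", 12: "parameter problem", 13: "timestamp", 14: "timestamp reply",
    15: "information request", 16: "information reply",
}
UNREACHABLE_CODES = {                         # RFC 792 codes for type 3
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set", 5: "source route failed",
}
ERROR_TYPES = {3, 4, 5, 11, 12}               # carry the offending datagram's IP header + 8 bytes


def decode_icmp(msg: bytes) -> dict:
    """Decode type/code and, for error messages, identify the datagram they refer to."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _checksum = struct.unpack("!BBH", msg[:4])   # checksum not verified here
    out = {"type": icmp_type, "code": code, "name": ICMP_TYPES.get(icmp_type, "unknown")}
    if icmp_type == 3:
        out["reason"] = UNREACHABLE_CODES.get(code, f"code {code}")
    if icmp_type in ERROR_TYPES:
        inner = msg[8:]
        if len(inner) < 28:
            raise ValueError("error message lacks the IP header + 8 data bytes")
        ihl = (inner[0] & 0x0F) * 4
        if ihl < 20 or len(inner) < ihl + 8:
            raise ValueError("embedded IP header is malformed or truncated")
        original = {"protocol": inner[9],
                    "src": ".".join(str(b) for b in inner[12:16]),
                    "dst": ".".join(str(b) for b in inner[16:20])}
        if original["protocol"] in (6, 17):   # TCP or UDP: the ports are the first 4 of the 8 bytes
            original["sport"], original["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
        out["original"] = original
    return out


def constructed_port_unreachable() -> bytes:
    """Constructed sample: the reply a host sends for a UDP datagram aimed at a closed port 53."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x4321, 0, 64, 17, 0,
                           bytes([10, 17, 0, 90]), bytes([10, 1, 0, 1]))
    inner_udp = struct.pack("!HHHH", 54321, 53, 8, 0)   # src port, dst port, length, checksum
    return struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp


def constructed_echo_request() -> bytes:
    """Constructed sample: a ping request with identifier 0x1234, sequence 1 and 8 data bytes."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"abcdefgh"
```

Mapping an error back to the socket that caused it is how the transport layer turns a type 3 message into the "connection refused" or "host unreachable" error an application sees.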
Slide #38
UDP: User Datagram Protocol
Simple datagram transport layer protocol.
Each application output generates one UDP datagram, which produces one IP datagram.
Trades reliability for speed
– Sends datagrams directly to unreliable IP layer.
16-bit port numbers
– Identify sending and receiving processes.
Applications
– DNS, SNMP, TFTP, streaming audio/video
Slide #39
UDP Header
Slide #40
UDP Example: TFTP
Trivial File Transfer Protocol
No authentication
TFTP Session:
sun16 > tftp at204m02
tftp> get readme.txt
Received 1024 bytes in 0.2 seconds.
tftp> quit
Slide #41
TFTP Packet Types
Packet types
1) read a file (filename, ascii/binary)
2) write a file (filename, ascii/binary)
3) file data block
4) ACK
5) error
Slide #42
TFTP Packet Diagram
Slide #43
TFTP Session Trace
at204m02 > snoop udp sun16
1 0.00000 sun16 -> at204m02 TFTP Read "2sun" (netascii)
2 0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)
3 0.00136 sun16 -> at204m02 TFTP Ack block 1
4 0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)
5 0.00119 sun16 -> at204m02 TFTP Ack block 2
Slide #44
TFTP Security
Feature: no username/password required
– TFTP used for diskless hosts to boot.
How to protect /etc/passwd?
– Limit TFTP server filesystem access.
– Generally can only access /tftpboot directory.
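TFTP's five packet types and the /tftpboot restriction, as an added example (not the deck's code): it builds and parses the packets of slide 41, serves a read request in 512-byte blocks ending in a short block as in the trace on slide 43, and refuses absolute paths and traversal out of the server root. The root directory, file names and contents are constructed and served from memory.

```python
import os
import struct
from typing import Dict, List, Optional

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5          # opcodes, in the order of slide 41
BLOCK_SIZE = 512                                    # a DATA block shorter than this ends the transfer
ERR_NOT_FOUND, ERR_ACCESS, ERR_ILLEGAL_OP = 1, 2, 4  # RFC 1350 error codes


def build_rrq(filename: str, mode: str = "netascii") -> bytes:
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_packet(pkt: bytes) -> dict:
    """Decode the five packet types; malformed input raises instead of being guessed at."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = pkt[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("request lacks NUL-terminated filename and mode")
        return {"op": opcode, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    number = struct.unpack("!H", pkt[2:4])[0]
    if opcode == DATA:
        return {"op": DATA, "block": number, "data": pkt[4:], "last": len(pkt) - 4 < BLOCK_SIZE}
    if opcode == ACK:
        return {"op": ACK, "block": number}
    if opcode == ERROR:
        return {"op": ERROR, "code": number,
                "message": pkt[4:].split(b"\x00")[0].decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {opcode}")


def resolve_tftp_path(root: str, requested: str) -> Optional[str]:
    """Confine a request to the server root (the /tftpboot rule); None means refuse."""
    if requested.startswith("/"):
        return None                                 # absolute paths such as /etc/passwd are never served
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None                                 # '../' climbed out of the root
    return candidate


def data_blocks(content: bytes) -> List[bytes]:
    """Split file content into DATA packets; a final short (possibly empty) block signals the end."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return [struct.pack("!HH", DATA, n) + chunk for n, chunk in enumerate(blocks, start=1)]


def handle_read(pkt: bytes, root: str, files: Dict[str, bytes]) -> List[bytes]:
    """Serve an RRQ from an in-memory file map keyed by resolved path; returns the packets to send."""
    req = parse_packet(pkt)
    if req["op"] != RRQ:
        return [struct.pack("!HH", ERROR, ERR_ILLEGAL_OP) + b"Illegal TFTP operation\x00"]
    path = resolve_tftp_path(root, req["filename"])
    if path is None:
        return [struct.pack("!HH", ERROR, ERR_ACCESS) + b"Access violation\x00"]
    if path not in files:
        return [struct.pack("!HH", ERROR, ERR_NOT_FOUND) + b"File not found\x00"]
    return data_blocks(files[path])
```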
Slide #45
TCP: Transmission Control Protocol
Connection-oriented
– Must establish connection before sending data.
– 3-way handshake.
Reliable byte-stream
– TCP decides how to divide stream into packets.
– ACK, timeout, retransmit, reordering.
16-bit source and destination ports.
– FTP(21), HTTP(80), POP(110), SMTP(25)
Slide #46
TCP Reliability
1. Breaks data into best-sized chunks.
2. After sending segment, maintains timer; if no ACK within time limit, resends segment.
3. Sends ACK on receipt of packets.
4. Discards pkts on bad checksum of header and data.
5. Receiver resequences TCP segments so data arrives in order sent.
6. Receiver discards duplicate segments.
7. Flow control: only sends as much data as receiver can process.
Slide #47
TCP Header
Slide #48
TCP Header
• Sequence Number: 32-bit segment identifier.
• Acknowledgment: next sequence number expected by sender of ACK
– TCP is full duplex so both sides of connection have own set of sequence numbers
• Header length: length of header in 32-bit words (20 bytes default, 60 bytes w/ options)
• Window size: number of bytes receiver is willing to accept (flow control)
Slide #49
TCP Header Flags (Code Bits)
URG: urgent pointer is valid
ACK: acknowledgement number is valid
PSH: rcvr should pass data to app asap
RST: reset connection
SYN: synchronize sequence numbers to initiate a connection
FIN: sender is finished sending data
Slide #50
TCP Options
End of option list (kind=0)
NOP (kind=1)
– Used to pad fields to 32-bit boundary
Maximum Segment Size (MSS) (kind=2)
– Len=4 (length includes kind + len bytes)
– 16-bit MSS
– Default: 536 data + 20 TCP hdr + 20 IP hdr
Window Scale Factor (kind=3)
Timestamp (kind=8)
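An added example (not from the deck) that decodes the fixed header, flag bits and option list described on slides 48 to 50, refusing a malformed option length rather than reading past the buffer. The sample segment is constructed to match the SYN on slide 55; the SACK-permitted option (kind 4, shown as sackOK in the traces) is included although the slide does not list it.

```python
import struct
from typing import List, Tuple

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp_options(raw: bytes) -> List[Tuple]:
    """Walk the option list: kind 0 ends it, kind 1 is a 1-byte NOP, all others are kind,len,value."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # End of option list
            opts.append(("EOL",))
            break
        if kind == 1:                                   # NOP padding to a 32-bit boundary
            opts.append(("NOP",))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind without length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")  # never over-read
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == 4 and length == 2:                 # SACK permitted ('sackOK' in the snoop traces)
            opts.append(("SACK_OK",))
        elif kind == 8 and length == 10:
            opts.append(("TIMESTAMP",) + struct.unpack("!II", body))
        else:
            opts.append(("UNKNOWN", kind, body))
        i += length
    return opts


def parse_tcp_segment(seg: bytes) -> dict:
    """Decode the fixed header, the flag bits and the options; the payload follows the header."""
    if len(seg) < 20:
        raise ValueError("segment shorter than minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgptr = struct.unpack("!HHIIHHHH", seg[:20])
    header_len = (off_flags >> 12) * 4                  # data offset, in 32-bit words
    if header_len < 20 or header_len > 60 or header_len > len(seg):
        raise ValueError(f"bad header length {header_len}")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAG_BITS.items() if off_flags & bit],
            "window": window, "checksum": checksum, "urgent": urgptr, "header_len": header_len,
            "options": parse_tcp_options(seg[20:header_len]), "payload": seg[header_len:]}


def build_syn_from_slide55() -> bytes:
    """Constructed segment matching the first slide 55 line: S=37519 D=22 Syn Seq=477982308
    Win=24820 Options=<nop,nop,sackOK,mss 1460>. Checksum is left 0 (no pseudo-header computed)."""
    options = bytes([1, 1, 4, 2, 2, 4]) + struct.pack("!H", 1460)   # nop, nop, sackOK, mss 1460
    data_offset_words = (20 + len(options)) // 4                     # 7 words = 28 bytes
    off_flags = (data_offset_words << 12) | FLAG_BITS["SYN"]
    return struct.pack("!HHIIHHHH", 37519, 22, 477982308, 0, off_flags, 24820, 0, 0) + options


def parse_error(seg: bytes):
    """Return the parse error message, or None when the segment decodes cleanly."""
    try:
        parse_tcp_segment(seg)
        return None
    except ValueError as exc:
        return str(exc)
```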
Slide #51
TCP Connections
Establishment
– 3-way handshake
– Connection Trace
Termination
– Normal Termination
– Connection Trace
– Reset
Slide #52
Connection Establishment Protocol
1. Requester (client) sends a SYN segment, specifying the port number of the server to which it wants to connect and the client’s initial sequence number (ISN).
2. Server responds with SYN segment containing server’s ISN. Server acknowledges client’s SYN by ACKing the client’s ISN+1.
3. Client acknowledges server SYN by ACKing server’s ISN+1.
Slide #53
TCP 3-way Handshake
Slide #54
Connection Establishment Test
at204m02> /usr/sbin/snoop sun09
at204m02> nc sun09 22
SSH-1.99-OpenSSH_3.7.1p2
^C
If no services running, start your own:
at204m02> nc -l -p 8192
Slide #55
TCP Connection Trace
at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820
Slide #56
Connection Termination Protocol
As TCP is full duplex, each side must terminate half of the connection as follows:
– Send FIN segment (active close)
– Other side ACKs w/ FIN sequence number +1
Half-closed connections
– Side that sent FIN can still receive data.
– Example: ssh fasthost sort < words.txt
Slide #57
TCP Disconnection
Slide #58
Connection Termination Test
at204m02> /usr/lib/sendmail -bd
at204m02> /usr/sbin/snoop port 25
sun09> nc at204m02 25
220 at204m02.lc3net ESMTP Sendmail 8.11.7+Sun/8.11.7; Mon, 29 Mar 2004 14:09:40 -0500 (EST)
quit
Slide #59
TCP Disconnection Trace
at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820
sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820
sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820
at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820
Slide #60
TCP Reset
Connection Refused
> telnet at204m02 8192
Trying 10.1.0.90...
telnet: Unable to connect to remote host: Connection refused
Packet Trace
sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0
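The handshake, termination and reset traces of slides 55, 59 and 60, checked by an added example that is not part of the deck: it parses snoop's TCP lines, verifies each ACK against the peer's sequence numbers (a SYN and a FIN each consume one), and classifies a trace as ESTABLISHED, HALF_OPEN, REFUSED, SYN_SENT, or NO_SYN when the opening SYN is not in the capture.

```python
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^\s*(\S+) -> (\S+) TCP D=(\d+) S=(\d+)\s*(.*)$")

# The snoop traces from slides 55, 59 and 60, verbatim.
HANDSHAKE_TRACE = [
    "at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820",
]
TERMINATION_TRACE = [
    "at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820",
]
RESET_TRACE = [
    "sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0",
]


def parse_snoop_tcp(line: str) -> Optional[dict]:
    """One snoop TCP summary line -> hosts, ports, flag set, Seq/Ack/Len (None/0 when absent)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, dport, sport, rest = m.groups()
    pkt = {"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
           "flags": set(), "seq": None, "ack": None, "len": 0}
    for tok in rest.split():
        if tok in ("Syn", "Fin", "Rst", "Push", "Urg"):
            pkt["flags"].add(tok.upper())
        elif tok.startswith("Ack="):
            pkt["ack"] = int(tok[4:])
            pkt["flags"].add("ACK")
        elif tok.startswith("Seq="):
            pkt["seq"] = int(tok[4:])
        elif tok.startswith("Len="):
            pkt["len"] = int(tok[4:])
    return pkt


def check_sequence_numbers(lines: List[str]) -> List[str]:
    """Verify every ACK against what its peer sent: SYN and FIN each consume one sequence number."""
    next_expected: Dict[str, int] = {}       # sender host -> sequence number its peer should ACK next
    verdicts = []
    for line in lines:
        p = parse_snoop_tcp(line)
        if p is None:
            verdicts.append("unparsed")
            continue
        problem = None
        want = next_expected.get(p["dst"])
        if "ACK" in p["flags"] and want is not None and p["ack"] != want:
            problem = f"ack {p['ack']} but peer expects {want}"
        if p["seq"] is not None:
            consumed = p["len"] + ("SYN" in p["flags"]) + ("FIN" in p["flags"])
            next_expected[p["src"]] = p["seq"] + consumed
        verdicts.append(problem or "ok")
    return verdicts


def connection_outcome(lines: List[str]) -> str:
    """ESTABLISHED, HALF_OPEN (slide 62), REFUSED (RST answers the SYN), SYN_SENT or NO_SYN."""
    pkts = [p for p in map(parse_snoop_tcp, lines) if p]
    syn = next((p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]), None)
    if syn is None:
        return "NO_SYN"
    client, server = syn["src"], syn["dst"]
    if any("RST" in p["flags"] and p["src"] == server for p in pkts):
        return "REFUSED"
    synack = any(p["src"] == server and {"SYN", "ACK"} <= p["flags"] for p in pkts)
    third = any(p["src"] == client and "ACK" in p["flags"] and "SYN" not in p["flags"] for p in pkts)
    if synack and third:
        return "ESTABLISHED"
    return "HALF_OPEN" if synack else "SYN_SENT"   # HALF_OPEN: server holds state awaiting the final ACK
```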
Slide #61
TCP Reset (cont.)
Connection Abort
– Any queued data is thrown away.
– Other side is informed of abnormal close.
Packet Detail:
– One side sends RST.
– Other side aborts connection.
– There is no ACK sent in response.
Slide #62
Half-Open Connections
Connections where one side has aborted or closed connection w/o knowledge of other.
– Client or server host has crashed.
– DOS attack: requester sends SYN, doesn’t respond to SYN+ACK.
Slide #63
Example List of TCP Ports
TCP: IPv4 (netstat -na output)
Local Addr   Rmt Addr            State
----------   -----------------   -----------
*.111        *.*                 LISTEN
*.32771      *.*                 LISTEN
*.32772      *.*                 LISTEN
*.32773      *.*                 LISTEN
*.32774      *.*                 LISTEN
*.4045       *.*                 LISTEN
*.22         *.*                 LISTEN
*.2049       *.*                 LISTEN
*.515        *.*                 LISTEN
*.80         *.*                 LISTEN
*.6000       *.*                 LISTEN
*.22         10.17.0.23.32827    ESTABLISHED
*.2049       10.17.0.23.799      ESTABLISHED
Slide #64
TCP Servers
Local Address
– *.80 means that it will accept connections on any network interface on TCP port 80.
Foreign Address
– *.* means that the server will accept connections from any source host and port.
Conn = (src IP, src port, dst IP, dst port)
– All connections to same server will have same dst IP and port, but will have different source IPs and ports.
Kernel maintains queue of ~5 incoming connections for each server.
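An added example (not from the deck) that parses the netstat -na listing on slide 63 into the 4-tuples described above, lists the listening ports, compares them against an approved set for the host, and counts SYN_RCVD entries per remote address as the indicator of the half-open connections on slide 62. The SYN_RCVD listing is constructed.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Slide 63's listing, followed by a constructed listing with SYN_RCVD entries, the state a
# server holds for each half-open connection (slide 62).
NETSTAT_OUTPUT = """\
TCP: IPv4
Local Addr   Rmt Addr            State
----------   -----------------   -----------
*.111        *.*                 LISTEN
*.32771      *.*                 LISTEN
*.32772      *.*                 LISTEN
*.32773      *.*                 LISTEN
*.32774      *.*                 LISTEN
*.4045       *.*                 LISTEN
*.22         *.*                 LISTEN
*.2049       *.*                 LISTEN
*.515        *.*                 LISTEN
*.80         *.*                 LISTEN
*.6000       *.*                 LISTEN
*.22         10.17.0.23.32827    ESTABLISHED
*.2049       10.17.0.23.799      ESTABLISHED
"""

SYN_RCVD_SAMPLE = """\
Local Addr     Rmt Addr            State
10.1.0.90.80   203.0.113.7.41000   SYN_RCVD
10.1.0.90.80   203.0.113.7.41001   SYN_RCVD
10.1.0.90.80   198.51.100.4.5123   SYN_RCVD
10.1.0.90.80   10.17.0.23.33010    ESTABLISHED
"""


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'10.17.0.23.32827' -> ('10.17.0.23', 32827); '*.*' -> ('*', None). The port is the last component."""
    host, _, port = addr.rpartition(".")
    return host, None if port == "*" else int(port)


def parse_netstat(text: str) -> List[dict]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isupper():    # skips the title, column header and rule lines
            continue
        (lhost, lport), (rhost, rport) = split_addr(parts[0]), split_addr(parts[1])
        conns.append({"local_ip": lhost, "local_port": lport,
                      "remote_ip": rhost, "remote_port": rport, "state": parts[2]})
    return conns


def listening_ports(conns: List[dict]) -> List[int]:
    return sorted({c["local_port"] for c in conns if c["state"] == "LISTEN"})


def established_tuples(conns: List[dict]) -> List[Tuple]:
    """Each live connection as (src IP, src port, dst IP, dst port) from the server's viewpoint."""
    return [(c["remote_ip"], c["remote_port"], c["local_ip"], c["local_port"])
            for c in conns if c["state"] == "ESTABLISHED"]


def unexpected_listeners(conns: List[dict], allowed: set) -> List[int]:
    """Ports accepting connections that are not on this host's approved service list."""
    return [p for p in listening_ports(conns) if p not in allowed]


def syn_rcvd_by_remote(conns: List[dict]) -> Dict[str, int]:
    """Half-open connections per remote address; a pile-up from one source is the slide 62 symptom."""
    return dict(Counter(c["remote_ip"] for c in conns if c["state"] == "SYN_RCVD"))
```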
Slide #65
Key Points
1. TCP/IP Layers: encapsulation/de-multiplexing
  1. Physical/Data Link: ethernet, PPP
  2. Network: IP, ICMP
  3. Transport: UDP, TCP
  4. Application: ftp, http, smtp, telnet, etc.
2. IP
  1. Addressing: DNS/IP/MAC, netmasks, CIDR, NAT.
  2. Routing: tables, hubs/switches/routers.
3. TCP
  1. Connection and Termination: 3-way handshake
  2. Addressing: source and destination ports.
Slide #66
References
1. K. Egevang and P. Francis, “The IP Network Address Translator (NAT),” RFC 1631, http://www.ietf.org/rfc/rfc1631.txt, 1994.
2. J.B. Postel, “Internet Protocol,” RFC 791, http://www.ietf.org/rfc/rfc0791.txt, 1981.
3. J.B. Postel, “Internet Control Message Protocol,” RFC 792, http://www.ietf.org/rfc/rfc0792.txt, 1981.
4. J.B. Postel, “Transmission Control Protocol,” RFC 793, http://www.ietf.org/rfc/rfc0793.txt, 1981.
5. Ed Skoudis, Counter Hack, Prentice Hall, 2002.
6. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.
7. Richard Stevens, UNIX Network Programming, Vol. 1, Prentice-Hall, 1998.
8. Andrew Tanenbaum, Computer Networks, 4th edition, Prentice-Hall, 2002.