Lecture 21: Network Primer - PowerPoint PPT Presentation

Provided by: ron66
Learn more at: http://www.cse.sc.edu

1
Lecture 21: Network Primer
  • 7/9/2003
  • CSCE 590
  • Summer 2003

2
IP Header
3
IP Header Fields: TTL
  • TTL: Time To Live, 8 bits, maximum number of hops
    a packet can take.
  • Each router along the way decrements it
  • If it reaches zero, that router returns an ICMP
    time-exceeded packet to the source
  • This keeps lost and looping packets from
    wandering the Internet forever
  • Can be used for evasion and reconnaissance
  • Insert a packet with a TTL that expires into a
    stream to break up the signature an IDS may see,
    but it times out before it ever gets to the host

4
TTL Example
  • 10/01-12:45:07.501646
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:111 TOS:0x0 ID:51149 IpLen:20 DgmLen:48
    DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:07.501804
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:109 TOS:0x0 ID:51149 IpLen:20 DgmLen:48
    DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:07.502067
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:107 TOS:0x0 ID:51149 IpLen:20 DgmLen:48
    DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:07.502089

5
TTL Example
  • 10/01-12:45:07.502751
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:3 TOS:0x0 ID:51149 IpLen:20 DgmLen:48 DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:07.502757
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:1 TOS:0x0 ID:51149 IpLen:20 DgmLen:48 DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:10.467907
  • 210.181.246.2011310 -> 129.252.243.17380
  • TCP TTL:111 TOS:0x0 ID:51332 IpLen:20 DgmLen:48
    DF
  • S Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000
  • TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP
    SackOK

  • 10/01-12:45:10.467940
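
The capture above shows one datagram (same IP ID and sequence number) logged several times with a falling TTL. The following is an added example, not part of the original slides: it groups Snort-style records by datagram and reports those seen with more than one TTL. The records, the 192.0.2.x and 198.51.100.x addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

IP = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
HDR = re.compile(IP + " -> " + IP)
FIELDS = re.compile(r"TTL:(\d+) .*?ID:(\d+)")
SEQ = re.compile(r"Seq: (0x[0-9A-Fa-f]+)")

def _rec(ts, ttl, ip_id):
    """Build one constructed record in the three-line layout of the slide."""
    return (f"10/01-12:45:{ts} 192.0.2.10:1310 -> 198.51.100.7:80\n"
            f"TCP TTL:{ttl} TOS:0x0 ID:{ip_id} IpLen:20 DgmLen:48 DF\n"
            "******S* Seq: 0xDAE61E12 Ack: 0x0 Win: 0x4000 TcpLen: 28\n")

# Constructed sample: three copies of one datagram, then a retransmitted SYN.
SAMPLE = "\n".join([_rec("07.501646", 111, 51149), _rec("07.501804", 109, 51149),
                    _rec("07.502067", 107, 51149), _rec("10.467907", 111, 51332)])

def parse_records(text):
    """Yield (src, dst, ip_id, seq, ttl) for each blank-line-separated record."""
    for block in text.strip().split("\n\n"):
        hdr, fields, seq = HDR.search(block), FIELDS.search(block), SEQ.search(block)
        if not (hdr and fields and seq):
            continue  # truncated or non-TCP record: skip rather than guess
        yield (hdr.group(1), hdr.group(3), int(fields.group(2)),
               seq.group(1), int(fields.group(1)))

def ttl_anomalies(text, min_spread=2):
    """Return datagrams logged with several TTLs, mapped to the TTLs seen."""
    seen = defaultdict(set)
    for src, dst, ip_id, seq, ttl in parse_records(text):
        seen[(src, dst, ip_id, seq)].add(ttl)
    return {key: sorted(ttls, reverse=True) for key, ttls in seen.items()
            if max(ttls) - min(ttls) >= min_spread}

if __name__ == "__main__":
    for key, ttls in ttl_anomalies(SAMPLE).items():
        print(key, "TTLs seen:", ttls)
```

The retransmitted SYN (new IP ID, single TTL) is not reported; only the datagram observed at several TTLs is.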

6
IP Header Fields
  • IP Protocol: 8 bits, what type of header follows
    the IP header (which IP protocol is being used)
  • ICMP: 1
  • TCP: 6
  • UDP: 17
  • And others
  • Header Checksum: 16 bits, checksum of the IP
    header

7
IP Header Fields: Addresses
  • Source IP address: 32 bits, IP address of the
    sending system; can be spoofed (faked)
  • Destination IP address: 32 bits, IP address of
    the destination machine
  • Addresses typically represented in dotted decimal
    notation
  • A decimal number between 0-255 for each byte of
    the 4 byte address
  • 0 and 255 are broadcast addresses (0 is legacy)
  • Ex: 129.252.49.4

8
IP Addressing
  • Classes of addresses
  • Splits an address into a network ID and a host ID
  • Class A (24 bits for the host ID): >16 million
    hosts, 0.0.0.0 -> 127.255.255.255
  • Class B (16 bits for the host ID): 65535 hosts,
    128.0.0.0 -> 191.255.255.255
  • Class C (8 bits for the host ID): 255 hosts,
    192.0.0.0 -> 223.255.255.255
  • USC has a Class B network
  • Network ID: 129.252.0.0
  • Host IDs range from 129.252.0.0 -> 129.252.255.255

9
Network Masks
  • We don't want to just enumerate all of the 65535
    hosts of 129.252.0.0
  • Use netmasks (subnet masks) to carve it up into
    smaller networks
  • Netmasks tell hosts how much of the address to
    mask off as the Network ID
  • Ex. 255.255.255.0: first 24 bits are 1s. Given
    129.252.49.0, it masks off 129.252.49 and leaves
    the last byte for host IDs between 0-255 (really
    1-254)

10
Variable Length Network Masks
  • Common masks are 16 (255.255.0.0) and 24
    (255.255.255.0) bits
  • Variable length masks, like 25 bits
    (255.255.255.128), split a Class C in half.
  • For a network ID of 129.252.49.0/25, addresses
    range from 129.252.49.0-129.252.49.127. Broadcast
    addresses: 129.252.49.0 and 129.252.49.127
  • The other half is represented as 129.252.49.128/25
    and addresses range from
    129.252.49.128-129.252.49.255. Broadcast addresses:
    129.252.49.128 and 129.252.49.255
  • The more you split it, the more addresses you
    lose to broadcast and network addresses.

11
Directed Broadcasts
  • Ping either the network (.0) or broadcast address
    (.255) and a router amplifies (broadcasts) the
    ping out to every machine on that network
  • Pinging 129.252.49.255 will send a ping to all
    the hosts in 129.252.49.0-129.252.49.255
  • This capability should be turned off on routers
  • Smurf (ICMP)
  • Spoof your source address to be your victim's
    address, send an ICMP echo request to a bunch of
    broadcast addresses, and the victim is flooded
    with the echo replies
  • Fraggle (UDP)
  • Same idea, but with UDP port 7 (echo port)
  • http://www.netscan.org/
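
The masking described under Network Masks and the network/broadcast addresses discussed here can be combined into a log check. This is an added example, not part of the original slides: it derives each subnet's mask, network and broadcast address by bit masking, then flags destinations that hit one of those addresses, which is what a directed-broadcast ping looks like in firewall or flow logs. Function names and the destination list are illustrative.

```python
import ipaddress

def subnet_bounds(cidr):
    """Return (netmask, network, broadcast) for e.g. '129.252.49.0/25'."""
    addr_s, bits_s = cidr.split("/")
    bits = int(bits_s)
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0-32")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF   # 'bits' leading 1s
    addr = int(ipaddress.IPv4Address(addr_s))
    network = addr & mask                              # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)         # host bits all 1
    return tuple(str(ipaddress.IPv4Address(n)) for n in (mask, network, broadcast))

def directed_broadcast_hits(dests, subnets):
    """Return (destination, subnet) pairs where the destination is a
    network or broadcast address of one of our subnets."""
    edges = {}
    for cidr in subnets:
        _, network, broadcast = subnet_bounds(cidr)
        edges[network] = cidr
        edges[broadcast] = cidr
    return [(d, edges[d]) for d in dests if d in edges]

if __name__ == "__main__":
    halves = ["129.252.49.0/25", "129.252.49.128/25"]
    for cidr in halves:
        print(cidr, subnet_bounds(cidr))
    # Constructed list of ICMP echo-request destinations taken from a log.
    seen = ["129.252.49.4", "129.252.49.127", "129.252.49.255"]
    print(directed_broadcast_hits(seen, halves))
```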

12
IP Header Fields: Options
  • Rarely used
  • Security - IPSec
  • Stream identification
  • Internet Timestamp (records timestamp at each
    hop)
  • Record Route
  • Loose Source Routing
  • Strict Source Routing

13
IP Route Options
  • Codes
  • 0x07 Record Route Option
  • 0x83 Loose Source Routing
  • 0x89 Strict Source Routing
  • Length: determines the number of IP addresses in
    the list
  • Pointer (ptr): pointer to the current IP address
    in the option list

14
Record Route Option
  • Like a one packet traceroute except it really
    does say the route it took
  • Records addresses of all routers packet travels
    through
  • Source must set the option, and destination must
    process the list to extract the data
  • Source makes an empty list of IP addresses, so it
    must allocate enough space for the entire path
  • Could be used for reconnaissance

15
Loose Source Routing
  • Gives a list of required nodes a packet must
    travel through in its route
  • It is loose because it can go through other nodes
    than the ones in the list
  • Example: Loose Source Route through 4.

16
Strict Source Routing
  • Specifies the exact path a packet must go for up
    to the first 9 hops
  • It is strict because it must go through this path
    or not at all.
  • Ex: Strict Source Route through 1,4,3

[Figure: diagram with nodes A, B, 1, 2, 3, 4]
17
Source Routing Bad?
  • Could redirect packets to an eavesdropper's
    machine
  • Could be used to bypass ACL (Access Control
    Lists), firewalls, or IDSs
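
Because source-routed packets can slip past ACLs, firewalls and IDSs, a sensor or filter needs to recognise the route options by the codes, length and pointer fields listed earlier. This is an added example, not part of the original slides: it walks the options area of a raw IPv4 header and reports route options. Function names and the sample header (documentation addresses) are constructed.

```python
import ipaddress
import struct

# Option codes from the "IP Route Options" slide.
ROUTE_OPTS = {0x07: "Record Route", 0x83: "Loose Source Routing",
              0x89: "Strict Source Routing"}

def route_options(ip_header: bytes):
    """Return [(name, pointer, [addresses])] for route options in a raw IPv4 header."""
    ihl = (ip_header[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(ip_header):
        raise ValueError("bad IHL")
    opts, i, found = ip_header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # No-Operation, a single pad byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]                 # counts type, length and data bytes
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in ROUTE_OPTS:
            if length < 3 or (length - 3) % 4:
                raise ValueError("bad route option length")
            body = opts[i + 3:i + length]    # 4 bytes per listed address
            addrs = [str(ipaddress.IPv4Address(body[j:j + 4]))
                     for j in range(0, len(body), 4)]
            found.append((ROUTE_OPTS[kind], opts[i + 2], addrs))
        i += length
    return found

def is_source_routed(ip_header: bytes) -> bool:
    """True when the header carries a loose or strict source route."""
    return any(name.endswith("Source Routing")
               for name, _, _ in route_options(ip_header))

def sample_header(opt_type: int) -> bytes:
    """Constructed header: 20 fixed bytes, one two-address route option, one pad byte."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x48, 0, 32, 0, 0, 64, 6, 0,
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    option = bytes([opt_type, 11, 4, 192, 0, 2, 1, 198, 51, 100, 1])
    return fixed + option + b"\x00"
```

Malformed lengths raise ValueError rather than being skipped, so a caller can treat an unparseable options area as suspicious in its own right.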

18
Internet Control Message Protocol
  • ICMP used to relay problems and for testing
  • No port number like TCP or UDP
  • Message Types and Codes instead
  • No concept of client or server (no ICMP services
    listening on a machine)
  • Like UDP, delivery isn't guaranteed
  • Most ICMP messages do not expect a response
  • Broadcast ICMP traffic possible

19
ICMP Queries
  • Ping
  • Echo Request (8,0) (type,code)
  • Echo Reply (0,0)
  • Timestamp
  • Timestamp request (13,0)
  • Timestamp reply (14,0)
  • Information: obsoleted by bootp, RARP, DHCP
  • Information Request (15,0)
  • Information Reply (16,0)
  • Address Mask
  • Address Mask Request (17,0)
  • Address Mask Reply (18,0)

20
ICMP Error Messages
  • Destination Unreachables (Type 3)
  • Network Unreachable (Code 0) - routers return
    this when a machine tries to access a network
    that isn't available
  • Host Unreachable (Code 1) - routers return this
    when a machine tries to access a host that isn't
    available
  • Protocol Unreachable (Code 2) - host can return
    this when a remote machine tries to access a
    protocol that isn't active
  • Port Unreachable (Code 3) - host can return this
    when a remote machine tries to access a port that
    isn't active
  • Fragmentation Required, DF flag set (Code 4) -
    router sends this when fragmentation is needed
    and DF bit is set

21
ICMP Error Messages
  • More Destination Unreachables (Type 3)
  • Source Route Failed (Code 5) - router sends this
    when a packet can't be forwarded to the next hop
    specified in its Source Route option
  • Destination Network Unknown (Code 6) - Should
    use Network Unreachable instead
  • Destination Host Unknown (Code 7) - if router can
    verify destination host does not exist, else use
    Host Unreachable
  • Source Host Isolated (Code 8) - Use Network
    Unreachable or Host Unreachable instead

22
ICMP Error Messages
  • More Destination Unreachables (Type 3)
  • Network Administratively Prohibited (Code 9) -
    routers, firewalls may send if packets aren't
    allowed to that network
  • Host Administratively Prohibited (Code 10) -
    routers, firewalls may send if packets aren't
    allowed to that host
  • Network Unreachable for TOS (Code 11) - if route
    to a destination network is not available for the
    Type of Service specified in packet
  • Host Unreachable for TOS (Code 12) - if route to
    the destination host is not available for the
    Type of Service specified in the packet
  • Communication Administratively Prohibited (Code
    13) - routers, firewalls may (optional) send if
    packets aren't allowed by filtering policy

23
ICMP Error Messages
  • Source Quench (4,0) - if a router or host does
    not have enough resources to handle packets, it
    sends this to get the sender to back off a bit
  • Time Exceeded (Type 11)
  • Time to Live Exceeded in Transit (Code 0) - the
    TTL field has reached zero
  • Fragment Reassembly Time Exceeded (Code 1) -
    took too long getting all fragments
  • Parameter Problem (Type 12) - problem with the
    parameters of a packet header
  • Pointer Indicates the Error (Code 0) - pointer to
    problem byte
  • Missing a Required Option (Type 1)
  • Bad Length (Type 2)

24
ICMP Error Messages
  • Redirect (type 5)
  • Redirect Datagram for the Network (Code 0)
  • Redirect Datagram for the Host (Code 1)
  • Redirect Datagram for the TOS Network (Code 2)
  • Redirect Datagram for the TOS Host (Code 3)
  • When a router receives a packet from a host and
    identifies from its routing tables that the next
    hop to the packet's destination is on the same
    network that the packet just came from, a
    redirect message is sent to the source host
  • Router forwards packet to the correct next hop
  • When source gets the redirect, it modifies its
    route table accordingly

25
ICMP Routing
  • Router Advertisement (9,0) - routers can
    advertise their interfaces for hosts updating
    their route tables dynamically
  • Router Solicitation (10,0) - hosts broadcasting,
    looking for routers on their subnet

26
ICMP Header
27
References
  • Chapter 6