TCP and ICMP - PowerPoint PPT Presentation

About This Presentation
Title:

TCP and ICMP

Description:

Repacketization - TCP sends a bigger segment ( less than MSS ) ... Mitnik breaks in from toad.com. Issues finger command for user/host information ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 25
Provided by: jeehy
Category:
Tags: icmp | tcp | toad

less

Transcript and Presenter's Notes

Title: TCP and ICMP


1
TCP and ICMP
  • TCP and ICMP source quench Will modify window
    size
  • TCP and host/network unreachable is ingored

2
Repacketization
  • Repacketization - TCP sends a bigger segment (
    less than MSS )
  • Occurs when TCP timers out and retransmits

3
Applicatios over UDP
  • DNS
  • NFS ( TCP Implementations also )
  • NIS ( Yellow Pages )
  • TFTP
  • BOOTP
  • NTP ( TCP Implementations also )
  • NNTP

4
UDP
  • User Datagram Protocol
  • UDP sends messages as datagrams
  • UDP is a connectionless, unreliable protocol

5
UDP/IP
  • IP carries out fragmentation
  • IP performs datagram re-assembly at destination
  • If the IP DF flag is set and ICMP error occurs
    the datagram is discarded
  • Each fragmented IP datagram becomes its own IP
    packet
  • Fragmentation causes performance loss

6
UDP and ARP
  • Example of UDP/IP vulnerability
  • ARP is the address resolution protocol
  • ARP flooding can occur because of the way
    ARPresponds to requests and its interaction
    between IP fragments
  • NFS times out if it sends UDP datagrams greater
    that a certain size

7
UDP Datagram
  • The maximum size of a datagram is 65535 bytes
  • The datagram size may be limited by the
    application program
  • The datagram size may be limited by the IP
    implementation
  • Depending on the implementation, the datagram
    size may be limited by receivers application
    program

8
UDP and ICMP
  • Example of unreliable delivery
  • UDP cna generate ICMP Source Quench Error
  • Datagrams can be queued for output
  • Senders application may never receive ICMP error

9
Mitnik-Shimomura Case Study
  • Multi-phased tracking of attacker via Shimomura
  • Sequence of Events
  • Initial Break-in and Detection
  • Data Analysis of Attack
  • Cooperating with other sites with similar
    problems
  • Cooperating with ISP that Mitnik used
  • Coordinating with Sprint to locate Mitnik via
    cellular phone use
  • Eventual Warrant and Arrest

10
Initial Network Attack by Mitnik
  • Mitnik used weaknesses in the TCP/IP
    implementation
  • IP Spoofing
  • TCP Sequence Prediction
  • Steps taken by the attacker
  • Information gathering phase
  • Examining trust relationships
  • Gagging trusted host
  • Spoofing trusted host
  • Sequence Prediction
  • Data Exchange
  • Host Level Attacks

11
Information Gathering
  • Mitnik breaks in from toad.com
  • Issues finger command for user/host information
  • Other UNIX commands - showmount, rpcinfo used to
    determine trust relationships
  • Note Mitnik does not use a scanner
  • Deduces relationships
  • Determines that Shimomuras workstation trusts
    another host

12
Actual Break-In
  • Mitnik decides to wait for Christmas Day
  • Mitnik gags the host Shimomuras machine trusts
  • Mitnik sends spoofed IP packets
  • Begins TCP sequence number attack from luc.edu
  • Establishes connection from luc.edu
  • Exchanges Data to open Shimomuras host
  • Mitnik closes connection

13
Shimomuras Lack of Prevention
  • Enabled finger protocol
  • Enabled BSD-r protocol
  • Allowed IP source routing
  • Allowed weak host level trust relationships

14
Shimomuras Analysis
  • Shimomura receives a report of intrusion
  • Notices inconsistencies in logs
  • Checks the host for last accessed files,
    libraries and suid programs
  • Uses tcpdump for traffic analysis
  • Detects IP Spoofing
  • Detects that the attacker is searching for trust
    relationship
  • Detects Sequence Guessing attack

15
Shimomuras Analysis (2)
  • Detects data exchange from foreign host
  • Detects closed connection
  • Examines host files on the system
  • The attacker leaves a calling card
  • Shimomura informs CERT

16
Shimomuras Best Defenses
  • Secondary logging to a secure external host
  • Using tcpdump
  • Excellent investigative skills
  • Coordinating with other sites

17
Minimal Prevention of Attacks
  • Authentication and Encryption should be used
  • TCP/IP implementation should be addressed
  • Current Methods
  • Firewalls/Packet Filtering
  • External Logging
  • Disable non-essential or buggy services
  • Install host checks

18
Panix Case Study
  • In late 1996 Panix.com suffered a loss of service
    for two days
  • Other ISP and sites around the Internet suffered
    slowdowns and similar problems
  • One of the first cases of SYN flood attacks
  • ISPs were the most vulnerable
  • No way to discover origin of attack because of
    source IP spoofing

19
Panix Administrators
  • What did they notice?
  • Servers were unresponsive and approximately 6000
    ISP customers had sporadic or non-existent
    connectivity
  • Check servers state
  • Resource Usage Up
  • netstat showed connections in SYN_RCVD state
  • netstat -a -f inet
  • netstat -s grep listen_queue overflows
  • Received help from Cheswick
  • What did they do?
  • Reduce IP Spoofing
  • Increase listen queue and reduce time to wait for
    SYN

20
Why SYN Flood attack works
  • Victim cant respond with SYN-ACK
  • Victim demuxes the packet and stores information
    in memory via socket, inpcb, tcpcb
  • Increasing backlog queue helps minimally since it
    holds incoming and pending connection requests
  • Client remains in SYN_RCVD state until connection
    timer expires and memory allocated to buffers is
    destroyed

21
TCP Queues
  • An incoming segment has a slave socket created
  • Secondary socket, tcpcb, pcb created
  • If backlog queue limit is reached here, then the
    resource allocation takes effect
  • If backlog is not full, socket is in LISTEN state
  • The victim host will be waiting in SYN_RCVD state
    until timer is off

22
Struct/var allowing for attack
  • Struct sockaddr_in sin
  • sin.sin_familyAF_INET
  • sin.sin_portsport
  • sin.sin_saddr.s_addrdadd
  • Creation of a flood loop that works within a good
    window of time, where too many SYNs are not sent
    to quickly. Recall that most implementations use
    5 as the per connection limit

23
Methods for Preventing SYN-Floods
  • These methods at best only REDUCE vulnerability.
    They do not eliminate it
  • Reduce IP Spoofing
  • Install Vendor Patches
  • Install Firewalls/Packet Filters
  • Filter incoming and outgoing IP addresses
  • Stop inbound SYN packets at border and store and
    forward them via a bounded linked list
  • Use Access List at border

24
Methods for Preventing SYN Floods (2)
  • If no border exists
  • Install vendor patches
  • Increase connection queue
  • Decrease the time out state for 3-way handshakes
    (t lt 75 seconds)
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "TCP and ICMP" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!