ECSAv4 Module 03: TCP/IP Packet Analysis
Advanced Penetration Testing and Security Analysis
Module 03: TCP/IP Packet Analysis
Copyright © 2004 EC-Council. All rights reserved worldwide. Reproduction is strictly prohibited.
Module Objective
This module will familiarize you with:
• TCP/IP Model
• Comparing OSI and TCP/IP
• Addressing
• Subnetting
• IPv4 and IPv6
• Windowing
• TCP/IP Protocols
• TCP and UDP Port Numbers
• TCP Operation
• Sequencing Numbers
• UDP Operation
• ICMP and ICMP Control Messages
As a Security Analyst, you must have complete mastery over the TCP/IP protocol suite.
This module covers the technical aspects of the TCP/IP protocol suite.
TCP/IP Model
The TCP/IP model has four layers:
Application layer
Transport layer
Internet layer
Network Access layer
Application Layer
The application layer of the TCP/IP model handles high-level protocols and issues of representation, encoding, and dialog control.
Application layer protocols by function:
• File Transfer: TFTP, FTP, NFS
• Email: SMTP
• Remote Login: Telnet, rlogin
• Network Management: SNMP
• Name Management: DNS
Transport Layer
The transport layer provides transport services from the source host to the destination host.
The transport layer constitutes a logical connection between the endpoints of the network, the sending host and the receiving host.
End-to-end control is the primary duty of the transport layer when using TCP.
Transport layer protocols:
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
Internet Layer
The purpose of the Internet layer is to select the best path through the network for packets to travel.
Internet layer protocols:
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)
Network Access Layer
The network access layer is also called the host-to-network layer.
It includes the LAN and WAN technology details.
Network access layer technologies: Ethernet, Fast Ethernet, SLIP & PPP, FDDI, ATM, Frame Relay & SMDS.
Network address mapping: ARP, Proxy ARP, RARP.
Comparing OSI and TCP/IP
OSI MODEL           TCP/IP MODEL
APPLICATION LAYER   APPLICATION LAYER
PRESENTATION LAYER  APPLICATION LAYER
SESSION LAYER       APPLICATION LAYER
TRANSPORT LAYER     TRANSPORT LAYER
NETWORK LAYER       INTERNET LAYER
DATA LINK LAYER     NETWORK ACCESS LAYER
PHYSICAL LAYER      NETWORK ACCESS LAYER
Comparing OSI and TCP/IP (cont’d)
• Both have application layers, though they include very different services.
• TCP/IP combines the presentation and session layers into its application layer.
• TCP/IP combines the data link and physical layers into the network access layer.
• Both have comparable transport and network layers.
• TCP/IP appears simpler because it has fewer layers.
• Packet-switched, not circuit-switched, technology is assumed.
• The TCP/IP transport layer using UDP does not always guarantee reliable delivery of packets as the transport layer in the OSI model does.
TCP
Transmission Control Protocol (TCP) is a connection-oriented, four-layer protocol.
It is responsible for breaking messages into segments, reassembling them at the destination station, and resending segments that are not acknowledged.
The protocols that use TCP include:
• FTP (File Transfer Protocol)
• HTTP (Hypertext Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• Telnet
TCP Header
IP Header
IP Header: Protocol Field
The IP packet has a protocol field that specifies whether the segment is TCP (connection-oriented) or UDP (connectionless).
UDP
User Datagram Protocol (UDP) is the connectionless transport protocol.
It is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery.
It uses no windowing or acknowledgments, so reliability, if needed, is provided by application layer protocols.
The protocols that use UDP include:
• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Control Protocol)
• DNS (Domain Name System)
TCP and UDP Port Numbers
Both TCP and UDP use port (socket) numbers to pass information to the upper layers.
Port numbers are used to keep track of different conversations crossing the network at the same time.
Port numbers have the following assigned ranges:
• Numbers below 1024 are considered well-known port numbers.
• Numbers above 1024 are dynamically assigned port numbers.
• Registered port numbers are those registered for vendor-specific applications; most of these are above 1024.
Port Numbers
Conversations that do not involve an application with a well-known port number are, instead, assigned port numbers that are randomly selected from within a specific range.
These port numbers are used as source and destination addresses in the TCP segment.
Some ports are reserved in both TCP and UDP, although applications might not be written to support them.
Port numbers have the following assigned ranges:
• Numbers below 255 are reserved for public applications.
• Numbers from 255-1023 are assigned to companies for marketable applications.
• Numbers above 1023 are unregulated.
Port Numbers
TCP Header (bits 0-15 | bits 16-31):
16-bit Source Port Number | 16-bit Destination Port Number
32-bit Sequence Number
32-bit Acknowledgement Number
4-bit Header Length | 6-bit (Reserved) | URG ACK PSH RST SYN FIN | 16-bit Window Size
16-bit TCP Checksum | 16-bit Urgent Pointer
Options (if any)
Data (if any)
• Originating source port numbers, usually a value larger than 1023, are dynamically assigned by the source host.
• End systems use port numbers to select the proper application.
IANA
The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
The registered ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
The IANA registers uses of these ports as a convenience to the community.
The range for assigned ports managed by the IANA is 0-1023.
Source and Destination Port Numbers
Notice the difference in how source and destination port numbers are used with clients and servers:
Client:
Destination Port = 23 (telnet)
Source Port = 1028 (dynamically assigned)
Server:
Destination Port = 1028 (source port of client)
Source Port = 23 (telnet)
What Makes Each Connection Unique?
A connection is defined by the pair of numbers:
• Source IP address, source port
• Destination IP address, destination port
Different connections can use the same destination port on the server host as long as the source ports or source IPs are different.
(Figure: netstat command output with the columns Source IP, TCP or UDP, Source Port, Destination IP, Destination Port, and Connection State, showing connections to www.google.com and www.cisco.com.)
Note: In actuality, when you open up a single web page, there are usually several TCP sessions created, not just one.
An example of multiple TCP connections for a single HTTP session is as follows: (figure: several segments, each carrying an application header + data)
Port numbers are used to know which application the receiving host should pass the “Data” to.
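The IP protocol field, the TCP and UDP port fields and the port ranges above decide which transport parser a packet goes to and which application the data is handed to. The following Python parser is an added example, not code from the module or from EC-Council: it builds two constructed sample packets (a TCP SYN carrying the port and sequence values from the trace later in this module, and a UDP datagram), verifies the IPv4 header checksum, dispatches on the protocol field (6 = TCP, 17 = UDP), decodes the transport header fields shown in the header layout above, and classifies the ports. The classification uses the IANA boundaries 0-1023 well-known, 1024-49151 registered and 49152-65535 dynamic, which go beyond the "below 1024 / above 1024" split the slide states; all function names are this example's own.

```python
import struct

# IANA port boundaries (an assumption of this example; the slide only says below/above 1024)
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151

# Low six bits of the TCP data-offset/flags word, least significant bit first
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def port_class(port):
    """Classify a port number by IANA range."""
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def ones_complement_sum(data):
    """RFC 791 checksum: one's-complement sum of 16-bit words, carries folded, result inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Decode the IPv4 fields this module discusses and verify the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    computed = ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "protocol": packet[9],
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "checksum_ok": stored == computed,
        "payload": packet[ihl:total_length],
    }


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header: ports, seq/ack, flags, window."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"transport": "TCP", "src_port": sport, "dst_port": dport,
            "src_class": port_class(sport), "dst_class": port_class(dport),
            "seq": seq, "ack": ack, "flags": flags, "window": window,
            "data": segment[data_offset:]}


def parse_udp(datagram):
    """Decode the 8-byte UDP header; the length field bounds the data."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return {"transport": "UDP", "src_port": sport, "dst_port": dport,
            "src_class": port_class(sport), "dst_class": port_class(dport),
            "data": datagram[8:length]}


def decode(packet):
    """Dispatch on the IP protocol field: 6 = TCP, 17 = UDP, anything else is left undecoded."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == 6:
        ip["segment"] = parse_tcp(ip["payload"])
    elif ip["protocol"] == 17:
        ip["segment"] = parse_udp(ip["payload"])
    else:
        ip["segment"] = None
    return ip


def build_ipv4(protocol, src, dst, payload):
    """Constructed helper: minimal 20-byte IPv4 header (TTL 64) with a valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0, src_b, dst_b)
    checksum = ones_complement_sum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def sample_packets():
    """Two constructed packets: the SYN from the module's trace and a UDP query to port 53."""
    syn = struct.pack("!HHIIHHHH", 1026, 524, 12952, 0, (5 << 12) | 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 49200, 53, 8 + 5, 0) + b"query"
    return {
        "tcp": build_ipv4(6, "130.57.20.10", "130.57.20.1", syn),
        "udp": build_ipv4(17, "130.57.20.10", "130.57.20.1", udp),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, decode(pkt))
```

The TCP and UDP checksums in the constructed packets are left at zero because computing them needs the IP pseudo-header; the IPv4 header checksum is the one verified here, and flipping any header byte makes `checksum_ok` false.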
TCP Operation
IP is a best-effort delivery.
The transport layer (TCP) is responsible for reliability and flow control from source to destination.
This is accomplished using:
• Sliding windows (flow control).
• Sequencing numbers and acknowledgments (reliability).
• Synchronization (establish a virtual circuit).
Three-Way Handshake
TCP requires connection establishment before data transfer begins.
For a connection to be established or initialized, the two hosts must synchronize.
The synchronization requires each side to send its own initial sequence number and to receive a confirmation of the exchange in an acknowledgment (ACK) from the other side.
This exchange is called a three-way handshake.
(Figure: a UDP datagram, IP protocol field = 17, and a TCP segment, IP protocol field = 6, each carrying an application header + data.)
Flow Control
Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.
TCP provides the mechanism for flow control by allowing the sending and receiving hosts to communicate.
The two hosts then establish a data-transfer rate that is agreeable to both.
Windowing
Windowing is a flow-control mechanism.
Windowing requires that the source device receive an acknowledgment from the destination after transmitting a certain amount of data.
Windowing and Window Sizes
This is an example of simple windowing.
The window size refers to the number of bytes that are transmitted before receiving an acknowledgment.
After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more data can be sent.
The window size determines how much data the receiving station can accept at one time.
Simple Windowing
TCP is responsible for breaking data into segments.
With a window size of 1, each segment carries only one byte of data and must be acknowledged before another segment is transmitted.
The purpose of windowing is to improve flow control and reliability.
With a window size of 1, there is very inefficient use of bandwidth.
(Figure: the TCP header layout, with the 16-bit Window Size field highlighted.)
Simple Windowing (cont’d)
TCP window size:
TCP uses a window size, in bytes, that the receiver is willing to accept; it is usually controlled by the receiving process.
TCP uses expectational acknowledgments, which means that the acknowledgment number refers to the next byte that the sender of the acknowledgement expects to receive.
A larger window size allows more data to be transmitted pending acknowledgment.
Note: The sequence number being sent identifies the first byte of data in that segment.
Simple Windowing (cont’d)
TCP full-duplex service: independent data flows
TCP provides full-duplex service, which means data can be flowing in each direction, independent of the other direction.
Window sizes, sequence numbers, and acknowledgment numbers are independent of each other’s data flow.
The receiver sends an acceptable window size to the sender during each segment transmission (flow control):
• If too much data is sent, the acceptable window size is reduced.
• If more data can be handled, the acceptable window size is increased.
This is known as a Stop-and-Wait windowing protocol.
Acknowledgement
Positive acknowledgment with retransmission is one technique that guarantees reliable delivery of data.
It requires a recipient to communicate with the source and send back an acknowledgment message when the data is received.
Segments that are not acknowledged within a given time period will result in a retransmission.
Sliding Windows
Sliding window algorithms are a method of flow control for network data transfers using the receiver’s window size.
The sender computes its usable window, or up to how much data it can immediately send.
Over time, this sliding window moves to the right, as the receiver acknowledges data.
The receiver sends acknowledgements as its TCP receiving buffer empties.
(Figure: the sender’s window, labelled Initial Window size and Working Window size, divided into Octets sent / Not ACKed and Usable Window / Can send ASAP.)
Sliding Windows (cont’d)
The terms used to describe the movement of the left and right edges of this sliding window are:
• The left edge closes (moves to the right) when data is sent and acknowledged.
• The right edge opens (moves to the right), allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
• The middle edge opens (moves to the right) as data is sent, but not yet acknowledged.
(Figure: Host A - Sender and Host B - Receiver, octets 1 through 13. Host A’s window of size 6 is divided into Octets sent / Not ACKed and Usable Window / Can send ASAP. Host A sends octets 1, 2, and 3; Host B shows Octets received and replies ACK 4.)
Host B gives Host A a window size of 6 (octets or bytes).
Host A begins by sending octets to Host B: octets 1, 2, and 3, and slides its window over, showing it has sent those 3 octets.
Host A will not increase its usable window size by 3 until it receives an acknowledgment from Host B that it has received some or all of the octets.
Host B, not waiting for all of the 6 octets to arrive, after receiving the third octet sends an expectational acknowledgement of “4” to Host A.
Note: The left edge closes (moves to the right) when data is sent and acknowledged.
(Figure: the same exchange continued. Host A sends octets 4 and 5 while ACK 4 is in flight, receives ACK 4 and slides its window; Host B later replies ACK 6.)
Host A does not have to wait for an acknowledgement from Host B to keep sending data until the amount of unacknowledged data reaches the window size of 6, so it sends octets 4 and 5.
Host A receives the acknowledgement of ACK 4 and can now slide its window over to equal 6 octets: 3 octets sent – not ACKed, plus 3 octets which can be sent ASAP.
Note: The right edge opens (moves to the right), allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
(Figure: the exchange continued through octets 6 to 9 and ACK 6, as Host A’s window keeps sliding to the right.)
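The walk-through above (window size 6, octets 1 to 3 sent, ACK 4, octets 4 and 5 sent, ACK 6) can be replayed in code. The following Python simulation is an added example, not from the module: it models Host A’s left, middle and right edges and its usable window, models Host B’s expectational acknowledgments, and goes one step beyond the figure by showing what Host B acknowledges when octets 4 and 5 arrive out of order and what it does with an octet outside its advertised window. Octet numbering, window size and the send/ACK order are those of the figure; the class and method names are this example’s own.

```python
class SlidingWindowSender:
    """Sender side (Host A). Edges as the module names them:
    left     = first octet sent but not yet acknowledged (left edge)
    next_seq = first octet not yet sent (middle edge)
    right    = left + window_size, first octet outside the window (right edge)
    """

    def __init__(self, window_size, first_octet=1):
        self.window_size = window_size
        self.left = first_octet
        self.next_seq = first_octet

    @property
    def right(self):
        return self.left + self.window_size

    @property
    def usable(self):
        """Octets that can be sent ASAP without waiting for an ACK."""
        return self.right - self.next_seq

    @property
    def unacked(self):
        """Octets sent but not yet ACKed."""
        return self.next_seq - self.left

    def send(self, count):
        """Send up to `count` octets, stopping at the right edge; returns the octet numbers sent."""
        n = min(count, self.usable)
        octets = list(range(self.next_seq, self.next_seq + n))
        self.next_seq += n  # middle edge opens
        return octets

    def receive_ack(self, ack, window_size=None):
        """Expectational ACK: `ack` is the next octet the receiver expects."""
        if ack > self.next_seq:
            raise ValueError("ACK %d acknowledges octets never sent" % ack)
        if ack > self.left:
            self.left = ack  # left edge closes; right edge opens by the same amount
        if window_size is not None:
            self.window_size = window_size  # receiver may shrink or grow the window


class WindowedReceiver:
    """Receiver side (Host B): acknowledges the next octet it expects, buffering out-of-order data."""

    def __init__(self, window_size, first_octet=1):
        self.window_size = window_size
        self.expected = first_octet
        self.buffered = set()

    def receive(self, octet):
        """Return the expectational ACK after this octet, or None if it falls outside the window."""
        if not (self.expected <= octet < self.expected + self.window_size):
            return None  # duplicate or beyond the advertised window: discarded
        self.buffered.add(octet)
        while self.expected in self.buffered:
            self.buffered.remove(self.expected)  # delivered in order
            self.expected += 1
        return self.expected


def walkthrough():
    """Replay the module's figure and record the window state at each step."""
    a = SlidingWindowSender(window_size=6)
    b = WindowedReceiver(window_size=6)
    trace = {}
    first = a.send(3)                       # octets 1, 2, 3
    ack = None
    for octet in first:
        ack = b.receive(octet)              # B replies "4" after the third octet
    trace["first_burst"] = first
    trace["ack_after_3"] = ack
    trace["usable_before_ack4"] = a.usable  # 3 octets may still be sent ASAP
    trace["second_burst"] = a.send(2)       # octets 4, 5, sent before ACK 4 arrives
    a.receive_ack(ack)                      # left edge closes to 4, right edge opens to 10
    trace["unacked_after_ack4"] = a.unacked
    trace["usable_after_ack4"] = a.usable
    # Octets 4 and 5 arrive at B out of order: 5 first, then 4
    trace["ack_after_5_alone"] = b.receive(5)  # B still expects 4
    trace["ack_after_4"] = b.receive(4)        # both delivered; B now expects 6
    trace["dropped_outside_window"] = b.receive(40)
    return trace


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(step, value)
```

The receiver never acknowledges past a gap: after octet 5 alone it still says "4", and only once 4 fills the gap does the ACK jump to 6, which is exactly what lets the sender detect which octet to retransmit.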
Sequencing Numbers
Note: The preceding figures apply only if one octet was sent at a time.
The transferred data segments must be reassembled at the receiver end after successful transfer of data.
There is no guarantee that the data will arrive in the order it was transmitted.
TCP applies sequence numbers to the data segments.
Sequencing Numbers (cont’d)
The receiver can interpret the arrangement of data segments by following the sequence number from the receiver.
The sequencing number helps the receiver to cross-check whether the data transfer is successful.
The sequencing number helps the sender to retransmit the data in case there is an error in the data transfer.
Sequencing Numbers (cont’d)
Packet 1: source: 130.57.20.10 dest.: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Initial sequence number = 12952
TCP: Next expected Seq number = 12953
TCP: .... ..1. = SYN
TCP: Window = 8192
TCP: Checksum = 1303 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source: 130.57.20.1 dest: 130.57.20.10
TCP: ----- TCP header -----
TCP: Source port = 524
TCP: Destination port = 1026
TCP: Initial sequence number = 2744080
TCP: Next expected Seq number = 2744081
TCP: Acknowledgment number = 12953
TCP: .... ..1. = SYN
TCP: Window = 32768
TCP: Checksum = D3B7 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Sequence number = 12953
TCP: Next expected Seq number = 12953
TCP: Acknowledgment number = 2744081
TCP: ...1 .... = Acknowledgment
TCP: Window = 8760
TCP: Checksum = 493D (correct)
TCP: No TCP options

Only portions of the TCP headers are displayed.
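The three packets above can be checked mechanically: the SYN/ACK must acknowledge the client’s ISN + 1, the final ACK must carry sequence ISN + 1 and acknowledge the server’s ISN + 1, and the ports must be mirrored between the two directions. The following Python checker is an added example, not from the module; the segment dictionaries are transcribed by hand from the trace values above (ISNs 12952 and 2744080, ports 1026 and 524, with packet 2 treated as a SYN/ACK), and the function names are this example’s own. Acknowledgment arithmetic wraps modulo 2^32, which the trace’s small numbers never exercise but a real capture can, so a second constructed handshake with an ISN at the top of the range is included.

```python
MOD32 = 1 << 32


def next_seq(isn):
    """Sequence number expected after a SYN: the SYN consumes one number, modulo 2^32."""
    return (isn + 1) % MOD32


def validate_handshake(segments):
    """Check that three decoded segments form a valid TCP three-way handshake.
    Each segment is a dict with src, dst, sport, dport, seq, ack and flags (a set of names).
    Returns (True, "ok") or (False, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = segments
    client = (syn["src"], syn["sport"])
    server = (syn["dst"], syn["dport"])

    if syn["flags"] != {"SYN"}:
        return False, "packet 1 must carry SYN only"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "packet 2 must carry SYN and ACK"
    if ack["flags"] != {"ACK"}:
        return False, "packet 3 must carry ACK only"

    # Packet 2 flows server -> client with ports mirrored; packet 3 flows client -> server again
    if (synack["src"], synack["sport"]) != server or (synack["dst"], synack["dport"]) != client:
        return False, "packet 2 is not the mirror of packet 1"
    if (ack["src"], ack["sport"]) != client or (ack["dst"], ack["dport"]) != server:
        return False, "packet 3 does not come from the client"

    client_isn, server_isn = syn["seq"], synack["seq"]
    if synack["ack"] != next_seq(client_isn):
        return False, "SYN/ACK acknowledges %d, expected %d" % (synack["ack"], next_seq(client_isn))
    if ack["seq"] != next_seq(client_isn):
        return False, "packet 3 sequence %d, expected %d" % (ack["seq"], next_seq(client_isn))
    if ack["ack"] != next_seq(server_isn):
        return False, "packet 3 acknowledges %d, expected %d" % (ack["ack"], next_seq(server_isn))
    return True, "ok"


def trace_segments():
    """The module's three packets, transcribed by hand from the trace."""
    c, s = "130.57.20.10", "130.57.20.1"
    return [
        {"src": c, "dst": s, "sport": 1026, "dport": 524, "seq": 12952, "ack": 0, "flags": {"SYN"}},
        {"src": s, "dst": c, "sport": 524, "dport": 1026, "seq": 2744080, "ack": 12953, "flags": {"SYN", "ACK"}},
        {"src": c, "dst": s, "sport": 1026, "dport": 524, "seq": 12953, "ack": 2744081, "flags": {"ACK"}},
    ]


def wrapped_segments():
    """Constructed handshake with the client ISN at the top of the 32-bit range to show the wrap."""
    c, s = "192.0.2.1", "192.0.2.2"
    return [
        {"src": c, "dst": s, "sport": 50000, "dport": 80, "seq": 0xFFFFFFFF, "ack": 0, "flags": {"SYN"}},
        {"src": s, "dst": c, "sport": 80, "dport": 50000, "seq": 1000, "ack": 0, "flags": {"SYN", "ACK"}},
        {"src": c, "dst": s, "sport": 50000, "dport": 80, "seq": 0, "ack": 1001, "flags": {"ACK"}},
    ]


if __name__ == "__main__":
    print(validate_handshake(trace_segments()))
    print(validate_handshake(wrapped_segments()))
```

A checker like this, run over a capture, separates completed handshakes from ones that stall after the SYN/ACK, which is the symptom the SYN flooding section later in this module describes.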
Synchronization
For a connection to be established, the two end stations must synchronize with each other’s initial TCP sequence numbers (ISNs).
Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.
The initial sequence number is the starting number used when a TCP connection is established.
The initial exchange of sequence numbers during the connection sequence ensures recovery of lost data.
Positive Acknowledgment and Retransmission (PAR)
PAR: The source sends a packet, starts a timer, and waits for an acknowledgment before sending the next packet.
If the timer expires before the source receives an acknowledgment, the source retransmits the packet and restarts the timer.
TCP uses expectational acknowledgments, in which the acknowledgment number refers to the next octet that is expected.
What is Internet Protocol v6 (IPv6)?
IPv6 provides a base for enhanced Internet functionalities.
It is also called IPng, or the next generation protocol.
Purpose of IPv6:
• Expandable address space
• Overcomes the issues in IPv4
• Scalable to new users and new services
Why IPv6?
IPv6 provides flexibility for further growth and expansion of IT development.
The following are the factors that provide a stage for the above growth:
• Address space (large and diverse)
• Auto-configuration ability (plug-n-play)
• Mobility (improves mobility model)
• End-to-end security (high comfort factor)
• Extension headers (offer enormous potential)
IPv6 Header
Features of IPv6
• Expanded addressing and routing capabilities
• Simplified header format
• Extension headers
• Security: authentication and privacy
• Auto-configuration
• Support for source demand routing protocol
• Quality of Service (QoS)
IPv4/IPv6 Transition Mechanisms
There are three transition mechanisms available to deploy IPv6 on IPv4 networks.
The transitions can be used in any combination:
• Dual stacks: Based on the DNS value, it uses IPv4 or IPv6.
• Tunneling: It encapsulates IPv6 packets in IPv4 packets.
• Translation: NAT-PT and SIIT are used to enable an IPv6 host to communicate with an IPv4 host.
IPv4/IPv6 Transition Mechanisms (cont’d)
IPv6 Security Issues
Dual-stack related issues:
• IPv6-IPv4 dual stacks increase the potential for security vulnerabilities.
Header manipulation issues:
• Using extension headers and IPsec can deter some header manipulation-based attacks.
Flooding issues:
• Scanning in IPv6 networks for valid host addresses is difficult.
Security Flaws in IPv6
Trespassing:
• With the advanced network discovery of IPv6, it becomes easy for an attacker to get information from any remote networks.
Bypassing filtering devices:
• There are chances of attackers hiding traffic due to the variation in DMZ protection for IPv6 traffic.
Denial-of-service (DoS):
• There are possibilities of DoS attacks while using the same links for sending and receiving IPv6 packets.
Security Flaws in IPv6 (cont’d)
Anycast (no longer safe):
• The routing header 0 (zero) feature of IPv6 can single out all instances of anycast services that work with the same IP on the Internet.
IPv6 puts IPv4 at risk:
• Enabling IPv6 may make the following vulnerable:
  • The IPv4 network and devices.
  • Security devices.
  • Operating systems.
  • Applications.
IPv6 Infrastructure Security
DNS issues:
• Performance may be affected due to IPv6’s improper configuration and use.
• IPv6 has less impact on DNS security.
Mobile IP:
• Need for authenticated, dynamic registration.
• Firewalls need to control use of routing and home address headers.
IPsec
IP security, or IPsec, is a framework of open standards developed by the Internet Engineering Task Force (IETF).
IPsec provides secure transmission of sensitive data over an unprotected medium, like the Internet.
At the network layer, IPsec protects and authenticates IP packets.
Network security services that IPsec provides are:
• Data confidentiality.
• Data integrity.
• Data origin authentication.
• Anti-replay.
Firewalls and Packet Filtering
Packet filtering:
• Is a process of controlling network traffic by checking every transmitted packet against a predefined security policy.
• Uses rules based on source and destination addresses, but there is a restricted scope for some of the IPv6 addresses.
• Basic IP filtering is still in wide use at the border of networks.
IPv6 firewalling:
• A firewall is an IP packet filter that enforces filtering and security policies on the flowing network traffic.
• Using firewalls in IPv6 is still the best way of protecting from low-level attacks at the network and transport layers.
Firewalls and Packet Filtering (cont’d)
IPv6 firewall usage 1:
• “Internet-router-firewall-net architecture”: This order is compatible if the firewall is ready for distinguishing IPv6.
(Figure: Internet -> Router -> Firewall -> Protected Network)
IPv6 firewall usage 2:
• “Internet-firewall-router-net architecture”: This order cannot handle routing protocols properly.
(Figure: Internet -> Firewall -> Router -> Protected Network)
Firewalls and Packet Filtering (cont’d)
IPv6 firewall usage 3:
• “Internet-firewall/router(edge device)-net architecture”: This order can be powerful for routing and security policy.
(Figure: Internet -> Firewall + Router -> Protected Network)
Denial-of-Service (DoS) Attacks
A DoS attack is a common method used by attackers to disrupt system response.
SYN flooding is a type of DoS attack.
SYN flooding exploits the normal three-way handshake.
Malicious flooding by large volumes of TCP SYN packets to the victim’s system with spoofed source IP addresses can cause a DoS.
DoS SYN Flooding Attack
A DoS SYN flooding attack takes advantage of a flaw in how most hosts implement the TCP three-way handshake.
Normal connection establishment (Host A to Host B):
When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds.
SYN Flooding:
A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK.
The victim's listen queue is quickly filled up.
This ability of removing a host from the network for at least 75 seconds can be used as a DoS attack.
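Added example (not from the EC-Council module): a defender-side model of the listen queue described above. It replays constructed handshake events from a connection log, keeps each half-open entry for the module's 75-second window, and raises an alert when the backlog overflows, reporting which sources hold the half-open entries. The queue size, timeout and log format are assumptions made for the example.

```python
# Added example, not the module's code: replay TCP handshake events and model
# the victim's listen queue so a SYN flood shows up as backlog exhaustion.
import re
from collections import Counter

LISTEN_QUEUE_SIZE = 5      # assumed small backlog, as on the slide
HALF_OPEN_TIMEOUT = 75.0   # seconds the victim keeps a half-open entry

# Constructed event log: time, client, server, TCP flag seen on the wire.
SAMPLE_LOG = """\
0.00 10.0.0.7:40001 -> 192.0.2.10:80 SYN
0.01 192.0.2.10:80 -> 10.0.0.7:40001 SYN-ACK
0.02 10.0.0.7:40001 -> 192.0.2.10:80 ACK
1.00 198.51.100.1:1000 -> 192.0.2.10:80 SYN
1.10 198.51.100.2:1001 -> 192.0.2.10:80 SYN
1.20 198.51.100.3:1002 -> 192.0.2.10:80 SYN
1.30 198.51.100.4:1003 -> 192.0.2.10:80 SYN
1.40 198.51.100.5:1004 -> 192.0.2.10:80 SYN
1.50 198.51.100.6:1005 -> 192.0.2.10:80 SYN
80.00 10.0.0.8:40002 -> 192.0.2.10:80 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (SYN|SYN-ACK|ACK)$")

def analyze(log_text, queue_size=LISTEN_QUEUE_SIZE, timeout=HALF_OPEN_TIMEOUT):
    """Replay handshake events; return (alerts, number of half-open entries at end)."""
    half_open = {}   # (client, server) -> time the SYN arrived
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, dst, flag = float(m.group(1)), m.group(2), m.group(3), m.group(4)
        # Expire entries the victim would have dropped after the timeout.
        for key, t0 in list(half_open.items()):
            if t - t0 >= timeout:
                del half_open[key]
        if flag == "SYN":
            half_open[(src, dst)] = t
        elif flag == "ACK":
            half_open.pop((src, dst), None)      # third step: handshake completed
        # SYN-ACK is the victim's own reply; it does not change queue state.
        if len(half_open) > queue_size:
            top = Counter(k[0].rsplit(":", 1)[0] for k in half_open).most_common(3)
            alerts.append((t, len(half_open), top))
    return alerts, len(half_open)

if __name__ == "__main__":
    for t, n, top in analyze(SAMPLE_LOG)[0]:
        print(f"t={t:.2f}s half-open={n} (> {LISTEN_QUEUE_SIZE}); top sources: {top}")
```

The first handshake completes and leaves the queue; the six unanswered SYNs overflow it, and by t=80 s they have all aged out, which is the 75-second window the slide describes.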
UDP Operation
UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.
The Source Port field is an optional field used only if information needs to return to the sending host.
When a destination router receives a routing update, the source router is not requesting anything, so nothing needs to return to the source.
This is regarding only RIP updates: BGP uses TCP; IGRP is sent directly over IP. EIGRP and OSPF are also sent directly over IP, with their own way of handling reliability.
IP Header Protocol Field
IP Header (bit positions 0-15 | 16-31):
4-bit Version | 4-bit Header Length | 8-bit Type Of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time To Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Data
Internet Control Message Protocol (ICMP)
IP is an unreliable method for delivery of network data.
IP does not notify the sender of failed data transmission.
Internet Control Message Protocol (ICMP) is the component of the TCP/IP protocol stack that addresses this basic limitation of IP.
ICMP does not overcome the unreliability issues in IP.
Reliability must be provided by upper layer protocols (TCP or the application) if it is required.
Error Reporting and Error Correction
When datagram delivery errors occur, ICMP reports the following errors back to the source of the datagram:
Example: Workstation 1 sends a datagram to Workstation 6. Fa0/0 on Router C goes down. Router C then utilizes ICMP to send a message back to Workstation 1 indicating that the datagram could not be delivered.
ICMP does not correct the encountered network problem.
Router C knows only the source and destination IP addresses of the datagram.
ICMP reports on the status of the delivered packet only to the source device.
ICMP Message Delivery
ICMP messages are encapsulated into datagrams.
They follow the same technique used by IP to deliver data, and are subject to the same delivery failures as any IP packet.
This creates a scenario where error reports could generate more error reports.
This causes increased congestion on an already ailing network.
Therefore, errors created by ICMP messages do not generate their own ICMP messages.
Thus, it is possible to have a datagram delivery error that is never reported back to the sender of the data.
Format of an ICMP Message
Type Field
Type  Name
----  -------------------------
0     Echo Reply
1     Unassigned
2     Unassigned
3     Destination Unreachable
4     Source Quench
5     Redirect
6     Alternate Host Address
7     Unassigned
8     Echo
9     Router Advertisement
10    Router Solicitation
11    Time Exceeded
12    Parameter Problem
13    Timestamp
14    Timestamp Reply
15    Information Request
16    Information Reply
17    Address Mask Request
18    Address Mask Reply
19    Reserved (for Security)
20-29 Reserved (for Robustness Experiment)
30    Traceroute
31    Datagram Conversion Error
32    Mobile Host Redirect
33    IPv6 Where-Are-You
34    IPv6 I-Am-Here
35    Mobile Registration Request
36    Mobile Registration Reply
37    Domain Name Request
38    Domain Name Reply
39    SKIP
40    Photuris
41-255 Reserved
Format of an ICMP Message (cont'd)
Code Field
Type 3: Destination Unreachable
Codes:
0  Net Unreachable
1  Host Unreachable
2  Protocol Unreachable
3  Port Unreachable
4  Fragmentation Needed and Don't Fragment was Set
5  Source Route Failed
6  Destination Network Unknown
7  Destination Host Unknown
8  Source Host Isolated
9  Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
Unreachable Networks
Network communication depends upon certain basic conditions being met:
• Sending and receiving devices must have the TCP/IP protocol stack properly configured:
• Proper configuration of IP address and subnet mask.
• A default gateway must also be configured if datagrams are to travel outside of the local network.
• A router also must have the TCP/IP protocol properly configured on its interfaces, and it must use an appropriate routing protocol.
• If these conditions are not met, then network communication cannot take place.
Unreachable Networks (cont'd)
Examples of problems:
• Sending device may address the datagram to a non-existent IP address
• Destination device is disconnected from its network
• Router's connecting interface is down
• Router does not have the information necessary to find the destination network
Destination Unreachable Message
If datagrams cannot be forwarded to their destinations, ICMP delivers back to the sender a destination unreachable message indicating that the datagram could not be properly forwarded.
A destination unreachable message may also be sent when packet fragmentation is required in order to forward a packet:
• Fragmentation is usually necessary when a datagram is forwarded from a token-ring network to an Ethernet network.
• If the datagram does not allow fragmentation, the packet cannot be forwarded, so a destination unreachable message will be sent.
Destination unreachable messages may also be generated if IP-related services such as FTP or web services are unavailable.
ICMP Echo (Request) and Echo Reply
Echo = Type 8
Echo Reply = Type 0
Frame layout:
Ethernet Header (Layer 2): Ethernet Destination Address (MAC) | Ethernet Source Address (MAC) | Frame Type
IP Header (Layer 3): Source IP Add. | Dest. IP Add. | Protocol field (IP Protocol Field = 1)
ICMP Message (Layer 3): Type (0 or 8) | Code (0) | Checksum | ID | Seq. Num. | Data
Ethernet Trailer: FCS
The echo request message is typically initiated using the ping command.
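Added example (not the module's code): it builds a constructed IPv4 packet carrying an ICMP Echo request and then parses it the way a packet analyst would, checking the IP protocol field (1 = ICMP), the IP header checksum, and the ICMP type, code, checksum, ID and sequence fields from the frame layout above and the type table earlier. The addresses, identification value and payload are sample values chosen for the example.

```python
# Added example, not the module's code: build and decode an IPv4/ICMP Echo
# packet, verifying the checksums that a capture tool would flag if wrong.
import struct
import socket

ICMP_TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
                   8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
                   13: "Timestamp", 14: "Timestamp Reply"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Echo (type 8, code 0) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) in front of the payload."""
    total_len = 20 + len(payload)
    fields = (0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    csum = inet_checksum(hdr)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields[:7], csum, *fields[8:])
    return hdr + payload

def parse_packet(pkt: bytes) -> dict:
    """Decode the IP header; if the protocol field is 1, decode the ICMP message too."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ihl": ihl, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0}  # sum over header incl. checksum is 0
    if proto == 1:                       # IP protocol field 1 = ICMP
        icmp = pkt[ihl:total_len]
        t, c, _, i, s = struct.unpack("!BBHHH", icmp[:8])
        info.update({"icmp_type": t, "icmp_name": ICMP_TYPE_NAMES.get(t, "Other"),
                     "icmp_code": c, "id": i, "seq": s, "data": icmp[8:],
                     "icmp_checksum_ok": inet_checksum(icmp) == 0})
    return info

# Constructed sample: an echo request from 192.0.2.1 to 192.0.2.2 (documentation addresses).
SAMPLE = build_ipv4("192.0.2.1", "192.0.2.2", 1, 64,
                    build_icmp_echo(0x1A2B, 1, b"ping-test"))

if __name__ == "__main__":
    for k, v in parse_packet(SAMPLE).items():
        print(f"{k:>17}: {v}")
```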
Time Exceeded Message
ICMP Time Exceeded: Type = 11
The IP header shown above carries the 8-bit Time To Live (TTL) field.
A TTL value is defined in each datagram (IP packet).
As each router processes the datagram, it decreases the TTL value by one.
When the TTL value of the datagram reaches zero, the packet is discarded.
ICMP uses a time exceeded message to notify the source device that the TTL of the datagram has been exceeded.
IP Parameter Problem
ICMP Parameter Problem: Type = 12
Devices that process datagrams may not be able to forward a datagram due to some type of error in the header.
This error does not relate to the state of the destination host or network, but still prevents the datagram from being processed and delivered.
An ICMP type 12 parameter problem message is sent to the source of the datagram.
ICMP Control Messages
Unlike error messages, control messages are not the results of lost packets or error conditions which occur during packet transmission.
Instead, they are used to inform hosts of conditions such as:
• Network congestion.
• Existence of a better gateway to a remote network.
ICMP Redirects
ICMP Redirect: Type = 5, Code = 0 to 3
Default gateways only send ICMP redirect/change request messages if the following conditions are met:
• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
• The subnet/network of the source IP address is the same subnet/network as the next-hop IP address of the routed packet.
• The datagram is not source-routed.
• The route for the redirect is not another ICMP redirect or a default route.
• The router is configured to send redirects.
Clock Synchronization and Transit Time Estimation
ICMP Timestamp Request/Reply: Type = 13 or 14
The TCP/IP protocol suite allows systems to connect to one another over vast distances through multiple networks.
Each of these individual networks provides clock synchronization in its own way.
As a result, hosts on different networks that are trying to communicate using software that requires time synchronization can sometimes encounter problems.
The ICMP timestamp message type is designed to help alleviate this problem.
The ICMP timestamp request message allows a host to ask for the current time according to the remote host.
The remote host uses an ICMP timestamp reply message to respond to the request.
Clock Synchronization and Transit Time Estimation (cont'd)
All ICMP timestamp reply messages contain the originate, receive, and transmit timestamps.
Using these three timestamps, the host can estimate transit time across the network by subtracting the originate time from the transit time.
It is only an estimate, however, as true transit time can vary widely based on traffic and congestion on the network.
The host that originated the timestamp request can also estimate the local time on the remote computer.
While ICMP timestamp messages provide a simple way to estimate time on a remote host and total network transit time, this is not the best way to obtain this information.
Instead, more robust protocols such as Network Time Protocol (NTP) at the upper layers of the TCP/IP protocol stack perform clock synchronization in a more reliable manner.
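Added example (not the module's code) for the two slides above: it decodes the originate, receive and transmit timestamps from a constructed ICMP Timestamp Reply (type 14) and estimates both the transit time and the remote clock offset. It goes slightly beyond the slide's simple subtraction by also removing the remote host's processing time and by handling timestamps that wrap at midnight, since ICMP timestamps count milliseconds since midnight UTC; the local receive time t4 is an extra value the requester records itself.

```python
# Added example, not the module's code: parse an ICMP timestamp reply and
# estimate transit time and remote clock offset, tolerating a midnight wrap.
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000

def parse_timestamp_reply(msg: bytes) -> dict:
    """ICMP type 13/14 body: type, code, checksum, id, seq, then 3 x 32-bit ms values."""
    t, code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg[:20])
    if t not in (13, 14):
        raise ValueError("not an ICMP timestamp message (type %d)" % t)
    return {"type": t, "code": code, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}

def ms_delta(later: int, earlier: int) -> int:
    """Difference of two ms-since-midnight values, tolerating one midnight wrap."""
    d = later - earlier
    if d < -MS_PER_DAY // 2:
        d += MS_PER_DAY
    elif d > MS_PER_DAY // 2:
        d -= MS_PER_DAY
    return d

def estimate(reply: dict, t4: int) -> dict:
    """Transit estimate: round trip (t4 - t1) minus the remote's processing time (t3 - t2).
    Offset estimate: how far the remote clock runs ahead of the local one."""
    t1, t2, t3 = reply["originate"], reply["receive"], reply["transmit"]
    round_trip = ms_delta(t4, t1) - ms_delta(t3, t2)
    offset = (ms_delta(t2, t1) + ms_delta(t3, t4)) // 2
    return {"round_trip_ms": round_trip, "one_way_ms": round_trip // 2,
            "remote_offset_ms": offset}

def build_timestamp_reply(ident, seq, orig, recv, xmit) -> bytes:
    """Constructed reply; checksum left zero because only the timestamp fields matter here."""
    return struct.pack("!BBHHHIII", 14, 0, 0, ident, seq, orig, recv, xmit)

# Constructed exchange: request sent 50 ms before midnight, remote clock 2 s ahead,
# 40 ms on the wire each way, 5 ms of processing at the remote host.
T1 = MS_PER_DAY - 50
REPLY = build_timestamp_reply(7, 1, T1, (T1 + 40 + 2000) % MS_PER_DAY,
                              (T1 + 45 + 2000) % MS_PER_DAY)
T4 = (T1 + 85) % MS_PER_DAY   # local time when the reply arrived

if __name__ == "__main__":
    print(estimate(parse_timestamp_reply(REPLY), T4))
```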
Information Requests and Reply Message Formats
ICMP Information Request/Reply: Type = 15 or 16
The ICMP information request and reply messages were originally intended to allow a host to determine its network number.
This particular ICMP message type is considered obsolete.
Other protocols, such as BOOTP and Dynamic Host Configuration Protocol (DHCP), are now used to allow hosts to obtain their network numbers.
Address Masks
ICMP Address Mask Request/Reply: Type = 17 or 18
The subnet mask is crucial in identifying network, subnet, and host bits in an IP address.
If a host does not know the subnet mask, it may send an address mask request to the local router.
If the address of the router is known, this request may be sent directly to the router.
Otherwise, the request will be broadcast.
When the router receives the request, it will respond with an address mask reply.
Router Solicitation and Advertisement
ICMP Router Solicitation: Type = 10
ICMP Router Advertisement: Type = 9
When a host on the network boots, and the host has not been manually configured with a default gateway, it can learn of available routers through the process of router discovery.
This process begins with the host sending a router solicitation message to all routers, using the multicast address 224.0.0.2 as the destination address (it may also be broadcast).
When a router that supports the discovery process receives the router discovery message, a router advertisement is sent in return.
Summary
In this module, we reviewed advanced techniques for TCP/IP packet analysis.
We have studied the TCP/IP model of networking by:
• Comparing OSI and TCP/IP.
We have discussed the addressing, subnetting, and windowing of TCP/IP packets.
We have discussed TCP/IP protocols, TCP and UDP port numbers, TCP and UDP operation, sequencing numbers, and ICMP and ICMP control messages.