
Intro to Cyber Crime and Computer Forensics CS 4273/6273 August 25, 2004


Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CS 4273/6273 August 25, 2004 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Investigating Internet Clues (Kruse, Chapter 2) MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  3. Review of TCP/IP Internetworking The following slides are borrowed from Raymond Panko, author of Corporate Computer and Network Security

  4. Single Network: Applications, Client and Server Hosts, Switches, Access Links, Trunk Links, Frames, Path (figure: client hosts and a mobile client host reach server hosts over access links and trunk links; a frame travels along a path through the switches)

  5. Frame Organization (figure: message structure is Header | Data Field | Trailer; the header contains the Destination Address field and other header fields)

  6. Switching Decision (figure: a six-port switch connects Stations A, B, C and D; the switch receives a frame with Station C in the destination address field and sends it back out on the port for C, based on the destination address)

  7. Figure 3-1: Internet • An internet is two or more individual switched networks connected by routers (figure: Switched Networks 1, 2 and 3 joined by a router)

  8. Figure 1.11: An Internet • Multiple networks connected by routers • The path of a packet is its route (figure: a packet crosses several single networks and routers along its route)

  9. The global Internet has thousands of networks (figure: browser software on the client and webserver software on the server exchange packets that travel from router to router along a route across the Internet)

  10. Figure 3-6: Frames and Packets (figure: Frame 1 carries the packet across Network 1 from the client PC through a switch to Router A; Frame 2 carries the same packet across Network 2 from Router A to Router B; Frame 3 carries it across Network 3 from Router B through a switch to the server)

  11. Figure 1.12: Frames and Packets • Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport (figure: shipper, truck, airport, airplane, airport, truck, receiver; the same shipment throughout)

  12. TCP/IP Standards • Origins • Defense Advanced Research Projects Agency (DARPA) created the ARPANET • An internet connects multiple individual networks • Global Internet is capitalized • Internet Engineering Task Force (IETF) • Most IETF documents are requests for comments (RFCs) • Internet Official Protocol Standards: List of RFCs that are official standards

  13. TCP/IP Standards • Hybrid TCP/IP-OSI Architecture • Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2 (figure, layer comparison: TCP/IP = Application, Transport, Internet, Subnet Access; OSI = Application, Presentation, Session, Transport, Network, Data Link, Physical; Hybrid TCP/IP-OSI = Application (5), Transport (4), Internet (3), Data Link (2), Physical (1), with OSI standards used at the subnet access layers, i.e. data link and physical)

  14. TCP/IP Standards • OSI Layers • Physical (Layer 1): defines electrical signaling and media between adjacent devices (a physical link) • Data link (Layer 2): control of a frame through a single switched network, across multiple switches

  15. TCP/IP Standards • Internet Layer • Governs the transmission of a packet across an entire internet. The path of the packet is its route (figure: a packet's route through Switched Networks 1, 2 and 3 via routers)

  16. TCP/IP Standards • Frames and Packets • Frames are messages at the data link layer • Packets are messages at the internet layer • Packets are carried (encapsulated) in frames • There is only a single packet that is delivered from source to destination host • This packet is carried in a separate frame in each network

  17. Internet and Transport Layers (figure: client PC, Routers 1, 2 and 3, server) • Transport layer: end-to-end (host-to-host) between the client PC and the server; TCP is connection-oriented and reliable, UDP is connectionless and unreliable • Internet layer (usually IP): hop-by-hop (host-router or router-router), connectionless and unreliable

  18. TCP/IP Standards • Internet and Transport Layers • Purposes • Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery • Transport layer is end-to-end (host-to-host) protocol involving only the two hosts

  19. TCP/IP Standards • Internet and Transport Layers • Internet Protocol (IP) • IP at the internet layer is unreliable—does not correct errors in each hop between routers • This is good: reduces the work each router along the route must do

  20. TCP/IP Standards • Transport Layer Standards • Transmission Control Protocol (TCP) • Reliable and connection-oriented service at the transport layer • Corrects errors • User Datagram Protocol (UDP) • Unreliable and connectionless service at the transport layer • Lightweight protocol good when catching errors is not important

  21. HTML and HTTP at the Application Layer (figure: the client PC with browser, 123.34.150.37, sends Hypertext Transfer Protocol (HTTP) requests to the webserver, 60.168.47.47, which returns HTTP responses carrying a Hypertext Markup Language (HTML) document or other file (jpeg, etc.))

  22. TCP/IP Standards • Application Layer • To govern communication between application programs, which may be written by different vendors • Document transfer versus document format standards • HTTP / HTML for WWW service • SMTP / RFC 822 (or RFC 2822) in e-mail • Many application standards exist because there are many applications

  23. TCP/IP and OSI Architectures: Recap (figure, layer comparison: TCP/IP = Application, Transport, Internet, Subnet Access; OSI = Application, Presentation, Session, Transport, Network, Data Link, Physical; Hybrid TCP/IP-OSI = Application, Transport, Internet, Data Link, Physical, with OSI standards used at the subnet access layers) Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

  24. Layer Cooperation Through Encapsulation on the Source Host • Application process produces the HTTP message • Transport process encapsulates the HTTP message in the data field of a TCP segment: TCP Hdr | HTTP Message • Internet process encapsulates the TCP segment in the data field of an IP packet: IP Hdr | TCP Hdr | HTTP Message

  25. Layer Cooperation Through Encapsulation on the Source Host • Data link process encapsulates the IP packet in the data field of a frame: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr • Physical process converts the bits of the frame into signals

  26. Layer Cooperation Through Encapsulation on the Source Host • Note: the final frame for supervisory TCP segments is DL Hdr | IP Hdr | TCP Hdr | Msg | DL Trlr

  27. Layer Cooperation Through Decapsulation on the Destination Host • Physical process converts the signals into the bits of the frame • Data link process decapsulates the IP packet from the data field of the frame: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr becomes IP Hdr | TCP Hdr | HTTP Message • Internet process receives the IP packet

  28. Layer Cooperation Through Decapsulation on the Destination Host • Internet process decapsulates the TCP segment from the data field of the IP packet: TCP Hdr | HTTP Message • Transport process decapsulates the HTTP message from the data field of the TCP segment • Application process receives the HTTP message
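Worked example for slides 24-28, added by the editor and not part of the original slides or of Panko's book: the same encapsulation and decapsulation done with real header layouts. The client and server addresses are the ones on slide 21; the HTTP request, the MAC addresses, the ports and the sequence numbers are constructed for the example. The receiver verifies the IP header checksum and the TCP checksum before handing the message up, which is the "discarded by receiver if error is detected" behaviour of slide 31.

```python
import socket
import struct

# Constructed sample data (not from the slides): a minimal HTTP request and assumed MAC addresses.
HTTP_MESSAGE = b"GET /index.html HTTP/1.1\r\nHost: 60.168.47.47\r\n\r\n"
CLIENT_IP, SERVER_IP = "123.34.150.37", "60.168.47.47"      # addresses from slide 21
CLIENT_MAC = bytes.fromhex("001122334455")                   # assumed client NIC
ROUTER_MAC = bytes.fromhex("66778899aabb")                   # assumed first-hop router
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_segment(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Transport layer: 20-byte TCP header (PSH|ACK, no options) with the HTTP message as data."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    # The TCP checksum covers a pseudo-header borrowed from the IP layer plus the whole segment.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, 20 + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_packet(segment: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header with the TCP segment as its data field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, ttl,
                      IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def ethernet_frame(packet: bytes, dst_mac: bytes, src_mac: bytes) -> bytes:
    """Data link layer: Ethernet II header (the 4-byte FCS trailer is appended by the NIC)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def build_frame() -> bytes:
    """Source host: HTTP message -> TCP segment -> IP packet -> frame."""
    segment = tcp_segment(HTTP_MESSAGE, CLIENT_IP, SERVER_IP, 51234, 80)
    packet = ip_packet(segment, CLIENT_IP, SERVER_IP)
    return ethernet_frame(packet, ROUTER_MAC, CLIENT_MAC)


def ip_header_valid(packet: bytes) -> bool:
    """The checksum over a correct header (its checksum field included) folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[0] >> 4 == 4 and checksum(packet[:ihl]) == 0


def decapsulate(frame: bytes) -> dict:
    """Destination host: peel frame -> packet -> segment -> HTTP message, checking each layer."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    if not ip_header_valid(packet):
        raise ValueError("IP header checksum failed: the receiver discards the packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    if proto != IPPROTO_TCP or checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum failed: the transport layer discards the segment")
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "data": segment[data_offset:]}


if __name__ == "__main__":
    frame = build_frame()
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

Each hop between routers would replace only the outer 14 bytes (new source and destination MACs, one TTL decrement and a recomputed IP checksum); the TCP segment and the HTTP message inside are carried unchanged, which is the "single packet, separate frame in each network" point of slide 16.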

  29. Internet Protocol (IP) • Basic Characteristics • There were already single networks, and many more would come in the future • Developers needed to make a few assumptions about underlying networks • So they kept IP simple

  30. Internet Protocol (IP) • Connection-Oriented Service and Connectionless Service • Connection-oriented services have distinct starts and closes (telephone calls) • Connectionless services merely send messages (postal letters) • IP is connectionless

  31. (figure: an IP packet passes from the PC's internet process to the first router's internet process) • Connectionless: packets are sent in isolation, like postal letters • Unreliable: no error correction; a packet is discarded by the receiver if an error is detected • Leaves error correction to the transport layer • Reduces the cost of routers

  32. Internet Protocol (IP) • IP is Unreliable (Checks for Errors but does not Correct Errors) • Not doing error correction at each hop between routers reduces router work and also router cost • Does not even guarantee packets will arrive in order

  33. Internet Protocol (IP) • Hierarchical IP Addresses • Postal addresses are hierarchical (state, city, postal zone, specific address) • Most post offices have to look only at state and city • Only the final post offices have to be concerned with specific addresses

  34. Hierarchical IP Address • Network Part (not always 16 bits) • Subnet Part (not always 8 bits) • Host Part (not always 8 bits) • Total is always 32 bits • Example 128.171.17.13: the Internet routes on the UH network part (128.171), the campus routes on the CBA subnet part (17), and the subnet delivers to host 13

  35. IP Address Spoofing (figure) • 1. Trust relationship between the trusted server 60.168.4.6 and the victim server 60.168.47.47 • 2. The attacker's client PC (1.34.150.37) sends an attack packet with the spoofed source IP address 60.168.4.6 • 3. The victim server accepts the attack packet; the attacker's identity is not revealed

  36. Internet Protocol (IP) • IP Addresses and Security • IP address spoofing: Sending a message with a false IP address • Gives sender anonymity so that attacker cannot be identified • Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts

  37. Internet Protocol (IP) • IP Addresses and Security • LAND attack: send victim a packet with victim’s IP address in both source and destination address fields and the same port number for the source and destination. In 1997, many computers, switches, routers, and even printers, crashed when they received such a packet.

  38. Figure 3-18: LAND Attack Based on IP Address Spoofing (figure: the attacker at 1.34.150.37 sends a packet From 60.168.47.47:23 To 60.168.47.47:23; the victim 60.168.47.47, with port 23 open, crashes) • Source and destination IP addresses are the same • Source and destination port numbers are the same
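Worked example for slides 34-38, added by the editor and not part of the original slides: the checks a border router or intrusion detection system applies to catch the two packets shown. The LAND rule is exact (identical source and destination address and port). The spoofing rule is ingress filtering (BCP 38): it keys on the network part of the address from slide 34, so a packet arriving from the Internet that claims a source inside our own 60.168.0.0/16 cannot be genuine. The topology, the sample packets and the port numbers are constructed for the example; the addresses are the ones on slides 35 and 38.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Header fields a filtering router looks at (constructed, not captured)."""
    iface: str   # interface the packet arrived on: "outside" (Internet) or "inside"
    src: str
    dst: str
    sport: int
    dport: int


# Assumed topology: the trusted and victim servers of slide 35 sit in 60.168.0.0/16
# behind the router's "inside" interface. The network part of the address is what
# ingress/egress filtering keys on.
INTERNAL_NETS = [ipaddress.ip_network("60.168.0.0/16")]

# Private and reserved ranges that are never legitimate sources on the Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def inspect(pkt: Packet) -> list:
    """Return the names of the rules the packet trips (empty list means pass)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    hits = []
    # LAND (slides 37-38): identical source/destination address and port.
    if src == dst and pkt.sport == pkt.dport:
        hits.append("land")
    # Ingress filtering (BCP 38): a packet claiming an internal source cannot legitimately
    # arrive from the Internet. This catches the spoofed 60.168.4.6 packet of slide 35.
    if pkt.iface == "outside" and is_internal(src):
        hits.append("spoofed-internal-source")
    # Egress filtering: hosts inside may only send with our own addresses, so an attacker
    # inside cannot spoof other people's networks through us.
    if pkt.iface == "inside" and not is_internal(src):
        hits.append("egress-spoof")
    if pkt.iface == "outside" and any(src in net for net in BOGON_NETS):
        hits.append("bogon-source")
    return hits


# Constructed sample traffic using the slides' addresses (ports are assumed).
SAMPLE_PACKETS = [
    Packet("outside", "1.34.150.37", "60.168.47.47", 40001, 80),   # ordinary request
    Packet("outside", "60.168.47.47", "60.168.47.47", 23, 23),     # LAND packet, slide 38
    Packet("outside", "60.168.4.6", "60.168.47.47", 1023, 513),    # spoofed trusted server, slide 35
    Packet("inside", "10.9.8.7", "1.34.150.37", 5555, 80),         # inside host spoofing a source
    Packet("outside", "192.168.1.5", "60.168.47.47", 4444, 22),    # bogon source from the Internet
]


def audit(packets) -> dict:
    """Map packet index to its rule hits; packets that pass are not listed."""
    return {i: hits for i, p in enumerate(packets) if (hits := inspect(p))}


if __name__ == "__main__":
    for i, hits in audit(SAMPLE_PACKETS).items():
        p = SAMPLE_PACKETS[i]
        print(f"#{i} {p.iface} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {', '.join(hits)}")
```

The caveat a practitioner wants: ingress filtering at the victim's border only catches spoofed addresses that belong on the other side of the router. An attacker sitting on the same network as the trusted host is not caught by it, and the spoofed packet of slide 35 also needs the attacker to guess the victim's TCP sequence numbers blind, which is why address-based trust (the r-services model) was replaced by cryptographic authentication.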

  39. tracert Program in Windows

  40. Internet Control Message Protocol (ICMP) • ICMP is for Supervisory Messages at the Internet Layer • ICMP and IP • An ICMP message is delivered (encapsulated) in the data field of an IP packet • Types and Codes (Figure 3-2) • Type: General category of supervisory message • Code: Subcategory of type (set to zero if there is no code)

  41. Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages (figure: a router returns a "Host Unreachable" error message; the ICMP message follows the IP header in the packet; a host sends "Echo" and receives "Echo Reply")

  42. IP Packet with an ICMP Message (figure, bits 0 to 31): the IP header (usually 20 bytes) is followed by the ICMP message in the data field: Type (8 bits), Code (8 bits), a 16-bit checksum over the ICMP message, then fields whose layout depends on the type and code

  43. Internet Control Message Protocol (ICMP) • Network Analysis Messages • Echo (Type 8, no code) asks target host if it is operational and available • Echo reply (Type 0, no code). Target host responds to echo sender • Ping program implements Echo and Echo Reply. Like submarine pinging a target • Ping is useful for network managers to diagnose problems based on failures to reply • Ping is useful for hackers to identify potential targets: live ones reply

  44. Internet Control Message Protocol (ICMP) • Error Advisement Messages • Advise the sender of an error, but there is no error correction • Destination Unreachable (Type 3, multiple codes; code 1 is Host Unreachable) • Many codes for specific reasons for the destination being unreachable (network, host, protocol, port) • The source IP address of the unreachable message confirms to hackers that a router (or, for Port Unreachable, the target host itself) is live and therefore a potential victim • Usually sent by a router

  45. Internet Control Message Protocol (ICMP) • Error Advisement Messages • Time Exceeded (Type 11; code 0 is TTL exceeded in transit, code 1 is fragment reassembly time exceeded) • A router that decrements TTL to 0 discards the packet and sends a Time Exceeded message • The source IP address of the IP header carrying the error message reveals the router's IP address • By incrementing the TTL by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping the route one router at a time (this is exactly how tracert works) • Also usually sent by a router

  46. Internet Control Message Protocol (ICMP) • Control Codes • Control network/host operation • Source Quench (Type 4, no code) • Tells the source host to slow down its transmission rate • Legitimate use: flow control when the host or router sending Source Quench is overloaded • Attackers can forge it for a denial-of-service attack, throttling a victim's connections • Modern hosts and routers ignore it (deprecated by RFC 6633)

  47. Internet control Message Protocol (ICMP) • Control Codes • Redirect (Type 5, multiple codes) • Tells host or router to send packets in different way than they have • Attackers can disrupt network operations, for example, by sending packets down black holes • Many Other ICMP Messages
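Worked example for slides 39-47, added by the editor and not part of the original slides: an ICMP builder and parser with the checksum of slide 42 and the type/code names of slides 43-47, driven by a simulated path to show how tracert (slide 39) turns Time Exceeded messages (slide 45) into a map of the route. The router addresses on the simulated path are assumed (documentation ranges), the target is the webserver address from the slides, and the forwarding loop stands in for real routers; the Time Exceeded reply quotes only the first 8 bytes of the probe rather than the full IP header plus 8 bytes a real router returns.

```python
import struct

# ICMP type and code names from RFC 792, as used by the slides.
ICMP_TYPES = {
    0: ("Echo Reply", {0: ""}),
    3: ("Destination Unreachable", {0: "net unreachable", 1: "host unreachable",
                                    2: "protocol unreachable", 3: "port unreachable",
                                    4: "fragmentation needed and DF set"}),
    4: ("Source Quench", {0: ""}),
    5: ("Redirect", {0: "redirect datagrams for the network", 1: "redirect datagrams for the host"}),
    8: ("Echo", {0: ""}),
    11: ("Time Exceeded", {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}),
}


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, computed over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_message(mtype: int, code: int, rest: bytes = b"\x00" * 4, data: bytes = b"") -> bytes:
    """Type (8 bits), code (8 bits), checksum (16 bits), 4 type-specific bytes, then data."""
    body = struct.pack("!BBH", mtype, code, 0) + rest + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def icmp_checksum_ok(msg: bytes) -> bool:
    return len(msg) >= 8 and checksum(msg) == 0


def parse_icmp(msg: bytes) -> dict:
    """Decode type and code; a message with a bad checksum is dropped, as a host would."""
    if not icmp_checksum_ok(msg):
        raise ValueError("ICMP checksum failed")
    mtype, code = msg[0], msg[1]
    name, codes = ICMP_TYPES.get(mtype, ("unknown", {}))
    return {"type": mtype, "code": code, "name": name, "code_name": codes.get(code, "unknown"),
            "rest": msg[4:8], "data": msg[8:]}


def echo_request(ident: int, seq: int, data: bytes = b"probe") -> bytes:
    """Echo (type 8): identifier and sequence number let the sender match replies to probes."""
    return icmp_message(8, 0, struct.pack("!HH", ident, seq), data)


# Assumed path for the simulation (documentation-range router addresses, not real hops).
PATH = ["192.0.2.1", "198.51.100.9", "203.0.113.17"]
TARGET = "60.168.47.47"   # webserver/victim address from the slides


def forward(ttl: int, probe: bytes):
    """Simulated internet layer: each router decrements TTL; the router that reaches zero
    discards the packet and answers Time Exceeded from its own address, quoting the
    start of the probe. Returns (source IP of the reply, ICMP bytes)."""
    for router in PATH:
        ttl -= 1
        if ttl == 0:
            return router, icmp_message(11, 0, b"\x00" * 4, probe[:8])
    # Reached the target: Echo Reply mirrors identifier, sequence and data.
    return TARGET, icmp_message(0, 0, probe[4:8], probe[8:])


def traceroute(max_hops: int = 30) -> list:
    """The tracert idea: TTL 1, 2, 3, ... exposes one router per probe until the target answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        src, reply = forward(ttl, echo_request(0x1234, ttl))
        info = parse_icmp(reply)
        hops.append((ttl, src, info["name"]))
        if info["type"] == 0:   # Echo Reply from the target ends the scan
            break
    return hops


if __name__ == "__main__":
    for ttl, src, kind in traceroute():
        print(f"{ttl:2d}  {src:15s}  {kind}")
```

The same parser applied to captured ICMP is what a network analyst uses to spot the reconnaissance the slides describe: a burst of Echo requests across a subnet is a ping sweep, a run of probes with TTL values 1, 2, 3, ... is route mapping, and unsolicited Redirect or Source Quench messages from an address that is not the next-hop router are the attacks of slides 46 and 47.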

  48. Questions?
