
Slides for Today July 14 are not Quite Complete; but close enough to post

Slides for Today July 14 are not Quite Complete; but close enough to post Test 2 will be returned and …. Lecture UDP, Traceroute, DNS etc. . CSCE 517 Forensic Computing. Topics Unix File systems one more time UDP Traceroute Domain Name Service. July 14, 2003.

feivel

Presentation Transcript


  1. Slides for Today July 14 are not Quite Complete; but close enough to post • Test 2 will be returned and …

  2. Lecture UDP, Traceroute, DNS etc. CSCE 517 Forensic Computing • Topics • Unix File systems one more time • UDP • Traceroute • Domain Name Service July 14, 2003

  3. Unix File System Structure Encore!

  4. User Datagram Protocol (UDP) • Main connectionless protocol of the TCP/IP suite • Built on top of IP • Connectionless • No “guarantees” on delivery as in TCP • If TCP is analogous to a “telephone call”, UDP is analogous to a telegram • Maximum size of IP datagram is 65535 • Maximum size of UDP datagram 8192 • Reference for UDP material: “TCP/IP Illustrated, Volume 1: The Protocols” by W. Richard Stevens, 1992

  5. TCP/IP Suite (modified) • [Figure: TCP/IP Layers Modified**; labels in slide order: smtp … ssh http snmp DNS … bootp; Application Layer; TCP UDP; Transport Layer; ICMP IGMP; Network Layer; IP ARP RARP; Data Link Layer**; Ethernet Driver; Physical Ethernet or Other LAN; Physical Layer]

  6. User Datagram Header Format • [Figure: header layout with bit positions 0 7 8 15 16 23 24 31] • Source port • Destination port • Length – length of header + length of data • Checksum • One’s complement sum of the 16-bit words • If length is odd, pad with ‘\0’, a byte of zeroes • Include 12-byte pseudo-header from the IP header • Source IP address, Destination IP address, zero, protocol

  7. User Datagram Header Checksum • Checksum • One’s complement sum of the 16-bit words • If length is odd, pad with ‘\0’, a byte of zeroes • Include 12-byte pseudo-header from the IP header • Source IP address, Destination IP address, zero, protocol, length • [Figure: pseudo-header layout with bit positions 0 7 8 15 16 23 24 31]
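The checksum rules on slides 6 and 7, worked through in Python as an added example (not part of the original slides). The destination address 192.0.2.10 and source port 40000 are constructed values; 129.252.11.90 and port 4445 are the workstation address and QuoteServer port used elsewhere in the lecture.

```python
import socket
import struct

UDP_PROTO = 17  # IP protocol number for UDP, carried in the pseudo-header

def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of big-endian 16-bit words (odd length padded with 0x00)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """12 bytes: source IP, destination IP, zero, protocol, UDP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, UDP_PROTO, udp_length)

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a UDP header+data whose checksum field is currently zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total & 0xFFFF) or 0xFFFF  # 0 on the wire means "no checksum"

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)  # length of header + length of data
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check; False for truncated, altered or misdelivered datagrams."""
    if len(segment) < 8:
        return False
    _, _, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        return False
    if csum == 0:  # sender did not compute a checksum
        return True
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF

# Constructed sample: 5-byte (odd-length) payload sent to port 4445.
SAMPLE = build_udp("129.252.11.90", "192.0.2.10", 40000, 4445, b"quote")
```

Because the pseudo-header is summed in, a datagram that verifies for one address pair fails for any other, which is how the receiver catches misdelivery as well as corruption.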

  8. Last Time • IP Fragmentation • ICMP Unreachable Error (Fragmentation Required) • Determining the Path MTU using traceroute

  9. Interaction of UDP and ARP

  10. ICMP Source Quench Error

  11. UDP Server Design

  12. UDP Programming in Java • Java Tutorial - All about Datagrams http://java.sun.com/docs/books/tutorial/networking/datagrams/ • What is a UDP datagram? • A datagram is an independent, self-contained message sent over the network whose arrival, arrival time, and content are not guaranteed. [Java Tutorial]

      import java.io.*;

      // Entry point: starts the thread that serves quotes over UDP.
      public class QuoteServer {
          public static void main(String[] args) throws IOException {
              new QuoteServerThread().start();
          }
      }

  13. UDP Programming in Java

      // Constructors of QuoteServerThread; socket and in are fields of that class.
      public QuoteServerThread() throws IOException {
          this("QuoteServer");
      }

      public QuoteServerThread(String name) throws IOException {
          super(name);
          socket = new DatagramSocket(4445);   // UDP port the server listens on
          try {
              in = new BufferedReader(new FileReader("one-liners.txt"));
          } catch (FileNotFoundException e) {
              System.err.println("Couldn't open quote file. " + "Serving time instead.");
          }
      }

  14. Java UDP Client

      …
      int port;
      InetAddress address;
      DatagramSocket socket = null;
      DatagramPacket packet;
      byte[] sendBuf = new byte[256];

      if (args.length != 1) {
          System.out.println("Usage: java QuoteClient <hostname>");
          return;
      }

      // Assign to the variables declared above rather than declaring them again.
      socket = new DatagramSocket();
      byte[] buf = new byte[256];
      address = InetAddress.getByName(args[0]);
      // Request datagram addressed to the server's port 4445.
      packet = new DatagramPacket(buf, buf.length, address, 4445);
      socket.send(packet);

      packet = new DatagramPacket(buf, buf.length);
      socket.receive(packet);
      // Use only the bytes actually received, not the whole 256-byte buffer.
      String received = new String(packet.getData(), 0, packet.getLength());
      System.out.println("Quote of the Moment: " + received);
      …

  15. RFCs – Request for Comments • RFCs initially; now standards • 1980 TCP/IP version 1 RFC 761 • 1980 UDP - RFC 768 http://www.faqs.org/rfcs/rfc768.html • 1981 IP - RFC 791 http://www.faqs.org/rfcs/rfc791.html • 1981 TCP – RFC • 1995 SSH – RFC 793 http://www.free.lp.se/fish/rfc.txt (SSH 1) http://dmoz.org/Computers/Security/Products_and_Tools/Cryptography/SSH/Documentation/

  16. Traceroute • Traceroute traces the route a packet would take if sent to a destination. • Note that two IP datagrams sent to the same address are not guaranteed to go the same way, but usually do. • “Implemented by Van Jacobson from a suggestion by Steve Deering. Debugged by a cast of thousands …” • The IP record route option records the route taken by an IP datagram. • Traceroute is implemented using UDP, IP (TTL) and ICMP.

  17. Traceroute • IP record route option • Why not just use this? • At the time not all routers supported the Record Route option. • It is a one-way option. The receiver gets the route, but then must return it to the sender. • The size of the field for recording the path is not long enough to record many current paths (16-18 hops).

  18. Traceroute Implementation • traceroute destination • Send a UDP packet to a weird port at the destination with TTL = 1. When the packet reaches the first router, the router decrements the TTL, which becomes 0, so the router discards the packet and sends the ICMP message “time exceeded” back. This identifies the first router. • Send a UDP packet to the destination with TTL = 2. The packet goes through the first router, where the TTL is decremented to 1. It is passed to the second router on the route, which decrements the TTL to zero and sends an ICMP response that identifies the second router. • … • Continue until the packet reaches the destination. Because of the weird port number, there is no server waiting there, which causes the destination to send ICMP “unreachable”; this identifies the destination and shows that it is the last hop.
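The probing loop from slide 18 as an added Python example (not part of the original slides), run against a simulated path so it works offline without raw sockets. The path A to G follows the lecture's picture; the base port 33434 and router D staying silent are assumptions made for illustration.

```python
ICMP_TIME_EXCEEDED = 11      # sent by the router where the TTL reaches 0
ICMP_DEST_UNREACHABLE = 3    # sent by the destination: nothing listens on the probe port
BASE_PORT = 33434            # assumption: the "weird" port, classic traceroute's default base

# Constructed path from sender A to destination G, as (name, sends_icmp).
# Router D is set to send no ICMP errors, so its hop cannot be identified.
PATH = [("B", True), ("C", True), ("D", False), ("E", True), ("F", True), ("G", True)]


def simulated_probe(ttl, dport, path=PATH):
    """Stand-in for one UDP probe: returns (responder, icmp_type) or None on timeout."""
    for name, sends_icmp in path[:-1]:          # routers between sender and destination
        ttl -= 1                                # each router decrements the TTL
        if ttl == 0:                            # expired here: the packet is discarded
            return (name, ICMP_TIME_EXCEEDED) if sends_icmp else None
    return path[-1][0], ICMP_DEST_UNREACHABLE   # probe reached the destination host


def trace(send_probe, max_hops=30):
    """Raise the TTL one hop at a time until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, BASE_PORT + ttl - 1)
        if reply is None:
            hops.append((ttl, "*"))             # no answer: hop stays unidentified
            continue
        responder, icmp_type = reply
        hops.append((ttl, responder))
        if icmp_type == ICMP_DEST_UNREACHABLE:  # last hop: the destination
            break
    return hops


if __name__ == "__main__":
    for ttl, responder in trace(simulated_probe):
        print(f"{ttl:2d}  {responder}")
```

A hop shown as `*` means only that no ICMP error came back for that TTL; the later hops still answer, so the path continues past it.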

  19. Traceroute Implementation Picture • [Figure: “$ Traceroute G” across nodes A B C D E F G]

  20. IP Source Routing Option

  21. Traceroute with loose source routing • traceroute -g 129.252.44.1 yahoo.com • Traceroute to yahoo.com through 129.252.44.1 • This can be repeated up to eight times

  22. IP Routing • Routing Table – each router “knows” the next hop not the entire path • Unix/Windows: netstat -rn

  23. IP Addresses, Dotted Decimals, Names • IP addresses are 32-bit integers • A workstation has IP address of 9490592 (as unsigned) or 0x81FC0B5A in hex • Any ideas? • Nobody can remember that, so we break it up into bytes as a dotted decimal: 129.252.11.90 • But the way I really remember this workstation is “erdos.cse.sc.edu”. • This name is easy to remember.

  24. Fully Qualified Domain Names • The Domain Name System (DNS) name space is hierarchical • Root level = unnamed root • Top level domains • arpa – IP addresses, e.g., 90.11.252.129.in-addr.arpa • com – commercial • edu – educational • gov – government • mil – military • org – organizations • Names are concatenated from the bottom to the root, separated by “.”s

  25. Fully Qualified Domain Names • [Figure: DNS name-space tree. Top-level domains: arpa, com, edu, gov, mil, net, org, ae … cn, in … us, labelled as generic domains and country domains. Lower levels shown: in-addr, 129, 252, 11, 90; yahoo; sc, cse, erdos; acm; va, reston, cnri]

  26. Domain Name System • Just as ARP translates from IP addresses to Ethernet addresses (or other DLL addresses), • the Domain Name System translates from fully qualified domain names (FQDN) to IP addresses.

  27. Name Servers • Primary and secondary name servers • Root name servers • ftp.rs.internic.net or nic.ddn.mil • DNS Caching – much like ARP caching • Iterative versus sequential

  28. DNS Message Format • Identification made up by client and merely returned by the server.

  29. Flags Field of DNS header • QR (1 bit) – 0 means a query, 1 means a response • Opcode (4 bits) – 0 standard query, 1 reverse query, 2 server status request • AA (1 bit) – authoritative answer (responder is THE nameserver for the zone) • TC (1 bit) – truncated; UDP limited to 512 bytes • RD (1 bit) – recursion desired • RA (1 bit) – recursion available • Zero (3 bits) – all zero, 000 (padding, synch, expansion?) • Rcode (4 bits) – return code: 0 no error, 3 name error …
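Decoding the flags field of slide 29, together with the identification field of slide 28, as an added Python example (not part of the original slides). The 12-byte header layout with four 16-bit record counts comes from RFC 1035 rather than from the slides, and the sample headers and the function names are constructed for illustration.

```python
import struct


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte DNS header: identification, flags, four record counts."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 query, 1 response
        "opcode": (flags >> 11) & 0xF,  # 0 standard, 1 reverse, 2 server status
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated (UDP limited to 512 bytes)
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "zero": (flags >> 4) & 0x7,     # three bits, expected to be 000
        "rcode": flags & 0xF,           # 0 no error, 3 name error
        "counts": (qd, an, ns, ar),
    }


def response_findings(query: bytes, response: bytes) -> list:
    """Header checks an examiner can run on a captured query/response pair."""
    q, r = parse_header(query), parse_header(response)
    found = []
    if r["qr"] != 1:
        found.append("QR bit says query, not response")
    if r["id"] != q["id"]:
        found.append("identification does not match the query")
    if r["opcode"] != q["opcode"]:
        found.append("opcode differs from the query")
    if r["zero"] != 0:
        found.append("zero bits are set")
    if r["tc"]:
        found.append("truncated: answer did not fit in 512 bytes")
    return found


# Constructed headers only (no question or answer sections follow).
# Flags 0x0100 = RD; 0x8580 = QR, AA, RD, RA with rcode 0.
QUERY = struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
GOOD = struct.pack("!6H", 0x1A2B, 0x8580, 1, 1, 0, 0)
BAD_ID = struct.pack("!6H", 0x1A2C, 0x8580, 1, 1, 0, 0)
```

Since the server merely returns the identification the client made up, a response whose identification differs from the outstanding query was not produced in answer to it and should not be accepted or cached.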

  30. Question Format in DNS Messages

  31. Resource Record Portion of DNS Response

  32. Resource Records

  33. Caching

  34. DNS Spoofing

  35. Summary
