CIT 380: Securing Computer Systems
TCP/IP
TCP Header
• Sequence Number: 32-bit number of the first data byte in this segment (a SYN or FIN consumes one sequence number even though it carries no data).
• Acknowledgment: next sequence number expected by the sender of the ACK; meaningful only when the ACK flag is set.
• TCP is full duplex, so both sides of a connection have their own set of sequence numbers.
• Header length (data offset): length of the header in 32-bit words (20 bytes by default, up to 60 bytes with options).
• Window size: number of bytes the receiver is willing to accept (flow control).
TCP Header Flags (Code Bits)
• URG: urgent pointer is valid
• ACK: acknowledgement number is valid
• PSH: receiver should pass the data to the application as soon as possible
• RST: reset the connection
• SYN: synchronize sequence numbers to initiate a connection
• FIN: sender is finished sending data
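The header layout and code bits above, as an added worked example (not code from the CIT 380 slides): a small Python encoder/decoder for the 20-byte fixed header and its option list, with a helper that applies the "SYN and FIN each consume one sequence number" rule that drives the ISN+1 acknowledgements in the handshake and the FIN+1 acknowledgement in termination. It also rebuilds the two segments of the snoop trace in the "Connection refused" slide; the ports, sequence numbers and options are taken from that trace, while the on-the-wire order of the options and the zero checksum are assumptions.

```python
"""Encode and decode the TCP header (fixed 20 bytes plus options).

Added example, not code from the CIT 380 slides. Segment values come from the
slide's snoop trace; option order is assumed and the checksum is left at zero
(a real checksum needs the IP pseudo-header).
"""
import struct

# Code bits in the low byte of the data-offset/flags word (RFC 793 order).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

HEADER_FMT = "!HHIIHHHH"  # src, dst, seq, ack, offset+flags, window, checksum, urgent ptr


def expected_ack(seq, payload_len, flags):
    """ACK number the peer should send back: the next byte it expects.
    SYN and FIN each occupy one sequence number although they carry no data."""
    return (seq + payload_len + ("SYN" in flags) + ("FIN" in flags)) & 0xFFFFFFFF


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options=b""):
    """Return header bytes; options are padded to a 32-bit boundary with EOL (kind 0)."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4        # header length in 32-bit words
    if data_offset > 15:
        raise ValueError("header longer than the 60-byte maximum")
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    off_flags = (data_offset << 12) | flag_bits
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, off_flags, window, 0, 0) + options


def parse_options(raw):
    """Decode the option list, refusing malformed lengths instead of reading past them."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                          # End of option list
            break
        if kind == 1:                          # No-operation (alignment padding)
            opts.append(("nop",))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:          # Maximum segment size
            opts.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 4 and length == 2:        # SACK permitted
            opts.append(("sackOK",))
        else:
            opts.append(("kind%d" % kind, body))
        i += length
    return opts


def parse_tcp_header(segment):
    """Split a TCP segment into header fields, decoded options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    src, dst, seq, ack, off_flags, window, _checksum, urg_ptr = struct.unpack(HEADER_FMT, segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset of %d bytes is inconsistent with the segment" % header_len)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": [name for name, bit in FLAG_BITS.items() if off_flags & bit],
        "window": window,
        "urgent_ptr": urg_ptr if off_flags & FLAG_BITS["URG"] else None,
        "header_len": header_len,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }


def trace_demo():
    """Rebuild and decode the two segments of the slide's 'connection refused' snoop trace."""
    syn = build_tcp_header(33048, 8192, 3848454475, 0, ["SYN"], 24820,
                           options=b"\x01\x01\x04\x02\x02\x04\x05\xb4")  # nop,nop,sackOK,mss 1460
    # Nothing listens on 8192, so the reply is RST+ACK acknowledging the client's ISN+1.
    rst = build_tcp_header(8192, 33048, 0, expected_ack(3848454475, 0, ["SYN"]), ["RST", "ACK"], 0)
    return parse_tcp_header(syn), parse_tcp_header(rst)


if __name__ == "__main__":
    for decoded in trace_demo():
        print(decoded)
```

The length checks in parse_options and parse_tcp_header are the part worth copying: a data offset below 5 words or an option length that runs past the header are exactly the malformed inputs that a packet decoder must reject rather than index through.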
TCP Connections
• Establishment: 3-way handshake; connection trace
• Termination: normal termination; connection trace; reset
Connection Establishment Protocol
• Requester (client) sends a SYN segment, specifying the port number of the server to which it wants to connect and the client’s initial sequence number (ISN).
• Server responds with a SYN segment containing the server’s ISN. The same segment (SYN+ACK) acknowledges the client’s SYN by ACKing the client’s ISN+1.
• Client acknowledges the server’s SYN by ACKing the server’s ISN+1.
Connection Establishment Test
Capture the handshake with snoop in one terminal while connecting to the SSH port with nc in another:
    at204m02> /usr/sbin/snoop sun09
    at204m02> nc sun09 22
    SSH-1.99-OpenSSH_3.7.1p2
    ^C
If no services are running on the target, start your own listener:
    at204m02> nc -l -p 8192
Connection Termination Protocol
As TCP is full duplex, each side must terminate its own half of the connection (four segments in all: a FIN and an ACK in each direction):
• One side sends a FIN segment (active close).
• The other side ACKs it with the FIN’s sequence number +1.
• Half-closed connection: the side that sent the FIN can no longer send, but it can still receive data.
• Example: ssh fasthost sort < words.txt. When ssh reaches end of file on words.txt it sends a FIN, then keeps reading until the remote sort has returned all of its output.
TCP Reset
Connection Refused
    > telnet at204m02 8192
    Trying 10.1.0.90...
    telnet: Unable to connect to remote host: Connection refused
Packet Trace
    sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
    at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0
Nothing is listening on port 8192, so at204m02 answers the SYN with a RST whose acknowledgment number is the SYN’s sequence number +1; the client reports this as "Connection refused".
TCP Reset (cont.)
Connection Abort
• Any queued data is thrown away.
• The other side is informed of the abnormal close.
Packet Detail
• One side sends a RST.
• The other side aborts the connection.
• No ACK is sent in response to a RST.
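The three behaviours described on the termination and reset slides (half-close with FIN, abort with RST, and connection refused) as an added example that is not code from the CIT 380 slides: each case is reproduced on 127.0.0.1 through the socket API, so no snoop, nc or remote hosts are needed. The listener ports are chosen by the kernel and the word list is constructed here.

```python
"""Half-close, abort and connection refused, seen from the socket API on loopback.

Added example, not code from the CIT 380 slides. Runs entirely against
127.0.0.1 on kernel-chosen ports; the input words are constructed.
"""
import socket
import struct
import threading


def _listener():
    """Bound and listening loopback socket on a port the kernel picks."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    return lst


def _serve_sort(listener):
    """Server half of the half-close demo: read until the client's FIN, then reply with sorted lines."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:                       # b"" means the client's FIN has arrived
                break
            data += chunk
        conn.sendall(b"\n".join(sorted(data.split(b"\n"))))
    # leaving the with-block closes conn, which sends the server's FIN


def half_close_demo(words):
    """Same shape as `ssh fasthost sort < words.txt`: send the input, send FIN with
    shutdown(SHUT_WR), and keep receiving on the other half, which is still open."""
    listener = _listener()
    server = threading.Thread(target=_serve_sort, args=(listener,))
    server.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall("\n".join(words).encode())
    client.shutdown(socket.SHUT_WR)             # active close of our send half only
    reply = b""
    while True:
        chunk = client.recv(4096)               # still legal after SHUT_WR
        if not chunk:                           # server's FIN
            break
        reply += chunk
    client.close()
    server.join()
    listener.close()
    return reply.decode().split("\n")


def abort_demo():
    """Close with SO_LINGER {on, 0 s}: the kernel sends RST instead of FIN and discards
    queued data, and the peer's next recv() fails with ECONNRESET instead of returning EOF."""
    listener = _listener()
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    client.close()                              # RST, not FIN
    try:
        outcome = "eof" if conn.recv(1) == b"" else "data"
    except ConnectionResetError:
        outcome = "reset"
    conn.close()
    listener.close()
    return outcome


def refused_demo():
    """SYN to a port with no listener: the host answers with RST and connect() fails with
    ECONNREFUSED. A bound but non-listening socket holds the port so nothing else takes it."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    try:
        socket.create_connection(holder.getsockname(), timeout=2).close()
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    finally:
        holder.close()


if __name__ == "__main__":
    print(half_close_demo(["pear", "apple", "fig"]))
    print(abort_demo(), refused_demo())
```

Capturing loopback with tcpdump while the script runs shows the same segments as the snoop traces on these slides: a FIN from each side in half_close_demo, a RST in abort_demo, and a SYN answered by RST+ACK in refused_demo. The distinction the code makes visible is how the two kinds of close surface to the application: a FIN is a clean recv() of zero bytes, a RST is an error (ECONNRESET) with any unread data gone.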
Half-Open Connections
Connections where one side has aborted or closed the connection without the knowledge of the other.
• Client or server host has crashed.
• DoS attack (SYN flood): requester sends a SYN and never responds to the SYN+ACK, leaving the server holding a half-open connection for each such SYN.