TCP/IP For Security Administrators
Steve Riley
Security Program Manager
Microsoft Corporation
steriley@microsoft.com

Why are we here?
Security is (or will be) your job. Security is your life. You are security for your org.
If you wanna be good, there are some things you gotta know:
- How to say "I don't know"
- How to say "That's not allowed" without giving away the fact that you really don't know
- How to say "It's not my fault" even though you screwed up the configuration really good
- How to deflect blame toward others
- How to speak the language of network communications

Protocols? IANAG!
Ah but yes you are
Acknowledgement is the first step toward recovery
You're in a room filled with like-minded Gs
"How do I become a security expert?"
- Learn everything you can about how network devices talk to each other
- Attend more conferences
- Dream in TCP/IP (lucid/IP?)

Importance
Our goal today: to thoroughly understand important network protocols (and to boldly split infinitives)
We will explore:
- How the protocols work
- How attackers abuse them
- How to defend them
We will not:
- Have any marketing content
- Prepare you for passing some (hugely bogus and useless) exam
- Be entirely actionable today
But you'll thank me later!

The OSI model
1. physical
2. link
3. network
4. transport
5. session
6. presentation
7. application

The real world
Four layers are sufficiently representative:
1. interface: ARP, RARP
2. network: IP, ICMP, IGMP (IPsec AH and ESP also belong here: they ride directly on IP as protocols 51 and 50)
3. transport: TCP, UDP
4. application: HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS, …

Presentation conventions
"A" and "B" represent networked hosts
Protocol format diagrams show the header as rows of 32 bits (bit positions 0, 8, 16, 24, 31 across the top), one named field per element
Some protocol dump examples (tcpdump style) follow the diagrams

Interface Layer Protocols

ARP
MAC addresses are 48 bits; IP addresses are 32 bits. One cannot be derived from the other, so a host needs a way to learn which MAC address goes with an IP address on its link.
ARP to the rescue: resolves IP to MAC
Simple two-frame conversation: broadcast question, unicast response
Replies are kept in a cache to reduce the number of broadcasts
Cache entries time out because addresses do change (20 minutes in classic BSD; other stacks use shorter, implementation-specific timers)
Address Resolution Protocol: RFC 826

ARP format (28 bytes for Ethernet/IPv4)
  hardware type (16 bits: 1 = Ethernet) | protocol type (16 bits: 0x0800 = IPv4)
  HA length (8 bits: 6) | PA length (8 bits: 4) | operation (16 bits)
  sender MAC address (48 bits)
  sender IP address (32 bits)
  target MAC address (48 bits)
  target IP address (32 bits)
operation: 1 = ARP request, 2 = ARP reply
In a request the target MAC is unknown and is sent as zeros; the Ethernet frame carrying it goes to the broadcast address ff:ff:ff:ff:ff:ff

ARP operation
1.1.1.1 broadcasts: who-has 1.1.1.2? (tell 1.1.1.1)
1.1.1.2 answers 1.1.1.1 directly: 1.1.1.2 is-at 00:11:22:33:44:55

ARP conversations
Normal: B saves A's ARP info in its cache, ready for replies
Other machines on the same subnet also save A's ARP info (the sender fields travel in every broadcast request)
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.254 tell 192.168.99.35
00:80:c8:f8:5c:73 00:80:c8:f8:4a:51: arp reply 192.168.99.254 is-at 00:80:c8:f8:5c:73

Gratuitous reply: a reply sent before anyone asked
Often addressed to an upstream router or load-balancing device, for instance after a failover moves an IP address to a new MAC
arp reply 192.168.99.35 is-at 0:80:c8:f8:4a:51 (0:80:c8:f8:4a:51)

Unsolicited request: broadcast by the host owning an IP address, usually at boot time (most references call this form "gratuitous ARP"; RFC 5227 calls it an ARP announcement)
Also good for detecting duplicate IP addresses: if anyone answers, the address is already in use
00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.35 tell 192.168.99.35

ARP security issues
ARP spoofing
- ARP replies are honored and cached, whether solicited or gratuitous; most stacks also refresh an existing entry from the sender fields of any request
- Can poison a host's ARP cache with spoofed entries to force redirection
- Proxy ARP (routers) does this legitimately: the router answers for addresses it can reach on the host's behalf
ARP flooding (how to turn a switch into a hub)
- Flood the switch with frames from thousands of bogus source MACs until its MAC-address (CAM) table is full
- The switch then floods all ports with traffic for any address it can no longer learn, so an attacker on any port can sniff it

ARP man-in-the-middle attack
Attacker M (MAC 99:88:77:66:55:44) sits on the same segment as 1.1.1.1 and 1.1.1.2.
1.1.1.1 broadcasts: who-has 1.1.1.2?
1.1.1.2 answers: 1.1.1.2 is-at 00:11:22:33:44:55
M sends to 1.1.1.1: 1.1.1.2 is-at 99:88:77:66:55:44
M sends to 1.1.1.2: 1.1.1.1 is-at 99:88:77:66:55:44
Both victims now address each other's traffic to M, which forwards it (after reading or altering it) so neither side notices.

ARP defenses
None built into the protocol
arpwatch: monitoring tool that records IP-to-MAC pairings and reports when one changes
- Must see all traffic: mirror the segment to the switch port it listens on
Switch features
- Allow only one MAC address per port (port security)
  - Stops people from using hubs
  - Unless they steal MAC+IP from another machine…
- Compare ARP requests and replies to other mapping information (Dynamic ARP Inspection on managed switches)
  - Acquired from DHCP servers, DHCP snooping, or manual configuration (avoid: it doesn't scale and goes stale)
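The ARP message layout from the "ARP format" slide and the arpwatch-style comparison described here, as an added example that is not part of the original deck: a parser for the 28-byte Ethernet/IPv4 ARP message, a builder so it can be fed constructed frames, and a watcher that alerts on replies nobody asked for and on IP-to-MAC pairings that change. The MACs and addresses are constructed, and the "trusted" seeding stands in for a DHCP lease table or static configuration.

```python
"""ARP parser plus a minimal arpwatch-style change detector (added example).

The frames fed to it are constructed for the demonstration; the addresses and
MACs are not from any real network.
"""
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
# hardware type, protocol type, HA length, PA length, operation,
# sender MAC, sender IP, target MAC, target IP  (28 bytes for Ethernet/IPv4)
ARP_FMT = "!HHBBH6s4s6s4s"


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build the 28-byte ARP payload (the Ethernet header is not included)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP payload; reject anything else."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP operation {op}")
    return {"op": op, "sha": _mac_str(sha), "spa": _ip_str(spa),
            "tha": _mac_str(tha), "tpa": _ip_str(tpa)}


class ArpWatcher:
    """Record IP-to-MAC pairings seen on the wire and report anomalies.

    Like arpwatch, it alerts when a known IP shows up with a new MAC. It also
    flags replies that nobody asked for (the gratuitous reply of slide 12).
    Pairings seeded from a trusted source (DHCP leases, static config; an
    assumption of this example) are never overwritten by what the wire claims.
    """

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(trusted or {})
        self.trusted = set(self.table)
        self.asked = set()  # target IPs of requests seen so far

    def observe(self, payload: bytes) -> List[str]:
        arp = parse_arp(payload)
        alerts: List[str] = []
        if arp["op"] == ARP_REQUEST:
            self.asked.add(arp["tpa"])
        elif arp["spa"] in self.asked:
            self.asked.discard(arp["spa"])      # reply matches an outstanding question
        else:
            alerts.append(f"unsolicited reply: {arp['spa']} is-at {arp['sha']}")
        # Requests and replies both carry a sender pairing that stacks will cache.
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"changed mapping: {arp['spa']} was {known}, now {arp['sha']}")
            if arp["spa"] not in self.trusted:
                self.table[arp["spa"]] = arp["sha"]  # record the flip-flop, as arpwatch does
        return alerts
```

Feed it the three frames from the MITM slide (a request, the real reply, then the attacker's reply for the same address) and the third frame produces two alerts: an unsolicited reply and a changed mapping.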

Network Layer Protocols

IP
IP is a lousy network protocol!
Unreliable: no delivery guarantees
- A router that fails to deliver may send an ICMP message to the source, but nothing obliges it to
Connectionless: no state maintained
- Datagrams are routed independently and may arrive in any order
Best-effort: packets are not dropped capriciously, only when the network must (congestion, TTL expiry, no route)
Has one job: to route datagrams
Relies on the transport layer for improvements
- Hosts must implement error detection, correction and recovery
Internet Protocol: RFC 791

IP format
  version (4 bits) | header length (4 bits, in 32-bit words) | type of service (8 bits) | datagram length (16 bits)
  identification (16 bits) | flags (3 bits) | fragment offset (13 bits)
  time to live (8 bits) | next protocol (8 bits) | header checksum (16 bits)
  source IP address (32 bits)
  destination IP address (32 bits)
  options, if any (variable length, padded to a 32-bit boundary)
version: 4
TOS: differentiated services codepoints (no guarantee of honoring)
datagram length, ID, flags, offset: for fragmentation (examined later)
TTL: maximum hops through the network (decremented by each router; the datagram is discarded when it reaches 0); the initial value is an implementation default such as 32 (Windows 95), 64 (most Unix-like systems) or 128 (Windows 2000 and later), which is why the TTL also fingerprints the sender's OS
next protocol: TCP = 6, UDP = 17, ICMP = 1, IPsec AH = 51, IPsec ESP = 50
header checksum: 16-bit one's complement of the one's-complement sum of the header words
options: security restrictions, record route, record timestamp, source routing

IP routing
Two types of network nodes:
Hosts: don't forward datagrams between interfaces
Routers: do forward datagrams between interfaces
Hosts can be routers if appropriate software is installed and enabled (IP forwarding)
- Presents security risks: a dual-homed host with forwarding on silently joins two networks, bypassing whatever filtering sits between them

IP routing operation
Network 1.1.1.0/24 contains hosts 1.1.1.1 through 1.1.1.5 and router 1.1.1.254.
Datagram for 1.1.1.5: the sender sees that the destination is on its own network and delivers it directly; every host on the segment asks only "is it to my IP?" and ignores it otherwise.
Datagram for 9.8.7.6: the destination is off-net, so the sender hands it to 1.1.1.254, which asks "is it to my IP?", then searches its routing table, decrements the TTL and forwards the datagram to the next hop.

Basic routing algorithm
1. Extract destination address D from the datagram
2. Compute network prefix N
3. If N matches any directly-connected network address, deliver the datagram to D over that network
4. Else if the routing table contains a host-specific route for D, send the datagram to the next hop specified in the table
5. Else if the routing table contains a route for N, send the datagram to the next hop specified in the table
6. Else if the routing table contains a default route, send the datagram to the default router specified in the table
7. Else declare a routing error
With CIDR, steps 3 to 6 collapse into one longest-prefix match: a host route is a /32, a connected network is its own prefix, and the default route is /0.

Route processing (IP layer, after Stevens)
Datagrams arrive from the network interfaces into the IP input queue. IP processes the options (including source routing), then asks "our packet (one of our IP addresses or broadcast)?". Yes: hand up to ICMP, UDP or TCP. No: forward it, which means IP output calculates the next-hop router (if necessary) from the routing table, and ICMP may send a redirect back to the source. The routing table is written by a routing daemon and the route command, and read with the netstat command.

IP security issues
Mostly involve spoofed addresses
- Addresses are unsigned and unencrypted in the headers
- Therefore: they are unreliable identifiers
Spoofing is not useful for hiding an IP address in a two-way conversation: replies go to the forged source, not to the attacker
It is useful for:
- Misdirecting connections ("MITM")
- Source routing
- Denial-of-service attacks ("flooding")
- Network attacks that don't need to see responses ("blind spoofing")

IP checksum is not security
Intended for error detection only:
- A computes the checksum and adds it to the header
- B computes it and compares to the included sum
- If mismatch: B silently drops
Attacker:
- Intercepts datagram
- Spoofs addresses
- Computes new checksum
The checksum involves no key, so anyone who can rewrite the header can make it valid again; only IPsec AH gives the header integrity that an attacker cannot repair.
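Added example, not the deck's own code, covering the "IP format" slide and this one: build and parse an IPv4 header, verify the RFC 791 checksum, walk the options for a source route, and perform the attacker's rewrite-the-address-and-recompute step. The addresses, identification value and the loose-source-route option are constructed sample values.

```python
"""IPv4 header builder and parser with checksum verification (added example).

Shows that the header checksum only catches accidental damage: after the
source address is forged, recomputing it yields a datagram no receiver can
distinguish from a genuine one. All addresses are constructed samples.
"""
import ipaddress
import struct

# ver/ihl, tos, total length, id, flags+offset, ttl, proto, checksum, src, dst
IP_HDR = "!BBHHHBBH4s4s"
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89  # loose / strict source and record route


def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded back into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: complement of the sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
               ident: int = 0, options: bytes = b"") -> bytes:
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    hdr = struct.pack(IP_HDR, (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def source_routed(options: bytes) -> bool:
    """Walk the option TLVs looking for LSRR/SSRR."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-operation: single byte, no length
            i += 1
            continue
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += options[i + 1]
    return False


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl]
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto, "ttl": ttl, "ident": ident,
        "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
        # A header with a correct checksum sums to 0xFFFF when the field is included.
        "checksum_ok": ones_complement_sum(header) == 0xFFFF,
        "source_routed": source_routed(header[20:]),
        "payload": pkt[ihl:total],
    }


def spoof_source(pkt: bytes, new_src: str) -> bytes:
    """The attacker's move: rewrite the source address, then recompute the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]
```

Corrupt one byte of a header and `checksum_ok` goes false, as the receiver's silent drop requires; forge the source with `spoof_source` and it is true again.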

Denial-of-service attacks
Let's wait until we talk about ICMP…

Source routing
Internal host 10.0.0.1 sits behind router 10.0.0.254; 131.107.0.254 is a router the attacker can reach.
The attacker sends: SA: <doesn't matter>, DA: 10.0.0.1, SR: via 131.107.0.254
The source-route option overrides each router's own choice of next hop, so the datagram reaches 10.0.0.1 by way of 131.107.0.254. A host answering a source-routed datagram reverses the recorded route, so replies come back along the same path even when the source address is forged: a blind spoof becomes a two-way conversation.

IP fragmentation
Some payloads might exceed the physical frame size (MTU)
IP will fragment data if necessary
Reassembled only at the destination
- Transparent to the transport layer
Each fragment is a separate datagram
- (Possibly) independently routed
- No delivery order guarantee
- One could get lost
- IP cannot retransmit a single fragment: the whole datagram is discarded at reassembly timeout, and a reliable transport retransmits all of it

IP format: fragmentation fields
(same header as before; the fields that matter here are datagram length, identification, flags and fragment offset)
ID: unique for each datagram; copied into each fragment
flags (3 bits): bit 0 reserved (must be zero); bit 1 "don't fragment" (DF): if set and the datagram doesn't fit, IP discards it and returns an ICMP error (type 3, code 4); bit 2 "more fragments" (MF): set on every fragment except the last
offset: from the beginning of the original datagram's payload, in 8-byte multiples
length: of this fragment only

Fragmentation example
Original datagram: IP header (20 bytes) + UDP header (8 bytes) + payload (1473 bytes) = 1501 bytes, one byte more than the Ethernet MTU
Fragment 1: IP header (20 bytes) + UDP header (8 bytes) + payload (1472 bytes) = 1500 bytes
Fragment 2: IP header (20 bytes) + payload (1 byte)
Note no UDP (or TCP) header in the second fragment! Many firewalls will allow fragments through…hmm!

Fragmentation example (tcpdump)
A.1234 > B.500: udp 1473 (frag 26304:1480@0+)
A > B: (frag 26304:1@1480)
Reading the first line: a UDP datagram with 1473 bytes of data; the frame would be 1501 bytes, so it must fragment; 26304 is the identification field; 1480 = 1472 (payload) + 8 (UDP header); @0 = offset at the beginning; + = more fragments
Reading the second line: no port info, because the UDP header travels only in the first fragment; 1 byte of payload @ byte offset 1480
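The arithmetic behind this dump, as an added example that is not part of the original deck: a function that splits a transport header plus data into fragments for a given MTU, records the offset in the 8-byte units the header uses, and formats each fragment the way tcpdump prints it. The 1473-byte UDP datagram and identification 26304 are the deck's own; the 28-byte-MTU case is a constructed extra that shows the "tiny fragment" problem, where even the first fragment is too short to hold a complete TCP header.

```python
"""Plan IPv4 fragments and print them tcpdump-style (added example)."""
from typing import List

IP_HEADER_LEN = 20
UDP_HEADER_LEN, TCP_HEADER_LEN = 8, 20


def fragment_plan(ident: int, transport_header_len: int, data_len: int,
                  mtu: int = 1500, ip_header_len: int = IP_HEADER_LEN) -> List[dict]:
    """Split (transport header + data) into fragments that fit the MTU.

    Every fragment except the last must carry a multiple of 8 bytes, because
    the fragment-offset field counts 8-byte units.
    """
    payload = transport_header_len + data_len   # bytes after the IP header
    room = mtu - ip_header_len
    if payload <= room:
        return [{"ident": ident, "offset": 0, "offset_field": 0, "length": payload,
                 "more": False, "has_transport_header": True,
                 "transport_header_complete": True}]
    chunk = room // 8 * 8
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        frags.append({
            "ident": ident,
            "offset": off,                  # byte offset, as tcpdump prints it
            "offset_field": off // 8,       # what actually goes in the header
            "length": size,
            "more": off + size < payload,   # the MF flag
            # Only the first fragment carries any of the transport header,
            # and only a first fragment of sufficient size carries all of it.
            "has_transport_header": off == 0,
            "transport_header_complete": off == 0 and size >= transport_header_len,
        })
        off += size
    return frags


def tcpdump_style(frag: dict) -> str:
    more = "+" if frag["more"] else ""
    return f"(frag {frag['ident']}:{frag['length']}@{frag['offset']}{more})"


if __name__ == "__main__":
    for f in fragment_plan(26304, UDP_HEADER_LEN, 1473):
        print(tcpdump_style(f), "ports visible" if f["has_transport_header"] else "no port info")
    # Tiny fragments (constructed case): with an 8-byte fragment payload the TCP
    # ports are in the first fragment but the flags are not, so a filter that
    # matches on SYN sees nothing to block.
    for f in fragment_plan(1, TCP_HEADER_LEN, 100, mtu=28)[:3]:
        print(tcpdump_style(f), "complete header" if f["transport_header_complete"] else "partial header")
```

The first loop reproduces the two lines of the dump above exactly; the second is why a border filter that must accept fragments should at least drop first fragments shorter than a full transport header.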

IP defenses
Can block nearly all attacks at the border
Need five rules:
1. Block all inbound where SA in internal nets
2. Block all outbound where SA not in internal nets
3. Block all in/out where SA | DA in RFC 1918 or APIPA (169.254.0.0/16)
4. Block all source-routed datagrams
5. Block all datagram fragments
Rules 1 and 2 are the ingress/egress filtering of BCP 38 (RFC 2827). Rule 5 will break legitimate traffic that must fragment (large DNS answers and IKE exchanges, for example); if you cannot block fragments outright, at least drop first fragments too short to hold a complete transport header and have the firewall reassemble before it filters.
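The five rules as a packet classifier, added here as an example rather than anything from the deck. It works on already-decoded datagram fields so it can sit behind any parser, evaluates the rules in the order the slide gives them, and returns which rule decided. The inside network 131.107.0.0/16 is borrowed from the source-routing diagram as a constructed example of a publicly addressed internal network; the other addresses are documentation ranges chosen for the demonstration.

```python
"""The five border rules from the 'IP defenses' slide as a classifier (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
NEVER_AT_BORDER = RFC1918 + [APIPA]


@dataclass(frozen=True)
class Datagram:
    direction: str              # "in" (arriving from outside) or "out" (leaving)
    src: str
    dst: str
    source_routed: bool = False  # LSRR/SSRR option present
    fragment: bool = False       # MF set or nonzero fragment offset


class BorderFilter:
    def __init__(self, internal_nets: Iterable[str]):
        # Constructed assumption: the inside uses public addresses, so rule 3
        # never collides with rules 1 and 2. Behind NAT, apply rule 3 only on
        # the outside interface.
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]

    def _internal(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in n for n in self.internal)

    def verdict(self, dg: Datagram) -> Tuple[bool, str]:
        """Return (permitted, rule that decided)."""
        if dg.direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        src, dst = ipaddress.ip_address(dg.src), ipaddress.ip_address(dg.dst)
        if dg.direction == "in" and self._internal(src):
            return False, "rule 1: inbound datagram claims an internal source (spoofed)"
        if dg.direction == "out" and not self._internal(src):
            return False, "rule 2: outbound datagram with a foreign source (we would be the spoofer)"
        if any(a in n for a in (src, dst) for n in NEVER_AT_BORDER):
            return False, "rule 3: RFC 1918 or APIPA address at the border"
        if dg.source_routed:
            return False, "rule 4: source-routed datagram"
        if dg.fragment:
            return False, "rule 5: fragment (no transport header to inspect)"
        return True, "permitted"


if __name__ == "__main__":
    bf = BorderFilter(["131.107.0.0/16"])
    for dg in (Datagram("in", "131.107.5.5", "131.107.0.254"),
               Datagram("in", "198.51.100.1", "131.107.0.254", fragment=True),
               Datagram("out", "131.107.0.1", "198.51.100.1")):
        print(dg.direction, dg.src, "->", dg.dst, bf.verdict(dg))
```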

ICMP
IP's "message delivery" service
- Reports errors
- Asks and answers questions
Encapsulated in IP
- Messages might need to be routed
- Considered a network layer protocol
Error reports always include the IP header plus the first 64 bits (8 bytes) of the error-causing datagram
- Helps determine which protocol and application caused the error: 8 bytes is enough to cover the TCP or UDP port numbers
Internet Control Message Protocol: RFC 792

ICMP format
  type (8 bits) | code (8 bits) | checksum (16 bits)
  content (variable length; depends on type and code)
type: message type
code: sub-message type

ICMP messages (Q = query, E = error)
Type  Code  Description
 0     0    echo reply (Q)
 3          destination unreachable (E)
       0    network unreachable
       1    host unreachable
       2    protocol unreachable
       3    port unreachable
       4    fragmentation needed but don't-fragment bit is set
       5    source route failed
       6    destination network unknown
       7    destination host unknown
       8    source host isolated (obsolete)
       9    destination network administratively prohibited
      10    destination host administratively prohibited
      11    network unreachable for DiffServ
      12    host unreachable for DiffServ
      13    communication administratively prohibited by filtering
      14    host precedence violation
      15    precedence cutoff in effect
 4     0    source quench (E; deprecated by RFC 6633, modern stacks ignore it)
 5          redirect (E)
       0    for network
       1    for host
       2    for DiffServ and network
       3    for DiffServ and host
 8     0    echo request (Q)
 9     0    router advertisement (Q)
10     0    router solicitation (Q)
11          time exceeded (E)
       0    TTL = 0 during transit
       1    fragment reassembly timer expired
12          parameter problem (E)
       0    IP header bad (pointer indicates the offending octet)
       1    required option missing
13     0    timestamp request (Q)
14     0    timestamp reply (Q)
15     0    information request (obsolete) (Q)
16     0    information reply (obsolete) (Q)
17     0    address mask request (Q)
18     0    address mask reply (Q)

ICMP echo
  type (8 bits) | code (8 bits) | checksum (16 bits)
  identifier (16 bits) | sequence number (16 bits)
  optional data (variable length)
type: 8 = request, 0 = reply
code: 0
identifier, sequence number: for matching replies to requests (typically the sending process ID and a per-request counter)
data: returned to the sender unchanged

ICMP reconnaissance attacks
"Port unreachable" (type 3, code 3) in answer to a UDP probe = port closed; no answer at all = open or filtered, which is exactly how UDP port scanners map a host
"Host unreachable" (type 3, code 1) from the last-hop router = host doesn't exist; an echo reply, or any error from the host itself, = host is up

ICMP redirect attacks
Redirects advise hosts of better routes for a specific destination
Difficult to spoof from outside the LAN:
- A host accepts a redirect only from its existing default gateway (DG)
- Must be tied to an existing connection: the quoted header must match a datagram the host actually sent
- Can't be used for unsolicited route table updates
- Anyone on the same LAN can, however, forge the gateway's source address and satisfy those checks
Redirects generally aren't used
- Best to block them at the border and disable accepting them on hosts
- Useful only on LANs with multiple gateways to the Internet

ICMP DoS attacks
Ping attacks
- A forged source address can create havoc when the replies arrive at a host that never asked
Unreachable attacks
- Forged "destination unreachable" messages (host, protocol or port unreachable) can be used to reset existing connections
- The attacker needs the connection's addresses and ports: netstat on the victim, or a sniffer on its path, gives everything necessary to generate the messages

DDoS constellation ("smurf" variant)
Wake up! The attacker sends an echo request to a network's broadcast address with the source forged as the victim.
Ping! Every host on that network receives the request.
Reply! Every host answers the victim, which drowns in echo replies it never asked for; one attacker packet becomes as many as there are hosts on the amplifier network.

ICMP scanning
ICMP's implementation-specific responses to certain queries help attackers learn about a network and fingerprint the operating systems on it
Ofir Arkin's work:
http://www.sys-security.com/html/projects/icmp.html
http://www.sys-security.com/html/projects/X.html

ICMP defenses
Limit which ICMP types and codes you allow into your network
Avoid those which are little used and have better alternatives:
- Redirects (type 5)
- Router solicitations and advertisements (types 10 and 9)
- Timestamps (types 13 and 14)
Don't permit "unreachable" messages outside your border
- Let the absence of a reply imply a problem
- Exception: type 3, code 4 ("fragmentation needed") must pass in both directions, or path MTU discovery fails and large transfers hang

Transport Layer Protocols

UDP
Datagram-oriented (vs. TCP's stream orientation, later)
No transport reliability
- No delivery guarantees
- Some applications work better with app-level error handling
User Datagram Protocol: RFC 768

UDP format
  source port (16 bits) | destination port (16 bits)
  length (16 bits) | checksum (16 bits)
  data (variable length)
checksum: computed over a pseudo-header (source and destination IP addresses, protocol number, UDP length) plus the entire UDP packet (header and data); optional in IPv4, where a zero field means "not computed"

UDP app responsibilities
- Handle all error detection and correction
- Understand the size of the underlying MTU to avoid packet fragmentation
- Recover from out-of-order delivery
- Track communications state between peers

UDP security issues
Streaming media and VoIP often use dynamic ports
Lack of a connection makes it difficult to determine flows: a stateful firewall can only approximate a UDP "session" by remembering the address and port pairs it has seen and timing them out

Port loopback attack ("pingpong")
Spoof! One forged datagram from A:19/udp (chargen) to B:7/udp (echo)
B's echo service returns the data to A's chargen port; chargen answers every datagram with a fresh stream of characters back to B's echo port; the two services bounce traffic between themselves indefinitely, and the attacker never has to send another packet

UDP defenses
Use application-aware proxies to improve security
Don't expose applications that you don't need:
- echo
- daytime
- chargen

TCP
Connection-oriented, reliable, full-duplex byte stream transport service
Many decisions are made by the protocol, not the applications:
- Segment size (amount of data per packet)
- Acknowledgement of packet receipt
- Retransmittal of unacknowledged packets
- Resequencing of out-of-order packets
- Flow control
Transmission Control Protocol: RFC 793

TCP format
  source port (16 bits) | destination port (16 bits)
  sequence number (32 bits)
  acknowledgement number (32 bits)
  header length (4 bits) | reserved (6 bits) | flags (6 bits) | window size (16 bits)
  checksum (16 bits) | urgent pointer (16 bits)
  options (if any) (variable length)
  data (variable length)
seq/ack numbers: track session state; indicate which byte we're on
flags: urgent | acknowledge | push | reset | synchronize | finish
window size: flow control
checksum: computed over source and destination IP addresses, protocol number, length, and the entire TCP packet (header and data)

TCP connection establishment ("three-way handshake")
1. A sends packet to B with: SYN set; destination port number; A's ISN (initial sequence number)
2. B sends packet to A with: SYN set; B's ISN; ACK = A's ISN + 1
3. A sends packet to B with: ACK = B's ISN + 1

TCP connection establishment (tcpdump)
A.1037 > B.23: S 1415531521:1415531521 (0) win 4096 <mss 1024>
B.23 > A.1037: S 1823083521:1823083521 (0) ack 1415531522 win 4096 <mss 1024>
A.1037 > B.23: . ack 1823083522 win 4096
ack 1415531522 = A's sequence number + 1; ack 1823083522 = B's sequence number + 1

TCP connection termination ("four-way close")
1. A sends packet to B with: FIN set; A's next sequence number
2. B sends packet to A with: ACK = A's FIN sequence number + 1
3. B sends packet to A with: FIN set; B's next sequence number
4. A sends packet to B with: ACK = B's FIN sequence number + 1

TCP connection termination (tcpdump)
A.1037 > B.23: F 1415531522:1415531522 (0) ack 1823083522 win 4096
B.23 > A.1037: . ack 1415531523 win 4096
B.23 > A.1037: F 1823083522:1823083522 (0) ack 1415531523 win 4096
A.1037 > B.23: . ack 1823083523 win 4096

TCP connection reset
B sends packet to A with: RST set; B's next sequence number; when refusing a SYN, ACK = A's ISN + 1
An immediate "go away"
Never acknowledged

MSS (maximum segment size)
Largest "chunk" of data TCP sends in one segment
Each side announces its MSS in its SYN; a sender never exceeds what its peer announced, so in practice the lower of the two is used
Can go as high as 1460 on Ethernet:
- Ethernet frame payload (IP datagram): 1500 bytes
- IP datagram payload (TCP segment): 1480 bytes, after a 20-byte IP header
- TCP segment payload (data): 1460 bytes, after a 20-byte TCP header
- Total frame length on the wire: 1518 bytes (14-byte Ethernet header + 1500 + 4-byte FCS)

TCP security issues
SYN flooding
- Consume memory with many half-open connections: the server allocates state on every SYN, and forged sources never complete the handshake
Session hijacking
- Source-routed packets
- Sniffing
- Predictable sequence numbers

Sequence number prediction
First, what E can observe or measure: A sends SYN (ISN A) to B; B answers SYN (ISN B) with ACK A+1. If B's ISNs follow a pattern (a fixed increment per connection and per unit of time), E can compute the next one.
Then the attack:
1. E sends SYN (ISN E) to B with source = A
2. B sends SYN (ISN B), ACK E+1 to A, not to E; E never sees B's ISN
3. A, which never sent a SYN, answers "Huh?" with a RST, so E must first silence A (for instance by SYN-flooding it)
4. E sends ACK B+1 (predicted!) with source = A
B now has an established connection it believes is with A, and E can send data as A without ever seeing a reply.

TCP defenses
Better sequence number generation
- Random
- Cryptographic: a keyed hash over the connection's addresses and ports plus a clock, as RFC 1948 proposed and RFC 6528 standardizes
Changes to implementations
- Don't allocate resources until the open completes (SYN cookies encode the needed state in the server's own ISN)
Router rules to block spoofed packets
- TCP attacks are almost always spoofed
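The "Sequence number prediction" attack and the ISN defenses on this slide, side by side, as an added example that is not part of the original deck. It models only the parts of TCP the two slides talk about: a listener that accepts a connection when the final ACK equals its ISN + 1, an attacker who never sees the SYN/ACK, a counter-based ISN generator, and an RFC 6528 style keyed one. It assumes the impersonated host A has already been silenced so it does not RST the half-open connection; the 64000-per-connection step, the port numbers and the secret key are constructed demo values.

```python
"""Blind TCP spoofing against predictable versus keyed ISNs (added example)."""
import hashlib
import hmac
import struct
from typing import Callable, Dict, Set, Tuple

MASK32 = 0xFFFFFFFF
ISNGen = Callable[[str, int, str, int], int]  # (local ip, local port, remote ip, remote port)


class PredictableISN:
    """Old-style generator: one global counter bumped by a fixed step per connection."""

    def __init__(self, start: int = 1_000_000, step: int = 64_000):
        self.counter, self.step = start, step

    def __call__(self, lip: str, lport: int, rip: str, rport: int) -> int:
        isn = self.counter
        self.counter = (self.counter + self.step) & MASK32
        return isn


class KeyedISN:
    """RFC 6528 style: ISN = M + F(4-tuple, secret); F is unpredictable without the key."""

    def __init__(self, secret: bytes, clock: int = 0):
        self.secret, self.clock = secret, clock

    def __call__(self, lip: str, lport: int, rip: str, rport: int) -> int:
        msg = f"{lip}:{lport}>{rip}:{rport}".encode()
        f = struct.unpack("!I", hmac.new(self.secret, msg, hashlib.sha256).digest()[:4])[0]
        self.clock += 1  # stands in for the 4-microsecond clock M
        return (self.clock + f) & MASK32


class Listener:
    """Minimal server side of the handshake."""

    def __init__(self, ip: str, port: int, isn_gen: ISNGen):
        self.ip, self.port, self.isn_gen = ip, port, isn_gen
        self.half_open: Dict[Tuple[str, int], int] = {}
        self.established: Set[Tuple[str, int]] = set()

    def on_syn(self, src: str, sport: int, client_isn: int) -> Tuple[int, int]:
        """Answer a SYN. The SYN/ACK (seq, ack) goes to src, not to whoever really sent the SYN."""
        isn = self.isn_gen(self.ip, self.port, src, sport)
        self.half_open[(src, sport)] = isn
        return isn, (client_isn + 1) & MASK32

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        isn = self.half_open.get((src, sport))
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


def blind_spoof(server: Listener, attacker_ip: str, victim_ip: str) -> bool:
    """E impersonates A against B without ever seeing B's SYN/ACK."""
    # 1. E opens a legitimate connection to learn B's current ISN.
    observed, _ = server.on_syn(attacker_ip, 40000, 1000)
    server.on_ack(attacker_ip, 40000, (observed + 1) & MASK32)
    # 2. E sends a SYN with source = A. B's SYN/ACK goes to A (silenced); E sees nothing.
    server.on_syn(victim_ip, 40001, 2000)
    # 3. E guesses that B's next ISN is the last one plus the usual step.
    guess = (observed + 64_000) & MASK32
    return server.on_ack(victim_ip, 40001, (guess + 1) & MASK32)


if __name__ == "__main__":
    for name, gen in (("predictable", PredictableISN()), ("keyed", KeyedISN(b"demo-secret"))):
        hijacked = blind_spoof(Listener("1.1.1.2", 23, gen), "1.1.1.99", "1.1.1.1")
        print(f"{name} ISN: {'connection hijacked' if hijacked else 'spoof failed'}")
```

With the counter-based generator the guess is exact and B ends up with an established connection from "A"; with the keyed generator the ISN depends on the victim's own 4-tuple and the key, so the value E observed on its own connection tells it nothing.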

© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Steve Riley
steriley@microsoft.com