Upload
isabella-mason
View
222
Download
0
Tags:
Embed Size (px)
Citation preview
The Transmission Control Protocol (TCP)
• TCP is a protocol that specifies:
– How to distinguish among multiple destinations on a given machine
– How to initiate and terminate a stream transfer
– Format of the data and acknowledgments that two computers exchange to achieve a reliable transfer
– Procedures the computers use to ensure that the data arrives correctly
Establishing a TCP Connection
• The 3-way handshake– Guarantee that both sides are ready for connection– Allows both sides to agree on initial sequence numbers
Receive SYN
Site 1 Network Site 2Send SYN seq=x
Send SYN seq=y, ACK x+1
Send ACK y+1
Receive SYN&ACK
Receive ACK
SYN Flood
• After the second message has been sent but before the third message has been received the connection is “half opened”– Most hosts store these half-opened connections in a
fixed-size table while they await the third message
– Half-opened connections are timed out after after half a minute or so
SYN Flood (cont)
• Attacker attempts to:– Fill up the half-opened connection table
• Attacker sends the victim machine a large number of SYN segments with spoofed source addresses (to nonexistent or unreachable hosts)
• Produces a large number of half-opened connections at the victim’s machine that will never become fully open
• The half-opened connection table fills and no new connections can be accepted until space is available
– Keep it full• Continue sending SYN segments to replace half-open connections as
they time out
• Result: the victim host cannot accept any other, legitimate attempts to open a connection
Land
• Attack tool exploits a vulnerability in certain TCP implementations
• Attacker creates an invalid TCP SYN segment:– Spoofed source address is identical to the destination
address– Source port is identical to the destination port
• Causes some TCP implementations to freeze or crash
• Fixed with software patches
Tribe Flood Network (TFN)
• Distributed denial of service attack tool– Newer versions have been developed (TFN2K, TFN3K,
Stacheldraht)
– Used in February, 2000 to attack several major e-commerce sites on the Web
• Similar to trinoo:– Daemon programs: listen for and execute commands from a
master
– Master programs• Control a number of daemons
• Communicate with an attacker and pass his/her commands on to daemons
TFN (cont)
• “Improvements” over trinoo:– Random protocol (TCP, UDP, or ICMP) for
communication between master and daemons
– Can send out “decoy” packets to random IP addresses to obscure the true target of the attack
– Daemons spoof the source IP address in the attack packets they send
– Daemons can attack multiple targets
– Wider variety of attacks
TFN (cont)
• Daemon attack strategies:– UDP flood (like with trinoo)
– TCP SYN flood
– ICMP ping flood
– ICMP directed broadcast flood (smurf)
– All of the above
Attacks Against Initial Sequence Numbers
• Recall: the 3-way handshake allows two communicating parties to agree on Initial Sequence Numbers (ISNs)
• What if the ISN can be guessed by a third-party?
Attacks Against ISNs (cont)
• If the ISN of an existing or future TCP connection can be determined an attacker may be able to:– Complete a 3-way handshake using a spoofed source IP
address
– Close an ongoing connection
– Hijack an ongoing connection
Scans and Probes
• Attackers typically engage in a variety of reconnaissance activities before attacking:– To identify important/interesting hosts– To identify potential vulnerabilities that could be exploited
• A port scanner is a program that tries to determine which ports have programs listening on them
• Example:– Attempts to open a TCP connection to each port in order– If a connection is made then immediately close it and record the
fact that the port is open– If the connection fails then the port is closed
Port Scanning (cont)
• Using fully-open connections to scan is likely to draw a lot of attention to the scan– Most hosts log:
• Each attempt to connect to a closed port• Each time a newly-opened connection is closed with little or no data
having been sent
• Clandestine scanning methods:– SYN scan:
• A SYN segment is sent to each port and any port that responds with a SYN+ACK segment is opened
• Instead of completing the handshake, a RST (reset) segment is sent to close the connection before it is fully opened
• Some hosts do not log half-opened connections
Closing a TCP Connection
• Applications should close a connection when they have no more data to transmit
• Connection can be closed in either one or both directions– Site 1 finishes transmitting data and waits for ACK from site 2– Site 1 transmits a segment with the FIN bit set– Site 2 acknowledges the FIN segment– Site 2 notifies the application that no more data is coming– Data can still be transmitted from site 2 to site 1– Site 1 will still receive and acknowledge data from site 2– Eventually, site 2 will finish transmitting and close its connection– Both endpoints delete record of the connection
Closing a TCP Connection (cont)
Site 1 Network Site 2
Send FIN seq=x
Receive FIN Send ACK x+1
Receive FIN&ACK
Receive ACK
Send FIN seq=y, ACK x+1
Send ACK y+1
Receive ACK
(app closes connection)
(inform application)
(app closes connection)
TCP Connection Reset
• Applications normally close connections• Sometimes abnormal conditions arise that break a
connection• Broken connections can be reset:
– Site 1 sends a segment with the RST bit set– Site 2 receives segment and aborts the connection– Transfers in both directions cease immediately– Resources for the connection are released– Applications programs are informed
Forcing Data Delivery
• TCP divides the stream of octets into segments for transmission
• This improves efficiency since octets can be buffered until a good-sized segment can be sent
• TCP provides a push operation for applications that want to force delivery of octets– Set PSH bit
– Send segment
Reserved TCP Port Numbers
• Like UDP:– Static port bindings for commonly used services
• Ports 0-1024 are reserved
– Dynamic port bindings• Port numbers over 1024
• Port numbers for services accessible by both UDP and TCP usually match– ECHO (7)
– TIME (37)
Reserved TCP Port Numbers
TCP Performance
• Silly Window Syndrome– Sender generates data quickly
– Receiver reads incoming data one octet at a time
Sender Receiver
TCP Performance (cont)
• Silly Window Syndrome– Each ACK advertises a small amount of space
– Each segment carries a small amount of data
• Problems:– Poor use of network bandwidth
– Unnecessary computational overhead
TCP Performance (cont)
• Avoiding Silly Window Syndrome– Use heuristics at sender to avoid transmitting a small
amount of data in each segment– Use heuristics at receiver to avoid sending small
window advisements
• Receive-side silly window avoidance– Monitor receive window size– Delay advertising an increase until a “significant”
increase is possible• “Significant” = min(half the window, maximum segment size)
Receive-Side Silly Window Avoidance Example
Receive 6 octets, send ACK 7 with window advisement of 0
Application reads one octet
Application reads one octet
Application reads one octet
Send window advisement of 3, receive 3 octets
Receive-Side SillyWindow Avoidance
• Two approaches:– Receiver can ACK received octets but does not
advertise an increase in its window until the increase is significant
– Receiver can not send ACKs when the window is not large enough to advertise
• Advantages/disadvantages?
Send-Side SillyWindow Avoidance
• Goal: avoid sending small segments• Application can generate data in small blocks• TCP must collect data sent by application into a
single large segment (clump) for transmission• TCP must delay sending a segment until it
contains a reasonable amount of data• How long should TCP wait before transmitting
data?
Send-Side Silly Window Avoidance (cont)
• The Nagle Algorithm:– Application generates data to be sent over a connection
that has already transmitted some data• If all previous transmissions have been acknowledged send the
data immediately
• If any ACKs are still pending do not transmit until:– Maximum segment size is reached, or
– An ACK arrives
• Self-clocking - does not compute delays• Applies even if the application requests a push
TCP Summary
• Provides reliable stream delivery service– Full duplex– Out-of-band for urgent data
• Makes efficient use of the network– Piggybacking– Sliding windows
• Efficiency• End-to-end flow control
– Acknowledgment and retransmission– Congestion recovery/avoidance