1
TCP/IP Problems
  • The need for Security
2
Review of Network Models
3
IP Packet Format
4
IP Packet Fields
  • Version—Indicates the version of IP currently used.
  • IP Header Length (IHL)—Indicates the datagram header length in 32-bit words.
  • Type-of-Service—Specifies how an upper-layer protocol would like a current datagram to be handled, and assigns datagrams various levels of importance.
  • Total Length—Specifies the length, in bytes, of the entire IP packet, including the data and header.
  • Identification—Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.
  • Flags—Consists of a 3-bit field of which the two low-order (least-significant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle bit specifies whether the packet is the last fragment in a series of fragmented packets. The third or high-order bit is not used.
  • Fragment Offset—Indicates the position of the fragment's data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.
  • Time-to-Live—Maintains a counter that gradually decrements down to zero, at which point the datagram is discarded. This keeps packets from looping endlessly.
  • Protocol—Indicates which upper-layer protocol receives incoming packets after IP processing is complete.
  • Header Checksum—Helps ensure IP header integrity.
  • Source Address—Specifies the sending node.
  • Destination Address—Specifies the receiving node.
  • Options—Allows IP to support various options, such as security.
  • Data—Contains upper-layer information.
5
IP Address Format
6
TCP Packet Format
7
TCP Packet Description
  • Source Port and Destination Port—Identify the points at which upper-layer source and destination processes receive TCP services.
  • Sequence Number—Usually specifies the number assigned to the first byte of data in the current message. In the connection-establishment phase, this field can also be used to identify an initial sequence number to be used in an upcoming transmission.
  • Acknowledgment Number—Contains the sequence number of the next byte of data the sender of the packet expects to receive.
  • Data Offset—Indicates the number of 32-bit words in the TCP header.
  • Reserved—Remains reserved for future use.
  • Flags—Carries a variety of control information, including the SYN and ACK bits used for connection establishment, and the FIN bit used for connection termination.
  • Window—Specifies the size of the sender's receive window (that is, the buffer space available for incoming data).
  • Checksum—Indicates whether the header was damaged in transit.
  • Urgent Pointer—Points to the first urgent data byte in the packet.
  • Options—Specifies various TCP options.
  • Data—Contains upper-layer information.
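The two field lists above (IP Packet Fields and TCP Packet Description) map directly onto a parser. The following Python is an added example, not code from the original slides: it builds one constructed IPv4 packet carrying a TCP SYN, decodes every field named above, verifies the IP Header Checksum, and refuses header-length values (IHL, Total Length, Data Offset) that do not fit the bytes actually received, the sanity check a defender's decoder needs before trusting any length field. Fragment flag bit positions follow RFC 791 (high-order bit reserved, middle bit DF, low-order bit MF). The addresses, ports and other values are constructed for the example.

```python
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields listed on the slide; reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vi, tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vi >> 4, vi & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hlen = ihl * 4
    # IHL must cover the 20 fixed bytes, and neither IHL nor Total Length may run past the buffer.
    if hlen < 20 or tlen < hlen or tlen > len(packet):
        raise ValueError("inconsistent IHL / Total Length")
    flags3 = ff >> 13  # RFC 791 bit order: reserved, DF, MF (MF is the low-order bit)
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": tlen, "identification": ident,
        "df": bool(flags3 & 0b010), "mf": bool(flags3 & 0b001), "fragment_offset": ff & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # Summing the header with its checksum field included gives 0 only if the checksum is valid.
        "checksum_ok": ones_complement_checksum(packet[:hlen]) == 0,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": packet[20:hlen],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header fields listed on the slide; reject an inconsistent Data Offset."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_res >> 4
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("inconsistent Data Offset")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
        "reserved": off_res & 0x0F,
        "flags": frozenset(name for name, bit in TCP_FLAG_BITS.items() if flags & bit),
        "window": win, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:hlen], "payload": segment[hlen:],
    }


def parse_packet(packet: bytes):
    """Decode the IP header and, when Protocol is 6 (TCP), the segment it carries."""
    ip = parse_ipv4(packet)
    tcp = parse_tcp(packet[ip["ihl"] * 4:ip["total_length"]]) if ip["protocol"] == 6 else None
    return ip, tcp


def build_sample_packet() -> bytes:
    """Constructed sample (not from the slides): 20-byte IPv4 header + 20-byte TCP SYN, no payload."""
    # Version/IHL = 0x45, TOS, Total Length, Identification, Flags = DF with Offset 0, TTL,
    # Protocol 6 (TCP), checksum placeholder, Source Address, Destination Address
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0b010 << 13, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    # Source Port, Destination Port, Sequence Number, Acknowledgment Number, Data Offset 5 / Reserved 0,
    # Flags = SYN, Window, Checksum (left 0 here), Urgent Pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0, 5 << 4, TCP_FLAG_BITS["SYN"], 65535, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    ip, tcp = parse_packet(build_sample_packet())
    print(ip)
    print(tcp)
```

The length checks are the part worth copying: a decoder that indexes `packet[ihl * 4:]` without first confirming that IHL and Total Length fit inside the received buffer will misparse or crash on a crafted header.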
8
TCP/IP Flags
9
TCP Communications
10
TCP/IP Problems initiation
11
TCP/IP termination
12
TCP/IP Application Protocols
  • File Transfer Protocol (FTP)—Moves files between devices
  • Simple Network-Management Protocol (SNMP)—Primarily reports anomalous network conditions and sets network threshold values
  • Telnet—Serves as a terminal emulation protocol
  • X Windows—Serves as a distributed windowing and graphics system used for communication between X terminals and UNIX workstations
  • Network File System (NFS), External Data Representation (XDR), and Remote Procedure Call (RPC)—Work together to enable transparent access to remote network resources
  • Simple Mail Transfer Protocol (SMTP)—Provides electronic mail services
  • Domain Name System (DNS)—Translates the names of network nodes into network addresses
13
IP Spoofing
14
IP Spoofing and Denial of Service (DoS) Attacks
  • The attacker does not care about receiving any response from the targeted host. The denial of service occurs because the system receiving the requests becomes busy trying to establish a return communications path with the initiator (which may or may not be using a valid IP address).
  • The targeted host receives a TCP SYN and returns a SYN-ACK. It then remains in a wait state, anticipating the completion of the TCP handshake, which never happens. Each wait state consumes system resources until eventually the host cannot respond to other legitimate requests.
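One defender-side way to spot the condition this slide describes is to count, per source address, the handshakes that reached SYN but never received the client's completing ACK. The following Python is an added example, not code from the original slides: it replays a constructed log of client-to-server TCP segments, tracks half-open handshakes keyed by the connection 4-tuple, expires entries after the 75-second wait the later slide mentions, and reports sources holding an unusual number of open wait states. The log format, the addresses and the alert threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# One constructed log line per client-to-server TCP segment seen at the server (the format is an
# assumption for this example): "<seconds> <src>:<sport> -> <dst>:<dport> <FLAG[,FLAG...]>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z,]+)$"
)


def build_sample_log() -> str:
    """Constructed sample traffic (not from the slides)."""
    lines = [
        "1000.00 198.51.100.5:51000 -> 192.0.2.20:80 SYN",   # normal client: SYN ...
        "1000.02 198.51.100.5:51000 -> 192.0.2.20:80 ACK",   # ... then the completing ACK
    ]
    for i in range(8):  # one source opens 8 handshakes on different ports and completes none
        lines.append(f"1000.{10 + i:02d} 203.0.113.7:{40000 + i} -> 192.0.2.20:80 SYN")
    lines.append("1000.30 198.51.100.9:52000 -> 192.0.2.20:80 SYN")  # a second client, still mid-handshake
    return "\n".join(lines)


def half_open_by_source(log_text: str, now: float, timeout: float = 75.0) -> dict:
    """Return {source_ip: number of handshakes still in SYN_RCVD at time `now`}."""
    pending = {}  # (src, sport, dst, dport) -> time the SYN arrived
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        flags = set(m["flags"].split(","))
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if "SYN" in flags and "ACK" not in flags:
            pending[key] = float(m["ts"])       # server enters SYN_RCVD for this 4-tuple
        elif "ACK" in flags or "RST" in flags:
            pending.pop(key, None)              # handshake completed or aborted
    counts = defaultdict(int)
    for (src, _sport, _dst, _dport), syn_time in pending.items():
        if now - syn_time <= timeout:           # still holding a wait state
            counts[src] += 1
    return dict(counts)


def syn_flood_suspects(log_text: str, now: float, threshold: int = 5, timeout: float = 75.0) -> list:
    """Sources holding at least `threshold` half-open handshakes at `now`, sorted."""
    counts = half_open_by_source(log_text, now, timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print(half_open_by_source(log, now=1001.0))
    print(syn_flood_suspects(log, now=1001.0))
```

Keying on the full 4-tuple rather than the source address alone is deliberate: a single legitimate client with one slow handshake must not look like a flood, while a source that opens many half-open connections on different ports does. The per-source view is what an operator would alert on; if the source addresses are spoofed and widely scattered, the total count of live entries in `pending` is the signal instead.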
15
Denial of Service (DoS) Attacks
  • Destructive – attacks that destroy the ability of the device (e.g. router, server) to function correctly (e.g. registry change, file change, virus, shutdown)
  • Resource consumption – attacks that degrade the ability of the device to function (e.g. exceeding the maximum number of connections)
  • Bandwidth consumption – attacks that overwhelm the bandwidth capacity of the device or connection
16
Distributed Denial of Service (DDoS) Attacks
  • A coordinated combination of DoS attacks carried out by many hosts.
  • DDoS cannot be easily stopped since it is coming from multiple points (IP addresses)
  • Hard to Do? Hard to Get? Absolutely not! ftp://ftp.ntua.gr/pub/security/technotronic/denial/
17
TCP/IP Flow
18
No timers, or long timers, for some states
  • SYN_RCVD
  • CLOSE_WAIT
  • SYN / SYN+ACK – 75 seconds
19
TCP/IP Problems
  • Accepting multiple connections with a long time period for the reply
  • No authentication
  • No encryption
  • Predictable Sequence Numbers
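The last two slides point at one combined fix: a server that keeps no state for a half-open connection cannot have its SYN_RCVD wait states exhausted, and a sequence number derived from a keyed hash cannot be predicted from earlier ones. The following Python is an added example, not code from the original slides, of a simplified SYN-cookie scheme in the spirit of what production TCP stacks do: the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS index and a 24-bit HMAC over the connection 4-tuple and the client's ISN, so the handshake-completing ACK can be validated with no stored state. The bit layout, the counter period, the MSS table and the addresses are assumptions for the example; a real stack also hashes its ordinary ISNs along the lines of RFC 6528.

```python
import hashlib
import hmac
import os

# Per-server secret; a real stack rotates it. Random here so cookies differ per run (assumption).
SERVER_SECRET = os.urandom(32)
COUNTER_PERIOD = 64.0                # seconds per tick of the 5-bit time counter (assumption)
MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values encodable in the 3-bit field (assumption)


def _cookie_mac(src: str, sport: int, dst: str, dport: int, client_isn: int, counter: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, the client's ISN and the time tick."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _time_counter(now: float) -> int:
    return int(now // COUNTER_PERIOD) & 0x1F


def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC. Nothing is stored."""
    counter = _time_counter(now)
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = candidates[-1] if candidates else 0   # largest table entry not exceeding the client's MSS
    mac = _cookie_mac(src, sport, dst, dport, client_isn, counter)
    return ((counter << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_syn_cookie(src, sport, dst, dport, seq, ack, now):
    """Validate the handshake-completing ACK. Returns the negotiated MSS, or None if the cookie is bad."""
    cookie = (ack - 1) & 0xFFFFFFFF      # the client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # the client's sequence number is its ISN + 1
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_time_counter(now) - counter) & 0x1F > 1:
        return None                      # stale: issued more than about two ticks ago
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _cookie_mac(src, sport, dst, dport, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                      # forged, tampered, or replayed from another 4-tuple
    return MSS_TABLE[mss_idx]


def simulate_handshake(now: float = 5000.0):
    """Walk one handshake: client SYN, stateless server SYN-ACK, client ACK, server validation."""
    client, server = ("198.51.100.5", 51000), ("192.0.2.20", 80)   # constructed addresses
    client_isn = 0x01020304
    server_isn = make_syn_cookie(*client, *server, client_isn, 1460, now)   # SYN-ACK sequence number
    # Third packet from the client: seq = client_isn + 1, ack = server_isn + 1
    return check_syn_cookie(*client, *server, seq=client_isn + 1, ack=server_isn + 1, now=now + 1.0)


if __name__ == "__main__":
    print("negotiated MSS:", simulate_handshake())
```

Two properties follow directly from the construction: a SYN that never receives its ACK costs the server nothing beyond sending the SYN-ACK, because `make_syn_cookie` stores nothing; and an ACK whose acknowledgment number was guessed rather than derived from a SYN-ACK the sender actually received fails the MAC check, because the ISN is a function of the secret rather than of a counter an observer could extrapolate.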