------------------------- Week 06 Notes for CST8165 -------------------------
-Ian! D. Allen - idallen@idallen.ca - www.idallen.com

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

Keep up on your readings (Course Outline: average 4 hours/week homework)

Review:
------
- RFC documents, IETF, "MUST", ABNF
- Internet Protocol (layer 2 in the four-layer TCP/IP model of RFC1122
  used in these notes: link, internet, transport, application; OSI
  numbers it as layer 3)
- ICMP - Internet Control Message Protocol (layer 2)
- Layer Three: TCP and UDP
  - port numbers
  - two major types: UDP (SOCK_DGRAM) or TCP (SOCK_STREAM)
  - common port numbers: 20/21, 22, 23, 25, 53, 67/68, 80, 110, 137/139, 443
- UDP (layer three) - only three pages (RFC768) on top of IP
- the TCP/UDP "pseudo header"

IETF Talk - Friday March 28 - Michael Richardson (Ottawa) will be here to
talk about what it's like to be part of the IETF and author RFC documents

----------------------------------------------------------------------------
Understanding TCP
-----------------

Ref: http://tools.ietf.org/html/rfc793 (85 pages!)
     http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html
     http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html

The TCP header is much more complex than the UDP header
  http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html#TH
- much of the TCP header (sequence and acknowledgement numbers, window)
  exists to identify the bytes carried in each segment so that lost
  segments can be detected and retransmitted
- has to handle issues dealing with reliability, flow control, congestion
- TCP uses a "pseudo-header" for the checksum; see description in the
  earlier notes (the checksum covers the IP source and destination
  addresses, the protocol number and the TCP length as well as the TCP
  header and data, so a segment delivered to the wrong host fails the check)

"TCP provides a connection oriented, reliable, byte stream service.  The
term connection-oriented means the two applications using TCP must
establish a TCP connection with each other before they can exchange data.
It is a full duplex protocol, meaning that each TCP connection supports a
pair of byte streams, one flowing in each direction.
TCP includes a flow-control mechanism for each of these byte streams that
allows the receiver to limit how much data the sender can transmit.  TCP
also implements a congestion-control mechanism."

* The Three Way Handshake - indicates the start of a TCP connection

Handshaking: 3 way open, 4 way close including SYN, ACK, FIN etc
- http://www.garykessler.net/library/tcpip.html#connect

"This three-way handshake is sometimes referred to as an exchange of "syn,
syn/ack, and ack" segments.  It is important for a number of reasons.  For
individuals looking at packet traces, recognition of the three-way
handshake is how to find the start of a connection.  For firewalls, proxy
servers, intrusion detectors, and other systems, it provides a way of
knowing the direction of a TCP connection setup since rules may differ for
outbound and inbound connections."

You can attack some servers by doing many partial ("half-open") handshakes
and exhausting TCP resources:
- syn flood attack: http://www.vijaymukhi.com/vmis/tcp.htm
- every SYN the server answers leaves a connection sitting in SYN_RCVD,
  waiting for a final ACK that never arrives; enough of them at once and
  the server has no room left to accept real clients

You can sometimes port-scan a machine undetected by failing to complete the
full 3-way handshake:
- a stealth scan is possible using nmap (requires root permissions on
  Unix, because nmap builds the SYN segments itself on a raw socket
  instead of calling connect())
- uses half-open TCP connections (never completes the 3-way handshake):
  a SYN,ACK reply means the port is open; the scanner then sends RST
  instead of the final ACK, so the listening application never gets an
  accepted connection and may never log the probe

----------------------------------------------------------------------------
TCP state transition diagram
----------------------------

http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html
http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html#ST

- client and server both start in the CLOSED state (top of diagram)
- graph arrows are labelled with transitions [event/action], where the
  event is either an incoming segment with a flag set (e.g. ACK, FIN) or
  a deliberate request from the application (e.g. "Passive Open",
  "Close", "Send"), and the action is what gets sent in response (e.g.
  SYN,ACK)

* The "three-way handshake" for a non-simultaneous connection opening:
  - a server is sitting in the LISTEN state (it did a "passive open")
  - a client does an "active open"
  1. client sends: SYN, moves to SYN_SENT
  2. server sends: SYN,ACK, moves to SYN_RCVD
  3. client sends: ACK, moves to ESTABLISHED
  4. server receives ACK and moves to ESTABLISHED
  Now both processes are in the "ESTABLISHED" state.

* A *simultaneous* TCP connection opening:
  1. both systems send SYN and move to SYN_SENT
  2. both receive the other's SYN, send SYN,ACK (RFC793 diagram has an
     error here) and move to SYN_RCVD
  3. both systems receive SYN,ACK and move to ESTABLISHED
  - RFC1122 4.2.2.8 says RFC793 has an error on what is sent on the
    transition from SYN_SENT directly to SYN_RCVD: should be sending
    SYN,ACK, not a bare ACK
      http://tools.ietf.org/html/rfc1122
  - the correction can look as if it breaks the simultaneous open, because
    the SYN_RCVD to ESTABLISHED arrow is labelled "rcv ACK of SYN" and what
    actually arrives is SYN,ACK; a SYN,ACK segment *does* carry the ACK of
    the SYN, so read that arrow as "ACK or SYN,ACK" and the open completes
  - be familiar with interpreting a TCP state diagram in RFC793
    - three-way handshake for an asymmetric (non-simultaneous) open
    - trace a simultaneous open in RFC793
  - RFC1122 section 4.2.2.10 says:
      http://tools.ietf.org/html/rfc1122
    "It sometimes surprises implementors that if two applications attempt
    to simultaneously connect to each other, only one connection is
    generated instead of two.  This was an intentional design decision;
    don't try to "fix" it."
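The three openings above traced through the state diagram in working code.  This is an added example written for these notes, not code from the course, from nmap, or from any RFC: it models only the SYN/ACK/RST transitions for opening a connection (no FIN/close), applies the RFC1122 4.2.2.8 correction on the SYN_SENT to SYN_RCVD arrow, and the endpoint names ("client", "server", "A", "B", "scanner", "target") are made up.

```python
"""Model of the RFC793 connection-opening states (added teaching example,
not from the course notes or any RFC).  Walks a normal open, a simultaneous
open and a half-open SYN-scan probe.  Only SYN, ACK and RST are modelled."""
from typing import FrozenSet, List, Optional, Tuple

Flags = FrozenSet[str]
ORDER = {"SYN": 0, "ACK": 1, "RST": 2}


def fmt(flags: Flags) -> str:
    """Render a flag set the way the notes write it, e.g. 'SYN,ACK'."""
    return ",".join(sorted(flags, key=ORDER.__getitem__))


class Endpoint:
    def __init__(self, name: str) -> None:
        self.name, self.state, self.passive = name, "CLOSED", False

    def passive_open(self) -> None:              # server side: CLOSED -> LISTEN
        assert self.state == "CLOSED"
        self.state, self.passive = "LISTEN", True

    def active_open(self) -> Flags:              # client side: -> SYN_SENT, send SYN
        assert self.state in ("CLOSED", "LISTEN")
        self.state = "SYN_SENT"
        return frozenset({"SYN"})

    def abort(self) -> Flags:
        """Tear down without the orderly FIN exchange: send RST, forget the TCB."""
        self.state = "CLOSED"
        return frozenset({"RST"})

    def receive(self, flags: Flags) -> Optional[Flags]:
        """Apply one incoming segment; return the flags to send back, if any."""
        s = self.state
        if "RST" in flags:
            if s == "LISTEN":                    # RFC793: RST in LISTEN is ignored
                return None
            # a passive opener falls back to LISTEN, an active opener to CLOSED
            self.state = "LISTEN" if (s == "SYN_RCVD" and self.passive) else "CLOSED"
            return None
        if s == "LISTEN" and flags == {"SYN"}:
            self.state = "SYN_RCVD"
            return frozenset({"SYN", "ACK"})
        if s == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.state = "ESTABLISHED"
            return frozenset({"ACK"})
        if s == "SYN_SENT" and flags == {"SYN"}:
            # simultaneous open; RFC1122 4.2.2.8: reply SYN,ACK, not a bare ACK
            self.state = "SYN_RCVD"
            return frozenset({"SYN", "ACK"})
        if s == "SYN_RCVD" and "ACK" in flags:
            # "rcv ACK of SYN": a SYN,ACK carries that ACK too, which is why
            # the simultaneous open finishes without any extra segment
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: no transition from {s} on {fmt(flags)}")


def send(src: Endpoint, dst: Endpoint, flags: Optional[Flags],
         wire: List[str]) -> Optional[Flags]:
    """Carry one segment from src to dst, log it, and return dst's reply."""
    if flags is None:
        return None
    wire.append(f"{src.name}->{dst.name} {fmt(flags)}")
    return dst.receive(flags)


def three_way_handshake() -> Tuple[str, str, List[str]]:
    client, server, wire = Endpoint("client"), Endpoint("server"), []
    server.passive_open()
    reply = send(client, server, client.active_open(), wire)   # 1. SYN
    reply = send(server, client, reply, wire)                   # 2. SYN,ACK
    send(client, server, reply, wire)                           # 3. ACK
    return client.state, server.state, wire


def simultaneous_open() -> Tuple[str, str, List[str]]:
    a, b, wire = Endpoint("A"), Endpoint("B"), []
    syn_a, syn_b = a.active_open(), b.active_open()             # both SYN_SENT
    reply_b = send(a, b, syn_a, wire)                           # B -> SYN_RCVD
    reply_a = send(b, a, syn_b, wire)                           # A -> SYN_RCVD
    send(b, a, reply_b, wire)                                   # A -> ESTABLISHED
    send(a, b, reply_a, wire)                                   # B -> ESTABLISHED
    return a.state, b.state, wire                               # one connection


def syn_scan_probe() -> Tuple[bool, str, str, List[str]]:
    """Half-open probe: SYN,ACK back means 'open'; answer with RST instead of
    the third-handshake ACK, so the target never reaches ESTABLISHED."""
    scanner, target, wire = Endpoint("scanner"), Endpoint("target"), []
    target.passive_open()
    reply = send(scanner, target, scanner.active_open(), wire)
    port_open = reply == {"SYN", "ACK"}
    if reply is not None:                 # the raw-socket scanner sees the reply
        wire.append(f"{target.name}->{scanner.name} {fmt(reply)}")
    send(scanner, target, scanner.abort(), wire)                # RST, not ACK
    return port_open, scanner.state, target.state, wire


if __name__ == "__main__":
    for scenario in (three_way_handshake, simultaneous_open, syn_scan_probe):
        print(scenario.__name__, *scenario(), sep="\n  ")
```

The simultaneous open ends with both sides ESTABLISHED after four segments and no fifth one, which is the quiz answer for "SYN_SENT receives a bare SYN" (go to SYN_RCVD, send SYN,ACK).  In the scan scenario the target goes SYN_RCVD and then straight back to LISTEN on the RST, never ESTABLISHED, so nothing above TCP is ever told about it; a SYN flood is the same SYN_RCVD state left open many times over with no RST or ACK ever sent.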
* after the three-way handshake, an open TCP connection communicates with
  ACK always set
  - the ACK bit says the 32-bit acknowledgement field is valid
  - the acknowledgement number is the sequence number of the *next* byte
    the receiver expects, i.e. one more than the highest contiguous byte
    received so far
  - in plain TCP, ACKs are cumulative - the one number indicates the
    highest *contiguous* run of successfully received bytes
  - basic TCP cannot issue out-of-sequence or selective ACKs (ACK ranges)
  - cumulative ACK says *all* previous bytes received OK; cannot
    selectively ACK ranges of bytes received (in plain vanilla TCP without
    extensions such as the SACK option of RFC2018)
  - a segment that arrives with a gap before it cannot advance the ACK
    number; the receiver just repeats the same ACK, and a sender seeing the
    same ACK over and over is how it learns that something went missing

* TCP buffering is possible; use PSH to "push" (flush) data out at either
  end: the sender sets PSH to tell the receiver to hand the data to the
  application now rather than wait to fill a buffer
  - interactive programs need to do this to get good response times

* TCP connections can be terminated with "Reset" (RST) packets: an abort
  rather than the orderly FIN/ACK close, e.g. the answer to a SYN sent to
  a port with nothing listening, or the way to abandon a half-open
  connection

----------------------------------------------------------------------------

Q: Does TCP include flow-control and/or congestion control?
Q: Can a TCP connection be one-way or must it always be two way?
Q: What purpose does the "pseudo header" serve in calculating a checksum?
Q: T/F TCP and UDP include the IP layer packet source and destination
   addresses in their checksum calculations.
Q: Describe the TCP 3-way handshake that begins a session.
Q: Outline the TCP flags used in the basic TCP three-way handshake.
   Clearly indicate which is server and which is client.
Q: How does a syn-flood attack work?
Q: How does a TCP stealth scan work?
Q: Looking at the TCP state transition diagram, into which state will a
   program move if it is currently in state SYN_SENT and it receives a TCP
   packet with just the SYN flag set?  When it makes that state transition,
   what flags will it set in the next outgoing packet?
Q: T/F The single 32-bit TCP header Acknowledgement number lets you know
   the sequence number of the last successfully received byte of data.
Q: T/F When two systems attempt simultaneous connections with each other,
   you end up with two separate TCP streams.
Q: What is the purpose of the TCP "PSH" flag?  Which kind of programs use it?
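The cumulative-ACK rules from the bullets above (and the T/F question about the acknowledgement number) in working form.  This is an added example written for these notes, not code from the course or any RFC: a receiver takes data segments, some out of order, and segment() returns the acknowledgement number a plain (no-SACK) TCP receiver would send back.  The trace in demo() (ISN 1000, four 100-byte segments with the second one delayed) is constructed.

```python
"""Receiver-side model of cumulative acknowledgement (added example for these
notes, not from the course or any RFC).  The sample trace is constructed."""
from typing import Dict, List, Tuple


class Receiver:
    def __init__(self, isn: int) -> None:
        # the peer's SYN occupies sequence number isn, so data starts at isn+1
        self.rcv_nxt = isn + 1              # RFC793 RCV.NXT: next byte expected
        self.ooo: Dict[int, bytes] = {}     # held out-of-order segments, by seq
        self.data = bytearray()             # bytes delivered in order so far

    def segment(self, seq: int, payload: bytes) -> int:
        """Accept one data segment and return the acknowledgement number.

        Plain TCP always answers with RCV.NXT: one past the last byte of the
        contiguous run received so far.  Bytes beyond a gap are kept but not
        acknowledged, and a pure duplicate just repeats the same ACK."""
        end = seq + len(payload)
        if seq > self.rcv_nxt:
            self.ooo[seq] = payload                    # gap before it: hold
        elif end > self.rcv_nxt:
            self.data += payload[self.rcv_nxt - seq:]  # drop overlapping bytes
            self.rcv_nxt = end
            while self.rcv_nxt in self.ooo:            # gap now filled: drain
                chunk = self.ooo.pop(self.rcv_nxt)
                self.data += chunk
                self.rcv_nxt += len(chunk)
        return self.rcv_nxt

    def last_byte_acked(self) -> int:
        """The 'last successfully received byte' is ACK - 1, not ACK itself."""
        return self.rcv_nxt - 1

    def sack_blocks(self) -> List[Tuple[int, int]]:
        """What the cumulative ACK cannot express: ranges received beyond the
        gap (this is what the SACK option of RFC2018, an extension, carries)."""
        blocks: List[Tuple[int, int]] = []
        for seq, payload in sorted(self.ooo.items()):
            end = seq + len(payload)
            if blocks and blocks[-1][1] == seq:        # merge adjacent holds
                blocks[-1] = (blocks[-1][0], end)
            else:
                blocks.append((seq, end))
        return blocks


def demo() -> List[Tuple[int, int, List[Tuple[int, int]]]]:
    """Constructed trace: ISN 1000, four 100-byte segments; the second is lost
    and only arrives (retransmitted) after the third and fourth.
    Returns (seq received, ACK sent, held-but-unacked ranges) per segment."""
    rx = Receiver(isn=1000)
    trace = []
    for seq in (1001, 1201, 1301, 1101):
        ack = rx.segment(seq, bytes(100))              # payload content irrelevant
        trace.append((seq, ack, rx.sack_blocks()))
    return trace


if __name__ == "__main__":
    for seq, ack, held in demo():
        print(f"rcv seq {seq}  ->  ACK {ack}   held but unacked: {held}")
```

In the trace the receiver answers 1101 three times in a row while bytes 1201 to 1400 sit in its buffer: the one cumulative number cannot say "I have those too", only "1101 is what I am still missing".  The moment the retransmitted segment 1101 arrives, everything buffered behind it drains and the ACK jumps straight to 1401.  Note also that the last byte acknowledged is 1400, not 1401, which is the point of the T/F question above.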