Page 1: Overall Event Sponsor: TCP/IP for Security Administrators Steve Riley Security Program Manager Microsoft Corporation steriley@microsoft.com SEC400.

Transcript of: TCP/IP for Security Administrators

Overall Event Sponsor:

TCP/IP for Security Administrators

Steve Riley

Security Program Manager

Microsoft Corporation

steriley@microsoft.com

SEC400

Page 2:

Why are we here?

Copenhagen in November seems like a good thing to do
  Better than cold cloudy wet Seattle
  Oh, um, er…

You’re a conference junkie and living high on what’s left of your expense account

The venerable Mark Russinovich is here, so shouldn’t we be here, too?
  For some of us that’s a disincentive!

You are a Microsoft groupie
  Well now, just who isn’t? Off with their heads!

Page 3:

Now be serious!

Security is (or will be) your job. Security is your life. You are security for your org.

If you wanna be good, there are things you have gotta know—
  How to say “I don’t know”
  How to say “That’s not allowed” without giving away the fact that you really don’t know
  How to look innocent—or mean—really, it’s situational
  How to say “It’s not my fault” even though you screwed up the configuration really good
  How to deflect blame toward others
  How to speak the language of network communications

Page 4:

Protocols? IANAG!

Ah but yes you are
  Acknowledgement is the first step toward recovery
  You’re in a room filled with like-minded Gs

“How do I become a security expert?”
  Learn everything you can about how network devices talk to each other
  Attend more conferences like this one
  Dream in TCP/IP (lucid/IP?)

Page 5:

Importance

Our goal today: to thoroughly understand important network protocols (and to boldly split infinitives)

We will explore—
  How the protocols work
  How attackers abuse them
  How to defend them

We will not—
  Have any marketing content
  Prepare you for passing some exam
  Be entirely actionable today

But you’ll thank me later!

Page 6:

The OSI model

1. physical

2. link

3. network

4. transport

5. session

6. presentation

7. application

Page 7:

The real world

Four layers are sufficiently representative

1. interface: ARP, RARP

2. network: IP, ICMP, IGMP

3. transport: TCP, UDP, IPsec

4. application: HTTP, FTP, TFTP, telnet, ping, SMTP, POP3, IMAP4, RPC, SMB, NTP, DNS, …

Page 8:

Presentation conventions

“A” and “B” represent networked hosts

Protocol format diagrams look like this:

 0               8               16              24             31
+-------------------------------+-------------------------------+
|            element            |            element            |
+-------------------------------+-------------------------------+
|                            element                            |
+---------------------------------------------------------------+

Some protocol dump examples

Page 9:

Interface Layer Protocols

Page 10:

ARP

MAC addresses are 48 bits. IP addresses are 32 bits. How to encode MAC in IP?

ARP to the rescue: resolves IP to MAC

Simple two-frame conversation
  Broadcast question; unicast response

Replies kept in a cache to reduce number of broadcasts
  Cache implements timeout because addresses do change (default 20 minutes)

Address Resolution Protocol RFC 826

Page 11:

ARP format

 0               8               16              24             31
+-------------------------------+-------------------------------+
|         hardware type         |         protocol type         |
+---------------+---------------+-------------------------------+
|   HA length   |   PA length   |           operation           |
+---------------+---------------+-------------------------------+
|                 sender MAC address (bytes 0-3)                |
+-------------------------------+-------------------------------+
|sender MAC address (bytes 4-5) | sender IP address (bytes 0-1) |
+-------------------------------+-------------------------------+
| sender IP address (bytes 2-3) |target MAC address (bytes 0-1) |
+-------------------------------+-------------------------------+
|                 target MAC address (bytes 2-5)                |
+---------------------------------------------------------------+
|                 target IP address (bytes 0-3)                 |
+---------------------------------------------------------------+

operation: 1 = ARP request, 2 = ARP reply

Page 12:

ARP operation

[Diagram: host 1.1.1.1 broadcasts “who-has 1.1.1.2?”; host 1.1.1.2 answers “1.1.1.2 is-at 00:11:22:33:44:55:66”]

Page 13:

ARP conversations

Normal: B saves A’s ARP info in cache, ready for replies
  Other machines on same subnet also save A’s ARP

00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.254 tell 192.168.99.35
00:80:c8:f8:5c:73 00:80:c8:f8:4a:51: arp reply 192.168.99.254 is-at 00:80:c8:f8:5c:73

Gratuitous: reply sent before a host is asked
  Often addressed to an upstream router or LB device

arp reply 192.168.99.35 is-at 0:80:c8:f8:4a:51 (0:80:c8:f8:4a:51)

Unsolicited: broadcast by host owning an IP address; usually at boot time
  Also good for detecting duplicate IP addresses

00:80:c8:f8:4a:51 ff:ff:ff:ff:ff:ff: arp who-has 192.168.99.35 tell 192.168.99.35


Page 16:

ARP security issues

ARP spoofing
  ARP replies are honored and cached, whether normal or gratuitous
  Can poison a host’s ARP cache with spoofed entries to force redirection
  Proxy ARP (routers) does this legitimately

ARP flooding (how to turn a switch into a hub)
  Fill a switch’s memory with bogus mappings
  Switch will flood all ports with all traffic since it doesn’t know where hosts are

Page 17:

ARP Man In The Middle attack

[Diagram: 1.1.1.1 broadcasts “who-has 1.1.1.2?” and 1.1.1.2 answers “1.1.1.2 is-at 00:11:22:33:44:55:66”; a third host then sends “1.1.1.2 is-at 99:88:77:66:55:44” to 1.1.1.1 and “1.1.1.1 is-at 99:88:77:66:55:44” to 1.1.1.2, so both hosts send their traffic through the attacker’s MAC]

Page 18:

ARP defenses

None built into protocol

arpwatch: Monitoring tool
  Must mirror all traffic on one switch port

Switch features
  Allow only one MAC address per port
    Stops people from using hubs
  Compare requests and replies to other mapping information
    Acquired from DHCP servers, DHCP snooping, manual configuration (avoid)
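Added example (not from the talk): a decoder for the ARP layout on the “ARP format” slide, plus an arpwatch-style watcher that compares each reply’s IP-to-MAC claim with a trusted table such as one learned from DHCP snooping. The packets it replays are constructed from the dump on the “ARP conversations” slide and the attacker MAC on the MITM slide; the ArpWatcher and demo names are mine.

```python
"""Decode ARP packets in the layout from the 'ARP format' slide and watch
replies arpwatch-style against a trusted IP-to-MAC table."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    operation: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(pkt: bytes) -> ArpPacket:
    """Decode the 28-byte Ethernet/IPv4 ARP body; fields as on the slide."""
    if len(pkt) < 28:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP operation {op}")
    return ArpPacket(op, _mac_str(pkt[8:14]), _ip_str(pkt[14:18]),
                     _mac_str(pkt[18:24]), _ip_str(pkt[24:28]))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encoder, used only to construct the sample packets below."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class ArpWatcher:
    """Check each reply's IP->MAC claim against a trusted table (for example
    one fed from DHCP snooping) and against the binding seen previously."""

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = dict(trusted)         # ip -> MAC we believe is right
        self.seen: Dict[str, str] = {}       # ip -> MAC last advertised on the wire
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        """Record the binding; return an alert for a suspicious reply, else None."""
        if pkt.operation != ARP_REPLY:
            return None
        alert = None
        expected = self.trusted.get(pkt.sender_ip)
        previous = self.seen.get(pkt.sender_ip)
        if expected is not None and expected != pkt.sender_mac:
            alert = (f"spoof: {pkt.sender_ip} claimed by {pkt.sender_mac}, "
                     f"trusted MAC is {expected}")
        elif previous is not None and previous != pkt.sender_mac:
            alert = f"changed: {pkt.sender_ip} moved from {previous} to {pkt.sender_mac}"
        self.seen[pkt.sender_ip] = pkt.sender_mac
        if alert:
            self.alerts.append(alert)
        return alert


def demo() -> List[str]:
    """Replay the slide's genuine reply, then a constructed poisoned reply for
    the same IP from the attacker MAC used on the MITM slide."""
    watcher = ArpWatcher({"192.168.99.254": "00:80:c8:f8:5c:73"})
    genuine = build_arp(ARP_REPLY, "00:80:c8:f8:5c:73", "192.168.99.254",
                        "00:80:c8:f8:4a:51", "192.168.99.35")
    poison = build_arp(ARP_REPLY, "99:88:77:66:55:44", "192.168.99.254",
                       "00:80:c8:f8:4a:51", "192.168.99.35")
    for raw in (genuine, poison):
        watcher.observe(parse_arp(raw))
    return watcher.alerts
```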

Page 19:

Network Layer Protocols

Page 20:

IP

IP is a lousy network protocol!

Unreliable: no delivery guarantees
  Send ICMP message to source if delivery fails

Connectionless: no state maintained
  Datagrams routed independently and in no order

Best-effort: packets not dropped capriciously

Has one job: to route datagrams
  Relies on transport layer for improvements
  Hosts must implement error detection and correction and recovery

Internet Protocol RFC 791

Page 21:

IP format

 0               8               16              24             31
+---------------+---------------+-------------------------------+
| ver | hdr len |  type of svc  |        datagram length        |
+---------------+---------------+-----+-------------------------+
|        identification         |flags|     fragment offset     |
+---------------+---------------+-----+-------------------------+
|  time to live | next protocol |        header checksum        |
+---------------+---------------+-------------------------------+
|                       source IP address                       |
+---------------------------------------------------------------+
|                    destination IP address                     |
+-----------------------------------------------+---------------+
|        options, if any (variable length)      |   (padding)   |
+-----------------------------------------------+---------------+

version: 4
TOS: differentiated services codepoints (no guarantee of honoring)
dg length, ID, flags, offset: for fragmentation (will examine later)
TTL: max. hops through network (decremented by routers); usually 32
next protocol: TCP, 6 | UDP, 17 | ICMP, 1 | IPsec AH, 51 | IPsec ESP, 50
header checksum: 16-bit one’s complement of sum
options: restrictions, record route, record timestamp, source-routing

Page 22:

IP routing

Two types of network nodes—
  Hosts: don’t forward datagrams between interfaces
  Routers: do forward datagrams between interfaces

Hosts can be routers if appropriate software is installed and enabled
  Presents security risks

Page 23:

IP routing operation

[Diagram: hosts 1.1.1.1 through 1.1.1.5 and router 1.1.1.254 on network 1.1.1.0/24. A datagram for 1.1.1.5 is delivered on the local network; a datagram for 9.8.7.6 goes to the router, which searches its routing table and decrements the TTL. Each recipient first asks “Is it to my IP?”]

Page 24:

Basic routing algorithm

Extract destination address D from datagram
Compute network prefix N
If N matches any directly-connected network address
    Deliver datagram to D over that network
Else if routing table contains a host-specific route for D
    Send datagram to next hop specified in table
Else if routing table contains a route for N
    Send datagram to next hop specified in table
Else if routing table contains a default route
    Send datagram to default router specified in table
Else declare a routing error
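Added example (not from the talk): the algorithm above carried out over a small routing table constructed for host 1.1.1.1 on the network from the “IP routing operation” diagram, with 1.1.1.254 as default router. It generalizes the “route for N” step to prefixes of any length, longest match first, rather than the classful prefix the original algorithm computed; the RoutingTable class and the other next-hop addresses are my assumptions.

```python
"""The slide's basic routing algorithm, step by step, over a small routing
table constructed for host 1.1.1.1 on network 1.1.1.0/24 (the 'IP routing
operation' diagram). The "route for N" step uses the table's own prefix
lengths, longest match first, instead of the classful prefix the original
algorithm computed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class RoutingTable:
    def __init__(self) -> None:
        self.connected: List[Net] = []                # directly attached networks
        self.host_routes: Dict[Addr, Addr] = {}       # host -> next hop
        self.net_routes: List[Tuple[Net, Addr]] = []  # (network, next hop)
        self.default: Optional[Addr] = None

    def add_connected(self, net: str) -> None:
        self.connected.append(Net(net))

    def add_host_route(self, host: str, next_hop: str) -> None:
        self.host_routes[Addr(host)] = Addr(next_hop)

    def add_net_route(self, net: str, next_hop: str) -> None:
        self.net_routes.append((Net(net), Addr(next_hop)))
        # Most specific prefix first, so the first hit is the longest match.
        self.net_routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def set_default(self, router: str) -> None:
        self.default = Addr(router)


def route(table: RoutingTable, destination: str) -> Tuple[str, str]:
    """Return (decision, address) following the slide's steps in order."""
    d = Addr(destination)
    for net in table.connected:                  # N matches a connected network
        if d in net:
            return ("direct", str(d))            # deliver to D over that network
    if d in table.host_routes:                   # host-specific route for D
        return ("next-hop", str(table.host_routes[d]))
    for net, hop in table.net_routes:            # route for N
        if d in net:
            return ("next-hop", str(hop))
    if table.default is not None:                # default route
        return ("default", str(table.default))
    return ("error", "no route to host")         # declare a routing error


def slide_table() -> RoutingTable:
    """Constructed table: on-link 1.1.1.0/24, one host route, two overlapping
    network routes, and 1.1.1.254 as default router."""
    t = RoutingTable()
    t.add_connected("1.1.1.0/24")
    t.add_host_route("5.5.5.5", "1.1.1.253")
    t.add_net_route("10.0.0.0/8", "1.1.1.252")
    t.add_net_route("10.1.0.0/16", "1.1.1.251")  # more specific; must win over /8
    t.set_default("1.1.1.254")
    return t
```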

Page 25:

Route processing

[Diagram of the IP layer: network interfaces feed the IP input queue; “our packet (one of our IP addresses or broadcast)?” yes: process IP options and hand up to ICMP, UDP or TCP; no: forward (source routing handled here) to IP output, which calculates the next-hop router (if necessary) from the routing table. The routing table is updated by a routing daemon, the route command and ICMP redirects, and read by the netstat command.]

Page 26:

IP security issues

Mostly involve spoofed addresses
  Unsigned and unencrypted in the headers
  Therefore: they are unreliable identifiers

Not useful for hiding IP addresses

Is useful for:
  Misdirecting connections (“MITM”)
  Source routing
  Denial-of-service attacks (“flooding”)
  Network attacks that don’t need to see responses (“blind spoofing”)

Page 27:

IP checksum is not security

Intended for error detection only
  A computes and adds to header
  B computes and compares to included sum
  If mismatch: B silently drops

Attacker:
  Intercepts datagram
  Spoofs addresses
  Computes new checksum
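Added example (not from the talk): the RFC 791 header checksum computed and verified as A and B do it on the slide, checked against a published header value, and then the slide’s point in code: a header whose source address was rewritten and re-summed verifies just as well as the original, so the checksum cannot be what stops spoofing. Function names and the sample addresses are my own.

```python
"""IPv4 header checksum as RFC 791 defines it (16-bit one's complement of
the one's-complement sum of the header words) and the slide's point: it
detects transmission errors, not tampering."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"                            # pad an odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header: bytes) -> int:
    """Sender side (A): compute over the header with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify(header: bytes) -> bool:
    """Receiver side (B): summing the header including the transmitted
    checksum must give all ones; anything else is silently dropped."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, ttl: int = 32,
                      total_len: int = 40, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte header (no options) with a correct checksum."""
    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0,
                      ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """What the slide's attacker does after intercepting: change the source
    address and recompute the sum. verify() cannot tell the difference, which
    is why spoofing is stopped by border filtering, not by the checksum."""
    src = bytes(int(x) for x in new_src.split("."))
    hdr = header[:12] + src + header[16:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
```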

Page 28:

Denial-of-service attacks

Let’s wait until we talk about ICMP…

Page 29:

Source routing

[Diagram: hosts 131.107.0.254, 10.0.0.254 and 10.0.0.1; a datagram labelled SA: <doesn’t matter>, DA: 10.0.0.1, SR: via 131.107.0.254]

Page 30:

IP fragmentation

Some payloads might exceed physical frame size (MTU)

IP will fragment data if necessary

Reassembled only at destination
  Transparent to transport layer

Each fragment is separate datagram
  (Possibly) independently routed
  No delivery order guarantee
  One could get lost
    All fragments must then be retransmitted

Page 31:

IP format—fragmentation

 0               8               16              24             31
+---------------+---------------+-------------------------------+
| ver | hdr len |  type of svc  |        datagram length        |
+---------------+---------------+-----+-------------------------+
|        identification         |flags|     fragment offset     |
+---------------+---------------+-----+-------------------------+
|  time to live | next protocol |        header checksum        |
+---------------+---------------+-------------------------------+
|                       source IP address                       |
+---------------------------------------------------------------+
|                    destination IP address                     |
+-----------------------------------------------+---------------+
|        options, if any (variable length)      |   (padding)   |
+-----------------------------------------------+---------------+

ID: unique for each datagram; copied into each fragment
flag1: one bit for “more fragments”; off in final fragment
flag2: one bit for “don’t fragment”; if set, IP discards datagram and returns ICMP error
offset: from beginning of original datagram (8-byte multiples)
length: of this fragment only

Page 32:

Fragmentation example

Original datagram:  IP header (20 bytes) | next hdr (20 bytes) | payload (1473 bytes)

Fragment 1:         IP header (20 bytes) | next hdr (20 bytes) | payload (1472 bytes)

Fragment 2:         IP header (20 bytes) | payload (1 byte)

Note no TCP/UDP header! Many firewalls will allow fragments through…hmm!

Page 33:

Fragmentation example

A.1234 > B.500: udp 1473 (frag 26304:1480@0+)
A > B: (frag 26304:1@1480)

frame size = 1501; must fragment
26304: identification field
1480: 1472 (payload) + 8 (UDP header)
@0: offset 0 = beginning; + = more fragments
second line: no port info
1@1480: fragment number @ byte offset
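Added example (not from the talk): the split on the two fragmentation slides reproduced in code. It fragments a UDP payload of 1473 bytes with identification 26304 for a 1500-byte MTU, prints each fragment in the tcpdump notation shown above, encodes the flags/offset field from the “IP format—fragmentation” slide, and lists which fragments a port-based firewall rule cannot match. It also handles larger payloads that need more than two fragments; the Fragment class and function names are mine.

```python
"""Work through the 'Fragmentation example' slides: split a 1473-byte UDP
payload (ID 26304) for a 1500-byte MTU, print the fragments in tcpdump's
notation, and show that only the first fragment carries port numbers."""
from dataclasses import dataclass
from typing import List

IP_HDR = 20   # bytes, no options
UDP_HDR = 8


@dataclass(frozen=True)
class Fragment:
    ident: int
    offset: int      # byte offset into the original IP payload (multiple of 8)
    length: int      # bytes of IP payload in this fragment
    more: bool       # "more fragments" flag

    @property
    def has_ports(self) -> bool:
        """A filter can read ports only from a fragment that starts at offset 0
        and holds the whole 8-byte UDP header."""
        return self.offset == 0 and self.length >= UDP_HDR


def fragment(ident: int, udp_payload: int, mtu: int = 1500) -> List[Fragment]:
    """Fragment UDP header + payload so every fragment fits the MTU; all but
    the last carry a multiple of 8 bytes so offsets fit the 13-bit field."""
    total = UDP_HDR + udp_payload
    room = mtu - IP_HDR
    if total <= room:
        return [Fragment(ident, 0, total, False)]
    chunk = (room // 8) * 8                       # 1480 for a 1500-byte MTU
    frags, offset = [], 0
    while offset < total:
        length = min(chunk, total - offset)
        frags.append(Fragment(ident, offset, length, offset + length < total))
        offset += length
    return frags


def flags_and_offset(frag: Fragment) -> int:
    """The 16-bit field from the 'IP format - fragmentation' slide:
    reserved bit, DF, MF, then the offset in 8-byte units."""
    return (0x2000 if frag.more else 0) | (frag.offset // 8)


def tcpdump_line(frag: Fragment, udp_payload: int, src="A", dst="B",
                 sport=1234, dport=500) -> str:
    tail = f"(frag {frag.ident}:{frag.length}@{frag.offset}{'+' if frag.more else ''})"
    if frag.has_ports:
        # tcpdump prints the UDP payload size taken from the UDP length field.
        return f"{src}.{sport} > {dst}.{dport}: udp {udp_payload} {tail}"
    return f"{src} > {dst}: {tail}"


def dump(ident: int, udp_payload: int, mtu: int = 1500) -> List[str]:
    return [tcpdump_line(f, udp_payload) for f in fragment(ident, udp_payload, mtu)]


def port_filter_misses(ident: int, udp_payload: int, mtu: int = 1500) -> List[Fragment]:
    """Fragments a port-only rule such as "deny udp to B:500" never matches:
    the slide's "many firewalls will allow fragments through" problem."""
    return [f for f in fragment(ident, udp_payload, mtu) if not f.has_ports]
```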

Page 34:

IP defenses

Can block nearly all attacks at border

Need five rules
  Block all inbound where SA in internal nets
  Block all outbound where SA not in internal nets
  Block all in/out where SA | DA in RFC1918 or APIPA
  Block all source-routed datagrams
  Block all datagram fragments
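Added example (not from the talk): the five rules above as one border check run over constructed datagrams, one per rule plus two legitimate flows. It assumes the organisation’s public range is 131.107.0.0/16 (the router address on the source-routing slide) and uses 203.0.113.0/24 for outside hosts; the Datagram class and rule wording are mine.

```python
"""The five border rules from the 'IP defenses' slide as one check applied to
constructed datagrams. Assumes the organisation's own public range is
131.107.0.0/16; 203.0.113.0/24 stands in for hosts on the Internet."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL = [ipaddress.IPv4Network("131.107.0.0/16")]
NEVER_ON_THE_WIRE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16")]                                  # APIPA


@dataclass
class Datagram:
    direction: str                # "in" from the Internet, "out" toward it
    src: str
    dst: str
    source_routed: bool = False   # loose/strict source route option present
    frag_offset: int = 0          # fragment offset field, 8-byte units
    more_fragments: bool = False  # MF flag


def _in_any(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in nets)


def border_check(d: Datagram) -> Optional[str]:
    """Return the rule that blocks the datagram, or None to let it pass."""
    if d.direction == "in" and _in_any(d.src, INTERNAL):
        return "rule 1: inbound datagram claims an internal source address"
    if d.direction == "out" and not _in_any(d.src, INTERNAL):
        return "rule 2: outbound datagram with a source that is not ours"
    if _in_any(d.src, NEVER_ON_THE_WIRE) or _in_any(d.dst, NEVER_ON_THE_WIRE):
        return "rule 3: RFC 1918 or APIPA address crossing the border"
    if d.source_routed:
        return "rule 4: source-routed datagram"
    if d.frag_offset > 0 or d.more_fragments:
        return "rule 5: datagram fragment"
    return None


def evaluate(datagrams: List[Datagram]) -> List[str]:
    """One log line per datagram, in firewall-log style."""
    lines = []
    for d in datagrams:
        verdict = border_check(d)
        lines.append(f"{'DROP' if verdict else 'PASS'} {d.direction:3} {d.src} -> {d.dst}"
                     + (f"  [{verdict}]" if verdict else ""))
    return lines


SAMPLE = [   # constructed traffic, one case per rule plus two legitimate flows
    Datagram("in", "131.107.5.5", "131.107.0.1"),
    Datagram("out", "10.0.0.1", "203.0.113.7"),
    Datagram("out", "131.107.0.9", "192.168.1.1"),
    Datagram("in", "203.0.113.7", "131.107.0.1", source_routed=True),
    Datagram("in", "203.0.113.7", "131.107.0.1", frag_offset=185),
    Datagram("in", "203.0.113.7", "131.107.0.1"),
    Datagram("out", "131.107.0.9", "203.0.113.7"),
]
```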

Page 35:

ICMP

IP’s “message delivery” service
  Reports errors
  Asks and answers questions

Encapsulated in IP
  Messages might need to be routed
  Considered a network layer protocol

Error reports always include first 64 bits of error-causing datagram
  Helps determine which protocol and application caused the error

Internet Control Message Protocol RFC 792

Page 36:

ICMP format

 0               8               16              24             31
+---------------+---------------+-------------------------------+
|     type      |     code      |           checksum            |
+---------------+---------------+-------------------------------+
|      content (variable length; depends on type and code)      |
+---------------------------------------------------------------+

type: message type
code: sub-message type

Page 37:

ICMP messages

Type  Code  Description                                            Query/Error
 0     0    echo reply                                             query
 3          destination unreachable                                error
       0      network unreachable
       1      host unreachable
       2      protocol unreachable
       3      port unreachable
       4      fragmentation needed but don’t-fragment bit is set
       5      source route failed
       6      destination network unknown
       7      destination host unknown
       8      source host isolated (obsolete)
       9      destination network administratively prohibited
      10      destination host administratively prohibited
      11      network unreachable for DiffServ
      12      host unreachable for DiffServ
      13      communication administratively prohibited by filtering
      14      host precedence violation
      15      precedence cutoff in effect
 4     0    source quench                                          error
 5          redirect                                               error
       0      for network
       1      for host
       2      for DiffServ and network
       3      for DiffServ and host
 8     0    echo request                                           query
 9     0    router advertisement                                   query
10     0    router solicitation                                    query
11          time exceeded                                          error
       0      TTL = 0 during transit
       1      TTL = 0 during reassembly
12          parameter problem                                      error
       0      IP header bad (catchall error)
       1      required option missing
13     0    timestamp request                                      query
14     0    timestamp reply                                        query
15     0    information request (obsolete)                         query
16     0    information reply (obsolete)                           query
17     0    address mask request                                   query
18     0    address mask reply                                     query

Page 38:

ICMP echo

 0               8               16              24             31
+---------------+---------------+-------------------------------+
|     type      |     code      |           checksum            |
+---------------+---------------+-------------------------------+
|          identifier           |        sequence number        |
+-------------------------------+-------------------------------+
|                optional data (variable length)                |
+---------------------------------------------------------------+

type: 8 = request, 0 = reply
code: 0
identifier, sequence number: for matching replies to requests
data: returned to sender

Page 39:

ICMP reconnaissance attacks

“Port unreachable” = port closed

“Host unreachable” = host doesn’t exist

Page 40:

ICMP redirect attacks

Advise hosts of better routes

Difficult to spoof
  Can come only from host’s existing DG
  Must be tied to an existing connection
  Can’t be used for unsolicited route table updates

Redirects generally aren’t used
  Best to block them
  Useful only on LANs with multiple gateways to the Internet

Page 41:

ICMP DoS attacks

Ping attacks
  Forged source address can create havoc when replies arrive

Unreachable attacks
  Forged messages can be used to reset existing connections
  netstat gives the attacker everything necessary to generate messages

Page 42:

DDoS constellation (“smurf” var.)

[Diagram with three message labels: “Wake up!”, “Ping!”, “Reply!”]

Page 43:

ICMP scanning

ICMP’s implementation-specific responses to certain queries help attackers learn about a network

Ofir Arkin’s work
  http://www.sys-security.com/html/projects/icmp.html
  http://www.sys-security.com/html/projects/X.html

Page 44:

ICMP defenses

Limit which ICMP types and codes you allow into your network

Avoid those which are little used and have better alternatives
  Redirects
  Router solicitations and advertisements
  Timestamps

Don’t permit “unreachable” messages outside your border
  Let the absence of a reply imply a problem
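Added example (not from the talk), serving the “ICMP format”, “ICMP” (error reports quote the offending datagram) and “ICMP defenses” slides: a decoder that reads type and code, recovers the protocol and ports from the quoted IP header plus first 64 bits of an error message (RFC 792 quotes the header as well as those 64 bits), and applies a border policy that drops the little-used types inbound and lets no unreachables out. The sample message and the deny sets are my construction.

```python
"""Decode ICMP messages far enough to apply the slide's defences: a
type-based border policy, and, for error messages, the quoted IP header
plus first 64 bits of the offending datagram (RFC 792), which is what names
the protocol and ports that caused the error."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ERROR_TYPES = {3: "destination unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}
UNREACH_CODES = {0: "network", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation needed but DF set", 13: "admin prohibited"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Policy from the 'ICMP defenses' slide: drop little-used types inbound
# (redirect, router solicitation/advertisement, timestamp, and the obsolete
# information and address-mask queries); never let unreachables out.
INBOUND_DENY = {5, 9, 10, 13, 14, 15, 16, 17, 18}
OUTBOUND_DENY = {3}


@dataclass
class IcmpMessage:
    type: int
    code: int
    # (src, dst, protocol, source port, destination port) of the quoted datagram
    quoted: Optional[Tuple[str, str, int, int, int]] = None


def parse_icmp(pkt: bytes) -> IcmpMessage:
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    msg = IcmpMessage(pkt[0], pkt[1])
    if msg.type in ERROR_TYPES:
        quoted = pkt[8:]                         # original IP header + 64 bits
        if len(quoted) < 20:
            raise ValueError("error message lacks the quoted IP header")
        ihl = (quoted[0] & 0x0F) * 4
        if len(quoted) < ihl + 8:
            raise ValueError("quoted datagram shorter than header + 64 bits")
        src = ".".join(str(b) for b in quoted[12:16])
        dst = ".".join(str(b) for b in quoted[16:20])
        # The 64 bits after the IP header start with the ports for TCP and UDP.
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        msg.quoted = (src, dst, quoted[9], sport, dport)
    return msg


def describe(msg: IcmpMessage) -> str:
    """Human-readable summary, naming the flow an error message refers to."""
    if msg.type not in ERROR_TYPES:
        return f"type {msg.type} code {msg.code}"
    name = ERROR_TYPES[msg.type]
    if msg.type == 3:
        name += "/" + UNREACH_CODES.get(msg.code, str(msg.code))
    src, dst, proto, sport, dport = msg.quoted
    return f"{name}: {PROTO_NAMES.get(proto, proto)} {src}:{sport} -> {dst}:{dport}"


def border_verdict(msg: IcmpMessage, direction: str) -> str:
    """'drop' or 'pass' for a message crossing the border in the given direction."""
    deny = INBOUND_DENY if direction == "in" else OUTBOUND_DENY
    return "drop" if msg.type in deny else "pass"


def sample_port_unreachable() -> bytes:
    """Constructed: a type 3 code 3 message quoting a UDP datagram from
    131.107.0.9:1234 to 203.0.113.7:500 (ports from the fragmentation slide).
    Checksum fields are left zero; they are not checked here."""
    ip_hdr = (bytes([0x45, 0x00]) + struct.pack("!H", 36) + struct.pack("!H", 26304)
              + b"\x00\x00" + bytes([32, 17]) + b"\x00\x00"
              + bytes([131, 107, 0, 9]) + bytes([203, 0, 113, 7]))
    udp_hdr = struct.pack("!HHHH", 1234, 500, 16, 0)
    return bytes([3, 3]) + b"\x00\x00" + b"\x00\x00\x00\x00" + ip_hdr + udp_hdr
```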

Page 45:

Transport Layer Protocols

Page 46:

UDP

Datagram-oriented
  vs. TCP’s stream orientation (later)

No transport reliability
  No delivery guarantees
  Some applications work better with app-level error handling

User Datagram Protocol RFC 768

Page 47:

UDP format

 0               8               16              24             31
+-------------------------------+-------------------------------+
|          source port          |       destination port        |
+-------------------------------+-------------------------------+
|            length             |           checksum            |
+-------------------------------+-------------------------------+
|                    data (variable length)                     |
+---------------------------------------------------------------+

checksum: computed over source and destination IP addresses, protocol number, length, and entire UDP packet (header and data)

Page 48:

UDP app responsibilities

Handle all error detection and correction

Understand size of underlying MTU to avoid packet fragmentation

Recover from out-of-order delivery

Track communications state between peers

Page 49:

UDP security issues

Streaming media and VoIP often use dynamic ports

Lack of a connection makes it difficult to determine flows

Page 50:

Port loopback attack (“pingpong”)

[Diagram: a spoofed datagram from A:19/udp (chargen) to B:7/udp (echo)]

Page 51:

UDP defenses

Use application-aware proxies to improve security

Don’t expose applications that you don’t need
  echo
  daytime
  chargen

Page 52:

TCP

Transmission Control Protocol, RFC 793

• Connection-oriented, reliable, full-duplex byte stream transport service
• Many decisions are made by the protocol, not the applications:
  • Segment size (amount of data per packet)
  • Acknowledgement of packet receipt
  • Retransmittal of unacknowledged packets
  • Resequencing of out-of-order packets
  • Flow control

Page 53:

TCP format

 0        8        16       24     31
 +-----------------+-----------------+
 |   source port   |destination port |
 +-----------------+-----------------+
 |          sequence number          |
 +-----------------------------------+
 |      acknowledgement number       |
 +------+------+-----+---------------+
 |header|resvd |flags|  window size  |
 |length|      |     |               |
 +------+------+-----+---------------+
 |    checksum     | urgent pointer  |
 +-----------------+-----------------+
 | options (if any), variable length |
 +-----------------------------------+
 |       data (variable length)      |
 +-----------------------------------+

seq/ack numbers: track session state; indicate which byte we’re on
flags: urgent | acknowledge | push | reset | synchronize | finish
window size: flow control
checksum: computed over source and destination IP addresses, protocol number, length, and entire TCP packet (header and data)
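As an added example, not from the slides: the pseudo-header checksum that both the UDP and the TCP format slides describe, implemented for IPv4 with a UDP builder, a minimal TCP SYN builder and a verifier. The addresses, ports and payload used are constructed.

```python
import socket
import struct

PROTO_TCP, PROTO_UDP = 6, 17

def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:                              # odd length: pad with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def transport_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol, length)
    followed by the whole UDP or TCP segment, header and data (RFC 768 / RFC 793)."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, proto, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF

def verify_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """A segment with a correct checksum sums to all ones, so its complement is 0.
    Because the pseudo-header is included, a wrong address or protocol also fails."""
    return transport_checksum(src_ip, dst_ip, proto, segment) == 0

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header: source port | destination port | length | checksum, then data."""
    length = 8 + len(payload)                      # length covers header and data
    hdr = struct.pack("!HHHH", sport, dport, length, 0)   # checksum zero while computing
    csum = transport_checksum(src_ip, dst_ip, PROTO_UDP, hdr + payload)
    if csum == 0:                                  # 0 means "no checksum" in UDP,
        csum = 0xFFFF                              # so all ones is sent instead
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
                  isn: int, window: int = 4096) -> bytes:
    """Minimal 20-byte TCP header: only SYN set (flags byte 0x02), no options."""
    def hdr(csum: int) -> bytes:                   # header length 5 words -> 0x50
        return struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, 0x02, window, csum, 0)
    return hdr(transport_checksum(src_ip, dst_ip, PROTO_TCP, hdr(0)))

def parse_udp(segment: bytes) -> dict:
    """Split a UDP segment into the fields shown on the format slide."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "data": segment[8:length]}
```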

Page 54:

TCP connection establishment (“three-way handshake”)

A sends packet to B with:
• SYN set
• Destination port number
• A’s ISN (initial sequence number)

B sends packet to A with:
• SYN set
• B’s ISN
• ACK with A’s SYN+1

A sends packet to B with:
• ACK with B’s SYN+1

Page 55:

TCP connection establishment

A.1037 > B.23: S 1415531521:1415531521(0) win 4096 <mss 1024>
B.23 > A.1037: S 1823083521:1823083521(0) ack 1415531522 win 4096 <mss 1024>
A.1037 > B.23: . ack 1823083522 win 4096

ack 1415531522 is A’s sequence number + 1; ack 1823083522 is B’s sequence number + 1

Page 56:

TCP connection termination (“four-way close”)

A sends packet to B with:
• FIN set
• A’s next sequence number

B sends packet to A with:
• ACK with A’s SYN+1

B sends packet to A with:
• FIN set
• B’s next sequence number

A sends packet to B with:
• ACK with B’s SYN+1

Page 57:

TCP connection termination

A.1037 > B.23: F 1415531522:1415531522(0) ack 1823083522 win 4096
B.23 > A.1037: . ack 1415531523 win 4096
B.23 > A.1037: F 1823083522:1823083522(0) ack 1415531523 win 4096
A.1037 > B.23: . ack 1823083523 win 4096

Page 58:

TCP connection reset

B sends packet to A with:
• RST set
• B’s next sequence number
• ACK with A’s SYN+1

• An immediate “go away”
• Never acknowledged
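Added example, not the presenter's code: a small model of the sequence-number accounting behind the handshake, close and reset slides. It replays the slides' own ISNs (1415531521 and 1823083521) and reproduces the tcpdump lines shown, minus the mss option; the RST scenario reuses those ISNs as constructed values.

```python
SYN, FIN, RST, ACK = "S", "F", "R", "."      # tcpdump flag letters used on the slides
WIN = 4096

def seq_consumed(flag: str, data_len: int) -> int:
    """SYN and FIN each consume one sequence number and data one per byte;
    a pure ACK consumes none. That is why each ack on the slides is the peer's ISN+1."""
    return data_len + (1 if flag in (SYN, FIN) else 0)

class Endpoint:
    def __init__(self, name: str, port: int, isn: int):
        self.name, self.port = name, port
        self.snd_nxt = isn          # next sequence number we will send
        self.rcv_nxt = None         # next sequence number expected from the peer

    def send(self, peer: "Endpoint", flag: str, data: bytes = b"") -> str:
        """Emit one segment in tcpdump notation and hand it to the peer."""
        first, n = self.snd_nxt, len(data)
        self.snd_nxt = (first + seq_consumed(flag, n)) & 0xFFFFFFFF
        line = f"{self.name}.{self.port} > {peer.name}.{peer.port}: {flag}"
        if flag != ACK or n:        # tcpdump prints seq:seq+len(len) unless it is a bare ack
            line += f" {first}:{first + n}({n})"
        if self.rcv_nxt is not None:
            line += f" ack {self.rcv_nxt}"
        line += f" win {WIN}"
        if flag != RST:             # a RST is "never acknowledged" and advances nothing
            peer.receive(first, seq_consumed(flag, n))
        return line

    def receive(self, seq: int, consumed: int) -> None:
        """Accept only the in-order segment (real TCP buffers out-of-order data)."""
        if self.rcv_nxt is not None and seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: got seq {seq}, expected {self.rcv_nxt}")
        self.rcv_nxt = (seq + consumed) & 0xFFFFFFFF

def handshake_and_close(isn_a=1415531521, isn_b=1823083521) -> list:
    """A.1037 opens to B.23, then both sides close (the ISNs are the slides' values)."""
    a, b = Endpoint("A", 1037, isn_a), Endpoint("B", 23, isn_b)
    return [a.send(b, SYN), b.send(a, SYN), a.send(b, ACK),                  # three-way handshake
            a.send(b, FIN), b.send(a, ACK), b.send(a, FIN), a.send(b, ACK)]  # four-way close

def reset_after_syn(isn_a=1415531521, isn_b=1823083521) -> list:
    """B refuses A's SYN with a RST carrying B's next seq and an ack of A's ISN+1."""
    a, b = Endpoint("A", 1037, isn_a), Endpoint("B", 23, isn_b)
    return [a.send(b, SYN), b.send(a, RST)]
```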

Page 59:

MSS (maximum segment size)

• Largest “chunk” of data TCP sends
• Each side announces; lower of two is chosen
• Can go as high as 1460

Ethernet frame payload (IP): 1500 bytes
IP datagram payload (TCP): 1480 bytes
TCP packet payload (data): 1460 bytes
Total length: 1536 bytes

Page 60:

TCP security issues

• SYN flooding
  • Consume memory with many half-opens
• Session hijacking
  • Source-routed packets
  • Sniffing
  • Predictable sequence numbers

Page 61:

Sequence number prediction

Messages in the diagram, in order:

1. SYN set, ISN A
2. SYN set, ISN B, ACK A
3. SYN set, ISN E, source=A
4. SYN set, ISN B, ACK E
5. “Huh?” RST
6. ACK B (predicted!), source=A

Page 62:

TCP defenses

• Better sequence number generation
  • Random
  • Cryptographic
• Changes to implementations
  • Don’t allocate resources until complete open
• Router rules to block spoofed packets
  • TCP attacks are almost always spoofed
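As an added example, not from the presentation: the keyed ISN scheme behind the “cryptographic” bullet, in the form RFC 6528 describes, beside a constructed fixed-step generator of the kind the prediction slide assumes, and a simple audit check that tells the two apart. The secret, addresses, ports and timestamps are made up; the point shown is that an ISN learned on one connection says nothing about the ISN assigned to a different 4-tuple.

```python
import hashlib
import hmac
import socket
import struct

ISN_TICK_US = 4          # the RFC 793 ISN clock advances once every 4 microseconds

def isn_rfc6528(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes, now_us: int) -> int:
    """ISN = M + F(local ip, local port, remote ip, remote port, secret).
    M is the 4 us clock; F is a keyed hash of the connection 4-tuple (RFC 6528;
    HMAC-SHA256 here, the RFC's example uses MD5). The secret never leaves the host."""
    m = (now_us // ISN_TICK_US) & 0xFFFFFFFF
    ident = struct.pack("!4sH4sH", socket.inet_aton(local_ip), local_port,
                        socket.inet_aton(remote_ip), remote_port)
    f = int.from_bytes(hmac.new(secret, ident, hashlib.sha256).digest()[:4], "big")
    return (m + f) & 0xFFFFFFFF

def isn_fixed_step(connection_no: int, now_us: int) -> int:
    """Constructed model of the older clock-plus-constant scheme (not any real stack's
    numbers): a fixed step per second and per connection, and no secret at all."""
    return (128_000 * (now_us // 1_000_000) + 64_000 * connection_no) & 0xFFFFFFFF

def isn_step_is_constant(samples: list) -> bool:
    """Audit check over ISNs a host handed to successive connections: if they all
    differ by the same amount, the next one is trivially predictable."""
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(samples, samples[1:])}
    return len(steps) == 1
```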

Page 63:

IPsec

Page 64:

Big improvement

• Eliminates conditions that permit attacks
• Authenticates peers first
  • Preshared key, digital certificate, Kerberos
• Authenticates and optionally encrypts each packet during the security association

Page 65:

Community Resources

Community Resources
http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
http://www.microsoft.com/communities/mvp

Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

User Groups - Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx

Page 66:

Microsoft Learning Security Resources for IT Professionals

Free Online Skills Assessments

Free Self-Paced E-Learning Clinics
• Clinic 2801 Microsoft Security Guidance Training I (1 day)
• Clinic 2802 Microsoft Security Guidance Training II (1 day)

Self-Paced Microsoft Press Reference Books
• Microsoft Windows Security Resource Kit, ISBN: 0-7356-1868-2
• Assessing Network Security, ISBN: 0-7356-2033-4
• Microsoft Windows Server 2003 PKI and Certificate Security, ISBN: 0-7356-2021-0

Hands-On Instructor-Led Training
• Hands On Labs 2811 Applying Microsoft Security Guidance (1 day)
• Course 2823 Implementing and Administering Security in a Windows Server 2003 Network (5 days)
• Course 2830 Designing Security for Microsoft Networks (3 days)
• Course 2824 Implementing Internet Security and Acceleration Server 2004 (4 days)

Microsoft Certified Professional Specializations

Also listed on the slide: Managing the Deployment of Service Packs and Security Updates; Protecting the Perimeter of Networks; Introduction to Microsoft Security Guidance

Page 67:

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.