Module 10 – Intermediate TCP/IP
NIIT-ICT Hanoi info@niithanoi.vn

Overview
Students completing this module should be able to:
• Describe TCP and its function
• Describe TCP synchronization and flow control
• Describe UDP operation and processes
• Identify common port numbers
• Describe multiple conversations between hosts
• Identify ports used for services and clients
• Describe port numbering and well-known ports
• Understand the differences and the relationship between MAC addresses, IP addresses, and port numbers

TCP Operation
• IP is best-effort delivery.
• The transport layer (TCP) is responsible for reliability and flow control from source to destination.
• This is accomplished using:
  – sliding windows (flow control)
  – sequence numbers and acknowledgments (reliability)
  – synchronization (establishing a virtual circuit)
• Note: Although straightforward in concept, TCP can be a very complicated protocol in operation. Most of the details of TCP are beyond the scope of this module and presentation.

TCP Operation
• The IP packet has a Protocol field that specifies whether the segment it carries is TCP (connection-oriented) or UDP (connectionless).

IP Header (bits 0–31):
  4-bit Version | 4-bit Header Length | 8-bit Type Of Service (TOS) | 16-bit Total Length (in bytes)
  16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
  8-bit Time To Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
  32-bit Source IP Address
  32-bit Destination IP Address
  Options (if any)
  Data

• IP Protocol field = 6: the IP data is a TCP segment (TCP header + application header + data).
• IP Protocol field = 17: the IP data is a UDP datagram (UDP header + application header + data).

TCP
• TCP is a connection-oriented, reliable protocol; it provides flow control by using sliding windows, and reliability by using sequence numbers and acknowledgments.
• TCP re-sends anything that is not received and supplies a virtual circuit between end-user applications.
• The advantage of TCP is that it provides guaranteed delivery of the segments.

Synchronization or 3-way handshake
• For a connection to be established, the two end stations must synchronize on each other's initial TCP sequence numbers (ISNs).
• Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.
• The initial sequence number is the starting number used when a TCP connection is established.
• Exchanging beginning sequence numbers during the connection sequence ensures that lost data can be recovered.

TCP Header (bits 0–31):
  16-bit Source Port Number | 16-bit Destination Port Number
  32-bit Sequence Number
  32-bit Acknowledgement Number
  4-bit Header Length | 6-bit (Reserved) | URG ACK PSH RST SYN FIN | 16-bit Window Size
  16-bit TCP Checksum | 16-bit Urgent Pointer
  Options (if any)
  Data (if any)

• Only part of the TCP headers are displayed.
Packet 1: source: 130.57.20.10 dest.: 130.57.20.1
  TCP: TCP header
  TCP: Source port = 1026
  TCP: Destination port = 524
  TCP: Initial sequence number = 12952
  TCP: Next expected Seq number = 12953
  TCP: 1. = SYN
  TCP: Window = 8192
  TCP: Checksum = 1303 (correct)
  TCP: Maximum segment size = 1460 (TCP Option)
Packet 2: source: 130.57.20.1 dest: 130.57.20.10
  TCP: TCP header
  TCP: Source port = 524
  TCP: Destination port = 1026
  TCP: Initial sequence number = 2744080
  TCP: Next expected Seq number = 2744081
  TCP: Acknowledgment number = 12953
  TCP: 1. = SYN
  TCP: Window = 32768
  TCP: Checksum = D3B7 (correct)
  TCP: Maximum segment size = 1460 (TCP Option)
Packet 3: source: 130.57.20.10 dest: 130.57.20.1
  TCP: TCP header
  TCP: Source port = 1026
  TCP: Destination port = 524
  TCP: Sequence number = 12953
  TCP: Next expected Seq number = 12954
  TCP: Acknowledgment number = 2744081
  TCP: 1 = Acknowledgment
  TCP: Window = 8760
  TCP: Checksum = 493D (correct)
  TCP: No TCP options
(Note on packet 3: the trace shows 12954, but a bare ACK carries no data and consumes no sequence number, so the client's next data octet will still be numbered 12953. Only SYN and FIN consume a sequence number without carrying data, which is why packets 1 and 2 advance from their ISNs by one.)

Denial of Service (DoS) Attacks
• DoS attacks are a common method that attackers use to halt system response.
• One type of DoS is known as SYN flooding.
• SYN flooding exploits the normal three-way handshake: the targeted device sends SYN-ACKs to source addresses that will never complete the handshake.

DoS SYN Flooding Attack
• The attacker initiates a synchronization (sends a SYN) while spoofing the source IP address.
  – Spoofing (one meaning): using another's IP address, real or not.
• The receiving device replies with a SYN-ACK to the nonexistent source.
• The receiving device places the connection in a wait state (half-open) while waiting to receive the final ACK from the initiator.
• The waiting request is placed in a connection queue, a holding area in memory.
• This waiting state requires the attacked device to commit system resources, such as memory, to the waiting connection until the connection timer expires.
• The attacker floods the attacked host with these false SYN requests, consuming all of its connection resources responding to and waiting on false connections, so it cannot respond to legitimate connection requests.

DoS SYN Flooding Attack
• To defend against these attacks, system administrators may decrease the connection timeout period and increase the connection queue size. Both are partial workarounds only: a shorter timer also drops legitimate clients on slow paths, and a larger queue just raises the packet rate the attacker needs. Modern TCP stacks add SYN cookies, which encode the connection state in the server's ISN so that no queue entry is held until the final ACK arrives.
• Software also exists that can detect these types of attacks and initiate defensive measures.
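The handshake traced in the packet listing above and the SYN-flood mechanism described on the last two slides, as an added worked model (this is not code from the slides or from NIIT): a listener that queues half-open connections, answers each SYN with a SYN-ACK carrying its own ISN, and completes a connection only when the final ACK acknowledges that ISN + 1. The backlog of 128 entries, the 75-second timer, the client addresses on 130.57.20.0/24 and the spoofed sources on 203.0.113.0/24 are assumptions chosen for the demonstration, not values from the slides.

```python
import random


class Listener:
    """Server side of the three-way handshake: a SYN puts the connection into the
    half-open (SYN-RECEIVED) queue and gets a SYN-ACK; the final ACK, which must
    acknowledge the server's ISN + 1, moves it to ESTABLISHED. Every half-open
    entry holds a queue slot until that ACK arrives or the connection timer expires.
    Added model; backlog and timeout are parameters, not values from the slides."""

    def __init__(self, port, backlog=128, timeout=75.0, isn_source=None):
        self.port = port
        self.backlog = backlog
        self.timeout = timeout
        self.isn_source = isn_source or random.Random(1)  # seeded so the demo is repeatable
        self.half_open = {}      # (src_ip, src_port) -> (server ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        """Free the queue slots whose connection timer has run out."""
        for key in [k for k, (_, expiry) in self.half_open.items() if expiry <= now]:
            del self.half_open[key]

    def on_syn(self, now, src_ip, src_port, client_isn):
        """Return the SYN-ACK (seq=server ISN, ack=client ISN+1), or None if the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1   # SYN silently dropped: a real client would see a timeout
            return None
        isn = self.isn_source.getrandbits(32)
        self.half_open[(src_ip, src_port)] = (isn, now + self.timeout)
        return {"flags": ["SYN", "ACK"], "seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, now, src_ip, src_port, ack_num):
        """Complete the handshake only if the ACK number matches server ISN + 1."""
        self._expire(now)
        entry = self.half_open.get((src_ip, src_port))
        if entry is None:
            return False
        isn, _ = entry
        if ack_num != ((isn + 1) & 0xFFFFFFFF):
            return False             # bogus ACK: the sender never saw our SYN-ACK
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def client_connect(listener, now, ip, port, isn=12952):
    """A legitimate client: send SYN, receive the SYN-ACK, answer with the matching ACK."""
    synack = listener.on_syn(now, ip, port, isn)
    if synack is None:
        return False
    return listener.on_ack(now + 0.1, ip, port, (synack["seq"] + 1) & 0xFFFFFFFF)


def syn_flood(listener, now, count):
    """Attacker sends `count` SYNs from spoofed sources that never answer the SYN-ACK."""
    for i in range(count):
        listener.on_syn(now, "203.0.113.%d" % (i % 254 + 1), 1024 + i, 0)


def scenario(backlog=128, timeout=75.0, flood=1000, retry_at=12.0):
    """One legitimate connect, then a flood, then a legitimate SYN during the flood
    and another one at `retry_at` seconds. Returns what each client saw."""
    srv = Listener(port=524, backlog=backlog, timeout=timeout)
    before = client_connect(srv, 0.0, "130.57.20.10", 1026)
    syn_flood(srv, 1.0, flood)
    during = client_connect(srv, 2.0, "130.57.20.11", 1027)
    later = client_connect(srv, retry_at, "130.57.20.12", 1028)
    return {"before": before, "during": during, "later": later,
            "half_open": len(srv.half_open), "dropped": srv.dropped_syns}
```

With the defaults, `scenario()` shows the queue pinned at 128 half-open entries and every later legitimate SYN dropped until the 75-second timer frees them; `scenario(timeout=10.0)` lets the client that retries at 12 seconds in, and `scenario(backlog=2000)` absorbs this particular flood outright. Both knobs only move the threshold; the model does not implement SYN cookies, which avoid holding state for the half-open entry at all.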
• If a flood of incoming request packets has invalid source IP addresses, sessions never get established and remain as half-open connections. Many TCP implementations are only able to handle a small number of outstanding connections per port, so these ports are effectively unavailable until the half-open connections time out (typically 75 seconds). Additionally, this attack may also cause the server to exhaust its memory or waste processor cycles maintaining state information on these connections.
• Firewall vendors such as Checkpoint, Cisco, and Raptor have incorporated features into their products to shield your downstream systems from SYN attacks.

For more information (Cisco):
  The Cisco IOS TCP Intercept
  http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/576_pp.htm
  TCP Intercept Commands
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt3/srdenl.htm

Windowing and Window Sizes
• Both of these figures are examples of simple windowing.
• This is not an example of sliding windows.
• Window size refers to the number of bytes that are transmitted before receiving an acknowledgment.
• After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more data can be sent.
• The window size determines how much data the receiving station can accept at one time.

Simple Windowing
• TCP is responsible for breaking data into segments.
• With a window size of 1, each segment carries only one byte of data and must be acknowledged before another segment is transmitted. This results in inefficient use of bandwidth.
• The purpose of windowing is to improve flow control and reliability.
• Unfortunately, with a window size of 1, you see a very inefficient use of bandwidth.
Simple Windowing – TCP Window Size
• TCP uses a window size, in bytes, that the receiver is willing to accept; it is usually controlled by the receiving process.
• TCP uses expectational acknowledgments, meaning that the acknowledgment number refers to the next byte that the sender of the acknowledgment expects to receive.
• A larger window size allows more data to be transmitted pending acknowledgment.
• Note: The sequence number being sent identifies the first byte of data in that segment.

Simple Windowing – TCP Full-duplex Service: Independent Data Flows
• TCP provides full-duplex service, which means data can be flowing in each direction, independent of the other direction.
• Window sizes, sequence numbers and acknowledgment numbers are independent for each direction's data flow.
• The receiver sends an acceptable window size to the sender in each segment it transmits (flow control):
  – if too much data is being sent, the acceptable window size is reduced
  – if more data can be handled, the acceptable window size is increased
• This is known as a Stop-and-Wait windowing protocol.

Sliding Windows
• Note: The following slides on Sliding Windows contain corrections to the on-line curriculum, followed by my slides on Sliding Windows.

Sliding Window Protocol
• Sliding window algorithms are a method of flow control for network data transfers using the receiver's window size.
• The sender computes its usable window, which is how much data it can immediately send.
• Over time, this sliding window moves to the right as the receiver acknowledges data.
• The receiver sends acknowledgements as its TCP receive buffer empties.
• The terms used to describe the movement of the left and right edges of this sliding window are (these will be demonstrated in the following slides):
  1. The left edge closes (moves to the right) when data is sent and acknowledged.
  2. The right edge opens (moves to the right), allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
  3. The middle edge moves to the right as data is sent but not yet acknowledged.
(Figure: the window is divided into "Octets sent, not ACKed" and "Usable window, can send ASAP"; the initial window size and the working window size are shown.)

Sliding Windows (Host A – Sender, Host B – Receiver; octets 1 through 13)
Host B gives Host A a window size of 6 (octets or bytes). Host A begins by sending octets to Host B: octets 1, 2, and 3, and slides its window over showing it has sent those 3 octets. Host A will not increase its usable window size by 3 until it receives an acknowledgement from Host B that it has received some or all of the octets. Host B, not waiting for all 6 octets to arrive, sends an expectational acknowledgement of "4" (ACK 4) to Host A after receiving the third octet.
Host A does not have to wait for an acknowledgement from Host B to keep sending data, as long as the number of octets sent but not acknowledged has not reached the window size of 6, so it sends octets 4 and 5. Host A then receives ACK 4 and can slide its window over so that it again spans 6 octets (4 through 9): 2 octets sent but not ACKed (4 and 5) plus 4 octets which can be sent ASAP (6 through 9).
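The Host A / Host B walk-through above, as an added simulation that is not part of the slides: a sender that tracks the three edges of the window and a receiver that answers with expectational ACKs, replayed with the slides' window size of 6 and octets 1 through 13. The zero-window stall and the window update at the end go beyond the slides' figures and illustrate the "acceptable window size is reduced / increased" bullets; octet numbering from 1 is the slides' convention (a real TCP stack numbers bytes with 32-bit sequence numbers).

```python
class Sender:
    """Host A from the slides: keeps the left, middle and right edges of the sliding window."""

    def __init__(self, total_octets, window):
        self.total = total_octets
        self.window = window   # window size most recently advertised by the receiver
        self.una = 1           # left edge: oldest octet sent but not yet acknowledged
        self.nxt = 1           # middle edge: next octet to send

    @property
    def right_edge(self):
        return self.una + self.window   # first octet the receiver has not allowed yet

    @property
    def usable(self):
        return max(0, self.right_edge - self.nxt)   # "can send ASAP"

    def send(self, count):
        """Send up to count octets, never beyond the usable window or the end of the data."""
        n = min(count, self.usable, self.total + 1 - self.nxt)
        octets = list(range(self.nxt, self.nxt + n))
        self.nxt += n          # middle edge moves right
        return octets

    def ack(self, ack_num, window=None):
        """Process an expectational ACK: ack_num is the next octet the receiver expects."""
        if self.una < ack_num <= self.nxt:
            self.una = ack_num     # left edge closes
        if window is not None:
            self.window = window   # right edge opens, or the receiver shrinks it
        return self.usable


class Receiver:
    """Host B: accepts in-order octets and answers with the next octet it expects."""

    def __init__(self):
        self.expected = 1

    def receive(self, octets):
        for o in octets:
            if o == self.expected:    # out-of-order or duplicate octets are not acknowledged
                self.expected += 1
        return self.expected          # expectational ACK number


def walk_through():
    """Replay the slides' scenario. Each log entry is (event, value, una, nxt, usable)."""
    a, b, log = Sender(13, 6), Receiver(), []

    def record(event, value):
        log.append((event, value, a.una, a.nxt, a.usable))

    seg = a.send(3)                  # octets 1, 2, 3; 3 octets remain usable
    record("send", seg)
    ack = b.receive(seg)             # Host B answers ACK 4
    record("recv->ack", ack)
    seg = a.send(2)                  # 4 and 5 go out before ACK 4 arrives
    record("send", seg)
    a.ack(ack)                       # left edge closes to 4, usable grows to 4
    record("ack", ack)
    ack = b.receive(seg)             # ACK 6
    record("recv->ack", ack)
    seg = a.send(2)                  # 6 and 7
    record("send", seg)
    a.ack(ack)
    record("ack", ack)
    ack = b.receive(seg)             # ACK 8
    record("recv->ack", ack)
    seg = a.send(10)                 # capped by the usable window: only 8..11 go out
    record("send", seg)
    ack = b.receive(seg)             # ACK 12
    record("recv->ack", ack)
    a.ack(ack, window=0)             # receiver buffer full: window shrinks to 0
    record("ack(window=0)", ack)
    seg = a.send(5)                  # nothing may be sent
    record("send", seg)
    a.ack(ack, window=6)             # window update reopens the right edge
    record("ack(window=6)", ack)
    seg = a.send(5)                  # only octets 12 and 13 remain
    record("send", seg)
    return log
```

Reading the log next to the slides: the usable window drops from 3 to 1 while 4 and 5 are in flight, jumps back to 4 when ACK 4 closes the left edge, and the oversized `send(10)` is cut to what the right edge allows.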
(Figure: Host A sends octets 4 and 5; Host B replies ACK 6.)
[...]
(Figure residue from the sliding-window sequence, octets 1–13: "Octets sent, not ACKed", "Usable window, can send ASAP", window size = 6, ACK 4, ACK 6 ... ACK 8.)

Port Numbers
– Numbers below 255 are reserved for public applications
– Numbers from 255-1023 are assigned to companies for marketable applications
– Numbers above 1023 are unregulated (RFC)
The range for assigned ports managed by the IANA is 0-1023: http://www.iana.org/assignments/port-numbers
– The Well Known Ports are those from 0 through 1023 (This is updated information as of 11-13-2002. Before then, 0 – 255 were...

UDP Operation
Port Numbers (TCP and UDP)
Port Numbers
• Port numbers are used to know which application the receiving host should pass the "Data" to. (Figure: TCP/UDP header, then application header + data.)
(TCP header figure, repeated from the 3-way handshake slide.)

... 255 were considered well known ports.)
– The Registered Ports are those from 1024 through 49151
– The Dynamic and/or Private Ports are those from 49152 through 65535
Port Numbers
(TCP header figure, repeated.)

... (IP header figure, repeated: Total Length, Protocol, Fragment Offset, Header Checksum, Source and Destination IP Address, Options, Data.)
Port Numbers
(TCP header figure, repeated.)

... Notice the difference in how source and destination port numbers are used with clients and servers:
Client:
• Destination Port = 23 (telnet)
• Source Port = 1028 (dynamically assigned)
Server:
• Destination Port = 1028 (source port of client)
• Source Port = 23 (telnet)

Second http session between the same client and server: same destination port, ...

... port numbers to select the proper application
• Originating source port numbers, usually a value larger than 1023, are dynamically assigned by the source host
(TCP header figure, repeated.)

Sequence numbers
(Note on the figure: this is only if one octet was sent at a time.)
• The data segments being transmitted must be reassembled once all the data is received.
• No guarantee...
... numbers so that the receiver will know if it has received all of the data.
• They also identify the missing data pieces to the sender so it can retransmit the missing data.

Technical FYI on Sequence numbers (part of the TCP header)
• Sender: the value in the sequence number is the first byte in the data stream.
• Question: How does the receiver know how much data was sent, ...

... retransmits the packet and starts the timer over again. TCP uses expectational acknowledgments, in which the acknowledgment number refers to the next octet that is expected.

UDP Operation
• UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.
• The Source Port field is an optional field used only if information ...
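For the sequence-number FYI above (and the IP Protocol field slide at the start of the module), an added example that is not from the slides: building and parsing an IPv4 packet that carries a TCP segment. The receiver answers the slide's question from the IP header: the segment's data length is the IP Total Length minus the IP and TCP header lengths, and the next expected sequence number is the segment's sequence number plus that length, plus one for a SYN or FIN. Both checksums are computed and verified, including the TCP pseudo-header built from the IP addresses. The addresses 192.0.2.10 and 192.0.2.1, the ISNs and the payload are constructed for the demonstration; ports 1028 and 23 follow the telnet client/server slide.

```python
import struct
from ipaddress import IPv4Address

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_PROTOCOLS = {6: "TCP", 17: "UDP"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, window, payload=b"", ttl=64):
    """IPv4 packet carrying a TCP segment without options, both checksums filled in."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    tcp_len = 20 + len(payload)
    # data offset (5 words) in the top 4 bits, reserved bits zero, flags in the low 6 bits
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed, 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Walk the IP header, then the TCP header, and derive the sequence-number bookkeeping."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result = {"protocol": IP_PROTOCOLS.get(proto, str(proto)),
              "ip_checksum_ok": internet_checksum(pkt[:ihl]) == 0}
    if proto != 6:
        return result            # the Protocol field says this is not a TCP segment
    segment = pkt[ihl:total_len]   # bytes past Total Length (e.g. frame padding) are not TCP
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    payload = segment[data_offset:]  # length = Total Length - IP header - TCP header
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(segment))
    result.update({
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "sport": sport, "dport": dport, "flags": flags, "window": window,
        "seq": seq, "ack": ack, "payload_len": len(payload),
        # SYN and FIN each occupy one sequence number even though they carry no data
        "next_expected_seq": (seq + len(payload) + ("SYN" in flags) + ("FIN" in flags)) & 0xFFFFFFFF,
        "tcp_checksum_ok": internet_checksum(pseudo + segment) == 0,
    })
    return result


def tamper(pkt: bytes) -> bytes:
    """Flip one bit of the last byte, as in-flight corruption would; the TCP checksum must then fail."""
    return pkt[:-1] + bytes([pkt[-1] ^ 0x01])


def demo():
    """Constructed exchange: client SYN, a client data segment (the server's ISN is assumed
    to have been 5000, so its SYN-ACK is already acknowledged), and the server's ACK."""
    client, server = "192.0.2.10", "192.0.2.1"
    syn = build_packet(client, server, 1028, 23, 1000, 0, ["SYN"], 8192)
    data = build_packet(client, server, 1028, 23, 1001, 5001, ["PSH", "ACK"], 8192, b"hello, telnet\r\n")
    ack = build_packet(server, client, 23, 1028, 5001, 1016, ["ACK"], 32768)
    return [parse_packet(p) for p in (syn, data, ack)]
```

In `demo()`, the SYN advances the sequence number by one with no data, the 15-byte data segment advances it to 1016, and the server's expectational ACK carries exactly that value; `tamper()` shows that a single flipped payload bit fails the TCP checksum while the IP header checksum, which covers only the header, still verifies.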