1 1 IP Behavior – SANS GIAC LevelOne ©2000, 2001 IP Behavior SANS GIAC LevelOne Security Essentials This webcast presentation entitled IP Behavior is a sequel to the July webcast, which discussed IP Concepts. In this webcast, we introduce some more detail to topics discussed in the previous webcast as well as introduce some new concepts altogether. Technical editors: William Ralph Stephen Northcutt Alan Paller 2 2 IP Behavior – SANS GIAC LevelOne ©2000, 2001 Objectives • Introduction to tcpdump and tcpdump output •TCP concepts • Fragmentation • Stimulus and Normal Response Specifically, we will present an introduction to tcpdump and tcpdump output. We will cover tcp concepts that are the foundations of how tcp communicates. We will look at fragmentation in IP datagrams to see what is happening at the datagram level. Finally, we will examine stimulus and response. How does a host respond to certain traffic under varying circumstances? This will assist you in understanding what normal responses look like. 3 3 IP Behavior – SANS GIAC LevelOne ©2000, 2001 tcpdump Section 1 tcpdump is a program that will dump traffic on a network. It is available from http://ee.lbl.gov or from www.tcpdump.org. You will also need to download the libpcap packet capture library. tcpdumpp has also been ported to Windows as windump. Windump and winpcap can be downloaded from http://netgroup-serv.polito.it/netgroup/tools.html . In section 1, we will explore tcpdump. 4 4 IP Behavior – SANS GIAC LevelOne ©2000, 2001 0101001110 111010010011000 00100011011 Network packets tcpdump running on a host “sniffing” network packets tcpdump output tcpdump 07:00:48.036746 ping.net > myhost.com: icmp: echo request (DF) 07:00:48.036776 myhost.com > ping.net: icmp: echo reply (DF) 07:02:12.622460 log.net.3155 > syslog.com.514: udp 101 07:03:01.132414 send.net.32938 > mail.com.25: S 248631:248631(0) win 8760 On slide “tcpdump”, we mean that tcpdump is a program that will read traffic on the network. By default, it will collect and print, in a standard format, all the traffic passing on the network. There are command line options for tcpdump that will alter the default behavior. We can specify that we want to collect only certain types of packets, print the records of these packets in verbose mode (-v), print the packets in hexadecimal (-x) or actually write the records to a file as “raw packets”(-w) instead of printing them as standard output. tcpdump filters can be used to specify records to be collected. Rather than gather all traffic passing on the network on which the host resides, tcpdump can be instructed to record packets with a specific trait. Examples of filters would be to record only tcp packets, or record packets to a given port, say telnet, port 23, for instance. You can limit the purview of what is collected to a specific IP or host. Combinations of traits can be used to get more restrictive in what is collected. Just about any field in an IP datagram, including the actual data payload, can be used to select the records that are collected. On this slide, we see a host running tcpdump and gathering records from the network interface. We see the records that tcpdump has collected at the bottom of the slide. tcpdump has a default standard output based on the protocol (tcp, udp, icmp) of the record that is displayed. While each of the various protocols has a similar format to the other, they are also distinct in what is displayed. 5 5 IP Behavior – SANS GIAC LevelOne ©2000, 2001 timestamp source.port dest.port : udp bytes timestamp: hour:minutes:seconds.fractions of seconds source.port: source IP/hostname.source port dest.port: destination IP/host.destination port udp: may or may not expressly label the udp protocol bytes: number of bytes of udp data (payload) 09:39:19.470000 nmap.edu.728 > dns.net.111: udp 56 Sample tcpdump udp output If we examine a line of tcpdump udp output on slide “Sample tcpdump udp output”, we first see a timestamp or the record of the time when the tcpdump host read the packet. The timestamp is in the format of hour, colon, minutes, colon, seconds, period, followed by fractions of a second. As you can see, tcpdump allows for 6 fractional digits or millionths of a second. The record we see with the value 470000 has a precision of hundredths of a second. This is a limitation of the Linux operating system on which this tcpdump record was collected, but this was corrected in a later Redhat release. Next, we see the source information for the tcpdump record. This includes the source host name, nmap.edu, or IP number depending upon whether the IP can be resolved. If you do not want names resolved, tcpdump can be run with the -n paramter. At the end of the source host name, we see a period and the source port, in this case 728. Immediately following the greater than sign, you see the destination host or IP address, “dns.net”, followed by a period, followed by the destination port, in this case port 111 or what is more commonly known as the portmapper or sunrpc port. In this record, you see the word “udp” to help identify this protocol. Not all udp records will be labeled expressly “udp”. DNS, or port 53, is a notable exception. The final field is the number of bytes found of the udp data. Recall that udp data is wrapped in a udp header first and encapsulated in an IP header before it is sent out on the network. 6 6 IP Behavior – SANS GIAC LevelOne ©2000, 2001 Sample tcpdump tcp output timestamp source.port dest.port flags beginning: ending bytes options seq # seq # 09:32:43.910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512 flags: tcp flags ( P SH, RST, SYN, FIN) beginning seq #: for the initial connection, this is the initial sequence number (ISN) from the source IP ending seq #: this is the beginning sequence number + data bytes bytes: data bytes (payload) in the tcp packet options: options that the source host advertises to the destination host Our next slide is titled “Sample tcpdump tcp output”. The tcpdump tcp record is identical to the udp record as far as timestamp, source and destination host and port. What distinguishes the tcp format from the others are the tcp flags, sequence numbers, acknowledgements, acknowledgement numbers, and tcp options. In this record, we see the flag of SYN or S set following the destination port of 21 which, by the way, is the port for ftp. The SYN flag indicates a request to begin a tcp session. Other possible flag values are P for PUSH that sends data, R for RESET that aborts a connection and F for FIN, which terminates a connection more gracefully. While not an actual flag bit like the others, if you see a period in the flag field, it simply means that none of the PUSH, RESET, SYN or FIN flags is set. In a way, this is an informative placeholder. Next is the beginning sequence number. One of the mechanisms that tcp uses to guarantee reliable packet delivery is keeping track of the data it has received; this is partially done by using sequence numbers. In this case, since this is an initial connection, it is known as the Initial Sequence Number or ISN. The ending sequence number is the sum of the initial sequence number plus the number of tcp data bytes sent in this tcp segment. A SYN connection sends no data bytes, as represented by the zero in parentheses. Data should not be sent until the client and server actually establish the connection. Finally, there is a tcp options field. In this record, we see nmap.edu advertising a window size of 512 bytes. It is informing dns.net that it has an incoming buffer size of 512 bytes. If dns.net is a larger faster host, it will have to slow itself and pace the data sent so it doesn’t overwhelm the buffer size of nmap.edu. 7 7 IP Behavior – SANS GIAC LevelOne ©2000, 2001 Absolute and relative sequence client.com.38060 > telnet.com.telnet: S 3774957990:3774957990(0) win 8760 <mss 1460> (DF) telnet.com.telnet > client.com.38060: S 2009600000:2009600000(0) ack 3774957991 win 1024 <mss 1460> client.com.38060 > telnet.com.telnet: .ack 1 win 8760 (DF) client.com.38060 > telnet.com.telnet: P 1:28(27) ack 1 win 8760 (DF) On the next slide titled “Absolute and relative sequence” we show a handy feature of tcpdump. Notice the top line, we have the number 3774957990 in bold. That is an absolute sequence number. The absolute sequence number keeps track of how much data has been sent by a connection. However, these numbers get pretty ugly. So tcpdump can provide the information as relative sequence numbers as well. On the third line of your slide, after the ack you see a 1 in bold. That means one byte has been transferred. When we look more closely at tcp, we will see our friends absolute and relative sequence again. 8 8 IP Behavior – SANS GIAC LevelOne ©2000, 2001 Sample tcpdump icmp output icmp format 1 timestamp source dest icmp: icmp message 14:59:30.220000 ping.net > hosta.mysite.com: icmp: echo request 14:59:38.140000 hosta.mysite.com > ping.net: icmp: echo reply icmp format 2 timestamp router source icmp: dest icmp message 02:09:47.600000 foreign.router > tryinghost.com: icmp: host desired.com unreachable In slide “Sample tcpdump icmp output”, we see icmp output generated by tcpdump. icmp is the protocol used for error control and message handling. There are many different types of icmp records that have different messages. We display two of the basic formats on this slide. The first two icmp records have a similar format. In the first icmp record, we have a timestamp followed by a source host – ping.net in the first record. Following the greater than sign, we see the destination host – in this record hosta.mysite.com. Remember, icmp doesn’t use ports to communicate like tcp and udp do. The icmp message type follows the destination host; in the first record we see an icmp echo request which is generated by a commonly used program known as ping. The second record is a response from the ping from hosta.mysite.com to ping.net – this is known as an icmp echo reply. The third record shows a slightly different format. Often times a router will be involved when some kind of error is detected. In this record, foreign.router delivers a message to tryinghost.com that host desired.com is not reachable. This implies that tryinghost.com first attempted to send some kind of traffic to desired.com and foreign.router intervened to inform tryinghost.com when it discovered a problem. 9 9 IP Behavior – SANS GIAC LevelOne ©2000, 2001 tcpdump output in hex • The tcpdump command comes with a command line option -x that will display the records in hexadecimal • Hexadecimal output is more difficult to read and decrypt, however it will show you the entire IP datagram, even fields that tcpdump doesn’t display in its standard output • The “entire” packet is shown only if you’ve told tcpdump to dump the entire packet via the -s (snaplen) calling parameter . Slide “tcpdump output in hex” reiterates what we discussed earlier. tcpdump output can be displayed in hexadecimal. As you become more advanced in analyzing records, you'll want to be able to look for the protocol and the only sure way to do that is in the hexadecimal information. We'll go over that, but don't worry if you don't understand it all. Over time, the cumulative discussions of binary and hexadecimal arithmetic will begin to look familiar and almost friendly. This is done using the –x command line option of tcpdump. Hexadecimal output is indeed more difficult to read or decipher. But, if the snaplen, the -s parameter is as large or larger than the datagram, the -x parameter will show the entire datagram, something that the standard tcpdump output doesn’t do. This can be used as a tool to investigate a particular field or value. Additionally, it can be used to uncover any kind of anomalies in the datagram such as length values that may not be accurate. Fields in a datagram can be “crafted” by a program instead of using normal system calls to create a number of very interesting, illegal datagrams. tcpdump hexadecimal output gives us all the data to look for signs of this kind of tampering. 10 10 IP Behavior – SANS GIAC LevelOne ©2000, 2001 04:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF) 4500 0028 b5cb 4000 fe01 b229 0102 0304 IP Header c0a8 0505 0000 bc9c bf3c 51ff 0018 f81b 000d d5f0 000d 63e8 0000 0000 0000 Sample hexadecimal output ICMP message Turning to slide “Sample hexadecimal output”, we see the output of a datagram displayed in hexadecimal. The record is first displayed as you would see it in normal tcpdump output. In this slide, we are looking at the bowels of an icmp echo reply packet. Each character in the hex output represents 4 bits, two consecutive 4 bit values with no intervening spaces represent a byte. The IP header in this datagram has 20 bytes. The IP header is displayed between the first and second arrows. This is followed by an icmp message that is found between the second and third arrows. What do these hex value represent? Well, you’ll have to get a standard layout of what an IP header looks like and similarly, you’ll need to acquire a layout of an icmp message format. One of the best sources for this and understanding TCP/IP, in general, is TCP/IP Illustrated, Volume 1 by Richard Stevens. [...]... this combination of source IP and source port connected to this destination IP and destination port There may be another user connection from another source IP to this same destination IP and destination port, but that user will have a different source IP and most likely different source port There may even be someone from the same source IP connected to the same destination IP and port But, this user... protocol in the IP header BYTE 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 45 00 00 28 b5 cb 40 00 fe 01 b2 29 01 02 03 04 16 17 18 19 c0 a8 05 05 IP protocol field icmp = 01 tcp = 06 udp = 17 = 11 hexadecimal 161 x 1 + 160 x 1 = 17 IP Behavior – SANS GIAC LevelOne ©2000, 2001 11 We get a feel for how this works by turning to slide “Finding the protocol in the IP header” Here we have displayed the IP header One... of information First, the IP protocol field is 9 bytes into the IP header Counting begins with 0 so if we look at the slide, the byte that has the gray background represents the IP protocol The current value that we see is 01 or the value for icmp Other values that you may see are 06, which is tcp, and 17, which is udp Seventeen is the decimal value of the number, but the IP header is in hexadecimal... distinguishable because of flags, and other fields as the sequence and acknowledgement numbers, to name a few icmp messages will have the icmp message description contained in them 12 tcp Concepts Section 2 tcp is a connection-oriented reliable protocol IP Behavior – SANS GIAC LevelOne ©2000, 2001 13 In section 2 we will examine some tcp concepts Remember tcp is a connection-oriented reliable protocol 13... download.net.39904 > ftp.com.21: ack 1 win 8760 (DF) Server SYN/ACK Client ACK IP Behavior – SANS GIAC LevelOne ©2000, 2001 15 The tcpdump output on slide “tcpdump output of tcp connection establishment” shows the connection establishment There are three TCP segments shown A TCP segment contains the information sent by TCP to IP In the first segment, you see the client, download.net attempt a connection... depending on protocol • udp packets may or may not have “udp” in the output • tcp packets are distinguishable because of flags • icmp packets will have the icmp message description • tcpdump can display records in hexadecimal format IP Behavior – SANS GIAC LevelOne ©2000, 2001 12 Slide “tcpdump review” wraps up what we have learned in section 1 about tcpdump tcpdump can sniff packets off of the network... selects an unused ephemeral port on which to communicate • For most tcp protocols, the client and server communicate the entire session using the client’s ephemeral port and the server’s well-known port IP Behavior – SANS GIAC LevelOne ©2000, 2001 16 Moving ahead to slide “Server and client ports”, we introduce server and client ports In the past, more so than today, well-known server ports generally fell... client and server before a connection can be established and data transferred Client Send SYN Receive SYN/ACK Send ACK Server SYN K SYN + AC Receive SYN Send SYN/ACK ACK Receive ACK Connection Established IP Behavior – SANS GIAC LevelOne ©2000, 2001 14 Turning to slide “Establishing a tcp connection”, you will see that establishing a tcp connection is almost ceremonial in nature involving what is commonly... distinguishing it from the other connection to the same server and destination port For instance, two users on the same host may be connecting to the same web server While this is the same source IP, the same destination IP and port (80), the web server will be able to maintain who gets what by the ephemeral source ports involved 16 tcpdump output of client/server port communication 07:11:01.209928 sendit.net.39905... sendit.net.39905: S 1202779586:1202779586(0) ack 743211992 win 8760 (DF) 07:11:01.211254 sendit.net.39905 > mailserver.com.25: ack 1 win 8760 (DF) = ephemeral port 39905 = server port 25 IP Behavior – SANS GIAC LevelOne ©2000, 2001 17 On slide “tcpdump output of client/server port communication”, you’ll see tcpdump output of the three-way handshake again This time, the emphasis is on the . 1 1 IP Behavior – SANS GIAC LevelOne ©2000, 2001 IP Behavior SANS GIAC LevelOne Security Essentials This webcast presentation entitled IP Behavior. TCP /IP, in general, is TCP /IP Illustrated, Volume 1 by Richard Stevens. 11 11 IP Behavior – SANS GIAC LevelOne ©2000, 2001 Finding the protocol in the IP