
2.8 ICMP

ICMP (Internet Control Message Protocol) is used by IP for error handling. It therefore sets a type and a code field in its header to define the error. The header is shown in Fig. 2.10.

Most readers know the protocol from the famous ICMP echo-request packet sent by the program ping, which hopes to receive an echo-response in order to test whether a computer is reachable and to measure the network latency. Other ICMP messages include redirect-host, which tells a host that there is a better router to reach its destination. Table 2.2 lists all type and code combinations.
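The type and code fields described above can be read straight from the first bytes of an ICMP message. The following parser is an added example, not code from the book: it decodes type and code, names them using a subset of Table 2.2, and verifies the header checksum. The sample packet, its identifier and its payload are constructed for illustration.

```python
import struct

# Subset of Table 2.2, keyed by (type, code)
ICMP_NAMES = {
    (0, 0): "echo-reply",
    (3, 1): "host-unreachable",
    (3, 3): "port-unreachable",
    (5, 1): "redirect-host",
    (8, 0): "echo-request",
    (11, 0): "ttl-exceeded",
}

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build an ICMP message; `rest` is the 4 type-specific header bytes."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(message: bytes) -> dict:
    """Decode type/code and check the checksum of a raw ICMP message."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", message[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_NAMES.get((icmp_type, code), "unknown"),
        # Summing the whole message, checksum field included, must give 0
        "checksum_ok": inet_checksum(message) == 0,
    }

# Constructed sample: echo-request with identifier 0x1234 and sequence 1
SAMPLE = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping-payload")

if __name__ == "__main__":
    print(parse_icmp(SAMPLE))
```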

2.9 TCP

TCP (Transmission Control Protocol) provides session management. A new TCP session is initialized by the famous Three-Way-Handshake (see Fig. 2.13). TCP numbers all packets to ensure that they are processed in the same order they were transmitted by the source system. The destination host sends an acknowledgment to let the source know that the packet was received correctly after checking a checksum; otherwise the source retransmits the packet. Last but not least, TCP addresses programs on a host by the use of ports. The port of the sending instance is called the source port, that of the receiving instance the destination port. Commonly used application protocols

Table 2.2 ICMP codes/types

| Type | Code | Name |
|------|------|------|
| 0 | 0 | Echo-reply |
| 3 | 0 | Net-unreachable |
| 3 | 1 | Host-unreachable |
| 3 | 2 | Protocol-unreachable |
| 3 | 3 | Port-unreachable |
| 3 | 4 | Fragmentation-needed |
| 3 | 5 | Source-route-failed |
| 3 | 6 | Dest-network-unknown |
| 3 | 7 | Dest-port-unknown |
| 3 | 8 | Source-host-isolated |
| 3 | 9 | Network-admin |
| 3 | 10 | Host-admin |
| 3 | 11 | Network-service |
| 3 | 12 | Host-service |
| 3 | 13 | Com-admin-prohibited |
| 3 | 14 | Host-precedence-violation |
| 3 | 15 | Precedence-cutoff-in-effect |
| 4 | 0 | Source-quench |
| 5 | 0 | Redirect-network |
| 5 | 1 | Redirect-host |
| 5 | 2 | Redirect-service-network |
| 5 | 3 | Redirect-service-host |
| 6 | 0 | Alternate-host-address |
| 8 | 0 | Echo-request |
| 9 | 0 | Router-advertisement |
| 10 | 0 | Router-selection |
| 11 | 0 | ttl-exceeded |
| 11 | 1 | Fragment-reassembly-exceeded |
| 12 | 0 | Pointer-error |
| 12 | 1 | Missing-option |
| 12 | 2 | Bad-length |
| 13 | 0 | Timestamp-request |
| 14 | 0 | Timestamp-reply |
| 15 | 0 | Info-request |
| 16 | 0 | Info-reply |
| 17 | 0 | Mask-request |
| 18 | 0 | Mask-reply |
| 30 | 0 | Traceroute-forwarded |
| 30 | 1 | Packet-discarded |
| 31 | 0 | Datagram-conversion-error |
| 32 | 0 | Mobile-host-redirect |
| 33 | 0 | ipv6-where-are-you |
| 34 | 0 | ipv6-here-I-am |
| 35 | 0 | Mobile-registration-request |
| 36 | 0 | Mobile-registration-reply |
| 37 | 0 | Domain-name-request |
| 38 | 0 | Domain-name-reply |
| 40 | 0 | Bad-spi |
| 40 | 1 | Authentication-failed |
| 40 | 2 | Decompression-failed |
| 40 | 3 | Decryption-failed |
| 40 | 4 | Need-authentication |
| 40 | 5 | Need-authorization |

Fig. 2.11 TCP-header

like HTTP, FTP, IRC etc. have a default port below 1024; e.g., an HTTP server normally listens on port 80.

A typical TCP header looks like Fig. 2.11.

Besides ports, one also needs to know about TCP flags (see Table 2.3), sequence- and acknowledgment-number and window size. Flags are used for session management to create or destroy a connection and to bid the destination to handle a packet with a higher priority.

The Sequence-Number is used to sort the received packets into the same order as they were sent by the origin and to detect lost packets. Each packet gets an individual number that is incremented by one for every transmitted byte.

The Acknowledgment-Number, as the name suggests, acknowledges to the counterpart that a packet with a certain sequence number has been received correctly. Therefore it uses the sequence number and adds one. The Acknowledgment-Number contains the next expected Sequence-Number.

The window size defines the size of the operating system's cache of received but not yet processed packets. A window size of zero indicates that the sending station is under pressure and asks its counterpart to be friendly and to slow down or even stop sending more packets until a bigger window size is received.

Table 2.3 TCP-flags

| Flag | Function |
|------|----------|
| SYN | Ask for a new connection |
| ACK | Acknowledge the receipt of a packet |
| RST | Cancel a connection attempt (is usually sent when a host tries to connect to a closed port) |
| FIN | Cleanly close an established connection (must be acknowledged by the counterpart) |
| URG | Mark a packet as urgent |
| PSH | Bid the receiver to handle packet with higher priority |

Fig. 2.12 Interaction of sequence- and acknowledgment-number

Fig. 2.13 Three-way-handshake

Besides that, the window size defines the receive window. A host accepts all packets lower than Acknowledgment-Number + Windowsize (Fig. 2.12).

The establishment of a TCP connection is divided into three actions, the Three-Way-Handshake (see Fig. 2.13): First of all, the initiating computer sends a packet with the SYN flag set and, to stay with our example, an Initial-Sequence-Number of 1000. The Initial-Sequence-Number must be as random as possible to avoid Blind-IP-Spoofing attacks, where the attacker guesses a sequence number without being able to read the network traffic.

Fig. 2.14 UDP-header

The destination host responds with a packet where the SYN and ACK flags are set. As Initial-Sequence-Number it chooses 5000, and the Acknowledgment-Number contains the Sequence-Number of the source host incremented by one (1001).

Last but not least, the source host sends a final packet with the ACK flag (but not SYN) set, using the acknowledgment number of the SYN/ACK packet as sequence number and the sequence number of the previous packet plus one as acknowledgment number. This completes the Three-Way-Handshake. From now on both parties send packets with the ACK flag set.
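The handshake arithmetic and the receive-window rule above can be checked mechanically. The following is an added example, not code from the book: it packs and parses option-less 20-byte TCP headers, validates the flags and numbers of the three handshake packets, and tests whether a sequence number falls inside the receive window, including 32-bit wraparound. The port numbers and window size are assumptions; the sequence numbers 1000 and 5000 are the page's.

```python
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MOD = 2 ** 32  # sequence numbers are 32 bits wide and wrap around

def build_tcp(sport, dport, seq, ack, flags, window=8192):
    """Pack a 20-byte TCP header without options (checksum left at 0)."""
    bits = sum(FLAGS[f] for f in flags)
    offset_flags = (5 << 12) | bits  # data offset = 5 words of 32 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp(header):
    """Decode ports, numbers, flags and window from a raw TCP header."""
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack(
        "!HHIIHHHH", header[:20])
    flags = {name for name, bit in FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}

def valid_handshake(syn, synack, ack):
    """Check flags and number arithmetic of SYN, SYN/ACK and ACK."""
    a, b, c = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    return (a["flags"] == {"SYN"}
            and b["flags"] == {"SYN", "ACK"}
            and b["ack"] == (a["seq"] + 1) % MOD
            and c["flags"] == {"ACK"}
            and c["seq"] == b["ack"]
            and c["ack"] == (b["seq"] + 1) % MOD)

def in_receive_window(seq, expected, window):
    """True if seq lies in [expected, expected + window), modulo 2**32."""
    return (seq - expected) % MOD < window

# Constructed packets using the page's numbers (ports are assumptions)
SYN = build_tcp(40000, 80, 1000, 0, ["SYN"])
SYNACK = build_tcp(80, 40000, 5000, 1001, ["SYN", "ACK"])
ACK = build_tcp(40000, 80, 1001, 5001, ["ACK"])

if __name__ == "__main__":
    print(valid_handshake(SYN, SYNACK, ACK))
```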

If a packet hits a closed port, the destination must send a RST packet to conform to RFC793. This signals the source host that the request was invalid. Lots of firewalls (see Sect. 2.18) nowadays violate this standard by either silently dropping the packet or even generating a bogus ICMP message. This behavior is only useful for the attacker to determine the vendor and maybe even the version of the firewall: precious information for an attack.

 