Network Security - Research Paper Example

Introduction: This trace contains 7 packets exchanged between two end points. One end point is a client machine while other end point is a server with host name "linux-server". The client machine attempted to establish 3 tcp sessions with the server on port 80, port 135 and port 139 The server which is apparently a web server acknowledged and accepted the request on port 80 while terminated the sessions on port 135 and 139 by sending RST messages. The detailed interpretation of every byte transferred is populated in the tables below Problems: I have following observations on the data which may be plugged in at appropriate stages Packet 1: 1. Source IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Destination port no mentioned in the description block is SSH while destination port no conveyed in the data block is 80 Packet 2: 1. Destination IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Source port no mentioned in the description block is SSH while source port no conveyed in the data block is 80 Packet 3 1. Source IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Destination port no mentioned in the description block is http while destination port no conveyed in the data block is 135 (MS-RPC) 3. Packet length mentioned in the description block is 44 while actual bytes mentioned are 46 Packet 4 1. Destination IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Source port no mentioned in the description block is http while source port no conveyed in the data block is 135 (MS-RPC) 3. The host rejected the connection by sending RST flag instead of sending SYN, ACK flag. This indicates the destination host is not willing to initiate inbound connection on port 135. Packet 5 1. Source IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Packet length mentioned in the description block is 44 while actual bytes mentioned are 46 Packet 6 1. Destination IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. The host rejected the connection by sending RST flag instead of sending SYN, ACK flag. This indicates the destination host is not willing to initiate inbound connection on port 139. Packet 7 1. Source IP address mentioned in the description block 10.63.129.199 does not match with the IP address actually communicated in the packet ie 192.168.246.1 2. Packet length mentioned in the description block is 40 while actual bytes mentioned are 46 Detailed Description of Packets: Packet # 1 20:52:50.764815 IP (tos 0x0, ttl 46, id 18251, offset 0, flags [none], length: 44) 10.63.129.199.49206 > linux-server.ssh: S [tcp sum ok] 1304132321:1304132321(0) win 3072 0x0000: 4500 002c 474b 0000 2e06 d821 c0a8 f601 E..,GK.....!.... 0x0010: c0a8 f60c c036 0050 4dbb 7ae1 0000 0000 .....6.PM.z..... 0x0020: 6002 0c00 95a3 0000 0204 05b4 0000 ............. Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header). 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service (QoS) levels to different packets 002c Length of the Layer 3 packet is 44 bytes 474b Identification value is 18251. This value helps in assembling fragmented packets 0000 IP header flags are not set 2e TTL (Time to Live) is 46 06 Layer 4 (transport layer)protocol is TCP d821 IP header checksum is 55329 C0a8 f601 Source IP address is 192.168.246.01 c0a8 f60c Destination IP address is 192.168.246.12 C036 TCP layer source port no is 49206 0050 TCP layer destination port no is 80 which is represents http or web application 4dbb 7ae1 TCP sequence no is 1304132321 0000 0000 Ack No is Nil as this is the first packet of the session 60 1010 0000 TCP header length is 6 double words ie 24 bytes. Next 4 bits are reserved for future use 02 0000 0010 TCP Flag byte showing SYN flag is set. This is connection initiation request 0c00 TCP window size is set to 3072 95a3 TCP checksum value is 38307 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set 0204 05b4 Optional parameter Maximum Segment Size value is 0x05b4 = 1460 bytes Packet # 2 20:52:50.764815 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 44) linux-server.ssh > 10.63.129.199.49206: S [tcp sum ok] 826334583:826334583(0) ack 1304132322 win 5840 0x0000: 4500 002c 0000 4000 4006 cd6c c0a8 f60c E..,..@.@..l.... 0x0010: c0a8 f601 0050 c036 3140 dd77 4dbb 7ae2 .....P.61@.wM.z. 0x0020: 6012 16d0 7c0a 0000 0204 05b4 Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service QoS) levels to different packets 002c Length of the Layer 3 packet is 44 bytes 0000 Identification value is 0. This value helps in assembling fragmented packets 4000 Don't fragment flag is ON. Next hop devices would either forward the packet without fragmenting or if their MTU is less, those will drop this packet 40 TTL (Time to Live) is 64 06 Layer 4 (transport layer)protocol is TCP Cd6c IP header checksum is 0xcd6c C0a8 f60c Source IP address is 192.168.246.12 c0a8 f601 Destination IP address is 192.168.246.1 0050 TCP layer source port no is 80 C036 TCP layer destination port no is 49206 3140 dd77 TCP sequence no is 826334583 4dbb 7ae2 Ack field is 1304132322. This is the packet expected next from the other end; which means that n-1 receipt is acknowledged 60 1010 0000 TCP header length is 6 double words ie 24 bytes. Next 4 bits are reserved for future use 12 0001 0010 TCP Flag byte showing ACK & SYN flags are set. This is willingness from the host to continue establishment of this TCP session. 16d0 TCP window size is set to 5840 7c0a TCP checksum value is 0x7c0a 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set 0204 05b4 Optional parameter Maximum Segment Size value is 0x05b4 = 1460 bytes Packet # 3 20:52:50.764815 IP (tos 0x0, ttl 46, id 28683, offset 0, flags [none], length: 44) 10.63.129.199.49206 > linux-server.http: S [tcp sum ok] 1304132321:1304132321(0) win 3072 0x0000: 4500 002c 700b 0000 2e06 af61 c0a8 f601 E..,p......a.... 0x0010: c0a8 f60c c036 0087 4dbb 7ae1 0000 0000 .....6..M.z..... 0x0020: 6002 0c00 956c 0000 0204 05b4 0000 ....l........ Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service (QoS) levels to different packets 002c Length of the Layer 3 packet is 44 bytes 700b Identification value is 28683. This value helps in assembling fragmented packets 0000 IP header flags are not set 2e TTL (Time to Live) is 46 06 Layer 4 (transport layer)protocol is TCP af61 IP header checksum is 0xaf61 C0a8 f601 Source IP address is 192.168.246.01 c0a8 f60c Destination IP address is 192.168.246.12 C036 TCP layer source port no is 49206 0087 TCP layer destination port no is 135 which is for MS-RPC 4dbb 7ae1 TCP sequence no is 1304132321 0000 0000 Ack No is Nil as this is the first packet of the session 60 1010 0000 TCP header length is 6 double words ie 24 bytes. Next 4 bits are reserved for future use 02 0000 0010 TCP Flag byte showing SYN flag is set. This is connection initiation request 0c00 TCP window size is set to 3072 956c This is TCP checksum value 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set 0204 05b4 Optional parameter Maximum Segment Size value is 0x05b4 = 1460 bytes Packet # 4 20:52:50.764815 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], length: 40) linux-server.http > 10.63.129.199.49206: R [tcp sum ok] 0:0(0) ack 1304132322 win 0 0x0000: 4500 0028 0000 4000 ff06 0e70 c0a8 f60c E..(..@....p.... 0x0010: c0a8 f601 0087 c036 0000 0000 4dbb 7ae2 .......6....M.z. 0x0020: 5014 0000 b915 0000 P....... Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service QoS) levels to different packets 0028 Length of the Layer 3 packet is 40 bytes 0000 Identification value is 0. This value helps in assembling fragmented packets 4000 Don't fragment flag is ON. Next hop devices would either forward the packet without fragmenting or if their MTU is less, those will drop this packet ff TTL (Time to Live) is 255 06 Layer 4 (transport layer)protocol is TCP 0e70 This is IP header checksum C0a8 f60c Source IP address is 192.168.246.12 c0a8 f601 Destination IP address is 192.168.246.1 0087 TCP layer source port no is 135 C036 TCP layer destination port no is 49206 0000 0000 TCP sequence no is 0 4dbb 7ae2 Ack field is 1304132322. This is the packet expected next from the other end; which means that n-1 receipt is acknowledged 50 0101 0000 TCP header length is 5 double words ie 20 bytes. Next 4 bits are reserved for future use 14 0001 0100 TCP Flag byte showing ACK and RST flags are set. This is a message that the host is not going to entertain the inbound connection on TCP port 135 0000 TCP window size is not set b915 This is the TCP checksum value 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set Packet # 5 20:52:50.764815 IP (tos 0x0, ttl 37, id 43574, offset 0, flags [none], length: 44) 10.63.129.199.49206 > linux-server.netbios-ssn: S [tcp sum ok] 1304132321:1304132321(0) win 2048 0x0000: 4500 002c aa36 0000 2506 7e36 c0a8 f601 E..,.6..%.6.... 0x0010: c0a8 f60c c036 008b 4dbb 7ae1 0000 0000 .....6..M.z..... 0x0020: 6002 0800 9968 0000 0204 05b4 0000 ....h........ Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service (QoS) levels to different packets 002c Length of the Layer 3 packet is 44 bytes aa36 Identification value is 43574 . This value helps in assembling fragmented packets 0000 IP header flags are not set 25 TTL (Time to Live) is 37 06 Layer 4 (transport layer)protocol is TCP 7d36 IP header checksum is 0x7e36 C0a8 f601 Source IP address is 192.168.246.1 c0a8 f60c Destination IP address is 192.168.246.12 C036 TCP layer source port no is 49206 008b TCP layer destination port no is 139 which is for netbios-ssn 4dbb 7ae1 TCP sequence no is 1304132321 0000 0000 Ack No is Nil as this is the first packet of the session 60 1010 0000 TCP header length is 6 double words ie 24 bytes. Next 4 bits are reserved for future use 02 0000 0010 TCP Flag byte showing SYN flag is set. This is connection initiation request from the host on a new port no 139 0800 TCP window size is set to 2048 9968 This is TCP checksum value 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set 0204 05b4 Optional parameter Maximum Segment Size value is 0x05b4 = 1460 bytes Packet # 6 20:52:50.764815 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], length: 40) linux-server.netbios-ssn > 10.63.129.199.49206: R [tcp sum ok] 0:0(0) ack 1304132322 win 0 0x0000: 4500 0028 0000 4000 ff06 0e70 c0a8 f60c E..(..@....p.... 0x0010: c0a8 f601 008b c036 0000 0000 4dbb 7ae2 .......6....M.z. 0x0020: 5014 0000 b911 0000 P....... Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service QoS) levels to different packets 0028 Length of the Layer 3 packet is 40 bytes 0000 Identification value is 0. This value helps in assembling fragmented packets 4000 Don't fragment flag is ON. Next hop devices would either forward the packet without fragmenting or if their MTU is less, those will drop this packet ff TTL (Time to Live) is 255 06 Layer 4 (transport layer)protocol is TCP 0e70 This is IP header checksum C0a8 f60c Source IP address is 192.168.246.12 c0a8 f601 Destination IP address is 192.168.246.1 008b TCP layer source port no is 139 C036 TCP layer destination port no is 49206 0000 0000 TCP sequence no is 0 4dbb 7ae2 Ack field is 1304132322. This is the packet expected next from the other end; which means that n-1 receipt is acknowledged 50 0101 0000 TCP header length is 5 double words ie 20 bytes. Next 4 bits are reserved for future use 14 0001 0100 TCP Flag byte showing RST & ACK flags are set. This is a message that the host is not going to entertain the inbound connection on port 139 0000 TCP window size is not set b911 This is the TCP checksum value 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set Packet # 7 20:52:50.764815 IP (tos 0x0, ttl 128, id 32061, offset 0, flags [none], length: 40) 10.63.129.199.49206 > linux-server.ssh: R [tcp sum ok] 1304132322:1304132322(0) win 0 0x0000: 4500 0028 7d3d 0000 8006 5033 c0a8 f601 E..(}=....P3.... 0x0010: c0a8 f60c c036 0050 4dbb 7ae2 4dbb 7ae2 .....6.PM.z.M.z. 0x0020: 5004 0000 f0be 0000 0000 0000 0000 P............. Bytes of the trace Breakdown in bits where necessary Description and significance 45 0100 0101 1st 4 bits represent IPv4; next 4 bits represent 5 double words long IP header (ie 20 bytes header) 00 Differentiated Services Field is not set. This byte was originally called the Type of Service (ToS) byte, but was redefined by RFC 2474 as the DS Field. It is used for marking packets for the purpose of applying different quality of service (QoS) levels to different packets 0028 Length of the Layer 3 packet is 40 bytes 7d3d Identification value is 32061. This value helps in assembling fragmented packets 0000 IP header flags are not set 80 TTL (Time to Live) is 128 06 Layer 4 (transport layer)protocol is TCP 5033 IP header checksum is 0x5033 C0a8 f601 Source IP address is 192.168.246.1 c0a8 f60c Destination IP address is 192.168.246.12 C036 TCP layer source port no is 49206 0050 TCP layer destination port no is 80 which is for http 4dbb 7ae2 TCP sequence no is 1304132322. This is the second packet for the first session which was initiated by the host on destination port 80 4dbb 7ae2 This is TCP ack no. calculated by adding the last received ack no (which is this packet's sequence no) and its segment length 50 0101 0000 TCP header length is 5 double words ie 20 bytes. Next 4 bits are reserved for future use 04 0000 0100 TCP Flag byte showing RST flag is set. This signifies that the initiator wants to reset the TCP connection 0000 TCP window size is set to Nil. Ack is required before further packets can be sent f0be This is TCP checksum value 0000 Urgent Pointer field value is Nil. In the TCP flag field, Urgent code bit (URG flag) was also not set Conclusion: This is not clear why description block is showing wrong IP addresses. - How come on same time stamp accurate upto micro second level, all communication took place. I have not seen such thing in practical environment + Two connections were reset by the server might be due to reason that it is not configured to listen on these ports. + One http connection was reset by the client itself even after getting SYN,ACK from the server. This can be due to the reason that on socket layer IP bound is 10.63.129.199 while the reply is received on 192.168.246.1 for which it is not expecting anything and thus the client itself sends out a RST message to the server References: 1. Douglas E. Comer, Internetworking with TCP/IP: Volume 1 - Principles, Protocols and Architecture, 3rd Edition, Prentice Hall, 1995, ISBN 0-13-216987-8. 2. Dan Farmer and Wietse Venema, Internet Security, Addison Wesley Longman, 1996, ISBN 0-201-63497-X 3. Chris McNab, Network Security Assessment: Know Your Network, Second Edition, O'Reilly, 2007, ISBN: 0-596-51030-6 Read More