
Summary

Solutions Fast Track

Frequently Asked Questions

Introduction

The network layer is key to the operation of the stack. Some of the protocols and services that reside here include Internet Protocol (IP), Internet Control Message Protocol (ICMP), and routing protocols. IP provides the ability for global communication, as well as a unique address scheme that is not found in Ethernet. It does an amazing job for a connectionless protocol, and has the ability to handle fragmentation, Quality of Service, and IP header error checking. However, there are potential problems. Since IP is a connectionless service, it can only make a best effort at delivery. It’s also subject to spoofing and can be manipulated to aid in a variety of attacks such as a Denial of Service (DoS). Our concerns don’t end there, though. ICMP is another of the protocols that resides at the network layer. It’s different from many other protocols and applications in that it is not typically directed by network applications. It is used for logical errors and diagnostics. It’s also used by attackers for such acts of mischief as the Smurf attack and can aid in port scanning. Even routing protocols are not completely secure from stack attacks. Many routing protocols can be used to redirect traffic, or can be employed for DoS attacks.

The preceding are just some of the topics that will be discussed in this chapter. As in previous chapters, this one will start off with a review of the protocols. Next, we will take an in-depth look at the types of attacks you’ll need to be aware of at this layer. Finally, we will discuss what types of controls can be implemented to secure the network layer. Let’s get started now with a review of IP and its packet structure.

The IP Packet Structure

In 1974, Vinton Cerf and Robert Kahn published a paper titled “A Protocol for Packet Network Interconnection,” which became the foundation for the IP protocol we use today. IP is the foundation of the TCP/IP suite and is used by Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and other higher-layer protocols. What’s even more amazing is that IP is a connectionless protocol. Just as with UDP, IP packets are referred to as datagrams. As a connectionless protocol, IP has a simple way to deal with problems: discard the data and let another service such as TCP or ICMP work it out. In this first section, we will take an in-depth look at IP and how it functions. As a key protocol of the TCP/IP protocol suite, it is important that you understand how it works, what its strengths are, and how it can be attacked.

This section will progress through each of the IP header’s fields. Just like all of the other protocols discussed in this book, IP has a field format, which is detailed in RFC 791. A normal IP header is 20 bytes long but can be extended to include options. Some of the better known fields include

■ ID

■ Data length

104 Chapter 4 • Layer 3: The Network Layer

■ TTL

■ IP addresses

■ QOS

■ Fragmentation

The current version of IP in use is IPv4, which is actually the first version deployed on a wide scale. Figure 4.1 shows the format of an IPv4 datagram. Notice that the first two sections contain the version and the header length.

Figure 4.1

IP Header Format

We will be using one Ethereal capture for most of the IP header sections below to make the analysis a little simpler. This Ethereal capture is shown in Figure 4.2. We will then step through each field and discuss its purpose and design.

Figure 4.2

IP Ethereal Capture


Identifying IP’s Version

The first byte in the IP header is the version and length field. A quick look at Figure 4.3 can be used to verify the version we are examining by the hex number “4” in the first field. IPv4 has been in use since 1981; therefore, it has been around for a while. The value of this field will become more important as more systems start to move to IPv6. This is because the values found in the IP version field will need to match if the two systems are to establish communication. This move has so far been delayed, perhaps because of cost or because of the increased complexity of IPv6 addresses.

Figure 4.3

The IP Version

NOTE

Maybe you are wondering what happened to IPv5? It was assigned to Internet Streaming Protocol. This experimental protocol was defined in 1979 and was envisioned to be a complement to IPv4 but was never fully realized or released for public usage. By the time the industry was ready to move onto the next version of IP, items like security and larger IP addresses were being discussed; thus, IPv6 was created.

While the first four bits designate the version field, the second four bits set the IP header length. This hex number defines the length of the header in 32-bit words and is important since it tells the system where to stop parsing the IP header. Each 32-bit word is made up of four bytes and since the default length of an IP header is five 32-bit words, a normal header is 20 bytes long. Common values for the IP header length field are shown in Table 4.1.

Table 4.1

IP Length Options

Value   Description
<5      Illegal since the minimum length is 5
=5      Default IP header length (20 bytes)
>5      Options are present; highest possible value is 0xF or decimal 15

TIP

It’s not hard to calculate the number of bytes of options that an IP header may be carrying. Just remember that the length field is measured in 32-bit words so there are four bytes in each. As an example, if the length field in the IP header has a hex value 0xF, which is 15 decimal, we would calculate total length as follows:

Total length:  4 * 15 = 60
Normal length: 4 * 5 = 20

60 bytes (total length) – 20 (normal header) = 40 bytes of options

Type of Service

The second byte from the start of the IP header is used to specify the type of service. You can see this field in Figure 4.4. There are actually two parts: the first three bits are reserved for precedence, while the last five bits are used for type of service. While many vendors do not recognize the use of these fields, the idea was that they would support priority of service so VoIP, Real Audio, or other similar services that need to reach their destination much faster can get priority over something like a file download or data transfer. Let’s look more at how quality of service was designed to be used.

The first three bits of this field, the precedence field, were designed to give routers and gateways the ability to tell the precedence of the data that is being handled. Notice this one is set to 111, National Network Control. The values found in this field evolved from those used by the Defense Advanced Research Projects Agency (DARPA) and the Telecommunications Service Priority (TSP) Program. The idea was simple: not all traffic has the same priority, and when there is limited bandwidth or when router queues are full, these values provide access to the most critical communications first. Table 4.2 shows the various values available for the precedence field.


Figure 4.4

Type of Service

Table 4.2

IP Length Options

Binary Value   Field Meaning
000            Normal
001            Priority
010            Immediate
011            Flash
100            Flash Override
101            Critical
110            International Control
111            National Network Control

The use of this field was really two-fold, in that users that needed priority of service required a higher precedence code than existing users. Also, anytime a router’s buffer was almost full, it could flush lower priority traffic first, allowing traffic of the greatest importance to pass. Now, let’s take a look at the last five bits of the type of service field, as shown in Table 4.3. The remaining five bits were designated to establish one of the following:

■ Normal traffic: If none of the five low-order bits are used, the type of service is designated as normal.

■ Least delay: Setting the delay bit to a binary value of one was designed to request a route with the lowest delay.

■ Throughput: Setting this bit high was designed to specify a route with the greatest throughput.

■ Reliability: Setting this bit high was designed to establish that the data should be passed over the most reliable route.

■ Low cost: This setting was designed to allow the sender to choose the path with the lowest monetary cost.

NOTE

The last, single bit is reserved, and should be set to zero.

Table 4.3

IP Length Options

Delay   Throughput   Reliability   Cost   Reserved   Hex Value
1       0            0             0      0          0x10
0       1            0             0      0          0x08
0       0            1             0      0          0x04
0       0            0             1      0          0x02
0       0            0             0      0          0x00

NOTE

It’s important to note that these fields are mutually exclusive in that if any one bit is set high, all others must be set to a value of zero.

If type of service was such a good idea, why wasn’t it ever implemented? That might be attributed to the fact that many thought the processing of TOS was too time-consuming, and in the search for ever-faster router processing speeds, type of service was ignored. Fortunately, the Internet Engineering Task Force (IETF) has produced RFC 2474, which was developed to provide for true quality of service for IP.


Total Length

The next field in the IP header designates total length. This field is two bytes and specifies the length of the IP header and the data behind it. An example of this can be seen in Figure 4.5, where we see the value is 0x28, which is decimal 40. This means that if we subtract the 20-byte IP header, there is a remaining 20 bytes of data.

Figure 4.5

Total Length

Since there are 16 bits available in this field, it can actually be as great as 0xFFFF, which is decimal 65,535. That’s a little large to actually be usable, so look for smaller values between 576 and 1,500 bytes. That’s a convenient number since it’s the maximum transmission unit (MTU) for Ethernet.

Datagram ID Number

The datagram ID number is a unique two-byte number assigned to each datagram sent by the host. The field can be seen in Figure 4.6, and in this example, it has an ID of 0x028b. The ID number is incremented by one for each datagram created; therefore, if we were to examine the next datagram, we would see that it would have an ID of 0x028c. The datagram ID field plays a central role in idle scanning, which is discussed later in the chapter. The real purpose of the ID field is to help correct potential errors and is used to help reassemble fragments. Fragmentation occurs when the original data exceeds the MTU of the transmission medium. In these instances, having a common ID number gives the system a way to identify which fragments belong together and helps in the reassembly of common datagrams.


Figure 4.6

Datagram ID

Fragmentation

When a datagram is processed from a sending to a receiving device, it may be passed through many different physical networks. Each of these networks may have its own frame format and specific limits that determine the maximum amount of data that can be transmitted (per datagram). For example, Ethernet limits this amount to 1,500 bytes. That is Ethernet’s MTU. If IP must send data that exceeds a specific network’s MTU, fragmentation can occur. Therefore, fragmentation is simply the process of dividing a datagram into smaller fragments, which are each sent separately. Each of these fragments becomes its own datagram and is sent independent of the other fragments. They can all go their own way and take unique separate paths to the final destination. If even one fragment does not arrive, the receiving device must discard the remaining fragments when the fragmentation timer reaches zero. As IP is a connectionless service, it’s dependent on higher-layer services to force a retransmission of the datagrams. IP is dependent upon several fields to know if datagrams have been fragmented and how to properly reassemble them. These fields include

■ The ID field

■ The more bit

■ Fragmentation offset

To get a better idea how the fragmentation field is laid out, take a look at Figure 4.7. Notice that the high-order bit is reserved, the next bit is used to designate datagrams that cannot be fragmented, the third bit is used to specify if more fragments will follow, and the final 13 are reserved for offset.


Figure 4.7

Fragmentation Field Layout

The best way to understand fragmentation is to just see it in action. To create some fragmented datagrams, we generated a ping using the –l option and then captured the fragmented datagrams using Ethereal. The result of this ping can be seen in Figure 4.8.

Figure 4.8

Fragmented Data

Let’s start by looking at the Total Length and ID fields. Notice that while both share a common ID, one has a total length of 1500 while the second has a length of 548. Next, observe the Flag field. The datagram to the left has the more fragments bit set to one and the offset at zero. That’s because it is the first datagram and there is more to follow. Now look at the datagram on the right. This one is the last datagram: the more bit is set to zero and the offset is 1480. That is the offset in bytes, which is the first datagram’s total length minus the 20-byte IP header. When combined, these two datagrams make up the slightly oversized ping that we initially sent. Finally, if you’re wondering what the “don’t fragment flag” is used for, it gives the application a method to specify that data not be fragmented. It can also be used to avoid the overhead that fragmentation introduces. By this method, a sender can send an initial datagram with the “don’t fragment flag” set. This is referred to as Path MTU (PMTU) discovery. PMTU discovery allows a sender to determine the lowest MTU between the source and destination. If a router cannot forward a datagram with the DF flag set, an ICMP message is generated, allowing the sender to reduce its data size and retry the transmission, adjusting to the largest datagram size the path can carry without fragmentation.
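To make the fragment arithmetic above concrete, here is an added example (not code from the book) that fragments the payload of a ping -l 2000 the way a sender does and then reassembles it, reporting failure when a fragment is missing. It assumes a 20-byte header without options and an Ethernet MTU of 1500; the fragments are modelled as dicts rather than raw packets.

```python
IP_HEADER_LEN = 20          # header without options, as in the capture above

def fragment(payload: bytes, ident: int, mtu: int = 1500, df: bool = False) -> list:
    """Split an IP payload into fragments the way a sending host or router does.
    Each fragment is a dict carrying the header fields that matter for reassembly."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8   # offsets are in 8-byte units
    if IP_HEADER_LEN + len(payload) > mtu and df:
        # With DF set a router drops the datagram and returns an ICMP error,
        # which is what Path MTU discovery relies on.
        raise ValueError(f"DF set: {IP_HEADER_LEN + len(payload)} bytes > MTU {mtu}")
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        frags.append({"id": ident, "df": df,
                      "mf": off + len(chunk) < len(payload),   # more to follow?
                      "offset": off,                            # in bytes
                      "total_length": IP_HEADER_LEN + len(chunk),
                      "data": chunk})
    return frags

def reassemble(frags: list):
    """Rebuild the payload from fragments sharing one ID. Returns None when a
    piece is missing, mirroring the receiver discarding the set on timeout."""
    if not frags:
        return None
    ident = frags[0]["id"]
    pieces = sorted((f for f in frags if f["id"] == ident), key=lambda f: f["offset"])
    out = b""
    for f in pieces:
        if f["offset"] != len(out):
            return None               # gap or overlap: cannot reassemble
        out += f["data"]
        if not f["mf"]:
            return out                # last fragment seen
    return None                       # never saw the fragment with MF = 0

# Constructed input: ping -l 2000 builds an 8-byte ICMP header + 2000 bytes of
# data = 2008 bytes, which is what produced the 1500/548-byte pair above.
PING_PAYLOAD = b"\x08\x00" + b"\x00" * 2006

if __name__ == "__main__":
    for f in fragment(PING_PAYLOAD, 0x028b):
        print(f"id={f['id']:#06x} mf={int(f['mf'])} offset={f['offset']} "
              f"total_length={f['total_length']}")
```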

Time to Live (TTL)

The TTL field is used as a time control mechanism to prevent IP datagrams from looping indefinitely. As an analogy, it’s much like getting on a turnpike with a pocket full of tokens where you’re required to deposit one at each toll gate. When you run out, you can go no farther. TTLs work the same way, as each gateway that processes a datagram decreases the TTL value by one. If the destination is not reached before the value is decremented to zero, the datagram is discarded. The router or gateway that discards the datagram will create an ICMP message that will be returned to the sender to notify that there was a problem. A TTL of 0x20 (0x28 is equal to 40; the value in the image is 20) can be seen in Figure 4.9.
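The fields walked through so far, from the version nibble to the TTL, can be pulled out of a raw header with a short decoder. This is an added example, not the book’s code: it parses the standard RFC 791 layout with struct, applies the checks a receiver should make (version, minimum IHL, total length not shorter than the header), and converts the IHL and fragment offset from their word units to bytes. The sample header is constructed to match the first ping fragment discussed above (ID 0x028b, total length 1500, MF set, TTL 0x20); its checksum and addresses are placeholder values.

```python
import struct

# Constructed sample (not from the book's capture): version 4, IHL 5, ToS 0,
# total length 1500, ID 0x028b, flags MF set with offset 0, TTL 0x20,
# protocol 1 (ICMP), checksum 0, 192.168.1.1 -> 192.168.1.2.
SAMPLE_HEADER = bytes.fromhex("450005dc028b20002001" "0000c0a80101c0a80102")

PRECEDENCE = {
    0b000: "Normal", 0b001: "Priority", 0b010: "Immediate", 0b011: "Flash",
    0b100: "Flash Override", 0b101: "Critical",
    0b110: "International Control", 0b111: "National Network Control",
}
TOS_BITS = {0x10: "delay", 0x08: "throughput", 0x04: "reliability", 0x02: "cost"}

def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields, applying the sanity checks a
    receiver must make before trusting them (RFC 791 layout)."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # IHL is in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    if ihl < 5:
        raise ValueError(f"illegal IHL {ihl}: minimum is 5 (20 bytes)")
    header_bytes = ihl * 4
    if total_len < header_bytes:
        raise ValueError("total length smaller than the header length")
    return {
        "version": version,
        "ihl": ihl,
        "options_bytes": header_bytes - 20,        # IHL 0xF -> 60 - 20 = 40
        "precedence": PRECEDENCE[tos >> 5],        # top three ToS bits
        "tos": [name for bit, name in TOS_BITS.items() if tos & bit],
        "total_length": total_len,
        "payload_bytes": total_len - header_bytes,
        "id": ident,
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

if __name__ == "__main__":
    for key, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{key:>14}: {value}")
```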

Figure 4.9

TTL Field

The default TTL used is dependent upon the OS. Most systems use default TTLs of 32, 60, 64, 128, or 255. Some common OSes and their TTLs are shown here in Table 4.4.

Table 4.4

Default TTL Values

Operating System   Default TTL
Windows 9x         32
Windows NT 4.0     128
Windows 2000       128
Windows 2003       128
Solaris 2.x        255
Linux 2.x          64

The TTL field is also used by the traceroute application. Traceroute owes its functionality to the IP header time-to-live (TTL) field. Traceroute is a utility that is used to determine the path to a target computer. Traceroute was originally developed by Van Jacobson to view the path a packet follows from its source to its destination. Linux traceroute is based on UDP, while Windows uses ICMP.

To get a better idea of how this works, let’s take a look at how Windows would process a traceroute. For this example, let’s say that the target is three hops away. Windows would send out a packet with a TTL of one. Upon reaching the first router, this packet would expire and return a TTL failure message to the host. Receipt of the message would inform Windows that it had yet to reach its destination, and the IP of the device in which the datagram timed out would be displayed. Next, Windows would increase the TTL to a value of two. This datagram would make it to the second router, at which time the TTL would expire. Thus, the second router would create a TTL failure message and forward it to the original source. The IP address of this device would next be displayed on a user’s computer. Finally, the TTL would be increased to three. This datagram would easily make it past the first and second hop and arrive at the third hop. Because the third hop is the last hop before the target, the router would forward the packet to the destination, and the target would issue a normal ICMP ping response. The output of this type of traceroute can be seen in Figure 4.10.
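The TTL walk just described, written as an added example that is not code from the book: a small model in which each router decrements the TTL and answers with ICMP Time Exceeded (type 11) when it hits zero, while the target answers with an echo reply (type 0). The router and target addresses are constructed, and a router given as None models a hop that drops expired datagrams silently, which is why real traceroute output sometimes shows an asterisk.

```python
ICMP_ECHO_REPLY = 0         # real ICMP type numbers
ICMP_TIME_EXCEEDED = 11

def forward(ttl: int, routers: list, target: str):
    """Carry one datagram hop by hop. Each router decrements the TTL; when it
    reaches zero the router discards the datagram and answers with ICMP Time
    Exceeded (a router given as None stays silent instead). If the datagram
    survives every router, the target sends an echo reply."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            if router is None:
                return None, None          # dropped silently: shown as * by traceroute
            return ICMP_TIME_EXCEEDED, router
    return ICMP_ECHO_REPLY, target

def traceroute(routers: list, target: str, max_hops: int = 30) -> list:
    """Windows-style walk: TTL 1, 2, 3, ... until the target itself replies.
    Returns (ttl, responder) pairs; responder is None for a silent hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, responder = forward(ttl, routers, target)
        hops.append((ttl, responder))
        if kind == ICMP_ECHO_REPLY:
            break
    return hops

# Constructed addresses: the target is three hops away, behind two routers.
ROUTERS = ["10.0.0.1", "10.0.1.1"]
TARGET = "10.0.2.20"

if __name__ == "__main__":
    for ttl, responder in traceroute(ROUTERS, TARGET):
        print(f"{ttl:>3}  {responder or '*'}")
```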

Figure 4.10

Traceroute Capture

Notes from the Underground…

When Traceroutes Appear to End in the Atlantic Ocean

You have probably used traceroute to pinpoint one or more paths and find a source location. But if you have ever performed a traceroute that ended at Sealand, you may not have known what to think. While it is not quite in the middle of the Atlantic Ocean, it is located about 12 miles off the coast of England. It’s really nothing more than a platform made of concrete and steel that was designed to be used as an anti-aircraft platform during World War II. After
