
2.1 The TCP/IP Suite of Protocols

TCP/IP (Transmission Control Protocol/Internet Protocol) is a suite of network protocols. TCP and IP are only two of the protocols within the suite but arguably the most important. The TCP/IP protocols were designed to allow different applications on dissimilar operating systems to communicate across a network. I'll talk about some (certainly not all) of the TCP/IP protocols in the context of intrusion detection.

2.1.1 TCP

TCP (Transmission Control Protocol) is a connection-oriented transport layer protocol designed to provide a reliable connection for data exchange between two systems. TCP ensures that all packets are properly sequenced and acknowledged, and that a conversation is established before data is sent. This ensures that both machines are ready to have a conversation and that the information moving from one system to another makes it without anything being lost. Services using TCP as their communication mechanism listen on specific port numbers for clients to make requests. Some applications that make use of TCP as their method of communication are:

Virtual Terminal Protocol (Telnet port 23)
File Transfer Protocol (FTP ports 20 and 21)
Simple Mail Transfer Protocol (SMTP port 25)
Secure Shell (SSH port 23)

TCP provides its reliability through the use of an acknowledgment (network geeks call this an ACK). An ACK is returned by a receiving machine to a sending machine to tell the sender that the message that was sent was received without error. If the sender does not receive an ACK, it resends the message.

If a receiving machine needed to send an ACK for every packet, it would result in incredible overhead for the system and the network. To reduce the overhead, a mechanism called windowing is used. The receiving system advertises a certain number of packets it can receive at a time (essentially an input buffer size). The sending system watches for an ACK after the designated number of packets is sent. If an ACK is not received, data will be retransmitted from the point of the last ACK. If the receiving machine has trouble keeping up with the inflow of packets, it reduces the window size. If the machine is really getting hammered, it advertises a window size of zero and the sender stops transmission until an ACK with a nonzero window value is received.

2.1.1.1 The three-way handshake

To establish a TCP conversation, a three-way handshake is exchanged between a sending machine and a receiving machine. This establishes a communications link between the two systems. To start things, the sending machine sends a synchronize sequence numbers (SYN) packet to the receiving machine, which informs the receiving machine that a new conversation is requested and establishes a starting point for the sequence numbers that will number the packets being sent. These sequence numbers ensure that data is received and processed in the order that it was sent.

The receiving machine must acknowledge the SYN packet and tell the sending machine the initial sequence number that it will be using. To do this, the receiving machine transmits a single packet with both the SYN and ACK flags set (a SYN/ACK) to the sending machine. Finally, the sending machine sends an ACK to the receiving machine, along with the first batch of data (Figure 2-1).

Figure 2-1. Three-way handshake (figure not reproduced)


This entire process ensures that the receiving machine is alive and ready to accept data. To end the conversation, a similar three-step process takes place, wrapping things up with a FIN packet. Some applications choose to ignore the standard and simply send a RST packet that ends the conversation instead of performing a graceful close.
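The following Python is an added example, not code from the book: it decodes the fixed TCP header (including the advertised window and the flag bits) and then tracks each conversation through the three-way handshake, the FIN exchange and RST aborts described above, noting segments that arrive with no handshake and handshakes that never complete. The addresses, ports and sequence numbers in the demo are constructed; the segments are never put on the wire.

```python
import struct

# TCP flag bits, held in the low bits of the data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HEADER = struct.Struct("!HHIIHHHH")   # the fixed 20-byte header


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header into a dict of its fields."""
    if len(data) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = TCP_HEADER.unpack(data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,   # data offset is counted in 32-bit words
        "flags": off_flags & 0x01FF,
        "window": window,                       # receive window the sender is advertising
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed sample segments for the demo (checksum left at zero; never sent)."""
    return TCP_HEADER.pack(sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


class ConnectionTracker:
    """Follow each conversation through handshake, teardown and aborts, as an IDS must."""

    def __init__(self):
        self.conns = {}    # endpoint pair -> {state, client, client_isn, server_isn, fins}
        self.events = []   # observations worth logging

    def observe(self, src_ip, dst_ip, segment):
        hdr = parse_tcp_header(segment)
        a, b = (src_ip, hdr["sport"]), (dst_ip, hdr["dport"])
        key = tuple(sorted([a, b]))
        flags = hdr["flags"]
        conn = self.conns.get(key)

        if conn is None:
            if flags & SYN and not flags & ACK:
                # A new conversation: remember the client and its initial sequence number.
                self.conns[key] = {"state": "SYN_SENT", "client": a, "client_isn": hdr["seq"],
                                   "server_isn": None, "fins": set()}
            else:
                self.events.append("%s->%s: segment without a preceding SYN" % (a, b))
            return

        if flags & RST:
            conn["state"] = "RESET"
            self.events.append("%s->%s: conversation aborted with RST" % (a, b))
        elif flags & SYN and flags & ACK and conn["state"] == "SYN_SENT":
            if hdr["ack"] == conn["client_isn"] + 1:     # SYN/ACK must acknowledge the client's ISN
                conn["server_isn"] = hdr["seq"]
                conn["state"] = "SYN_RECEIVED"
            else:
                self.events.append("%s->%s: SYN/ACK acknowledges the wrong sequence number" % (a, b))
        elif flags & ACK and conn["state"] == "SYN_RECEIVED" and a == conn["client"]:
            if hdr["ack"] == conn["server_isn"] + 1:     # third packet of the handshake
                conn["state"] = "ESTABLISHED"
        elif flags & FIN and conn["state"] in ("ESTABLISHED", "FIN_WAIT"):
            conn["fins"].add(a)                          # a graceful close needs a FIN from each side
            conn["state"] = "CLOSED" if len(conn["fins"]) == 2 else "FIN_WAIT"

    def half_open(self):
        """Conversations whose three-way handshake never completed."""
        return [k for k, c in self.conns.items() if c["state"] in ("SYN_SENT", "SYN_RECEIVED")]


def demo():
    """Run four constructed conversations through the tracker; returns final states, events, half-open keys."""
    t = ConnectionTracker()
    c, s = "172.30.17.45", "172.30.17.10"   # constructed client and server addresses
    # 1. Full handshake, some data, then a graceful close with a FIN from each side.
    t.observe(c, s, build_tcp_header(40000, 23, 1000, 0, SYN))
    t.observe(s, c, build_tcp_header(23, 40000, 5000, 1001, SYN | ACK))
    t.observe(c, s, build_tcp_header(40000, 23, 1001, 5001, ACK | PSH))
    t.observe(c, s, build_tcp_header(40000, 23, 1020, 5001, FIN | ACK))
    t.observe(s, c, build_tcp_header(23, 40000, 5001, 1021, FIN | ACK))
    # 2. Full handshake, then the client ends it with RST instead of a graceful close.
    t.observe(c, s, build_tcp_header(40001, 25, 2000, 0, SYN))
    t.observe(s, c, build_tcp_header(25, 40001, 6000, 2001, SYN | ACK))
    t.observe(c, s, build_tcp_header(40001, 25, 2001, 6001, ACK))
    t.observe(c, s, build_tcp_header(40001, 25, 2001, 6001, RST))
    # 3. A SYN that is never answered stays half-open.
    t.observe(c, s, build_tcp_header(40002, 21, 3000, 0, SYN))
    # 4. A bare ACK for a conversation the tracker never saw start.
    t.observe(c, s, build_tcp_header(40003, 80, 4000, 9, ACK))
    states = {conn["client"][1]: conn["state"] for conn in t.conns.values()}
    return states, t.events, t.half_open()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The tracker keys conversations by the unordered pair of endpoints, so both directions of a connection land on the same entry, and it only accepts a SYN/ACK or final ACK that acknowledges the other side's initial sequence number plus one; a stray ACK with no handshake behind it is the sort of event a stream-aware sensor logs rather than silently accepts.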

2.1.2 UDP

UDP (User Datagram Protocol) provides an unreliable, connectionless system to deliver packets. Instead of providing mechanisms to guarantee delivery and sequencing, UDP lets upper-level applications worry about lost or out-of-sequence data. This protocol allows messages (called datagrams with UDP) to be sent without the overhead involved with ACKs and the establishment of a communications link. UDP is mostly used for broadcast communications or network-aware computer games. Services using UDP listen on specific port numbers—similar to TCP. Upper-level applications that use UDP as their communications mechanism include:

Trivial File Transfer Protocol (TFTP port 79)
Broadcasts
Network File System (NFS port 2049)
Unreal Tournament 2004 (port 7777)

2.1.3 IP

The Internet Protocol (IP) is used to handle datagram services between hosts. It handles the addressing, routing, fragmentation, and reassembly of packets. IP addresses are 32 bits long and are organized into 4 octets separated by periods. Here's an example: 172.30.17.45.
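As an added example (not the book's code), the Python below shows the 32-bit value behind a dotted-quad address, decodes an IPv4 header including the identification, flag and fragment-offset fields that fragmentation depends on, verifies the header checksum, and reassembles the fragments of one datagram. The addresses and payload are constructed for the demo.

```python
import ipaddress
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # the fixed 20-byte IPv4 header


def ipv4_to_int(dotted):
    """Pack the four octets of a dotted-quad address into the 32-bit value IP actually carries."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; a correct header (checksum included) sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data):
    """Decode an IPv4 header, including the fields that drive fragmentation and reassembly."""
    if len(data) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = IPV4_HEADER.unpack(data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "version": version, "header_len": ihl, "total_len": total_len, "id": ident,
        "ttl": ttl, "protocol": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,          # offset is in 8-byte units
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def build_ipv4_header(src, dst, payload_len, ident, proto=6, ttl=64, more_fragments=False, frag_offset=0):
    """Constructed sample headers for the demo, with a valid checksum (never sent)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(IPV4_HEADER.pack(*fields))
    return IPV4_HEADER.pack(*fields)


def reassemble(fragments):
    """Join (header, payload) fragments of one datagram in offset order; None while any piece is missing."""
    pieces = sorted(fragments, key=lambda f: f[0]["fragment_offset"])
    expected, data = 0, b""
    for hdr, payload in pieces:
        if hdr["fragment_offset"] != expected:   # gap or overlap: do not hand up a guess
            return None
        data += payload
        expected += len(payload)
    return None if pieces[-1][0]["more_fragments"] else data


def demo():
    """Split a constructed 24-byte payload into two fragments, parse them and put them back together."""
    src, dst = "172.30.17.45", "172.30.17.10"
    payload = b"A" * 16 + b"B" * 8
    frag1 = build_ipv4_header(src, dst, 16, ident=7, more_fragments=True, frag_offset=0)
    frag2 = build_ipv4_header(src, dst, 8, ident=7, more_fragments=False, frag_offset=16)
    h1, h2 = parse_ipv4_header(frag1), parse_ipv4_header(frag2)
    whole = reassemble([(h2, payload[16:]), (h1, payload[:16])])   # arrival order does not matter
    partial = reassemble([(h1, payload[:16])])                     # second piece never arrived
    damaged = parse_ipv4_header(frag1[:8] + bytes([frag1[8] ^ 0x01]) + frag1[9:])   # a TTL bit flipped in transit
    return h1, h2, whole, partial, damaged["checksum_ok"]
```

Fragments of one datagram share the identification field and source/destination pair; the last one carries a cleared more-fragments flag, and the receiver can only hand the payload up once every offset from zero to the end has been filled.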

2.1.4 ICMP

The Internet Control Message Protocol (ICMP) performs four main functions:

Flow control
When a system is too busy to handle incoming streams of data, ICMP sends a Source Quench message to stop the stream.

Unreachable destination alerts
If a system is unreachable, because an address does not match any system on the network or because of a link failure, a router sends a Destination Unreachable message to the sending machine.

Redirecting routes
A gateway machine can direct a sending machine to another gateway if it knows that a preferable route exists to the network on which the destination system resides. It does this by sending an ICMP Redirect message.

Checking remote hosts
ICMP echo messages are used to check the connectivity to a target system. These are commonly called pings.

Many network administrators restrict the types of ICMP packets allowed to traverse their networks. There are a number of network discovery tools that use ICMP to find information about the type and version of operating system running on a system.

That said, there is an argument against blocking ICMP in general. A ping of death is an oversized ICMP packet that causes a system to lock up. The days of systems being vulnerable to these sorts of things are past. Most firewalls discard such malformed packets automatically. In addition, ICMP is one of the most useful troubleshooting tools for network administrators. Blocking ICMP takes this useful tool out of your administrator's hands.
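The selective approach both paragraphs point at, restricting particular ICMP types rather than blocking the protocol wholesale, can be expressed in a few lines. The Python below is an added example, not the book's code: it decodes the common ICMP header, applies a constructed policy that keeps the echo, unreachable and time-exceeded messages administrators troubleshoot with while dropping and logging redirects and source quench, and rejects any datagram whose reassembled length exceeds what the IP length field can legitimately express. The sample messages and the policy table are constructed.

```python
import struct

ICMP_HEADER = struct.Struct("!BBH")   # type, code, checksum; the rest of the message depends on the type

ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
}

# Constructed policy: keep the types used for troubleshooting, drop and log the ones
# that change a host's routing or throttle it, drop anything unlisted.
POLICY = {
    "echo-request": "allow", "echo-reply": "allow",
    "destination-unreachable": "allow", "time-exceeded": "allow",
    "redirect": "drop+log", "source-quench": "drop+log",
}

MAX_DATAGRAM = 65535   # the largest total length an IPv4 datagram may have


def parse_icmp(data):
    """Decode the common ICMP header; the message body is returned untouched."""
    if len(data) < ICMP_HEADER.size:
        raise ValueError("truncated ICMP message")
    typ, code, _csum = ICMP_HEADER.unpack(data[:4])
    return {"type": typ, "code": code, "name": ICMP_TYPES.get(typ, "type-%d" % typ), "body": data[4:]}


def decide(msg, datagram_len):
    """Return (action, reason) for one ICMP message carried in an IP datagram of datagram_len bytes."""
    if datagram_len > MAX_DATAGRAM:
        # Only visible once fragments are reassembled: the oversized shape described above.
        return "drop+log", "reassembled datagram of %d bytes exceeds %d" % (datagram_len, MAX_DATAGRAM)
    action = POLICY.get(msg["name"], "drop")      # unlisted types are dropped silently
    return action, "%s code %d" % (msg["name"], msg["code"])


def build_icmp(typ, code, body=b""):
    """Constructed sample messages for the demo (checksum left at zero; never sent)."""
    return ICMP_HEADER.pack(typ, code, 0) + body


def demo():
    """Run constructed messages through the policy; returns the (action, reason) decisions in order."""
    samples = [
        (build_icmp(8, 0, b"ping"), 64),            # echo request
        (build_icmp(3, 3, b"\x00" * 28), 56),       # destination unreachable, code 3 = port unreachable
        (build_icmp(5, 1, b"\x00" * 28), 56),       # redirect for a host
        (build_icmp(4, 0, b"\x00" * 28), 56),       # source quench
        (build_icmp(13, 0, b"\x00" * 12), 40),      # timestamp request: not in the policy
        (build_icmp(0, 0, b"\x00" * 8), 65600),     # echo reply whose datagram is oversized
    ]
    return [decide(parse_icmp(raw), length) for raw, length in samples]


if __name__ == "__main__":
    for action, reason in demo():
        print("%-9s %s" % (action, reason))
```

The length check has to run after reassembly: no single fragment is oversized on its own, which is why the check belongs in the reassembly path rather than on each packet as it arrives.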

2.1.5 ARP

Every network interface card has a unique serial number associated with it (called a MAC address). At the lowest levels, this serial number is used to direct network packets to specific hosts on the local network. To send a packet to another network, an IP address is required. Mapping IP addresses to these MAC addresses is handled with the Address Resolution Protocol (ARP). A system will build an address resolution table dynamically as it learns of hosts on the local network.
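As an added example (not the book's code), the Python below decodes Ethernet/IPv4 ARP packets and builds the dynamic IP-to-MAC table described above from the sender fields of the requests and replies it sees; it also records when an address it already knows shows up with a different MAC, since a changed mapping is an event an administrator wants in the log. The MAC and IP addresses are constructed and the packets are never sent.

```python
import struct

ARP_PACKET = struct.Struct("!HHBBH6s4s6s4s")   # Ethernet/IPv4 ARP: 28 bytes
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def parse_arp(data):
    """Decode an Ethernet/IPv4 ARP packet into its opcode and the two address pairs."""
    if len(data) < ARP_PACKET.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PACKET.unpack(data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample packets for the demo (never sent)."""
    return ARP_PACKET.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                           mac_bytes(target_mac), ip_bytes(target_ip))


class ArpTable:
    """The dynamic IP-to-MAC table a host builds from the ARP traffic it sees."""

    def __init__(self):
        self.entries = {}   # ip -> mac
        self.changes = []   # (ip, old_mac, new_mac): worth a log line whenever it happens

    def learn(self, pkt):
        """Record the sender's mapping from any request or reply, as a real stack does."""
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.entries.get(ip)
        if old is not None and old != mac:
            self.changes.append((ip, old, mac))
        self.entries[ip] = mac

    def lookup(self, ip):
        return self.entries.get(ip)


def demo():
    """Constructed exchange: a request, its reply, a repeat, then the same IP seen with a new MAC."""
    t = ArpTable()
    host_a, host_b = "172.30.17.45", "172.30.17.10"
    mac_a, mac_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    t.learn(parse_arp(build_arp(ARP_REQUEST, mac_a, host_a, "00:00:00:00:00:00", host_b)))
    t.learn(parse_arp(build_arp(ARP_REPLY, mac_b, host_b, mac_a, host_a)))
    t.learn(parse_arp(build_arp(ARP_REPLY, mac_b, host_b, mac_a, host_a)))            # same mapping again
    t.learn(parse_arp(build_arp(ARP_REPLY, "00:11:22:33:44:99", host_b, mac_a, host_a)))  # host_b's NIC was replaced
    return dict(t.entries), list(t.changes)


if __name__ == "__main__":
    entries, changes = demo()
    print(entries)
    print(changes)
```

A request's target MAC is all zeros because the asker does not yet know it; the table is filled from the sender side of each packet, which is why both the request and the reply add an entry.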
