IP Overview

Disclaimer: This is only meant as a quick overview with an emphasis on firewall strategies. It is grossly simplified. You are encouraged to see the Resources section for more info.

IP (Internet Protocol)

IP runs directly on top of the link layer (forget OSI). Frames received by the ethernet card and identified as IP are passed up to the IP layer; other typical traffic at that layer is ARP or NetBEUI. Even though most people speak of TCP/IP as if it were a single protocol, TCP is actually a protocol running on top of IP (i.e. TCP over IP), and IP is capable of carrying many protocols besides the familiar TCP, UDP, ICMP and GRE; the protocol field of the IP header says which one a given packet carries. For a complete list of protocol numbers, see page 8 of RFC 1700 (since superseded by the online IANA protocol-numbers registry). You can also find a partial list in /etc/protocols.

TCP (Transmission Control Protocol)

As the name suggests, TCP controls the transmission of packets: it creates a virtual connection between the endpoints of the communication. It is virtual because there is no real circuit; the endpoints are simply firing packets at each other. However, TCP has provisions for the endpoints to establish that virtual connection, to ensure packet arrival, and to resend a packet if it is lost.

Three-way Handshake

A (virtual) connection is established via what is commonly known as a three-way handshake. Imagine a server (A) and a client (B).

1. (B) --> [SYN] --> (A)

If (B) needs to talk to (A), it initiates the first part of the three-way handshake by sending a SYN (Synchronize) packet. Note: a SYN packet is a TCP packet with only the SYN flag set (see the TCP header diagram in Resources). It is important to note that unless A receives a SYN packet from B, there is no way to establish a TCP connection. Therefore, if your firewall drops all SYN packets to your internal network (and to itself), nobody can establish a TCP connection to you, while connections you initiate yourself (whose SYN travels outbound) still work.

2. (B) <-- [SYN/ACK] <-- (A)

The second part of the three-way handshake is a SYN/ACK response from (A) to (B). It acknowledges the SYN packet. Note: a SYN/ACK packet is a TCP packet with the SYN and ACK flags set and no other TCP flags.

3. (B) --> [ACK] --> (A)

When (B) receives the SYN/ACK packet from (A), it completes the final part of the three-way handshake by returning an acknowledgement, an ACK packet. Note: an ACK packet is a TCP packet with the ACK flag set only.

The important thing to note here is that after the three-way handshake is completed, every packet that is part of this TCP connection will have the ACK bit set. This is also why connection tracking is so important. Without connection tracking, there is no way for your firewall to know whether an arriving ACK packet is really part of an established connection. When a simple packet filter (such as ipchains) receives a packet with the ACK flag set, it simply allows the packet through (does this sound like a good idea?). This is exactly what an ACK scan exploits: a forged bare ACK that the filter lets through provokes a RST from the host behind it, which tells the attacker which ports your filter leaves open. When a stateful firewall receives an ACK packet, it consults its connection table to see whether the packet belongs to an established connection. If it does not, the packet is dropped.

Four-way Handshake

What goes up must come down. A four-way handshake tears down a previously established TCP connection. Again, using the same scheme as above:

1. (B) --> [ACK/FIN] --> (A)
2. (B) <-- [ACK] <-- (A)
3. (B) <-- [ACK/FIN] <-- (A)
4. (B) --> [ACK] --> (A)

Note: since a TCP connection is a two-way connection, it needs to be torn down in both directions. An ACK/FIN packet (ACK and FIN flags set) is sometimes referred to as a FIN (Finish) packet. However, since the connection is not yet torn down, it is always accompanied by the ACK flag. A packet with only the FIN flag set is not legitimate and is very likely to have been crafted deliberately.

Resetting a connection

The four-way handshake is not the only way to tear down an established TCP connection. Sometimes, if either host needs to tear down the connection quickly (timeout, port or host unreachable, etc.), a RST (Reset) packet is sent. Note that since a RST packet is not necessarily part of a TCP connection, it can be sent by itself; a RST packet that is part of an existing TCP connection usually carries the ACK flag as well. Note also that RST packets are never acknowledged.

Invalid TCP Flags

By now, you have seen the SYN, ACK, FIN and RST flags. In addition, there are also PSH (Push) and URG (Urgent). A SYN/FIN packet is the most well known illegal combination. Since a SYN packet is used to initiate a connection, it should never have the FIN or RST flag set in conjunction; such a packet is always deliberately crafted, whether to fingerprint your TCP stack or to get past your firewall. Most firewalls are now aware of SYN/FIN packets. Other combinations include SYN/FIN/PSH, SYN/FIN/RST, SYN/FIN/RST/PSH, etc. These are always a sign that your network is being probed or attacked.

Other well known illegal packets are FIN (without ACK) and the "NULL" packet. As discussed earlier, a FIN packet should always be accompanied by the ACK bit, since the only reason to send an ACK/FIN packet is to tear down an existing connection. A "NULL" packet is a packet with no TCP flags set at all. Both also indicate malicious activity: they are the basis of the FIN, NULL and "Xmas" (FIN/PSH/URG) scans, which rely on a closed port answering with a RST while an open port stays silent, and on stateless filters that only match on SYN letting them through. No known TCP stack produces packets with any of the above flag combinations during normal activity. If you receive an invalid packet as described above, it is always a sign that someone is up to no good, and even a firewall that is not stateful should match these combinations explicitly and drop them.

UDP (User Datagram Protocol)

UDP is connectionless. There are no flags and no acknowledgements of receipt; it is simply up to the application to deal with packet loss (or unexpected arrival). The important thing to note here is that, under normal circumstances, when a UDP packet arrives at a closed port the host answers with an ICMP "port unreachable" message (ICMP type 3, code 3). There is no such thing as a UDP reset, because UDP has no control packets of its own, and when a packet arrives at an open port nothing at all is sent back unless the application chooses to reply. Therefore, if you silently drop UDP packets on your firewall, every UDP port behind it looks exactly like an open one to a scanner (nmap reports such ports as "open|filtered"). Since the normal condition on the Internet is that some packets are lost, even some UDP packets to closed (unfiltered) ports will never arrive and therefore never trigger a port-unreachable message, and many hosts also rate-limit the ICMP errors they send. For these reasons, UDP port scanning is never very accurate or reliable. It seems that fragmentation of huge UDP packets is a popular form of DoS (Denial of Service) attack (see http://grc.com/dos/grcdos.htm for an example).

ICMP (Internet Control Message Protocol)

As the name suggests, ICMP is used to communicate control messages between hosts and routers on the Internet. ICMP packets can carry diagnostic (ping, traceroute; note that the classic unix traceroute actually sends UDP probes and only relies on the ICMP "time exceeded" and "port unreachable" replies, whereas Windows tracert uses ICMP echo), error (network/host/port unreachable), informational (timestamp, address mask request, etc.), or control (source quench, redirect, etc.) messages. A summary of ICMP message types can be found at http://www.iana.org/assignments/icmp-parameters.

Although ICMP is generally harmless, there are nevertheless some message types that ought to be dropped at the border. Redirect (5), Alternate Host Address (6) and Router Advertisement (9) can be used to redirect traffic from your site. Echo (8), Timestamp (13) and Address Mask Request (17) can be used to learn whether a host is up, its local time and the address mask used on your network, respectively; note that each has an associated reply type (0, 14 and 18). While these are not exploitable in and of themselves, they leak information that may be useful to an attacker. ICMP messages are also sometimes used as part of DoS attacks (e.g. flood ping, ping of death). Do not drop ICMP wholesale, though: the error messages, in particular Destination Unreachable (3) with its "fragmentation needed" code, are what path MTU discovery depends on, and blocking them breaks connections in ways that are hard to diagnose.
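The TCP behaviour described above (three-way handshake, four-way teardown, RST, the illegal flag combinations, and why an ipchains-style rule that passes anything with ACK set is a bad idea) in one runnable illustration. This is an added example, not code from the original page: packets are modelled as (src, sport, dst, dport, flags) tuples rather than parsed from the wire, and the INSIDE host set, the addresses and the packet trace are constructed for this page.

```python
# Added example, not code from the original page: a toy stateful TCP filter.
# Packets are modelled as (src, sport, dst, dport, flags) tuples instead of
# being parsed from the wire; INSIDE and the trace at the bottom are assumed.

# Flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))

INSIDE = {"10.0.0.5"}   # assumed: hosts allowed to open outbound connections


def flag_str(flags):
    """Render a flag byte as e.g. 'SYN/ACK'; no flags at all is 'NULL'."""
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit) or "NULL"


def invalid_flags(flags):
    """Return why a combination is illegal (see 'Invalid TCP Flags'), else None."""
    if flags == 0:
        return "NULL packet"
    if flags & SYN and flags & (FIN | RST):
        return "SYN combined with FIN or RST"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def conn_key(pkt):
    """Direction-independent key so both halves of a connection share one entry."""
    src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def stateless_filter(pkt, table):
    """ipchains-style rule set: anything with ACK set is assumed to belong to an
    established connection, and only inside hosts may send a bare SYN."""
    src, _, _, _, flags = pkt
    if invalid_flags(flags):
        return "DROP"
    if flags & ACK or (flags & SYN and src in INSIDE):
        return "ACCEPT"
    return "DROP"


def stateful_filter(pkt, table):
    """Consult and update the connection table before passing any packet."""
    src, _, _, _, flags = pkt
    if invalid_flags(flags):
        return "DROP"
    k = conn_key(pkt)
    state = table.get(k)
    if flags & RST:                       # RST ends a tracked connection; a stray RST is dropped
        if state is None:
            return "DROP"
        del table[k]
        return "ACCEPT"
    if flags & SYN and not flags & ACK:   # handshake step 1: only from inside, only once
        if src not in INSIDE or state is not None:
            return "DROP"
        table[k] = "SYN_SENT"
        return "ACCEPT"
    if flags & SYN:                       # handshake step 2 (SYN/ACK) must answer our SYN
        if state != "SYN_SENT":
            return "DROP"
        table[k] = "SYN_RECV"
        return "ACCEPT"
    if state is None:                     # any other packet needs a table entry
        return "DROP"
    if flags & FIN:                       # ACK/FIN: the first half-closes, the second finishes
        if state == "ESTABLISHED":
            table[k] = "FIN_WAIT"
        elif state == "FIN_WAIT":
            table[k] = "LAST_ACK"
        else:
            return "DROP"
        return "ACCEPT"
    if state == "SYN_RECV":               # handshake step 3 completes the connection
        table[k] = "ESTABLISHED"
    elif state == "LAST_ACK":             # teardown step 4 removes it
        del table[k]
    return "ACCEPT"                       # plain ACK (maybe with PSH/URG) on a known connection


def run(trace, filt):
    """Feed a packet trace through a filter with a fresh table; return the verdicts."""
    table = {}
    return [filt(pkt, table) for pkt in trace]


OUT, IN = "203.0.113.9", "10.0.0.5"
TRACE = [  # constructed: one complete connection, then probes from outside
    (IN, 40000, OUT, 80, SYN), (OUT, 80, IN, 40000, SYN | ACK), (IN, 40000, OUT, 80, ACK),
    (IN, 40000, OUT, 80, PSH | ACK), (OUT, 80, IN, 40000, ACK),
    (IN, 40000, OUT, 80, FIN | ACK), (OUT, 80, IN, 40000, ACK),
    (OUT, 80, IN, 40000, FIN | ACK), (IN, 40000, OUT, 80, ACK),
    (OUT, 4444, IN, 22, ACK),        # forged bare ACK (ACK scan)
    (OUT, 4444, IN, 22, FIN | ACK),  # forged ACK/FIN for a connection that never existed
    (OUT, 4444, IN, 22, SYN | FIN),  # illegal combination
    (OUT, 4444, IN, 22, 0),          # NULL packet
    (OUT, 4444, IN, 22, FIN),        # FIN without ACK
    (OUT, 4444, IN, 22, SYN),        # unsolicited inbound SYN
]

if __name__ == "__main__":
    for pkt, sl, sf in zip(TRACE, run(TRACE, stateless_filter), run(TRACE, stateful_filter)):
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  {flag_str(pkt[4]):8} "
              f"stateless={sl:6} stateful={sf}")
```

Both filters reject the illegal flag combinations and the unsolicited inbound SYN, so the difference shows up only on the two forged packets from 203.0.113.9:4444: the stateless rule waves the bare ACK and the ACK/FIN through because ACK is set, while the stateful filter drops them because no entry in its table matches. The table is empty again once the four-way teardown completes, which is what keeps a real connection tracker from growing without bound.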
A Note About Packet Fragmentation

If an IP packet is larger than the MTU (Maximum Transmission Unit) of a link on its path, the only way for it to reach its destination is to be fragmented. (TCP normally avoids this by negotiating an MSS, Maximum Segment Size, small enough for each segment to fit in one packet; UDP and ICMP have no such mechanism.) While there are legitimate reasons for a packet to be fragmented, fragmentation can also be exploited. Every fragment carries an IP header, but only the first fragment (fragment offset 0) contains the TCP or UDP header, so a packet filter cannot examine ports or flags in the remaining fragments without first doing fragment reassembly. Typical attacks use overlapping fragments: the first fragment carries a transport header that passes the firewall rules, and a later fragment whose offset overlaps it rewrites fields of that header, classically the TCP flags, before the end host reassembles the packet. A first fragment too short to even contain the flags field (the "tiny fragment" attack) is the other classic variant; RFC 1858 describes both and the checks that defeat them. Fragmented packets can also be used in DoS attacks, either to crash older IP stacks (ping of death, teardrop) or to saturate the link or the CPU. The connection tracking code in Netfilter/iptables automatically reassembles fragments before applying rules, so it is not fooled by overlapping fragments; it does, however, remain vulnerable to link/CPU saturation attacks.
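The fragment attack described above, shown end to end as an added example that is not code from the original page: a first fragment that looks like a harmless ACK to port 80, a second fragment at offset 1 that overwrites the flags field with SYN, a naive filter that only inspects the first fragment, a filter that reassembles first (as netfilter does), and the two checks from RFC 1858. Fragments are modelled as (offset in 8-byte units, more-fragments flag, data) tuples; the "first" and "last" reassembly policies are a simplification of what real stacks do, and every packet is constructed for illustration.

```python
# Added example, not code from the original page: overlapping IP fragments
# rewriting a TCP header field that a filter only inspected in the first
# fragment, next to the two checks RFC 1858 recommends. Fragments are
# modelled as (offset in 8-byte units, more-fragments flag, data); the
# reassembly policies and all packets are constructed for illustration.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Minimal 20-byte TCP header, no options; checksum and urgent pointer zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp(segment):
    """Pull the fields a filter cares about out of a (reassembled) segment."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"sport": sport, "dport": dport, "flags": flags}


def reassemble(fragments, policy):
    """Glue (offset, mf, data) fragments into one transport segment.
    'last': a later fragment overwrites bytes already received (overlap honoured);
    'first': the first data seen for a byte wins. Real stacks differ here,
    which is exactly why a filter's view can disagree with the end host's."""
    buf, seen = bytearray(), bytearray()
    for off8, _mf, data in fragments:
        start = off8 * 8
        if start + len(data) > len(buf):
            pad = start + len(data) - len(buf)
            buf.extend(b"\0" * pad)
            seen.extend(b"\0" * pad)
        for i, byte in enumerate(data):
            if policy == "last" or not seen[start + i]:
                buf[start + i] = byte
            seen[start + i] = 1
    return bytes(buf)


def first_fragment_filter(fragments, allowed_dport=80):
    """Naive filter: inspects the TCP header in the offset-0 fragment and passes
    every other fragment unseen, because those carry no transport header."""
    for off8, _mf, data in fragments:
        if off8 == 0:
            hdr = parse_tcp(data)
            if hdr["dport"] != allowed_dport or hdr["flags"] & SYN:
                return "DROP"
    return "ACCEPT"


def reassembling_filter(fragments, policy, allowed_dport=80):
    """What netfilter does: reassemble first, then apply the same rule."""
    hdr = parse_tcp(reassemble(fragments, policy))
    return "DROP" if hdr["dport"] != allowed_dport or hdr["flags"] & SYN else "ACCEPT"


def rfc1858_check(fragments, tmin=16):
    """RFC 1858's two checks: a first fragment must carry at least the TCP flags
    (bytes 0..15, so 16 bytes), and no fragment may start at offset 1, the only
    offset from which the flags field can be overwritten."""
    for off8, _mf, data in fragments:
        if off8 == 0 and len(data) < tmin:
            return "DROP"          # tiny fragment
        if off8 == 1:
            return "DROP"          # overlapping fragment aimed at bytes 8..15
    return "ACCEPT"


# Constructed attack: the first fragment looks like an ACK to port 80; the
# second, at offset 1 (byte 8), re-sends bytes 8..15 with the flags set to SYN.
ATTACK = [
    (0, True, tcp_header(12345, 80, ACK) + b"GET "),            # 24 bytes at offset 0
    (1, False, struct.pack("!IBBH", 0, 5 << 4, SYN, 65535)),    # 8 bytes at byte 8
]
# Constructed benign case: a 32-byte segment split at the 24-byte boundary.
BENIGN = [
    (0, True, tcp_header(12345, 80, ACK) + b"GET "),
    (3, False, b"/ HTTP/1"),
]

if __name__ == "__main__":
    for name, frags in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, "first-fragment-only:", first_fragment_filter(frags),
              "reassemble(last):", reassembling_filter(frags, "last"),
              "reassemble(first):", reassembling_filter(frags, "first"),
              "rfc1858:", rfc1858_check(frags))
```

The first-fragment-only filter accepts the attack because the only header it ever sees says ACK to port 80. Reassembling before filtering catches it under the "last" policy, but not under "first", which is the point of the RFC 1858 checks: they reject the offset-1 fragment outright, so the verdict no longer depends on guessing which overlap policy the host behind the firewall uses.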
Shane Tzen © 2010