

17.1 TCP/IP

TCP/IP is a combination of protocols that includes the Internet Protocol (IP), Transport Control Protocol (TCP), and User Datagram Protocol (UDP). IP functions at the network layer, addressing and routing data. TCP operates on the transport layer, acknowledging receipt of information and resending information when necessary. UDP is a very simple protocol that some applications use instead of TCP when an acknowledgement of receipt is not desired or when acknowledgements are handled by the application. These transport layer protocols are designed to ameliorate the common problems that arise on a network, including hardware failure, network congestion, and data delay, loss, corruption, and sequencing errors (Figure 17.1).

Figure 17.1: TCP/IP diagram with OSI layers superimposed.

When a large number of hosts are competing to use the same wires and hardware on a network, some fair method of sharing these resources is necessary. To enable equal sharing of the network, TCP and UDP break data into small packets (a.k.a. datagrams) before they are transmitted.

Breaking data into packets prevents large messages from monopolizing the network and enables two hosts to open multiple lines of communication on a single physical wire. For example, two hosts can exchange e-mail, Web pages, and Usenet messages simultaneously by breaking the information into packets and putting the packets on the network, entrusting routers to direct packets to their destination where they are reconstituted. This type of network is called a packet-switched network to differentiate it from the more expensive and reliable circuit-switched networks.

Circuit-switched networks operate by forming a dedicated connection (circuit) between two points. The US telephone system uses circuit switching technology — a telephone call establishes a circuit from the originating phone through the local switching office, across trunk lines, to a remote switching office, and finally to the destination telephone ... The advantage of circuit switching lies in its guaranteed capacity: once a circuit is established, no other network activity will decrease the capacity of the circuit. One disadvantage of circuit switching is cost: circuit costs are fixed, independent of traffic. For example, one pays a fixed rate for a phone call, even when the two parties do not talk.

Packet-switched networks, the type used to connect computers, take an entirely different approach ... The network hardware delivers the packets to the specified destination, where software reassembles them into a single file again. The chief advantage of packet-switching is that multiple communications among computers can proceed concurrently, with intermachine connections shared by all pairs of machines that are communicating. The disadvantage, of course, is that as activity increases, a given pair of communicating computers receives less of the network capacity. That is, whenever a packet-switched network becomes overloaded, computers using the network must wait before they can send additional packets. (Comer 1995)

17.1.1 Internet Protocol and Cellular Data Networks

On the network layer, the Internet Protocol (IP) is primarily responsible for addressing and routing information. After TCP breaks data into packets, IP addresses each packet and adds some other information (recall Table 16.2). Cellular digital packet networks use network layer protocols like IP to address packets. Although GPRS does not quite follow the OSI model, it supports TCP/IP using a tunneling protocol. The following scenario describes the potential of wireless packet-switched networking if you were traveling between Los Angeles and Las Vegas:

You boot up your notebook computer with its CDPD wireless modem enroute to your office in Los Angeles. The ride from Las Vegas to Los Angeles will take several hours, but you can't wait. You've got to check your e-mail for an important message regarding your biggest client. Let's look at the concepts that allow you to do this.

When your wireless modem initiates a connection, a registration process is started that provides your remote device with access to your home carrier's wireless network. Your wireless modem is homed to a specific router that will keep track of your location and all messages intended for you will be forwarded to that router.

When you move out of your home [region], this home router will forward your packets to another router, which in turn directs traffic within the group of [neighboring regions] you are in at that particular time. This method keeps routing updates to a minimum and allows you to roam freely, from [region] to [region] or city to city. (Henry and DeLibero 1996)

17.1.2 IP Addresses

Each computer attached to the Internet has a unique address, called an IP address. Each IP address comprises two parts, the network number and the host number. The network number is a unique number that identifies a computer network attached to the Internet and the host number is a unique number that identifies a computer on that network. This is conceptually the same as a telephone number that has an area code and a local number (Figure 17.2).

Figure 17.2: IP addresses are conceptually the same as telephone numbers.

To accommodate networks of different sizes, three classes of addresses were agreed upon (Table 17.1).

Table 17.1: IP address classes.[a]

    CLASS      IP ADDRESS RANGE       EXAMPLE NETWORK # (N) AND HOST # (H)
    Class A    1.0.0.0-126.0.0.0      124.11.12.13 is network 124, host 11.12.13
    Class B    128.0.0.0-191.0.0.0    156.134.15.16 is network 156.134, host 15.16
    Class C    192.0.0.0-223.0.0.0    192.132.12.13 is network 192.132.12, host 13

[a]Several IP address ranges (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.0.0, and 192.168.1.0-192.168.1.255) are set aside for private use and are not used in the same way as other IP addresses.

These classes of IP addresses are like real estate on the Internet. Class A is prime Internet real estate because it can accommodate up to 16,777,214 hosts, whereas a Class C network can only fit 254 hosts. The larger Class A and Class B networks are usually divided into subnets to make them more manageable. The most common subnet size is 254 hosts, but subnet masks permit fewer hosts per subnet.

Although each computer on the Internet has a unique IP address, computers can be reconfigured with a different IP address quite easily, enabling criminals to misdirect investigators. What prevents an offender from changing the IP address of his computer prior to committing a crime, making it appear to come from another host on the network? The answer depends on the circumstances. For instance, when a dial-up connection is used (e.g. PPP), the ISP assigns an IP address to the connection. Under these circumstances, it is not possible for the offender to reconfigure his computer with another IP address. When a computer is connected to an Ethernet network, it can be configured with any IP address. However, routers segregate networks into subnets, and the offender can only reconfigure his computer with another IP address on the same subnet.[1]

17.1.3 Domain Name System

Although computers work well with numbers, people are more comfortable with names. For convenience, the Domain Name System (DNS) was created to assign names to IP addresses. For example, the canonical name for 64.39.2.185 is "cirrus.rackspace.com" as shown here using nslookup - a command that comes with Windows and UNIX for querying the DNS:

    C:\> nslookup 64.39.2.185
    Name:      cirrus.rackspace.com
    Address:   64.39.2.185
    Aliases:   www.rackspace.com

Notably, this IP address also has a secondary "alias" entry in DNS (www.rackspace.com). Whenever a name is used to refer to a computer (e.g. typing the name of a Web site into a browser), the DNS works behind the scenes to determine the associated numerical IP address.

Another useful tool for querying DNS is called dig (Domain Information Groper), available on UNIX systems and in the NetScanTools Pro for Windows.[2] The following dig results for the above IP address show its name and authoritative DNS servers. Authoritative DNS servers are the servers that all other servers in DNS rely on for the correct information relating to a given host:

    dig -x 64.39.2.185
    ; <<>> DiG 921 <<>> -x 64.39.2.185
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64879
    ;; flags: qr rd ra, QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0,
    ;; QUESTION SECTION:
    ;185.2.39.64.in-addr.arpa.       IN        PTR
    ;; ANSWER SECTION:
    185.2.39.64.in-addr.arpa. 86400  IN        PTR      cirrus.rackspace.com.
    ;; AUTHORITY SECTION:
    2.39.64.in-addr.arpa.    86400   IN        NS       ns2.rackspace.com.
    2.39.64.in-addr.arpa.    86400   IN        NS       ns.rackspace.com.
    ;; Query time: 89 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Mon Apr 7 18:21:38 2003
    ;; MSG SIZE rcvd: 111

It is sometimes possible to obtain a list of all machines in the DNS belonging to a specific organization (a.k.a. domain or zone) by performing a zone transfer as shown in Figure 17.3 using NetScanTools Pro.

Figure 17.3: A zone transfer using NetScanTools Pro requires the DNS server to be set to one of the target system's DNS servers under Advanced Query Options (accessed using the "Adv Qry Setup" button).

A zone transfer can be obtained on UNIX using the command dig @ns.domain.com domain.com AXFR. However, because computer intruders can use information in a zone transfer to plan an attack on a network, some DNS servers do not permit this type of query.

17.1.4 IP Routing

Once addressed, a packet is ready to venture out onto the Internet where it will be directed to the destination specified in the IP header. For example, when a computer in Baltimore sends information to yale.edu in New Haven, the information must pass through several intermediate routers. The IP software on each router contains a routing table that it uses to determine where to send information (Figure 17.4).

Figure 17.4: IP Routing.

An analogy might clarify how routing tables work. Imagine someone driving a car from Baltimore to New Haven and reaching a junction with three signs. One sign indicates that Philadelphia is straight ahead, another sign indicates that Atlantic City is to the right, and a third sign indicates that all other locations are to the left. Therefore, the driver goes right and continues until reaching another junction. The driver repeatedly follows the road signs until finding one that says "New Haven," indicating that the destination city has been reached. All that remains is for the driver to find the specific building that he/she is looking for. Routing tables are the road signs on the information superhighway. When a packet is traveling from Baltimore to New Haven, the routers that it passes through are like junctions and the routing tables are used to determine where the packet should go next to reach its destination. When the packet finally reaches the network that it is destined for, all that remains is for a router to direct the packet to the correct host. To extend the analogy, networks use different protocols for short and long distance routing just as people use different road signs when travelling short and long distances.

A program called traceroute provides a list of routers that information passes through to reach a specific host. For instance, the route that a packet takes between a host in Baltimore and yale.edu is shown here:[3]

    % traceroute yale.edu
    traceroute to yale.edu (130.132.59.127), 30 hops max, 40 byte packets
     1 a6-0-0-1710.q-esr1.balt.verizon-gni.net (151.196.4.194) 126.933 ms 17.403 ms 18.702 ms
     2 dca-edge-04.inet.qwest.net (63.238.58.233) 18.934 ms 39.274 ms 24.343 ms
     3 dca-core-02.inet.qwest.net (205.171.9.65) 20.827 ms 85.062 ms 19.051 ms
     4 ewr-core-03.inet.qwest.net (205.171.8.182) 24.504 ms 95.07 ms 25.54 ms
     5 ewr-core-02.inet.qwest.net (205.171.17.33) 24.121 ms 23.582 ms 22.059 ms
     6 bos-core-01.inet.qwest.net (205.171.8.28) 31.766 ms 27.12 ms 27.171 ms
     7 bos-edge-02.inet.qwest.net (205.171.28.14) 28.826 ms 28.482 ms 29.089 ms
     8 63.145.0.14 (63.145.0.14) 32.776 ms 32.485 ms 31.323 ms
     9 greed.net.yale.edu (130.132.1.39) 109.16 ms 37.569 ms 36.242 ms
    10 yale.edu (130.132.59.127) 112.104 ms 32.962 ms 53.772 ms

The traceroute program is useful for getting a rough idea of which routers were involved in the transport of information on the Internet. Intermediate routers may have relevant digital evidence in log files as discussed in later chapters. Also, the path that the data took can clarify which borders and boundaries were crossed during the perpetration of a crime. Special purpose programs like Visual Route attempt to superimpose traceroute results on a map to provide related geographical information. However, this geographical information is usually quite general and can be incorrect. Therefore, when seeking digital evidence from a specific router, use Whois databases, described in Chapter 18, to obtain contact information for the people responsible for that router and contact them directly to determine exactly where the desired data are located.

It is a common misconception that routers are more intelligent, finding the "best" route between hosts. Although this is technically possible it is rarely practised at present. Similarly, many people make the mistake of thinking that two packets will take different routes traveling between the same two hosts on the Internet. As can be seen when using traceroute, the route between two hosts remains the same even though the Internet was designed to be flexible. Packets can be forced to take a different path by changing the routing table on one of the intermediate routers, effectively creating a detour. This type of detour can be created manually (e.g. by a network administrator or computer intruder) or using protocols such as BGP and OSPF. However, network administrators only make such changes once in a while and once such a change is made, all packets will follow the same detoured path. Therefore, it is safe to assume that all packets traveling between the host in Baltimore and Yale University take the same route, making it much easier to establish the continuity of offense and locate digital evidence relating to a limited number of intermediate routers. Over longer periods of time, routes change as network administrators make improvements.

17.1.5 Servers and Ports

When a computer receives packets of an e-mail message, a Web page, and a Usenet message at the same time, how does it distinguish between the different types of data? How does the host know which packets contain pieces of the e-mail and which packets contain pieces of the Web page? Computers use numbers, called ports, to distinguish between different types of data.

To clarify, imagine a single computer running an e-mail server and a Web server, each listening for network connections on their default ports (25 and 80, respectively). When the computer receives packets with the number 25 in the port field (Figure 17.5), it assumes that they are e-mail related. If the packets are not e-mail related, the e-mail server will not know what to do with the data and will return an error, crash, or do nothing at all. Similarly, when the computer receives packets with the number 80 in the port field, it assumes that the packets are intended for the Web server. However, any server can be configured to listen at any port so these port associations are not definitive.[4]

Figure 17.5: UDP packet with port number in the heading being transmitted to a server.

Any host, even a personal computer in someone's home, can function as a server on the Internet. In fact, Windows desktops come with a server that listens for network connections on port 139 and enables resource sharing over networks using NetBIOS. For instance, using a program like nmap to scan a Windows XP machine remotely for listening ports gives the following results:

    remote-scanning-machine% nmap 192.168.0.4
    Starting nmap V. 3.00 (www.insecure.org/nmap)
    Interesting ports on    (192.168.0.4):
    Port           State    Service
    135/tcp        open     loc-srv
    139/tcp        open     netbios-ssn
    445/tcp        open     microsoft-ds
    5000/tcp       open     UpnP
    31337/tcp      open     unknown
    5800/tcp       open     vnc-http
    5900/tcp       open     vncs
    Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

The above port scan results indicate that another server, called Virtual Network Computer (VNC),[5] is listening for connections on port 5800 and 5900. The VNC program permits full remote control of a computer and has legitimate uses such as remote system administration. However, computer intruders also use VNC and similar programs (e.g. SubSeven, Back Orifice) to gain full remote control over hosts they have broken into.

Information about listening ports and any associated connections can be obtained using the netstat command. For instance, executing netstat on the same Windows XP host (192.168.0.4) that was just scanned with nmap produces the following output:

    C:\>netstat -ano -p tcp
    Active Connections
    Proto     Local Address          Foreign Address       State          PID
    TCP       0.0.0.0:135            0.0.0.0:0             LISTENING      912
    TCP       0.0.0.0:445            0.0.0.0:0             LISTENING      4
    TCP       0.0.0.0:1028           0.0.0.0:0             LISTENING      4
    TCP       0.0.0.0:5000           0.0.0.0:0             LISTENING      1124
    TCP       0.0.0.0:5800           0.0.0.0:0             LISTENING      2760
    TCP       0.0.0.0:5900           0.0.0.0:0             LISTENING      2760
    TCP       192.168.0.4:139        0.0.0.0:0             LISTENING      4
    TCP       192.168.0.4:1540       0.0.0.0:0             LISTENING      4
    TCP       192.168.0.4:1540       192.168.0.2:139       ESTABLISHED    4
    TCP       192.168.0.4:5900       172.16.0.15:2512      ESTABLISHED    2760

The last connection (in bold) shows that a remote computer (172.16.0.15) is connected to the Windows XP system via VNC on port 5900. Additionally, the second to last line indicates that the Windows XP host is accessing a shared resource on another Windows host (192.168.0.2) using NetBIOS (port 139). Although it is not evident from this information alone whether these connections are legitimate or suspicious, it is clear that someone has full remote control of this Windows XP system via VNC and can access some information on a neighboring host (192.168.0.2) via the NetBIOS connection. This example also demonstrates the importance of correlating data from multiple sources to obtain a more complete picture of what is going on.
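The correlation described above can be automated. The following Python code is an added example, not part of the original text: it parses the nmap and netstat listings shown in this section, compares what the scanner saw with what the host reports, and classifies each established connection. The direction heuristic, the function names, and the watch list of remote-control ports are assumptions made for illustration.

```python
import re

# Rows copied from the nmap and netstat listings shown in this section.
NMAP_OUTPUT = """\
135/tcp        open     loc-srv
139/tcp        open     netbios-ssn
445/tcp        open     microsoft-ds
5000/tcp       open     UpnP
31337/tcp      open     unknown
5800/tcp       open     vnc-http
5900/tcp       open     vncs
"""

NETSTAT_OUTPUT = """\
TCP       0.0.0.0:135            0.0.0.0:0             LISTENING      912
TCP       0.0.0.0:445            0.0.0.0:0             LISTENING      4
TCP       0.0.0.0:1028           0.0.0.0:0             LISTENING      4
TCP       0.0.0.0:5000           0.0.0.0:0             LISTENING      1124
TCP       0.0.0.0:5800           0.0.0.0:0             LISTENING      2760
TCP       0.0.0.0:5900           0.0.0.0:0             LISTENING      2760
TCP       192.168.0.4:139        0.0.0.0:0             LISTENING      4
TCP       192.168.0.4:1540       0.0.0.0:0             LISTENING      4
TCP       192.168.0.4:1540       192.168.0.2:139       ESTABLISHED    4
TCP       192.168.0.4:5900       172.16.0.15:2512      ESTABLISHED    2760
"""

# Remote-control service ports named in the text (VNC); an assumed watch list.
REMOTE_CONTROL_PORTS = {5800: "vnc-http", 5900: "vnc"}

NETSTAT_ROW = re.compile(
    r"^[ \t]*TCP[ \t]+(\S+):(\d+)[ \t]+(\S+):(\d+)[ \t]+([A-Z_]+)[ \t]+(\d+)[ \t]*$",
    re.M,
)


def parse_nmap_open_ports(text):
    """Return the set of TCP ports the scanner reported as open."""
    return {int(m.group(1))
            for m in re.finditer(r"^[ \t]*(\d+)/tcp[ \t]+open\b", text, re.M)}


def parse_netstat(text):
    """Parse 'netstat -ano -p tcp' rows into dictionaries."""
    rows = []
    for m in NETSTAT_ROW.finditer(text):
        rows.append({
            "local_ip": m.group(1), "local_port": int(m.group(2)),
            "remote_ip": m.group(3), "remote_port": int(m.group(4)),
            "state": m.group(5), "pid": int(m.group(6)),
        })
    return rows


def direction(row, listening):
    """Heuristic (assumption): a peer on a well-known port (<1024) means this
    host is the client; otherwise a connection to a listening port is inbound."""
    if row["remote_port"] >= 1024 and row["local_port"] in listening:
        return "inbound"
    return "outbound"


def correlate(nmap_text, netstat_text):
    """Combine the external (scan) and internal (netstat) views of one host."""
    rows = parse_netstat(netstat_text)
    scanned = parse_nmap_open_ports(nmap_text)
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    report = {
        "open_to_scan_but_not_in_netstat": sorted(scanned - listening),
        "listening_but_not_in_scan": sorted(listening - scanned),
        "remote_control_sessions": [],
        "outbound": [],
    }
    for r in (r for r in rows if r["state"] == "ESTABLISHED"):
        if direction(r, listening) == "inbound":
            if r["local_port"] in REMOTE_CONTROL_PORTS:
                report["remote_control_sessions"].append(
                    (r["remote_ip"], r["local_port"], r["pid"]))
        else:
            report["outbound"].append((r["remote_ip"], r["remote_port"], r["pid"]))
    return report


if __name__ == "__main__":
    for key, value in correlate(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{key}: {value}")
```

On these listings the report shows the VNC session from 172.16.0.15 as an inbound remote-control connection owned by PID 2760, the NetBIOS connection to 192.168.0.2 as outbound, and port 31337 as open to the scanner but absent from the host's own netstat output, a discrepancy that merits closer examination.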

17.1.6 Connection Management

Remember that on a packet-switched network, computers are not connected using dedicated circuits. Instead, to make large-scale internetworking more reliable, TCP creates what are called virtual circuits (a.k.a. TCP streams), establishing, maintaining, and terminating connections between hosts. To establish a virtual circuit, TCP performs a three-way handshake (Figure 17.6). First, host A asks host B for a connection by sending what is commonly known as a SYN packet.[6]

Figure 17.6: TCP establishing a connection using a three-way handshake.

Second, host B acknowledges host A's request by returning a packet containing the special acknowledgment (ACK) bit (this acknowledgment packet also contains a SYN bit to enable the host to synchronize). Third, host A sends a packet containing data (with the ACK bit) to host B thus establishing a connection.

Once a connection is established, TCP has the very important responsibilities of verifying that a packet reaches its destination, reassembling packets into their original form, and controlling the rate at which data are transmitted, making sure that data are not sent faster than the receiver can process them.

The concept behind TCP's connection management is simple - it keeps a record of everything that it sends until it receives an acknowledgment that the information reached its destination. If TCP does not receive an acknowledgment after a set amount of time, it assumes that the information was lost and resends it. So, if one packet is lost or damaged in transit, TCP will resend just that packet, not the entire message.

As simple as this may seem, it is actually quite ingenious. If a major portion of a network is destroyed, TCP assumes that the network will be repaired quickly and continues to retransmit data - patiently waiting for an acknowledgment. If the network is not repaired quickly, TCP will eventually stop trying to resend information. However, if the network is repaired quickly, TCP will resume communication between two hosts despite the interruption. This differs from a telephone call, which is terminated when the connection is broken. When two hosts have finished communicating, TCP terminates the connection by sending a packet containing the FIN or RST bits.[7]

Keep in mind that TCP streams are bi-directional, enabling a host to both send and receive data. Each TCP stream comprises two flows, one for receiving data and the other for sending data. This aspect of TCP can be clearly seen in router NetFlow logs showing a connection to a Hotmail account from the client (192.168.1.105):

    examiner1% flow-cat /netflow/2002/2002-08/2002-08-28/ft-v05.2002-08-28.213000-0400 | flow-filter -Skiosk -f ./kiosk.acl | flow-print -f5
    Start              End                Sif   SrcIPaddress   SrcP   DIf   DstIPaddress    DstP   P   Fl   Pkts   Octets
    0828.21:38:19.94   0828.21:38:19.94   2     192.168.1.105  0      19    66.113.201.11   2048   1   0    1      60
    0828.21:38:57.715  0828.21:39:01.339  2     192.168.1.105  1925   13    64.4.53.7       80     6   3    6      609
    0828.21:39:01.539  0828.21:39:02.495  2     192.168.1.105  1927   13    64.4.53.7       80     6   3    18     1172
    0828.21:39:02.299  0828.21:39:05.439  2     192.168.1.105  1928   13    64.4.53.7       80     6   3    15     1081
    0828.21:39:02.323  0828.21:39:05.723  2     192.168.1.105  1929   13    216.33.150.251  80     6   3    8      652
    <cut for brevity>

Corresponding flows to the client are listed here, using the -D (destination) option of the flow-filter[8] command instead of -S (source).

    examiner1% flow-cat /netflow/2002/2002-08/2002-08-28/ft-v05.2002-08-28.213000-0400 | flow-filter -Dkiosk -f ./kiosk.acl | flow-print -f5
    Start              End                Sif   SrcIPaddress    SrcP   DIf   DstIPaddress    DstP   P   Fl   Pkts   Octets
    0828.21:38:11.597  0828.21:38:11.597  11    66.113.201.11   0      4     192.168.1.105   0      1   0    1      60
    0828.21:38:50.245  0828.21:38:53.869  11    64.4.53.7       80     4     192.168.1.105   1925   6   3    5      514
    0828.21:38:54.69   0828.21:38:55.25   11    64.4.53.7       80     4     192.168.1.105   1927   6   3    26     12085
    0828.21:38:54.833  0828.21:38:57.969  11    64.4.53.7       80     4     192.168.1.105   1928   6   3    17     6795
    0828.21:38:54.853  0828.21:38:58.257  11    216.33.150.251  80     4     192.168.1.105   1929   6   3    8      3041
    <cut for brevity>

Each NetFlow entry in the above output contains the start and end times of the flow, source and destination IP addresses and port numbers, followed by a number representing the protocol (e.g. 1 for ICMP, 6 for TCP, 17 for UDP), a number representing the combination of TCP flags in each flow, the number of packets, and the number of bytes (a.k.a. octets) transmitted, respectively.
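To show how the two unidirectional flows of each TCP stream fit together, the following Python code (an added example, not part of the original text) parses the rows from the two flow-print listings above, pairs each flow from the client with its return flow, and decodes the flags field into the SYN, FIN and RST bits discussed in this section. Function names are illustrative, and the Fl column is assumed to be the decimal OR of the standard TCP flag bits.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "start end src sport dst dport proto flags pkts octets")

# Rows from the two flow-print -f5 listings above (client 192.168.1.105).
FROM_CLIENT = """\
0828.21:38:19.94   0828.21:38:19.94   2  192.168.1.105  0     19  66.113.201.11   2048  1  0  1   60
0828.21:38:57.715  0828.21:39:01.339  2  192.168.1.105  1925  13  64.4.53.7       80    6  3  6   609
0828.21:39:01.539  0828.21:39:02.495  2  192.168.1.105  1927  13  64.4.53.7       80    6  3  18  1172
0828.21:39:02.299  0828.21:39:05.439  2  192.168.1.105  1928  13  64.4.53.7       80    6  3  15  1081
0828.21:39:02.323  0828.21:39:05.723  2  192.168.1.105  1929  13  216.33.150.251  80    6  3  8   652
"""
TO_CLIENT = """\
0828.21:38:11.597  0828.21:38:11.597  11  66.113.201.11   0   4  192.168.1.105  0     1  0  1   60
0828.21:38:50.245  0828.21:38:53.869  11  64.4.53.7       80  4  192.168.1.105  1925  6  3  5   514
0828.21:38:54.69   0828.21:38:55.25   11  64.4.53.7       80  4  192.168.1.105  1927  6  3  26  12085
0828.21:38:54.833  0828.21:38:57.969  11  64.4.53.7       80  4  192.168.1.105  1928  6  3  17  6795
0828.21:38:54.853  0828.21:38:58.257  11  216.33.150.251  80  4  192.168.1.105  1929  6  3  8   3041
"""

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumption: Fl is the decimal OR of the TCP header flag bits seen in the flow.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_flows(text):
    """Parse flow-print -f5 rows; header and '<cut ...>' lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[2].isdigit():
            continue
        flows.append(Flow(f[0], f[1], f[3], int(f[4]), f[6], int(f[7]),
                          int(f[8]), int(f[9]), int(f[10]), int(f[11])))
    return flows


def decode_flags(value):
    """Names of the TCP flag bits set in a flow's flags value."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def icmp_type_code(flow):
    """NetFlow v5 stores ICMP type*256+code in the destination-port field."""
    return flow.dport >> 8, flow.dport & 0xFF


def session_key(flow):
    """Key that is identical for both directions of one conversation."""
    if flow.proto == 1:
        # ICMP has no ports to mirror, so match on the address pair only.
        ends = sorted([(flow.src, 0), (flow.dst, 0)])
    else:
        ends = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return (flow.proto, ends[0], ends[1])


def pair_flows(from_client, to_client):
    """Merge the two unidirectional flows of each conversation into one record."""
    sessions = {}
    for label, flows in (("sent", from_client), ("received", to_client)):
        for fl in flows:
            s = sessions.setdefault(session_key(fl), {
                "protocol": PROTOCOLS.get(fl.proto, str(fl.proto)),
                "sent_pkts": 0, "sent_octets": 0,
                "received_pkts": 0, "received_octets": 0, "flags": 0,
            })
            s[label + "_pkts"] += fl.pkts
            s[label + "_octets"] += fl.octets
            s["flags"] |= fl.flags
    return sessions


def one_way(sessions):
    """Conversations seen in only one direction (no matching return flow)."""
    return [k for k, s in sessions.items()
            if s["sent_pkts"] == 0 or s["received_pkts"] == 0]


if __name__ == "__main__":
    paired = pair_flows(parse_flows(FROM_CLIENT), parse_flows(TO_CLIENT))
    for key, s in paired.items():
        print(key, s["protocol"], s["sent_octets"], s["received_octets"],
              decode_flags(s["flags"]))
```

The first row of each listing is ICMP: destination-port value 2048 decodes to type 8 (echo request) and 0 to type 0 (echo reply), which is why ICMP is paired on addresses rather than ports.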

17.1.7 Abuses of TCP/IP

Computer intruders have used their knowledge of TCP to gain unauthorized access to systems. One approach, called IP spoofing, was first described by Robert Morris (Morris 1985), father of Richard Morris Jr. - the creator of the first Internet worm and one of the first individuals to be prosecuted under the Computer Fraud and Abuse Act. IP spoofing takes advantage of the fact that many organizations configure certain hosts on their network to trust other hosts simply based on an IP address. With this kind of host-based authentication, a computer that receives instructions that appear to come from a trusted IP address will accept them without question. This trust arrangement is efficacious when two or more hosts on their network communicate so frequently that it is infeasible to require a password to be entered by a person every time the computers need to exchange data. However, a clever computer intruder can take advantage of this intercomputer trust in the following way to execute a command on the trusting computers without being prompted for a password:

  1. The intruder disables the trusted computer using a denial of service attack.

  2. The intruder sends a SYN packet to the trusting computer but forges the source IP address so that it appears to come from the trusted computer.

  3. The trusting computer will send an ACK packet to the trusted computer and will be expecting an ACK packet in return to finalize the TCP connection. However, the trusted computer is unable to respond because it was disabled in step 1. Instead, the intruder sends an ACK packet with a forged source IP address, making it appear to come from the trusted computer.

  4. The trusting computer thinks that it has established a legitimate connection with the trusted computer. The intruder can then send forged packets that appear to be coming from the trusted computer containing commands that the trusting computer will execute.

There is one nuance to IP spoofing that is important to be aware of - the intruder must be able to predict the TCP sequence numbers that the trusting computer is expecting in packets it receives. Newer operating systems use less predictable sequence numbers to make it more difficult to carry out this type of attack.

One of the most highly publicized IP spoofing attacks occurred in December 1994 when Kevin Mitnick broke into Tsutomu Shimomura's computers. Shimomura's description of the subsequent investigation and digital evidence he found hints at how challenging such investigations can be. Shimomura's computers were named "Osiris" and "Ariel." After gaining access to the computers, the intruder bundled the cellular telephone software that he wanted, a compressed file called oki.tar.Z. The intruder deleted the compressed file after transferring a copy to another machine that he had broken into.

One of [the pieces of evidence] was a mysterious program, Tap, that I had seen when I peered into Osiris's memory the day before. It was a transient program that someone had created and placed in my computer's memory for a specific task. When the computer was turned off or rebooted it would vanish forever. And what about the ghost of the file oki.tar.Z, whose creation suggested that someone was after cellular telephone software ... There was another crucial discovery from looking at Ariel's data; the intruder had tried to overwrite our packet logs, the detailed records we keep of various packets of data that had been sent to or from our machines over the Internet. The erased log files revealed that in trying to overwrite them the intruder hadn't completely covered over the original file. It was as if he had tried to hide his footprints in the sand by throwing buckets of more sand on top of them. But here and there, heels and toes and even a whole foot were still visible. (Shimomura and Markoff 1996)

A more active abuse of TCP is session hijacking (a.k.a. man-in-the-middle attack), enabling an individual to take control of someone else's connection to a server. Basically, by monitoring traffic using a sniffer and then manipulating the TCP stream, it is possible to insert commands that will be executed on the server or even take the session over entirely. This attack has been automated by tools like Hunt[9] and Ettercap[10] but is made more difficult by using encryption.

[1]Some routers are configured insecurely to permit outgoing packets from a masquerading host that is configured with an IP address that is not on the same subnet. However, TCP responses to these packets would be sent to the actual network that contains this IP address and not to the masquerading host. Although a bi-directional TCP connection cannot be established, this flaw can be used to launch a denial of service attack, making it appear to originate from a different network.

[2]http://www.nwpsw.com

[3]Basically, traceroute obtains this information by sending ICMP echo requests (a.k.a. ping) to each intermediate router and displaying the details of the corresponding ICMP echo replies.

[4]A more complete list of port associations is available at: Internet Assigned Numbers Authority (http://www.iana.org/assignments/port-numbers) and in the "services" file that comes with nmap.

[5]http://www.realvnc.com/

[6]A SYN packet contains the special SYN bit that indicates that host A wants to synchronize sequence numbers with host B. TCP uses sequence numbers to keep packets in order.

[7]There are some nuances to the way that TCP uses sequence numbers and controls the rate at which data are sent that are beyond the scope of this text. Additional information about TCP can be found in Comer's Internetworking with TCP/IP Vol I (Comer 1995) and Stevens' TCP/IP Illustrated (Stevens 1994).

[8]http://www.splintered.net/sw/flow-tools/

[9]http://lin.fsid.cvut.cz/~kra/index.html

[10]http://ettercap.sourceforge.net/




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
