Posted on 19-Dec-2015
– 1 – CSCE 517 Sum 03
Slides for Today July 14 are not Quite Complete; but close enough to post
Test 2 will be returned and …
Lecture: UDP, Traceroute, DNS etc.
Topics
  Unix File systems one more time
  UDP
  Traceroute
  Domain Name Service
July 14, 2003
CSCE 517 Forensic Computing
– 3 – CSCE 517 Sum 03
Unix File System Structure Encore!
[Figure: an inode whose disk addresses point at 1K-byte disk blocks (1K, 2K, … 21K); the directory blocks shown hold entries of the form (Addr, I#, Name).]
– 4 – CSCE 517 Sum 03
User Datagram Protocol (UDP)
Main connectionless protocol of the TCP/IP suite
  Built on top of IP
  Connectionless
  No “guarantees” on delivery as in TCP
  If TCP is analogous to a “telephone call”, UDP is analogous to a telegram
Maximum size of IP datagram is 65535
Maximum size of UDP datagram 8192
Reference for UDP material: “TCP/IP Illustrated Volume 1: The Protocols” by W. Richard Stevens, 1992
– 5 – CSCE 517 Sum 03
TCP/IP Suite (modified)
[Figure: TCP/IP Layers Modified**]
  Application Layer: ssh, DNS, http, snmp, smtp, bootp, …
  Transport Layer: TCP, UDP
  Network Layer: IP, ICMP, IGMP
  Data Link Layer**: Ethernet Driver, ARP, RARP
  Physical Layer: Physical Ethernet or Other LAN
– 6 – CSCE 517 Sum 03
User Datagram Header Format
   0        7 8       15 16      23 24      31
  |    Source Port     |  Destination Port  |
  |       Length       |      Checksum      |
  |           Data octets (if any)          |
Source port
Destination port
Length – length of header + length of data
Checksum
  • One’s complement sum of the 16-bit words
  • If length is odd pad with ‘\0’, a byte of zeroes
  • Include 12-byte pseudo-header from the IP header
  • Source IP address, Destination IP address, zero, protocol
– 7 – CSCE 517 Sum 03
User Datagram Header Checksum
   0        7 8       15 16      23 24      31
  |    Source Port     |  Destination Port  |
  |  16-bit UDP length |  16-bit Checksum   |
  |           Data octets (if any)          |
Checksum
  • One’s complement sum of the 16-bit words
  • If length is odd pad with ‘\0’, a byte of zeroes
  • Include 12-byte pseudo-header from the IP header
  • Source IP address, Destination IP address, zero, protocol, length
Pseudo-header:
  |        32-bit source IP address         |
  |      32-bit destination IP address      |
  |  Zero  | 8-bit protocol | 16-bit UDP length |
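As an added worked example (not from the slides), the following Python computes and verifies the UDP checksum over the 12-byte pseudo-header exactly as described above, including the '\0' padding for an odd length; the addresses, ports and payload are constructed sample values.

```python
import ipaddress
import struct

UDP_PROTOCOL = 17  # protocol number carried in the pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of 16-bit words; an odd trailing byte is padded with '\\0'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """12-byte pseudo-header: source IP, destination IP, zero, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> int:
    """Value to place in the checksum field; a computed 0 is transmitted as 0xFFFF (RFC 768)."""
    length = 8 + len(payload)                 # header + data
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)   # checksum field zero while summing
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    return csum if csum else 0xFFFF


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: summing pseudo-header + segment (checksum included) must give 0xFFFF."""
    length = struct.unpack("!H", segment[4:6])[0]
    if length < 8 or length != len(segment):
        return False                          # length field disagrees with what arrived
    if struct.unpack("!H", segment[6:8])[0] == 0:
        return True                           # sender sent no checksum (optional for IPv4 UDP)
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF


# Constructed sample: a 3-byte payload, so the odd-length padding is exercised.
SEGMENT = build_udp("10.0.0.1", "10.0.0.2", 1234, 53, b"abc")
```

Changing any covered byte, including the pseudo-header's destination address, makes verify_udp reject the segment.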
– 8 – CSCE 517 Sum 03
Last Time
IP Fragmentation
ICMP Unreachable Error (Fragmentation Required)
Determining the Path MTU using traceroute
– 9 – CSCE 517 Sum 03
Interaction of UDP and ARP
– 10 – CSCE 517 Sum 03
ICMP Source Quench Error
– 11 – CSCE 517 Sum 03
UDP Server Design
– 12 – CSCE 517 Sum 03
UDP Programming in Java
Java Tutorial - All about Datagrams
http://java.sun.com/docs/books/tutorial/networking/datagrams/
What is a UDP datagram?
A datagram is an independent, self-contained message sent over the network whose arrival, arrival time, and content are not guaranteed. [Java Tutorial]

    import java.io.*;

    public class QuoteServer {
        public static void main(String[] args) throws IOException {
            new QuoteServerThread().start();
        }
    }
– 13 – CSCE 517 Sum 03
UDP Programming in Java

    // QuoteServerThread extends Thread; the slide shows only its constructors.
    // The socket and quote-file reader are fields of the class:
    //     protected DatagramSocket socket = null;
    //     protected BufferedReader in = null;
    public QuoteServerThread() throws IOException {
        this("QuoteServer");
    }

    public QuoteServerThread(String name) throws IOException {
        super(name);
        socket = new DatagramSocket(4445);      // UDP server listens on port 4445
        try {
            in = new BufferedReader(new FileReader("one-liners.txt"));
        } catch (FileNotFoundException e) {
            System.err.println("Couldn't open quote file. " + "Serving time instead.");
        }
    }
– 14 – CSCE 517 Sum 03
Java UDP Client
    …
    if (args.length != 1) {
        System.out.println("Usage: java QuoteClient <hostname>");
        return;
    }
    DatagramSocket socket = new DatagramSocket();
    byte[] buf = new byte[256];
    InetAddress address = InetAddress.getByName(args[0]);
    // an empty datagram to port 4445 is the request; the server answers with a quote
    DatagramPacket packet = new DatagramPacket(buf, buf.length, address, 4445);
    socket.send(packet);
    packet = new DatagramPacket(buf, buf.length);
    socket.receive(packet);
    // only packet.getLength() bytes of the 256-byte buffer were filled by the reply
    String received = new String(packet.getData(), 0, packet.getLength());
    System.out.println("Quote of the Moment: " + received);
    …
– 15 – CSCE 517 Sum 03
RFCs – Request for Comments
RFCs initially; now standards
  1980 TCP/IP version 1 – RFC 761
  1980 UDP – RFC 768 http://www.faqs.org/rfcs/rfc768.html
  1981 IP – RFC 791 http://www.faqs.org/rfcs/rfc791.html
  1981 TCP – RFC
  1995 SSH – RFC 793 http://www.free.lp.se/fish/rfc.txt (SSH 1) http://dmoz.org/Computers/Security/Products_and_Tools/Cryptography/SSH/Documentation/
– 16 – CSCE 517 Sum 03
Traceroute
Traceroute traces the route a packet would take if sent to a destination.
Note two IP datagrams sent to the same address are not guaranteed to go the same way, but usually do.
“Implemented by Van Jacobson from a suggestion by Steve Deering. Debugged by a cast of thousands …”
The IP record route option records the route taken by an IP datagram.
Traceroute is implemented using UDP, IP (TTL) and ICMP.
– 17 – CSCE 517 Sum 03
Traceroute
IP record route option
Why not just use this?
  1. At the time not all routers supported the Record Route option.
  2. One-way option. The receiver gets the route, but then must return it to the sender.
  3. The size of the field for recording the path is not long enough to record many current paths (16-18 hops).
– 18 – CSCE 517 Sum 03
Traceroute Implementation
traceroute destination
Send a UDP packet to a weird port at the destination with TTL = 1. When the packet reaches the first router it decrements the TTL, which becomes 0. So the router discards the packet and sends the ICMP message “time exceeded” back. This identifies the first router.
Send a UDP packet to the destination with TTL = 2. The packet goes through the first router and the TTL is decremented to 1. It is passed to the second router on the route, which decrements the TTL to zero and sends an ICMP response that identifies the second router.
…
Until the packet reaches the destination. When it gets there the weird port number means there is no server waiting, so the destination sends ICMP “unreachable”; this identifies the destination and that it is the last hop.
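The exchange described above, as an added example that is not part of the original slides: a constructed model of a path (no real sockets) in which each router decrements the TTL and answers with ICMP time exceeded when it hits zero, while the destination answers port unreachable because nothing listens on the weird port. The names Probe, Path and TRACEROUTE_PORT are assumptions for this model.

```python
from dataclasses import dataclass, field

TRACEROUTE_PORT = 33434   # the "weird" high UDP port the probes are sent to


@dataclass
class Probe:
    dst: str
    ttl: int
    dst_port: int = TRACEROUTE_PORT


@dataclass
class Path:
    """Constructed model of the routers between the sender and the destination."""
    routers: list                                       # router addresses in order, e.g. ["B", "C"]
    destination: str
    listening_ports: set = field(default_factory=set)   # UDP ports with a server on the destination

    def send(self, probe: Probe):
        """Forward a probe hop by hop; return the ICMP message the sender gets back (None = none)."""
        ttl = probe.ttl
        for router in self.routers:
            ttl -= 1                              # each router decrements TTL ...
            if ttl == 0:                          # ... and discards the packet when it reaches 0
                return ("time exceeded", router)
        if probe.dst_port in self.listening_ports:
            return None                           # a server consumed it: no ICMP, the probe times out
        return ("port unreachable", self.destination)


def traceroute(path: Path, max_hops: int = 30):
    """Raise the TTL one at a time until the destination answers with port unreachable."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = path.send(Probe(path.destination, ttl))
        if reply is None:
            hops.append((ttl, "*"))               # no reply within the timeout
            continue
        kind, who = reply
        hops.append((ttl, who))
        if kind == "port unreachable":            # the last hop has been identified
            break
    return hops


if __name__ == "__main__":
    for ttl, who in traceroute(Path(routers=["B", "C", "D", "E", "F"], destination="G")):
        print(f"{ttl:2d}  {who}")
```

The second case in the test shows why a listening port breaks the method: the destination never sends ICMP, so every later probe is reported as "*".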
– 19 – CSCE 517 Sum 03
Traceroute Implementation Picture
[Picture: hosts A, B, C, D, E, F, G along a path; running “$ traceroute G” from A reports, in order, B, C, D, E, F, G.]
– 20 – CSCE 517 Sum 03
IP Source Routing Option
– 21 – CSCE 517 Sum 03
Traceroute with loose source routing
traceroute -g 129.252.44.1 yahoo.com
Traceroute to yahoo.com through 129.252.44.1
This can be repeated up to eight times
– 22 – CSCE 517 Sum 03
IP Routing
Routing Table – each router “knows” the next hop, not the entire path
Unix/Windows: netstat -rn
– 23 – CSCE 517 Sum 03
IP Addresses, Dotted Decimals, Names
IP addresses are 32-bit integers
A workstation has IP address 9490592 (as unsigned) or 0x81FC0B5A in hex
Any ideas?
Nobody can remember that, so we break it up into bytes as a dotted decimal: 129.252.11.90
But the way I really remember this workstation is “erdos.cse.sc.edu”.
This name is easy to remember.
– 24 – CSCE 517 Sum 03
Fully Qualified Domain Names
The Domain Name System (DNS) name space is hierarchical
Root level = unnamed root
Top level domains
  arpa – IP addresses, e.g., 90.11.252.129.in-addr.arpa
  com – commercial
  edu – educational
  gov – government
  mil – military
  org – organizations
Names are concatenated from the bottom to the root, separated by “.”s
– 25 – CSCE 517 Sum 03
Fully Qualified Domain Names
[Figure: the DNS name tree]
  Top-level domains: arpa, com, edu, gov, mil, net, org (generic domains); ae, … cn, in, … us (country domains)
  2nd level: in-addr, yahoo, sc, … acm, va
  Example branches: in-addr → 129 → 252 → 11 → 90; sc → cse → erdos; va → reston → cnri
– 26 – CSCE 517 Sum 03
Domain Name System
Just as ARP translates from IP addresses to ethernet addresses (or other DLL addresses),
the Domain Name System translates from fully qualified domain names (FQDN) to IP addresses.
– 27 – CSCE 517 Sum 03
Name Servers
Primary and secondary name servers
Root name servers
  ftp.rs.internic.net or nic.ddn.mil
DNS Caching – much like ARP caching
Iterative versus sequential
– 28 – CSCE 517 Sum 03
DNS Message Format
Identification is made up by the client and merely returned by the server.
  |      Identification     |          Flags          |
  |   number of questions   |   Number of answer RRs  |
  | Number of authority RRs | Number of additional RRs |
  Questions
  Answers – variable number of resource records
  Authority – variable number of resource records
  Additional Information – variable number of records
– 29 – CSCE 517 Sum 03
Flags Field of DNS header
QR – 0 means a query, 1 means a response
Opcode (4 bits): 0 standard query, 1 reverse query, 2 server status request
AA (1 bit) – authoritative answer (responder is THE nameserver for the zone)
TC (1 bit) – truncated; UDP limited to 512 bytes
RD (1 bit) – recursion desired
RA (1 bit) – recursion available
Zero – 3 bits, all zero 000 (padding, synch, expansion?)
Rcode (4 bits) – return code: 0 no error, 3 name error …
Layout: QR | opcode | AA | TC | RD | RA | Zero | rcode
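As an added example (not code from the slides), the following Python packs and unpacks the 12-byte DNS header and the flags field laid out above, checks that a reply echoes the client's identification as slide 28 describes, and also does the address conversions from slides 23 and 24 (0x81FC0B5A to dotted decimal, and dotted decimal to its in-addr.arpa name). The sample header bytes are constructed.

```python
import struct

# id, flags, #questions, #answer RRs, #authority RRs, #additional RRs
DNS_HEADER = struct.Struct("!HHHHHH")

OPCODES = {0: "standard query", 1: "reverse (inverse) query", 2: "server status request"}
RCODES = {0: "no error", 3: "name error"}


def build_query_header(ident: int, qdcount: int = 1, rd: bool = True) -> bytes:
    """Header a client sends: QR=0, opcode 0, RD set, all counts except #questions zero."""
    flags = (0 << 15) | (0 << 11) | (int(rd) << 8)
    return DNS_HEADER.pack(ident, flags, qdcount, 0, 0, 0)


def parse_header(data: bytes) -> dict:
    """Split the header and unpack the flags: QR opcode AA TC RD RA Zero rcode."""
    if len(data) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(data)
    return {
        "id": ident,
        "qr": flags >> 15,               # 0 query, 1 response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,         # authoritative answer
        "tc": (flags >> 9) & 1,          # truncated (UDP reply limited to 512 bytes)
        "rd": (flags >> 8) & 1,          # recursion desired
        "ra": (flags >> 7) & 1,          # recursion available
        "z": (flags >> 4) & 0x7,         # must be 000
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def matches_query(query: bytes, response: bytes) -> bool:
    """The server merely echoes the client's identification, so a reply must carry it back."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] == 1 and r["id"] == q["id"] and r["z"] == 0


def dotted_decimal(addr: int) -> str:
    """32-bit unsigned address -> dotted decimal, e.g. 0x81FC0B5A -> 129.252.11.90."""
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def reverse_name(dotted: str) -> str:
    """Name queried for an address-to-name lookup under the arpa top-level domain."""
    return ".".join(reversed(dotted.split("."))) + ".in-addr.arpa"


# Constructed sample response: QR=1, AA=1, RD=1, RA=1, rcode=3 (name error), one question.
SAMPLE_RESPONSE = DNS_HEADER.pack(0x1234, 0x8583, 1, 0, 0, 0)
```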
– 30 – CSCE 517 Sum 03
Question Format in DNS Messages
– 31 – CSCE 517 Sum 03
Resource Record Portion of DNS Response
– 32 – CSCE 517 Sum 03
Resource Records
– 33 – CSCE 517 Sum 03
Caching
– 34 – CSCE 517 Sum 03
DNS Spoofing
– 35 – CSCE 517 Sum 03
Summary