Security of the Transport layer

Security issues for 1.TCP and UDP protocols

TCP is a very important protocol in the Internet, and the attacker's attack on it is naturally of considerable concern. Suddenly remember to hear the word TCP data stream service frequently, why is it called data flow? This is where the application layer sends the data to the TCP layer in the form of a stream of bytes. TCP maintains a TCP send buffer and a receive buffer, and all the byte streams sent by the application layer are stored in the send buffer, and the TCP data uploaded by the network layer is stored in the receive buffer. The security of TCP protocol will be analyzed from four aspects, namely head, protocol, traffic and authentication.

Head-based attacks can be divided into 2 categories: one is that attackers can send invalid header information, which can disrupt the operation of the TCP layer, and the attacker can detect some information about the target host by receiving TCP response data. The most common attack in the TCP header is the Identity field, which is the URG (the packet contains emergency data), the ACK (response number is valid), the PSH (need to push the data to the app), the RST (reset packet), the SYN (synchronous packet), FIN (end packet). For example, we can disguise a packet to modify the combination of these identities, and some systems will disconnect from the unknown combination, which will cause the attacker to disconnect from the connection. This attack, which corresponds to the first category of the above classification, interrupts a single connection, but now the system has been improved in this place. In the second category of probing attacks, these identities are still exploited. Because the TCP standard does not specify all combinations, different operating systems respond differently to a particular identity combination, so the probe package can be sent to obtain the operating system type or other specific information of the target host. Probing attacks are difficult to eliminate because the operating system implements the TCP protocol with different standards, unless these standards are harmonized.

TCP protocol is one of the most complex protocols in the Internet, because of its complexity, the attack on TCP protocol is endless. Attacks are still divided into 2 categories, one of which is an attacker's improper communication with the target, and one in which an attacker inserts a packet into the TCP protocol stream. A classic attack in the first type of attack becomes a SYN avalanche, where an attacker sends a connection request with his own IP address and multiple port numbers, and the victim responds to the ACK packet and enters a semi-connected state, apparently at this time the victim holds the session data in memory. When the victim occupies a large number of semi-connected sessions in memory, it will consume a lot of performance, which can cause the host to fall out of line and ignore other host connection requests. For this scenario, the target host can be filtered, that is, only a limited number of source IP connection requests are allowed when the connection request is accepted. However, it is clear that an attacker could also use a distributed host to attack a host at the same time, so that the target host could be dropped in a single swoop. The second type of attack requires an attacker to see traffic, such as disconnecting a connection attack, as shown in.

Here's another point to consider, masquerading packets are not just changing the source IP address, there are MAC addresses and some flags to be modified, of course, if we can sniff the packet for forgery. If the attacker also modifies the source MAC address of the packet, it will be difficult to eliminate the attack because it is not possible to know which host the attacker is. Let's look at a second class attack example, called session hijacking, which requires an attacker to see the traffic between the victim and the server. Unlike disconnecting a connection attack, it is a steal connection, where an attacker would replace the victim with the server or communicate with the victim instead of the server. As shown in.

In terms of traffic, from disconnecting and stealing connections, you can see that they are based on the ability to see traffic, and Syn avalanches are also the basis for other attacks because of the volume of traffic that degrades service performance.

the TCP protocol does not support authentication, so there is no representative attack. However, the 1th and 2 fields in the TCP header are the source and destination ports, and the operating system can actually limit the range of port numbers to play a protective role in authentication. because the UDP protocol header is simple, attacks based on headers and protocols are uncommon, and attacks based on authentication and traffic are similar to TCP. But also to see the difference between TCP and UDP, UDP does not need to reply to confirm and keep the connection, so the avalanche for UDP to launch a higher cost.

2. Solution for Transport Layer Security

Transport Layer Security TLS and Secure Sockets Layer SSL is a layer of security between the application layer and the transport layer. The TLS (Transport layer Security) protocol can be thought of as a new layer, between the application layer and TCP. It provides authentication between the server and the client, provides confidentiality and data integrity between applications, and TLS includes the TLS record protocol with the TLS handshake protocol. SSL (Security Socket Layer) is similar to TLS and is certified for mutual authentication, and it uses digital signatures to ensure integrity and privacy with encryption, which consists of an SSL logging protocol and an SSL handshake protocol. TLS is an improved version based on SSL, but the difference between TLS and SSL is large and the encryption algorithms are different, which makes interoperability between them impossible. because TSL is an enhanced version of SSL, first to study SSL, it has been widely used in the browser and server authentication and information encryption. As mentioned above, SSL is divided into SSL record protocol and SSL handshake Protocol, and the recording protocol mainly provides data encapsulation, compression and encryption for application layer protocol. The handshake protocol is used on the basis of the recording protocol for the identity authentication, the negotiation of the encryption algorithm and the Exchange key of the communication parties. By logging protocols and handshake protocols, SSL ensures that the data between the client and the server is not stolen and that the data is not altered during transmission. Next I draw a diagram to illustrate the SSL protocol transfer process.

TLS and SSL are similar to the communication mechanism, but now we are basically using the TLS protocol. In addition, the TLS key allocation is a very important part of the TLS protocol, for this piece I just know a little bit interested in Baidu can own. For the TLS protocol from the middleman point of view is also possible to attack, such as a and B communication, C can see the traffic between A and B. At this point C can forge a certificate to a, pretend to be a server, and a real server to establish a valid connection, so that C can arbitrarily view the modification of this information. However, the cost should be quite high, because the attackers need to know the encryption and decryption algorithms as well as various keys in addition to the data traffic in the following layer of TLS.

Security of the Transport layer