About RST Reset Attacks, Based on the Principles of the TCP Protocol

Source: Internet
Author: User

Before talking about RST attacks, you first need to understand TCP: how a connection is established through the three-way handshake, how the full-duplex connection is closed, how data is transmitted through the sliding window, and under what circumstances the RST flag appears in a TCP segment. Below I draw some simplified figures to illustrate these points, and then explain what an RST attack looks like.

1. What is TCP?
 
TCP is a transport-layer protocol that sits above the IP network layer. It provides reliable, connection-oriented byte-stream transmission from port to port. Let me explain those keywords in plain language:
 
Port to port: the IP layer only moves packets from one IP address to another. TCP, layered on top of IP, adds the port and so becomes process-oriented: each port can correspond to a user process.
 
Reliability: TCP maintains a real notion of a connection, including acknowledgement packets after data is received and retransmission after packet loss, to guarantee reliability. Because bandwidth and processing capacity differ between machines, TCP must also be able to control the flow of traffic.
 
Byte stream: TCP cuts the byte stream handed to it by the application process into many segments and sends them over the network. IP packets may arrive out of order or duplicated, and TCP must restore the original byte stream exactly.
 
 
 
From the TCP header diagram I drew in PowerPoint above, you can see that there are six flag bits in total. The RST bit appears when a TCP exception occurs, and it is the focus of this article.
 
 
 
 
2. Establishing a connection through the three-way handshake
 
Next, I will use host A establishing a TCP connection to host B to explain how the three-way handshake completes.

 
In order to understand the RST attacks that follow, we need to talk about the SYN flag, the sequence number, and the sliding window size.
 
In the connection request, the SYN flag must be set to 1. This request also advertises the MSS (maximum segment size), that is, the largest TCP segment the local machine is willing to receive.
 
Each TCP packet sent carries a sequence number. It works like this: when the first SYN is sent, it carries an initial sequence number; according to the RFC, each operating system derives this value in a way related to the system time. The sequence number then keeps increasing as data is sent. For example, if the current sequence number is 100 and the TCP segment carries 10 bytes of data, the next segment's sequence number will be 110.
 
The sliding window is used to speed up transmission. For example, without it, after sending a packet with seq = 100 the sender would have to wait for ack = 101 before sending the next packet. With the sliding window, as long as the gap between the seq of the new packet and the smallest seq not yet acknowledged is smaller than the window size, the sender can keep sending.
 
 
 
 
3. Sliding Window
 
Sliding windows are, without doubt, there to speed up data transmission. To guarantee "reliability", TCP needs to ack a packet to indicate that the receiving end has received it. With the sliding window, the receiver can send a single ack after receiving many packets, confirming all of them at once. Also, the sender does not have to wait for the ack of a packet before sending the next one; it can keep sending other packets within the window size. Let's take an example.

In the capture above, a flag of "." means that all flags are 0. The flag "P" marks a TCP packet with PSH set, which asks for the data to be pushed through promptly.
 
The first three packets are the three-way handshake. The client advertises a window size of 65535 (my Windows XP machine), and the server advertises a window of 5840 (the screenshot is cut off at the edge). Starting with the fourth packet, the client sends a PSH packet carrying 520 bytes of data to the server, and the server replies with an ack packet. Note that the window size has changed. And so on.
 
The server then sends several packets in a row to the client within the sliding window, and the "ack 124" packet from the client acknowledges the previous two packets at once. This is the sliding window at work.
 
One thing to note for the discussion of TCP attacks: in the various TCP implementations, a segment whose seq falls outside the sliding window is thrown away! This point is discussed below.
 
 
 
 
4. Normal connection close: the four-way handshake
 
First, a simple diagram of the state changes during a normal close.
 
 
 
 
The FIN flag is used to close a connection normally. The left side of the figure is the party that actively closes; the right side is the party that is passively closed. The connection states marked in the figure are the ones shown by the netstat command.
 
FIN is the normal way to close, and it is sent in buffer order: the data queued in the buffer before the FIN is sent out first, and then the FIN packet follows. This differs from RST.
 
 
 
 
5. RST flag
 
RST means reset and is used to close a connection abnormally. It is indispensable in TCP's design. As mentioned above, when an RST packet is sent to close a connection, the sender does not wait for the buffered packets to go out (unlike the FIN packet above); it discards the buffered data and sends the RST directly. After receiving an RST, the receiving end does not send an ACK to confirm it.
 
The TCP stack sends an RST packet when it considers something abnormal. For example, if A initiates a connection to B but B is not listening on the corresponding port, B's TCP stack replies with an RST packet.
 
Another example: A and B have a normal connection and are exchanging data. A sends a FIN packet to B, asking to close the connection. After B sends its ACK, the network goes down, and A gives up the connection for some reason (for example, a process restart). When the network comes back, B starts sending data packets again. A receives them and is baffled: it has no idea where this stray connection came from, so it sends an RST packet to force the connection closed, and B receives a "connection reset by peer" error.
 
 
 
 
6. RST Attacks
 
A TCP connection is established between host A and server B. Now C forges a TCP packet and sends it to server B, so that the connection between server B and host A is torn down abnormally. This is an RST attack. In fact, from the behaviour of the RST flag described above, we can already see how this attack works.
 
So what kind of forged TCP packet achieves this goal? Let's go through it from the top.
 
Suppose C sends a packet disguised as one sent by A. If this packet is an RST packet, B discards all the data in its buffer for A and forcibly closes the connection.
 
If the forged packet is a SYN packet, B concludes that A has gone crazy (the exact behaviour depends on the OS implementation), trying to create a new connection while the existing one is fine; B then actively sends an RST packet to A and forcibly closes the connection on its own side.
 
 
 
 
Both methods achieve the effect of a reset attack. It sounds alarming, but the key question is: how can C forge the packet that A sends to B? There are two key factors: the source port and the sequence number.
 
A TCP connection is uniquely identified by a four-tuple: source IP address, source port, destination IP address, and destination port. Therefore, if C wants to forge a packet from A to B, it must fill in the source IP address, source port, destination IP address, and destination port in the IP header and TCP header described above. Here B is a server, so its IP address and port are public. A is the target; its IP address is certainly known, but A's source port is unclear, since it may be chosen randomly by the operating system. Of course, if the source port allocation rules of common operating systems such as Windows and Linux can be worked out, it is still feasible.
 
The sequence number problem ties back to the sliding window. The forged TCP packet must carry a sequence number, and if that value does not fall inside B's current sliding window when the packet reaches B, B discards it. So we need a sequence number that lands inside the current window of the A-B connection. This can be solved by brute force: a sequence number is 32 bits long, with a value range of 0-4294967296. If the window size is 65535, as on Windows, you only need to divide: at most 65537 packets (4294967296/65535 = 65537) are needed before one of them lands inside the sliding window. An RST packet is very small, with the IP header and TCP header together only 40 bytes. Working out the bandwidth, this takes only a few seconds to complete.
 
 
 
 
So the sequence number is not the problem; the source port is the troublesome part. If an operating system cannot generate source ports randomly, or the attacker can obtain the source port through other means, RST attacks become easy, with serious consequences.
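The in-window rule from section 3 and the guess-count estimate above, as an added example that is not part of the original article: a small Python model of how a receiver decides whether an incoming RST is accepted, both in the classic form the article describes and in the hardened form specified by RFC 5961 (exact-match on RCV.NXT plus a challenge ACK), together with the worst-case guess count and send time for the article's 65535 window and 40-byte RST. The RCV.NXT values and the 10 Mbps link rate are constructed for the demonstration.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Receiver-side check: does seq lie in [RCV.NXT, RCV.NXT + RCV.WND) mod 2^32?"""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action(seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool) -> str:
    """How a receiver treats an incoming RST carrying sequence number seq.

    Classic behaviour (rfc5961=False): any in-window RST tears the connection down.
    RFC 5961 behaviour: only seq == RCV.NXT resets; another in-window RST provokes a
    challenge ACK that a blind spoofer never sees. Out-of-window RSTs are dropped.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if rfc5961 and seq != rcv_nxt:
        return "challenge-ack"
    return "reset"


def guesses_needed(rcv_wnd: int, rfc5961: bool) -> int:
    """Worst-case number of sequence values a blind spoofer must try.

    Classic: sweeping the space in window-sized strides covers it in
    ceil(2^32 / rcv_wnd) tries (65538 for a 65535 window; the article rounds to 65537).
    RFC 5961: the single exact value must be hit, so the whole 32-bit space.
    """
    return SEQ_SPACE if rfc5961 else -(-SEQ_SPACE // rcv_wnd)


def simulate_blind_rst(hidden_rcv_nxt: int, rcv_wnd: int) -> int:
    """Classic receiver: count window-stride tries until one guess lands in window.

    hidden_rcv_nxt is the value the spoofer does not know (constructed for the demo).
    """
    tries = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        tries += 1
        if rst_action(seq, hidden_rcv_nxt, rcv_wnd, rfc5961=False) == "reset":
            return tries
    return -1  # unreachable for a full window-stride sweep; kept for completeness


def seconds_to_send(packets: int, bytes_per_packet: int, bits_per_second: float) -> float:
    """Time to push all guesses at a given link rate (40-byte RSTs as in the article)."""
    return packets * bytes_per_packet * 8 / bits_per_second


if __name__ == "__main__":
    print(guesses_needed(65535, False), guesses_needed(65535, True))
    print(simulate_blind_rst(1_000_000, 65535))
    print(round(seconds_to_send(65537, 40, 10_000_000), 3))
```

The contrast between the two guess counts is the whole point of the RFC 5961 mitigation: with a plain in-window check a 65535 window shrinks the search to tens of thousands of packets, while the exact-match rule puts it back at the full 32-bit space.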



From the column russell_tao
