Application and principle of the TCP three-way handshake

Source: Internet
Author: User
TCP/IP is not a single protocol but a suite of different protocols, i.e. a protocol group. Within it, TCP (Transmission Control Protocol) is a reliable host-to-host protocol. The first point to emphasize here is that the Transmission Control Protocol sits at the fourth layer of the OSI network model, while "TCP" in "TCP/IP" names the protocol family of which TCP is one of the 6 basic protocols; the two uses of the name do not mean the same thing. TCP is a reliable, connection-oriented delivery service. Data is split into segments for transmission, and the hosts exchanging data must first establish a session. It is byte-stream oriented, meaning the data is treated as an unstructured stream of bytes, and reliability is obtained from the sequence number carried in the header of every TCP segment. Being the fourth layer of the OSI reference model, TCP uses the network-interconnection function of IP to provide reliable data transmission: IP carries the message across the network, and TCP is responsible for making sure the message arrives. In cooperation with IP, TCP takes care of the handshake process, message management, flow control, error detection and handling (control), and can put segments that arrive out of order back into the correct sequence. The RFC documents for TCP are RFC793, RFC791 and RFC1700.

At the beginning of a TCP session there is the so-called "three-way handshake": the two sides negotiate how much data is sent each time, synchronise the sending and receiving of data segments, confirm the amount of data sent according to the amount received, and agree on how to tear down the contact once the data has been received, thereby establishing a virtual connection. To provide reliable delivery, TCP numbers the packets it sends in a particular order before sending new data and requires the target machine to send back an acknowledgement for those packets. TCP is normally used to send large amounts of data; it is also used when an application needs an acknowledgement as data is received. Because TCP has to keep track of all this state, it carries extra overhead, which makes the TCP format somewhat complex. Let's look at a classic TCP example, later called the Mitnick attack, in which Kevin Mitnick pioneered two attack techniques:

TCP session hijacking
SYN flood

Here we discuss the problem of TCP session hijacking.

Let us first go through the basic process by which TCP establishes a connection. To build a small model environment, assume there are three machines connected to the Internet: A is the attacking machine operated by the attacker, B is the intermediary machine used as a springboard (a trusted server), and C is the victim machine (usually a server), which is the locked-on target. Machine A sends a SYN packet to machine B requesting a connection; B responds to the request with a SYN/ACK indicating that it agrees to establish the connection; when A receives the SYN/ACK response sent by B, it sends back an ACK, which establishes the network connection between A and B. The TCP communication channel between the two machines is now set up.

Now consider the trusted server B initiating a TCP connection to C. Machine A first sends SYN traffic to C so that C is unable to respond to B. At the same time, A sends B a SYN packet forged to look as if it came from C. B, which trusts C, receives the SYN and replies with the SYN/ACK that would establish the connection; C, meanwhile, is busy responding to the SYN data sent earlier and does not answer B. The attacker on A, having predicted the sequence number in B's packet (today's TCP sequence numbers are much harder to predict), forges the answering ACK from C to B. At this point the attacker has abused B's trust: impersonating C, A has set up a TCP dialogue with B, while C is still busy answering the SYN data sent by A.

The weakness of the TCP protocol stack lies in the resources a TCP connection consumes: packet information, connection state, sequence numbers and so on. By deliberately never completing the three-way handshake required to establish a connection, the resources available for connections can be exhausted.

The resource exhaustion of machine C is caused by the attacker deliberately not completing the three-way handshake required to establish a connection. The second weakness is the predictability of the sequence number: the sequence number the target host returns in its SYN/ACK when answering a connection request can be predicted. (This applies to early TCP protocol stacks; for the original specification of TCP see the 1981 RFC793 document.)
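To show why sequence-number predictability matters and how modern stacks mitigate it, here is an added Python example (not code from the original article): a counter-based initial sequence number (ISN) generator of the early kind stands beside an RFC 6528-style generator that adds a keyed-hash offset per connection to a clock term. Using HMAC-SHA256 as the hash function is an assumption of the example (the RFC leaves the function to the implementation), and the addresses and ports used are constructed.

```python
import hashlib
import hmac
import secrets
import time


def monotonic_4us_clock() -> int:
    """The 'M' term: a counter that advances by one every 4 microseconds, as RFC 793 describes."""
    return (time.monotonic_ns() // 4000) & 0xFFFFFFFF


class SequentialISN:
    """Early-stack behaviour: a global counter stepped by a fixed amount, so whoever learns
    one ISN can extrapolate the next one handed to any peer."""

    def __init__(self, start: int = 1, step: int = 64000):
        self.counter, self.step = start, step

    def next_isn(self, src_ip, sport, dst_ip, dport) -> int:
        isn = self.counter
        self.counter = (self.counter + self.step) & 0xFFFFFFFF
        return isn


class KeyedISN:
    """RFC 6528 style: ISN = M + F(local addr, local port, remote addr, remote port, secret).
    F is HMAC-SHA256 truncated to 32 bits here (an assumption for this example)."""

    def __init__(self, key=None, clock=monotonic_4us_clock):
        self.key = key or secrets.token_bytes(32)   # per-boot secret, never leaves the host
        self.clock = clock

    def next_isn(self, src_ip, sport, dst_ip, dport) -> int:
        msg = f"{src_ip}:{sport}>{dst_ip}:{dport}".encode()
        offset = int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock() + offset) & 0xFFFFFFFF


def isn_step_is_constant(generator, four_tuples) -> bool:
    """Audit-style check: do consecutive ISNs handed out to different peers differ by a
    fixed amount? True means the sequence is trivially extrapolable."""
    isns = [generator.next_isn(*t) for t in four_tuples]
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return len(steps) == 1


if __name__ == "__main__":
    peers = [("10.0.0.1", 40000 + i, "10.0.0.100", 80) for i in range(6)]  # constructed
    print("sequential predictable:", isn_step_is_constant(SequentialISN(), peers))
    print("keyed predictable:     ", isn_step_is_constant(KeyedISN(), peers))
```

With the keyed generator, a peer that learns its own ISN learns nothing about the ISN issued to a different 4-tuple, while the clock term still keeps ISNs for a repeated 4-tuple moving forward so old segments are not mistaken for new ones.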

TCP Header Structure

The TCP header is at least 20 bytes long and contains the following fields (because the translated names are not always consistent, the corresponding English terms are given):

TCP Source Port: a 16-bit source port that identifies the port from which the communication was initiated. Together with the source IP address, the source port indicates the return address of the message.

TCP Destination Port: a 16-bit destination port field that defines the destination of the transmission. This port indicates the application interface address on the receiving computer.

TCP Sequence Number: the 32-bit sequence number is used by the receiving computer to reassemble the segmented message into its original form. When SYN is set, the sequence number is actually the initial sequence number (ISN), and the first byte of data is numbered ISN+1. This sequence number is what allows inconsistencies in transmission to be compensated for.

TCP Acknowledgment Number: a 32-bit sequence number used by the receiving computer to reassemble the message into its original form. If the ACK control bit is set, this value is the sequence number of the next segment expected to be received.

Data Offset (Hlen): 4 bits giving the size of the TCP header, which indicates where the data begins.

Reserved: a 6-bit field whose bits must be 0; reserved for future definitions.

Flags (Code Bits): a 6-bit flag field. The flags are: urgent flag, acknowledgment-valid flag, push flag, reset-connection flag, synchronize-sequence-number flag, and finish-sending-data flag. In order they are URG, ACK, PSH, RST, SYN, FIN.

Window: 16 bits giving the size of the TCP data the sender of the segment is willing to receive.

Checksum: a 16-bit checksum of the TCP header. The source machine calculates a value from the content; the receiver performs the same calculation and, if the result matches the source machine's value exactly, the data is taken to be valid.

Urgent Pointer: 16 bits pointing to the byte that follows the urgent data; valid only when the URG flag is set. If URG is not set, the field is simply padding. Its purpose is to speed up the processing of data segments marked as urgent.

Options: of variable length, but the length must be a whole number of bytes. If there are no options, this field is 0.

Padding: of variable length; the padding content must be 0 and exists for arithmetic reasons, namely to make the layout predictable. To ensure that the header and the start of the data fall on an offset divisible by 32, zeros are appended so that the TCP header is a whole multiple of 32 bits.
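As an added worked example (not code from the original article), the following Python decodes the fields listed above from a raw segment and verifies the checksum, which is computed over the IPv4 pseudo-header plus the whole segment. The addresses, ports, ISN and the MSS option in the sample SYN are constructed for the example.

```python
import struct

# Constructed IPv4 addresses for the pseudo-header (not from the article).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 20])

# The six flag bits in header order: URG, ACK, PSH, RST, SYN, FIN.
FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP/IP checksum."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the pseudo-header (src, dst, zero, protocol 6, TCP length) and the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment whose checksum field is correct re-checksums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header, the option bytes and the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4       # 4-bit field counted in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    flags = [name for name, bit in FLAG_BITS if off_flags & bit]
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags,
        "window": window, "checksum": checksum,
        "urgent_pointer": urgent if "URG" in flags else None,  # only meaningful with URG
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def build_syn_segment(src_ip, dst_ip, src_port, dst_port, isn,
                      window=65535, options=b"\x02\x04\x05\xb4"):
    """Build a SYN carrying a 4-byte MSS option (kind 2, length 4, MSS 1460) and a valid checksum."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    data_offset_words = (20 + len(options)) // 4
    off_flags = (data_offset_words << 12) | 0x02          # SYN only
    header = struct.pack("!HHIIHHHH", src_port, dst_port, isn, 0,
                         off_flags, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, header)           # computed with the field zeroed
    return header[:16] + struct.pack("!H", csum) + header[18:]


if __name__ == "__main__":
    seg = build_syn_segment(SRC_IP, DST_IP, 40000, 80, 0x12345678)
    print(parse_tcp_header(seg))
    print("checksum ok:", verify_checksum(SRC_IP, DST_IP, seg))
```

A receiver that follows the processing steps later in the article would run verify_checksum before anything else and silently drop a segment that fails it; flipping a single option byte in the sample is enough to make the check fail.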

Flag control function

URG: Urgent Flag
When set, the urgent pointer field is valid.

ACK: Acknowledgment Flag
When set, the acknowledgment number field is valid. In most cases this flag is set. The acknowledgment number carried in the Acknowledgment Number field of the TCP header (w+1 in Figure 1) is the next expected sequence number, and tells the remote system that all data up to that point was received successfully.

PSH: Push Flag
When set, the receiving end does not queue the data but hands it to the application for processing as quickly as possible. This flag is normally set when handling interactive connections such as Telnet or rlogin.

RST: Reset Flag
When set, the reset flag is valid. It is used to reset the corresponding TCP connection.

SYN: Synchronize Flag
When set, the Synchronize Sequence Numbers field is valid. This flag is valid only while a TCP connection is being established with the three-way handshake. It prompts the server side of the connection to check the sequence number, which is the initial sequence number of the initiating end (normally the client). You can think of a TCP sequence number as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte exchanged over a TCP connection is numbered in sequence, and the Sequence Number field in the TCP header carries the sequence number of the first byte in the TCP segment.

FIN: Finish Flag
A packet with this flag set is used to end a TCP session, but the corresponding port remains open and ready to receive subsequent data.

The server is in the listening state; the packet (IP packet) the client sends to request a connection is assembled into a TCP segment by the TCP/IP protocol stack and processed as follows.

Parse the header information: the TCP layer receives the relevant TCP and IP headers and stores the information in memory.

Check the TCP checksum: the standard checksum is located in the segment (Figure 2). If verification fails, no acknowledgement is returned, the segment is discarded, and the client will retransmit it.

Look up the protocol control block (pcb{}): TCP looks up the protocol control block associated with this connection. If none is found, TCP discards the segment and returns an RST (this is how TCP handles a connection attempt to a port on which nothing is listening). If the protocol control block exists but its state is CLOSED, the server has not called connect() or listen(); the segment is discarded, but no RST is returned, and the client will try to re-establish the connection.

Create a new socket: when the socket in the listening state receives the segment, a child socket is created, together with its socket{}, tcpcb{} and pcb{} structures. If an error occurs, the corresponding socket is marked for removal by a flag bit, its memory is freed, and the TCP connection fails. If the queue is full, TCP treats this as an error and all subsequent connection requests are rejected. This is what a SYN flood attack exploits.

Discard: if the flags in the segment include RST or ACK, or there is no SYN flag, the segment is discarded and the corresponding memory is released.
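To make the "queue is full" behaviour of the previous steps concrete from the defender's side, here is an added Python model (not code from the original article) of a listening socket's half-open queue with a fixed backlog, fed with a constructed stream of connection records: a few clients that complete the handshake, then many SYNs that never do. The backlog size, the SYN timeout and the distinct-source heuristic in syn_flood_suspected are assumptions chosen for the example, not a standard.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """Constructed connection record: arrival time, 4-tuple and flag string ('SYN', 'ACK', 'RST')."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class ListenQueue:
    """A listening socket's half-open (SYN-RECEIVED) queue with a fixed backlog."""

    def __init__(self, backlog: int = 16, syn_timeout: float = 3.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout      # unanswered SYN/ACKs are given up after this long
        self.half_open = {}                 # 4-tuple -> time the SYN arrived
        self.established = 0
        self.dropped = 0

    def expire(self, now: float) -> int:
        """Free slots whose SYN/ACK was never answered within the timeout."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.syn_timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def handle(self, seg: Segment) -> str:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        self.expire(seg.t)
        flags = set(seg.flags.split("+"))
        if "RST" in flags:                  # peer aborted: free the slot
            self.half_open.pop(key, None)
            return "reset"
        if flags == {"SYN"}:                # connection request
            if len(self.half_open) >= self.backlog:
                self.dropped += 1           # queue full: request rejected, the SYN flood effect
                return "dropped"
            self.half_open[key] = seg.t
            return "syn-received"
        if flags == {"ACK"} and key in self.half_open:   # third step of the handshake
            del self.half_open[key]
            self.established += 1
            return "established"
        return "ignored"


def half_open_report(q: ListenQueue, now: float) -> dict:
    q.expire(now)
    sources = {k[0] for k in q.half_open}
    return {"half_open": len(q.half_open),
            "distinct_sources": len(sources),
            "queue_full": len(q.half_open) >= q.backlog}


def syn_flood_suspected(q: ListenQueue, now: float) -> bool:
    """Heuristic (an assumption of this example): a full backlog made up almost entirely of
    distinct sources that never finish the handshake looks like a flood, whereas one busy
    client reconnecting repeatedly would repeat the same source address."""
    r = half_open_report(q, now)
    return r["queue_full"] and r["distinct_sources"] >= 0.9 * r["half_open"]


def simulate():
    """Constructed traffic: 3 well-behaved clients, 40 never-acknowledged SYNs from distinct
    sources in the 203.0.113.0/24 documentation range, then one more legitimate client."""
    q = ListenQueue(backlog=16, syn_timeout=3.0)
    stream = []
    for i in range(3):
        stream.append(Segment(0.00 + i * 0.01, f"10.0.0.{i + 1}", 50000 + i, "10.0.0.100", 80, "SYN"))
        stream.append(Segment(0.10 + i * 0.01, f"10.0.0.{i + 1}", 50000 + i, "10.0.0.100", 80, "ACK"))
    for i in range(40):
        stream.append(Segment(1.0 + i * 0.01, f"203.0.113.{i + 1}", 40000 + i, "10.0.0.100", 80, "SYN"))
    stream.append(Segment(2.0, "10.0.0.9", 51000, "10.0.0.100", 80, "SYN"))   # arrives mid-flood
    stream.sort(key=lambda s: s.t)
    results = [q.handle(s) for s in stream]
    return q, results


if __name__ == "__main__":
    q, results = simulate()
    print("established:", q.established, "dropped:", q.dropped, "last request:", results[-1])
    print("report at t=2.0:", half_open_report(q, 2.0), "flood suspected:", syn_flood_suspected(q, 2.0))
```

The legitimate client arriving at t=2.0 is refused even though the server is otherwise idle, which is the whole effect the attack relies on; once the half-open entries time out the queue accepts connections again, which is why shortening that timeout (or using SYN cookies, which keep no half-open state at all) is the usual mitigation.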

Send sequence variables

SND.UNA: send unacknowledged

SND.NXT: send next

SND.WND: send window

SND.UP: send urgent pointer

SND.WL1: segment sequence number used for the last window update

SND.WL2: segment acknowledgment number used for the last window update

ISS: initial send sequence number

Receive sequence variables

RCV.NXT: receive next

RCV.WND: receive window

RCV.UP: receive urgent pointer

IRS: initial receive sequence number

Current segment variables

SEG.SEQ: segment sequence number

SEG.ACK: segment acknowledgment number

SEG.LEN: segment length

SEG.WND: segment window

SEG.UP: segment urgent pointer

SEG.PRC: segment precedence (priority) value

CLOSED means there is no connection. The meanings of the states are as follows:

LISTEN: listening for a connection request from a remote TCP port.

SYN-SENT: waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED: waiting for the acknowledgement of the connection request after having both received and sent a connection request.

ESTABLISHED: an open connection in which data can be delivered to the user.

FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or an acknowledgement of the connection termination request previously sent.

FIN-WAIT-2: waiting for a connection termination request from the remote TCP.

CLOSE-WAIT: waiting for a connection termination request from the local user.

CLOSING: waiting for an acknowledgement of the connection termination request from the remote TCP.

LAST-ACK: waiting for an acknowledgement of the connection termination request previously sent to the remote TCP.

TIME-WAIT: waiting long enough to be sure the remote TCP received the acknowledgement of its connection termination request.

CLOSED: no connection.

The TCP connection proceeds as a series of state transitions. The transitions are triggered by user calls (OPEN, SEND, RECEIVE, CLOSE, ABORT and STATUS), by transmitted segments, in particular those carrying the SYN, ACK, RST and FIN flags, and by timeouts; whenever any of these occurs, the TCP state changes.
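The state transitions above, as an added Python simulation that is not part of the original article: two endpoints drive the three-way handshake and a normal close through a table of transitions, and each endpoint records the states it passes through. The table is a simplified RFC793 diagram (segments are modelled by their flag sets only, the FIN sent at close carries no ACK, and every RST is treated as an abort to CLOSED), so it illustrates the state machine rather than a full implementation.

```python
# Transitions driven by a received segment: (state, flags) -> (new state, flags to send or None)
SEGMENT_TRANSITIONS = {
    ("LISTEN", frozenset({"SYN"})):           ("SYN-RECEIVED", {"SYN", "ACK"}),
    ("SYN-SENT", frozenset({"SYN", "ACK"})):  ("ESTABLISHED", {"ACK"}),
    ("SYN-SENT", frozenset({"SYN"})):         ("SYN-RECEIVED", {"SYN", "ACK"}),   # simultaneous open
    ("SYN-RECEIVED", frozenset({"ACK"})):     ("ESTABLISHED", None),
    ("SYN-RECEIVED", frozenset({"SYN", "ACK"})): ("ESTABLISHED", None),           # simultaneous open
    ("ESTABLISHED", frozenset({"FIN"})):      ("CLOSE-WAIT", {"ACK"}),
    ("FIN-WAIT-1", frozenset({"ACK"})):       ("FIN-WAIT-2", None),
    ("FIN-WAIT-1", frozenset({"FIN"})):       ("CLOSING", {"ACK"}),               # simultaneous close
    ("FIN-WAIT-2", frozenset({"FIN"})):       ("TIME-WAIT", {"ACK"}),
    ("CLOSING", frozenset({"ACK"})):          ("TIME-WAIT", None),
    ("LAST-ACK", frozenset({"ACK"})):         ("CLOSED", None),
}

# Transitions driven by user calls (passive OPEN, active OPEN, CLOSE)
USER_TRANSITIONS = {
    ("CLOSED", "passive-open"):  ("LISTEN", None),
    ("CLOSED", "active-open"):   ("SYN-SENT", {"SYN"}),
    ("LISTEN", "close"):         ("CLOSED", None),
    ("SYN-SENT", "close"):       ("CLOSED", None),
    ("SYN-RECEIVED", "close"):   ("FIN-WAIT-1", {"FIN"}),
    ("ESTABLISHED", "close"):    ("FIN-WAIT-1", {"FIN"}),
    ("CLOSE-WAIT", "close"):     ("LAST-ACK", {"FIN"}),
}


class TCPEndpoint:
    def __init__(self, name: str):
        self.name = name
        self.state = "CLOSED"
        self.outbox = []       # flag sets queued for the peer
        self.trace = []        # (from_state, to_state) history

    def _apply(self, transition):
        new_state, to_send = transition
        self.trace.append((self.state, new_state))
        self.state = new_state
        if to_send:
            self.outbox.append(frozenset(to_send))

    def user_call(self, call: str):
        key = (self.state, call)
        if key not in USER_TRANSITIONS:
            raise RuntimeError(f"{self.name}: {call} is not allowed in state {self.state}")
        self._apply(USER_TRANSITIONS[key])

    def receive(self, flags):
        flags = frozenset(flags)
        if "RST" in flags and self.state != "CLOSED":   # simplification: any RST aborts
            self._apply(("CLOSED", None))
            return
        transition = SEGMENT_TRANSITIONS.get((self.state, flags))
        if transition:                                   # e.g. a data ACK in ESTABLISHED changes nothing
            self._apply(transition)

    def timeout_2msl(self):
        if self.state == "TIME-WAIT":
            self._apply(("CLOSED", None))


def run_exchange(a: TCPEndpoint, b: TCPEndpoint, max_rounds: int = 10):
    """Deliver queued segments back and forth until both outboxes are empty."""
    for _ in range(max_rounds):
        if not a.outbox and not b.outbox:
            return
        pending, a.outbox = a.outbox, []
        for seg in pending:
            b.receive(seg)
        pending, b.outbox = b.outbox, []
        for seg in pending:
            a.receive(seg)


def simulate_connection() -> dict:
    client, server = TCPEndpoint("client"), TCPEndpoint("server")
    server.user_call("passive-open")            # LISTEN
    client.user_call("active-open")             # SYN-SENT, SYN queued
    run_exchange(client, server)                # three-way handshake
    after_handshake = (client.state, server.state)
    client.user_call("close")                   # FIN-WAIT-1, FIN queued
    run_exchange(client, server)                # server -> CLOSE-WAIT, client -> FIN-WAIT-2
    server.user_call("close")                   # LAST-ACK, FIN queued
    run_exchange(client, server)                # client -> TIME-WAIT, server -> CLOSED
    before_2msl = (client.state, server.state)
    client.timeout_2msl()
    return {"after_handshake": after_handshake, "before_2msl": before_2msl,
            "final": (client.state, server.state),
            "client_trace": client.trace, "server_trace": server.trace}


if __name__ == "__main__":
    for k, v in simulate_connection().items():
        print(k, v)
```

The client's trace is the left-hand path of the classic diagram (SYN-SENT, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, TIME-WAIT) and the server's the right-hand path (LISTEN, SYN-RECEIVED, ESTABLISHED, CLOSE-WAIT, LAST-ACK); the same table also carries a simultaneous open, where both sides end up in ESTABLISHED via SYN-RECEIVED.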

Sequence numbers

Note that every byte sent over a TCP connection carries a sequence number. Because of this numbering, receipt of the bytes can be acknowledged, and acknowledgement of sequence numbers is cumulative. The kinds of sequence-number comparison that TCP must perform include the following:

① determining which of the sent sequence numbers have not yet been acknowledged;

② determining that all sequence numbers up to a certain point have been received;

③ determining which sequence number should be carried in the next segment.

For TCP to process acknowledgements for the data it has sent, the following definitions are used:

SND.UNA = oldest unacknowledged sequence number.

SND.NXT = next sequence number to send.

SEG.ACK = acknowledgement from the receiving TCP: the next sequence number the receiving TCP expects.

SEG.SEQ = first sequence number of a data segment.

SEG.LEN = number of bytes carried in the data segment.

SEG.SEQ + SEG.LEN - 1 = last sequence number of the data segment.

If the last sequence number of a data segment is less than the acknowledgment number, the entire data segment has been acknowledged. When receiving data, the following comparisons are needed:

RCV.NXT = the next expected sequence number, and the lowest edge of the receive window.

RCV.NXT + RCV.WND - 1 = the last sequence number that can be accepted, and the highest edge of the receive window.

SEG.SEQ = the first sequence number received.

SEG.SEQ + SEG.LEN - 1 = the last sequence number received.
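The comparisons in this section, together with the three kinds of comparison listed at its start, implemented in added Python (not code from the original article). The one edge case worth handling is the 32-bit wraparound: sequence numbers must be compared with serial-number arithmetic rather than ordinary integer comparison, otherwise a window or a segment that straddles 2^32 is judged wrongly. The sample values in the test are constructed.

```python
MASK = 0xFFFFFFFF   # sequence numbers live in a 32-bit space and wrap around


def seq_add(a: int, n: int) -> int:
    return (a + n) & MASK


def seq_lt(a: int, b: int) -> bool:
    """a < b in serial-number arithmetic: true when the signed 32-bit distance a-b is negative,
    which keeps comparisons correct across the wrap (0xFFFFFFF0 is 'before' 0x10)."""
    return ((a - b) & MASK) >= 0x80000000


def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)


def acceptable_ack(snd_una: int, snd_nxt: int, seg_ack: int) -> bool:
    """SND.UNA < SEG.ACK =< SND.NXT: the ACK covers something sent and nothing beyond it."""
    return seq_lt(snd_una, seg_ack) and seq_le(seg_ack, snd_nxt)


def fully_acknowledged(seg_seq: int, seg_len: int, seg_ack: int) -> bool:
    """A queued segment is fully acknowledged when its last byte SEG.SEQ+SEG.LEN-1 lies below
    SEG.ACK, i.e. SEG.SEQ+SEG.LEN =< SEG.ACK."""
    return seq_le(seq_add(seg_seq, seg_len), seg_ack)


def in_receive_window(rcv_nxt: int, rcv_wnd: int, x: int) -> bool:
    """RCV.NXT =< x =< RCV.NXT+RCV.WND-1: x lies between the lowest and highest window edge."""
    return seq_le(rcv_nxt, x) and seq_lt(x, seq_add(rcv_nxt, rcv_wnd))


def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 receive-side acceptability test: a segment is accepted when its first byte
    (SEG.SEQ) or its last byte (SEG.SEQ+SEG.LEN-1) falls inside the window; with a closed
    window only an empty segment sitting exactly at RCV.NXT is accepted."""
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_receive_window(rcv_nxt, rcv_wnd, seg_seq)
    if rcv_wnd == 0:
        return False
    return (in_receive_window(rcv_nxt, rcv_wnd, seg_seq)
            or in_receive_window(rcv_nxt, rcv_wnd, seq_add(seg_seq, seg_len - 1)))


def classify_sent(snd_una: int, snd_nxt: int, seq: int) -> str:
    """The send-side bookkeeping from the numbered list: a byte is already acknowledged
    (below SND.UNA), sent but unacknowledged (SND.UNA =< seq < SND.NXT), or not yet sent."""
    if seq_lt(seq, snd_una):
        return "acknowledged"
    if seq_lt(seq, snd_nxt):
        return "sent-unacknowledged"
    return "not-yet-sent"


if __name__ == "__main__":
    # Constructed values: the send window straddles the 2^32 wrap.
    print(acceptable_ack(0xFFFFFFF0, 0x10, 0x05))        # ACK inside the wrapped range
    print(fully_acknowledged(0xFFFFFFFE, 4, 2))          # bytes ...FFFE, ...FFFF, 0, 1 all covered
    print(segment_acceptable(0xFFFFFF00, 512, 0x10, 10)) # segment just past the wrap, in window
```

Using ordinary `<` on the same inputs would reject the wrapped ACK and the wrapped segment, which is the kind of mistake that makes a stack silently stall once the sequence space rolls over.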
