RST reset signal in TCP
In TCP, RST stands for reset. It is used to close an abnormal connection and is an indispensable part of the TCP design.
When an RST packet is sent to close a connection, the sender does not wait for its buffered data to be transmitted; it discards the buffered data and sends the RST immediately. The receiver of an RST does not send an ACK to confirm it.
The TCP header carries an RST flag bit among its control flags.
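The following is an added example, not code from the original article: a small Python decoder for the fixed part of the TCP header that shows where the RST bit sits among the control flags. The two sample headers are constructed by hand to match the article's scenario (a SYN to port 40000 and the RST+ACK reply from a port that is not listening); they are not captured traffic, and their checksums are left at zero.

```python
import struct

# Control-flag bits in the TCP header (RFC 793, plus the ECN bits of RFC 3168
# and the NS bit of RFC 3540). They occupy the low 9 bits of the 16-bit word
# that also carries the 4-bit data offset.
TCP_FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header (options are ignored)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes long")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes (20..60)
    flag_bits = off_flags & 0x01FF       # low 9 bits are the control flags
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
        "window": window,
        "checksum": checksum,
        "urg_ptr": urg_ptr,
    }


def is_reset(segment: bytes) -> bool:
    """True when the RST control bit is set in the segment's header."""
    return "RST" in parse_tcp_header(segment)["flags"]


def describe(segment: bytes) -> str:
    """One-line summary in the style of a packet-capture tool."""
    h = parse_tcp_header(segment)
    return (f"{h['src_port']} -> {h['dst_port']} [{'|'.join(h['flags'])}] "
            f"seq={h['seq']} ack={h['ack']} win={h['window']}")


# Constructed sample headers (not captured traffic); checksum fields are 0.
# A SYN from client port 51234 to server port 40000, as in the article's scenario:
SAMPLE_SYN_SEGMENT = bytes.fromhex(
    "c822 9c40 12345678 00000000 5002 ffff 0000 0000")
# The server's RST+ACK reply when nothing listens on port 40000:
# seq 0, ack = client seq + 1, window 0.
SAMPLE_RST_ACK_SEGMENT = bytes.fromhex(
    "9c40 c822 00000000 12345679 5014 0000 0000 0000")

if __name__ == "__main__":
    for seg in (SAMPLE_SYN_SEGMENT, SAMPLE_RST_ACK_SEGMENT):
        print(describe(seg), "<- reset" if is_reset(seg) else "")
```

The flag word is decoded as a 9-bit field rather than the original 6 bits so that segments with ECN bits set are still classified correctly; a reset detector that only masks the low 6 bits would still work, but a decoder that ignored the upper bits would mislabel them as reserved.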
Causes of RST
1. Port not open
This occurs when a client connects to a port on which no server program is listening, such as using Telnet to connect to a TCP port that is not open.
For example, host A sends a SYN to host B asking to connect to port 40000, but nothing is listening on that port on B, so B replies with an RST. This is a common situation; in particular, a burst of RSTs during the interval between a server program crashing (core dump) and restarting is a recurring case.
2. Early closure
For example, hosts A and B have an established connection. A sends B a FIN to request closing the connection, B replies with an ACK, and then the network is interrupted; meanwhile A abandons the connection for some reason (such as a process restart). When the network recovers, B starts sending data packets. A, under heavy load and no longer knowing anything about this stray connection, replies with an RST to force the connection closed, and B receives a "connection reset by peer" error.
3. Receive data on a closed connection
4. Request Timeout
RST attack
Suppose a TCP connection is established between servers A and B, and a third host C forges a TCP packet to B that causes B to abnormally tear down its connection to A. This is the RST attack.
So what kind of forged TCP packet achieves this? Consider the possibilities:
- Suppose C forges a packet that appears to come from A. If it is an RST packet, B will without question discard all buffered data for the connection with A and force the connection closed;
- If the forged packet is a SYN, B concludes that A has gone haywire (the exact behaviour depends on the OS implementation), since the normal course of events would be to open a new connection rather than send a SYN on an established one; B then actively sends A an RST and forces the connection closed on its own side.
Both methods achieve the effect of a reset attack. That sounds alarming, but the crux is how C can forge a packet that B accepts. Two factors are key: the source port and the sequence number.
A TCP connection is uniquely identified by a four-tuple: source IP and source port, destination IP and destination port. So if C wants to forge a packet from A to B, all four of these fields in the IP and TCP headers must be filled in correctly. B is the server, so its IP and port are public; A is the target, so its IP is certainly known, but A's source port is unclear, because it may be randomly generated. Of course, if one can work out how common operating systems such as Windows and Linux choose source ports, it can still be done.
In addition, the forged TCP packet must carry a sequence number (SeqNum); if that value does not fall within the sliding window that B currently holds for data from A, B simply discards the packet. So the task is to find a sequence number that falls into the A-to-B sliding window at that moment. This can be brute-forced: the sequence number is 32 bits, with a value range of 0-4294967296, so if the sliding window is 65535, at most 65537 (4294967296/65535 = 65537) packets are needed for one of them to have a sequence number that lands in the window. An RST packet is tiny, only 40 bytes of IP header plus TCP header, and a quick calculation against available bandwidth shows that it really takes only a few seconds.
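As an added example (not part of the original article), the receiver-side check that the paragraph above relies on, written in Python. It implements the RFC 793 in-window acceptance test, under which any RST whose sequence number lands anywhere in the receive window resets the connection, beside the stricter rule of RFC 5961 that modern TCP stacks use: an RST resets the connection only when its sequence number exactly equals RCV.NXT, and an in-window but inexact RST draws a challenge ACK instead of a teardown. The receiver state and the candidate sequence numbers are constructed sample values.

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for a zero-length segment such as a bare RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32.
    With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_action_rfc793(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic behaviour: any RST that lands in the window resets the connection."""
    return "reset" if seq_in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: only an RST with SEG.SEQ == RCV.NXT resets.
    An in-window but inexact RST gets a challenge ACK, so a legitimate peer
    can answer with an RST carrying the exact number while a guessed one is
    ignored. Anything outside the window is dropped."""
    if seg_seq == rcv_nxt:
        return "reset"
    if seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def count_resets(policy, seqs, rcv_nxt: int, rcv_wnd: int) -> int:
    """How many of the given RST sequence numbers would tear the connection down."""
    return sum(1 for s in seqs if policy(s, rcv_nxt, rcv_wnd) == "reset")


# Constructed receiver state: B expects byte 1000 next from A and advertises
# the 65535-byte window used in the article's arithmetic.
SAMPLE_RCV_NXT = 1000
SAMPLE_RCV_WND = 65535
# Constructed RST sequence numbers: just below the window, its first two
# values, one in the middle, its last value, just past it, and near wrap-around.
SAMPLE_RST_SEQS = [999, 1000, 1001, 33000, 66534, 66535, 4294967295]

if __name__ == "__main__":
    for name, policy in (("RFC 793", rst_action_rfc793),
                         ("RFC 5961", rst_action_rfc5961)):
        n = count_resets(policy, SAMPLE_RST_SEQS, SAMPLE_RCV_NXT, SAMPLE_RCV_WND)
        print(f"{name}: {n} of {len(SAMPLE_RST_SEQS)} sample RSTs reset the connection")
```

Under the RFC 793 rule the fraction of the 2^32 sequence space that resets the connection is RCV.WND/2^32, which is what makes the few-second estimate above work; under RFC 5961 it is 1/2^32, so the same blind search would need the full 32-bit space, and the challenge ACKs it provokes are themselves a detectable signal on the receiver. The modulo arithmetic in seq_in_window matters: a window that straddles the 2^32 boundary must still accept the small sequence numbers just after the wrap.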