TCP RST Reset Attack

Source: Internet
Author: User

1. RST flag bit

RST stands for reset. It is used to close a connection abnormally and is an indispensable part of TCP's design. When a connection is closed by sending an RST segment, the sender does not wait for its buffered data to be transmitted first (as it does with a FIN); it discards whatever is in the buffer and sends the RST immediately. The receiver of an RST does not send an ACK to confirm it.
The TCP stack sends an RST whenever it judges the state of a connection to be abnormal.

Two examples:

1) A initiates a connection to B, but nothing on B is listening on the corresponding port; the TCP stack of B's operating system sends an RST segment.
2) A and B have established a normal connection. During communication, A sends a FIN to B requesting that the connection be closed, and B replies with an ACK. The network is then interrupted, and A abandons the connection for some reason (for example, a process restart). After the network recovers, B starts sending, or retransmits, segments; A no longer knows which connection they belong to and sends an RST to force the connection closed. B then sees a "connection reset by peer" error.


2. RST reset segment

TCP generates an RST reset segment in the following three scenarios.

1. Connection request to a non-existent port

A common situation in which a reset occurs is when a connection request arrives and no process is listening on the destination port. For UDP, when a datagram arrives at a destination port that is not in use, an ICMP port unreachable message is generated; TCP uses a reset instead.

2. Terminating a connection abnormally

The normal way to terminate a connection is for one party to send a FIN. This is also called an orderly release, because the FIN is sent only after all queued data has been sent, so under normal circumstances no data is lost. It is also possible to send a reset segment instead of a FIN to release a connection midway, which is called an abortive release. Aborting a connection has two advantages for the application: (1) any queued outgoing data is discarded and the reset segment is sent immediately; (2) the receiver of the RST can tell that the other end performed an abortive rather than an orderly close.

3. Detecting half-closed connections

If one end has closed or aborted the connection and the other end does not yet know it, the TCP connection is called half-open. This can be caused by a host crash at either end. As long as no data is transferred over the half-open connection, the side that still considers itself connected does not detect that the other end has failed. The following describes how to create a half-open connection. Run a Telnet client on BSDI to establish a connection to the discard server on SVR4. Then disconnect the server host's Ethernet cable and reboot the server host. This simulates a server host crash (disconnecting the cable before rebooting prevents the server from sending a FIN on the open connection, which some TCP implementations do on shutdown). After the server host restarts, reconnect the cable and send a line of characters from the client to the server. Because the server's TCP has been restarted, it has lost all information about the connections it had before the reboot, so it knows nothing about the connection referred to in the data segment. TCP's rule is that the receiver responds with a reset.


3. RST Reset Attack
Suppose a TCP connection is established between client A and server B. If C forges a TCP segment to B and, as a result, B abnormally terminates its connection to A, that is an RST attack.
What kind of forged TCP segment achieves this?
1) Suppose C disguises itself as A and sends a segment. If it is an RST segment, B discards all data buffered for A and forcibly closes the connection.

2) If the segment sent is a SYN, B concludes that A, despite having a normal connection, wants to establish a new one; B actively sends an RST to A and forcibly closes the connection on its own side.
How can such a segment be forged for B?

There are two key factors: the source port and the sequence number.
A TCP connection is uniquely identified by a four-tuple: source IP, source port, destination IP, and destination port. Therefore, if C wants to forge a segment from A to B, all of these fields in the IP header and TCP header must be filled in correctly.

1) B is the server, so its IP and port are public.

2) A is the target; its IP is certainly known, but its source port is not, because it may be randomly generated. Of course, collisions can be engineered if the rules by which common operating systems such as Windows and Linux generate source ports can be found.

3) The sequence number problem corresponds to the sliding window. The forged TCP segment must carry a sequence number; if that sequence number does not fall inside the window B is currently expecting from A, B actively discards the segment. So the sequence number must fall into the window between A and B at that moment. This can be solved by brute force: the sequence number is 32 bits, with a range of 0 to 4294967296. With a window size of 65535, as in the capture I took under Windows, dividing shows that at most 65537 segments (4294967296/65535 = 65537) are needed for one of them to carry a sequence number that falls into the sliding window. An RST segment is very small, 40 bytes of IP header plus TCP header; work out the bandwidth and it really only takes a few seconds.
So the sequence number is not an obstacle; the source port is the troublesome part. If an operating system cannot generate source ports completely randomly, or an attacker can obtain the source port by other means, the RST attack is possible.
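As an added example (not code from the original article), the following Python simulates the receiver-side sequence-number check described in point 3 and compares it with the stricter check of RFC 5961, which accepts an RST only when its sequence number equals the next expected one and otherwise answers an in-window RST with a challenge ACK; the receiver state and the guessed sequence numbers are constructed values.

```python
# Added example (not from the original article): a TCP receiver's decision on
# an incoming RST segment under two policies. The classic rule accepts any
# RST whose sequence number lands in the receive window, which is what makes
# the guessing described above feasible; RFC 5961 accepts an RST only when
# its sequence number equals RCV.NXT exactly and answers an in-window
# mismatch with a challenge ACK. All arithmetic is modulo 2**32.
SEQ_SPACE = 2 ** 32

def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seg_seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd

def classic_rst_action(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-RFC-5961 behaviour: any in-window RST tears the connection down."""
    return "reset" if seq_in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"

def rfc5961_rst_action(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 rule: exact match resets; in-window but not exact gets a
    challenge ACK (a genuine peer replies with a correctly aligned RST);
    anything outside the window is silently dropped."""
    if seg_seq == rcv_nxt:
        return "reset"
    if seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"

def count_resets(policy, guessed_seqs, rcv_nxt, rcv_wnd) -> int:
    """How many of the guessed sequence numbers would actually reset the
    connection under the given policy."""
    return sum(1 for s in guessed_seqs if policy(s, rcv_nxt, rcv_wnd) == "reset")

# Constructed receiver state: next expected sequence number (unknown to the
# sender of forged segments) and the 65535-byte window the article mentions.
RCV_NXT = 0x9ABCDEF0
RCV_WND = 65535

# Constructed guesses spaced one window apart, the spacing the article reasons
# about: one of them lands inside the window wherever RCV_NXT happens to be.
GUESSES = [(i * RCV_WND) % SEQ_SPACE for i in range(65538)]

if __name__ == "__main__":
    print("classic policy, resets:",
          count_resets(classic_rst_action, GUESSES, RCV_NXT, RCV_WND))
    print("RFC 5961 policy, resets:",
          count_resets(rfc5961_rst_action, GUESSES, RCV_NXT, RCV_WND))
```

Under the classic rule exactly one guess resets the connection; under RFC 5961 none does, because only a 1-in-2^32 exact hit is accepted and in-window guesses merely trigger a challenge ACK.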


4. How to Prevent
A feasible and simple approach is to handle it at the firewall. We recommend using a firewall to discard incoming packets that have the RST bit set.
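As an added example (not from the original article) to complement the firewall rule, here is detection logic run over constructed records of RST segments: it flags a connection that receives a burst of RSTs whose sequence numbers sweep through the 32-bit space, which is the pattern the brute-force approach in section 3 produces, while leaving an isolated legitimate reset alone. The record format, thresholds and sample values are assumptions.

```python
# Added example (not from the original article): a detector for the
# sequence-number guessing the article describes, run over constructed
# records of RST segments in the shape a packet capture or IDS log would
# give. Many RSTs against one 4-tuple within a few seconds, with sequence
# numbers spread across the 32-bit space, is the signature; a legitimate
# reset is a single segment.
from collections import defaultdict

SEQ_SPACE = 2 ** 32

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, seq).
# One isolated RST from a normal client, then a burst of 300 RSTs against a
# single connection whose sequence numbers step through the space.
RST_RECORDS = [
    (10.0, "203.0.113.7", 51234, "198.51.100.5", 443, 1_000_000),
] + [
    (20.0 + i * 0.001, "192.0.2.9", 40000, "198.51.100.5", 443,
     (i * 65535) % SEQ_SPACE)
    for i in range(300)
]

def detect_rst_guessing(records, window_s=5.0, min_count=50, min_spread=2**20):
    """Return {four_tuple: total RSTs seen} for every connection that received
    at least min_count RSTs inside some window_s-second span, with sequence
    numbers spanning at least min_spread values (so repeated RSTs carrying
    the same sequence number are not flagged)."""
    by_flow = defaultdict(list)
    for t, sip, sp, dip, dp, seq in records:
        by_flow[(sip, sp, dip, dp)].append((t, seq))
    flagged = {}
    for flow, hits in by_flow.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the burst fits in window_s.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            burst = hits[start:end + 1]
            if len(burst) >= min_count:
                seqs = [s for _, s in burst]
                if max(seqs) - min(seqs) >= min_spread:
                    flagged[flow] = len(hits)
                    break
    return flagged

if __name__ == "__main__":
    for flow, n in detect_rst_guessing(RST_RECORDS).items():
        print(f"probable RST sequence guessing: {flow} ({n} RSTs)")
```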

