TCP Connection Management (5)

TCP Server operation

In particular, we wish-become familiar with how TCP servers use port numbers and how multiple concurrent C Lients is handled.

TCP Port Numbers

The following output is on a system with no active secure shell connections.

THE-A option reports on all network endpoints, including those in either Lis-tening or non-listening state.

The-n flag Prints IP addresses as Dotted-decimal (or hex) numbers, instead of trying to use the DNS to convert t He address to a name,

and prints numeric port numbers (e.g.) instead of service names (e.g., SSH).

THE-T option selects only TCP endpoints.

The local address (which really means local endpoint) is output as::: +, which is the IPv6-oriented of referring to the All-zeros address,

Also called the wildcard address, along with port number .

This means, the incoming connection request (i.e., a SYN) to port A is accepted on any local interface.

If the host were multihomed (this one was), we could specify a single IP address for the local IP add Ress (one of the host ' s IP addresses),

And only connections received on that interface would be accepted.

Here, the foreign IP address and foreign port number was not known yet, because the local endpoint was in the listen state, waiting for a connection to arrive.

We now start a secure Shell client on the host 10.0.0.3, connects to this server:

The local IP address corresponds to the interface on which the connection request arrived.

Also Notice that the port number for the established connection does isn't change: It's is, the same as the LISTEN Endpoint.

We now initiate another client request from the same system (10.0.0.3) to this server. Here is the relevant netstat output:

TCP cannot determine which process gets an incoming segment by looking at the destination port number (local Addre SS) only.

Also, the only one of the three endpoints at Port all that would receive incoming connection requests is the one in The LISTEN state.

The endpoints in the established state cannot receive SYN segments, and the endpoint in the LISTEN state cannot R Eceive Data Segments.

The host operating system ensures this. (If it does not, the TCP could become quite confused and not work properly.)

Next We initiate a third client connection, from the IP address 169.229.62.97 which is across the DSL PPPoE link F Rom the server 10.0.0.1, and not on the same Ethernet.

The local IP address of the third established connection now corresponds to the interface address of the PPPoE Li NK on the multihomed host (67.125.227.195).

Note that the Send-q status was not 0 and is instead 928 bytes.

This means the server host have sent 928 bytes on the connection for which it had not yet heard an ACKNOWLEDG ment.

Restricting Local IP Addresses

We can see how happens when the server does isn't wildcard the local IP address but instead sets it to one par Ticular Local address.

If We run our sock program as a server and provide it with a particuclar IP address, that address becomes the local addres S of the listening endpoint.

For example:

linux% sock-s 10.0.0.1 8888

This restricts this server to using connections, that arrive-only on the local IPV4 address 10.0.0.1.

If We now connect to this server from the local network, from the host 10.0.0.3, it works fine

If we instead try to connect to the this server from a host using a destination address other than 10.0.0.1 (even Inc Luding the local address 127.0.0.1),

The connection request is a accepteD by the TCP module.

If we watch with Tcp-dump, the SYN elicits an RST segment

The server application never sees the connection request-the rejection is done by the operating system ' s TCP ModulE,

Based on the local address specified by the application and the destination address contained in the arriving SYN seg-menT.

We see this capability of restricting local IP addresses is quite strict.

Restricting Foreign endpoints

The abstract interface functions for TCP given in [RFC0793] allow a server doing a passive open to has either a fully spe Cified foreign endpoint (to-wait for a particular client-to-issue an active open)

Or an unspecified foreign end-point (to-wait for any client).

Incoming Connection Queue

But there was still a chance that multiple connection requests would arrive while the listening server is creating a new Process,

or while the operating system was busy running other higher-priority processes, or worse yet, that's the server is B Eing attacked with bogus connection requests that is never allowed to be established.

How does TCP handle these scenarios?

To fully explore this question, we must first understand the new connections may is in one of the both distinct STATES before they is made available to an applica-tion.

The first case was connections that had not yet completed but for which a SYN had been received (these was in the SYN_RCVD state).

The second case was connections that has already completed the Three-way handshake and is in the established STA Te but has not yet been acceptedby the application.

Internally, the operating system ordinarily has a distinct connectionqueues, one for each of the these cases.

An application have limited control over the sizing of these queues.

In modern Linux kernels This behavior have been changed to being the number of connections in the second case (establ ished connections).

In Linux and then, the following rules apply:

1 When a connection request arrives (i.e., the SYN segment), the system-wide parameter net.ipv4.tcp_ Max_syn_backlog is checked (default 1000).

If the number of connections in the SYN_RCVD state would exceed this threshold, the incoming connection is rejected.

2 Each listening endpoint had a fixed-length queue of connections that had been completely accepted by TCP (i.e. , the Three-way handshake is com-plete) and not yet accepted by the application.

The application specifies a limit to this queue, commonly called the backlog.

This backlog must is between 0 and a system-specific maximum called net.core.somaxconn, inclusive (defau LT 128).

Keep in mind so this backlog value specifies only the maximum number of queued connections for one listening en Dpoint

This backlog have no effect whatsoever on the maximum number of estab-lished connections allowed by the Syste m,

Or on the number of clients a concurrent server can handle concurrently.

3 Also, the client may think the server was ready to receive data when the client's active open completes SUCCESSF Ully,

before the server application has been noti-fied of the new connection. If this happens, the server ' s TCP just queues the incoming data.

4 If There is not enough . The queue for the new connection, the TCP delays responding to the SYN, To give the application a chance to catch up.

Linux is somewhat unique in this behavior-it persists in not ignoring incoming connections if it possibly can.

If the net.ipv4.tcp_abort_on_ overflow system control variable is set, new incoming connections is RESET with a reset segment.

Sending reset segments on overflow are not generally advisable and are not turned on by default.

The client has attempted to contact the server, and if it receives a reset during the SYN Exchange, it may falsely conclud E that no serveR is present (instead of the concluding that there are a server present but it's busy).

Being too busy is really a form of 'soft' or temporary error rather than a hard error.

normally, when the queue is full, the application or the operating system is busy, preventing the application fro M servicing incoming connections. This condition could change in a short while.

But if the server's TCP responded with a reset, the client's active open would abort (which is what we saw happen If the server is not started).

Without the reset, if the listening server does not get around to accepting some of the already-accepted connections that The filled its queue to the limit, the client's active open eventually times out, according to normal TCP Mechan Isms.

In the case of Linux, the connecting clients is just slowed for a sig-nificant period of Time-they would neither Time out nor being reset.

We can see how happens when the Incoming connection queue becomes full using our sock program.

We invoke it with a new option (-O) that tells it-to- pause After creating the listening endpoint, before Acceptin G any connection requests.

If we then invoke multiple clients during this pause period, the server ' s queue of accepted connections should fill 2 > And we can see what the happens with tcpdump.

linux% sock-s-v-q1-o30000 6666

THE-Q1 option sets the backlog of the listening endpoint to 1.

the-o30000 option causes the program to sleep for 30,000s before accepting any client connections.

So with Berkeley sockets, being aware that with TCP, when the application was told that a connection have just arrived , TCP ' s three-way handshake is already over.

If the server then looks at the client's IP address and port number and decides it does not wanT-service This Client

All the servers can do are either close the connection (causing a FIN to be sent) or reset the connection (causing An RST to be sent).

Attacks involving TCP Connection Management

A SYN flood is a TCP DoS attack whereby one or more malicious clients generate a series of TCP Connectio N Attempts (SYN segments) and

Send them at a server, often with a "spoofed" (e.g., random) source IP address.

The server allocates some amount of connection resources to each partial connection.

Because the connec-tions is never established, the server may start-to-deny service to a future legiti-mate requ ESTs

Because its memory was exhausted holding state for many half-open connections.

One mecha-nism invented to deal with this issue is called SYN-Cookies [RFC4987].

The main insight with SYN-cookies is, the most of the information, would be stored for a connection when a SYN arr Ives could is encoded inside the Sequence Number field supplied with the SYN + ACK.

The target machine using SYN cookie need not allocate any storage for the incoming connection request-

It allocates real memory only once the SYN + ACK segment have itself been acknowledged (and the initial Sequen Cenumber is returned).

Producing SYN cookie involves a careful selection process of the TCP ISN at servers.

Essentially, the server must encode any essential state in the Sequence number field in its SYN + ACK that is RET Urned in the ACK number field from a legitimate client.

There is several ways of doing this, but we'll mention the technique adopted by Linux.

TODO here

TCP Connection Management (5)