Probing into the solution to the TCP connection being reset

Category: Network and security

A probe into the solution of the TCP connection being reset--the feasible way to cross the GFW to free network

May 25, 2010 Tuesday 00:19

This title is a bit long-actually started just want to write the part before the dash, because this kind of technical article said the obscure point of no harm, but also worried that we do not understand what is going on, bite the bullet or fill up the back part.

China's network environment is complex, and China is also one of the countries with a high degree of control over the Internet, of course limited to the mainland. And the control of Chinese Internet users free online customs is the famous GFW (Great Fire Wall, Great Firewall), GFW's working principle is to reset the TCP connection, then you have to mention the TCP protocol three times the simple principle of handshake.

According to the provisions of the TCP protocol, the user and the server to establish a connection requires three handshake: the first handshake the user sends a SYN packet request (SYN, x:0) to the server, the second handshake server sends a response to the user Syn/ack packet (syn/ack, y:x+1), The third handshake the user sends an ACK packet to the server to issue an acknowledgment (ACK, x+1:y+1), at which point a TCP connection is established successfully. where x is the serial number that the user sends to the server, and Y is the serial number that the server sends to the user.

Now let's talk about how GFW works. GFW is responsible for monitoring the national TCP connection, when the detection of sensitive words will intervene, the server sent back to the Syn/ack package to Syn/ack, y:0, which means that the TCP connection is reset, the user will voluntarily abandon the connection, the connection failed. Can be seen, in fact, GFW is to deceive the user, let the user mistakenly think the server refused to connect, and actively abandon continue to connect with the server.

Because GFW is working on the TCP protocol layer, which seems to be hard to break, but we should not ignore the detection of the national TCP connection is not a simple task, even if thousands of distributed computers may not have the ability to monitor the TCP connection one by one, then gfw how to do it? Very simply, GFW only monitors the first TCP connection when the connection is initiated, which can greatly improve the performance of GWF. But that's how a performance-providing approach leaves GFW a fatal loophole, and the solution I'm exploring today is based on this vulnerability.

First we normally send a SYN packet to the server for the first handshake, then the server sends back syn/ack to the user for a second handshake, and then the user continues to send the first handshake when the SYN packet, GFW according to the TCP protocol rules that the TCP connection ended, The monitoring of this TCP connection user is stopped, and the server knows how the TCP connection has not been established, so it ignores the packet and is not affected. But we only finished half of the work, because GFW is two-way monitoring, the server is still GFW monitoring, if the server can send back a connection reset of the packet, GFW will stop monitoring the server. Although it is easy to say, the server does not receive user control, how can the server send the user's wishes to connect the reset packet? According to the TCP protocol rules, if a user sends back a packet with an error, the server sends back the connection reset packet, as mentioned earlier, the ACK packet sent by the user at the third handshake should be ack:x+1:y+1, but if the user is sending Ack:x+1:y, Then the server naturally happens to connect the reset packet. When GFW receives this package, it is assumed that the server also resets the connection and no longer monitors the server. However, this connection reset package is received by the user can not actively abandon the connection, so that users need to ignore the reset packet, but the user side of our call, how to do all. At this point, GFW no longer monitors this TCP user and server, the two sides can freely communicate.

Let me summarize the process of this TCP connection:

User-[syn, X:0]->gfw-[syn, x:0]-> server {first handshake}

User <-[syn/ack, Y:x+1]-gfw<-[syn/ack, y:x+1]-server {second handshake}

User-[rst, x:0]->gfw[that the user TCP connection ends]-[rst, x:0]-> server {Ignore}

User-[ack, x+1:y]->gfw[stop monitoring user]-[ack, x+1:y]-> server {Bad Package}

User {Ignore}<-[rst, y:0]-gfw[thinks the server reset connection]<-[rst, y:0]-server {reset Connection}

User-[ack, x+1:y+1]->gfw[stop monitoring Server]-[ack, x+1,y+1]-> server {third handshake}

In this way, a three-time handshake process was changed to six times we shook hands, successfully fooled the GFW, the show officially began.

Now let's talk about some things about GFW. GFW is not as powerful as we think it is, but rather flawed and fragile. Because GFW is distributed-based, patching vulnerabilities is difficult, and if you monitor all TCP packets GFW change the monitoring rules, performance is greatly reduced. In addition, GFW will record the access to the sensitive information of the IP for a period of time, so that the IP can not continue to connect with the corresponding server, then this record IP buffer must have an upper limit, there is a natural overflow, if a large number of IP access to sensitive information, GFW will be unable to view the other TCP because of this buffer overflow. Yes, this is actually ddos,2010 year January 3 around the "solution" also heard that the Beijing GFW is related to DDoS. I heard that GFW have students involved, and these walls of the hit and bupt students ability, resulting in GFW module quality is uneven, which is one of the important factors of GFW there are loopholes.

But the final technology is not innocent, but technology is used by politics is the greatest sorrow. In fact, more than China, the United States to do network depth testing Cnci, the budget of $30 billion, is GWF how many times. The difference lies in the fact that Chinese deacons are too clumsy and have no bottom line, leading to a flaw in ordinary people.

Finally, the exploration of this scheme embodies people's enthusiasm for technology, while the research on FQ embodies people's pursuit of truth and freedom. I would like to be one of them, both from the point of view of technical zeal and from the perspective of truth and freedom.

Reference documents:

[1] In-depth understanding of gfw,http://gfwrev.blogspot.com/2010/03/gfw.html (outside the wall)

[2] "The West Wing plan" principle pee, http://blog.youxu.info/2010/03/14/west-chamber/

[3] Briefly describe the TCP three handshake process, and explain why to 3 handshake, http://hi.baidu.com/it_hawk/blog/item/d053ab346830783e5ab5f54e.html

Probing into the solution to the TCP connection being reset