1. Malformed packets
TCP/UDP: packets with a source or destination port of 0, and packets with a bad checksum.
Anomalous TCP flag combinations: SYN may appear only alone or together with ACK, and a SYN combined with any other flag is anomalous; packets with no flag bits set at all; packets with ACK set but an acknowledgment number of 0; packets with SYN set but a sequence number of 0; packets with URG set but an urgent pointer of 0, or with URG clear but a nonzero urgent pointer; packets with RST combined with any flag other than ACK. (One caveat on the SYN rule: an ECN-capable host legitimately sets ECE and CWR together with SYN, RFC 3168, so those two bits should be masked off before applying it.)
These signatures are unambiguous and easy to defend against; such packets can be detected and blocked with 100% accuracy.
2. Land attack
A TCP-layer attack that can nevertheless be blocked at the network layer: the attacker sends a TCP SYN whose source address (and, classically, source port) equals its destination address and port. Some old operating systems answered with a SYN/ACK to themselves, set up an empty connection and eventually exhausted their own resources; current operating systems are not that naive. This attack can also be detected and blocked with 100% accuracy.
3. Flood attacks
SYN flood: the biggest weakness of the TCP protocol. A separate article analyses the SYN flood in detail; in theory it cannot truly be defended against, only mitigated to a certain degree.
UDP flood: the attacker sends a large volume of UDP packets to saturate the target's link. Because UDP is connectionless, a flood can only be recognized statistically; stateful inspection is of little use, and only traffic limits and statistical methods mitigate it. For some protocols the server does far more work per request than the client, for example DNS or IKE in aggressive mode, and a flood of such requests turns into a denial of service all the more easily.
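An added example, not from the original article, of the traffic-limit mitigation the text says is all that is available against a UDP flood: a per-source token bucket applied to a constructed stream of UDP arrivals. The rate and burst values, the addresses and the arrival pattern are assumptions made for the example; timestamps and tokens are Fractions so the result is exact and reproducible rather than subject to float rounding.

```python
"""Per-source token-bucket rate limit for UDP arrivals: with no connection state to
inspect, capping each source's packet rate is the mitigation left.  Added example;
the arrival stream, addresses, rate and burst are constructed for it."""
from fractions import Fraction


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.tokens, self.last = self.burst, None

    def allow(self, now):
        """Spend one token for a packet arriving at time `now`; False means drop it."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_udp(arrivals, rate=10, burst=20):
    """arrivals: (timestamp_seconds, src_ip) pairs in time order.
    Returns {src_ip: (accepted, dropped)}; a real filter would act per packet instead."""
    buckets, stats = {}, {}
    for ts, src in arrivals:
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        accepted = bucket.allow(Fraction(ts))
        a, d = stats.get(src, (0, 0))
        stats[src] = (a + accepted, d + (not accepted))
    return stats


# Constructed traffic: 203.0.113.5 floods 200 packets within one second, while
# 198.51.100.7 sends one DNS-sized query every half second.
ARRIVALS = sorted([(Fraction(i, 200), "203.0.113.5") for i in range(200)]
                  + [(Fraction(i, 2), "198.51.100.7") for i in range(5)])
```

With a bucket of 20 and a refill of 10 per second the flooding source gets 29 packets through in that second (the initial burst plus the refill) and loses the rest, while the slow source is never touched; the limit is the only knob, so it has to be set from the legitimate per-client rate of the service being protected.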
4. Port scans
Port scanning is usually the prelude to a network intrusion. A scan reveals which services the target machine has open. Some of those are meant to be open; others are open because of poor management, or were opened deliberately as a private control channel and were never meant to be reachable. A port scan finds these, and from the packets the target returns the scanner can often also determine the operating system type, which guides the next step of the intrusion.
4.1 TCP scans
Per the RFC, a connection attempt to a closed TCP port is answered with RST, and a SYN to an open TCP port is answered with SYN/ACK.
Legitimate-connection scans:
Connect scan: the scanner calls connect(); on an open port this completes the three-way handshake, after which the scanner actively closes the connection. A closed port is identified by the connection failing (RST).
SYN scan: the scanner sends only a SYN. An open port answers SYN/ACK, at which point the scanner usually sends a RST rather than completing the handshake; a closed port answers RST.
Malformed-packet scans:
FIN scan: the scanner sends a packet with only FIN set. A Windows system answers RST regardless of whether the port is open, whereas a UNIX system answers RST only for closed ports and silently drops the packet for open ones; besides finding open ports, this distinguishes Windows from UNIX systems.
ACK scan: the scanner sends a packet with only ACK set. The target returns RST either way, but the RST from an open port and the RST from a closed port can differ in details (the window field, for example), and that difference reveals the port state.
For legitimate-connection scans a correctly formed SYN passes through the firewall, which can only judge on statistics. On the server, netstat shows the picture: many connections from the same address in SYN_RECV (SYN scan) or TIME_WAIT (connect scan) are the sign to look for.
Malformed-packet scans give quite good results when no firewall is installed, and the server shows no corresponding connection state. With a stateful firewall in place these packets belong to no legitimate connection, and state tracking identifies them easily. (Note: the TCP state tracking in the standard Linux kernel's netfilter implementation lets ACK and FIN scans through in its default configuration; it has to be modified to defend against them.)
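An added example, not from the original article, of the netstat-based check described above: it parses `netstat -tan` style output and reports remote addresses that have connections in SYN_RECV or TIME_WAIT across several distinct local ports, with a per-state breakdown. The sample output, the addresses and the `min_ports` threshold are constructed for the example; `live_report()` assumes a Linux net-tools `netstat` and is not exercised offline.

```python
"""Spot a scanning host in `netstat -tan` output: per remote address, count the
connections sitting in SYN_RECV (SYN scan) or TIME_WAIT (connect scan) and the
number of distinct local ports they touch.  Added example; the sample is constructed."""
from collections import defaultdict

# Constructed `netstat -tan` output in Linux format; 10.0.0.99 plays the scanner.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED
tcp        0      0 192.168.1.10:80         10.0.0.99:40001         SYN_RECV
tcp        0      0 192.168.1.10:443        10.0.0.99:40002         SYN_RECV
tcp        0      0 192.168.1.10:25         10.0.0.99:40003         SYN_RECV
tcp        0      0 192.168.1.10:8080       10.0.0.99:40004         SYN_RECV
tcp        0      0 192.168.1.10:22         10.0.0.99:40005         TIME_WAIT
tcp        0      0 192.168.1.10:80         192.168.1.7:50000       TIME_WAIT
tcp        0      0 192.168.1.10:80         192.168.1.7:50001       TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""
SCAN_STATES = {"SYN_RECV", "TIME_WAIT"}


def parse_netstat(text):
    """Yield (remote_ip, local_port, state) for every tcp/tcp6 line; header lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        addr, port = local.rsplit(":", 1)            # "addr:port"; works for IPv6 "::1:22" too
        if not port.isdigit():                       # "*" on a listening socket
            continue
        yield foreign.rsplit(":", 1)[0], int(port), state


def suspicious_sources(text, min_ports=3):
    """Remote addresses with scan-like connections on >= min_ports distinct local ports,
    mapped to a count of those connections by state."""
    ports, states = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for rip, lport, state in parse_netstat(text):
        if state in SCAN_STATES:
            ports[rip].add(lport)
            states[rip][state] += 1
    return {rip: dict(states[rip]) for rip, seen in ports.items() if len(seen) >= min_ports}


def live_report(min_ports=3):
    """Run the same check against this host's `netstat -tan` (Linux net-tools); assumed, not tested here."""
    import subprocess
    out = subprocess.run(["netstat", "-tan"], capture_output=True, text=True, check=True).stdout
    return suspicious_sources(out, min_ports)
```

Counting distinct local ports rather than raw connections is what separates a scanner from a busy legitimate client: 192.168.1.7 has two TIME_WAIT entries but only ever touched port 80, so it stays below the threshold.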
4.2 UDP scans
When a probe reaches a closed UDP port, most systems return an ICMP Port Unreachable message, but some do not respond at all, depending on the implementation. For an open port the server may answer with a packet (DNS, for example) or may equally well stay silent.
A UDP scan passes through stateful firewall inspection: UDP has no connection setup, so the firewall treats each scan packet as the first packet of a new "connection" and lets it through. The firewall can therefore only use statistics to decide whether a UDP scan is under way.
5. TCP urgent pointer attack
WinNuke: on old Windows 95/NT systems, sending a packet with the URG flag (out-of-band data) to TCP port 139 crashed the system. The signature is obvious and a firewall can block it 100%, though with some risk of false positives.
6. TCP option attacks
Compared with IP options, TCP options are used far more often, and many normal packets carry them. TCP option attacks include:
1 Illegal option kind: the kinds normally seen are 0 (end of option list), 1 (no-op), 2 (MSS), 3 (window scale), 4 and 5 (SACK-permitted and SACK), 8 (timestamps), and the rarely used T/TCP kinds 11, 12 and 13. Any other kind is suspicious (kinds 6 and 7, Echo and Echo Reply, are defined but were superseded by kind 8 and are not used in practice).
2 Timestamp: the timestamp option can be used to collect information about the target machine (its uptime, for example).
3 Option length mismatch: the option lengths do not add up to the option space implied by the data offset field of the TCP header.
4 Option length 0: any option other than kinds 0 and 1 with a length of 0 is illegal (a parser that does not check for it loops forever on the same byte).
5 Missing option: a normal SYN carries an MSS option; a SYN without one is abnormal (the RFC permits its absence, but real stacks always send it, so its absence points to a crafted packet).
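The rules from sections 1, 2, 5 and 6 expressed as checks over raw packet bytes, as an added example that is not part of the original article: a small IPv4/TCP header parser with TCP checksum verification, the flag-combination, land and urgent-pointer rules, and an option walker for the five option rules. The packet builder, the 10.0.0.x sample packets and the KNOWN_OPTS allow-list are constructed for the example; the SYN rule masks off ECE and CWR, which an ECN-capable host may legitimately set on a SYN.

```python
"""Malformed TCP/IPv4 packet checks: port 0, bad checksum, flag combinations, land,
urgent pointer and TCP option rules over raw packet bytes.  Added example."""
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# Option kinds a normal stack emits: EOL, NOP, MSS, WSCALE, SACK-permitted, SACK,
# timestamps and the historic T/TCP kinds 11-13 (assumed allow-list for the example).
KNOWN_OPTS = {0, 1, 2, 3, 4, 5, 8, 11, 12, 13}


def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words; returns 0 for a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, flags, seq=1, ack=0, urgp=0, opts=b"", bad_csum=False):
    """Constructed IPv4+TCP packet without payload (the IP checksum is left 0; it is not checked here)."""
    opts += b"\x00" * (-len(opts) % 4)                # pad options with EOL to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (5 + len(opts) // 4) << 4,
                      flags, 8192, 0, urgp) + opts
    srcb, dstb = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
    pseudo = srcb + dstb + struct.pack("!BBH", 0, 6, len(tcp))
    csum = checksum(pseudo + tcp)
    if bad_csum:                                      # deliberately corrupt the checksum
        csum = (csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, srcb, dstb)
    return ip + tcp


def parse(pkt):
    """Extract the fields the rules need from an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = struct.unpack("!B2x4s4s", pkt[9:20])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off, flags, _win, _csum, urgp = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                urgp=urgp, opts=tcp[20:(off >> 4) * 4], csum_ok=checksum(pseudo + tcp) == 0)


def check_options(opts, flags):
    """Walk the option list and apply the section 6 rules; returns the violations found."""
    found, kinds, i = [], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # EOL: the rest is padding
            break
        if kind == 1:                                 # NOP: one byte, no length field
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):      # rules 3 and 4: overrun or zero/short length
            found.append("option kind %d bad length %d" % (kind, length))
            break
        if kind not in KNOWN_OPTS:                    # rule 1
            found.append("unknown option kind %d" % kind)
        kinds.add(kind)
        i += length
    if flags & SYN and 2 not in kinds:                # rule 5
        found.append("SYN without MSS option")
    return found


def check_packet(pkt):
    """Return the list of rules the packet violates; an empty list means it passed."""
    p = parse(pkt)
    f, out = p["flags"], []
    if p["src"] == p["dst"]:
        out.append("land: source equals destination")
    if 0 in (p["sport"], p["dport"]):
        out.append("port 0")
    if not p["csum_ok"]:
        out.append("bad TCP checksum")
    if (f & 0x3F) == 0:                               # none of FIN/SYN/RST/PSH/ACK/URG set
        out.append("null packet: no flags set")
    if f & SYN and f & ~(SYN | ACK | ECE | CWR):      # ECE/CWR with SYN is legal ECN negotiation
        out.append("SYN combined with flags other than ACK")
    if f & RST and f & ~(RST | ACK):
        out.append("RST combined with flags other than ACK")
    if f & ACK and p["ack"] == 0:
        out.append("ACK set but acknowledgment number 0")
    if f & SYN and p["seq"] == 0:
        out.append("SYN with sequence number 0")
    if bool(f & URG) != bool(p["urgp"]):
        out.append("URG flag and urgent pointer disagree")
    if f & URG and p["dport"] == 139:
        out.append("URG to port 139 (WinNuke signature)")
    return out + check_options(p["opts"], f)


MSS_1460 = b"\x02\x04\x05\xb4"
# Constructed sample packets: a normal SYN and one specimen per attack class above.
SAMPLES = {
    "normal_syn": build_packet("10.0.0.2", "10.0.0.1", 40000, 80, SYN, seq=1000, opts=MSS_1460),
    "land": build_packet("10.0.0.1", "10.0.0.1", 80, 80, SYN, seq=1000, opts=MSS_1460),
    "urg_no_pointer": build_packet("10.0.0.2", "10.0.0.1", 40000, 80, FIN | PSH | URG, seq=5),
    "winnuke": build_packet("10.0.0.2", "10.0.0.1", 40000, 139, ACK | URG, ack=1, urgp=1),
    "zero_len_option": build_packet("10.0.0.2", "10.0.0.1", 40000, 80, SYN, opts=b"\x06\x00"),
    "bad_checksum": build_packet("10.0.0.2", "10.0.0.1", 40000, 80, SYN, opts=MSS_1460, bad_csum=True),
}
```

Each finding is a plain string so a filter can map it to a drop action; `check_packet(SAMPLES["normal_syn"])` returns an empty list, every other sample returns the rule it was built to trip. The option walker stops at the first bad length instead of advancing, which is exactly the defensive behaviour rule 4 calls for.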