The RST reset attack, explained from the principles of the TCP protocol

Source: Internet
Author: User

Before talking about RST attacks, you must understand TCP: how a TCP connection is set up through the three-way handshake, how the four-way handshake closes the full-duplex connection, how the sliding window transmits data, and where the RST flag bit sits among the TCP flags. Below I will draw some simple diagrams to express these points, and then look at what the RST attack actually is.

1. What is TCP?

TCP is a transport-layer protocol on top of the IP network layer that provides port-to-port, connection-oriented, reliable byte-stream transmission. Let me explain these keywords in plain language:

Port to port: the IP layer only delivers packets from one IP address to another. The TCP layer above it adds ports, which makes it process-oriented: each port can correspond to a user process.

Reliable: TCP is responsible for maintaining the concept of a connection, which does not physically exist, including packet acknowledgement and retransmission of lost packets, to ensure reliability. TCP can also control traffic to account for bandwidth and the differing processing capabilities of machines.

Byte stream: TCP cuts the byte stream from the application process into a number of packets and sends them over the network. IP packets may be lost, arrive out of order, or be duplicated, and TCP restores them to the true byte stream.

From the TCP protocol diagram above, which I drew in PowerPoint, you can see that there are six flag bits. The RST bit appears when TCP hits an exception, and it is the focus of this article.

2. Establishing a connection with the three-way handshake

Below I use A establishing a TCP connection to B to illustrate how the three-way handshake works.

To be able to explain the RST attack later, I need to cover three things together: the SYN flag bit, the sequence number, and the sliding window size.

In the request to establish a connection, the SYN flag bit is set to 1. The request also announces the MSS segment size, which is the maximum size of TCP packet that the machine expects to receive.

Every TCP packet that carries data has a sequence number. It comes about like this: when the SYN is first sent there is an initial sequence number; according to the RFC definition, each operating system's implementation is related to the system time. After that, the sequence number keeps increasing. For example, if the original sequence number is 100 and the TCP packet carries 10 bytes of data, the next TCP packet's sequence number will be 110.

The sliding window is used to speed up transmission. For example, after sending a packet with seq=100, the sender should receive the acknowledgement ack=101 for that packet before sending the next one. With a sliding window, however, as long as the difference between the new packet's seq and the smallest unacknowledged seq is less than the sliding window size, the sender can keep sending.

3. Sliding window

The sliding window is used to speed up data transfer. To keep TCP "reliable", the receiver must acknowledge each packet it receives with an ACK. With a sliding window, the receiver can wait for several packets and send only one ACK, confirming that it has received multiple packets. Likewise, the sender does not wait for the ACK after sending a packet and can continue to send other packets within the sliding window size. Let's take an example.

A flag shown as "." indicates that all flag bits are 0. The flag P represents a TCP packet with the PSH flag, used for fast data transfer.

The first three packets are the three-way handshake. The client indicates that its sliding window size is 65535 (my XP machine), and the server indicates that its sliding window is 5840 (the screen was too wide, so it was not captured). Starting with the fourth packet, the client sends a PSH packet to the server with a data length of 520 bytes, and the server sends an ACK acknowledgement packet. Note that the win window size has changed at this point. And so on.

In the second to third packets, the server sends packets to the client continuously within the sliding window, and the client sends an ACK 124 that confirms the previous two packets at the same time. This is the function of the sliding window.

If you are going to talk about TCP attacks, you need to be aware that in the various implementations of TCP, packets whose seq falls outside the sliding window are thrown away! This point comes up again below.

4. Closing a normal TCP connection with the four-way handshake

First, a simple state transition diagram for closing a connection normally.

You can also see the FIN flag bit, which indicates a graceful close of the connection. The left side of the diagram is the side that actively closes the connection, and the right side is the side that is closed passively. The netstat command can be used to see the connection states marked in the diagram.

FIN is the normal close. It is sent in buffer order: the packets ahead of the FIN in the buffer are sent first, and then the FIN packet. This is different from RST.

5. The RST flag bit

RST stands for reset. It is used to close a connection abnormally and is indispensable in TCP's design. As noted above, when a connection is closed by sending an RST packet, there is no need to wait for the buffered packets to be sent (unlike the FIN packet above): the buffered packets are dropped and the RST packet is sent directly. The receiver of an RST packet does not have to send an ACK to confirm it.

The TCP handler sends an RST packet whenever it considers the situation abnormal. For example, A initiates a connection to B, but nothing is listening on the corresponding port on B; the TCP handler in B's operating system then sends an RST packet.

Another example: A and B have established a connection normally and are communicating. A sends B a FIN packet to request closing the connection, B sends an ACK, and then the network breaks. A abandons the connection for some reason (such as a process restart). When the network comes back, B starts sending data packets. A, on receiving them, is quite stressed: it has no idea where this stray connection came from, so it sends an RST packet to force the connection closed. B then gets a "connection reset by peer" error.

6. RST attack

Suppose a TCP connection is established between A and server B. C then forges a TCP packet and sends it to B, causing B to abnormally drop its TCP connection with A. This is the RST attack. From the function of the RST flag bit described above, you can see how this attack takes effect.

So what kind of forged TCP packet achieves this? Let's work from the top down.

Suppose C sends a packet disguised as coming from A. If the packet is an RST packet, there is no doubt that B will discard all buffered data for its connection with A and force the connection closed.

If the packet is a SYN packet, B will conclude that A has gone mad (this depends on the OS implementation): the connection is working normally, yet A is trying to build a new one. B then actively sends A an RST packet and forcibly closes the connection on its own side.

Both methods achieve the effect of a reset attack. It sounds scary, but the key question is how a packet sent to B can be forged so that B accepts it. There are two key factors: the source port and the sequence number.

A TCP connection is a four-tuple: source IP, source port, destination IP, and destination port uniquely identify a connection. Therefore, for C to forge a packet from A to B, the source IP, source port, destination IP, and destination port in the IP header and TCP header mentioned above must all be filled in correctly. B is the server, so its IP and port are public. A is the target, so its IP is certainly known. But A's source port is not known, because it may be randomly generated. Of course, if the pattern by which common operating systems such as Windows and Linux generate source ports can be found, this can still be done.

The sequence number problem corresponds to the sliding window. The forged TCP packet must carry a sequence number, and if that value does not fall within B's sliding window for data previously sent from A, B will simply discard the packet. So a sequence number has to be found that falls inside the sliding window between A and B at that moment. This can be brute-forced: a sequence number is 32 bits long, with a value range of 0-4294967296, so if the window size is 65535, as in the Windows capture above, a simple division shows that at most 65537 packets (4294967296/65535=65537) need to be sent for one sequence number to fall inside the sliding window. An RST packet is very small, only 40 bytes for the IP header plus the TCP header, so working it out against the available bandwidth shows that it really takes only a few seconds.

So the sequence number is not a problem; the source port is the troublesome part. If the operating system does not generate source ports completely at random, or an attacker can obtain the source port by other means, the RST attack is very easy and the consequences are very serious.
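The window check described above, seen from receiver B's side, as an added example that is not part of the original article. It models the classic rule (any in-window RST resets the connection) next to the stricter rule from RFC 5961, where only an RST whose sequence number exactly equals the next expected byte resets and other in-window values get a challenge ACK. The state values and function names are constructed for illustration.

```python
"""Receiver-side RST handling: classic in-window rule vs. RFC 5961 exact match."""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def handle_rst(seq, rcv_nxt, rcv_wnd, strict):
    """Decide what the receiver does with an RST carrying sequence number seq.

    strict=False: any in-window RST resets (the behaviour the article describes).
    strict=True:  RFC 5961 rule; only seq == rcv_nxt resets, any other
                  in-window value is answered with a challenge ACK and the
                  connection stays up.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "discard"
    if not strict or seq == rcv_nxt:
        return "reset"
    return "challenge_ack"


def sweep(rcv_nxt, rcv_wnd, strict):
    """Count outcomes for RSTs spaced one window apart.

    Uses the article's estimate of 2**32 // window segments
    (65537 for a window of 65535).
    """
    outcomes = {"discard": 0, "reset": 0, "challenge_ack": 0}
    for k in range(SEQ_SPACE // rcv_wnd):
        outcomes[handle_rst(k * rcv_wnd, rcv_nxt, rcv_wnd, strict)] += 1
    return outcomes


# Constructed sample state: B expects byte 3_000_000_123 next, window 65535.
RCV_NXT, RCV_WND = 3_000_000_123, 65535

if __name__ == "__main__":
    print("classic :", sweep(RCV_NXT, RCV_WND, strict=False))
    print("RFC 5961:", sweep(RCV_NXT, RCV_WND, strict=True))
```

With the exact-match rule, the one in-window segment from the sweep no longer tears down the connection, so a blind sender would have to hit the single correct value out of 2**32 rather than any value in the window.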

Copyright notice: This is the blogger's original article and may not be reproduced without the blogger's permission.
