TCP three-way handshake

How is it done: the sender sends a packet with SYN = 1, ACK = 0 to the receiver, requesting a connection. This is the first handshake. If the receiver gets the request and allows the connection, it sends back a packet with SYN = 1, ACK = 1, telling the sender that it may communicate and asking it to send a confirmation packet. This is the second handshake. Finally, the sender sends a packet with SYN = 0 and ACK = 1 to the receiver, telling the receiver that the connection is confirmed. This is the third handshake. The TCP connection is now established and communication can start.
* SYN: synchronization flag
The sequence number field is valid. This flag is only set while the three-way handshake establishes a TCP connection. It tells the other side to check the sequence number, which is the initial sequence number of the TCP connection (generally chosen by the client end). Here we can regard the TCP sequence number as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte of data exchanged over a TCP connection has a sequence number. The sequence number field in the TCP header holds the sequence number of the first byte in the TCP segment.
* ACK: acknowledgement flag
The acknowledgement number field is valid. In most cases this flag is set. The acknowledgement number (W + 1 in Figure 1) carried in the acknowledgement number field of the TCP header is the next sequence number the sender expects, and indicates that the remote system has successfully received all data before it.
* RST: reset flag
The reset flag is valid. It is used to reset the corresponding TCP connection.
* URG: urgent flag
The urgent pointer field is valid; the flag marks urgent data.
* PSH: push flag
When this flag is set, the receiving end does not queue the data but hands it to the application as soon as possible. This flag is always set when you connect with telnet, rlogin, or other interactive sessions.
* FIN: finish flag
A packet with this flag is used to end a TCP session, but the corresponding port remains open, ready to receive subsequent data.
============================================================
Three-way handshake
A virtual connection is established through three-way handshakes.
1. (B) --> [SYN] --> (A)
Assume that server A communicates with client B. When B wants to communicate with A, B first sends a SYN (synchronize) packet to A, telling A that it wants to establish a connection.
Note: A SYN packet is a TCP packet with only the SYN flag set to 1 (see the TCP packet header reference).
It is very important to realize this: only when A receives a SYN packet from B can a connection be established. Therefore, if your firewall discards all SYN packets arriving on the Internet interface, you will not allow any external host to actively establish a connection.
2. (B) <-- [SYN/ACK] <-- (A)
Then, after receiving the SYN packet, A sends a confirmation packet (SYN/ACK) back to acknowledge the first SYN packet and continue the handshake.
Note: A SYN/ACK packet is a packet with only the SYN and ACK flags set to 1.
3. (B) --> [ACK] --> (A)
B receives the SYN/ACK packet and sends a confirmation packet (ACK), notifying A that the connection has been established. At this point the three handshakes are complete and one TCP connection is established.
Note: The ACK packet is a TCP packet with only the ACK flag set to 1. Note that once the three handshakes are complete and the connection is established, every packet of the TCP connection has the ACK bit set.
This is why connection tracking is important.
Without connection tracking, the firewall cannot determine whether a received ACK packet belongs to an established connection (ipchains, which has no connection tracking, has to let such ACK packets through as they are, which is not a good idea). When a stateful firewall receives such a packet, it first looks in its connection table to see whether the packet belongs to an established connection, and otherwise discards it.
============================================================
Four handshakes are used to close an established TCP connection.
1. (B) --> [ACK/FIN] --> (A)
2. (B) <-- [ACK] <-- (A)
3. (B) <-- [ACK/FIN] <-- (A)
4. (B) --> [ACK] --> (A)
Note: Because a TCP connection is bidirectional, closing it requires closing both directions. An ACK/FIN packet (ACK and FIN both set to 1) is usually referred to as a FIN (final) packet. However, since the connection has not been closed yet, the FIN packet is always marked with ACK as well.
A packet without the ACK flag and with only the FIN flag is not a valid packet and is generally considered malicious.
Connection reset
The four-way handshake is not the only way to close a TCP connection. Sometimes, if a host needs to close the connection as quickly as possible (or the connection times out, or the port or host is unreachable), an RST (reset) packet is sent.
Note: Because the RST packet is not a required part of a TCP connection, a bare RST packet (without the ACK flag) can be sent. However, in a normal TCP connection, the RST packet can carry the ACK flag.
Note that an RST packet is not acknowledged by the other side.
Invalid TCP flags
So far you have seen the SYN, ACK, FIN and RST flags; in addition there are the PSH (push) and URG (urgent) flags.
The most common illegal combination is the SYN/FIN packet. Note: because the SYN packet is used to initiate a connection, it cannot appear together with the FIN and RST flags. Such a packet is a sign of a malicious attack.
Most firewalls now recognise SYN/FIN packets and some other combinations, such as SYN/FIN/PSH, SYN/FIN/RST and SYN/FIN/RST/PSH. Obviously, when such packets appear on the network, your network is under attack.
Other known illegal packets include FIN packets (with no ACK flag) and "null" packets. As discussed earlier, because ACK/FIN packets are generated to close a TCP connection, a normal FIN packet always carries the ACK flag. A "null" packet is a packet without any TCP flags (URG, ACK, PSH, RST, SYN and FIN are all 0).
In normal network activity, a TCP stack will not generate a TCP packet with any of the above flag combinations. When you see these abnormal packets, someone is being unfriendly to your network.
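The two firewall points made above (a stateful filter only passing ACK packets that belong to a tracked handshake, and rejecting the illegal flag combinations just listed) can be put together in a few lines. This is an added example, not code from the original post; the flag bit values are the standard TCP ones, while the packet representation, the `ConnTracker` class and the host names A and B are constructed for the example.

```python
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

def flags_illegal(flags):
    """Return why a flag combination is invalid (the cases listed above), or None."""
    if flags == 0:
        return "null packet (no flags)"
    if flags & SYN and flags & (FIN | RST):
        return "SYN combined with FIN or RST"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None

class ConnTracker:
    """Connection table keyed by (initiator, responder) -> handshake stage."""

    def __init__(self):
        self.table = {}

    def filter(self, src, dst, flags):
        """Return 'pass' or 'drop: <reason>' for one packet from src to dst."""
        reason = flags_illegal(flags)
        if reason:
            return "drop: " + reason
        if flags & SYN and not flags & ACK:       # 1st handshake: new connection
            self.table[(src, dst)] = "syn_sent"
            return "pass"
        if flags & SYN:                           # 2nd handshake: SYN/ACK reply
            if self.table.get((dst, src)) == "syn_sent":
                self.table[(dst, src)] = "syn_recv"
                return "pass"
            return "drop: SYN/ACK for unknown connection"
        # Everything else (ACK, ACK/FIN, RST, data) needs a tracked connection;
        # without this table the ACK bit alone proves nothing about the packet.
        key = (src, dst) if (src, dst) in self.table else (dst, src)
        state = self.table.get(key)
        if state is None:
            return "drop: ACK/data for unknown connection"
        if state == "syn_recv" and src == key[0]:  # 3rd handshake completes it
            self.table[key] = "established"
        if flags & RST:                           # a reset tears the entry down
            del self.table[key]
        return "pass"
```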
UDP (User Datagram Protocol)
TCP is a connection-oriented protocol, while UDP is connectionless. UDP has no flags and does not acknowledge receipt. Handling of packet loss (or out-of-order arrival) is done at the application layer.
Note: Normally, when a UDP packet reaches a closed port, a UDP reset packet is returned. Because UDP is connectionless, there is no acknowledgement to confirm whether the packet arrived at its destination correctly. Therefore, if your firewall silently discards UDP packets, all UDP ports will appear to be open.
Some packets on the Internet are dropped in the normal course of things, and even some UDP packets sent to a closed port (with no firewall involved) never reach the destination and so never trigger a UDP reset packet.
For this reason, UDP port scanning is always inaccurate and unreliable.
Fragments of large UDP packets also seem to be a common form of DoS (denial of service) attack (here is an example of a DoS attack: http://grc.com/dos/grcdos.htm).
ICMP (Internet Control Message Protocol)
As the name suggests, ICMP is used to carry control information between hosts and routers. An ICMP packet can contain diagnostic information (ping, traceroute; note that traceroute on UNIX systems currently uses UDP packets instead of ICMP packets), error messages (network/host/port unreachable), information (timestamp, address mask request, etc.), or control information (source quench, redirect, etc.).
You can find the list of ICMP types at http://www.iana.org/assignments/icmp-parameters.
Although ICMP is generally harmless, some types of ICMP messages should be discarded.
Redirect (5), alternate host address (6) and router advertisement (9) can be used to redirect traffic.
Echo (8), timestamp (13) and address mask request (17) can be used to determine whether a host is up, its local time and its address mask respectively. Note that it is the corresponding reply types that matter: the requests themselves cannot be used directly, but the information they cause to leak is useful to attackers.
ICMP messages are sometimes used as part of DoS attacks (for example, ping flood and ping of death).
A note about packet fragmentation
If the size of a packet exceeds the maximum segment size (MSS) or the MTU (maximum transmission unit), the only way to deliver it to the destination is to split it into fragments. Because fragmentation is a normal occurrence, it can also be used for malicious attacks.
Because only the first fragment of a fragmented packet contains the transport header, a packet filter without fragment reassembly cannot inspect the subsequent fragments. Typical attacks involve overlapping fragment data so that the packet header looks normal until it is overwritten with a different destination IP (or port), thereby bypassing firewall rules. Fragmentation can also be used as part of a DoS attack, which can crash older IP stacks or drive up CPU load.
Connection tracking in Netfilter/iptables automatically reassembles fragments. It still has weaknesses and may be vulnerable to connection-saturation attacks, which consume CPU resources.
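The overwrite trick described above only works against a filter that inspects fragments one at a time; a reassembler that checks overlapping bytes for consistency refuses such a set outright. This is an added example, not code from the original post: fragments are modelled as (byte offset, payload) pairs (real IP offsets are in 8-byte units), and the "header" text in the sample sets is constructed to stand in for a real transport header.

```python
def reassemble(fragments):
    """Rebuild a datagram from (offset, payload) fragments.
    Returns (data, None) on success, or (None, reason) when two fragments
    overlap with different bytes or the fragments leave a gap."""
    buf = {}
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in buf and buf[pos] != byte:
                # A later fragment tries to rewrite data already seen:
                # the evasion pattern, so refuse the whole datagram.
                return None, "overlapping fragment rewrites byte %d" % pos
            buf[pos] = byte
    if sorted(buf) != list(range(len(buf))):
        return None, "gap in fragment data"
    return bytes(buf[i] for i in range(len(buf))), None

# Constructed sample sets. Positions 13-20 hold "PORT=80 "; the evasion set
# adds a fragment at offset 17 whose bytes "=23 " overlap and rewrite the port.
BENIGN = [(0, b"DST=10.0.0.5 PORT=80 "), (21, b"GET / HTTP/1.0")]
EVASION = [(0, b"DST=10.0.0.5 PORT=80 "), (17, b"=23 "), (21, b"GET / HTTP/1.0")]

if __name__ == "__main__":
    print(reassemble(BENIGN))   # full datagram, no error
    print(reassemble(EVASION))  # rejected: byte 18 rewritten
```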
Handshake phase:
No.  Direction  seq     ack
1    A -> B     10000   0
2    B -> A     20000   10000 + 1 = 10001
3    A -> B     10001   20000 + 1 = 20001
Explanation:
1: A sends a connection request to B and initialises A's seq with a random number, assumed here to be 10000. At this point ack = 0.
2: After B receives the connection request from A, it likewise initialises B's seq with a random number, assumed to be 20000, meaning: I have received your request, and my data stream starts from this number. B's ack is A's seq plus 1, that is, 10000 + 1 = 10001.
3: After A receives B's reply, its seq is the seq of its previous request plus 1, that is, 10000 + 1 = 10001, meaning: I have received your reply, and my data stream starts from this number. A's ack is B's seq plus 1, that is, 20000 + 1 = 20001.
Data transmission phase:
No.  Direction  seq     ack                          size
23   A -> B     40000   70000                        1514
24   B -> A     70000   40000 + 1514 - 54 = 41460    54
25   A -> B     41460   70000 + 54 - 54 = 70000      1514
26   B -> A     70000   41460 + 1514 - 54 = 42920    54
Explanation:
23: B receives a packet from A with seq = 40000, ack = 70000 and size = 1514.
24: B then sends a packet to A telling A that it has received A's last packet. B's seq is filled with the ack of the packet it received, and its ack is the seq of the received packet plus that packet's size (excluding the Ethernet header, IP header and TCP header), confirming that all data sent by A has been received.
25: When A receives the packet with ack = 41460 from B, it sees that 41460 is exactly the seq of its last packet plus that packet's size, so the last packet it sent arrived safely. A therefore sends another packet to B. The seq of the packet being sent is again filled with the ack of the packet A received, and the ack is filled with the seq of the received packet (70000) plus its size (54), that is, ack = 70000 + 54 - 54 (the packet was all headers and carried no data).
In fact, at the handshake and at the close, the acknowledgement number is the other party's sequence number plus 1, while during data transmission it is the other party's sequence number plus the length of the application-layer data the other party carried. Calculating that length from the returned Ethernet frame size is a detour.
In addition, if the other party sends no data, the acknowledgement number does not change, and the sequence number is the previous sequence number plus the length of the application-layer data sent.
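The two traces above can be replayed to check the arithmetic: a SYN consumes one sequence number, a reply's seq takes the peer's ack, and its ack advances by the peer's payload (frame size minus the 54 header bytes, so a 54-byte pure ACK advances nothing). This is an added example, not code from the original post; the 54-byte header total (Ethernet 14 + IPv4 20 + TCP 20, no options) and the function names are assumptions, and the numbers are the constructed values from the tables.

```python
HEADERS = 54  # Ethernet (14) + IPv4 (20) + TCP (20) bytes, no options (assumed)

def handshake(isn_a, isn_b):
    """(seq, ack) of handshake packets 1-3; each SYN consumes one seq number."""
    return [
        (isn_a, 0),              # 1: A -> B  SYN, nothing to acknowledge yet
        (isn_b, isn_a + 1),      # 2: B -> A  SYN/ACK
        (isn_a + 1, isn_b + 1),  # 3: A -> B  ACK
    ]

def reply(recv_seq, recv_ack, recv_frame_size):
    """(seq, ack) of the packet answering a received frame: seq takes the
    peer's ack, ack advances by the peer's payload (frame minus headers)."""
    payload = recv_frame_size - HEADERS
    return recv_ack, recv_seq + payload

def data_phase(first_seq, first_ack, frame_sizes):
    """Replay packets 23.. alternating A -> B, B -> A as (seq, ack, size)."""
    trace = [(first_seq, first_ack, frame_sizes[0])]
    for size in frame_sizes[1:]:
        seq, ack = reply(*trace[-1])
        trace.append((seq, ack, size))
    return trace

def acked_in_full(sent_seq, sent_frame_size, recv_ack):
    """True when the peer's ack covers every byte of the frame we sent
    (the check A makes on packet 25)."""
    return recv_ack == sent_seq + (sent_frame_size - HEADERS)

if __name__ == "__main__":
    for n, (seq, ack) in enumerate(handshake(10000, 20000), 1):
        print(n, seq, ack)
    for n, row in enumerate(data_phase(40000, 70000, [1514, 54, 1514, 54]), 23):
        print(n, *row)
```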