TCP protocol: SYN ACK FIN RST PSH URG Detailed

Source: Internet
Author: User
Tags: connection reset, stateful firewall

How the TCP three-way handshake is carried out: the sending side sends a packet with SYN=1, ACK=0 to the receiving end to request a connection; this is the first handshake. The receiver accepts the request and, if it allows the connection, sends a packet with SYN=1, ACK=1 back to the sender, telling it that communication is possible and asking it to send a confirmation packet; this is the second handshake. Finally, the sending side sends a packet with SYN=0, ACK=1 to the receiving end, telling it that the connection has been confirmed; this is the third handshake. After that, the TCP connection is established and communication begins.

*SYN: synchronize flag
The Synchronize Sequence Numbers field is valid. This flag is set only while a TCP connection is being established by the three-way handshake. It tells the server side of the TCP connection to check the sequence number, which is the initial sequence number of the initiating (typically client) end. You can think of the TCP sequence number as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte exchanged over a TCP connection is numbered. The Sequence Number field in the TCP header holds the sequence number of the first byte in the TCP segment.

*ACK: acknowledgement flag
The Acknowledgement Number field is valid. In most cases this flag is set. The acknowledgement number (w+1 in Figure 1) carried in the Acknowledgement Number field of the TCP header is the next sequence number expected, and it signals to the remote system that all data up to that point has been received successfully.

*RST: reset flag
The reset flag is valid. It is used to reset the corresponding TCP connection.

*URG: urgent flag
The Urgent Pointer field is valid, i.e. the urgent flag is set.

*PSH: push flag
When this flag is set, the receiving side does not queue the data but hands it to the application for processing as quickly as possible. This flag is always set when handling interactive sessions such as Telnet or rlogin.

*FIN: finish flag
Packets with this flag are used to end a TCP session, but the corresponding port is still open and ready to receive subsequent data.

=============================================================

Three-way handshake

A virtual connection is established by means of a three-way handshake.

1. (B) --[SYN]--> (A)

Suppose server A and client B want to communicate. When B wants to communicate with A, B first sends a SYN (SYNCHRONIZE)-flagged packet to A, which tells A that B requests to establish a connection.

Note: A SYN packet is a TCP packet with only the SYN flag set to 1 (see the TCP header reference). It is important to recognize that a connection can only be established if A receives the SYN packet sent by B; there is no other way. Therefore, if your firewall discards all SYN packets arriving on the external interface, no external host will be able to actively establish a connection.

2. (B) <--[SYN/ACK]-- (A)

Next, A sends back a SYN/ACK packet acknowledging the SYN. This acknowledges the first SYN packet and continues the handshake.

Note: The SYN/ACK packet is a packet with only the SYN and ACK flags set to 1.

3. (B) --[ACK]--> (A)

B receives the SYN/ACK packet and sends an acknowledgement (ACK) packet, notifying A that the connection has been established. At this point the three-way handshake is complete and the TCP connection is set up.

Note: The ACK packet is a TCP packet with only the ACK flag set to 1. It is important to note that once the three-way handshake is complete and the connection is established, the ACK bit is set on every packet of the TCP connection.

That is why connection tracking is important. Without connection tracking, the firewall cannot determine whether a received ACK packet belongs to an already established connection. An ordinary packet filter (ipchains) simply lets an ACK packet through when it receives one (this is definitely not a good idea). When a stateful firewall receives such a packet, it first looks in its connection table to see which connection the packet belongs to; if it belongs to none, the packet is discarded.
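The difference between the ipchains-style filter and a stateful firewall described above, modelled in a few lines of Python. This is an added example and not code from the original article; the hosts, ports and the packet trace are constructed sample values, and the state names (SYN_SENT, SYN_RECV, ESTABLISHED, CLOSING) are this example's own simplification of a real connection table.

```python
"""Stateless vs. stateful handling of ACK packets (added example).

The stateless filter accepts anything carrying ACK, as the article says an
ordinary packet filter does.  The stateful filter only accepts ACK packets
that belong to a connection it has watched being set up by the three-way
handshake.  Hosts, ports and the trace below are constructed sample values.
"""
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass(frozen=True)
class Packet:
    src: str          # "host:port", constructed sample values
    dst: str
    flags: frozenset  # subset of {SYN, ACK, FIN, RST}


def flags(*names):
    return frozenset(names)


class StatelessFilter:
    """Accepts SYN to the allowed service and any packet with ACK set."""

    def filter(self, pkt):
        if ACK in pkt.flags or pkt.flags == {SYN}:
            return "ACCEPT"
        return "DROP"


class StatefulFilter:
    """Keeps a connection table keyed by the two endpoints of a connection."""

    def __init__(self):
        self.table = {}   # frozenset({src, dst}) -> {"state": ..., "initiator": ...}

    def filter(self, pkt):
        key = frozenset((pkt.src, pkt.dst))
        entry = self.table.get(key)
        f = pkt.flags
        if f == {SYN}:
            # First handshake packet: start tracking; the sender is the initiator.
            self.table[key] = {"state": "SYN_SENT", "initiator": pkt.src}
            return "ACCEPT"
        if f == {SYN, ACK}:
            # Second handshake packet must answer a SYN we saw, in the reverse direction.
            if entry and entry["state"] == "SYN_SENT" and pkt.dst == entry["initiator"]:
                entry["state"] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if RST in f:
            # A reset tears the tracked connection down; an unrelated RST is dropped.
            if entry:
                del self.table[key]
                return "ACCEPT"
            return "DROP"
        if ACK in f:
            if entry is None:
                return "DROP"   # ACK that matches no tracked connection
            if entry["state"] == "SYN_RECV" and pkt.src == entry["initiator"]:
                entry["state"] = "ESTABLISHED"   # third handshake packet
            if entry["state"] == "ESTABLISHED":
                if FIN in f:
                    entry["state"] = "CLOSING"   # ACK/FIN starts the four-way close
                return "ACCEPT"
            if entry["state"] == "CLOSING":
                return "ACCEPT"
            return "DROP"
        return "DROP"   # bare FIN, NULL and similar never belong to a valid connection


# Constructed trace: client B opens a connection to server A, an unrelated
# host C sends a stray ACK to A, then B starts closing the connection.
TRACE = [
    Packet("B:40001", "A:80", flags(SYN)),
    Packet("A:80", "B:40001", flags(SYN, ACK)),
    Packet("B:40001", "A:80", flags(ACK)),
    Packet("C:5555", "A:80", flags(ACK)),        # belongs to no connection
    Packet("B:40001", "A:80", flags(ACK, FIN)),  # first step of the four-way close
    Packet("A:80", "B:40001", flags(ACK)),
]


def verdicts(filter_obj, trace=TRACE):
    """Run a trace through a filter and return one verdict per packet."""
    return [filter_obj.filter(p) for p in trace]


if __name__ == "__main__":
    for name, flt in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, verdicts(flt))
```

The stray ACK from C is the fourth packet: the stateless filter accepts it, the stateful filter drops it because no entry in its table matches the pair (C:5555, A:80).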

Four-way handshake

A four-way handshake closes an established TCP connection.

1. (B) --[ACK/FIN]--> (A)

2. (B) <--[ACK]-- (A)

3. (B) <--[ACK/FIN]-- (A)

4. (B) --[ACK]--> (A)

Note: Because a TCP connection is bidirectional, closing it has to be done in both directions. The ACK/FIN packet (ACK and FIN flags set to 1) is usually considered a FIN (termination) packet. However, since the connection has not yet been closed, a FIN packet always carries the ACK flag as well. A packet with only the FIN flag and no ACK flag is not a valid packet and is usually considered malicious.

Resetting a connection

The four-way handshake is not the only way to close a TCP connection. Sometimes, if a host needs to close the connection as quickly as possible (or the connection times out, or the port or host is unreachable), an RST (reset) packet is sent. Note that because the RST packet is not a necessary part of a TCP connection, it can be sent on its own (that is, without the ACK flag). In a normal TCP connection, however, the RST packet may also carry an ACK acknowledgement.

Please note that the RST packet is not acknowledged by the receiving party.

Invalid TCP flags

So far you have seen the SYN, ACK, FIN and RST flags. In addition there are the PSH (push) and URG (urgent) flags.

The most common illegal combination is the SYN/FIN packet. Note: since the SYN packet is used to initiate a connection, it cannot appear together with the FIN or RST flags. Such a packet is also a sign of a malicious attack.

Since most firewalls now recognise SYN/FIN packets, other combinations also appear, such as SYN/FIN/PSH, SYN/FIN/RST and SYN/FIN/RST/PSH. Clearly, when such packets appear on the network, your network is under attack.

Other known illegal packets are FIN packets without the ACK flag and "NULL" packets. As discussed earlier, a normal FIN packet always carries the ACK flag, because the ACK/FIN packet is used to close a TCP connection. A "NULL" packet is one with no TCP flags set at all (URG, ACK, PSH, RST, SYN and FIN are all 0).

To sum up: under normal network activity, a TCP stack is unlikely to produce TCP packets with any of the flag combinations mentioned above. When you see such abnormal packets, someone is being hostile to your network.
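The flag combinations listed in this section can be checked directly against the flag byte of a TCP header (offset 13 of the header). The following Python is an added example, not code from the original article: it decodes the six flags from raw header bytes and applies the article's rules (SYN never with FIN or RST, FIN always with ACK, no flags at all is a NULL packet, RST on its own is legal). The sample headers are constructed with struct.pack, and the ports and sequence numbers in them are placeholder values.

```python
"""Decode TCP flags from a raw header and classify the combinations the
article calls illegal.  Added example; the sample headers are constructed."""
import struct

# Bit values of the six classic flags in the low byte of header bytes 12-13.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(flag_names, sport=40001, dport=80, seq=0, ack=0):
    """Build a minimal 20-byte TCP header carrying the given flags.
    Ports and sequence numbers are constructed sample values; checksum is 0."""
    flag_byte = 0
    for name in flag_names:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4   # 5 x 32-bit words = 20 bytes, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flag_byte, 65535, 0, 0)


def decode_flags(tcp_header):
    """Return the set of flag names set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flag_byte = tcp_header[13]
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def classify_flags(flag_set):
    """Apply the article's rules to a set of flag names."""
    flag_set = set(flag_set)
    if not flag_set:
        return "invalid: NULL packet (no flags)"
    bad_with_syn = flag_set & {"FIN", "RST"}
    if "SYN" in flag_set and bad_with_syn:
        return "invalid: SYN combined with " + "/".join(sorted(bad_with_syn))
    if "FIN" in flag_set and "ACK" not in flag_set:
        return "invalid: FIN without ACK"
    return "normal"   # includes a bare RST, which the article allows


def inspect(tcp_header):
    """Decode and classify one header; returns (sorted flag names, verdict)."""
    flag_set = decode_flags(tcp_header)
    return sorted(flag_set), classify_flags(flag_set)


# Constructed sample headers covering the cases discussed in the text.
SAMPLES = {
    "handshake SYN": build_tcp_header(["SYN"]),
    "normal close": build_tcp_header(["ACK", "FIN"]),
    "bare RST": build_tcp_header(["RST"]),
    "SYN/FIN": build_tcp_header(["SYN", "FIN"]),
    "SYN/FIN/RST/PSH": build_tcp_header(["SYN", "FIN", "RST", "PSH"]),
    "FIN without ACK": build_tcp_header(["FIN"]),
    "NULL": build_tcp_header([]),
}


def inspect_samples():
    return {name: inspect(hdr)[1] for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in inspect_samples().items():
        print(f"{name:18} {verdict}")
```

Only the first three samples come back as "normal"; the rest are the combinations the text says a healthy TCP stack does not generate.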

UDP (User Datagram Protocol)
TCP is connection-oriented, whereas UDP is a connectionless protocol. UDP has no flags and no acknowledgement mechanism for confirming receipt. Handling of lost (or out-of-order) packets is done at the application level.

The important thing to note here is that, under normal circumstances, when a UDP packet arrives at a closed port, a UDP reset packet is returned. Because UDP is connectionless, there is no acknowledgement confirming that the packet arrived correctly at its destination. So if your firewall drops UDP packets, all UDP ports will appear to be open (?).

Because some packets are dropped on the Internet in the normal course of events, even UDP packets destined for closed (unfirewalled) ports may fail to reach their destination and so never trigger a UDP reset packet.

For this reason, UDP port scanning is always inaccurate and unreliable.

Fragmentation of large UDP packets appears to be a common form of DoS (denial of service) attack (an example of a DoS attack is described at http://grc.com/dos/grcdos.htm).

ICMP (Internet Control Message Protocol)
As the name suggests, ICMP is used to pass control information between hosts and routers. ICMP packets can carry diagnostic information (ping, traceroute; note that current UNIX systems implement traceroute with UDP packets rather than ICMP), error messages (network/host/port unreachable), information (timestamp, address mask request, etc.) or control information (source quench, redirect, etc.).

You can find the ICMP packet types at http://www.iana.org/assignments/icmp-parameters.

Although ICMP is usually harmless, there are some ICMP message types that need to be discarded.

Redirect (5), Alternate Host Address (6) and Router Advertisement (9) can be used to redirect traffic.

Echo (8), Timestamp (13) and Address Mask Request (17) can be used to determine whether a host is up, its local time and its address mask, respectively. Note that what matters is the type of information they return. They cannot be exploited in themselves, but the information they reveal is useful to attackers.

ICMP messages are also sometimes used as part of a DoS attack (for example, ping flood and ping of death).

A note about packet fragmentation

If a packet is larger than the TCP MSS (maximum segment size) or the MTU (maximum transmission unit), the only way to deliver it to the destination is to fragment it. Since fragmentation is normal, it can also be exploited for malicious attacks.

Because only the first fragment of a fragmented packet contains the header, a packet filter cannot inspect the remaining fragments without reassembling the packet. A typical attack involves overlapping the fragment data so that the packet header looks normal until it is overwritten with a different destination IP (or port), thereby bypassing firewall rules. Fragments can also be used as part of a DoS attack, which can crash older IP stacks or exhaust CPU capacity.

The connection tracking code in Netfilter/iptables can reassemble fragments automatically. It still has a weakness: it can be attacked by saturating it with connections, which consumes CPU resources.

Handshake stage:

No.  Direction  SEQ    ACK
1    A->B       10000  0
2    B->A       20000  10000+1=10001
3    A->B       10001  20000+1=20001

Explanation:
1: A initiates a connection request to B and initialises its SEQ with a random number, here assumed to be 10000; at this point ACK=0.

2: After receiving the connection request, B also initialises its own SEQ with a random number, here assumed to be 20000, meaning: I have received your request, and my side of the data stream starts from this number. B's ACK is A's SEQ plus 1, i.e. 10000+1=10001.

3: A receives B's reply. Its SEQ is its previous request SEQ plus 1, i.e. 10000+1=10001, meaning: I have received your reply, and my side of the data stream starts from this number. A's ACK at this point is B's SEQ plus 1, i.e. 20000+1=20001.


Data transfer phase:

Direction  SEQ    ACK                  Size
A->B       40000  70000                1514
B->A       70000  40000+1514-54=41460  54
A->B       41460  70000+54-54=70000    1514
B->A       70000  41460+1514-54=42920  54

Explanation:
23: B receives a packet from A with seq=40000, ack=70000, size=1514.

24: So B also sends a packet to A, telling A that its last packet was received. B's SEQ is filled with the ACK of the packet it received, and its ACK is the SEQ of the received packet plus the size of that packet's data (not including the Ethernet header, IP header and TCP header), to confirm that all the data A sent has been received.

25: A receives B's packet with ACK 41460. It first checks 41460: this is exactly its last packet's SEQ plus that packet's data size, so the last packet clearly arrived safely. Then it sends a packet to B. The SEQ of the outgoing packet is again filled with the ACK of the packet it received, and the ACK is filled with that packet's SEQ (70000) plus its size (54) minus the header length, i.e. ack=70000+54-54 (all headers, no data).

In fact, in the handshake and in the close, the acknowledgement number should be the other side's sequence number plus 1; during data transfer it is the other side's sequence number plus the length of the other side's application-layer data. Working back from the Ethernet frame length to calculate the added length is a detour.
In addition, if the other side sends no data, its acknowledgement number stays unchanged, and its sequence number is the previous sequence number plus the length of the application-layer data it sent.
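The rule just stated (SYN and FIN consume one sequence number, data consumes its payload length, pure ACKs consume nothing, and the acknowledgement number is the peer's sequence number plus what it sent) is enough to regenerate both tables above. The Python below is an added example and not part of the original article; it uses the article's ISNs (10000, 20000, 40000, 70000) and frame sizes (1514 and 54 bytes, of which 54 are Ethernet, IP and TCP headers), and the Endpoint class and its field names are this example's own.

```python
"""Sequence/acknowledgement arithmetic for the handshake, data and close
phases (added example).  Values come from the article's tables."""

ETH_IP_TCP_HEADERS = 14 + 20 + 20   # the 54 header bytes subtracted in the table


def payload_length(frame_size):
    """Application-layer bytes in an Ethernet frame with plain IPv4/TCP headers."""
    return frame_size - ETH_IP_TCP_HEADERS


class Endpoint:
    """One side of a TCP connection: the next sequence number it will send
    and the next sequence number it expects from the peer."""

    def __init__(self, name, isn, rcv_next=0):
        self.name = name
        self.snd_next = isn
        self.rcv_next = rcv_next   # 0 until the peer's SYN has been seen

    def send(self, peer, payload=0, syn=False, fin=False):
        """Emit one segment to `peer`; returns (direction, seq, ack)."""
        seq, ack = self.snd_next, self.rcv_next
        consumed = payload + (1 if (syn or fin) else 0)   # SYN/FIN occupy one number
        self.snd_next += consumed
        peer.rcv_next = seq + consumed   # what the peer must acknowledge next
        return (f"{self.name}->{peer.name}", seq, ack)


def handshake_table(isn_a=10000, isn_b=20000):
    """Three-way handshake with the article's sample ISNs."""
    a, b = Endpoint("A", isn_a), Endpoint("B", isn_b)
    return [a.send(b, syn=True), b.send(a, syn=True), a.send(b)]


def data_transfer_table():
    """Reproduce the article's data-phase table: two 1514-byte frames from A,
    each answered by a 54-byte pure ACK (headers only) from B."""
    a = Endpoint("A", 40000, rcv_next=70000)
    b = Endpoint("B", 70000, rcv_next=40000)
    rows = []
    for sender, receiver, frame in [(a, b, 1514), (b, a, 54), (a, b, 1514), (b, a, 54)]:
        direction, seq, ack = sender.send(receiver, payload=payload_length(frame))
        rows.append((direction, seq, ack, frame))
    return rows


def close_table():
    """Four-way close continuing from the end of the data phase: each FIN
    consumes one sequence number, the pure ACKs consume none."""
    a = Endpoint("A", 42920, rcv_next=70000)
    b = Endpoint("B", 70000, rcv_next=42920)
    return [a.send(b, fin=True), b.send(a), b.send(a, fin=True), a.send(b)]


if __name__ == "__main__":
    for title, rows in (("handshake", handshake_table()),
                        ("data", data_transfer_table()),
                        ("close", close_table())):
        print(title)
        for row in rows:
            print("  ", *row)
```

The data-phase rows come out as 40000/70000, 70000/41460, 41460/70000 and 70000/42920, matching the table, and the close phase shows the acknowledgement numbers stepping by exactly one for each FIN.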
