TCP three-time Handshake protocol

Source: Internet
Author: User

Three-way handshake (also rendered "three-time handshake"). The name describes how the two ends synchronize the data segments they send and receive: each side reports how much data it has sent, confirms how much it has received, and once the exchange is complete a virtual connection is established. To provide reliable delivery, TCP numbers the packets it sends in a specific order before sending new data and requires an acknowledgement message after the packets reach their destination. TCP is generally used to send large amounts of data, and also when the application needs confirmation that the data it sent was received.

First handshake: to establish a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server to confirm. SYN stands for Synchronize Sequence Numbers.

Second handshake: on receiving the SYN packet, the server must acknowledge the client's SYN (ACK=J+1) and also sends its own SYN packet (SYN=K), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state.

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet (ACK=K+1) to the server. Once this packet is sent, client and server both enter the ESTABLISHED state (TCP connection succeeded) and the three-way handshake is complete.

After the three-way handshake, client and server begin transferring data. The process above involves some important concepts.

Half-open connection queue: in the three-way handshake protocol, the server maintains a queue of incomplete connections. For each client SYN packet (SYN=J) it opens an entry, which indicates that the server has received a SYN packet, has sent its confirmation to the client, and is waiting for the client's acknowledgement packet.
The connections identified by these entries are in the SYN_RECV state on the server. When the server receives the client's acknowledgement packet, the entry is deleted and the server enters the ESTABLISHED state. The backlog parameter indicates the maximum number of connections the kernel queues for the corresponding socket.

SYN-ACK retransmission count:
(Figure: three-way handshake protocol)
After the server sends out the SYN-ACK packet, if it does not receive the client's acknowledgement packet it performs a first retransmission; if after waiting some time it still has not received the acknowledgement, it performs a second retransmission; once the number of retransmissions exceeds the system's configured maximum, the connection information is removed from the half-connection queue. Note that the wait time before each retransmission is not necessarily the same.

As noted in UNIX Network Programming, there has never been a formal definition of the backlog parameter. The 4.2BSD manual page declares it as "the maximum length the queue of pending connections may grow to", that is, the maximum length of the queue of connections not yet processed, and the POSIX specification copies that definition verbatim. However, the definition does not say whether "connection" refers to a connection in the SYN_RCVD state, to one in the ESTABLISHED state that the process has not yet accepted, or to both. Whichever the backlog parameter refers to, the server must handle connections that are already in the ESTABLISHED state as soon as possible, and the backlog itself needs a larger value to cope with a large number of service requests.
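As an added illustration (not code from the original article), the following Python simulates the half-connection queue just described: a backlog limit, SYN-ACK retransmission with a growing wait between attempts, and removal of the entry once the maximum retransmission count is exceeded, which also yields the half-connection survival time as the sum of all waits. The back-off schedule (2**n seconds, five retransmissions) and the client names are assumptions, not kernel values.

```python
# Added example, not from the original article: a simulated half-open (SYN_RECV)
# queue with backlog limit, doubling SYN-ACK retransmission back-off and eviction.
from dataclasses import dataclass

SYNACK_RETRIES = 5      # assumed maximum SYN-ACK retransmissions (not a kernel value)
MASK32 = 0xFFFFFFFF

def half_connection_survival_time():
    """Longest an entry lives without the client's ACK: the sum of all timer
    waits (assumed 2**n seconds for the n-th), including the last one."""
    return sum(1 << n for n in range(SYNACK_RETRIES + 1))

@dataclass
class HalfOpen:
    client: str
    client_isn: int     # J from the client's SYN
    server_isn: int     # K chosen for the server's SYN-ACK
    created: float
    timeouts: int = 0   # timers that have expired so far

    def deadline(self):
        """Time at which the next timer fires: created + 1 + 2 + ... + 2**timeouts."""
        return self.created + sum(1 << n for n in range(self.timeouts + 1))

class SynQueue:
    def __init__(self, backlog):
        self.backlog = backlog
        self.entries = {}   # client -> HalfOpen: the connections in SYN_RECV
        self.retransmitted = self.dropped_full = self.evicted = 0

    def on_syn(self, client, j, k, now):
        """First handshake: open an entry for SYN seq=J unless the backlog is full."""
        if len(self.entries) >= self.backlog:
            self.dropped_full += 1        # full queue: the request is rejected
            return False
        self.entries[client] = HalfOpen(client, j, k, now)
        return True

    def on_ack(self, client, ack):
        """Third handshake: only ACK=K+1 moves the entry out of the queue."""
        e = self.entries.get(client)
        if e is None or ack != (e.server_isn + 1) & MASK32:
            return False
        del self.entries[client]
        return True

    def tick(self, now):
        """Run expired timers: retransmit the SYN-ACK or evict the entry."""
        for client, e in list(self.entries.items()):
            while client in self.entries and now >= e.deadline():
                e.timeouts += 1
                if e.timeouts > SYNACK_RETRIES:
                    del self.entries[client]
                    self.evicted += 1
                else:
                    self.retransmitted += 1
```

Watching `len(q.entries)` against the backlog over time is the simplest way to see a SYN-flood style build-up: entries that never receive their ACK stay until they are evicted.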
The half-connection survival time is the maximum time an entry in the half-connection queue survives, that is, the maximum time from the server receiving a SYN packet until its acknowledgement is considered invalid, which is the sum of the maximum wait times of all retransmitted request packets. The half-connection survival time is sometimes also called the timeout time or the SYN_RECV survival time.

TCP header structure

The connection-oriented TCP three-way handshake is the basis on which SYN flood exists. The TCP protocol header is at least 20 bytes and contains the following fields (because translations differ, the corresponding English terms are given):

TCP source port (Source Port): 16 bits, the port that initiated the communication. Together with the source IP address it gives the return address of the message.
TCP destination port (Destination Port): 16 bits, defines the destination of the transfer; this port indicates the application interface on the receiving computer.
TCP sequence number (Sequence Number): 32 bits, used by the receiving computer to reassemble segmented messages into their original form. When SYN is set, the sequence number is actually the initial sequence number (ISN) and the first data byte is ISN+1. The sequence number is used to compensate for inconsistencies in transmission.
TCP acknowledgement number (Acknowledgment Number): 32 bits, used by the receiving computer to reassemble segmented messages into their original form. If the ACK control bit is set, this value is the sequence number of the next packet expected to be received.
Data offset (Hlen): 4 bits, the size of the TCP header, indicating where the data begins.
(Figure: TCP four-way wave, closing a connection)
Reserved (Reserved): 6 bits, which must be 0; reserved for defining new uses in the future.
Flags (Code Bits): 6-bit flag field.
The flags are, in order: urgent flag, acknowledgement-valid flag, push, reset connection flag, synchronize sequence number flag, finished sending data flag, i.e. URG, ACK, PSH, RST, SYN, FIN.
Window (Window): 16 bits, indicates the size of the TCP data segment the sender is willing to receive.
Checksum (Checksum): 16 bits, covering the TCP header. The source machine computes a value from the content of the data; the receiver must obtain exactly the same result as the source, which proves the validity of the data.
Urgent pointer (Urgent Pointer): 16 bits, points to the byte following the urgent data; valid only when the URG flag is set. If URG is not set, the urgent field is padding. Data segments marked as urgent are processed preferentially.
Options (Option): variable length, but the length must be one byte; if there are no options, the field representing this byte equals 0.

Closing a TCP connection: improved three-way handshake. For an already established connection, TCP uses an improved three-way handshake to release it (using segments with the FIN flag attached). The steps TCP takes to close a connection are:
Step 1: when the application on host A notifies TCP that it has finished sending data, TCP sends a segment carrying the FIN flag (FIN for "finish") to host B.
Step 2: after receiving this FIN segment, host B does not immediately reply to host A with its own FIN segment; it first sends an acknowledgement (ACK) to host A and notifies its own application that the other side has requested that the connection be closed. (The purpose of this first ACK is to stop the other side retransmitting the FIN segment in the meantime.)
Step 3: host B's application tells TCP that it wants to close the connection completely, and TCP sends a FIN segment to host A.
Step 4: when host A receives this FIN segment, it sends an ACK to host B, indicating that the connection is completely released. [1]

Flag control
URG: urgent flag. The urgent pointer is valid and the urgent flag is set.
ACK: acknowledgement flag. The acknowledgement number column is valid. Most of the time this flag bit is set. The acknowledgement number (w+1, figure 1) carried in the acknowledgement number field of the TCP header is the next expected sequence number, and tells the remote system that all data up to it was received successfully.
(Figure: the TCP three-way handshake is the basis on which SYN flood exists)
PSH: push flag. When set, the receiving side does not queue the data but passes it to the application as soon as possible. This flag is always set on interactive connections such as telnet or rlogin.
RST: reset flag. The reset flag is valid; it is used to reset the corresponding TCP connection.
SYN: synchronize flag. The Synchronize Sequence Numbers column is valid. This flag is valid only while a TCP connection is being established by the three-way handshake. It prompts the server side of the TCP connection to check the sequence number, which is the initial sequence number of the initiating (typically client) end. Here the TCP sequence number can be thought of as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte exchanged over a TCP connection is sequence-numbered, and the Sequence Number column in the TCP header holds the sequence number of the first byte in the segment.
FIN: finish flag. A packet with this flag set is used to end a TCP session, but the corresponding port remains open and ready to receive subsequent data.

When the server is in the listening state, the packets (IP packets) the client uses to request a connection are assembled into a TCP segment for processing according to the TCP/IP protocol stack.
Parse header information: the TCP layer receives the corresponding TCP and IP headers and stores this information in memory.
Check the TCP checksum: the standard checksum is in the segment (figure 2). If verification fails, no acknowledgement is returned; the segment is discarded and the server waits for the client to retransmit.
Find the protocol control block (pcb{}): TCP looks up the protocol control block associated with the connection. If it is not found, TCP discards the segment and returns an RST (this is how TCP handles a port with no listener). If the protocol control block exists but its state is closed, the server has not called connect() or listen(); the segment is discarded but no RST is returned, and the client tries the connection request again.
Create a new socket: when a socket in the listening state receives the segment, a child socket is created, together with socket{}, tcpcb{} and pub{}. If an error occurs, the corresponding socket is removed and its memory freed via the flag bit, and the TCP connection fails. If the cache queue is full, TCP treats this as an error and all subsequent connection requests are rejected. This is where the SYN flood attack takes effect.
Discard: if the segment's flags include RST or ACK, or the SYN flag is absent, the segment is discarded and the corresponding memory released.

Data transmission. Send sequence variables (SND):
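An added Python example (not from the original article) that parses the 20-byte header described above, verifies the checksum with the IPv4 pseudo-header, and applies the LISTEN-state discard rule from this section. The addresses, ports and segments are constructed here, and only the fixed header without options is built.

```python
# Added example, not from the original article: parse the 20-byte TCP header
# described above, verify the checksum over the IPv4 pseudo-header, and apply the
# LISTEN-state rule from the text (drop a segment carrying RST or ACK or lacking SYN).
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HDR = "!HHIIHHHH"      # ports, seq, ack, offset+flags, window, checksum, urgent pointer

def ones_complement_sum(data):
    """16-bit one's-complement checksum (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header (src, dst, zero, protocol 6, TCP length) + segment.
    A segment whose checksum field is already correct sums to zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)

def parse_tcp_header(segment):
    """Split the fixed header into its fields; options run up to the data offset."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(HDR, segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "data_offset": data_offset, "flags": flags, "checksum": csum,
            "urgent": urg, "options": segment[20:data_offset]}

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flag_names, window=65535):
    """Build an option-less segment (data offset 5) with a correct checksum."""
    bits = sum(FLAG_BITS[n] for n in flag_names)
    hdr = struct.pack(HDR, sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def listen_accepts(src_ip, dst_ip, segment):
    """What a LISTEN socket does with an incoming segment, following the text:
    bad checksum -> silently discard; RST or ACK set, or no SYN -> discard;
    otherwise the SYN opens a half-open entry and the connection enters SYN_RECV."""
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        return "discard: bad checksum"
    f = parse_tcp_header(segment)["flags"]
    if f["RST"] or f["ACK"] or not f["SYN"]:
        return "discard: flags"
    return "SYN_RECV"
```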
SND.UNA: send unacknowledged
SND.NXT: send next
SND.WND: send window
SND.UP: send urgent pointer
SND.WL1: segment sequence number used for the last window update
SND.WL2: segment acknowledgement number used for the last window update
(Figure: three-way handshake)
ISS: initial send sequence number
Receive sequence variables (RCV):
RCV.NXT: receive next
RCV.WND: receive window
RCV.UP: receive urgent pointer
IRS: initial receive sequence number
Current segment variables (SEG):
SEG.SEQ: segment sequence number
SEG.ACK: segment acknowledgement number
SEG.LEN: segment length
SEG.WND: segment window
SEG.UP: segment urgent pointer
SEG.PRC: segment precedence

CLOSED means there is no connection. The meanings of the states are as follows:
LISTEN: waiting for a connection request from a remote TCP port.
SYN-SENT: waiting for a matching connection request after a connection request has been sent.
SYN-RECEIVED: waiting for confirmation of the connection request after both receiving and sending a connection request.
ESTABLISHED: an open connection over which data can be delivered to the user.
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or an acknowledgement of the termination request previously sent.
FIN-WAIT-2: waiting for a connection termination request from the remote TCP.
CLOSE-WAIT: waiting for a connection termination request from the local user.
CLOSING: waiting for the remote TCP's acknowledgement of the connection termination.
LAST-ACK: waiting for acknowledgement of the connection termination request previously sent to the remote TCP.
TIME-WAIT: waiting long enough to be sure the remote TCP received the acknowledgement of its connection termination request.
CLOSED: no connection.
The TCP connection process is a sequence of state transitions. They are triggered by user calls (OPEN, SEND, RECEIVE, CLOSE, ABORT and STATUS), by arriving segments, in particular those carrying the SYN, ACK, RST and FIN flags, and by timeouts; the TCP state then changes as described above.
Sequence numbers
The bytes sent over a TCP connection carry sequence numbers, which make it possible to acknowledge their receipt. Acknowledgement of sequence numbers is cumulative. The kinds of sequence-number comparison TCP must perform include the following: ① determining which sequence numbers have been sent but not acknowledged; ② determining that all sequence numbers up to a point have been received; ③ determining the sequence number that should go into the next segment.
When the sending TCP receives an acknowledgement, the following must be compared:
SND.UNA = oldest unacknowledged sequence number.
SND.NXT = next sequence number to be sent.
(Figure: three-way handshake data)
SEG.ACK = the acknowledgement from the receiving TCP, i.e. the next sequence number the receiving TCP expects.
SEG.SEQ = first sequence number of a data segment.
SEG.LEN = number of bytes in the data segment.
SEG.SEQ+SEG.LEN-1 = last sequence number of the data segment.
If the sequence number of a data segment is less than or equal to the acknowledgement number, the entire data segment is acknowledged.
When receiving data, the following comparisons are required:
RCV.NXT = the expected sequence number, the lowest edge of the receive window.
RCV.NXT+RCV.WND-1 = the last sequence number, the highest edge of the receive window.
SEG.SEQ = the first sequence number received.
SEG.SEQ+SEG.LEN-1 = the last sequence number received. [2]

Basic principle of a SYN flood attack based on the three-way handshake
(Figure: three-way handshake protocol)
Build a small simulated environment: assume three machines connected to the Internet. A is the attack machine controlled by the attacker. B is the intermediary springboard machine (a trusted server). C is the victim machine (usually a server); C is the locked-on target.
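Before the attack scenario, an added Python example (not from the original article) implements the sequence-number comparisons listed above with 32-bit wraparound handling; the numeric values are constructed, and the acceptable-ACK rule comes from RFC 793 rather than from this page.

```python
# Added example, not from the original article: the sequence-number comparisons
# listed above, implemented with 32-bit modular arithmetic so they remain correct
# when the counter wraps past 4,294,967,295. All sample values are constructed.
MOD = 1 << 32

def seq_lt(a, b):
    """a precedes b on the 32-bit circle: the wrapped difference a - b is negative."""
    return (a - b) % MOD >= MOD // 2

def seq_le(a, b):
    return a == b or seq_lt(a, b)

def last_seq(seg_seq, seg_len):
    """SEG.SEQ + SEG.LEN - 1: the last sequence number the segment carries."""
    return (seg_seq + seg_len - 1) % MOD

def unacked_bytes(snd_una, snd_nxt):
    """Comparison ①: how many bytes are sent but not yet acknowledged."""
    return (snd_nxt - snd_una) % MOD

def segment_fully_acked(seg_seq, seg_len, seg_ack):
    """Comparison ②: the whole segment is acknowledged when its last sequence
    number lies below SEG.ACK, i.e. SEG.SEQ + SEG.LEN <= SEG.ACK."""
    return seq_lt(last_seq(seg_seq, seg_len), seg_ack)

def acceptable_ack(snd_una, seg_ack, snd_nxt):
    """An ACK is acceptable when SND.UNA < SEG.ACK <= SND.NXT (RFC 793)."""
    return seq_lt(snd_una, seg_ack) and seq_le(seg_ack, snd_nxt)

def in_window(x, rcv_nxt, rcv_wnd):
    """RCV.NXT <= x <= RCV.NXT + RCV.WND - 1: the window edges from the text."""
    return seq_le(rcv_nxt, x) and seq_lt(x, (rcv_nxt + rcv_wnd) % MOD)

def segment_in_window(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 receive test: with an empty window only an empty segment at
    RCV.NXT is acceptable; otherwise the first or the last byte must fall inside."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    if seg_len == 0:
        return in_window(seg_seq, rcv_nxt, rcv_wnd)
    return (in_window(seg_seq, rcv_nxt, rcv_wnd)
            or in_window(last_seq(seg_seq, seg_len), rcv_nxt, rcv_wnd))

def advance_snd_nxt(snd_nxt, nbytes):
    """Comparison ③: the sequence number the next segment should start with."""
    return (snd_nxt + nbytes) % MOD
```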
Machine A sends a SYN packet to machine B requesting a connection; B, responding to the request, replies to A with SYN/ACK to indicate agreement to establish the connection; when A receives the SYN/ACK reply from B it sends an ACK reply, and the network connection between A and B is established. In this way a TCP communication channel between the two machines has been set up successfully. B, the trusted server, initiates a TCP connection to machine C, while A sends SYN messages to server C so that C cannot respond to B. At the same time A sends B a forged SYN packet purporting to come from C; B, receiving a SYN packet from a source it trusts (C), begins sending the SYN/ACK packet that answers the connection request, and C, busy responding to the SYN data sent earlier, does not respond to B. The attacker on machine A predicts the sequence number of B's packet (TCP sequence number prediction is somewhat difficult) and, posing as C, sends an ACK reply to B; the attacker has then deceived B's trust and, impersonating C, established a TCP connection with B. All this time C is still responding to the SYN data sent by attacker A.

Weakness of the TCP protocol stack: a TCP connection consumes resources, including packet information, connection state, sequence numbers and so on. The resources of the connecting party are exhausted by deliberately not completing the three handshake steps needed to establish the connection; the resource exhaustion of machine C is caused by an attacker who intentionally never completes the three-way handshake.
Predictability of the sequence number: the sequence number in the SYN/ACK the target host returns when answering a connection request is predictable.
