TCP three-way handshake and four-way handshake

Source: Internet
Author: User

From the socket programmer's point of view, TCP connection setup and teardown happen automatically inside the TCP/IP protocol stack, so application developers never control the process directly. Understanding the underlying mechanism is still useful, and for positions such as network protocol engineer it is practically mandatory written-test material. My company is very enthusiastic about this question :-). It is sometimes stressed before the morning interview and repeated once more; in the afternoon almost everyone is asked it. So the two processes are explained in detail here.

The TCP three-way handshake refers to the three segments exchanged by the client and the server when a TCP connection is established. Its purpose is to connect to the specified server port, establish the TCP connection, synchronize the sequence numbers and acknowledgement numbers of both sides, and exchange TCP window size information. In socket programming, the three-way handshake is triggered when the client calls connect().

  • First handshake:
    The client sends a segment with the SYN flag set to 1, addressed to the server port it wants to connect to, carrying its initial sequence number (ISN) X in the Sequence Number field of the header.
  • Second handshake:
    The server replies with a segment in which both the SYN flag and the ACK flag are 1. Its own ISN Y goes in the Sequence Number field, and the Acknowledgement Number is set to the client's ISN plus 1, i.e. X + 1.

  • Third handshake:
    The client sends a segment with SYN = 0 and ACK = 1. The Acknowledgement Number is the server's sequence number plus 1, i.e. Y + 1, and the Sequence Number is X + 1, because the SYN consumed one sequence number. Both sides are now in the ESTABLISHED state.

SYN Attack

During the three-way handshake, the connection between the moment the server sends its SYN-ACK and the moment it receives the client's ACK is called a half-open connection; the server is in the SYN_RECV state. When the ACK arrives, the server moves to the ESTABLISHED state.

In a SYN attack, the attacker forges a large number of nonexistent source IP addresses in a short time and keeps sending SYN segments to the server. The server replies with SYN-ACK and waits for the client's ACK; because the source addresses do not exist, no ACK ever comes, and the server retransmits the SYN-ACK until it times out. These forged SYNs occupy the half-open connection queue for a long time, so normal SYN requests are dropped and the target system slows down; in serious cases the network is congested or the system stops responding altogether.

A SYN attack is a typical denial-of-service attack (a DDoS when launched from many sources). It is easy to detect: a large number of half-open connections on the server, especially with random source IP addresses, is practically a certain sign of a SYN attack. On Linux, you can count them with either of the following commands (note that on Linux the -p option of netstat selects programs, not protocols; -t selects TCP):

netstat -n -t | grep -c SYN_RECV
ss -n -t state syn-recv

Modern TCP/IP stacks change the TCP implementation to mitigate SYN attacks. The main techniques are the SynAttackProtect mechanism (Windows), SYN cookies, raising the maximum number of half-open connections, and shortening the SYN-ACK retransmission timeout.

None of these completely prevents SYN attacks, however.
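The following is an added example of the SYN cookie technique mentioned above; it is written for this page and is not code from the original article, nor the Linux or Windows implementation. The server keeps no half-open entry per SYN: its ISN in the SYN+ACK is a keyed hash of the connection 4-tuple, the client's ISN and a coarse time counter, so the client's third-handshake ACK (acknowledgement number = cookie + 1, sequence number = client ISN + 1) can be validated without stored state. The key SECRET, the 64-second counter tick and the 5/27-bit split of the ISN are assumptions made for the example.

```python
"""Added example (written for this page; not the article's code and not the
Linux or Windows implementation): a simplified SYN cookie.  The server keeps
no half-open entry per SYN.  Its ISN in the SYN+ACK is a keyed hash of the
connection 4-tuple, the client's ISN and a coarse time counter, so the
client's third-handshake ACK (ack = cookie + 1, seq = client ISN + 1) can be
validated statelessly.  SECRET, the 64-second counter and the 5/27-bit split
are assumptions made for the example."""
import hashlib
import hmac
import random
import socket
import struct

SECRET = b"per-server secret, rotate regularly"   # assumed key
TICK = 64                                          # assumed counter granularity in seconds
TICK_BITS, HASH_BITS = 5, 27                       # counter in the top 5 bits of the 32-bit ISN
TICK_MASK, HASH_MASK = (1 << TICK_BITS) - 1, (1 << HASH_BITS) - 1


def _mac(saddr, daddr, sport, dport, client_isn, tick):
    """27-bit truncated HMAC over everything the third-handshake ACK lets us recover."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport,
                      client_isn & 0xFFFFFFFF, tick & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(saddr, daddr, sport, dport, client_isn, now):
    """Server ISN for the SYN+ACK; nothing is stored on the server."""
    tick = int(now // TICK)
    return ((tick & TICK_MASK) << HASH_BITS) | _mac(saddr, daddr, sport, dport, client_isn, tick)


def check_ack(saddr, daddr, sport, dport, ack_seq, ack_num, now, max_age_ticks=1):
    """Validate the third handshake from the ACK alone.  ack_seq is its sequence
    number (client ISN + 1) and ack_num its acknowledgement number (cookie + 1).
    Cookies from the current or the previous tick are accepted, older ones are not."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    current = int(now // TICK)
    for age in range(max_age_ticks + 1):
        tick = current - age
        if (tick & TICK_MASK) != cookie >> HASH_BITS:
            continue
        if _mac(saddr, daddr, sport, dport, client_isn, tick) == (cookie & HASH_MASK):
            return True
    return False


def simulate(now):
    """Constructed scenario: 10,000 spoofed SYNs, then one honest client.
    Returns (honest accepted, forged ack accepted, stale cookie accepted,
    cookie replayed on another port accepted); only the first should be True."""
    daddr, dport = socket.inet_aton("192.0.2.10"), 80
    rng = random.Random(1)
    for _ in range(10_000):                         # flood: each SYN costs one hash, zero state
        spoofed = struct.pack("!I", rng.getrandbits(32))
        make_cookie(spoofed, daddr, rng.randrange(1024, 65536), dport, rng.getrandbits(32), now)
    saddr, sport, isn = socket.inet_aton("203.0.113.7"), 40000, 123456
    cookie = make_cookie(saddr, daddr, sport, dport, isn, now)
    honest = check_ack(saddr, daddr, sport, dport, isn + 1, cookie + 1, now + 1)
    forged = check_ack(saddr, daddr, sport, dport, isn + 1, cookie + 2, now + 1)       # guessed ack number
    stale = check_ack(saddr, daddr, sport, dport, isn + 1, cookie + 1, now + 3 * TICK)  # too old
    moved = check_ack(saddr, daddr, sport + 1, dport, isn + 1, cookie + 1, now + 1)    # other 4-tuple
    return honest, forged, stale, moved


if __name__ == "__main__":
    import time
    print(simulate(time.time()))   # (True, False, False, False)
```

Because the server derives everything it needs from the returning ACK, the flood costs it one hash per SYN and no queue slot, which is why the half-open backlog can no longer be exhausted; the price is that TCP options carried in the SYN (window scale, SACK) are lost unless they are also squeezed into the cookie, which is what real implementations do.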

TCP four-way handshake (the "four waves")

Tearing down a TCP connection takes four segments, which is why it is called the four-way handshake. Either the client or the server can initiate it; in socket programming, either side calling close() starts the sequence. The side that closes first sends a FIN, the other side acknowledges it with an ACK, then sends its own FIN when it has nothing more to send, and the first side acknowledges that FIN and waits in TIME_WAIT before the connection is fully closed.
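The three-way handshake described earlier and the four-way close described above, as an added example written for this page (not code from the original article). It models two endpoints exchanging segments with only the SYN/ACK/FIN flags, the sequence and acknowledgement numbers and the TCP state names; there is no data transfer, retransmission or timer, and the initial sequence numbers 1000 and 5000 are arbitrary.

```python
"""Added example: a two-endpoint model of the three-way handshake and the
four-way close.  Written for this page, not code from the original article.
Only the SYN/ACK/FIN flags, sequence and acknowledgement numbers and the
state names are modelled; there is no data transfer, retransmission or
timer.  The ISNs 1000 and 5000 are arbitrary."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    fin: bool = False

    def __str__(self):
        flags = "".join(f for f, on in (("S", self.syn), ("A", self.ack_flag), ("F", self.fin)) if on)
        return f"[{flags}] seq={self.seq} ack={self.ack}"


class Endpoint:
    def __init__(self, name, isn, trace=None):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = None     # next sequence number expected from the peer
        self.trace = trace if trace is not None else []

    def _send(self, **flags):
        seg = Segment(seq=self.snd_nxt, **flags)
        if seg.syn or seg.fin:  # SYN and FIN each consume one sequence number
            self.snd_nxt += 1
        self.trace.append(f"{self.name} -> {seg}")
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self):          # active open: first handshake
        self.state = "SYN_SENT"
        return self._send(syn=True)

    def close(self):            # FIN from ESTABLISHED (active close) or from CLOSE_WAIT (passive side)
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        return self._send(fin=True, ack_flag=True, ack=self.rcv_nxt)

    def receive(self, seg):
        """Process one segment; return the reply segment, or None if nothing is sent."""
        if self.state == "LISTEN" and seg.syn and not seg.ack_flag:
            self.rcv_nxt = seg.seq + 1                       # second handshake: ack = X + 1
            self.state = "SYN_RECV"
            return self._send(syn=True, ack_flag=True, ack=self.rcv_nxt)
        if self.state == "SYN_SENT" and seg.syn and seg.ack_flag:
            if seg.ack != self.snd_nxt:                      # must acknowledge our ISN + 1
                return None
            self.rcv_nxt = seg.seq + 1                       # third handshake: ack = Y + 1
            self.state = "ESTABLISHED"
            return self._send(ack_flag=True, ack=self.rcv_nxt)
        if self.state == "SYN_RECV" and seg.ack_flag and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"                       # half-open entry becomes a connection
            return None
        if self.state == "ESTABLISHED" and seg.fin:          # wave 1 received: passive close
            self.rcv_nxt = seg.seq + 1
            self.state = "CLOSE_WAIT"
            return self._send(ack_flag=True, ack=self.rcv_nxt)
        if self.state == "FIN_WAIT_1" and seg.ack_flag and seg.ack == self.snd_nxt and not seg.fin:
            self.state = "FIN_WAIT_2"                        # our FIN has been acknowledged
            return None
        if self.state == "FIN_WAIT_2" and seg.fin:           # peer's FIN: acknowledge, wait 2 MSL
            self.rcv_nxt = seg.seq + 1
            self.state = "TIME_WAIT"
            return self._send(ack_flag=True, ack=self.rcv_nxt)
        if self.state == "LAST_ACK" and seg.ack_flag and seg.ack == self.snd_nxt:
            self.state = "CLOSED"
            return None
        return None                                          # anything else is ignored in this model


def run_connection(client_isn=1000, server_isn=5000):
    """Full open and close with the client as active closer.  Returns both endpoints,
    the states right after the handshake, and the chronological trace of segments."""
    trace = []
    client = Endpoint("client", client_isn, trace)
    server = Endpoint("server", server_isn, trace)
    server.listen()
    syn = client.connect()               # 1: SYN, seq = X
    syn_ack = server.receive(syn)        # 2: SYN+ACK, seq = Y, ack = X + 1
    ack = client.receive(syn_ack)        # 3: ACK, seq = X + 1, ack = Y + 1
    server.receive(ack)
    after_open = (client.state, server.state)
    fin1 = client.close()                # wave 1: FIN from the active closer
    ack1 = server.receive(fin1)          # wave 2: ACK
    client.receive(ack1)
    fin2 = server.close()                # wave 3: FIN from the passive closer
    ack2 = client.receive(fin2)          # wave 4: ACK, active closer enters TIME_WAIT
    server.receive(ack2)
    return client, server, after_open, trace


if __name__ == "__main__":
    c, s, opened, trace = run_connection()
    print("\n".join(trace))
    print("after open:", opened, "after close:", (c.state, s.state))
```

The two equality checks on seg.ack are the whole point of the exchange: a SYN+ACK or a third ACK that does not carry exactly the peer's ISN + 1 is ignored, which is what makes blind injection of the third segment depend on guessing the server's sequence number.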

For details, see the wireshark packet capture. The captured packets were not strictly in the four-wave order; I guess that is caused by the short interval between them. (When the passive closer has nothing more to send it often carries its FIN in the same segment as its ACK, so a capture can also show three segments instead of four.)

Network attacks against the TCP/IP protocol:

Land Attack

A Land attack sends ICMP echo requests or TCP SYN segments whose source address equals the destination address and whose source port equals the destination port, so the target keeps sending packets to itself and may crash. Detection is simple: check whether the packet's source and destination addresses are equal and whether its source and destination ports are equal; if both hold, the packet is a Land attack packet.

Syn Flooding

SYN flooding is an attack on the TCP three-way handshake. When the server (B) receives a SYN from the client (A), it sends back a SYN+ACK, creates a control structure for the pending connection, adds it to a queue and waits for A's ACK. When the ACK arrives, both sides enter the connected state and data can be sent. If the server receives no response within a certain time, the control block is released. TCP implementations limit the number of connections per port that may be waiting to be established (the backlog; Windows NT 4.0: 6, Solaris: 32); once the queue reaches that limit, any further SYN request is discarded. An attacker who keeps sending large numbers of SYNs therefore prevents other users from connecting to the attacked host. The attack cannot be prevented by increasing the backlog or reducing the connection wait time. A connection proxy can shield the hosts inside the network, but the proxy itself is still exposed to SYN flooding, and because all traffic must pass through it the overall network latency increases. Monitoring TCP connection requests in real time and filtering SYN flooding packets is the more effective defence. The detection algorithm given here (Algorithm 1) runs on an intrusion detection system and detects SYN floods with both fixed and randomly changing source addresses.

Algorithm 1 TCP SYN Flooding detection algorithm

Definitions:
  time window         : length of the observation window
  packet set          : the SYN, SYN+ACK and ACK packets observed
  source ip           : source IP address of a packet
  destination ip      : destination IP address of a packet
  syn flood threshold : minimum SYN count for declaring a SYN flood
  current time        : current system time

  syn number = 0;
  ack number = 0;
  syn ack number = 0;
  For (packetx ∈ packet set) {
      If (current time - packetx.time >= time window) {
          Delete packetx from packet set;
          Continue;
      }
      If (packetx.syn = 1) AND (packetx.ack = 0)
          syn number++;
      Else if (packetx.syn = 0) AND (packetx.ack = 1)
          ack number++;
      Else
          syn ack number++;
  }
  If (syn number >= syn flood threshold) AND
     ((syn number >= 3 × ack number) OR (syn number >= 3 × syn ack number))
      syn flood attack = TRUE;
  Else
      syn flood attack = FALSE;
  End
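Algorithm 1 run over a constructed packet trace, together with the Land check from the earlier section, as an added example written for this page rather than the article's own code. The detector keeps the SYN, SYN+ACK and ACK packets seen within the time window and applies the threshold and 3:1 ratio conditions exactly as in the pseudocode; the window of 2 seconds, the threshold of 100 SYNs, the addresses and the timings are made up.

```python
"""Added example, not the article's code: Algorithm 1 implemented as a
sliding-window detector and run over a constructed packet trace, together
with the Land check from the earlier section (source address and port equal
to destination address and port).  Window, threshold and the 3:1 ratio are
the parameters the text uses; the addresses and timings are made up."""
from collections import deque
from dataclasses import dataclass
import random


@dataclass
class Packet:
    time: float
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def is_land(p):
    """Land attack: the packet is addressed to its own source address and port."""
    return p.src == p.dst and p.sport == p.dport


class SynFloodDetector:
    """Algorithm 1: keep the SYN, SYN+ACK and ACK packets seen within `window`
    seconds, then flag a flood when SYNs are numerous and mostly unmatched."""

    def __init__(self, window=2.0, threshold=100, ratio=3):
        self.window, self.threshold, self.ratio = window, threshold, ratio
        self.packets = deque()

    def feed(self, p, now):
        self.packets.append(p)
        while self.packets and now - self.packets[0].time >= self.window:
            self.packets.popleft()                  # "delete packetx from packet set"
        syn = ack = syn_ack = 0
        for q in self.packets:
            if q.syn and not q.ack:
                syn += 1                            # first handshake
            elif q.ack and not q.syn:
                ack += 1                            # third handshake
            else:
                syn_ack += 1                        # second handshake
        # Spoofed sources never send the third ACK, so SYNs outrun ACKs by far;
        # a host whose backlog is already full also stops answering with SYN+ACK.
        return syn >= self.threshold and (syn >= self.ratio * ack or syn >= self.ratio * syn_ack)


def analyse(packets, **detector_args):
    """Run both checks over a trace.  Returns the number of Land packets and the
    time at which the SYN-flood condition first became true (None if never)."""
    det = SynFloodDetector(**detector_args)
    land, first_flood = 0, None
    for p in sorted(packets, key=lambda q: q.time):
        if is_land(p):
            land += 1
            continue
        if det.feed(p, p.time) and first_flood is None:
            first_flood = p.time
    return {"land": land, "flood_first_flagged": first_flood}


def normal_traffic(n=150, start=0.0):
    """Constructed: n complete handshakes from distinct clients, 10 ms apart."""
    pk = []
    for i in range(n):
        t, src, sport = start + i * 0.01, f"192.0.2.{i % 250 + 1}", 40000 + i
        pk.append(Packet(t, src, "10.0.0.1", sport, 80, True, False))
        pk.append(Packet(t + 0.001, "10.0.0.1", src, 80, sport, True, True))
        pk.append(Packet(t + 0.002, src, "10.0.0.1", sport, 80, False, True))
    return pk


def syn_flood(n=300, start=0.0, random_sources=True):
    """Constructed: n SYNs 5 ms apart, each answered by SYN+ACK but never by ACK.
    Sources are random spoofed addresses or one fixed address."""
    rng = random.Random(7)
    pk = []
    for i in range(n):
        src = (".".join(str(rng.randrange(1, 255)) for _ in range(4))
               if random_sources else "198.51.100.99")
        t, sport = start + i * 0.005, rng.randrange(1024, 65536)
        pk.append(Packet(t, src, "10.0.0.1", sport, 80, True, False))
        pk.append(Packet(t + 0.001, "10.0.0.1", src, 80, sport, True, True))
    return pk


if __name__ == "__main__":
    print("normal      :", analyse(normal_traffic()))
    print("random flood:", analyse(syn_flood(random_sources=True)))
    print("fixed flood :", analyse(syn_flood(random_sources=False)))
    print("land        :", analyse([Packet(0.0, "10.0.0.1", "10.0.0.1", 80, 80, True, False)]))
```

With these parameters the flood is flagged at the 100th SYN, about half a second in, while 150 legitimate handshakes in the same window never trip the ratio because every SYN is matched by an ACK within 2 ms. A flash crowd of real clients behind a slow link is the classic false positive: SYNs arrive in a burst and their ACKs lag, so in practice the threshold and ratio are tuned per site rather than taken from a paper.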

TCP session hijacking

With TCP session hijacking, an attacker can easily modify and forge data.

Its basic principle is as follows:

After the connection has been established by the three-way handshake, TCP uses a sliding-window mechanism to check the data sent by the other side: if a segment's sequence number does not fall inside the receiver's window, the segment is discarded. A state in which the sender's sequence numbers lie outside the receiver's window is called desynchronized. Once the two sides are desynchronized, the attacker can forge segments whose sequence numbers fall inside the valid receive window: he intercepts a packet, tampers with its content, adjusts the sequence number, and the receiver treats the data as valid. The key to TCP hijacking is therefore to drive the two sides into the desynchronized state, and there are several ways to do that. As shown in figure 2, after host A sends a SYN and B responds with SYN+ACK, A considers the connection established. At this point the attacker impersonates A and sends an RST to B, so B releases the connection; the attacker then continues to impersonate A and, using his own initial sequence number, opens a new connection with B. Neither A nor B is aware of this. Once the attacker has established the connection with B while pretending to be A, A and B are desynchronized. The Telnet NOP command can achieve the same effect: on receiving a NOP, host B performs no operation but still advances its acknowledgement number by one, so if the attacker impersonates A and sends a large number of NOPs to B, A and B end up desynchronized.

The key to detecting TCP hijacking is detecting the desynchronized state: if data or acknowledgement packets outside the receive window keep arriving on a connection, that connection is being hijacked.
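The desynchronization and the detection rule above, as an added example written for this page (not code from the article). A receiver holds the next expected sequence number and a window; one forged segment injected at exactly that sequence number is accepted and moves the window, after which every segment from the legitimate sender, still counting from its own position, falls behind the window and is discarded. Counting those out-of-window segments is the detection rule from the text. The sequence numbers, the 4096-byte window, the payloads and the alert threshold of three segments are made up; how the desynchronization was reached (RST, NOPs or sniffed sequence numbers) does not change the check.

```python
"""Added example (not from the article): a receive-window model that shows
how one forged in-window segment desynchronises the two ends, and the
detection rule from the text, counting segments that fall outside the
receive window.  Sequence numbers, window size, payloads and the threshold
of three out-of-window segments are made up."""


class Receiver:
    """One side of an established connection (host B in the text)."""

    def __init__(self, rcv_nxt, rcv_wnd=4096, alert_after=3):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd      # next expected seq, window size
        self.alert_after = alert_after
        self.accepted = []                                 # payloads delivered in order
        self.out_of_window = 0
        self.hijack_suspected = False

    def acceptable(self, seq, length):
        """RFC 793 acceptability test (no wraparound handling): at least one byte
        of the segment lies in [rcv_nxt, rcv_nxt + rcv_wnd)."""
        return seq < self.rcv_nxt + self.rcv_wnd and seq + length - 1 >= self.rcv_nxt

    def deliver(self, seq, payload):
        if not self.acceptable(seq, len(payload)):
            self.out_of_window += 1                        # detection rule from the text
            if self.out_of_window >= self.alert_after:
                self.hijack_suspected = True
            return "discarded"
        if seq == self.rcv_nxt:                            # in order: consume and advance
            self.rcv_nxt += len(payload)
            self.accepted.append(payload)
            return "accepted"
        return "buffered"                                  # in window, out of order (not modelled further)


def hijack_scenario():
    """A sends two segments to B.  The attacker, who has sniffed the sequence
    numbers, injects one segment at exactly B's rcv_nxt.  B accepts it and moves
    its window forward, so every later segment from A (still counting from its
    own snd_nxt) lands behind the window and is discarded: A and B are now
    desynchronised, and B's out-of-window counter trips the alert."""
    b, a_seq, log = Receiver(rcv_nxt=1000), 1000, []
    for data in (b"USER alice\r\n", b"PASS s3cret\r\n"):
        log.append(("A", b.deliver(a_seq, data)))
        a_seq += len(data)
    forged = b"echo pwned > /tmp/x\r\n"                    # constructed attacker payload
    log.append(("attacker", b.deliver(b.rcv_nxt, forged)))
    for data in (b"ls\r\n", b"pwd\r\n", b"exit\r\n"):
        log.append(("A", b.deliver(a_seq, data)))
        a_seq += len(data)
    return b, log


def normal_scenario():
    """Same sender without interference: everything is in order and no alert fires."""
    b, a_seq, log = Receiver(rcv_nxt=1000), 1000, []
    for data in (b"USER alice\r\n", b"PASS s3cret\r\n", b"ls\r\n", b"pwd\r\n", b"exit\r\n"):
        log.append(("A", b.deliver(a_seq, data)))
        a_seq += len(data)
    return b, log


if __name__ == "__main__":
    for name, (b, log) in (("normal", normal_scenario()), ("hijack", hijack_scenario())):
        print(name, [r for _, r in log], "suspected:", b.hijack_suspected)
```

In the hijacked run the receiver ends up with the attacker's line in its delivered data and three discarded segments from the real sender; in a real stack each discard would also trigger an ACK carrying B's advanced rcv_nxt, which is the "ACK storm" that makes this kind of hijack noisy on the wire.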

TCP spoofing

TCP hijacking requires the attacker to sniff the traffic between the two parties in order to learn their sequence numbers; TCP spoofing (disguising as a trusted host, called TCP "camouflage" in some translations) works without that. The attacker first connects from a real address to a service V offers, such as WWW, to learn V's current initial sequence number, then impersonates host C and tries to open a connection to V's Telnet port (the attacker must make sure C is down, or has been attacked so that it cannot answer, otherwise C would respond to V's SYN+ACK). Once the connection is established, the attacker can send a series of commands to V. This attack bypasses IP address checks performed by a firewall or by the host itself.

Because the attacker receives nothing from V, two conditions must hold for the attack to succeed:

1) when establishing the connection, the attacker needs to know V's current initial sequence number;

2) when sending commands, the attacker needs to know the length of V's response data.

Condition 2) is easily met: the attacker can test the content and length of the response on a host he can access legitimately. The original TCP specification (RFC 793) had all TCP connections draw their initial sequence number from one counter, incremented by 1 every 4 µs; a connection request uses the counter's current value. Because the counter increases linearly with time, the sequence number can be computed from the formula Seq(t) = Seq(t0) + (t - t0) × r, where t is the current time, t0 the time of an earlier observation, and r the rate at which the sequence number grows. Since t0 and Seq(t0) are easily obtained, the attacker only needs to measure the network latency between the attacking host and V. The latency varies randomly, but it is relatively stable over short periods, so after measuring the average latency the attacker can estimate the initial sequence number V will use. Shortening the counter interval makes the attack harder but does not fundamentally prevent it. The attack can be prevented by choosing the initial sequence number randomly or by mixing secret information into it, such as a hash of the IP addresses; [8] discusses methods of preventing TCP sequence number prediction. Application-layer authentication also defeats TCP spoofing. TCP spoofing can only be detected while the connection is being set up; once it has succeeded, it can no longer be detected. Before the attack, the attacker has to probe how the initial sequence numbers are generated, measure the network latency, and then try to establish the connection; if several ACK packets with incorrect acknowledgement numbers are received, a TCP spoofing attack is under way.
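The sequence number prediction described above, as an added example written for this page (not the article's code), run against two constructed ISN generators: LinearISN models the RFC 793 counter that advances by one every 4 µs and is shared by every connection, and HashedISN models the RFC 6528 style generator, the same clock plus a keyed hash of the connection 4-tuple, which is the "secret information" defence the text mentions. The probe times, the addresses, the 50 ms one-way latency and the secret key are made up.

```python
"""Added example (written for this page, not the article's code): the
sequence-number prediction described above, run against two constructed ISN
generators.  LinearISN models the RFC 793 counter that advances by one every
4 microseconds and is shared by every connection; HashedISN models the
RFC 6528 style, a per-4-tuple secret offset added to the clock.  The times,
addresses and latency are made up."""
import hashlib
import hmac

TICK_US = 4     # RFC 793: the ISN clock increments roughly every 4 microseconds
MASK = 0xFFFFFFFF


class LinearISN:
    """Seq(t) = Seq(t0) + (t - t0) * r with r = 1 / TICK_US, whatever the 4-tuple."""

    def __init__(self, seq0=0x12345678):
        self.seq0 = seq0

    def isn(self, t_us, **_):
        return (self.seq0 + t_us // TICK_US) & MASK


class HashedISN:
    """The same clock plus a keyed hash of the 4-tuple: the rate r is still
    measurable, but the offset differs for every (C, V) pair."""

    def __init__(self, secret=b"assumed secret"):
        self.secret = secret

    def isn(self, t_us, saddr="", daddr="", sport=0, dport=0):
        key = f"{saddr}:{sport}->{daddr}:{dport}".encode()
        offset = int.from_bytes(hmac.new(self.secret, key, hashlib.sha256).digest()[:4], "big")
        return (t_us // TICK_US + offset) & MASK


def sample_rate(gen, t0, t1, **tup):
    """Attacker's probe: two legitimate connections from the real address at t0 and
    t1 yield Seq(t0) and r = (Seq(t1) - Seq(t0)) / (t1 - t0)."""
    s0, s1 = gen.isn(t0, **tup), gen.isn(t1, **tup)
    return s0, ((s1 - s0) & MASK) / (t1 - t0)


def predict(seq_t0, t0, t, r):
    """Seq(t) = Seq(t0) + (t - t0) * r, the formula from the text."""
    return (seq_t0 + int(round((t - t0) * r))) & MASK


def spoof_attempt(gen, latency_us, jitter_us=0):
    """Probe V from the attacker's own address, then send a SYN spoofed from the
    trusted host C; V chooses its ISN when that SYN arrives, one-way latency later.
    Returns (predicted ISN, ISN V actually used, hit)."""
    probe = dict(saddr="203.0.113.5", daddr="192.0.2.10", sport=40000, dport=80)    # attacker -> V www
    victim = dict(saddr="198.51.100.9", daddr="192.0.2.10", sport=40001, dport=23)  # "C" -> V telnet
    t0, t1, t2 = 1_000_000, 1_500_000, 2_000_000
    seq_t0, r = sample_rate(gen, t0, t1, **probe)
    guess = predict(seq_t0, t0, t2 + latency_us, r)
    actual = gen.isn(t2 + latency_us + jitter_us, **victim)
    return guess, actual, guess == actual


if __name__ == "__main__":
    for gen in (LinearISN(), HashedISN()):
        guess, actual, hit = spoof_attempt(gen, latency_us=50_000)
        print(type(gen).__name__, hex(guess), hex(actual), "hit" if hit else "miss")
    # With latency jitter the linear guess is off by only jitter / TICK_US, so a
    # burst of ACKs covering that range still succeeds; the hashed generator
    # leaves no such range, because the probe learned the wrong per-tuple offset.
    print(spoof_attempt(LinearISN(), latency_us=50_000, jitter_us=40))
```

Against the linear counter the prediction is exact when the latency estimate is, and a 40 µs error only moves the real ISN ten sequence numbers away, a range the attacker covers by sending a handful of third-handshake ACKs. Against the hashed generator the measured rate r is correct but the offset learned from the attacker's own connection does not apply to C's 4-tuple, so the prediction misses by an unpredictable 32-bit amount.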

