In the early stage of a TCP session, there was a so-called "three handshakes": how to track the data volume sent each time and negotiate to synchronize the sending and receiving of data segments, determines the number of data confirmations based on the amount of data received and when to cancel the contact after the data is sent and received, and establishes a virtual connection. To provide reliable transmission, TCP sends the serial number of the data packet in a specific order before sending new data, and needs the packets to be sent to the confirmation message after the target machine. TCP is always used to send large volumes of data. When the applicationProgramTCP is also used to confirm the received data. Because TCP requires time tracking, this requires additional overhead, making the TCP format somewhat complex. Next let's take a look at a typical TCP case. This is what was later called the Mitnick attack. Kevin created two attack technologies:
TCP session hijacking
SYN Flood (synchronous flood)
TCP session hijacking is discussed here.
Let us first understand the basic simple process of TCP connection establishment. To build a small imitation environment, we assume there are three machines connected to the Internet. A is an attacker. B is an intermediary springboard machine (a trusted server ). C is the machine used by the victim (mostly the server). Here, machine C is locked as the target machine. Machine A sends a SYN packet to machine B and requests to establish a connection. Then, machine B that has responded to the request will respond to machine A with SYN/ack indicating that it agrees to establish a connection, when machine A receives SYN/ACK responses from machine B, it sends a response ack to establish a network connection between machine A and machine B. In this way, the TCP communication channel between two machines is successfully established.
The trusted server of Terminal B initiates a TCP connection to machine C, and machine a initiates SYN information to the server, so that machine C cannot respond to machine B. At the same time, machine A also sends a false SYN Packet responded by machine C to machine B and receives the SYN packet from machine B (trusted by machine C) start to send the SYN/ack data packet established by the response connection. At this time, machine C is busy responding to the SYN data sent previously and has no time to respond to machine B, the attacker of machine a predicts the serial number of machine B's package (the current TCP serial number is more difficult to predict). The attacker defrauded the trust of machine B by sending a response ack to machine B's counterfeit machine C, the counterfeit C machine establishes a TCP conversation connection with the B machine. At this time, machine C is still responding to SYN data sent by machine.
Weakness of the TCP protocol stack: resource consumption of TCP connections, including packet information, condition status, and serial number. By deliberately failing to complete the three handshakes required for establishing a connection, the resources of the connection party are exhausted.
The entire process of three handshakes required by the attacker to establish a connection is intentionally not completed, resulting in the depletion of resources of the C machine. The predictability of the serial number, which can be predicted when the target host responds to the SYN/ack serial number returned by the connection request. (For details about the early TCP protocol stack, refer to the rfc793 document on the prototype of TCP published in 1981)
TCP Header Structure
The TCP Header must contain at least 20 bytes, including the following regions,Article):
TCP source port): The 16-bit source port contains the port for initial communication. The source port and source IP address are used to indicate the returned address.
Destination Port): A 16-bit destination port domain defines the purpose of transmission. This port specifies the application address interface on the receiving computer.
TCP serial number (sequence code, sequence number): The 32-bit serial number is used by the receiver computer, and the packet of the re-segmentation is in the initial form. When SYN occurs, the sequence code is actually the initial sequence code (ISN), and the First Data byte is ISN + 1. This serial number can compensate for inconsistency during transmission.
TCP answer number (acknowledgment number): The 32-bit serial number is used by the receiver computer, and the packet of the reorganization segment is in the initial form ., If an ACK control bit is set, this value indicates the sequence code of the packet to be received.
Data offset (hlen): The size of the TCP Header, which indicates where the data starts.
Reserved): 6-bit value range, which must be 0. Reserved for future definition of new uses.
Code bits): 6-digit flag domain. Indicates the emergency sign, meaningful response sign, push, reset connection sign, synchronous serial number sign, and complete sending data sign. In order: URG, ack, Psh, RST, Syn, and fin.
Window): 16 bits are used to indicate the size of each TCP data segment to be received.
Checksum): 16-bit TCP header. The source machine calculates a value based on the data content, and the receiving information machine must have the same result as the source machine to prove the data validity.
Priority pointer (urgent, Urgent Pointer): 16 bits point to the next byte of the priority data, which is valid only when the URG flag is set. If the URG flag is not set, the emergency domain is filled. Accelerate processing of data segments marked as emergency.
Option): The length is not fixed, but the length must be byte. If there is no option, the one-byte domain is equal to 0.
Fill: The length cannot be long. The filled content must be 0. It exists for mathematical purposes. The purpose is to ensure the predictability of space. Ensure that the combination of the header and the offset at the beginning of the data can be divisible by 32. Generally, the extra zero is used to ensure that the TCP header is an integer multiple of 32 bits.
Flag Control Function
URG: Emergency sign
The URGent pointer sign is valid. Emergency flag placement,
ACK: Validation mark
The acknowledgement number column is valid. In most cases, this flag is set. The validation number (W + 1, Figure: 1) contained in the validation number column in the TCP header is the next expected sequence number, prompting that the remote system has successfully received all data.
Psh: Push sign
When this flag is set, the receiving end does not process the data in the queue, but forwards the data to the application as soon as possible. This flag is always set to a bit when you connect to telnet, rlogin, or other interactive modes.
RST: Reset flag
The reset flag is valid. Used to reset the corresponding TCP connection.
SYN: Synchronization flag
The synchronize sequence numbers column is valid. This flag is valid only when three handshakes are used to establish a TCP connection. It indicates the serial number of the server check sequence of the TCP connection. The serial number is the serial number of the initial client of the TCP connection. Here, we can regard the TCP sequence number as a 32-bit counter ranging from 0 to 4,294,967,295. Each byte in the data exchange over TCP connections is serial number. The serial number column in the TCP header contains the serial number of the first byte in the TCP segment.
Fin: End mark
The packet with this flag is used to end a TCP session, but the corresponding port is still open, ready to receive subsequent data.
The server is listening, and the packet (IP packet) used by the client to establish a connection request is combined into a segment (segment) of TCP processing according to the TCP/IP protocol stack ).
Analyze header information: The TCP layer receives the corresponding TCP/IP header and stores the information in the memory.
Check TCP checksum): The standard checksum is located in the segment (figure: 2 ). If the verification fails and no confirmation is returned, the segment is discarded and will be retransmitted by the client.
Find the Protocol control block (PCB {}): TCP searches for Protocol control blocks associated with the connection. If not found, TCP discards the segment and returns the rst. (This is the mechanism for TCP processing without a port listener) if the Protocol control block exists but the status is disabled, the server does not call connect () or listen (). This segment is discarded, but RST is not returned. The client tries to re-establish the connection request.
Create a new socket: When a socket in the listening status receives this segment, a sub-socket will be created, and socket {}, tcpcb {} And pub {} will also be created. If an error occurs, the corresponding socket is removed and the memory is released through the flag. The TCP connection fails. If the cache queue is full, TCP considers an error to occur and all subsequent connection requests will be rejected. Here we can see how SYN flood attacks work.
Discard: If the flag in this segment is RST or Ack, or the SYN flag is absent, the segment is discarded. And release the corresponding memory.
Send Sequence variable
SND. Una: sending unconfirmed
SND. NXT: send the next
SND. WND: sending window
SND. Up: sending priority pointer
SND. wl1: Segment serial number used for last window update
SND. wl2: The validation number for the last window update
ISS: initial sending serial number
Receiving serial number
RCV. NXT: receives the next
RCV. WND: receives the next
RCV. Up: receive priority pointer
IRS: initial receiving serial number
Current segment variable
Seg. seq: Segment serial number
Seg. Ack: Segment validation mark
Seg. Len: Segment Length
Seg. WND: Segment window
Seg. Up: Segment emergency pointer
Seg. PRC: Segment priority
Closed indicates that no connection exists. The meaning of each status is as follows:
Listen: listens for connection requests from remote TCP ports.
SYN-SENT: wait for a matched connection request after a connection request is sent.
SYN-RECEIVED: wait for confirmation of the connection request after receiving and sending a connection request.
Established: indicates an opened connection. data can be transmitted to users.
Fin-wait-1: Wait for the connection interruption request of remote TCP or the confirmation of the previous connection interruption request.
Fin-wait-2: waits for connection interruption requests from remote TCP.
Close-Wait: Wait for the connection interruption request from the local user.
Closing: Wait for the remote TCP to confirm the connection interruption.
LAST-ACK: waiting for confirmation of the connection interruption request originally sent to remote TCP.
Time-Wait: Wait for enough time to confirm that the remote TCP receives the connection interruption request.
Closed: No connection status.
The TCP connection process is a state conversion, prompting the user to call open, send, receive, close, abort, and status to convert the status. The transmitted data segments, especially those marked as SYN, ack, RST, and fin. There is also timeout. The TCP status changes as mentioned above.
Serial number
Note that all the bytes sent in the TCP connection have a serial number. Because the numbers are encoded, you can confirm that they are received. The validation of serial numbers is cumulative. The sequence numbers that must be compared over TCP include:
① Determine the serial numbers sent but unconfirmed.
② It is determined that all serial numbers have been received.
③ Determine the serial number to be included in the next segment.
For TCP to receive and confirm the sent data, the following operations must be performed:
SND. Una = the old confirmed serial number.
SND. NXT = the next serial number to be sent.
Seg. ACK = receives TCP validation and the next serial number that TCP expects.
Seg. seq = the first serial number of a data segment.
Seg. Len = the number of bytes included in the data segment.
Seg. seq + SEG.LEN-1 = The Last serial number of the Data Segment.
If the serial number of a data segment is smaller than or equal to the value of the confirmation number, the entire data segment is confirmed. When receiving data, the comparison operation is required:
RCV. NXT = the expected serial number and the lowest edge of the receiving window.
RCV. NXT + RCV. WND: 1 = The Last serial number and the highest edge of the receiving window.
Seg. seq = the first serial number received.
Seg. seq + Seg. Len: 1 = The Last serial number received.
Article entry: CSH responsible editor: CSH
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
