TCP Three-Way Handshake and Its Principle

Source: Internet
Author: User

TCP/IP is not a single protocol but a suite of many protocols. One of them is TCP, the Transmission Control Protocol, a reliable host-to-host transport protocol. TCP sits at the transport layer (the fourth layer of the OSI reference model) and is one of the basic protocols of the TCP/IP suite. (The name TCP is used both for the suite as a whole and for the transport protocol; the two meanings are different.) TCP is a reliable, connection-oriented transport service: it transmits data in segments, and two hosts must establish a session before they can exchange data. It treats the data as an unstructured byte stream, and it obtains reliability by numbering what it transmits with sequence numbers. TCP relies on the internetworking function of IP: IP puts packets on the network, and TCP is responsible for making sure they arrive. On top of IP, TCP handles the handshake, segment management, flow control, error detection and recovery, and it uses the sequence numbers to put segments that arrive out of order back into the correct order. The RFC documents covering TCP include RFC 793, RFC 791, and RFC 1700.

Every TCP session begins with the so-called three-way handshake. It establishes a virtual connection and lets both ends track how much data is sent each time, synchronize the sending and receiving of segments, decide how data is acknowledged based on the amount received, and agree on how the connection is torn down once the data has been exchanged. To provide reliable transmission, TCP numbers the packets it sends in a specific order and waits for the target machine to acknowledge them before sending new data. TCP is typically used to send large volumes of data, and when an application sends data over TCP, TCP also acknowledges the data it receives. Because TCP must track timing, this adds overhead and makes the TCP header somewhat complex. Next, let us look at a typical TCP case: what later became known as the Mitnick attack. Kevin Mitnick used two attack techniques:

TCP session hijacking
SYN flood (synchronization flood)

TCP session hijacking is discussed here.

Let us first review the basic process of establishing a TCP connection. As a small model environment, assume three machines connected to the Internet: A is the attacker, B is an intermediary springboard machine (a trusted server), and C is the victim's machine (usually a server). Here machine C is the target. Machine A sends a SYN packet to machine B to request a connection. Machine B accepts the request and answers A with SYN/ACK, indicating that it agrees to establish the connection. When A receives the SYN/ACK from B, it sends back an ACK, and the network connection between A and B is established. In this way a TCP communication channel between the two machines is set up.

Machine B, the trusted server, has a trust relationship with machine C and accepts TCP connections from it. Attacker A first sends SYN packets to machine C so that C is unable to respond to B. At the same time, A sends B a forged SYN packet that carries C's address as its source. B, which trusts C, answers with a SYN/ACK to continue establishing the connection. C is busy responding to the SYN packets it received earlier and has no time to respond to B. Attacker A predicts the sequence number of B's reply (with current TCP stacks the sequence number is much harder to predict) and, again forging C's address, sends B the final ACK. Having tricked B into trusting it, A now holds a TCP session with B as the counterfeit C, while C is still busy responding to the SYN packets sent by A.

Weakness of the TCP protocol stack: a TCP connection consumes resources, including packet buffers, connection state, and sequence numbers. By deliberately never completing the three-way handshake required to establish a connection, an attacker can exhaust the resources of the other party.

The attacker intentionally never completes the three-way handshake required to establish the connection, which exhausts the resources of machine C. The second weakness is the predictability of the sequence number: the sequence number in the SYN/ACK that the target host returns in response to a connection request can be predicted. (For details on the early TCP protocol stack, refer to RFC 793, the original TCP specification published in 1981.)

TCP Header Structure

The TCP header is at least 20 bytes long and contains the following fields:

Source port: the 16-bit source port identifies the port from which the communication originates. The source port together with the source IP address form the return address.

Destination port: the 16-bit destination port field identifies the destination of the transmission, that is, the application interface on the receiving computer.

Sequence number: the 32-bit sequence number is used by the receiving computer to reassemble segments into their original order. When the SYN flag is set, the sequence number is the initial sequence number (ISN), and the first data byte is numbered ISN + 1. The sequence number also lets the receiver detect inconsistencies introduced during transmission.

Acknowledgment number: a 32-bit number, likewise used by the receiver to reassemble segments. If the ACK control bit is set, this field holds the sequence number that the sender of the segment expects to receive next.

Data offset (header length, hlen): the size of the TCP header, which tells the receiver where the data begins.

Reserved: 6 bits that must be 0, reserved for future use.

Code bits (flags): a 6-bit flag field holding the urgent flag, the acknowledgment-valid flag, push, reset connection, synchronize sequence numbers, and finished sending data. In order: URG, ACK, PSH, RST, SYN, and FIN.

Window: 16 bits indicating how much data the receiver is prepared to accept.

Checksum: a 16-bit checksum over the TCP header and data. The source machine computes a value from the contents, and the receiving machine must obtain the same result for the segment to be considered valid.

Urgent pointer: 16 bits pointing to the byte that follows the urgent data; it is valid only when the URG flag is set. If URG is not set, the field is ignored. It speeds up the processing of segments marked as urgent.

Options: variable length, but always a whole number of bytes. If there are no options, this one-byte field is 0.

Padding: variable length, and its content must be zeros. It exists purely for alignment: it guarantees that the header ends, and the data begins, on a 32-bit boundary. In other words, zeros are appended so that the TCP header is an integer multiple of 32 bits.
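To make the layout above concrete, here is an added Python example (not part of the original article) that parses the fixed 20-byte header, decodes the six flag bits in the order listed, and computes the checksum over the IPv4 pseudo-header; the addresses, ports and sequence number used are constructed sample values.

```python
import struct

FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # bit 5 down to bit 0 of the flags byte

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """The TCP checksum also covers an IPv4 pseudo-header (addresses, protocol 6, length).
    Over a received segment with its checksum field intact, the result is 0 when it is valid."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header; options follow when the data offset exceeds 5 words."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4                        # header length in bytes
    reserved = ((off_res & 0x0F) << 2) | (flags >> 6)       # the six reserved bits, must be 0
    set_flags = [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << (5 - i))]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "reserved": reserved, "flags": set_flags,
            "window": window, "checksum": csum, "urgent_pointer": urg,
            "options": segment[20:data_offset], "payload": segment[data_offset:]}

def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, isn: int) -> bytes:
    """Constructed sample: a SYN segment with no options, data offset 5, and a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]
```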

Flag Control Function

URG: urgent flag

The urgent pointer field is valid; the segment carries urgent data.

ACK: acknowledgment flag

The acknowledgment number field is valid. In most segments this flag is set. The acknowledgment number carried in the header (W + 1 in Figure 1) is the next sequence number expected, and it indicates that the remote system has successfully received all data up to that point.

PSH: push flag

When this flag is set, the receiver does not hold the data in a queue but passes it to the application as soon as possible. This flag is always set in interactive sessions such as telnet and rlogin.

RST: reset flag

The reset flag is valid; it resets the corresponding TCP connection.

SYN: synchronize flag

The sequence number field holds an initial sequence number. This flag is set only during the three-way handshake that establishes a TCP connection: in the server's SYN/ACK it carries the server's initial sequence number, and in the client's SYN it carries the client's initial sequence number. The TCP sequence number can be regarded as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte exchanged over a TCP connection has a sequence number, and the sequence number field in the TCP header contains the sequence number of the first byte in the segment.

FIN: finish flag

A segment with this flag ends a TCP session, but the corresponding port remains open and ready to receive subsequent data.

The server is listening. The IP packet that the client sends to request a connection is reassembled by the TCP/IP protocol stack into a segment, which TCP processes as follows.

Parse the header: the TCP layer receives the TCP/IP header and stores its information in memory.

Check the TCP checksum: the standard checksum is located in the segment (Figure 2). If verification fails, no acknowledgment is returned; the segment is discarded and will be retransmitted by the client.

Find the protocol control block (PCB {}): TCP looks up the protocol control block associated with the connection. If none is found, TCP discards the segment and returns an RST (this is how TCP handles a port with no listener). If the protocol control block exists but its state is CLOSED, the server has not called connect() or listen(); the segment is discarded, but no RST is returned, and the client retries the connection request.

Create a new socket: when a socket in the LISTEN state receives this segment, a child socket is created, along with its socket {}, tcpcb {} and inpcb {} structures. If an error occurs, the socket is removed, its memory is released via the flag, and the TCP connection fails. If the backlog queue is full, TCP treats this as an error and rejects all subsequent connection requests. This is where the SYN flood attack takes effect.

Discard: if the segment carries the RST or ACK flag, or lacks the SYN flag, it is discarded and its memory released.

Send sequence variables

SND.UNA: send unacknowledged

SND.NXT: send next

SND.WND: send window

SND.UP: send urgent pointer

SND.WL1: segment sequence number used for the last window update

SND.WL2: segment acknowledgment number used for the last window update

ISS: initial send sequence number

Receive sequence variables

RCV.NXT: receive next

RCV.WND: receive window

RCV.UP: receive urgent pointer

IRS: initial receive sequence number

Current segment variables

SEG.SEQ: segment sequence number

SEG.ACK: segment acknowledgment number

SEG.LEN: segment length

SEG.WND: segment window

SEG.UP: segment urgent pointer

SEG.PRC: segment precedence

CLOSED represents the absence of a connection. The meaning of each state is as follows:

LISTEN: waiting for a connection request from any remote TCP port.

SYN-SENT: waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED: waiting for confirmation of the connection request after having both received and sent a connection request.

ESTABLISHED: an open connection; data can be delivered to the user.

FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for acknowledgment of the termination request previously sent.

FIN-WAIT-2: waiting for a connection termination request from the remote TCP.

CLOSE-WAIT: waiting for a connection termination request from the local user.

CLOSING: waiting for the remote TCP to acknowledge the connection termination request.

LAST-ACK: waiting for acknowledgment of the connection termination request previously sent to the remote TCP.

TIME-WAIT: waiting long enough to be sure that the remote TCP received the acknowledgment of its connection termination request.

CLOSED: no connection.

A TCP connection progresses through a sequence of state transitions. Transitions are triggered by user calls (open, send, receive, close, abort, and status), by incoming segments (especially those carrying the SYN, ACK, RST, or FIN flags), and by timeouts. The resulting TCP states are the ones listed above.
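The following Python model is added here and is not part of the original article: it walks two endpoints through LISTEN, SYN-SENT, SYN-RECEIVED and ESTABLISHED and shows why each side checks that the ACK it receives equals its own ISN + 1. The Endpoint and Segment classes are my own simplification of RFC 793, and the ISNs are drawn from the operating system's random source.

```python
from dataclasses import dataclass
import secrets

MASK = 0xFFFFFFFF
SYN, ACK, RST = "SYN", "ACK", "RST"

@dataclass
class Segment:
    seq: int
    ack: int
    flags: frozenset

@dataclass
class Endpoint:
    """One end of a connection, holding the send/receive variables listed above."""
    name: str
    state: str = "CLOSED"
    iss: int = 0       # initial send sequence number
    snd_nxt: int = 0
    irs: int = 0       # initial receive sequence number
    rcv_nxt: int = 0

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Active open: CLOSED -> SYN-SENT, sending a SYN that carries an unpredictable ISN."""
        self.iss = secrets.randbits(32)
        self.snd_nxt = (self.iss + 1) & MASK
        self.state = "SYN-SENT"
        return Segment(self.iss, 0, frozenset({SYN}))

    def receive(self, seg: Segment):
        """Process one handshake segment; return the reply, or None when nothing is sent."""
        if self.state == "LISTEN" and seg.flags == {SYN}:
            self.irs, self.rcv_nxt = seg.seq, (seg.seq + 1) & MASK
            self.iss = secrets.randbits(32)
            self.snd_nxt = (self.iss + 1) & MASK
            self.state = "SYN-RECEIVED"          # half-open: state is now allocated for this peer
            return Segment(self.iss, self.rcv_nxt, frozenset({SYN, ACK}))
        if self.state == "SYN-SENT" and seg.flags == {SYN, ACK}:
            if seg.ack != self.snd_nxt:         # must acknowledge ISS + 1
                return Segment(seg.ack, 0, frozenset({RST}))
            self.irs, self.rcv_nxt = seg.seq, (seg.seq + 1) & MASK
            self.state = "ESTABLISHED"
            return Segment(self.snd_nxt, self.rcv_nxt, frozenset({ACK}))
        if self.state == "SYN-RECEIVED" and seg.flags == {ACK}:
            if seg.ack != self.snd_nxt:         # an ACK that misses ISS + 1 is rejected
                return Segment(seg.ack, 0, frozenset({RST}))
            self.state = "ESTABLISHED"
        return None

def handshake(client: Endpoint, server: Endpoint) -> tuple:
    """Run the three-way exchange and return both final states."""
    server.listen()
    syn_ack = server.receive(client.connect())
    server.receive(client.receive(syn_ack))
    return client.state, server.state
```

The last branch is the check that the hijacking described earlier had to beat: a third party can only complete the server's handshake if it knows, or guesses, the server's ISN.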

Sequence numbers

Note that every byte sent over a TCP connection has a sequence number. Because the bytes are numbered, their receipt can be acknowledged, and acknowledgment of sequence numbers is cumulative. The sequence-number comparisons that TCP must perform are:

① determining which sequence numbers have been sent but not yet acknowledged;

② determining which sequence numbers have all been received;

③ determining the sequence number to be used in the next segment.

For TCP to send data and receive its acknowledgment, the following variables are used:

SND.UNA = the oldest unacknowledged sequence number.

SND.NXT = the next sequence number to be sent.

SEG.ACK = the acknowledgment from the receiving TCP, that is, the next sequence number the receiving TCP expects.

SEG.SEQ = the first sequence number of a segment.

SEG.LEN = the number of bytes contained in the segment.

SEG.SEQ + SEG.LEN - 1 = the last sequence number of the segment.

If the last sequence number of a segment is less than or equal to the acknowledgment number, the entire segment has been acknowledged. When receiving data, the following comparisons are needed:

RCV.NXT = the next expected sequence number, the lower edge of the receive window.

RCV.NXT + RCV.WND - 1 = the last sequence number that can be accepted, the upper edge of the receive window.

SEG.SEQ = the first sequence number received.

SEG.SEQ + SEG.LEN - 1 = the last sequence number received.
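An added Python implementation (not from the article) of the comparisons above, using the RFC 793 variable names: modular 32-bit comparison so the counter wraps correctly, the four acceptability cases for an incoming segment against the receive window, the acknowledgment check against SND.UNA and SND.NXT, and the check that a queued segment is fully acknowledged.

```python
MASK = 0xFFFFFFFF          # sequence numbers form a 32-bit counter, 0 .. 4,294,967,295

def seq_lt(a: int, b: int) -> bool:
    """a < b in modular 32-bit arithmetic, so the comparison survives counter wrap-around."""
    d = (b - a) & MASK
    return d != 0 and d < 0x80000000

def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)

def in_window(x: int, lo: int, size: int) -> bool:
    """lo <= x < lo + size, modulo 2**32."""
    return ((x - lo) & MASK) < size

def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 acceptability test of an incoming segment against the receive window
    [RCV.NXT, RCV.NXT + RCV.WND - 1]; a receiver discards segments that fall outside it."""
    if seg_len == 0:
        if rcv_wnd == 0:
            return seg_seq == rcv_nxt
        return in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False                      # window closed: no data can be accepted
    last = (seg_seq + seg_len - 1) & MASK
    return in_window(seg_seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)

def ack_acceptable(snd_una: int, snd_nxt: int, seg_ack: int) -> bool:
    """SND.UNA < SEG.ACK <= SND.NXT: the ACK refers to data sent but not yet acknowledged."""
    return seq_lt(snd_una, seg_ack) and seq_le(seg_ack, snd_nxt)

def fully_acknowledged(seg_seq: int, seg_len: int, seg_ack: int) -> bool:
    """A queued segment is fully acknowledged when its last byte, SEG.SEQ + SEG.LEN - 1,
    lies below SEG.ACK, i.e. SEG.SEQ + SEG.LEN <= SEG.ACK."""
    return seq_le((seg_seq + seg_len) & MASK, seg_ack)
```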
