The Internet protocols hide the details of the underlying network hardware so that heterogeneous networks can communicate with each other. The TCP/IP protocol suite is currently the most widely used family of internetworking protocols, but it has a number of security weaknesses, and these give attackers the opportunity to attack the network.
Because a large number of important applications use TCP as their transport-layer protocol, security weaknesses in TCP have serious consequences for the network.
1. TCP state transition diagram and timers
The TCP state transition diagram governs the initialization, establishment, and termination of a connection. It consists of the defined states and the transition arcs between them. The state transition diagram is closely tied to TCP's timers: different timers govern connection establishment and termination, flow control, and data transmission. The main timers and their functions are as follows:
● Connection-establishment timer: started when a SYN is sent during connection establishment. If no response is received within 75 seconds, the connection attempt is abandoned.
● FIN-WAIT-2 timer: when the connection moves from FIN-WAIT-1 to FIN-WAIT-2, a FIN-WAIT-2 timer is set to 10 minutes. If no FIN segment has been received from the peer when it expires, the timer is restarted with 75 seconds; if there is still no FIN in that period, the connection is abandoned.
● TIME-WAIT timer: started when the connection enters the TIME-WAIT state. When it expires, the kernel data structures associated with the connection are released and the connection is gone.
● Keepalive timer: used to detect whether the other end of the connection is still alive. It is active only if the SO_KEEPALIVE socket option has been set and only while the connection is in the ESTABLISHED or CLOSE-WAIT state.
Next we focus on the network security problems that arise from the TCP state transition diagram and its timers.
2. Network intrusion
2.1 IP address spoofing
An intruder sends packets with a forged source IP address to an application that authenticates its clients by IP address. The result is that an unauthorized remote user gains access to a host system that is protected by a firewall.
Assume there are two hosts A and B, and a host X controlled by the intruder. Assume further that B grants certain privileges to A, so that A can perform certain operations on B. X's goal is to obtain the same rights on B that A has. To achieve this, X must do two things: first, establish a forged connection with B; second, prevent A from reporting to B that something is wrong. Host X must impersonate A's IP address so that B believes the packets sent by X really come from A.
We also assume that communication between host A and host B follows the TCP/IP three-way handshake, which proceeds as follows:
A → B: SYN (sequence number = M)
B → A: SYN (sequence number = N), ACK (acknowledgement number = M + 1)
A → B: ACK (acknowledgement number = N + 1)
The steps by which host X forges A's address are as follows. First, X, posing as A, sends host B a SYN segment with a random sequence number. In response, host B sends a SYN+ACK segment to host A; its acknowledgement number equals the original sequence number plus one, and at the same time B generates its own sequence number and sends it in the same segment. To complete the three-way handshake, host X must send B an ACK whose acknowledgement number equals the sequence number B sent to A plus one. If host X is on a different subnet from hosts A and B, X cannot observe B's segment, so X can create the TCP connection only if it can work out B's sequence number. The exchange is:
X → B: SYN (sequence number = M), SRC = A
B → A: SYN (sequence number = N), ACK (acknowledgement number = M + 1)
X → B: ACK (acknowledgement number = N + 1), SRC = A
At the same time, host X must prevent host A from responding to B's segment. To do this, X can wait until host A is down for some reason, or jam the TCP implementation of A's operating system (for instance by filling its connection queue) so that it cannot respond to B.
Once host X has done this, it can send commands to host B, and B will execute them believing they came from the legitimate host A.
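The blind spoofing sequence above, as an added example in Python that is not part of the original article: host B, X's probing of B's sequence numbers, and the forged handshake are simulated in one process. It assumes an ISN generator that advances by a fixed step per connection (an assumption of this example; early BSD generators behaved much like this), the host names A, B and X from the text, and that A has already been silenced so it cannot reset B's unexpected SYN-ACK. The `randomized` option is also an assumption, added to show what a random ISN generator does to the attack.

```python
"""Blind TCP spoofing against a predictable ISN generator (simulation).

Added example, not code from the article. Host B trusts connections whose
source address is A and hands out initial sequence numbers (ISNs) from a
generator that advances by a fixed step per connection (assumed here).
X first opens real connections from its own address to learn the step,
then forges a SYN from A and sends the final ACK without ever seeing B's
SYN-ACK. Flags: S=SYN, A=ACK, R=RST.
"""
import secrets

SEQ_MOD = 2 ** 32


class HostB:
    """Server with IP-address-based trust and a choice of ISN generator."""

    def __init__(self, isn_start=1000, isn_step=64000, randomized=False,
                 trusted=("A",)):
        self.next_isn = isn_start
        self.isn_step = isn_step
        self.randomized = randomized      # assumption: random vs. fixed-step ISNs
        self.trusted = set(trusted)
        self.half_open = {}               # src -> ISN we sent it (SYN-RCVD)
        self.established = set()

    def _new_isn(self):
        if self.randomized:
            return secrets.randbelow(SEQ_MOD)
        isn = self.next_isn
        self.next_isn = (isn + self.isn_step) % SEQ_MOD
        return isn

    def on_syn(self, src, seq):
        """SYN in: pick an ISN, record the half-open connection, answer SYN-ACK."""
        isn = self._new_isn()
        self.half_open[src] = isn
        return {"flags": "SA", "seq": isn, "ack": (seq + 1) % SEQ_MOD, "dst": src}

    def on_ack(self, src, ack):
        """Final ACK: B checks only the source address and the ack number."""
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) % SEQ_MOD:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True

    def on_rst(self, src):
        self.half_open.pop(src, None)

    def trusted_session(self, src):
        return src in self.established and src in self.trusted


def probe_isn(b, attacker="X", probes=3):
    """SYN / SYN-ACK / RST from X's real address, repeated.

    Returns (last_isn, step): step is the common difference between
    consecutive ISNs, or None if the differences were not all equal.
    """
    isns = []
    for i in range(probes):
        synack = b.on_syn(attacker, seq=500 + i)   # X -> B: SYN
        isns.append(synack["seq"])                 # B -> X: SYN-ACK (X sees it)
        b.on_rst(attacker)                         # X -> B: RST, tear it down
    steps = {(isns[i + 1] - isns[i]) % SEQ_MOD for i in range(len(isns) - 1)}
    return isns[-1], (steps.pop() if len(steps) == 1 else None)


def blind_spoof(b, victim="A", attacker="X"):
    """Forge A's address, predict B's next ISN, ACK it blind.

    Returns True if B now holds a connection it believes is from A.
    A is assumed to be silenced, so B's SYN-ACK to A draws no RST.
    """
    last_isn, step = probe_isn(b, attacker)
    if step is None:
        return False                               # generator not predictable
    predicted = (last_isn + step) % SEQ_MOD
    b.on_syn(victim, seq=42)                       # X -> B: SYN, SRC = A
    # B -> A: SYN-ACK (seq = N) goes to A; X never sees it.
    # X -> B: ACK (ack = N + 1), SRC = A, with N guessed.
    return b.on_ack(victim, (predicted + 1) % SEQ_MOD) and b.trusted_session(victim)
```

The `randomized=True` case is why the attack depends on a predictable generator: when B's ISNs are drawn at random, the SYN/SYN-ACK/RST probes reveal no step, and X cannot produce the acknowledgement number for a SYN-ACK it never sees.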
2.2 TCP state transitions
In the intrusion described above, how does host X keep host A from sending a response to host B? It has to stop A's login port from answering the SYN-ACK that B sends to it. As mentioned above, TCP keeps a connection-establishment timer: if a connection cannot be established within the specified time (usually 75 seconds), TCP resets it. In the example above, then, A's login port has to be unable to respond for those 75 seconds.
We now examine the packet sequence exchanged between host X and host A. X sends A a segment with both the SYN and FIN flags set, and A responds with an ACK:
X → A: SYN, FIN (sequence number = M)
A → X: ACK (acknowledgement number = M + 1)
As shown in Figure 2, A is in the LISTEN state. When it receives X's segment it begins processing it. Note that the TCP specification does not clearly state how a segment with both SYN and FIN set should be handled. Suppose A first processes the SYN flag and moves to the SYN-RCVD state, then processes the FIN flag and moves to the CLOSE-WAIT state (had the previous state been ESTABLISHED, a FIN would indeed move it to CLOSE-WAIT). However, a transition from SYN-RCVD to CLOSE-WAIT is not defined in TCP. Such a transition nonetheless exists in several TCP implementations, among them SunOS 4.1.3, SVR4, and ULTRIX 4.3. In these implementations there is therefore a transition arc from SYN-RCVD to CLOSE-WAIT that the TCP specification does not define, as shown in Figure 2.
In the intrusion example above, the three-way handshake was never completed, so no TCP connection was actually established and the application never obtained a connection from the kernel. A's TCP, however, is in CLOSE-WAIT, a state it normally leaves by sending a FIN to X when the application closes. But this half-open connection sits in the socket's listen queue and belongs to no application process, so no process ever issues the close that would move the state machine on. A's TCP is therefore locked in CLOSE-WAIT. If the keepalive timer is enabled, TCP resets the connection and moves to CLOSED after 2 hours.
When a TCP receives an RST from its peer, it moves from the ESTABLISHED, FIN-WAIT-1, or FIN-WAIT-2 state to CLOSED. These transitions matter because they reset the TCP and tear down the connection. However, an arriving segment is checked only against the source IP address and the current receive window. An intruder can therefore pretend to be one end of an established connection and send the other end an RST segment with a suitable sequence number, and the connection is terminated.
The analysis above shows that several TCP implementations contain state transitions outside the specification, and that these cause serious security problems for the system.
2.3 Timer problems
As mentioned above, the connection-establishment timer is started when a connection attempt begins, that is, when the SYN is sent. If the connection cannot be established within the specified time, TCP returns to the CLOSED state.
Consider hosts A and X. Host A sends a SYN to host X and expects a SYN-ACK in return. Suppose host X wants to open a connection to host A at almost the same time and sends A a SYN. On receiving the other's SYN, A and X each send a SYN-ACK.
When each receives the other's SYN-ACK, it considers the connection established. In this article we assume that when a host receives the peer's SYN, the connection-establishment timer is stopped.
X → A: SYN (sequence number = M)
A → X: SYN (sequence number = N)
X → A: SYN (sequence number = M), ACK (acknowledgement number = N + 1)
A → X: SYN (sequence number = N), ACK (acknowledgement number = M + 1)
● Host X sends an FTP request to host A, and a TCP control connection is established between X and A. Host A then sends X a SYN to open a TCP connection for data transfer and moves to the SYN-SENT state.
● When X receives A's SYN, it replies with a bare SYN rather than a SYN-ACK.
● A treats this as a simultaneous open, answers with a SYN-ACK, and moves to SYN-RCVD. Host X receives the SYN-ACK but sends nothing back.
● Host A now expects a SYN-ACK from X. Since X never sends one, and the establishment timer was stopped when X's SYN arrived, A is locked in the SYN-RCVD state. X has thus blocked one of A's ports.
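The SYN+FIN transition of section 2.2, the RST teardown, and the simultaneous-open stall of section 2.3, as one added example in Python that is not part of the original article. The state machine is a reduced one: segments are represented by their flags only, sequence numbers are not modelled, and `strict` is a switch of this example that selects between the behaviour the specification defines and the behaviour the article attributes to the implementations it names.

```python
"""A minimal TCP connection state machine for the SYN+FIN behaviour of
section 2.2 and the simultaneous-open stall of section 2.3.

Added example, not code from the article. Flags: S=SYN, A=ACK, F=FIN,
R=RST. With strict=True the machine follows RFC 793: a segment arriving in
SYN-RCVD without ACK is dropped, so the FIN is never acted on. With
strict=False it models the implementations the article names, which
handle the SYN and then the FIN and so follow an arc
SYN-RCVD -> CLOSE-WAIT that the specification does not define. The
article's assumption that the establishment timer is stopped as soon as
the peer's SYN arrives is modelled in both modes. RST handling in states
other than ESTABLISHED and the FIN-WAIT states is not modelled.
"""


class Tcb:
    def __init__(self, strict=True):
        self.state = "CLOSED"
        self.strict = strict
        self.conn_timer_running = False  # connection-establishment timer
        self.sent = []                   # flags of the segments we emitted

    def passive_open(self):
        self.state = "LISTEN"

    def active_open(self):
        self.state = "SYN-SENT"
        self.conn_timer_running = True   # started when our SYN goes out
        self.sent.append("S")

    def receive(self, flags):
        """Process one incoming segment (a string of flags); return new state."""
        flags = set(flags)
        if "R" in flags:
            if self.state in ("ESTABLISHED", "FIN-WAIT-1", "FIN-WAIT-2"):
                self.state = "CLOSED"    # RST aborts the connection outright
            return self.state
        if self.state == "LISTEN" and "S" in flags:
            self.state = "SYN-RCVD"
            self.sent.append("SA")
            if "F" in flags and not self.strict:
                # Lenient stacks act on the FIN at once: the undefined arc.
                self.state = "CLOSE-WAIT"
                self.sent.append("A")
            return self.state
        if self.state == "SYN-SENT" and "S" in flags:
            self.conn_timer_running = False   # article's assumption (section 2.3)
            if "A" in flags:
                self.state = "ESTABLISHED"
                self.sent.append("A")
            else:
                # Simultaneous open: answer SYN-ACK and wait for the peer's.
                self.state = "SYN-RCVD"
                self.sent.append("SA")
            return self.state
        if self.state == "SYN-RCVD":
            if "A" not in flags:
                return self.state        # RFC 793: drop a segment without ACK
            self.state = "CLOSE-WAIT" if "F" in flags else "ESTABLISHED"
            if "F" in flags:
                self.sent.append("A")
            return self.state
        if self.state == "ESTABLISHED" and "F" in flags:
            self.state = "CLOSE-WAIT"
            self.sent.append("A")
        return self.state


def syn_fin_scenario(strict):
    """X -> A: SYN+FIN against a listening port. Returns A's resulting state."""
    a = Tcb(strict=strict)
    a.passive_open()
    return a.receive("SF")


def simultaneous_open_scenario():
    """A opens to X; X answers with a bare SYN and then says nothing more.

    Returns (A's state, whether the establishment timer still bounds the wait).
    """
    a = Tcb()
    a.active_open()                      # A -> X: SYN, timer started
    a.receive("S")                       # X -> A: SYN; A -> X: SYN-ACK
    return a.state, a.conn_timer_running # X never ACKs: A is stuck in SYN-RCVD


def rst_scenario():
    """An established connection is torn down by a single RST from the peer."""
    a = Tcb()
    a.active_open()
    a.receive("SA")                      # normal handshake completes
    return a.receive("R")
```

Run with `strict=False` the SYN+FIN segment leaves the machine in CLOSE-WAIT with no process that could close it, which is the stuck state the article describes; with `strict=True` the FIN is simply not acted upon and the half-open connection remains one the establishment timer can still reclaim.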
3. Observing network intrusions with a network monitor
We installed a network monitor on the LAN to observe the packets crossing the network and to determine whether an intrusion was taking place. Next we discuss the packet sequences a network monitor can observe during the intrusions described above.
3.1 IP address spoofing
Initially the monitor sees a large number of TCP SYN segments from some host to host A's login port, and A returns the corresponding SYN-ACKs. These SYNs are intended to create a large number of half-open TCP connections with A and so fill up the connection queue of A's login port.
Then a large number of TCP SYN segments are sent from host X to host B, each answered by a SYN-ACK from B to X, which X in turn answers with an RST. This SYN/SYN-ACK/RST sequence lets the intruder learn the behaviour of B's TCP sequence number generator.
Finally host A sends a SYN to host B; in fact this is a forged segment sent by host X. On receiving it, B sends the corresponding SYN-ACK to A, and "A" then sends an ACK to B. Through these steps the intruding host establishes a one-way TCP connection with B.
3.2 Spurious state transitions
When the intruder tries to block a server port for a long time by moving it from SYN-RCVD into CLOSE-WAIT, the following packet sequence can be observed:
● Host X sends host B a TCP segment with both the SYN and FIN flags set.
● Host B first processes the SYN flag, generates a segment with the ACK flag set, and moves to SYN-RCVD; it then processes the FIN flag, moves to CLOSE-WAIT, and returns the ACK to X.
● Host X sends B nothing further. B's TCP stays fixed in CLOSE-WAIT until the keepalive timer, if enabled, resets the connection to CLOSED.
So if the network monitor sees a run of SYN-FIN/ACK segments, it can infer that the intruder is blocking a port on host B.
3.3 Timer problems
If an intruder tries to disable the connection-establishment timer without establishing a connection, the following packet sequence can be observed:
● Host X receives a TCP SYN from host B.
● Host X returns a bare SYN to host B.
● Host X never sends host B an ACK. As a result B is stuck in the SYN-RCVD state and cannot respond to connection requests from other clients.
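The monitor-side view of sections 3.1 to 3.3, as an added example in Python that is not the article's monitor: it groups a capture into connections and flags the four patterns described above (SYN flooding of a port, SYN/SYN-ACK/RST probing, SYN+FIN segments, and a simultaneous open the peer never completes). The line format, the addresses (A=10.0.0.1, B=10.0.0.2, X=10.0.0.9, flood sources 10.0.0.5x standing in for forged addresses), the thresholds and the finding names are all constructed for this example.

```python
"""Detectors for the packet sequences of section 3, run over a constructed
capture. Added example, not the article's monitor; the log format,
addresses, thresholds and finding names are made up for the demonstration.

Each line is "<n> <src>:<sport> > <dst>:<dport> <flags>" with flags drawn
from S (SYN), A (ACK), F (FIN), R (RST).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\d+\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+([SAFR]+)$")


def parse(lines):
    """Return [(src_endpoint, dst_endpoint, flagset)], skipping bad lines."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            src, sp, dst, dp, flags = m.groups()
            pkts.append(((src, int(sp)), (dst, int(dp)), set(flags)))
    return pkts


def flows(pkts):
    """Group segments per connection; the first SYN's sender is the client."""
    out = {}
    for src, dst, flags in pkts:
        if (src, dst) in out:
            key = (src, dst)
        elif (dst, src) in out:
            key = (dst, src)
        elif "S" in flags:
            key = (src, dst)
            out[key] = []
        else:
            continue              # mid-connection traffic whose start we missed
        out[key].append(("c" if src == key[0] else "s", flags))
    return out


def detect(lines, flood_threshold=5, probe_threshold=3):
    """Return a set of (finding, offender_host, target) tuples.

    target is a (host, port) endpoint for syn-fin and syn-flood, a host
    for isn-probe and stalled-simultaneous-open.
    """
    findings = set()
    half_open = defaultdict(int)  # server endpoint -> handshakes left hanging
    probes = defaultdict(int)     # (client host, server host) -> SYN/SYN-ACK/RST
    for (client, server), segs in flows(parse(lines)).items():
        c = [f for d, f in segs if d == "c"]
        s = [f for d, f in segs if d == "s"]
        if any({"S", "F"} <= f for f in c):
            findings.add(("syn-fin", client[0], server))            # section 3.2
        synacked = any({"S", "A"} <= f for f in s)
        if synacked and not any("A" in f for f in c):
            if any("R" in f for f in c):
                probes[(client[0], server[0])] += 1                  # 3.1, ISN probing
            else:
                half_open[server] += 1                               # 3.1, queue filling
        bare_syn_back = any("S" in f and "A" not in f for f in s)
        if bare_syn_back and not any("A" in f for f in s):
            findings.add(("stalled-simultaneous-open", server[0], client[0]))  # 3.3
    for ep, n in half_open.items():
        if n >= flood_threshold:
            findings.add(("syn-flood", None, ep))
    for (src, dst), n in probes.items():
        if n >= probe_threshold:
            findings.add(("isn-probe", src, dst))
    return findings


# Constructed capture covering all four patterns.
CAPTURE = (
    [f"{i} 10.0.0.5{i}:4000 > 10.0.0.1:513 S" for i in range(6)]          # flood A:513
    + [f"{10 + i} 10.0.0.1:513 > 10.0.0.5{i}:4000 SA" for i in range(6)]
    + [f"{20 + i} 10.0.0.9:500{i} > 10.0.0.2:513 S" for i in range(3)]    # X probes B
    + [f"{30 + i} 10.0.0.2:513 > 10.0.0.9:500{i} SA" for i in range(3)]
    + [f"{40 + i} 10.0.0.9:500{i} > 10.0.0.2:513 R" for i in range(3)]
    + ["50 10.0.0.1:1023 > 10.0.0.2:513 S",      # "A" -> B (really X)
       "51 10.0.0.2:513 > 10.0.0.1:1023 SA",
       "52 10.0.0.1:1023 > 10.0.0.2:513 A",      # completes: looks legitimate
       "60 10.0.0.9:6000 > 10.0.0.2:21 SF",      # SYN+FIN against B
       "61 10.0.0.2:21 > 10.0.0.9:6000 A",
       "70 10.0.0.2:20 > 10.0.0.9:7000 S",       # B opens a data connection to X
       "71 10.0.0.9:7000 > 10.0.0.2:20 S",       # X answers with a bare SYN
       "72 10.0.0.2:20 > 10.0.0.9:7000 SA"]      # B now waits in SYN-RCVD
)

if __name__ == "__main__":
    for finding in sorted(detect(CAPTURE), key=str):
        print(finding)
```

Note what the monitor cannot see: the forged handshake itself (lines 50 to 52 of the capture) completes normally and raises nothing, which is why the article relies on the preceding flood and probe patterns as the tell-tale evidence.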
4. Summary
At present there is no simple way to prevent IP address spoofing and the intrusions that exploit it.