Transport Layer Protocol (TCP/UDP) connection state transitions

Source: Internet
Author: User
Tags: connection reset

How does TCP perform the three-way handshake?

The sender sends a packet with SYN = 1, ACK = 0 to the receiver to request a connection. This is the first handshake. If the receiver gets the request and allows the connection, it sends a packet with SYN = 1, ACK = 1 back to the sender, telling the sender that it can communicate and asking the sender to send a confirmation packet. This is the second handshake. Finally, the sender sends a packet with SYN = 0, ACK = 1 to the receiver to confirm the connection. This is the third handshake. The TCP connection is then established and communication starts.

 

* SYN: synchronization flag

The Synchronize Sequence Numbers field is valid. This flag is set only during the three-way handshake that establishes a TCP connection. It prompts the TCP server to check the sequence number of the end that initiated the connection (usually the client). The TCP sequence number can be regarded as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte of data exchanged over a TCP connection has a sequence number, and the sequence number field in the TCP header holds the sequence number of the first byte in that TCP segment.

 

* ACK: acknowledgement flag

The Acknowledgement Number field is valid. In most cases this flag is set. The acknowledgement number (w + 1 in Figure-1) carried in the acknowledgement number field of the TCP header is the next expected sequence number, and it indicates that the remote system has successfully received all data up to that point.

 

* RST: reset flag

The reset flag is set. It is used to reset the corresponding TCP connection.

 

* URG: urgent flag

The urgent pointer field is valid; the urgent flag is set.

 

* PSH: push flag

When this flag is set, the receiving end does not queue the data but passes it to the application as soon as possible. This flag is always.

 

* FIN: finish flag

A packet carrying this flag is used to end a TCP session, but the corresponding port remains open, ready to receive subsequent data.

 

============================================================================

 

Three-way Handshake

A virtual connection is established through a three-way handshake.

 

1. (B) --> [SYN] --> (A)

Assume that server A communicates with client B. When B wants to communicate with A, B first sends a SYN (Synchronize) packet to A, asking A to establish a connection.

Note: a SYN packet is a TCP packet with only the SYN flag set to 1 (see the TCP header reference). It is very important to realize this: a connection can only be established when A receives a SYN packet from B. There is no other way. Therefore, if your firewall discards all SYN packets arriving on the Internet interface, no external host can establish a connection.

2. (B) <-- [SYN/ACK] <-- (A)

Then, after receiving the SYN packet, A sends a confirmation packet (SYN/ACK) back to acknowledge the first SYN packet and continue the handshake.

Note: a SYN/ACK packet is a packet with only the SYN and ACK flags set to 1.

3. (B) --> [ACK] --> (A)

B receives the SYN/ACK packet and sends a confirmation packet (ACK), notifying A that the connection has been established. At this point the three-way handshake is complete and a TCP connection is established.

Note: an ACK packet is a TCP packet with only the ACK flag set to 1. Note that once the three-way handshake is complete and the connection is established, every packet of the TCP connection has the ACK bit set.

This is why connection tracking is so important. Without connection tracking, a firewall cannot determine whether a received ACK packet belongs to an established connection. An ordinary packet filter (ipchains) passes any ACK packet it receives (which is definitely not a good idea). A stateful firewall, on receiving such a packet, first looks in its connection table to see whether it belongs to an established connection; if it does not, the packet is discarded.
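The stateful check just described, as an added example that is not part of the original post: a minimal connection tracker keyed by endpoint pair that only accepts ACK-bearing packets for flows that completed the SYN, SYN/ACK, ACK sequence. Packets are constructed tuples, and the endpoint names "A", "B" and "C" are assumptions.

```python
from collections import namedtuple

# Constructed packet model: src/dst are endpoint names, flags is the set of
# TCP flag names set in the header.
Packet = namedtuple("Packet", "src dst flags")

SYN_SENT, SYN_RECV, ESTABLISHED = "SYN_SENT", "SYN_RECV", "ESTABLISHED"


class ConnTracker:
    """Minimal stateful filter: a flow is keyed by its unordered endpoint pair
    and must pass SYN, SYN/ACK, ACK in order before ACK-bearing packets are
    accepted. A stateless filter would pass any ACK packet."""

    def __init__(self):
        self.table = {}  # flow key -> (state, initiator)

    @staticmethod
    def key(pkt):
        return frozenset((pkt.src, pkt.dst))

    def process(self, pkt):
        """Return 'ACCEPT' or 'DROP' for pkt and update the flow table."""
        k = self.key(pkt)
        state, initiator = self.table.get(k, (None, None))

        if pkt.flags == {"SYN"} and state is None:
            # First handshake: a bare SYN opens a new tracked flow.
            self.table[k] = (SYN_SENT, pkt.src)
            return "ACCEPT"
        if pkt.flags == {"SYN", "ACK"} and state == SYN_SENT and pkt.dst == initiator:
            # Second handshake: the SYN/ACK must come back from the responder.
            self.table[k] = (SYN_RECV, initiator)
            return "ACCEPT"
        if pkt.flags == {"ACK"} and state == SYN_RECV and pkt.src == initiator:
            # Third handshake: the initiator's ACK completes the connection.
            self.table[k] = (ESTABLISHED, initiator)
            return "ACCEPT"
        if "ACK" in pkt.flags and state == ESTABLISHED:
            # Every later packet of the connection carries ACK; it is accepted
            # only because the flow is already in the table.
            return "ACCEPT"
        # Anything else, including an ACK for a flow never seen, is dropped.
        return "DROP"
```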

 

Four-way handshake

A four-way handshake is used to close an established TCP connection.

1. (B) --> ACK/FIN --> (A)

2. (B) <-- ACK <-- (A)

3. (B) <-- ACK/FIN <-- (A)

4. (B) --> ACK --> (A)

Note: because a TCP connection is bidirectional, closing it requires closing both directions. The ACK/FIN packet (ACK and FIN both set to 1) is usually regarded as the FIN (final) packet. However, because the connection is not yet closed when a FIN packet is sent, a FIN packet always carries the ACK flag. A FIN packet without the ACK flag is not a legitimate packet and is generally regarded as malicious.

 

Resetting a connection

The four-way handshake is not the only way to close a TCP connection. Sometimes, if a host needs to close the connection as quickly as possible (or the connection times out, or the port or host is unreachable), an RST (Reset) packet is sent. Note that because the RST packet is not a required part of a TCP connection, a bare RST packet (without the ACK flag) may be sent. In a normal TCP connection, however, the RST packet can carry the ACK flag.

Note that an RST packet is not acknowledged by the other party.

 

Invalid TCP flags

So far you have seen the SYN, ACK, FIN and RST flags. In addition there are the PSH (Push) and URG (Urgent) flags.

The most common illegal combination is the SYN/FIN packet. Note: because a SYN packet is used to initiate a connection, it can never appear together with the FIN or RST flag. Such a packet is a malicious attack.

Most firewalls now recognise SYN/FIN packets, as well as other combinations such as SYN/FIN/PSH, SYN/FIN/RST and SYN/FIN/RST/PSH. Obviously, when such packets appear on the network, your network is under attack.

Other known illegal packets include FIN without the ACK flag and NULL packets. As discussed earlier, because ACK/FIN packets are generated to close a TCP connection, a normal FIN packet always carries the ACK flag. A "NULL" packet is a packet without any TCP flag set (URG, ACK, PSH, RST, SYN and FIN are all 0).

In normal network activity, a TCP protocol stack cannot generate a TCP packet with any of the flag combinations above. When you see such abnormal packets, someone who is interested in your network is not being friendly.
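The illegal-combination rules above, as an added example that is not part of the original post: a parser that reads the flag byte from a raw 20-byte TCP header and labels the combination. The header builder and its port and window values are constructed sample data.

```python
import struct

# TCP flag bits in the low six bits of header byte 13.
FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_header(flags, sport=40000, dport=80, seq=0, ack=0):
    """Constructed sample: a 20-byte TCP header (data offset 5, no options)."""
    flag_byte = sum(FLAGS[name] for name in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flag_byte, 65535, 0, 0)


def parse_flags(tcp_header):
    """Return the set of flag names set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    # Fields: src port, dst port, seq, ack, data-offset byte, flags byte
    _, _, _, _, _, flag_byte = struct.unpack("!HHIIBB", tcp_header[:14])
    return {name for name, bit in FLAGS.items() if flag_byte & bit}


def classify(flags):
    """Label a flag combination using the rules given in the text above."""
    if not flags:
        return "illegal: NULL packet (no flags)"
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "illegal: SYN combined with FIN or RST"
    if "ACK" not in flags and "RST" not in flags and flags != {"SYN"}:
        # Only a bare SYN and an RST may lack ACK; a FIN without ACK is bogus.
        return "illegal: missing ACK"
    return "legal"


def classify_header(tcp_header):
    """Parse a raw TCP header and classify its flag combination."""
    return classify(parse_flags(tcp_header))
```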

 

UDP (User Datagram Protocol)

TCP is a connection-oriented protocol, while UDP is connectionless. UDP does not sequence or acknowledge receipt; handling of packet loss (or unexpected arrival) is done at the application layer.

Note: normally, when a UDP packet reaches a closed port, a UDP reset packet is returned. Because UDP is connectionless, there is no acknowledgement to confirm whether a packet has reached its destination correctly. Therefore, if your firewall discards UDP packets, all UDP ports will appear open (?).

Some packets on the Internet are discarded as a matter of course, and even some UDP packets sent to a closed (non-firewalled) port, which ought to return a UDP reset packet, never reach their destination.

For this reason, UDP port scanning is always inaccurate and unreliable.

Fragments of large UDP packets seem to be a common form of DoS (Denial of Service) attack (here is an example of a DoS attack: http://grc.com/dos/grcdos.htm).

 

ICMP (Internet Control Message Protocol)

As the name says, ICMP is used to transmit control information between hosts and routers. ICMP packets can carry diagnostic information (ping, traceroute; note that traceroute on current Unix systems uses UDP packets instead of ICMP packets), error messages (network/host/port unreachable), information requests (timestamp, address mask request, etc.) or control information (source quench, redirect, etc.).

You can find the list of ICMP types at http://www.iana.org/assignments/icmp-parameters.

Although ICMP is generally harmless, some types of ICMP messages should be discarded.

Redirect (5), Alternate Host Address (6) and Router Advertisement (9) can be used to redirect traffic.

Echo (8), Timestamp (13) and Address Mask Request (17) can be used to determine whether a host is up, its local time and its address mask respectively. Note that these are tied to the replies they trigger: they cannot be used directly, but the information they leak is useful to attackers.

ICMP messages are sometimes used as part of DoS attacks (for example, ping flood and the amusingly named ping of death).

 

A note about packet fragmentation

If a packet is larger than the maximum TCP segment size (MSS, Maximum Segment Size) or the MTU (Maximum Transmission Unit), the only way to deliver it to the destination is to split it into fragments. Because packet fragmentation is normal, it can be used for malicious attacks.

Because only the first fragment of a fragmented packet carries the packet header, a packet filter without fragment reassembly cannot inspect the remaining fragments. Typical attacks involve overlapping the packet data, in which the packet header is normal until it is overwritten with a different destination IP (or port), thereby bypassing firewall rules. Packet fragmentation can also be part of a DoS attack: it can crash older IP stacks or consume CPU capacity.

The connection tracking code in Netfilter/iptables automatically reassembles fragments. It still has weaknesses and may be vulnerable to connection saturation attacks, which consume CPU resources.

 

Handshake phase:

No.  Direction  SEQ    ACK
1    A -> B     10000  0
2    B -> A     20000  10000 + 1 = 10001
3    A -> B     10001  20000 + 1 = 20001

Explanation:

1: A sends a connection request to B and initialises its seq with a random number, assumed here to be 10000. At this point ACK = 0.

2: After B receives the request from A, it also initialises its seq with a random number, assumed to be 20000, meaning: I have received your request, and my data stream starts from this number. B's ACK is A's seq plus 1, that is, 10000 + 1 = 10001.

3: After A receives B's reply, its seq is the seq of its previous request plus 1, that is, 10000 + 1 = 10001, meaning: I have received your reply, and my data stream starts from this number. A's ACK is B's seq plus 1, that is, 20000 + 1 = 20001.

 

 

Data transmission phase:

No.  Direction  SEQ    ACK                        Size
23   A -> B     40000  70000                      1514
24   B -> A     70000  40000 + 1514 - 54 = 41460  54
25   A -> B     41460  70000 + 54 - 54 = 70000    1514
26   B -> A     70000  41460 + 1514 - 54 = 42920  54

Explanation:

23: B receives a packet from A with seq = 40000, ack = 70000 and size = 1514.

24: B then sends a packet to A, telling A that it has received A's last packet. B's seq is filled with the ACK of the packet it received, and B's ACK is the SEQ of the packet it received plus the size of that packet's data (excluding the Ethernet header, IP header and TCP header), confirming that all data sent by A has been received.

25: When A receives the packet from B whose ack is 41460, A sees that 41460 is exactly the seq of its last packet plus that packet's size, so the last packet it sent has arrived safely. It therefore sends another packet to B. The seq of this packet is again filled with the ACK of the packet it received, and its ACK is filled with the seq (70000) of the packet it received plus the data length of that packet, that is, ack = 70000 + 54 - 54 (the packet was all headers with no data).

In fact, during the handshake and the close, the acknowledgement number is the other party's sequence number plus 1, while during data transmission it is the other party's sequence number plus the length of the data carried at the application layer. Calculating the length from the Ethernet frame length is a detour.

In addition, if the other party sends no data, the acknowledgement number does not change, and the sequence number is the previous sequence number plus the length of the application-layer data sent.
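The two tables above, replayed as an added example that is not part of the original post: a small model of each side's next-to-send and next-expected counters that reproduces the handshake rows (ack = peer seq + 1) and the data-phase rows (ack = peer seq + application-layer length, where a 54-byte frame is headers only). The 54-byte Ethernet + IP + TCP overhead is the figure the tables use; the endpoint names "A" and "B" follow the text.

```python
# Ethernet (14) + IPv4 (20) + TCP (20) headers with no options = 54 bytes,
# the figure the table above subtracts from each frame size.
FRAME_OVERHEAD = 14 + 20 + 20


def payload_len(frame_size):
    """Application-layer bytes carried by a frame of the given total size."""
    return max(frame_size - FRAME_OVERHEAD, 0)


def handshake(seq_a, seq_b):
    """Return (direction, seq, ack) for the three handshake packets.
    SYN and SYN/ACK each consume one sequence number, hence the + 1."""
    return [
        ("A->B", seq_a, 0),              # SYN: ack field not yet valid
        ("B->A", seq_b, seq_a + 1),      # SYN/ACK
        ("A->B", seq_a + 1, seq_b + 1),  # ACK
    ]


def data_exchange(seq_a, seq_b, frames):
    """Replay a data phase given each side's starting sequence number and a
    list of (sender, frame_size) pairs; returns (direction, seq, ack, size)."""
    snd_nxt = {"A": seq_a, "B": seq_b}  # next byte each side will send
    rcv_nxt = {"A": seq_b, "B": seq_a}  # next byte each side expects
    rows = []
    for sender, size in frames:
        receiver = "B" if sender == "A" else "A"
        # seq is the sender's next unsent byte (equal to the last ack it got
        # in a lossless exchange); ack is the next byte it expects from the peer.
        rows.append((f"{sender}->{receiver}", snd_nxt[sender], rcv_nxt[sender], size))
        # Only application data advances the sequence space; a header-only
        # frame (size 54) leaves the sender's seq unchanged.
        snd_nxt[sender] += payload_len(size)
        rcv_nxt[receiver] = snd_nxt[sender]
    return rows
```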

 

 

 

From: http://hi.baidu.com/abcserver/blog/item/aa1a347310c335148601b07c.html
