TCP protocol

TCP is a reliable and connection-oriented byte stream communication protocol.

Reliability

  • Data verification: TCP uses checksums, acknowledgements, and retransmission to ensure reliable delivery.
  • Data ordering: TCP numbers the data it sends in segments and uses cumulative acknowledgements to ensure that data arrives in order and without duplicates.
  • Flow and congestion control: TCP uses a sliding window to control flow and adjusts the window size dynamically for congestion control.

Connection establishment and teardown

Three-way handshake to establish a connection

The three-way handshake means that the client and server exchange three packets to establish a TCP connection.

First handshake (SYN=1, seq=x)

The client sends a TCP packet with the SYN flag set to 1, indicating the server port it intends to connect to, and carrying an initial sequence number x in the Sequence Number field of the packet header. After sending the packet, the client enters the SYN_SENT state.

The initial sequence number is random for the sake of network security: if it were not generated randomly, an attacker could easily learn the initial sequence number used between you and other hosts and forge sequence numbers to attack the connection.

Second handshake (SYN=1, ACK=1, seq=y, ACKnum=x+1)

The server replies with a packet in which both the SYN and ACK flags are set to 1. The server chooses its own ISN (initial sequence number) y, puts it in the Seq field, and sets the Acknowledgement Number to the client's ISN plus 1, that is, x+1. After sending the packet, the server enters the SYN_RCVD state.

Third handshake (ACK=1, ACKnum=y+1)

The client sends an ACK packet with the SYN bit 0 and the ACK bit 1, whose acknowledgement number is the server's sequence number plus 1, that is, y+1. When the TCP handshake is complete, the client enters the ESTABLISHED state.

Four-way wave to close the connection

The four-way wave means that four packets are exchanged to tear down the TCP connection.

Either the client or the server can initiate the wave. In socket programming, whichever side calls close() triggers it.

First wave (FIN=1, seq=x)

The FIN packet indicates that the sender has no more data to send but can still receive data. After the packet is sent, the client enters the FIN_WAIT_1 state.

Second wave (ACK=1, ACKnum=x+1)

The server acknowledges the client's FIN packet, confirming that it has received the client's request to close the connection, but it is not yet ready to close its own side (in theory it could still send data to the client).

Third wave (FIN=1, seq=y)

When the server is ready to close the connection, it sends its own request to end the connection to the client, with FIN set to 1. After sending the packet, the server enters the LAST_ACK state and waits for the last ACK from the client.

Fourth wave (ACK=1, ACKnum=y+1)

The client receives the server's close request, sends an acknowledgement packet, and enters the TIME_WAIT state in case the ACK has to be retransmitted. After receiving the acknowledgement, the server closes the connection and enters the CLOSED state.

If the client receives nothing further from the server within 2MSL, it assumes that the server has closed the connection normally, closes its own side as well, and enters the CLOSED state.

Attacks on the handshake

SYN Flooding

Attack principle

When server B receives a SYN request packet from client A, it replies with the SYN+ACK of the second handshake, creates a control structure (control block), and places the request in a queue to wait for client A's ACK. Once the ACK arrives, both parties enter the connected state. If the server receives no reply within a certain period, the control block is released.

TCP implementations limit the number of pending connections on each port. When the queue reaches the configured threshold, further TCP SYN packets are discarded.

If an attacker sends a large number of TCP SYN packets, the queue fills up and other users cannot connect to the attacked server.

Response

Increasing the connection queue size and shortening the timeout alleviates the attack but cannot prevent it; this is a form of DoS. You can run the netstat command on the server to inspect its network connections.
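An added example (not from the original article) of the netstat check the text suggests: it parses a constructed sample of `netstat -ant` output, counts the half-open connections (state SYN_RECV on Linux) per local port and per remote host, and flags ports whose pending queue has grown past an assumed threshold.

```python
from collections import Counter

# Constructed sample output in the layout of `netstat -ant` on Linux (not real data)
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.4:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.4:51300      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:40004      SYN_RECV
"""


def half_open(netstat_output: str) -> tuple[Counter, Counter]:
    """Count SYN_RECV entries per local port and per remote host.

    A flood fills one port's queue; many distinct remote hosts with one entry
    each usually means the source addresses are spoofed."""
    per_port, per_source = Counter(), Counter()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "SYN_RECV":
            continue  # header, other protocols, completed connections
        per_port[parts[3].rsplit(":", 1)[1]] += 1
        per_source[parts[4].rsplit(":", 1)[0]] += 1
    return per_port, per_source


def syn_flood_suspected(netstat_output: str, threshold: int = 3) -> list[str]:
    """Return the local ports whose half-open count reaches the (assumed) threshold."""
    per_port, _ = half_open(netstat_output)
    return sorted(port for port, n in per_port.items() if n >= threshold)
```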

Land attack

The Land attack abuses TCP's three-way handshake: it is carried out by sending a TCP SYN message (connection request) to the target computer.

Attack principle

Unlike a normal TCP SYN packet, a Land attack packet has both its source and destination IP address set to the address of the target computer. After receiving the SYN packet, the target sends an ACK packet to the source address and sets up a TCP connection control block (TCB); because the source address is its own, the ACK packet is sent to itself. If the attacker sends enough such SYN packets, the target's TCBs may be exhausted and the service may stop working normally.

This is also a DoS attack. Packets with forged addresses can be crafted with tools such as hping3 on Kali Linux.

Response

You can configure firewalls and routing devices to discard SYN, SYN+ACK, and other TCP packets whose source and destination addresses are the same.

TCP hijacking

With TCP session hijacking, data can easily be modified and forged.

Attack principle

After the connection is established by the three-way handshake, TCP uses the sliding window mechanism to check the data sent by the peer. If the data sent by one side does not fall within the receiving window of the other side, the receiver discards it. This state is called asynchronous (desynchronised).

When the two communicating parties are in the asynchronous state, the attacker can forge packets whose sequence numbers fall within the valid receiving window, or intercept a packet, tamper with its content, and adjust its sequence number; the receiver will treat the data as valid.

The key to TCP hijacking is to push the two sides of the communication into the asynchronous state. There are several ways to do this.

If host A sends a SYN request and host B replies with SYN+ACK, host A considers the connection established, as shown in the state diagram of the four-way wave. At this point the attacker sends an RST packet to B disguised as A, and B releases the connection. The attacker, still disguised as A, then establishes a new connection with B using its own initial sequence number, while A and B are unaware of this. Once the attacker has established a connection with B while disguised as A, A and B are in the asynchronous state.

The NOP command of the Telnet protocol can also push the communicating parties into the asynchronous state. On receiving a NOP command, host B does nothing except acknowledge it, which increments the sequence number by 1. If an attacker disguised as A sends a large number of NOP commands to B, A and B will fall out of sync.

Response

The key to detecting TCP hijacking is detecting the asynchronous state: if data or acknowledgement packets outside the receiving window keep arriving, you can conclude that a TCP hijacking attack is under way. Alternatively, RST packets can be disabled.
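The two defensive checks described above, as an added example that is not part of the original article: the Land rule from the Land attack response (drop a TCP segment whose source and destination addresses are the same) and a desynchronisation detector that raises an alert once several consecutive segments fall outside the receive window. The window size, the alert threshold and the sample segments are assumptions constructed for the example; the window test is done modulo 2^32 so it survives sequence number wraparound.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit


def is_land_packet(src_ip: str, dst_ip: str) -> bool:
    """Land rule for SYN, SYN+ACK and any other TCP segment: same source and destination."""
    return src_ip == dst_ip


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class DesyncDetector:
    """Track one connection's receive window and flag a run of out-of-window segments.

    rcv_nxt   - next sequence number expected from the peer
    rcv_wnd   - receive window size (assumed value, real stacks advertise it)
    threshold - consecutive out-of-window segments before alerting (assumed)
    """

    def __init__(self, rcv_nxt: int, rcv_wnd: int = 65535, threshold: int = 5):
        self.rcv_nxt, self.rcv_wnd, self.threshold = rcv_nxt, rcv_wnd, threshold
        self.out_of_window_run = 0

    def observe(self, seq: int, length: int) -> str:
        """Classify a segment with sequence number seq and payload length as
        'accept', 'drop' (out of window, as TCP itself would do) or 'alert'."""
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.out_of_window_run += 1
            return "alert" if self.out_of_window_run >= self.threshold else "drop"
        self.out_of_window_run = 0          # an in-window segment resets the run
        if seq == self.rcv_nxt:             # in-order data advances the window
            self.rcv_nxt = (self.rcv_nxt + length) % MOD
        return "accept"
```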

TCP spoofing

TCP spoofing relies on obtaining the initial sequence number of another client.

Attack principle

To carry out TCP spoofing, the attacker must know the initial sequence number that the spoofed party currently uses when establishing a connection.

There are three algorithms for generating sequence numbers: adding a constant each time, adding a time-related value each time, and pseudo-random generation. For the first two, the pattern can be discovered by testing. In other words, if the attacker and the target host are on the same network, it is relatively easy to work out the initial sequence number by sniffing the network, after filtering out the interference of the host whose identity is being impersonated.

When the attacker and the two communicating hosts are on different networks, the attack is harder because the attacker cannot receive the response packets. It is still not impossible, because the attacker can combine it with route spoofing to have the response packets forwarded, and so carry out the attack described above.

Response

The most natural, direct, and fundamental countermeasure is not to use bare TCP where there are security requirements, but to use protocols such as TLS that authenticate the communicating parties and encrypt the session.

There are other ways to prevent this attack externally: switching the sequence number generation algorithm to pseudo-random numbers prevents the initial sequence number from being inferred, and the router can reject packets arriving from an external network that carry an internal source IP address.
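An added example (not from the original article) contrasting the three ISN generation algorithms named in the text with the pseudo-random mitigation: the first two generators are implemented as described, the third is a keyed variant modelled on the RFC 6528 scheme (ISN = clock counter + keyed hash of the connection 4-tuple), and an audit function flags a generator whose consecutive ISNs differ by a constant, which is the pattern the text says an observer can learn. The secret key, addresses and ports are constructed for the example.

```python
import hashlib
import hmac
import secrets

MOD = 2 ** 32
SECRET = secrets.token_bytes(16)  # a real stack draws a fresh secret at boot


def isn_constant_step(prev: int, step: int = 64000) -> int:
    """Algorithm 1 in the text: add a constant to the previous ISN."""
    return (prev + step) % MOD


def isn_time_based(t_us: int) -> int:
    """Algorithm 2 in the text: a counter derived from time (one tick per 4 microseconds)."""
    return (t_us // 4) % MOD


def isn_keyed(local: tuple, remote: tuple, t_us: int, key: bytes = SECRET) -> int:
    """Pseudo-random style ISN modelled on RFC 6528: clock + F(4-tuple, secret).

    Two connections to different peers get unrelated offsets, so observing
    one connection's ISN says nothing about another's."""
    msg = f"{local[0]}:{local[1]}-{remote[0]}:{remote[1]}".encode()
    f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")
    return (isn_time_based(t_us) + f) % MOD


def predictable_by_constant_step(isns: list[int]) -> bool:
    """Audit check: True when every consecutive difference (mod 2^32) is the same,
    i.e. the next ISN can be extrapolated from two observed ones."""
    diffs = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return len(diffs) == 1
```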


The text/blank

Sound/fluorspar

This article is published with the author's authorization; the copyright belongs to Chuangyu front end. Please credit the source when reprinting.

For more from the KnownsecFED development front line, search for our WeChat official account KnownsecFED. Comments are welcome, and we will reply as far as possible.