This article is an entry in the "Network protocols you must know" essay contest.

TCP reset attack: principle and practical reproduction

TCP is a connection-oriented transport-layer protocol: an application must establish a TCP connection before it can use TCP, and once the data transfer is complete the connection must be released. TCP is point-to-point and provides reliable delivery, so data sent over a TCP connection arrives without error, without loss, without duplication and in order. TCP provides full-duplex communication; both ends of a connection are equipped with send and receive buffers that temporarily hold the data flowing in each direction, so TCP transmits data when it sees fit and the application process reads data from the receive buffer when it sees fit. TCP is byte-stream oriented: it treats the data handed to it by an application as an unstructured stream of bytes, but the unit it actually transmits is the segment.

A TCP segment consists of a header and data. The header contains a reset (RST) flag bit. When RST is set to 1 it signals that a serious error has occurred on the TCP connection: the connection must be released and the transport connection re-established. RST = 1 is also used to reject an invalid segment or to refuse a connection request.

In an RST attack, server A has a TCP connection established with server B, and server C sends a forged TCP segment to server B so that B's connection with A is torn down abnormally.

When server C sends an RST segment spoofed to look like it came from A, server B discards the data buffered for its connection with A and forcibly closes the connection.

When server C instead sends a SYN segment spoofed to look like it came from A while B's connection with A is in its normal established state, server B responds by sending an RST segment to server A and forcibly closing the connection.

That is how the reset attack works.

For the attack to succeed, the source and destination IP addresses, the port numbers and the sequence numbers must all be set correctly. Placing the attacker and the victim on the same network makes guessing the sequence number easier.
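The header-bit description above and the point about sequence numbers can be tied together with a small receiver-side model. The following Python is an added example, not code from the original article: it decodes the fixed TCP header from a constructed byte string, checks the RST and SYN flags, and decides what a host in the ESTABLISHED state does with the segment given its RCV.NXT and receive window. The decision rules follow RFC 793 (any in-window RST accepted; an in-window SYN answered with an RST and the connection closed, which is the behaviour the article describes) and the tightened RFC 5961 rules (an RST accepted only when its sequence number is exactly RCV.NXT, otherwise a challenge ACK). The function and field names and the sample segments are this example's own.

```python
import struct
from dataclasses import dataclass

# Flag bits in the TCP header (RFC 793); only the ones this example needs.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Decode the fixed 20-byte TCP header; options and payload are ignored."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    # Upper 4 bits are the data offset, the low 9 bits are the NS..FIN flags.
    return TcpSegment(src, dst, seq, ack, off_flags & 0x1FF)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int = 65535) -> bytes:
    """Constructed test input: a bare header (data offset 5, checksum left 0)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2**32."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return ((seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


def handle_in_established(seg: TcpSegment, rcv_nxt: int, rcv_wnd: int,
                          rfc5961: bool = True) -> str:
    """What an ESTABLISHED receiver does with an incoming RST or SYN segment.

    Returns one of:
      'reset'            connection torn down, buffered data discarded
      'challenge-ack'    ACK carrying the current RCV.NXT is sent, connection kept
      'reset-and-close'  receiver sends RST to the peer and closes (RFC 793 SYN case)
      'ack'              out-of-window segment is acknowledged but otherwise ignored
      'drop'             segment silently discarded
      'process'          ordinary segment, handed to normal processing
    """
    in_window = seq_in_window(seg.seq, rcv_nxt, rcv_wnd)
    if seg.has(RST):
        if not in_window:
            return "drop"
        if rfc5961 and seg.seq != rcv_nxt:
            return "challenge-ack"   # in window but inexact: do not reset
        return "reset"
    if seg.has(SYN):
        if rfc5961:
            return "challenge-ack"   # never reset on a SYN; let the real peer answer
        return "reset-and-close" if in_window else "ack"
    return "process" if in_window else "ack"


if __name__ == "__main__":
    # Receiver state: next expected byte 1000, window 65535 (constructed values).
    rcv_nxt, rcv_wnd = 1000, 65535
    samples = {
        "exact RST": build_tcp_header(51000, 80, 1000, 0, RST),
        "in-window RST": build_tcp_header(51000, 80, 1500, 0, RST),
        "out-of-window RST": build_tcp_header(51000, 80, 900000, 0, RST),
        "in-window SYN": build_tcp_header(51000, 80, 1500, 0, SYN),
    }
    for name, raw in samples.items():
        seg = parse_tcp_header(raw)
        old = handle_in_established(seg, rcv_nxt, rcv_wnd, rfc5961=False)
        new = handle_in_established(seg, rcv_nxt, rcv_wnd)
        print(f"{name:18s} RFC793={old:16s} RFC5961={new}")
```

The window check is why the final paragraph stresses the sequence number: on a stack that applies only the RFC 793 rule, any sequence number inside the receive window is enough for a forged RST to be accepted, whereas under the RFC 5961 exact-match rule an in-window but inexact RST only triggers a challenge ACK, which the legitimate peer answers without the connection being torn down. Stacks that implement RFC 5961 are therefore the first mitigation to check for when assessing exposure to this attack.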