At the start of a TCP session there is the so-called "three-way handshake", in which the two sides negotiate how the amount of data sent each time will be tracked, synchronize the sending and receiving of data segments, determine how acknowledgements are generated from the amount of data received, carry out the data transfer, and agree on when to tear the connection down after reception is complete; in this way a virtual connection is established. To provide reliable transmission, TCP numbers the packets it sends in a specific order before sending new data, and requires acknowledgement messages once the packets have reached the target machine. TCP is normally used to send large amounts of data, and it is also used when an application wants an acknowledgement that the data was received. Because TCP must track all of this continuously, it carries extra overhead, which makes the TCP format somewhat complicated. Let us look at a classic TCP case: the attack carried out by Kevin Mitnick, later known simply as the Mitnick attack, combined two techniques:
TCP session hijacking
SYN FLOOD (Synchronous Torrent)
Here we discuss the issue of TCP session hijacking.
Let us first understand the basic process of establishing a TCP connection. To build a small model environment, we assume three machines connected to the Internet. A is the attacking machine operated by the attacker. B is the intermediary springboard machine (the trusted server). C is the victim's machine (usually a server), and we take machine C as the target. Machine A sends a SYN packet to machine B, requesting to establish a connection. Machine B, responding to the request, replies with SYN/ACK to machine A, indicating that it agrees to establish the connection. When machine A receives the SYN/ACK reply from machine B, it sends an ACK in answer, and the network connection between A and B is established. In this way a TCP channel between the two machines is set up.
Terminal B, the trusted server, initiates a TCP connection to machine C. Machine A sends SYN packets to C so that C is unable to respond to B. At the same time, A also sends a forged SYN packet to B. Machine B, which trusts C, receives the SYN and starts replying with SYN/ACK packets to establish the connection. At this point C is busy responding to the SYN packets sent earlier and has no time to respond to B. The attacker on machine A predicts the sequence number of B's packet (predicting TCP sequence numbers has become harder since then) and, impersonating machine C, sends an ACK reply to B. The attacker has now deceived B's trust and holds a TCP dialogue with B, while machine C is still busy responding to the SYN packets sent by A.
Weaknesses of the TCP protocol stack: a TCP connection consumes resources, including packet information, connection state, sequence numbers and so on. By deliberately never completing the three-way handshake required to establish a connection, an attacker exhausts the resources of the party being connected to, machine C in the scenario above.
Predictability of the sequence number: the sequence number that the target host returns in its SYN/ACK when answering a connection request can be predicted. (For the early TCP protocol stack, see RFC 793, the original TCP specification issued in 1981.)
TCP header structure
The TCP header is at least 20 bytes long and contains the following fields (because translations of the field names vary, the English names are given alongside them):
TCP source port (Source Port): the 16-bit source port holds the port that initiated the communication. Together with the source IP address, the source port identifies the return address of the message.
TCP destination port (Destination Port): the 16-bit destination port field identifies the destination of the transmission. This port indicates the application interface on the computer receiving the message.
TCP sequence number (Sequence Number): the 32-bit sequence number is used by the receiving computer to reassemble the segmented message into its original form. When SYN is set, the sequence number is actually the initial sequence number (ISN), and the first data byte is numbered ISN+1. This sequence number lets the receiver compensate for segments arriving out of order in transmission.
TCP acknowledgment number (Acknowledgment Number): a 32-bit number. If the ACK control bit is set, this value is the sequence number of the next packet the sender expects to receive.
Data offset (HLEN): 4 bits giving the size of the TCP header, which tells where the data begins.
Reserved: 6 bits; these bits must be 0. They are reserved for future definition of new uses.
Code bits (Code Bits): a 6-bit flag field. The flags are the urgent flag, the acknowledgement-valid flag, the push flag, the reset-connection flag, the synchronize-sequence-numbers flag and the finish-sending-data flag, in the order URG, ACK, PSH, RST, SYN, FIN.
Window (Window): 16 bits, used to indicate the amount of TCP data the sender of the segment is willing to receive.
Checksum (Checksum): 16 bits. The source machine calculates a value based on the content of the header and data, and the receiving machine's result must be exactly the same as the source machine's, which proves the validity of the data.
Urgent pointer (Urgent Pointer): 16 bits, pointing to the byte that follows the urgent data; it is only valid when the URG flag is set. If the URG flag is not set, the field serves as padding. It speeds up the processing of segments marked as urgent.
Options (Options): variable length, but always a whole number of bytes. If there are no options, this field has length 0.
Padding (Padding): variable length; the padding content must be 0. It exists for alignment purposes, to make the layout predictable: the header plus the offset at which data begins must be divisible by 32, so extra zeros are added to make the TCP header an integer multiple of 32 bits.
Flag control functions
URG: urgent flag
Indicates that the urgent pointer field is valid.
ACK: acknowledgement flag
Indicates that the Acknowledgement Number field is valid. In most cases this flag is set. The acknowledgement number carried in that field (w+1 in Figure 1) is the next expected sequence number, and it also tells the remote system that all data up to that point has been received successfully.
PSH: push flag
When this flag is set, the receiver does not queue the data but passes it to the application as quickly as possible. The flag is normally set when handling interactive connections such as telnet or rlogin.
RST: reset flag
Indicates that the reset is valid; used to reset the corresponding TCP connection.
SYN: synchronize flag
Indicates that the Synchronize Sequence Numbers field is valid. This flag is only valid during the three-way handshake that establishes a TCP connection. It tells the server side of the connection to examine the sequence number, which is the initial sequence number chosen by the initiator of the connection (usually the client). The TCP sequence number can be regarded as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte exchanged over the TCP connection is numbered, and the sequence number field in the TCP header holds the sequence number of the first byte in the segment.
FIN: finish flag
A packet with this flag set ends a TCP session, but the corresponding port remains open and ready to receive subsequent data.
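The header layout and flag bits described above, as an added example (not code from the original article): a parser for the fixed 20-byte header and options, plus the checksum over the IPv4 pseudo-header, run against a constructed SYN segment. Addresses and ports are made up for the demonstration.

```python
import struct

# Flag bits of the 6-bit code field, in the order the article lists them
# (URG is the high bit 0x20, FIN the low bit 0x01).
FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_BITS = {name: 1 << (5 - i) for i, name in enumerate(FLAGS)}


def parse_tcp_header(segment: bytes) -> dict:
    """Split a raw TCP segment into its fixed 20-byte header, options and payload."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4          # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "reserved": ((off_res & 0x0F) << 2) | (flags >> 6),  # 6 reserved bits, must be 0
        "flags": [n for n in FLAGS if flags & FLAG_BITS[n]],
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # protocol 6 = TCP
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]           # checksum field zeroed
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the checksum carried in the header matches the recomputed one."""
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


# Constructed sample: a SYN from port 40000 to port 80 with an MSS option (24-byte header).
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
_raw = struct.pack("!HHIIBBHHH", 40000, 80, 0x1000, 0, 6 << 4, FLAG_BITS["SYN"], 65535, 0, 0)
_raw += b"\x02\x04\x05\xb4"                  # option kind 2 (MSS), length 4, value 1460
SAMPLE_SYN = _raw[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, _raw)) + _raw[18:]
```

A segment whose recomputed checksum differs from the carried one is exactly the case the server-side processing below discards without acknowledging.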
The server is in the listening state, and the IP packets the client sends to request a connection are assembled into segments by the TCP/IP protocol stack and handed to TCP for processing.
Analyze header information: the TCP layer receives the TCP and IP headers and stores this information in memory.
Checksum: the standard checksum is located in the segment (Figure 2). If verification fails, no acknowledgement is returned, the segment is discarded, and TCP waits for the client to retransmit.
Find the protocol control block (PCB{}): TCP looks for the protocol control block associated with this connection. If none is found, TCP discards the segment and returns RST (this is how TCP handles a port with no listener). If the protocol control block exists but its state is closed, the server has not called connect() or listen(); the segment is discarded but no RST is returned, and the client will try to re-establish the connection.
Create a new socket: when a socket in the listening state receives the segment, a child socket is created and the socket{}, tcpcb{} and pub{} structures are set up. If an error occurs at this point, the corresponding socket is removed and its memory released according to the flag bits, and the TCP connection fails. If the queue is full, TCP treats this as an error and all subsequent connection requests are refused. Here you can see how a SYN flood attack works.
Discard: if the flags in the segment include RST or ACK, or there is no SYN flag, the segment is discarded and the corresponding memory is released.
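The resource exhaustion described above can be watched for from the defender's side by counting handshakes that reach SYN-RECEIVED and never complete. The following is an added example, not code from the article: a half-open connection tracker run over constructed packet records (one legitimate handshake and 60 requests that never send the final ACK); addresses and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed records of (timestamp, src "ip:port", dst "ip:port", flag set); not a real capture.
# One client completes the handshake; 60 other clients send a SYN, receive the SYN/ACK
# from the server and never send the final ACK, so the server holds them in SYN-RECEIVED.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5:4001", "10.0.0.2:80", {"SYN"}),
    (0.05, "10.0.0.2:80", "10.0.0.5:4001", {"SYN", "ACK"}),
    (0.10, "10.0.0.5:4001", "10.0.0.2:80", {"ACK"}),
]
for _i in range(1, 61):
    SAMPLE_PACKETS.append((1 + _i / 100, f"203.0.113.{_i}:5000", "10.0.0.2:80", {"SYN"}))
    SAMPLE_PACKETS.append((1.005 + _i / 100, "10.0.0.2:80", f"203.0.113.{_i}:5000", {"SYN", "ACK"}))


def half_open_connections(packets):
    """Return {server: [client, ...]} for handshakes that got a SYN but no final ACK.

    Mirrors the server-side states: a bare SYN puts the server in SYN-RECEIVED, the
    client's ACK moves it to ESTABLISHED, and a RST from either side abandons the attempt.
    """
    pending = {}                                     # (client, server) -> time of the SYN
    for ts, src, dst, flags in packets:
        if flags == {"SYN"}:                         # first packet of the handshake
            pending[(src, dst)] = ts
        elif "ACK" in flags and "SYN" not in flags:  # third packet: handshake complete
            pending.pop((src, dst), None)
        elif "RST" in flags:                         # attempt torn down by either side
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
        # the server's own SYN/ACK changes nothing: the entry is already pending
    stuck = defaultdict(list)
    for (client, server) in pending:
        stuck[server].append(client)
    return dict(stuck)


def syn_flood_alerts(packets, threshold=50):
    """Servers whose half-open backlog exceeds the threshold (assumed value) at the end of the capture."""
    return [srv for srv, clients in half_open_connections(packets).items()
            if len(clients) > threshold]
```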
Send sequence variables
: Send unacknowledged
: Send next
: Send window
: Send urgent pointer
SND.WL1: segment sequence number used for the last window update
SND.WL2: segment acknowledgment number used for the last window update
ISS: initial send sequence number
Receive sequence variables
: Receive next
: Receive next
: Receive urgent pointer
IRS: initial receive sequence number
Current segment variables
: Segment sequence number
: Segment acknowledgment number
: Segment length
: Segment window
: Segment urgent pointer
: Segment precedence
CLOSED means there is no connection; the meaning of each state is as follows:
LISTEN: waiting for a connection request from a remote TCP port.
SYN-SENT: waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED: waiting for confirmation of the connection request after having both received and sent a connection request.
ESTABLISHED: an open connection; data can be delivered to the user.
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for an acknowledgement of the termination request previously sent.
FIN-WAIT-2: waiting for a connection termination request from the remote TCP.
CLOSE-WAIT: waiting for a connection termination request from the local user.
CLOSING: waiting for the remote TCP to acknowledge the connection termination.
LAST-ACK: waiting for acknowledgement of the connection termination request previously sent to the remote TCP.
TIME-WAIT: waiting long enough to be sure the remote TCP has received the acknowledgement of its connection termination request.
CLOSED: no connection exists.
The TCP connection process is a sequence of state transitions. The transitions are caused by the user calls OPEN, SEND, RECEIVE, CLOSE, ABORT and STATUS; by received segments, particularly those carrying the SYN, ACK, RST and FIN flags; and by timeouts. These are what move TCP between the states listed above.
Sequence numbers
Note that every byte sent over a TCP connection has a sequence number. Because the bytes are numbered, they can be acknowledged, and acknowledgement of sequence numbers is cumulative. The sequence number comparisons TCP must perform include the following:
① Determining which sent sequence numbers have not yet been acknowledged.
② Determining that all sequence numbers have been received.
③ Determining the sequence number that the next segment should contain.
To process an acknowledgement of sent data, TCP needs the following values:
= the oldest unacknowledged sequence number.
= the next sequence number to be sent.
= the acknowledgement from the receiving TCP, i.e. the next sequence number the receiving TCP expects.
= the first sequence number of a segment.
= the number of bytes in the segment.
+-1 = the last sequence number of the segment.
If a segment's sequence number is less than or equal to the acknowledgement number, the entire segment is acknowledged. The following comparisons are needed when receiving data:
= the next expected sequence number, and the lower edge of the receive window.
+-1 = the last sequence number, and the upper edge of the receive window.
= the first sequence number received.
+-1 = the last sequence number received.
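The comparisons above, as an added example (not code from the article). It uses the RFC 793 names for the variables, an assumption made because the page's list lost them: SND.UNA, SND.NXT, SEG.ACK, SEG.SEQ, SEG.LEN, RCV.NXT and RCV.WND. It also handles the case the page only hints at with the 32-bit counter: sequence numbers wrap, so plain integer comparison is wrong near 4,294,967,295.

```python
MASK = 0xFFFFFFFF  # sequence numbers live in a 32-bit space that wraps around


def seq_lt(a: int, b: int) -> bool:
    """a < b in modular sequence-number arithmetic (the signed 32-bit difference is negative)."""
    return ((a - b) & MASK) >= 0x80000000


def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)


def ack_acceptable(snd_una: int, snd_nxt: int, seg_ack: int) -> bool:
    """An ACK is acceptable when SND.UNA < SEG.ACK <= SND.NXT: it acknowledges something that
    was sent and not yet acknowledged, and nothing that was never sent."""
    return seq_lt(snd_una, seg_ack) and seq_le(seg_ack, snd_nxt)


def segment_fully_acked(seg_seq: int, seg_len: int, seg_ack: int) -> bool:
    """Cumulative ACK: the segment is fully acknowledged once SEG.SEQ + SEG.LEN - 1 < SEG.ACK."""
    return seq_lt((seg_seq + seg_len - 1) & MASK, seg_ack)


def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """Receive-side check: does any part of the segment fall inside the receive window
    [RCV.NXT, RCV.NXT + RCV.WND - 1]? Zero-length segments and a zero window are the edge cases."""
    win_end = (rcv_nxt + rcv_wnd) & MASK          # one past the highest acceptable sequence number

    def in_window(s: int) -> bool:
        return seq_le(rcv_nxt, s) and seq_lt(s, win_end)

    if seg_len == 0:                              # pure ACK / window probe
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(seg_seq)
    if rcv_wnd == 0:
        return False                              # no room: data segment is dropped
    return in_window(seg_seq) or in_window((seg_seq + seg_len - 1) & MASK)
```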