2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains TCP RST (reset) attacks starting from how the TCP protocol itself works. The content is of high quality, so the editor shares it with you as a reference. I hope you will have a solid understanding of the relevant knowledge after reading it.
Before talking about RST attacks, you first need to understand TCP: how a TCP connection is established with a three-way handshake, how a full-duplex connection is closed with a four-way handshake, how the sliding window transmits data, and when RST appears among the TCP flag bits. Below I draw some simplified diagrams to illustrate these points, and then look at what an RST attack actually is.
1. What is TCP?
TCP is a transport layer protocol on top of the IP network layer that provides a reliable, connection-oriented byte stream from port to port. Let me explain each of those key words in plain language:
Port to port: the IP layer only handles delivering packets from one IP address to another. TCP adds ports on top of IP, which makes it process-oriented: each port can correspond to a user process.
Reliability: TCP maintains the notion of a connection, which does not actually exist at the IP layer, by acknowledging packets after receipt, retransmitting after packet loss, and so on. Because machines differ in bandwidth and processing power, TCP must also be able to control the flow of traffic.
Byte stream: TCP cuts the byte stream coming from the application process into many packets and sends them over the network. IP packets may arrive out of order or duplicated, and TCP must reassemble them into the original byte stream.
From the TCP header diagram I drew with PowerPoint above, we can see that there are six flag bits. The RST bit is the one that appears when TCP is in an abnormal state, and it is the focus of this article.
2. Establish a connection through a three-way handshake
Now I will show how the three-way handshake establishes a TCP connection from A to B.
To be able to explain the RST attack later, three things in the figure above need to be described: the SYN flag bit, the sequence number, and the sliding window size.
In the request to establish a connection, the SYN flag bit is set to 1. This request also announces the MSS (maximum segment size), the largest TCP segment this machine is willing to receive.
Every TCP packet sent carries a sequence number. It works like this: the first SYN carries an initial sequence number which, as the RFC defines it, each operating system derives in its own way from the system time. After that the sequence number keeps increasing. For example, if the sequence number is 100 and this TCP packet carries 10 bytes of data, the next TCP packet's sequence number will be 110.
The sliding window is used to speed up transmission. Without it, after sending a packet with seq=100 the sender would have to receive the acknowledgement ack=101 for that packet before sending the next one. With a sliding window, as long as the difference between the seq of the new packet and the smallest unacknowledged seq is less than the window size, the sender can keep sending.
3. Sliding window
Sliding windows are, without doubt, there to speed up data transmission. For TCP to be "reliable", a packet must be acknowledged by an ack to show that the receiver got it. With a sliding window, the receiver can send a single ack after receiving many packets, confirming all of the packets received before it. Likewise the sender does not have to wait for the ack of each packet before sending the next; it can keep sending other packets within the size of the sliding window. Let me give an example.
In the picture above, the mark "." means that all flags are 0. The flag P marks a TCP packet with the PSH flag set, used to push data through quickly.
The first three packets are the three-way handshake. The client announces its sliding window size as 65535 (my XP machine), and the server announces 5840 (the screenshot is wide and was not cropped). Starting from the fourth packet, the client sends a PSH packet with 520 bytes of data to the server, and the server replies with an ack packet. Notice that the win field has changed. And so on.
In the second-to-last packets, the server sends several packets to the client in a row within the sliding window, and the ack 124 sent by the client confirms the previous two packets at once. That is the function of the sliding window.
When talking about TCP attacks, it should be noted that in the various TCP implementations, a packet whose seq falls outside the sliding window is thrown away! We will come back to this below.
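The sequence-number bookkeeping described above, as an added example that is not code from the original article: a small sender-side model of the sliding window. The class name SendWindow and the helper demo are assumed for this illustration; snd_una and snd_nxt follow the usual TCP variable names.

```python
# Added example, not from the original article: sender-side model of the
# sliding window and the sequence-number arithmetic described above.
MOD = 1 << 32  # sequence numbers are 32-bit and wrap around modulo 2^32


class SendWindow:
    """Tracks what has been sent and what the peer has acknowledged."""

    def __init__(self, isn, wnd):
        self.snd_una = isn % MOD  # oldest sequence number not yet acknowledged
        self.snd_nxt = isn % MOD  # sequence number the next segment will carry
        self.wnd = wnd            # window size advertised by the receiver

    def in_flight(self):
        """Bytes sent but not yet acknowledged (wrap-safe subtraction)."""
        return (self.snd_nxt - self.snd_una) % MOD

    def can_send(self, nbytes):
        """The article's rule: keep sending while the unacknowledged span fits."""
        return self.in_flight() + nbytes <= self.wnd

    def send(self, nbytes):
        """Return the seq of the new segment, or None if the window is full.
        seq=100 with 10 bytes of data makes the next segment seq=110."""
        if not self.can_send(nbytes):
            return None
        seq = self.snd_nxt
        self.snd_nxt = (self.snd_nxt + nbytes) % MOD
        return seq

    def ack(self, ack_no):
        """A cumulative ACK: one ack_no confirms every byte below it, so a
        single ACK can cover several segments at once (the 'ack 124' case)."""
        acked = (ack_no - self.snd_una) % MOD
        if acked <= self.in_flight():  # ignore ACKs for data never sent
            self.snd_una = ack_no % MOD


def demo():
    """Three 10-byte segments from seq 100, then one ACK covering two of them."""
    w = SendWindow(isn=100, wnd=30)
    seqs = [w.send(10) for _ in range(3)]  # [100, 110, 120]
    blocked = w.send(1)                    # None: the 30-byte window is full
    w.ack(120)                             # confirms segments 100 and 110 together
    return seqs, blocked, w.in_flight(), w.can_send(20)
```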
4. Closing a normal TCP connection with the four-way handshake
First, a simple state-transition diagram of a normal connection close.
The FIN flag bit also appears here; it indicates that the connection is being closed normally. The left side of the figure is the party that actively closes the connection, and the right side is the party that passively closes it. The connection states marked in the figure can be seen with the netstat command.
FIN is a normal close: it is sent in buffer order, that is, all packets queued before the FIN are sent out first and only then is the FIN packet sent. This is different from RST.
5. The RST flag bit
RST stands for reset and is used to close a connection abnormally; it is indispensable in the design of TCP. As mentioned above, when a RST packet closes the connection, the sender does not have to wait for all the packets in the buffer to be sent (unlike the FIN packet above): it simply discards the buffered packets and sends the RST packet. The receiver of a RST packet does not have to send an ACK to confirm it.
The TCP stack sends a RST packet whenever it considers the situation abnormal. For example, if A initiates a connection to B but the corresponding port on B is not listening, the TCP stack of operating system B sends a RST packet.
Another example: A and B have normally established a connection and are communicating. A sends a FIN packet to B to close the connection, B replies with an ACK, and then the network is interrupted; A gives up the connection for some reason (such as a process restart). When the network comes back, B starts sending data packets. A receives them, has no idea where this stray connection came from, and sends a RST packet to forcibly close the connection. When B receives it, B gets a "connection reset by peer" error.
6. RST attack
A TCP connection is established between A and server B. If C forges a TCP packet and sends it to B so that B abnormally disconnects its TCP connection with A, that is a RST attack. In fact, the function of the RST flag bit described above already shows how this attack works.
So what kind of TCP packet has to be forged to achieve this? Let us go through it from the top.
Suppose C forges a packet that appears to be sent by A. If that packet is a RST packet, there is no doubt that B will discard all buffered data for the connection with A and forcibly close the connection.
If the forged packet is a SYN packet, B will conclude that A has gone crazy (this depends on the OS implementation), trying to set up a new connection while one is already established, and B itself sends a RST packet to A and forcibly closes the connection on its own side.
Both of these methods achieve the effect of a reset attack. It sounds scary, but the key question is: how can such a packet sent to B be faked? There are two key factors, the source port and the sequence number.
A TCP connection is a 4-tuple, uniquely determined by the source IP, source port, destination IP, and destination port. So if C wants to forge a packet from A to B, it must fill in the source IP, source port, destination IP, and destination port correctly in the IP header and TCP header mentioned above. Here B is the server, so its IP and port are public; A is the target, and its IP is of course known, but A's source port is not, because A may generate it randomly. Of course, if the rules by which common OSes such as Windows and Linux generate source ports can be worked out, it can be done.
The sequence number problem corresponds to the sliding window. The forged TCP packet needs a sequence number, and if that value is not within B's sliding window for A when the packet reaches B, B will discard it. So a sequence number that falls within the current sliding window between A and B has to be found. This can be solved by brute force, because a sequence number is 32 bits long, with values ranging from 0 to 4294967296. If the window size is 65535, as on the Windows machine in my capture above, dividing shows that at most 65537 (4294967296 / 65535) packets need to be sent for one sequence number to fall into the sliding window. A RST packet is very small, IP header + TCP header is only 40 bytes, so a quick calculation with our bandwidth shows this takes only a few seconds.
So the sequence number is not a problem; the source port is the troublesome part. If an operating system cannot generate source ports randomly, or if an attacker can obtain the source port in some other way, the consequences of a RST attack will be serious.
That concludes this discussion of TCP RST attacks from the principles of the TCP protocol. I hope the above content is of some help to everyone and that you can learn more from it. If you think the article is good, share it for more people to see.
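The window check from section 3 and the RST handling from section 6 as an added example (not code from the original article), including the RFC 5961 hardening that the article predates: only a RST whose seq equals the next expected byte resets the connection, and an in-window but inexact one gets a challenge ACK instead. The function names are assumed for this illustration.

```python
# Added example, not from the original article: how a receiver decides what
# to do with a RST, under the classic RFC 793 rule (any in-window RST resets
# the connection) and the RFC 5961 hardening (only an exact match resets;
# an in-window but inexact RST is answered with a "challenge ACK").
MOD = 1 << 32  # 32-bit sequence space, wraps around


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def handle_rst(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """Receiver's decision for a RST segment carrying sequence number seq.

    'drop'          - outside the window: silently discarded (section 3)
    'reset'         - connection torn down, buffered data discarded (section 5)
    'challenge_ack' - RFC 5961: in-window but seq != rcv_nxt, so the receiver
                      replies with an ACK and keeps the connection; a genuine
                      peer would answer with a correctly numbered RST
    """
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seq == rcv_nxt or not rfc5961:
        return "reset"
    return "challenge_ack"


def sequence_values_to_cover(rcv_wnd, rfc5961=True):
    """Worst-case number of distinct sequence numbers that must be tried
    before a blindly spoofed RST is accepted as a reset.
    RFC 793: one value per window-sized slice, ceil(2^32 / rcv_wnd); the
    article rounds this to 65537 for a 65535-byte window.
    RFC 5961: every one of the 2^32 values, since only rcv_nxt itself works."""
    if rfc5961:
        return MOD
    return -(-MOD // rcv_wnd)  # ceiling division
```

The mitigation the second function quantifies is why modern stacks pair RFC 5961 with randomized source ports: the window no longer shrinks the search space.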