TCP/IP is not a single protocol but a whole suite of protocols. TCP, the Transmission Control Protocol (also written Transport Control Protocol), is a reliable host-to-host transport-level protocol. One thing must be stressed at the outset: the transport layer is the fourth layer of the OSI network model, while the TCP transmission control protocol is one of the six basic protocols of the TCP/IP suite; the two uses of the word are not the same thing. TCP is a reliable, connection-oriented delivery service. Data is divided into segments for transmission, and hosts that exchange data must first establish a session. TCP communicates as a byte stream, that is, the data is treated as a structured stream, and reliability is obtained through the sequence number field carried in every TCP segment. Sitting at the fourth layer of the OSI reference model, TCP uses the internetworking function of IP to provide reliable data transfer: IP is confined to the network layer, while TCP is responsible for making sure packets arrive. Working together with IP, TCP takes care of the handshake process, message management, flow control, error detection and handling (control), and can put out-of-order messages back into order by their sequence numbers. The RFC documents relevant to TCP include RFC 793, RFC 791 and RFC 1700.
At the start of a TCP session there is the so-called "three-way handshake": it tracks how much data is sent each time so that the transmission and reception of data segments stay synchronized, acknowledges received data according to its sequence and acknowledgment numbers, and once the connection request is accepted a virtual connection is established. To provide reliable transmission, TCP numbers packets in a specific order before sending new data and requires an acknowledgment message from the target machine. TCP is generally used to send large amounts of data, and it is used when the application needs an acknowledgment after the data has been received. Because TCP must keep track of timing, it carries additional overhead, which makes the TCP format more complicated. Let us look at a classic TCP case, later called the Mitnick attack, in which Kevin Mitnick used two attack techniques:
TCP session hijacking and SYN flood (synchronization flood).
Here we discuss the problem of TCP session hijacking.
First let us understand the basic process by which TCP establishes a connection. To build a small imitation environment, we have three machines connected to the Internet. A is the machine controlled by the attacker. B is an intermediate hop machine (the trusted server). C is the victim machine (usually a server); here C is the locked-in target. Machine A sends a SYN packet to machine B to request a connection; B, responding to the request, replies with SYN/ACK to A to indicate that the connection is accepted; when A receives the SYN/ACK sent by B, it sends an ACK in answer, and the network connection between machine A and machine B is established. In this way a TCP channel between the two machines has been set up successfully.
The trusted server B initiates TCP connections to machine C. Machine A sends SYN traffic to C so that C cannot respond to B. At the same time, machine A also sends a forged SYN to machine B impersonating C, and B's SYN/ACK reply to that SYN (the trust circuit) is the SYN/ACK that C would normally answer; C, busy handling the SYN data sent to it earlier, does not respond to B. The attacker on A predicts the sequence number of B's packet (today TCP sequence-number prediction is considerably harder) and, impersonating C, sends the answering ACK to B. Once the attacker has defrauded B of its trust, the counterfeit C has established a TCP dialogue with B. All this time C is still occupied with the SYN data sent by the attacker's machine A.
The weakness of the TCP protocol stack: a TCP connection consumes resources, including packet information, connection state, sequence numbers and so on. By deliberately not completing the three-way handshake required to establish a connection, the resources available for connections are exhausted.
The attacker intentionally never finishes the three-way handshake needed to establish a connection, thereby exhausting the resources of machine C. The predictability of sequence numbers: when the target host responds to a connection request, the sequence number in the SYN/ACK it returns can be predicted. (This concerns early TCP protocol stacks; for details see the 1981 RFC 793 documentation of the TCP prototype.)
TCP header structure
The TCP header is at least 20 bytes and contains the following fields (the corresponding English names are given alongside the translation):
Source port: the 16-bit source port contains the port that initiated the communication. The source port together with the source IP address serves as the return address of the segment.
TCP destination port: the 16-bit destination port field defines the destination of the transmission. This port indicates the application interface address on the receiving computer.
TCP sequence number: the 32-bit sequence number is used by the receiving computer to reassemble the message into its original form. When SYN is set, the sequence number is in fact the initial sequence number (ISN), and the first data byte is ISN+1. This sequence number differs from one transfer to the next.
TCP acknowledgment number: the 32-bit acknowledgment number is used by the receiving computer to reassemble the message into its original form. If the ACK control bit is set, this value is the sequence number of the next segment the sender is prepared to receive.
Data offset (HLEN): 4 bits giving the length of the TCP header, indicating where the data begins.
Reserved: a 6-bit field; these bits must be 0. It is kept for uses to be defined in the future.
Flags (code bits): a 6-bit flag field. The flags are: urgent flag, meaningful acknowledgment flag, push, reset connection flag, synchronize sequence numbers flag, and finished sending data flag. In order they are: URG, ACK, PSH, RST, SYN and FIN.
Window: 16 bits, used to indicate the size of each TCP data segment the sender is willing to receive.
Checksum: 16 bits, covering the TCP header. The source machine computes a value from the data contents, and the value the receiving machine computes should be exactly the same as the source machine's, which demonstrates the integrity of the data.
Urgent pointer: 16 bits; it points to the byte following the urgent data and is valid only when the URG flag is set. If URG is not set, the urgent field is just padding. It is used to mark a data segment as urgent so that it is handled more quickly.
Options: variable length, but the length must be a whole number of bytes. If there are no options, a single one-byte field equal to 0 indicates this.
Padding: the padding content must be zeros; its purpose is to keep the layout predictable, ensuring that the boundary between the header and the start of the data is divisible by 32. Generally extra zeros are appended so that the TCP header is an integer multiple of 32 bits.
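As an added example (not code from the original article), the following Python builds a constructed 20-byte TCP header, then parses the fields listed above and verifies the checksum over the IPv4 pseudo-header; the addresses, ports and sequence numbers are constructed sample values.

```python
import socket
import struct

# Constructed sample endpoints (RFC 5737 documentation addresses), not taken from the article.
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # code bits, lowest bit first

def ones_complement_sum(data: bytes) -> int:
    """RFC 793 checksum: one's complement of the one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header (source, destination, zero, protocol 6, TCP length) covered by the checksum."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_length)

def build_tcp_header(sport, dport, seq, ack, flags, window, payload=b"") -> bytes:
    """Build a 20-byte TCP header (data offset 5 words, no options) with a valid checksum."""
    offset_flags = (5 << 12) | (flags & 0x3F)      # 4-bit offset, 6 reserved bits, 6 flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(SRC_IP, DST_IP, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def parse_tcp_header(segment: bytes, src_ip: str = SRC_IP, dst_ip: str = DST_IP) -> dict:
    """Decode the fixed header fields and verify the checksum over pseudo-header + segment."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, offset_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4          # header length in bytes (words * 4)
    flag_bits = offset_flags & 0x3F
    flags = [name for i, name in enumerate(FLAG_NAMES) if flag_bits & (1 << i)]
    # An intact segment sums to 0xFFFF, so complementing that sum gives exactly 0.
    checksum_ok = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
            "flags": flags, "window": window, "urgent_pointer": urg,
            "checksum_ok": checksum_ok, "payload": segment[data_offset:]}

if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, 1000, 0, 0x02, 65535)   # constructed SYN with ISN 1000
    print(parse_tcp_header(syn))
```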
Flag control functions
URG: the urgent pointer flag is valid. The urgent flag is set.
ACK: the acknowledgment flag; the acknowledgment number (Acknowledgement Number) is valid. In most cases this flag is set. The acknowledgment number (W+1, Figure 1) carried in the TCP header is the next expected sequence number, and it indicates that the remote system has successfully received all data up to that point.
PSH: when this flag is set, the receiving end does not queue the data but passes it on as quickly as possible. This flag is always set when handling interactive-mode connections such as Telnet or Rlogin.
RST: the reset flag is valid. It is used to reset the corresponding TCP connection.
SYN: the synchronize flag; the synchronization sequence number is valid. This flag is only valid during the three-way handshake that establishes a TCP connection. It tells the server to check the sequence number of the TCP connection, which is the initial sequence number chosen by the initiating end of the connection (typically the client). Here the TCP sequence number can be regarded as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte passing through the TCP connection has a sequence number. The sequence number field in the TCP header holds the sequence number of the first byte in the TCP segment.
FIN: the finish flag. A packet carrying this flag ends a TCP session, but the corresponding port remains open and ready to receive subsequent data.
The server is in the LISTEN state, and the client's connection request (an IP packet) is handled as a TCP segment according to the TCP/IP protocol stack, as follows.
Analyze the header information: the TCP layer receives the corresponding TCP and IP headers and stores this information in memory.
Check the TCP checksum: the standard checksum is located in the segment (Figure 2). If the check fails, no acknowledgment is returned; the segment is discarded and retransmission is awaited.
Find a protocol control block (pcb{}): TCP looks for the protocol control block associated with this connection. If it is not found, TCP discards the segment and returns RST. (This is how TCP handles ports with no listener.) If the protocol control block exists but its state is closed, the server has not called connect() or listen(); the segment is discarded, but no RST is returned, and the client will try to re-establish the connection request.
Create a new socket: when the socket in the LISTEN state receives the segment, a child socket is created, together with its socket{}, tcpcb{} and pcb{} structures. If an error occurs at this point, the corresponding socket is removed through the flag bits and its memory is released, and the TCP connection fails. If the cache queue is full, TCP treats this as an error and all subsequent connection requests are rejected. Here you can see how a SYN flood attack works.
Discard: if the flags in this segment are RST or ACK, or there is no SYN flag, the segment is discarded and the corresponding memory is released.
Send sequence variables
SND.UNA: send unacknowledged
SND.NXT: send next
SND.WND: send window
SND.UP: send urgent pointer
SND.WL1: segment sequence number used for the last window update
SND.WL2: segment acknowledgment number used for the last window update
ISS: initial send sequence number
Receive sequence variables
RCV.NXT: receive next
RCV.WND: receive window
RCV.UP: receive urgent pointer
IRS: initial receive sequence number
Current segment variables
SEG.SEQ: segment sequence number
SEG.ACK: segment acknowledgment number
SEG.LEN: segment length
SEG.WND: segment window
SEG.UP: segment urgent pointer
SEG.PRC: segment precedence
CLOSED indicates that there is no connection; the meaning of each state is as follows:
LISTEN: waiting for a connection request from any remote TCP and port.
SYN-SENT: waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED: waiting for confirmation of the connection request after having both received and sent a connection request.
ESTABLISHED: represents an open connection; data can be delivered to the user.
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for acknowledgment of the termination request previously sent.
FIN-WAIT-2: waiting for a connection termination request from the remote TCP.
CLOSE-WAIT: waiting for a connection termination request from the local user.
CLOSING: waiting for the remote TCP to acknowledge the connection termination request.
LAST-ACK: waiting for acknowledgment of the connection termination request previously sent to the remote TCP.
TIME-WAIT: waiting long enough to be sure the remote TCP has received the acknowledgment of its connection termination request.
CLOSED: no connection state.
The TCP connection process is a series of state transitions. State changes are triggered by the user calls OPEN, SEND, RECEIVE, CLOSE, ABORT and STATUS; by transmitted data segments, especially those carrying the SYN, ACK, RST and FIN flags; and by timeouts. These are the TCP state changes referred to above.
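To make the state list concrete, here is an added Python model (not from the original article) of the RFC 793 transitions described above, driven by the user calls and received segments named in the text; the event labels such as "rcv SYN,ACK" and "timeout 2MSL" are this example's own naming.

```python
from typing import Dict, List, Optional, Tuple

# (state, event) -> (next state, segment sent).  Events are the user calls named in the
# text (OPEN, SEND, CLOSE) or received segments written as "rcv <flags>"; labels are ours.
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("CLOSED", "passive OPEN"): ("LISTEN", None),
    ("CLOSED", "active OPEN"): ("SYN-SENT", "SYN"),
    ("LISTEN", "rcv SYN"): ("SYN-RECEIVED", "SYN,ACK"),   # half-open until the ACK arrives
    ("LISTEN", "SEND"): ("SYN-SENT", "SYN"),
    ("LISTEN", "CLOSE"): ("CLOSED", None),
    ("SYN-SENT", "rcv SYN,ACK"): ("ESTABLISHED", "ACK"),
    ("SYN-SENT", "rcv SYN"): ("SYN-RECEIVED", "ACK"),     # simultaneous open
    ("SYN-SENT", "CLOSE"): ("CLOSED", None),
    ("SYN-RECEIVED", "rcv ACK"): ("ESTABLISHED", None),
    ("SYN-RECEIVED", "rcv RST"): ("LISTEN", None),
    ("SYN-RECEIVED", "CLOSE"): ("FIN-WAIT-1", "FIN"),
    ("ESTABLISHED", "CLOSE"): ("FIN-WAIT-1", "FIN"),
    ("ESTABLISHED", "rcv FIN"): ("CLOSE-WAIT", "ACK"),
    ("FIN-WAIT-1", "rcv ACK"): ("FIN-WAIT-2", None),
    ("FIN-WAIT-1", "rcv FIN"): ("CLOSING", "ACK"),
    ("FIN-WAIT-1", "rcv FIN,ACK"): ("TIME-WAIT", "ACK"),
    ("FIN-WAIT-2", "rcv FIN"): ("TIME-WAIT", "ACK"),
    ("CLOSING", "rcv ACK"): ("TIME-WAIT", None),
    ("CLOSE-WAIT", "CLOSE"): ("LAST-ACK", "FIN"),
    ("LAST-ACK", "rcv ACK"): ("CLOSED", None),
    ("TIME-WAIT", "timeout 2MSL"): ("CLOSED", None),
}

class TcpConnection:
    """One end of a connection: applies events to the state table and records what it sends."""
    def __init__(self) -> None:
        self.state = "CLOSED"
        self.sent: List[str] = []

    def handle(self, event: str) -> str:
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{event!r} is not a valid event in state {self.state}")
        self.state, out = TRANSITIONS[key]
        if out is not None:
            self.sent.append(out)
        return self.state

def run(events: List[str]) -> Tuple[List[str], List[str]]:
    """Drive a fresh connection through events; return the state trace and segments sent."""
    conn = TcpConnection()
    return [conn.handle(e) for e in events], conn.sent
```

A server that receives SYNs whose final ACK never arrives accumulates entries stuck in SYN-RECEIVED, which is the queue exhaustion the SYN flood section describes.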
Sequence numbers
Note that every byte sent over a TCP connection has a sequence number. Because the bytes are numbered, their receipt can be acknowledged. Acknowledgment of sequence numbers is cumulative. The kinds of sequence number comparison that TCP must perform include the following:
1 Determining which sequence numbers have been sent but not yet acknowledged.
2 Determining that all sequence numbers in a segment have been received.
3 Determining the sequence number to be used in the next segment.
For the transmitting TCP to process acknowledgments of sent data, the following are used:
SND.UNA = the oldest unacknowledged sequence number.
SND.NXT = the next sequence number to be sent.
SEG.ACK = the acknowledgment from the receiving TCP, i.e. the next sequence number the receiving TCP expects.
SEG.SEQ = the first sequence number of a data segment.
SEG.LEN = the number of bytes of data contained in the segment.
SEG.SEQ + SEG.LEN - 1 = the last sequence number of the data segment.
If a data segment's sequence number is less than or equal to the acknowledgment number, the entire data segment is acknowledged. When receiving data, the following comparisons are required:
RCV.NXT = the next expected sequence number, the lower edge of the receive window.
RCV.NXT + RCV.WND - 1 = the last sequence number, the upper edge of the receive window.
SEG.SEQ = the first sequence number of a received segment.
SEG.SEQ + SEG.LEN - 1 = the last sequence number of a received segment.
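These comparisons are arithmetic modulo 2^32, because the sequence number wraps after 4,294,967,295. This added Python (not the article's own code) implements the acknowledgment and receive-window checks from the formulas above with wraparound handled, including the zero-window and empty-segment cases from RFC 793; the function names and sample values are this example's own.

```python
MOD = 1 << 32   # sequence numbers form a 32-bit circular space: 0 .. 4,294,967,295

def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in the circular sequence space (negative means a is before b)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def seq_lt(a: int, b: int) -> bool:
    return seq_diff(a, b) < 0

def seq_le(a: int, b: int) -> bool:
    return seq_diff(a, b) <= 0

def in_window(x: int, lo: int, wnd: int) -> bool:
    """lo <= x < lo + wnd, evaluated modulo 2**32."""
    return (x - lo) % MOD < wnd

def ack_acceptable(snd_una: int, snd_nxt: int, seg_ack: int) -> bool:
    """An ACK is acceptable only if SND.UNA < SEG.ACK <= SND.NXT (it must cover sent data)."""
    return seq_lt(snd_una, seg_ack) and seq_le(seg_ack, snd_nxt)

def segment_fully_acked(seg_seq: int, seg_len: int, seg_ack: int) -> bool:
    """A queued segment is fully acknowledged when SEG.SEQ + SEG.LEN - 1 < SEG.ACK."""
    last = (seg_seq + seg_len - 1) % MOD
    return seq_lt(last, seg_ack)

def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """Receive-side check from RFC 793: some part of the segment must fall inside
    [RCV.NXT, RCV.NXT + RCV.WND - 1]; empty segments and a zero window are special cases."""
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False                     # no room: data segments are dropped
    last = (seg_seq + seg_len - 1) % MOD
    return in_window(seg_seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)

if __name__ == "__main__":
    # Constructed values just below the wrap point: RCV.NXT is six bytes short of 2**32.
    rcv_nxt, rcv_wnd = MOD - 6, 100
    print(segment_acceptable(rcv_nxt, rcv_wnd, 5, 10))          # wrapped, inside the window
    print(segment_acceptable(rcv_nxt, rcv_wnd, MOD - 20, 10))   # stale segment, rejected
```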