TCP/IP Protocol Security Analysis (repost)

xiaoxiao, 2021-03-06

Internet technology hides the details of the underlying network hardware and lets heterogeneous networks communicate with one another. The TCP/IP protocol suite is the most widely used network interconnection protocol today. However, the TCP/IP suite has a number of security weaknesses of its own, and these give "hackers" openings to attack machines on the network. Because a large number of important applications use TCP as their transport-layer protocol, TCP's security problems can have serious consequences for the network.

§1 The TCP state transition diagram and timers

The TCP state transition diagram governs the initialization, establishment and termination of a connection; it consists of a set of defined states and the transitions between them. The state transition diagram is closely tied to TCP's timers, and the different timers serve connection establishment or termination, flow control, and data transmission. The main timers and their functions are as follows:

● Connection-establishment timer: during connection establishment, this timer is started when the SYN segment is sent. If no response is received within 75 seconds, the connection attempt is abandoned.
● FIN-WAIT-2 timer: when a connection moves from FIN-WAIT-1 to FIN-WAIT-2, a FIN-WAIT-2 timer is set to 10 minutes. If the connection has not received a TCP segment with the FIN bit set within that time, the timer expires and is restarted with a value of 75 seconds. If no FIN segment arrives within this second period either, the connection is dropped.
● TIME-WAIT timer: this timer is started when the connection enters the TIME-WAIT state. When it expires, the kernel data block associated with the connection is deleted and the connection is terminated.
● Keepalive timer: this timer tests whether the other end of the connection is still alive. It applies when the SO_KEEPALIVE socket option is set and the TCP machine is in the ESTABLISHED or CLOSE-WAIT state.
Below we focus on the network security problems that arise from TCP state transitions and timers.

§2 Network intrusion methods

§2.1 Forged IP addresses

An intruder uses a forged IP address to send packets, exploiting applications that authenticate on the basis of IP address. The result is that an unauthorized remote user gets into a host system that sits behind a firewall. Assume two hosts A and B, and an intruder's host X. Suppose B grants A a certain privilege, so that A can have B perform certain operations. X's goal is to obtain the same rights from B. To achieve this, X must do two things: first, establish a false connection with B; second, prevent A from reporting to B. Host X must assume an IP address that makes B believe the packets from X really come from A. We also assume that communication between hosts A and B follows the TCP/IP three-way handshake. The handshake proceeds as follows:

A → B: SYN (sequence number = m)
B → A: SYN (sequence number = n), ACK (acknowledgment number = m + 1)
A → B: ACK (acknowledgment number = n + 1)

The steps by which host X forges the IP address are these. First, X pretends to be A and sends a SYN segment with a random sequence number to host B. Host B replies to host A with a SYN-ACK segment whose acknowledgment number equals the original sequence number plus 1; at the same time B generates its own sequence number for the segment it sends and includes it in the reply. To complete the three-way handshake, host X must send host B an acknowledgment whose acknowledgment number equals the sequence number of the segment B sent to host A, plus 1. If host X is not on the same subnet as A and B, it cannot observe B's segments, so X can create the TCP connection only by calculating B's sequence number.

The process is as follows:

X → B: SYN (sequence number = m), SRC = A
B → A: SYN (sequence number = n), ACK (acknowledgment number = m + 1)
X → B: ACK (acknowledgment number = n + 1), SRC = A

Host X must prevent host A from responding to the segment from host B. To do so, X can wait until host A is down for some reason, or disable the protocol part of host A's operating system so that it cannot respond to host B. Once host X has completed these operations, it can send commands to host B. Host B will execute them, believing they were sent by the legitimate host A.

§2.2 TCP state transition problems

In the intrusion described above, how does host X prevent host A from sending a response to host B? X does so by sending host A a series of SYN segments that do not allow A to complete the SYN-ACK exchange, thereby stalling the login port of host A. As mentioned earlier, TCP maintains a connection-establishment timer. If a connection cannot be established within the specified time (usually 75 seconds), TCP resets it. In the example above, the server port cannot respond within 75 seconds. Let us examine the segment sequence exchanged between host X and host A. X sends A a segment with both the SYN and FIN bits set, and A replies to X:

X → A: SYN FIN (sequence number = m)
A → X: ACK (acknowledgment number = m + 1)

From the state transition diagram in Figure 2 we see that A starts in the LISTEN state. When it receives the segment from X, it begins processing it. Notably, the TCP specification says nothing explicit about how to handle SYN and FIN set at the same time. We assume that A first processes the SYN flag and moves to the SYN-RCVD state, then processes the FIN flag and moves to the CLOSE-WAIT state. If the previous state had been ESTABLISHED, moving to CLOSE-WAIT would be a normal transition. However, the TCP specification defines no transition from the SYN-RCVD state to the CLOSE-WAIT state.
Nevertheless, such a transition exists in several TCP implementations, for example the open systems SunOS 4.1.3, SVR4 and ULTRIX 4.3. These implementations therefore contain an undefined transition arc from state SYN-RCVD to state CLOSE-WAIT, as shown in the figure. In the intrusion example above, because the three-way handshake never fully completes, the TCP connection is not truly established and the corresponding network application is not notified by the kernel. However, host A's TCP machine is in the CLOSE-WAIT state, so it can send a FIN segment to X to terminate the connection. This half-open connection remains in the socket's listen queue, and the application process sends nothing that would help TCP carry out a state transition. Host A's TCP machine is therefore locked in the CLOSE-WAIT state. If the keepalive timer feature is in use, TCP resets and moves to the CLOSED state after 2 hours.

When a TCP machine receives an RST from its peer, it moves from the ESTABLISHED, FIN-WAIT-1 or FIN-WAIT-2 state to the CLOSED state. These transitions matter because they reset the TCP machine and break the network connection. However, an arriving segment is validated only by its source IP address and by whether its sequence number falls within the current window.

Therefore an intruder can pretend to be a host that has a legitimate connection established and send the other host an RST segment with a suitable sequence number, so that the connection is terminated! From this analysis we see that several TCP implementations contain state transitions beyond those in the specification, and this creates serious security problems for the system.

§2.3 Timer problems

As noted above, once connection establishment begins, the connection timer is started. If the connection cannot be established within the specified time, the TCP machine returns to the CLOSED state. Let us analyze an example with host A and host X. Host A sends a SYN segment to host X, expecting a SYN-ACK segment. Suppose that, almost simultaneously, host X wants to establish a connection with host A and sends a SYN segment to A. On receiving the other side's SYN, each of A and X sends a SYN-ACK to the other, and after receiving the other side's SYN-ACK each considers the connection established. In this article we assume that when a host receives the other side's SYN it turns off the connection-establishment timer.

X → A: SYN (sequence number = m)
A → X: SYN (sequence number = n)
X → A: SYN (sequence number = m), ACK (acknowledgment number = n + 1)
A → X: SYN (sequence number = n), ACK (acknowledgment number = m + 1)

● Host X sends an FTP request to host A. A TCP connection is established between X and A to carry control signals. Host A then sends a SYN segment to X to open a TCP connection for data transfer, and its state moves to SYN-SENT.
● When X receives the SYN segment from A, it sends a SYN segment in reply.
● Host X receives the SYN-ACK segment from A but does not return any segment.
● Host A waits for the SYN-ACK from X. Since X returns nothing, A is locked in the SYN-RCVD state. In this way X has successfully blocked a port on A.
§3 Observing network intrusions with a network monitoring device

We install a network monitoring device on a local area network to observe the packets passing over it and so judge whether a network intrusion has occurred. Below we discuss the packet sequences the monitoring device would see for each of the intrusions described above.

§3.1 Forged IP addresses

At first the monitoring device sees a large number of TCP SYN segments from one host to a login port, and host A returns the corresponding SYN-ACK segments. The purpose of these SYN segments is to create a large number of half-open TCP connections to host A, filling the connection queue of A's login port. Then a large number of TCP SYN segments are sent from host X to host B, SYN-ACK segments are sent from host B to host X, and host X answers with RST segments. This SYN / SYN-ACK / RST sequence lets the intruder learn how host B's TCP sequence-number generator behaves. Next, host A sends a SYN segment to host B; in reality this is a "forged" segment sent by host X. On receiving it, host B sends the corresponding SYN-ACK segment to host A. Host A then sends an ACK segment to host B. Through these steps the intruding host establishes a one-way TCP connection with host B.

§3.2 False state transitions

When an intruder tries to use a server's state transition from SYN-RCVD to CLOSE-WAIT to block one of the server's network ports, the following packet sequence can be observed:

● Host X sends host B a TCP segment with both the SYN and FIN flags set.
● Host B first processes the SYN flag, generating a segment with the ACK flag set and moving its state to SYN-RCVD; it then processes the FIN flag, moves its state to CLOSE-WAIT, and sends the ACK segment to X.
● Host X sends no further segments to host B.
Host B's TCP machine remains stuck in the CLOSE-WAIT state until the keepalive timer resets it to the CLOSED state.
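As an added example that is not part of the original article, the following Python script plays the role of the passive monitoring device of §3. It reconstructs the server-side TCP state implied by each observed segment and reports the three patterns the article describes: the SYN+FIN segment of §2.2 and §3.2, half-open connections left in SYN-RCVD for longer than the 75-second establishment timer of §1 and §2.3, and the SYN / SYN-ACK / RST probing cycles of §3.1. The addresses, ports, timestamps, the `TcpMonitor` class and the alert thresholds (`PROBE_THRESHOLD`, `FLOOD_THRESHOLD`) are all constructed for this demonstration; only the 75-second timer value comes from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: a passive monitor in the spirit of the device in §3.
# Addresses, ports, timestamps and thresholds below are constructed for the demo.
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"
CONNECT_TIMEOUT = 75.0   # connection-establishment timer from §1, in seconds
PROBE_THRESHOLD = 3      # SYN/SYN-ACK/RST cycles before reporting probing (assumed value)
FLOOD_THRESHOLD = 5      # stale half-open connections on one port before reporting (assumed)


@dataclass(frozen=True)
class Segment:
    t: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def seg(t, src, sport, dst, dport, *flags):
    return Segment(t, src, sport, dst, dport, frozenset(flags))


class TcpMonitor:
    """Tracks the server-side state implied by each observed segment."""

    def __init__(self):
        self.conns = {}                       # (client, cport, server, sport) -> state dict
        self.probe_cycles = defaultdict(int)  # (client, server) -> SYN/SYN-ACK/RST cycles seen
        self.alerts = []

    def _key(self, s):
        """Return the client->server 4-tuple for s and whether s travels client->server."""
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if rev in self.conns and fwd not in self.conns:
            return rev, False
        return fwd, True

    def feed(self, s):
        key, from_client = self._key(s)
        client, _, server, _ = key
        if {SYN, FIN} <= s.flags:
            # RFC 793 defines no handling for SYN and FIN together; §2.2 shows it
            # driving some stacks from SYN-RCVD into CLOSE-WAIT, so report it outright.
            self.alerts.append(f"SYN+FIN from {s.src} to {s.dst}:{s.dport} (undefined state transition)")
            return
        if from_client and s.flags == {SYN}:
            self.conns[key] = {"state": "SYN-RCVD", "since": s.t, "synack": False}
            return
        conn = self.conns.get(key)
        if conn is None:
            return                                   # mid-stream segment; opening SYN not observed
        if not from_client and s.flags == {SYN, ACK} and conn["state"] == "SYN-RCVD":
            conn["synack"] = True                    # server answered; still waits for the final ACK
        elif from_client and s.flags == {ACK} and conn["state"] == "SYN-RCVD":
            conn["state"], conn["since"] = "ESTABLISHED", s.t
        elif RST in s.flags:
            if conn["state"] == "SYN-RCVD" and conn["synack"]:
                # A SYN answered by SYN-ACK and then aborted with RST is the §3.1
                # pattern used to observe the server's sequence-number generator.
                self.probe_cycles[(client, server)] += 1
                if self.probe_cycles[(client, server)] == PROBE_THRESHOLD:
                    self.alerts.append(f"{client} probing {server} sequence numbers with SYN/SYN-ACK/RST cycles")
            del self.conns[key]                      # RST returns the server to LISTEN/CLOSED
        elif FIN in s.flags and conn["state"] == "ESTABLISHED":
            conn["state"], conn["since"] = "CLOSE-WAIT", s.t   # normal passive close

    def sweep(self, now):
        """Count SYN-RCVD entries older than the establishment timer, per server port."""
        stale = defaultdict(int)
        for (_, _, server, port), c in self.conns.items():
            if c["state"] == "SYN-RCVD" and now - c["since"] > CONNECT_TIMEOUT:
                stale[(server, port)] += 1
        for (server, port), n in stale.items():
            if n >= FLOOD_THRESHOLD:
                self.alerts.append(f"{n} half-open connections to {server}:{port} older than {CONNECT_TIMEOUT:.0f}s")
        return dict(stale)


def constructed_trace():
    """Constructed capture: X probes B, sends A a SYN+FIN, leaves half-open connections on A:513; C behaves."""
    X, A, B, C = "10.0.0.66", "10.0.0.1", "10.0.0.2", "10.0.0.3"
    trace = []
    for i in range(3):                       # X watches B's sequence-number generator
        p, t0 = 40000 + i, 1.0 + i
        trace += [seg(t0, X, p, B, 513, SYN),
                  seg(t0 + 0.01, B, 513, X, p, SYN, ACK),
                  seg(t0 + 0.02, X, p, B, 513, RST)]
    trace.append(seg(10.0, X, 41000, A, 513, SYN, FIN))   # the §2.2 segment
    for i in range(6):                       # half-open connections left on A's login port
        p, t0 = 42000 + i, 20.0 + i
        trace += [seg(t0, X, p, A, 513, SYN),
                  seg(t0 + 0.01, A, 513, X, p, SYN, ACK)]
    trace += [seg(30.0, C, 50000, B, 513, SYN),           # a normal handshake and close
              seg(30.01, B, 513, C, 50000, SYN, ACK),
              seg(30.02, C, 50000, B, 513, ACK),
              seg(31.0, C, 50000, B, 513, FIN, ACK)]
    return trace


def run_monitor(now=120.0):
    mon = TcpMonitor()
    for s in constructed_trace():
        mon.feed(s)
    mon.sweep(now)
    return mon


if __name__ == "__main__":
    print("\n".join(run_monitor().alerts))
```

Run stand-alone, the script prints three alerts: the probing pattern against 10.0.0.2, the SYN+FIN segment to 10.0.0.1:513, and six half-open connections on 10.0.0.1:513 older than 75 s; the well-behaved client 10.0.0.3 produces none. The legitimate connection is tracked through ESTABLISHED into CLOSE-WAIT, which is exactly the transition the article contrasts with the undefined SYN-RCVD to CLOSE-WAIT arc.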

When reposting, please cite the original address: https://www.9cbs.com/read-90657.html
