Security: TCP, SYN Flooding and nmap

Table of Contents

SYN flooding

Introduction: the attacker keeps sending TCP packets with SYN = 1 to the target; the target's memory fills up with half-open connections and service is denied.
Command: netwox 76 -i target_ip -p port
How it works: during TCP connection establishment, when the server receives a SYN packet it allocates a fairly large TCB (transmission control block) to store the connection state and enters the half-open state.
Defense: once this attack is detected, enable SYN cookies: echo 1 > /proc/sys/net/ipv4/tcp_syncookies
The SYN cookie principle:
no resources are allocated until the ACK arrives. On receiving a SYN packet, the server builds the SYN+ACK packet to send back to the client, but the sequence number in that packet is no longer a random value;
it is the SYN cookie, constructed according to the following rules:

  1. Top 5 bits: t mod 32, where t is a slowly increasing timestamp (usually time() shifted right by 6 bits, which gives a resolution of 64 seconds).
  2. Middle 3 bits: m, an encoded value representing the maximum segment size (MSS) that the server would have stored in the SYN queue entry.
  3. Bottom 24 bits: s = Hash(server IP, server port, client IP, client port)

When the client sends its ACK packet back to the server, the server subtracts 1 from the acknowledgement number to recover the SYN cookie it sent to the client, and performs the following checks:

  1. Compare the value t with the current time to see whether the connection has expired.
  2. Recompute s to determine whether this is indeed a valid SYN cookie.
  3. Decode the 3-bit value m from the SYN cookie; it can then be used to reconstruct the SYN queue entry.

SYN cookie disadvantages:

  1. The server is limited to 8 distinct MSS values, because only 3 bits are available to encode them.
  2. The server must reject all TCP options (such as large windows or timestamps).
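The construction and the three checks above, as an added worked example (not code from the original post). The bit layout follows the text: 5 bits of t, 3 bits of m, 24 bits of s. Two details are assumptions of this example rather than statements of the post: the 24-bit hash is keyed with a secret and also mixes in t (so an old cookie cannot be replayed into a new time window), and the 8-entry MSS table is constructed here.

```python
import hashlib
import hmac
import struct
import time

# Constructed 8-entry MSS table; the 3-bit field m is an index into it.
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]
# Accept cookies from the current tick and up to this many earlier 64 s ticks (assumption).
COOKIE_TTL_TICKS = 2
# Per-boot random secret in a real stack; fixed here so the example is reproducible.
SECRET = b"constructed-demo-secret"


def timestamp_tick(now=None):
    """Slowly increasing counter t: seconds >> 6 gives 64-second resolution."""
    if now is None:
        now = time.time()
    return int(now) >> 6


def encode_mss(client_mss):
    """Largest table index whose MSS does not exceed what the client offered."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def cookie_hash(server_ip, server_port, client_ip, client_port, t):
    """24-bit keyed hash over the 4-tuple (and, as an assumption, the tick t)."""
    msg = struct.pack("!4sH4sHI", server_ip, server_port, client_ip, client_port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(server_ip, server_port, client_ip, client_port, client_mss, now=None):
    """Initial sequence number for the SYN+ACK: t (5 bits) | m (3 bits) | s (24 bits)."""
    t = timestamp_tick(now)
    m = encode_mss(client_mss)
    s = cookie_hash(server_ip, server_port, client_ip, client_port, t)
    return ((t & 0x1F) << 27) | (m << 24) | s


def check_syn_cookie(ack_number, server_ip, server_port, client_ip, client_port, now=None):
    """Validate the ACK of the handshake; return the decoded MSS, or None if invalid."""
    cookie = (ack_number - 1) & 0xFFFFFFFF     # ack = ISN + 1, so ISN = ack - 1
    t_field = cookie >> 27
    m = (cookie >> 24) & 0x7
    s = cookie & 0xFFFFFF
    current = timestamp_tick(now)
    # Check 1: find a recent tick whose low 5 bits match; none within the TTL means expired.
    for age in range(COOKIE_TTL_TICKS + 1):
        t = current - age
        if (t & 0x1F) != t_field:
            continue
        # Check 2: recompute s for that tick; mismatch means a forged or tampered cookie.
        if cookie_hash(server_ip, server_port, client_ip, client_port, t) != s:
            return None
        # Check 3: decode m to rebuild the queue entry's MSS.
        return MSS_TABLE[m]
    return None


if __name__ == "__main__":
    srv, cli = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 7])   # constructed addresses
    isn = make_syn_cookie(srv, 80, cli, 40000, 1460)
    print("cookie 0x%08x -> MSS %r" % (isn, check_syn_cookie(isn + 1, srv, 80, cli, 40000)))
```

Note that a flood of SYNs alone never reaches `check_syn_cookie`: nothing is stored per SYN, and a spoofed ACK that did not come from a real SYN+ACK fails the hash check, which is the whole point of the defense.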

nmap

Description: a scanning tool that integrates multiple scan functions.
Port detection command: nmap ip, also known as TCP connect (-sT) scanning.
Principle: send a SYN to each port of the target. If the port is open, a connection is established; if it is closed, an RST is received; if the SYN is filtered, there is no reply.
Drawback: the connections that get established leave traces on the target.

Improvement: sudo nmap ip, TCP SYN (half-open, -sS) scanning.
Principle: requires root privileges because it crafts packets directly. After receiving the target's SYN+ACK it does not reply with an ACK but sends an RST instead, so the connection is never established.

-sF, FIN scan: can determine whether a port is closed, or open/filtered; the scan result is either closed or open|filtered.
-sA, ACK scan: determines whether the target port is filtered. Whether the port is open or closed, a received ACK packet is answered with an RST; the scan result is filtered or unfiltered.
Intersecting the results of -sF and -sA determines the state of the target port.

| Target port | Open | Closed | Filtered |
|---|---|---|---|
| -sT | SYN+ACK | RST | No reply |
| -sS | SYN+ACK | RST | No reply |
| -sA | RST | RST | No reply |
| -sF | No reply | RST | No reply |

nmap idle

Compared with the nmap scans above, the attacker sends no packets to the target from their own address, so no trace is left. It relies on the IP datagram identifier (ip_id, used for fragmentation and reassembly) increasing by one per packet sent (this predictability is the weakness being exploited).
Steps:

  1. The attacker sends a SYN to the zombie (an idle host with no other network activity); the zombie replies with an RST whose ip_id = 1033.
  2. The attacker sends a SYN to the target with the zombie's IP as the source address. If the target port is open, the target sends SYN+ACK; the zombie receives it and replies with an RST. If the port is closed, the target sends an RST, which the zombie simply ignores.
  3. The attacker sends another SYN to the zombie and checks the ip_id of the zombie's RST: if it is 1033 + 1, the zombie exchanged no packets with the target and the port is closed;
    if it is 1033 + 2, the port is open; if it is 1033 + 3 or more, the zombie is not really idle and nothing can be concluded.

Principle:

  • On receiving a SYN packet: if the port is open, reply SYN+ACK; if it is closed, reply RST.
  • On receiving a SYN+ACK for a SYN it never sent, a host replies RST.
  • Because ip_id increases by one per packet, reading the identifier at two points in time reveals how many packets a single host sent in between.
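The three rules and the ip_id arithmetic of the idle scan, as an added simulation that is not part of the original post. The `Host` class, the packet dicts, the port numbers and the ip_id values are all constructed. It goes slightly beyond the text in two ways: a `noise` parameter shows how a zombie that is not truly idle produces either a false "open" or the "cannot conclude" case, and a host whose ip_id is not a global counter (a constructed non-incrementing sequence, standing in for randomised IP IDs, which is the mitigation for this weakness) makes the inference fail entirely.

```python
import itertools


class Host:
    """Constructed model of a host: the three reply rules plus IP ID assignment."""

    def __init__(self, name, open_ports=(), ip_id_start=1033, ip_id_sequence=None):
        self.name = name
        self.open_ports = set(open_ports)
        self.ip_id = ip_id_start
        # If given, IP IDs are drawn from this fixed (constructed) sequence instead of
        # a global per-packet counter, modelling a host with unpredictable ip_id.
        self.ip_id_sequence = itertools.cycle(ip_id_sequence) if ip_id_sequence else None

    def _next_ip_id(self):
        if self.ip_id_sequence is not None:
            return next(self.ip_id_sequence)
        current = self.ip_id
        self.ip_id = (self.ip_id + 1) & 0xFFFF      # increments by one per packet sent
        return current

    def receive(self, pkt):
        """Apply the reply rules from the text; return the reply packet, or None."""
        if pkt["flags"] == "SYN":
            reply = "SYN+ACK" if pkt["dport"] in self.open_ports else "RST"
        elif pkt["flags"] == "SYN+ACK":
            reply = "RST"          # SYN+ACK for a connection this host never opened
        else:
            return None            # an RST (or anything else) is silently dropped
        return {"src": self, "dst": pkt["src"], "flags": reply, "ip_id": self._next_ip_id()}


def probe_ip_id(zombie, prober):
    """Send a SYN to a closed zombie port and read the ip_id of its RST."""
    reply = zombie.receive({"src": prober, "dst": zombie, "flags": "SYN", "dport": 31337})
    return reply["ip_id"]


def idle_scan_port(prober, zombie, target, port, noise=0):
    """Steps 1-3 from the text; returns 'open', 'closed' or 'unreliable-zombie'."""
    before = probe_ip_id(zombie, prober)                                  # step 1
    # Step 2: the SYN carries the zombie as its source, so any reply goes to the zombie.
    reply = target.receive({"src": zombie, "dst": target, "flags": "SYN", "dport": port})
    if reply is not None:
        zombie.receive(reply)      # zombie answers a SYN+ACK with RST, ignores an RST
    for _ in range(noise):         # unrelated traffic a non-idle zombie would also answer
        zombie.receive({"src": None, "dst": zombie, "flags": "SYN", "dport": 31337})
    after = probe_ip_id(zombie, prober)                                   # step 3
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unreliable-zombie"


if __name__ == "__main__":
    prober, zombie = Host("prober"), Host("zombie")
    target = Host("target", open_ports={22, 80})
    for port in (80, 23):
        print(port, idle_scan_port(prober, zombie, target, port))
    busy = Host("busy-zombie")
    print("closed port, 1 extra packet:", idle_scan_port(prober, busy, target, 23, noise=1))
    random_id = Host("random-id-zombie", ip_id_sequence=[40211, 3, 61007, 12345, 7, 50000])
    print("unpredictable ip_id:", idle_scan_port(prober, random_id, target, 80))
```

The `noise=1` case is the instructive one: a single unrelated packet answered by the zombie during the scan turns a closed port into a false "open", which is why the technique needs a genuinely idle host, and why a host whose ip_id does not form a global counter cannot serve as one at all.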

References:
https://zhuanlan.zhihu.com/p/59750145
"TCP/IP Illustrated"


Source: www.cnblogs.com/ChengzhiYang/p/11360088.html