TCP protocol knowledge base (interview essentials)

1. OSI seven-layer model

    Application layer: file transfer, file management, e-mail processing
    Presentation layer: encoding conversion, data parsing, data encryption and decryption
    Session layer: establishes, maintains and terminates the session between two nodes in the network
    Transport layer: divides data into segments; distinguishes different services by port number
    Network layer: logical addressing by IP address
    Data link layer: 1. MAC (medium access control); 2. LLC (logical link control), providing the FCS check for the layer above
    Physical layer: defines the electrical, voltage, interface and optical characteristics of the medium

Transport layer protocols: TCP: connection-oriented, reliable transport protocol
                           UDP: connectionless, unreliable transport protocol

         TCP is a connection-oriented, reliable transport protocol. Connection orientation is reflected in the three-way handshake; reliability is reflected in acknowledgement and retransmission, sequencing, and flow control (the sliding window).

2. TCP header interpretation

  1. Port numbers: identify different application processes on the same computer.
        Source port: together with the IP address, identifies the return address of the message.
        Destination port: identifies the application program interface on the receiving computer.
  2. Sequence number: 4 bytes; every byte of the byte stream transmitted over the TCP connection is numbered in sequence, and this field carries the number of the first data byte in this segment.
  3. Acknowledgement number: 4 bytes; the sequence number of the first data byte of the next segment expected from the other party.
  4. Header length / data offset: 4 bits; indicates how far the start of the TCP data is from the beginning of the TCP segment.
  5. Reserved bits: 6 bits, reserved for future use and currently all 0; generally used for QoS strategy.
  6. Urgent URG: when URG=1 the urgent pointer is valid, telling the system that this segment carries urgent data.
  7. Acknowledge ACK: when ACK=1 the acknowledgement field is valid. TCP stipulates that ACK must be set to 1 in every segment transmitted after the connection is established.
  8. Push PSH: for interactive communication between two applications; when the application process at one end wants to receive the other party's response immediately after typing a command, PSH is set to 1.
  9. Reset RST: when RST=1 a serious error has occurred in the TCP connection; the connection must be released and then re-established.
  10. Synchronize SYN: used to synchronize sequence numbers when a connection is established. SYN=1 and ACK=0 indicates a connection request; if the connection is accepted, the response carries SYN=1 and ACK=1.
  11. Terminate FIN: used to release a connection. FIN=1 indicates that the sender of this segment has finished sending its data and asks to release the connection.
  12. Window: 2 bytes; tells the peer how many bytes the sender of this segment is currently able to accept.
  13. Checksum: 2 bytes; covers both the header and the data.
  14. Urgent pointer: 2 bytes; gives the number of bytes of urgent data in this segment.
  15. Options: variable length; define other optional parameters.
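As an added example (not part of the original post), here is a Python parser and builder for the header laid out above, using only the standard library. The SYN segment it decodes is constructed inline, not a captured packet, and the checksum is left at zero because the pseudo-header it covers needs the IP addresses, which this example does not model. The data-offset check matters for anything that parses packets: a crafted offset below 5 or beyond the segment length must be rejected before slicing.

```python
import struct

# Flag bits in the low 6 bits of the 16-bit offset/reserved/flags word
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HEADER_FMT = "!HHIIHHHH"   # src, dst, seq, ack, offset/flags, window, checksum, urgent
MIN_HEADER = 20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed header fields, the options and the payload of a TCP segment."""
    if len(segment) < MIN_HEADER:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, off_res_flags,
     window, checksum, urg_ptr) = struct.unpack(HEADER_FMT, segment[:MIN_HEADER])
    data_offset = off_res_flags >> 12            # header length in 32-bit words
    header_len = data_offset * 4
    # Reject malformed offsets before slicing so a crafted header cannot yield
    # a negative-length options slice or point past the end of the segment.
    if header_len < MIN_HEADER or header_len > len(segment):
        raise ValueError(f"invalid data offset {data_offset}")
    reserved = (off_res_flags >> 6) & 0x3F        # 6 reserved bits, should be 0
    flags = off_res_flags & 0x3F
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": reserved,
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "options": segment[MIN_HEADER:header_len],
        "payload": segment[header_len:],
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options=b"") -> bytes:
    """Encode a header; options are zero-padded to a 32-bit boundary.
    The checksum is left 0: it is computed over a pseudo-header that needs the
    IP addresses, which this example does not model."""
    options = options + b"\x00" * ((-len(options)) % 4)
    data_offset = (MIN_HEADER + len(options)) // 4
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    off_res_flags = (data_offset << 12) | flag_bits   # reserved bits stay 0
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack,
                       off_res_flags, window, 0, 0) + options


# Constructed sample: a SYN from ephemeral port 40000 to port 80 carrying an
# MSS option (kind 2, length 4, value 1460). Not a captured packet.
SAMPLE_SYN = build_tcp_header(40000, 80, seq=1000, ack=0, flags=("SYN",),
                              window=65535, options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for key, value in parse_tcp_header(SAMPLE_SYN).items():
        print(f"{key:>11}: {value}")
```

Running the block prints the decoded fields of the constructed SYN; the options bytes come back as `02 04 05 b4` (MSS 1460) and the header length as 24 because of the one 4-byte option.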

3. Three-way handshake and four-way wave of the TCP protocol

  1. First handshake: to establish a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server to confirm. SYN: Synchronize Sequence Numbers.
  2. Second handshake: on receiving the SYN, the server must acknowledge the client's SYN (ack=j+1) and at the same time send its own SYN (syn=k), i.e. a SYN+ACK packet. The server then enters the SYN_RECV state.
  3. Third handshake: the client receives the server's SYN+ACK and sends an ACK packet (ack=k+1) to the server. Once this packet is sent, client and server both enter the ESTABLISHED state (TCP connection successful), completing the three-way handshake.

  SYN attack:
        During the three-way handshake, the connection that exists after the server has sent its SYN-ACK but before it has received the client's ACK is called a half-open connection; the server is in the SYN_RCVD state and moves to ESTABLISHED on receiving the ACK. In a SYN attack the client forges a large number of non-existent IP addresses in a short time and continuously sends SYN packets to the server; the server replies with acknowledgement packets and waits for the client's confirmation. Because the source addresses do not exist, the server keeps retransmitting until the timeout expires, and these forged SYN packets occupy the unconnected queue for a long time, so normal SYN requests are discarded because the queue is full, causing network congestion and even system paralysis. A SYN attack is a typical DDOS attack. Detecting a SYN attack is very simple: when there are a large number of half-open connections on the server and the source IP addresses are random, you can conclude that a SYN attack is under way. Use the following command to list the current half-open connections:
              #netstat -nap | grep SYN_RECV
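The detection rule just described (many half-open connections with random source addresses) as runnable Python, added here and not part of the original post: it parses the `netstat -nap` columns, counts SYN_RECV entries, and measures how many distinct sources they come from. The netstat output and the thresholds are constructed for the example; on a real host the thresholds have to be tuned against the server's normal load.

```python
import re
from collections import Counter

# Constructed sample of `netstat -nap` output (not captured from a real host):
# five half-open connections from five different sources plus two established ones.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             198.51.100.23:51234     ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.88:40002      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.150:40003     SYN_RECV    -
tcp        0      0 10.0.0.5:80             192.0.2.9:40004         SYN_RECV    -
tcp        0      0 10.0.0.5:443            192.0.2.77:40005        SYN_RECV    -
tcp        0      0 10.0.0.5:443            198.51.100.23:51300     ESTABLISHED 1234/nginx
"""

# Columns: proto, recv-q, send-q, local address, foreign address, state
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def half_open_connections(netstat_text: str):
    """Return (local_socket, remote_ip) for every socket in SYN_RECV."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line or non-TCP socket
        _proto, local, remote, state = m.groups()
        if state == "SYN_RECV":
            found.append((local, remote.rsplit(":", 1)[0]))   # drop the port
    return found


def assess_syn_flood(netstat_text: str, min_half_open: int = 50,
                     min_distinct_ratio: float = 0.8) -> dict:
    """Flag the 'many half-open connections from random sources' pattern.
    Thresholds are constructed for the example; tune them to the host."""
    half_open = half_open_connections(netstat_text)
    total = len(half_open)
    sources = Counter(ip for _, ip in half_open)
    ratio = len(sources) / total if total else 0.0
    return {
        "half_open": total,
        "distinct_sources": len(sources),
        "distinct_ratio": ratio,
        "targets": Counter(local for local, _ in half_open).most_common(3),
        "suspicious": total >= min_half_open and ratio >= min_distinct_ratio,
    }


if __name__ == "__main__":
    # On a live host, feed it the real output instead of the sample:
    # subprocess.run(["netstat", "-nap"], capture_output=True, text=True).stdout
    print(assess_syn_flood(SAMPLE_NETSTAT, min_half_open=5))
```

The distinct-source ratio is what separates a flood from a legitimately busy server: a burst of half-open connections from one or two addresses is more likely a slow client or a broken NAT than a spoofed SYN flood.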

  Unconnected queue:
        In the three-way handshake, the server maintains an unconnected queue. The queue opens an entry for each client SYN packet (syn=j), indicating that the server has received the SYN, has sent an acknowledgement to the client, and is waiting for the client's acknowledgement packet. The connections identified by these entries are in the SYN_RECV state on the server. When the server receives the client's acknowledgement packet, it deletes the entry and the connection enters the ESTABLISHED state.

  TIME_WAIT state:
    There are two reasons for the TIME_WAIT state:
    <1> To terminate the TCP connection reliably. If the last ACK is lost in the network, the server, having never received it, times out and retransmits its FIN; a client still in TIME_WAIT can then receive that FIN again and resend the ACK to the server.
    <2> To give late TCP segments enough time to be recognised and discarded. When a connection ends, delayed packets still in the network must be discarded so that they do not affect a new connection established immediately afterwards.

  Why the TCP protocol needs a three-way handshake:
    TCP is a reliable transport control protocol; the three-way handshake ensures reliable data transmission and improves transmission efficiency.
        If the TCP handshake were two-way:
    <1> Suppose the SYN sent by the client to the server is delayed in the network. Because the client receives no acknowledgement for its SYN, it resends the SYN; the server replies with an ACK and the connection is established. After the data is sent, the connection is closed normally. Now the delayed SYN arrives at the server. The server mistakenly takes it for a new synchronization request from the client and responds with an ACK, establishing a connection the client does not want.
    <2> Suppose the ACK sent by the server to the client is lost in the network. The server believes the connection is established, but the client has not received the acknowledgement and believes it is not. The client resends the SYN, while the server is already in the ready state and considers the connection established.
        If the TCP handshake were four-way:
        1. The client sends a SYN synchronization message to the server;
        2. After receiving the SYN, the server returns an ACK acknowledgement to the client;
        3. The server sends a SYN synchronization message to the client;
        4. The client sends an ACK acknowledgement to the server.
        Between steps 2 and 3 the server and client exchange no data; sending them separately just means sending one more TCP segment. SYN and ACK are merely flag bits in the TCP header, so these two steps can obviously be combined, which increases the speed and efficiency of connection setup.

  TCP four-way wave (connection release):
        1. Client A sends a FIN to close data transmission from client A to server B.
        2. When server B receives this FIN, it sends back an ACK whose acknowledgement number is the received sequence number plus 1. Like a SYN, a FIN occupies one sequence number.
        3. Server B closes its side of the connection with client A and sends a FIN to client A.
        4. Client A sends back an ACK for confirmation, setting the acknowledgement number to the received sequence number plus 1.

  Why is the connection established with a three-way handshake but closed with a four-way wave?
        Because when the server receives the client's SYN connection request, it can send SYN+ACK directly: the ACK part replies to the request and the SYN part synchronizes sequence numbers. But when the connection is being closed and the server receives a FIN, it may not be able to close its socket immediately, so it can only reply with an ACK first, telling the client "I received the FIN you sent." Only after all the data on the server side has been sent can the server send its own FIN, so the FIN cannot be combined with that ACK. Therefore four steps are required.
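A Python walk-through of the sequence and acknowledgement arithmetic of the three-way handshake and the four-way wave described above (added example, not code from the original post): both endpoints are modelled as a small state machine with initial sequence numbers j and k, SYN and FIN each consume one sequence number, and each side checks the other's acknowledgement number before advancing its state. Segments are in-memory objects; nothing is put on the wire, and the state names follow the ones used in the text.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    flags: frozenset
    seq: int
    ack: int


@dataclass
class Endpoint:
    name: str
    isn: int                    # initial sequence number: j for the client, k for the server
    state: str = "CLOSED"
    snd_nxt: int = 0            # next sequence number this side will use
    rcv_nxt: int = 0            # next sequence number expected from the peer
    log: list = field(default_factory=list)

    def send(self, *flags) -> Segment:
        seg = Segment(frozenset(flags), self.snd_nxt, self.rcv_nxt)
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1   # SYN and FIN each consume one sequence number
        self.log.append(f"{self.name}: {'+'.join(sorted(flags))} seq={seg.seq} ack={seg.ack}")
        return seg

    def receive(self, seg: Segment):
        """Verify the peer's acknowledgement and step past its SYN or FIN."""
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: bad ack {seg.ack}, expected {self.snd_nxt}")
        if "SYN" in seg.flags or "FIN" in seg.flags:
            self.rcv_nxt = seg.seq + 1


def three_way_handshake(client: Endpoint, server: Endpoint):
    server.state = "LISTEN"
    client.snd_nxt, server.snd_nxt = client.isn, server.isn
    syn = client.send("SYN");            client.state = "SYN_SENT"     # 1: SYN, seq=j
    server.receive(syn)
    synack = server.send("SYN", "ACK");  server.state = "SYN_RECV"     # 2: SYN+ACK, seq=k, ack=j+1
    client.receive(synack)
    ack = client.send("ACK");            client.state = "ESTABLISHED"  # 3: ACK, ack=k+1
    server.receive(ack);                 server.state = "ESTABLISHED"
    return [syn, synack, ack]


def four_way_close(client: Endpoint, server: Endpoint):
    fin1 = client.send("FIN", "ACK");    client.state = "FIN_WAIT_1"   # 1: client FIN
    server.receive(fin1)
    ack1 = server.send("ACK");           server.state = "CLOSE_WAIT"   # 2: ACK = FIN seq + 1
    client.receive(ack1);                client.state = "FIN_WAIT_2"
    fin2 = server.send("FIN", "ACK");    server.state = "LAST_ACK"     # 3: server FIN, once its data is sent
    client.receive(fin2)
    ack2 = client.send("ACK");           client.state = "TIME_WAIT"    # 4: final ACK; client now waits 2MSL
    server.receive(ack2);                server.state = "CLOSED"
    return [fin1, ack1, fin2, ack2]


def run(j: int = 1000, k: int = 5000):
    """Run setup and teardown with constructed ISNs j and k."""
    client, server = Endpoint("client", j), Endpoint("server", k)
    segments = three_way_handshake(client, server) + four_way_close(client, server)
    return client, server, segments


if __name__ == "__main__":
    c, s, _ = run()
    print("\n".join(c.log + s.log))
```

Running it shows the seven segments with seq/ack values; the point of `receive()` raising on a wrong acknowledgement number is the same check a real stack performs, which is why a SYN+ACK has to carry ack=j+1 and the final ACK ack=k+1, and why the server's FIN in the wave is a separate segment from its ACK.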

4. How to defend against a TCP SYN attack?

        Process: a SYN attack exploits the half-open connection of the TCP three-way handshake; it is a DOS attack. After the attacker sends the first handshake, the server adds an entry to its unconnected queue and sends its reply, but the attacker never sends the third-handshake ACK. The server keeps waiting, wasting CPU and memory, and with a large number of half-open connections kept alive for a long time it can no longer serve normal clients.
        Defence: reduce the timeout; SYN gateway and SYN proxy; increase the maximum number of half-open connections; SYN cookie technology.

        SYN Cookie is a modification of the three-way handshake on the TCP server side, designed specifically to prevent SYN flood attacks. Its principle: when the TCP server receives a TCP SYN packet and returns a TCP SYN+ACK, it does not allocate a dedicated data area; instead it computes a cookie value from the SYN packet. When the TCP ACK packet arrives, the server checks its validity against the cookie value, and only if it is legitimate does it allocate the dedicated data area for processing the TCP connection.
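An added Python illustration of the SYN cookie idea (not the original post's code and not any real kernel's implementation): the server's ISN in the SYN+ACK is built from a time counter, an MSS index and a keyed hash over the connection 4-tuple and the client's ISN, so nothing has to be stored for the half-open connection; the third-handshake ACK is validated by recomputing the hash from the ACK's own fields. The secret key, the MSS table, the bit layout, the counter period and the addresses are all constructed for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses a random, rotated key
MSS_TABLE = [536, 1220, 1460]         # MSS values the 3-bit index can encode (toy choice)
COUNTER_PERIOD = 64                   # seconds per counter tick (toy choice)


def current_counter() -> int:
    """5-bit slowly moving counter, so old cookies expire."""
    return (int(time.time()) // COUNTER_PERIOD) & 0x1F


def _mac(four_tuple, client_isn: int, counter: int) -> int:
    """24-bit keyed hash over the 4-tuple, the client's ISN and the counter."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(four_tuple, client_isn: int, counter: int, mss_idx: int) -> int:
    """Server ISN for the SYN+ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    No per-connection state is stored at this point."""
    counter &= 0x1F
    return (counter << 27) | ((mss_idx & 0x7) << 24) | _mac(four_tuple, client_isn, counter)


def check_syn_cookie(four_tuple, ack_seq: int, ack_ack: int,
                     now_counter: int, max_age: int = 2):
    """Validate the third-handshake ACK. Returns the MSS to use for the new
    connection, or None if the ACK does not match a cookie we could have issued."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF        # the ACK acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF    # the client's seq is its ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now_counter - counter) & 0x1F) > max_age:
        return None                            # stale: too many counter ticks ago
    if mss_idx >= len(MSS_TABLE):
        return None                            # index we never issue
    expected = _mac(four_tuple, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                            # forged or mismatched ACK
    return MSS_TABLE[mss_idx]                  # legitimate: allocate state now


if __name__ == "__main__":
    ft = ("198.51.100.23", 51234, "10.0.0.5", 80)   # constructed addresses
    c = current_counter()
    cookie = make_syn_cookie(ft, client_isn=1000, counter=c, mss_idx=2)
    print("valid ACK -> MSS", check_syn_cookie(ft, 1001, cookie + 1, c))
    print("forged ACK ->", check_syn_cookie(ft, 1001, cookie + 2, c))
```

The trade-off visible here is the reason SYN cookies are a fallback rather than the default: only what fits in the 32-bit ISN survives (here an MSS index and a coarse counter), so other SYN options are lost, and a spoofed ACK with the right number has a 2^-24 chance of passing the hash in this toy layout.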

        If the protocol itself can be modified, the SCTP four-way handshake mechanism is a useful reference.
        Note: DOS attacks can also occur during the TCP four-way wave.

5. Briefly describe how the sender and receiver of the TCP protocol ensure reliable delivery of packets during data transmission.

        1. To ensure reliable delivery, the sender must keep every sent packet in a buffer;
        2. and start a timeout timer for each sent packet;
        3. if, before the timer expires, a response from the other party is received (either for this packet or for a later packet), the buffer occupied by the packet is released;
        4. otherwise the packet is retransmitted until a response is received or the number of retransmissions exceeds the specified maximum.
        5. After receiving a packet, the receiver first performs a CRC check. If it passes, the data is handed to the upper-layer protocol and a cumulative acknowledgement is sent to the sender, indicating that the data has been received. If the receiver happens to have data to send to the sender, the acknowledgement can also be piggybacked on that data packet.

6. How does TCP implement flow control and congestion control with the sliding window protocol?

        1. Slow start: the sender begins by sending multiple segments into the network, up to the window size announced by the receiver. This works when sender and receiver are on the same local area network, but if there are multiple routers and slower links between them, problems may occur: some intermediate routers must buffer packets and may run out of memory.
        2. Congestion avoidance: a timeout or the receipt of three identical ACKs indicates a packet-loss event, meaning the network is congested, and congestion control must be performed. The slow start threshold is set to half of the current congestion window; if a timeout was detected, the congestion window is set to 1. If the congestion window is less than or equal to the slow start threshold, TCP re-enters slow start; if it is greater, TCP runs the congestion avoidance algorithm.
        3. Fast retransmit: when the TCP source receives three identical (duplicate) ACKs, it assumes a packet was lost and retransmits it without waiting for the RTO to expire. At the same time ssthresh is set to half of the current cwnd, and cwnd is reduced to half of its previous value.
        4. Fast recovery: when an "old" packet leaves the network, a "new" packet can be sent into it, so the number of packets in flight at one time stays constant. Each duplicate ACK the sender receives is taken to mean that one packet has left the network, so the congestion window is increased by 1.
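As an added example (not from the original post) covering both the reliability steps in section 5 and the cwnd/ssthresh rules in section 6, this Python sender keeps every sent segment buffered with its own timer, frees segments on a cumulative ACK, retransmits on timeout or on three duplicate ACKs, and updates cwnd through slow start, congestion avoidance, fast retransmit and fast recovery. The receiver is not modelled: `run_scenario()` feeds the ACKs by hand in a constructed sequence, segments are counted as units rather than bytes, and the RTO is a tick count rather than a measured RTT.

```python
class TcpSender:
    """Sender side of TCP reliability and congestion control, in units of segments.
    Each sent segment stays buffered with its own timer until a cumulative ACK covers it."""
    MAX_RETRIES = 5

    def __init__(self, isn=0, rto=3, ssthresh=8):
        self.snd_una = isn        # oldest unacknowledged sequence number
        self.snd_nxt = isn        # next sequence number to send
        self.buffer = {}          # seq -> [ticks until timeout, retransmissions so far]
        self.rto = rto
        self.cwnd = 1.0           # congestion window (segments)
        self.ssthresh = ssthresh  # slow start threshold (segments)
        self.dup_acks = 0
        self.in_recovery = False
        self.events = []          # (what, seq) records for the reader and the tests

    def in_flight(self):
        return len(self.buffer)

    def send_new(self, available):
        """Send new segments while cwnd allows; each is buffered with a fresh timer."""
        sent = 0
        while self.in_flight() < int(self.cwnd) and sent < available:
            self.buffer[self.snd_nxt] = [self.rto, 0]
            self.snd_nxt += 1
            sent += 1
        return sent

    def on_ack(self, ack):
        if ack > self.snd_una:                  # cumulative ACK: free everything below it
            for seq in [s for s in self.buffer if s < ack]:
                del self.buffer[seq]
            self.snd_una, self.dup_acks = ack, 0
            if self.in_recovery:                # fast recovery ends: deflate to ssthresh
                self.cwnd, self.in_recovery = float(self.ssthresh), False
            elif self.cwnd < self.ssthresh:     # slow start: +1 segment per ACK
                self.cwnd += 1
            else:                               # congestion avoidance: +1 segment per RTT
                self.cwnd += 1 / self.cwnd
        elif ack == self.snd_una:               # duplicate ACK
            self.dup_acks += 1
            if self.in_recovery:
                self.cwnd += 1                  # one more segment has left the network
            elif self.dup_acks == 3:            # fast retransmit without waiting for the RTO
                self.ssthresh = max(int(self.cwnd / 2), 2)
                self.cwnd, self.in_recovery = float(self.ssthresh), True
                self._retransmit(self.snd_una)
                self.events.append(("fast_retransmit", self.snd_una))

    def tick(self):
        """One clock tick: age every timer and retransmit whatever expired."""
        expired = []
        for seq, entry in self.buffer.items():
            entry[0] -= 1
            if entry[0] <= 0:
                expired.append(seq)
        if expired:                             # timeout: back to slow start from 1
            self.ssthresh = max(int(self.cwnd / 2), 2)
            self.cwnd, self.dup_acks, self.in_recovery = 1.0, 0, False
            for seq in expired:
                self._retransmit(seq)
            self.events.append(("timeout", expired[0]))

    def _retransmit(self, seq):
        entry = self.buffer[seq]
        if entry[1] >= self.MAX_RETRIES:
            raise ConnectionError(f"segment {seq} exceeded {self.MAX_RETRIES} retransmissions")
        entry[0], entry[1] = self.rto, entry[1] + 1


def run_scenario():
    """Constructed scenario: slow start, a lost segment recovered by fast retransmit,
    a little congestion avoidance, then a full RTO."""
    s, trace = TcpSender(isn=0, rto=3, ssthresh=8), {}
    s.send_new(100); s.on_ack(1)                      # seq 0 acked: cwnd 1 -> 2
    s.send_new(100); s.on_ack(2); s.on_ack(3)         # seqs 1,2 acked: cwnd -> 4
    trace["cwnd_after_slow_start"] = s.cwnd
    s.send_new(100)                                   # seqs 3..6 in flight; seq 3 is lost
    for _ in range(3):                                # 4,5,6 arrive: three duplicate ACKs for 3
        s.on_ack(3)
    trace["fast_retransmit"] = s.events[-1]
    trace["cwnd_after_fast_retransmit"] = s.cwnd
    s.on_ack(7)                                       # retransmitted 3 fills the hole: ACK 7
    trace["in_flight_after_cumulative_ack"] = s.in_flight()
    s.send_new(100); s.on_ack(8); s.on_ack(9)         # congestion avoidance: +1/cwnd per ACK
    trace["cwnd_after_congestion_avoidance"] = round(s.cwnd, 2)
    s.send_new(100)                                   # seqs 9,10 sent; nothing comes back
    for _ in range(s.rto):
        s.tick()
    trace["timeout"] = s.events[-1]
    trace["cwnd_after_timeout"] = s.cwnd
    return trace


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the two loss signals visible side by side: three duplicate ACKs cost the sender half its window and one immediate retransmission, while an RTO collapses cwnd to a single segment, which is why a flood of half-open or stalled connections is so much more expensive for a server than ordinary loss.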

7. What are the differences between TCP and UDP?

        1. TCP is connection-based and provides reliable transmission; UDP is connectionless and does not provide reliable transmission;
        2. UDP is message-oriented (datagrams), while TCP is byte-stream-oriented;
        3. UDP headers are simple, so its transmission efficiency is high;
        4. TCP provides only point-to-point communication, while UDP supports unicast, multicast and broadcast.

8. What timers does TCP have?

        1. Retransmission timer: controls lost or discarded segments, i.e. how long to wait for a segment's acknowledgement.
        2. Persistence timer: set up specifically to deal with zero-window notifications.
        3. Keep-alive timer: whenever the server receives data from the client, it resets the keep-alive timer. The timeout is usually set to 2 hours; if the server has received nothing from the client for more than 2 hours, it sends probe segments, and if 10 probe segments (sent within 75 seconds) get no response, the connection is terminated.
        4. Time-wait timer: used while the connection is being terminated. When TCP closes a connection it does not consider it really closed right away; during the waiting period the connection is in an intermediate state, so a repeated FIN segment that arrives is discarded. The value of this timer is usually set to twice the expected lifetime of a segment.


Origin: blog.csdn.net/Han_V_Qin/article/details/106423444