This is a hack essay, an unreliable hack essay.
The kernel keeps a per-peer data set, the TCP metrics cache. The sysctl that governs it is:
net.ipv4.tcp_no_metrics_save
(set to 1, the kernel stops saving metrics when a connection closes; you can inspect the cache with ip tcp_metrics show). For any peer the cache holds values indexed by the route metric fields below, taken from include/uapi/linux/rtnetlink.h (the TCP cache itself stores the rtt, rttvar, ssthresh, cwnd and reordering entries):
/* include/uapi/linux/rtnetlink.h */
enum {
RTAX_UNSPEC,
#define RTAX_UNSPEC RTAX_UNSPEC
RTAX_LOCK,
#define RTAX_LOCK RTAX_LOCK
RTAX_MTU,
#define RTAX_MTU RTAX_MTU
RTAX_WINDOW,
#define RTAX_WINDOW RTAX_WINDOW
RTAX_RTT,
#define RTAX_RTT RTAX_RTT
RTAX_RTTVAR,
#define RTAX_RTTVAR RTAX_RTTVAR
RTAX_SSTHRESH,
#define RTAX_SSTHRESH RTAX_SSTHRESH
RTAX_CWND,
#define RTAX_CWND RTAX_CWND
RTAX_ADVMSS,
#define RTAX_ADVMSS RTAX_ADVMSS
RTAX_REORDERING,
#define RTAX_REORDERING RTAX_REORDERING
RTAX_HOPLIMIT,
#define RTAX_HOPLIMIT RTAX_HOPLIMIT
RTAX_INITCWND,
#define RTAX_INITCWND RTAX_INITCWND
RTAX_FEATURES,
#define RTAX_FEATURES RTAX_FEATURES
RTAX_RTO_MIN,
#define RTAX_RTO_MIN RTAX_RTO_MIN
RTAX_INITRWND,
#define RTAX_INITRWND RTAX_INITRWND
RTAX_QUICKACK,
#define RTAX_QUICKACK RTAX_QUICKACK
RTAX_CC_ALGO,
#define RTAX_CC_ALGO RTAX_CC_ALGO
__RTAX_MAX
};
However, most people consider this unreliable. Because of IPv4's inherent problems, the limited address space and the lack of built-in security measures, most organizations use NAT to alleviate them, and operators deploy carrier-grade NAT as well (with the users' consent, nominally). NAT brings a problem here.
A peer is identified by an IP address. If that address belongs to a NAT device, every host behind it collapses into one peer: the cwnd or RTT cached from one host's connection gets applied to the next connection from a different host. This is why so many tuning guides set tcp_no_metrics_save=1 (the kernel saves metrics by default). But is the information about the hosts behind the NAT really lost?
No!
A network endpoint's portrait need not be drawn from the five-tuple alone; it can be drawn from any field in the protocol headers of the TCP/IP suite. A familiar example is nmap, which has a large fingerprint database behind it and can identify the OS version from, among other things, how the TCP initial sequence number is generated!
It is that simple. In fact every header field can be used, as long as you know the implementation details behind it.
How do you tell whether a reset in a TCP stream is genuine? Look at the IPID field of the IP header. If it is not loosely continuous with the IPIDs of the preceding packets of the same five-tuple from the same sender, the reset was forged by an intermediate device. Likewise, a TTL that clearly differs from the flow's baseline is a first-glance tell. One caveat: RFC 6864 only requires the IPID to be unique for fragmentable datagrams, and some stacks send a zero or random IPID when DF is set, so the IPID check is not universal and is best combined with the TTL check.
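The check described above, as an added example that is not part of the original essay: each RST is judged against the TTL baseline and the last IPID its flow has established, so a RST that arrives with a fresh IPID and a different TTL is flagged as forged. The packet records are constructed inline, not a real capture; a real deployment would feed the same records from a pcap parser.

```python
# Added example (not from the essay): classify each RST in a packet list as
# genuine or forged by checking it against the IPID and TTL its flow has
# established so far. Input records are constructed here, not a real capture.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str      # sender of this packet (for a forged RST: the spoofed server)
    dst: str
    sport: int
    dport: int
    ipid: int     # IP header Identification field
    ttl: int      # IP header TTL as observed at the capture point
    rst: bool = False


Flow = Tuple[str, str, int, int]


def flow_key(p: Pkt) -> Flow:
    return (p.src, p.dst, p.sport, p.dport)


def ipid_gap(prev: int, cur: int) -> int:
    """Forward distance prev -> cur in the 16-bit IPID space (handles wrap)."""
    return (cur - prev) & 0xFFFF


def judge_resets(pkts: List[Pkt], max_gap: int = 64) -> List[dict]:
    """Return one verdict dict per RST, in order of appearance.

    A RST is 'genuine' when its TTL equals the flow's baseline TTL and its
    IPID sits a short forward step (1..max_gap) after the last IPID the same
    sender used on that flow. Anything else is 'forged'. Only non-RST packets
    and genuine RSTs update the per-flow state, so a forged RST cannot poison it.
    """
    last_ipid: Dict[Flow, int] = {}
    ttl_base: Dict[Flow, int] = {}
    verdicts = []
    for i, p in enumerate(pkts):
        k = flow_key(p)
        if not p.rst:
            ttl_base.setdefault(k, p.ttl)   # first packet fixes the baseline TTL
            last_ipid[k] = p.ipid
            continue
        reasons = []
        if k not in ttl_base:
            reasons.append("no prior packets on this flow")
        else:
            if p.ttl != ttl_base[k]:
                reasons.append(f"ttl {p.ttl} != flow baseline {ttl_base[k]}")
            gap = ipid_gap(last_ipid[k], p.ipid)
            if not (1 <= gap <= max_gap):
                reasons.append(f"ipid {p.ipid} not within {max_gap} after {last_ipid[k]}")
        verdict = "forged" if reasons else "genuine"
        if verdict == "genuine":
            last_ipid[k] = p.ipid
        verdicts.append({"index": i, "flow": k, "verdict": verdict, "reasons": reasons})
    return verdicts


# Constructed sample: server 93.184.216.34:80 talking to client 10.0.0.5:40000.
SRV, CLI = "93.184.216.34", "10.0.0.5"
SAMPLE = [
    Pkt(SRV, CLI, 80, 40000, ipid=1000, ttl=52),
    Pkt(SRV, CLI, 80, 40000, ipid=1001, ttl=52),
    Pkt(SRV, CLI, 80, 40000, ipid=1002, ttl=52),
    # An on-path box injects a RST with the server's address: fresh IPID, different TTL.
    Pkt(SRV, CLI, 80, 40000, ipid=54321, ttl=244, rst=True),
    Pkt(SRV, CLI, 80, 40000, ipid=1003, ttl=52),
    # The server itself closes the connection: IPID and TTL continue the pattern.
    Pkt(SRV, CLI, 80, 40000, ipid=1004, ttl=52, rst=True),
]

if __name__ == "__main__":
    for v in judge_resets(SAMPLE):
        print(v["index"], v["verdict"], "; ".join(v["reasons"]))
```

The max_gap of 64 is an assumed tolerance: a sender that is talking to other peers at the same time advances its global IPID counter between the packets you see on this flow, so the expected step is small but not exactly 1.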
Slightly harder than spotting a forged reset: how do you count the machines behind a NAT? This takes some plotting. Collect the IPIDs coming from that address densely, plot them against time, and count the monotonically increasing lines. Each host with a global IPID counter draws its own line, so the number of lines is roughly the number of hosts behind the NAT. Hosts whose stacks randomise the IPID or keep a per-destination counter do not draw a line, so treat the count as a lower bound.
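The line-counting idea above, as an added example that is not part of the original essay: instead of drawing the plot, the code threads the (time, IPID) observations from one address into monotonic chains and counts the chains long enough to be a line. The observations are constructed inline (three simulated hosts plus two noise packets); the gap and age thresholds are assumed values to tune against real traffic.

```python
# Added example (not from the essay): estimate how many hosts sit behind one
# NAT address by threading the IPIDs it emits into monotonic chains. The
# observations are constructed below, not captured; real input would be
# (timestamp, IPID) pairs taken from packets with that source address.
from typing import List, Tuple


def ipid_gap(prev: int, cur: int) -> int:
    """Forward distance prev -> cur in the 16-bit IPID space (handles wrap)."""
    return (cur - prev) & 0xFFFF


def ipid_chains(samples: List[Tuple[float, int]], max_gap: int = 300,
                max_age: float = 60.0) -> List[dict]:
    """Greedy chain assignment, one pass in time order.

    Each chain is the trajectory of one host's global IPID counter. A sample
    joins the live chain whose last IPID is the nearest value a short step
    (1..max_gap) behind it; otherwise it opens a new chain. Chains idle for
    more than max_age seconds are no longer eligible.
    """
    chains: List[dict] = []
    for t, ipid in samples:
        best, best_gap = None, None
        for c in chains:
            if t - c["last_t"] > max_age:
                continue
            gap = ipid_gap(c["last"], ipid)
            if 1 <= gap <= max_gap and (best is None or gap < best_gap):
                best, best_gap = c, gap
        if best is None:
            chains.append({"first": ipid, "last": ipid, "last_t": t, "n": 1})
        else:
            best.update(last=ipid, last_t=t, n=best["n"] + 1)
    return chains


def estimate_hosts(chains: List[dict], min_len: int = 5) -> int:
    """Count only chains long enough to be a line on the plot; singletons are
    noise (random-IPID stacks, stray packets) and do not count as a host."""
    return sum(1 for c in chains if c["n"] >= min_len)


def make_sample() -> List[Tuple[float, int]]:
    """Constructed: three hosts with sequential IPID counters interleaved
    behind one NAT, plus two packets from a stack that randomises its IPID."""
    counters = {"A": 100, "B": 20000, "C": 45000}
    samples: List[Tuple[float, int]] = []
    for r in range(20):
        counters["A"] += 1 + r % 3          # 1..3 packets to other peers go unseen
        counters["B"] += 2
        counters["C"] += 1 + (r % 2) * 4
        for host in ("A", "B", "C"):
            samples.append((0.5 * len(samples), counters[host]))
        if r in (5, 12):                    # noise far from every chain
            samples.append((0.5 * len(samples), 60000 if r == 5 else 8000))
    return samples


SAMPLE = make_sample()

if __name__ == "__main__":
    ch = ipid_chains(SAMPLE)
    for c in ch:
        print(f"chain {c['first']:5d} -> {c['last']:5d}  samples={c['n']}")
    print("estimated hosts:", estimate_hosts(ch))
```

Two chains that happen to cross in IPID space can be merged or split by the greedy step, which is why the plot is still worth looking at by eye; the chain count is the automated first pass, not the final word.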
More powerful still is taking TCP fingerprints. This does not take much work of your own: there are plenty of ready-made fingerprint databases (nmap's nmap-os-db, p0f's signature file) you can use... Is this fun? Hmm, fun.
Not much more to say!
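What a SYN fingerprint actually consists of, as an added example that is neither the essay's code nor code from nmap or p0f: the initial TTL is recovered by rounding the observed TTL up to a common starting value, the window is expressed as a multiple of the MSS when it is one, and the option layout is kept in wire order. The two-entry signature table is an illustrative assumption for the demonstration, not a real database.

```python
# Added example (not from the essay, nor code from nmap or p0f): build a
# p0f-style signature from the fields of a SYN and match it against a tiny
# illustrative table. The table holds two widely documented stacks only and
# is an assumption for demonstration, not a real fingerprint database.
from typing import List, Optional

INITIAL_TTLS = (32, 64, 128, 255)   # common initial TTL values (assumed set)


def guess_initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial TTL."""
    for itl in INITIAL_TTLS:
        if ttl <= itl:
            return itl
    return 255


def syn_signature(ttl: int, window: int, mss: Optional[int], options: List[str]) -> dict:
    """options: TCP option names in wire order, e.g. ['mss','sok','ts','nop','ws']."""
    itl = guess_initial_ttl(ttl)
    win = f"mss*{window // mss}" if mss and window % mss == 0 else str(window)
    return {"ittl": itl, "hops": itl - ttl, "win": win, "olayout": ",".join(options)}


# (initial TTL, window expression, option layout) -> label.  Illustrative only.
SIG_TABLE = {
    (64, "mss*", "mss,sok,ts,nop,ws"): "Linux (generic)",
    (128, "8192", "mss,nop,ws,nop,nop,sok"): "Windows 7/8 (generic)",
}


def match_signature(sig: dict) -> Optional[str]:
    """Exact match on initial TTL and option layout; window may be a literal,
    '*' for any, or 'mss*' for any multiple of the MSS."""
    for (ittl, win, olayout), label in SIG_TABLE.items():
        if sig["ittl"] != ittl or sig["olayout"] != olayout:
            continue
        if win == "*" or sig["win"] == win or (win == "mss*" and sig["win"].startswith("mss*")):
            return label
    return None


def fingerprint(ttl: int, window: int, mss: Optional[int], options: List[str]) -> dict:
    sig = syn_signature(ttl, window, mss, options)
    sig["os"] = match_signature(sig)
    return sig


if __name__ == "__main__":
    # Constructed SYNs: a Linux-looking one 12 hops away, a Windows-looking one 13 hops away.
    print(fingerprint(52, 29200, 1460, ["mss", "sok", "ts", "nop", "ws"]))
    print(fingerprint(115, 8192, 1460, ["mss", "nop", "ws", "nop", "nop", "sok"]))
```

Note what this buys you behind a NAT: the hop count is the same for every host behind it, but the initial TTL, window expression and option layout are properties of each host's stack, so two different signatures arriving from one address are themselves evidence of more than one machine, independent of the IPID plot.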