TCP three-way handshake and four-way close, explained step by step

1. Schematic of the data transmission process

1.1 The states a TCP connection passes through

  All of these states appear in the output of the netstat command:

2. The whole process of establishing and releasing a TCP connection

2.1 The three-way handshake that establishes a TCP connection

  1) Both the client and the server start in the CLOSED state. (The side that initiates the TCP connection is called the client; the side that accepts it is called the server.)
  2) The server opens its service port and enters the LISTEN state.
  3) The client initiates a connection request: it sends a SYN (synchronize) segment to the server and waits for the server's ACK. The segment carries SYN = 1, ACK = 0, i.e. only the SYN signal. The client is now in the SYN-SENT state (a SYN has been sent).
  4) When the server receives the SYN, it replies with an ACK for it and at the same time sends its own connection request, a SYN. The server is now in the SYN-RECV state (SYN received; drawn as SYN-RCVD in the figure). The segment carries SYN = 1, ACK = 1, i.e. SYN + ACK is sent in a single segment. From here until the third segment arrives the connection is half-open, and the server holds a queue entry for it; this is the window a SYN flood (section 3) exploits.
  5) When the client receives the server's acknowledgement, it sends an ACK back to the server to acknowledge the SYN the server sent, and enters the ESTABLISHED state. This segment carries SYN = 0, ACK = 1, i.e. only an ACK.
  6) When the server receives that ACK it also enters the ESTABLISHED state, and from then on data is exchanged over the connection. Steps 3, 4 and 5 are the three-way handshake. In plain terms, each side makes a request and answers the other's: ① A sends a SYN request and waits for B to respond; ② B responds to A and at the same time makes its own request to A; ③ A responds to B.

                               

2.2 The four-way close that releases a TCP connection

  1) The client sends a FIN (finish) segment to request that the connection be torn down, and enters the FIN-WAIT-1 state.
  2) The server receives the FIN and replies with an acknowledgement (ACK = 1), agreeing to the disconnection; it enters the CLOSE-WAIT state. From this point the client-to-server direction of the connection is closed, so the connection as a whole is half-closed: the server can still send data to the client, but the client will send no more.
  3) When the client receives the server's ACK it enters FIN-WAIT-2 and waits for the server to send its own FIN. While the client waits in FIN-WAIT-2, the server finishes whatever it still has to send, then sends its own FIN to the client and enters the LAST-ACK state.
  4) The client receives the server's FIN and responds with an ACK, accepting the server's disconnection request. The client then enters TIME-WAIT: it has nothing more to exchange on this connection, but it must wait a fixed time (2 * MSL, twice the maximum segment lifetime) before moving to CLOSED, so that its final ACK can be resent if it was lost and so that stray segments from this connection expire before the same port pair is reused.
  5) When the server receives the client's ACK it knows the server-to-client direction is also closed and goes directly to CLOSED. Steps 1 to 4 above are the four waves. The process mirrors the handshake, except that in the handshake the server's SYN and ACK travel in the same segment, whereas in the close the server's ACK and FIN are sent in separate segments, because the server may still have data to send between the two.
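To make the two sequences concrete, here is an added example that is not from the original post or the article it references: a small Python model of both endpoints. It assumes fixed initial sequence numbers 1000 and 5000 (real stacks randomize them) and a lossless, lock-step channel; simultaneous close (the CLOSING state) and retransmission are not modelled. It drives a client and a server through the three-way handshake of 2.1 and the client-initiated four-way close of 2.2, recording every segment's flags and sequence numbers and the states each side passes through, spelled as Linux netstat prints them (SYN_RECV, FIN_WAIT1, TIME_WAIT, ...).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# State names spelled the way Linux netstat prints them.
CLOSED, LISTEN, SYN_SENT, SYN_RECV = "CLOSED", "LISTEN", "SYN_SENT", "SYN_RECV"
ESTABLISHED, FIN_WAIT1, FIN_WAIT2 = "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2"
CLOSE_WAIT, LAST_ACK, TIME_WAIT = "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT"


@dataclass
class Segment:  # the header fields the state machine looks at
    syn: bool = False
    ack: bool = False
    fin: bool = False
    seq: int = 0
    ack_num: int = 0

    def flags(self) -> str:
        return "+".join(n for n, on in (("SYN", self.syn), ("FIN", self.fin), ("ACK", self.ack)) if on)


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                 # next sequence number to send; starts at the ISN (fixed here, random in real stacks)
    rcv_nxt: int = 0             # next sequence number expected from the peer
    state: str = CLOSED          # step 1: both sides start CLOSED
    trace: List[str] = field(default_factory=lambda: [CLOSED])

    def _enter(self, state: str) -> None:
        self.state = state
        self.trace.append(state)

    def _seg(self, **flags) -> Segment:
        return Segment(seq=self.snd_nxt, ack_num=self.rcv_nxt, **flags)

    def listen(self) -> None:
        self._enter(LISTEN)      # step 2: the server opens its port

    def connect(self) -> Segment:
        """Handshake step 3: send SYN=1, ACK=0 and wait for the SYN+ACK."""
        seg = self._seg(syn=True)
        self.snd_nxt += 1        # a SYN occupies one sequence number
        self._enter(SYN_SENT)
        return seg

    def close(self) -> Segment:
        """Send our FIN: from ESTABLISHED as active closer (wave 1), from CLOSE_WAIT as passive closer (wave 3)."""
        self._enter({ESTABLISHED: FIN_WAIT1, CLOSE_WAIT: LAST_ACK}[self.state])
        seg = self._seg(fin=True, ack=True)
        self.snd_nxt += 1        # a FIN occupies one sequence number
        return seg

    def time_wait_expired(self) -> None:
        self._enter(CLOSED)      # 2*MSL after entering TIME_WAIT

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Apply one incoming segment and return the reply to send, if any."""
        if seg.ack and seg.ack_num != self.snd_nxt:  # lock-step model: an ACK must be current
            raise RuntimeError(f"{self.name}: bad ack {seg.ack_num}, expected {self.snd_nxt}")
        if self.state == LISTEN and seg.syn:         # handshake step 4: reply SYN+ACK
            self.rcv_nxt = seg.seq + 1
            self._enter(SYN_RECV)                    # half-open until the third segment arrives
            reply = self._seg(syn=True, ack=True)
            self.snd_nxt += 1
            return reply
        if self.state == SYN_SENT and seg.syn and seg.ack:  # handshake step 5: reply ACK only
            self.rcv_nxt = seg.seq + 1
            self._enter(ESTABLISHED)
            return self._seg(ack=True)
        if seg.fin:
            self.rcv_nxt = seg.seq + 1
            if self.state == ESTABLISHED:
                self._enter(CLOSE_WAIT)              # wave 2: the peer's direction is now shut
            elif self.state in (FIN_WAIT1, FIN_WAIT2):
                self._enter(TIME_WAIT)               # wave 4: both directions shut, wait 2*MSL
            else:
                raise RuntimeError(f"{self.name}: FIN in {self.state}")
            return self._seg(ack=True)
        if self.state == FIN_WAIT1 and seg.ack:
            self._enter(FIN_WAIT2)                   # our FIN acknowledged, wait for the peer's FIN
        elif self.state == SYN_RECV and seg.ack:
            self._enter(ESTABLISHED)                 # handshake step 6
        elif self.state == LAST_ACK and seg.ack:
            self._enter(CLOSED)                      # wave 5: the final ACK arrived
        return None


def run_connection() -> dict:
    """Drive one connection through the handshake and a client-initiated close."""
    client, server = Endpoint("client", snd_nxt=1000), Endpoint("server", snd_nxt=5000)
    log: List[str] = []
    def send(src: Endpoint, dst: Endpoint, seg: Segment) -> Optional[Segment]:
        log.append(f"{src.name} -> {dst.name}: {seg.flags()} seq={seg.seq} ack={seg.ack_num}")
        return dst.receive(seg)

    server.listen()
    syn_ack = send(client, server, client.connect())   # 1st handshake segment
    ack = send(server, client, syn_ack)                # 2nd
    send(client, server, ack)                          # 3rd: both sides ESTABLISHED
    ack1 = send(client, server, client.close())        # wave 1: client's FIN
    send(server, client, ack1)                         # wave 2: server's ACK
    ack2 = send(server, client, server.close())        # wave 3: server's FIN
    send(client, server, ack2)                         # wave 4: client's ACK
    client.time_wait_expired()                         # 2*MSL later
    return {"client": client.trace, "server": server.trace, "log": log}
```

Running run_connection() and printing its log gives the seven segments in order: SYN, SYN+ACK, ACK, then FIN+ACK, ACK, FIN+ACK, ACK. Note where the two sides diverge: the server goes LISTEN, SYN_RECV, ESTABLISHED, CLOSE_WAIT, LAST_ACK, CLOSED, while the client goes SYN_SENT, ESTABLISHED, FIN_WAIT1, FIN_WAIT2, TIME_WAIT and only then CLOSED. The model also refuses any ACK whose number is not the next expected one, which is what stops an unrelated or replayed ACK from completing a half-open connection.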

                               

  Note: when the client requests the disconnection, the server is the passive closer and may accumulate a large number of connections in CLOSE-WAIT (it has acknowledged the peer's FIN, but the local application has not yet called close); when the server closes actively, it may accumulate a large number of connections in TIME-WAIT. A CLOSE-WAIT socket still holds an open file descriptor in the application, and a TIME-WAIT entry holds kernel memory and the local port pair for 2 * MSL, so under high concurrency either can exhaust resources. The cause has to be found and controlled accordingly; in general part of the problem can be addressed by adjusting kernel parameters in /etc/sysctl.conf.

3. Viewing and preventing SYN flood attacks under Linux

  A SYN flood is a common form of (D)DoS attack. Using tools, an attacker forges, in a very short time, a large number of TCP connection requests whose source IP addresses do not exist and whose source ports are random, that is, a large number of segments with SYN = 1, ACK = 0. For each one the server replies with the same SYN + ACK it would send to a real client (SYN = 1, ACK = 1) and enters the SYN-RECV state, where under normal circumstances it would wait for the client's ACK. The problem is that the destination of the server's reply does not exist, so the reply is discarded, the ACK never arrives, and the server keeps retransmitting the SYN + ACK until it gives up (a fixed number of retransmissions, governed by net.ipv4.tcp_synack_retries on Linux). Under a SYN flood the server keeps receiving large numbers of forged SYN = 1, ACK = 0 segments, each of which occupies an entry in the half-open connection queue until it times out, so the queue fills and legitimate SYN requests cannot be handled, while the constant retransmission consumes CPU. In short, a SYN flood consumes network bandwidth, CPU and memory, makes the server run slowly, and in severe cases causes network congestion or even brings the system down.

  Use netstat -tnlpa (the same flags as -lntap) to check whether the server is under a SYN flood: a large number of connections in SYN_RECV, far more than in ESTABLISHED, is the tell-tale sign, as in the output below. Then mitigate with the iptables firewall together with the kernel parameters in /etc/sysctl.conf, limiting or closing off the offending traffic.

[root@xuexi ~]# netstat -tnlpa | grep tcp | awk '{print $6}' | sort | uniq -c
      1 ESTABLISHED
      7 LISTEN
    256 SYN_RECV
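As an added example (not part of the original post or the referenced article), the following Python script reproduces the netstat pipeline above and turns its per-state tally into findings. The netstat lines it runs on are constructed for the example, using documentation-range addresses, and the thresholds syn_recv_limit and wait_limit are illustrative choices, not kernel defaults. Fed real output (netstat -tnlpa | python3 netstat_states.py, where the file name is whatever you save it as) it reports the same per-state counts as the grep/awk/sort/uniq pipeline and flags the three accumulations discussed above: half-open SYN_RECV entries spread across many unrelated sources, CLOSE_WAIT pile-ups on the passive closer, and TIME_WAIT pile-ups on the active closer.

```python
import re
import sys
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

FOREIGN_RE = re.compile(r"^(.+):(\d+|\*)$")  # split "addr:port" on the last colon (IPv6-safe)


def build_sample() -> List[str]:
    """Constructed `netstat -tnlpa` output (not a real capture) from a host under a SYN flood:
    two listeners, one real session, a couple of closing sockets, and 256 half-open
    connections from distinct, non-existent source addresses as the text describes."""
    lines = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
        "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1034/sshd",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2210/nginx",
        "tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 2210/nginx",
        "tcp        0      0 192.0.2.10:80           198.51.100.7:51230      TIME_WAIT   -",
        "tcp        0      0 192.0.2.10:80           198.51.100.9:44100      CLOSE_WAIT  2210/nginx",
    ]
    for i in range(256):
        foreign = f"203.0.113.{i}:{40000 + i}"
        lines.append(f"tcp        0      0 192.0.2.10:80           {foreign:<23} SYN_RECV    -")
    return lines


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (local, foreign, state) for each tcp/tcp6 row; the header lines have no 'tcp' prefix."""
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            yield fields[3], fields[4], fields[5]


def count_states(lines: Iterable[str]) -> Counter:
    """Same tally as `netstat -tnlpa | grep tcp | awk '{print $6}' | sort | uniq -c`."""
    return Counter(state for _, _, state in parse(lines))


def assess(lines: Iterable[str], syn_recv_limit: int = 100, wait_limit: int = 1000) -> List[str]:
    """Turn the tally into findings. The thresholds are illustrative, not kernel defaults."""
    rows = list(parse(lines))
    counts = Counter(state for _, _, state in rows)
    findings: List[str] = []
    half_open = [foreign for _, foreign, state in rows if state == "SYN_RECV"]
    if len(half_open) > syn_recv_limit:
        # Many half-open entries, one per source, with few ESTABLISHED is the SYN flood signature:
        # the SYN+ACK replies go to addresses that never answer.
        sources = Counter(FOREIGN_RE.match(f).group(1) for f in half_open)
        findings.append(
            f"possible SYN flood: {len(half_open)} half-open connections from {len(sources)} "
            f"source addresses (max {sources.most_common(1)[0][1]} per source, "
            f"{counts['ESTABLISHED']} established)"
        )
    if counts["CLOSE_WAIT"] > wait_limit:
        findings.append(f"{counts['CLOSE_WAIT']} CLOSE_WAIT: peers sent FIN, local application has not closed")
    if counts["TIME_WAIT"] > wait_limit:
        findings.append(f"{counts['TIME_WAIT']} TIME_WAIT: this host is the active closer, ports held for 2*MSL")
    return findings


if __name__ == "__main__":
    # Read real netstat output from a pipe, or fall back to the constructed sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else build_sample()
    for state, n in sorted(count_states(source).items()):
        print(f"{n:7d} {state}")
    for finding in assess(source):
        print(finding)
```

On the constructed sample the tally matches the shape of the output above (1 ESTABLISHED, 2 LISTEN, 256 SYN_RECV) and the script reports one finding, a possible SYN flood from 256 sources with one half-open entry each. Going beyond what the post spells out, the standard Linux knobs for the /etc/sysctl.conf side of the mitigation are net.ipv4.tcp_syncookies (answer SYNs without keeping queue state once the backlog fills), net.ipv4.tcp_max_syn_backlog (size of the half-open queue) and net.ipv4.tcp_synack_retries (how many times the SYN+ACK is resent before the entry is dropped).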

  Much of the above is based on a fellow blogger's article: https://www.cnblogs.com/f-ck-need-u/p/7397146.html

  


Origin www.cnblogs.com/blog-tim/p/11823727.html