TCP/IP is the most basic communication protocol of the Internet. Any computer system from any manufacturer can be connected to the Internet as long as it complies with this protocol. However, some weaknesses in TCP/IP are often exploited by criminals as a means of launching attacks. In early 2020, hackers launched an attack on the well-known code hosting platform GitHub: GitHub and many of its sub-sites reported information security problems, and a large number of visitors were unable to reach the site.
There are many examples like this, such as the Microsoft account system hacking incident in 2014, the US network paralysis incident in 2016, and so on. Today, let's take a look at three common TCP/IP attack methods.

SYN Flood

To establish a TCP connection, a three-way handshake is required. The process is as follows:

(1) The client sends a SYN packet to the server and enters the SYN_SENT state, waiting for the server's confirmation.
(2) The server receives the SYN packet, acknowledges it and sends its own SYN to the client, i.e. a SYN+ACK packet. At this point the server enters the SYN_RECV state.
(3) After receiving the server's SYN+ACK, the client sends an ACK packet to the server. Once it is sent, the TCP connection is established and the three-way handshake is complete.

To make sure the handshake completes even when packets are lost, TCP includes some exception handling in the handshake process. If the server does not receive the client's ACK from step three, it stays in the SYN_RECV state of step two, adds the client IP to a waiting list, and resends the SYN+ACK to try again. Resending usually occurs 3-5 times, and the waiting list is polled every 30 seconds to retry all clients. If the number of connections stuck in SYN_RECV exceeds the server's tolerance limit, no new SYN packets are accepted and new TCP connections are refused.

A SYN Flood exploits exactly this mechanism. The attacker forges a large number of IP addresses and sends SYN packets to the server. Since those IP addresses do not exist, no client ever sends the final ACK, so the server holds a huge waiting list and keeps retrying its SYN+ACK packets. When the SYN_RECV queue is full, the server is completely brought down.

How to prevent SYN Flood?
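Before the countermeasures, an added example (not from the original article) of what the waiting-list build-up described above looks like from the server side, and why counting SYNs per source does not catch it: the backlog limit, the timeout and the traffic records are constructed values for this example, not a real operating system's defaults.

```python
from collections import Counter

# Illustrative values, not a real OS default (an assumption of this example).
BACKLOG_LIMIT = 4        # half-open connections the server tolerates
SYN_RECV_TIMEOUT = 30.0  # seconds after which an unanswered SYN+ACK is abandoned


def track_backlog(packets, limit=BACKLOG_LIMIT, timeout=SYN_RECV_TIMEOUT):
    """Replay (time, client_ip, flag) records the way the server processes them.

    SYN -> the client goes onto the SYN_RECV waiting list, if there is room
    ACK -> step three of the handshake; the client leaves the waiting list
    Entries older than `timeout` are dropped, modelling exhausted retries.
    """
    half_open = {}      # client_ip -> time its SYN arrived
    max_half_open = 0
    refused = 0
    for t, client, flag in packets:
        for stale in [c for c, t0 in half_open.items() if t - t0 > timeout]:
            del half_open[stale]
        if flag == "SYN":
            if len(half_open) >= limit:
                refused += 1        # waiting list full: connection rejected
                continue
            half_open[client] = t
        elif flag == "ACK" and client in half_open:
            del half_open[client]   # handshake completed, slot freed
        max_half_open = max(max_half_open, len(half_open))
    return {"max_half_open": max_half_open, "refused_syns": refused,
            "half_open_now": len(half_open)}


def max_syns_per_source(packets):
    """Per-source SYN count: blind to a flood that spoofs a fresh IP per packet."""
    counts = Counter(client for _, client, flag in packets if flag == "SYN")
    return max(counts.values()) if counts else 0


# Constructed traffic: one real client, six spoofed SYNs that never complete,
# a second real client refused while the list is full, and a third accepted
# once the stale entries have timed out.
SAMPLE = ([(0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK")]
          + [(1.0 + i * 0.01, f"198.51.100.{i}", "SYN") for i in range(6)]
          + [(2.0, "10.0.0.6", "SYN"), (2.1, "10.0.0.6", "ACK")]
          + [(40.0, "10.0.0.7", "SYN"), (40.1, "10.0.0.7", "ACK")])

if __name__ == "__main__":
    print(track_backlog(SAMPLE))        # {'max_half_open': 4, 'refused_syns': 3, 'half_open_now': 0}
    print(max_syns_per_source(SAMPLE))  # 1
```

The second real client is refused even though no single source ever sent more than one SYN, which is why the signal to monitor is the total half-open backlog rather than per-source SYN rates.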
The simplest way is to use DDoS cloud scrubbing. Scrubbing handles not only SYN Flood attacks but other types of DDoS as well, such as UDP Flood, CC attacks, and so on. A CDN can also mitigate this type of attack, provided the attack volume does not exceed the CDN's maximum capacity; otherwise the traffic passes straight through to the origin server, which is soon overwhelmed and taken down. If a website or app is frequently hit by DDoS, DDoS cloud scrubbing is the best option.

IP Spoofing

An IP address is an important piece of identifying information, so it naturally becomes something attackers try hard to exploit. Suppose a user has established a normal TCP connection with the server. The attacker constructs TCP data that disguises their own IP as the user's IP and sends the server a TCP segment with the RST bit set. On receiving it, the server assumes the user's connection has gone wrong and clears the established connection from its buffer. When the user next sends data, the server no longer has a connection for it and cannot respond, and the user has to re-establish the connection. Attackers forge a large number of IP addresses and send RST data to the target, leaving the server unable to serve normal users. This is an IP spoofing attack.

TCP Reset Attack

TCP connections have a special rule: if the client finds that an arriving segment is not valid for the connection it belongs to, TCP sends a reset segment to tear the connection down and prevent it from being used to exchange any further data. The attacker takes advantage of this mechanism by sending a forged reset segment to one or both parties so that the communicating party closes the TCP connection prematurely. Although the server can open a new TCP connection to resume communication, that connection is just as likely to be reset by the attacker. There are two types of TCP reset attack.
In the first, the attacker intercepts the traffic exchanged between the two parties, reads the sequence and acknowledgement numbers from the packets, and from them derives the sequence number for the forged TCP reset segment. In the second, the attacker cannot intercept the traffic and so cannot determine the sequence number the reset segment needs, but can guess it blindly by sending batches of reset segments with different sequence numbers. Once the sequence number is guessed correctly, the attack has succeeded.
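For the IP Spoofing and TCP Reset sections above, an added example (not from the original article) of the check a hardened receiver makes before honouring a RST, in the style of RFC 5961: the offset of the RST's sequence number from RCV.NXT decides whether the segment resets the connection, earns a challenge ACK, or is dropped, and the function is compared with the legacy rule that accepts any in-window RST. RCV_NXT, RCV_WND and the batch of blind guesses are constructed values.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap around at 2^32


def validate_rst(rcv_nxt, rcv_wnd, rst_seq, strict=True):
    """Decide what a receiver does with a RST carrying sequence number rst_seq.

    strict=True  : RFC 5961 style check; only an exact match on RCV.NXT resets,
                   an in-window value earns a challenge ACK (the peer must echo
                   the exact number back before the connection is dropped)
    strict=False : legacy behaviour; any in-window RST tears the connection down
    """
    offset = (rst_seq - rcv_nxt) % MOD  # distance ahead of RCV.NXT, modulo wrap
    if offset == 0:
        return "reset"
    if offset < rcv_wnd:
        return "challenge_ack" if strict else "reset"
    return "drop"


def classify_batch(rcv_nxt, rcv_wnd, seqs, strict=True):
    """Count what happens to each RST in a batch of blind sequence guesses."""
    counts = {"reset": 0, "challenge_ack": 0, "drop": 0}
    for s in seqs:
        counts[validate_rst(rcv_nxt, rcv_wnd, s, strict)] += 1
    return counts


def expected_guesses(rcv_wnd, strict=True):
    """Mean number of blind RSTs needed before one is honoured as a reset."""
    accepted_per_guess = 1 if strict else rcv_wnd
    return MOD / accepted_per_guess


# Constructed connection state and a constructed batch of blind guesses that
# steps through the sequence space one window at a time.
RCV_NXT, RCV_WND = 0x12345678, 65535
BLIND_BATCH = [(RCV_NXT - 2 * RCV_WND + 7 + k * RCV_WND) % MOD for k in range(5)]

if __name__ == "__main__":
    print(classify_batch(RCV_NXT, RCV_WND, BLIND_BATCH, strict=False))
    print(classify_batch(RCV_NXT, RCV_WND, BLIND_BATCH, strict=True))
    print(expected_guesses(RCV_WND, strict=False), expected_guesses(RCV_WND))
```

With the legacy rule one guess per window is enough to land a reset, so the blind attacker needs on the order of 2^32 / RCV_WND attempts; with the strict rule the same guess only triggers a challenge ACK, and the search space grows back to the full 2^32.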