It's over! Something big has happened to TCP!

This article is reprinted from the WeChat public account "Programming Technology Universe", the author is Xuanyuan Zhifeng. Please contact the Programming Technology Universe public account for reprinting this article.

Uninvited Guests

It was a dark and windy night, with dark clouds covering the moon.

Two uninvited guests, dressed in black, one tall and one short, sneaked into the Linux empire.

They lay low for more than a month, until one day they received a message...

The tall guy: "The higher-ups have finally assigned us a mission."

Shorty: "What task? I'm so bored."

The tall guy: "Our superiors asked us to cooperate with them to hijack the TCP connection."

Shorty: "TCP hijacking? We are just an ordinary program. We don't have kernel privileges. How can we modify the network connection? Isn't this asking too much?"

The tall guy: "Yeah, I'm confused too. The letter only says that when the time comes we just need to tell them the value of a counter; we don't need to worry about anything else."

Shorty: "Counter, what counter?"

The tall guy: "DelayedACKLost. The letter says you can see it by executing cat /proc/net/netstat."

Shorty: "Don't you need special permissions?"

The tall guy: "I don't know either. How about we just try it first?"

The two put away the letter, looked around, and seeing no one nearby, quietly carried out the order:

"What are these? Why are there so many?" asked the short man.

"It looks like it records a lot of statistics about the Linux Empire's network protocol stack," the tall man said as he looked through it carefully.

"This information is actually public and anyone can see it?"

"You can only look at it, you can't change it. What are you afraid of? Hurry up and look; find DelayedACKLost first."

The two of them strained their eyes and finally found the counter they wanted among the densely packed output.

But they couldn't figure out how this small counter could help their superiors complete the TCP hijacking.

Secret Mission

The next night.

"Wake up quickly, there is more news from the higher-ups." After the tall man shook him, the short man opened his sleepy eyes.

"What's the news?"

"Report the value of DelayedACKLost immediately."

The two of them quickly got up, executed the command again, got the value of the counter, and reported it.

They had barely sent the message when another instruction arrived from their superiors: Has DelayedACKLost increased?

The two looked at each other, confused, but still checked the counter again, confirmed that it had not increased, and reported the result.

This went back and forth dozens of times; their superiors kept asking whether the counter had increased, which kept the two brothers very busy.

Finally, there were no more messages from their superiors, and the two had some time to catch their breath.

Weird TCP connections

At that moment, the protocol stack building of the Linux Empire's Network Department was still brightly lit.

"What's going on tonight? Why is the network so bad? I've received so many error packets," sighed the newcomer Robert.

"Really? Isn't it because you just got here and aren't very experienced yet?" Cerf asked casually from the next desk.

"No. On one connection, the sequence numbers of the packets I received were either too small or too large. It took many attempts before one finally landed right. I've never seen anything like it!" Robert continued.

Upon hearing this, Cerf quickly put down his work and came over to Robert's workstation. "Is it that strange? I've never seen this in all my time here. Let me take a look."

Cerf carefully went through the connection's recent traffic. Packets kept arriving on it, but because the TCP sequence number was always wrong, they were always dropped.

"It's a bit strange. Why does this guy seem to be guessing the sequence number? And the strangest thing is that he actually guessed it in the end! There must be something odd about this connection. It has most likely been hijacked: the hijacker doesn't know the sequence number, so he has been trying to guess it," said Cerf.

Robert also took a look and said, "Now that you mention it, it is indeed so. And look, he isn't guessing blindly; he seems to be using binary search! The sequence number is a 32-bit integer, so binary search needs at most 32 guesses to find it."

"Binary search? To use binary search, he must know whether each guess was too high or too low. Without that feedback, he can only guess blindly. How does he know whether he guessed too high or too low?"

The two thought about it, but couldn't figure out how the other party could use binary search to home in on the sequence number. They reported the matter to the head of the transport layer of the Network Department, who in turn reported it to the Minister of Imperial Security.

Find the Lurker

After learning of this, the Minister attached great importance to it and ordered a comprehensive review of the code belonging to the Network Department's TCP group.

They followed the TCP packet processing flow and found the problem at the sequence number check.

When the sequence number check fails, processing enters tcp_send_dupack, and everyone's attention was drawn to this:

"What does this before() check here mean?" the supervisor asked.

Cerf stepped forward and answered: "This checks whether the sequence number of the received packet is smaller than the expected sequence number. If it is smaller, it means there is a retransmission on the network, so the delayed ACK mechanism must be switched off and an ACK sent back immediately."

"Delayed ACK?"

"Oh, supervisor, this is an optimization made by our TCP team. TCP transmission requires acknowledgement, but sending an ACK for every data exchange would be wasteful. So we made an optimization: when there is data to send anyway, the reply ACK rides along with it, which removes the need to send a separate ACK message every time. We call this Delayed ACK," Cerf continued.

"So the tcp_enter_quickack_mode that follows turns this mechanism off and enters a fast ACK reply mode?" the supervisor asked.

"That's right!"

At this point the security minister pointed to a line and asked, "This one looks a bit strange. What is it doing?"

"I know this one. Cerf taught me yesterday. This is accounting: each lost delayed ACK is recorded in the corresponding global counter," said Robert.

The experienced security chief saw the problem at once. "So this counter only increases when the received sequence number is smaller than expected, and not when it is larger. Imagine the guesser could see whether this counter increases or not. Wouldn't he then know whether he guessed too high or too low?"

Robert shook his head and said, "No way. This counter is internal to us; how could anyone out on the Internet know it? Besides, this counter is shared by everyone; it would be far too noisy to use for that!"

The supervisor also shook his head. "No. Although everyone shares it, this counter is special: the event it counts is rare. Execution normally never reaches this line, because the network rarely has problems."
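The check the team is staring at, modelled as an added example (this is not code from the page or from the kernel; Receiver, NeutralCounterReceiver and probe() are names constructed here): a data segment below rcv_nxt moves the host-wide counter while one above the window does not, which is exactly the directional feedback the story describes, and a counter that moves for every out-of-window segment carries no such information.

```python
# Added model of the receiver-side check the story walks through; not kernel code.
# Receiver, NeutralCounterReceiver and probe() are names constructed for this example.
MASK32 = 0xFFFFFFFF

def before(seq1: int, seq2: int) -> bool:
    """Linux's before(): is seq1 earlier than seq2 in modulo-2^32 sequence space?"""
    return ((seq1 - seq2) & MASK32) >= 0x80000000

class Receiver:
    """One established connection plus the host-wide DelayedACKLost statistic."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int = 65535):
        self.rcv_nxt = rcv_nxt & MASK32
        self.rcv_wnd = rcv_wnd
        self.delayed_ack_lost = 0  # stands in for the DelayedACKLost line in /proc/net/netstat

    def in_window(self, seq: int) -> bool:
        end = (self.rcv_nxt + self.rcv_wnd) & MASK32
        return not before(seq, self.rcv_nxt) and before(seq, end)

    def send_dupack(self, seq: int, length: int) -> None:
        """Mirrors tcp_send_dupack(): only a data segment below rcv_nxt bumps the counter."""
        if length > 0 and before(seq, self.rcv_nxt):
            self.delayed_ack_lost += 1  # the LINUX_MIB_DELAYEDACKLOST increment
            # tcp_enter_quickack_mode() follows here; the dup-ACK itself is sent either way

    def receive(self, seq: int, length: int = 1) -> str:
        """Sequence check passes -> accept; fails -> reply with a duplicate ACK."""
        if self.in_window(seq):
            return "accept"
        self.send_dupack(seq, length)
        return "dupack"

class NeutralCounterReceiver(Receiver):
    """Illustrative hardening (an assumption here, not the upstream patch): count every
    out-of-window data segment so that the counter's movement no longer encodes direction."""

    def send_dupack(self, seq: int, length: int) -> None:
        if length > 0:
            self.delayed_ack_lost += 1

def probe(rx: Receiver, seq: int) -> bool:
    """Did the public counter move after one out-of-window segment? That bit is the leak."""
    start = rx.delayed_ack_lost
    rx.receive(seq)
    return rx.delayed_ack_lost > start

if __name__ == "__main__":
    leaky = Receiver(rcv_nxt=0x80001234)
    print(probe(leaky, 0x40000000), probe(leaky, 0xC0000000))  # True False: direction leaks
```

Running the same two probes against NeutralCounterReceiver yields True both times, so a reader of the counter learns nothing about which side of rcv_nxt the segment fell on.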

The Minister of Security said: "According to the information we have so far, other departments have reported spies within the Empire who are hiding in the dark and have not yet been caught. If they are colluding with the outside world, watching this counter and relaying its changes, then the outside would know whether each guess was too high or too low. Yes, it must be like this!"

Afterwards, the security minister went to the file system department and pulled the access records for /proc/net/netstat. From those records he quickly located the two spies hidden in the Linux Empire and ordered their arrest.

The two spies, tall and short, confessed everything truthfully...

To be continued...
