Is it impossible for non-middlemen to hijack TCP?

TCP initial sequence number

Hi, my name is Robert. Last time I mentioned that I worked very hard to pass the civil service exam in the Linux Empire and was assigned to work at the transport layer of the protocol stack building in the network department.

On my first day at work, my supervisor asked me to handle a new TCP connection for practice. Although I knew the theory by heart, I had never actually handled a TCP packet, so I was a little nervous.

After receiving the connection request packet, I prepared a response packet and set both the SYN and ACK flags. Then I got stuck. I knew that the acknowledgement number (ACK) was the other party's sequence number + 1, but what sequence number should I reply with?

I closed my eyes, quickly searched the RFCs in my mind, and soon remembered that RFC 793 says the initial sequence number (ISN) is a counter that increases by 1 every 4ms.

I quickly asked Cerf for help, "Hi, Cerf, where is the initial sequence number counter?"

Cerf pointed to a clock-like object on the wall and said, "Here, that's it. This is a global unified counter that everyone can use."

I filled in the sequence number field and was about to send it, but Cerf stopped me and said, "Wait, are you going to use this counter as the initial sequence number to send it out?"

"Is there anything wrong with this? That's what RFC 793 says."

"That's the old version; it isn't done that way anymore! Using this counter directly as the sequence number is dangerous."

You don't know ISN

I felt a little embarrassed, and then Cerf explained the whole story to me.

"It turns out that other empires in the Bit Universe built their ISNs exactly as RFC 793 describes. Later, an incident occurred. An attacker pretended to be a client and sent data packets to the server, hijacking other people's normal TCP connections and stealing confidential data! Guess how he did it?"

This was no problem for me, and I blurted out: "This guy must have eavesdropped on the communication somewhere along the path, obtained their sequence and acknowledgement numbers, and then impersonated one party."

Cerf shook his head. "No, this guy is not a middleman and he didn't monitor the communication."

I was confused and frowned. "If I'm not a middleman, then I have no way of knowing the sequence number. How can I impersonate someone without knowing the sequence number?"

Hearing my question, Cerf smiled knowingly. "This guy was clever. Before impersonating anyone, he first established a connection with the server himself and obtained the server's initial sequence number. Because this sequence number increases by 1 every 4ms, he could work out the server's ISN for a connection established later just by timing it."

I suddenly realized, "This guy is really cunning. It seems that this ISN cannot be set so easily."

"That's why I just stopped you. The RFC series now has a new document, RFC 1948, which says the ISN should be calculated like this:"

ISN = M + F(localhost, localport, remotehost, remoteport)

"M is the counter you just saw. On top of it, a function F is added: it takes the IP addresses and ports of both parties, that is, the four-tuple, computes a value from them, and that value is added to the counter to make the ISN harder to predict."

I nodded. "What algorithm is generally used for this F?"

"In our Linux Empire, we used the MD4 algorithm before, and later upgraded to the MD5 algorithm."

"Thanks, Cerf. If it weren't for you, I would have made a mistake."

Cerf patted my shoulder and said earnestly: "You still need to keep studying. Passing the Imperial Civil Service Exam is just the first step."

"It's not just him who needs to learn, you too. Are there any new regulations regarding ISN?"

We both turned around and saw that it was our supervisor coming over.

"Boss, what's the new rule?" Cerf asked.

"The RFC series has a new document, RFC 6528. The ISN is now calculated as follows:"

ISN = M + F(localip, localport, remoteip, remoteport, secretkey)

"There's an extra secretkey!" I immediately noticed the difference.

"That's right! If the two parties use the same ports to communicate twice, the four-tuple is fixed, so the result of F is fixed too, which greatly reduces the randomness. So a secretkey is added to make the ISN harder to predict."
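The three generations of ISN generation described above, written out as an added Python example (this is not code from the original article or from the Linux kernel). It uses MD5 for F only because the text says Linux used MD4 and then MD5; RFC 6528 leaves the choice of hash to the implementer. M is modelled as RFC 793 and RFC 6528 define it, a 32-bit clock that ticks every 4 microseconds. The addresses, ports, timestamps and secret are constructed sample values. The `demo()` function shows why the counter alone is dangerous (an ISN seen earlier plus elapsed ticks is exactly the later ISN), that the keyed hash of RFC 6528 breaks that estimate, and the supervisor's point that F is constant for a repeated four-tuple.

```python
import hashlib
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
TICK_US = 4  # RFC 793 / RFC 6528: M is a 32-bit clock that ticks roughly every 4 microseconds


def timer_m(now_us):
    """M: the shared 32-bit counter from the story, derived from a microsecond clock."""
    return (now_us // TICK_US) & MASK32


def f_hash(local_ip, local_port, remote_ip, remote_port, secret=b""):
    """F: a hash over the four-tuple (plus an optional secret), truncated to 32 bits.

    MD5 is used because the text says Linux moved from MD4 to MD5 for F; it is one
    illustrative choice, not a requirement of RFC 6528.
    """
    data = (
        ipaddress.ip_address(local_ip).packed
        + struct.pack("!H", local_port)
        + ipaddress.ip_address(remote_ip).packed
        + struct.pack("!H", remote_port)
        + secret
    )
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def isn_rfc793(now_us):
    """RFC 793 style: the bare counter is the ISN."""
    return timer_m(now_us)


def isn_rfc1948(now_us, local_ip, local_port, remote_ip, remote_port):
    """RFC 1948 style as the text describes it: counter plus an unkeyed hash of the four-tuple."""
    return (timer_m(now_us) + f_hash(local_ip, local_port, remote_ip, remote_port)) & MASK32


def isn_rfc6528(now_us, local_ip, local_port, remote_ip, remote_port, secret):
    """RFC 6528 style: counter plus a hash of the four-tuple and a per-host secret key."""
    return (timer_m(now_us) + f_hash(local_ip, local_port, remote_ip, remote_port, secret)) & MASK32


def counter_only_guess(observed_isn, observed_us, target_us):
    """The estimate from the story: an ISN seen earlier plus the ticks of M elapsed since.

    Against a bare counter this is exact. Against the keyed hash it is off by the unknown
    difference between F for the observed tuple and F for the other connection's tuple.
    """
    return (observed_isn + timer_m(target_us) - timer_m(observed_us)) & MASK32


def demo():
    # Constructed sample data: RFC 5737 documentation addresses, made-up ports and times.
    server = ("192.0.2.10", 443)
    own = ("198.51.100.7", 40000)     # the connection whose ISN was legitimately observed
    other = ("203.0.113.5", 51000)    # a later connection between the server and someone else
    t0, t1 = 1_000_000, 1_250_000     # microseconds since some epoch
    secret = b"constructed per-boot secret"

    # Bare counter (RFC 793): what was seen at t0 fully determines the ISN at t1.
    seen_793 = isn_rfc793(t0)
    hit_793 = counter_only_guess(seen_793, t0, t1) == isn_rfc793(t1)

    # Keyed hash (RFC 6528): the same estimate misses, because F(other tuple, secret) is unknown.
    seen_6528 = isn_rfc6528(t0, *server, *own, secret)
    hit_6528 = counter_only_guess(seen_6528, t0, t1) == isn_rfc6528(t1, *server, *other, secret)

    # The supervisor's point: for a repeated four-tuple F is constant, so two RFC 1948 ISNs
    # for that tuple differ only by the ticks of M that elapsed between them.
    repeat_delta = (isn_rfc1948(t1, *server, *own) - isn_rfc1948(t0, *server, *own)) & MASK32
    timer_delta = (timer_m(t1) - timer_m(t0)) & MASK32

    return {
        "counter_guess_hits_rfc793": hit_793,
        "counter_guess_hits_rfc6528": hit_6528,
        "repeat_tuple_delta_is_timer_delta": repeat_delta == timer_delta,
        "secret_changes_isn": isn_rfc6528(t1, *server, *other, secret)
        != isn_rfc6528(t1, *server, *other, b"a different secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failing checks in `demo()` (RFC 6528 guess, different secret) rely on the 32-bit truncations of two distinct MD5 digests not colliding, which for fixed inputs like these is a 1 in 2^32 event; the passing checks are exact arithmetic modulo 2^32.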

"So is this foolproof? No longer afraid of being hijacked?" I asked.

The supervisor paused and said, "Unless another node on the network sits in the middle of the path and hijacks it from there, there should be no way to do it."

The supervisor really earned his title; he knows more than we do.

After all this delay my connection still hadn't been answered, so I quickly calculated the ISN with the new algorithm and sent the reply to the other party.

The first practice connection taught me a lot. I didn’t expect that a simple ISN could have so many details.

Mysterious Counter

It was afternoon, and Cerf took me around the building to familiarize me with the environment.

Soon, we came to a room with a bunch of counters in it. The signal lights on them were flashing continuously.

"What are these counters? Why are there so many?" I asked Cerf who was standing next to me.

"These are important displays that record the working statistics of our network department. It's not only our transport layer: the network layer on the first floor below also has a room that stores its counters. Everything since start-up, the number of packets sent, the number received, the number of errors, the number of duplicate packets received, and so on, is recorded on these counters. When you officially start working, you will have to come here often."

I looked around and saw that each counter had a label on it:

  1. SyncookiesSent
  2. SyncookiesRecv
  3. SyncookiesFailed
  4. EmbryonicRsts
  5. PruneCalled
  6. RcvPruned
  7. OfoPruned
  8. ······
  9. DelayedACKs
  10. DelayedACKLocked
  11. DelayedACKLost
  12. ListenOverflows
  13. ListenDrops
  14. TCPPrequeued

As I was looking, I suddenly noticed that many counters seemed to carry the same name. On closer inspection they were not duplicates of one counter: there were 8 groups here, and each group held the same set of counters.

"Cerf, why are there 8 identical counters here?"

"That's because the CPU we're dealing with has 8 cores. Locking a single copy to avoid contention between them would cost too much time, so we keep one copy per core. We just add them together when we do the final statistics."
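The counter labels in the room are the TcpExt statistics Linux exposes in /proc/net/netstat, and the kernel does keep them per CPU and fold the copies together when the file is read. As an added example (not code from the article or from the kernel), the Python below parses the /proc/net/netstat text layout, merges per-CPU copies the way Cerf describes, and reports the deltas a defender watches between two snapshots: rising ListenOverflows/ListenDrops mean the accept queue filled up, and rising SyncookiesSent means the kernel fell back to SYN cookies. The two snapshots are constructed sample text with only a handful of the real counter names, and the 8 per-CPU dictionaries in the usage are constructed too.

```python
# Constructed sample of the /proc/net/netstat layout: for each section a header line
# naming the counters, then a value line with the same "TcpExt:"/"IpExt:" prefix.
SAMPLE_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled ListenOverflows ListenDrops DelayedACKs
TcpExt: 0 0 0 3 0 0 0 1200
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SAMPLE_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled ListenOverflows ListenDrops DelayedACKs
TcpExt: 5123 2 87 3 0 240 240 1210
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

# Counters worth alerting on: SYN-cookie fallback and accept-queue overflow.
WATCH = ("SyncookiesSent", "SyncookiesFailed", "ListenOverflows", "ListenDrops")


def parse_netstat(text):
    """Return {section: {counter: value}} from /proc/net/netstat-style text.

    Lines come in pairs sharing a prefix; the first names the counters and the
    second carries their values, so a header is held until its value line arrives.
    """
    sections = {}
    pending_headers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields = rest.split()
        if prefix not in pending_headers:
            pending_headers[prefix] = fields
            continue
        names = pending_headers.pop(prefix)
        if len(names) != len(fields):
            raise ValueError(f"{prefix}: {len(names)} names but {len(fields)} values")
        sections[prefix] = dict(zip(names, (int(v) for v in fields)))
    return sections


def merge_per_cpu(copies):
    """Add up per-CPU counter copies: the 'combine them at the end' step from the story."""
    total = {}
    for copy in copies:
        for name, value in copy.items():
            total[name] = total.get(name, 0) + value
    return total


def counter_delta(before, after):
    """Per-counter growth between two snapshots (counters only increase since boot)."""
    return {name: after[name] - before[name] for name in after if name in before}


def check_backlog_pressure(before_text, after_text):
    """Return the WATCH counters that grew between two snapshots, with their growth."""
    before = parse_netstat(before_text)["TcpExt"]
    after = parse_netstat(after_text)["TcpExt"]
    delta = counter_delta(before, after)
    return {name: delta[name] for name in WATCH if delta.get(name, 0) > 0}


if __name__ == "__main__":
    # Constructed per-core copies of one counter set, folded as the kernel does on read.
    per_cpu = [{"ListenDrops": core, "DelayedACKs": 10} for core in range(8)]
    print(merge_per_cpu(per_cpu))
    print(check_backlog_pressure(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a real host the same parser runs over the contents of /proc/net/netstat (or the output of `nstat -az`, whose format differs), and taking the delta between two reads is what turns since-boot totals into a rate you can alert on.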

After leaving the counter room, Cerf took me to visit the warehouse where the connection request queues were stored, and then taught me how to use a few TCP timers. It was a very rewarding day.

I will start working officially tomorrow. I don’t know what kind of day it will be~

To be continued...

Easter Eggs

"Wake up, our superior has assigned us a task to cooperate with him to hijack the TCP connection."

"How can we hijack TCP connections if we don't have kernel privileges?"

"The letter didn't say anything, it just asked us to report the value of a counter."

"What counter?"

To find out what happens next, stay tuned for the follow-up······
