全部博文(24)
分类: 网络与安全
2010-02-05 16:48:55
Whenever I interview someone for an Application Engineer or Security Research position, my favorite introductory question is, "Can you describe for me the TCP three-way handshake?". It is a fine baseline question to understand a candidate's knowledge of modern networking. Answers range from "SYN, SYN/ACK, ACK,", to a full description of ARP, to initial sequence number generation. It's a good springboard question, because then you can start talking about spoofing addresses, port scanning, the significance of IPIDs, and more.
We are , which means I'm asking this question a lot. After the fourth or fifth interview, I decided one morning to look over to make sure that I really did know everything there is to know about the handshake. That is when I found out that we've all been living a lie.
If you've spent any reasonable amount of time around network protocols, you're probably familiar with some version of this diagram:
Here, we see the client on the left starting up a conversation with the server on the right. All pretty normal and familar, right? Well, when I was reviewing the RFC again, I noticed something very, very, odd. Disturbing, even. Allow me to quote at some length:
The synchronization requires each side to send its own initial
sequence number and to receive a confirmation of it in acknowledgment
from the other side. Each side must also receive the other side's
initial sequence number and send a confirming acknowledgment.
1) A --> B SYN my sequence number is X
2) A <-- B ACK your sequence number is X
3) A <-- B SYN my sequence number is Y
4) A --> B ACK your sequence number is Y
Because steps 2 and 3 can be combined in a single message this is
called the three-way (or three message) handshake.
Do you see what I see? Because I'm thinking, "this is not a three-way handshake. This is a four-way handshake." The handshake is a lie, born of coalescing steps 2 and 3.
Now, surely, if I just decided to ACK a SYN, then send my own SYN, that couldn't possibly work, right? Enter . Turns out, 28 years or so after this RFC was written, clients behave rather strangely when you decide to actually honor ol' RFC 793. After some experimentation, I have a pretty decent proof-of-concept stack that behaves like so:
This is the point where things get a little weird. What's happening here is:
1) A --> B SYN my sequence number is X
2) That's nice. I'm not going to bother to ack that, because...
3) A <-- B SYN my sequence number is Y.
4) A --> B ACK your sequence number is Y, and my sequence number is X.
5) A <-- B ACK your sequence number is X
Does this work? You betcha! Take a look at the , collected from Linux (stock Ubuntu), Apple (stock OSX), and Microsoft (stock Windows XP). These three desktop operating systems are all totally cool with this crazy backwards TCP portal.
But what does it mean? Is this simply a parlor trick, where you can reverse the roles of client and server? How does this ? How about inspection devices like , which often need to have an idea of who the "real" client and server are? How about NAT devices, where the idea of "relatedness" is absolutely tied up with where SYN packets come from.
Clearly, there is a ton of testing work to be done here. Lucky for me, I happen to work at a really advanced testing equipment manufacturer, so I've dropped this nugget in the next StrikePack. Now, strikes can employ the "SneakAckHandshake" TCP override option, and all servers simulated will behave in accordance with this crazy backwards handshake. We'll see how well network inspection gear detects clientside attacks when the client is tricked into behaving like a server.
At the very least, now I have better interview questions and I should at least be able to detect if the next candidate is reading this blog. :)
