Things You Should Know for Network Programming
Anry Lu, 2014/10/22
TCP & UDP
UDP (just IP + Port Number)
TCP is far more complicated!
TCP Quick Review
TCP provides reliable, ordered and error-checked delivery of data.
3-Way Handshaking
Ack, Retransmission & Sliding Window
Flow Control (AIMD)
● check the available flow control on your system
  ○ sysctl -a | grep tcp_allowed_congestion_control
TCP Options
● Maximum Segment Size
● Selective Ack
● Explicit Congestion Notification
● Window Scaling
● Timestamp
● Keepalive
● ...
The life-cycle of a TCP connection (use netstat or lsof to see the state)
What does the state mean?
● SYN_SENT
  ○ packets are dropped (reproduce it by dropping the outgoing packets, then connecting)
    iptables -t filter -A OUTPUT -p tcp --dst 192.168.68.8 -j DROP
    nc 192.168.68.8 80
  ○ solution
    ■ check your network
● ESTABLISHED
  ○ usually means the connection is valid
  ○ if the peer is dead, it takes 7,200 seconds (the default keepalive idle time) to find out
    ■ net.ipv4.tcp_keepalive_time
● CLOSE_WAIT
  ○ your code doesn't handle the connection well: the peer sent FIN but you never called close()
    (note: all data sent in this state are just dropped)
  ○ server
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_address = ('127.0.0.1', 10000)
    sock.bind(server_address)
    sock.listen(1)
    connection, client_address = sock.accept()
    connection.close()   # the server closes first and sends FIN
  ○ client
    import socket
    import time
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_address = ('127.0.0.1', 10000)
    sock.connect(server_address)
    time.sleep(60)   # never calls close(); netstat now shows this socket in CLOSE_WAIT
  ○ solution
    ■ check your source code
● TIME_WAIT
  ○ it's a normal state to avoid sending RST and interfering with new connections
  ○ lasts for 2*MSL after close
  ○ may cause port starvation on the server
  ○ solution
    ■ linger option (use this carefully)
    ■ net.ipv4.tcp_tw_reuse
    ■ SO_REUSEADDR or SO_REUSEPORT
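To count the states above without eyeballing netstat output, here is an added Python helper (not from the slides) that parses /proc/net/tcp, the file netstat reads, and flags CLOSE_WAIT leaks; it assumes a little-endian host, and the sample rows are constructed to mirror the CLOSE_WAIT demo on 127.0.0.1:10000 plus a server on 192.168.68.8:8080.

```python
import socket
import struct
from collections import Counter

# "st" column codes of /proc/net/tcp (Linux include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_endpoint(hex_endpoint):
    """'0100007F:2710' -> ('127.0.0.1', 10000). The kernel prints the IPv4
    address as a host-order word; a little-endian host is assumed here."""
    addr, port = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Return [(local, remote, state_name), ...]; on a live host pass
    open('/proc/net/tcp').read()."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) >= 4:
            rows.append((decode_endpoint(fields[1]), decode_endpoint(fields[2]),
                         TCP_STATES.get(fields[3], "UNKNOWN_" + fields[3])))
    return rows

def state_summary(rows):
    """Sockets per state, e.g. to spot a TIME_WAIT pile-up on a busy server."""
    return Counter(state for _, _, state in rows)

def close_wait_sockets(rows):
    """CLOSE_WAIT: the peer sent FIN but our process never called close().
    These are the leaks to chase in the application code."""
    return [(loc, rem) for loc, rem, state in rows if state == "CLOSE_WAIT"]

# Constructed sample: the slides' CLOSE_WAIT demo on 127.0.0.1:10000 plus a
# server on 192.168.68.8:8080 with two TIME_WAIT sockets and one live client.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30001
   1: 0100007F:D2C8 0100007F:2710 08 00000000:00000000 00:00000000 00000000  1000        0 30002
   2: 0100007F:2710 0100007F:D2C8 05 00000000:00000000 00:00000000 00000000     0        0 0
   3: 0844A8C0:1F90 3344A8C0:CC7F 06 00000000:00000000 00:00000000 00000000     0        0 0
   4: 0844A8C0:1F90 3344A8C0:CC80 06 00000000:00000000 00:00000000 00000000     0        0 0
   5: 0844A8C0:1F90 3344A8C0:CC81 01 00000000:00000000 00:00000000 00000000  1000        0 30005
"""
```

Run `state_summary(parse_proc_net_tcp(SAMPLE))` to get the per-state counts, and `close_wait_sockets(...)` to list the leaked connection from the demo.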
How to Debug - Sniffer Tools
● wireshark or tcpdump
  ○ for normal sockets
    sudo tcpdump -i eth5
● socat
  ○ for unix sockets (rename the socket and let socat relay to the original while dumping the traffic with -x -v)
    cd /share/CACHEDEV1_DATA/.qpkg/CloudLink/tmp/
    mv tunnel_agent_monitor.sock tunnel_agent_monitor.sock.orig
    socat -t 100 -x -v UNIX-LISTEN:./tunnel_agent_monitor.sock,mode=777,reuseaddr,fork UNIX-CONNECT:./tunnel_agent_monitor.sock.orig
What if no sniffer is available?
● Sniffer Machine
  ○ sysctl -w net.ipv4.ip_forward=1
  ○ tcpdump -i eth0 host 192.168.68.8
● Target Machine
  ○ polite way (route the traffic to the host through the sniffer machine)
    sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
    sudo sysctl -w net.ipv4.conf.eth5.accept_redirects=0
    sudo route add -host 192.168.68.8 gw 192.168.68.80
  ○ hacker way (execute on the sniffer machine)
    arpspoof -t 192.168.68.51 192.168.68.254
What if SSL is enabled?
● Man-in-the-middle proxy
  ○ http://mitmproxy.org/
  ○ only works if the client does not verify the certificate
    mitmproxy -T --host
    iptables -t nat -A PREROUTING -s 192.168.68.51 -d 192.168.68.8 -p tcp --dport 8080 -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -s 192.168.68.51 -d 192.168.68.8 -p tcp --dport 443 -j REDIRECT --to-port 8080
How to disconnect a connection?
● ARP Spoofing + iptables
● Faking TCP packets
  ○ use tcpdump to observe the connection
    tcpdump -S -n host 192.168.68.63 and tcp
  ○ use the libnet sample code to fake packets
    sudo ./tcp2 -s 192.168.68.63.8080 -d 192.168.68.51.52351 -n $SEQ_NO -a $ACK_NO -f "TH_FIN|TH_ACK"
    sudo ./tcp2 -s 192.168.68.63.8080 -d 192.168.68.51.52351 -n $SEQ_NO -f "TH_RST"
Reference
● dsniff
  ○ http://www.monkey.org/~dugsong/dsniff/
● ettercap
  ○ http://ettercap.github.io/ettercap/