websocket – There is no ack package for tcp SYN with window scale of 64

I have found a very strange problem. We found that the establishment time of the websocket connection between the mobile phone and the server was too long. Then I use tcpdump to capture the data and I discovered that the problem might have something to do with the window scaling option in the SYN package. Here is the SYN package for the websocket connection:

55488 → 443 [SYN] Seq = 0 Win = 65535 Len = 0 MSS = 1460 WS = 64 TSval = 570815281 TSecr = 0 SACK_PERM = 1

But the server did not respond with ack. Then several retransmissions of SYN occurred. Finally, the client sent a SYN retransmission:

55488 → 443 [SYN] Seq = 0 Win = 65535 Len = 0 MSS = 1460 SACK_PERM = 1

Then the server responded with ack.

I also captured other data from the HTTP connection and found that the window scaling option in the SYN package for the HTTP connection is "WS = 128". There is no retransmission in the link protocol for the HTTP connection.

So I just want to know the reason for that. The operating system on our server is CentOS version 6.7. The kernel version is 2.6.32-573.el6.x86_64.

web server: how to load the default web page only with the TCP connection and without HTTP transaction?

The packet capture is shown below when a web request is made to the Google server

enter the description of the image here

172.217.26.228 is the IP address of the Google server.

enter the description of the image here

In the previous packet capture, I only see the TCP transactions happening. I do not see any message exchange for the HTTP protocol.
Even then, how is it possible for the web browser to show the Google homepage?

enter the description of the image here

How did WebBrowser get the data from the Google homepage?

tls – Is it possible to pass the TCP link protocol with a forged IP address?

Short answer: yes, but not as possible as it used to be, and it depends on how literally one answers your question.

Long answer:

I realize you did it do not ask "Is it possible to have a TCP conversation with a forged IP address"? That question was answered skillfully by @symcbean. You asked specifically "Is it possible pass TCP handshake with the forged IP address. "Then, there is a difference between the question he asked:" Can you forge SYN-> SYN / ACK-> ACK in such a way that the server believes that a connection has been established successfully? and the question that probably meant: "Can you keep a TCP conversation with a counterfeit customer address?"

So let's take a look at the literal question you asked. In that case, the answer is "Yes, if the initial TCP sequence number included in the SYN / ACK by the server is predictable". That is why the predictability of ISN (Initial sequence number) is something tested by vulnerability scanners and something that is implemented much more correctly today than 10 or 15 years ago. To cite a Cisco 2001 warning related to this vulnerability, "The general case of this vulnerability in TCP is well known to the information system security community." More famously, Mitnick abused this characteristic in his attack on Shimomura.

Unless source routing or access to a router in the network path is available, this is not a sustainable configuration. The client may be able to guess the ISN, but the subsequent sequence numbers are increased by the size of the packets being sent, which the attacker will not see and can not reliably predict. So they should be able to receive at least one package after the three-way handshake, but not a conversation. And sometimes a package is enough.

The ISN prediction is a specific subset of TCP sequence prediction attacks. While I can not cite good numbers, my experience suggests that it is a vulnerability that lasted much longer than it should have been; You still run through devices that fail scans because of it. It is difficult to get everyone to fix their TCP batteries, especially when the solution involves a robust generation of random numbers, which is somewhat difficult in limited and cheap hardware (of the type that is thrown at network devices). all the time).

Firewall: detection and blocking of TCP VPN connections that bypass the existing VPN detection software

It is the endless race between weapons and armor … No firewall can prevent a user from doing bad things. Stupidly simple firewalls (only port filtering) will primarily prevent unintentional misuse. Common firewalls (port filtering + HTTP (S) whitelists will suffice for non-technical attackers.

If you want more, you will have to constantly analyze the records to detect any abnormal Trafic, and then act accordingly by inspecting more and finally asking the users what they were really doing.

What I mean here is that if the amount of work will increase by orders of magnitude if you want to have The safest firewall in the world.. In a moment, it will end at the previous good cost / profit …

And we must not forget the legal way. There must be a firewall to protect the internal network. Users should be warned that targeted attacks aimed at avoiding the firewall are strictly prohibited and could have legal consequences. A user who will use an external HTTP proxy without a filter to bypass some HTTP rules can pretend that he did it without really realizing what was happening. At least for the first time. But users who would configure a specific HTTPS tunnel to completely bypass the firewall would also have to fully assume their action. The technique is one hand, the legal approach is the other.

linux – How can I use the field "socket location in memory" in / proc / net / tcp

I'm working on a proxy for Linux (C ++) that, among other functions, keeps track of TCP connections and associates them with the PID of the process. To do that, I get the inode in / proc / net / tcp and then I analyze all the processes in / proc / pid / fd to see which process contains it. Very clear.

The problem is that sometimes clients can open and close the connection faster than the proxy can analyze the fds of the processes. I noticed this field – "socket location in memory", which is present in / proc / net / tcp
https://www.kernel.org/doc/Documentation/networking/proc_net_tcp.txt

and I wonder if it could be of any help, everything is very badly documented and I did not find any online resource related to it.

My questions are: what exactly is the location of the socket memory, how can it be accessed and what can I find there?

Thank you.

Linux firewall to disconnect inactive tcp connections after a timeout

My requirement is to disconnect TCP connections that are inactive (there are no maintenance probes) for more than x time (timeout value). Is this configuration possible with UFW? otherwise I can configure this rule in iptables? As I found it on the Internet, this is possible with a layer 2 hardware firewall, but what I want is to do this using a Linux tool

dnd 5e – In the Adventurer League (rules of season 8), can you find a magical consumable item during the unlocking of the adventure to buy with TCP?

Suppose I play through an adventure in which AL potion to fly It is found. I know that I or another character can keep that potion, use it during that adventure or save it for a later adventure. But it is the potion to fly Unlocked so I can buy more with Treasure Checkpoints if I want? It is in Table D of Magical Objects, which means that it would cost 16 TCP of level 2 or higher.

FFmpeg TCP point-to-point transmission with muxer tee – handle network disconnections

We are using FFmpeg for live transmission between two computers (point-to-point transmission) via TCP.
The transmission works well and we wanted to add support for two features:

  1. Store the transmission locally in addition to transmitting it to the remote PC
  2. Handle network interruptions.

For the first article we started using the Muxer Tee and solved the first problem.
However, we can not keep the connection active during network interruptions, the sequence does not recover if the network disconnects for more than ~ 10 seconds.

A little more technical information:
The streaming command ffmpeg:

ffmpeg -f avfoundation -video_size 1280×720 -framerate 30.0 -pixel_format uyvy422 -i "0: 0" -preset veryfast -c: v libx264 -c: aac -b: a 128k -ac 2 -ar 44100 -pix_fmt yuv420p-b: v 500k -maxrate 500k -bufsize 1000k -sc_threshold 0 -g 60 -keyint_min 60 -af "aresample = async = 1: min_hard_comp = 0.100000: first_pts = 0" -r 30.0 -f tee -map 0 "[onfail=ignore]test_new.ts |[f=fifo:fifo_format=mpegts:drop_pkts_on_overflow=1:attempt_recovery=1:recovery_wait_time=1:recover_any_error=1]tcp: //[host]:[port]? waiting time = 900000000 "

The receiving end:

ffmpeg -i tcp: // host: port? listen & timeout = 900000000 & listen_timeout = 300000 …

After a few seconds, we reach the end of the transmission the following error:

Connection to tcp: //[host]:[port]? timeout = 900000000 error: the network is unreachable

And the current never recovers.

We want to keep the active tcp connection as long as possible (we chose 5 minutes for the test)

Does anyone know if this can be done and how?

Thank you

Honeypot detection: How is TCP / IP implemented in the honeypots?

I am currently studying how to perform honeypot detection and I was wondering if a possible solution is to analyze how they implement their TCP / IP protocol.

I have been looking in the source code for several of the honeypots (for example, Kippo) but I have not found where they implement this protocol. I'm not sure that the honeypot has left it in the operating system to run TCP / IP, or maybe I'm looking in the wrong places.

Any advice is appreciated. Thank you!

c # – What is the difference with async and sync in Tcp Socket?

Do you have a speed difference? Which is more sensitive? Does it matter which one to use?
The codes to these 3 questions:

void EndReading (result of IAsyncResult)
{
int size = ((NetworkStream) result.AsyncState) .EndRead (result);
}
void Start () => tcpClient.BeginRead (buffer, 0, 30000, EndReading, null);

Second:

Asynchronous task reading (clcc client)
{
int size = 0;
if ((size = cl.GetStream (). ReadAsync (buffer, 0, 30000)) = 0)
{
// ...
}
}
void Start () => Task.Run (Read) .Wait ();

The same to write but instead of Yes Y ReadAsync single WriteAsync