..:: MacHacking.net ::..
Article from MacHacking.net Knowledge Base: http://kb.machacking.net
**********
Title: TCP/IP Connections: A 3-way handshake
Author: Barfbag
Author Contact: http://www.theblankpages.com
**********

TCP/IP Connections: A 3-way handshake
By Barfbag, Admin @ Team Blank.

Introduction

In any TCP/IP connection, a connecting protocol is used in order to make the connection. This protocol is known as the 3-way handshake. In applications such as REALbasic, when a connecting socket is called to make a connection with a listening socket, the 3-way handshake is performed automatically.

Opening a connection

The 3-way handshake can be broken down into a few steps:
The client sends a SYN packet, used to initiate a connection.
After receiving the SYN packet, the server responds with a SYN packet to initiate a connection with the client, and an ACK packet to acknowledge the client's SYN.
After receiving the server's SYN/ACK packet, the client sends an ACK packet to the server to acknowledge the server's SYN packet.

Client        Packet         Server
          ----SYN---->
          <--SYN/ACK--
          ----ACK---->

Closing a connection

To close a connection, the client sends the server a FIN packet, used to terminate a connection. After the server receives the FIN packet, it sends an ACK packet to acknowledge the client's FIN, and a FIN of its own to terminate the connection. After the client receives the server's FIN/ACK packet, the client sends an ACK packet to acknowledge the server's FIN packet.

Client        Packet         Server
          ----FIN---->
          <--FIN/ACK--
          ----ACK---->

Exploits

The good news: the 3-way handshake protocol is easily exploited in order to perform a stealth scan or a sophisticated DoS attack. The bad news: development tools such as REALbasic cannot break down the protocol. When a command like socket1.connect is used to connect to a listening socket, the handshake is automatically carried out.
The only way to break down the protocol, or send only specific commands, is to program in a more powerful language such as C or C++.

--SYN Scan:

SYN scans, or half-scans, are an especially hard scan to detect because a full connection is never made. The scanner sends a SYN packet to the server, and one of three things happens:
If the server sends back a SYN/ACK packet, the scanner assumes that the port is open.
If the client receives an RST packet, used to abort or abruptly end a connection, the scanner assumes the server is running but the port is closed.
If the client receives nothing, it assumes that either the IP address doesn't exist or there is a firewall preventing the connection.

--SYN Flood:

A SYN flood is a simple yet devastating DoS attack. The attacker sends out multiple SYN packets to the server, but these packets contain spoofed return IP addresses that are nonexistent. When the server receives these packets it attempts to send back a SYN/ACK packet to the spoofed address; however, since the address doesn't exist, the connection remains open on the server side, using up valuable system resources while it waits for the client's ACK packet. This attack is particularly devastating because the IPs are spoofed and therefore extremely hard, if not impossible, to trace.

Additional Info

Many more scan types and DoS attacks exist than are covered in this article. For more information on these topics, read Hacking Exposed or Anti-Hacker Toolkit.
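As an added example that is not part of the original article, the following Python turns the open and close sequences from the two diagrams into a small per-connection state machine and then feeds it a constructed packet trace. Seen from the server's side, the two techniques described under Exploits leave distinct footprints that a defender can count: a SYN flood leaves a backlog of connections stuck after the server's SYN/ACK, and a SYN scan shows up as one source that sent SYNs to many ports without ever completing a handshake (an RST reply is recorded as well, since that is what a closed port produces). The Packet and ConnectionTracker classes, the state names, and all addresses and ports are assumptions invented for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed packet record (not captured traffic). Flag names follow the
# article: SYN, SYN/ACK, ACK, FIN, FIN/ACK, RST.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


# Hypothetical simplified state machine for one connection, keyed on
# (client ip, client port, server ip, server port). Transitions follow the
# open sequence (SYN, SYN/ACK, ACK) and the close sequence (FIN, FIN/ACK, ACK)
# from the diagrams; "c2s" = client to server, "s2c" = server to client.
TRANSITIONS = {
    ("SYN_SENT",     "SYN/ACK", "s2c"): "SYN_RECEIVED",  # server answered the SYN
    ("SYN_RECEIVED", "ACK",     "c2s"): "ESTABLISHED",   # handshake complete
    ("ESTABLISHED",  "FIN",     "c2s"): "FIN_SENT",      # client starts teardown
    ("FIN_SENT",     "FIN/ACK", "s2c"): "FIN_ACKED",     # server acks and sends its own FIN
    ("FIN_ACKED",    "ACK",     "c2s"): "CLOSED",        # client acks the server's FIN
}
HALF_OPEN = ("SYN_SENT", "SYN_RECEIVED")  # handshake started but never completed


class ConnectionTracker:
    def __init__(self):
        self.conns = {}  # 4-tuple -> current state name

    def feed(self, pkt):
        """Apply one packet; return the connection's new state, or None if it matches nothing."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SENT"  # a bare SYN opens a new connection
            return "SYN_SENT"
        if fwd in self.conns:
            key, direction = fwd, "c2s"
        elif rev in self.conns:
            key, direction = rev, "s2c"
        else:
            return None
        if pkt.flags == "RST":
            self.conns[key] = "RESET"  # abort, e.g. the reply to a SYN at a closed port
            return "RESET"
        state = self.conns[key]
        # Out-of-sequence packets leave the state unchanged.
        self.conns[key] = TRANSITIONS.get((state, pkt.flags, direction), state)
        return self.conns[key]

    def half_open_backlog(self, server_ip):
        """Connections toward server_ip whose handshake never completed (flood indicator)."""
        return sum(1 for (_, _, sip, _), st in self.conns.items()
                   if sip == server_ip and st in HALF_OPEN)

    def incomplete_ports(self, client_ip):
        """Server ports a source sent SYN to without reaching ESTABLISHED (scan indicator)."""
        return {sp: st for (cip, _, _, sp), st in self.conns.items()
                if cip == client_ip and st in HALF_OPEN + ("RESET",)}


def build_sample_trace():
    """Constructed trace: one normal session, one SYN scan, one small spoofed SYN flood."""
    srv = "192.0.2.10"
    trace = []
    # Normal client: full open followed by full close, exactly as in the two diagrams.
    c = ("10.0.0.5", 40000)
    for flags, s2c in (("SYN", False), ("SYN/ACK", True), ("ACK", False),
                       ("FIN", False), ("FIN/ACK", True), ("ACK", False)):
        trace.append(Packet(srv, 80, *c, flags) if s2c else Packet(*c, srv, 80, flags))
    # SYN scanner: port 22 answers SYN/ACK (open), ports 23 and 25 answer RST (closed);
    # the scanner never sends the final ACK, so port 22 stays half-open.
    for sport, dport, reply in ((50001, 22, "SYN/ACK"), (50002, 23, "RST"), (50003, 25, "RST")):
        trace.append(Packet("10.0.0.9", sport, srv, dport, "SYN"))
        trace.append(Packet(srv, dport, "10.0.0.9", sport, reply))
    # SYN flood: spoofed, unreachable sources; the server's SYN/ACK is never acknowledged.
    for i in range(1, 6):
        spoofed = f"203.0.113.{i}"
        trace.append(Packet(spoofed, 60000 + i, srv, 80, "SYN"))
        trace.append(Packet(srv, 80, spoofed, 60000 + i, "SYN/ACK"))
    return trace


def analyse(trace):
    """Feed the trace and return (tracker, half-open backlog on the server, scan report)."""
    t = ConnectionTracker()
    for pkt in trace:
        t.feed(pkt)
    return t, t.half_open_backlog("192.0.2.10"), t.incomplete_ports("10.0.0.9")


if __name__ == "__main__":
    tracker, backlog, scan = analyse(build_sample_trace())
    print("normal session ended in:", tracker.conns[("10.0.0.5", 40000, "192.0.2.10", 80)])
    print("half-open backlog on 192.0.2.10:", backlog)
    print("ports probed by 10.0.0.9 without completing:", scan)
```

The backlog figure counts every connection the server answered that never received the client's ACK, which is why the scanner's probe of the open port 22 is included alongside the five spoofed sources; a real monitor would age entries out after the server's SYN/ACK retransmission timeout and alert on the rate at which the backlog grows rather than on a single snapshot.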