Three-way handshake is used by a TCP client and a TCP server to establish a connection, as illustrated below:
1st: client:port1 -> server:port2, SYN
2nd: server:port2 -> client:port1, SYNACK
3rd: client:port1 -> server:port2, ACK
When this client is performing scanning attacks, it will generate a large number of failed connections. In each failed connection, the three-way handshake fails to complete. People commonly use a SYN together with the absence of its corresponding SYNACK in the same TCP session to identify whether this connection has failed.
By investigating the failed connections, an engineer finds that in legitimate/benign cases, if the server does not return SYNACK to the client, the client will not send the ACK packet after SYNACK (e.g., the 3rd packet above). Therefore, this engineer suggests that we can count the failed connections based on the following rules without considering SYNACK:
- If a client:port1 sends a SYN packet to server:port2, and an ACK is sent from client:port1 to server:port2 after that SYN packet, then this connection is established.
- If a client:port1 sends a SYN to server:port2, and then there is no ACK belonging to this session from client:port1 to server:port2, then this connection is failed.
Then this engineer uses these two rules to identify failed connections and uses the number of failed connections to detect scanning behaviors.
If an attacker knows these two rules, how can he/she perform effective scanning attacks and meanwhile evade these two detection rules?
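As an added example (not part of the question or of any posted answer), here are the engineer's two client-only rules implemented beside the conventional check that also requires the server's SYNACK, both run over a constructed packet trace. The addresses, ports and flag strings are made up for illustration; the trace includes one session that the client-only rules classify as established while the SYNACK-aware rule still classifies it as failed, which is the gap a detector must account for.

```python
# Added example: compare the client-only rules with a SYNACK-aware rule
# over a constructed trace. Not code from the original question.
from collections import defaultdict

# Constructed trace (not real traffic): (src, sport, dst, dport, flags)
TRACE = [
    # session A: complete handshake, established under both rules
    ("10.0.0.5", 40001, "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", 80, "10.0.0.5", 40001, "SYNACK"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "ACK"),
    # session B: SYN with no reply at all, failed under both rules
    ("10.0.0.5", 40002, "10.0.0.9", 22, "SYN"),
    # session C: client sends an ACK although no SYNACK ever arrived;
    # the client-only rules call it established, the SYNACK-aware rule does not
    ("10.0.0.5", 40003, "10.0.0.9", 443, "SYN"),
    ("10.0.0.5", 40003, "10.0.0.9", 443, "ACK"),
]


def group_sessions(trace):
    """Key each packet by the client-side 4-tuple (client, port1, server, port2).

    SYNACK travels server -> client, so its endpoints are flipped; a server-sent
    ACK would land under a key with no SYN and is ignored by both classifiers.
    """
    sessions = defaultdict(list)
    for src, sport, dst, dport, flags in trace:
        key = (dst, dport, src, sport) if flags == "SYNACK" else (src, sport, dst, dport)
        sessions[key].append(flags)
    return sessions


def failed_client_only(sessions):
    """Engineer's rules: a SYN followed by a client ACK is established, otherwise failed."""
    failed = set()
    for key, flags in sessions.items():
        if "SYN" not in flags:
            continue  # not a client-initiated session
        if "ACK" not in flags[flags.index("SYN") + 1:]:
            failed.add(key)
    return failed


def failed_with_synack(sessions):
    """Conventional rule: a SYN with no corresponding SYNACK from the server is failed."""
    return {key for key, flags in sessions.items() if "SYN" in flags and "SYNACK" not in flags}


if __name__ == "__main__":
    s = group_sessions(TRACE)
    print("client-only rules count failed:", len(failed_client_only(s)))  # 1
    print("SYNACK-aware rule counts failed:", len(failed_with_synack(s)))  # 2
```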