当前位置: 文江博客话题详情

如何设置linux内核不发送RST_ACK,以便我可以在原始套接字中给出SYN_ACK

发布于 2024-12-14 00:42:11 字数 811 浏览 1 评论 0原文

我想问一个关于原始套接字编程和 Linux 内核 TCP 处理的经典问题。我已经对一些相同的线程进行了研究,例如linux原始套接字编程问题,< a href="https://stackoverflow.com/questions/4442060/how-to-reproduct-tcp-protocol-3-way-handshake-with-raw-sockets- Correctly">如何重现 TCP原始套接字的协议 3 向握手是否正确? 和 TCP ACK 欺骗,但仍然无法得到解决方案。

我尝试创建一个不侦听任何端口的服务器,但嗅探来自远程主机的 SYN 数据包。服务器进行一些计算后,会向相应的SYN数据包发送回一个SYN_ACK数据包,这样我就可以手动创建TCP连接,而不需要包括内核的操作。我已经创建了原始套接字并通过它发送 SYN_ACK,但数据包无法到达远程主机。当我在服务器(Ubuntu Server 10.04)上进行tcpdump并在客户端(Windows 7)上使用wireshark时,服务器返回RST_ACK而不是我的SYN_ACK数据包。经过一些研究,我得到的信息是我们无法抢占内核的 TCP 处理。

还有其他方法可以破解或设置内核不响应这些数据包的 RST_ACK 吗? 我已经在服务器的本地IP上添加了防火墙,以告诉内核也许防火墙后面有东西正在等待数据包,但仍然没有运气

原文

I want to ask a classic question about raw socket programming and linux kernel TCP handling. I've done the research to some same threads like linux raw socket programming question, How to reproduce TCP protocol 3-way handshake with raw sockets correctly?, and TCP ACK spoofing, but still can't get the solution.

I try to make a server which don't listen to any port, but sniff SYN packets from remote hosts. After the server do some calculation, it will send back a SYN_ACK packet to corresponding SYN packet, so that I can create TCP Connection manually, without including kernel's operation. I've create raw socket and send the SYN_ACK over it, but the packet cannot get through to the remote host. When I tcpdump on the server (Ubuntu Server 10.04) and wireshark on client (windows 7), the server returns RST_ACK instead of my SYN_ACK packet. After doing some research, I got information that we cannot preempt kernel's TCP handling.

Is there still any other ways to hack or set the kernel not to responds RST_ACK to those packets?
I've added a firewall to local ip of server to tell the kernel that maybe there's something behind the firewall which is waiting for the packet, but still no luck

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

东京女 2024-12-21 00:42:11

您是否尝试使用 iptables 删除 RST?< /a>

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

应该为你完成这项工作。

Did you try to drop RST using iptables?

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

should do the job for you.

回复 原文
源来凯始玺欢你 2024-12-21 00:42:11

我建议使用 ip 表,但既然您也询问了如何破解内核,这里是如何做到这一点的解释(我使用内核 4.1.20 作为参考):

当收到数据包(sk_buff)时, IP 协议处理程序会将其发送到注册的网络协议:

static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
{
        ...
        ipprot = rcu_dereference(inet_protos[protocol]);
        if (ipprot) {
           ...
           ret = ipprot->handler(skb);

假设协议是 TCP,则处理程序是 tcp_v4_rcv:

static const struct net_protocol tcp_protocol = {
    .early_demux    =   tcp_v4_early_demux,
    .handler    =  tcp_v4_rcv,
    .err_handler    =   tcp_v4_err,
    .no_policy  =   1,
    .netns_ok   =   1,
    .icmp_strict_tag_validation = 1,
};

因此调用 tcp_v4_cv。它会尝试找到接收到的 skb 的套接字,如果没有,它将发送重置:

int tcp_v4_rcv(struct sk_buff *skb)
{
    sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
    if (!sk)
        goto no_tcp_socket;

no_tcp_socket:
    if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
        goto discard_it;

    tcp_v4_send_reset(NULL, skb);
    ...

有很多不同的方法可以破解这个问题。您可以转到 xfrm4_policy_check 函数并修改/更改 AF_INET 的策略。或者,您可以简单地注释掉调用 xfrm4_policy_check 的行,以便代码始终转到 Discard_it,或者您可以注释掉调用 tcp_v4_send_reset 的行(但这会产生更多后果)。

希望这有帮助。

I recommend using ip tables, but since you ask about hacking the kernel as well, here is an explanation of how you could do that (I'm using kernel 4.1.20 as reference):

When a packet is received (a sk_buff), the IP protocol handler will send it to the networking protocol registered:

static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
{
        ...
        ipprot = rcu_dereference(inet_protos[protocol]);
        if (ipprot) {
           ...
           ret = ipprot->handler(skb);

Assuming the protocol is TCP, the handler is tcp_v4_rcv:

static const struct net_protocol tcp_protocol = {
    .early_demux    =   tcp_v4_early_demux,
    .handler    =  tcp_v4_rcv,
    .err_handler    =   tcp_v4_err,
    .no_policy  =   1,
    .netns_ok   =   1,
    .icmp_strict_tag_validation = 1,
};

So tcp_v4_cv is called. It will try to find the socket for the skb received, and if it doesn't, it will send reset:

int tcp_v4_rcv(struct sk_buff *skb)
{
    sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
    if (!sk)
        goto no_tcp_socket;

no_tcp_socket:
    if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
        goto discard_it;

    tcp_v4_send_reset(NULL, skb);
    ...

There are many different ways you can hack this. You could go to the xfrm4_policy_check function and hack/change the policy for AF_INET. Or you can just simply comment out the line that calls xfrm4_policy_check, so that the code will always go to discard_it, or you can just comment out the line that calls tcp_v4_send_reset (which will have more consequences, though).

Hope this helps.

回复 原文
~没有更多了~

关于作者

来日方长

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Promise

文章 0 评论 0

qq_lbRlsh

文章 0 评论 0

待"谢繁草

文章 0 评论 0

yy2010hell

文章 0 评论 0

漫无边际

文章 0 评论 0

傲娇萝莉攻

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文