Scapy 不需要的 RST TCP 数据包
为了理解 TCP 的工作原理,我尝试伪造自己的 TCP SYN/SYN-ACK/ACK (基于教程:http://www.thice.nl/creating-ack-get-packets-with-scapy/ )。
问题是,每当我的计算机从服务器收到 SYN-ACK 时,它就会生成一个 RST 数据包,从而停止连接过程。
我在 OS X Lion 和 Ubuntu 10.10 Maverick Meerkat 上尝试过,都重置了连接。我发现了这个: http://lkml.indiana.edu/hypermail/linux /net/0404.2/0021.html,不知道是不是这个原因。
有谁能告诉我这可能是什么原因?以及如何避免这个问题呢?
谢谢。
In order to understand how TCP works, I tried to forge my own TCP SYN/SYN-ACK/ACK (based on the tutorial: http://www.thice.nl/creating-ack-get-packets-with-scapy/ ).
The problem is that whenever my computer recieve the SYN-ACK from the server, it generates a RST packet that stops the connection process.
I tried on a OS X Lion and on a Ubuntu 10.10 Maverick Meerkat, both reset the connection. I found this: http://lkml.indiana.edu/hypermail/linux/net/0404.2/0021.html, I don't know if it is the reason.
Does anyone could tell me what could be the reason? And how to avoid this problem?
Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
你引用的文章已经很清楚地说明了这一点......
本质上,问题是
scapy运行在用户空间,linux内核会首先收到SYN-ACK。内核将发送 RST,因为在您有机会使用 scapy 执行任何操作之前,它不会在相关端口号上打开套接字。解决方案(正如博客中提到的)是在内核上设置防火墙,防止其发送 RST 数据包。
The article you cited makes this pretty clear...
Essentially, the problem is that
scapyruns in user space, and the linux kernel will receive the SYN-ACK first. The kernel will send a RST because it won't have a socket open on the port number in question, before you have a chance to do anything withscapy.The solution (as the blog mentions) is to firewall your kernel from sending a RST packet.
我没有非 iptables 的答案,但可以解决重置问题。不要尝试在过滤器表中过滤传出重置,而是在原始表中过滤来自目标的所有传入数据包。这可以防止来自目标的返回数据包被内核处理,尽管 scapy 仍然可以看到它们。我使用了以下语法:
此解决方案确实强制我为我的流量使用相同的源端口;请随意使用您自己的 iptables-fu 来识别目标的返回数据包。
I don't have a non-iptables answer, but one can fix the reset issue. Instead of trying to filter the outgoing reset in the filter table, filter all of the incoming packets from the target in the raw table instead. This prevents the return packets from the target from even being processed by the kernel, though scapy still sees them. I used the following syntax:
This solution does force me to use the same source port for my traffic; feel free to use your own iptables-fu to identify your target's return packets.
其他答案中引用的博客文章并不完全正确。这不仅是因为您没有完成三向握手,而且内核的 IP 堆栈不知道正在发生连接。当它收到
SYN-ACK时,它会发送RST-ACK,因为这是意外的。第一个或最后一个接收实际上并不重要。接收SYN-ACK的堆栈是问题所在。使用 IPTables 丢弃出站 RST 数据包是一种常见且有效的方法,但有时您需要从 Scapy 发送 RST。一个更复杂但非常可行的方法是走得更低,使用与主机不同的 MAC 生成和响应 ARP。这使您能够在不受主机干扰的情况下发送和接收任何内容。
显然,这是更多的努力。就我个人而言,当我确实需要自己发送
RST时,我只采用这种方法(而不是RST丢弃方法)。The blog article cited in other answers is not entirely correct. It's not only that you aren't completing the three way handshake, it's that the kernel's IP stack has no idea that there's a connection happening. When it receives the
SYN-ACK, it sends aRST-ACKbecause it's unexpected. Receiving first or last really doesn't enter into it. The stack receiving theSYN-ACKis the issue.Using IPTables to drop outbound
RSTpackets is a common and valid approach, but sometimes you need to send aRSTfrom Scapy. A more involved but very workable approach is to go lower, generating and responding to ARP with a MAC that is different from the host's. This allows you to have the ability to send and receive anything without any interference from the host.Clearly this is more effort. Personally, I only take this approach (as opposed to the
RSTdropping approach) when I actually need to send aRSTmyself.我在 https://widu 中找到了一个没有 IPTables 的解决方案.tumblr.com/post/43624355124/suppressing-tcp-rst-on-raw-sockets。
I found a solution without IPTables in https://widu.tumblr.com/post/43624355124/suppressing-tcp-rst-on-raw-sockets .