TCP flags组合

最新推荐文章于 2022-07-09 09:59:29 发布

weixin_34138377

最新推荐文章于 2022-07-09 09:59:29 发布

阅读量329

点赞数 1

文章标签：网络 python

原文链接：https://my.oschina.net/richard28530/blog/1548135

版权

2019独角兽企业重金招聘Python工程师标准>>>

TCP flags组合

Normal TCP Flag combination

● SYN, SYN ACK, and ACK are used during the three-way handshake which establishes a TCP connection. ● Except for the initial SYN packet, every packet in a connection must have the ACK bit set. ● FIN ACK and ACK are used during the graceful teardown of an existing connection. ● RST ACK can be used to immediately terminate an existing connection. ● Packets during the "conversation" portion of the connection (after the three-way handshake but before the teardown or termination) contain just an ACK by default. ● Optionally, they may also contain PSH and/or URG.

Abnormal TCP Flag combination

● SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious. ● SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH, and other variants on SYN FIN also exist. These packets may be used by attackers who are aware that intrusion detection systems may be looking for packets with just the SYN and FIN bits set, not additional bits set. Again, these are clearly malicious.

转载于:https://my.oschina.net/richard28530/blog/1548135