The Transmission Control Protocol (TCP)

• TCP is a protocol that specifies:

– How to distinguish among multiple destinations on a given machine

– How to initiate and terminate a stream transfer

– Format of the data and acknowledgments that two computers exchange to achieve a reliable transfer

– Procedures the computers use to ensure that the data arrives correctly

Establishing a TCP Connection

• The 3-way handshake– Guarantee that both sides are ready for connection– Allows both sides to agree on initial sequence numbers

Receive SYN

Site 1 Network Site 2Send SYN seq=x

Send SYN seq=y, ACK x+1

Send ACK y+1

Receive SYN&ACK

Receive ACK

SYN Flood

• After the second message has been sent but before the third message has been received the connection is “half opened”– Most hosts store these half-opened connections in a

fixed-size table while they await the third message

– Half-opened connections are timed out after after half a minute or so

SYN Flood (cont)

• Attacker attempts to:– Fill up the half-opened connection table

• Attacker sends the victim machine a large number of SYN segments with spoofed source addresses (to nonexistent or unreachable hosts)

• Produces a large number of half-opened connections at the victim’s machine that will never become fully open

• The half-opened connection table fills and no new connections can be accepted until space is available

– Keep it full• Continue sending SYN segments to replace half-open connections as

they time out

• Result: the victim host cannot accept any other, legitimate attempts to open a connection

Land

• Attack tool exploits a vulnerability in certain TCP implementations

• Attacker creates an invalid TCP SYN segment:– Spoofed source address is identical to the destination

address– Source port is identical to the destination port

• Causes some TCP implementations to freeze or crash

• Fixed with software patches

Tribe Flood Network (TFN)

• Distributed denial of service attack tool– Newer versions have been developed (TFN2K, TFN3K,

Stacheldraht)

– Used in February, 2000 to attack several major e-commerce sites on the Web

• Similar to trinoo:– Daemon programs: listen for and execute commands from a

master

– Master programs• Control a number of daemons

• Communicate with an attacker and pass his/her commands on to daemons

TFN (cont)

• “Improvements” over trinoo:– Random protocol (TCP, UDP, or ICMP) for

communication between master and daemons

– Can send out “decoy” packets to random IP addresses to obscure the true target of the attack

– Daemons spoof the source IP address in the attack packets they send

– Daemons can attack multiple targets

– Wider variety of attacks

TFN (cont)

• Daemon attack strategies:– UDP flood (like with trinoo)

– TCP SYN flood

– ICMP ping flood

– ICMP directed broadcast flood (smurf)

– All of the above

Attacks Against Initial Sequence Numbers

• Recall: the 3-way handshake allows two communicating parties to agree on Initial Sequence Numbers (ISNs)

• What if the ISN can be guessed by a third-party?

Attacks Against ISNs (cont)

• If the ISN of an existing or future TCP connection can be determined an attacker may be able to:– Complete a 3-way handshake using a spoofed source IP

address

– Close an ongoing connection

– Hijack an ongoing connection

Scans and Probes

• Attackers typically engage in a variety of reconnaissance activities before attacking:– To identify important/interesting hosts– To identify potential vulnerabilities that could be exploited

• A port scanner is a program that tries to determine which ports have programs listening on them

• Example:– Attempts to open a TCP connection to each port in order– If a connection is made then immediately close it and record the

fact that the port is open– If the connection fails then the port is closed

Port Scanning (cont)

• Using fully-open connections to scan is likely to draw a lot of attention to the scan– Most hosts log:

• Each attempt to connect to a closed port• Each time a newly-opened connection is closed with little or no data

having been sent

• Clandestine scanning methods:– SYN scan:

• A SYN segment is sent to each port and any port that responds with a SYN+ACK segment is opened

• Instead of completing the handshake, a RST (reset) segment is sent to close the connection before it is fully opened

• Some hosts do not log half-opened connections

Closing a TCP Connection

• Applications should close a connection when they have no more data to transmit

• Connection can be closed in either one or both directions– Site 1 finishes transmitting data and waits for ACK from site 2– Site 1 transmits a segment with the FIN bit set– Site 2 acknowledges the FIN segment– Site 2 notifies the application that no more data is coming– Data can still be transmitted from site 2 to site 1– Site 1 will still receive and acknowledge data from site 2– Eventually, site 2 will finish transmitting and close its connection– Both endpoints delete record of the connection

Closing a TCP Connection (cont)

Site 1 Network Site 2

Send FIN seq=x

Receive FIN Send ACK x+1

Receive FIN&ACK

Receive ACK

Send FIN seq=y, ACK x+1

Send ACK y+1

Receive ACK

(app closes connection)

(inform application)

(app closes connection)

TCP Connection Reset

• Applications normally close connections• Sometimes abnormal conditions arise that break a

connection• Broken connections can be reset:

– Site 1 sends a segment with the RST bit set– Site 2 receives segment and aborts the connection– Transfers in both directions cease immediately– Resources for the connection are released– Applications programs are informed

Forcing Data Delivery

• TCP divides the stream of octets into segments for transmission

• This improves efficiency since octets can be buffered until a good-sized segment can be sent

• TCP provides a push operation for applications that want to force delivery of octets– Set PSH bit

– Send segment

Reserved TCP Port Numbers

• Like UDP:– Static port bindings for commonly used services

• Ports 0-1024 are reserved

– Dynamic port bindings• Port numbers over 1024

• Port numbers for services accessible by both UDP and TCP usually match– ECHO (7)

– TIME (37)

Reserved TCP Port Numbers

TCP Performance

• Silly Window Syndrome– Sender generates data quickly

– Receiver reads incoming data one octet at a time

Sender Receiver

TCP Performance (cont)

• Silly Window Syndrome– Each ACK advertises a small amount of space

– Each segment carries a small amount of data

• Problems:– Poor use of network bandwidth

– Unnecessary computational overhead

TCP Performance (cont)

• Avoiding Silly Window Syndrome– Use heuristics at sender to avoid transmitting a small

amount of data in each segment– Use heuristics at receiver to avoid sending small

window advisements

• Receive-side silly window avoidance– Monitor receive window size– Delay advertising an increase until a “significant”

increase is possible• “Significant” = min(half the window, maximum segment size)

Receive-Side Silly Window Avoidance Example

Receive 6 octets, send ACK 7 with window advisement of 0

Application reads one octet

Application reads one octet

Application reads one octet

Send window advisement of 3, receive 3 octets

Receive-Side SillyWindow Avoidance

• Two approaches:– Receiver can ACK received octets but does not

advertise an increase in its window until the increase is significant

– Receiver can not send ACKs when the window is not large enough to advertise

• Advantages/disadvantages?

Send-Side SillyWindow Avoidance

• Goal: avoid sending small segments• Application can generate data in small blocks• TCP must collect data sent by application into a

single large segment (clump) for transmission• TCP must delay sending a segment until it

contains a reasonable amount of data• How long should TCP wait before transmitting

data?

Send-Side Silly Window Avoidance (cont)

• The Nagle Algorithm:– Application generates data to be sent over a connection

that has already transmitted some data• If all previous transmissions have been acknowledged send the

data immediately

• If any ACKs are still pending do not transmit until:– Maximum segment size is reached, or

– An ACK arrives

• Self-clocking - does not compute delays• Applies even if the application requests a push

TCP Summary

• Provides reliable stream delivery service– Full duplex– Out-of-band for urgent data

• Makes efficient use of the network– Piggybacking– Sliding windows

• Efficiency• End-to-end flow control

– Acknowledgment and retransmission– Congestion recovery/avoidance