Network analysis for IR: TCP protocol with Wireshark
Transmission Control Protocol (TCP) is one of the most widely used protocols on the Internet. Unlike User Datagram Protocol (UDP), TCP is not a "fire and forget" protocol: it keeps track of the packets it sends, confirms that they have been received, and retransmits them if necessary.
As a result, TCP is ideal for applications that need a reliable communication channel. A common use of TCP is to carry Hypertext Transfer Protocol (HTTP) traffic, the requests and responses that serve web pages.
TCP in Wireshark
TCP differs from many other protocols in that it is designed to provide reliable data transfer. As a result, a TCP conversation follows a highly standardized structure, using different types of packets denoted by different TCP flags. A TCP communication channel is set up with the TCP handshake and provides certain guarantees to both the sender and the recipient.
One of the main differences between TCP and UDP is TCP's use of flags. Like ICMP types and codes, TCP flags describe the purpose of a packet. The TCP flags are:
- SYN (synchronize): requests a new connection
- ACK (acknowledge): confirms receipt of a packet
- FIN (finish): closes a connection gracefully
- RST (reset): terminates a connection immediately
- PSH (push): tells the recipient to pass the data to the application immediately instead of buffering it
- URG (urgent): marks data to be processed ahead of all other data
Different types of packets are used at different points in a TCP session. Some are used at specific stages of a connection (SYN and FIN), some are used throughout it (ACK), and others appear only in unusual situations (RST, PSH and URG).
TCP connections and the use of flags are very predictable. However, flags can be misused. A common motive for flag abuse is scanning, because different operating systems respond differently to certain violations of the protocol.
In TCP, data intended for the final recipient is never sent in the first packet. Instead, the two endpoints first go through the TCP handshake to create a channel before sending real data.
The steps of the TCP handshake are quite simple. First, the sender starts the communication by sending a SYN packet, expressing its interest in connecting. The recipient responds with a SYN/ACK packet that expresses its own interest and acknowledges receipt of the sender's SYN. Finally, the sender sends an ACK packet to acknowledge the recipient's SYN/ACK.
After the handshake, the TCP channel between the sender and the recipient is open. At this point, the primary purpose of the TCP packets shifts from TCP's own goal (establishing the connection) to carrying another protocol. For example, the next packet after the TCP handshake may be a packet from the sender requesting an HTTP web page.
TCP is primarily designed to provide certain guarantees to the higher-level protocol that uses it. These guarantees include packet ordering, reliability and error detection.
Another advantage of TCP over other protocols is its built-in support for ordering packets. Although packets may be sent in a specific sequence, they can travel different paths across the network and arrive at the recipient out of order. TCP sequence numbers let the recipient restore the original order.
Unlike UDP, TCP is not a fire and forget protocol. As the TCP handshake shows, every packet sent is acknowledged by the other party. A missing acknowledgement triggers retransmission of the unacknowledged packet, ensuring that the recipient receives a copy of all data transmitted by the sender.
The acknowledgement of each packet in a TCP transmission provides a high level of reliability. A packet cannot be dropped without being noticed.
Finally, TCP has built-in error detection. As a packet crosses the network, some of its bits may be flipped, changing the message it carries. TCP error detection helps determine whether this has happened.
TCP implements error detection by including a checksum in each packet. The recipient verifies the checksum to make sure the packet has arrived intact. If it has not, the packet is rejected and must be retransmitted.
TCP analysis for incident response
As one of the most common protocols on the Internet, TCP can be used to deliver a wide variety of traffic. However, some attacks operate at the TCP level itself, including port scanning and DDoS amplification.
A common misuse of the TCP protocol is scanning. The reason is that different operating systems respond differently when someone violates the "rules" of a TCP connection. By observing how a system responds, it is possible to determine whether a particular machine is up and whether a port is open or closed.
In this type of scan, the scanner sends SYN packets to the target. A SYN/ACK in response means that the port is open, while a closed port results in an RST response. For open ports, the scanner then sends an RST packet, tearing down the connection. If an organization only monitors and logs connections that complete the TCP handshake, this type of scan may go undetected.
TCP reflection and DDoS amplification
As the name suggests, DDoS amplification is designed to increase the impact of a Distributed Denial of Service (DDoS) attack. These attacks are designed so that the attacker can send a small amount of traffic to an "amplifier" and have a much larger volume of traffic sent to the intended target.
Most DDoS attacks use UDP, but attackers have recently taken advantage of TCP reflection to amplify DDoS. In a TCP reflection attack, the attacker sends a TCP SYN packet to an amplifier while spoofing the source IP address as that of the target. The amplifier, believing that the target is trying to start a connection, sends a SYN/ACK packet to the target.
If the target does not respond as expected, the amplifier keeps retransmitting SYN/ACK packets, reaching rates of up to 5,000 packets per minute. From the target's side, a TCP reflection DDoS can be detected as SYN/ACK packets with no corresponding SYN. From the amplifier's side, the attack can be detected by systems inside the network that send large volumes of SYN/ACK packets and receive no response.
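The two detection ideas above (SYN-scan traffic that never completes the handshake, and SYN/ACKs that answer no SYN) both come down to tracking handshake state per flow. The following added example (written for this page, not part of the original article) replays a constructed packet list in capture order and reports both patterns; the addresses, ports and thresholds are assumed sample values.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP header flag bits

def analyse(packets, scan_threshold=3):
    """Replay (src, dst, sport, dport, flags) tuples in capture order; report SYN-scan
    suspects (many SYNs, few completed handshakes) and SYN/ACKs that answer no SYN."""
    state = {}                          # (src, sport, dst, dport) -> handshake stage
    probed = defaultdict(set)           # initiator -> {(dst, dport)} it sent SYNs to
    completed = defaultdict(int)        # initiator -> handshakes finished with an ACK
    half_open_reset = defaultdict(int)  # initiator -> SYN, SYN/ACK, RST sequences (open port probed)
    orphan_synack = defaultdict(int)    # sender -> SYN/ACKs with no matching SYN in the capture
    for src, dst, sport, dport, flags in packets:
        fwd = (src, sport, dst, dport)  # this packet's own direction
        rev = (dst, dport, src, sport)  # the flow it would be answering
        if flags & SYN and not flags & ACK:              # handshake step 1
            state[fwd] = "syn"
            probed[src].add((dst, dport))
        elif flags & SYN and flags & ACK:                # handshake step 2
            if state.get(rev) == "syn":
                state[rev] = "synack"
            else:                                        # nobody here sent that SYN
                orphan_synack[src] += 1
        elif flags & RST:                                # abort; tested before ACK since RST/ACK is common
            if state.get(fwd) == "synack":               # initiator tore down a half-open connection
                half_open_reset[src] += 1
            state.pop(fwd, None); state.pop(rev, None)
        elif flags & ACK and state.get(fwd) == "synack":  # handshake step 3
            state[fwd] = "established"
            completed[src] += 1
    scanners = {ip: (len(t), completed[ip]) for ip, t in probed.items()
                if len(t) >= scan_threshold and completed[ip] * 2 < len(t)}
    return {"scanners": scanners, "half_open_resets": dict(half_open_reset),
            "orphan_synack": dict(orphan_synack)}

# Constructed sample (not a real capture): a SYN scan from 192.0.2.10 against 10.0.0.5 (22 and 80
# open, 443 and 8080 closed), one normal client 10.0.0.7, and unsolicited SYN/ACKs from 198.51.100.9.
SAMPLE = [
    ("192.0.2.10", "10.0.0.5", 40001, 22, SYN), ("10.0.0.5", "192.0.2.10", 22, 40001, SYN | ACK),
    ("192.0.2.10", "10.0.0.5", 40001, 22, RST),
    ("192.0.2.10", "10.0.0.5", 40002, 80, SYN), ("10.0.0.5", "192.0.2.10", 80, 40002, SYN | ACK),
    ("192.0.2.10", "10.0.0.5", 40002, 80, RST),
    ("192.0.2.10", "10.0.0.5", 40003, 443, SYN), ("10.0.0.5", "192.0.2.10", 443, 40003, RST | ACK),
    ("192.0.2.10", "10.0.0.5", 40004, 8080, SYN), ("10.0.0.5", "192.0.2.10", 8080, 40004, RST | ACK),
    ("10.0.0.7", "10.0.0.5", 51000, 80, SYN), ("10.0.0.5", "10.0.0.7", 80, 51000, SYN | ACK),
    ("10.0.0.7", "10.0.0.5", 51000, 80, ACK), ("10.0.0.7", "10.0.0.5", 51000, 80, PSH | ACK),
    ("198.51.100.9", "10.0.0.5", 80, 33000, SYN | ACK), ("198.51.100.9", "10.0.0.5", 80, 33000, SYN | ACK),
    ("198.51.100.9", "10.0.0.5", 80, 33000, SYN | ACK),
]
```

The same flow-state logic is what Wireshark's `tcp.analysis` flags and `tcp.flags` display filters let you apply interactively; on a real capture, feed `analyse()` the tuples exported from a pcap and tune `scan_threshold` to the network's normal connection rate.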
Conclusion: Investigation of TCP traffic in Wireshark
TCP is a highly structured protocol, which allows it to provide some guarantees to the applications that use it. When considering TCP traffic in Wireshark, any deviation from the normal structure of a TCP conversation may be worth a closer look.