Network analysis for IR: TCP protocol with Wireshark

Introduction to TCP

The Transmission Control Protocol (TCP) is one of the most widely used protocols on the internet. Unlike the User Datagram Protocol (UDP), TCP is not a "fire and forget" protocol: it keeps track of the segments it sends, confirms that they have been received, and retransmits them when necessary.

As a result, TCP suits applications that need a reliable communication channel. A common use of TCP is to carry Hypertext Transfer Protocol (HTTP) traffic, the requests and responses that serve web pages.

 

TCP in Wireshark

TCP differs from most other protocols in that it is designed to provide reliable data transfer. A TCP conversation therefore follows a fixed structure, built from different types of segments that are distinguished by the TCP flags set in their headers. A TCP connection is created with the TCP handshake and then provides certain guarantees to both sender and receiver.

 

TCP Flags

One of the main differences between TCP and UDP is TCP's use of flags. Like ICMP types and codes, TCP flags describe the purpose of a packet. The six classic TCP flags are:

  • SYN (synchronize): requests a new connection and announces the sender's initial sequence number
  • ACK (acknowledge): acknowledges receipt of data from the other side
  • FIN (finish): closes a connection gracefully, once in each direction
  • RST (reset): aborts a connection immediately
  • PSH (push): tells the receiver to hand the data to the application at once instead of buffering it
  • URG (urgent): marks data, up to the urgent pointer, that should be processed ahead of the normal stream

Different types of packets are used at different points in a TCP session. Some are tied to a specific moment in the connection (SYN at setup, FIN at teardown), one is set on almost every packet (ACK appears on everything after the initial SYN), and the rest appear only in particular situations: RST when a connection is refused or aborted, PSH on data-carrying segments that should be delivered to the application immediately, and URG almost never in modern traffic.

The use of flags in TCP is highly standardized, but flags can be abused. A common reason for abusing them is scanning: different operating systems respond differently to segments whose flags violate the rules of a TCP connection (no flags at all, SYN together with FIN, or FIN, PSH and URG set without ACK), which lets a scanner fingerprint the host or infer the state of a port.
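As an added example (not code from the original article), the following Python decodes the fixed TCP header from raw bytes, names the flags that are set, and labels the combination the way an analyst reads it in Wireshark's packet list, including the abusive combinations mentioned above. The sample segments are constructed inline; the builder helper and the verdict strings are this example's own, not Wireshark fields, and "Xmas" and "null" are the conventional scanner names for those flag patterns.

```python
import struct

# Flag bits of the TCP header's flags byte, most significant first. FIN..URG are
# the six classic flags; CWR and ECE were added later for congestion notification.
TCP_FLAG_BITS = [
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]
FLAG_VALUE = {name: bit for bit, name in TCP_FLAG_BITS}


def flag_names(flags):
    """Names of the flags set in the flags byte, in wire order."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header of a raw segment (IP header already removed)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes, 20..60 (options follow byte 20)
    flags = off_flags & 0xFF              # the low byte holds the eight flag bits
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags, "flag_names": flag_names(flags),
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "payload": segment[data_offset:],
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal header (no options, checksum left 0) for the constructed samples."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | (flags & 0xFF), window, 0, 0)


def classify_flags(flags):
    """Read a flag combination the way an analyst does in the packet list.

    The first group is what a legitimate session produces; the probes are
    combinations no normal TCP stack sends, typical of scanners looking for
    OS-specific replies.
    """
    has = lambda name: bool(flags & FLAG_VALUE[name])
    if has("SYN") and has("FIN"):
        return "SYN+FIN (contradictory: open and close at once)"
    if has("SYN") and not has("ACK"):
        return "SYN (connection request)"
    if has("SYN") and has("ACK"):
        return "SYN/ACK (handshake reply)"
    if flags & 0xFF == 0:
        return "null probe (no flags set)"
    if has("FIN") and has("PSH") and has("URG") and not has("ACK"):
        return "Xmas probe (FIN+PSH+URG without ACK)"
    if has("FIN") and not has("ACK"):
        return "FIN probe (FIN without ACK)"
    if has("RST"):
        return "RST (connection refused or aborted)"
    if has("FIN"):
        return "FIN/ACK (orderly close)"
    return "established-session segment (ACK set)"


# Constructed samples: a client SYN, the server's SYN/ACK, and an Xmas probe.
SAMPLES = {
    "client SYN": build_tcp_header(40000, 80, 1000, 0, FLAG_VALUE["SYN"]),
    "server SYN/ACK": build_tcp_header(80, 40000, 5000, 1001,
                                       FLAG_VALUE["SYN"] | FLAG_VALUE["ACK"]),
    "Xmas probe": build_tcp_header(40001, 80, 7, 0,
                                   FLAG_VALUE["FIN"] | FLAG_VALUE["PSH"] | FLAG_VALUE["URG"]),
}


def describe_samples():
    """Return (name, flag names, verdict) for every sample segment."""
    out = []
    for name, seg in SAMPLES.items():
        hdr = parse_tcp_header(seg)
        out.append((name, hdr["flag_names"], classify_flags(hdr["flags"])))
    return out


if __name__ == "__main__":
    for name, names, verdict in describe_samples():
        print(f"{name:15s} {'+'.join(names):12s} -> {verdict}")
```

The same decoding is what Wireshark shows in the "Flags" subtree of a TCP packet; the point of doing it by hand is to see that a probe such as FIN+PSH+URG is just a flags byte of 0x29 that no handshake ever produces.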

 

TCP Handshake

In TCP, application data is never sent in the first packet. Instead, the two hosts first go through the TCP handshake to establish a connection before any real data is sent.

The steps are simple. First, the client starts the exchange by sending a SYN packet, announcing its wish to connect and its initial sequence number. The server answers with a SYN/ACK packet, which announces its own initial sequence number and acknowledges the client's SYN (its acknowledgement number is the client's sequence number plus one). Finally, the client sends an ACK packet acknowledging the server's SYN/ACK in the same way.

After the handshake the TCP connection between client and server is established. From this point the purpose of the TCP packets shifts from TCP's own goals (establishing the connection) to carrying another protocol. For example, the next packet after the handshake might be the client's HTTP request.

TCP guarantees

TCP is designed primarily to provide guarantees to the higher-level protocol that uses it. These guarantees are ordering, reliability, and error detection.

Ordering

One advantage of TCP over UDP is built-in support for ordering. Packets sent in a particular sequence can travel different paths across the network and arrive at the receiver out of order; TCP's sequence numbers let the receiver put them back in the order they were sent.

Reliability

Unlike UDP, TCP is not a fire-and-forget protocol. As the handshake shows, every segment the sender transmits is acknowledged by the other side. A missing acknowledgement causes the sender to retransmit the unacknowledged segment, ensuring that the receiver eventually obtains a copy of all the data.

Acknowledging every segment gives TCP a high level of reliability: a lost segment does not go unnoticed, because its acknowledgement never arrives. In Wireshark such events show up as retransmissions and duplicate ACKs, which the expert analysis marks (display filter tcp.analysis.retransmission).

Error correction

Finally, TCP includes built-in error detection. As a packet crosses the network, bits in it can be flipped, changing the message it carries. The TCP checksum lets the receiver determine whether this has happened.

TCP does this by including a 16-bit checksum in every segment, computed over the TCP header, the payload and a pseudo-header containing the source and destination IP addresses. The receiver recomputes the checksum; if it does not match, the segment is discarded without being acknowledged, and the sender's retransmission of the unacknowledged data supplies the correction. One caveat for Wireshark users: outgoing segments captured on the sending host are often shown with an incorrect checksum because the network card fills it in after the capture point (checksum offloading); that is not corruption.
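An added example (not part of the original article) of the checksum described above: it computes the RFC 793 TCP checksum over the IPv4 pseudo-header and segment, verifies a constructed segment the way a receiver would, and shows what the checksum does and does not catch. The addresses, ports and payload are constructed for the example.

```python
import socket
import struct


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum of a TCP segment carried in IPv4.

    Covers a pseudo-header (source IP, destination IP, zero, protocol 6, TCP length)
    followed by the whole segment with its checksum field treated as zero.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def with_checksum(src_ip, dst_ip, segment):
    """Return the segment with a correct checksum written into bytes 16-17."""
    csum = struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment))
    return segment[:16] + csum + segment[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """What the receiver does: recompute and compare with the stored value."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def flip_bit(segment, byte_index, bit):
    """Simulate a single-bit transmission error."""
    damaged = bytearray(segment)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def swap_words(segment, i, j):
    """Swap the 16-bit words at even offsets i and j (a reordering error)."""
    b = bytearray(segment)
    b[i:i + 2], b[j:j + 2] = b[j:j + 2], b[i:i + 2]
    return bytes(b)


# Constructed addresses (RFC 5737 documentation ranges) and segment:
# 20-byte header (PSH+ACK, ports 40000 -> 80) followed by an HTTP request line.
SRC, DST = "192.0.2.10", "198.51.100.20"
HEADER = struct.pack("!HHIIHHHH", 40000, 80, 1001, 5001, (5 << 12) | 0x18, 65535, 0, 0)
SEGMENT = with_checksum(SRC, DST, HEADER + b"GET / HTTP/1.1\r\n")


if __name__ == "__main__":
    print("intact:        ", checksum_ok(SRC, DST, SEGMENT))
    print("bit flipped:   ", checksum_ok(SRC, DST, flip_bit(SEGMENT, 25, 3)))
    print("wrong src IP:  ", checksum_ok("192.0.2.11", DST, SEGMENT))
    print("words swapped: ", checksum_ok(SRC, DST, swap_words(SEGMENT, 20, 22)))
```

Two things the example makes visible. The pseudo-header means a segment re-addressed to different IP addresses fails the check even though the TCP bytes are untouched, which is why a spoofing tool must recompute the checksum. And because the checksum is only a sum, two 16-bit words exchanged in the payload pass unnoticed: it detects flipped bits, not every kind of tampering, and offers no protection against a deliberate attacker.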

 

TCP analysis for incident response

As one of the most common protocols on the internet, TCP carries a huge variety of traffic. Some attacks, however, operate at the TCP level itself, including using the protocol for scanning and for DDoS reflection and amplification.

Scanning

A common misuse of TCP is scanning. Different operating systems respond differently when someone breaks the "rules" of a TCP connection, so by observing how a system responds to a crafted packet, a scanner can determine whether a host is up, whether a port is open or closed, and sometimes which operating system it runs.

The most common form is the SYN scan, also called a half-open scan. The scanner sends a SYN packet to each target port. A SYN/ACK in response means the port is open, an RST means it is closed, and no response at all usually means a firewall is dropping the probe. For open ports the scanner replies with an RST rather than completing the handshake, so the connection is never fully established. If an organisation only logs connections that complete the TCP handshake, this type of scan goes unnoticed; in a packet capture it shows up as many SYNs from one source to many ports, answered by SYN/ACK or RST and never followed by a data-carrying segment.

TCP reflection and DDoS amplification

As the name suggests, DDoS amplification increases the impact of a Distributed Denial of Service (DDoS) attack. The attacker sends a small amount of traffic to an "amplifier", which in turn sends a much larger volume of traffic to the intended target.

Most amplification attacks use UDP, but attackers have more recently taken advantage of TCP reflection. In a TCP reflection attack, the attacker sends a TCP SYN packet to the amplifier with the source IP address spoofed to that of the target. The amplifier, believing the target is trying to open a connection, sends a SYN/ACK packet to the target.

Because the target never sent the SYN, it does not answer as expected (it typically replies with an RST or not at all), and the amplifier keeps retransmitting the SYN/ACK, reaching rates reported at up to 5,000 packets per minute. At the target, a TCP reflection attack can be detected as SYN/ACK packets arriving with no corresponding outbound SYN. At the amplifier, it can be detected as internal systems sending large volumes of SYN/ACK packets that never receive a final ACK.
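The handshake, SYN scan and reflection patterns described above, as an added example that is not part of the original article: the Python below groups already-decoded packets into flows and labels each one (completed handshake, half-open SYN scan, closed or filtered port, SYN/ACK without SYN at a reflection target, unacknowledged SYN/ACKs at an amplifier), checking the acknowledgement numbers of the handshake along the way. The packets, addresses and label strings are constructed for the example; in practice the input would come from a header parser or from tshark -T fields.

```python
from collections import Counter, defaultdict

MASK32 = 0xFFFFFFFF


def pkt(src, dst, sport, dport, flags, seq=0, ack=0):
    """One decoded TCP packet. flags is a '+'-joined string such as 'SYN+ACK'."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": frozenset(flags.split("+")) if flags else frozenset(),
            "seq": seq, "ack": ack}


def flow_key(p):
    """Direction-independent key so both halves of a conversation land together."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)


def group_flows(packets):
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return flows


def classify_flow(pkts):
    """Label one flow from its packets in capture order."""
    first = pkts[0]
    initiator = (first["src"], first["sport"])

    def from_initiator(p):
        return (p["src"], p["sport"]) == initiator

    if first["flags"] == {"SYN", "ACK"}:
        return "SYN/ACK without a preceding SYN (target side of TCP reflection)"
    if first["flags"] != {"SYN"}:
        return "flow starts mid-session (capture began late)"

    # The responder's first packet decides open / closed / filtered.
    reply_idx = next((i for i, p in enumerate(pkts) if not from_initiator(p)), None)
    if reply_idx is None:
        return "unanswered SYN (filtered port, host down, or spoofed source)"
    reply = pkts[reply_idx]
    if "RST" in reply["flags"]:
        return "closed port (SYN answered by RST)"
    if reply["flags"] != {"SYN", "ACK"}:
        return "unexpected reply to SYN"
    if reply["ack"] != (first["seq"] + 1) & MASK32:
        return "SYN/ACK acknowledges the wrong sequence number"

    # After a valid SYN/ACK: did the initiator finish, abort, or vanish?
    later = pkts[reply_idx + 1:]
    for p in later:
        if from_initiator(p):
            if "RST" in p["flags"]:
                return "half-open: SYN scan against an open port"
            if "ACK" in p["flags"]:
                if p["ack"] == (reply["seq"] + 1) & MASK32:
                    return "completed three-way handshake"
                return "final ACK carries the wrong acknowledgement number"
        elif "RST" in p["flags"]:
            return "responder aborted with RST before the handshake completed"
        elif p["flags"] != {"SYN", "ACK"}:
            return "responder sent data before the handshake completed"
    if later:  # only SYN/ACK retransmissions followed the first one
        return "SYN/ACK retransmitted, no final ACK (amplifier side of TCP reflection)"
    return "handshake incomplete at end of capture"


def classify_all(packets):
    return {key: classify_flow(pkts) for key, pkts in group_flows(packets).items()}


def summarize(packets):
    """Count flows per label: the one-line picture of a capture."""
    return Counter(classify_all(packets).values())


def reflection_sources(packets):
    """Hosts that sent SYN/ACKs nobody asked for: the amplifiers hitting a target."""
    return {pkts[0]["src"] for pkts in group_flows(packets).values()
            if classify_flow(pkts).startswith("SYN/ACK without a preceding SYN")}


# Constructed capture (RFC 5737 addresses) covering each pattern in the text.
PACKETS = [
    # 1. Normal handshake followed by an HTTP request.
    pkt("192.0.2.5", "203.0.113.80", 40000, 80, "SYN", seq=1000),
    pkt("203.0.113.80", "192.0.2.5", 80, 40000, "SYN+ACK", seq=5000, ack=1001),
    pkt("192.0.2.5", "203.0.113.80", 40000, 80, "ACK", seq=1001, ack=5001),
    pkt("192.0.2.5", "203.0.113.80", 40000, 80, "PSH+ACK", seq=1001, ack=5001),
    # 2. SYN scan against open port 22: scanner tears down with RST.
    pkt("192.0.2.99", "192.0.2.20", 55001, 22, "SYN", seq=7),
    pkt("192.0.2.20", "192.0.2.99", 22, 55001, "SYN+ACK", seq=9, ack=8),
    pkt("192.0.2.99", "192.0.2.20", 55001, 22, "RST", seq=8),
    # 3. SYN scan against closed port 23.
    pkt("192.0.2.99", "192.0.2.20", 55002, 23, "SYN", seq=7),
    pkt("192.0.2.20", "192.0.2.99", 23, 55002, "RST+ACK", ack=8),
    # 4. SYN scan against filtered port 445: no answer.
    pkt("192.0.2.99", "192.0.2.20", 55003, 445, "SYN", seq=7),
    # 5. Target side of TCP reflection: SYN/ACKs from hosts we never contacted.
    pkt("203.0.113.7", "192.0.2.8", 80, 1234, "SYN+ACK", seq=31, ack=1),
    pkt("203.0.113.7", "192.0.2.8", 80, 1234, "SYN+ACK", seq=31, ack=1),
    pkt("198.51.100.3", "192.0.2.8", 443, 1234, "SYN+ACK", seq=77, ack=1),
    # 6. Amplifier side: spoofed SYN, our server keeps retransmitting SYN/ACK.
    pkt("192.0.2.8", "192.0.2.30", 5555, 80, "SYN", seq=0),
    pkt("192.0.2.30", "192.0.2.8", 80, 5555, "SYN+ACK", seq=900, ack=1),
    pkt("192.0.2.30", "192.0.2.8", 80, 5555, "SYN+ACK", seq=900, ack=1),
    pkt("192.0.2.30", "192.0.2.8", 80, 5555, "SYN+ACK", seq=900, ack=1),
]

if __name__ == "__main__":
    for label, n in summarize(PACKETS).most_common():
        print(f"{n:3d}  {label}")
    print("reflection sources:", sorted(reflection_sources(PACKETS)))
```

In Wireshark the equivalent view is Statistics > Conversations filtered to TCP, where a scanner appears as one address with many single- or two-packet conversations and a reflection target appears as many conversations that begin with a SYN/ACK. The acknowledgement-number checks are there because a SYN/ACK whose ack does not equal the SYN's sequence number plus one is either a broken stack or a forged reply.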

Conclusion: Investigation of TCP traffic in Wireshark

TCP is a highly structured protocol, which is what allows it to provide guarantees to the applications that use it. When examining TCP traffic in Wireshark, any deviation from the normal structure of a TCP session deserves a closer look. Useful starting points are the display filters tcp.flags.syn == 1 && tcp.flags.ack == 0 (connection attempts), tcp.flags.syn == 1 && tcp.flags.ack == 1 (SYN/ACK replies, to compare against the SYNs your hosts actually sent), tcp.flags.reset == 1 (refused or aborted connections) and tcp.analysis.flags (retransmissions, duplicate ACKs and the other anomalies Wireshark's expert analysis has spotted).

 

 

Written by Anastasis Vasileiadis
