
The Transmission Control Protocol (TCP)


erasto



  1. The Transmission Control Protocol (TCP)
  • TCP is a protocol that specifies:
    • How to distinguish among multiple destinations on a given machine
    • How to initiate and terminate a stream transfer
    • Format of the data and acknowledgments that two computers exchange to achieve a reliable transfer
    • Procedures the computers use to ensure that the data arrives correctly

  2. Establishing a TCP Connection
  • The 3-way handshake
    • Guarantee that both sides are ready for connection
    • Allows both sides to agree on initial sequence numbers
  Diagram (Site 1 / Network / Site 2):
    Site 1: Send SYN seq=x
    Site 2: Receive SYN; Send SYN seq=y, ACK x+1
    Site 1: Receive SYN&ACK; Send ACK y+1
    Site 2: Receive ACK

  3. SYN Flood
  • After the second message has been sent but before the third message has been received, the connection is “half-opened”
  • Most hosts store these half-opened connections in a fixed-size table while they await the third message
  • Half-opened connections are timed out after half a minute or so

  4. SYN Flood (cont)
  • Attacker attempts to:
    • Fill up the half-opened connection table
      • Attacker sends the victim machine a large number of SYN segments with spoofed source addresses (to nonexistent or unreachable hosts)
      • Produces a large number of half-opened connections at the victim’s machine that will never become fully open
      • The half-opened connection table fills and no new connections can be accepted until space is available
    • Keep it full
      • Continue sending SYN segments to replace half-open connections as they time out
  • Result: the victim host cannot accept any other, legitimate attempts to open a connection
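The fill-and-refill dynamics of slides 3 and 4 can be modelled on the victim side. This is an added example, not code from the slides; the table size, the 30-second timeout and the whole event timeline are constructed assumptions.

```python
TABLE_SIZE = 8            # assumed size of the victim's fixed-size half-open table
HALF_OPEN_TIMEOUT = 30.0  # seconds: "half a minute or so", as on the slide

class HalfOpenTable:
    """Victim-side model of the table of half-opened connections."""

    def __init__(self, size=TABLE_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.size, self.timeout = size, timeout
        self.entries = {}   # (src_ip, src_port) -> time our SYN+ACK went out
        self.rejected = []  # legitimate SYNs refused because the table was full

    def expire(self, now):
        # Entries still waiting for the third message are dropped after the timeout
        for key, sent_at in list(self.entries.items()):
            if now - sent_at >= self.timeout:
                del self.entries[key]

    def on_syn(self, now, src, legitimate):
        self.expire(now)
        if len(self.entries) >= self.size:
            if legitimate:
                self.rejected.append((now, src))
            return False
        self.entries[src] = now
        return True

    def on_ack(self, now, src):
        # Third handshake message: the entry leaves the table, connection fully open
        return self.entries.pop(src, None) is not None

def run(events):
    """events: (time, 'SYN' or 'ACK', (ip, port), legitimate) in time order."""
    table = HalfOpenTable()
    for now, kind, src, legit in events:
        table.on_syn(now, src, legit) if kind == "SYN" else table.on_ack(now, src)
    return table

def flood_scenario():
    """Constructed timeline: spoofed SYNs fill the table and are replaced as they expire."""
    spoofed = [(f"198.51.100.{i}", 40000 + i) for i in range(TABLE_SIZE)]
    client = ("192.0.2.10", 51000)
    events = [(0.0, "SYN", s, False) for s in spoofed]    # first fill, never ACKed
    events.append((5.0, "SYN", client, True))              # refused: table full
    events += [(30.5, "SYN", s, False) for s in spoofed]   # refill after timeout
    events.append((35.0, "SYN", client, True))             # refused again
    events.append((61.0, "SYN", client, True))             # attacker stopped: accepted
    events.append((61.1, "ACK", client, True))             # handshake completes
    return run(events)
```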

  5. Land
  • Attack tool exploits a vulnerability in certain TCP implementations
  • Attacker creates an invalid TCP SYN segment:
    • Spoofed source address is identical to the destination address
    • Source port is identical to the destination port
  • Causes some TCP implementations to freeze or crash
  • Fixed with software patches
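A filter or sensor can recognise the invalid segment described on this slide directly from the headers. The parser and the check below are an added example, not from the slides; the packets are constructed locally (checksums zeroed) purely as test input.

```python
import struct
from ipaddress import IPv4Address

SYN = 0x02

def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags) for a raw IPv4+TCP
    packet, or None if it is not a well-formed TCP-over-IPv4 packet."""
    if len(packet) < 20:
        return None
    ver_ihl, proto = packet[0], packet[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(packet) < ihl + 20:
        return None
    src_ip = str(IPv4Address(packet[12:16]))
    dst_ip = str(IPv4Address(packet[16:20]))
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F   # URG/ACK/PSH/RST/SYN/FIN bits only
    return src_ip, dst_ip, src_port, dst_port, flags

def is_land_segment(packet: bytes) -> bool:
    """Land signature: a SYN whose source address and port equal the destination's."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None:
        return False
    src_ip, dst_ip, sport, dport, flags = hdr
    return bool(flags & SYN) and src_ip == dst_ip and sport == dport

def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed minimal IPv4+TCP packet for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

LAND = build_packet("192.0.2.7", "192.0.2.7", 139, 139, SYN)          # matches
NORMAL = build_packet("198.51.100.4", "192.0.2.7", 40000, 139, SYN)   # does not
```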

  6. Tribe Flood Network (TFN)
  • Distributed denial of service attack tool
  • Newer versions have been developed (TFN2K, TFN3K, Stacheldraht)
  • Used in February, 2000 to attack several major e-commerce sites on the Web
  • Similar to trinoo:
    • Daemon programs: listen for and execute commands from a master
    • Master programs
      • Control a number of daemons
      • Communicate with an attacker and pass his/her commands on to daemons

  7. TFN (cont)
  • “Improvements” over trinoo:
    • Random protocol (TCP, UDP, or ICMP) for communication between master and daemons
    • Can send out “decoy” packets to random IP addresses to obscure the true target of the attack
    • Daemons spoof the source IP address in the attack packets they send
    • Daemons can attack multiple targets
    • Wider variety of attacks

  8. TFN (cont)
  • Daemon attack strategies:
    • UDP flood (like with trinoo)
    • TCP SYN flood
    • ICMP ping flood
    • ICMP directed broadcast flood (smurf)
    • All of the above

  9. Attacks Against Initial Sequence Numbers
  • Recall: the 3-way handshake allows two communicating parties to agree on Initial Sequence Numbers (ISNs)
  • What if the ISN can be guessed by a third party?

  10. Attacks Against ISNs (cont)
  • If the ISN of an existing or future TCP connection can be determined, an attacker may be able to:
    • Complete a 3-way handshake using a spoofed source IP address
    • Close an ongoing connection
    • Hijack an ongoing connection

  11. Scans and Probes
  • Attackers typically engage in a variety of reconnaissance activities before attacking:
    • To identify important/interesting hosts
    • To identify potential vulnerabilities that could be exploited
  • A port scanner is a program that tries to determine which ports have programs listening on them
  • Example:
    • Attempts to open a TCP connection to each port in order
    • If a connection is made, immediately close it and record the fact that the port is open
    • If the connection fails, the port is closed

  12. Port Scanning (cont)
  • Using fully-open connections to scan is likely to draw a lot of attention to the scan
  • Most hosts log:
    • Each attempt to connect to a closed port
    • Each time a newly-opened connection is closed with little or no data having been sent
  • Clandestine scanning methods:
    • SYN scan:
      • A SYN segment is sent to each port, and any port that responds with a SYN+ACK segment is open
      • Instead of completing the handshake, a RST (reset) segment is sent to close the connection before it is fully opened
    • Some hosts do not log half-opened connections
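Slides 11 and 12 describe exactly the signal a host-side detector can use: many flows from one source that open with SYN and never carry data, whether the port was closed, the probe was half-open (SYN then RST) or a full connect closed at once. The detector below is an added example, not from the slides; the packet-summary log format and its contents are constructed.

```python
import re
from collections import defaultdict

# Constructed inbound packet summary (time src > dst flags); not real capture data.
LOG = """\
0.100 198.51.100.9:40001 > 192.0.2.7:21 S
0.101 198.51.100.9:40001 > 192.0.2.7:21 R
0.102 198.51.100.9:40002 > 192.0.2.7:22 S
0.103 198.51.100.9:40002 > 192.0.2.7:22 R
0.104 198.51.100.9:40003 > 192.0.2.7:23 S
0.105 198.51.100.9:40004 > 192.0.2.7:25 S
0.106 198.51.100.9:40005 > 192.0.2.7:80 S
0.107 198.51.100.9:40005 > 192.0.2.7:80 R
5.000 192.0.2.55:51000 > 192.0.2.7:80 S
5.001 192.0.2.55:51000 > 192.0.2.7:80 A
5.002 192.0.2.55:51000 > 192.0.2.7:80 PA
9.000 192.0.2.55:51000 > 192.0.2.7:80 FA
"""
LINE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) ([SAFRPU]+)$")

def flows(log):
    """Group each source's packets by (src_ip, src_port, dst_port), flags in order."""
    table = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # skip lines that do not follow the summary format
        _t, src_ip, sport, _dst_ip, dport, flags = m.groups()
        table[(src_ip, int(sport), int(dport))].append(flags)
    return table

def is_probe(flag_seq):
    """A flow that opens with SYN and never pushes data: a SYN to a closed port,
    a half-open probe (SYN then RST), or a connect that closed with no data."""
    return flag_seq[0] == "S" and not any("P" in f for f in flag_seq)

def find_scanners(log, min_ports=5):
    """Sources whose data-less flows touched at least min_ports distinct ports."""
    probed = defaultdict(set)
    for (src_ip, _sport, dport), seq in flows(log).items():
        if is_probe(seq):
            probed[src_ip].add(dport)
    return {ip: sorted(ports) for ip, ports in probed.items() if len(ports) >= min_ports}
```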

  13. Closing a TCP Connection
  • Applications should close a connection when they have no more data to transmit
  • Connection can be closed in either one or both directions
    • Site 1 finishes transmitting data and waits for ACK from site 2
    • Site 1 transmits a segment with the FIN bit set
    • Site 2 acknowledges the FIN segment
    • Site 2 notifies the application that no more data is coming
    • Data can still be transmitted from site 2 to site 1
    • Site 1 will still receive and acknowledge data from site 2
    • Eventually, site 2 will finish transmitting and close its connection
    • Both endpoints delete record of the connection

  14. Closing a TCP Connection (cont)
  Diagram (Site 1 / Network / Site 2):
    Site 1: (app closes connection) Send FIN seq=x
    Site 2: Receive FIN; Send ACK x+1; (inform application)
    Site 1: Receive ACK
    Site 2: (app closes connection) Send FIN seq=y, ACK x+1
    Site 1: Receive FIN&ACK; Send ACK y+1
    Site 2: Receive ACK

  15. TCP Connection Reset
  • Applications normally close connections
  • Sometimes abnormal conditions arise that break a connection
  • Broken connections can be reset:
    • Site 1 sends a segment with the RST bit set
    • Site 2 receives the segment and aborts the connection
    • Transfers in both directions cease immediately
    • Resources for the connection are released
    • Application programs are informed

  16. Forcing Data Delivery
  • TCP divides the stream of octets into segments for transmission
  • This improves efficiency since octets can be buffered until a good-sized segment can be sent
  • TCP provides a push operation for applications that want to force delivery of octets
    • Set PSH bit
    • Send segment

  17. Reserved TCP Port Numbers
  • Like UDP:
    • Static port bindings for commonly used services
      • Ports 0-1024 are reserved
    • Dynamic port bindings
      • Port numbers over 1024
  • Port numbers for services accessible by both UDP and TCP usually match
    • ECHO (7)
    • TIME (37)

  18. Reserved TCP Port Numbers

  19. TCP Performance
  • Silly Window Syndrome
    • Sender generates data quickly
    • Receiver reads incoming data one octet at a time
  Diagram: Sender / Receiver

  20. TCP Performance (cont)
  • Silly Window Syndrome
    • Each ACK advertises a small amount of space
    • Each segment carries a small amount of data
  • Problems:
    • Poor use of network bandwidth
    • Unnecessary computational overhead

  21. TCP Performance (cont)
  • Avoiding Silly Window Syndrome
    • Use heuristics at sender to avoid transmitting a small amount of data in each segment
    • Use heuristics at receiver to avoid sending small window advertisements
  • Receive-side silly window avoidance
    • Monitor receive window size
    • Delay advertising an increase until a “significant” increase is possible
    • “Significant” = min(half the window, maximum segment size)

  22. Receive-Side Silly Window Avoidance Example
  Diagram:
    Receive 6 octets, send ACK 7 with window advertisement of 0
    Application reads one octet
    Application reads one octet
    Application reads one octet
    Send window advertisement of 3, receive 3 octets

  23. Receive-Side Silly Window Avoidance
  • Two approaches:
    • Receiver can ACK received octets but does not advertise an increase in its window until the increase is significant
    • Receiver can hold back ACKs when the window is not large enough to advertise
  • Advantages/disadvantages?
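The first of the two approaches, run on the trace from slide 22, as an added example rather than code from the slides. The buffer size of 6 octets and the MSS of 4 are assumed so that "significant" works out to min(3, 4) = 3, matching the slide.

```python
class SwsReceiver:
    """Receive-side silly window avoidance: ACK what arrives, but delay advertising
    a larger window until the free space is 'significant' = min(half buffer, MSS)."""

    def __init__(self, buffer_size=6, mss=4):
        self.buffer_size, self.mss = buffer_size, mss   # assumed sizes for the example
        self.buffered = 0               # octets received but not yet read by the app
        self.next_seq = 1               # next expected sequence number
        self.advertised = buffer_size   # window most recently advertised
        self.trace = []                 # human-readable log of what was sent

    def significant(self):
        return min(self.buffer_size // 2, self.mss)

    def free(self):
        return self.buffer_size - self.buffered

    def receive(self, n):
        """Accept n octets (sender stays within the advertised window) and ACK."""
        assert n <= self.advertised, "sender exceeded the advertised window"
        self.buffered += n
        self.next_seq += n
        self.advertised = self.free()   # a smaller window may always be advertised
        self.trace.append(f"receive {n} octets, send ACK {self.next_seq} window {self.advertised}")
        return self.next_seq, self.advertised

    def app_read(self, n=1):
        """Application consumes n octets; advertise only a significant increase."""
        self.buffered -= n
        self.trace.append(f"application reads {n} octet(s)")
        if self.free() - self.advertised >= self.significant():
            self.advertised = self.free()
            self.trace.append(f"send window advertisement of {self.advertised}")
            return self.advertised
        return None   # increase too small: stay silent rather than invite tiny segments

def slide_example():
    """The trace from the slide: 6 octets in, three one-octet reads, window 3."""
    r = SwsReceiver(buffer_size=6, mss=4)
    r.receive(6)                                   # buffer full: ACK 7, window 0
    adverts = [r.app_read() for _ in range(3)]     # [None, None, 3]
    r.receive(3)                                   # sender uses the new window
    return r.trace, adverts
```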

  24. Send-Side Silly Window Avoidance
  • Goal: avoid sending small segments
    • Application can generate data in small blocks
    • TCP must collect data sent by application into a single large segment (clump) for transmission
    • TCP must delay sending a segment until it contains a reasonable amount of data
  • How long should TCP wait before transmitting data?

  25. Send-Side Silly Window Avoidance (cont)
  • The Nagle Algorithm:
    • Application generates data to be sent over a connection that has already transmitted some data
    • If all previous transmissions have been acknowledged, send the data immediately
    • If any ACKs are still pending, do not transmit until:
      • Maximum segment size is reached, or
      • An ACK arrives
    • Self-clocking - does not compute delays
    • Applies even if the application requests a push
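The Nagle rule from this slide as a small send-side model, added here as an example and not taken from the slides. The MSS of 100 octets and the keystroke trace are assumptions; note that no timer is involved, only the ACK state and the MSS.

```python
class NagleSender:
    """Send side of one connection applying the Nagle algorithm. Self-clocking:
    decisions depend only on outstanding ACKs and the MSS, never on a timer."""

    def __init__(self, mss=100):       # MSS value assumed for the example
        self.mss = mss
        self.pending = 0   # octets the application wrote that are not yet sent
        self.unacked = 0   # octets on the wire awaiting acknowledgment
        self.sent = []     # sizes of segments transmitted, in order

    def _send(self, n):
        self.sent.append(n)
        self.pending -= n
        self.unacked += n

    def write(self, n, push=False):
        """Application hands TCP n octets; a push request changes nothing here."""
        self.pending += n
        while self.pending >= self.mss:     # a full segment may always go out
            self._send(self.mss)
        if self.pending and self.unacked == 0:
            self._send(self.pending)        # nothing in flight: send the rest at once

    def ack(self, n):
        """ACK covering n octets arrives; if nothing remains in flight, flush."""
        self.unacked -= n
        if self.unacked == 0 and self.pending:
            self._send(self.pending)

def interactive_session():
    """Constructed trace: keystrokes typed while an ACK is outstanding."""
    s = NagleSender(mss=100)
    s.write(1)                  # first keystroke leaves immediately
    for _ in range(9):
        s.write(1, push=True)   # nine more wait, push requests notwithstanding
    s.ack(1)                    # ACK returns: the nine buffered octets go as one segment
    s.write(250)                # two full segments leave; 50 octets wait for an ACK
    s.ack(209)                  # everything in flight acknowledged: the 50 are sent
    return s.sent, s.pending
```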

  26. TCP Summary
  • Provides reliable stream delivery service
    • Full duplex
    • Out-of-band for urgent data
  • Makes efficient use of the network
    • Piggybacking
    • Sliding windows
  • Efficiency
    • End-to-end flow control
    • Acknowledgment and retransmission
    • Congestion recovery/avoidance
