TCP/IP
TCP
The TCP and IP protocols perform different functions. I will begin by describing TCP.
TCP is what is called a connection-oriented protocol. It provides stable, reliable, stream-oriented
connections and guarantees delivery of the data to the application layer. TCP corresponds to the
transport layer of the OSI model (layer 4). It achieves this reliability by using sequence numbers to
keep track of which data has and has not yet been delivered; using these sequence numbers, missing
packets can be re-requested.
Sequence Number:
A unique number assigned to the packet.
Acknowledgement Number:
Contains the sequence number for the next expected packet on the receiving computer.
Data Offset:
This indicates the number of 32-bit words in the TCP header, and so identifies where the data starts.
Reserved:
This field has been reserved for future use. It should always be set to 0.
Flags:
This field contains control markers such as SYN, ACK, PSH, RST, URG and FIN. These flags are
used in connection establishment, termination and control.
Window:
Indicates the size of the receiving buffer (or window) for incoming data.
Checksum:
Used for verifying the integrity of transmitted data.
Urgent pointer:
Marks the start of urgent data.
Options:
Includes numerous options (see further reading).
Data:
The information payload.
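As an added example that is not part of the original article, here is a Python parser for the TCP header described above. It decodes the fields listed (plus the source and destination port fields that precede the sequence number), walks the option list, and verifies the checksum over the pseudo-header that the checksum field actually covers. The sample SYN segment, the build_syn helper and the RFC 5737 documentation addresses are all constructed for this example.

```python
import struct

# Control bits in the low byte of the data-offset/reserved/flags word (RFC 793 order).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_PROTO_TCP = 6

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_options(raw: bytes) -> list:
    """Walk the TCP option list into (kind, data) pairs; kind 0 ends it, kind 1 is padding."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        opts.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts

def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header fields described in the text (plus the two port fields)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4     # header length: 32-bit words * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset points outside the segment")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "reserved": (off_flags >> 6) & 0x3F,  # RFC 793 reserved bits (later RFCs put ECN bits here)
        "flags": [name for name, bit in TCP_FLAGS.items() if off_flags & bit],
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": parse_options(segment[20:data_offset]),
        "data": segment[data_offset:],
    }

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """The TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) plus the
    whole segment; summing all of it including the stored checksum gives 0 when intact."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return ones_complement_checksum(pseudo + segment) == 0

def build_syn(src_ip, dst_ip, sport, dport, seq, options=b"", window=65535) -> bytes:
    """Constructed SYN segment with a correct checksum, used only to feed the parser."""
    options += b"\x00" * (-len(options) % 4)           # options are padded to a 32-bit boundary
    words = 5 + len(options) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (words << 12) | TCP_FLAGS["SYN"],
                      window, 0, 0) + options
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", ones_complement_checksum(pseudo + hdr)) + hdr[18:]

# Constructed sample: a SYN to port 80 carrying an MSS option of 1460 (RFC 5737 addresses).
SRC_IP, DST_IP = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
SYN = build_syn(SRC_IP, DST_IP, 40000, 80, 0x1234ABCD, options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    print(parse_tcp(SYN))
    print("checksum ok:", tcp_checksum_ok(SRC_IP, DST_IP, SYN))
```

Flipping any byte of SYN makes tcp_checksum_ok return False, which is the integrity check the Checksum field provides; note that it protects only against accidental corruption, not against a deliberate change that recomputes the checksum.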
IP
IP is a connectionless protocol. Unlike TCP, IP does not establish a connection between the two hosts.
IP finds the correct host on the internet based on the destination IP address carried in the IP packet;
routers and other networking equipment then help the packet reach its destination. IP operates at
the network layer of the OSI model, which is why TCP and IP work together: on the internet, IP is
used to carry the data, but the actual delivery is done by TCP (or another transport layer protocol).
The IP header contains the 32-bit source and destination addresses that identify the sending and
receiving computers. Routers use the IP header to route packets to their destination. IP spoofing is
when the source (return) address in the IP header is forged.
IP packets may also be split into smaller parts. This is called fragmentation, and it allows large
packets to travel across the network. The Maximum Transmission Unit (MTU) defines the maximum
packet size a given network can handle. The IP layer reassembles the fragments at the receiving
end. Under the right circumstances, IP fragmentation can be used to defeat firewalls.
TCP/IP handshaking
As mentioned above, the TCP packet Flags section contains control information that is used in the
establishment and termination of connections. When two computers establish a connection, this is
known as handshaking. The connection between the two computers remains open until a finish (FIN)
signal is sent. The resources used by the connection are eventually returned to the computer, but
without a finish signal they are needlessly tied up in the meantime. If enough connections are opened
and not closed, the host will eventually stop responding. This is the basis of some DoS attacks.
When a host receives a TCP packet, it checks the Flags section for control information. The first
packet in a connection must contain a SYN (synchronize) flag. The host then sets its sequence number
to a random value. These numbers are important, as they allow the receiving host to determine whether
any packets are missing. Once the sequence number is set, an acknowledgement (ACK) is sent back to
the client, along with a SYN that carries the host's sequence number so that the two sides synchronize
their sequence numbers. Finally, upon receipt of the SYN and ACK from the remote host, the client
sends an ACK back, and the connection is established. This is a rather simple version of events, but it
serves to illustrate what is going on.
When the session is over and the client has finished requesting data, the client sends a FIN (finish)
command to the server. The server receives this and sends its own FIN back along with an ACK. The
client then sends one final ACK and the connection is terminated.
A TCP SYN attack is an abuse of the TCP/IP handshake. By spoofing the source address of the
packets, an attacker can flood the victim with SYN requests. The victim then responds to the fake
source address, adds each request to the connection queue and waits for a response that never comes.
This can also result in a DoS, as the target's resources become overwhelmed, and it is very difficult
to trace the source of the attack. There is no perfect defence for this. Possible ways to help mitigate
the problem include increasing the connection queue and decreasing the timeout, but like I said, not
perfect.
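The handshake, the teardown and the half-open queue exhaustion described above, as an added example that is not part of the original article: a simplified server-side state machine in Python (a model for illustration, not an RFC 793 implementation). Half-open connections sit in a bounded queue and are discarded after a timeout, which are exactly the two mitigations mentioned. The Listener class, the peers and the timestamps are constructed; one point the model makes explicit is that each side picks its own random initial sequence number (ISN), and the third packet is accepted only if it acknowledges the server's ISN plus one.

```python
import random

class Listener:
    """Simplified server side of the TCP handshake and teardown (a model for illustration,
    not an RFC 793 implementation). Half-open connections wait in a bounded queue and are
    discarded after a timeout: the two knobs the text names as mitigations."""

    def __init__(self, backlog=128, syn_timeout=30.0):
        self.backlog = backlog            # size of the half-open "connection queue"
        self.syn_timeout = syn_timeout    # seconds a SYN_RECEIVED entry may wait for its ACK
        self.half_open = {}               # peer -> {"our_isn", "peer_isn", "created"}
        self.established = {}             # peer -> {"our_isn", "peer_isn", "state"}
        self.dropped_syns = 0             # SYNs refused because the queue was full

    def expire(self, now):
        """Discard half-open entries whose third-packet ACK never arrived in time."""
        stale = [p for p, c in self.half_open.items() if now - c["created"] > self.syn_timeout]
        for p in stale:
            del self.half_open[p]
        return len(stale)

    def receive(self, peer, flags, seq, ack, now):
        """Handle one segment from peer; return (flags, seq, ack) to send back, or None."""
        flags = frozenset(flags)
        self.expire(now)
        if flags == {"SYN"}:                                  # packet 1: carries the client's ISN
            if peer in self.half_open:                        # retransmitted SYN: resend SYN-ACK
                c = self.half_open[peer]
                return (("SYN", "ACK"), c["our_isn"], c["peer_isn"] + 1)
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1
                return None
            our_isn = random.getrandbits(32)                  # server picks its own random ISN
            self.half_open[peer] = {"our_isn": our_isn, "peer_isn": seq, "created": now}
            return (("SYN", "ACK"), our_isn, seq + 1)         # packet 2: SYN-ACK
        if flags == {"ACK"} and peer in self.half_open:       # packet 3: must ACK our ISN + 1
            c = self.half_open.pop(peer)
            if ack != (c["our_isn"] + 1) & 0xFFFFFFFF:
                return (("RST",), ack, 0)
            self.established[peer] = {"our_isn": c["our_isn"], "peer_isn": c["peer_isn"],
                                      "state": "ESTABLISHED"}
            return None
        if "FIN" in flags and peer in self.established:       # client closes: reply FIN+ACK
            self.established[peer]["state"] = "LAST_ACK"
            return (("FIN", "ACK"), self.established[peer]["our_isn"] + 1, seq + 1)
        if flags == {"ACK"} and self.established.get(peer, {}).get("state") == "LAST_ACK":
            del self.established[peer]                        # final ACK: connection closed
            return None
        return None                                           # data transfer is not modelled

def normal_handshake(srv, peer, now=0.0):
    """A client that completes SYN, SYN-ACK, ACK; True if the server shows it ESTABLISHED."""
    client_isn = random.getrandbits(32)
    _, srv_isn, _ = srv.receive(peer, ("SYN",), client_isn, 0, now)
    srv.receive(peer, ("ACK",), client_isn + 1, (srv_isn + 1) & 0xFFFFFFFF, now + 0.1)
    return peer in srv.established

def close_connection(srv, peer, now):
    """Client FIN, server FIN+ACK, client final ACK; True once the server has forgotten the peer."""
    reply = srv.receive(peer, ("FIN", "ACK"), 100, 0, now)
    srv.receive(peer, ("ACK",), 101, (reply[1] + 1) & 0xFFFFFFFF, now + 0.1)
    return peer not in srv.established

def syn_burst(srv, count, now=0.0):
    """count SYNs from distinct (constructed) peers that never send packet 3; returns
    (half-open entries held, SYNs dropped because the queue was full)."""
    for i in range(count):
        srv.receive(("203.0.113.%d" % (i % 254 + 1), 1024 + i), ("SYN",), i, 0, now)
    return len(srv.half_open), srv.dropped_syns

if __name__ == "__main__":
    srv = Listener(backlog=128, syn_timeout=30.0)
    print(normal_handshake(srv, ("192.0.2.10", 40000)))
    print(syn_burst(srv, 200, now=1.0))        # (128, 72): queue full, later SYNs dropped
    print(srv.expire(now=40.0))                # 128: stale half-open entries freed by the timeout
```

Running it shows the trade-off the text names: a larger backlog absorbs a bigger burst, and a shorter timeout frees stale entries sooner, but neither stops a sustained stream of unanswered SYNs from filling the queue. Modern stacks add SYN cookies, which encode the server's state in its ISN and so avoid storing anything for a half-open connection at all.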
There is also something known as covert channels. It is possible to change the various fields in TCP
and IP headers and, by doing so, transmit hidden data. TCP and IP packets both contain header fields
that are undefined or optional, and these can be used to create packets that do not seem anomalous,
thus bypassing firewall or IDS systems. During the handshake the sending host auto-generates a
random initial sequence number; if data is injected into this field, it is very difficult to detect. Having
said that, a good application-layer firewall or proxy that terminates the original TCP session and opens
its own to the destination could detect (or simply strip) such a channel, because the original
sequence number never reaches the far side.
As discussed above, fragmentation is a normal event, but it can also be cleverly exploited. For
example, when a firewall receives a fragmented packet it checks the IP header, but only the first
fragment carries the transport (TCP) header. Thus not all firewalls will screen the remaining
fragments, allowing them to be manipulated at will. Screening each fragment costs resources that the
firewall often does not have available. There is also the old “Ping of Death”, whereby an IP packet
larger than 65535 bytes (the maximum allowed packet size) is created, fragmented into lots of small
parts and sent. When the receiving host reconstructs the packet, its massive size can crash the host.
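Fragmentation and reassembly as discussed in the IP section, together with the two fragment-based problems described just above (the transport header living only in the first fragment, and the oversized “Ping of Death” datagram), as an added example that is not code from the original article. It contains a Python IPv4 header parser, a sender-side fragmenter used only to build sample input, a receiver-side reassembler that refuses a datagram as soon as any fragment would push it past 65535 bytes or overlap data already held, and an RFC 1858-style check for a first fragment too short to carry a TCP header. All addresses, identifiers and payloads are constructed; the IP header checksum is left at zero and is not verified here.

```python
import struct

IP_PROTO_TCP = 6
MAX_DATAGRAM = 65535   # the 16-bit Total Length field cannot describe anything larger

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (any options are skipped via the IHL field)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("bad version, IHL or total length")
    return {
        "id": ident, "ttl": ttl, "proto": proto,
        "DF": bool(flags_off & 0x4000),            # Don't Fragment
        "MF": bool(flags_off & 0x2000),            # More Fragments follow
        "frag_offset": (flags_off & 0x1FFF) * 8,   # stored in 8-byte units
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }

class Reassembler:
    """Per-datagram fragment buffer keyed by (src, dst, id, proto). Drops a datagram as soon
    as a fragment would exceed 65535 bytes or overlap data already held (duplicates included)."""

    def __init__(self):
        self.buffers = {}   # key -> {"frags": {offset: bytes}, "total": int or None}

    def add(self, packet: bytes):
        """Store one fragment; return the complete payload, or None while still waiting."""
        h = parse_ipv4(packet)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        off, data = h["frag_offset"], h["payload"]
        end = off + len(data)
        if end > MAX_DATAGRAM:                          # the "Ping of Death" condition
            self.buffers.pop(key, None)
            raise ValueError("fragment ends at byte %d > %d: oversize datagram dropped" % (end, MAX_DATAGRAM))
        buf = self.buffers.setdefault(key, {"frags": {}, "total": None})
        for o, d in buf["frags"].items():
            if off < o + len(d) and o < end:
                self.buffers.pop(key)
                raise ValueError("overlapping fragments dropped")
        buf["frags"][off] = data
        if not h["MF"]:                                 # the last fragment fixes the total length
            buf["total"] = end
        if buf["total"] is None:
            return None
        out, pos = bytearray(), 0
        for o in sorted(buf["frags"]):
            if o != pos:                                # hole: keep waiting for the missing piece
                return None
            out += buf["frags"][o]
            pos = o + len(buf["frags"][o])
        if pos != buf["total"]:
            return None
        del self.buffers[key]
        return bytes(out)

def build_ipv4(src, dst, ident, proto, payload, offset=0, more=False):
    """Constructed IPv4 packet with a 20-byte header (checksum left as 0, TTL 64)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + payload

def fragment(src, dst, ident, proto, payload, mtu=1500):
    """Sender-side split: each fragment but the last carries (mtu - 20) bytes rounded down to 8."""
    step = (mtu - 20) // 8 * 8
    return [build_ipv4(src, dst, ident, proto, payload[o:o + step], o, more=o + step < len(payload))
            for o in range(0, len(payload), step)]

def tiny_first_fragment(h: dict) -> bool:
    """RFC 1858-style screen: a first TCP fragment too short to hold the 20-byte TCP header
    leaves the ports and flags in a later fragment that a header-only filter never sees."""
    return h["frag_offset"] == 0 and h["MF"] and h["proto"] == IP_PROTO_TCP and len(h["payload"]) < 20

def feed(packets):
    """Run packets through a fresh Reassembler; return the datagram, the drop reason, or None."""
    r = Reassembler()
    try:
        for p in packets:
            done = r.add(p)
            if done is not None:
                return done
    except ValueError as e:
        return str(e)
    return None

# Constructed samples (RFC 5737 documentation addresses).
SRC, DST = "192.0.2.1", "198.51.100.7"
NORMAL = fragment(SRC, DST, 1, IP_PROTO_TCP, b"A" * 3000)     # three fragments of one datagram
OVERSIZE = fragment(SRC, DST, 2, 1, b"B" * 65600)              # proto 1 (ICMP); reassembles past 65535
TINY = build_ipv4(SRC, DST, 3, IP_PROTO_TCP, b"\x00" * 8, 0, more=True)

if __name__ == "__main__":
    print(len(feed(NORMAL)), feed(reversed(NORMAL)) == b"A" * 3000)
    print(feed(OVERSIZE))
    print(tiny_first_fragment(parse_ipv4(TINY)))
```

The oversize check rejects the datagram on the fragment that would overrun the limit rather than after all fragments have arrived, so no buffer of more than 65535 bytes is ever allocated; the overlap rule is deliberately strict (a retransmitted identical fragment is also refused), which is a simple but safe choice for a model like this.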