Introduction to TCP Protocol
• Transmission Control Protocol (TCP) is a core protocol of the
Internet Protocol Suite. It operates at Layer 4 of the OSI Model
(Transport Layer) and carries application protocols such as HTTP, FTP,
and SMTP.
• Key Features:
• Connection-oriented protocol (ensures reliable, ordered, and error-checked
delivery of data).
• Implements flow control and congestion control.
• Core RFCs for TCP
– RFC 793: Transmission Control Protocol (September 1981) defines the
original TCP specification. It describes basic concepts, header structure,
connection establishment (three-way handshake), data transfer, and
termination. It is the foundational document for understanding TCP.
– RFC 1122: Requirements for Internet Hosts - Communication Layers
(October 1989) updates and clarifies some aspects of TCP behavior. It
covers topics like retransmission, handling of segment loss, delayed
acknowledgments, and window management.
– RFC 9293: Transmission Control Protocol (August 2022) consolidates
RFC 793, its errata and the later updates into one current specification;
cite it when you need the normative text today.
TCP Segment Format (RFC 793 layout; numbers are bit offsets)
 0      4         10        16                              31
+--------------------------------+--------------------------------+
|          SOURCE PORT           |        DESTINATION PORT        |
+--------------------------------+--------------------------------+
|                         SEQUENCE NUMBER                         |
+-----------------------------------------------------------------+
|                      ACKNOWLEDGMENT NUMBER                      |
+------+----------+--------------+--------------------------------+
| HLEN | RESERVED |  CODE BITS   |             WINDOW             |
+------+----------+--------------+--------------------------------+
|            CHECKSUM            |         URGENT POINTER         |
+--------------------------------+--------------------------------+
|                OPTIONS (IF ANY)                 |    PADDING    |
+-------------------------------------------------+---------------+
|                            DATA ...                             |
+-----------------------------------------------------------------+
HLEN (data offset) is the header length in 32-bit words (5 = 20 bytes with
no options), so the 4-bit field caps the header at 60 bytes. RESERVED was
6 bits in RFC 793; RFC 3168 later assigned two of them to the ECN flags CWR
and ECE. CODE BITS are the six flags URG, ACK, PSH, RST, SYN and FIN.
Options are zero-padded to a 32-bit boundary; the most common option is
MSS, carried in the SYN. The checksum covers the header, the data and an
IP pseudo-header (source and destination address, protocol, TCP length).
TCP Segment Header Fields (code bits)
Flag | Purpose                           | Real-world example
-----|-----------------------------------|-----------------------------------------------------------
SYN  | Initiate a connection             | Used during the 3-way handshake to establish a TCP connection.
ACK  | Acknowledge data reception        | Sent to confirm the successful receipt of data segments.
FIN  | Gracefully terminate a connection | Signals that a side has no more data and wants to close the connection.
URG  | Urgent data                       | Sending Ctrl+C in Telnet to interrupt a running process.
PSH  | Immediate data delivery           | Chat messages, HTTP requests, or real-time streaming data.
RST  | Reset connection                  | Port scanning (reply to a SYN on a closed port), firewall blocking, or an application crash.
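The header layout and flag table above can be exercised directly. The following is an added example, not code from the original page: it builds a constructed SYN segment from hypothetical values (10.0.0.5:40000 to 10.0.0.80:443, ISN 1000, an MSS option), then parses it back field by field, decodes the named flags, and verifies the checksum over the IPv4 pseudo-header exactly as a receiving stack would. Corrupting one byte shows the checksum check failing, and a data offset that points past the end of the segment is rejected rather than read.

```python
"""Parse a raw TCP segment laid out as in RFC 793 and verify its checksum.

This is an added example, not code from the original page. The segment
bytes are built inline from constructed, hypothetical values (addresses,
ports, sequence numbers, a single MSS option).
"""
import struct

# Bits of the flags byte. RFC 793 defined the low six ("code bits");
# RFC 3168 later assigned two of the reserved bits to ECE and CWR.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
HDR = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length) covered by the checksum."""
    def ip2b(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    return ip2b(src_ip) + ip2b(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", options=b"") -> bytes:
    """Assemble a segment (constructed test input) with a correct checksum."""
    if len(options) % 4:                       # options are padded to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = 5 + len(options) // 4        # header length in 32-bit words
    flag_val = 0
    for name in flags:
        flag_val |= FLAG_BITS[name]
    hdr = struct.pack(HDR, sport, dport, seq, ack, data_offset << 4, flag_val, window, 0, 0)
    seg = hdr + options + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def parse_segment(src_ip: str, dst_ip: str, seg: bytes) -> dict:
    """Decode the fixed header, named flags, options and payload; check the checksum."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flag_val, window, csum, urg = struct.unpack(HDR, seg[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(seg):           # data offset must stay inside the segment
        raise ValueError(f"bad data offset: header length {hlen}, segment {len(seg)}")
    flags = [name for name, bit in FLAG_BITS.items() if flag_val & bit]
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]  # checksum field is zero while computing
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + zeroed) == csum
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": flags, "window": window, "urgent": urg,
            "options": seg[20:hlen], "payload": seg[hlen:], "checksum_ok": ok}


# Constructed SYN from 10.0.0.5:40000 to 10.0.0.80:443 carrying MSS=1460 (kind 2, len 4).
SAMPLE = build_segment("10.0.0.5", "10.0.0.80", 40000, 443, 1000, 0, ["SYN"], 65535,
                       options=b"\x02\x04\x05\xb4")


def demo() -> dict:
    return parse_segment("10.0.0.5", "10.0.0.80", SAMPLE)


if __name__ == "__main__":
    print(demo())
```

The data-offset bound check is the one that matters for a parser facing hostile input: an HLEN that claims more header than the segment carries is the classic way to make a naive dissector read past its buffer.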
TCP Port Number
• Port numbers are 16-bit integers (0 - 65,535)
• Internet Assigned Numbers Authority (IANA) maintains the registry of
port number assignments (RFC 6335)
– Well-known (system) ports (0-1023): controlled and assigned by IANA;
binding to them normally requires elevated privileges on Unix-like hosts
– Registered (user) ports (1024-49151): assigned for specific services or
applications upon request, but not as strictly regulated as well-known
ports (the range ends just below 49152, which is ¾ of 65536)
– Dynamic (ephemeral/private) ports (49152-65535): chosen by the client
side of a connection; many operating systems use a different ephemeral
range in practice (Linux defaults to 32768-60999)
• Well-Known Ports (0-1023)
– Port 20, 21: FTP (File Transfer Protocol)
– Port 22: SSH (Secure Shell)
– Port 23: Telnet
– Port 25, 587: SMTP (Simple Mail Transfer Protocol; 587 is the
authenticated mail submission port)
– Port 53: DNS (Domain Name System; TCP alongside UDP)
– Port 80: HTTP (Hypertext Transfer Protocol)
– Port 110: POP3 (Post Office Protocol v3)
– Port 143: IMAP (Internet Message Access
Protocol)
– Port 443: HTTPS (HTTP Secure)
• Registered Ports (1024-49151)
– Port 1433: Microsoft SQL Server
– Port 3306: MySQL Database
– Port 3389: Microsoft Remote Desktop
Protocol (RDP)
– Port 8080: Alternate HTTP or Proxy Servers
Socket Addressing
• Process-to-process delivery needs two
identifiers
– IP address and Port number
– Combination of IP address and port number is
called a socket address (a socket is a
communication endpoint)
– Client socket address uniquely identifies client
process
– Server socket address uniquely identifies server
process
• Transport-layer protocol needs a pair of
socket addresses
– Client socket address
– Server socket address
The 3-Way Handshake Establishes Reliable Communication
• The 3-way handshake in TCP
(Transmission Control Protocol) is a
process used to establish a reliable
connection between a client and a server.
This process ensures that both sides agree
to communicate, synchronize their
sequence numbers, and confirm that the
other side is ready to establish a
connection.
Why Are There 3 Messages?
• First Message (SYN): The client informs the server it wants to establish
a connection and synchronizes its sequence number.
• Second Message (SYN-ACK): The server acknowledges the client's request
and sends its own sequence number.
• Third Message (ACK): The client confirms it has received the server's
response, and both sides are ready to communicate.
• Sequence Number tracks what is sent
• Acknowledgment Number tracks what is received
  Sender                   Receiver
  SEQ 101  ------------>
           <------------  ACK 102
  SEQ 102  ------------>
           <------------  ACK 103
  SEQ 103  ------------>
           <------------  ACK 104
Sequence/Acknowledgment Numbers are measures of bytes: the ACK carries the
next byte the receiver expects (last received SEQ + bytes received)
  SEQ 1001 [200 Bytes] ------------>
                       <------------  ACK 1201
  SEQ 1201 [200 Bytes] ------------>
                       <------------  ACK 1401
  SEQ 1401 [200 Bytes] ------------>
                       <------------  ACK 1601
• TCP keeps a copy of every segment sent until it is acknowledged; if no
ACK arrives within the Retransmission Timeout (RTO), the segment is resent
with the same sequence number
  SEQ 1001 [200 Bytes] ------------>
                       <------------  ACK 1201
  SEQ 1201 [200 Bytes] ------------>
                       <-----X------  ACK 1401 (lost)
        ... RTO expires ...
  SEQ 1201 [200 Bytes] ------------>  (retransmission)
                       <------------  ACK 1401
• Early TCP sent an ACK for every received segment
• Delayed ACK (RFC 1122): a receiver may hold the ACK for at most 500 ms,
or until a second full-size segment arrives, and then ACK both at once
• ACKs are cumulative: ACK 1401 acknowledges every byte up to 1400
  SEQ 1001 [200 Bytes] ------------>
  SEQ 1201 [200 Bytes] ------------>
                       <------------  ACK 1401
  SEQ 1401 [100 Bytes] ------------>
  SEQ 1501 [100 Bytes] ------------>
                       <------------  ACK 1601
  SEQ 1601 [200 Bytes] ------------>
        ... 500 ms delayed-ACK timer ...
                       <------------  ACK 1801
• The Window Size is sent in every segment
• The Window Size limits how much unacknowledged data may be in flight
("bytes in flight" never exceeds the advertised window)
  Window Size 500:
  SEQ 1001 [200 Bytes] ------------>
  SEQ 1201 [200 Bytes] ------------>
  SEQ 1401 [100 Bytes] ------------>  (500 bytes in flight, sender must wait)
                       <------------  ACK 1501
  SEQ 1501 [200 Bytes] ------------>
  SEQ 1701 [200 Bytes] ------------>
  SEQ 1901 [100 Bytes] ------------>
                       <------------  ACK 2001
• The Window Size can be updated dynamically during the connection (Flow
Control); a zero window tells the sender to stop until a window update arrives
  Window Size 500:
  SEQ 1001 [200 Bytes] ------------>
  SEQ 1201 [200 Bytes] ------------>
  SEQ 1401 [100 Bytes] ------------>
                       <------------  ACK 1501 [WIN Size = 0]    (receiver buffer full)
                       <------------  ACK 1501 [WIN Size = 600]  (window update)
  SEQ 1501 [200 Bytes] ------------>
  SEQ 1701 [200 Bytes] ------------>
  SEQ 1901 [200 Bytes] ------------>
                       <------------  ACK 2101 [WIN Size = 500]
Closing TCP Connection: 4-way handshake (graceful)
  FIN-ACK  SEQ=1601 ACK=3601 [0 bytes] ------------>
           <------------  SEQ=3601 ACK=1602 [0 bytes]  ACK
           <------------  SEQ=3601 ACK=1602 [0 bytes]  FIN-ACK
  ACK      SEQ=1602 ACK=3602 [0 bytes] ------------>
  (a FIN consumes one sequence number, so the FIN sent at SEQ 1601 is
  acknowledged with ACK 1602)
Closing TCP Connection: ungraceful (reset)
  RST      SEQ=1601 ACK=3601 [0 bytes] ------------>
  OR
           <------------  SEQ=3601 ACK=1601 [0 bytes]  RST
Example of a Bidirectional Exchange
• TCP is bidirectional
• Both sides have Sequence numbers to track bytes sent
• Both sides have Ack numbers to track bytes received
3-way handshake
  SYN      SEQ=1000 ACK=0    [0 bytes] ------------>
           <------------  SEQ=3000 ACK=1001 [0 bytes]  SYN-ACK
  ACK      SEQ=1001 ACK=3001 [0 bytes] ------------>
Data transfer (only data bytes, SYN and FIN consume sequence numbers; a
pure ACK does not)
  SEQ=1001 ACK=3001 [200 Bytes] ------------>
           <------------  SEQ=3001 ACK=1201 [300 Bytes]
           <------------  SEQ=3301 ACK=1201 [300 Bytes]
  SEQ=1201 ACK=3601 [200 Bytes] ------------>
  SEQ=1401 ACK=3601 [200 Bytes] ------------>
           <------------  SEQ=3601 ACK=1601 [0 Bytes]   (pure ACK)
  SEQ=1601 ACK=3601 [200 Bytes] ------------>  (still ACK 3601: the empty ACK used no sequence number)
           <------------  SEQ=3601 ACK=1801 [100 Bytes]
Closing TCP Connection: 4-way handshake (graceful)
  FIN-ACK  SEQ=1801 ACK=3701 [0 bytes] ------------>
           <------------  SEQ=3701 ACK=1802 [0 bytes]  ACK
           <------------  SEQ=3701 ACK=1802 [0 bytes]  FIN-ACK
  ACK      SEQ=1802 ACK=3702 [0 bytes] ------------>
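The sequence and acknowledgment arithmetic from the handshake through the graceful close can be checked mechanically. The code below is an added example, not from the original page: it models both endpoints with the two counters a real stack keeps (SND.NXT and RCV.NXT), replays the bidirectional exchange above using the page's ISNs 1000 and 3000, and provides validate_trace() to find the first segment of an observed exchange whose SEQ or ACK disagrees with the rule that only data bytes, SYN and FIN consume sequence space. Endpoint names and the in-order delivery assumption are simplifications for illustration.

```python
"""Track SEQ/ACK numbers for both sides of a TCP connection.

Added example, not code from the original page. ISNs 1000 and 3000 are the
page's values; in-order delivery with no loss is assumed so that each
segment can be checked against a single expected sequence number.
"""
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "FIN", "RST", "ACK")


@dataclass
class Endpoint:
    name: str
    snd_nxt: int          # next sequence number this side will send (SND.NXT)
    rcv_nxt: int = 0      # next sequence number expected from the peer (RCV.NXT)


def _flags(flags) -> set:
    return set(flags.split("-")) if isinstance(flags, str) else set(flags)


def send(src: Endpoint, dst: Endpoint, flags, payload_len: int = 0) -> tuple:
    """Emit one segment from src, deliver it in order to dst, return the trace row."""
    flags = _flags(flags)
    seq = src.snd_nxt
    ack = src.rcv_nxt if "ACK" in flags else 0
    consumed = payload_len + ("SYN" in flags) + ("FIN" in flags)   # a pure ACK consumes nothing
    if "SYN" in flags:
        dst.rcv_nxt = seq + consumed                  # SYN synchronises the receiver's RCV.NXT
    elif seq != dst.rcv_nxt:                          # this model only delivers in order
        raise ValueError(f"{dst.name} expected seq {dst.rcv_nxt}, got {seq}")
    else:
        dst.rcv_nxt += consumed
    src.snd_nxt += consumed
    label = "-".join(f for f in FLAG_ORDER if f in flags)
    return (src.name, label, seq, ack, payload_len)


def replay() -> list:
    """The page's exchange: handshake, data both ways, graceful 4-way close."""
    c, s = Endpoint("client", 1000), Endpoint("server", 3000)
    steps = [
        (c, s, "SYN", 0), (s, c, "SYN-ACK", 0), (c, s, "ACK", 0),      # 3-way handshake
        (c, s, "ACK", 200), (s, c, "ACK", 300), (s, c, "ACK", 300),
        (c, s, "ACK", 200), (c, s, "ACK", 200),
        (s, c, "ACK", 0),                                               # pure ACK, no seq consumed
        (c, s, "ACK", 200), (s, c, "ACK", 100),
        (c, s, "FIN-ACK", 0), (s, c, "ACK", 0), (s, c, "FIN-ACK", 0), (c, s, "ACK", 0),
    ]
    return [send(src, dst, flags, n) for src, dst, flags, n in steps]


def validate_trace(observed, isn_client=1000, isn_server=3000) -> int:
    """Index of the first row whose SEQ or ACK disagrees with the model, or -1 if consistent."""
    eps = {"client": Endpoint("client", isn_client), "server": Endpoint("server", isn_server)}
    for i, (who, flags, seq, ack, n) in enumerate(observed):
        src = eps[who]
        dst = eps["server" if who == "client" else "client"]
        if seq != src.snd_nxt or ("ACK" in _flags(flags) and ack != src.rcv_nxt):
            return i
        send(src, dst, flags, n)
    return -1


if __name__ == "__main__":
    for row in replay():
        print("%-6s %-8s SEQ=%d ACK=%d [%d bytes]" % row)
```

Feeding validate_trace() a row that acknowledges one byte more than was ever sent (for example ACK 3602 right after the server's empty ACK) returns that row's index, which is the quickest way to sanity-check hand-drawn sequence diagrams or a suspicious segment pulled from a capture.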
Techniques used for TCP port scanning
• TCP port scanning is a common and powerful way to discover open ports and
services on a target system.
1. Basic TCP Port Scan
– The TCP Connect scan (-sT) is what Nmap uses when it cannot send raw
packets (no root/administrator privileges); with raw-socket privileges
Nmap defaults to the SYN scan instead.
– Command: nmap -p 80,443 -sT <target>
• Establishes a full TCP connection (three-way handshake) through the
operating system's connect() call.
• Detects open ports reliably but is slower and more noticeable: the
service sees a completed connection and will usually log it.
• The -p option specifies the ports to scan
– Without -p, Nmap scans its top 1000 most common ports
– -p- scans all ports (1-65535)
– -p 80,443,110 scans specific ports
– -p 1-100 scans ports from 1 to 100
[Figures: Wireshark captures of a TCP Connect scan against (1) an open
port, (2) a filtered port, (3) a closed port]
2. TCP SYN Scan (Stealth Scan)
– The SYN scan (-sS) is faster and quieter than a TCP connect scan
because it never completes the three-way handshake.
– Command: nmap -sS <target>
• Sends a SYN to each probed port.
• If the port is open, the target responds with SYN-ACK.
• Nmap answers with a RST so the connection is torn down before the
operating system (or the application) ever sees it as established.
• Requires root/administrator privileges, because it builds raw packets.
– It is called a stealth scan because
• Many services log only completed connections; the half-open probe
never reaches the application, so it leaves no application-level log.
• Historically, firewalls and IDS/IPS were less likely to flag lone SYN
packets than full connection attempts. That is no longer a safe
assumption: any modern IDS with a port-scan preprocessor counts SYNs per
source, and a SYN scan is still visible in firewall and flow logs.
Wireshark TCP SYN Scan (Stealth Scan) RESULT
Port State | Response from target                           | How Nmap Marks It
-----------|------------------------------------------------|------------------
Open       | SYN-ACK                                        | open
Closed     | RST (RST-ACK)                                  | closed
Filtered   | No response, or ICMP "Destination unreachable" | filtered
TCP Attacks and
• TCP attacks exploit weaknesses in the Transmission Control Protocol (TCP)
to disrupt or take over network communications. Here are some common
types of TCP attacks:
1. SYN Flood Attack: overwhelms a server by sending numerous SYN requests
(often from spoofed sources) without completing the handshake, so the
listener's backlog of half-open connections fills up and legitimate SYNs
are dropped, causing a denial of service.
2. TCP Reset Attack: interrupts an established connection by sending a
forged TCP reset segment. The attacker must spoof the 4-tuple and supply
a sequence number the receiver will accept, which is why off-path
attackers have to guess and on-path attackers, who can read the sequence
numbers, succeed easily.
3. TCP Session Hijacking: takes over an active session by injecting
segments with the expected sequence numbers into the communication
stream, typically from an on-path (man-in-the-middle) position.
How to Avoid TCP Attacks
1. SYN Flood Attack:
1. Use SYN Cookies: the server encodes the connection state in its initial
sequence number and allocates no resources until the handshake is
completed by an ACK that carries a valid cookie.
2. Firewall Rules: configure firewalls to limit the rate of incoming SYN
packets per source or per service.
3. Intrusion Detection Systems (IDS): deploy IDS to detect SYN flood
attempts and trigger mitigation (rate limiting, blocking, upstream scrubbing).
2. TCP Reset Attack:
1. Encryption: TLS/SSL protects the data, not the TCP connection itself;
a forged RST is processed by the TCP stack before TLS ever sees it, so an
on-path attacker can still tear the connection down. To authenticate the
segments themselves use TCP-AO (RFC 5925) or IPsec.
2. Sequence Number Randomization: unpredictable initial sequence numbers
(RFC 6528) stop off-path attackers guessing a valid RST sequence number;
RFC 5961 goes further by accepting a RST only when its sequence number is
exactly the next expected one and answering other in-window RSTs with a
challenge ACK.
3. TCP Session Hijacking:
1. Encryption: encrypt sessions (TLS, SSH) so an attacker who injects
segments cannot read or forge meaningful application data; injected bytes
fail the integrity check and the session terminates instead of being taken over.
2. Strong Authentication: multi-factor authentication protects the login,
not an already established session; pair it with session binding (TLS,
short-lived tokens) so a hijacked transport cannot be reused.
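The SYN-cookie mitigation above is easiest to understand by building one. The code below is an added example, not from the original page: it implements a simplified version of the classic Bernstein/Linux cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash) so the server can answer a SYN with a SYN-ACK whose ISN carries all the state it needs, store nothing, and later reconstruct the connection from the client's ACK. The secret key, counter period, addresses and ports are hypothetical; a real kernel rotates the secret and recovers more options (window scale, SACK) via the timestamp option.

```python
"""SYN cookies: encode the server's state in its initial sequence number.

Added example, not code from the original page. Simplified layout:
bits 31-27 time counter (mod 32), bits 26-24 MSS table index,
bits 23-0 keyed hash over the 4-tuple and the counter. Secret, tick
period, hosts and ports are hypothetical values.
"""
import hashlib
import hmac
import struct

SECRET = b"hypothetical-per-boot-secret"     # assumption: a real server rotates this
TICK = 64                                     # seconds per counter increment
MSS_TABLE = (536, 1220, 1440, 1460)           # encodable MSS values (index fits in 3 bits)


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _mac(src, sport, dst, dport, t) -> int:
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", _ip(src), sport, _ip(dst), dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now) -> int:
    """Server's ISN for the SYN-ACK; nothing about this SYN is stored."""
    t = (now // TICK) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):         # largest table entry not above the client's MSS
        if m <= mss:
            idx = i
    return ((t << 27) | (idx << 24) | _mac(src, sport, dst, dport, t)) & 0xFFFFFFFF


def check_cookie(src, sport, dst, dport, ack, now, max_age=1):
    """Validate the client's final ACK; return the agreed MSS, or None to drop it."""
    isn = (ack - 1) & 0xFFFFFFFF               # the client acknowledges our ISN + 1
    t, idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    age = (((now // TICK) & 0x1F) - t) & 0x1F  # counter wraps modulo 32
    if age > max_age or idx >= len(MSS_TABLE):
        return None                            # stale cookie or impossible MSS index
    if not hmac.compare_digest(mac.to_bytes(3, "big"),
                               _mac(src, sport, dst, dport, t).to_bytes(3, "big")):
        return None                            # forged or replayed from another 4-tuple
    return MSS_TABLE[idx]


def handshake_demo(now=1_700_000_000):
    """Client SYN -> server replies with cookie ISN -> client ACK -> server validates."""
    client, server = ("203.0.113.7", 51515), ("198.51.100.10", 443)
    isn = make_cookie(*client, *server, mss=1460, now=now)   # no state allocated here
    client_ack = (isn + 1) & 0xFFFFFFFF
    return check_cookie(*client, *server, client_ack, now + 5)


if __name__ == "__main__":
    print("negotiated MSS:", handshake_demo())
```

Two properties are worth noting when judging this defence: the cookie is only 24 bits of MAC, so an attacker who can spoof the client's address and brute-force ACKs has a 2^-24 chance per guess within the validity window, and any TCP options not encoded in the ISN are lost, which is why most stacks enable cookies only once the SYN backlog is actually under pressure.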
Generating TCP Attacks
1. SYN Flood Attack:
sudo hping3 -S -p 80 --flood <target_ip>
(-S sets the SYN flag; --flood sends as fast as possible without waiting
for replies)
2. TCP Reset Attack:
sudo hping3 -R -p 80 <target_ip>
(-R sets the RST flag; because hping3 does not know the victim's sequence
numbers, these RSTs are dropped by any stack implementing RFC 5961 and only
demonstrate what a forged reset looks like on the wire)
3. TCP Session Hijacking:
sudo ettercap -T -q -i <interface> -M arp:remote /<target_ip>/ /<gateway_ip>/
(ARP poisoning puts the attacker on-path between target and gateway, which
is the position needed to read sequence numbers and inject segments)
Analyzing TCP Attacks
1. SYN Flood Attack:
• Numerous SYN packets that are never completed with an ACK, usually from
many (spoofed) sources to one port.
• Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
2. TCP Reset Attack:
• Unexpected RST packets in the middle of a session.
• Filter: tcp.flags.reset == 1
3. TCP Session Hijacking:
• Packets with unexpected sequence numbers or data; Wireshark's TCP
analysis marks these for you.
• Filter: tcp.analysis.flags (or more specifically tcp.analysis.out_of_order
and tcp.analysis.retransmission); tcp.seq on its own is a field, not a filter
Analyzing Results with Wireshark
To analyze the results of these scans, you can capture the network traffic using Wireshark.
Here is how you might filter and interpret the results:
• SYN Scan: many SYN packets from one source to many ports, each answered
(if at all) by a SYN-ACK or RST and never followed by the client's ACK.
• Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
• TCP Connect Scan: completed three-way handshakes (SYN, SYN-ACK, then the
scanner's ACK) followed by RST or FIN. The SYN-ACK filter below shows the
target's replies for both scan types, so look for the third packet to tell
them apart.
• Filter: tcp.flags.syn == 1 and tcp.flags.ack == 1
• FIN Scan: bare FIN packets with no preceding handshake.
• Filter: tcp.flags.fin == 1
• Xmas Scan: packets with FIN, PSH, and URG flags set.
• Filter: tcp.flags.fin == 1 and tcp.flags.psh == 1 and tcp.flags.urg == 1
• Null Scan: packets with no flags set.
• Filter: tcp.flags == 0x000
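The filters in the last two sections only select packets; the judgement (which port is open, whether a RST is forged, whether a burst of SYNs is a flood) still has to be applied to the matching packets. The code below is an added example, not from the original page, covering the SYN-scan result table, the "Analyzing TCP Attacks" signals and the scan filters above in one pass: it classifies each probed port the way Nmap does, distinguishes a SYN scan from a connect scan by the presence of the scanner's third-packet ACK, counts bare SYNs per target in a sliding window, and flags RSTs and data segments whose sequence number is not the next expected one for their direction. The capture is constructed inline with hypothetical hosts (10.0.0.x, 198.51.100.x); in practice the rows would come from tshark output.

```python
"""Offline triage of a TCP capture: scan results per port, SYN-flood rate,
spoofed RSTs and injected (out-of-sequence) data.

Added example, not from the page. The trace is constructed inline with
hypothetical hosts; field names mirror the Wireshark fields used above.
"""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int
    length: int


def P(ts, src, sport, dst, dport, flags="", seq=0, ack=0, length=0) -> Pkt:
    return Pkt(ts, src, sport, dst, dport,
               frozenset(flags.split("-")) if flags else frozenset(), seq, ack, length)


# Equivalents of the page's display filters
def syn_only(p):  return p.flags == {"SYN"}               # tcp.flags.syn == 1 and tcp.flags.ack == 0
def null_scan(p): return not p.flags                       # tcp.flags == 0x000
def xmas_scan(p): return {"FIN", "PSH", "URG"} <= p.flags  # fin && psh && urg


def classify_scan(pkts, scanner):
    """Port state from the target's replies to the scanner's SYN probes (Nmap's rule)."""
    state, scan_type = {}, "syn"
    for p in pkts:
        if p.src == scanner and syn_only(p):
            state.setdefault(p.dport, "filtered")           # stays filtered if nothing answers
        elif p.dst == scanner and p.sport in state:
            if {"SYN", "ACK"} <= p.flags:
                state[p.sport] = "open"
            elif "RST" in p.flags and state[p.sport] == "filtered":
                state[p.sport] = "closed"
        elif p.src == scanner and p.flags == {"ACK"} and state.get(p.dport) == "open":
            scan_type = "connect"                           # third handshake packet: -sT, not -sS
    return state, scan_type


def syn_flood_targets(pkts, window=1.0, threshold=50):
    """(dst, dport) pairs that receive more than `threshold` bare SYNs within any `window` seconds."""
    per_target = defaultdict(list)
    for p in pkts:
        if syn_only(p):
            per_target[(p.dst, p.dport)].append(p.ts)
    hits = {}
    for key, times in per_target.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                hits[key] = max(hits.get(key, 0), hi - lo + 1)
    return hits


def sequence_anomalies(pkts):
    """Per direction, track the next expected SEQ; a RST or data segment off that value
    is a spoofing/injection candidate (an RFC 5961 receiver answers such a RST with a challenge ACK)."""
    expect, found = {}, []
    for i, p in enumerate(pkts):
        key = (p.src, p.sport, p.dst, p.dport)
        consumed = p.length + ("SYN" in p.flags) + ("FIN" in p.flags)
        if key not in expect:
            if "SYN" in p.flags:
                expect[key] = p.seq + consumed
            continue                                        # no handshake seen for this direction
        if p.seq != expect[key]:
            found.append((i, "spoofed-rst" if "RST" in p.flags else "out-of-sequence"))
            continue                                        # an anomaly must not move the pointer
        expect[key] += consumed
    return found


def sample_capture():
    """Constructed trace: a SYN scan, a normal flow with a spoofed RST and an
    injected segment, then a 60-packet SYN flood against port 80."""
    T, SCN, CLI = "10.0.0.80", "10.0.0.9", "10.0.0.5"
    pkts = [
        P(0.00, SCN, 40001, T, 22, "SYN", 100), P(0.01, T, 22, SCN, 40001, "SYN-ACK", 500, 101),
        P(0.01, SCN, 40001, T, 22, "RST", 101),                       # scanner tears down: -sS
        P(0.02, SCN, 40002, T, 23, "SYN", 100), P(0.02, T, 23, SCN, 40002, "RST-ACK", 0, 101),
        P(0.03, SCN, 40003, T, 25, "SYN", 100),                       # no reply: filtered
        P(1.00, CLI, 50000, T, 443, "SYN", 1000), P(1.00, T, 443, CLI, 50000, "SYN-ACK", 3000, 1001),
        P(1.00, CLI, 50000, T, 443, "ACK", 1001, 3001),
        P(1.10, CLI, 50000, T, 443, "PSH-ACK", 1001, 3001, 200), P(1.10, T, 443, CLI, 50000, "ACK", 3001, 1201),
        P(1.50, CLI, 50000, T, 443, "RST", 777777),                   # spoofed: SEQ far from 1201
        P(1.60, CLI, 50000, T, 443, "PSH-ACK", 1201, 3001, 100),
        P(1.70, T, 443, CLI, 50000, "PSH-ACK", 9999, 1301, 50),       # injected: this side expects 3001
    ]
    pkts += [P(2.0 + i * 0.005, f"198.51.100.{i % 250 + 1}", 30000 + i, T, 80, "SYN", 1)
             for i in range(60)]
    return pkts


def analyze(pkts, scanner):
    state, scan_type = classify_scan(pkts, scanner)
    return {"scan": state, "scan_type": scan_type,
            "syn_flood": syn_flood_targets(pkts), "anomalies": sequence_anomalies(pkts)}


if __name__ == "__main__":
    print(analyze(sample_capture(), "10.0.0.9"))
```

The SYN-per-target threshold and window are tuning knobs, not constants: a busy web front end legitimately sees hundreds of SYNs per second, so in production the rate is compared against the share that never progress to an ACK rather than against an absolute count.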