TCP (Transmission Control Protocol)
When we get to the Transport layer, we first encounter TCP. TCP is a guaranteed delivery protocol, while IP is a best-effort protocol, meaning that every attempt is made to send messages from one system to another.
Perhaps this isn’t as stunning as it seems. TCP, by itself, cannot guarantee delivery in the event of a catastrophic network breakdown.
Instead, it implies that the protocol has mechanisms in place to keep track of all messages transmitted, and if anything doesn’t reach to the other end and is recognised, messages are reissued.
TCP’s protocol data unit is known as a segment.
So far, we’ve looked at layers with different types of addressing. It’s the same with the Transport layer. At the Transport layer, we start to be worried with getting messages to the application, where prior addresses are tied to the systems to guarantee messages move from one system to another.
Ports are used by transport layer protocols to address applications. They also provide multiplexing services. We wouldn’t be able to have different programmes listening on the same machine without ports. We have a lot of room for discussions with other systems thanks to ports.
We’ll look at the TCP headers in the same way that we looked at the IP headers. TCP is specified in RFC 793, which was published in 1981, indicating that it has been around for quite some time. The headers have remained intact during this period, and as the headers allow the protocol’s operation, the functionality has remained unchanged as well.
Below are the fields in a TCP packet –
Source Port
Port of Origin On the transmitting side, the source port is the port from which the traffic originated. Because talks are not one-way, this is critical. A port to transmit back to is required for the receiver to react.
The source and destination ports are inverted when messages are replied to. The source port has a length of 16 bits.
Destination Port
The application’s target port is the one that is linked with it. There is a client side and a server side to every interaction. An application is bound to a listening port on the server side.
As the destination port, the client transmits to this port. The destination port is the ephemeral port given to the application talking with the server if the server is transmitting from the server to the client.
The destination port is 16 bits long, much like the source port.
Sequences Number
The sequence number is one of the factors that goes into ensuring delivery. When the dialogue begins, this is a 32-bit integer that is set to a random value.
The amount of bytes transferred is multiplied by this value. The sender uses the sequence number to indicate the receiver where this message belongs in the discussion.
As you can see in the example, the sequence number is 0. This is because the packet capture programme displays a 0 before presenting relative sequence numbers, which are simpler to understand.
Acknowledgement Number
The sequence number is on the other side of the dialogue from the acknowledgement number. The acknowledgement number is set by the receiver, whereas the sequence number is set by the sender.
The next byte number that the receiver expects to receive is set as the acknowledgement number. In reality, this implies that the byte count is increased by one before being transmitted.
This informs the sender where the receiver is in the communication stream, allowing the sender to determine if anything was lost in transit.
Data offset
The data offset is a four-bit variable that indicates how many 32-bit words there are in the TCP header. It tells the system where to seek for information. Because the TCP header may be variable in length, this is required. This field isn’t visible in the diagram, although it’s a TCP header.
Reserved
The TCP header contains 6 bits that are reserved for future usage.
Control Bits
The message’s disposition is indicated by the use of six flag bits. The synchronise flag (SYN) indicates that the sequence number has been established and should be logged.
The acknowledgement number’s ACK flag is the same. The URG flag indicates that the urgent pointer contains important information. The PSH option indicates that rather than being buffered, the data should be pushed up.
When the RST flag is set, the connection is reset, which might happen if an error message is received. The FIN flag indicates that the discussion is over and no further data needs to be sent.
Window
The number in the window field indicates how many bytes the sender is prepared to accept to the receiver. This enables for communication to be sped up or slowed down.
A lower window size necessitates more acknowledgements, which might indicate that the communication channel isn’t trustworthy. A greater window size indicates that the channel is more trustworthy, therefore there is less of a need to check in often. The window field has a bit depth of 16 bits.
Checksum
This is a 16-bit field that ensures the transmission has not been tampered with. This is a value computed using 1’s complement over the headers and content.
Urgent Pointer
The next byte value following the urgent data is indicated by the 16-bit urgent pointer. This corresponds to the values of the sequence number. The urgent pointer basically communicates that the data from the current sequence number to the value in the urgent pointer is urgent data.
Options
These are header fields with varying lengths. On 32-bit words, the header must align. Padding bits are required to complete the rest of the header if the choices leave the header length short of that alignment.
How TCP ensure a reliable service?
TCP employs a number of methods to guarantee that the service is dependable. TCP is connection-oriented, for starters. A so-called three-way handshake is used to create connections.
Because both parties are expected to reply, the handshake assures that all sides of the dialogue remain live and engaged. The SYN message is the first of three messages in the three-way handshake.
The beginning sequence number, which is a random value, is set, as well as the SYN flag. An acknowledgement message is sent in response to the SYN message.
The ACK flag is set, and the beginning sequence number is increased by one, signifying that the first message has been received. The SYN flag and sequence number are also set in the same section.
Maintain in mind that this is a two-way dialogue, so both parties must keep track of where they are in it. Each side maintains track of their own sequence number and the other side’s acknowledgement number. The last message in the handshake has just the ACK flag set, and the acknowledgement field increases the SYN/ACK message’s sequence number.
We may be certain that the message was received by the intended party and that both parties are who they claim to be since both sides are required to react to messages using information given by the other.
If one or both parties were trying to spoof a discussion, they would not receive the messages and, as a consequence, would not reply appropriately.
The sequence number is the next technique that ensures dependability. Because the sequence number keeps track of the amount of bytes transferred, the acknowledgement number informs the sender whether any data was lost during transmission. If it has, the sender is aware that it must be resent.
Each person in the chat knows where they are and where their conversation partner is. TCP retransmits as many times as necessary, up to a predetermined limit.
The sequence and acknowledgement numbers also guarantee that the messages arrive in the right order to the receiver. The sequence numbers indicate whether messages should be stored for a lost message if they come out of order.
This is also part of assured delivery, which ensures that messages not only reach on time, but also in the right sequence. All of this, though, comes at a cost. TCP’s assured delivery paradigm isn’t required for every application.
UDP
The UDP protocol provides an alternative means of transport that does not have the same overhead as TCP. It’s a considerably more lightweight protocol with no assurance of delivery.
Messages transmitted via UDP are simply sent over the wire in the hopes that they will reach their intended recipient since the network protocol, IP, will handle everything.
Because of the smaller weight, there is less overhead associated with things like establishing connections and ensuring that messages reach their intended destination. In terms of the protocol, it also doesn’t matter in which sequence messages are received. If the application is interested in such information, it may handle the administration on its own.
Major difference between TCP vs UDP
RFC 768 is the RFC for UDP. The complete RFC is little over two pages long, demonstrating how straightforward the protocol is. There are four fields in the header. They’re all 16 bits in length.
The source and destination ports, unsurprisingly, account for half of them. It’s worth noting that the source port is regarded as an optional field.
The reason for this is because since there is no connection, the server may never respond. It is fully dependent on the programme in use, which is not TCP.
TCP requires a source port since it always receives a response, even if it’s merely to finish the three-way handshake.
RFC 768, somewhat surprisingly, does not specify a response to a closed UDP port. Closed ports aren’t addressed at all. The RFC for the Internet Control Message Protocol is the only source where answers to closed ports are discussed (ICMP).
Even then, there is just a port inaccessible code. There is no indication of where protocol applies. As a result, using UDP ports is completely unreliable.
It’s possible that you didn’t get a response because of a lost or dropped packet. It’s possible that the message was disregarded by the programme. It’s possible that no answer was necessary. Any of them are valid reasons for not receiving a response to a UDP port message.
What are the advantages of UDP?
For applications that demand quick setup and transmission, UDP is an excellent choice. Streaming video and music, for example, perform nicely with UDP. They aren’t compatible with TCP.
One important reason for this is because with UDP, it is up to the application to do any necessary message reordering. With streaming video, if a datagram (the PDU for UDP) arrives out of order, the programme will simply reject it.
The same is true for audio streaming. Consider what it would be like to communicate with someone over the Internet. You greeted the person on the other end of the line. In actuality, the word would most likely be sent as a single message, but let’s pretend that each letter sound was sent separately.
What would it sound like if you got messages with the letters x, p, r, p, f. Our brains are great at putting together missing info and creating something that seems whole, but it’s possible that your brain wouldn’t be able to understand the word as it sounded.
Even if your brain could comprehend it, it would sound strange and ruin your whole experience. Of course, the same is true for video. It would seem highly jumpy if late arrivals were added into the video stream you were viewing.
Why UDP communications may arrive out of sequence?
After all, we now have very stable Internet service. Messages that are out of sequence might occur for a variety of reasons. Let’s imagine you’re using UDP to convey a stream of data to someone.
Your data is being sent down the route A B C D, which is your goal. Let’s imagine C goes down just as your message is going to reach it. The network corrects itself and takes a different path around C, maybe A E F D.
However, the failure happened while at least one of your messages was in flight, and you have no way of knowing whether or whether the message was simply dropped due to the fault. Even if there isn’t a failure and messages aren’t lost, it’s possible that one message travels one path and a subsequent message takes a quicker one.
It’s possible that the second communication will come before the first. Messages might arrive out of sequence for a variety of reasons, or even go missing entirely.
There are several things that happen on the network that users are unaware of. As a result, TCP is used by the majority of applications. The majority of applications depend on messages being delivered in the proper sequence. UDP is used by real-time protocols since they are less concerned about exact order.
ICMP
ICMP stands for Internet Control Message Protocol. When it comes to protocols, the ICMP is unique in that it does not contain any user data. Instead, it communicates error and control messages via other protocols.
When something unexpected occurs on the network, devices will send ICMP messages back to the originating device to inform them of the situation. It sits on top of IP since it requires IP addressing, but it is still regarded part of the Internet layer. This also makes it a unique protocol in that it lies above the Internet layer yet is not a Transport layer protocol.
RFC 792 defines ICMP, which specifies an 8-byte header. The type and code fields, which communicate the crucial information for ICMP, are followed by a checksum field and four bytes labelled “remain of header.”
The checksum is two bytes long, while the type and code are each one byte long. The remainder of the header field is used to store information about the type and code. What gets into those four bytes is determined on the type and code.
What is message type in ICMP?
The message type identifies the sort of communication being sent. It may include values that pertain to messages such as echo reply, echo request, destination unreachable, source quench, or timestamp.
There are several subtypes for each kind. The code field specifies the distinct subtypes. The destination unreachable type, for example, includes codes that specify what the destination is.
It’s possible that this is a network, a host, or a port. It might mean they’re inaccessible, or it could mean the message that produced the ICMP message was officially forbidden.
Through the usage of ICMP echo request and echo reply messages, anybody undertaking security or penetration testing will most likely come across ICMP messages. The ping software makes use of them.
The traceroute tool may also be used to get the network route to a location. Two ICMP packets are used by the traceroute application. The first is ICMP type 11, which indicates that time in transit has been surpassed.
The TTL field of the message was decremented to zero as a result of this. The software anticipates receiving an ICMP type 3 destination unreachable message, most likely with the number 3 signifying destination port inaccessible, after the traceroute is complete.
ICMP port number
Because the ICMP packet was meant to send network-layer information between hosts and routers rather than between application layer processes, it lacks source and destination port numbers.
ICMP may send an error message to the source if a certain host is unreachable. Consider the ping command.
Unlike TCP and UDP, ICMP does not employ ports, instead relying on types and codes.
ICMP packets do not have a port number associated with them.
How Ping works
The Ping software functions similarly to a sonar echo-location system. It transmits a short data packet containing an ICMP ECHO REQUEST to a specific computer, which responds with an ECHO REPLY packet.
By convention, the IP address 127.0.0.1 is used to identify your own machine. As a result, pinging that IP will constantly ping you, and the latency should be minimal.
What is a ICMP ping flood attack
Ping flood, also known as ICMP flood, is a typical DoS technique in which an attacker overwhelms a victim’s computer with ICMP echo requests, also known as pings, to bring it down.
The attack involves sending a large number of request packets to the victim’s network, knowing that the network would react with an equivalent amount of reply packets. Using specialised tools or scripts, such as hping and scapy, to bring down a target with ICMP queries is another option.
This puts a burden on the network’s incoming and outgoing channels, using a substantial amount of bandwidth and resulting in a denial of service.
why is it that an icmp packet does not have source and destination port numbers?
Because the ICMP packet was meant to send network-layer information between hosts and routers rather than between application layer processes, it lacks source and destination port numbers. A “Type” and a “Code” are assigned to each ICMP packet. The Type/Code combination indicates the particular message that has been received.
how does reverse tcp work?
Instead of the attacker starting the connection, which will be denied by the firewall, the device will begin the connection to the attacker, which will be accepted by the firewall, and the attacker will then gain control of the device and pass instructions. It’s a reverse shell of some kind.
Summary
TCP is a guaranteed delivery protocol, while IP is a best-effort protocol. This means that every attempt is made to send messages from one system to another. We’ll look at the TCP headers in the same way that we looked at the IP headers.
The sequence number is one of the factors that goes into ensuring delivery. The acknowledgement number is on the other side of the dialogue from the sequence number.
This informs the sender where the receiver is in the communication stream, allowing the sender to determine if anything was lost in transit. TCP employs a number of methods to guarantee that the service is dependable.
A so-called three-way handshake is used to create connections. Because both parties are expected to reply, the handshake assures that all sides of the dialogue remain live and engaged. The urgent pointer basically communicates that the data from the current sequence number to the value in the urgent pointer is urgent data.
Sequence and acknowledgement numbers ensure that messages arrive on time and in the right sequence. TCP retransmits as many times as necessary, up to a predetermined limit.
The UDP protocol provides an alternative means of transport that does not have the same overhead. It’s a considerably more lightweight protocol with no assurance of delivery. UDP is an excellent choice for applications that demand quick setup and transmission.
With UDP, it is up to the application to do any necessary message reordering. For example, if a datagram (PDU for UDP) arrives out of order, the programme will reject it.
ICMP stands for Internet Control Message Protocol. It does not contain any user data. Instead, it communicates error and control messages via other protocols.
This makes it a unique protocol in that it lies above the Internet layer yet is not a Transport layer protocol. Messages might arrive out of sequence for a variety of reasons. ICMP packets are used to communicate network-layer information between hosts and routers.
Ping software makes use of ICMP messages to get the network route to a location. The traceroute application anticipates receiving an ICMP type 3 destination unreachable message, most likely with the number 3 signifying destination port inaccessible.
An ICMP echo attack is a common form of denial of service (DoS) attack. It involves flooding the victim’s network with request packets, knowing that the network will respond with equal number of reply packets.
Additional methods for bringing down a target with ICMP requests include the use of custom tools such as hping and scapy.