UDP & TCP

Where would we be without them!

UDP

User Datagram Protocol

UDP (1 of 5)

How does it work? Connectionless Provides only checksum Provides delivery to port number No detection of lost packets

UDP (2 of 5)

Why use it? Designed for apps that do not need to

put sequences of packets together. Speed

No acknowledgments are required Multicast applications? Definitely!

UDP (3 of 5)

Source Port (2 Bytes) UDP port used by the sender Defines that application that is sending the packet May be all zeros (very rare)

Destination Port (2 Bytes) Defines the destination application to receive the

packet

Destination Port Number

Data

Source Port Number

ChecksumHeader Length

0 16 32

UDP (4 of 5)

Header Length (2 Bytes) Defines the length of the packet from the UDP

header to the end of UDP data Checksum (2 Bytes)

Different from other headers Performed on contents of UDP header, less the

checksum field itself, the data and a pseudo-header derived from the IP header.

Pseudo-header is derived from the IP Source address, destination address, protocol, and UDP length fields.

UDP (5 of 5)

Data (variable length) Contains the payload of the packet E.g. DHCP

Client Server Software

Source Port=1024Destination Port=53

Source Port=53Destination Port=1024

Source Port=53Destination Port=1024

Source Port=1024Destination Port=53

TCP

Transmission Control Protocol

TCP Header

Destination Port Number

Sequence Number

Acknowledgement Number

HL

Options (if any)

Data

20 Bytes

Source Port Number

ReservedFIN

RST

PSH

SYN

ACK

URG

Window Size

Urgent PointerTCP Checksum

0 16 32

Source & Destination Ports – 16 bits Specify source and destination applications for

encapsulated data Assigned ports are numbered from 0 – 1023

Example: TFTP is port 69, Doom is 666 Any private application uses port numbers

above 1023 Sequence Numbers – 32 bits

Identifies where encapsulated data fits in data stream from sender

Example: if sequence # of segment is 1234 and segment contains 512 bytes of data, next segment should have sequence # of 1747 (1234 + 512)

Acknowledgement Number – 32 bits Identifies sequence number source

expects to receive from destination I.e: if last segment sent had sequence

number of 101, expects to see 613 (101 + 512) here

Header Length – 4 bits Length of TCP header in 32-bit words

Reserved – 6 bits For future use (?) – set to all 0’s.

Flags – 6 bits Used for data flow and connection control

Urgent (URG), Acknowledgement (ACK), Push (PSH), Reset (RST), Synchronize (SYN), Final (FIN)

Window Size – 16 bits Used for flow control Specifies number of bytes that can be sent

without waiting for acknowledgement Can be used for OS fingerprinting

Checksum – 16 bits Covers both header and encapsulated data,

providing error detection Urgent Pointer – 16 bits

Used only when flag set to URG indicating end of urgent data

Options and Padding – 32 bits (optional) Only really used for setting Maximum Segment

Size informing receiver of max. size segment source is willing to accept

Padding is used to fill in 0’s to make sure header length is multiple of 32 bits

TCP

TCP Flags A, ACK- (Acknowledge) The receiver will send an ACK that equals

the senders sequence number plus the Len, or amount of data, at the TCP layer.

SYN, and FIN flags count as 1 byte. The ACK can also be thought of as the sequence number of the next octet the receiver expects to receive.

S, SYN- Synchronize is used during session setup to agree on initial sequence numbers. Sequence numbers are random.

F, FIN- Finish is used during a graceful session close to show that the sender has no more data to send.

R, RST- Reset is an instantaneous abort in both directions (abnormal session disconnection).

P, PSH- Push forces data delivery without waiting for buffers to fill. This is used for interactive traffic. The data will also be delivered to the application on the receiving end with out buffering.

U, URG- Urgent- Data is sent out of band.

TCP

What is it? Designed to address several issues not

addressed by IP. Packets arriving out of sequence Packets not arriving at all Recipient not acknowledging receipt Excessive traffic flow

Packets arrive too fast for recipient to process

Packets too large for recipient

TCP

What is it? (cont.) Addresses these issues

Ensures packets reach their destination Retransmitting lost packets Tracks packet sequence numbers for

reassembly in right order Manages traffic flow via a windowing

process

TCP

How does it work? Ensures reliable communication

between sender and recipient Establishes this via a Three-Way-

Handshake process Via the TWH, negotiates a “socket” The socket remains open for duration of

communication

TCP

Sockets are paired into sender and receiver sockets IP address of sender Port number of sender IP address of receiver Port number of receiver

Allows multiple connections between two systems by changing the above combinations

TCP

W orkstation W ebServer

SEQ= 200Flag= SYN , SPort= 1027, DPort= 80

SEQ= 1450, ACK= 201Flag= SYN + ACK, SPort= 80, DPort= 1027

SEQ= 201, ACK= 1451Flag= ACK, SPort= 1027, DPort= 80

3 Way Handshake

TCP

Reliability TCP uses Sequencing to ensure that a

datagram hasn’t gotten lost If the receiver determines something is wrong,

it will notify the sender to resend the missing packet(s)

The acknowledgement field assists by informing the sender what the next sequence number is expected to be

It is always one greater than the most recently received data byte.

TCP

Sequencing example Sequence number of last packet

100 Data offset (in Bytes)

256 Therefore

100 + 256 + 1 = 357 Next expected sequence number

357

TCP

W orkstation W ebServer

SEQ= 1000

SEQ= 2000

ACK= 4000

SEQ= 3000

TCP Sequencing with no errors

TCP

W orkstation W ebServer

SEQ= 1000

SEQ= 2000

ACK= 2000

SEQ= 3000

SEQ= 2000

ACK= 4000

TCP Sequencing with errors

TCP Flow Control

Flow control Sliding window

Amount of data sent to a host before expecting to get an ack.

Negotiated by the two systems during the 3-way handshake.

Primary reason is for congestion control. Window size can be reduced to alleviate

congestion

TCP Windowing

W orkstation W ebServer

SEQ= 1000

SEQ= 2000

ACK= 4000, W indow = 4000

SEQ= 3000

SEQ= 4000

SEQ= 5000

ACK= 1000, W indow -3000

SEQ= 6000

SEQ= 7000

TCP End Communication

W orkstation W ebServer

Flag= ACK & FI N , SEQ= 1000

Flag= ACK & FI N , ACK= 1001SEQ= 2550

Flag= ACK, ACK= 1001

Flag= ACK, ACK= 2551

TCP Vulnerabilities

3-Way handshake Server will wait for a while after

sending the SYN/ACK. Server will send another SYN/ACK Repeated 5-6 times. Each time, server waits twice as long to

give client a better chance to connect. If server tries 6 times and starts with a

3 second delay, total wait time could be 189 seconds!

TCP Vulnerabilities

Denial of service SYN Flood

Attacking system sends SYN packets to server with invalid return address.

Server will try sending a SYN/ACK to the non-existent address.

End result is that the socket the attacker sent the SYN to is blocked temporarily.

1000’s of SYNs are sent, blocking all available sockets on the server.

TCP Vulnerabilities

Denial of service (cont.) SYN Flood

Many attempts have been made to stop this attack.

E.g. Sending RST to suspicious SYN packets

Failed to stop attack due to volume of SYN packets.