Securing Protocol Layers

Lesson 5: Transport layer (TCP/UDP)
Objective: Identify the Transport Layer (TCP/UDP) and its weaknesses

Identify the Transport Layer and its weaknesses

The transport layer controls the flow of information between hosts. Two protocols exist at the transport layer, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). These two protocols use ports for directing information, which are key to implementing Internet security measures.

TCP/IP Transport Layer

TCP/IP Protocol Layers
  1. Application Layer
  2. (TCP/UDP) Transport Layer
  3. (IP) Internet Layer
  4. (ARP) Network Layer

Transmission control protocol (TCP)

TCP is a connection-oriented protocol using a "handshaking" process and an information exchange to complete a connection upon which traffic passes. TCP is the protocol used by most Internet services, including HTTP (the World Wide Web), FTP, and SMTP (email).

TCP handshake

The TCP handshake is a common area of attack. What happens in the TCP handshake process when a connection is established and when it is attacked is shown in the following series of images.

1) In a SYN flood attack a series of SYN requests are made using a spoofed IP address. The requesting host or client sends a message with a SYN flag and a unique sequence ID to establish a connection with the remote host.

2) The remote host or server responds with a SYN flag and the client's sequence ID.

3) To complete the connection, a reply is sent in the form of an ACK flag from the requesting host and confirmed by the remote host.

4) The remote host responds to the requests and waits for the reply.

5) In a SYN flood attack, repeated SYN requests congest the remote host until the flooding stops. Controlling the memory allocated to pending connection requests helps prevent SYN flood attacks.


SYN Flood Attack
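As an added example (not part of the lesson), the following Python models the handshake steps above from the server's side: it decodes the ports and SYN/ACK flags of constructed TCP headers, keeps a bounded table of half-open connections, and shows how unanswered SYNs fill that table until further SYNs are dropped, which is the memory allocation limit step 5 refers to. The header builder, the port numbers, addresses and the server_isn value are all constructed for the demonstration.

```python
import struct

# TCP header (RFC 793, 20 bytes, no options): src port, dst port, seq, ack,
# data-offset/flags, window, checksum, urgent pointer.
TCP_HDR = "!HHIIHHHH"
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def build_segment(src_port, dst_port, seq, ack, flags):
    """Constructed test helper: minimal TCP header, data offset 5, no payload."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_segment(raw):
    """Decode the ports, sequence/ack numbers and SYN/ACK flags of a TCP header."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "syn": bool(off_flags & FLAG_SYN), "ack_flag": bool(off_flags & FLAG_ACK)}


class HandshakeTracker:
    """Server-side view of inbound (client -> server) segments on one listening port.
    A SYN opens a half-open entry (the server would answer SYN-ACK and wait); the
    client's ACK of server_isn + 1 completes it. The half-open table is bounded: once
    it is full, further SYNs are dropped instead of consuming more memory."""

    def __init__(self, server_port, max_half_open, server_isn=1000):
        self.port = server_port
        self.max_half_open = max_half_open
        self.server_isn = server_isn          # constructed initial sequence number
        self.half_open = {}                   # (client_ip, client_port) -> client seq
        self.established = set()
        self.dropped = 0

    def observe(self, client_ip, raw):
        seg = parse_segment(raw)
        if seg["dst"] != self.port:
            return "ignored"
        key = (client_ip, seg["src"])
        if seg["syn"] and not seg["ack_flag"]:
            if len(self.half_open) >= self.max_half_open:
                self.dropped += 1
                return "dropped"              # step 5: no more state for new SYNs
            self.half_open[key] = seg["seq"]
            return "half-open"                # steps 1-2: SYN received, SYN-ACK sent
        if seg["ack_flag"] and key in self.half_open and seg["ack"] == self.server_isn + 1:
            del self.half_open[key]
            self.established.add(key)
            return "established"              # step 3: client's ACK completes it
        return "ignored"
```

A growing half-open count with few transitions to "established" is the observable signature of the flood described in step 5.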

User datagram protocol (UDP)

UDP is a connectionless protocol often used for broadcast-type traffic, such as audio or video streams. Because a host issues a UDP message and does not expect a reply, embedding malicious activities within these types of datagrams is difficult. However, it is still possible to flood a port with UDP traffic.

TCP or UDP Port

A machine running TCP/IP almost always has many different applications running at the same time, and all must be able to communicate simultaneously. Security is largely contingent upon the proper directing of network packets. Each application is assigned a specific TCP or UDP port number and incoming network packets are directed to the correct application by the operating system.
There are 65,536 possible ports that can be used with either TCP or UDP. The Internet Assigned Numbers Authority (IANA) assigns and maintains port numbers including well-known ports, registered ports, and private ports. IANA has defined the first 1023 ports as reserved for specific server-side applications. Some examples are shown in the table below.

Internet Assigned Numbers Authority (IANA): oversees and coordinates the assignment of every unique protocol identifier used on the Internet.

Program / Application                                     Standard Port
(FTP) File transfer protocol                              TCP 20 and TCP 21
(DNS) Domain name server                                  TCP 53 and UDP 53
(HTTP) Web server                                         TCP 80
(SNMP) Simple Network Management Protocol                 UDP 161 and UDP 162
(SMTP) Mail servers using Simple Mail Transfer Protocol   TCP 25
(NNTP) Network News Transfer Protocol                     TCP 119
Telnet                                                    TCP 23

UDP

To configure firewalls for use with DNS, you need to understand how UDP works.