WP What is TCP | Header Structure to DDoS Connection | Imperva

Transmission control protocol (TCP)

Edge SecurityDDoSProtocols

What is the transmission control protocol (TCP)

The transmission control protocol (TCP) is the internet standard ensuring the successful exchange of data packets between devices over a network. TCP is the underlying communication protocol for a wide variety of applications, including web servers and websites, email applications, FTP and peer-to-peer apps.

TCP operates with the internet protocol (IP) to specify how data is exchanged online. IP is responsible for sending each packet to its destination, while TCP guarantees that bytes are transmitted in the order in which they were sent with no errors or omissions. Together, the two protocols are referred to as TCP/IP.

Establishing a TCP connection: the three-way handshake

Establishing a TCP connection requires that both the client and server participate in what is known as a three-way handshake. The process can be broken down as follows:

  1. A client sends the server a SYN packet—a connection request from its source port to a server’s destination port.
  2. The server responds with a SYN/ACK packet, acknowledging the receipt of the connection request.
  3. The client receives the SYN/ACK packet and responds with an ACK packet of its own.

After the connection is established, TCP works by breaking down transmitted data into segments, each of which is packaged into a datagram and sent to its destination.

TCP header structure

TCP wraps each data packet with a header containing 10 mandatory fields totaling 20 bytes (or octets). Each header holds information about the connection and the current data being sent.

The 10 TCP header fields are as follows:

  1. Source port – The sending device’s port.
  2. Destination port – The receiving device’s port.
  3. Sequence number – A device initiating a TCP connection must choose a random initial sequence number, which is then incremented according to the number of transmitted bytes.
  4. Acknowledgment number – The receiving device maintains an acknowledgment number starting with zero. It increments this number according to the number of bytes received.
  5. TCP data offset – This specifies the size of the TCP header, expressed in 32-bit words. One word represents four bytes.
  6. Reserved data – The reserved field is always set to zero.
  7. Control flags – TCP uses nine control flags to manage data flow in specific situations, such as the initiating of a reset.
  8. Window size TCP checksum – The sender generates a checksum and transmits it in every packet header. The receiving device can use the checksum to check for errors in the received header and payload.
  9. Urgent pointer – If URG control flag is set, this value indicates an offset from the sequence number, indicating the last urgent data byte.
  10. mTCP optional data – These are optional fields for setting maximum segment sizes, selective acknowledgments and enabling window scaling for more efficient use of high-bandwidth networks.

TCP DDoS vulnerabilities and methods of mitigation

TCP is vulnerable to several types of DDoS attacks, including:

SYN flood

SYN floods occur during the initial stage of a three-way handshake by sending TCP connection requests (SYN packets) to every port on a target machine faster than it can process the requests. The server attempts to process the attacker’s fake SYN requests and becomes unresponsive to legitimate TCP requests, preventing the completion of the handshake.

SYN flood attack progression.SYN flood attack progression.

This causes the targeted machine to exhaust all of its available ports. In many cases, SYN packets are the go-to payload and are used simply to saturate a target’s network pipe.

There are several ways to mitigate SYN floods, including:

  1. Micro-blocks – The server allocates a micro-record in its memory for each SYN request instead of a complete connection object, thus reducing potential resource strain from too many requests.
  2. SYN cookies – The server uses cryptographic hashing to verify a TCP request before allocating memory.
  3. RST cookies – The server intentionally sends an incorrect response after the initial SYN request. If the client is legitimate, the server receives an RST packet, telling the server something is wrong.
  4. TCP stack tweaking – You can decrease the timeout for releasing memory allocated to a connection, or selectively drop incoming connections.

Note that in addition to the “classic” SYN flood attack method, many DDoS offenders use fake SYN payloads to mount generic network layer assaults – the type that simply aims to cause network congestion with an overload of fake packets. Mitigating these attacks requires the ability to scale up network resources on demand, e.g., using a cloud mitigation solution.

STOMP DDoS attack

STOMP is a text-based protocol that allows applications to communicate with message brokers using TCP. In a STOMP DDoS attack, perpetrators use a botnet to open large numbers of TCP handshakes with applications. The attackers then send junk data disguised as STOMP TCP requests, saturating the network. If the server is prepared to parse STOMP requests, the attack can also exhaust server resources.

TCP fragmentation (Teardrop)

A teardrop attack is a type of IP fragmentation attack that targets the TCP/IP reassembly mechanism, occurring after a three-way handshake has been completed and data is being transmitted. It involves an attacker deliberately sending data packets with defective segment offset fields, preventing the receiver from correctly putting together the fragmented data. Data packets overlap and quickly overwhelm the victim’s servers.

Preventing TCP fragmentation attacks requires the inspection of incoming packets using routers, secure proxies or a cloud-based DDoS protection service. Packets with incorrect fragmentation are then detected and dropped before they reach your server.

See how Imperva DDoS Protection can help you with TCP DDoS attacks.

TCP DDoS mitigation

Imperva allows you to scale up your network resources, enabling the absorption of TCP attacks of all sizes. Our dedicated multi-terabit scrubbing solutions use deep packet inspection (DPI) to identify and block malicious traffic before it gets a chance to reach your server.

The service can be deployed via BGP based or DNS based rerouting, either as an always-on or on-demand solution.