If you plan on taking the Security+ exam you should have a good understanding of TCP/IP including some basic connectivity protocols. TCP/IP isn’t a single protocol, but a full suite of protocols and two important connectivity protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). This blog covers them along with a few more.
Note: This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
TCP and UDP
Some basic protocols used within the TCP/IP suite for basic connectivity and testing basic connectivity include:
- TCP. Transmission Control Protocol provides connection-oriented traffic (guaranteed delivery). TCP uses a three-way handshake, and the following figure shows the TCP handshake process. To start a TCP session, the client sends a SYN (synchronize) packet. The server responds with a SYN/ACK (synchronize/acknowledge) packet, and the client completes the third part of the handshake with an ACK packet. At this point, the connection is established.
SYN Flood Attack
The SYN flood attack is a common denial-of-service (DoS) attack. In the SYN flood attack, the attacker sends multiple SYN packets but never completes the third part of the handshake. Instead, the attacker withholds the last ACK packet, leaving the server with several open sessions waiting to complete the handshake in each.
This is like a friend extending his hand to shake hands with you, you extending your hand in response, and then, at the last instant, he pulls his hand away. While you or I will probably stop extending our hand back to someone doing this, the server doesn’t know any better and keeps answering every SYN packet with a SYN/ACK packet.
Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can actually crash the server. Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.
An intrusion prevention system (IPS, covered in chapter 4) can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
- UDP. User Datagram Protocol provides connectionless sessions (without a three-way handshake). ICMP traffic and audio and video streaming use UDP. Many network-based denial-of-service (DoS) attacks use UDP. All TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
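To make the half-open session idea from the SYN flood discussion concrete, here is an added example (not from the study guide) that replays a constructed sequence of TCP handshake packets, counts the sessions each client has left waiting for its final ACK, and applies the kind of threshold rule a firewall flood guard or IPS uses before closing those sessions. The server address and packet records are assumed sample data, not captured traffic.

```python
# Added example: track three-way handshakes and count half-open sessions
# per client, the condition a SYN flood creates on the server.
from collections import defaultdict

SERVER = "10.0.0.5"  # assumed address of the server being monitored

# Constructed sample traffic: (source ip, destination ip, TCP flags), in order.
SAMPLE_PACKETS = [
    ("192.168.1.100", SERVER, "SYN"),      # normal client: completes the handshake
    (SERVER, "192.168.1.100", "SYN/ACK"),
    ("192.168.1.100", SERVER, "ACK"),
    ("203.0.113.9", SERVER, "SYN"),        # flooding client: SYNs, never the final ACK
    (SERVER, "203.0.113.9", "SYN/ACK"),
    ("203.0.113.9", SERVER, "SYN"),
    (SERVER, "203.0.113.9", "SYN/ACK"),
    ("203.0.113.9", SERVER, "SYN"),
    (SERVER, "203.0.113.9", "SYN/ACK"),
]

def half_open_by_source(packets, server=SERVER):
    """Replay packets through the handshake and return a dict of
    client ip -> sessions still waiting for that client's ACK."""
    pending = defaultdict(int)  # client ip -> sessions awaiting the final ACK
    for src, dst, flags in packets:
        if dst == server and flags == "SYN":
            pending[src] += 1       # step 1: server will hold a half-open session
        elif src == server and flags == "SYN/ACK":
            continue                # step 2: server replied; still half-open
        elif dst == server and flags == "ACK" and pending[src] > 0:
            pending[src] -= 1       # step 3: handshake complete, session established
    return {ip: n for ip, n in pending.items() if n > 0}

def flood_suspects(packets, threshold=2, server=SERVER):
    """Clients holding more than `threshold` half-open sessions; a flood guard
    would close those sessions rather than keep answering every SYN."""
    counts = half_open_by_source(packets, server)
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_PACKETS))   # {'203.0.113.9': 3}
    print(flood_suspects(SAMPLE_PACKETS))        # ['203.0.113.9']
```

A production flood guard keys sessions on the full source address and port pair and ages entries out over time; this example keeps only the per-client count to show why withheld ACKs accumulate.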
Other Connectivity Protocols
Three other basic connectivity protocols are Internet Protocol (IP), Address Resolution Protocol (ARP), and Internet Control Message Protocol (ICMP):
- IP. The Internet Protocol identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses. IPv4 uses 32-bit addresses represented in dotted decimal format, such as 192.168.1.100. IPv6 uses 128-bit addresses written in hexadecimal, such as FE80:0000:0000:0000:20D4:3FF7:003F:DE62.
- ARP. Address Resolution Protocol resolves IP addresses to media access control (MAC) addresses. MACs are also called physical addresses, or hardware addresses. TCP/IP uses the IP address to get a packet to a destination network, but once it arrives on the destination network, it uses the MAC address to get it to the correct host. In other words, ARP is required once the packet reaches the destination subnet. ARP poisoning uses ARP packets to give clients false hardware address updates and can be used to redirect or interrupt network traffic.
- ICMP. Internet Control Message Protocol is used for testing basic connectivity and includes tools such as ping, pathping, and tracert. As an example, ping can check for basic connectivity between two systems. Many DoS attacks use ICMP. Because of how often ICMP is used in attacks, it has become common to block ICMP at firewalls and routers, which disables a ping response. Blocking ICMP prevents attackers from discovering devices in a network with a host enumeration sweep.
Remember this
Many DoS attacks use ICMP, so it is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.