If you plan on taking the Security+ exam you should have a good understanding of TCP/IP including some basic connectivity protocols. TCP/IP isn’t a single protocol, but a full suite of protocols and two important connectivity protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). This blog covers them along with a few more.
Note: This blog is an excerpt from the
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
TCP and UDP
Some basic protocols used within the TCP/IP suite for basic connectivity and testing basic connectivity include:
- TCP. Transmission Control Protocol provides connection-oriented traffic (guaranteed delivery). TCP uses a three-way handshake, and the following figure shows the TCP handshake process. To start a TCP session, the client sends a SYN (synchronize) packet. The server responds with a SYN/ACK (synchronize/acknowledge) packet, and the client completes the third part of the handshake with an ACK packet. At this point, the connection is established.
SYN Flood Attack
SYN Flood Attack
The SYN flood attack is a common denial-of-service (DoS) attack. In the SYN flood attack, the attacker sends multiple SYN packets but never completes the third part of the handshake. Instead, the attacker withholds the last ACK packet, leaving the server with several open sessions waiting to complete the handshake in each.
This is like a friend extending his hand to shake hands with you, you extending your hand in response, and then, at the last instant, he pulls his hand away. While you or I will probably stop extending our hand back to someone doing this, the server doesn’t know any better and keeps answering every SYN packet with a SYN/ACK packet.
Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can actually crash the server. Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.
An intrusion prevention system (IPS, covered in chapter 4) can detect a SYN lood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
Content goes here
- UDP. User Datagram Protocol provides connectionless sessions (without a three-way handshake). ICMP traffic and audio and video streaming use UDP. Many network-based denial-of-service (DoS) attacks use UDP. All TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
Other Connectivity Protocols
Three other basic connectivity protocols are Internet Protocol (IP), Address Resolution Protocol (ARP), and Internet Control Message Protocol (ICMP):
- IP. The Internet Protocol identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses. IPv4 uses 32-bit addresses represented in dotted decimal format, such as 192.168.1.100. IPv6 uses 128-bit addresses using hexadecimal code such as: FE80:0000:0000:0000:20D4:3FF7:003F:DE62
- ARP. Address Resolution Protocol resolves IP addresses to media access control (MAC) addresses. MACs are also called physical addresses, or hardware addresses. TCP/IP uses the IP address to get a packet to a destination network, but once it arrives on the destination network, it uses the MAC address to get it to the correct host. In other words, ARP is required once the packet reaches the destination subnet. ARP poisoning uses ARP packets to give clients false hardware address updates and can be used to redirect or interrupt network traffic.
- ICMP. Internet Control Message Protocol is used for testing basic connectivity and includes tools such as ping, pathping, and tracert. As an example, ping can check for basic connectivity between two systems. Many DoS attacks use ICMP. Because of how often ICMP is used in attacks, it has become common to block ICMP at firewalls and routers, which disables a ping response. Blocking ICMP prevents attackers from discovering devices in a network with a host enumeration sweep.
Remember this
Many DoS attacks use ICMP, so it is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Over 40 new multiple-choice questions we’ve added after publishing the study guide.
- Over 30 performance-based questions. See a demo here.
- All of the flashcards from the study guide. View them in any Web browser.
- All of the audio from the study guide. Listen to a sample here.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
