tcp analysis based on flags

8/8/2019 Tcp Analysis Based on Flags

1/29

TCP Analysis Based on FlagsCheng Guang

College of Computer Science & Engineering

Southeast University, Nanjing, P.R.China


2/29

Introduction

We have known that, some TCP segments carrydata while others are simple acknowledgements forpreviously received data. Such as, the popular 3-way handshake utilises the SYNs and ACKs

available in the TCP to help complete theconnection before data is transferred.

So we can get a conclusion that each TCP segmenthas a purpose, and this is determined with the help

of the TCP flag options, allowing the sender orreceiver to specify which flags should be used sothe segment is handled correctly by the other end.


3/29

Flags

Six Flags Urgent Pointer

ACKnowledgement

PUSH

Reset (RST) Flag

SYNchronisation Flag

FIN Flag

All flags, a value of '1' means that a particular flag is

'set. Each flag is one bit long, and since there are 6 flags,

this makes the Flags section 6 bits in total.


4/29

1st Flag - Urgent Pointer

This flag is used to identify incoming data as 'urgent

incoming segments are sent directly and processedimmediately.

An Urgent Pointer could be used during a stream ofdata transfer where a host is sending data to anapplication running on a remote machine.

By setting the abort signal's segment Urgent Pointer

flag to '1', the remote machine will give that specificsegment priority, processing it immediately andstopping all further data processing.


5/29

The Urgent Pointer

The urgent pointer flag allows us to mark a segment of data as'urgent', while this urgent pointer field specifies where exactly theurgent data ends.

Urgent Pointer can also be used when attacking remote hosts.


6/29

2nd Flag - ACKnowledgement

The ACKnowledgement flag is used toacknowledge the successful receipt ofpackets.


7/29

3rd Flag - PUSH

The Push flag ensures that the data is giventhe priority and is processed at the sending orreceiving end.

This particular flag is used quite frequently atthe beginning and end of a data transfer,affecting the way the data is handled at both

ends. Push flag is usually set on the last segment

of a file to prevent buffer deadlocks.


8/29

4th Flag - Reset (RST) Flag

The reset flag is used when a segmentarrives that is not intended for the currentconnection.

This 'feature' is used by most hackers inorder to scan hosts for 'open' ports.

All modern port scanners are able to detect

'open' or 'listening' ports thanks to the 'reset'function.


9/29

5th Flag - SYNchronisation Flag

The SYN flag is initialy sent whenestablishing the classical 3-way handshakebetween two hosts

During the 3-way handshake we are able tocount a total of 2 SYN flags transmitted, oneby each host.

As files are exchanged and new connectionscreated, we will see more SYN flags beingsent and received.


10/29

6th Flag - FIN Flag

This flag is used to tear down the virtualconnections created using the previous flag(SYN).

FIN flag always appears when the lastpackets are exchanged between aconnection.


11/29

Analysis worm's SYN scan

If a worm was designed to spread via TCP, during itspropagation there will be a lot of corresponding TCP SYNpackets sent out as it seeks vulnerable services in other hosts.

the destination host is alive,

the destination host it attempts to connect to is not living

the destination is alive but connection attempts from the wormare not functional

when worm tries to propagate, the destination addresses aretypically generated at random, and normally there will be a largenumber of destination hosts that are not living or functional.

Therefore we should expect to see a large number of SYN bitsset in the flow records associated with the worm-infected host.


12/29

Analysis RST/ACK

a closed port will send back a RST/ACK to aTCP request,

If a worm is scanning a large block of living

hosts, those hosts with closed ports wouldsend back a RST/ACK.

if a destination host receives too many

RST/ACK responses, this destination IP isvery likely infected with a worm.


13/29

SYN flood attack

attacker creates a random source address

SYN flag set in each packet is a request toopen a new connection

victim responds to spoofed IP address, thenwaits for confirmation that never arrives

victim's connection table fills up waiting forreplies

after table fills up, all new connections areignored


14/29

SYN

SYN+ACK Packet SA_SYN

RST+ACK packet RA_SYN

Non Response Non_SYN

SYN#=SA_SYN#+RA_SYN#+Non_SYN#


15/29

SYN+ACK

FIN+ACK FA_SA

RESET+ACK FIN+ACK RA_SA

RESET RT

Non Response Non_SA

SYN_ACK# =FA_SA#+FA_RA_SA#+RT#+Non_SA#


16/29

Related Model

SYN#=SA_SYN#+RA_SYN#+Non_SYN# SYN_ACK# = FA_SA# / 2+RA_SA#+RT#+Non_SA#

SA_SYN# = SYN_ACK#

RESET_ACK# = RA_SYN#+RA_SA# RESET# = RT#

FIN+ACK # = FA_SA#

Have 7 variables, but only 6 equations ? Non_SYN#, RA_SYN#, RA_SA#, Non_sa#


17/29

Hypothesis

We only consider the SYN attacks.

Let Non_sa# = 0;

SYN#=SA_SYN#+RA_SYN#+Non_SYN#

SYN_ACK# = FA_SA# / 2+RA_SA#+RT#

SA_SYN# = SYN_ACK#

RESET_ACK# = RA_SYN#+RA_SA#

RESET# = RT#

FIN+ACK # = FA_SA#

Have 6 variables, but only 6 equations

? Non_SYN#, RA_SYN#, RA_SA#


18/29

EXAMPLES

SYN SYN+ACK FIN RST (1) 27390 6739 1837 17983

(2) 30387 7736 1998 14607

(3) 29644 5411 2336 17129

So we can compute the SYN # which donthave any response. (1) Non_SYN# = 8488

(2) Non_SYN# = 14780

(3) Non_SYN# = 11347


19/29

Problems

In this example, we only consider the SYNflood and scan security, and our aim is tocompute the number of SYN which is

abnormal SYN packets. In the future, we will consider more conditions,

so that, we can estimate more variables.


20/29

Timestamps = 10s SYN/SYN+ACK

0

5

10

15

20

25

30

35

40

45

50

1 9 17 25 33 41 49 57 65 73 81 89 97 105 113


21/29


2005

0

10

20

30

40

50

60

70

1 5 9 13 1 7 2 1 25 2 9 3 3 37 41 4 5 49 53 5 7 61 65 69 7 3 77 81


22/29


2004.4.17

0

20

40

60

80

100

120

140

1 3 5 7 9 11 13 15 17 19 21 23


23/29

Timestamps = 10s ACK/PUSH

0

1

2

3

4

5

6

1 9 17 25 33 41 49 57 65 73 81 89 97 105 113


24/29


2005

0

1

2

3

4

5

6

1 5 9 13 17 21 2 5 29 3 3 37 41 4 5 49 53 5 7 61 65 69 7 3 77 81


25/29


2004.4.17

0

1

2

3

4

5

6

7

8

1 3 5 7 9 11 1 3 1 5 1 7 19 2 1 23


26/29

ACK+SYN+PUSH/SUM

2005

0.90.91

0.92

0.93

0.94

0.95

0.96

0.97

0.98

0.99

1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81


27/29

ACK+SYN+PUSH/SUM

2004.4.17

0.968

0.97

0.972

0.974

0.976

0.978

0.98

0.982

0.984

0.986

0.988

1 3 5 7 9 11 13 15 17 19 21 23


28/29

Time Series

0

200000

400000

600000

800000

1000000

1200000

1400000

1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81 86 91

SYN+ACK

FIN+ACK

RST


29/29

tcp analysis based on flags

Documents