The Transmission Control Protocol (TCP) is a foundational network protocol that is essential for the functioning of the Internet. It is responsible for establishing and maintaining the connection between two computers, allowing them to communicate with each other. TCP is one of the core protocols of the Internet Protocol Suite, which is a set of communication protocols used to interconnect computer networks.
TCP is a reliable, connection-oriented protocol that provides in-order delivery of data packets. It is used in applications that require reliable, end-to-end communication, such as web browsing, file transfer, and email. TCP is also used in applications that require more complex communication, such as streaming media and teleconferencing.
In this article, we will discuss the fundamentals of TCP, its purpose, benefits, limitations, history, and how it works. We will also explore the security concerns associated with TCP and how WireX Systems analyzes TCP packets to detect and protect.
What Is TCP
TCP, is a core network protocol that is used to facilitate communication and data transfer between two or more endpoints. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which is the foundation of the modern internet.
At its core, TCP is a connection-oriented protocol that provides reliable, ordered delivery of data between two endpoints. It is a transport layer protocol, meaning it is responsible for establishing and maintaining connections between two endpoints and ensuring the delivery of data.
When two endpoints establish a connection, TCP begins by performing a three-way handshake between the two endpoints. This handshake is used to confirm the connection and to synchronize the sequence numbers between the two endpoints. Once the connection is established, TCP will then begin to send and receive data between the two endpoints.
To ensure reliable delivery, TCP will utilize a sequence number system. Each packet of data will be assigned a sequence number, which is used to track the order in which packets are sent and received. This ensures that the data is delivered in the correct order, and that all packets are accounted for.
TCP also utilizes a sliding window system to manage the flow of data. The sliding window system is used to limit the amount of unacknowledged data that can be sent at any given time. This helps to ensure that the connection is not overwhelmed with data and that data is sent and received in a timely manner.
Finally, TCP also utilizes a retransmission system to ensure that any lost or corrupted data is resent. If a packet is lost or corrupted, the receiving endpoint will send an acknowledgement to the sending endpoint, and the sending endpoint will retransmit the lost or corrupted packet.
In summary, TCP is a reliable, connection-oriented protocol that is used to facilitate communication and data transfer between two or more endpoints. It utilizes a three-way handshake, sequence numbers, a sliding window system, and a retransmission system to ensure reliable delivery of data.
What Is The Purpose Of TCP
The purpose of TCP is to provide reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating over an IP network. TCP is an end-to-end protocol that ensures the reliable delivery of data from one end of the connection to the other.
TCP is a connection-oriented protocol, meaning that a connection must first be established between the two endpoints before data can be transmitted. This connection is referred to as a “virtual circuit” and consists of a series of packets sent back and forth between the two endpoints to establish the connection. Once the connection is established, the data is sent in the form of packets.
TCP provides a number of features to ensure reliable delivery of data. These features include flow control, error correction, and congestion control. Flow control ensures that the data is sent at a rate that the receiving application can process. Error correction is used to detect and correct any errors that may occur in transmission. Finally, congestion control is used to ensure that the network is not overwhelmed by too much traffic. By providing these features, TCP helps to ensure that data is delivered correctly and efficiently, making it an important part of the internet.
Benefits Of TCP
The Transmission Control Protocol (TCP) is a reliable and widely used network protocol that provides a secure connection between two computers or devices. It is one of the core protocols of the Internet Protocol Suite and is used for the transmission of data over the internet. TCP is a connection-oriented protocol that ensures reliable communication between two endpoints. It provides end-to-end data delivery, error recovery, flow control, and congestion control.
The main benefits of TCP include:
Reliability: TCP is a reliable protocol because it employs error recovery and flow control mechanisms to ensure that data is transmitted accurately and securely. It also uses a three-way handshake to establish a connection between two endpoints.
End-to-end data delivery: TCP is an end-to-end protocol, which means that it is responsible for delivering data from the source to the destination. This ensures that data is not lost or corrupted in transit.
Flow control: TCP uses a sliding window protocol to manage the flow of data between two endpoints. This protocol helps to ensure that the sender does not overwhelm the receiver with too much data.
Congestion control: TCP uses algorithms to detect and reduce congestion on the network. This helps to ensure that data is delivered efficiently and quickly.
Security: TCP is a secure protocol as it uses a three-way handshake to establish a connection and encrypts data during transmission. This helps to ensure that data is not intercepted or modified in transit.
These features make TCP a reliable and secure protocol that is suitable for transmitting data over the internet. It is also used in many applications, such as web browsing, email, file transfer, and online gaming.
Limitations Of TCP?
TCP is one of the most widely used network protocols in the world, providing a reliable and secure way to transfer data between two networked devices. However, like any technology, it has its limitations.
One of the main limitations of TCP is its inability to handle large volumes of data. This is because the protocol is designed to break large chunks of data into small packets and then send them separately. This can be time consuming, especially if the amount of data is large.
Another limitation of TCP is its lack of support for Quality of Service (QoS). This means that it can’t prioritize certain types of traffic, such as video or audio streaming, over others. This can lead to latency issues and packet loss, which can have a negative impact on the user experience.
In addition, TCP is not designed to be used in real-time applications. This means that it is not suitable for applications where data needs to be sent and received quickly, such as online gaming or VoIP.
Despite its limitations, TCP is still an important and widely used protocol. It provides a reliable way to transfer data between two networked devices, and is the backbone of many of the applications we use today. However, it is important to be aware of its limitations so that it can be used in the most effective way possible.
How Does TCP Work
TCP is a core component of the Internet’s infrastructure. It is responsible for establishing and maintaining connections between two computers over a network. It is also responsible for ensuring reliable delivery of data across the network.
TCP is a connection-oriented protocol, meaning that it requires an initial handshake between the two computers before any data can be exchanged. This handshake is known as the TCP three-way handshake. The three-way handshake involves the two computers exchanging a series of messages, which is known as the SYN-ACK-SYNACK sequence.
The first step of the handshake is the SYN message. This message is sent from the initiating computer, known as the client, to the receiving computer, known as the server. The SYN message contains information about the client, such as its IP address.
The server then responds with an ACK message, which acknowledges the receipt of the SYN message. The ACK message also contains information about the server, such as its IP address.
The final step of the handshake is the SYN-ACK message sent from the server to the client. This message contains information about the server, such as its IP address.
Once the three-way handshake is complete, the two computers can begin exchanging data. The data is broken down into packets, which are sent from one computer to the other. Each packet contains a header, which contains information about the packet, such as its size and destination.
When the receiving computer receives the packet, it sends an acknowledgement back to the sending computer to confirm that it has received the packet. If the sending computer does not receive an acknowledgement, it will re-send the packet until it receives an acknowledgement.
TCP also provides error correction and flow control. Error correction is used to ensure that any corrupted packets are re-sent, and flow control is used to ensure that the sending computer does not send more data than the receiving computer can handle.
Finally, TCP provides congestion control. This is used to ensure that the network is not overloaded with data. If the network becomes congested, the sending computer will reduce its sending rate until the congestion is relieved.
Security Concerns Of TCP
As with any form of data transmission, there are security concerns when it comes to TCP. As it is a connection-oriented protocol, it is vulnerable to various attacks that can disrupt or intercept data transmission.
One of the most common security threats is a man-in-the-middle attack. This is when an attacker intercepts data transmissions between two parties and can read, modify, or even block the data. This type of attack can be used to gain access to sensitive information, such as financial details or passwords.
Another security concern is denial of service (DoS) attacks. These are when an attacker floods a server with requests, causing it to become overwhelmed and unable to respond. This can lead to a complete shutdown of the server or a disruption of services.
Finally, there is the risk of buffer overflow attacks. These are when an attacker sends more data than the receiving buffer can handle, causing it to overflow. This can potentially lead to the execution of malicious code, which can result in data loss or corruption.
Attack Examples Using TCP
There have been several notable attacks that have utilized the TCP protocol, here are a few examples:
- Microsoft Exchange Server Attack (2021): In early 2021, a Chinese state-sponsored hacking group known as Hafnium carried out a large-scale attack on Microsoft Exchange Server, a widely-used email and collaboration platform. The attackers exploited several zero-day vulnerabilities to gain access to the servers and install webshells that allowed them to steal data, install additional malware, and carry out further attacks. The attackers used the TCP protocol to communicate with the webshells and maintain access to the compromised servers.
- VPNFilter Malware (2018-2019): In 2018 and 2019, a Russian state-sponsored hacking group known as Sofacy or APT28 carried out a global malware campaign targeting routers and other network devices. The malware, known as VPNFilter, allowed the attackers to monitor network traffic, steal data, and launch further attacks. The malware used the TCP protocol to communicate with the attackers’ command and control servers.
- Mirai Botnet (2016-2017): While the Mirai botnet attacks occurred a few years earlier, they remain one of the largest attacks in recent years that utilized the TCP protocol. Mirai was a malware that infected Internet of Things (IoT) devices such as routers, cameras, and DVRs, and used them to carry out distributed denial of service (DDoS) attacks against targets such as DNS provider Dyn and French web host OVH. The malware used the TCP protocol to communicate with its command and control servers and coordinate the attacks.
WireX Systems NDR can help with TCP Investigations
WireX Systems Ne2ition NDR (Network Detection and Response) solutions can be extremely helpful in investigations of attacks that utilize TCP because they can monitor network traffic and detect suspicious or anomalous behavior.
Ne2ition NDR solutions use advanced analytics and machine learning algorithms to analyze network traffic and identify patterns of activity that may indicate an attack. It can detect unusual traffic patterns, unusual ports or protocols, and other indicators of compromise (IOCs) that may be associated with an attack over TCP.
Ne2ition NDR solutions can also help with the investigation of attacks over TCP by providing visibility into network activity. They can help identify which systems are communicating with each other and what protocols they are using. This information can be used to map out the attack and determine the scope of the compromise.
In addition, Ne2ition can provide forensic data that can be used to determine the extent of the damage caused by the attack. They can capture the context of the data that can then be used to analyze the attack and determine what data was exfiltrated.
Overall, NDR solutions can be a valuable tool in investigations of attacks that utilize TCP. They can help identify and respond to attacks more quickly, minimize the impact of the attack, and prevent future attacks.
WireX Systems’ security solution is used to detect and protect against malicious attacks, suspicious activities, and other threats. TCP works by establishing a connection between two computers, allowing data to be transferred between them. When a connection is established, WireX can analyze the data being sent and received. If any suspicious or malicious activity is detected, WireX Systems can help determine the extent and help take steps to protect the user.
WireX Systems Ne2ition analyzes TCP traffic, extracts and indexes dozens of different attributes including the ones displays below to provide in-depth visibility and context for detection, response, forensics and hunting scenarios over TCP:
|MAC Address||Acknowledgment||Acknowledgment number||Address|
|Calculated window size||Checksum||Client port||Client-Payload|
|Client-Payload Preview||Differentiated Services Codepoint||Congestion Window Reduced (CWR)||Differentiated Services Field|
|Destination||Destination port||Destination resolved||TCP|
|Data Raw||Don’t fragment||ECN-Echo||Ethernet|
|SYN||length||MAC Address||More fragment|
|Type||Type text||Packet micro seconds||Packet time|
|Reserved bit||Reset||Sequence number||Server port|
|Server-First-Payload Preview||Explicit Congestion Notification||Source Address|
|Source port||Source resolved||Stream packet size||Stream packet size (diff)|
|Stream packets count||Stream packets count (diff)||Stream Pcap||SYNServer-First-PayloadClient-Payload|
|Syn||SYN Preview||Version|| Destination
|TCP Segment Len||tcp.flags.str raw||tcp.options raw||Time to live|
|Window size scaling factor||Window size value||Urgent||Urgent pointer|
MITRE ATT&CK and TCP
These attributes will help WireX System map into the MITRE ATT&CK framework techniques and tactics:
- Initial Access: Several techniques under the Initial Access tactic involve the use of the TCP protocol. For example, attackers may use TCP-based exploit techniques such as Remote File Inclusion (RFI) or Server-Side Request Forgery (SSRF) to gain access to a target system.
- Execution: Attackers may use the TCP protocol to execute malicious code on a target system. For example, they may use a command and control (C2) server to send commands to the compromised system over TCP.
- Persistence: Attackers may use the TCP protocol to establish persistent access to a compromised system. For example, they may use a TCP-based backdoor to maintain access to the system even after it has been rebooted or patched.
- Exfiltration: Attackers may use the TCP protocol to exfiltrate stolen data from a compromised system. For example, they may use a TCP-based protocol such as FTP or HTTP to send stolen data to a remote server.
- Command and Control: Several techniques under the Command and Control tactic involve the use of the TCP protocol. For example, attackers may use a TCP-based protocol such as HTTP or DNS to communicate with a C2 server and receive commands.
Other tactics and techniques that may be relevant include Lateral Movement, Collection, and Impact.
Here are some examples of tactics and techniques and their corresponding numbers that may be relevant to attacks over TCP:
- Initial Access:
- T1190 Exploit Public-Facing Application (TCP/UDP)
- T1210 Exploitation of Remote Services (TCP/UDP)
- T1047 Windows Management Instrumentation (TCP)
- T1218 Signed Binary Proxy Execution (TCP)
- T1573 Encrypted Channel (TCP)
- T1008 Fallback Channels (TCP)
- T1071 Standard Application Layer Protocol (TCP)
- T1574 Hijack Execution Flow (TCP)
- Command and Control:
- T1071 Standard Application Layer Protocol (TCP)
- T1072 Third-party Software (TCP)
- T1095 Non-Application Layer Protocol (TCP)
- T1041 Exfiltration Over C2 Channel (TCP)
- T1048 Exfiltration Over Alternative Protocol (TCP)
- T1020 Automated Exfiltration (TCP)
These are just a few examples of how attacks over TCP can map to specific tactics and techniques in the MITRE ATT&CK framework. Other tactics and techniques may also be relevant depending on the specifics of the attack.
In conclusion, TCP is a reliable, efficient, and secure protocol that is essential for the functioning of the internet. It is a critical component of the larger network protocol landscape and is used by many applications and services to ensure reliable data transmission. TCP is used by WireX to detect and protect against malicious activity on the network, making it an important part of the security solution. With its reliable connection and data integrity, TCP is an invaluable tool in the modern digital landscape.