Transmission Control Protocol provides reliable, ordered, error-checked delivery of a byte stream, carried as segments inside IP datagrams. Segment structure:
Source Port (16-bit) | Destination Port (16-bit) | Sequence Number (32-bit) | Acknowledgment Number (32-bit) | Data Offset (4-bit) | Reserved (3-bit) | Flags (9-bit) | Window Size (16-bit) | Checksum (16-bit) | Urgent Pointer (16-bit) | Options | Payload
TCP Flags
- NS - ECN-nonce (Explicit Congestion Notification) concealment protection (experimental, see RFC 3540)
- CWR - Congestion Window Reduced is set by the sender to acknowledge receipt of a segment carrying the ECE flag (see RFC 3168)
- ECE - ECN-Echo. If both SYN and ECE are set, the sender is ECN-capable. If only ECE is set, the sender of this segment received an IP packet with the ECN field set to 11 (Congestion Experienced) and is signalling network congestion to the peer TCP sender
- URG - Urgent Pointer field is significant.
- ACK - Acknowledgement field is significant; it carries the next sequence number the receiver expects from the sender. All packets after the first SYN must have it set.
- PSH - asks to push data to the receiving application.
- RST - reset the connection.
- SYN - synchronize the sequence numbers. Only the first packet sent by each end should have it set.
- FIN - no more data from the sender.
Checksum is computed similarly to UDP, over a pseudo-header (source and destination IP addresses, protocol number and TCP length) followed by the segment itself.
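The segment layout, the 9-bit flags field and the pseudo-header checksum above, as an added Python example (not code from the original notes). It parses the fixed header and the MSS and window scale options, decodes the flag bits, and verifies the checksum over an IPv4 pseudo-header. The addresses, ports and option values in the sample segment are constructed for the example.

```python
import socket
import struct

# Bit positions of the 9 flags inside the 16-bit word that also carries Data Offset
# (bits 15-12) and the reserved bits (11-9). NS sits at bit 8, just below the reserved bits.
FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (same arithmetic as UDP/IP)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length)
    followed by the whole segment with its checksum field taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def parse_tcp_header(segment: bytes) -> dict:
    """Split a segment into its header fields, raw options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # header length in 32-bit words
    flags = off_flags & 0x1FF              # low 9 bits: NS plus the eight control bits
    hdr_len = data_offset * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset does not fit the segment")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": sorted(name for name, bit in FLAG_BITS.items() if flags & bit),
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
    }


def parse_options(opts: bytes) -> dict:
    """Decode the options relevant here: MSS (kind 2) and window scale (kind 3)."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            out["wscale"] = body[0]        # shift count applied to the 16-bit window
        i += length
    return out


def build_segment(src_port, dst_port, seq, ack, flags, window, options=b"", payload=b"",
                  src_ip=b"", dst_ip=b"") -> bytes:
    """Assemble a segment with a correct checksum (used here to make constructed input)."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         (data_offset << 12) | flags, window, 0, 0) + options
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


# Constructed sample: a SYN from 10.0.0.1:40000 to 10.0.0.2:443 carrying MSS 1460 and
# window scale 7 options. Addresses, ports and values are made up for this example.
SRC_IP, DST_IP = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
SAMPLE_SYN = build_segment(40000, 443, seq=1000, ack=0, flags=FLAG_BITS["SYN"], window=65535,
                           options=b"\x02\x04\x05\xb4\x03\x03\x07", src_ip=SRC_IP, dst_ip=DST_IP)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    print(hdr["flags"], parse_options(hdr["options"]), verify_checksum(SRC_IP, DST_IP, SAMPLE_SYN))
```

Because the checksum covers the pseudo-header, a segment whose IP addresses were rewritten without recomputing the checksum fails `verify_checksum`, which is why NAT devices and any middlebox that edits addresses or ports must update it.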
Window size controls how much data can be sent unacknowledged, i.e. the sender keeps sending even though acks for the previously sent segments have not arrived yet. There are two window sizes in TCP:
- Window size (RWND in TCP header) is used by flow control to protect the receiving node from overloading and is controlled by the receiver. A window size of 0 in an acknowledgement tells the sender to stop until the data already in the buffer has been processed. The window scale option, which sets the number of bits by which the 16-bit window size is left-shifted, is negotiated during the handshake and allows up to 1GB of data in flight.
- Congestion Window size (CWND in Options) is used by congestion control to protect the network from overloading and is controlled by the sender.
Modern TCP implementations use 4 algorithms: slow-start, congestion avoidance, fast retransmit and fast recovery (RFC 5681).
Slow-start initially sets the congestion window to 1, 2 or 10 times the Maximum Segment Size (MSS) and then increases it by 1 MSS for each ack received. The CWND growth may not be exactly exponential, because the receiver may send one ack for every second segment. The growth carries on until a packet loss is detected, the RWND limit is reached, or the slow start threshold (ssthresh) is reached. In case of a loss, the behavior depends on the TCP congestion avoidance algorithm. Once ssthresh is reached, CWND grows linearly: it increases by 1 MSS per round-trip time (RTT).
Fast Retransmit typically treats 4 duplicate acknowledgements as evidence that the segment was lost rather than reordered, and retransmits it before the retransmission timer expires.
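The window and congestion-control behaviour described above (RWND cap, slow start, congestion avoidance, fast retransmit on duplicate acks, fast recovery versus a retransmission timeout) as an added Python model; it is not code from the original notes. The model is per round trip with all sizes in units of MSS, and it goes slightly beyond the text by distinguishing a loss detected by duplicate acks (fast recovery deflates CWND to the new ssthresh) from one detected by the retransmission timer (CWND drops to 1 MSS and slow start restarts), which is the RFC 5681 behaviour. The duplicate-ack threshold defaults to 3 duplicates, i.e. four identical acks in a row, as RFC 5681 specifies; all scenarios passed in are constructed.

```python
# Units: cwnd, ssthresh, iw and rwnd are counted in MSS; time is counted in round trips.

def dup_ack_trigger(ack_numbers, dup_threshold=3):
    """Index of the ack that triggers fast retransmit: the dup_threshold-th consecutive
    duplicate of the same acknowledgment number (RFC 5681: three duplicates, so four
    identical acks). Returns None if the run of duplicates never reaches the threshold."""
    dups = 0
    for i in range(1, len(ack_numbers)):
        if ack_numbers[i] == ack_numbers[i - 1]:
            dups += 1
            if dups == dup_threshold:
                return i
        else:
            dups = 0
    return None


def simulate_cwnd(rtts, iw=10, ssthresh=64, losses=None, rwnd=None, delayed_ack=False):
    """Congestion window at the start of each round trip.

    losses maps an RTT index to how the loss was detected in that round trip:
    "dupack"  -> fast retransmit, then fast recovery leaves cwnd at the new ssthresh
    "timeout" -> the retransmission timer fired, cwnd falls to 1 MSS and slow start restarts
    Both set ssthresh = max(cwnd / 2, 2 MSS) as RFC 5681 does.
    rwnd, when given, caps cwnd to model the receiver's advertised window."""
    losses = losses or {}
    cwnd, history = iw, []
    for rtt in range(rtts):
        history.append(cwnd)
        kind = losses.get(rtt)
        if kind is not None:
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1 if kind == "timeout" else ssthresh
            continue
        if cwnd < ssthresh:
            # slow start: +1 MSS per ack. With delayed acks the receiver acks roughly every
            # second segment, so the window grows about 1.5x per RTT instead of doubling.
            cwnd += (cwnd + 1) // 2 if delayed_ack else cwnd
        else:
            cwnd += 1  # congestion avoidance: +1 MSS per RTT
        if rwnd is not None:
            cwnd = min(cwnd, rwnd)  # flow control: never exceed the receiver's window
    return history


if __name__ == "__main__":
    # constructed scenario: start with 1 MSS, loss seen via duplicate acks in round trip 4
    print(simulate_cwnd(8, iw=1, losses={4: "dupack"}))
    print(dup_ack_trigger([1000, 2000, 2000, 2000, 2000]))
```

Running the two loss variants side by side shows why an endpoint prefers to detect loss through duplicate acks: after a timeout the window collapses to a single segment, whereas fast recovery keeps it at half the previous value.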
TCP vulnerabilities
- DoS: SYN flood, sockstress, and abuse of the persist timer, which normally prevents a deadlock after receipt of a zero-window ack.
- Connection hijacking, using a TCP sequence prediction attack, which may lead to one packet being erroneously accepted; after that, synchronization is lost if packets with the same sequence numbers have different lengths.
- TCP veto attack, which gets a packet accepted without loss of synchronization because the valid, now redundant, packet is dropped after the malicious one has been accepted. The attack requires guessing not just the sequence number but also the packet size.
- TCP reset attack, which disrupts legitimate TCP traffic.
The obvious protection against all kinds of TCP vulnerabilities is to use IPsec.
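The hijacking, veto and reset attacks above all depend on an injected segment passing the receiver's sequence-number checks. As an added Python example (not code from the original notes), the following implements the acceptability test an ESTABLISHED endpoint applies to incoming segments and the stricter RST and SYN handling from RFC 5961: a RST is honoured only when its sequence number is exactly the next expected one, an in-window RST or SYN provokes a challenge ACK instead of tearing the connection down, and out-of-window data is discarded. The `rst_guess_space` helper shows how much of the sequence space a blind reset can land in with and without that check. The connection state and segments used are constructed for the example; the function and dictionary names are this example's own.

```python
MOD = 1 << 32  # sequence numbers wrap modulo 2**32


def in_window(x, rcv_nxt, rcv_wnd):
    """True if sequence number x lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (x - rcv_nxt) % MOD < rcv_wnd


def segment_acceptable(seq, seg_len, rcv_nxt, rcv_wnd):
    """The four-case acceptability test from the TCP specification (RFC 793 / RFC 9293):
    a segment is acceptable if its first or last byte falls inside the receive window."""
    if seg_len == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else in_window(seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # no room for data at all
    return (in_window(seq, rcv_nxt, rcv_wnd)
            or in_window((seq + seg_len - 1) % MOD, rcv_nxt, rcv_wnd))


def classify_established(seg, conn):
    """Decide what an ESTABLISHED endpoint does with an incoming segment.

    seg:  {"seq": int, "len": int, "flags": set of flag names}
    conn: {"rcv_nxt": int, "rcv_wnd": int}
    Returns "reset", "challenge-ack", "drop" or "accept"."""
    seq, n, flags = seg["seq"], seg["len"], seg["flags"]
    rcv_nxt, rcv_wnd = conn["rcv_nxt"], conn["rcv_wnd"]
    if "RST" in flags:
        if seq == rcv_nxt:
            return "reset"          # RFC 5961 s3: only an exact match aborts the connection
        if in_window(seq, rcv_nxt, rcv_wnd):
            return "challenge-ack"  # in window but not exact: ask the peer to confirm
        return "drop"
    if "SYN" in flags:
        return "challenge-ack"      # RFC 5961 s4: a SYN on an established connection never aborts it
    if not segment_acceptable(seq, n, rcv_nxt, rcv_wnd):
        return "drop"               # out-of-window data: discarded, an ACK goes back
    return "accept"


def rst_guess_space(rcv_wnd, rfc5961=True):
    """Number of sequence values (out of 2**32) for which a blind RST would reset the
    connection: exactly one with the RFC 5961 check, the whole window without it."""
    return 1 if rfc5961 else rcv_wnd


# Constructed connection state and sample segments for the demonstration.
CONN = {"rcv_nxt": 1000, "rcv_wnd": 65535}
SAMPLES = [
    {"seq": 1000, "len": 0, "flags": {"RST"}},            # exact RST: reset
    {"seq": 5000, "len": 0, "flags": {"RST"}},            # in-window RST: challenge ACK
    {"seq": 2_000_000, "len": 0, "flags": {"RST"}},       # far out of window: drop
    {"seq": 1000, "len": 0, "flags": {"SYN"}},            # SYN mid-connection: challenge ACK
    {"seq": 1000, "len": 100, "flags": {"ACK", "PSH"}},   # in-order data: accept
    {"seq": 900, "len": 50, "flags": {"ACK"}},            # entirely old data: drop
    {"seq": 900, "len": 200, "flags": {"ACK"}},           # overlaps the window edge: accept
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["seq"], sorted(s["flags"]), "->", classify_established(s, CONN))
    print("blind RST hits:", rst_guess_space(65535, rfc5961=False), "vs", rst_guess_space(65535))
```

The challenge-ACK path is what turns a guessed in-window RST from an immediate teardown into a harmless round trip: the legitimate peer answers the challenge with its real sequence number, and only a RST matching that exactly is honoured. Window scaling makes the receive window, and therefore the unprotected guess space, larger, which is why the exact-match rule matters more on high-bandwidth connections.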