TCP Flow Control

In this article, let's look at some TCP basics. RFC 793 describes 'flow control' as follows:

RFC 793

https://tools.ietf.org/html/rfc793#page-15


Flow Control: TCP provides a means for the receiver to govern the amount of data sent by the sender. This is achieved by returning a "window" with every ACK indicating a range of acceptable sequence numbers beyond the last segment successfully received. The window indicates an allowed number of octets that the sender may transmit before receiving further permission.


The TCP header carries the two pieces that flow control relies on: the 16-bit Window field (how many more octets the sender of this segment is willing to accept) and the control bits, in particular ACK, which says that the Acknowledgment Number field is valid.


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format


Window: 16 bits The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.


Sliding window


WINDOW AND ACKNOWLEDGEMENT STRATEGY IN TCP : http://www.ietf.org/rfc/rfc813.txt

The window mechanism is a flow control tool. Whenever appropriate, the recipient of data returns to the sender a number, which is (more or less) the size of the buffer which the receiver currently has available for additional data. This number of bytes, called the window, is the maximum which the sender is permitted to transmit until the receiver returns some additional window.

http://www.omnisecu.com/tcpip/tcp-sliding-window.php

  • The sending device may transmit every byte that falls inside the window advertised by the receiver without waiting for an ACK; a retransmission timer covers the data that is still unacknowledged.

  • The receiving device acknowledges cumulatively: the acknowledgment number is the sequence number of the next byte it expects (one past the last contiguous byte received), and the Window field in the same segment says how much more it can take. When the ACK arrives, the sender moves the left edge of its window up to the ACK number, i.e. slides the window to the right, and the new Window value sets the right edge.



Slow Read DoS attack

Slow Read DoS is one of the slow HTTP attacks. The attacker's aim is to keep as many web server resources (connections, worker threads or processes, socket send buffers) tied up for as long as possible, with traffic that looks like a valid request, until legitimate clients are turned away. Two techniques achieve this:
1) Sending the request slowly (headers or body trickled in a few bytes at a time)
2) Reading the response slowly: the client advertises a very small (or zero) TCP window and reads from its socket slowly, so the server cannot drain its send buffer and the connection stays open
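The sliding-window exchange from the previous section and the "read slowly" technique are two runs of the same mechanism, so here is one small simulation that serves both. It is an added example, not code from the original post or from any slow-HTTP tool: the sender is bounded by the receiver's advertised window, the receiver ACKs cumulatively and advertises its free buffer space, and all sizes (response length, MSS, buffer, read rate) are constructed parameters rather than measurements.

```python
"""Sliding-window simulation covering the window/ACK mechanics above and
the Slow Read pattern.  Added example, not code from the original post;
every size and count below is a constructed parameter, not a measurement."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Receiver:
    """Receive side: the advertised window is the free space in its buffer."""
    buf_size: int            # receive buffer (what SO_RCVBUF bounds on a real host)
    drain_per_tick: int      # bytes the application reads from the socket per tick
    buffered: int = 0        # bytes received but not yet read by the application
    rcv_nxt: int = 0         # next sequence number expected

    def window(self) -> int:
        return self.buf_size - self.buffered

    def receive(self, seq: int, length: int) -> tuple[int, int]:
        # Accept only the in-order segment that fits in the advertised window;
        # anything else is dropped and the previous ACK is simply repeated.
        if seq == self.rcv_nxt and length <= self.window():
            self.buffered += length
            self.rcv_nxt += length
        return self.rcv_nxt, self.window()      # ACK number, Window field

    def drain(self) -> tuple[int, int]:
        # The application reads; the freed space goes out as a window update.
        self.buffered -= min(self.drain_per_tick, self.buffered)
        return self.rcv_nxt, self.window()


@dataclass
class Sender:
    """Send side: never more than rwnd bytes outstanding beyond snd_una."""
    total: int               # size of the response to deliver
    mss: int
    rwnd: int                # last window advertised by the receiver
    snd_una: int = 0         # oldest unacknowledged byte: left edge of the window
    snd_nxt: int = 0         # next byte to send

    def usable_window(self) -> int:
        return self.rwnd - (self.snd_nxt - self.snd_una)

    def next_segment(self) -> tuple[int, int] | None:
        length = min(self.mss, self.usable_window(), self.total - self.snd_nxt)
        if length <= 0:
            return None                          # window full or nothing left
        seg = (self.snd_nxt, length)
        self.snd_nxt += length
        return seg

    def on_ack(self, ack: int, wnd: int) -> None:
        # The ACK moves the left edge to the right (the window "slides");
        # the Window field in the same segment fixes the new right edge.
        self.snd_una = max(self.snd_una, ack)
        self.rwnd = wnd


def simulate(total: int, mss: int, rcv_buf: int, drain_per_tick: int, max_ticks: int) -> dict:
    """Run the exchange for at most max_ticks; report how far the sender got."""
    rx = Receiver(rcv_buf, drain_per_tick)
    tx = Sender(total, mss, rwnd=rx.window())    # initial window from the handshake
    segments = 0
    for tick in range(1, max_ticks + 1):
        while (seg := tx.next_segment()) is not None:
            segments += 1
            tx.on_ack(*rx.receive(*seg))         # an ACK for every segment
        tx.on_ack(*rx.drain())                   # window update after the read
        if tx.snd_una >= total:
            return {"done": True, "ticks": tick, "segments": segments,
                    "bytes_acked": tx.snd_una, "pending": 0}
    return {"done": False, "ticks": max_ticks, "segments": segments,
            "bytes_acked": tx.snd_una, "pending": total - tx.snd_una}


if __name__ == "__main__":
    # A client that reads as fast as the server sends: a 10 000-byte response
    # into a 4 000-byte buffer finishes in three rounds.
    print("normal reader:", simulate(total=10_000, mss=1_000, rcv_buf=4_000,
                                     drain_per_tick=4_000, max_ticks=20))
    # Slow Read: a 200-byte window drained 50 bytes per round.  The sender is
    # stuck behind the window and still holds most of the response after 20 rounds.
    print("slow reader:  ", simulate(total=10_000, mss=1_000, rcv_buf=200,
                                     drain_per_tick=50, max_ticks=20))
```

The slow run is the attack in miniature: the connection never misbehaves at the protocol level, yet after twenty rounds the server still owes 8850 of 10000 bytes and keeps the socket, its send buffer and whichever worker owns it allocated. The model leaves out silly-window-syndrome avoidance and the zero-window persist timer, which change the segment count but not the outcome; the server-side counter is a minimum transfer rate or a send timeout per connection, not anything in the window mechanism itself.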




Example


{{ TBD }}



References :

https://en.wikipedia.org/wiki/Transmission_Control_Protocol

http://www.rhyshaden.com/tcp.htm

http://www.tcpipguide.com/free/t_TCPMessageSegmentFormat-3.htm

https://www.youtube.com/watch?v=ADiuHeoT2GA

http://www.freesoft.org/CIE/Course/Section4/8.htm


{{ SECURITY Network packet Forensic }} 

 

 Chapter_4 : FTP packet analysis

  • Port TCP 21 is the control connection (user authentication, commands and their reply codes); TCP 20 is the server-side port of the data connection in active mode (directory listings and file contents). In passive mode the server opens an ephemeral port for the data connection instead.
  • Ethernet II (Ethernet Version 2, DIX frame) is the most common frame type in use today, since IP is carried directly in it; its EtherType field (0x0800 for IPv4) identifies the payload.


  • TCP Flags
    • ACK (Acknowledge) : the Acknowledgment Number field is valid; it equals the peer's sequence number plus the length of the data received at the TCP layer (plus one for a SYN or FIN)
    • SYN (Synchronize) : used during session setup to agree on initial sequence numbers (random)
    • FIN (Finish) : graceful session close (no more data from this side)
    • RST (Reset) : abnormal session disconnection
    • PSH (Push) : forces data delivery to the application without waiting for buffers to fill
    • URG (Urgent) : the Urgent Pointer field is valid
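To put the header figure from the first post and the flag list above together in code, here is a small decoder for the fixed TCP header. It is an added example, not code from the original post: it builds two constructed segments of an FTP control connection (a SYN and a `USER` command), checks the checksum over the IPv4 pseudo-header, decodes the control bits and Window field, and computes the acknowledgment number the peer owes. The addresses 10.0.0.5/10.0.0.21, port 40001 and the sequence numbers are made up for the example.

```python
"""Decode and verify a TCP segment as laid out in the RFC 793 header figure.
Added example, not code from the original post: the addresses, ports, sequence
numbers and the FTP command below are constructed, not captured."""
import socket
import struct

# Control bits, least significant first, as they sit in the 6-bit flags field.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
HEADER = "!HHIIBBHHH"   # 20-byte fixed header: ports, seq, ack, offset, flags, window, csum, urg


def flag_bits(names) -> int:
    return sum(1 << FLAG_NAMES.index(n) for n in names)


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # The TCP checksum also covers source/destination address, protocol 6 and TCP length.
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", options=b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)       # options are padded to 32-bit words
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    hdr = struct.pack(HEADER, sport, dport, seq, ack, data_offset << 4,
                      flag_bits(flags), window, 0, 0) + options
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # patch the checksum field
    return hdr + payload


def parse_segment(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack(HEADER, segment[:20])
    hlen = (off >> 4) * 4                          # Data Offset is in 32-bit words
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
            "window": window, "checksum": csum, "urgent_ptr": urg,
            "options": segment[20:hlen], "payload": segment[hlen:]}


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    # Summing the segment with its own checksum field included must give zero.
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def expected_ack(parsed: dict) -> int:
    """ACK number the peer should return: seq + data length (+1 for SYN or FIN)."""
    return (parsed["seq"] + len(parsed["payload"])
            + ("SYN" in parsed["flags"]) + ("FIN" in parsed["flags"]))


# Constructed FTP control-connection traffic: client 10.0.0.5 -> server 10.0.0.21.
CLIENT, SERVER = "10.0.0.5", "10.0.0.21"
SYN = build_segment(CLIENT, SERVER, 40001, 21, seq=1000, ack=0, flags=["SYN"],
                    window=29200, options=b"\x02\x04\x05\xb4")          # MSS option, 1460
USER = build_segment(CLIENT, SERVER, 40001, 21, seq=1001, ack=5001, flags=["PSH", "ACK"],
                     window=29200, payload=b"USER anonymous\r\n")

if __name__ == "__main__":
    for seg in (SYN, USER):
        p = parse_segment(seg)
        print(p["flags"], "seq", p["seq"], "win", p["window"],
              "checksum ok:", verify_checksum(CLIENT, SERVER, seg),
              "peer should ACK", expected_ack(p))
```

The checksum step is the part worth keeping in a forensic toolkit: a segment whose checksum fails in a capture is either a capture artefact (checksum offload on the capturing host) or a crafted packet, and telling the two apart is the first question in a scan or injection investigation. Note that the SYN consumes one sequence number even though it carries no data, which is why the peer's ACK for it is 1001 and not 1000.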


  • Analyze > Follow TCP Stream

  • Statistics > Flow Graph

 

 

 References  

https://support.microsoft.com/en-us/kb/169292

http://www.tamos.net/~rhay/overhead/ip-packet-overhead.htm

FTP specification : RFC 765 (June 1980), replaced by RFC 959 (October 1985)

RFC 2228 (June 1997) : FTP Security Extensions (AUTH, PROT and related commands)

FTPS (FTP over TLS) : RFC 4217

 
