TCP Flags

From Frotmail Projects

Every TCP packet must have at least one of six flags set; each flag corresponds to one bit in the TCP header. The six flags are:

  • SYN (Synchronization) - Initiate a TCP connection.
  • ACK (Acknowledgment) - Indicates that the value in the acknowledgment number field is valid.
  • FIN (Finish) - Gracefully end a TCP connection.
  • RST (Reset) - Immediately end a TCP connection.
  • PSH (Push) - Tells the receiver to pass on the data as soon as possible.
  • URG (Urgent) - Indicates that the urgent pointer is valid; often caused by an interrupt.

Before reviewing abnormal flag combinations, let's look at the normal ones:

  • SYN, SYN ACK, and ACK are used during the three-way handshake which establishes a TCP connection.

Except for the initial SYN packet, every packet in a connection must have the ACK bit set.

  • FIN ACK and ACK are used during the graceful teardown of an existing connection.
  • PSH FIN ACK may also be seen at the beginning of a graceful teardown.
  • RST or RST ACK can be used to immediately terminate an existing connection.

Packets during the "conversation" portion of the connection (after the three-way handshake but before the teardown or termination) contain just an ACK by default. Optionally, they may also contain PSH and/or URG. Packets with any other flag combination can be classified as abnormal.

Here are some of the most commonly occurring ones:

  • SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious.
  • SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH, and other variants on SYN FIN also exist. These packets may be used by attackers who are aware that intrusion detection systems may be looking only for packets with exactly the SYN and FIN bits set, and not for packets with additional bits set. Again, these are clearly malicious.
  • Packets should never contain just a FIN flag. FIN packets are frequently used for port scans, network mapping and other stealth activities.
  • Some packets have absolutely no flags set at all; these are referred to as "null" packets. It is illegal to have a packet with no flags set.
  • Besides the six flag bits described here, TCP packets have two additional bits which are reserved for future use. These are commonly referred to as the "reserved bits". Any packet which has either or both of the reserved bits activated is almost certainly crafted.

There are several other characteristics of TCP traffic where abnormalities may be seen:

  • Packets should never have a source or destination port set to 0.
  • The acknowledgment number should never be set to 0 when the ACK flag is set.
  • A SYN-only packet, which should occur only when a new connection is being initiated, should not carry any data.
  • Packets should not use a destination address that is a broadcast address, usually ending in .0 or .255. (You may not be familiar with .0 as a broadcast address; it was an older style of broadcast.) Broadcasts are normally not performed using TCP.
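The rules above can be encoded directly as a classifier over raw TCP headers. The following is an added example, not part of the original article: it parses the fixed 20-byte header with the standard library, treats the combinations the article lists as normal, and reports every other anomaly it describes (SYN FIN variants, lone FIN, null packets, reserved bits, port 0, ACK with acknowledgment number 0, data in a SYN-only packet, and an optional broadcast destination). The helper `make_segment` and all sample segments are constructed test data.

```python
import struct

# TCP flag bits in the 13th header byte; the top two bits are the "reserved bits" the article mentions.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RESERVED = 0xC0
NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))

# Every combination the article describes as normal: handshake, conversation, graceful teardown, reset.
NORMAL = {SYN, SYN | ACK, ACK, ACK | PSH, ACK | URG, ACK | PSH | URG,
          FIN | ACK, FIN | ACK | PSH, RST, RST | ACK}

def flag_names(flags):
    return " ".join(name for bit, name in NAMES if flags & bit) or "null"

def classify_tcp(segment, dst_ip=None):
    """Return the list of anomalies in a raw TCP segment (header plus payload); [] means it looks normal."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    sport, dport, _seq, ack_num, offset_byte, flag_byte = struct.unpack("!HHIIBB", segment[:14])
    header_len = (offset_byte >> 4) * 4          # data offset is in 32-bit words
    payload_len = len(segment) - header_len
    flags = flag_byte & 0x3F                      # the six flag bits only
    issues = []
    if sport == 0 or dport == 0:
        issues.append("source or destination port 0")
    if flag_byte & RESERVED:
        issues.append("reserved bits set")
    if flags == 0:
        issues.append("null packet (no flags)")
    elif flags & SYN and flags & FIN:
        issues.append("SYN FIN combination: " + flag_names(flags))
    elif flags == FIN:
        issues.append("FIN without ACK")
    elif flags not in NORMAL:
        issues.append("abnormal combination: " + flag_names(flags))
    if flags == SYN and payload_len > 0:
        issues.append("data in SYN-only packet")
    if flags & ACK and ack_num == 0:
        issues.append("ACK set with acknowledgment number 0")
    if dst_ip and dst_ip.rsplit(".", 1)[-1] in ("0", "255"):
        issues.append("destination is a broadcast address")
    return issues

def make_segment(sport, dport, flags, ack_num=1, payload=b"", reserved=0):
    """Build a minimal 20-byte TCP header plus payload (constructed test data; checksum left as zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, ack_num, 5 << 4,
                       reserved | flags, 65535, 0, 0) + payload
```

Feeding `classify_tcp` the TCP portion of captured packets (for example from a pcap reader) gives one line of findings per segment; an empty list means the segment matches one of the article's normal patterns.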