about combinations of TCP flags

1

  1. In a TCP FIN packet, is the ACK flag always set?

  2. In TCP tear-down phase, there are usually 4 packets: FIN/ACK, ACK, FIN/ACK, ACK. Is it possible some of these packets may not be sent by a TCP peer?

  3. When there is payload, as far as I know, flags like PSH, ACK, FIN can be set. When FIN is set, PSH and ACK are also set. Are there any other flags that can be set when there is data payload?

  4. When RST is set, is ACK always set? Are there any other flags that can be set?

misteryes

Posted 2013-06-14T22:56:24.903

Reputation: 2 255

Answers

3

The TCP Xmas attack uses URG in addition to FIN and PSH. Different operating systems react differently when receiving this kind of packet, so it's used for OS fingerprinting. Apparently, it may cause crashes for some IP stacks.

It's also worth noting that there are flood attacks based simply on setting invalid flag combinations. https://www.isi.edu/~mirkovic/bench/attacks.html

There may not be a specific answer to your question based on standards. From a glance at RFC-793, there do not appear to be any specifics about other flags in a FIN packet, other than that it must have ACK set (but not SYN), and SYN and ACK values that correspond to an established connection. If these minimum criteria are not met (or the stack determines that the flag combo is invalid), the packet will be dropped.

All standards have undefined aspects to their implementation, and TCP is definitely no exception. This is evidenced by the fact that some stacks crash for URG+FIN+PSH, others don't, and those that stay up respond differently.

Frank Thomas

Posted 2013-06-14T22:56:24.903

Reputation: 29 039
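The flag combinations mentioned in the answer above can be checked on the receiving side. The following is an added example, not part of the original post: it reads the flag byte from a raw TCP header and labels the anomalous combinations. The function names, the constructed sample headers and the "null" check (no flags at all, which the answer does not mention) are assumptions made for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Return the six RFC 793 flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13] & 0x3F


def classify(flags: int) -> list:
    """Return labels for anomalous flag combinations; empty list if none."""
    findings = []
    if flags == 0:
        # Not discussed in the answer; added as a commonly flagged case.
        findings.append("null: no flags set")
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        findings.append("xmas: FIN+PSH+URG")
    if (flags & SYN) and (flags & FIN):
        findings.append("SYN+FIN")
    if (flags & FIN) and not (flags & ACK):
        findings.append("FIN without ACK")
    return findings


def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options) for testing the parser."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                       5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    samples = {
        "FIN/ACK": FIN | ACK,
        "FIN/PSH/ACK with data": FIN | PSH | ACK,
        "Xmas": FIN | PSH | URG,
        "SYN+FIN": SYN | FIN,
    }
    for name, flags in samples.items():
        hdr = build_header(flags)
        print(f"{name:24} -> {classify(tcp_flags(hdr)) or 'ok'}")
```
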