There are 65,536 logical ports (0 through 65535), and they belong to the two main transport layer protocols, TCP and UDP; each protocol has its own set, so TCP port 53 and UDP port 53 are different things. Although both are transport layer protocols, they work in very different ways.
TCP, the transmission control protocol, is a reliable mode of transport that uses a handshake between sender and receiver before any data flows. UDP, the user datagram protocol, is a faster and lighter transport protocol, but that speed comes at the cost of reliability. Both TCP and UDP have their own place in networking.
A variety of services use UDP, TCP, or both. Services like HTTP/HTTPS, which give you the web, use reliable TCP. Other services favor speed over reliability, such as the network time protocol (NTP) on UDP port 123.
What is TCP (transmission control protocol) and how does it work?
TCP is a connection-oriented protocol for internet communication. It detects errors with a checksum and recovers from them by retransmitting the damaged or missing segment (it does not correct damaged data in place), and it delivers bytes in order. That is what makes TCP reliable. TCP relies on a handshake to set up the connection between sender and receiver.
A TCP three-way handshake must complete before data is passed between the sender and receiver. The handshake has 3 steps:
- The sender sends a SYN (synchronize) packet to the receiving host, carrying its initial sequence number
- The receiver replies with a SYN-ACK (synchronize/acknowledge) packet: it acknowledges the SYN it received and sends its own SYN with its own initial sequence number
- The sender receives the SYN-ACK and replies with an ACK packet, completing the handshake; the connection is now established and both hosts can start exchanging data
TCP is a reliable transport protocol because every segment is acknowledged; if a segment is lost in transit (no acknowledgement arrives before the sender's timer expires), TCP retransmits it so the communication can complete. Many services use TCP ports, such as PPTP on port 1723, SMB on port 445, and IMAP on port 143, just to name a few.
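The exchange above, carried through with sequence numbers, as an added example that is not part of the original article. It is a simulation (plain Python objects standing in for segments, with made-up initial sequence numbers and a constructed lossy network), not real sockets: the kernel does the handshake for you when you call connect(), so you never write this yourself. What it shows is the arithmetic the text glosses over: a SYN consumes one sequence number, every ACK names the next byte expected rather than the last byte received, and a lost segment is recovered by a timer-driven retransmission.

```python
"""Simulation of a TCP three-way handshake followed by a data transfer with
one lost segment. Added example: a toy model with made-up initial sequence
numbers and a constructed lossy "network", not real sockets."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    flags: frozenset
    seq: int
    ack: int = 0
    data: bytes = b""

    def __str__(self):
        return (f"{self.src:6s} [{'/'.join(sorted(self.flags)):7s}] "
                f"seq={self.seq} ack={self.ack} len={len(self.data)}")


def three_way_handshake(client_isn=1000, server_isn=5000):
    """Return the three handshake segments and each side's (next_seq, expected_seq)."""
    # 1. SYN: client announces its initial sequence number (ISN).
    syn = Segment("client", frozenset({"SYN"}), seq=client_isn)
    # 2. SYN-ACK: a SYN consumes one sequence number, so the server acknowledges
    #    client_isn + 1 and announces its own ISN in the same segment.
    synack = Segment("server", frozenset({"SYN", "ACK"}), seq=server_isn, ack=syn.seq + 1)
    # 3. ACK: client acknowledges the server's SYN; the connection is ESTABLISHED.
    ack = Segment("client", frozenset({"ACK"}), seq=syn.seq + 1, ack=synack.seq + 1)
    state = {"client": (ack.seq, ack.ack), "server": (synack.seq + 1, ack.seq)}
    return [syn, synack, ack], state


def transfer(payload: bytes, mss: int = 4, lose_first_send_of=(), max_retries: int = 3):
    """Send payload in MSS-sized segments with stop-and-wait acknowledgements.
    lose_first_send_of lists segment indices whose first transmission the
    constructed network drops; the sender's retransmission timer recovers them.
    Returns (bytes the receiver reassembled, list of event strings)."""
    segments, state = three_way_handshake()
    events = [str(s) for s in segments]
    seq, _ = state["client"]                # next byte the client will send
    server_seq, expected = state["server"]  # next byte the server expects
    received = b""
    lost_once = set()
    chunks = [payload[i:i + mss] for i in range(0, len(payload), mss)]
    for idx, chunk in enumerate(chunks):
        for _attempt in range(max_retries + 1):
            seg = Segment("client", frozenset({"ACK"}), seq=seq, ack=server_seq, data=chunk)
            if idx in lose_first_send_of and idx not in lost_once:
                lost_once.add(idx)
                events.append(f"{seg}  -> lost in transit")
                events.append("client: retransmission timer expired, resending")
                continue
            events.append(str(seg))
            # The receiver accepts only the bytes it expects next (in-order delivery)
            # and acknowledges the next byte it wants, not the last one it got.
            if seg.seq == expected:
                received += seg.data
                expected += len(seg.data)
            ack_seg = Segment("server", frozenset({"ACK"}), seq=server_seq, ack=expected)
            events.append(str(ack_seg))
            if ack_seg.ack == seq + len(chunk):
                seq += len(chunk)           # acknowledged: advance to the next chunk
                break
        else:
            raise TimeoutError(f"segment {idx} was never acknowledged")
    return received, events


if __name__ == "__main__":
    data, log = transfer(b"hello, world", mss=4, lose_first_send_of=(1,))
    print("\n".join(log))
    print("receiver got:", data)
```

Running it prints the three handshake segments, then each data segment with its ACK; the second chunk is shown as lost, resent, and finally acknowledged, and the receiver still ends up with the complete payload.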
Email, secure shell, web browsing, and file transfer protocols all use TCP ports. These services need the most reliable transmission protocol: you wouldn't want to receive half of an email message, or get web application errors, because a packet was lost or damaged.
So TCP makes the most sense in these cases; it is heavyweight but reliable. Error detection, reliability, and in-order delivery are the strengths of TCP. It is, however, slower than UDP, because of the handshake, the acknowledgements, and the waiting for retransmissions.
How does UDP (user datagram protocol) differ from TCP?
UDP is a connectionless protocol that is lighter weight and faster than TCP but far less reliable.
Examples of common services that use UDP are SNMP on port 161, L2TP on port 1701, and TFTP on port 69. Some services use both UDP and TCP ports, such as DNS on port 53 (UDP for most queries, TCP for zone transfers and for answers too large to fit in one datagram).
It is also important to note that there is no handshake between sender and receiver as there is with a TCP connection. UDP does not retransmit dropped datagrams, does not put them back in order, and does not slow down when the network is congested; it just sends. It is very common for some UDP packets never to arrive, and the receiving party can notice.
For example, if you are video chatting over Wi-Fi and your call pauses for a second or skips, chances are a few UDP packets didn't make it to your device. UDP's advantage is speed: datagrams are transmitted as a continuous stream with no waiting for acknowledgements. UDP does carry a checksum, so a corrupted datagram is detected and discarded, but it is never re-sent; that is what makes it unreliable, and any application that needs recovery has to build it on top (as QUIC and most VPN protocols do). Common uses for UDP are streaming services, gaming, VoIP, VPN tunneling, DNS, trivial file transfer (TFTP), etc.
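To see the difference on a real system, here is an added example (not from the article) that uses only the Python standard library and the loopback interface: a TCP connect() to a port nobody listens on fails immediately, because the three-way handshake was answered with a reset, while a UDP sendto() to an equally dead port reports success, because nothing in UDP ever checks that anyone is there.

```python
"""Connection-oriented vs connectionless, demonstrated on the loopback interface.

Added example (not from the article). Uses only the standard library; no
listener is started, so both ports probed below are closed."""
import socket


def closed_port(kind: int) -> int:
    """Ask the kernel for a free port of the given socket type, then release it.
    Nothing listens on it afterwards, so it is a closed port."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_connect(port: int, timeout: float = 2.0) -> str:
    """TCP: connect() performs the three-way handshake. A closed port answers the
    SYN with RST, which surfaces as ECONNREFUSED before a single byte of data is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"   # neither SYN-ACK nor RST: something dropped the SYN


def udp_send(port: int) -> str:
    """UDP: there is no handshake. sendto() succeeds even though nobody is listening;
    the datagram is simply discarded. (The kernel may receive an ICMP port-unreachable
    afterwards, but an unconnected UDP socket never reports it to the application.)"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        sent = s.sendto(b"anyone there?", ("127.0.0.1", port))
        return f"sent {sent} bytes, no error"


def demo() -> dict:
    """Probe a closed TCP port and a closed UDP port and return both outcomes."""
    return {"tcp": tcp_connect(closed_port(socket.SOCK_STREAM)),
            "udp": udp_send(closed_port(socket.SOCK_DGRAM))}


if __name__ == "__main__":
    for proto, result in demo().items():
        print(f"{proto.upper()} to a closed port: {result}")
```

The UDP sender has no idea the datagram went nowhere; whatever sits on top of UDP (a VoIP codec, a DNS resolver retrying, a VPN) has to decide for itself whether silence means loss.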
Next, we will cover how UDP and TCP fit into the OSI model…
What is the OSI model?
The open systems interconnection (OSI) model breaks networking into 7 layers. Information starts as raw bits on physical equipment and ends as an interactive window on a web page…wow!
7. Application Layer-This is the end-user software like a browser or email client. Protocols at this layer, such as HTTP, FTP, and SMTP, are what that software uses to send and receive data on the user's behalf.
6. Presentation Layer-This layer translates data between the form the application uses and the form sent over the network: character encoding, compression, and encryption/decryption (TLS is often described as sitting here).
5. Session Layer-This layer is pretty self explanatory: it manages the session between client and server, establishing it, keeping it synchronized, and terminating it.
4. Transport Layer-This layer carries messages end to end between hosts, and it is where TCP and UDP live (IP itself sits one layer down). End-to-end delivery, flow control, and multiplexing many applications onto one host through port numbers are performed within the transport layer.
3. Network Layer-This layer takes segments from the transport layer and wraps them into packets with a source and destination IP address, then forwards and routes those packets toward the destination across networks. Routers are network layer devices (ordinary switches work one layer down, at the data link layer).
IP, ICMP, IPsec, and the legacy IPX are network layer protocols. Unfortunately, denial-of-service (DoS) and distributed denial-of-service (DDoS) floods commonly target this layer, although they hit other layers too.
2. Data link Layer-This layer takes the raw bits from the physical layer and turns them into frames, with addressing and error detection, so that the network layer sees a clean link between neighboring nodes. Network switches operate at this layer. The logical link control (LLC) and media access control (MAC) sublayers make up the data link layer.
LLC handles flow control, error notification, and identifying which network layer protocol a frame carries; MAC handles access to the shared medium and hardware addressing. The hardware address at this layer is the MAC address of each network adapter.
1. Physical Layer-This is where the data is just bits, 1's and 0's, carried as electrical, optical, or radio signals on the medium. When you look at bytes in a packet capture you are actually seeing frames captured at the data link layer; the physical layer is the signaling underneath them.
Ethernet cables, link speeds, and physical network topologies (ring, star, bus, etc.) belong to the physical layer. The TCP/IP model describes the same stack in four layers by combining several of the OSI layers. It is the model that matches the protocols actually in use: it covers the TCP/IP protocols, data flow, connections, physical and logical devices and software, and how they work together to transmit data across the network.
TCP/IP Model Layers:
- Application Layer-Combines the OSI session, presentation, and application layers.
- Transport Layer-TCP and UDP; provides end-to-end delivery between applications on different hosts.
- Internet Layer-This is essentially the network layer of the OSI model
- Network Interface Layer-This combines the data link and physical layer
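The encapsulation the two models describe is easiest to see in bytes. The following added example (not from the article) constructs an Ethernet/IPv4/TCP frame layer by layer and then parses it back; all addresses, ports and sequence numbers in it are made up. Note which fields belong to which layer: MAC addresses and EtherType are data link, IP addresses, TTL and protocol number are network, and ports, sequence numbers and flags are transport. The parser also verifies the IPv4 header checksum, the network layer's own error detection, and shows ICMP as a protocol number next to TCP and UDP rather than as a port.

```python
"""Encapsulation through the data link, network and transport layers.

Added example (not from the article): builds a constructed Ethernet/IPv4/TCP
frame with a valid IPv4 header checksum, then parses it back one layer at a
time the way a receiving host does. MACs, IPs and ports are made up."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17          # IP "protocol" field values
TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                                # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Layer 4 -> 3 -> 2: each layer prepends its own header to the layer above."""
    # L4: 20-byte TCP header, no options. Seq/ack are constructed values and the
    # TCP checksum is left 0 to keep the example short (a real stack fills it in).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1001, 5001, 5 << 4, flags, 65535, 0, 0) + payload
    # L3: 20-byte IPv4 header; total length counts the IP header plus everything above.
    ver_ihl, ttl, ident, dont_frag = (4 << 4) | 5, 64, 0x1234, 0x4000
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(tcp), ident, dont_frag, ttl,
                     PROTO_TCP, 0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill the checksum field
    # L2: 14-byte Ethernet II header: destination MAC, source MAC, EtherType.
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Layer 2 -> 3 -> 4: peel the headers in the order a receiving host does."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"l2": {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return out                                    # e.g. ARP (0x0806) never reaches L3
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    _, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    # The stored checksum covers the header with that field zeroed, so summing the
    # header as received (checksum included) must come out to 0 if it is intact.
    out["l3"] = {"src_ip": ".".join(map(str, sip)), "dst_ip": ".".join(map(str, dip)),
                 "ttl": ttl, "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    seg = ip[ihl:total_len]
    if proto == PROTO_TCP and len(seg) >= 20:
        sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
        out["l4"] = {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
                     "payload": seg[(off >> 4) * 4:]}
    elif proto == PROTO_UDP and len(seg) >= 8:
        sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
        out["l4"] = {"proto": "UDP", "sport": sport, "dport": dport, "payload": seg[8:length]}
    elif proto == PROTO_ICMP and len(seg) >= 4:
        # ICMP rides directly on IP (protocol number 1): it has a type and code, no ports.
        out["l4"] = {"proto": "ICMP", "type": seg[0], "code": seg[1]}
    return out


if __name__ == "__main__":
    frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                        "10.0.0.1", "10.0.0.2", 40000, 443, 0x02)   # a SYN to port 443
    for layer, fields in parse_frame(frame).items():
        print(layer, fields)
```

Flip any byte of the IPv4 header and checksum_ok turns false, which is exactly what a router does before dropping a corrupted packet; note that this checksum covers only the IP header, so protecting the payload is left to TCP's and UDP's own checksums one layer up.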
In addition to TCP and UDP, there are several other common networking protocols that are helpful to learn about.
- HTTP–The hypertext transfer protocol brings us the World Wide Web over TCP port 80. Without it there is no web browsing, and because it is plaintext, anyone on the path can read and modify what you send.
- HTTPS–HTTP carried inside a TLS (formerly SSL) connection; the server presents a certificate so the client can verify who it is talking to, and the traffic is encrypted. It runs on TCP port 443.
- SSH–Secure shell is used from a command line terminal, mainly to reach remote hosts for troubleshooting, administration, and so on. SSH is secure because the two sides run a key exchange (Diffie-Hellman or an elliptic-curve variant) to agree on fresh session keys that encrypt everything, while the server's host key and the user's key (RSA, Ed25519, etc.) are used for authentication, not for the bulk encryption. SSH runs on TCP port 22.
- FTP–File transfer protocol transfers files to and from an FTP server on TCP ports 20 (data) and 21 (control). It is insecure: usernames, passwords, and file contents all travel in the clear.
- SFTP–The SSH file transfer protocol runs file transfers over an SSH connection, so it inherits SSH's authentication (password or key) and encryption. It is a much better option than FTP! Like SSH, it runs on TCP port 22.
- SCP–Secure copy is suited to quick file transfers between hosts; it's not meant as a bulk transfer solution, but it runs over SSH, so transfers are encrypted and protected from interception. TCP port 22 carries SCP data too (recent OpenSSH releases implement the scp command over the SFTP protocol by default).
- TELNET–Telnet is, in simple terms, a secure shell without the secure! It sends logins, passwords, and the entire session in cleartext, so anyone on the path can read them. Needless to say, this protocol should never be used; SSH replaces it. It runs on TCP port 23.
- NTP–Network time protocol runs on UDP port 123. Its importance lies in keeping your system clock synced to an accurate reference (NTP works in UTC; your geographic time zone is applied locally). Your system sends a time request to the NTP server and adjusts its clock from the reply. Accurate time matters for security too: certificate validity checks, Kerberos tickets, and correlating logs during an investigation all depend on it.
- DHCP–Dynamic host configuration protocol uses UDP port 67 on the server side and 68 on the client side. You need DHCP for automatic IP address assignment. Most if not all home routers provide DHCP assignments automatically.
Every network device must have an IP address assigned to it to communicate with local and remote devices and services. You can configure a static or dynamic IP address in the network settings for any given network adapter.
- ICMP–Internet control message protocol carries error messages and operational information used to determine host reachability and status. If you want to see whether your computer can communicate with another network device (another machine or a domain), you can send an ICMP echo request, a ping, to that host.
If you get an echo reply back, the host is up and you have a line of communication. If you get nothing, the host may be down, a firewall may be dropping the ICMP, or the host may simply be configured not to answer pings; no reply does not prove the host is off. ICMP has no port number at all: it is carried directly inside IP as protocol number 1, alongside TCP (protocol 6) and UDP (protocol 17) rather than on top of them.
ICMP is its own protocol on top of IP, which is why it doesn't need TCP or UDP. If you are a system/network administrator, network engineer, etc. then you have more than likely used the ICMP protocol; I know I have and it's very useful!
- ARP–The address resolution protocol is unique in that it doesn't use a port number, or even IP: it is a data link layer protocol that maps an IPv4 address to the hardware address of the network interface card or adapter (NIC) that owns it. The NIC's unique identifier is its MAC address.
Hosts keep an ARP cache of resolved entries so that future traffic to those MAC addresses doesn't need a new lookup. ARP has no authentication: any host on the segment can answer, or announce, any mapping, and caches believe it. That is what ARP spoofing (ARP cache poisoning) exploits, and it is a classic man-in-the-middle (MITM) attack on shared networks such as public Wi-Fi.
The attacker poisons the ARP caches of the target and the router so that each sends traffic meant for the other to the attacker's MAC address; the attacker then relays it, reading or altering it on the way. Use a VPN on public Wi-Fi to help mitigate this: encrypted traffic can still be intercepted but not read or modified. Do this even if the Wi-Fi has a login/password, because other users on the same network can still run the attack. On managed networks, dynamic ARP inspection on switches and static ARP entries for the gateway also help.
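What ARP poisoning looks like on the wire, and one way to catch it, as an added example that is not from the article. The ARP replies below are constructed (all addresses made up) and stand in for what a capture tool such as Wireshark or a switch's ARP monitoring would show; the detector flags an IP whose MAC address suddenly changes and a single MAC answering for more than one IP, the two signatures of a host impersonating both the gateway and its victim.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example (not from the article): constructed ARP reply events stand in
for what a capture would show; every address and the 'gateway' are made up."""
from collections import defaultdict

# Constructed sample: one ARP reply seen on the segment per entry,
# as (seconds, sender_ip, sender_mac). The last two replies are the attack:
# a new MAC starts claiming the gateway's IP and then the victim's IP as well.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # victim laptop
    (1.0, "192.168.1.30", "cc:cc:cc:cc:cc:30"),   # another host
    (5.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway again, unchanged
    (9.0, "192.168.1.1",  "dd:dd:dd:dd:dd:66"),   # !! gateway IP now claims a new MAC
    (9.1, "192.168.1.20", "dd:dd:dd:dd:dd:66"),   # !! same MAC now also claims the victim
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings for the given (time, ip, mac) replies.

    trusted: optional static ip -> mac table (typically the gateway). Trusted
    entries are never overwritten, so every conflicting reply keeps alerting.
    Two checks:
      1. an IP whose MAC changes (legitimate only when hardware is replaced);
      2. one MAC answering for several IPs (a poisoner impersonates the
         gateway towards the victim and the victim towards the gateway)."""
    trusted = dict(trusted or {})
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append(f"t={t}: {ip} changed from {previous} to {mac} (possible ARP spoofing)")
        if ip not in trusted:
            ip_to_mac[ip] = mac          # learn dynamically, like a real ARP cache would
        new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if new_claim and len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={t}: {mac} claims {sorted(mac_to_ips[mac])} "
                          "(one host answering for several IPs)")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, trusted={"192.168.1.1": "aa:aa:aa:aa:aa:01"}):
        print(alert)
```

Both checks can fire legitimately (a replaced NIC, a router or virtualization host that owns several IPs), so in practice you seed the detector with the known gateway mapping and tune it to your segment; dynamic ARP inspection on a managed switch enforces the same rule in hardware by dropping replies that contradict the DHCP lease table.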
Can attackers see what protocols I am using?
This is all good information, but what happens when a threat actor discovers those protocols on your network? With tools like nmap and Wireshark, a malicious user who can reach your hosts, or who sits on the same network segment, can learn your open ports, the services and versions behind them, the likely operating system, and, if they can capture traffic, the protocols and data on the wire.
Nmap is a tool used in penetration testing, and there are many useful bits of intel to be gained from an nmap scan. The issue is that attackers use it too. If you want to secure your devices and protect them from attackers to the highest extent possible, learn how to use it and scan yourself before someone else does.
On the other hand, you don't have to know how to use nmap to secure your system. Closing unused ports with a host firewall, disabling services you don't use, and keeping your system and applications updated all make it harder for attackers to learn something valuable about your system.
Nmap first does host discovery to determine whether a host is alive (by default a mix of ICMP echo and TCP probes, not just a ping, and it can be told to skip this step for hosts that block ICMP). If the host is up, it scans ports and reports each one as open, closed, or filtered, and can go on to identify the services and versions running on the open ports. That information alone is enough to start staging an attack, because it tells the attacker which known vulnerabilities might apply.
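The port-scanning step, reduced to its core, as an added example (not nmap's code and not from the article). It runs against the loopback interface with a throwaway listener standing in for a real service, whose banner is made up, so it works offline; the classification it returns (open, closed, filtered) is the same one nmap reports. Scan only hosts you are authorized to test.

```python
"""A minimal TCP connect scan against the loopback interface.

Added example (not nmap's code and not from the article): a throwaway
listener thread plays the 'service' so the script runs offline, and the
banner it sends is made up. Scan only hosts you are authorized to test."""
import socket
import threading

BANNER = b"SSH-2.0-ExampleServer\r\n"   # constructed; real SSH daemons also speak first


def free_port() -> int:
    """Ask the kernel for a free TCP port and release it, so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_service():
    """Listen on an OS-chosen port and send BANNER to every client.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(BANNER)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopped.set


def scan_port(host: str, port: int, timeout: float = 0.5):
    """Classify one port the way nmap reports it. A full connect() means a completed
    three-way handshake, which is why this scan is noisy: every open port sees a
    real connection in its logs. Returns (state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""       # RST came back: host is up, nothing listening
        except OSError:
            return "filtered", b""     # no answer: a firewall dropped the SYN, or host is down
        try:
            banner = s.recv(128)       # SSH, SMTP and FTP identify themselves unprompted
        except socket.timeout:
            banner = b""
        return "open", banner


def scan(host: str, ports) -> dict:
    """Scan each port in turn; a real scanner parallelizes this and randomizes order."""
    return {p: scan_port(host, p) for p in ports}


def demo() -> dict:
    """Scan one open port (the fake service) and one closed port on loopback."""
    open_port, stop = start_fake_service()
    try:
        return scan("127.0.0.1", [open_port, free_port()])
    finally:
        stop()


if __name__ == "__main__":
    for port, (state, banner) in demo().items():
        print(f"{port}/tcp  {state:9s} {banner.strip().decode(errors='replace')}")
```

This is a connect scan, the same thing nmap -sT does: every probe completes the handshake, so open ports log a connection. Nmap's default SYN scan (-sS, which needs raw sockets) sends only the SYN and tears the half-open connection down with a reset, which is faster and leaves fewer traces in application logs, although a firewall or IDS still sees the SYNs.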
TCP and UDP play a huge role in overall communication between devices. Without them, most of the data we use would never reach our devices. You can better understand TCP, UDP, and the other protocols covered here by running a packet capture tool like Wireshark on your own network!
This article provided a basic overview of TCP and UDP and how their importance plays a huge part in network communications. We also covered common protocols and the OSI model; hopefully it gave you some insight and something to practice and implement on your network!