info@threatvector.nyc 1 (888) 517-0088

Network Analysis

Transport Protocol Communication

Our cyber-security team analyzes your company’s network traffic and flow data. NetFlow is a summary of the IP traffic crossing a network: each record describes one flow (a run of packets sharing the same source and destination addresses, ports and protocol) together with statistics and metadata such as packet and byte counts, timestamps and the TCP flags observed. Routers, switches and firewalls generate these records from the packets entering and leaving their interfaces. The Internet Protocol is responsible for carrying packets of data from the source host to the destination host and back; every packet is addressed by the source and destination IP addresses in its header.

Threat Vector monitors the addresses in these packets and flags any that may be harmful to your company’s network. Where full packets are captured, this is done by reconstructing the entire conversation or stream and pattern matching it against known attack vectors and malicious data streams. Additionally, our analysis matches the source and destination of all inbound and outbound IP traffic against an international repository of malicious IP addresses (AlienVault OTX, the Open Threat Exchange) and raises alarms graded by the severity of the potential threat.

Threat Vector is capable of monitoring your network traffic at every layer of the OSI model. By modern convention, digital communication between computers is described by a standardized model known as the OSI (Open Systems Interconnection) layer model. The NetFlow portion of Threat Vector focuses on the transport layer and the IP header beneath it, since a flow record is keyed on IP addresses, transport protocol and ports. To better understand how flow information is aggregated, compiled and correlated, it is worth reviewing the protocols most commonly seen at the transport layer.

Basics:

Transmission Control Protocol (TCP)

The Transmission Control Protocol, or TCP, provides a reliable, ordered, connection-oriented byte stream between application programs on two hosts, built on top of IP. TCP carries most internet applications, including web browsers, email clients and media streaming. However, while it is the most widely used transport protocol, it was not designed with security in mind. For example, some of the most basic attacks, such as DoS (Denial of Service), exploit the way TCP sets up a connection (see Threats below).

User Datagram Protocol (UDP)

The User Datagram Protocol, or UDP, also carries traffic between applications on the internet, including the domain name system (DNS), the simple network management protocol (SNMP) and the dynamic host configuration protocol (DHCP). Unlike TCP, UDP is connectionless: there is no handshake, no guarantee of packet delivery, no ordering of packets and no protection from packet duplication. Applications that need these properties must build them themselves. Because no handshake is required, the source address of a UDP datagram is trivially spoofed, which is what makes UDP services attractive for reflection and amplification attacks and for spoofed requests against unauthenticated services on your company’s network.

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is a companion protocol to IP. It is carried directly inside IP packets (IP protocol number 1) and therefore sits at the network layer rather than the transport layer proper, but it shows up in flow records alongside TCP and UDP. Unlike UDP and TCP, ICMP is not used to carry application data. Rather, it lets hosts and network devices report errors and diagnostics about the communication itself, such as destination host unreachable, network unreachable, time exceeded, datagram conversion error, and the echo request and reply used by ping, to list a few.

There are other transport layer protocols as well, such as SCTP and QUIC (which runs over UDP).

Threats

DoS attacks are commonly executed against TCP. TCP connects a client to a server with a three-way handshake: the client sends a SYN segment, the server acknowledges the request with a SYN-ACK, and the connection is established when the client answers with an ACK. The threat comes in between the second and third steps. While the server waits for the client’s ACK, the connection is half open, and the server keeps it in a backlog queue of pending connections that is of limited size. If that queue fills, no new connections can be accepted until entries age out. An attacker can simply keep sending SYNs, typically from spoofed source addresses so that the SYN-ACKs go nowhere, and never complete the handshake. The backlog fills with half-open connections and legitimate clients can no longer connect. This SYN flood is a very simple and effective denial of service technique that attackers like to use, and in flow data it shows up as a burst of one-packet, SYN-only flows from many sources to a single destination port.
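The following is an added example, not code from the page or from Threat Vector, showing how a SYN flood of the kind described above can be spotted in flow records. The flow fields (source, destination, destination port, protocol, cumulative TCP flags, packet count) mirror what a NetFlow v5/v9 exporter emits; the sample records and the alert threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the tcp_flags field of a NetFlow record
# (the exporter ORs together every flag it saw during the flow).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    tcp_flags: int  # cumulative OR of TCP flags seen in this flow
    packets: int


def is_half_open_attempt(f: Flow) -> bool:
    """A TCP flow that is a single SYN with no ACK ever observed is a
    handshake the client started but never finished: a half-open connection
    from the server's point of view. Completed connections always carry ACK."""
    return bool(
        f.proto == TCP
        and f.tcp_flags & SYN
        and not f.tcp_flags & ACK
        and f.packets == 1
    )


def detect_syn_flood(flows, threshold=5):
    """Group lone-SYN flows by destination socket (dst, dport) and report
    every target whose count of half-open attempts reaches the threshold.
    Returns {(dst, dport): {"half_open": n, "sources": distinct_src_count}}."""
    per_target = defaultdict(list)
    for f in flows:
        if is_half_open_attempt(f):
            per_target[(f.dst, f.dport)].append(f.src)
    alerts = {}
    for target, srcs in per_target.items():
        if len(srcs) >= threshold:
            alerts[target] = {"half_open": len(srcs), "sources": len(set(srcs))}
    return alerts


# Constructed sample: two normal, completed TCP sessions, one DNS lookup, and
# eight lone SYNs from spoofed addresses aimed at 10.0.0.5:443.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "10.0.0.5", 443, TCP, SYN | ACK | PSH | FIN, 14),
    Flow("192.168.1.21", "10.0.0.5", 443, TCP, SYN | ACK | PSH | FIN, 9),
    Flow("192.168.1.20", "10.0.0.53", 53, UDP, 0, 1),
] + [
    Flow(f"203.0.113.{i}", "10.0.0.5", 443, TCP, SYN, 1) for i in range(1, 9)
]

if __name__ == "__main__":
    for (dst, port), info in detect_syn_flood(SAMPLE_FLOWS).items():
        print(f"SYN flood suspected against {dst}:{port}: "
              f"{info['half_open']} half-open attempts from {info['sources']} sources")
```

A single lone SYN is normal (a client retrying against a host that is down usually retransmits, so its flow has several packets); it is the volume of one-packet SYN-only flows against one socket, from many distinct sources, that distinguishes a flood. Tune the threshold to the baseline of the server in question, and treat a high `sources` count with exactly one attempt per source as a strong sign that the addresses are spoofed.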

Threat Vector Solutions

Threat Vector prevents these sorts of attacks by limiting access to the servers to authorized IP addresses only, so that attackers never reach the TCP handshake in the first place. This is effective for internal and partner-facing servers; a service that must be reachable from the whole internet cannot be allowlisted, and there the standard host-level defenses are SYN cookies and a larger, faster-expiring backlog. For companies with a large number of clients, a load balancer is another effective measure. A load balancer is a device that distributes incoming connections across a pool of servers, so that when one server’s backlog fills, new connection requests are directed to another server and the connections still complete.