TCP flags: Hackers Playground

TCP is a very important protocol on Internet. More than half of the traffic in Internet uses TCP. When it comes to services which require QoS (quality of service) TCP plays a major role whether it be logging into Facebook  or opening a website like the underlying protocol which takes care of “reliable” service is TCP. TCP’s dominance over internet has its advantages and disadvantages. The architecture of TCP/IP protocol suit doesn’t have any security features, what it has is algorithms for protocol timers, logics, buffering, mapping, management but there is nothing in code for its security. As Internet evolved the techniques to use it un-ethically also evolved. These techniques are nothing but exploitations of vulnerabilities in the protocol architectures. TCP being the major protocol used in internet, many hacking applications were developed which bypasses its ethical usage (we will study those tools in upcoming posts) so what are those vulnerabilities in TCP ? before we start let us have a brief look at a TCP packet structure.


TCP along with UDP lies in the Transport layer of the TCP/IP model (also called as DoD model)

TCP Packet structure:

  • TCP Packet = TCP Header (20 bytes) + DATA (max of 65,495).
  • Number of words (w) is included in the TCP Header length (n) = w x n = 20byte.
  • In the above packet = 32 x 5 = 160bits /8 = 20bytes (default word length = 32bit)
  • The size of header indicates the start of the data.
  • Sequence and Acknowledge numbers are both 32bit in size.
  • The dashed lines between TCP Header and flags are empty 6bits and are not used.
  • Next to the empty 6bits are 1bit flags.
  • Flags field:
    • URG – Urgent Flag
    • ACK – Acknowledge Flag
    • PSH – Push Flag
    • RST – Reset Flag
    • SYN – Sync Flag
    • FIN – Finish Flag
  • Window size indicates the available buffer memory in the stack for communication.
  • Checksum is used to calculate the integrity of the TCP packet
  • Urgent pointer is used along with the URG flag. It tells the receiving end where exactly the priority ends in the data.
  • Optional field varies with the header length.
  • Data field is where the actual data from the upper layers are stored.

Before we start studying about Flags let us see how they’ll look when captured through a packet sniffer like Wireshark.


The markings in the above figure are the flags in a TCP packet.

Let us check each one of them:


Urgent flag is used to process the data without any latency (virtually zero time). The packets in which the urgent flag is set to “1” will be processed at the destination end without any delay. These packets are not sent to the queue for their turn nor they are buffered. This is like a VIP convoy on a busy road where it will be transferred first by making the way no matter how busy the road is. When the URG flag is set then the “urgent flag” also needs to be set. Urgent pointer tells up to where the data is to be prioritized in the data field. Basically Urgent Pointer tell the destination end where the data priority ends in the data field.

  • Example: Best example is executing commands on a remote machine using Telnet client. The output of a command executed through telnet should be immediate so in order to accomplish this the data transferred to the remote machine will have the URG flag set to “1” on its TCP packet. But by any chance if the output takes time on the Telnet console then there has to be some kind of slowness in the network or the remote machine is not responding properly.
  • Hackers idea: This can be used for malicious activities too. What happens if someone crafts a packet by turning ON the URG flag and sends it across the network. The remote machine immediately process the data, and there are instances where this can even by-pass an IDS or a Firewall if proper rules/policies are not set.


Acknowledge flag is used to acknowledge a received Sync packet. ACK flag is set to “1” on a reply packet to the requesting machine along with the SYN flag set to “1”. This is just a confirmation sent to the requesting machine that your Sync request has been received. In the initial stage of connection set up the Window size is set to zero. Windowing plays one of the key role in acknowledgements and will be studied later.


Push flag is used to push the data without any intermediate buffering(storing). This is more like URG flag but there is a distinction as both have different roles. In a TCP packet if the PSH flag is set to “1” then it will not be buffered at any intermediate nodes, It will be simply pushed in to the network without any intermediate storage. No Intermediate processing will be done.

  • Example: Mostly PSH flag is set for communications where there shouldn’t be any interruption like live multimedia streaming, executing mission critical database queries, ATM transactions and so on. And also a situation can arise called “buffer deadlocks”. In this situation the originating machine’s buffer and the remote machine’s buffer will be filled up and both will get into a loop of sync and acknowledgements. So, in order to avoid this PSH flag is set at the beginning and at the end of the data transfer – more about : TCP buffer deadlocks.
  • Hackers idea: Did I mentioned something as “No Intermediate processing will be done”? Yes, this is one of the key factor in some attacks. An IDS or a Firewall will be placed in the intermediate position of the service requesting machine and the service providing machine. IDS and Firewall’s will have significant amounts of buffer memory for storing and analyzing the incoming data before sending them into the destination machine in the private network. So if a Hacker crafts a batch of TCP packets where the PSH flag is set to “1” then they can easily by-pass the Firewall and IDS without getting detected or processed. This is one of the technique used in attacking a remote server for attempting a DDoS attack.


Reset flag is used to reset a connection with an interruption. This is mainly used to allow/block or to interrupt a connection on a port.

  • Example: When a service is running on a socket like say http on port 80, it runs this http service on this port. When a remote machine tries to access this service it initially establishes a dedicated connection to this port. If let us say the http service is stopped on this port and when a remote machine tries to connect to this port 80 the socket interrupts the connection and acknowledges to the requesting machine with the RST flag set to “1”. Another situation is when we are actively working on a Telnet session and if by mistake when we close the telnet window the telnet service on the host machine’s port 23 will stop and it immediately sends a TCP packet with RST flag set to “1” and once the remote machine receives this, it will tear down the connection without any delay or acknowledgement.
  • Hackers idea: What if a Hacker wants to scan a remote machine for its open ports, services or to at-least to check whether the machine is alive or not ? He will simply sends crafted TCP packets to all the well know ports from 0-1023 and
    • if any of them are open they will send an SYN+ACK packet (acknowledge) which clearly tells the hacker that the port is open and its corresponding service is running.
    • If the service is stopped but the port is open it will send RST packet (acknowledge) which tell the hacker that the service is not running but the port is open.
    • If a port is filtered/closed (through firewall) the hacker will never gets any acknowledgement back which tells him that the port is unavailable.
    • If the hacker haven’t received any kind of acknowledgements  from the target machine on any of its ports then it means that the remote machine is shutdowned or not on the network.

    Note : The above points in the “Hackers idea” in RST section are the fundamental principles used in the port scanners like nmap.


Sync flag is the well know flag in TCP and is used to initiate a TCP session. Before the actual data starts to flow, a TCP packet with 0 data bytes are send to the remote machine with the SYN flag set to “1”, after the three way handshake a dedicated virtual path is established between the source machine to the target machine for the actual data to transfer.

  • Example: When we open any website the first step done by the TCP protocol is sending a sync packet (though initially a DNS query is sent for name resolution). And once a connection is established then we’ll see the homepage of that website. If anything goes wrong in the transmission we’ll get “Timed out” or if a firewall is blocking we’ll get “Access Denied” errors on the browser screen. See the below figure.


  • Hackers idea: Well why do a malicious hacker need to open a webpage ? if his intention is to crash it. So what he will do is he will craft a batch of TCP packets with SYN flag set to “1” and with a spoofed IP address like say A.A.A.A (or it can vary arbitrarily) as the source IP (where his machine’s actual IP is B.B.B.B. Note: alphabets are used instead of numbers in IP fields) and he’ll send these packets to a destination machine C.C.C.C which runs a website. So once C.C.C.C receives the SYN packets from B.B.B.B …. wait a min .. will it be from B.B.B.B? or from A.A.A.A ? .. It will be from A.A.A.A (spoofed IP) it thinks that it is from A.A.A.A and sends SYN+ACK to A.A.A.A which doesn’t exist. So what happens is
    •   The Hacker will never receives SYN+ACK and he will continuously sends the SYN packets
    • The webserver C.C.C.C continuously sends the SYN+ACK packets to the spoofed IP A.A.A.A and never receives the ACK. It will fill up its buffer and drops the legitimate connections.
    • The result it “page cannot be displayed” or “network timed out”. If it is a windows machine there might be a possibility for complete system crash or a BSOD.

    Note: This is a very old attack called “TCP flood” or “SYN Flood” most of the todays IDS systems will detect this attack easily and most web servers have enough resources to take the beat . I’ve just explained it for understanding the potential threats involved in it.

    FIN –

    Finally the FIN flag. FIN flag is used to negotiate between the peer systems that the communication is over and they can drop the connection. Basically, it tears down the TCP  virtual connection. FIN is a 4 way handshake which appears in the last packet of a session. This can be better explained from the below figure.


    I guess the picture is self explanatory. Once the source machine finishes the data transfer it sends a TCP packet with the FIN flag set to “1” and the destination machine acknowledges. But this is only one way, from the picture, source machine is finished its transmission not the destination machine. Now the connection acts as a simplex connection. Once the destination machine finishes its transmission it also sends a TCP packet with FIN flag set to “1” and the source acknowledges it and then the connection will be dropped. It is more like a telephone conversation.

    I think the above description itself covers the example. Lets see what hackers can do.

  • Hacker idea: I haven’t come across attacks where this flag is used. May be there are attacks which might use this flag. It is up to you guys to figure it out. The possible attack that I can think of is:
    • Let us say there are two machines A –> B which are communicating using TCP on a subnet. Consider that there is a Disgruntled employee and his machine is also on this subnet and some how he managed to get a packet crafter application installed on his machine (if it is windows ? no big deal) what he can do is he can craft a packet with A’s IP and set the FIN flag to “1” and send it to B. Guess what happens, the actual session of A’s has to tear down right? I don’t think so because actual A might be still transmitting data, even after the spoofed TCP packet triggered a FIN …. Interesting? Smile … Go figure out yourself.

    Thanks for reading …

12 thoughts on “TCP flags: Hackers Playground

  1. Pingback: Rechnernetze-Klausur

  2. Thanks for this article! I’m currently learning for an exam about networks / protocols and your article explained basics in TCP much better than the presentaitons of my prof. did.


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s