TCP flags

There are six original 1-bit control flags, and three additional flags added.

Experimental Flag RFC 3560:

NS — ECN-nonce concealment protection this is an optional field added to ECN intended to protect against accidental or malicious concealment of marked packets from the TCP sender.

Congestion Notification Flags — RFC 3168:

CWR — Congestion Window Reduced — Only used in TCP connections where Explicit Congestion Notification is used. Rarely seen in most TCP Conversations. ECN allows routers to inform the TCP endpoints that their transmit buffers are filling due to congestion. This allows the TCP endpoints to slow their data transmission to prevent packet loss. The CWR field is set by the sender to show that it received a TCP segment with the ECE flag set.

ECE — ECN — Echo — Used only by ECN-TCP connections. The ECN-Echo is sent to inform the other side of the TCP connection that it received an ECN notification from the network. This may trigger a TCP Slow Start. Like the CWR field, this is rarely seen in connections.

The 6 TCP Control Flags RFC 7414:

A simple pneumonic to help you memorize the 6 control flags.

Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN

URG — Urgent flag is used to process the data without any latency (virtually zero time). The packets in which the urgent flag is set to “1” will be processed at the destination end without any delay.

Example: The execution of commands on a remote machine via Telnet. The output of a command executed through telnet should be immediate so in order to accomplish this the data transferred to the remote machine will have the URG flag set to “1” on its TCP packet.

ACK — Acknowledge flag is used to acknowledge a received Sync packet. ACK flag is set to “1” on a reply packet to the requesting machine along with the SYN flag set to “1”.

PSH — Push flag is used to push the data without any intermediate buffering (storing). This is more like URG flag but there is a distinction as both have different roles.

Example: PSH flag is set for communications where there shouldn’t be any interruption like live multimedia streaming, executing mission critical database queries, ATM transactions and so on.

RST — The reset (RST) flag unexpectedly terminates an open connection. Either host in a connection may use the RST flag. A data segment containing a RST flag is usually not acknowledged.

Example: An active Telnet session is open and by mistake the telnet window is closed. The Telnet service will stop and send a TCP packet with the RST flag set to 1. The remote machine will receive the TCP packet with the RST flag set and immediately tear down the connection without any delay or acknowledgement.

SYN — Sync flag is the well know flag in TCP and is used to initiate a TCP session. Before the actual data starts to flow, a TCP packet with 0 data bytes are send to the remote machine with the SYN flag set to “1”, after the three way handshake a dedicated virtual path is established between the source machine to the target machine for the actual data to transfer.

Example: When we open any website the first step done by the TCP protocol is sending a sync packet (though initially a DNS query is sent for name resolution). And once a connection is established then we’ll see the homepage of that website.

FIN — The FIN flag initiates the graceful closure of an open connection.

TCP buffers data that you send. This means it won’t send data immediately and will wait to see if you have more. By setting the PSH flag and confirming that you have no more data to send, TCP will “push” or send the buffered or collected data into the wire towards the receiver. In the receiving end, normally, it will also buffer data. But, if it sees the PSH flag being set, it pushes it immediately to the application. If a packet leaving the sender has the PSH field set, it only means that the sender has nothing more to send.

If you have pushed data, the receiving end will wait for all of the data first and will see the PSH flag being set. Then it forwards the data to the application. This means, you must wait for the receiver to get all of the data before forwarding it and processing a new one. If the URG flag is set, this is like the sender saying “You do not need to wait for all of the data before sending them. Go ahead and prioritize sending urgent data.”. This causes the receiving TCP to forward the urgent data on a separate channel to the application. This allows the application to process the data out of band.

The urgent pointer is the one that indicates how much of the data in the segment is urgent where in it starts counting from the first byte.


Did you find this article valuable?

Support Cyber Security by becoming a sponsor. Any amount is appreciated!