Because the Internet by itself has no direct knowledge of optimizing the path for a particular application or user, the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for a particular packet. This facility is the "Type of Service" facility, abbreviated as the "TOS facility".
The TOS facility is one of the features of the Type of Service octet in the IP datagram header. The Type of Service octet consists of three fields. The first 3 bits ( 0,1,2) are for the first field, labeled "Precedence" , intended to denote the importance or priority of the datagram. The second field, labeled "TOS" , denotes how the network should make tradeoffs between throughput, delay, reliability, and cost.The last field, labeled "MBZ" ( for "must be zero" ) above, is currently unused. The originator of a datagram sets this field to zero (unless participating in an Internet protocol experiment which makes use of that bit). Routers and recipients of datagrams ignore the value of this field.This field is copied on fragmentation.
Specification of the TOS Field
The semantics of the TOS field values (expressed as binary numbers):
Use of the TOS Field in Routing
The most important of all the inherent limitations is that the TOS facility is strictly an advisory mechanism. It is not an appropriate mechanism for requesting service guarantees.There are two reasons why this is so:
There are 6 flags - the Urgent Pointer flag, ACK( acknowledgement) flag, Push flag, RST(reset flag), SYN(synchronisation) flag & the FIN(finished) flag.
The Urgent Pointer flag identifies the incoming data as 'urgent'. The identified segments are processed immediately by being assigned high priority without waiting till all queued data is processed. The ACKnowledgement flag can be used to acknowledge the successful receipt of packet(s) - either the acknowledgement can be made for every packet received or for every n-th packet received. The Push flag can be used to assign the data the desired priority and is processed either at the Source or Destination. In using the push flag attention need to be paid to the fact that correct data segment handling is done. Also the appropriate priority needs to be set at the two ends of a connection.
When a segment that is not intended for the current connection has arrived the reset flag( RST) can be set . For instance if a remote system were to send a packet to a host to establish connection, and if that service is not supported by the host then the host can reject the request and then set the RST flag indicating that the host has reset the connection.
The fifth flag in the TCP Flag options- the SYN flag is a highly used flag in TCP communication - the SYN flag is initialy sent when establishing the typical 3-way handshake between two hosts as shown above The Host 1 needs to establish contact with Host B using TCP as the protocol. In the course of the 3-way handshake there are 2 SYN flags transmitted . As the connection is set and data is transmitted between the two hosts more SYN flags will be sent and received.
The sixth & final flag available is the FIN flag which appears when the last packets are exchanged between a connection. When a host sends a FIN flag to close a connection, it may continue to receive data until the remote host has also closed the connection. A typical disconnection is shown below. TCP is a Full Duplex connection so there are two directions of data flow.
After the data transfer is completed the Host 1 sends a packet with the FIN, ACK flags set to Host 2. By this action Host 1 has acknowledged the previous data stream while simultaneously has initiated a TCP closing action to end this connection. After this Host 1's application will not receive any more data and the connection will be closed. Also Host 2 in response to Host 1's request to end the connection sends an acknowledgement back, After this is completed , the Host 2 sends its own FIN, ACK flags to end the connection. Finally Host 1 acknowledges the request Host 2 made earlier and this way the connection is closed
TCP & Worms :
Typically worm sources don't pool the whole network , but randomly try to open from time to time a single host connection. One can use TCP flags and ICMP tracking. When the attacker tries to open the TCP connection to an unused destination IP address the TCP SYN flag is set. If the connection is successful there will be cumulative TCP flags SYN and ACK, if the connection is unsuccessful only flows with SYN flag will be there. Based on the count of the unsuccessful connections for every source IP address outside the network and source, the attacker can be tracked - the one with the most number of connection attempts. If attacker is using UDP protocol and pools the whole network, an excessive number of ICMP messages will then be generated.
Copyright © 2004-2010 ZOHO Corp , Inc. All Rights Reserved.