4.1.15 Layer 4: Transport

Last updated 2:35 AM on 12/25/25

6 Terms

1

TCP Packet Header

Contains 10 fields totaling 160 bits in size, including source port, destination port, sequence number, acknowledgment number, checksum, and control flags.

CH: Understanding header size and fields helps distinguish TCP reliability and overhead compared to UDP.

2

UDP Datagram Header

Contains 4 fields totaling 64 bits in size, including source port, destination port, length of data, and checksum.

CH: Smaller header size explains why UDP is faster but less reliable than TCP.

3

TCP 3 Way Handshake

Method used by TCP to set up a TCP/IP connection over an IP network.

  1. Host A sends SYN.

  2. Host B replies with SYN-ACK.

  3. Host A replies with ACK.

This sequence establishes the connection.

The TCP three-way handshake takes place at Layer 4, the Transport Layer, of the OSI model.

CH: Frequently tested to explain connection establishment and attacks like SYN flooding. Mitigations for SYN flooding: implement rate limiting, use SYN cookies, and deploy firewalls with anti-flood features.

4

Telnet

An OSI Layer 7 protocol that provides text-based communication between a client and server over an IP network. Telnet is not secure and SSH should be used instead.

CH: Often tested as an example of insecure plaintext protocols.

5

Border Gateway Protocol (BGP)

A routing protocol that operates at the border between separate networks, allowing gateway routers of different autonomous systems to exchange reachability information and decide which network paths to use across the Internet.

  1. Both BGP routing and DNS redirection are methods of redirecting traffic to a scrubbing center, a datacenter with extremely high bandwidth that can handle enormous amounts of incoming traffic from DoS or DDoS attacks. The scrubbing center inspects the incoming requests and forwards only valid ones, thus mitigating the impact of the DDoS attack from the target/victim's perspective.

  2. BGP (Border Gateway Protocol) is used to exchange routing and reachability information between routers. Essentially, BGP evaluates all available paths for a packet and selects the best route based on various factors.

Cloudflare uses BGP Anycast routing to spread traffic globally and distributed scrubbing at the edge to mitigate DDoS attacks before traffic reaches the origin.

CH: Internet-scale routing protocol between autonomous systems. Path selection is policy-based, not shortest-path. Commonly tested in route hijacking and BGP trust failure scenarios.

6

DNS Redirection

Layer 7, but also Layers 3 and 4

Technique used during DoS or DDoS mitigation where DNS records are changed to redirect new client connections away from the target system to a high-bandwidth scrubbing center. The scrubbing center inspects traffic and forwards only legitimate requests back to the destination. DNS redirection operates at the control plane, affects only new sessions after DNS cache updates, and is commonly used by CDNs. It is less precise than BGP redirection and depends on DNS integrity and TTL behavior.

Both BGP routing and DNS redirection are methods of redirecting traffic to a scrubbing center, a datacenter with extremely high bandwidth that can handle enormous amounts of incoming traffic from DoS or DDoS attacks. The scrubbing center inspects the incoming requests and forwards only valid ones, thus mitigating the impact of the DDoS attack from the target/victim's perspective.

CH: Effective for rapid mitigation but limited by caching delays and cannot stop traffic sent directly to an IP address.