TCP and UDP State Tracking in Security Analytics

book

Article ID: 168740

calendar_today

Updated On:

Products

Security Analytics

Issue/Introduction

Resolution

This document was created to assist in understanding how a flow is identified, indexed, and tracked.  The method for both TCP and UDP is the same but the result is different due to the way that TCP and UDP differ in state versus stateless communications.
 
Security Analytics implements a full TCP state machine to identify and track network flows.   A new network flow consists of a unique 5-tuple: IP protocol, src IP, dest IP, src port, dst port bound by either a time span or tcp session termination.   Every TCP packet entering the system is then tracked and recorded based on a unique computed hashkey for its flow within the TCP state table.  Generally speaking, most TCP flows will start with a graceful 3-way hand shake to establish a connection.   In some cases, this may not happen due to the nature of the application e.g. a probe utility, N-map, etc.  and the first packet may simply be a PSH/ACK, RST, etc.   If there is a 3 way handshake in combination with a unique 5-tuple not previously seen in the flow table, SA will generate a hashkey for this unique flow and track its flow state throughout the duration of the flow.   For new TCP packets entering the system without a corresponding flow entry and without a 3-way handshake, the first packet in the new flow along with the 5-tuple is used to determine the TCP state of initiator, responder, and a unique flow hashkey.   This behavior is very akin to Wireshark when following a TCP stream.

A flow is considered expired when either the TCP session is gracefully torn down by the 2 end points or is RST.  In cases where the session simply remains open but no new packets are seen for the flow, a default 60-second timer expires the flow from the state machine.    Should new packets come in for that previous session past the 60-second timer, they are treated like a new flow.

UDP works in similar fashion except with UDP there isn't a graceful setup or tear down of communication.   Packets simply arrive and stop in the course of UDP communication.   A UDP flow consists of a unique 5-tuple: IP protocol, src IP, dest IP, src port, dst port bound by a time out.  For new UDP packets entering the system without a corresponding flow entry, the first packet in the new flow along with the 5-tuple are used to determine the UDP initiator, responder, and a unique flow hashkey is created.  Just like TCP, all UDP packets are checked to see if they match an existing flow in the system and if not a new flow is created.  Unlike the default 60-second timer for TCP, the UDP time out expiration is set to 5 seconds.