Battle of the Protocols: UDP VS TCP
Darlisha Campbell
Sr Tech Support Engineer Security SME @ Microsoft | Cyber Threat Hunting, Offensive Security| CC, Security+
Have you ever heard the saying that you can have something quick, good, or cheap? If you want something quick and good it won't be cheap, and if you want something good and cheap it won't be quick this is an amazing statement that also applies to the two biggest data transfer protocols UDP and TCP.
User datagram Protocol(UDP) is an unreliable connectionless protocol. It does not care if the packets actually get to their destination. So why in the world would we use it? Because this protocol should be used when you want something quick and cheap. A great example of this would be audio and video traffic. If you are on a video call with someone and a packet is lost and the image is not as clear as it could be it does not stop the call from being successful. What does that mean for attacks? It means that a threat actor can use the UDP protocol to send huge numbers of packets to a target and prevent actual useful packets from getting through. This type of attack is called a Denial-of-Service(DoS). With this knowledge, it is important to have ports with this UDP protocol that are not necessary to be closed. Is it a possibility that an attacker could use the ports using UDP that is needed, of course, but it limits the attack surface.
Transmission control protocol(TCP) is a more reliable connection protocol. The connection with TCP starts off with a 3-way handshake where the client will send a server an SYN that will start the connection and get the synchronized sequence that will help with determining the order of packets. The server will acknowledge (ACK)this request and send back an SYN/ACK that acknowledges the first packet and sends its sequence back for confirmation. The client will then acknowledge (ACK) that it received that confirmation and the flow of information can happen until the connection is broken. Sounds great super secure because how can an attacker go through that whole handshake and no one notice? Nope although it provides that connection to make sure that data is getting to its destination as a unit there is no encryption or authentication that comes by default with TCP. A common attack that can be used by TCP is a SYN flood attack. The attacker will send tons of SYN to the target which overloads it so it can not get other SYN that are legitimate. This is a different type of DoS attack. To counteract attacks that can come from TCP connections, make sure that you have strong encryptions and firewalls in place that can help make sure that all information going across the connection is secure.