TCP Sessions
The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite. It is designed to provide a reliable, ordered, and error-checked delivery of a stream of data between applications running on hosts communicating over an IP network. TCP is fundamental to modern internet-based communication, supporting a wide range of applications from web browsing and email to file transfers and streaming services. Its primary purpose is to ensure that data packets sent from one end of the network are received accurately and in the same order by the intended recipient at the other end. This is achieved through various mechanisms like packet segmentation, acknowledgement of received packets, and retransmission of lost packets, making TCP a cornerstone protocol for reliable communication over the internet.
TCP operates as a session-oriented protocol, meaning it establishes a connection between two endpoints (a client and a server) before data transfer begins, and maintains this connection until the communication session ends. The protocol uses various flags (such as SYN for initiating connections, ACK for acknowledging received packets, and FIN for closing connections), options (like window scaling and selective acknowledgments), and other information within the TCP header to manage and control the flow of data. By analyzing these components in the TCP headers of packets traversing a network, network engineers and IT professionals can detect disruptions in TCP services. For instance, repeated retransmission requests or a high number of reset (RST) flags might indicate connection issues or network congestion. Similarly, unusual patterns in TCP flags or options can signal potential security threats like TCP hijacking or Denial of Service (DoS) attacks. Therefore, monitoring and analyzing TCP traffic is crucial for maintaining the stability, performance, and security of networked communication systems.
Failed TCP Sessions
The "Failed TCP Sessions" anomaly detection job is designed to monitor and identify instances of an unusually high volume of failed TCP (Transmission Control Protocol) sessions within a network. TCP sessions are considered failed when they are unable to successfully establish a connection. In typical network operations, the number of failed TCP sessions is relatively low compared to successful ones, as TCP is designed to be a reliable, connection-oriented protocol.
An unusually high volume of failed TCP sessions can indicate several potential issues in the network:
Network Congestion or Unreliable Connections: One of the primary reasons for an increase in failed TCP sessions could be network congestion or unstable connections. Heavy network traffic or poor quality of service can lead to packet loss, high latency, and jitter, which in turn can disrupt the normal TCP three-way handshake process or cause premature session terminations.
Server Overload or Failures: If servers that are the endpoints of these TCP sessions are overloaded with requests or experiencing failures (either hardware or software), they may be unable to respond to connection requests or maintain existing connections, leading to an increase in failed sessions.
Security Incidents: A high rate of failed TCP sessions could also be indicative of security threats, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. These attacks typically involve overwhelming a target with superfluous requests, aiming to disrupt normal traffic and cause legitimate connection attempts to fail.
Network Configuration or Hardware Issues: Misconfigurations in network settings, such as incorrect firewall rules or routing problems, can block or misroute TCP traffic, leading to session failures. Similarly, malfunctioning network hardware like routers, switches, or cables can also contribute to this problem.
Attributes
Analysis
temporal
Downloads
CODEX
edge
CODEX
inbound
CODEX
outbound
CODEX
private
ECS
edge
ECS
inbound
ECS
outbound
ECS
private