Devices that connect to each other over TCP must first perform a three-way handshake: SYN, SYN-ACK, ACK.
- First, the source device contacts the destination device and asks whether it is available on a certain port by sending a segment with the SYN flag set.
- Second, if the destination device has the requested port open, it responds with a segment that has the SYN and ACK flags set (SYN-ACK).
- Third, the source device sends a segment with the ACK flag set in response to the destination device.
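
The three steps above can be checked in a packet capture by reading the flag bits and the sequence/acknowledgement numbers of each TCP header. The following is an added example, not code from the original article: the function names, state labels, and sample headers (ports 40000 and 80, sequence numbers 1000 and 5000) are constructed for illustration.

```python
import struct

# Flag bits in the low byte of the TCP header's offset/flags field (RFC 9293).
SYN, RST, ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF  # sequence numbers wrap at 2**32

def build_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header (no options, checksum 0) used as sample input."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_header(raw):
    """Extract ports, sequence/ack numbers and flag bits from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0xFF}

def handshake_state(raw_segments):
    """Classify one connection attempt from its TCP headers in capture order."""
    segs = [parse_header(r) for r in raw_segments]
    if not segs or (segs[0]["flags"] & (SYN | ACK | RST)) != SYN:
        return "no-syn"
    syn, synack, state = segs[0], None, "syn-sent"
    for s in segs[1:]:
        from_dest = (s["sport"], s["dport"]) == (syn["dport"], syn["sport"])
        sa = s["flags"] & (SYN | ACK)
        if s["flags"] & RST:
            # A reset answering the SYN means the requested port is closed.
            return "closed" if state == "syn-sent" and from_dest else "aborted"
        if state == "syn-sent" and from_dest and sa == (SYN | ACK) \
                and s["ack"] == (syn["seq"] + 1) & MASK32:
            synack, state = s, "half-open"   # step 2: SYN-ACK acknowledges source ISN + 1
        elif state == "half-open" and not from_dest and sa == ACK \
                and s["seq"] == (syn["seq"] + 1) & MASK32 \
                and s["ack"] == (synack["seq"] + 1) & MASK32:
            return "established"             # step 3: ACK acknowledges destination ISN + 1
    return state

# Constructed sample: source port 40000 -> destination port 80.
FULL = [build_header(40000, 80, 1000, 0, SYN),
        build_header(80, 40000, 5000, 1001, SYN | ACK),
        build_header(40000, 80, 1001, 5001, ACK)]
CLOSED = [FULL[0], build_header(80, 40000, 0, 1001, RST | ACK)]

if __name__ == "__main__":
    print(handshake_state(FULL), handshake_state(FULL[:2]), handshake_state(CLOSED))
```

A connection attempt that stays in the `half-open` state never received the third step, which is worth reviewing when it repeats across many ports.
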
Because TCP is a connection-oriented protocol, any lost packet can be detected, so the connection ensures that data packets are exchanged completely between the two servers/applications.
TCP is always used for connections that require data to be delivered completely, to ensure the reliability of the information. It is best suited to applications that prioritise high reliability over timing, such as HTTP/HTTPS, Secure Shell (SSH), File Transfer Protocol (FTP), email (SMTP, IMAP/POP), etc.
However, any TCP connection can also be intercepted and analysed by an attacker. Attackers can inspect the traffic and see what data passes through it. For example, any data exchanged over port 80 (HTTP) can be intercepted and read as plain text because there is no encryption mechanism. The attacker is likewise able to run the same port scan and see information about the ports, services, and service versions on the target server.
It is therefore important for a network administrator to have the right tool to check and verify the information returned by the scanner, and then to come up with proper security countermeasures before an attacker performs the attack.