TCP/IP stack transport layer performance, privacy, and security issues

Transmission Control Protocol/Internet Protocol (TCP/IP) is the backbone of Internet transmission. The Transport Layer of the TCP/IP stack, which includes the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) protocols, plays a crucial role in ensuring reliable communication between devices over a network. To come up with measures that make networks more secure, it is important to learn about the vulnerabilities that exist in the transport layer of the TCP/IP stack and to understand the typical attacks carried out at that layer. This paper explores how the TCP protocol works, the TCP/IP 3-way handshake, the TCP header structure, the typical vulnerabilities and classical attacks of the TCP/IP transport layer, and the tools and solutions adopted to prevent and reduce the chances of some of these attacks. The findings indicate that the major TCP/IP stack transport layer threats include fingerprinting, SYN flood, TCP reassembly and sequencing, IP spoofing, TCP session hijacking, RST and FIN denial of service attacks, Ping of Death, and low-rate/shrew attacks. Their preventive measures and mechanisms are discussed.


Introduction
The Transport Layer is responsible for end-to-end communication between hosts on a network. It includes protocols like TCP and UDP, which provide different levels of reliability and performance [1]-[4]. TCP is connection-oriented and provides reliable, ordered delivery of data, while UDP is connectionless and provides a best-effort delivery mechanism. TCP includes flow control, error checking and congestion control mechanisms. Flow control means that the receiver's TCP is able to control the size of the segment dispatched by the sender's TCP [5], [6]. The receiver's TCP accomplishes this by using the Window field of an acknowledgment packet. Congestion control means that the sender's TCP varies the rate at which it places packets on the wire based on the traffic congestion on the route between the sender and the receiver. The sender's TCP can detect traffic congestion either through the non-arrival of an expected ACK packet or through the arrival of three identical ACK packets consecutively. The differences in levels of TCP reliability [7] have implications for performance, privacy, and security [8], [9]. At the Transport Layer of the TCP/IP stack, there are several important considerations regarding performance, privacy, security and attacks.

Performance
TCP performance is a critical aspect of network communication, influencing the efficiency, reliability, and responsiveness of data transfer. TCP achieves reliability through mechanisms like error detection, acknowledgment, and retransmission of lost packets, ensuring data integrity even in the face of network congestion or packet loss [10]-[13]. However, these mechanisms can introduce overhead and latency, impacting performance, particularly in high-latency or high-loss network environments. To mitigate these issues, various TCP optimization techniques such as window scaling, selective acknowledgment, and congestion control algorithms like TCP Vegas or TCP Cubic are employed to adapt TCP's behavior dynamically to network conditions, optimizing throughput and minimizing latency.
Balancing reliability with performance remains a constant challenge in TCP design, as improving one aspect often comes at the expense of another, necessitating continuous refinement and adaptation to meet the evolving demands of modern network applications. Figure 1 shows the TCP/IP protocol suite encapsulation model.

Figure 1 TCP/IP Encapsulation model
The TCP/IP transport layer protocols, primarily the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), play pivotal roles in facilitating reliable and efficient communication across networks. TCP is a connection-oriented protocol that ensures reliable data delivery through features such as flow control, error detection, and retransmission of lost packets [14], [15]. It establishes a virtual connection between sender and receiver, guaranteeing that data is delivered in the correct order and without errors. TCP achieves this reliability by employing mechanisms like sequence numbers, acknowledgment messages, and sliding window flow control, making it well-suited for applications that prioritize data integrity and completeness, such as file transfer, email, and web browsing.
In contrast, UDP is a connectionless protocol that provides a lightweight and fast transmission mechanism with minimal overhead. UDP sacrifices reliability for speed, as it does not implement features like acknowledgment or error recovery. Instead, UDP simply encapsulates data into datagrams and sends them across the network without establishing a connection or ensuring delivery [16], [17]. This makes UDP ideal for applications that prioritize speed and efficiency over reliability, such as real-time multimedia streaming, online gaming, and VoIP (Voice over Internet Protocol). While UDP lacks the built-in reliability mechanisms found in TCP, it allows faster transmission of time-sensitive data, making it a valuable tool in a variety of network applications.

Privacy
Privacy within the TCP/IP suite, which encompasses various protocols facilitating internet communication, is a multifaceted issue influenced by several factors. At the transport layer, the TCP and UDP protocols themselves do not inherently prioritize privacy; rather, they primarily focus on reliable data delivery and efficient transmission [17], [18]. However, privacy concerns often arise at higher layers of the protocol stack, such as the application layer, where sensitive user data is transmitted over the network [20]. Encryption protocols like TLS (Transport Layer Security) can be employed to secure communication channels, ensuring privacy by encrypting data transmitted between endpoints. By implementing end-to-end encryption, TLS protects data from interception and eavesdropping, thus safeguarding user privacy in transit. Furthermore, privacy in the TCP/IP suite is influenced by the design and implementation of various network applications and services. For instance, web browsers, email clients, and messaging applications handle user data differently, and their privacy practices vary widely [21], [22]. Some applications may collect and transmit user data without adequate encryption or consent, raising privacy concerns. Additionally, network protocols like DNS (Domain Name System) and DHCP (Dynamic Host Configuration Protocol) within the TCP/IP suite can inadvertently expose user information, as they often transmit data in plaintext, leaving it vulnerable to interception [23]-[26]. Addressing privacy concerns at the application and protocol level requires careful consideration of data handling practices, implementation of encryption, and adherence to privacy regulations and standards.
Moreover, the proliferation of IoT (Internet of Things) devices and the integration of TCP/IP protocols into various smart devices introduce new privacy challenges. These devices often collect and transmit sensitive user data, including personal information and behavioral patterns, raising concerns about data privacy and security [27], [28]. With the growing interconnectedness of devices and the internet, ensuring privacy within the TCP/IP suite necessitates comprehensive privacy-by-design principles, robust encryption mechanisms, and transparent data handling practices. Additionally, regulatory frameworks like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) play crucial roles in shaping privacy standards and holding organizations accountable for protecting user data across the TCP/IP ecosystem [29]-[32].

Security
Security issues within the TCP/IP suite represent a significant challenge due to the vast array of protocols and layers involved in internet communication. At the network layer, IP (Internet Protocol) is inherently vulnerable to various attacks such as IP spoofing, where attackers forge the source IP address of packets to impersonate legitimate users or bypass access controls [33]-[38]. Additionally, IP fragmentation attacks exploit the fragmentation and reassembly process of IP packets to evade detection and overwhelm network resources. These vulnerabilities highlight the importance of implementing security measures like packet filtering, ingress and egress filtering, and network segmentation to mitigate the risk of network-layer attacks and protect against unauthorized access. Moreover, at the transport layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) present security challenges related to session hijacking, packet sniffing, and denial-of-service (DoS) attacks. TCP-based attacks, such as SYN flooding, exploit the three-way handshake process to exhaust server resources and disrupt network services [39]-[44]. UDP-based attacks, on the other hand, leverage the connectionless nature of UDP to flood target systems with a high volume of malicious traffic, causing network congestion and service outages. To address these vulnerabilities, network administrators can implement techniques like TCP SYN cookies, rate limiting, and stateful inspection firewalls to detect and mitigate transport-layer attacks, ensuring the integrity and availability of network services [45].
Furthermore, security issues within the TCP/IP suite extend to the application layer, where protocols like HTTP, SMTP, and FTP are vulnerable to various attacks such as cross-site scripting (XSS), SQL injection, and email spoofing [46], [47]. These attacks exploit vulnerabilities in web applications, email servers, and file transfer mechanisms to compromise user data, exfiltrate sensitive information, or disrupt service availability. Additionally, insecure authentication mechanisms and insufficient encryption within application-layer protocols expose user credentials and sensitive data to interception and unauthorized access [48]-[50]. To enhance security at the application layer, organizations can implement secure coding practices, deploy web application firewalls (WAFs), and enforce encryption standards like HTTPS and SFTP to protect against common attacks and safeguard user privacy.
Moreover, the proliferation of IoT (Internet of Things) devices and the integration of TCP/IP protocols into various smart devices introduce new security challenges, including device hijacking, botnet attacks, and data breaches. Insecure default configurations, lack of firmware updates, and insufficient authentication mechanisms in IoT devices expose them to exploitation by malicious actors, leading to widespread vulnerabilities and potential compromises of network infrastructure [51], [52]. Addressing security issues within the TCP/IP suite requires a holistic approach encompassing network monitoring, threat intelligence, vulnerability management, and security awareness training to detect, prevent, and mitigate security breaches across all layers of the internet protocol stack [53]-[56]. Additionally, collaboration between industry stakeholders, government agencies, and standards bodies is essential to develop and enforce security best practices and regulatory frameworks to protect against evolving cyber threats in an increasingly interconnected world [57], [58].

TCP 3 Way Handshake Protocol
TCP needs three handshakes to establish a connection, as shown in Figure 2. Multiple TCP socket connections can be transmitted in both directions simultaneously [59]. A three-way handshake is also known as a TCP handshake or SYN-SYN-ACK, and requires both the client and server to exchange SYN (synchronization) and ACK (acknowledgment) packets before actual data communication begins [60], [61]. In Step one (SYN), the client sends a SYN message. The client wants to establish a connection with a server, so it sends a segment with SYN (Synchronize Sequence Number) set, which informs the server that the client is about to start communication and with what sequence number it will start its segments [62]-[64]. In Step two (SYN+ACK) [65], the server replies with a SYN/ACK message in which both the SYN and ACK control bits are set: the ACK (acknowledgement) signifies the response to the segment the server received, and the SYN signifies with what sequence number the server will start its segments [66]. In Step three (ACK), the client responds with an ACK message [67]. In this final part, the client acknowledges the response of the server, and they both establish a reliable connection [68] over which they will start the actual data transfer. Generally, the three messages transmitted by TCP to negotiate and start a TCP session are nicknamed SYN, SYN-ACK, and ACK, for SYNchronize, SYNchronize-ACKnowledgement, and ACKnowledge respectively [69], [70]. The three-message mechanism enables the transport layer to pass information back and forth between two communicating computers to negotiate the parameters of the connection before transmitting data. When creating a secure connection, this handshake happens after the DNS lookup and before the TLS handshake [71]. Each side of the connection can terminate it independently via a four-way handshake, including after an error occurs in the communication [72], [73].

TCP Header Structure
The TCP header structure consists of several fields that govern the behavior and characteristics of TCP segments. As shown in Figure 3, these fields include the source and destination port numbers, which identify the endpoints of the communication; sequence and acknowledgment numbers, used for reliable data delivery [74] and flow control; TCP flags such as SYN, ACK, FIN, and RST, which manage connection establishment, acknowledgment, and termination; window size, indicating the amount of data that can be sent without acknowledgment; checksum, providing error detection for the TCP header and data; and the urgent pointer, used to indicate urgent data within the segment [75], [76]. Each field within the TCP header serves a specific purpose in facilitating reliable, connection-oriented communication between hosts, enabling features such as sequencing, acknowledgment, flow control, and error detection to ensure efficient and robust data transmission over IP networks.
In TCP, flags indicate a particular connection state or control a specific connection [77], [78]. Flags are also called control bits. Each flag corresponds to 1 bit of information. The most commonly used flags are SYN, URG, ACK, PSH, FIN, and RST. TCP uses a variable-length header to support data transmissions. The TCP header is larger, at a minimum of 20 bytes, with an option for additional data [79]. The header can be anywhere between 20 and 60 bytes [80], [81].

Figure 3 TCP Header Structure
The Source Port is a 16-bit field that indicates the port number on the sending device where the data originates. It is randomly assigned [82].
The Destination Port field indicates the port number on the receiving device where the data should be delivered. It is a 16-bit field [83].
For the Sequence Number, TCP treats the data as a stream of bytes, and a collection of bytes is known as a segment. Each TCP segment is assigned a sequence number, which helps the receiving end reassemble the data in the correct order. It is a 32-bit value [84].
In the TCP Acknowledgment Number field, the data transmission is acknowledged to ensure reliability [85], [86]. This field contains the sequence number that the receiving device expects to receive next. The acknowledgment number is always an incremental value, i.e., if the sequence number received is x, the acknowledgment number is set to x+1.
The Data Offset field determines the size of the TCP header. It is necessary to locate the start of the data payload. It is a 4-bit field [86].
The Reserved field bits are reserved and set to zero [87].
The Control Bits, also called flags or TCP flags, are used to control and manage aspects of the TCP connection and data transmission. Some common flags are described in Table 1, which follows.

URG (Urgent)
This bit can be 0 or 1. When this bit is 1, it implies that the data should be treated as a priority. For example, data is normally sent in sequence, but there may be some urgent data bytes that should be sent first. In that case, the Urgent bit is set for that particular data, and that data is sent first [88], [89].

ACK (Acknowledgment)
Indicates whether the acknowledgment number field is valid or not. If ACK is 1, the acknowledgment number is valid; if ACK is 0, the segment carries no acknowledgment [90].

PSH (Push)
In general, applications collect a certain amount of data and then process it. When the Push flag is set, it tells TCP to pass the data on immediately rather than waiting for more data to fill an entire TCP segment [91].

RST (Reset)
Resets the connection. If it is set to 1, the connection is abruptly reset.

SYN (Synchronize)
Initiates a connection and synchronizes [92] sequence numbers. It is used in the 3-way handshake process [93].

FIN (Finish)
The FIN flag is used to terminate the TCP connection [94]-[96]. Whenever a host wants to end the connection with the receiving end, it sends a segment with the FIN flag set to 1. Since TCP works in full-duplex mode, the receiving end should also set its FIN flag to 1.

Window Size
This field indicates the size of the receiving device's window, which helps in flow control. It is a 16-bit field used for flow control between the sender and receiver [97].

Checksum
This is a 16-bit numerical value calculated from the TCP header and data payload to detect errors during transmission. The TCP header checksum option improves performance [98] over lossy links [99].

Urgent Pointer (URG)
When the URG flag is set, this field points to the last urgent data byte in the TCP segment, i.e., it gives the sequence number of the last urgent data byte. It is a 16-bit field [100].

Options field
This field contains additional parameters or information related to the TCP connection [101], [102].
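As an added example (not code from the paper), the following Python decodes the fixed 20-byte header described above from a raw segment, splits options from payload, extracts the control bits, and verifies the checksum over the IPv4 pseudo-header; the addresses, ports and MSS option of the sample segment are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Dict

# Bit positions of the control bits in the low byte of the 16-bit
# "data offset / reserved / flags" word of the header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int        # header length in 32-bit words (5..15)
    flags: Dict[str, bool]
    window: int
    checksum: int
    urgent_pointer: int
    options: bytes          # bytes 20 .. data_offset*4
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (the TCP/IP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (addresses, protocol 6, TCP length)
    followed by the segment, whose own checksum field must be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the fixed header and split options from payload.
    Rejects truncated segments and data offsets that point past the end."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    hdr_len = data_offset * 4
    if data_offset < 5 or hdr_len > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     segment[20:hdr_len], segment[hdr_len:])


def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare to the transmitted value."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    sent = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, zeroed) == sent


def build_tcp(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
              window=65535, options=b"", payload=b"", urgent_pointer=0) -> bytes:
    """Encoder used only to construct the sample segment below (pads options to 32 bits)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    flag_word = sum(FLAG_BITS[f] for f in flags)
    head = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (data_offset << 12) | flag_word, window, 0, urgent_pointer)
    seg = head + options + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


# Constructed sample: a SYN from 10.0.0.1:40000 to 10.0.0.2:443 carrying an MSS option.
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
MSS_OPTION = bytes([2, 4, 0x05, 0xB4])       # kind 2 (MSS), length 4, MSS 1460
SAMPLE_SYN = build_tcp(SRC_IP, DST_IP, 40000, 443, 1000, 0, ["SYN"], options=MSS_OPTION)

if __name__ == "__main__":
    hdr = parse_tcp(SAMPLE_SYN)
    print(hdr, "checksum ok:", verify_checksum(SRC_IP, DST_IP, SAMPLE_SYN))
```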

TCP Congestion Control
Congestion control is a mechanism that controls the entry of data packets into a transport protocol, enabling better use of a shared infrastructure and avoiding congestive collapse. The transport layer is the right layer to implement congestion control since it resides between the application layer and the network layer [103], [104]. There are three ways to deal with congestion, depending on the Quality of Service (QoS) requirements for each session. By default, overflow packets are discarded without informing the sender. Figure 4 shows the TCP congestion control mechanism.

Figure 4 TCP congestion Control
Since TCP must guarantee reliability [105] in communications, it retransmits a TCP segment when an ACK is not received within a certain period or when three duplicate ACKs are received consecutively (a condition triggered by the arrival of an out-of-order segment at the receiver; the duplicate ACK is for the last in-order segment received).

TCP Vegas, Tahoe/Reno and Cubic performance in Congestion Control Avoidance
TCP Vegas enhances the congestion avoidance algorithm of TCP Reno. TCP Vegas dynamically increases or decreases its sending window size according to the observed RTTs (Round Trip Times) of sent packets, and therefore TCP Vegas does not suffer from packet retransmissions [111], [112]. TCP Tahoe/Reno is a classic congestion control algorithm that uses a mechanism called Additive Increase Multiplicative Decrease (AIMD) to adjust the TCP window size, which is the amount of data that can be sent without waiting for an acknowledgement [113], [114]. It employs a linear function: it increases the window size by one segment for every Round Trip Time (RTT) until a packet loss is detected, which indicates congestion. Then it halves the window size and enters a fast recovery phase, where it increases the window size by one segment for every duplicate acknowledgement (ACK) received. In this way, TCP Reno tries to maintain high throughput while avoiding congestion collapse. TCP Cubic uses a cubic function. After a packet loss, Reno halves the window size whereas Cubic reduces it by a smaller factor [115]. TCP Cubic is more aggressive than TCP Reno in increasing the window size after a packet loss but also more conservative in reducing it. TCP Cubic also adapts to different network environments, such as high-bandwidth high-delay (HBHD) networks, by using a scaling factor that depends on the RTT. It aims to achieve a fair and efficient allocation of bandwidth while minimizing packet loss and delay.
Apart from these TCP variants, there are other congestion control mechanisms such as Explicit Congestion Notification (ECN), the Stream Control Transmission Protocol (SCTP), and Data Center TCP (DCTCP), each designed to address specific network scenarios and requirements.

Slow Start Operation
A sender attempts to communicate with a receiver. The sender's initial packet contains a small congestion window, which is determined based on the sender's maximum window [116], [117]. The receiver acknowledges the packet and responds with its own window size. If the receiver fails to respond, the sender knows not to continue sending data. After receiving the acknowledgement, the sender increases the next packet's window size. The window size gradually increases until the receiver can no longer acknowledge each packet, or until either the sender's or the receiver's window limit is reached. Once a limit has been determined, slow start's job is done. Other congestion control algorithms take over to maintain the speed of the connection.
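To make the slow-start phase and the Reno/Cubic comparison concrete, here is an added Python model (not from the paper) that tracks the congestion window per RTT under Reno's slow start, additive increase, fast recovery and timeout rules, and evaluates Cubic's window function W(t) = C(t-K)^3 + W_max with the usual C = 0.4 and a 0.7 reduction factor; the per-RTT granularity and the sample event sequence are simplifying assumptions.

```python
from typing import List


def reno_cwnd_trace(events: List[str], cwnd: int = 1, ssthresh: int = 8) -> List[int]:
    """Per-RTT model of Tahoe/Reno AIMD (per-ACK bookkeeping is abstracted away).
    Each event is what the sender observed during one RTT:
      "ack"     - all outstanding data acknowledged
      "3dup"    - three duplicate ACKs: fast retransmit, then fast recovery
      "timeout" - retransmission timer expired
    Returns cwnd (in segments) at the end of each RTT."""
    trace = []
    for ev in events:
        if ev == "ack":
            if cwnd < ssthresh:
                cwnd = min(cwnd * 2, ssthresh)   # slow start: exponential growth
            else:
                cwnd += 1                        # congestion avoidance: additive increase
        elif ev == "3dup":
            ssthresh = max(cwnd // 2, 2)         # multiplicative decrease: halve ...
            cwnd = ssthresh                      # ... and continue from there (fast recovery)
        elif ev == "timeout":
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1                             # ACK stream lost: restart slow start
        else:
            raise ValueError("unknown event %r" % ev)
        trace.append(cwnd)
    return trace


def cubic_k(w_max: float, c: float = 0.4, beta: float = 0.7) -> float:
    """Time K (seconds) at which the cubic curve returns to W_max, chosen so that
    the window right after the loss is beta * W_max (a 30% cut, not Reno's 50%)."""
    return (w_max * (1 - beta) / c) ** (1.0 / 3.0)


def cubic_window(t: float, w_max: float, c: float = 0.4, beta: float = 0.7) -> float:
    """CUBIC window t seconds after the last loss: W(t) = C*(t-K)^3 + W_max.
    Growth is fast right after the loss, flattens near W_max (the previous
    congestion point), then accelerates again beyond it."""
    return c * (t - cubic_k(w_max, c, beta)) ** 3 + w_max


if __name__ == "__main__":
    # Constructed scenario: three RTTs of slow start, two of congestion avoidance,
    # a triple-duplicate-ACK loss, one more RTT, a timeout, then recovery.
    print(reno_cwnd_trace(["ack"] * 5 + ["3dup", "ack", "timeout", "ack", "ack"]))
    k = cubic_k(10.0)
    print([round(cubic_window(t, 10.0), 2) for t in (0.0, k / 2, k, 2 * k)])
```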

Challenges in identifying the type of congestion
The server point of view has several advantages, the most important being that it has direct information about outgoing packets and TCP state [118]-[120]. However, even with a detailed view of the flow, distinguishing between the two types of congestion listed above is challenging. Some techniques include analyzing the flow throughput, TCP states, and/or flow packet arrivals or Round Trip Time (RTT). Each has its advantages and drawbacks. Information about flow throughput [121] is insufficient to determine the type of congestion unless we also know the actual service plan of the client. TCP state analysis can help us analyze TCP state transitions and flow behavior; however, it does not help us differentiate between different kinds of congestion. Transitions to/from the fast retransmit or the retransmission timeout state can potentially tell us about congestion events. However, it is difficult to parameterize and model these state changes. Simple techniques such as modeling the total number of fast retransmit and timeout states per time interval, or the time to the first retransmit state, have the same difficulty: they vary according to the path latency, the service plan of the client, the loss rate, and cross-traffic, which are difficult to account for in controlled TCP settings.
Packet arrival patterns are used to uncover a congested path [122]. Such techniques typically require the measurement point to be downstream of the point of congestion in order to measure the packet arrival rate. This is not possible from the server point of view, nor from the packet sender, unless they have access to network packets. Though packet spacing can be approximated by analyzing ACK arrival patterns, ACKs can be noisy and cannot tell us any more than that the flow encountered congestion. Flow RTT contains information about the condition of the underlying path [123]. In particular, the RTTs of packets in a flow allow one to distinguish between an empty bottleneck buffer (increasing RTT as the flow fills up the buffer) and a busy buffer (RTT relatively stable, as it is dominated by the added latency of an already full buffer). Flow RTTs are useful only during the slow start period, but fortunately this short interval is sufficient to distinguish the two congestion states.

Vulnerabilities and threats at transport layer and their counter measures
A vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat [124]-[129]. A threat is the potential for a threat agent to exploit a vulnerability. A risk is the potential for loss when the threat happens. Insufficient Transport Layer Protection is a security weakness caused by applications not taking any measures to protect network traffic. During authentication, applications may use SSL/TLS, but they often fail to make use of it elsewhere in the application, thereby leaving data and session IDs exposed. The attacks at the transport layer are discussed below.

Fingerprinting a system
Fingerprinting is used to discover open ports and the services running on the target system. From a hacker's point of view, fingerprinting is done before the exploitation phase: the more information a hacker can obtain about a target, the more the hacker can narrow the attack scope and use specific tools to increase the chances of successfully compromising the target machine [127], [128]. Figure 6 illustrates an operating system fingerprinting process. The most complete and widely used TCP/IP fingerprinting tool today is nmap. It uses a database of over 450 fingerprints to match TCP/IP stacks to a specific operating system or hardware platform. This database includes routers, switches, firewalls, and many other systems. Counter measure: the nmap tool delivers specially crafted probes to a target machine. Blocking ICMP messages is only one of an array of defenses required for full protection against fingerprinting attacks [136], [137]. In addition, a fingerprint scrubber can be used. A TCP fingerprint scrubber is a tool that prevents a remote user from determining the operating system of another host on a network. It works at both the network and transport layers to normalize ambiguous traffic [138], [139]. The fingerprint scrubber is built on the TCP scrubber and removes ambiguities from flows that can reveal implementation-specific details. TCP/IP fingerprinting involves detecting all open TCP and UDP ports to determine which services are running on the host [140]. The default scan covers approximately 1900 TCP ports and 180 UDP ports.

SYN flooding
One of the protocols that exist at the Transport Layer is TCP. TCP is used to establish a connection-oriented session between two devices that want to communicate or exchange data.
For every TCP SYN packet received on a device, a TCP SYN/ACK packet must be sent back in response. One type of attack that takes advantage of this design flaw in TCP is known as a SYN Flood attack. The attacker sends a continuous stream of TCP SYN packets to a target system, using random source IP addresses [141], [142]. This causes the target machine to process each individual packet and respond accordingly. Eventually, with the high influx of TCP SYN packets, the target system becomes too overwhelmed and stops responding to any requests [143].
Counter measure: use a keyed hash (H) cookie.
A keyed hash algorithm creates a message authentication code based on both a message and a secret key shared by two endpoints; it is also known as a hash message authentication code (HMAC) algorithm. After a server receives a SYN packet, it calculates a keyed hash (H) from the information in the packet using a secret key that is known only to the server [144]. This hash (H) is sent to the client as the server's initial sequence number. H is called a SYN cookie. The server does not store the half-open connection in its queue. If the client is an attacker using a spoofed source address, H will not reach the attacker. If the client is legitimate, it sends H+1 in the acknowledgement field. The server checks whether the number in the acknowledgement field is valid by recalculating the cookie [145].
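The three-way handshake from the earlier section and the keyed-hash SYN cookie described here, as an added Python example that is not the paper's code: the server derives its ISN as a truncated HMAC over the 4-tuple and a coarse time counter, stores nothing, and accepts the third-step ACK only if it equals H+1 for a recent counter value. The secret, the addresses and the 64-second counter period are constructed assumptions; real implementations also pack the negotiated MSS into the cookie, which is omitted here.

```python
import hashlib
import hmac
import struct

# Assumption: a per-server secret that clients never see (constructed value).
SERVER_SECRET = b"constructed-demo-secret"
COUNTER_PERIOD = 64   # seconds per counter tick; a cookie stays valid for two ticks


def syn_cookie(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
               counter: int, key: bytes = SERVER_SECRET) -> int:
    """H = HMAC(key, 4-tuple || counter), truncated to 32 bits so it fits the
    sequence-number field. No per-connection state is kept for half-open SYNs."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, counter)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def server_on_syn(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
                  now: float) -> int:
    """Step 2 of the handshake: reply SYN-ACK whose initial sequence number is H."""
    return syn_cookie(src_ip, src_port, dst_ip, dst_port, int(now) // COUNTER_PERIOD)


def server_on_ack(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
                  ack_number: int, now: float) -> bool:
    """Step 3: allocate the connection only if ACK == H+1 (mod 2^32) for the
    current or the previous counter tick. Constant-time compare avoids leaking
    how many leading bytes of a guessed ACK were right."""
    tick = int(now) // COUNTER_PERIOD
    got = struct.pack("!I", ack_number & 0xFFFFFFFF)
    for c in (tick, tick - 1):
        expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, c) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(struct.pack("!I", expected), got):
            return True
    return False


def simulate_handshake(spoofed_source: bool, now: float = 1_700_000_000.0) -> dict:
    """Run the three messages against a cookie-protected server. With a spoofed
    source the SYN-ACK (and so H) goes to the wrong host, no valid ACK can follow,
    and the server has committed nothing to a half-open queue."""
    client = (bytes([192, 0, 2, 10]), 51000)        # constructed client address
    server = (bytes([198, 51, 100, 5]), 443)        # constructed server address
    half_open_queue = []                            # stays empty: the cookie replaces it
    isn = server_on_syn(client[0], client[1], server[0], server[1], now)   # SYN -> SYN-ACK
    if spoofed_source:
        return {"established": False, "half_open": len(half_open_queue)}
    ack = (isn + 1) & 0xFFFFFFFF                    # legitimate client echoes H+1
    ok = server_on_ack(client[0], client[1], server[0], server[1], ack, now + 1)
    return {"established": ok, "half_open": len(half_open_queue)}


if __name__ == "__main__":
    print("legitimate:", simulate_handshake(spoofed_source=False))
    print("spoofed:   ", simulate_handshake(spoofed_source=True))
```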

TCP reassembly and sequencing
During a TCP transmission of datagrams between two devices, the sender tags each packet with a sequence number. This sequence number is used to reassemble the packets back into data. During transmission, each packet may take a different path to the destination. This may cause the packets to be received out of order rather than in the order the sender sent them [146]. An attacker can attempt to guess the sequence numbers of packets and inject malicious packets into the network destined for the target. When the target receives the packets, the receiver would assume they came from the real sender, as they would contain the appropriate sequence numbers and a spoofed IP address [147].
Counter measure: timing differences or information from lower (Data Link, Network) protocol layers could allow the receiving host to distinguish authentic TCP packets from the sending host from counterfeit TCP packets with the correct sequence number sent by the attacker [148]. If such other information is available to the receiving host, if the attacker cannot also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually, the TCP sequence number is the primary means of protecting TCP traffic against these types of attack.

IP Spoofing
IP address spoofing, or IP spoofing, refers to the creation of Internet Protocol (IP) packets with a forged source IP address with the purpose of concealing the identity of the sender or impersonating another computing system [149], [150]. Figure 7 demonstrates how IP spoofing works. Attackers may generate fraudulent packet headers, continuously randomizing the source address using a sniffing tool. They may also use the IP address of another existing device so that responses to the spoofed packet go there instead.

Figure 7 IP Spoofing in DoS attacks
Counter measures: the first step is to eliminate host-based authentication on your network. Host-based authentication uses the public host key of the client machine to authenticate a user [151]. Second, use ingress filtering, a technique which verifies that packets are coming from a legitimate source; it is an invaluable tool to safeguard against attacks perpetrated through IP spoofing. Third, use egress filtering, in which packets being sent out of the internal network are examined by a router or firewall and questionable packets are detained; it is often used in conjunction with ingress filtering [152]-[154]. Fourth, use a proxy server to hide your IP address, verify traffic, and block access by unauthorized outsiders. Finally, use a VPN: your internet traffic will be sent to the VPN over a secure connection [155] and routed appropriately to the sites you intend to visit, effectively making your own IP address private and hidden.

TCP session hijacking
TCP session hijacking is a malicious technique that exploits the way TCP (Transmission Control Protocol) works to take over an established connection between two devices on a network [156], [157]. By hijacking a TCP session, an attacker can impersonate one of the parties, intercept or alter the data, or launch other attacks. Transport layer hijacking occurs in TCP sessions and involves the attacker disrupting the communication channel between a client and server in such a way that data cannot be exchanged [158].
Counter measure: to protect against TCP session hijacking attacks, it is important to secure your network and devices from unauthorized access and monitoring [159]-[161]. Encryption and authentication protocols should be employed to protect the data and the identity of the endpoints.

RST and FIN denial of service attack
RST (Reset) and FIN (Finish) denial of service (DoS) attacks are types of attacks that exploit vulnerabilities in the TCP protocol at the transport layer [162]. These attacks aim to disrupt network communication by sending forged TCP packets to terminate or reset existing connections, thereby preventing legitimate users from accessing services.

RST Attack:
In an RST attack, the attacker sends a TCP RST packet to one or both endpoints of a TCP connection, with the goal of terminating the connection abruptly. This can lead to a denial of service for legitimate users, as their connections are unexpectedly closed, causing data loss and disruption of services.

FIN Attack:
In a FIN attack, the attacker sends a TCP FIN packet to one or both endpoints of a TCP connection, indicating that the sender has finished sending data.This can be used maliciously to trick the endpoints into closing the connection, causing disruption to legitimate users.

Countermeasures:
The following are some of the solutions to RST and FIN denial of service attacks.

Firewalls and Intrusion Detection Systems (IDS):
Implement firewalls and IDS to detect and block malicious TCP packets, including RST and FIN packets.

TCP Sequence Number Randomization:
Randomize TCP sequence numbers to make it harder for attackers to predict and forge TCP packets.

Rate Limiting:
Implement rate limiting to prevent an excessive number of TCP packets from a single source, which can help mitigate the impact of DoS attacks.

TCP Stateful Inspection:
Use TCP stateful inspection to validate incoming TCP packets and ensure they are part of legitimate connections.

Network Traffic Monitoring:
Continuously monitor network traffic for signs of unusual or malicious activity, which can help detect and mitigate DoS attacks in real time.
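
An added example, not code from the paper, that combines three of the countermeasures listed above (stateful inspection, sequence-number validation of RST/FIN segments, and per-source rate limiting) in one small guard. The treatment of an in-window but not exactly matching RST, answered with a challenge ACK instead of a teardown, follows RFC 5961, which is cited here from general knowledge rather than from the paper. The connection table, the thresholds, the simplified handling of out-of-order FINs and the sample segments are assumptions constructed for the example.

```python
from collections import defaultdict, deque

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def _in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


class TcpGuard:
    """Stateful inspection plus per-source rate limiting for RST and FIN segments.

    Connections must be registered (see track) before a RST/FIN is honoured.
    An in-window RST whose sequence number is not exactly the expected one gets
    a challenge ACK instead of closing the connection (RFC 5961 behaviour).
    """

    def __init__(self, max_resets=10, window_seconds=1.0):
        self.conns = {}                       # 4-tuple -> {"rcv_nxt", "rcv_wnd"}
        self.max_resets = max_resets          # RST/FIN allowed per source per window
        self.window_seconds = window_seconds
        self.recent = defaultdict(deque)      # source ip -> timestamps of RST/FIN seen

    def track(self, src, sport, dst, dport, rcv_nxt, rcv_wnd=65535):
        """Record an established connection and the next sequence number we expect."""
        self.conns[(src, sport, dst, dport)] = {"rcv_nxt": rcv_nxt, "rcv_wnd": rcv_wnd}

    def _over_rate(self, src, now):
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q) > self.max_resets

    def inspect(self, pkt, now=0.0):
        """Return (verdict, reason) for a segment given as a dict.

        pkt keys: src, sport, dst, dport, seq, flags (a set such as {"RST"}).
        Verdicts: "pass" (not a RST/FIN), "accept", "challenge", "drop".
        """
        flags = pkt["flags"]
        if not flags & {"RST", "FIN"}:
            return ("pass", "not a teardown segment")
        if self._over_rate(pkt["src"], now):
            return ("drop", "rate limit exceeded")          # Rate Limiting
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        conn = self.conns.get(key)
        if conn is None:
            return ("drop", "no matching connection")       # Stateful Inspection
        seq, nxt, wnd = pkt["seq"], conn["rcv_nxt"], conn["rcv_wnd"]
        if "RST" in flags:
            if seq == nxt:
                del self.conns[key]
                return ("accept", "in-sequence RST closes connection")
            if _in_window(seq, nxt, wnd):
                return ("challenge", "in-window RST: send challenge ACK, keep connection")
            return ("drop", "out-of-window RST")
        # FIN: this simplified guard only honours the in-order FIN; a real stack
        # would queue an out-of-order FIN until the gap is filled (assumption).
        if seq == nxt:
            del self.conns[key]
            return ("accept", "in-sequence FIN closes connection")
        return ("drop", "out-of-order FIN")


def demo():
    """Constructed segments (not a capture) exercising each verdict; returns verdicts."""
    g = TcpGuard(max_resets=3)
    g.track("198.51.100.7", 40000, "10.0.0.5", 443, rcv_nxt=1000, rcv_wnd=8192)
    base = {"src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5", "dport": 443}
    segs = [
        dict(base, seq=500000, flags={"RST"}),   # forged, sequence far outside window
        dict(base, seq=4000, flags={"RST"}),     # forged guess that landed in window
        dict(base, seq=1000, flags={"FIN"}),     # genuine in-order FIN closes the connection
        dict(base, seq=1000, flags={"RST"}),     # fourth teardown within one second: over budget
    ]
    return [g.inspect(s, now=0.5)[0] for s in segs]


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters for a flood: the rate limiter runs before the connection lookup, so a burst of forged resets from one source is discarded cheaply without consulting the state table for every segment.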

Ping of Death (PoD)
A Ping of Death (PoD) attack is a form of DDoS attack in which an attacker sends the recipient simple ping requests as fragmented IP packets that are oversized or malformed [163], [164]. These packets do not adhere to the IP packet format when reassembled, leading to heap/memory errors and system crashes.
Countermeasures: Configure the firewall, add filters, inspect for spoofed packets, monitor traffic patterns, and scan the network frequently [165].
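
The reassembly check that the filtering countermeasure relies on, as an added example rather than code from the paper: a fragment is rejected before any buffer is written if its data would extend past the largest datagram the 16-bit IPv4 Total Length field can describe. The fragment records, the 20-byte header assumption and the sample fragment sets are constructed for the example.

```python
IPV4_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field: header + data


def fragment_end(frag):
    """Byte offset just past this fragment's data within the reassembled datagram."""
    # The header carries the offset in 8-byte units; the payload length is in bytes.
    return frag["offset_units"] * 8 + len(frag["payload"])


def check_fragment(frag, header_len=20):
    """Return (ok, reason) for one fragment, before touching any buffer.

    An oversized final fragment, whose data would spill past the limit when
    reassembled, is exactly the Ping of Death case.
    """
    end = fragment_end(frag)
    if end > IPV4_MAX_TOTAL_LENGTH - header_len:
        return (False, f"fragment ends at byte {end}, beyond the "
                       f"{IPV4_MAX_TOTAL_LENGTH}-byte datagram limit")
    if frag["more_fragments"] and len(frag["payload"]) % 8 != 0:
        return (False, "non-final fragment payload is not a multiple of 8 bytes")
    return (True, "fragment within bounds")


def reassemble(frags, header_len=20):
    """Validate every fragment first, then rebuild the datagram payload.

    Returns (payload_bytes or None, reason).
    """
    for f in frags:
        ok, why = check_fragment(f, header_len)
        if not ok:
            return (None, why)
    total = max(fragment_end(f) for f in frags)
    buf = bytearray(total)
    covered = 0
    for f in frags:
        start = f["offset_units"] * 8
        buf[start:start + len(f["payload"])] = f["payload"]
        covered += len(f["payload"])
    if covered != total:
        # Bytes received must equal the span: a shortfall means a gap, a
        # surplus means overlapping fragments. Either way the set is not trusted.
        return (None, "fragment set does not exactly cover the datagram")
    if any(f["more_fragments"] for f in frags if fragment_end(f) == total):
        return (None, "last fragment still has the MF flag set")
    return (bytes(buf), "reassembled")


def sample_fragments(oversized):
    """Constructed fragment sets (not captured traffic)."""
    if not oversized:
        # An ordinary 1500-byte echo payload split across a 1480-byte MTU.
        return [
            {"offset_units": 0, "more_fragments": True, "payload": b"A" * 1480},
            {"offset_units": 185, "more_fragments": False, "payload": b"B" * 20},
        ]
    # Final fragment placed so its data would end past the 65535-byte limit.
    return [
        {"offset_units": 0, "more_fragments": True, "payload": b"A" * 1480},
        {"offset_units": 8189, "more_fragments": False, "payload": b"B" * 100},
    ]


if __name__ == "__main__":
    for flag in (False, True):
        payload, why = reassemble(sample_fragments(flag))
        print("oversized" if flag else "normal", "->",
              why, None if payload is None else len(payload))
```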

Low Rate/Shrew Attacks
These are DDoS attacks that generate periodic, short bursts of high-volume traffic and create congestion [166], [167]. This forces legitimate TCP connections to drastically reduce their sending rate. Figure 8 shows a typical shrew attack, which exploits the deficiencies in the retransmission time-out (RTO) mechanism of TCP flows. Shrew attacks throttle legitimate TCP flows by periodically sending burst pulses with a high peak rate at a low frequency [168]. As such, the TCP flows see congestion on the attacked link every time they recover from RTO. Indeed, such a shrew attack may reduce the throughput of TCP applications to almost zero.

Figure 8 A Shrew attack
Countermeasures: A simple protection mechanism called SAP (Shrew Attack Protection) can be used to defend against a shrew attack. As shown in Figure 9, SAP is a destination-port-based mechanism that only requires a small number of counters. TCP uses packet drops as an indication of congestion and reacts to a packet drop by reducing the rate of the corresponding flow [169]- [171]. The main idea of SAP is to neutralize a shrew attack by controlling the drop rates of TCP flows at the application-aggregate level via differential packet prioritization.

(Figure 8 axis labels: Continuous packet drop; 4 x minRTO; 2 x minRTO; MinRTO)
The destination port in the TCP/IP header of each packet is used to identify the application aggregate. The drop rates of application aggregates, based on which SAP identifies potential victims, are monitored by the Drop Rate Collector. Note that SAP can easily be generalized to other aggregation levels. Alternatively, as often used in modern routers, SAP can employ a hash of flow description fields in the packet. SAP can also use different fair drop rates for different types of packets. After the fair drop rate is determined, SAP starts to protect the victims by tagging their TCP packets as high priority (e.g., controlled by the Differential Tagging module) to lower the victims' drop rate if their drop rates grow higher than the fair drop rate. Otherwise, they will be tagged as normal (e.g., low priority). All tagged packets are passed to the priority Active Queue Management (AQM) module in the router, which implements preferential packet dropping [172], [173]. Note that SAP can be treated as a form of traffic management mechanism that aims to ensure all flows experience similar drop rates when going through the same protocol by using multiple classes/tagging at the flow level.
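
The SAP pipeline described above (Drop Rate Collector, Differential Tagging, priority AQM) as an added example; this is not the authors' SAP implementation. The event-log format, the rule that the fair drop rate is the link's overall drop rate, the minimum sample count and the AQM thresholds are assumptions made for the example, and the log itself is constructed so that the port-80 aggregate is the victim of the pulses.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+dport=(?P<dport>\d+)\s+(?P<event>fwd|drop)")


def parse_line(line):
    """Parse one constructed queue-event line such as 't=0.010 dport=80 drop'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return float(m["t"]), int(m["dport"]), m["event"] == "drop"


class DropRateCollector:
    """Counts packets and drops per application aggregate (destination port)."""

    def __init__(self):
        self.pkts = defaultdict(int)
        self.drops = defaultdict(int)

    def observe(self, dport, dropped):
        self.pkts[dport] += 1
        if dropped:
            self.drops[dport] += 1

    def drop_rate(self, dport):
        return self.drops[dport] / self.pkts[dport] if self.pkts[dport] else 0.0

    def fair_drop_rate(self):
        # Assumption: the fair rate is the drop rate the link imposes overall;
        # the paper leaves the derivation of the fair rate open.
        total = sum(self.pkts.values())
        return sum(self.drops.values()) / total if total else 0.0


def differential_tag(collector, dport, min_packets=20):
    """Tag an aggregate 'high' when its drop rate exceeds the fair rate (a victim)."""
    if collector.pkts[dport] < min_packets:
        return "normal"  # too few samples to call it a victim
    return "high" if collector.drop_rate(dport) > collector.fair_drop_rate() else "normal"


def priority_aqm(tag, queue_fill, low=0.6, high=0.9):
    """Preferential dropping: normal-priority packets are dropped once the queue
    is fairly full, high-priority (victim) packets only when it is nearly full."""
    threshold = high if tag == "high" else low
    return "drop" if queue_fill > threshold else "enqueue"


def build_sample_log():
    """Constructed event log: port-80 flows lose 30% of packets to the shrew
    pulses, while ports 443 and 22 see only background loss."""
    lines = []
    spec = {80: (100, 30), 443: (100, 2), 22: (50, 1)}   # port: (packets, drops)
    t = 0.0
    for dport, (n, d) in spec.items():
        for i in range(n):
            lines.append(f"t={t:.3f} dport={dport} {'drop' if i < d else 'fwd'}")
            t += 0.001
    return lines


def run_sap(lines):
    """Feed log lines through the collector; return {dport: tag}."""
    c = DropRateCollector()
    for line in lines:
        _, dport, dropped = parse_line(line)
        c.observe(dport, dropped)
    return {dport: differential_tag(c, dport) for dport in c.pkts}


if __name__ == "__main__":
    tags = run_sap(build_sample_log())
    for dport, tag in tags.items():
        print(dport, tag, priority_aqm(tag, queue_fill=0.75))
```

With the constructed log the overall drop rate is 33/250, so only the port-80 aggregate exceeds it and is tagged high; at a 75% queue fill its packets are still enqueued while normal-priority packets are dropped, which is the preferential dropping that lifts the victim out of repeated RTO.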

Discussion
It has been shown that the transport layer of the TCP/IP stack plays a crucial role in ensuring the efficient, reliable, and secure transmission of data across networks. Performance issues at this layer can arise due to factors such as network congestion, latency, and packet loss. TCP, being a connection-oriented protocol, employs mechanisms like flow control and congestion avoidance to manage these issues [174]. However, these mechanisms can sometimes lead to performance degradation, especially in high-latency or high-loss network environments. Additionally, the overhead [175] introduced by TCP's reliability mechanisms, such as acknowledgment messages and retransmission of lost packets, can impact performance, particularly in scenarios where real-time communication or high throughput is required [176], [177]. To mitigate these performance issues, optimization techniques such as TCP window scaling, selective acknowledgment, and congestion control algorithms like TCP Cubic are employed to adapt TCP's behavior dynamically to network conditions, optimizing throughput and minimizing latency. Table 2 presents a summary of the performance issues in the TCP/IP protocol suite.

Table 2 Summary of performance issues in the TCP/IP protocol suite

Throughput
The maximum rate at which data can be transmitted over a network may be limited by the transport layer protocol or by network congestion.

Latency
The time delay between sending and receiving data packets can impact real-time applications like video conferencing and online gaming.

Packet Loss
Occurs when data packets are lost during transmission, often due to network congestion or errors, leading to retransmissions and reduced throughput.

Privacy Issues

Data Interception
Attackers can intercept and eavesdrop on data transmitted over the network, compromising the confidentiality of the information.

Data Tampering
Attackers can modify or alter data packets in transit, leading to integrity issues and potential security risks.

Traffic Analysis
By analyzing the patterns and volume of network traffic, attackers can glean sensitive information about the communication patterns of users.

Privacy concerns at the transport layer primarily revolve around the security and confidentiality of data transmitted between communicating parties [178]- [181]. Without proper encryption mechanisms, data sent over TCP/IP networks can be intercepted and accessed by unauthorized parties, compromising user privacy. Transport Layer Security (TLS), which operates at the transport layer, addresses these concerns by providing end-to-end encryption and authentication for data transmitted between clients and servers. By encrypting data in transit, TLS protects sensitive information from eavesdropping and interception, ensuring user privacy and confidentiality [182], [183]. However, implementation flaws or misconfigurations in TLS can sometimes lead to vulnerabilities, undermining its effectiveness in protecting user privacy. Additionally, privacy concerns may arise from the collection and storage of metadata associated with TCP/IP connections, such as IP addresses, port numbers, and timestamps, which can be used to track and profile users' online activities.
Security issues at the transport layer encompass a wide range of threats, including session hijacking, man-in-the-middle attacks, and denial-of-service (DoS) attacks. TCP/IP protocols like TCP and UDP are vulnerable to these attacks due to their connection-oriented and connectionless nature, respectively [184]- [187]. TCP-based attacks, such as SYN flooding and TCP reset attacks, exploit weaknesses in the TCP handshake process to overwhelm target systems with a high volume of malicious traffic, causing service disruptions or denial of service. UDP-based attacks, such as UDP flooding and DNS amplification attacks, leverage the stateless nature of UDP to flood target systems with spoofed packets, consuming network resources and disrupting service availability. To mitigate these security issues, network administrators can implement security measures such as stateful firewalls, intrusion detection systems (IDS) [188], and rate limiting to detect and mitigate malicious traffic targeting TCP/IP protocols.
Furthermore, the transport layer is vulnerable to protocol-specific attacks that exploit weaknesses in TCP/IP implementations or configurations. For example, vulnerabilities in TCP's handling of sequence numbers or window sizes can be exploited to manipulate TCP connections and compromise network security [189], [190]. Similarly, flaws in UDP implementations can lead to amplification attacks or enable unauthorized access to network services. Table 3 illustrates some of the privacy and security concerns in the TCP/IP protocol suite.

Table 3 TCP/IP security and privacy concerns

RST and FIN denial of service attacks
RST (Reset) and FIN (Finish) denial of service (DoS) attacks are types of attacks that exploit vulnerabilities in the TCP protocol at the transport layer. These attacks aim to disrupt network communication by sending forged TCP packets to terminate existing connections or reset connections, thereby preventing legitimate users from accessing services.

RST Attack
In an RST attack, the attacker sends a TCP RST packet to one or both endpoints of a TCP connection, with the goal of terminating the connection abruptly. This can lead to a denial of service for legitimate users, as their connections are unexpectedly closed, causing data loss and disruption of services.

FIN Attack
In a FIN attack, the attacker sends a TCP FIN packet to one or both endpoints of a TCP connection, indicating that the sender has finished sending data. This can be used maliciously to trick the endpoints into closing the connection, causing disruption to legitimate users.

Finger Printing
Used to discover open ports and the services that are running on the target system.

Low Rate/Shrew Attacks
DDoS attacks that generate periodic, short bursts of high-volume traffic and create congestion. This forces legitimate TCP connections to reduce their sending rate. Shrew attacks exploit the deficiencies in the retransmission time-out (RTO) mechanism of TCP flows.

Ping of Death attack
DDoS attack in which an attacker sends the recipient simple ping requests as fragmented IP packets that are oversized or malformed. These packets do not adhere to the IP packet format when reassembled, leading to heap/memory errors and system crashes.

IP Spoofing
Creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system. Attackers may generate fraudulent packet headers, continuously randomizing the source address using a sniffing tool.

To address these vulnerabilities, software vendors release patches and updates to fix known security issues, and network administrators apply these patches promptly to protect against potential exploits. Additionally, security awareness training and best practices in network configuration and management are essential for preventing and mitigating security incidents at the transport layer of the TCP/IP stack. Table 4 details some of the countermeasures that can be deployed to address these concerns.

Table 4 TCP/IP security and privacy concerns countermeasures

TCP Sequence Number Randomization
Randomize TCP sequence numbers to make it harder for attackers to predict and forge TCP packets.

Network Traffic Monitoring
Continuously monitor network traffic for signs of unusual or malicious activity, which can help detect and mitigate DoS attacks in real time.

Research Gaps
Research in the area of performance, privacy, and security issues at the transport layer of the TCP/IP stack has made significant progress, but there are still gaps that researchers are actively working to address. Some of these gaps include:

Emerging Protocols:
With the advent of new transport layer protocols such as QUIC (Quick UDP Internet Connections) [191], there is a need for research to evaluate their performance, privacy, and security implications compared to traditional protocols like TCP and UDP.

Machine Learning Applications:
There is a growing interest in leveraging machine learning techniques to enhance the performance, privacy, and security of transport layer protocols [192], [193]. Research in this area aims to develop intelligent algorithms that can adapt to changing network conditions and mitigate security threats.

Privacy-preserving Protocols:
As privacy concerns become increasingly important, there is a need for research to develop transport layer protocols that can ensure the confidentiality and integrity of data without compromising performance. According to [194], privacy-preserving protocols are designed to enable secure communication and data exchange while minimizing the exposure of sensitive information. These protocols typically employ cryptographic techniques to protect the confidentiality, integrity, and authenticity of data transmitted over networks [195]- [199]. One example is Secure Multi-Party Computation (SMPC), which allows multiple parties to jointly compute a function over their inputs while keeping those inputs private. Another example is Homomorphic Encryption, which enables computations to be performed on encrypted data without decrypting it, preserving privacy even during data processing. Additionally, protocols like Zero-Knowledge Proofs and Differential Privacy provide mechanisms for verifying information or performing data analysis without revealing sensitive details about individuals. These privacy-preserving protocols play a crucial role in ensuring user privacy and data protection in various applications, including healthcare, finance, and telecommunications.
Addressing these future research scopes will be crucial in ensuring the development of efficient, secure, and privacy-preserving transport layer protocols to support the evolving needs of modern networking environments.

Conclusion
The transport layer of the TCP/IP stack plays a critical role in ensuring reliable data transmission between applications. However, it faces various challenges related to performance, privacy, and security. By implementing the right strategies and best practices, these issues can be mitigated, ensuring a secure and efficient network communication environment. TCP/IP at the transport layer can face performance issues due to factors like latency and congestion. Latency can be reduced by using UDP for real-time applications, while congestion can be managed through TCP's congestion control algorithms like TCP Vegas or TCP Reno. Security concerns in TCP/IP at the transport layer include the potential for unauthorized access and data breaches. Implementing encryption protocols like TLS can protect data in transit, while VPNs can create secure tunnels for data to pass through, preventing unauthorized access. Privacy issues in TCP/IP at the transport layer relate to the potential for eavesdropping and data interception. Encryption protocols like TLS can encrypt data, ensuring that sensitive information remains private and secure during transmission.

Figure 2 Three-Way TCP Handshake

Figure 5 TCP congestion control components
Figure 5 shows the TCP congestion control components. How frequently a TCP segment is retransmitted is based on what is known as a Congestion Avoidance Algorithm [106]. A good overall summary of the different versions of the TCP Congestion Avoidance Algorithm is given in [107]-[109]. The TCP congestion control algorithm has three major phases: slow start, congestion avoidance, and congestion detection with fast recovery. Traffic dynamics in the Internet are heavily influenced by the behavior of the TCP Congestion Avoidance algorithm. TCP congestion control affects the round-trip time (RTT) of packets within the flow (i.e., the flow RTT): an endpoint sends packets at higher throughput, increasing the occupancy of the bottleneck buffer [110], thereby increasing the RTT of packets in the flow.

Figure 6 Operating system fingerprinting process
Any system that speaks TCP/IP is potentially in the database, which is updated frequently. Nmap fingerprints a system in three steps. First, it performs a port scan to determine a set of open and closed TCP and UDP ports [130]-[134]. Second, it generates specially formed packets, sends them to the remote host, and listens for responses. Third, it uses the results from the tests to determine a matching entry in its database of fingerprints. For example, consider a target machine 192.168.171.25 on a network. An attacker would like to know which TCP ports are open, the services that use the open ports, and the service daemon running on the target system (a service responsible for starting standard Internet services [135] when a system boots; these services use Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) as their transport layer protocol).

Figure 9 SAP Architecture

Table 3 TCP/IP security and privacy concerns

Table 4 TCP/IP security and privacy concerns countermeasures