SCTP (Stream Control Transmission Protocol)

SCTP is a transport layer protocol that serves a role similar to TCP and UDP. It provides some of the features of both, ensuring reliable, in-sequence transport of messages with congestion control like TCP, while preserving message boundaries like UDP.

Key Features of SCTP

Multi-homing

Allows an association to have multiple IP addresses for increased reliability.

Example command: sctp_darn -H 192.168.1.1 -B 192.168.1.2 -P 9999 -l

Multi-streaming

Supports multiple streams within a single connection to reduce head-of-line blocking.

Example command: sctp_test -H 192.168.1.1 -P 9999 -S 4 -l

Message-oriented

Preserves message boundaries, unlike TCP's byte-stream oriented approach.

Example command: echo "Test message" | sctp_darn -H 192.168.1.1 -P 9999 -s

Partial reliability

Allows for intentional dropping of messages, useful for time-sensitive applications.

Example command: sctp_test -H 192.168.1.1 -P 9999 -R 100 -l

SCTP Header Structure

The SCTP packet consists of a common header and chunks. The common header includes:

  • Source Port (16 bits)
  • Destination Port (16 bits)
  • Verification Tag (32 bits)
  • Checksum (32 bits)

Security Implications for Red Teams

DoS Vulnerability

SCTP's multi-homing feature can be exploited for amplification attacks.

Example exploit: scapy: send(IP(dst="target")/SCTP(dport=80)/SCTPChunkInit(init_tag=RandInt()))

Reference: https://www.cisa.gov/uscert/ics/advisories/icsa-20-168-01

Firewall Evasion

SCTP traffic may bypass firewalls not configured to handle it.

Example exploit: nmap -sY -p 80 target_ip # SCTP INIT scan

Reference: https://nmap.org/book/scan-methods-sctp-init-scan.html

Chunk Handling Vulnerabilities

Malformed SCTP chunks can potentially crash or exploit SCTP implementations.

Example exploit: scapy: send(IP(dst="target")/SCTP()/SCTPChunkInit(params=[SCTPParamUnknown(type=0x1234)]))

Reference: https://www.rfc-editor.org/rfc/rfc4960.html#section-3.2
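For defenders, the common header fields listed under SCTP Header Structure and the chunk handling risk above meet in the receive path: a parser has to verify the checksum and bounds-check every chunk length before using it. The following is an added example, not code from the original page; the function names and sample packets are constructed for illustration, and the INIT rules it checks (verification tag 0, no bundling) are taken from RFC 4960.

```python
import struct

CHUNK_INIT = 1  # chunk type value for INIT (RFC 4960)

def crc32c(data: bytes) -> int:
    """Bitwise CRC32c (Castagnoli), the checksum algorithm SCTP uses."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def build_packet(sport, dport, vtag, chunks: bytes) -> bytes:
    """Constructed-sample helper: common header + chunks with a valid checksum."""
    head = struct.pack("!HHI", sport, dport, vtag)
    csum = crc32c(head + b"\0" * 4 + chunks)  # computed with the field zeroed
    return head + struct.pack("<I", csum) + chunks  # CRC32c is stored little-endian

def inspect_packet(pkt: bytes) -> dict:
    """Parse one SCTP packet; raise ValueError if it cannot be walked safely."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte common header")
    sport, dport, vtag = struct.unpack("!HHI", pkt[:8])
    (stored,) = struct.unpack("<I", pkt[8:12])
    findings = []
    if crc32c(pkt[:8] + b"\0" * 4 + pkt[12:]) != stored:
        findings.append("checksum mismatch")
    chunks, off = [], 12
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4 or off + clen > len(pkt):  # never trust the length field
            raise ValueError(f"chunk length {clen} out of bounds at offset {off}")
        chunks.append((ctype, flags, pkt[off + 4:off + clen]))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    if any(c[0] == CHUNK_INIT for c in chunks):
        if vtag != 0:
            findings.append("INIT with nonzero verification tag")
        if len(chunks) > 1:
            findings.append("INIT bundled with other chunks")
    return {"sport": sport, "dport": dport, "vtag": vtag,
            "chunk_types": [c[0] for c in chunks], "findings": findings}

# Constructed sample: INIT chunk header (type 1, flags 0, length 20) + fixed fields
INIT = struct.pack("!BBHIIHHI", CHUNK_INIT, 0, 20, 0xA1B2C3D4, 65535, 4, 4, 1)
GOOD = build_packet(40000, 9999, 0, INIT)
BAD_TAG = build_packet(40000, 9999, 0x1234, INIT)
```

A packet that raises ValueError or returns findings is one to drop and log rather than hand to association state handling.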

SCTP Tools for Red Teams

  • Scapy: Powerful interactive packet manipulation program. Can be used to craft and send custom SCTP packets.
  • nmap: Network scanning tool with SCTP scanning capabilities.
  • Wireshark: Network protocol analyzer with SCTP dissection capabilities.
  • lksctp-tools: User-space applications for Linux SCTP. Includes utilities like sctp_darn and sctp_test.
