There are six original 1-bit control flags, and three additional flags added.
Experimental Flag RFC 3560:
NS - ECN-nonce concealment protection this is an optional field added to ECN intended to protect against accidental or malicious concealment of marked packets from the TCP sender.
Congestion Notification Flags - RFC 3168:
CWR - Congestion Window Reduced - Only used in TCP connections where Explicit Congestion Notification is used. Rarely seen in most TCP Conversations. ECN allows routers to inform the TCP endpoints that their transmit buffers are filling due to congestion. This allows the TCP endpoints to slow their data transmission to prevent packet loss. The CWR field is set by the sender to show that it received a TCP segment with the ECE flag set.
ECE - ECN – Echo – Used only by ECN-TCP connections. The ECN-Echo is sent to inform the other side of the TCP connection that it received an ECN notification from the network. This may trigger a TCP Slow Start. Like the CWR field, this is rarely seen in connections.
The 6 TCP Control Flags RFC 7414:
A simple pneumonic to help you memorize the 6 control flags.
Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN
G - Urgent flag is used to process the data without any latency (virtually zero time). The packets in which the urgent flag is set to “1” will be processed at the destination end without any delay.
Example: The execution of commands on a remote machine via Telnet. The output of a command executed through telnet should be immediate so in order to accomplish this the data transferred to the remote machine will have the URG flag set to “1” on its TCP packet.
ACK - Acknowledge flag is used to acknowledge a received Sync packet. ACK flag is set to “1” on a reply packet to the requesting machine along with the SYN flag set to “1”.
PSH - Push flag is used to push the data without any intermediate buffering (storing). This is more like URG flag but there is a distinction as both have different roles.
Example: PSH flag is set for communications where there shouldn’t be any interruption like live multimedia streaming, executing mission critical database queries, ATM transactions and so on.
RST – The reset (RST) flag abruptly terminates an open connection. Either host in a connection may use the RST flag. A data segment containing a RST flag is usually not acknowledged.
Example: An active Telnet session is open and by mistake the telnet window is closed. The Telnet service will stop and send a TCP packet with the RST flag set to 1. The remote machine will receive the TCP packet with the RST flag set and immediately tear down the connection without any delay or acknowledgement.
SYN - Sync flag is the well know flag in TCP and is used to initiate a TCP session. Before the actual data starts to flow, a TCP packet with 0 data bytes are send to the remote machine with the SYN flag set to “1”, after the three way handshake a dedicated virtual path is established between the source machine to the target machine for the actual data to transfer.
Example: When we open any website the first step done by the TCP protocol is sending a sync packet (though initially a DNS query is sent for name resolution). And once a connection is established then we’ll see the homepage of that website.
FIN – The FIN flag initiates the graceful closure of an open connection.