Flags, or control bits, are used to denote the purpose and function of the TCP segment. These are used to initiate the three-way handshake that establishes a TCP session, and are also used in acknowledgment reply messages. The control bits are vital to the functioning of TCP. Without the ACK (acknowledgment) flag, the sender would continuously send data (subject to application layer timeouts), which can adversely affect network performance. Alternatively, without SYN (synchronize), no sessions would ever be initiated, and there would be an effect on availability.

Flags are particularly important to cybersecurity due to their use in the SYN flood attack and in connection hijacking. In the SYN flood attack, the attacker sends a number of SYN and ACK packets, which forces the server to consume resources to keep track of the connections. As the volume of connections increases, this can result in a denial-of-service attack.

In connection hijacking, an attacker predicts the next sequence number from a live connection and forges a segment to look like the next segment. When this is received and accepted, synchronization is lost – subsequent packets that arrive have incorrect/unexpected sequence numbers. This attack allows the attacker to send erroneous or dangerous information that will be automatically accepted in order to disrupt the data stream and result in a denial-of-service attack.