Greetings!
On Tue, 9 Sep 2003 Knut Bjornstad <kbjo_at_interpost.no> wrote:
> Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on
> this is no problem in itself - I can easily disable them. But when I
> try to analyze the traffic, it seems like ordinary web traffic from
> various MS IE sources.
Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually
newer IE try to send the HTTP request already in the SYN packet (or was
it first sending an ACK packet with the request?) ignoring the usual
need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection.
While the IIS answers directly other servers respond with a RST, upon
which the IIS starts anew with the standard 3-way handshake. This way
a MS-IE/MS-IIS pair has a small speed advantage over standard clients
or servers. It's called improving industry standards, I fear.
If this is the traffic you see, you can safely ignore it (as MS-IE
does).
HTH
Volker Tanger
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 11 2003
Intro
