Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: Source of T/TCP traffic

Re: Source of T/TCP traffic

From: Knut Bjornstad <kbjo_at_interpost.no>
Date: Tue, 9 Sep 2003 19:36:43 +0200

On Tue, Sep 09, 2003 at 02:22:58PM +0200, Volker Tanger wrote:
> Greetings!
>
> On Tue, 9 Sep 2003 Knut Bjornstad <kbjo_at_interpost.no> wrote:
>
> > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on
> > this is no problem in itself - I can easily disable them. But when I
> > try to analyze the traffic, it seems like ordinary web traffic from
> > various MS IE sources.
>
> Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually
> newer IE try to send the HTTP request already in the SYN packet (or was
> it first sending an ACK packet with the request?) ignoring the usual
> need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection.
>
> While the IIS answers directly other servers respond with a RST, upon
> which the IIS starts anew with the standard 3-way handshake. This way
> a MS-IE/MS-IIS pair has a small speed advantage over standard clients
> or servers. It's called improving industry standards, I fear.
>
> If this is the traffic you see, you can safely ignore it (as MS-IE
> does).
>
What I see is not - I repeat not - the cheating MS-IE/IIS speedup hack.
(For this see: http://www.cs.wits.ac.za/~jon/help/email/slash.html )
I see SYN packets with proper CC.NEW TCP options. They come from a
handful of Scandinavian providers serving solid customers. We dont get
anything more of the T/TCP TAO because we have no T/TCP ourselves, and
then what is sending this falls back to ordinary TCP in accordance with
the protocol. Further there is quite clear indications of NAT source
adresses - the browser field in our weblogs vary with the same source among
other things. I am pretty sure this is one or several different devices
inserting T/TCP by rewriting the header - but I lack proof.

So what is this? 

-- 
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo_at_interpost.no -- t:47 23 14 53 36 -- mob: 901 15 917 --
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 12 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos