Knut Bjornstad wrote:
>
> Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
> are no problem in themselves - I can easily disable them. But when I try to
> analyze the traffic, it seems like ordinary web traffic from various MS
> IE sources. Now T/TCP is - according to my impression - a half-dead
> attempt at speeding up TCP, and nothing I would associate with this kind
> of everyday events. My theory is that this is caused by some firewall or
> similar product that modifies outgoing traffic by adding the necessary
> TCP option to the packets.
> First question: Does anyone in this forum know of a product that does
> something like that (I suspect something from Checkpoint, but I am not
> sure about that)?
Question: Are you sure that this is actually T/TCP you're seeing?
T/TCP uses fairly obvious TCP options, as per
http://www.ietf.org/rfc/rfc1644.txt
Or are you seeing things more along the lines of
http://pix.cs.olemiss.edu/csci561/slash.html ?
(IE/IIS violating TCP to make things go faster, which results
in IE actually becoming _slower_ with non-IIS servers.
Go figure.)
> Second question: Given that T/TCP has problematic security, can
> ordinary firewalls handle the protocol by setting up relevant
> rules?
Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
as well as Microsoft's optimizations from working.
T/TCP, by its design, reintroduces blind TCP spoofing
vulnerabilities, and there's nothing any firewall can
do about it -- except for blocking T/TCP and forcing the
connection to fall back to plain old TCP, that is, which
works just fine.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 12 2003
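Mikael's first question (is it really T/TCP?) can be settled by looking at the TCP options themselves. The following is an added example, not code from the thread or from any product mentioned in it: it walks the option list of a raw TCP segment and reports whether any of the RFC 1644 connection-count options (CC, CC.NEW, CC.ECHO; option kinds 11, 12, 13) are present, which is the signature a real T/TCP segment carries. The two sample segments are constructed inline for the demonstration.

```python
import struct

# RFC 1644 (T/TCP) option kinds: CC, CC.NEW, CC.ECHO; each option is 6 bytes long.
TTCP_OPTION_NAMES = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_options(segment: bytes):
    """Return a list of (kind, payload) tuples for every option in a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            break
        if kind == 1:                              # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is missing its length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def ttcp_options(segment: bytes):
    """Names of the RFC 1644 CC options carried by the segment (empty list if none)."""
    return [TTCP_OPTION_NAMES[k] for k, _ in parse_tcp_options(segment) if k in TTCP_OPTION_NAMES]


def build_segment(options: bytes, flags: int = 0x02) -> bytes:
    """Build a minimal TCP header (constructed sample data) carrying the given options."""
    padded = options + b"\x00" * (-len(options) % 4)   # options are padded to 32-bit words
    data_offset = (20 + len(padded)) // 4
    header = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, data_offset << 4, flags, 65535, 0, 0)
    return header + padded


# Constructed samples: an ordinary SYN with only an MSS option, and a SYN that
# carries T/TCP CC.NEW and CC.ECHO options (kinds 12 and 13, length 6 each).
PLAIN_SYN = build_segment(b"\x02\x04\x05\xb4")
TTCP_SYN = build_segment(b"\x0c\x06\x00\x00\x00\x07" + b"\x0d\x06\x00\x00\x00\x03")

if __name__ == "__main__":
    print(ttcp_options(PLAIN_SYN))   # []
    print(ttcp_options(TTCP_SYN))    # ['CC.NEW', 'CC.ECHO']
```

A segment with none of these options but still flagged as T/TCP by an IDS is more likely the kind of handshake shortcut Mikael points to than genuine RFC 1644 traffic.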