Firewall Wizards
mailing list archives
Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Wed, 12 Jan 2005 10:55:47 +0100
syn+ack flags on the first packet could mean t/tcp (similar to tcp
without the 3 way handshake, it is described in tcp/ip vol 3 by stevens,
I can't remember the rfc number). This packet could even contain data
(i.e. GET /) and the psh & fin flags; the second packet could be a
syn+ack+fin+psh+data (i.e. the web page), the acknowledge number should
be the first packet's syn number + 1 + payload length.
In short: an almost standard tcp session in 2 or 3 packets! If the
server does not support t/tcp, it will send an acknowledge=syn+1 or
nothing, which means: let's continue with standard tcp.
If pix answers these packets, it may simply mean it supports t/tcp (which
is only useful for short sessions such as most http). t/tcp is not
really less secure than tcp, they basically share the same vulnerabilities.
t/tcp may be less spoofing resistant.
Smith, Aaron wrote:
> Sent to PIX:
> hping2 -S -A -c 1 -p 22 aaa.bbb.ccc.ddd
> Reply from PIX:
> len=46 ip=aaa.bbb.ccc.ddd ttl=254 id=25026 sport=22 flags=SA seq=0 win=4096 rtt=0.3 ms
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
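
An added example, not part of the original post or of any vendor's code: a minimal stateful check that flags SYN+ACK segments which do not answer an earlier SYN, the out-of-state pattern this thread is about. The `Segment` record, the function name, and the sample capture (documentation addresses, made-up ports and sequence numbers) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


def find_unsolicited_synacks(segments):
    """Return SYN+ACK segments that do not answer a SYN seen earlier."""
    pending = {}      # (client, cport, server, sport) -> client's initial seq
    unsolicited = []
    for s in segments:
        is_syn, is_ack = bool(s.flags & SYN), bool(s.flags & ACK)
        if is_syn and not is_ack:
            # Plain SYN: remember it so the matching SYN+ACK is accepted.
            pending[(s.src, s.sport, s.dst, s.dport)] = s.seq
        elif is_syn and is_ack:
            key = (s.dst, s.dport, s.src, s.sport)   # reverse direction
            isn = pending.get(key)
            if isn is not None and s.ack == (isn + 1) % 2**32:
                del pending[key]                      # valid handshake step 2
            else:
                unsolicited.append(s)                 # no SYN, or wrong ack
    return unsolicited


# Constructed sample capture: one normal handshake, then a SYN+ACK probe
# to port 22 and a SYN+ACK reply to it, as in the quoted hping2 exchange.
SAMPLE = [
    Segment("192.0.2.10", 40000, "198.51.100.1", 80, SYN, 1000),
    Segment("198.51.100.1", 80, "192.0.2.10", 40000, SYN | ACK, 5000, 1001),
    Segment("192.0.2.10", 40001, "198.51.100.1", 22, SYN | ACK, 7000, 0),
    Segment("198.51.100.1", 22, "192.0.2.10", 40001, SYN | ACK, 0, 7001),
]

if __name__ == "__main__":
    for seg in find_unsolicited_synacks(SAMPLE):
        print(f"out-of-state SYN+ACK {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}")
```
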