|
Firewall Wizards
mailing list archives
Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 12 Jan 2005 13:40:14 +0100
On Wed, Jan 12, 2005 at 10:55:47AM +0100, stephane nasdrovisky wrote:
syn+ack flags on the first packet could mean t/tcp (similar to tcp
without the 3 way handshake, it is described in tcp/ip vol 3 by stevens,
I can't remember the rfc number)
I have read through RFC 1379 (Extending TCP for Transactions --
Concepts) and RFC 1644 (T/TCP -- TCP Extensions for Transactions) and
it seems to me that
(1) T/TCP connection starts with SYN,FIN (not ACK) or just SYN
(without ACK) with data payload
(2) T/TCP shouldn't reply with SYN+ACK to SYN+ACK ever (much less when
(unrequested && loaded with arbitrary ISN/ACKn)
Am I wrong?
By the way, I have tested that I can successfully complete standard
TCP RFC793 three way hanshake with SYN+ACK being the first packet (so
it seems that PIX deliberately ignores ACK here). On the other side,
I have also tested that replying SYN+ACK (instead of ACK) in the third
phase of the hanshake does not make it through (so it does not ignore
SYN here). Mmmm...
Martin Mačok
ICT Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port, (continued)
|
Intro
