nanog mailing list archives

Re: MySQL Madness
From: Scott Howard <scott () doc net au>
Date: Thu, 28 Apr 2011 21:33:08 -0700

On Thu, Apr 28, 2011 at 8:40 PM, Joe Renwick <joe () gonetforward com> wrote:

> Packet "1" is Syn from MySQL client to Server
> Packet "2" is Syn/Ack from Server
> Packet "3" is a TCP Push!  ??? HERE IS WHERE I AM CONFUSED


The "Push" is a red herring here.  Push is an historic flag that is (almost)
always ignored nowadays, but for historic reasons almost every TCP packet
has it set.

So packet 3 isn't really a "Push" packet, but it IS a data packet:
 3: 21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P 2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp 2581054349 2065216038>

The "(63)" means the packet has 63 bytes of data in it.  So if there's
something strange happening here, it's that the server is sending a data
packet before it gets the 3rd packet in the 3-way handshake.

Whilst that's definitely strange, it's probably legal.  It's definitely
legal to include data in the SYN-ACK packet itself (and even, I think, in
the initial SYN packet!) although I've never seen anything that implements
that.

In this case, the data isn't in the SYN-ACK itself but in a packet following
it. I'm not sure if that's legal or not, but I can't see why it wouldn't be.

> My firewall is dropping packet "3" as it is not happy there is a push going
> on before it sees the completed handshake.


Not at all surprising.  Most firewalls will drop anything that's even
slightly unexpected, and this would certainly fit into that category - even
if it's legal.


  Scott.
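The reading of the capture above (the "(63)" is the payload length, the "P" flag is incidental, and the real oddity is a data segment arriving before the client's handshake ACK) can be turned into a check that does what Joe's firewall is doing. The following is an added example, not code from the thread: it parses old-style tcpdump TCP lines, tracks each flow's three-way handshake, and flags any segment carrying data before the handshake is complete, regardless of whether PSH is set. Packet 3 is the line Joe posted; packets 1, 2 and 4 are constructed for this example to stand in for the SYN, SYN-ACK and client ACK that were not quoted, and their sequence numbers and options are assumptions.

```python
import re
from dataclasses import dataclass

# Old-style tcpdump TCP line (the format in the post), e.g.
#   21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P 2601320300:2601320363(63) ack 4107544001 win 46 <...>
# A leading "3:" packet index, as in Joe's numbered listing, is tolerated and ignored.
LINE_RE = re.compile(
    r"^\s*(?:\d+:\s*)?"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)\s+"                      # S=SYN P=PSH F=FIN R=RST .=none
    r"(?:(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)\s+)?"  # "(63)" is the payload length
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)


@dataclass
class Packet:
    no: int
    src: tuple
    dst: tuple
    flags: str
    length: int      # bytes of TCP payload, taken from the "(N)" field
    has_ack: bool


@dataclass
class Flow:
    client: tuple
    server: tuple
    syn_seen: bool = False
    synack_seen: bool = False
    established: bool = False   # set only once the client's ACK of the SYN-ACK is seen


def parse_line(no, line):
    """Parse one tcpdump line into a Packet; raises ValueError on anything else."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return Packet(
        no=no,
        src=(m["src"], int(m["sport"])),
        dst=(m["dst"], int(m["dport"])),
        flags=m["flags"],
        length=int(m["len"] or 0),
        has_ack=m["ack"] is not None,
    )


def flow_key(a, b):
    """Direction-independent key for the two endpoints of a connection."""
    return tuple(sorted((a, b)))


def audit(lines):
    """Replay the capture through a minimal handshake state machine.

    Returns (findings, flows): findings is a list of (packet number, reason)
    for segments a stateful firewall would consider out of state.
    """
    flows = {}
    findings = []
    for no, line in enumerate(lines, 1):
        p = parse_line(no, line)
        key = flow_key(p.src, p.dst)
        syn = "S" in p.flags
        if syn and not p.has_ack:                       # packet 1: bare SYN opens the flow
            flows[key] = Flow(client=p.src, server=p.dst, syn_seen=True)
            continue
        f = flows.get(key)
        if f is None:
            findings.append((no, "segment for a flow whose SYN was not seen"))
            continue
        if syn and p.has_ack and p.src == f.server:     # packet 2: SYN-ACK from the server
            f.synack_seen = True
            if p.length:
                # RFC 793 permits data in a SYN; it is queued until the handshake completes.
                findings.append((no, "data carried in the SYN-ACK itself"))
            continue
        if f.established:
            continue                                    # normal traffic; PSH is irrelevant here
        if p.length > 0:                                # packet 3: data, but no client ACK yet
            findings.append((no, "data segment before the 3-way handshake completed"))
            continue
        if p.has_ack and p.src == f.client and f.synack_seen:
            f.established = True                        # packet 4: client ACK completes the handshake
    return findings, flows


# Constructed sample trace: packets 1, 2 and 4 are made up for this example,
# packet 3 is the line quoted in the post (joined onto one line).
SAMPLE_TRACE = [
    "1: 21:49:13.451873 8.25.42.100.32929 > 74.81.76.195.3306: S 4107544000:4107544000(0) win 5840 <mss 1460,sackOK,timestamp 2065216038 0,nop,wscale 7>",
    "2: 21:49:13.462104 74.81.76.195.3306 > 8.25.42.100.32929: S 2601320299:2601320299(0) ack 4107544001 win 5792 <mss 1460,sackOK,timestamp 2581054349 2065216038,nop,wscale 7>",
    "3: 21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P 2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp 2581054349 2065216038>",
    "4: 21:49:13.472455 8.25.42.100.32929 > 74.81.76.195.3306: . ack 2601320300 win 46 <nop,nop,timestamp 2065216049 2581054349>",
]

if __name__ == "__main__":
    findings, flows = audit(SAMPLE_TRACE)
    for no, reason in findings:
        print(f"packet {no}: {reason}")
    for f in flows.values():
        print(f"{f.client} -> {f.server}: established={f.established}")
```

Run against the trace, the only finding is packet 3, and it is flagged for its 63 bytes of payload arriving before packet 4, not for the PSH bit; the same data segment sent after packet 4 would pass. That is the distinction a stateful firewall draws, and why it drops the segment whether or not the early data is legal.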

