Firewall Wizards mailing list archives

Re: Source of T/TCP traffic


From: Knut Bjornstad <kbjo () interpost no>
Date: Tue, 9 Sep 2003 14:29:42 +0200

On Tue, Sep 09, 2003 at 02:22:58PM +0200, Volker Tanger wrote:
> Greetings!
> 
> On Tue, 9 Sep 2003 Knut Bjornstad <kbjo () interpost no> wrote:
> 
> > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on
> > this are no problem in themselves - I can easily disable them. But when I
> > try to analyze the traffic, it seems like ordinary web traffic from
> > various MS IE sources.
> 
> Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually
> newer IE tries to send the HTTP request already in the SYN packet (or was
> it first sending an ACK packet with the request?), ignoring the usual
> need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection.
> 
> While the IIS answers directly, other servers respond with a RST, upon
> which the IIS starts anew with the standard 3-way handshake. This way
> a MS-IE/MS-IIS pair has a small speed advantage over standard clients
> or servers. It's called improving industry standards, I fear.
> 
> If this is the traffic you see, you can safely ignore it (as MS-IE
> does).
> 
> HTH
> 
> Volker Tanger

What I see is SYN packets with the ccnew TCP option set. I don't see a
full TAO since we don't have T/TCP. I do not fully know the MS-IE/IIS
speedup hack, but that is different, isn't it?

I have some indication that this is some netdevice changing the traffic.
The browser field in my access logs reports varying versions of MSIE, so
I think the addresses are NAT'ed for several clients.
-- 
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo () interpost no -- t:47 23 14 53 36 -- mob: 901 15 917 --
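The two things discussed in this thread, a SYN carrying the T/TCP CC.NEW option and a SYN that already carries request data, can both be picked out of raw TCP segments with a small parser. The following is an added example, not code from the thread or from any IDS mentioned in it; the option kind numbers (11 = CC, 12 = CC.NEW, 13 = CC.ECHO) are those assigned by RFC 1644, and the sample segments are constructed here for illustration. A CC.NEW on a SYN is legitimate T/TCP client behaviour, so the output is a list of findings to review, not a verdict.

```python
import struct
from dataclasses import dataclass

# TCP option kinds from the IANA registry; 11-13 are the T/TCP
# connection-count options defined in RFC 1644.
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
OPT_CC, OPT_CC_NEW, OPT_CC_ECHO = 11, 12, 13
TTCP_OPTIONS = {OPT_CC: "CC", OPT_CC_NEW: "CC.NEW", OPT_CC_ECHO: "CC.ECHO"}

FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int
    options: list   # list of (kind, value-bytes) tuples, in wire order
    payload: bytes


def parse_options(raw: bytes) -> list:
    """Walk the TCP options area; EOL ends it, NOP is a single byte,
    everything else is kind/length/value."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_segment(data: bytes) -> TcpSegment:
    """Parse a TCP header (no IP header) plus payload."""
    if len(data) < 20:
        raise ValueError("segment shorter than minimal TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(data):
        raise ValueError("bad data offset")
    return TcpSegment(sport, dport, off_flags & 0x1FF,
                      parse_options(data[20:data_offset]), data[data_offset:])


def classify(seg: TcpSegment) -> list:
    """Findings worth a second look on an initial SYN (SYN set, ACK clear)."""
    findings = []
    syn_only = (seg.flags & (FLAG_SYN | FLAG_ACK)) == FLAG_SYN
    ttcp = [TTCP_OPTIONS[k] for k, _ in seg.options if k in TTCP_OPTIONS]
    if syn_only and "CC.NEW" in ttcp:
        findings.append("T/TCP CC.NEW on SYN")
    elif ttcp:
        findings.append("T/TCP option(s): " + ", ".join(ttcp))
    if syn_only and seg.payload:
        findings.append("data in SYN (%d bytes)" % len(seg.payload))
    return findings


def build_segment(sport, dport, flags, options=b"", payload=b"") -> bytes:
    """Assemble a constructed TCP segment; options must be 4-byte padded."""
    assert len(options) % 4 == 0
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (doff << 12) | flags, 8192, 0, 0)
    return hdr + options + payload


# Constructed samples (not captured traffic): MSS 1460, CC.NEW with a
# connection count of 42, two NOPs of padding.
SAMPLE_SYN_CCNEW = build_segment(
    1234, 80, FLAG_SYN,
    bytes([OPT_MSS, 4, 0x05, 0xB4, OPT_CC_NEW, 6, 0, 0, 0, 42, OPT_NOP, OPT_NOP]))
SAMPLE_SYN_DATA = build_segment(1235, 80, FLAG_SYN, b"", b"GET / HTTP/1.0\r\n\r\n")
SAMPLE_PLAIN_SYN = build_segment(1236, 80, FLAG_SYN, bytes([OPT_MSS, 4, 0x05, 0xB4]))


def scan(segments) -> dict:
    """Map source port to findings for every segment that has any."""
    out = {}
    for raw in segments:
        seg = parse_tcp_segment(raw)
        hits = classify(seg)
        if hits:
            out[seg.src_port] = hits
    return out


if __name__ == "__main__":
    for port, hits in scan([SAMPLE_SYN_CCNEW, SAMPLE_SYN_DATA, SAMPLE_PLAIN_SYN]).items():
        print(port, hits)
```

Run over captured TCP payloads (the bytes after the IP header) the same way; a CC.NEW on every SYN from one address, combined with the varying User-Agent strings Knut mentions, fits a device in front of several clients rather than a single host.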
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
