Firewall Wizards mailing list archives

Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port


From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Wed, 12 Jan 2005 10:55:47 +0100

SYN+ACK flags on the first packet could mean T/TCP (similar to TCP without the 3-way handshake; it is described in TCP/IP Illustrated vol. 3 by Stevens, I can't remember the RFC number). This packet could even contain data (i.e. GET /) and the PSH & FIN flags; the second packet could be a SYN+ACK+FIN+PSH+data (i.e. the web page), and the acknowledgement number should be the first packet's SYN number + 1 + payload length. In short: an almost standard TCP session in 2 or 3 packets! If the server does not support T/TCP, it will send an acknowledgement = SYN + 1 or nothing, which means: let's continue with standard TCP. If the PIX answers these packets, it may simply mean it supports T/TCP (which is only useful for short sessions such as most HTTP). T/TCP is not really less secure than TCP; they basically share the same vulnerabilities.
T/TCP may be less spoofing resistant.

Smith, Aaron wrote:

Sent to PIX:
hping2 -S -A -c 1 -p 22 aaa.bbb.ccc.ddd

Reply from PIX:
len=46 ip=aaa.bbb.ccc.ddd ttl=254 id=25026 sport=22 flags=SA seq=0 win=4096 rtt=0.3 ms


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
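Added illustration, not part of the thread: a small Python helper that parses the hping2 reply line quoted above, classifies what a reply to an unsolicited SYN+ACK probe means against the RFC 793 expectation (a listening port with no matching connection answers a segment carrying ACK with a RST, and silence usually means the probe was filtered), and computes the acknowledgement number a T/TCP responder (RFC 1644, the protocol the post describes) would return using the arithmetic from the post. The function names are my own, the sample line is the one from the thread, and the "syn-ack-anomaly" label only records that the reply is non-standard; whether that is T/TCP support or a middlebox answering SYN+ACK regardless is exactly the open question in the thread.

```python
import re
from typing import Dict, FrozenSet

# Constructed sample: the hping2 reply line quoted in the thread, with the
# address anonymised exactly as the original poster wrote it.
SAMPLE_REPLY = ("len=46 ip=aaa.bbb.ccc.ddd ttl=254 id=25026 sport=22 "
                "flags=SA seq=0 win=4096 rtt=0.3 ms")

# hping2 prints TCP flags as single letters; this is the mapping it uses.
FLAG_NAMES = {"S": "SYN", "A": "ACK", "R": "RST",
              "F": "FIN", "P": "PSH", "U": "URG"}

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_hping_reply(line: str) -> Dict[str, str]:
    """Parse an hping2 'key=value key=value ...' reply line into a dict.
    Only key=value pairs are kept, so the trailing 'ms' unit of rtt is
    dropped and rtt holds just the number."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def flag_set(flags: str) -> FrozenSet[str]:
    """Expand hping2's flag letters ('SA') into flag names ({'SYN', 'ACK'})."""
    return frozenset(FLAG_NAMES.get(letter, letter) for letter in flags)


def classify_syn_ack_probe_reply(reply: Dict[str, str]) -> str:
    """Interpret the reply to a SYN+ACK probe (hping2 -S -A) on an open port.

    RFC 793 (section 3.9, LISTEN state): any segment carrying ACK that
    arrives with no matching connection is answered with a RST. So RST is
    the textbook answer; a SYN+ACK back is non-standard and is what the
    thread is trying to explain (T/TCP support or middlebox behaviour)."""
    flags = flag_set(reply.get("flags", ""))
    if "RST" in flags:
        return "rfc793-rst"
    if {"SYN", "ACK"} <= flags:
        return "syn-ack-anomaly"
    return "other"


def expected_ttcp_ack(first_seq: int, payload_len: int, fin: bool = False) -> int:
    """Acknowledgement number a T/TCP responder should return for a first
    segment carrying SYN, payload and optionally FIN.

    This is the post's formula (SYN number + 1 + payload length) plus one
    more when FIN is set, since SYN and FIN each consume one sequence
    number and data consumes one per byte. Result wraps at 32 bits."""
    return (first_seq + 1 + payload_len + (1 if fin else 0)) & 0xFFFFFFFF


if __name__ == "__main__":
    reply = parse_hping_reply(SAMPLE_REPLY)
    print("parsed:", reply)
    print("verdict:", classify_syn_ack_probe_reply(reply))
    # Hypothetical T/TCP first segment: seq 0, 6 bytes of "GET /\n", FIN set.
    print("T/TCP ack expected for seq=0, 6 bytes, FIN:", expected_ttcp_ack(0, 6, fin=True))
```

The classifier deliberately returns a label rather than a conclusion: run against a capture of replies to several probe types (plain SYN, plain ACK, SYN+ACK), a device that returns SYN+ACK only to SYN+ACK looks like T/TCP, while one that returns SYN+ACK to everything on an open port looks like a proxying middlebox. Either way it is a fingerprint worth knowing about the perimeter, which is why the original question was asked.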

