Re: [fw-wiz] Source of T/TCP traffic

From: Knut Bjornstad (kbjo_at_interpost.no)
Date: 09/09/03

  • Next message: Dave Killion: "RE: [fw-wiz] Source of T/TCP traffic"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 9 Sep 2003 14:29:42 +0200
    
    

    On Tue, Sep 09, 2003 at 02:22:58PM +0200, Volker Tanger wrote:
    > Greetings!
    >
    > On Tue, 9 Sep 2003 Knut Bjornstad <kbjo@interpost.no> wrote:
    >
    > > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on
    > > this is no problem in itself - I can easily disable them. But when I
    > > try to analyze the traffic, it seems like ordinary web traffic from
    > > various MS IE sources.
    >
    > Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually
    > newer IE try to send the HTTP request already in the SYN packet (or was
    > it first sending an ACK packet with the request?) ignoring the usual
    > need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection.
    >
    > While the IIS answers directly other servers respond with a RST, upon
    > which the IIS starts anew with the standard 3-way handshake. This way
    > a MS-IE/MS-IIS pair has a small speed advantage over standard clients
    > or servers. It's called improving industry standards, I fear.
    >
    > If this is the traffic you see, you can safely ignore it (as MS-IE
    > does).
    >
    > HTH
    >
    > Volker Tanger
    What I see is SYN packets with the ccnew TCP option set. I don't see a
    full TAO since we don't have T/TCP. I do not fully know the MS-IE/IIS
    speedup hack, but that is different isn't it?

    I have some indication that this is some netdevice changing the traffic.
    The browser field in my access logs report varying versions of MSIE, so
    I think the adresses are NAT'ed for several clients.

    -- 
    --Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
    --kbjo@interpost.no -- t:47 23 14 53 36 -- mob: 901 15 917 --
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Dave Killion: "RE: [fw-wiz] Source of T/TCP traffic"