RE: [fw-wiz] Source of T/TCP traffic

From: Dave Killion (Dkillion_at_netscreen.com)
Date: 09/09/03

    To: "'Knut Bjornstad'" <kbjo@interpost.no>, firewall-wizards@honor.icsalabs.com
    Date: Tue, 9 Sep 2003 09:18:30 -0700
    
    
    

    From what I've seen, and I could be dead wrong, IIS and IE form a
    T/TCP bond when connecting. IE will actually try T/TCP first, and fall
    back to normal TCP after failing. This is how IIS-served webpages load so
    quickly on IE. You can tell when you're loading a non-IIS served page
    with IE because there's a bit of a pause while T/TCP fails.

    So three cheers to Microsoft for putting this half-dead protocol on life
    support. ;)

    Dave Killion
    Senior Security Engineer
    Security Group, NetScreen Technologies, Inc.

    -----Original Message-----
    From: Knut Bjornstad [mailto:kbjo@interpost.no]
    Sent: Tuesday, September 09, 2003 4:23 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Source of T/TCP traffic

    Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
    are no problem in themselves - I can easily disable them. But when I try to
    analyze the traffic, it seems like ordinary web traffic from various MS
    IE sources. Now T/TCP is - according to my impression - a half-dead
    attempt at speeding up TCP, and nothing I would associate with this kind
    of everyday events. My theory is that this is caused by some firewall or
    similar product that modifies outgoing traffic by adding the necessary
    TCP option to the packets.

    First question: Does anyone in this forum know of a product that does
    something like that (I suspect something from Checkpoint, but I am not
    sure about that)?

    Second question: Given that T/TCP has problematic security, can ordinary
    firewalls handle the protocol by setting up relevant rules?

    --
    --Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
    --kbjo@interpost.no -- t:47 23 14 53 36 -- mob: 901 15 917 --
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
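
An added example (not part of the original thread) of the kind of check an IDS applies to the traffic discussed above: it parses the TCP options of a raw segment and reports the T/TCP connection-count options from RFC 1644 (CC, CC.NEW, CC.ECHO, option kinds 11 to 13) as well as payload carried on a SYN. The function names, ports, sequence numbers and sample segments are constructed for illustration.

```python
import struct

# T/TCP connection-count options from RFC 1644 (kind -> name); each carries a 4-byte value.
TTCP_OPTIONS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}
FIN, SYN = 0x01, 0x02

def parse_tcp_options(raw):
    """Yield (kind, data) pairs from the option bytes of a TCP header."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        yield kind, raw[i + 2:i + length]
        i += length

def ttcp_indicators(segment):
    """Return the T/TCP indicators found in one raw TCP segment (header + payload)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (offset_flags >> 12) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    found = []
    for kind, data in parse_tcp_options(segment[20:header_len]):
        if kind in TTCP_OPTIONS and len(data) == 4:
            found.append(f"{TTCP_OPTIONS[kind]}={struct.unpack('!I', data)[0]}")
    if offset_flags & SYN and segment[header_len:]:
        found.append("data-on-SYN")        # a normal handshake SYN carries no payload
    return found

def build_segment(flags, options=b"", payload=b""):
    """Construct a sample TCP segment; ports and sequence numbers are made up."""
    options += b"\x01" * (-len(options) % 4)   # pad options to a 32-bit boundary
    offset_flags = ((20 + len(options)) // 4 << 12) | flags
    header = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0, offset_flags, 8192, 0, 0)
    return header + options + payload

# Constructed samples: an ordinary SYN (MSS only) and a T/TCP-style SYN+FIN with CC=7 and data.
PLAIN_SYN = build_segment(SYN, b"\x02\x04\x05\xb4")
TTCP_SYN = build_segment(SYN | FIN, b"\x02\x04\x05\xb4\x01\x01\x0b\x06\x00\x00\x00\x07",
                         b"GET / HTTP/1.0\r\n\r\n")
```

Running `ttcp_indicators` over the first segment of each flow in a capture separates clients that really send the CC options from ordinary SYNs that an IDS signature may be matching too loosely.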
    
    
