Re: [fw-wiz] Source of T/TCP traffic

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 09/09/03

    To: Knut Bjornstad <kbjo@interpost.no>
    Date: Tue, 09 Sep 2003 23:13:57 +0200

    Knut Bjornstad wrote:
    >
    > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
    > is no problem in itself - I can easily disable them. But when I try to
    > analyze the traffic, it seems like ordinary web traffic from various MS
    > IE sources. Now T/TCP is - according to my impression - a half-dead
    > attempt at speeding up TCP, and nothing I would associate with this kind
    > of everyday events. My theory is that this is caused by some firewall or
    > similar product that modifies outgoing traffic by adding the necessary
    > TCP option to the packets.
    > First question: Does anyone in this forum know of a product that does
    > something like that (I suspect something from Checkpoint, but I am not
    > sure about that)?

    Question: Are you sure that this is actually T/TCP you're seeing?
    T/TCP uses fairly obvious TCP options, as per
    http://www.ietf.org/rfc/rfc1644.txt

    Or are you seeing things more along the lines of
    http://pix.cs.olemiss.edu/csci561/slash.html ?
    (IE/IIS violating TCP to make things go faster, which results
     in IE actually becoming _slower_ with non-IIS servers.
     Go figure.)

    > Second question: Given that T/TCP has problematic security, can
    > ordinary firewalls handle the protocol by setting up relevant
    > rules?

    Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
    as well as Microsoft's optimizations from working.

    T/TCP, by its design, reintroduces blind TCP spoofing
    vulnerabilities, and there's nothing any firewall can
    do about it -- except for blocking T/TCP and forcing the
    connection to fall back to plain old TCP, that is, which
    works just fine.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
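One way to settle the first point above, whether a captured segment really carries the RFC 1644 options, is to walk the TCP option list and look for CC, CC.NEW and CC.ECHO (option kinds 11, 12 and 13, 6 bytes each). This is an added example, not code from the original post or from any product mentioned in the thread; the sample SYN headers are constructed inline, and the `build_syn` helper is a hypothetical convenience for building them without an IP header or checksum.

```python
import struct

# T/TCP option kinds from RFC 1644 section 3.1: kind, length (6), 32-bit connection count.
TTCP_OPTIONS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_options(segment: bytes):
    """Return [(kind, payload_bytes), ...] from a raw TCP segment (header bytes suffice)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, out, i = segment[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            break
        if kind == 1:                              # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind without length")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def ttcp_options(segment: bytes):
    """Return the T/TCP options present as {name: connection_count}; empty if none."""
    found = {}
    for kind, payload in parse_tcp_options(segment):
        if kind in TTCP_OPTIONS and len(payload) == 4:
            found[TTCP_OPTIONS[kind]] = struct.unpack("!I", payload)[0]
    return found


def build_syn(options: bytes, sport=40000, dport=80) -> bytes:
    """Hypothetical helper: constructed TCP SYN header carrying `options` (no IP header, checksum 0)."""
    options += b"\x01" * ((-len(options)) % 4)     # NOP-pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, 0x02, 8192, 0, 0) + options


# Constructed samples: a T/TCP SYN (MSS + CC.NEW with connection count 42) and a plain SYN (MSS + SACK-permitted).
TTCP_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x0c\x06" + struct.pack("!I", 42))
PLAIN_SYN = build_syn(b"\x02\x04\x05\xb4\x04\x02")

if __name__ == "__main__":
    print("T/TCP options in sample SYN:", ttcp_options(TTCP_SYN))   # {'CC.NEW': 42}
    print("T/TCP options in plain SYN:", ttcp_options(PLAIN_SYN))   # {}
```

A segment whose option list contains none of kinds 11 to 13 is not T/TCP, whatever else is unusual about it, which is the distinction the reply asks the poster to make before attributing the alerts to a product.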