Re: [fw-wiz] Source of T/TCP traffic

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 09/09/03

  • Next message: Pete Capelli: "RE: [fw-wiz] Authentication on PIX."
    To: Knut Bjornstad <kbjo@interpost.no>
    Date: Tue, 09 Sep 2003 23:13:57 +0200
    
    

    Knut Bjornstad wrote:
    >
    > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
    > is no problem in itself - I can easily disable them. But when I try to
    > analyze the traffic, it seems like ordinary web traffic from various MS
    > IE sources. Now T/TCP is - according to my impression - a half-dead
    > attempt at speeding up TCP, and nothing I would associate with this kind
    > of everyday events. My theory is that this is caused by some firewall or
    > similar product that modifies outgoing traffic by adding the necessary
    > TCP option to the packets.
    > First question: Does anyone in this forum know of a product that does
    > something like that (I suspect something from Checkpoint, but I am not
    > sure about that)?

    Question: Are you sure that this is actually T/TCP you're seeing?
    T/TCP uses fairly obvious TCP options, as per
    http://www.ietf.org/rfc/rfc1644.txt

    Or are you seeing things more along the lines of
    http://pix.cs.olemiss.edu/csci561/slash.html ?
    (IE/IIS violating TCP to make things go faster, which results
     in IE actually becoming _slower_ with non-IIS servers.
     Go figure.)

    > Second question: Given that T/TCP has problematic security, can
    > ordinary firewalls handle the protocol by setting up relevant
    > rules?

    Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
    as well as Microsoft's optimizations from working.

    T/TCP, by its design, reintroduces blind TCP spoofing
    vulnerabilities, and there's nothing any firewall can
    do about it -- except for blocking T/TCP and forcing the
    connection to fall back to plain old TCP, that is, which
    works just fine.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
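Since the CC-family options Mikael points to are what distinguishes T/TCP on the wire, one way to confirm what the IDS is really seeing is to pull the options out of the raw TCP header. This is an added example, not code from the thread; the sample headers are constructed, and the ports, sequence numbers and checksum in them are placeholders.

```python
import struct

# TCP option kinds defined by RFC 1644 (T/TCP), each 6 bytes long:
# CC (11), CC.NEW (12) and CC.ECHO (13) carry the 32-bit connection count.
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}
TCP_SYN = 0x02


def parse_tcp_options(tcp_header: bytes) -> list:
    """Parse the options area of a raw TCP header into (kind, data) pairs.
    Stops at EOL, skips NOP and bails out on truncated or malformed lengths."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:              # EOL: end of option list
            break
        if kind == 1:              # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):     # kind byte with no length byte
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                  # malformed or truncated option
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def ttcp_options(tcp_header: bytes) -> list:
    """Names of any RFC 1644 CC-family options present in the header."""
    return [TTCP_OPTION_KINDS[k] for k, _ in parse_tcp_options(tcp_header)
            if k in TTCP_OPTION_KINDS]


def build_tcp_header(flags: int, options: bytes) -> bytes:
    """Assemble a minimal TCP header; ports, sequence numbers, window and
    checksum are constructed placeholders, only offset and options matter."""
    options += b"\x00" * (-len(options) % 4)           # pad to 32-bit words
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


# Constructed samples: a T/TCP open (SYN + CC.NEW) and a plain SYN with MSS.
TTCP_SYN = build_tcp_header(TCP_SYN, struct.pack("!BBI", 12, 6, 0x00000ABC))
PLAIN_SYN = build_tcp_header(TCP_SYN, struct.pack("!BBH", 2, 4, 1460))
```

A SYN that carries no CC-family option but still trips the sensor is not T/TCP, and the cause is more likely the kind of handshake deviation Mikael's second link describes.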
    
