Re: [fw-wiz] Source of T/TCP traffic
From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 09/09/03
- Previous message: Knut Bjornstad: "Re: [fw-wiz] Source of T/TCP traffic"
- In reply to: Knut Bjornstad: "[fw-wiz] Source of T/TCP traffic"
To: Knut Bjornstad <kbjo@interpost.no>
Date: Tue, 09 Sep 2003 23:13:57 +0200
Knut Bjornstad wrote:
>
> Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
> are no problem in themselves - I can easily disable them. But when I try to
> analyze the traffic, it seems like ordinary web traffic from various MS
> IE sources. Now T/TCP is - according to my impression - a half-dead
> attempt at speeding up TCP, and nothing I would associate with this kind
> of everyday events. My theory is that this is caused by some firewall or
> similar product that modifies outgoing traffic by adding the necessary
> TCP option to the packets.
> First question: Does anyone in this forum know of a product that does
> something like that (I suspect something from Checkpoint, but I am not
> sure about that)?
Question: Are you sure that this is actually T/TCP you're seeing?
T/TCP uses fairly obvious TCP options, as per
http://www.ietf.org/rfc/rfc1644.txt
Or are you seeing things more along the lines of
http://pix.cs.olemiss.edu/csci561/slash.html ?
(IE/IIS violating TCP to make things go faster, which results
in IE actually becoming _slower_ with non-IIS servers.
Go figure.)
> Second question: Given that T/TCP has problematic security, can
> ordinary firewalls handle the protocol by setting up relevant
> rules?
Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
as well as Microsoft's optimizations from working.
T/TCP, by its design, reintroduces blind TCP spoofing
vulnerabilities, and there's nothing any firewall can
do about it -- except for blocking T/TCP and forcing the
connection to fall back to plain old TCP, that is, which
works just fine.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
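One way to settle Mikael's first question (is the IDS really seeing T/TCP?) is to walk the TCP option block of the SYN and look for the RFC 1644 option kinds CC (11), CC.NEW (12) and CC.ECHO (13). The Python below is an added example, not code from the thread; the sample headers it builds are constructed (ports, sequence number and the connection count 42 are made up).

```python
import struct

# RFC 1644 option kinds; each is 6 bytes: kind, length, 4-byte connection count.
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}

def parse_tcp_options(tcp_header: bytes) -> list:
    """Return (kind, payload) for every option; header starts at the source port."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP, single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def ttcp_options(tcp_header: bytes) -> list:
    """Names and connection-count values of any T/TCP options present."""
    found = []
    for kind, payload in parse_tcp_options(tcp_header):
        if kind in TTCP_OPTION_KINDS and len(payload) == 4:
            found.append((TTCP_OPTION_KINDS[kind], struct.unpack("!I", payload)[0]))
    return found

def build_syn(options: bytes) -> bytes:
    """Constructed sample: a SYN from port 40000 to 80 carrying the given options."""
    padded = options + b"\x00" * (-len(options) % 4)
    offset_words = 5 + len(padded) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset_words << 4, 0x02, 8192, 0, 0)
    return hdr + padded

# Constructed samples: a plain MSS-only SYN and a T/TCP SYN that also carries CC.NEW=42.
PLAIN_SYN = build_syn(b"\x02\x04\x05\xb4")
TTCP_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x0c\x06" + struct.pack("!I", 42))
```

A SYN that yields an empty list from `ttcp_options` but still trips the IDS rule points at the IE/IIS behaviour Mikael links rather than at genuine T/TCP.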