Re: [fw-wiz] Source of T/TCP traffic
From: Mikael Olsson (mikael.olsson_at_clavister.com)
To: Knut Bjornstad <firstname.lastname@example.org>
Date: Tue, 09 Sep 2003 23:13:57 +0200
Knut Bjornstad wrote:
> Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
> are no problem in themselves - I can easily disable them. But when I try to
> analyze the traffic, it seems like ordinary web traffic from various MS
> IE sources. Now T/TCP is - according to my impression - a half-dead
> attempt at speeding up TCP, and nothing I would associate with this kind
> of everyday events. My theory is that this is caused by some firewall or
> similar product that modifies outgoing traffic by adding the necessary
> TCP option to the packets.
> First question: Does anyone in this forum know of a product that does
> something like that (I suspect something from Checkpoint, but I am not
> sure about that)?
Question: Are you sure that this is actually T/TCP you're seeing?
T/TCP uses fairly obvious TCP options, as per
Or are you seeing things more along the lines of
(IE/IIS violating TCP to make things go faster, which results
in IE actually becoming _slower_ with non-IIS servers.)
> Second question: Given that T/TCP has problematic security, can
> ordinary firewalls handle the protocol by setting up relevant
Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
as well as Microsoft's optimizations from working.
T/TCP, by its design, reintroduces blind TCP spoofing
vulnerabilities, and there's nothing any firewall can
do about it -- except for blocking T/TCP and forcing the
connection to fall back to plain old TCP, that is, which
works just fine.
-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
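As an added example (not part of this thread or of any product mentioned in it), here is the kind of check Mikael's first question calls for when verifying an IDS alert: parse the TCP header's option list and report whether a segment actually carries T/TCP markers, i.e. the RFC 1644 CC/CC.NEW/CC.ECHO options (kinds 11-13) or data on a bare SYN, as opposed to the ordinary MSS/SACK/timestamp options a browser sends. The two sample segments are constructed; the checksum is left zero.

```python
import struct

# TCP option kinds 11/12/13 are the RFC 1644 T/TCP connection-count options.
TTCP_OPTIONS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}
FLAG_SYN, FLAG_ACK = 0x02, 0x10

def parse_tcp_options(raw):
    """Walk a TCP option list into (kind, value) pairs. EOL (0) ends the
    list, NOP (1) is one byte, every other kind carries a length octet."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:
        if raw[i] == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        opts.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts

def classify_tcp_segment(segment):
    """Report the T/TCP markers in one TCP segment (header + payload):
    CC* options in the header, or data carried on a bare SYN."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    opts = parse_tcp_options(segment[20:header_len])
    cc = [TTCP_OPTIONS[k] for k, _ in opts if k in TTCP_OPTIONS]
    syn_data = bool(flags & FLAG_SYN and not flags & FLAG_ACK
                    and len(segment) > header_len)
    return {"cc_options": cc, "syn_with_data": syn_data,
            "is_ttcp": bool(cc) or syn_data}

def build_segment(flags, options=b"", payload=b""):
    """Constructed-sample builder: minimal TCP header, checksum left zero."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32 bits
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 65535, 0, 0)
    return hdr + options + payload

# Constructed samples: a browser-style SYN (MSS, NOP, NOP, SACK-permitted,
# timestamps) and a T/TCP-style SYN carrying CC.NEW plus an HTTP request.
PLAIN_SYN = build_segment(FLAG_SYN, b"\x02\x04\x05\xb4\x01\x01\x04\x02"
                          b"\x08\x0a" + b"\x00" * 8)
TTCP_SYN = build_segment(FLAG_SYN, b"\x02\x04\x05\xb4\x0c\x06\x00\x00\x00\x2a",
                         b"GET / HTTP/1.0\r\n\r\n")
```

Run `classify_tcp_segment()` over the TCP layer of the segments the IDS flagged; a result with no CC options and no SYN payload means the alert is not describing RFC 1644 traffic.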