Re: [fw-wiz] PIX responding with SYN+ACK to SYN+ACK probe sent on open port

From: stephane nasdrovisky (stephane.nasdrovisky_at_paradigmo.com)
Date: 01/12/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 12 Jan 2005 10:55:47 +0100
    
    

    syn+ack flags on the first packet could mean t/tcp (similar to tcp
    without the 3 way handshake, it is described in tcp/ip vol 3 by stevens,
    I can't remember the rfc number). This packet could even contain data
    (i.e. GET /) and the psh & fin flags; the second packet could be a
    syn+ack+fin+psh+data (i.e. the web page), the acknowledge number should
    be the first packet's syn number + 1 + payload length.
    In short: an almost standard tcp session in 2 or 3 packets! If the
    server does not support t/tcp, it will send an acknowledge=syn+1 or
    nothing, which means: let's continue with standard tcp.
    If pix answers these packets, it may simply mean it supports t/tcp (which
    is only useful for short sessions such as most http). t/tcp is not
    really less secure than tcp, they basically share the same vulnerabilities.
    t/tcp may be less spoofing resistant.

    Smith, Aaron wrote:

    >Sent to PIX:
    >hping2 -S -A -c 1 -p 22 aaa.bbb.ccc.ddd
    >
    >Reply from PIX:
    >len=46 ip=aaa.bbb.ccc.ddd ttl=254 id=25026 sport=22 flags=SA seq=0 win=4096 rtt=0.3 ms
    >
    >
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
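
An added example, not part of the original message or the list archive: a Python sketch that labels the reply to a first packet carrying SYN (plus optional ACK and data) by comparing the reply's flags and acknowledgment number against the values the message describes, for use when reviewing a capture of such an exchange. The function names, labels and sample segments are assumptions constructed for illustration; the 32-bit wraparound handling goes slightly beyond the case in the text.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_segment(seq, ack, flags, payload=b"", sport=40000, dport=80):
    """Pack a minimal 20-byte TCP header (no options, checksum 0) plus payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 4096, 0, 0) + payload

def parse_segment(raw):
    """Return (seq, ack, flags, payload) from a raw TCP segment."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _, _, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4
    if not 20 <= header_len <= len(raw):
        raise ValueError("bad data offset")
    return seq, ack, off_flags & 0x3F, raw[header_len:]

def classify_reply(probe_raw, reply_raw):
    """Label the reply to a first packet that carries SYN and optional data."""
    p_seq, p_ack, p_flags, p_data = parse_segment(probe_raw)
    if not p_flags & SYN:
        raise ValueError("probe is not a first packet (no SYN)")
    if reply_raw is None:
        return "no reply"
    r_seq, r_ack, r_flags, _ = parse_segment(reply_raw)
    if r_flags & RST:
        # RFC 793, LISTEN state: a segment bearing ACK is reset with SEQ = SEG.ACK
        if p_flags & ACK and r_seq != p_ack:
            return "reset, unexpected seq"
        return "reset"
    if not r_flags & ACK:
        return "no acknowledgment"
    syn_only = (p_seq + 1) % 2**32                  # SYN acknowledged, data ignored
    syn_data = (p_seq + 1 + len(p_data)) % 2**32    # formula as given in the message
    if p_data and r_ack == syn_data:
        return "syn and data acknowledged"
    if r_ack == syn_only:
        return "syn acknowledged"
    return "unexpected acknowledgment"
```
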

