Re: TCP: a practical question



At 07:55 p.m. 17/01/2008, you wrote:

The TCP specification (RFC 793) mentions a simultaneous open and
its use in distributed setups.
In this case the handshake would proceed as follows:

C -> S (Syn) .. 1
S -> C (Syn) .. 2
(1 and 2 happen almost simultaneously)
C -> S (Syn|Ack)
S -> C (Syn|Ack)

My question is: do we see this behavior in the practical world?

No, it is not.

Firstly, usually only clients perform an active open of a connection (i.e., send a "SYN"). This has to do with the Client/Server model. Therefore, you won't see a SYN coming from the server.

Secondly, both SYNs should "cross in the network". This is unlikely.

Thirdly, in order for a simultaneous open to take place, not only should both systems send SYNs that cross each other in the network, but the client's source port should match the server's destination port, and the client's destination port should match the server's source port. This is usually unlikely.

Kind regards,

--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
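
Added example, not part of the original message: a small Python check that an IDS-style tool could run over packet summaries to flag a simultaneous open, using the two conditions from the reply above (bare SYNs crossing in both directions, and mirrored source/destination ports). The `Pkt` record, the `window` parameter and the sample packets are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical packet summary record; fields are assumptions for this example.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")
SYN, ACK = 0x02, 0x10  # TCP flag bits

def find_simultaneous_opens(packets, window=1.0):
    """Return the 4-tuples on which a bare SYN was seen in each direction
    within `window` seconds, before any SYN|ACK answered the first one."""
    pending = {}  # (src, sport, dst, dport) -> time of unanswered bare SYN
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)  # mirrored addresses and ports
        if p.flags & SYN and not p.flags & ACK:
            if rev in pending and p.ts - pending[rev] <= window:
                hits.append(rev)   # report in the direction of the first SYN
                del pending[rev]
            else:
                pending[key] = p.ts
        elif p.flags & SYN and p.flags & ACK:
            pending.pop(rev, None)  # ordinary handshake: the SYN was answered
    return hits

# Constructed sample traffic (not from a real capture).
SAMPLE = [
    # Normal three-way handshake
    Pkt(0.000, "10.0.0.1", 40000, "10.0.0.2", 80, SYN),
    Pkt(0.001, "10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK),
    Pkt(0.002, "10.0.0.1", 40000, "10.0.0.2", 80, ACK),
    # Simultaneous open: SYNs cross and the ports are mirrored
    Pkt(1.000, "10.0.0.3", 5000, "10.0.0.4", 6000, SYN),
    Pkt(1.001, "10.0.0.4", 6000, "10.0.0.3", 5000, SYN),
    Pkt(1.002, "10.0.0.3", 5000, "10.0.0.4", 6000, SYN | ACK),
    Pkt(1.003, "10.0.0.4", 6000, "10.0.0.3", 5000, SYN | ACK),
    # SYNs in both directions, but ports not mirrored: two separate attempts
    Pkt(2.000, "10.0.0.5", 5000, "10.0.0.6", 6000, SYN),
    Pkt(2.001, "10.0.0.6", 7000, "10.0.0.5", 5000, SYN),
]

if __name__ == "__main__":
    for tup in find_simultaneous_opens(SAMPLE):
        print("simultaneous open on", tup)
```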




