Re: TCP: a practical question



I think you're referring to a part of the RFC that is attempting to describe
passive and active opens. They were just making a point that both TCPs could
establish connections at the same time in opposite directions on the same
service port without failure.

IMO, this kind of asynchronous communication over multiple sockets within an
application is quite common though something of a pain to maintain as NATs
and other translation layers will often break at least one direction of the
packet flow.



On 1/17/08 4:55 PM, "snort user" <snort.user@xxxxxxxxx> wrote:

Greetings.

Normally TCP connection establishment is a three packet sequence.

C -> S (Syn)
S -> C (Syn|Ack)
C -> S (Ack)

The TCP specification (RFC 793) mentions a simultaneous open and
its use in distributed setups.
In this case the handshake would proceed as follows:

C -> S (Syn) .. 1
S -> C (Syn) .. 2
(1 and 2 happen almost simultaneously)
C -> S (Syn|Ack)
S -> C (Syn|Ack)

My question is: do we see this behavior in the practical world?

Thanks
Ashley

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



--

Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam@xxxxxxxxxxx
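
An added example, not part of either message above: a minimal flow classifier, in the style of IDS connection tracking, that tells the three-packet handshake from the RFC 793 simultaneous open laid out in the question. The packet records, addresses, ports and sequence numbers are constructed, and the names `Pkt`, `nxt` and `classify_handshakes` are hypothetical.

```python
from collections import namedtuple

# Constructed packet record: src/dst are (ip, port) tuples, flags a frozenset.
Pkt = namedtuple("Pkt", "src dst flags seq ack")
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

def nxt(seq):
    return (seq + 1) & 0xFFFFFFFF  # sequence numbers wrap at 2**32

def classify_handshakes(packets):
    """Map each connection (unordered endpoint pair) to its handshake type."""
    flows = {}
    for p in packets:
        key = tuple(sorted((p.src, p.dst)))  # one key for both directions
        st = flows.setdefault(key, {"syn": {}, "synack": {}, "acked": set()})
        if p.flags == SYN:
            st["syn"].setdefault(p.src, p.seq)  # sender's initial sequence number
        elif p.flags == SYNACK:
            # Count a SYN|ACK only if it acknowledges the peer's ISN + 1.
            if p.dst in st["syn"] and p.ack == nxt(st["syn"][p.dst]):
                st["synack"][p.src] = p.seq
        elif p.flags == ACK:
            # The third packet of a normal open acknowledges the SYN|ACK.
            if p.dst in st["synack"] and p.ack == nxt(st["synack"][p.dst]):
                st["acked"].add(p.src)
    result = {}
    for key, st in flows.items():
        if all(e in st["syn"] and e in st["synack"] for e in key):
            result[key] = "simultaneous-open"  # SYN and SYN|ACK from both sides
        elif len(st["syn"]) == 1 and any(e in st["syn"] for e in st["acked"]):
            result[key] = "three-way"          # one SYN, SYN|ACK, final ACK
        else:
            result[key] = "incomplete"
    return result

# Constructed traces (addresses, ports and sequence numbers are made up).
A, B = ("192.0.2.1", 5000), ("192.0.2.2", 5000)
C, S = ("192.0.2.3", 40000), ("192.0.2.4", 80)
SIMULTANEOUS = [Pkt(A, B, SYN, 100, None), Pkt(B, A, SYN, 300, None),
                Pkt(A, B, SYNACK, 100, 301), Pkt(B, A, SYNACK, 300, 101)]
THREE_WAY = [Pkt(C, S, SYN, 100, None), Pkt(S, C, SYNACK, 300, 101),
             Pkt(C, S, ACK, 101, 301)]

if __name__ == "__main__":
    for flow, kind in classify_handshakes(SIMULTANEOUS + THREE_WAY).items():
        print(flow, kind)
```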

