Re: TCP: a practical question



Hi Ashley -

I remember Dan Kaminsky talking about implementing this with Anyron at
CodeCon 2002; I'm not sure if it ever saw the light of day, though...

http://www.codecon.org/2002/program.html#gateway

John

On Thu, Jan 17, 2008 at 04:55:56PM -0500, snort user wrote:
Greetings.

Normally TCP connection establishment is a three packet sequence.

C -> S (Syn)
S -> C (Syn|Ack)
C -> S (Ack)

The TCP specification (RFC 793) mentions a simultaneous open and
its use in distributed setups.
In this case the handshake would proceed as follows:

C -> S (Syn) .. 1
S -> C (Syn) .. 2
(1 and 2 happen almost simultaneously)
C -> S (Syn|Ack)
S -> C (Syn|Ack)

My question is: do we see this behavior in the practical world?

Thanks
Ashley

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
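
Added example, not part of either message above: a small classifier that tells the three-packet handshake from the RFC 793 simultaneous open by tracking bare SYNs, SYN|ACKs and acknowledgment numbers, as a sensor rebuilding flow state would. The `Pkt` record, the endpoint labels and the sequence numbers are constructed for illustration, and the code assumes it is given the packets of a single flow in wire order.

```python
from collections import namedtuple

# Constructed record: the header fields a sensor would extract per packet.
Pkt = namedtuple("Pkt", "src dst flags seq ack")
SYN, ACK = 0x02, 0x10

def classify_handshake(pkts):
    """Classify the opening packets of one flow between two endpoints."""
    isn = {}          # endpoint -> initial sequence number it chose
    bare_syn = set()  # endpoints that sent SYN without ACK
    syn_ack = set()   # endpoints that sent SYN|ACK
    acked = set()     # endpoints whose SYN the peer has acknowledged
    for p in pkts:
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn:
            # A SYN|ACK in a simultaneous open reuses the ISN of the bare SYN.
            if isn.setdefault(p.src, p.seq) != p.seq:
                continue
            (syn_ack if ack else bare_syn).add(p.src)
        # A SYN consumes one sequence number, so a valid ACK is ISN + 1 (mod 2^32).
        if ack and p.dst in isn and p.ack == (isn[p.dst] + 1) & 0xFFFFFFFF:
            acked.add(p.dst)
        if len(acked) == 2:
            if len(bare_syn) == 2 and len(syn_ack) == 2:
                return "simultaneous-open"
            if len(bare_syn) == 1 and len(syn_ack) == 1:
                return "three-way"
            return "other"
    return "incomplete"

# Constructed traces matching the two sequences in the message above.
THREE_WAY = [
    Pkt("C", "S", SYN, 100, 0),
    Pkt("S", "C", SYN | ACK, 500, 101),
    Pkt("C", "S", ACK, 101, 501),
]
SIMULTANEOUS = [
    Pkt("C", "S", SYN, 100, 0),
    Pkt("S", "C", SYN, 500, 0),
    Pkt("C", "S", SYN | ACK, 100, 501),
    Pkt("S", "C", SYN | ACK, 500, 101),
]

if __name__ == "__main__":
    print(classify_handshake(THREE_WAY), classify_handshake(SIMULTANEOUS))
```
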

