Re: weird scans from port 80
From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 01/23/03
- Next message: dragon: "what is slpd"
- Previous message: Kasper Dupont: "Re: weird scans from port 80"
- In reply to: Tim Haynes: "Re: weird scans from port 80"
- Next in thread: Silviu Minut: "Re: weird scans from port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Kasper Dupont <kasperd@daimi.au.dk> Date: Thu, 23 Jan 2003 16:36:01 +0100
Tim Haynes wrote:
>
> "Bill K." <bilkay@xxxlocalnet.com> writes:
>
> > In article <3E2ACF08.D4978104@daimi.au.dk>, "Kasper Dupont"
> > <kasperd@daimi.au.dk> wrote:
> >
> >> From RFC 793 page 36:
> >>
> >> As a general rule, reset (RST) must be sent whenever a segment arrives
> >> which apparently is not intended for the current connection.
> >
> > The next sentence reads: "A reset must not be sent if it is not clear that
> > this is the case."
>
> Incidentally, while we're passing by this appalling thread, what is `the
> current connection' supposed to mean in the context of a *NEW* packet??
You need to understand some of the philosophy behind TCP to
answer that question. At boot a computer has aproximately
2^64 connections all in the CLOSED state. Obviously they
cannot all be represented so connections in the CLOSED
state are simply not represented. In other words any
connection not in your table is in the CLOSED state. Every
connection has a fixed pair of peers all of them having
your IP as the local IP, but otherwise the 2^64 connections
have all possible combinations of local IP and remote IP,
port pair. If you have more than one local IP you have more
than 2^64 connections in the CLOSED state.
By opening a socket, binding it to a port, and listening
for connections, you move all the 2^48 possible connections
to the LISTEN state, but that those are represented by only
one entry in your table.
However the discussion are about connections in the CLOSED
state, and as noted previously all connections are initially
in the CLOSED state. In the CLOSED state no packet is
expected, thus no packet can be part of the current
connection. In other words any packet except from those with
a RST bit must be responded with a RST packet.
A connection cannot be moved out of the CLOSED state by a
packet being received. The only way to move a connection out
of the CLOSED state is by a local program beforming some
operation moving it to LISTEN or SYN-SENT state. (IIRC those
are the only two states you can move to from CLOSED.)
The standard does in fact allow multiple connections on the
same local IP:port pair as long as the remote IP:port pair
are different. But AFAIK actual implementations does only
make use of this on the server side. (I cannot see how the
BSD socket API would allow this to be done on the client
side.) The standard does also allow for simultaneously open
where both parties send SYN packets at the same time. That
is however rarely used (I don't know any software using it),
and I do not know if it is supported by Linux.
-- Kasper Dupont -- der bruger for meget tid på usenet. For sending spam use mailto:aaarep@daimi.au.dk for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);
- Next message: dragon: "what is slpd"
- Previous message: Kasper Dupont: "Re: weird scans from port 80"
- In reply to: Tim Haynes: "Re: weird scans from port 80"
- Next in thread: Silviu Minut: "Re: weird scans from port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
