Bugtraq mailing list archives
The TCP Flags Playground
From: ofir () PACKET-TECHNOLOGIES COM (Ofir Arkin)
Date: Mon, 27 Mar 2000 08:29:32 +0200
Ok, once and for all I want to list what certain TCP Flags combinations do:

Host Detection:
Any combination of the ACK bit, except with a RST, would elicit a RST back from a probed machine whether we probe an opened port or a closed one.
SYN+FIN+URG would elicit a RST|ACK back whether we probe an opened port or a closed one.
SYN, SYN+FIN, SYN+PUSH, SYN+URG, SYN+FIN+PUSH, SYN+URG+PUSH, FIN+URG+PUSH+SYN, all will elicit a RST|ACK from a closed port and a SYN|ACK from an opened port.

OS Distinguish:
FIN, FIN+URG+PUSH, URG, URG+PUSH, URG+FIN, PUSH, PUSH+FIN and NULL Flags would all elicit a RST|ACK on a closed port. *NIX machines will not respond when probed for an opened port; Windows machines still reply with RST|ACK.

Filtering Device Present:
If we use one of the Host Detection Combinations and we do not get a reply - a filtering device is present and prevents the probe from going inside the protected "zone" or the reply from coming out.

The Filtering Device is lame:
If the firewall is just a simple packet filter that blocks incoming SYNs then some of the combinations I have listed would elicit a reply. If the firewall is stateful (AND does its job as it should. I have seen some idiotic cases where stateful was not implemented as it should.) nothing should pass it.

Hope this clarifies some questions I have seen people ask on various mailing lists.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin <ofir () packet-technologies com>
Security QA Manager
http://www.packet-technologies.com
Packet Technologies
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The opinions in this message are my own, and not in any way representative of Packet Technologies.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
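Added example, not part of the original post: a detection-side classifier that maps the flags byte of an unsolicited inbound TCP segment to the probe classes listed in the message above and groups the hits by source. The names `classify` and `probe_report`, the class labels and the sample packets are assumptions made for illustration; connection-state tracking is assumed to happen upstream.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify(flags):
    """Map a TCP flags byte to the probe class named in the post."""
    flags &= 0x3F                      # ignore bits above URG
    if flags & RST:
        return "unlisted"              # the post gives no reply for RST probes
    if flags & ACK:
        return "host-detection"        # RST back, open or closed port
    if flags == SYN | FIN | URG:
        return "host-detection"        # RST|ACK back, open or closed port
    if flags & SYN:
        return "port-state"            # SYN|ACK if open, RST|ACK if closed
    return "os-distinguish"            # FIN/URG/PSH subsets and NULL

def probe_report(packets):
    """Group unsolicited inbound segments by source and probe class.

    `packets` is an iterable of (src, dst_port, flags) for segments that
    matched no tracked connection (hypothetical upstream filter).
    A bare SYN is an ordinary connection attempt and is skipped.
    """
    report = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        if flags & 0x3F == SYN:
            continue
        report[src][classify(flags)].add(dport)
    return {s: {k: sorted(v) for k, v in c.items()} for s, c in report.items()}

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", 80, SYN),
    ("192.0.2.10", 80, SYN | FIN),
    ("192.0.2.10", 22, FIN | URG | PSH),
    ("192.0.2.10", 22, 0),
    ("198.51.100.7", 443, ACK),
    ("198.51.100.7", 443, SYN | FIN | URG),
]

if __name__ == "__main__":
    for src, classes in probe_report(SAMPLE).items():
        print(src, classes)
```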