Firewall Wizards mailing list archives

Re: Source of T/TCP traffic

From: Knut Bjornstad <kbjo () interpost no>
Date: Tue, 9 Sep 2003 19:36:43 +0200

On Tue, Sep 09, 2003 at 02:22:58PM +0200, Volker Tanger wrote:

Greetings!

On Tue, 9 Sep 2003 Knut Bjornstad <kbjo () interpost no> wrote:

Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on
this is no problem in itself - I can easily disable them. But when I
try to analyze the traffic, it seems like ordinary web traffic from
various MS IE sources.


Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually
newer IE try to send the HTTP request already in the SYN packet (or was
it first sending an ACK packet with the request?) ignoring the usual
need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection. 

While the IIS answers directly other servers respond with a RST, upon
which the IIS starts anew with the standard 3-way handshake. This way 
a MS-IE/MS-IIS pair has a small speed advantage over standard clients
or servers. It's called improving industry standards, I fear.

If this is the traffic you see, you can safely ignore it (as MS-IE
does).

What I see is not - I repeat not - the cheating MS-IE/IIS speedup hack.
(For this see: http://www.cs.wits.ac.za/~jon/help/email/slash.html )
I see SYN packets with proper CC.NEW TCP options. They come from a
handful of Scandinavian providers serving solid customers. We dont get
anything more of the T/TCP TAO because we have no T/TCP ourselves, and
then what is sending this falls back to ordinary TCP in accordance with
the protocol. Further there is quite clear indications of NAT source
adresses - the browser field in our weblogs vary with the same source among
other things. I am pretty sure this is one or several different devices
inserting T/TCP by rewriting the header - but I lack proof.

So what is this?
-- 
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo () interpost no -- t:47 23 14 53 36 -- mob: 901 15 917 --
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Source of T/TCP traffic Knut Bjornstad (Sep 09)
- Re: Source of T/TCP traffic Volker Tanger (Sep 11)
  - Re: Source of T/TCP traffic Knut Bjornstad (Sep 11)
  - Re: Source of T/TCP traffic Knut Bjornstad (Sep 12)
- RE: Source of T/TCP traffic lordchariot (Sep 12)
- Re: Source of T/TCP traffic Mikael Olsson (Sep 12)
- <Possible follow-ups>
- RE: Source of T/TCP traffic Dave Killion (Sep 11)