Firewall Wizards mailing list archives
Re: Source of T/TCP traffic
From: Knut Bjornstad <kbjo () interpost no>
Date: Tue, 9 Sep 2003 19:36:43 +0200
On Tue, Sep 09, 2003 at 02:22:58PM +0200, Volker Tanger wrote:
> Greetings!
>
> On Tue, 9 Sep 2003 Knut Bjornstad <kbjo () interpost no> wrote:
>
> > Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this are no problem in themselves - I can easily disable them. But when I try to analyze the traffic, it seems like ordinary web traffic from various MS IE sources.
>
> Do you see T/TCP, TAO or the braindead MS-IE/IIS speedup hack? Usually newer IE try to send the HTTP request already in the SYN packet (or was it first sending an ACK packet with the request?), ignoring the usual need for a SYN - SYN/ACK - ACK handshake for a proper TCP connection. While the IIS answers directly, other servers respond with an RST, upon which the IIS starts anew with the standard 3-way handshake. This way an MS-IE/MS-IIS pair has a small speed advantage over standard clients or servers. It's called improving industry standards, I fear. If this is the traffic you see, you can safely ignore it (as MS-IE does).
What I see is not - I repeat not - the cheating MS-IE/IIS speedup hack. (For this see: http://www.cs.wits.ac.za/~jon/help/email/slash.html )

I see SYN packets with proper CC.NEW TCP options. They come from a handful of Scandinavian providers serving solid customers. We don't get anything more of the T/TCP TAO because we have no T/TCP ourselves, and then whatever is sending this falls back to ordinary TCP in accordance with the protocol.

Further, there are quite clear indications of NAT source addresses - the browser field in our weblogs varies with the same source, among other things. I am pretty sure this is one or several different devices inserting T/TCP by rewriting the header - but I lack proof.

So what is this?

--
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo () interpost no -- t:47 23 14 53 36 -- mob: 901 15 917 --

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
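The thread turns on what the IDS is actually seeing: SYN segments carrying the RFC 1644 connection-count options (CC, CC.NEW, CC.ECHO), as opposed to a SYN with an HTTP request glued on. The following is an added example, not code from the list or from either poster, that parses the TCP options area of a raw segment and reports which T/TCP options it carries, so a SYN can be classified the way Knut describes. The segments it inspects are constructed inline (ports, sequence number and the CC.NEW value are made up); the option kind numbers 11, 12 and 13 and their 6-byte length are taken from RFC 1644.

```python
import struct

# RFC 1644 connection-count options; each is kind, length (6), 4-byte value.
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}

TH_SYN = 0x02
TH_ACK = 0x10


def parse_tcp_options(segment: bytes) -> list:
    """Return (kind, payload) pairs from the options area of a raw TCP segment.

    Malformed option lists raise ValueError rather than being silently skipped,
    since a rewritten header is exactly the case where the length bytes may lie.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    opts = segment[20:data_offset]
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: end of option list
            break
        if kind == 1:            # NOP: one byte of padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d lacks a length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def ttcp_options_in(segment: bytes) -> list:
    """Names of the T/TCP options present, in wire order."""
    names = []
    for kind, payload in parse_tcp_options(segment):
        name = TTCP_OPTION_KINDS.get(kind)
        if name is None:
            continue
        if len(payload) != 4:
            raise ValueError("%s option must carry a 4-byte count" % name)
        names.append(name)
    return names


def is_ttcp_syn(segment: bytes) -> bool:
    """True for a plain SYN (no ACK) whose sender announces T/TCP via CC or CC.NEW.

    A host without T/TCP ignores these options and the connection proceeds as
    ordinary TCP, which is the fallback behaviour described in the thread.
    """
    flags = segment[13]
    if not (flags & TH_SYN) or (flags & TH_ACK):
        return False
    present = ttcp_options_in(segment)
    return "CC" in present or "CC.NEW" in present


def build_syn(options: bytes, sport: int = 49152, dport: int = 80,
              seq: int = 0x11223344) -> bytes:
    """Assemble a constructed SYN header with the given options (checksum left 0)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad with EOL to a 4-byte boundary
    doff = (20 + len(padded)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, TH_SYN, 65535, 0, 0)
    return hdr + padded


# Constructed sample segments (not captured traffic).
MSS_1460 = b"\x02\x04\x05\xb4"
NOP = b"\x01"
CC_NEW_7 = bytes([12, 6]) + struct.pack("!I", 7)

SYN_WITH_CCNEW = build_syn(MSS_1460 + NOP + CC_NEW_7)   # what the IDS in the thread flags
SYN_PLAIN = build_syn(MSS_1460)                          # an ordinary client SYN

if __name__ == "__main__":
    for label, seg in (("T/TCP SYN", SYN_WITH_CCNEW), ("plain SYN", SYN_PLAIN)):
        print(label, ttcp_options_in(seg), "ttcp-capable:", is_ttcp_syn(seg))
```

Run against a capture, the same classifier applied to each SYN lets you count how many distinct source addresses emit CC.NEW and whether the option value behaves like a per-host counter or something a middlebox stamps in; a rewriting NAT device would be expected to show one counter sequence shared across what the web logs record as different browsers.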