Firewall Wizards mailing list archives

Re: Source of T/TCP traffic


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 09 Sep 2003 23:13:57 +0200



Knut Bjornstad wrote:

Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this
are no problem in themselves - I can easily disable them. But when I try to
analyze the traffic, it seems like ordinary web traffic from various MS
IE sources. Now T/TCP is - according to my impression - a half-dead
attempt at speeding up TCP, and nothing I would associate with this kind
of everyday events. My theory is that this is caused by some firewall or
similar product that modifies outgoing traffic by adding the necessary
TCP option to the packets.
First question: Does anyone in this forum know of a product that does
something like that (I suspect something from Checkpoint, but I am not
sure about that)?

Question: Are you sure that this is actually T/TCP you're seeing?
T/TCP uses fairly obvious TCP options, as per
http://www.ietf.org/rfc/rfc1644.txt

Or are you seeing things more along the lines of
http://pix.cs.olemiss.edu/csci561/slash.html ?
(IE/IIS violating TCP to make things go faster, which results
 in IE actually becoming _slower_ with non-IIS servers.
 Go figure.)

Second question: Given that T/TCP has problematic security, can 
ordinary firewalls handle the protocol by setting up relevant 
rules?

Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP
as well as Microsoft's optimizations from working.

T/TCP, by its design, reintroduces blind TCP spoofing 
vulnerabilities, and there's nothing any firewall can 
do about it -- except for blocking T/TCP and forcing the
connection to fall back to plain old TCP, that is, which
works just fine.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com