Educause Security Discussion mailing list archives
Re: Data in SYN Packets
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 26 Mar 2007 23:49:56 -0400
On Mon, 26 Mar 2007 14:24:39 CDT, Mike Hanson said:
Hello, In our IPS log I see the following entry *TCP C2S Ambiguity: Data in SYN Packet* daily directed towards our DNS server. These packets are coming from four or so different addresses in China. I did a brief Google search with results being a few or more years old. A couple of the posts reported the same *Data in SYN Packet* with the originating addresses also from China. Can anybody shed light on this?
Well, it may be somebody is actually deploying this RFC:

1644 T/TCP -- TCP Extensions for Transactions Functional Specification. R. Braden. July 1994. (Format: TXT=87362 bytes) (Updates RFC1379) (Status: EXPERIMENTAL)

(Executive summary from the RFC: follows)

        TCP A  (Client)                                TCP B (Server)

        CLOSED                                                 LISTEN

    #1  SYN-SENT*    --> <SYN,data1,FIN,CC=x> -->         CLOSE-WAIT*
                                                        (TAO test OK)
                                                      (data1->user_B)

                                                        <-- LAST-ACK*
    #2  TIME-WAIT    <-- <SYN,ACK(FIN),data2,FIN,CC=y,CC.ECHO=x>
      (data2->user_A)

    #3  TIME-WAIT    --> <ACK(FIN),CC=x> -->                   CLOSED

        (timeout)
        CLOSED

Most of the deployment I've seen has been broken spamware that did it basically in a fire-n-forget mode, targeting the fact that at least one high-market-share vendor's TCP stack was buggy and would queue up the whole SMTP transaction without bothering to actually check everything, so spamware could send a SYN EHLO MAIL FROM RCPT TO DATA <text> . in one long fragmented packet and it would actually work. Gaak.
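Added example, not part of the original message or of any IPS product: one way to triage the "Data in SYN Packet" alert discussed above is to check whether a client SYN that carries data also carries the RFC 1644 CC, CC.NEW or CC.ECHO option (TCP option kinds 11, 12 and 13). The function names, addresses and sample packets are constructed for illustration; checksums are not validated and only the bytes in the first IP fragment are counted.

```python
import struct

TTCP_OPTS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}  # option kinds from RFC 1644

def tcp_options(raw):
    """Yield TCP option kinds, stopping at end-of-list or a malformed length."""
    i = 0
    while i < len(raw) and raw[i] != 0:
        if raw[i] == 1:                      # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            return
        yield raw[i]
        i += raw[i + 1]

def classify_syn(pkt):
    """Classify a raw IPv4 packet; None unless it is a client SYN (SYN set, ACK clear)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total, _, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or frag & 0x1FFF or not ihl + 20 <= total <= len(pkt):
        return None                          # later fragments carry no TCP header
    tcp = pkt[ihl:total]
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not 20 <= doff <= len(tcp) or (flags & 0x12) != 0x02:
        return None
    ttcp = sorted(TTCP_OPTS[k] for k in tcp_options(tcp[20:doff]) if k in TTCP_OPTS)
    payload = len(tcp) - doff
    if payload == 0:
        verdict = "plain SYN"
    elif ttcp:
        verdict = "T/TCP-style SYN with data"
    else:
        verdict = "data in SYN without CC option"
    return {"verdict": verdict, "dport": struct.unpack("!H", tcp[2:4])[0],
            "payload_len": payload, "fin": bool(flags & 0x01), "ttcp_options": ttcp}

def build_packet(flags, options=b"", payload=b"", dport=53):
    """Constructed test input: IPv4+TCP bytes with zero checksums (not validated here)."""
    options += b"\x01" * (-len(options) % 4)             # pad options with NOPs
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0,
                      (5 + len(options) // 4) << 4, flags, 8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    return ip + tcp

CC_X = bytes([11, 6]) + struct.pack("!I", 0x1234)        # CC option: kind 11, length 6
```

A SYN with payload and no CC option does not match the RFC 1644 exchange quoted above, which is the case worth a closer look in the IPS log.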