Re: Data in SYN Packets

[Valdis Kletnieks <Valdis.Kletnieks () VT EDU>]

On Mon, 26 Mar 2007 14:24:39 CDT, Mike Hanson said:
> Hello,
>
> In our IPS log I see the following entry *TCP C2S Ambiguity: Data in
> SYN Packet* daily directed towards our DNS server. These packets are
> coming from four or so different addresses in China.  I did a brief
> Google search with results being a few or more years old. A couple of
> the posts reported the same *Data in SYN Packet* with the
> originating addresses also from China.
>
> Can anybody shed light on this?

Well, it may be somebody is actually deploying this RFC:

1644 T/TCP -- TCP Extensions for Transactions Functional
     Specification. R. Braden. July 1994. (Format: TXT=87362 bytes)
     (Updates RFC1379) (Status: EXPERIMENTAL)

(Executive summary from the RFC: follows)

       TCP A  (Client)                                    TCP B (Server)
       CLOSED                                                     LISTEN
   #1  SYN-SENT*        --> <SYN,data1,FIN,CC=x> -->         CLOSE-WAIT*
                                                           (TAO test OK)
                                                         (data1->user_B)
                                                           <-- LAST-ACK*
   #2  TIME-WAIT   <-- <SYN,ACK(FIN),data2,FIN,CC=y,CC.ECHO=x>
     (data2->user_A)
   #3  TIME-WAIT          --> <ACK(FIN),CC=x> -->                 CLOSED
       (timeout)
         CLOSED

Most of the deployment I've seen has been broken spamware that did it
basically in a fire-n-forget mode, targeting the fact that at least one
high-market-share vendor's TCP stack was buggy and would queue up the
whole SMTP transaction without bothering to actually check everything, so
spamware could send a SYN EHLO MAIL FROM RCPT TO DATA <text> . in one long
fragmented packet and it would actually work.  Gaak.

Attachment: _bin
Description: