Educause Security Discussion mailing list archives

Re: Data in SYN Packets

From: scott hollatz <shollatz () D UMN EDU>
Date: Tue, 27 Mar 2007 10:54:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In our IPS log I see the following entry *TCP C2S Ambiguity: Data in
SYN Packet* daily directed towards our DNS server. These packets are
coming from four or so different addresses in China.  I did a brief
Google search with results being a few or more years old. A couple of
the posts reported the same *Data in SYN Packet* with the
originating addresses also from China.

Can anybody shed light on this?


Well, it may be somebody is actually deploying this RFC:

1644 T/TCP -- TCP Extensions for Transactions Functional
    Specification. R. Braden. July 1994. (Format: TXT=87362 bytes)
    (Updates RFC1379) (Status: EXPERIMENTAL)

(Executive summary from the RFC: follows)

      TCP A  (Client)                                    TCP B (Server)
      CLOSED                                                     LISTEN
  #1  SYN-SENT*        --> <SYN,data1,FIN,CC=x> -->         CLOSE-WAIT*
                                                          (TAO test OK)
                                                        (data1->user_B)
                                                          <-- LAST-ACK*
  #2  TIME-WAIT   <-- <SYN,ACK(FIN),data2,FIN,CC=y,CC.ECHO=x>
    (data2->user_A)
  #3  TIME-WAIT          --> <ACK(FIN),CC=x> -->                 CLOSED
      (timeout)
        CLOSED

Most of the deployment I've seen has been broken spamware that did it
basically in a fire-n-forget mode, targeting the fact that at least one
high-market-share vendor's TCP stack was buggy and would queue up the
whole SMTP transaction without bothering to actually check everything, so
spamware could send a SYN EHLO MAIL FROM RCPT TO DATA <text> . in one long
fragmented packet and it would actually work.  Gaak.


The original observation was to TCP 53 not TCP 25.

The above scenario is interesting, though, but the SMTP transaction
would fail on MTAs which implement a pre-greet strategy similar to what's
in sendmail.

- --
scott hollatz                                        net shollatz () d UMn eDu
information technology systems and services          tel +1 218 726 8851
university of minnesota duluth mn usa                fax +1 218 726 7674
                                                                         --
                                              "Asn aD ta zlAp em uT zt33rg"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iD8DBQFGCT5J4og1WWfEVRsRAolZAJwO39d6l2OImxv0dK7EqqjqFqBshwCfWJBo
ooYc7aZ7P3zKEp1/E4vPDKs=
=4ZSg
-----END PGP SIGNATURE-----

Current thread:

Data in SYN Packets Mike Hanson (Mar 26)
- <Possible follow-ups>
- Re: Data in SYN Packets Justin Klein Keane (Mar 26)
- Re: Data in SYN Packets scott hollatz (Mar 26)
- Re: Data in SYN Packets Gibson, Nathan J. (HSC) (Mar 26)
- Re: Data in SYN Packets Mark Newman (Mar 26)
- Re: Data in SYN Packets Valdis Kletnieks (Mar 26)
- Re: Data in SYN Packets John Kristoff (Mar 27)
- Re: Data in SYN Packets scott hollatz (Mar 27)