Firewall Wizards mailing list archives
RE: Source of T/TCP traffic
From: Dave Killion <Dkillion () netscreen com>
Date: Tue, 9 Sep 2003 09:18:30 -0700
From what I've seen, and I could be dead-wrong, is that IIS and IE form a
T/TCP bond when connecting. IE will actually try T/TCP first, and fall back to normal TCP after failing. This is how IIS-served webpages load so quickly on IE. You can tell when you're loading a non-IIS served page with IE because there's a bit of a pause while T/TCP fails. So three cheers to Microsoft for putting this half-dead protocol on life support. ;) Dave Killion Senior Security Engineer Security Group, NetScreen Technologies, Inc. -----Original Message----- From: Knut Bjornstad [mailto:kbjo () interpost no] Sent: Tuesday, September 09, 2003 4:23 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Source of T/TCP traffic Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this is no problem in itself - I can easily disable them. But when I try to analyze the traffic, it seems like ordinary web traffic from various MS IE sources. Now T/TCP is - according to my impression - a halfdead attemt at speeding up TCP, and nothing I would associate with this kind of everyday events. My theory is that this is coused by some firewall or similar product that modidfies outgoing traffic by adding the neccessary TCP option to the packets. First question: Do anyone in this forum know of a product that does something like that (I suspect something from Checkpoint, but I am not sure about that)? Second question: Given that T/TCP has problematic security, can ordinary firewalls handle the protocol by setting up relevant rules? -- --Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway------- --kbjo () interpost no -- t:47 23 14 53 36 -- mob: 901 15 917 -- _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Attachment:
smime.p7s
Description:
Current thread:
- Source of T/TCP traffic Knut Bjornstad (Sep 09)
- Re: Source of T/TCP traffic Volker Tanger (Sep 11)
- Re: Source of T/TCP traffic Knut Bjornstad (Sep 11)
- Re: Source of T/TCP traffic Knut Bjornstad (Sep 12)
- RE: Source of T/TCP traffic lordchariot (Sep 12)
- Re: Source of T/TCP traffic Mikael Olsson (Sep 12)
- <Possible follow-ups>
- RE: Source of T/TCP traffic Dave Killion (Sep 11)
- Re: Source of T/TCP traffic Volker Tanger (Sep 11)