Firewall Wizards mailing list archives
Re: Source of T/TCP traffic
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 09 Sep 2003 23:13:57 +0200
Knut Bjornstad wrote:
> Our IDS are seeing a lot of peculiar T/TCP traffic - the alerts on this are no problem in themselves - I can easily disable them. But when I try to analyze the traffic, it seems like ordinary web traffic from various MS IE sources. Now T/TCP is - according to my impression - a half-dead attempt at speeding up TCP, and nothing I would associate with this kind of everyday event. My theory is that this is caused by some firewall or similar product that modifies outgoing traffic by adding the necessary TCP option to the packets. First question: Does anyone in this forum know of a product that does something like that (I suspect something from Checkpoint, but I am not sure about that)?
Question: Are you sure that this is actually T/TCP you're seeing? T/TCP uses fairly obvious TCP options, as per http://www.ietf.org/rfc/rfc1644.txt. Or are you seeing things more along the lines of http://pix.cs.olemiss.edu/csci561/slash.html? (IE/IIS violating TCP to make things go faster, which results in IE actually becoming _slower_ with non-IIS servers. Go figure.)
> Second question: Given that T/TCP has problematic security, can ordinary firewalls handle the protocol by setting up relevant rules?
Any firewall that requires SYN/SYNACK/ACK will prevent T/TCP as well as Microsoft's optimizations from working. T/TCP, by its design, reintroduces blind TCP spoofing vulnerabilities, and there's nothing any firewall can do about it -- except for blocking T/TCP and forcing the connection to fall back to plain old TCP, that is, which works just fine.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
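To settle the "are you sure it is actually T/TCP" question from a capture rather than from an IDS alert, the check below (an added example, not code from anyone in this thread) parses the option list of a raw TCP header and reports the RFC 1644 option kinds (CC=11, CC.NEW=12, CC.ECHO=13). The two sample headers are constructed here; ports and sequence numbers in them are placeholders.

```python
import struct

# TCP option kinds defined by RFC 1644 (T/TCP): CC, CC.NEW, CC.ECHO
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, payload_bytes)] for every option in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4     # header length in bytes
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # EOL: end of option list
            break
        if kind == 1:                            # NOP: one byte of padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option length")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def ttcp_options(tcp_header: bytes) -> list:
    """Names of the T/TCP options present, e.g. ['CC.NEW']; empty for plain TCP."""
    return [TTCP_OPTION_KINDS[k] for k, _ in parse_tcp_options(tcp_header)
            if k in TTCP_OPTION_KINDS]


def build_tcp_header(options: bytes, flags: int = 0x02) -> bytes:
    """Constructed sample header (default SYN); options padded to a 4-byte multiple."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


# Constructed samples: a T/TCP SYN carrying MSS + CC.NEW, and an ordinary SYN
# carrying MSS, NOP and window scale (the kind of options IE-era stacks sent).
TTCP_SYN = build_tcp_header(b"\x02\x04\x05\xb4" + b"\x0c\x06" + struct.pack("!I", 42))
PLAIN_SYN = build_tcp_header(b"\x02\x04\x05\xb4\x01\x03\x03\x07")
```

Run it over the TCP header of each flagged SYN from your capture; if `ttcp_options()` comes back empty, the alert is not T/TCP and the IDS signature is matching something else.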