Firewall Wizards mailing list archives

Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port


From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 12 Jan 2005 13:40:14 +0100

On Wed, Jan 12, 2005 at 10:55:47AM +0100, stephane nasdrovisky wrote:

> syn+ack flags on the first packet could mean t/tcp (similar to tcp
> without the 3 way handshake, it is described in tcp/ip vol 3 by stevens,
> I can't remember the rfc number)

I have read through RFC 1379 (Extending TCP for Transactions --
Concepts) and RFC 1644 (T/TCP -- TCP Extensions for Transactions) and
it seems to me that 

(1) T/TCP connection starts with SYN,FIN (not ACK) or just SYN
    (without ACK) with data payload

(2) T/TCP shouldn't reply with SYN+ACK to SYN+ACK ever (much less when
    unrequested && loaded with arbitrary ISN/ACKn)

Am I wrong?

By the way, I have tested that I can successfully complete standard
TCP RFC793 three way handshake with SYN+ACK being the first packet (so
it seems that PIX deliberately ignores ACK here). On the other side,
I have also tested that replying SYN+ACK (instead of ACK) in the third
phase of the handshake does not make it through (so it does not ignore
SYN here). Mmmm...

Martin Mačok
ICT Security Consultant
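
For reference against RFC 793, the following is an added example (not part of the original post) that models the "segment arrives" rules for the LISTEN and SYN-RECEIVED states and compares them with the two behaviours reported in the message above. The function names, the sequence numbers and the `OBSERVED` list are constructed for illustration, and the window check is simplified to an exact match.

```python
# Simplified model of RFC 793 "SEGMENT ARRIVES" for LISTEN and SYN-RECEIVED.
# Assumption: the receive window is reduced to "seq must equal rcv_nxt" and
# an acceptable ACK to "ack must equal snd_nxt".

def rfc793_response(state, flags, seq=0, ack=0, rcv_nxt=0, snd_nxt=0):
    """Return (next_state, reply_flags); reply_flags is None if nothing is sent."""
    flags = frozenset(flags)
    if state == "LISTEN":
        if "RST" in flags:
            return "LISTEN", None                  # first check: ignore RST
        if "ACK" in flags:
            return "LISTEN", {"RST"}               # second check: any ACK is bad
        if "SYN" in flags:
            return "SYN-RECEIVED", {"SYN", "ACK"}  # third check: accept the SYN
        return "LISTEN", None
    if state == "SYN-RECEIVED":
        if seq != rcv_nxt:                         # unacceptable sequence number
            return state, (None if "RST" in flags else {"ACK"})
        if "RST" in flags:
            return "LISTEN", None                  # passive open returns to LISTEN
        if "SYN" in flags:
            return "CLOSED", {"RST"}               # in-window SYN is an error
        if "ACK" not in flags:
            return state, None                     # no ACK bit: drop the segment
        if ack == snd_nxt:
            return "ESTABLISHED", None
        return state, {"RST"}                      # unacceptable ACK value
    raise ValueError("state not modelled: " + state)

def deviations(observations):
    """Labels of cases where the device advanced the handshake differently
    from what the RFC 793 model above would do."""
    out = []
    for label, state, flags, kw, advanced in observations:
        nxt, _ = rfc793_response(state, flags, **kw)
        expected = nxt in ("SYN-RECEIVED", "ESTABLISHED") and nxt != state
        if expected != advanced:
            out.append(label)
    return out

# Constructed from the behaviour described in the post; numbers are arbitrary.
OBSERVED = [
    ("SYN+ACK as first packet to open port", "LISTEN", {"SYN", "ACK"}, {}, True),
    ("SYN+ACK as third packet of handshake", "SYN-RECEIVED", {"SYN", "ACK"},
     dict(seq=101, ack=501, rcv_nxt=101, snd_nxt=501), False),
]

if __name__ == "__main__":
    print(deviations(OBSERVED))
```

Under this model only the first reported behaviour departs from RFC 793, which expects a RST for any segment carrying ACK in LISTEN; rejecting a SYN+ACK in the third phase is consistent with it.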