Firewall Wizards mailing list archives
Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port
From: Chuck Swiger <chuck () codefab com>
Date: Fri, 14 Jan 2005 10:47:43 -0500
Martin Mačok wrote: [ ... ]
> (1) T/TCP connection starts with SYN,FIN (not ACK) or just SYN (without ACK) with data payload
It depends on whether the sender of the T/TCP closes immediately, or whether the sender leaves the connection open to exchange more data. Basically T/TCP tries to shortcut the initial data-less phase of the normal 3WHS, but it doesn't change the meaning of FIN.
> (2) T/TCP shouldn't reply with SYN+ACK to SYN+ACK ever (much less when (unrequested && loaded with arbitrary ISN/ACKn)). Am I wrong?
I'm not sure. T/TCP doesn't use SYN+ACK to initiate a connection, agreed, but it would be normal for T/TCP to see a SYN+ACK response to a SYN+data or SYN+FIN. This is because ACKs acknowledge receipt of SYN or FIN flags, as well as data. The SYN+ACK would correspond to the ISN & SEQ # within the sender's window; they would not be arbitrary.
> By the way, I have tested that I can successfully complete a standard TCP RFC793 three-way handshake with SYN+ACK being the first packet (so it seems that PIX deliberately ignores ACK here). On the other side, I have also tested that replying SYN+ACK (instead of ACK) in the third phase of the handshake does not make it through (so it does not ignore SYN here). Mmmm...
Right, the other side will only expect a SYN+ACK in response to a connection open via a SYN, not later on. A new connection should never be opened using SYN+ACK, because there has been no data sent from the other side yet to ACK. In a normal connection, the receiving side will send a SYN+ACK with SEQ # + 1 to the initial SYN, or SEQ # + 1 + content_length for T/TCP.
Unless the sender had an open TCP control block which matched, an arbitrary incoming SYN+ACK should receive a RST.
-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
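The exchange debated in the messages above, as an added worked model that is not part of the original thread, not PIX code, and not Martin's probe: a toy RFC 793 listener that processes segments in LISTEN and SYN-RECEIVED. Under strict RFC 793 an unsolicited SYN+ACK to a listening port gets a RST (Chuck's point), a SYN+ACK in the third step of the handshake is refused with a RST (Martin's second observation), and a T/TCP-style SYN carrying data and FIN is acknowledged at SEQ + 1 + data_len + 1. A switch, `ignore_ack_in_listen`, is an assumption added here to reproduce the behaviour Martin reported from the PIX (answering SYN+ACK with SYN+ACK); it is a model of the observation, not a statement about how PIX is implemented. Sequence numbers, flag constants and the window check are simplified (no sequence-window validation beyond the ACK check).

```python
"""Toy RFC 793 listener: constructed example, not code from the thread or from Cisco."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits as laid out in the TCP header (RFC 793, section 3.1).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    flags: int
    seq: int
    ack: int = 0
    data_len: int = 0

    def has(self, bits: int) -> bool:
        return (self.flags & bits) == bits

    def __str__(self) -> str:
        names = [n for n, b in (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN)) if self.flags & b]
        return f"{'+'.join(names) or 'none'} seq={self.seq} ack={self.ack}"


@dataclass
class Listener:
    """One TCP control block for a port in LISTEN; fixed ISS so runs are reproducible."""
    iss: int = 1000
    ignore_ack_in_listen: bool = False  # assumption: models the PIX behaviour Martin reported
    state: str = "LISTEN"
    snd_nxt: int = 0
    rcv_nxt: int = 0

    def handle(self, seg: Segment) -> Optional[Segment]:
        if self.state == "LISTEN":
            return self._listen(seg)
        if self.state == "SYN-RECEIVED":
            return self._syn_received(seg)
        return None

    def _listen(self, seg: Segment) -> Optional[Segment]:
        if seg.has(RST):            # RFC 793 p.65: a RST in LISTEN is ignored
            return None
        if seg.has(ACK) and not self.ignore_ack_in_listen:
            # Nothing has been sent from this side, so there is nothing to ACK:
            # answer <SEQ=SEG.ACK><CTL=RST>. This is what an unsolicited SYN+ACK gets.
            return Segment(RST, seq=seg.ack)
        if seg.has(SYN):
            # The SYN+ACK acknowledges the SYN flag, any data on the SYN (T/TCP),
            # and a FIN flag if present, one sequence number each.
            self.rcv_nxt = seg.seq + 1 + seg.data_len + (1 if seg.has(FIN) else 0)
            self.snd_nxt = self.iss + 1
            self.state = "SYN-RECEIVED"
            return Segment(SYN | ACK, seq=self.iss, ack=self.rcv_nxt)
        return None

    def _syn_received(self, seg: Segment) -> Optional[Segment]:
        if seg.has(RST):
            self.state = "LISTEN"
            return None
        if seg.has(SYN):            # RFC 793 p.71: a SYN here is an error, send a RST
            self.state = "LISTEN"
            return Segment(RST, seq=seg.ack if seg.has(ACK) else 0)
        if seg.has(ACK) and self.iss < seg.ack <= self.snd_nxt:
            self.state = "ESTABLISHED"   # third step: ACK of exactly our SYN
            return None
        return Segment(RST, seq=seg.ack)  # unacceptable ACK: <SEQ=SEG.ACK><CTL=RST>


def probe(ignore_ack_in_listen: bool) -> Tuple[str, str]:
    """Send an unsolicited SYN+ACK with arbitrary seq/ack to a fresh listener."""
    l = Listener(ignore_ack_in_listen=ignore_ack_in_listen)
    reply = l.handle(Segment(SYN | ACK, seq=4242, ack=9999))
    return (str(reply) if reply else "no reply", l.state)


def handshake(third_flags: int) -> Tuple[str, str]:
    """SYN -> SYN+ACK -> <third_flags>; report the reply to step 3 and the resulting state."""
    l = Listener()
    synack = l.handle(Segment(SYN, seq=4242))
    reply = l.handle(Segment(third_flags, seq=synack.ack, ack=synack.seq + 1))
    return (str(reply) if reply else "no reply", l.state)


def synack_ack_for(seq: int, data_len: int = 0, fin: bool = False) -> int:
    """ACK number returned for a SYN that carries data_len bytes and optionally FIN (T/TCP style)."""
    reply = Listener().handle(Segment(SYN | (FIN if fin else 0), seq=seq, data_len=data_len))
    return reply.ack


if __name__ == "__main__":
    print("strict RFC 793, probe SYN+ACK ->", probe(False))
    print("ignore-ACK-in-LISTEN, probe SYN+ACK ->", probe(True))
    print("3rd step ACK ->", handshake(ACK))
    print("3rd step SYN+ACK ->", handshake(SYN | ACK))
    print("SYN+FIN with 50 bytes, seq 100 -> ack", synack_ack_for(100, 50, fin=True))
```

Running it shows the two behaviours side by side: the strict listener answers the probe with RST seq=9999 and stays in LISTEN, while the variant that disregards ACK in LISTEN answers SYN+ACK and moves to SYN-RECEIVED, which is the fingerprint Martin saw. Both refuse SYN+ACK in the third step.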
Current thread:
- PIX responding with SYN+ACK to SYN+ACK probe sent on open port Martin Mačok (Jan 11)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port L Cubed (Jan 11)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Martin Mačok (Jan 14)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port L Cubed (Jan 19)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Martin Mačok (Jan 14)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port L Cubed (Jan 11)
- <Possible follow-ups>
- RE: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Smith, Aaron (Jan 11)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port stephane nasdrovisky (Jan 14)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Martin Mačok (Jan 14)
- Message not available
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Martin Mačok (Jan 14)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port Chuck Swiger (Jan 19)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port stephane nasdrovisky (Jan 14)
- Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port L Cubed (Jan 11)