IDS mailing list archives
Re: TCP: a practical question
From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Sat, 19 Jan 2008 11:52:25 +0530
nice discussion but what u mean by "Secondly, both SYNs should "cross in the network". This is unlikely." i mean its not cars on the road which will collide on network.those two are different SYN so will it affect the network? On Jan 18, 2008 12:39 PM, Fernando Gont <fernando () gont com ar> wrote:
At 07:55 p.m. 17/01/2008, you wrote:TCP specification (rfc 793) mentions about a simultaneous open and it's use in distributed set ups. In this case the handshake would proceed as follows: C -> S (Syn) .. 1 S -> C (Syn) .. 2 (1 and 2 happends almost simultaneously) C -> S (Syn|Ack) S -> C (Syn|Ack) My question is do we see this behavior in the practical world ?No, it is not. Firstly, usually only clients perform an active open of a connection (i.e., send a "SYN"). This has to do with the Client/Server model. Therefore, you won't see a SYN coming from the server. Secondly, both SYNs should "cross in the network". This is unlikely. Thirdly, in order for a simultaneous open to take place, not only should both systems send SYNs that cross each other in the network, but the client's source port should match the server's destination port, and the client's destination port should match the server's source port. This usually unlikely. Kind regards, -- Fernando Gont e-mail: fernando () gont com ar || fgont () acm org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
-- advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com http://newskicks.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- TCP: a practical question snort user (Jan 17)
- Re: TCP: a practical question Adam Powers (Jan 18)
- Message not available
- Re: TCP: a practical question Fernando Gont (Jan 18)
- Re: TCP: a practical question crazy frog crazy frog (Jan 21)
- Message not available
- Re: TCP: a practical question Fernando Gont (Jan 21)
- Re: TCP: a practical question crazy frog crazy frog (Jan 21)
- Re: TCP: a practical question "Zow" Terry Brugger (Jan 23)
- Re: TCP: a practical question Fernando Gont (Jan 18)