Security Incidents mailing list archives
Re: syn+fin IS LEGIT
From: skyper <skyper () SEGFAULT NET>
Date: Tue, 1 Aug 2000 02:34:25 +0000
hi.
Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit traffic? It sticks out like nothing else (well, few other things anyway).syn+fin isn't a legit traffic but all (?) Unix tcp/ip stack think that syn+fin is a legit traffic and reply with a syn+ack or a rst+ack :
rfc 1644, "tcp for transaction" aka "t/tcp" aka "kammikaze packets". or TCP/IP Illustrated 3 by Richard W. Stevens [my hero]. skyper
Current thread:
- Re: syn+fin IS LEGIT skyper (Aug 01)