Re: syn+fin IS LEGIT

[skyper <skyper () SEGFAULT NET>]

hi.

> > Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit
> > traffic? It sticks out like nothing else (well, few other things anyway).
>
> syn+fin isn't a legit traffic but all (?) Unix tcp/ip stack think that
> syn+fin is a legit traffic and reply with a syn+ack or a rst+ack :

rfc 1644, "tcp for transaction" aka "t/tcp" aka "kammikaze packets".
or TCP/IP Illustrated 3 by Richard W. Stevens [my hero].


skyper