Penetration Testing mailing list archives

Re: Some unusual network features


From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 14 Jan 2004 07:22:29 +0400

On Tue, 2004-01-13 at 13:46, Paul Johnston wrote:

> 3) Ports where the TTL is different on the SYN reply to the rest of the
> connection. IPIDs also imply that different hosts are handling the SYN
> and the rest of the connection.


Cisco routers can be configured with a feature called TCP Intercept (I
believe this has now been replaced by CBAC). With TCP Intercept, the
handshake is done by the router on behalf of the server:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm#17332

This could be a possible explanation for the variation in the IPIDs and
SYN values.

-- 
shashank

<--
Here is the Packet that was fragmented and has been assembled again.
                                       (with apologies to JRR Tolkien :)
-->
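
The comparison discussed in this message, as an added example that is not part of the original post: for each server port it checks whether the SYN-ACK's TTL and IP ID fit the packets that follow it. The packet tuples, the `MAX_STEP` threshold and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: replies seen from one server address, in capture order,
# as (server_port, tcp_flags, ttl, ip_id). Not taken from a real capture.
SAMPLE = [
    (80, "SA", 254, 4021), (80, "A", 117, 65530), (80, "PA", 117, 65533), (80, "FA", 117, 2),
    (22, "SA", 117, 9), (22, "PA", 117, 12), (22, "A", 117, 14),
    (443, "SA", 254, 4030), (443, "PA", 117, 40), (443, "A", 117, 41),
]

MAX_STEP = 64  # assumed bound on IP ID growth between consecutive replies from one host

def ipid_step(prev, cur):
    """Forward distance between two 16-bit IP IDs, allowing for wraparound."""
    return (cur - prev) % 65536

def split_handshake_ports(packets, max_step=MAX_STEP):
    """Return {port: [reasons]} where the SYN-ACK does not match the rest of the flow."""
    flows = defaultdict(lambda: {"synack": None, "rest": []})
    for port, flags, ttl, ipid in packets:
        if flags == "SA" and flows[port]["synack"] is None:
            flows[port]["synack"] = (ttl, ipid)
        elif flags != "SA":
            flows[port]["rest"].append((ttl, ipid))
    findings = {}
    for port, flow in flows.items():
        if flow["synack"] is None or not flow["rest"]:
            continue  # both halves are needed for a comparison
        sa_ttl, sa_ipid = flow["synack"]
        reasons = []
        if sa_ttl not in {ttl for ttl, _ in flow["rest"]}:
            reasons.append("ttl")
        ids = [ipid for _, ipid in flow["rest"]]
        # Only judge the IP ID when later packets increment steadily (not randomized).
        steady = all(0 < ipid_step(a, b) <= max_step for a, b in zip(ids, ids[1:]))
        if len(ids) > 1 and steady and not 0 < ipid_step(sa_ipid, ids[0]) <= max_step:
            reasons.append("ipid")
        if reasons:
            findings[port] = reasons
    return findings
```

A port flagged for both reasons is consistent with a device such as TCP Intercept answering the SYN; a port flagged for neither suggests the server completed its own handshake.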

