Penetration Testing mailing list archives
Re: Some unusual network features
From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 14 Jan 2004 07:22:29 +0400
On Tue, 2004-01-13 at 13:46, Paul Johnston wrote:
> 3) Ports where the TTL is different on the SYN reply to the rest of the connection. IPIDs also imply that different hosts are handling the SYN and the rest of the connection.
Cisco routers can be configured with a feature called TCP Intercept (I believe this has now been replaced by CBAC). With TCP Intercept, the handshake is done by the router on behalf of the server:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm#17332

This could be a possible explanation for the variation in the IPIDs and SYN values.

--
shashank
<-- Here is the Packet that was fragmented and has been assembled again. (with apologies to JRR Tolkien :) -->
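The comparison discussed in this message, as an added example that is not part of the original post: for each server port, it checks whether the SYN reply's TTL and IPID fit the rest of the connection, which is the pattern a handshake-proxying device would produce. The packet tuples are constructed sample data, and the function names and the IPID gap threshold of 1024 are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mode

# Constructed sample: server-to-client packets as (server_port, tcp_flags, ip_ttl, ip_id).
# Port 80: handshake answered by an intermediate device. Port 22: answered by the server.
SAMPLE = [
    (80, "SA", 254, 11023), (22, "SA", 117, 40209), (22, "PA", 117, 40210),
    (80, "A", 117, 40211), (80, "PA", 117, 40212), (22, "A", 117, 40213),
    (80, "FA", 117, 40214),
]

def ipid_gap(a, b):
    """Forward distance from IPID a to IPID b, wrapping at 16 bits."""
    return (b - a) % 65536

def split_handshake_ports(packets, max_ipid_gap=1024):
    """Return {port: [reasons]} for ports whose SYN reply does not match
    the TTL or IPID sequence of the later packets on the same port."""
    by_port = defaultdict(list)
    for port, flags, ttl, ipid in packets:
        by_port[port].append((flags, ttl, ipid))

    findings = {}
    for port, pkts in by_port.items():
        synacks = [p for p in pkts if p[0] == "SA"]
        rest = [p for p in pkts if p[0] != "SA"]
        if not synacks or not rest:
            continue  # nothing to compare against
        _, syn_ttl, syn_ipid = synacks[0]
        reasons = []
        # Most common TTL of the established connection tolerates one odd packet.
        rest_ttl = mode(ttl for _, ttl, _ in rest)
        if syn_ttl != rest_ttl:
            reasons.append(f"ttl {syn_ttl} vs {rest_ttl}")
        # Only meaningful when the answering host uses an incrementing IPID
        # counter; randomized or constant IPIDs make this check unreliable.
        if ipid_gap(syn_ipid, rest[0][2]) > max_ipid_gap:
            reasons.append(f"ipid {syn_ipid} -> {rest[0][2]}")
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, reasons in sorted(split_handshake_ports(SAMPLE).items()):
        print(f"port {port}: SYN reply differs ({'; '.join(reasons)})")
```

A TTL mismatch alone can also come from asymmetric routing or a load balancer, so the two signals are reported separately rather than merged into one verdict.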