Penetration Testing mailing list archives

Re: Some unusual network features


From: die tuere <reitenba () fh-brandenburg de>
Date: Thu, 15 Jan 2004 10:48:31 +0100

On Wednesday, 14 January 2004 12:01, Alla Bezroutchko wrote:
Paul Johnston wrote:
Hi,

I've come across the following anomalies while auditing a network, can
anyone help explain what they are:

3) Ports where the TTL is different on the SYN reply to the rest of the
connection. ipid's also imply that different hosts are handling the SYN
and the rest of the connection.

I've seen that on a server behind a Cisco PIX firewall with SYN flood
protection enabled. The firewall handles connection setup itself and
once the handshake is complete, establishes the connection with the
server behind it. If the handshake is not complete the server never sees
any of it.

I think OpenBSD's pf also has such a feature, called synproxy.

buzz
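
An added example, not part of the original posts: a small Python check for the observation discussed in this thread, comparing the TTL and IP ID of the SYN/ACK with the later packets sent by the same server address. The packets, addresses, the `ipid_gap` threshold and all function names are constructed for illustration, and the IP ID test assumes the responding host uses an incrementing counter.

```python
import struct

SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt):
    """Return (ttl, ipid, tcp_flags) from a raw IPv4 packet carrying TCP."""
    ver_ihl, _, _, ipid, _, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    flags = pkt[(ver_ihl & 0x0F) * 4 + 13]  # flags byte of the TCP header
    return ttl, ipid, flags

def syn_proxy_signs(packets, ipid_gap=1000):
    """packets: server-to-client packets of one connection, in capture order."""
    synack, rest = None, []
    for raw in packets:
        ttl, ipid, flags = parse_ipv4_tcp(raw)
        if flags & (SYN | ACK) == (SYN | ACK):
            synack = (ttl, ipid)
        elif synack is not None:
            rest.append((ttl, ipid))
    if synack is None or not rest:
        return None  # nothing to compare
    # A different TTL suggests the SYN/ACK travelled a different hop count.
    ttl_differs = any(ttl != synack[0] for ttl, _ in rest)
    # Assumption: one host with a counter-based IP ID advances in small steps.
    ipid_jump = (rest[0][1] - synack[1]) % 65536 > ipid_gap
    return {"ttl_differs": ttl_differs, "ipid_jump": ipid_jump}

def build(ttl, ipid, flags):
    """Construct a minimal sample packet (192.0.2.10:80 -> 198.51.100.5:40000)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ipid, 0, ttl, 6, 0,
                     b"\xc0\x00\x02\x0a", b"\xc6\x33\x64\x05")
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

# Constructed samples: handshake answered by one device, data by another ...
PROXIED = [build(255, 4021, SYN | ACK), build(127, 31200, ACK), build(127, 31201, ACK)]
# ... versus a server that answers its own handshake.
DIRECT = [build(127, 500, SYN | ACK), build(127, 501, ACK), build(127, 502, ACK)]

if __name__ == "__main__":
    print("proxied:", syn_proxy_signs(PROXIED))
    print("direct: ", syn_proxy_signs(DIRECT))
```

Stacks that randomise the IP ID or send 0 with DF set will make `ipid_jump` unreliable, so the TTL comparison is the stronger of the two signals.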

