[Dshield] Valid TCP Flags?

TILLEY, Alex Alex.TILLEY at suncorp.com.au
Fri Jun 2 01:36:05 GMT 2006


Many times I've seen mainframes doing SYN-RST. It freaks firewalls out I
can tell you! :)


-----Original Message-----
From: Chris Brenton [mailto:cbrenton at chrisbrenton.org] 
Sent: Thursday, 1 June 2006 2:23 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Valid TCP Flags?

On Wed, 2006-05-31 at 09:21 -0400, Jon R. Kibler wrote:
>
> I have been trying to put together a list of all possible valid
> combinations of IPv4 TCP flags. From the RFCs, I gather that the list
> should be:
> 
> 	SYN
> 	SYN-ACK
> 	ACK
> 	PSH-ACK
> 	URG-ACK
> 	URG-PSH-ACK
> 	FIN
> 	FIN-ACK
> 	RST
> 	RST-ACK

I've also seen FIN-ACK-PSH in the wild and even (eek) SYN-PSH.

> Two questions:
>    1) Can RST and/or FIN ever appear alone, without an ACK?

Send an unsolicited ACK to an open or closed port and you will get back
a plain RST. A FIN will *never* appear by itself which is why Cisco's
"established" keyword filters on ACK and/or RST packets. Only FIN/ACK is
valid.

>    2) Are there other valid combinations that I have missed? If so,
>    under what circumstances would you see that combination?

As mentioned I've seen pretty liberal use of the PSH bit. 

HTH,
Chris
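
Added example, not part of the thread and not written by its participants: a Python routine that reads the flag bits from a raw TCP header and sorts each combination into the groups this thread discusses. The function names, the category labels ("listed", "reported", "disputed", "unlisted") and the sample headers are constructed for illustration; ECN bits are masked off because the thread covers only the six classic flags.

```python
import struct

# Classic six TCP flag bits (low-order bits of byte 13 of the TCP header).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def combo(text):
    """Turn a name such as 'SYN-ACK' into its bitmask."""
    return sum(FLAG_BITS[name] for name in text.split("-"))

# Combinations from the list in the original question.
LISTED = {combo(c) for c in ("SYN", "SYN-ACK", "ACK", "PSH-ACK", "URG-ACK",
                             "URG-PSH-ACK", "FIN", "FIN-ACK", "RST", "RST-ACK")}
# Combinations the replies report seeing on real networks.
REPORTED = {combo(c) for c in ("FIN-ACK-PSH", "SYN-PSH", "SYN-RST")}
# In the question's list, but the reply says it never appears without ACK.
DISPUTED = {combo("FIN")}

def tcp_flags(header):
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (offset_and_flags,) = struct.unpack_from("!H", header, 12)
    return offset_and_flags & 0x3F  # drop data offset, reserved and ECN bits

def flag_names(flags):
    names = [name for name, bit in FLAG_BITS.items() if flags & bit]
    return "-".join(names) if names else "NULL"

def classify(flags):
    """Label a flag combination by how this thread treats it."""
    if flags in DISPUTED:
        return "disputed"
    if flags in LISTED:
        return "listed"
    if flags in REPORTED:
        return "reported"
    return "unlisted"

def make_header(flags):
    # Constructed sample header: ports 40000 -> 80, data offset of 5 words.
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                       (5 << 12) | flags, 8192, 0, 0)

if __name__ == "__main__":
    for f in (0x02, 0x12, 0x19, 0x0A, 0x06, 0x01, 0x29, 0x00):
        bits = tcp_flags(make_header(f))
        print(f"0x{bits:02x}  {flag_names(bits):<12} {classify(bits)}")
```

Anything labelled "unlisted" is a candidate for logging or closer inspection rather than an automatic drop, since the replies show that combinations outside the original list do turn up.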



