[Dshield] Valid TCP Flags?

Joel Esler eslerj at gmail.com
Fri Jun 2 14:15:31 GMT 2006


I agree.  I've seen it.

J

On 6/1/06, TILLEY, Alex <Alex.TILLEY at suncorp.com.au> wrote:
>
> Many times I've seen mainframes doing SYN-RST. It freaks firewalls out I
> can tell you! :)
>
>
> -----Original Message-----
> From: Chris Brenton [mailto:cbrenton at chrisbrenton.org]
> Sent: Thursday, 1 June 2006 2:23 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Valid TCP Flags?
>
> On Wed, 2006-05-31 at 09:21 -0400, Jon R. Kibler wrote:
> >
> > I have been trying to put together a list of all possible valid
> > combinations of IPv4 TCP flags. From the RFCs, I gather that the list
> > should be:
> >
> >       SYN
> >       SYN-ACK
> >       ACK
> >       PSH-ACK
> >       URG-ACK
> >       URG-PSH-ACK
> >       FIN
> >       FIN-ACK
> >       RST
> >       RST-ACK
>
> I've also seen FIN-ACK-PSH in the wild and even (eek) SYN-PSH.
>
> > Two questions:
> >    1) Can RST and/or FIN ever appear alone, without an ACK?
>
> Send an unsolicited ACK to an open or closed port and you will get back
> a plain RST. A FIN will *never* appear by itself which is why Cisco's
> "established" keyword filters on ACK and/or RST packets. Only FIN/ACK is
> valid.
>
> >    2) Are there other valid combinations that I have missed? If so,
> >       under what circumstances would you see that combination?
>
> As mentioned I've seen pretty liberal use of the PSH bit.
>
> HTH,
> Chris



-- 
--Joel
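
An added example, not part of any message in this thread: a small Python classifier that reads the flags byte of a TCP header and sorts it into the combinations from the original question, the extra combinations the replies report seeing in the wild, and everything else. The function names, category labels and the sample segments are assumptions made for this illustration.

```python
import struct

# TCP flag bits in byte 13 of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def mask(*names):
    return sum(FLAG_BITS[n] for n in names)

# Candidate list from the original question in the thread.
LISTED = {
    mask("SYN"), mask("SYN", "ACK"), mask("ACK"), mask("PSH", "ACK"),
    mask("URG", "ACK"), mask("URG", "PSH", "ACK"), mask("FIN"),
    mask("FIN", "ACK"), mask("RST"), mask("RST", "ACK"),
}
# Combinations the replies report seeing on real networks.
REPORTED = {mask("FIN", "ACK", "PSH"), mask("SYN", "PSH"), mask("SYN", "RST")}
# On the question's list, but one reply says it never appears by itself.
DISPUTED = {mask("FIN")}

def flag_names(flags):
    names = [n for n, bit in FLAG_BITS.items() if flags & bit]
    return "-".join(names) if names else "NONE"

def tcp_flags(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Keep the six flags the thread discusses; drop the two ECN bits (RFC 3168).
    return segment[13] & 0x3F

def classify(segment):
    flags = tcp_flags(segment)
    if flags in DISPUTED:
        category = "disputed"
    elif flags in LISTED:
        category = "listed"
    elif flags in REPORTED:
        category = "reported"
    else:
        category = "unlisted"
    return flag_names(flags), category

def build_segment(flags, sport=40000, dport=80):
    # Constructed sample: 20-byte header, data offset 5, checksum left at zero.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
```

Segments that come back as "reported" or "unlisted" are the ones worth counting per source before deciding whether a filter should drop them, since the replies show that some real hosts emit them.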