[Dshield] Valid TCP Flags?
eslerj at gmail.com
Fri Jun 2 14:15:31 GMT 2006
I agree. I've seen it.
On 6/1/06, TILLEY, Alex <Alex.TILLEY at suncorp.com.au> wrote:
> Many times I've seen mainframes doing SYN-RST. It freaks firewalls out I
> can tell you! :)
> -----Original Message-----
> From: Chris Brenton [mailto:cbrenton at chrisbrenton.org]
> Sent: Thursday, 1 June 2006 2:23 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Valid TCP Flags?
> On Wed, 2006-05-31 at 09:21 -0400, Jon R. Kibler wrote:
> > I have been trying to put together a list of all possible valid
> > combinations of IPv4 TCP flags. From the RFCs, I gather that the list
> > should be:
> > SYN
> > SYN-ACK
> > ACK
> > PSH-ACK
> > URG-ACK
> > URG-PSH-ACK
> > FIN
> > FIN-ACK
> > RST
> > RST-ACK
> I've also seen FIN-ACK-PSH in the wild and even (eek) SYN-PSH.
> > Two questions:
> > 1) Can RST and/or FIN ever appear alone, without an ACK?
> Send an unsolicited ACK to an open or closed port and you will get back
> a plain RST. A FIN will *never* appear by itself which is why Cisco's
> "established" keyword filters on ACK and/or RST packets. Only FIN/ACK is
> > 2) Are there other valid combinations that I have missed? If so,
> > under what circumstances would you see that combination?
> As mentioned I've seen pretty liberal use of the PSH bit.
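Added example, not part of the original thread: a small Python classifier that reads the flag byte of a raw TCP header and labels it by where that combination stands in the discussion above (on the proposed list, on the list but disputed in a reply, reported as seen in real traffic, or not mentioned). The helper `make_header`, the label strings and the sample port and window values are constructed for illustration, and ignoring the ECE/CWR bits is an assumption.

```python
import struct

# The six classic TCP flag bits, carried in byte 13 of the TCP header.
FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def combo(name):
    """Turn 'FIN-ACK-PSH' into an order-independent set of flag names."""
    return frozenset(name.split("-"))

# Combinations proposed as valid in the original question.
LISTED = {combo(c) for c in ("SYN", "SYN-ACK", "ACK", "PSH-ACK", "URG-ACK",
                             "URG-PSH-ACK", "FIN", "FIN-ACK", "RST", "RST-ACK")}
# On the list, but a reply states a FIN never appears by itself.
DISPUTED = {combo("FIN")}
# Not on the list, but posters report seeing them in real traffic.
SEEN_IN_WILD = {combo(c) for c in ("FIN-ACK-PSH", "SYN-PSH", "SYN-RST")}

def flags_of(tcp_header):
    """Return the set of flag names set in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    bits = tcp_header[13] & 0x3F  # assumption: ECE/CWR bits are ignored
    return frozenset(name for name, bit in FLAG_BITS if bits & bit)

def classify(tcp_header):
    """Label a header by where its flag combination stands in the thread."""
    flags = flags_of(tcp_header)
    if flags in DISPUTED:
        return "listed-disputed"
    if flags in LISTED:
        return "listed"
    if flags in SEEN_IN_WILD:
        return "seen-in-wild"
    return "unlisted"

def make_header(flag_byte):
    """Constructed sample: a 20-byte TCP header with the given flag byte."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flag_byte, 8192, 0, 0)

if __name__ == "__main__":
    for fb in (0x02, 0x12, 0x01, 0x19, 0x06, 0x29, 0x00):
        hdr = make_header(fb)
        names = "-".join(sorted(flags_of(hdr))) or "(none)"
        print(f"0x{fb:02x} {names:<12} {classify(hdr)}")
```
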