Network Security: Detailed info on Re: TCP: a practical question

Subject:	Re: TCP: a practical question
Date:	Sun, 20 Jan 2008 12:15:26 +0530

oh got it.thanks for the reply.

On Jan 19, 2008 7:40 PM, Fernando Gont <fernando@gont.com.ar> wrote:

At 04:22 a.m. 19/01/2008, crazy frog crazy frog wrote:

That means the client should send its SYN before it receives the
server's SYN, and viceversa. That is, both SYNs should be sent almost
simultaneously. And this is unlikely.

Kind regards,
Fernando

nice discussion but what u mean by "Secondly, both SYNs should "cross
in the network". This is unlikely."
i mean its not cars on the road which will collide on network.those
two are different SYN so will it affect the network?

On Jan 18, 2008 12:39 PM, Fernando Gont <fernando@gont.com.ar> wrote:

At 07:55 p.m. 17/01/2008, you wrote:

TCP specification (rfc 793) mentions about a simultaneous open and
it's use in distributed set ups.
In this case the handshake would proceed as follows:

C -> S (Syn) .. 1
S -> C (Syn) .. 2
(1 and 2 happends almost simultaneously)
C -> S (Syn|Ack)
S -> C (Syn|Ack)

My question is do we see this behavior in the practical world ?


No, it is not.

Firstly, usually only clients perform an active open of a connection
(i.e., send a "SYN").  This has to do with the Client/Server model.
Therefore, you won't see a SYN coming from the server.

Secondly, both SYNs should "cross in the network". This is unlikely.

Thirdly, in order for a simultaneous open to take place, not only
should both systems send SYNs that cross each other in the network,
but the client's source port should match the server's destination
port, and the client's destination port should match the server's
source port. This usually unlikely.

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.
------------------------------------------------------------------------




--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
TCP: a practical question, snort user Re: TCP: a practical question, Adam Powers Message not available Re: TCP: a practical question, Fernando Gont Re: TCP: a practical question, crazy frog crazy frog Message not available Re: TCP: a practical question, Fernando Gont Re: TCP: a practical question, crazy frog crazy frog <= Re: TCP: a practical question, \"Zow\" Terry Brugger

Previous by Date:	Re: Snort 2.8.0.1 and No TCP Alerts., Andrea Barisani
Next by Date:	Re: TCP: a practical question, crazy frog crazy frog
Previous by Thread:	Re: TCP: a practical question, Fernando Gont
Next by Thread:	Re: TCP: a practical question, \"Zow\" Terry Brugger
Indexes:	[Date] [Thread] [Top] [All Lists]