
| Subject: | data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol)) |
|---|---|
| Date: | Wed, 29 Sep 2004 23:17:04 +0200 |

On Mon, Sep 27, 2004 at 05:00:22PM -0600, Tillman Hodgson wrote:

> Data certainly can appear in SYN packets. RFC 793 section 3.4 allows data in SYN packets, saying ``this is perfectly legitimate, so long as the receiving TCP doesn't deliver the data to the user until it is clear the data is valid (i.e., the data must be buffered at the receiver until the connection reaches the ESTABLISHED state)''.

But the reality is different. Such a payload will be ignored on some stacks,
rejected by others and accepted by the rest.

Comments from linux-2.4/net/ipv4/tcp_input.c:tcp_rcv_state_process() shed some
light on it:

[socket in TCP_LISTEN state, receiving SYN packet]

```c
/* Now we have several options: In theory there is
 * nothing else in the frame. KA9Q has an option to
 * send data with the syn, BSD accepts data with the
 * syn up to the [to be] advertised window and
 * Solaris 2.1 gives you a protocol error. For now
 * we just ignore it, that fits the spec precisely
 * and avoids incompatibilities. It would be nice in
 * future to drop through and process the data.
 *
 * Now that TTCP is starting to be used we ought to
 * queue this data.
 * But, this leaves one open to an easy denial of
 * service attack, and SYN cookies can't defend
 * against this problem. So, we drop the data
 * in the interest of security over speed.
 */
```

Martin Mačok
IT Security Consultant
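
Added example, not part of the original message or of the kernel source: because stacks disagree on what to do with data in a SYN, a sensor can flag such segments for triage. The sketch below parses raw IPv4/TCP bytes and reports initial SYNs that carry payload; the `build` helper, addresses, ports and sample packets are constructed for illustration. TCP Fast Open (RFC 7413) also places data in SYNs legitimately, so a hit is a signal to review, not a verdict.

```python
import struct

SYN, ACK = 0x02, 0x10

def syn_payload_len(pkt: bytes):
    """Payload bytes carried by an initial IPv4/TCP SYN, or None if pkt is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    frag, = struct.unpack_from("!H", pkt, 6)
    if ihl < 20 or pkt[9] != 6 or total_len > len(pkt) or total_len < ihl + 20:
        return None                      # not TCP, truncated, or malformed
    if frag & 0x3FFF:                    # MF flag or offset set: reassemble first
        return None
    tcp = pkt[ihl:total_len]             # total_len excludes Ethernet padding
    data_off = (tcp[12] >> 4) * 4        # TCP header length, options included
    if data_off < 20 or data_off > len(tcp):
        return None
    flags = tcp[13]
    if flags & SYN and not flags & ACK:  # initial SYN only, not SYN/ACK
        return len(tcp) - data_off
    return None

def flag_syn_with_data(packets):
    """Indexes of packets that are initial SYNs carrying at least one data byte."""
    return [i for i, p in enumerate(packets) if (syn_payload_len(p) or 0) > 0]

def build(flags, payload=b"", options=b"", pad=b""):
    """Constructed IPv4/TCP packet for the demo (checksums left at zero)."""
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 1863, 1, 0, doff << 4, flags,
                      8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp + pad

MSS = b"\x02\x04\x05\xb4"                # MSS option, 1460
SAMPLES = [                              # constructed traffic, not a capture
    build(SYN, options=MSS),                     # ordinary SYN
    build(SYN, options=MSS, pad=b"\x00" * 6),    # SYN plus link-layer padding
    build(SYN, payload=b"A" * 32, options=MSS),  # SYN carrying 32 data bytes
    build(SYN | ACK, payload=b"hi"),             # SYN/ACK, out of scope
    build(ACK, payload=b"data"),                 # established-state segment
]

if __name__ == "__main__":
    print(flag_syn_with_data(SAMPLES))
```

The payload length is taken from the IP total length rather than the captured frame size, so short SYNs padded to the Ethernet minimum are not misreported as carrying data.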