Folks,
I've been officially monitoring some TCP traffic on a network and I'm
having difficulty understanding some of the traffic sequences.
1.
HOST A----> TCP SYN ----> HOST B
HOST A----> TCP SYN ----> HOST B
HOST A----> TCP SYN ----> HOST B
HOST A----> TCP SYN ----> HOST B
(No TCP back in the other direction).
2.
HOST A----> TCP SYN ----> HOST B
HOST A<--- SYN_ACK <---- HOST B
HOST A----> TCP SYN ----> HOST B
HOST A<--- SYN_ACK <---- HOST B
HOST A----> TCP SYN ----> HOST B
HOST A<--- SYN_ACK <---- HOST B
HOST A----> TCP SYN ----> HOST B
HOST A<--- SYN_ACK <---- HOST B
(No ACK after the original SYN, even though the SYN_ACK is sent).
Is case 1 where an unauthorised host is trying to access an IP past a
firewall? (i.e. does a firewall work by simply IGNORING SYNs from
unauthorised hosts?)
Is case 2 a valid recording of an IP spoofing attack, where HOST A
is in fact causing HOST B to fill up its SYN-RCVD queue, thus gagging it?
Or is there another valid, not so sinister reason?
Is there a good URL which shows valid/invalid TCP flow sequences?
Thanks for your help!
--
Al Milne
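The two sequences in the post can be told apart automatically by counting the handshake flags per flow. The script below is an added example, not part of the original message: it reads a constructed, tcpdump-like capture (all addresses and ports are made up) and labels each flow as case 1 (SYN retried, nothing back: typically dropped or filtered, or the host is down), case 2 (SYN/ACK sent but never ACKed: a lost reply on the return path or a spoofed source address, the half-open state the poster asks about), or a normal established handshake.

```python
from collections import defaultdict

# Constructed sample capture (not from the original post): "time src > dst flags".
# flags: S = SYN, SA = SYN/ACK, A = ACK. Addresses and ports are made up.
SAMPLE_LOG = """\
0.000 10.0.0.1:40001 > 10.0.0.2:22 S
1.000 10.0.0.1:40001 > 10.0.0.2:22 S
3.000 10.0.0.1:40001 > 10.0.0.2:22 S
7.000 10.0.0.1:40001 > 10.0.0.2:22 S
0.100 10.0.0.1:40002 > 10.0.0.2:80 S
0.101 10.0.0.2:80 > 10.0.0.1:40002 SA
1.100 10.0.0.1:40002 > 10.0.0.2:80 S
1.101 10.0.0.2:80 > 10.0.0.1:40002 SA
0.200 10.0.0.1:40003 > 10.0.0.2:443 S
0.201 10.0.0.2:443 > 10.0.0.1:40003 SA
0.202 10.0.0.1:40003 > 10.0.0.2:443 A
"""

def parse(log):
    """Count handshake packets per client->server flow."""
    flows = defaultdict(lambda: {"S": 0, "SA": 0, "A": 0})
    for line in log.splitlines():
        _, src, _, dst, flags = line.split()
        # SYN/ACK travels server->client, so flip it onto the client->server key
        key = (dst, src) if flags == "SA" else (src, dst)
        flows[key][flags] += 1
    return flows

def classify(counts):
    """Map the flag counts of one flow to the poster's two cases or a normal handshake."""
    if counts["S"] and not counts["SA"]:
        return "case1-unanswered"   # SYN retried, no reply: dropped/filtered or host down
    if counts["SA"] and not counts["A"]:
        return "case2-half-open"    # SYN/ACK never ACKed: reply lost, or source was spoofed
    if counts["A"]:
        return "established"        # full three-way handshake seen
    return "unknown"

def report(log):
    """Return {'client -> server': (state, number of SYNs seen)} for every flow."""
    return {f"{c} -> {s}": (classify(v), v["S"]) for (c, s), v in parse(log).items()}

if __name__ == "__main__":
    for flow, (state, syns) in report(SAMPLE_LOG).items():
        print(f"{flow}: {state} ({syns} SYN(s) seen)")
```

A large number of case-2 flows from many different client addresses to one server is the pattern worth alerting on; a handful of them from one address usually just means the SYN/ACK is being dropped somewhere on the way back.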