Re: Some unusual network features

From: Shashank Rai (shashrai@emirates.net.ae)
Date: Tue Jan 13 2004 - 22:22:29 EST


On Tue, 2004-01-13 at 13:46, Paul Johnston wrote:

> 3) Ports where the TTL is different on the SYN reply to the rest of the
> connection. IPIDs also imply that different hosts are handling the SYN
> and the rest of the connection.
>

Cisco routers can be configured with a feature called TCP Intercept (I
believe this has now been replaced by CBAC). With TCP Intercept, the
handshake is done by the router on behalf of the server:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm#17332

This could be a possible explanation for the variation in the IPIDs and
SYN values.

-- 
shashank
<--
Here is the Packet that was fragmented and has been assembled again.
                                       (with apologies to JRR Tolkien :)
-->
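
The comparison discussed in this thread, as an added example that is not part of the original post: it parses raw IPv4/TCP packets received from the server side of one connection and reports whether the SYN-ACK's TTL and IPID differ from the packets that follow. The function names, the `max_gap` threshold and the sample packets (documentation addresses) are constructed assumptions.

```python
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10

def parse_ipv4_tcp(pkt):
    """Return (ttl, ipid, tcp_flags) from one raw IPv4 packet carrying TCP."""
    ver_ihl, _, _, ipid, _, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    return ttl, ipid, pkt[ihl + 13]       # TCP flags sit at offset 13

def compare_handshake(server_pkts, max_gap=1000):
    """Compare the SYN-ACK with later packets of one connection (server -> client).

    max_gap is an assumed threshold; the IPID test is only meaningful when the
    replying stack uses an incrementing IPID counter.
    """
    synack, rest = None, []
    for raw in server_pkts:
        ttl, ipid, flags = parse_ipv4_tcp(raw)
        if synack is None and flags & (SYN | ACK) == (SYN | ACK):
            synack = (ttl, ipid)
        else:
            rest.append((ttl, ipid))
    if synack is None or not rest:
        return None                        # nothing to compare
    ttl_differs = any(ttl != synack[0] for ttl, _ in rest)
    gap = (rest[0][1] - synack[1]) % 65536  # forward distance, wraps at 2^16
    return {"ttl_differs": ttl_differs, "ipid_gap": gap,
            "split_handling_likely": ttl_differs and gap > max_gap}

def build(ttl, ipid, flags):
    """Constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ipid, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 0x50, flags, 8192, 0, 0)
    return ip + tcp

# Constructed samples: SYN-ACK answered by another device vs. by the server itself.
INTERCEPTED = [build(254, 0x1200, SYN | ACK), build(52, 0x9C40, ACK),
               build(52, 0x9C41, ACK | PSH)]
DIRECT = [build(52, 0x9C3F, SYN | ACK), build(52, 0x9C40, ACK),
          build(52, 0x9C41, ACK | PSH)]

if __name__ == "__main__":
    print(compare_handshake(INTERCEPTED))
    print(compare_handshake(DIRECT))
```
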