From: die tuere (reitenba@fh-brandenburg.de)
Date: Thu Jan 15 2004 - 04:48:31 EST
On Wednesday, 14 January 2004 12:01, Alla Bezroutchko wrote:
> Paul Johnston wrote:
> > Hi,
> >
> > I've come across the following anomalies while auditing a network, can
> > anyone help explain what they are:
> >
> > 3) Ports where the TTL is different on the SYN reply to the rest of the
> > connection. ipid's also imply that different hosts are handling the SYN
> > and the rest of the connection.
>
> I've seen that on a server behind a Cisco PIX firewall with SYN flood
> protection enabled. The firewall handles connection setup itself and
> once the handshake is complete, establishes the connection with the
> server behind it. If the handshake is not complete the server never sees
> any of it.
I think OpenBSD's pf also has such a feature, called synproxy.
buzz
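
The symptom discussed in this thread (a SYN reply whose TTL and IP ID do not match the rest of the connection), as an added example that is not part of the original messages: a Python check over constructed packet records. The record layout, the function names and the `max_ipid_gap` threshold are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mode

# Constructed sample: packets received from the server side of two TCP flows,
# as (server_port, tcp_flags, ttl, ip_id). Values are illustrative only.
SAMPLE = [
    (80, "SA", 255, 0x1A2B),   # SYN-ACK answered by an intermediary
    (80, "A", 115, 0x9001),
    (80, "PA", 115, 0x9002),
    (80, "FA", 115, 0x9003),
    (22, "SA", 52, 0x4400),    # SYN-ACK and data from the same stack
    (22, "PA", 52, 0x4401),
    (22, "A", 52, 0x4402),
]

def ipid_gap(a, b):
    """Forward distance between two 16-bit IP IDs, allowing wrap-around."""
    return (b - a) & 0xFFFF

def find_proxied_handshakes(packets, max_ipid_gap=1024):
    """Return {port: reasons} for flows whose SYN-ACK looks like another host's.

    max_ipid_gap is an assumed threshold; stacks that randomise or zero the
    IP ID make that signal unreliable, so the TTL comparison is the primary one.
    """
    flows = defaultdict(list)
    for port, flags, ttl, ipid in packets:
        flows[port].append((flags, ttl, ipid))
    findings = {}
    for port, pkts in flows.items():
        synack = [p for p in pkts if p[0] == "SA"]
        rest = [p for p in pkts if p[0] != "SA"]
        if not synack or not rest:
            continue  # need both phases of the connection to compare
        reasons = []
        rest_ttl = mode(ttl for _, ttl, _ in rest)  # most common post-handshake TTL
        if synack[0][1] != rest_ttl:
            reasons.append(f"ttl {synack[0][1]} vs {rest_ttl}")
        if ipid_gap(synack[0][2], rest[0][2]) > max_ipid_gap:
            reasons.append("ip_id discontinuity")
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, reasons in find_proxied_handshakes(SAMPLE).items():
        print(f"port {port}: handshake likely proxied ({', '.join(reasons)})")
```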