On Sat, 1 Oct 2005, Robert Nichols wrote:
> Actually, I find that an unsolicited TCP SYN/ACK packet matches state INVALID and does not match state NEW.
Right.. this is one of very few exceptions (SYN/ACK, FIN, RST) where otherwise valid TCP packets get handled as INVALID if there is no existing session. A lonely SYN/ACK is nearly always "bad", and in the worst case the SYN will need to be retransmitted for the session to get established when it is for real.
I am not entirely sure about the reasoning why a lone FIN is seen as invalid. The comment only says "Too late and no reason to do anything...". Also not entirely sure why a lone RST is seen as invalid. Both FIN and RST carry valuable meaning when resuming forgotten sessions.
> I receive a handful of packets like that each day. I see the same thing with packets having a bad TCP checksum. They also get classified as INVALID.
Packets with bad checksums should be INVALID as these can by definition not be part of a valid session (the packets are not valid).
Regards Henrik
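
Added example, not part of the original messages and not netfilter code: a Python model of the classification discussed above for a TCP segment that matches no tracked session, covering only the cases named in the thread (bad checksum, lone SYN/ACK, FIN, RST, and a plain SYN). The addresses, ports and function names are constructed for the example.

```python
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SRC, DST = "192.0.2.1", "198.51.100.7"   # constructed documentation addresses

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def build_segment(flags: int, corrupt: bool = False) -> bytes:
    """Constructed 20-byte TCP header with no payload, for the demo only."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    csum = inet_checksum(pseudo_header(SRC, DST, len(hdr)) + hdr)
    if corrupt:
        csum ^= 0x0101                    # damage the checksum field
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Summing a segment that includes a correct checksum field yields zero.
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def classify_untracked(src: str, dst: str, segment: bytes) -> str:
    """State for a segment with no existing session, per the thread above."""
    if len(segment) < 20 or not checksum_ok(src, dst, segment):
        return "INVALID"                  # not a valid packet at all
    flags = segment[13]
    if flags & RST:
        return "INVALID"                  # lone RST
    if flags & SYN:
        return "INVALID" if flags & ACK else "NEW"   # lone SYN/ACK vs. opening SYN
    if flags & FIN:
        return "INVALID"                  # lone FIN
    return "NOT_MODELED"                  # cases the thread does not discuss

if __name__ == "__main__":
    for name, seg in [("SYN", build_segment(SYN)), ("SYN/ACK", build_segment(SYN | ACK)),
                      ("FIN", build_segment(FIN | ACK)), ("RST", build_segment(RST)),
                      ("SYN bad csum", build_segment(SYN, corrupt=True))]:
        print(f"{name:13s} -> {classify_untracked(SRC, DST, seg)}")
```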