On Tue, 11 Dec 2001, Sheer El-Showk wrote:

> I actually checked out a short TCP tutorial and it seems to me that this is
> possible -- it seems that one side can close down the TCP connection before
> the other.
>
> Sheer

All,

A TCP connection-oriented service consists of:

1) Setup stage
2) Data transfer phase
3) Termination phase

See the Four-way Handshake from http://www.knowplace.org/netfilter/ip_overview.html

1. (B) --> ACK/FIN --> (A)
2. (B) <-- ACK     <-- (A)
3. (B) <-- ACK/FIN <-- (A)
4. (B) --> ACK     --> (A)

Since a TCP connection is a two-way connection, it needs to be torn down in both directions. An ACK/FIN packet (ACK and FIN flags set) is sometimes referred to as a FIN (Finish) packet. However, since the connection is not yet torn down, it is always accompanied by the ACK flag. A packet with only the FIN flag set is NOT legal and is likely maliciously generated.

The four-way handshake is not the only way to tear down an established TCP connection. Sometimes, if either host needs to tear down the connection quickly (timeout, port or host unreachable, etc.), a RST (Reset) packet is sent. Note that since a RST packet is not necessarily always part of a TCP connection, it can be sent by itself. RST packets that are part of a TCP connection are usually accompanied by the ACK flag as well. Note that RST packets are not acknowledged.

I installed a rule like this:

  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
      --log-level 7 --log-prefix New_Droped

and went to http://tgftp.nws.noaa.gov/

I did not see anything on my logs similar to:

Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=<my ip> LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0

I also did a

  tcpdump -i eth1 ip host 207.68.181.238 and <my IP>

22:56:47.272151 > <My IP> > greetingcards.msn.com.http: R 398:398(0) ack 1759 win 8688 <nop,nop,timestamp 3882425 12269148> (DF)
23:08:39.167867 < greetingcards.msn.com.http > <My IP>.34113: R 1677313511:1677313511(0) win 0 (DF)

Notice the end of the data transfer sequence ends with the RST flag. With tgftp.nws.noaa.gov it ends with a FIN flag:

23:15:12.324011 < tgftp.nws.noaa.gov.http > <My IP>: F 16318:16318(0) ack 1048 win 65500 <nop,nop,timestamp 1009257744 3990813>

On a side note: I have read of Hybrid TCP-UDP Transport for Web Traffic but I do not know a lot about it:

http://research.sun.com/features/tenyears/volcd/papers/16Rom.pdf (PDF)
HTML version: http://www.google.com/search?q=cache:-H8JwrOHMxk:research.sun.com/features/tenyear$

Maybe someone else can try these (or similar) tests and share with us what they see. It is a good question, I also would like to find the answer.

juzz my 2 cents

::dc::
David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
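To make the flag cases in the message above concrete, here is an added Python example (it is not from the original post or from the list) that parses kernel log lines of the kind the iptables LOG rule above writes and sorts each non-SYN "NEW" TCP packet into the teardown cases the message describes: ACK/FIN, bare FIN, RST with ACK, RST alone, and a plain ACK the firewall has no state for. The log lines are constructed samples: the first is modelled on the line quoted in the message with the local address replaced by a documentation address, the others are invented with TEST-NET addresses. The regex assumes the field layout and flag-token order netfilter prints (flags between RES= and URGP=).

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format. The first is modelled
# on the line in the message (local address replaced by 192.0.2.10); the rest
# are invented and use documentation addresses.
SAMPLE_LOG = """\
Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0
Dec 11 03:00:01 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=40001 WINDOW=0 RES=0x00 FIN URGP=0
Dec 11 03:00:02 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=TCP SPT=80 DPT=40002 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 11 03:00:03 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=TCP SPT=80 DPT=40003 WINDOW=0 RES=0x00 RST URGP=0
Dec 11 03:00:04 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=TCP SPT=443 DPT=40004 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Dec 11 03:00:05 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=UDP SPT=53 DPT=40005 LEN=40
"""

# KEY=value pairs as written by the LOG target (OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flag tokens sit between RES=0x.. and URGP= in the order netfilter prints.
FLAGS_RE = re.compile(
    r"RES=0x[0-9a-fA-F]+((?: (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*) URGP="
)


def parse_log_line(line):
    """Return the addressing fields and a frozenset of TCP flags for one
    netfilter LOG line, or None if the line is not a logged TCP packet."""
    if "IN=" not in line or "PROTO=TCP" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    m = FLAGS_RE.search(line)
    flags = frozenset(m.group(1).split()) if m else frozenset()
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        "flags": flags,
    }


def classify_flags(flags):
    """Name the case a non-SYN packet with no conntrack state falls into,
    following the rules stated in the message above."""
    if "SYN" in flags:
        return "syn"  # a real new connection; "! --syn" never matches it
    if "RST" in flags:
        # A reset may stand alone (not part of a tracked connection) or carry
        # ACK when it belongs to an existing one; both are legitimate.
        return "rst-ack" if "ACK" in flags else "rst-alone"
    if "FIN" in flags:
        # On a live connection FIN always carries ACK; a bare FIN is not legal.
        return "fin-ack" if "ACK" in flags else "fin-without-ack"
    if "ACK" in flags:
        # Data or ACK for a connection the firewall has forgotten (conntrack
        # entry timed out, or the box rebooted mid-connection).
        return "ack-no-state"
    return "no-flags"


def summarize(log_text):
    """Count each category over a block of kernel-log text, skipping non-TCP lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[classify_flags(rec["flags"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        print(f"{rec['src']}:{rec['spt']} -> {rec['dst']}:{rec['dpt']} "
              f"{' '.join(sorted(rec['flags'])):10s} {classify_flags(rec['flags'])}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run against the real kernel log, the category counts show whether the "not syn" hits are the expected late ACK/FIN and RST segments from connections whose state expired, or the bare-FIN and flagless packets the message calls out as not legitimate.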