
List:       dshield
Subject:    Re: [Dshield] Valid TCP Flags?
From:       Chris Brenton <cbrenton () chrisbrenton ! org>
Date:       2006-05-31 16:22:35
Message-ID: 1149092556.9728.264.camel () siren ! chrisbrenton ! org

On Wed, 2006-05-31 at 09:21 -0400, Jon R. Kibler wrote:
> 
> I have been trying to put together a list of all possible valid combinations of
> IPv4 TCP flags. From the RFCs, I gather that the list should be:
> 	SYN
> 	SYN-ACK
> 	ACK
> 	PSH-ACK
> 	URG-ACK
> 	URG-PSH-ACK
> 	FIN
> 	FIN-ACK
> 	RST
> 	RST-ACK

I've also seen FIN-ACK-PSH in the wild and even (eek) SYN-PSH.

> Two questions:
> 1) Can RST and/or FIN ever appear alone, without an ACK?

Send an unsolicited ACK to an open or closed port and you will get back
a plain RST. A FIN will *never* appear by itself which is why Cisco's
"established" keyword filters on ACK and/or RST packets. Only FIN/ACK is
valid.

> 2) Are there other valid combinations that I have missed? If so, under what
> circumstances would you see that combination?

As mentioned I've seen pretty liberal use of the PSH bit. 

HTH,
Chris
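
Added example, not part of the original message: a Python sketch that reads the flags byte from a TCP header and sorts it into the categories discussed in this thread (the proposed list, the combinations reported in the wild, and a lone FIN). The category names, the `classify` and `make_header` helpers, and the sample headers are constructed for illustration; masking off the two high bits (ECE/CWR) is an assumption so that only the six flags named in the thread are compared.

```python
import struct

# Bit values of the six classic TCP flags (byte 13 of the TCP header).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def bits(*names):
    return sum(FLAGS[n] for n in names)

# Combinations from the thread's proposed list, minus lone FIN per the reply.
LISTED = {bits(*c.split("-")) for c in (
    "SYN", "SYN-ACK", "ACK", "PSH-ACK", "URG-ACK", "URG-PSH-ACK",
    "FIN-ACK", "RST", "RST-ACK")}
# Combinations the reply reports having seen in the wild.
SEEN_IN_WILD = {bits("FIN", "ACK", "PSH"), bits("SYN", "PSH")}

def flag_names(value):
    """Render a flags value as FIN-SYN-RST-PSH-ACK-URG names, or NONE."""
    return "-".join(n for n, b in FLAGS.items() if value & b) or "NONE"

def classify(tcp_header: bytes):
    """Return (flag names, verdict) for a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    value = tcp_header[13] & 0x3F      # assumption: ignore ECE/CWR bits
    if value in LISTED:
        verdict = "listed"
    elif value in SEEN_IN_WILD:
        verdict = "seen-in-wild"
    elif value == FLAGS["FIN"]:
        verdict = "fin-without-ack"    # the reply says this never appears alone
    else:
        verdict = "unlisted"           # worth a closer look in logs or captures
    return flag_names(value), verdict

def make_header(flags, sport=40000, dport=80):
    """Constructed 20-byte sample header: data offset 5, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

if __name__ == "__main__":
    for f in (0x02, 0x12, 0x19, 0x0A, 0x01, 0x03, 0x29, 0x00):
        print("0x%02x" % f, *classify(make_header(f)))
```
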

