[svlug] what about those tcp flags?

George Georgalis georgw at galis.org
Thu Mar 13 09:32:50 PST 2003


I did another search and was swamped with examples, but not the doc
I'm looking for...

Using iptables you can filter based on tcp flags, but under what
circumstances do the various combinations come up? Ideally I'd like to
find a webpage that has a short paragraph explaining the circumstances
of every tcp flag permutation. :-} Surely somebody has done this...

In the past I've asked and was pointed to the Stevens book, I'm
sure the answer is in there but I'm also sure more specific doc is
available than I've been able to find.... what I'm looking for could
take quite a while (and be prone to errors) if done from scratch. (cf
yenigul.net/tcpip/tcp_tran.htm#17_3)

These are some specific examples I have, but I don't always know
what to do with them, for example I _sometimes_ get a "--tcp-flags
SYN,ACK,FIN,RST RST" back when delivering mail; can I drop it?....

 iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP     # syn/fin-scan
 iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST         # Stealth-Scan but might be normal too; rate-limit it (--limit 5/m)
 iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP     # nmap-xmas scan
 iptables -A INPUT -p tcp --tcp-flags ALL FIN                     # fin-scan
 iptables -A INPUT -p tcp --tcp-flags ALL NONE                    # null-scan


Here are some resources I've saved...

http://yenigul.net/tcpip/
TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens
 http://www.kohala.com/start/tcpipiv1.html
 Pocket guide (2 pages: pictures of IP, UDP, and TCP headers)
 http://yenigul.net/tcpip/tcp_bulk.htm
 TCP Bulk Data Flow
http://lwn.net/2002/0221/a/kernel-net.php3
packet handling in Linux 2.4 (essentially ipv4) and including the
5 netfilter hooks. xfig source available from author.
http://cr.yp.to/syncookies.html
SYN cookies are particular choices of initial TCP sequence numbers by
TCP servers.
./Documentation/networking/ip-sysctl.txt
kernel doc
http://www.networkice.com/advice/Exploits/Ports/
List of frequently seen TCP and UDP ports and what they mean.
http://www.sans.org/resources/idfaq/oddports.php
Default ports used by some known trojan horses
http://iptables-tutorial.frozentux.net/
The aim of the iptables-tutorial is to explain iptables in a complete
and simple way.


// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
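The following is an added worked example, not code from the original post or from the iptables project. It reimplements the `--tcp-flags MASK COMP` match in Python: iptables looks only at the flags named in MASK and matches when, of those, exactly the flags named in COMP are set (COMP may be NONE; ALL means FIN,SYN,RST,PSH,ACK,URG). The script runs the five rules from the post over constructed 20-byte TCP headers, including the cases that tell a scan apart from normal traffic. Two of the samples are relevant to the bare-RST question: a RST answering a SYN to a closed port carries ACK (RST/ACK), so it does not match `SYN,ACK,FIN,RST RST`; by the reset-generation rule in RFC 793, a RST answering a segment that itself carried ACK (a stray segment from a connection the peer has forgotten, for instance) is sent without ACK, and that one does match. The header builder, port numbers and sample names are constructed for the example.

```python
"""Classify TCP segments the way iptables' --tcp-flags MASK COMP does (added example)."""
import struct

# TCP flag bits in the low byte of the 16-bit data-offset/flags word (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # what the iptables keyword ALL expands to (ECE/CWR are not included)


def bits(names):
    """Turn an iptables flag list such as 'SYN,ACK' into a bitmask; honours ALL and NONE."""
    names = names.strip().upper()
    if names == "ALL":
        return ALL
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))


def tcp_flags_match(flags, mask, comp):
    """iptables semantics: of the MASK flags, exactly the COMP flags must be set."""
    return (flags & bits(mask)) == bits(comp)


# The rules from the post as (mask, comp, label), in the order they were listed.
RULES = [
    ("SYN,FIN", "SYN,FIN", "syn/fin-scan"),
    ("SYN,ACK,FIN,RST", "RST", "bare RST (stealth scan or a normal reset)"),
    ("ALL", "FIN,URG,PSH", "nmap-xmas scan"),
    ("ALL", "FIN", "fin-scan"),
    ("ALL", "NONE", "null-scan"),
]


def classify(flags):
    """Labels of every rule that would match a segment carrying these flag bits."""
    return [label for mask, comp, label in RULES if tcp_flags_match(flags, mask, comp)]


def parse_tcp_header(hdr):
    """Extract the six classic flag bits from a raw TCP header (first 20 bytes)."""
    if len(hdr) < 20:
        raise ValueError("TCP header too short")
    off_flags = struct.unpack("!H", hdr[12:14])[0]
    return off_flags & ALL


def build_tcp_header(flags, sport=4444, dport=25, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options, zero checksum) for testing only."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)


def flag_names(flags):
    return ",".join(n for n, b in FLAGS.items() if flags & b) or "NONE"


# Constructed sample segments (assumed values, not captured traffic).
SAMPLES = {
    "handshake SYN":          build_tcp_header(bits("SYN")),
    "handshake SYN/ACK":      build_tcp_header(bits("SYN,ACK")),
    "normal FIN/ACK":         build_tcp_header(bits("FIN,ACK")),
    "RST/ACK to closed port": build_tcp_header(bits("RST,ACK")),
    "RST to a stray ACK":     build_tcp_header(bits("RST")),
    "syn/fin probe":          build_tcp_header(bits("SYN,FIN")),
    "xmas probe":             build_tcp_header(bits("FIN,PSH,URG")),
    "fin probe":              build_tcp_header(bits("FIN")),
    "null probe":             build_tcp_header(0),
}


def classify_samples():
    """Map each sample name to the rule labels its flags trigger."""
    return {name: classify(parse_tcp_header(h)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in classify_samples().items():
        flags = parse_tcp_header(SAMPLES[name])
        print(f"{name:24s} {flag_names(flags):12s} {labels or ['no rule matched']}")
```

Running the script prints one line per sample; the three handshake/teardown segments and the RST/ACK match nothing, the bare RST matches only the `SYN,ACK,FIN,RST RST` rule, and each probe matches exactly the rule written for it. Since a bare RST has a legitimate origin, rate-limiting and logging that rule, as the comment in the post suggests, is the safer choice over an unconditional DROP.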



