[ale] Iptables: Packets from port 80 to unestablished ports

Jason Day jasonday at worldnet.att.net
Wed Jul 30 12:01:19 EDT 2003


On Wed, Jul 30, 2003 at 10:32:11AM -0400, Dow Hurst wrote:
> So to clarify this:
> 
> Are you saying that these web servers are sending ACKs to unrelated high 
> port numbers to accelerate the response of the client?  Sending the ACK 
> to a different port number than the port that would be appropriate is a 
> violation of the normal TCP protocol as y'all have stated.  So it looks 
> like an attack/probe to the firewall.
> Dow

Microsoft is using a clever but dubious trick to accelerate browsing
from IE <--> IIS.  Basically, IIS leaves TCP connections half open, and
IE tries using a half open connection first when it contacts a server.
That way most of the TCP handshake is bypassed, and browsing is faster.
As long as you're using IE and IIS.

There is a much better discussion and analysis here:
http://www.mail-archive.com/mozilla-netlib@mozilla.org/msg01571.html

-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
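
Added example, not part of the original message or thread: a triage script for the kind of firewall log entries discussed here. It separates non-SYN packets from source port 80 to a high client port (the pattern a late reply from a web server produces) from packets that try to open a connection. The log lines are constructed samples in the iptables LOG target's format, and the 1024 port floor and the verdict names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel-log format written by the iptables LOG target.
SAMPLE_LOG = """\
Jul 30 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=34512 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jul 30 10:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=34513 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul 30 10:02:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=240 PROTO=TCP SPT=80 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 30 10:03:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TTL=49 PROTO=TCP SPT=41000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Return (KEY=value fields, set of TCP flags) for one LOG line."""
    fields = dict(FIELD.findall(line))
    # TCP flags are bare tokens between RES=... and URGP=...
    m = re.search(r"RES=\S+ (.*?) ?URGP=", line)
    flags = set(m.group(1).split()) & TCP_FLAGS if m else set()
    return fields, flags

def classify(line, web_ports=(80,), first_client_port=1024):
    """Heuristic verdict; first_client_port is an assumed ephemeral-port floor."""
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP" or int(fields.get("SPT") or 0) not in web_ports:
        return "other"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"      # tries to open a connection: not a reply
    dpt = int(fields.get("DPT") or 0)
    if "SYN" not in flags and flags & {"ACK", "FIN", "RST"} and dpt >= first_client_port:
        return "late-reply"           # looks like traffic for a flow no longer tracked
    return "review"                   # e.g. SYN+ACK, no flags, or a service port

def summarize(log):
    """Count verdicts per source address."""
    counts = Counter()
    for line in log.splitlines():
        if "PROTO=" in line:
            counts[(parse(line)[0].get("SRC"), classify(line))] += 1
    return counts

if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:16} {n}")
```

The verdicts are a sorting aid for log review; they do not change what the firewall should drop.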