* Broken MS tcp new not syn: better to REJECT or DROP?
@ 2003-01-23 23:01 Phil Crooker
  0 siblings, 0 replies; 5+ messages in thread
From: Phil Crooker @ 2003-01-23 23:01 UTC (permalink / raw)
  To: netfilter

Hi,

We've a recent install of iptables and came across the broken MS TCP 
problem. I was wondering, would rejecting the packet be faster than 
dropping it for the client?  Comparing the webserv and iptables logs 
there doesn't seem to be much correlation. If there is, presumably the 
client will wait for a timeout before sending a proper SYN packet. Or is 
IE too dumb to recognise the reject? Also, has anyone found a good way to 
test this?

thanks in advance


* Re: Broken MS tcp new not syn: better to REJECT or DROP?
  2003-01-29 23:03 ` justin
  2003-01-30  0:20   ` Athan
@ 2003-01-30  1:58   ` SBlaze
  1 sibling, 0 replies; 5+ messages in thread
From: SBlaze @ 2003-01-30  1:58 UTC (permalink / raw)
  To: justin, Phil Crooker; +Cc: netfilter

Fyodor discusses this lightly, I think, in his OS fingerprinting documentation. It's
probably a little dated though... maybe it will help

http://www.insecure.org


--- justin <cmbb@dslr.net> wrote:
> Is there a web page somewhere on this subject you can point me at?
> "broken ms tcp" ?
> 
> thanks -Justin
> 
> 


=====
"No touchy NO TOUCHY! Emperor Kuzko -=Emperor's New Groove=-"


* Re: Broken MS tcp new not syn: better to REJECT or DROP?
  2003-01-29 23:03 ` justin
@ 2003-01-30  0:20   ` Athan
  2003-01-30  1:58   ` SBlaze
  1 sibling, 0 replies; 5+ messages in thread
From: Athan @ 2003-01-30  0:20 UTC (permalink / raw)
  To: justin; +Cc: Phil Crooker, netfilter

On Wed, Jan 29, 2003 at 06:03:42PM -0500, justin wrote:
> Is there a web page somewhere on this subject you can point me at?
> "broken ms tcp" ?

  I presume they mean this:

	http://slashdot.org/article.pl?sid=03/01/05/2025254&mode=thread
	http://grotto11.com/blog/slash.html?+1039831658

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME


* Re: Broken MS tcp new not syn: better to REJECT or DROP?
       [not found] <3E307456.70104@orix.com.au.>
  2003-01-29 12:41 ` Maciej Soltysiak
@ 2003-01-29 23:03 ` justin
  2003-01-30  0:20   ` Athan
  2003-01-30  1:58   ` SBlaze
  1 sibling, 2 replies; 5+ messages in thread
From: justin @ 2003-01-29 23:03 UTC (permalink / raw)
  To: Phil Crooker; +Cc: netfilter

Is there a web page somewhere on this subject you can point me at?
"broken ms tcp" ?

thanks -Justin


* Re: Broken MS tcp new not syn: better to REJECT or DROP?
       [not found] <3E307456.70104@orix.com.au.>
@ 2003-01-29 12:41 ` Maciej Soltysiak
  2003-01-29 23:03 ` justin
  1 sibling, 0 replies; 5+ messages in thread
From: Maciej Soltysiak @ 2003-01-29 12:41 UTC (permalink / raw)
  To: Phil Crooker; +Cc: netfilter

> Hi,
>
> We've a recent install of iptables and came across the broken ms tcp
> problem.
Um, I thought NEW, not SYN is a result of a conntrack entry expiry.
Of course, besides 'on purpose' packet crafting or scanning, etc.

> I was wondering, would rejecting the packet be faster than
> dropping it for the client?
Well, yes. The client's TCP stack, on receiving either the TCP RST or ICMP
unreach, will inform the application about it. Now it's up to the client's
application (e.g. IE) to handle the network error properly.

Anyway dropping the packet will get you nowhere, you'll be waiting as much
as the clients application (or the tcp stack) timeout is. Or the user's
patience is :)

> client will wait for a timeout before sending a proper syn packet.
Really? MS IE sending improper SYN packets? What is so improper about it?
It must be something else.

> IE too dumb to recognise the reject?
Well, try -j REJECT --reject-with tcp-reset, it will result in IE finding
that the port is closed.

Also this works great for blocking ads in messenger software, just have to
know the ip/port of the ads.

Regards,
Maciej
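
The thread asks two things: whether REJECT gets the client going again faster than DROP, and how to test it. One way to check on a live box, as an added example that is not code from this thread or from the netfilter project: log the packets that hit the NEW-not-SYN rule and measure how quickly each source reappears in the web server's access log, once with REJECT active and once with DROP. The script assumes the firewall logs those packets with a rule such as iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW_NOT_SYN: " placed directly before the REJECT (or DROP) rule, that the syslog and Apache common-log timestamps share a year and time zone, and it runs over constructed log lines embedded in the file; the addresses, ports and times are made up for the example.

```python
"""Correlate netfilter "NEW, not SYN" hits with a web server access log.

Added example, not code from the thread. Assumes the offending packets are
logged by a rule placed directly before the REJECT (or DROP) rule, e.g.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "NEW_NOT_SYN: "
and that the web server writes Apache common log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_YEAR = 2003  # syslog lines carry no year; assumed equal to the access log's (and UTC)

# Constructed netfilter LOG lines. 192.0.2.10 looks like a browser whose conntrack
# entry expired (stale ACKs, then a fresh connection in the access log shortly after);
# 192.0.2.77 sends bare ACK and FIN packets and never completes a handshake.
FIREWALL_LOG = """\
Jan 29 12:40:01 gw kernel: NEW_NOT_SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=31337 DF PROTO=TCP SPT=3291 DPT=80 WINDOW=17520 RES=0x00 ACK URGP=0
Jan 29 12:40:01 gw kernel: NEW_NOT_SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=31338 DF PROTO=TCP SPT=3291 DPT=80 WINDOW=17520 RES=0x00 ACK URGP=0
Jan 29 12:40:09 gw kernel: NEW_NOT_SYN: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 29 12:40:15 gw kernel: NEW_NOT_SYN: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
"""

# Constructed Apache common-log lines from the web server behind the firewall.
ACCESS_LOG = """\
192.0.2.10 - - [29/Jan/2003:12:39:30 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [29/Jan/2003:12:40:03 +0000] "GET /news.html HTTP/1.1" 200 2048
203.0.113.9 - - [29/Jan/2003:12:40:12 +0000] "GET / HTTP/1.0" 200 1024
"""

# The TCP flag names appear as bare tokens between RES= and URGP= in LOG output.
FW_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]+ )*)URGP="
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_firewall_log(text):
    """Return one dict per LOG line: timestamp, endpoints and the set of TCP flags."""
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"
        ).replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                        "spt": int(m["spt"]), "dpt": int(m["dpt"]),
                        "flags": frozenset(m["flags"].split())})
    return entries


def parse_access_log(text):
    """Return one dict per completed HTTP request (a request implies a finished handshake)."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ts": ts, "ip": m["ip"], "request": m["request"],
                        "status": int(m["status"])})
    return entries


def classify_flags(flags):
    """Say why a packet counted as NEW without being a SYN."""
    if "SYN" in flags:
        return "syn"          # a real connection attempt; '! --syn' would not match it
    if "RST" in flags:
        return "rst"
    if "ACK" in flags:
        return "ack-no-syn"   # mid-stream packet of a connection conntrack has forgotten
    return "no-ack"           # FIN-only, NULL and similar: crafted or scanner traffic


def correlate(fw_entries, access_entries):
    """Per source: hit count, flag kinds and seconds until it next appears in the access log.

    A client that received a RST (REJECT --reject-with tcp-reset) can reconnect at once;
    one whose packets were dropped retransmits until its stack gives up, so a long or
    missing recovery is what DROP, or a probe that never meant to connect, looks like.
    """
    by_src = defaultdict(list)
    for e in fw_entries:
        by_src[e["src"]].append(e)
    report = {}
    for src, hits in by_src.items():
        first = min(h["ts"] for h in hits)
        later = [a["ts"] for a in access_entries if a["ip"] == src and a["ts"] >= first]
        report[src] = {
            "hits": len(hits),
            "kinds": sorted({classify_flags(h["flags"]) for h in hits}),
            "recovery_seconds": (min(later) - first).total_seconds() if later else None,
        }
    return report


def build_report():
    return correlate(parse_firewall_log(FIREWALL_LOG), parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    for src, info in sorted(build_report().items()):
        rec = info["recovery_seconds"]
        print(f"{src:15} hits={info['hits']} kinds={','.join(info['kinds'])} "
              f"recovered_after={'never' if rec is None else f'{rec:.0f}s'}")
```

Point FIREWALL_LOG and ACCESS_LOG at the real files, run it for a few hours with the REJECT rule in place and again with DROP, and compare the recovery times of the sources classified as ack-no-syn: those are the browsers Maciej describes, and the difference between the two runs is the timeout the user would otherwise sit through. A source that shows up only with FIN or bare ACK packets and never makes a request is more likely a scanner than a customer, and the verdict makes no difference to anyone's browsing there.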

