Re: Logging unserved ports

linux-kernel@progressive-comp.com
Fri, 11 Dec 1998 09:20:29 -0500


On 1998-12-10, Jamie Lokier <lkd@tantalophile.demon.co.uk> wrote:

> On Tue, Dec 08, 1998 at 11:06:34PM -0500,
> linux-kernel@progressive-comp.com wrote:
> > I also added detection
> > of bad/invalid TCP flag combinations (such as RST+SYN, FIN+SYN, etc).
> ^^^^^^^

> FIN+SYN is valid under some circumstances, is it not?

Hm, well, not as far as I know, but I could be wrong ;)

My understanding is, roughly, FINs are used to close an ESTABLISHED
connection, which means SYN should no longer be set. If SYN (or SYN+ACK)
is received for a socket not yet in ESTABLISHED state, and there is no
listener or whatnot, RST should be sent, not FIN (nor SYN). If there are
conditions in which FIN+SYN is valid, please enlighten me :)

The other reason I doubt it, though, is that I've had about a half-dozen
fairly busy servers running those patches for about two months now, each
pushing about 400,000 web hits/day, without any FIN+SYN false positives.
There are other false positives, though -- extra ACKs, FIN+ACKs, or RSTs to
"unserved" ports where our side has already closed the connection, and we
catch a retransmit or somesuch from the other end...

This does remind me of one other question, though: is FIN+RST (w/ or w/o
ACK set) ever a valid combination? I tend to think not (by pretty much the
same reasoning as above) but I could be wrong, as there seem to be quite a
few stacks which disagree with me. But for now, my stance is that those
stacks are buggy :)

Hank Leininger <hlein@progressive-comp.com>
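A flag-combination check in the spirit of the detection discussed above, as an added example that is not Hank's patch or any kernel code: it reads the flag byte of a raw TCP header and reports the SYN+FIN, SYN+RST and FIN+RST combinations, following the post's stance that FIN+RST is invalid, while deliberately not reporting the ACK-only, FIN+ACK and RST segments the post identifies as false-positive sources. The header builder and the sample headers it produces are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TCP flag bits as laid out in header byte 13 (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TCP_MIN_HDR 20

/* Return the six flag bits of a raw TCP header, or -1 if the buffer is
 * shorter than the minimum header or than its own data-offset field claims. */
int tcp_flags_of(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < TCP_MIN_HDR) return -1;
    size_t doff = (size_t)(hdr[12] >> 4) * 4;      /* header length in bytes */
    if (doff < TCP_MIN_HDR || doff > len) return -1;
    return hdr[13] & 0x3f;
}

/* Classify a flag byte. Returns the name of the bad combination the post
 * discusses (SYN+FIN, SYN+RST, FIN+RST), or NULL for anything else.
 * ACK-only, FIN+ACK and plain RST segments are intentionally NOT reported:
 * as the post notes, they legitimately arrive on ports we have just closed.
 * FIN+RST is reported per the post's stance; some stacks disagree. */
const char *tcp_bad_flags(int flags)
{
    if (flags < 0) return "truncated header";
    if ((flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return "SYN+FIN";
    if ((flags & (TH_SYN | TH_RST)) == (TH_SYN | TH_RST)) return "SYN+RST";
    if ((flags & (TH_FIN | TH_RST)) == (TH_FIN | TH_RST)) return "FIN+RST";
    return NULL;
}

/* Build a constructed 20-byte TCP header (no options) carrying the given
 * flags, so the checks above can be exercised offline. Hypothetical helper. */
void make_tcp_hdr(uint8_t *buf, uint8_t flags)
{
    memset(buf, 0, TCP_MIN_HDR);
    buf[12] = 5 << 4;          /* data offset = 5 words = 20 bytes */
    buf[13] = flags & 0x3f;
}
```

Feeding each captured segment's header through `tcp_bad_flags(tcp_flags_of(hdr, len))` and logging only the non-NULL results gives the unserved-port log the post describes without the ACK/FIN+ACK/RST noise.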
