Sunday, July 6, 2014

Stimulus and Response - TCP - Setting 6 flags - The Christmas Tree

URG-ACK-PSH-RST-SYN-FIN -> Listening Port 80
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPRSF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  2   0.001215    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0


From the above:
Windows 2012 - A packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.


CentOS 6.5 - A packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


URG-ACK-PSH-RST-SYN-FIN -> Non-Listening Port 81
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPRSF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  5   4.149099    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  8   4.155698    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0


From the above:
Windows 2012 - A packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5 - A packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
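
Because both stacks drop this packet silently, the target's response gives a sensor nothing to key on; the stimulus itself has to be recognised on the wire. The following is an added example, not code from the original post: it parses the TCP flags byte out of a raw Ethernet/IPv4 frame and names the anomaly. It goes beyond the all-six-flags case by also flagging SYN+FIN, SYN+RST and no-flags segments; the function names and the constructed test frame are assumptions for illustration.

```python
import struct

# TCP flag bits, listed low bit first (the order tshark prints them in).
FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
         ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def build_frame(src, dst, sport, dport, flags):
    """Constructed sample input: 54-byte Ethernet/IPv4/TCP frame, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def tcp_flags(frame):
    """Return (dport, flags) for an IPv4/TCP Ethernet frame, or None if not parseable."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IP header length honours IP options
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                       # non-first fragment: no TCP header here
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    # Mask to the six classic flags so ECE/CWR do not affect classification.
    return struct.unpack("!H", tcp[2:4])[0], tcp[13] & 0x3F

def classify(flags):
    """Name the anomaly in a flags byte, or None for a combination seen in normal traffic."""
    if flags == 0x3F:
        return "all six flags set (Christmas tree)"
    if flags & 0x02 and flags & 0x01:
        return "SYN+FIN"
    if flags & 0x02 and flags & 0x04:
        return "SYN+RST"
    if flags == 0:
        return "null (no flags)"
    return None

def flag_names(flags):
    """Render a flags byte as a comma-separated list of flag names."""
    return ", ".join(name for name, bit in FLAGS if flags & bit)

def scan(frames):
    """Return (dport, flag names, anomaly) for each frame with a suspicious flag set."""
    parsed = filter(None, map(tcp_flags, frames))
    return [(p, flag_names(f), classify(f)) for p, f in parsed if classify(f)]
```
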


Conclusion:
While there are many cases in which the Windows 2012 and CentOS 6.5 TCP/IP stacks provide the same response to a stimulus, there are also many cases in which they do not. Windows 2012 seems to be the more polite :-) of the two, being more willing to send a RST-ACK, while CentOS 6.5 discards the packet silently.

If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27

stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853 
