
Thread: Invalid TCP Option

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    Invalid TCP Option

    Hi. I have a broadband router in front of me with 2 boxes (one XP, one Linux) in my local network, and I still got this IDS message saying Invalid TCP Option. Isn't the router acting as a firewall already? How can the packet pass the router and get sent to my XP?

    How can I detect the internal IP address of a network with a firewall like a router or Checkpoint around?
    BlAcKiE
    GearBlitz

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Use Ethereal or TCPDump to look at the flags in the packets that trigger the alert. They are almost certainly not set to SYN alone and are probably a response to something your machine sent out. The responding machine is setting some IP option that is triggering the IDS rule.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Ermm.. I don't really understand you.. sorry...
    BlAcKiE
    GearBlitz

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well..... Er..... This is a rather large subject to go into......

    I will simply say that you are probably in no danger whatsoever and leave it at that for now.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    OK, I am fine with it.. but theoretically, how did the packet manage to get into my router?
    BlAcKiE
    GearBlitz

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Basically, it's not the business of the routers to be looking at and making decisions about the IP options some machine decides to set. So if your machine requests something from a server on the net and the server replies with some "odd" IP options the packet is going to get back to you regardless. What you are seeing is your IDS, whose job it is to look at such things and react, examining the packet and determining that the IP options are, indeed, "odd" and is dutifully reporting it to you.

    If you take a look at the log of the packets in the IDS you should be able to see that the flags set are not simply SYN; it will probably be SYN in combination with ACK, PSH or whatever, though it may be a FIN combination too. In either case, assuming the only flag set is not SYN, the packets are responses to valid connections made by one of your boxes and thus the firewall will allow them to pass. Were they only SYN packets then the firewall should be dropping them, and if it isn't then it isn't working or you have some ports forwarded through the firewall to internal machines.

    To be really sure you need to put a packet sniffer on the inside of the network and examine the packets it logs to determine what exactly is going on. If you are having a problem reading the packet dumps then sanitize them and post them here and we'll all have a look.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
