Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Monday, January 11, 2010
Identifying TCP Retries
When looking at packet dumps, distinguishing TCP retry packets (retransmissions) from network scanning is straightforward. A retried connection attempt is the same SYN being sent again by the same host, so look for these characteristics:
- Source ports will remain the same across all packets, because every one of them belongs to the same connection attempt. A scanner, by contrast, usually walks through many destination ports or hosts.
- The TCP sequence numbers will also remain the same, for the same reason: the retransmitted SYN carries the original initial sequence number. A scanner building a fresh SYN for each probe will normally show a different sequence number on each one.
- IP ID numbers will increment, because the sending host builds a new IP packet for each retransmission. This holds for stacks that use a global incrementing IP ID counter; some stacks randomize the field or set it to zero on don't-fragment packets, so treat it as supporting evidence rather than a requirement.
- Time stamps will not be evenly spaced; the gap between packets grows. This is due to the TCP retransmission back-off algorithm, which waits roughly twice as long before each resend. Windows classically shows 3, then 6, then 12 seconds between attempts; Linux starts at about 1 second and doubles from there (1, 2, 4, 8 ...). A scanner sends its probes at a roughly constant rate.
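The four checks above can be applied mechanically to a group of SYNs pulled from a capture. The following is an added example, not code from the original post: it takes constructed packet records (timestamp, source port, destination, sequence number, IP ID), tests each indicator, and labels the group as a retransmission series when the flow, sequence number and back-off timing all agree. The `Syn` record, the field names and the 25 percent timing tolerance are assumptions for the example; the sample packets are constructed and do not come from a real capture.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Syn:
    """One SYN as it would be read off a packet dump (assumed field set)."""
    ts: float       # capture timestamp in seconds
    src_port: int   # TCP source port
    dst: str        # destination IP address
    dst_port: int   # TCP destination port
    seq: int        # TCP sequence number (ISN on a SYN)
    ip_id: int      # IP identification field


def intervals(pkts: List[Syn]) -> List[float]:
    """Gaps in seconds between consecutive packets (input must be time-sorted)."""
    return [later.ts - earlier.ts for earlier, later in zip(pkts, pkts[1:])]


def is_backoff(gaps: List[float], tolerance: float = 0.25) -> bool:
    """True when each gap is roughly double the previous one (3, 6, 12 or 1, 2, 4, 8).

    Needs at least two gaps, i.e. three packets, to see the doubling at all.
    tolerance is the allowed relative deviation from an exact factor of two
    (an assumed threshold; real captures jitter by tens of milliseconds).
    """
    if len(gaps) < 2:
        return False
    for prev, cur in zip(gaps, gaps[1:]):
        if prev <= 0 or abs(cur / prev - 2.0) > 2.0 * tolerance:
            return False
    return True


def indicators(pkts: List[Syn]) -> Dict[str, bool]:
    """Evaluate each characteristic of a retransmission series independently."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    pairs = list(zip(pkts, pkts[1:]))
    return {
        # same source port and same destination: one connection attempt, not a sweep
        "same_flow": len({(p.src_port, p.dst, p.dst_port) for p in pkts}) == 1,
        # same ISN: the stack is resending the original SYN, not building a new one
        "same_seq": len({p.seq for p in pkts}) == 1,
        # IP ID rises with each new IP packet (stack-dependent, supporting evidence only)
        "ip_id_increments": all(b.ip_id > a.ip_id for a, b in pairs),
        # inter-packet gaps double: the retransmission timer backing off
        "backoff_timing": is_backoff(intervals(pkts)),
    }


def classify(pkts: List[Syn]) -> str:
    """Label a group of SYNs; IP ID is reported but not required for the verdict."""
    if len(pkts) < 3:
        return "insufficient"
    ind = indicators(pkts)
    if ind["same_flow"] and ind["same_seq"] and ind["backoff_timing"]:
        return "tcp-retransmission"
    return "scan-or-other"


# Constructed sample: one client retrying a SYN to 10.0.0.5:445 with Windows-style
# 3/6/12 second back-off, same source port and ISN, IP ID stepping by one.
RETRIES = [
    Syn(0.0,  51234, "10.0.0.5", 445, 0x1A2B3C4D, 100),
    Syn(3.0,  51234, "10.0.0.5", 445, 0x1A2B3C4D, 101),
    Syn(9.0,  51234, "10.0.0.5", 445, 0x1A2B3C4D, 102),
    Syn(21.0, 51234, "10.0.0.5", 445, 0x1A2B3C4D, 103),
]

# Constructed sample: a port sweep from the same source port, fresh ISN per probe,
# sent at a constant rate to different destination ports.
SCAN = [
    Syn(0.00, 40000, "10.0.0.5", 22,   0x11111111, 500),
    Syn(0.01, 40000, "10.0.0.5", 80,   0x22222222, 501),
    Syn(0.02, 40000, "10.0.0.5", 443,  0x33333333, 502),
    Syn(0.03, 40000, "10.0.0.5", 3389, 0x44444444, 503),
]

if __name__ == "__main__":
    for name, group in (("retries", RETRIES), ("scan", SCAN)):
        print(name, classify(group), indicators(group))
```

Note that the scan sample also has incrementing IP IDs, which is why the verdict leans on flow, sequence number and timing; IP ID on its own separates nothing here, matching the caveat in the list above.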