Re: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED

From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 08:46:15 -0700

This is ISA reporting a host that's violating the rules of TCP.
All TCP sessions should begin with a TCP-SYN packet and this one didn't do that.
It's a classic technique for OS and application fingerprinting that fails miserably against an ISA server.

Essentially, it's a non-issue unless you see a lot of these from a particular host.
In that case, you may want to contact their ISP and complain.

-- 
 Jim Harrison [ISASE]
 Read the help, books and articles!
 This posting is provided "AS IS" with no warranties, and confers no rights.

"Lex Penrose" <LexPenrose@discussions.microsoft.com> wrote in message news:DCB3126F-8B23-44BE-AC0E-5D72013359B5@microsoft.com...
Could anyone tell me how we can interpret this error? What is happening and
why? Is ISA expecting a SYN packet sequence and not getting it, or is it
getting a wrong one? Where is the original SYN packet gone?
We have been using NLB but have deinstalled everything, it cannot be
related to that anymore.
Could anyone shed some light on this please?
LexP
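
The behaviour described in the reply above, as an added example that is not part of the original thread and is not ISA Server's own code: a minimal stateful filter that drops any TCP packet that neither belongs to a tracked session nor is an initial SYN, then counts the drops per source so that a host producing many of them stands out. The addresses, the packet list and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample traffic: (src, sport, dst, dport, flags)
PACKETS = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, SYN),        # normal handshake
    ("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),
    ("192.0.2.10", 40000, "198.51.100.5", 80, ACK),
    ("192.0.2.20", 40001, "198.51.100.5", 80, ACK),        # single stray packet
    ("203.0.113.7", 5000, "198.51.100.5", 80, ACK),        # repeated non-SYN openers
    ("203.0.113.7", 5001, "198.51.100.5", 80, FIN),
    ("203.0.113.7", 5002, "198.51.100.5", 80, FIN | ACK),
]

def filter_packets(packets):
    """Return (verdicts, drops_per_source).

    Simplification (assumption): every initial SYN is allowed, so only the
    session-state check is modelled, not the firewall's access rules.
    """
    sessions = set()
    drops = Counter()
    verdicts = []
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if key in sessions or reverse in sessions:
            verdicts.append("ALLOW")            # part of a tracked session
            if flags & RST:                     # reset tears the session down
                sessions.discard(key)
                sessions.discard(reverse)
        elif (flags & SYN) and not (flags & ACK):
            sessions.add(key)                   # a new session starts with a SYN
            verdicts.append("ALLOW")
        else:
            drops[src] += 1                     # no session and not a SYN
            verdicts.append("DROP_NOT_SYN")
    return verdicts, drops

def noisy_hosts(drops, threshold):
    """Sources with at least `threshold` non-SYN drops (threshold is hypothetical)."""
    return sorted(host for host, count in drops.items() if count >= threshold)

if __name__ == "__main__":
    verdicts, drops = filter_packets(PACKETS)
    for pkt, verdict in zip(PACKETS, verdicts):
        print(verdict, pkt)
    print("hosts worth following up:", noisy_hosts(drops, 3))
```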

