[84461] in North American Network Operators' Group


Re: Computer systems blamed for feeble hurricane response?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 13 16:42:23 2005

To: Joseph S D Yao <jsdy@center.osis.gov>
Cc: "william(at)elan.net" <william@elan.net>,
	Larry Smith <lesmith@ecsis.net>,
	Christian Kuhtz <kuhtzch@corp.earthlink.net>,
	Mike Tancsa <mike@sentex.net>, David Ulevitch <davidu@everydns.net>,
	"Steven M. Bellovin" <smb@cs.columbia.edu>,
	"Fergie (Paul Ferguson)" <fergdawg@netzero.net>, nanog@merit.edu,
	Steven Champeon <schampeo@hesketh.com>, root@ns2.fema.gov,
	"Hannigan, Martin" <hannigan@verisign.com>
In-Reply-To: Your message of "Tue, 13 Sep 2005 15:50:12 EDT."
             <20050913195012.GE16110@core.center.osis.gov> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 13 Sep 2005 16:35:47 -0400
Errors-To: owner-nanog@merit.edu



On Tue, 13 Sep 2005 15:50:12 EDT, Joseph S D Yao said:

> Oh, and also ... please consider that some firewalls try to discern
> whether the connection on port 25 is from a mail server or from Telnet.

OK, I'll bite.  A long time ago, I saw code that would trap the fact that many
telnet binaries would send option negotiation on ports other than 21.  What
are they keying off now? Since the host in question gave a 'Connection Refused',
it obviously made its decision based on the initial SYN packet.  So what are
they looking at?  TCP options? initial window? other?

16:25:37.240700 IP h80ad2467.async.vt.edu.43404 > listserv.vt.edu.smtp: S 1026334142:1026334142(0) win 5840 <mss 1460,sackOK,timestamp 3672334 0,nop,wscale 2>
16:25:57.420455 IP h80ad2467.async.vt.edu.45093 > listserv.vt.edu.smtp: S 1074086420:1074086420(0) win 5840 <mss 1460,sackOK,timestamp 3677379 0,nop,wscale 2>

One was a telnet connection, one was Sendmail.  Damned if I can tell.. ;)

Of course, a busticated firewall trying to tell the difference *would* explain why
they aren't accepting mail. :)

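Added example, not part of the original message: a small parser that compares the two tcpdump SYN lines quoted above, field by field, to show which values a SYN-time filter could actually see differ. The function names (`parse_syn`, `diff_syns`) and the split into "per_connection" and "stack" fields are assumptions made for this illustration.

```python
import re

# The two SYN lines quoted in the message above (tcpdump text output).
SYN_LINES = [
    "16:25:37.240700 IP h80ad2467.async.vt.edu.43404 > listserv.vt.edu.smtp: S 1026334142:1026334142(0) win 5840 <mss 1460,sackOK,timestamp 3672334 0,nop,wscale 2>",
    "16:25:57.420455 IP h80ad2467.async.vt.edu.45093 > listserv.vt.edu.smtp: S 1074086420:1074086420(0) win 5840 <mss 1460,sackOK,timestamp 3677379 0,nop,wscale 2>",
]

SYN_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"S (?P<isn>\d+):\d+\(0\) win (?P<win>\d+) <(?P<opts>[^>]*)>$"
)

def parse_syn(line):
    """Split one tcpdump SYN line into per-connection values and stack traits."""
    m = SYN_RE.match(line)
    if m is None:
        raise ValueError("not a tcpdump SYN line: %r" % line)
    options, tsval = [], None
    for opt in m["opts"].split(","):
        parts = opt.split()
        if parts[0] == "timestamp":
            tsval = int(parts[1])
            options.append("timestamp")  # TSval is a clock reading, not a stack trait
        else:
            options.append(opt)
    return {
        # Values that change on every connection from the same host.
        "per_connection": {"sport": int(m["sport"]), "isn": int(m["isn"]), "tsval": tsval},
        # Values set by the sending TCP stack; option order is kept because
        # passive fingerprinting treats it as significant.
        "stack": {"dport": m["dport"], "win": int(m["win"]), "options": tuple(options)},
    }

def diff_syns(a, b):
    """Return the names of the fields that differ between two parsed SYNs."""
    return [f"{group}.{key}"
            for group in ("per_connection", "stack")
            for key in a[group]
            if a[group][key] != b[group][key]]

if __name__ == "__main__":
    first, second = (parse_syn(line) for line in SYN_LINES)
    print("differing fields:", diff_syns(first, second))
    print("shared stack traits:", first["stack"])
```

Only the ephemeral source port, the initial sequence number and the timestamp value differ; window size and the option list are identical in both SYNs.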
