TBIT, the TCP Behavior Inference Tool: ECN
ECN:
- The problem is that some Internet hosts are not reachable from an ECN-Capable TCP client. See Problems with non-ECN-compatible equipment for more information.
- The test procedure for the response of web servers to ECN-capable clients, and the Sept. 13, 2000 results.
- Tests from Dec. 4, 2000, were run only once (and therefore were not fully verified) but gave essentially the same results, with 513 web servers responding to an ECN-setup SYN packet with a RST, and 1638 web servers not responding to an ECN-setup SYN packet. We would note that the tentative OS identifications for these web servers are from NMAP, and are not necessarily correct.
- The Sept. 11, 2000 results, based on a smaller list of servers.
- The April 30, 2001 results show that 332 of the 1699 web servers that had been unreachable from an ECN-Capable TCP client have now been fixed. (The rest of the servers that were unreachable in 2000 seem to no longer exist.)
- The March 2002 results include 203 addresses for which an ECN-setup SYN packet is followed by a RST, and 420 addresses for which ECN-setup SYN packets appear to be dropped.
- The fixes for Cisco PIX and Cisco Local Director. NMAP results tentatively (and not necessarily correctly) suggest that some of the other web servers exhibiting similar problems are running AIX 4.3.2.0-4.3.3.0, IRIX 6.2 - 6.5, Solaris 2.6 - 2.7, or Linux 2.1.122 - 2.2.14.
- Jamal Hadi-Salim reports that Raptor firewalls silently discard TCP SYN packets attempting to negotiate ECN-capability.
- Server ID tags for web servers returning RESET to a SYN negotiating ECN. Server ID tags for web servers failing to respond to a SYN negotiating ECN.
- One signature for the port scanner tool QUESO is that it sends a SYN packet with the last two Reserved bits in the TCP header set. These are the CWR and ECN-Echo flags used with ECN, and are set in a TCP SYN packet negotiating ECN. From the August 30 article on Intrusion Detection Level Analysis of Nmap and Queso: "[QUESO] is easy to identify, if you see [these two Reserved bits and the SYN bit] set in the 13th byte of the TCP header, you know that someone has malicious intentions for your network." This is unfortunate for ECN.
- Firewalls blocking TCP reserved flags: Data from May 9, 2001, shows that most of the web servers that block TCP SYN packets attempting to negotiate ECN-capability do not block SYN packets that use the other four reserved flags in the TCP header. (For the data, the first column gives the contents of the Reserved field in the SYN packet, and the results tell how many of the web servers, or their firewalls, responded with no answer, with a reset, or with a SYN/ACK as desired.)
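As an added example (not code from the TBIT page), the Python below decodes the TCP flags word that the QUESO signature is matched on, labels an RFC 3168 ECN-setup SYN or SYN/ACK, reports whether any of the other four Reserved bits are set, and buckets a reply to a probe the way the tables above do (no answer, reset, or SYN/ACK). The header builder and every packet in it are constructed for the demo; nothing is sent on the wire.

```python
import struct

# TCP control bits, numbered from the LSB of the 16-bit data-offset/reserved/flags
# word at header offset 12: RFC 793 FIN..URG, RFC 3168 ECE/CWR, RFC 3540 NS.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK",
              URG: "URG", ECE: "ECE", CWR: "CWR", NS: "NS"}
RESERVED_MASK = 0x0FC0                      # the six RFC 793 Reserved bits (6..11)
ECN_PAIR = ECE | CWR                        # the two Reserved bits ECN took over
OTHER_RESERVED = RESERVED_MASK & ~ECN_PAIR  # the "other four reserved flags"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options, checksum left zero) for the demo."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def classify_tcp(header):
    """Decode the flags word and say whether the segment is an RFC 3168 ECN-setup SYN."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    word = struct.unpack("!H", header[12:14])[0]
    syn, ack = bool(word & SYN), bool(word & ACK)
    ecn_bits = word & ECN_PAIR
    if syn and not ack and ecn_bits == ECN_PAIR:
        kind = "ecn-setup-syn"        # RFC 3168 6.1.1: SYN with ECE and CWR both set
    elif syn and ack and ecn_bits == ECE:
        kind = "ecn-setup-syn-ack"    # RFC 3168 6.1.1: SYN/ACK with ECE only
    elif syn:
        kind = "non-ecn-syn-ack" if ack else "non-ecn-syn"
    else:
        kind = "not-a-syn"
    return {
        "flags": [name for bit, name in FLAG_NAMES.items() if word & bit],
        "flags_byte": header[13],     # the byte the QUESO signature is matched on
        "ecn_setup": kind,
        "other_reserved_set": bool(word & OTHER_RESERVED),
    }


def probe_outcome(reply):
    """Bucket the reply to an ECN-setup SYN the way the TBIT tables do."""
    if reply is None:
        return "no-answer"
    word = struct.unpack("!H", reply[12:14])[0]
    if word & RST:
        return "reset"
    if word & SYN and word & ACK:
        return "syn-ack"
    return "other"
```

A SYN carrying only ECE and CWR is what an ECN-capable client legitimately sends, so a filter keyed on that byte pattern cannot tell it apart from the QUESO probe; the `other_reserved_set` field is what lets a rule target the undefined Reserved bits instead.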
Last modified: May 2004.