TBIT, the TCP Behavior Inference Tool: ECN
The problem is that some Internet hosts are not reachable from an ECN-Capable
TCP client. See Problems
with non-ECN-compatible equipment for more information.
The test procedure for the response of web servers
to ECN-capable clients, and the
Tests from Dec. 4, 2000, were run only once (and therefore were not fully
verified) but gave essentially the same results, with 513
web servers responding to an ECN-setup SYN packet with a RST, and
web servers not responding to an ECN-setup SYN packet. We would note
that the tentative OS identifications for these web servers are from NMAP,
and are not necessarily correct.
Sept. 11, 2000 results, based on a smaller list
The April 30, 2001
results show that 332 of the 1699 web servers that had been unreachable
from an ECN-Capable TCP client have now been fixed. (The rest of the servers
that were unreachable in 2000 seem to no longer exist.)
The March 2002
203 addresses for which an
ECN-setup SYN packet is followed by a RST, and 420
addresses for which ECN-setup SYN packets appear to be dropped.
The fixes for Cisco PIX and Cisco Local Director. NMAP results tentatively
(and not necessarily correctly) suggest that some of the other web servers
exhibiting similar problems are running AIX 184.108.40.206-220.127.116.11, IRIX 6.2 -
6.5, Solaris 2.6 - 2.7, or Linux 2.1.122 - 2.2.14.
Jamal Hadi-Salim reports that Raptor
firewalls silently discard TCP SYN packets attempting to negotiate
SRVER ID tags for web servers returning RESET
to a SYN negotiating ECN. SRVER ID tags
for web servers failing to respond to a SYN negotiating ECN.
One signature for the port scanner tool QUESO is that it sends a SYN packet
with the last two Reserved bits in the TCP header set. These are the CWR
and ECN-Echo flags used with ECN, and are set in a TCP SYN packet negotiating
ECN. From the August 30 article on
Detection Level Analysis of Nmap and Queso
"[QUESO] is easy to identify,
if you see [these two Reserved bits and the SYN bit] set in the 13th byte
of the TCP header, you know that someone has malicious intentions for your
network." This is unfortunate for ECN.
Firewalls blocking TCP reserved flags:
Data from May 9, 2001, shows that most
of the web servers that block TCP SYN packets attempting to negotiate ECN-capability
do not block SYN packets that use the other four reserved flags in the
TCP header. (For the data, the first column gives the contents of the Reserved
field in the SYN packet, and the results tell how many of the web servers,
or their firewalls, responded with no answer, with a reset, or with a SYN/ACK
Last modified: May 2004.