Check out the new USENIX Web site. next up previous
Next: ICMP Normalizations Up: Normalizations performed by norm Previous: UDP Normalizations

TCP Normalizations

# TCP Field Normalization Performed
1 Seq Num Enforce data consistency in retransmitted segments.
2 Seq Num Trim data to window.
3 Seq Num Cold-start: trim to keep-alive.
4 Ack Num Drop ACK above sequence hole.
5 SYN Remove data if SYN=1.
6 SYN If SYN=1 & RST=1, drop.
7 SYN If SYN=1 & FIN=1, clear FIN.
8 SYN If SYN=0 & ACK=0 & RST=0, drop.
9 RST Remove data if RST=1.
10 RST Make RST reliable.
11 RST Drop if not in window.$\dagger$
12 FIN If FIN=1 & ACK=0, drop.
13 PUSH If PUSH=1 & ACK=0, drop.
14 Header Len Drop if less than 5.
15 Header Len Drop if beyond end of packet.
16 Reserved Clear.
17 ECE, CWR Optionally clear.
18 ECE, CWR Clear if not negotiated.$\dagger$
19 Window Remove window withdrawals.
20 Checksum Verify, drop if incorrect.
21 URG,urgent Zero urgent if URG not set.
22 URG,urgent Zero if urgent > end of packet.
23 URG If URG=1 & ACK=0, drop.
24 MSS option If SYN=0, remove option.
25 MSS option Cache option, trim data to MSS.
26 WS option If SYN=0, remove option.
27 SACK pmt'd If SYN=0, remove option.
28 SACK opt Remove option if length invalid.$\dagger$
29 SACK opt Remove if left edge of SACK block > right edge.$\dagger$
30 SACK opt Remove if any block above highest seq. seen.$\dagger$
31 SACK opt Trim any block(s) overlapping or continguous to cumulative acknowledgement point.$\dagger$
32 T/TCP opts Remove if NIDS doesn't support.
33 T/TCP opts Remove if under attack.$\dagger$
34 TS option Remove from non-SYN if not negotiated in SYN.$\dagger$
35 TS option If packet fails PAWS test, drop.$\dagger$
36 TS option If echoed timestamp wasn't previously sent, drop.$\dagger$
37 MD5 option If MD5 used in SYN, drop non-SYN packets without it.$\dagger$
38 other opts Remove options.


next up previous
Next: ICMP Normalizations Up: Normalizations performed by norm Previous: UDP Normalizations
Vern Paxson
2001-05-22