beautypg.com

Tcpzerounusedack, Tcpzerounusedurg, Tcpopt_wsopt – D-Link DFL-2500 User Manual

Page 308: Tcpopt_sack, Tcpopt_tsopt, Tcpopt_altchkreq, Tcpopt_altchkdata

background image

Default: 7000 bytes

TCPZeroUnusedACK

Determines whether NetDefendOS should set the ACK sequence number field in TCP packets to
zero if it is not used. Some operating systems reveal sequence number information this way, which
can make it easier for intruders wanting to hijack established connections.

Default: Enabled

TCPZeroUnusedURG

Strips the URG pointers from all packets.

Default: Enabled

TCPOPT_WSOPT

Determines how NetDefendOS will handle window-scaling options. These are used to increase the
size of the windows used by TCP; that is to say, the amount of information that can be sent before
the sender expects ACK. They are also used by OS Fingerprinting. WSOPT is a common
occurrence in modern networks.

Default: ValidateLogBad

TCPOPT_SACK

Determines how NetDefendOS will handle selective acknowledgement options. These options are
used to ACK individual packets instead of entire series, which can increase the performance of
connections experiencing extensive packet loss. They are also used by OS Fingerprinting. SACK is
a common occurrence in modern networks.

Default: ValidateLogBad

TCPOPT_TSOPT

Determines how NetDefendOS will handle time stamp options. As stipulated by the PAWS (Protect
Against Wrapped Sequence numbers) method, TSOPT is used to prevent the sequence numbers (a
32-bit figure) from "exceeding" their upper limit without the recipient being aware of it. This is not
normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the
time it takes for a packet to travel to and from its destination. This information can then be used to
generate resends faster than is usually the case. It is also used by OS Fingerprinting. TSOPT is a
common occurrence in modern networks.

Default: ValidateLogBad

TCPOPT_ALTCHKREQ

Determines how NetDefendOS will handle alternate checksum request options. These options were
initially intended to be used in negotiating for the use of better checksums in TCP. However, these
are not understood by any today's standard systems. As NetDefendOS cannot understand checksum
algorithms other than the standard algorithm, these options can never be accepted. The
ALTCHKREQ option is normally never seen on modern networks.

Default: StripLog

TCPOPT_ALTCHKDATA

Determines how NetDefendOS will handle alternate checksum data options. These options are used

TCPZeroUnusedACK

Chapter 13. Advanced Settings

308