Date: Fri, 1 Jul 2005 13:01:05 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: BB <brent.bolin@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
Message-ID: <20050701110105.GS26761@insomnia.benzedrine.cx>
In-Reply-To: <787dcac205063007324170b6e4@mail.gmail.com>
References: <200506292155.j5TLt4cE008219@freefall.freebsd.org> <787dcac205063007324170b6e4@mail.gmail.com>
On Thu, Jun 30, 2005 at 09:32:27AM -0500, BB wrote:

> I assume without upgrading the mighty pf would handle this ?

Yes.

The unpatched vulnerability can be exploited (to stall a connection) by spoofing only four (4) small packets, by choosing random sequence and timestamp values and their integer opposites [1]. Hence, exploiting it is relatively cheap, quick, and reliable.

If you have pf in front of a peer, the attacker would have to successfully guess the proper sequence and acknowledgment numbers within small windows, which requires sending so many packets that it's considered unfeasible. If he could efficiently guess those numbers, he could simply RST the connection, or worse, inject payload, etc., anyway.

Of course, if the other peer is unprotected, the attacker would send his spoofs there, and achieve the same effect. But if both are protected, the vulnerability is not exploitable.

Daniel

[1] http://downloads.securityfocus.com/vulnerabilities/exploits/tcp_paws.c
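The point Daniel makes about windowed sequence/acknowledgment checks can be seen in a small model. The following is example code written for this page, not pf's implementation (pf's real state tracking in pf_test_state_tcp is more involved, with window scaling and separate seqlo/seqhi bounds); the `PeerState` and `Segment` types, the window arithmetic and the sample connection and segments are all constructed for the illustration. It shows why a segment carrying random sequence and ack values is dropped by a stateful filter, and how the expected cost of hitting both windows by chance grows to billions of packets, while legitimate traffic, including traffic across the 32-bit wraparound, still passes.

```python
"""Toy model of the per-connection sequence/acknowledgment window check that a
stateful filter applies to established TCP traffic.

Added illustration only: this is not pf's code, and the window sizes,
connection state and sample segments below are constructed for the example.
"""

from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence and ack numbers are 32-bit and wrap


def seq_in_window(value: int, lower: int, size: int) -> bool:
    """True if value lies in [lower, lower + size), computed modulo 2**32."""
    return (value - lower) % SEQ_SPACE < size


@dataclass
class PeerState:
    """Per-direction state the filter keeps (constructed simplification)."""
    next_seq: int  # next sequence number this peer is expected to send
    window: int    # receive window this peer has advertised, in bytes


@dataclass
class Segment:
    seq: int
    ack: int
    length: int  # payload bytes carried by the segment


def filter_accepts(seg: Segment, src: PeerState, dst: PeerState) -> bool:
    """Accept a segment from src to dst only if its sequence range fits the
    window dst advertised and its ack covers at most what dst has sent so far,
    reaching back no further than src's own advertised window."""
    seq_ok = (seq_in_window(seg.seq, src.next_seq, dst.window)
              and seq_in_window(seg.seq + seg.length, src.next_seq, dst.window + 1))
    ack_ok = seq_in_window(seg.ack, dst.next_seq - src.window, src.window + 1)
    return seq_ok and ack_ok


def expected_random_guesses(window: int) -> int:
    """Expected number of uniformly random 32-bit values before one lands in a
    window of the given size (floor of 2**32 / window)."""
    return SEQ_SPACE // window


def expected_random_segments(seq_window: int, ack_window: int) -> int:
    """Expected number of random (seq, ack) pairs before one passes both
    checks at once: the two windows are independent, so the costs multiply."""
    return SEQ_SPACE * SEQ_SPACE // (seq_window * ack_window)


if __name__ == "__main__":
    # Constructed connection: client -> server, both sides mid-stream.
    client = PeerState(next_seq=1_000_000, window=65_535)
    server = PeerState(next_seq=2_000_000, window=65_535)

    legit = Segment(seq=1_000_000, ack=2_000_000, length=100)
    overshoot_ack = Segment(seq=1_000_000, ack=2_000_001, length=100)  # acks unsent data
    random_spoof = Segment(seq=0xDEADBEEF, ack=0x0BADF00D, length=0)  # constructed values

    print("legitimate segment accepted:", filter_accepts(legit, client, server))
    print("ack beyond sent data accepted:", filter_accepts(overshoot_ack, client, server))
    print("random seq/ack accepted:", filter_accepts(random_spoof, client, server))
    print("expected guesses to hit one 64 KiB window:", expected_random_guesses(65_535))
    print("expected segments to hit both windows:", expected_random_segments(65_535, 65_536))
```

The same check explains the second half of the message: a segment that satisfies both window tests is indistinguishable from the real peer's traffic, so anyone who could produce one cheaply could reset or inject into the connection regardless of this advisory, and an unprotected peer on the far side accepts spoofed segments that never pass through the filter at all.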