Date: Fri, 11 Feb 2005 21:19:16 +0100
From: Andre Oppermann <oppermann@networx.ch>
To: "Li, Qing" <qing.li@bluecoat.com>
Cc: freebsd-current@freebsd.org
Subject: Re: known TCP vulnerability ??
Message-ID: <420D1344.9DAC70D0@networx.ch>
References: <00CDF9AA240E204FA6E923BD35BC64360879060E@bcs-mail.internal.cacheflow.com>

"Li, Qing" wrote:
>
> http://www.kb.cert.org/vuls/id/464113
>
> http://www.linuxsecurity.com/content/view/104980/98/
>
> Ran the packet tests against FreeBSD 5.3 and 6-CURRENT and both
> respond to the SYN+FIN packets with SYN+ACK.

This is expected behaviour because FreeBSD used to implement T/TCP
according to RFC1644. I haven't removed this part from TCP because
I have a better reincarnation of T/TCP without the previous shortcomings
almost ready which uses this again.

The CERT article describes how dumb firewalls with poor stateful
inspection may get fooled by this and other flag combinations. All I
can say is it's not our fault. The SYN+FIN combination is described
in RFC1644 and if the firewall gets it wrong... Well, the real world
sucks.

> Should I file a PR if there isn't one already ??

No action required here. What you could check is whether our firewall
packages in stateful mode (ipfw, pf, ipfilter) can be fooled by this.
I doubt it but if you can verify it, that would be great.

-- 
Andre

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?420D1344.9DAC70D0>
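
Added example, not part of the original message and not FreeBSD, ipfw, pf or ipfilter code: it parses constructed TCP headers and compares two ways a filter might decide that a segment opens a connection, showing that an exact-match test on the flag byte disagrees with a mask-based test only for SYN+FIN, the segment the stack above answers with SYN+ACK. The function names, the "exact" filter logic and the sample headers are assumptions made for illustration.

```python
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits (header byte 13)

def tcp_header(flags, sport=40000, dport=80, seq=1):
    """Constructed 20-byte TCP header, checksum left 0; sample input only."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | flags, 65535, 0, 0)

def tcp_flags(header):
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def is_open_exact(header):
    """Hypothetical weak filter logic: only a bare SYN opens a connection."""
    return tcp_flags(header) == SYN

def is_open_masked(header):
    """SYN set and ACK clear opens a connection, whatever else is set."""
    return (tcp_flags(header) & (SYN | ACK)) == SYN

def disagreements(samples):
    """Names of segments the two checks classify differently."""
    return [name for name, hdr in samples.items()
            if is_open_exact(hdr) != is_open_masked(hdr)]

# Constructed sample segments (not captured traffic).
SAMPLES = {
    "SYN": tcp_header(SYN),
    "SYN+FIN": tcp_header(SYN | FIN),
    "SYN+ACK": tcp_header(SYN | ACK),
    "ACK": tcp_header(ACK),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8} exact={is_open_exact(hdr)!s:5} "
              f"masked={is_open_masked(hdr)!s:5}")
    print("checks disagree on:", disagreements(SAMPLES))
```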