From: Peter Pentchev <roam@ringlet.net>
To: Mipam
Cc: freebsd-security@freebsd.org
Date: Fri, 23 Apr 2004 17:44:22 +0300
Subject: Re: use keep state(strict) to mitigate tcp issues?

On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> Hi,
>
> When deploying a BSD with IPF at the network perimeter
> and using rules like these:
>
> pass in .. proto tcp ... keep state(strict)
>
> it's possible to refuse tcp packets which arrive out of order.
> This would increase the difficulty doing blind attack resets and blind
> data injection attack, cause then you'd have to "guess" the exact expected
> number. Checkpoint has a similar feature (is that right?) which is
> described here as the answer to the mentioned attacks:
>
> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
>
> Although this is nice, there is also the risk of breaking
> connection because it's not unlikely that packets arrive out of order.
> At least, that's what I think, any thoughts upon this?

IMHO, in the world of multihomed ISP's, BGP and multipath routing, no,
it is definitely *not* unlikely that packets should arrive out of order.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
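The trade-off the thread describes, as an added illustration that is not part of the original message and not IPFilter's code: a constructed, simplified model of two inbound-TCP state checks, a window-based one and a strict one that accepts only the exact next sequence number, run over a legitimately reordered stream and over a blindly guessed RST. The segment sizes, window and sequence numbers are made up for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int            # sequence number carried by the segment
    length: int         # payload bytes (0 for a bare RST)
    rst: bool = False   # RST flag set


@dataclass
class StateEntry:
    expected_seq: int   # next sequence number the firewall expects from this peer
    window: int         # receive window the other side last advertised


def accept_loose(state: StateEntry, seg: Segment) -> bool:
    """Window-based check: any seq inside the advertised window is accepted."""
    return state.expected_seq <= seg.seq < state.expected_seq + state.window


def accept_strict(state: StateEntry, seg: Segment) -> bool:
    """Strict check (the keep state(strict) idea): only the exact next seq passes."""
    return seg.seq == state.expected_seq


def run_stream(policy, state: StateEntry, segments) -> list:
    """Run each segment through the policy; return one accept/drop flag per segment.

    Simplification (assumption, not IPFilter behaviour): expected_seq only advances
    when the in-order segment arrives, so a later-arriving earlier segment is judged
    against the unchanged expectation.
    """
    decisions = []
    for seg in segments:
        ok = policy(state, seg)
        decisions.append(ok)
        if ok and not seg.rst and seg.seq == state.expected_seq:
            state.expected_seq += seg.length
    return decisions


# Constructed traffic: three 1000-byte segments, the third one overtaking the second
# (as happens with multipath routing), plus a RST whose seq was guessed in-window.
REORDERED = [Segment(1000, 1000), Segment(3000, 1000), Segment(2000, 1000)]
GUESSED_RST = [Segment(4242, 0, rst=True)]

if __name__ == "__main__":
    for name, policy in (("loose", accept_loose), ("strict", accept_strict)):
        print(name, "reordered stream:", run_stream(policy, StateEntry(1000, 65535), REORDERED))
        print(name, "guessed RST:     ", run_stream(policy, StateEntry(2000, 65535), GUESSED_RST))
```

The strict policy drops the guessed RST but also drops the legitimate overtaking segment, which is the connection-breaking cost the reply points at; the loose policy keeps the stream intact at the price of an in-window guess being enough.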