Date:      Fri, 23 Apr 2004 17:44:22 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        Mipam <mipam@ibb.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: use keep state(strict) to mitigate tcp issues?
Message-ID:  <20040423144422.GD961@straylight.m.ringlet.net>
In-Reply-To: <Pine.LNX.4.33.0404231502170.611-100000@ux1.ibb.net>
References:  <Pine.LNX.4.33.0404231502170.611-100000@ux1.ibb.net>


On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> Hi,
> 
> When deploying a BSD with IPF at the network perimeter
> and using rules like these:
> 
> pass in .. proto tcp ... keep state(strict)
> 
> it's possible to refuse tcp packets which arrive out of order.
> This would increase the difficulty of doing blind attack resets and blind
> data injection attacks, cause then you'd have to "guess" the exact expected
> number. Checkpoint has a similar feature (is that right?) which is
> described here as the answer to the mentioned attacks:
> 
> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
> 
> Although this is nice, there is also the risk of breaking
> connections because it's not unlikely that packets arrive out of order.
> At least, that's what I think, any thoughts upon this?

IMHO, in the world of multihomed ISPs, BGP and multipath routing, no,
it is definitely *not* unlikely that packets should arrive out of order.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?

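The trade-off the thread is about (strict in-order sequence checking raises the cost of a blind RST or data-injection attack, but drops legitimately reordered segments) can be shown with a small model of the sequence check a stateful filter applies to an established TCP connection. The following is an added example for this thread, not code from ipf, Checkpoint, or either poster; the window-mode check is a simplification of how real filters track windows, and the window size (65536), the sequence numbers and the attacker's guessing loop are assumptions made for the demo.

```python
"""
Toy model of the sequence-number check a stateful packet filter applies to
an established TCP connection, in two modes:

  window : pass any segment whose sequence number falls within one receive
           window on either side of the highest sequence number seen so far
           (loose state tracking: retransmissions and reordering both pass)
  strict : pass only the segment whose sequence number is exactly the next
           byte expected, the behaviour ipf's keep state(strict) is asked about

Added illustration, not ipf code. The window-mode check is a simplification
of real window tracking; window size, sequence numbers and the attacker's
strategy below are assumptions for the demo.
"""

MOD = 2 ** 32          # TCP sequence numbers wrap modulo 2^32


def seq_after(a, b):
    """Distance from b forward to a in sequence space, modulo 2^32."""
    return (a - b) % MOD


class TcpState:
    def __init__(self, expected, window, strict):
        self.expected = expected   # next in-order byte (strict) / high-water mark (window)
        self.window = window
        self.strict = strict

    def accept(self, seq, length=0, rst=False):
        """Return True if the filter would pass this segment; advance state on data."""
        if self.strict:
            ok = seq == self.expected
        else:
            lo = (self.expected - self.window) % MOD
            ok = seq_after(seq, lo) < 2 * self.window
        # a RST carries no data; in window mode only segments at or ahead of
        # the high-water mark move it forward
        if ok and not rst and (self.strict or seq_after(seq, self.expected) < self.window):
            self.expected = (seq + length) % MOD
        return ok


def reordered_delivery(strict, window=65536):
    """Two back-to-back 100-byte segments from the peer arrive swapped
    (constructed input). Returns the accept decisions in arrival order."""
    st = TcpState(expected=1000, window=window, strict=strict)
    arrivals = [(1100, 100), (1000, 100)]    # second segment overtook the first
    return [st.accept(seq, length) for seq, length in arrivals]


def blind_rst_attempts(strict, true_expected=123456789, window=65536, max_tries=200_000):
    """A blind attacker knows addresses and ports but not the sequence number
    and sends RSTs with guessed values. In window mode any guess inside the
    2*window acceptance range wins, so the attacker strides by 2*window; in
    strict mode only the exact value works, so every value must be tried.
    Returns the number of RSTs sent before one is accepted, or None if the
    cap on tries is reached first."""
    st = TcpState(expected=true_expected, window=window, strict=strict)
    stride = 1 if strict else 2 * window
    for i, guess in enumerate(range(0, MOD, stride), start=1):
        if i > max_tries:
            return None
        if st.accept(guess, rst=True):
            return i
    return None


def worst_case_attempts(strict, window=65536):
    """Upper bound on RSTs a blind attacker needs to sweep the whole space."""
    stride = 1 if strict else 2 * window
    return -(-MOD // stride)     # ceiling division


if __name__ == "__main__":
    for strict in (False, True):
        mode = "strict" if strict else "window"
        print(mode, "mode: reordered segments passed:", reordered_delivery(strict))
        print(mode, "mode: blind RST accepted after", blind_rst_attempts(strict),
              "tries (worst case", worst_case_attempts(strict), ")")
```

In window mode the swapped segments both pass and a blind RST lands after a few thousand guesses; in strict mode the overtaking segment is dropped and must be retransmitted, while the attacker gets nowhere within the try cap and would in the worst case need the full 2^32 guesses. Both halves of the thread's trade-off are visible in the same run.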



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040423144422.GD961>