Date: Mon, 1 Mar 2004 18:32:14 -0800
From: "J.T. Davies" <jtd@hostthecoast.org>
To: <freebsd-ipfw@freebsd.org>
Subject: Re: TCP established flag & ipfw rule
Message-ID: <001a01c3fffe$93257ef0$3301020a@hostthecaost.org>
References: <200403020118.MAA18408@lightning.itga.com.au>
> jtd@hostthecoast.org said:
> > To clarify, instead of "EST" in my original post, replace with "ACK".
> > Could some unscrupulous person add the "ACK" flag to the TCP packets
> > and be accepted by this rule (even though they may not technically be
> > "ACK")?
>
> They could. But this is not as damaging as you think, because once the
> malicious packet is passed by ipfw and gets to the destination machine, the
> dest machine will try and look up the internal state (i.e. seq numbers, window
> sizes, RTT estimates etc) for this supposed TCP connection. It will
> presumably not have a TCP connection with the matching ip address/portnumbers,
> so all this will do is cause the "attacked" machine to send an RST and discard
> the malicious packet. It won't magically make a connection appear in the
> target machine. The only way to initiate a TCP connection is with a SYN
> packet, and they don't get passed by the "established" rule.
>
> So this is a possible denial-of-service (forcing the internal machine to
> consider and RST random attacking packets), but not a security failure as
> such.

Excellent! Thank you all who responded!
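The mechanism the reply above describes, as a constructed Python model added to this archive page (it is not code from the thread, from ipfw, or from the FreeBSD TCP stack). The filter side follows the ipfw(8) definitions: "established" matches any TCP packet with RST or ACK set and consults no state, while "setup" matches SYN without ACK. The host side is a toy endpoint whose only job is the connection-table lookup the reply talks about: a packet for an unknown connection that is not itself a RST gets a RST back and is discarded, and a connection only comes into being through a SYN to a listening port. The ruleset, the addresses, the port numbers and the `Host` class are all assumptions made for the example.

```python
# Constructed model of an ipfw "established"/"setup" ruleset in front of a
# host's TCP connection table. Not ipfw's or the kernel's real code.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# TCP header flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def ipfw_established(pkt: Packet) -> bool:
    """ipfw(8) 'established': TCP packets with RST or ACK set.
    Stateless: the firewall never looks at a connection table."""
    return bool(pkt.flags & (RST | ACK))


def ipfw_setup(pkt: Packet) -> bool:
    """ipfw(8) 'setup': SYN set and ACK clear, i.e. a connection open."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def firewall_decision(pkt: Packet, setup_ports: Tuple[int, ...] = (22, 80)) -> str:
    """Assumed ruleset in the spirit of the thread:
         allow tcp from any to any established
         allow tcp from any to me 22,80 setup
         deny  tcp from any to any
    """
    if ipfw_established(pkt):
        return "allow (established)"
    if ipfw_setup(pkt) and pkt.dport in setup_ports:
        return "allow (setup)"
    return "deny"


@dataclass
class Host:
    """Toy TCP endpoint: listening ports plus a table of live connections,
    keyed by (local port, peer address, peer port)."""
    listening: Set[int] = field(default_factory=set)
    connections: Set[Tuple[int, str, int]] = field(default_factory=set)

    def receive(self, pkt: Packet) -> str:
        key = (pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            # Only here would sequence/window checks apply; the forged ACK
            # never reaches this branch because no such connection exists.
            return "deliver to existing connection"
        if ipfw_setup(pkt) and pkt.dport in self.listening:
            self.connections.add(key)          # SYN creates state
            return "SYN-RCVD: connection created"
        if pkt.flags & RST:
            return "discard (RST to unknown connection)"
        # RFC 793: a non-RST segment for a socket that does not exist is
        # answered with RST and dropped. No state is created.
        return "send RST, discard"


def trace(pkt: Packet, host: Host) -> Tuple[str, Optional[str]]:
    """Run one packet through the firewall and, if passed, the host."""
    decision = firewall_decision(pkt)
    if decision == "deny":
        return decision, None
    return decision, host.receive(pkt)


if __name__ == "__main__":
    # Constructed sample traffic: 203.0.113.9 is the outside party,
    # 192.0.2.10 the protected host, which listens only on port 80.
    host = Host(listening={80})
    forged_ack = Packet("203.0.113.9", 40000, "192.0.2.10", 12345, ACK)
    bare_syn = Packet("203.0.113.9", 40001, "192.0.2.10", 12345, SYN)
    real_open = Packet("203.0.113.9", 40002, "192.0.2.10", 80, SYN)
    real_ack = Packet("203.0.113.9", 40002, "192.0.2.10", 80, ACK)
    for p in (forged_ack, bare_syn, real_open, real_ack):
        print(p.flags, p.dport, trace(p, host))
```

The forged ACK-only packet is the case the original poster worried about: `firewall_decision` passes it because the rule is stateless, but `Host.receive` finds no matching entry and answers with a RST without creating state, which is the reply's point that the cost is a wasted RST rather than a connection. ipfw's stateful keywords (`keep-state` on the `setup` rule and a `check-state` rule ahead of the `established` rule) move that table lookup into the firewall itself, so packets claiming a connection the firewall never saw opened are dropped before they reach the host.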