[fw-wiz] Post connection SYN

From: Raghuveer (raghub_at_intotoinc.com)
Date: 10/17/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 17 Oct 2003 14:13:02 +0530
    
    

    Hi,
    I would like to know how an SPI firewall/IDS would handle the following
    scenario.

    Setup:
    A server, Public-Server1, is hosted behind a firewall/IDS capable of
    detecting a post-connection SYN attack. A remote PC on the Internet,
    Remote-Client2, connects to Public-Server1 on TCP port 80 (and source port
    TCP 1024).

    Details:
    Upon establishment of the connection, Remote-Client2 gets rebooted without a
    normal shutdown and then starts a fresh connection to Public-Server1. This
    time it so happens that the new connection is generated with the same
    selector information (Src IP, Dst IP, SPrt, DPrt & protocol). This
    connection request (SYN) would be treated by the firewall device as a
    post-connection SYN attack, and the device might drop the connection
    request. The client is not aware of this and keeps trying until the
    request times out.
    There are certain protocols that might work on fixed source & destination
    ports. In such cases, the chances of the firewall/IDS detecting the
    connection request as a post-connection SYN could be quite high.
    How can SPI firewalls/IDS in general handle such genuine scenarios while at
    the same time avoiding potential attacks?

    - B. Raghuveer.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
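
The scenario in the message above, replayed against a toy strict state table. This is an added example, not part of the original post and not any product's code. The documentation-range addresses, the 3600-second idle timeout and the client-side-only handshake (SYN, then ACK) are assumptions made for illustration.

```python
from collections import namedtuple

# Selector from the post: Src IP, Dst IP, SPrt, DPrt & protocol.
Selector = namedtuple("Selector", "src_ip dst_ip sport dport proto")

class StrictTracker:
    """Toy stateful inspector: a SYN on a live ESTABLISHED entry is dropped."""

    def __init__(self, idle_timeout=3600):    # assumed timeout, in seconds
        self.idle_timeout = idle_timeout
        self.table = {}                       # Selector -> [state, last_seen]

    def packet(self, now, key, flags):
        entry = self.table.get(key)
        if entry and now - entry[1] > self.idle_timeout:
            del self.table[key]               # stale state has aged out
            entry = None
        if flags == "SYN":
            if entry and entry[0] == "ESTABLISHED":
                # Dropped packets do not refresh last_seen, so the stale
                # entry keeps ageing while the client retries.
                return "DROP post-connection SYN"
            self.table[key] = ["SYN_SEEN", now]
            return "ACCEPT new"
        if flags == "ACK" and entry:
            entry[0], entry[1] = "ESTABLISHED", now
            return "ACCEPT established"
        return "DROP no state"

def replay():
    """Constructed timeline: Remote-Client2 connects, reboots, reconnects."""
    fw = StrictTracker(idle_timeout=3600)
    old = Selector("198.51.100.2", "203.0.113.1", 1024, 80, "tcp")
    other_port = old._replace(sport=1025)
    events = [
        (0, old, "SYN"), (1, old, "ACK"),     # first connection is set up
        (60, old, "SYN"),                     # after reboot: same selector
        (63, old, "SYN"), (69, old, "SYN"),   # client retransmits its SYN
        (70, other_port, "SYN"),              # a different source port is fine
        (3700, old, "SYN"),                   # stale entry expired by now
    ]
    return [fw.packet(t, key, flags) for t, key, flags in events]

if __name__ == "__main__":
    for verdict in replay():
        print(verdict)
```

In this model the rebooted client stays locked out on that selector until the stale entry's idle timer runs out, which is why fixed source and destination ports make the problem more likely to be seen.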

