[fw-wiz] Post connection SYN

From: Raghuveer (raghub_at_intotoinc.com)
Date: 10/17/03

  • Next message: ark_at_eltex.ru: "Re: [fw-wiz] SYN flood protection"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 17 Oct 2003 14:13:02 +0530
    
    

    Hi,
    I would like to know how SPI-firewall/IDS would handle the following
    scenario.

    Setup:
    A server, Public-Server1, is hosted behind a firewall/IDS capable of
    detecting post-connection SYN attack. A remote PC in the Internet,
    Remote-Client2, connects to Public-Server1 on TCP port 80 (and source port
    TCP1024).

    Details:
    Upon establishment of connection, Remote-Client2 gets rebooted without a
    normal shutdown and then starts a fresh connection to Public-Server1. This
    time it so happens that the new connection is generated with the same
    selector information (Src IP, DstIp, SPrt, Dprt & protocol). This
    connection request (SYNC) would be treated by the firewall device as post
    connection SYN attack and might drop the connection request. The client is
    not aware of this and keeps trying until the request times out.
    There are certain protocols that might work on fixed source & destination
    ports. In such cases, the chances of firewall/IDS detecting the connection
    request as post connection SYN could be quite high.
    How can SPI-firewalls/IDS in general handle such genuine scenarios at the
    same time avoid potential attacks?

    - B. Raghuveer.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: ark_at_eltex.ru: "Re: [fw-wiz] SYN flood protection"