[fw-wiz] Post connection SYN
From: Raghuveer (raghub_at_intotoinc.com)
To: firstname.lastname@example.org Date: Fri, 17 Oct 2003 14:13:02 +0530
I would like to know how SPI-firewall/IDS would handle the following
A server, Public-Server1, is hosted behind a firewall/IDS capable of
detecting post-connection SYN attack. A remote PC in the Internet,
Remote-Client2, connects to Public-Server1 on TCP port 80 (and source port
Upon establishment of connection, Remote-Client2 gets rebooted without a
normal shutdown and then starts a fresh connection to Public-Server1. This
time it so happens that the new connection is generated with the same
selector information (Src IP, DstIp, SPrt, Dprt & protocol). This
connection request (SYNC) would be treated by the firewall device as post
connection SYN attack and might drop the connection request. The client is
not aware of this and keeps trying until the request times out.
There are certain protocols that might work on fixed source & destination
ports. In such cases, the chances of firewall/IDS detecting the connection
request as post connection SYN could be quite high.
How can SPI-firewalls/IDS in general handle such genuine scenarios at the
same time avoid potential attacks?
- B. Raghuveer.
firewall-wizards mailing list