Re: [fw-wiz] Post connection SYN

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 10/17/03

  • Next message: Paul Robertson: "Re: [fw-wiz] Post connection SYN"
    To: Raghuveer <raghub@intotoinc.com>
    Date: Fri, 17 Oct 2003 15:45:12 +0200
    
    

    Raghuveer wrote:
    >
    > Hi,
    > I would like to know how SPI-firewall/IDS would handle the following
    > scenario.
    >
    > [connect from A:x -> B:y, restart A, connect again, same tuples]

    Firewalls that track TCP state and/or sequence numbers will drop
    or reject the second connect attempt.

    Think that's bad? Well, somewhat, but even if the firewall _could_
    somehow magically determine that this is a "nice" SYN and let it
    through, it wouldn't make one bit of difference.

    The fact is, B's TCP stack won't listen to such packets either.
    It'll reject those SYNs. This is why fixed source-port TCP-based
    protocols are a Bad Idea.

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
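The reply above describes what a state-tracking firewall does with a SYN that reuses a 4-tuple it already considers live. The following is an added example, not code from the original post or from Clavister: a minimal connection tracker that walks the three-way handshake, then sees a fresh SYN from the rebooted client. Addresses, ports and flag sets are constructed sample values. The tracker also tears an entry down when either side sends a RST, which goes slightly beyond the post; that behaviour is an assumption modelled on common stateful implementations, not something the reply states.

```python
# Added example (not part of the original post): a toy stateful TCP tracker
# showing why a post-connection SYN on the same 4-tuple is dropped, while a
# SYN from a fresh ephemeral port (a new tuple) is accepted.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class State(Enum):
    SYN_SENT = "SYN_SENT"        # client SYN seen
    SYN_RECV = "SYN_RECV"        # server SYN/ACK seen
    ESTABLISHED = "ESTABLISHED"  # client ACK completed the handshake


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


Key = Tuple[str, int, str, int]  # (client, cport, server, sport)


class ConnTracker:
    """Keys entries by the client-side tuple; server packets are looked up reversed."""

    def __init__(self) -> None:
        self.table: Dict[Key, State] = {}

    @staticmethod
    def _key(pkt: Packet, reverse: bool = False) -> Key:
        if reverse:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def handle(self, pkt: Packet) -> str:
        fwd, rev = self._key(pkt), self._key(pkt, reverse=True)
        state: Optional[State] = self.table.get(fwd) or self.table.get(rev)

        if "RST" in pkt.flags:
            # Assumed behaviour: either side aborting removes the entry.
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
            return "ACCEPT"

        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if state is not None:
                # The scenario from the post: a SYN for a tuple we believe is live.
                return "DROP"
            self.table[fwd] = State.SYN_SENT
            return "ACCEPT"

        if "SYN" in pkt.flags and "ACK" in pkt.flags:
            if self.table.get(rev) == State.SYN_SENT:
                self.table[rev] = State.SYN_RECV
                return "ACCEPT"
            return "DROP"

        if "ACK" in pkt.flags:
            if self.table.get(fwd) == State.SYN_RECV:
                self.table[fwd] = State.ESTABLISHED
            return "ACCEPT" if state is not None else "DROP"

        return "DROP"


A, B = "10.0.0.1", "10.0.0.2"   # constructed: client A, server B
X, Y = 40000, 22                # constructed: client port x, server port y


def _handshake(ct: ConnTracker) -> List[str]:
    return [
        ct.handle(Packet(A, X, B, Y, frozenset({"SYN"}))),
        ct.handle(Packet(B, Y, A, X, frozenset({"SYN", "ACK"}))),
        ct.handle(Packet(A, X, B, Y, frozenset({"ACK"}))),
    ]


def replay_scenario(reuse_source_port: bool) -> List[str]:
    """Handshake A:x -> B:y, then A 'reboots' and sends a new SYN, either from
    the same fixed port x (the post's scenario) or from a fresh ephemeral port."""
    ct = ConnTracker()
    verdicts = _handshake(ct)
    new_port = X if reuse_source_port else X + 1
    verdicts.append(ct.handle(Packet(A, new_port, B, Y, frozenset({"SYN"}))))
    return verdicts


def reset_then_reconnect() -> List[str]:
    """Same handshake, but B aborts with a RST before A retries on the same port."""
    ct = ConnTracker()
    verdicts = _handshake(ct)
    verdicts.append(ct.handle(Packet(B, Y, A, X, frozenset({"RST"}))))
    verdicts.append(ct.handle(Packet(A, X, B, Y, frozenset({"SYN"}))))
    return verdicts


if __name__ == "__main__":
    print("fixed source port:", replay_scenario(True))    # last verdict is DROP
    print("fresh source port:", replay_scenario(False))   # all ACCEPT
    print("after RST:        ", reset_then_reconnect())   # all ACCEPT
```

With a fixed source port the fourth packet collides with the tracked tuple and is dropped, which is exactly the behaviour the reply predicts; a client that picks a new ephemeral port after the restart never collides, which is the practical reason for avoiding fixed-source-port TCP protocols.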
    
