[fw-wiz] TCP DoS attack

• Previous message: Hughes, Chris: "RE: [fw-wiz] Pass-through VPN"
• Next in thread: gmx: "Re: [fw-wiz] TCP DoS attack"
• Reply: gmx: "Re: [fw-wiz] TCP DoS attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <firewall-wizards@honor.icsalabs.com>
Date: Mon, 25 Oct 2004 23:20:15 +0530 (IST)

Hi,
One of my colleagues is testing a firewall product. He has written up a one
program which disconnects the TCP connection. This is the following setup.

PC (TCPClient)----------Firewall-----------------------------PC(Server)
                                                            |
                                                            |
                                                       Compromised Device

Test program does following.
- Reads the packets on the wire
- If it is TCP SYN packet, it immediately send TCP packet with SYN
with its own Initial sequence number and ACK with client sequence number.

Behavior on PC(TCP Client):
- It is observed that, actual TCP connection to the server succeeds
only 30 to 40% of the time.

We feel that, if SYN+ACK packet from Server goes first, then the connection
get established.

For this attack to succeed, the attacker should be able to see the traffic.
How real is this threat?
We tried to convince ourselves that, this is not realistic threat in the
sense that all devices would be protected in the path. If this is the case,
what is the need for IPSec, which indicates that it is needed to protect
traffic?

Comments?
I guess, firewalls in between can't do much from these kind of DoS attacks.
It might, at maximum, can detect some anomaly.
What could be the solution? IPSec between Client and Server OR firewall and
Server network?

Thanks
Ravi

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Hughes, Chris: "RE: [fw-wiz] Pass-through VPN"
• Next in thread: gmx: "Re: [fw-wiz] TCP DoS attack"
• Reply: gmx: "Re: [fw-wiz] TCP DoS attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Presentation: Bypassing client application protection techniques with notepad ... Bypassing client application protection techniques ... Kerio Personal Firewall 4.0 ... Last years were revolutionary for network services infrastructure ... (NT-Bugtraq) Presentation: Bypassing client application protection techniques with notepad ... Bypassing client application protection techniques ... Kerio Personal Firewall 4.0 ... Last years were revolutionary for network services infrastructure ... (Bugtraq) [Full-Disclosure] Presentation: Bypassing client application protection techniques with notepad ... Bypassing client application protection techniques ... Kerio Personal Firewall 4.0 ... Last years were revolutionary for network services infrastructure ... (Full-Disclosure) RE: Force use of ISA Firewall Client ... the Firewall client automatically sends user credentials ... or the user account must be mirrored on the ISA 2004 firewall. ... But if you visit Websites or FTP, the web proxy has improved performance. ... (microsoft.public.windows.server.sbs) RE: SBS Premium, Secure Banking site, certificate = no joy ... firewall client installed cannot access a specific banking web site. ... settings and create the ISA rules. ... 825763 How to configure Internet access in Windows Small Business Server ... On the ISA Server computer, stop the Microsoft Firewall service. ... (microsoft.public.windows.server.sbs)