Re: [fw-wiz] Strange Pix behavior.
From: Martin Mačok (martin.macok_at_underground.cz)
Date: 06/18/05
- Previous message: Vin McLellan: "[fw-wiz] Re: Transitive Trust: 40 million credit cards hack'd"
- In reply to: Jim MacLeod: "Re: [fw-wiz] Strange Pix behavior."
- Next in thread: Jim MacLeod: "Re: [fw-wiz] Strange Pix behavior."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Firewall Wizards List' <firewall-wizards@honor.icsalabs.com>
Date: Sat, 18 Jun 2005 19:16:20 +0200
On Thu, Jun 16, 2005 at 01:00:20AM -0700, Jim MacLeod wrote:
> It's invalid to ACK a RST, and would provoke yet another RST.
No, it's not invalid (in some scenarios). Yes, it would provoke yet
another RST.
ACKing RST is one of the countermeasures against recently debated TCP
weakness (sequence number approximation bug) where the attacker spoofs
RST packets and breaks (usually long-lived) established connections
(like BGP).
IIRC you can ACK the RST packet when it does not fit exactly into TCP
sequence but somewhere inside the (TCP) window. The provoked next RST
reply should fit exactly into sequence so this time you know the RST
was not spoofed.
(Just a side-note, sorry for the noise)
Martin Mačok
ICT Security Consultant
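The RST-handling rule Martin describes (accept an in-sequence RST, answer an in-window but not in-sequence RST with an ACK, drop the rest; later standardised in RFC 5961 section 3.2), as an added example that is not part of the original post. The Connection record, the function names and the sample sequence numbers are constructed for illustration.

```python
# Added example, not from the original post: a model of the RST-validation
# rule discussed in the thread. Connection fields and values are constructed.
from dataclasses import dataclass

SEQ_MOD = 2**32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Connection:
    rcv_nxt: int  # next sequence number we expect from the peer
    rcv_wnd: int  # our advertised receive window
    snd_nxt: int  # next sequence number we will send

    def in_window(self, seq: int) -> bool:
        """True when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
        return (seq - self.rcv_nxt) % SEQ_MOD < self.rcv_wnd


def handle_rst(conn: Connection, seq: int) -> str:
    """Classify an incoming RST by its sequence number.

    exactly rcv_nxt         -> 'reset'     (accept, tear the connection down)
    elsewhere in the window -> 'challenge' (send an ACK, keep the connection)
    outside the window      -> 'drop'      (discard silently)
    """
    if seq == conn.rcv_nxt:
        return "reset"
    if conn.in_window(seq):
        return "challenge"
    return "drop"


def challenge_ack(conn: Connection) -> dict:
    """The pure ACK sent in reply to an in-window but not in-sequence RST."""
    return {"flags": "ACK", "seq": conn.snd_nxt, "ack": conn.rcv_nxt}


def peer_rst_for(ack_segment: dict) -> int:
    """Sequence number a peer that really has no connection puts in its RST.

    RFC 793: an RST answering a segment that carries ACK is sent with
    SEQ = SEG.ACK, so it lands exactly on our rcv_nxt and is then accepted.
    A spoofed in-window RST only triggers the challenge ACK; the real peer,
    whose connection is still open, treats that as a duplicate ACK and sends
    nothing, so the connection survives.
    """
    return ack_segment["ack"]


def demo() -> dict:
    conn = Connection(rcv_nxt=1_000_000, rcv_wnd=65_535, snd_nxt=2_000_000)
    spoofed = handle_rst(conn, 1_020_000)  # forged RST, guessed inside the window
    genuine = handle_rst(conn, peer_rst_for(challenge_ack(conn)))  # peer really gone
    return {"spoofed": spoofed, "genuine": genuine}
```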
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards