use keep state(strict) to mitigate tcp issues?
From: Mipam (mipam_at_ibb.net)
Date: Fri, 23 Apr 2004 15:17:32 +0200 (MET DST) To: <firstname.lastname@example.org>
When deploying a BSD with IPF in at the network perimeter
and using rules like these:
pass in .. proto tcp ... keep state(strict)
it's possible to refuse tcp packets which arrive out of order.
This would increase the difficulty doing blind attack resets and blind
data injection attack, cause then you'd have to "guess" the exact expected
number. Checpoint has a similar feature (is that right?) which is
described here as the answer to the mentioned attacks:
Allthough this is nice, there is also the risk of breaking
connection because it's not unlikely that packets arrive out of order.
At least, that's what i think, any thoughts upon this?
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"