Re: use keep state(strict) to mitigate tcp issues?

From: Peter Pentchev (roam_at_ringlet.net)
Date: 04/23/04

  • Next message: Darren Reed: "Re: use keep state(strict) to mitigate tcp issues?"

    Date: Fri, 23 Apr 2004 17:44:22 +0300
    To: Mipam <mipam@ibb.net>

    On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
    > Hi,
    >
    > When deploying a BSD with IPF at the network perimeter
    > and using rules like these:
    >
    > pass in .. proto tcp ... keep state(strict)
    >
    > it's possible to refuse tcp packets which arrive out of order.
    > This would increase the difficulty doing blind attack resets and blind
    > data injection attack, cause then you'd have to "guess" the exact expected
    > number. Checkpoint has a similar feature (is that right?) which is
    > described here as the answer to the mentioned attacks:
    >
    > http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
    >
    > Although this is nice, there is also the risk of breaking
    > connections because it's not unlikely that packets arrive out of order.
    > At least, that's what I think, any thoughts upon this?

    IMHO, in the world of multihomed ISPs, BGP and multipath routing, no,
    it is definitely *not* unlikely that packets should arrive out of order.

    G'luck,
    Peter

    -- 
    Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    If I were you, who would be reading this sentence?
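The trade-off the two messages above describe, as an added worked example (not code from the thread, from IPF, or from Checkpoint): a toy model of a stateful TCP filter that tracks one flow and applies either the classic in-window acceptance check (RFC 793 style) or a strict check that accepts only the exact next expected sequence number, which is how the question characterises keep state(strict). The flow state, the reordered segments and the attacker's RST spray are constructed sample data; the exact semantics of IPF's strict mode are assumed to be "exact next sequence number", which is the question's description, not a claim about the IPF source.

```python
"""Toy model of stateful TCP sequence checking: in-window vs strict.

Added example for the keep state(strict) discussion. The flow state and
segments below are constructed, not captured traffic.
"""

from dataclasses import dataclass

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


@dataclass
class Segment:
    seq: int
    length: int = 0      # payload bytes; RST/ACK-only segments carry none
    rst: bool = False


@dataclass
class FlowState:
    next_expected: int   # RCV.NXT: next in-order byte expected from the peer
    window: int          # RCV.WND: bytes accepted beyond RCV.NXT
    reset: bool = False


def _between(lo, x, hi):
    """True if x lies in [lo, hi) on the 32-bit sequence circle."""
    return (x - lo) % SEQ_SPACE < (hi - lo) % SEQ_SPACE


def in_window(state, seg):
    """Classic check: acceptable if the segment's first or last byte falls
    inside the receive window [RCV.NXT, RCV.NXT + RCV.WND)."""
    lo = state.next_expected
    hi = lo + state.window
    first = seg.seq
    last = seg.seq + max(seg.length, 1) - 1
    return _between(lo, first, hi) or _between(lo, last, hi)


def strict(state, seg):
    """Strict check (assumed keep state(strict) semantics): only the exact
    next expected sequence number is acceptable."""
    return seg.seq % SEQ_SPACE == state.next_expected


def deliver(state, segments, policy):
    """Run segments through the filter under `policy`. Returns the verdict
    per segment and advances the tracked state the way a tracker would:
    only in-order data moves RCV.NXT (out-of-order data that passes the
    in-window check is left for the end host to buffer)."""
    verdicts = []
    for seg in segments:
        if not policy(state, seg):
            verdicts.append("drop")
            continue
        verdicts.append("pass")
        if seg.rst:
            state.reset = True
        elif seg.seq % SEQ_SPACE == state.next_expected:
            state.next_expected = (state.next_expected + seg.length) % SEQ_SPACE
    return verdicts


def reorder_demo(policy):
    """Legitimate reordering: data segments A (seq 1000, 100 bytes) and
    B (seq 1100, 100 bytes) arrive swapped, then B is retransmitted."""
    state = FlowState(next_expected=1000, window=65535)
    segs = [Segment(1100, 100), Segment(1000, 100), Segment(1100, 100)]
    return deliver(state, segs, policy)


def rst_guesses_needed(window, policy_name):
    """Worst-case RSTs a blind attacker must send to be sure one is accepted:
    one per window under the in-window check, one per sequence number under
    the strict check."""
    if policy_name == "strict":
        return SEQ_SPACE
    return -(-SEQ_SPACE // window)   # ceiling division


def blind_reset(state, policy, step):
    """Attacker who knows the 4-tuple but not the sequence number sprays RSTs
    at every multiple of `step` across the sequence space. Returns how many
    segments were sent before one passed, or None if the whole spray is
    dropped."""
    for k in range(-(-SEQ_SPACE // step)):
        seg = Segment(seq=(k * step) % SEQ_SPACE, rst=True)
        if policy(state, seg):
            return k + 1
    return None


if __name__ == "__main__":
    print("reordered data, in-window:", reorder_demo(in_window))
    print("reordered data, strict:   ", reorder_demo(strict))
    print("RST guesses, window 65535:", rst_guesses_needed(65535, "window"))
    print("RST guesses, strict:      ", rst_guesses_needed(65535, "strict"))
    flow = FlowState(next_expected=123456789, window=65535)
    print("spray vs in-window lands after:", blind_reset(flow, in_window, 65535))
    print("spray vs strict lands after:   ", blind_reset(flow, strict, 65535))
```

Under the in-window check a 65535-byte window lets an attacker cover the whole 32-bit space with about 65 thousand RSTs, while the strict check demands the one exact value, which is the hardening the question is after. The cost is exactly Peter's objection: reorder_demo shows the swapped-but-legitimate segment being dropped under strict and only getting through on retransmission, which is a real slowdown on multipath paths where reordering is routine.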