Re: Ambiguities in TCP/IP - firewall bypassing

From: Lyndon Nerenberg (lyndon@orthanc.ab.ca)
Date: 10/20/02


To: bugtraq@securityfocus.com
Date: Sun, 20 Oct 2002 13:03:25 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>


>Think of ECN; should older stacks simply reject a packet with Syn+0x42
>because they don't know what 0x42 is?
>
>If I've understood correctly, you were suggesting to drop "bad" packets.
>I agree; only let established traffic through your firewall, and only
>let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
>state in the firewall. Ignore the rest of the flags.
>
>Of course, if anyone finds this un-interoperable, please chime in!

Before people get too paranoid about accepting packets I recommend
they read RFC 3360: Inappropriate TCP Resets Considered Harmful.

   1. Introduction
   
      TCP uses the RST (Reset) bit in the TCP header to reset a TCP
      connection. Resets are appropriately sent in response to a
      connection request to a nonexistent connection, for example. The TCP
      receiver of the reset aborts the TCP connection, and notifies the
      application [RFC793, RFC1122, Ste94].
   
      Unfortunately, a number of firewalls and load-balancers in the
      current Internet send a reset in response to a TCP SYN packet that
      use flags from the Reserved field in the TCP header. Section 3 below
      discusses the specific example of firewalls that send resets in
      response to TCP SYN packets from ECN-capable hosts.

      [ ... ]

--lyndon
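The policy quoted above (create firewall state only for SYN or SYN+ACK with FIN and RST clear, ignore every other flag bit) and the RFC 3360 failure mode (a SYN carrying the formerly reserved ECE/CWR bits answered with a reset) can be put side by side in a few lines. The following is an added illustration, not code from this thread or from RFC 3360; it assumes only the standard TCP flag bit positions (RFC 793, with ECE and CWR from RFC 3168) and builds its own constructed 20-byte TCP headers with a zero checksum.

```python
import struct

# TCP flag bits as they sit in byte 13 of the header (RFC 793; ECE/CWR per RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP segment whose header starts at offset 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def may_establish_state(flags: int) -> bool:
    """The policy from the thread: only SYN or SYN+ACK, with FIN and RST clear,
    may create a new state-table entry. PSH, URG, ECE, CWR and any bit assigned
    in the future are simply ignored, so ECN-capable hosts are not penalised."""
    if flags & (FIN | RST):
        return False
    return bool(flags & SYN)


def strict_reject_reserved(flags: int) -> bool:
    """The behaviour RFC 3360 warns against: a SYN whose 'reserved' bits
    (ECE/CWR in RFC 793 terms) are set is treated as malformed and reset.
    Returns True when such a device would send a RST."""
    reserved = ECE | CWR
    return bool(flags & SYN) and bool(flags & reserved)


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum left at zero)."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


# Constructed sample segments; the SYN+ECE case is the "Syn+0x42" from the thread.
SAMPLES = {
    "syn": build_tcp_header(40000, 80, SYN),
    "syn_ece": build_tcp_header(40000, 80, SYN | ECE),          # 0x42
    "ecn_setup_syn": build_tcp_header(40000, 80, SYN | ECE | CWR),  # RFC 3168 ECN-setup SYN
    "syn_ack": build_tcp_header(80, 40000, SYN | ACK, seq=1, ack=1),
    "syn_fin": build_tcp_header(40000, 80, SYN | FIN),
    "syn_rst": build_tcp_header(40000, 80, SYN | RST),
    "ack": build_tcp_header(40000, 80, ACK, seq=1, ack=1),
}


def evaluate(samples: dict) -> dict:
    """For each sample: (creates state under the thread's policy?,
    would be reset by a strict reserved-bit filter?)."""
    return {
        name: (may_establish_state(tcp_flags(seg)),
               strict_reject_reserved(tcp_flags(seg)))
        for name, seg in samples.items()
    }


if __name__ == "__main__":
    for name, (creates_state, strict_reset) in evaluate(SAMPLES).items():
        print(f"{name:15s} flags=0x{tcp_flags(SAMPLES[name]):02x}  "
              f"creates state: {creates_state!s:5s}  strict filter resets: {strict_reset}")
```

Run as a script it prints one line per sample; the point to notice is that the two ECN-flavoured SYNs create state under the quoted policy but would be reset by the strict filter, which is exactly the interoperability break RFC 3360 describes, while SYN+FIN and SYN+RST are refused by both.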
