TCP established flag & ipfw rule

J.T. Davies jtd at hostthecoast.org
Mon Mar 1 18:29:43 PST 2004


> jtd at hostthecoast.org said:
> > To clarify, instead of "EST" in my original post, replace with "ACK".
> > Could some unscrupulous person add the "ACK" flag to the TCP packets
> > and be accepted by this rule (even though they may not technically be
> > "ACK")?
>
>
> They could.  But this is not as damaging as you think, because once the
> malicious packet is passed by ipfw and gets to the destination machine, the
> dest machine will try and look up the internal state (i.e. seq numbers, window
> sizes, RTT estimates etc) for this supposed TCP connection.   It will
> presumably not have a TCP connection with the matching ip address/port numbers,
> so all this will do is cause the "attacked" machine to send an RST and discard
> the malicious packet.  It won't magically make a connection appear in the
> target machine.  The only way to initiate a TCP connection is with a SYN
> packet, and they don't get passed by the "established" rule.
>
> So this is a possible denial-of-service (forcing the internal machine to
> consider and RST random attacking packets), but not a security failure as
> such.
>


Excellent! Thank you all who responded!



More information about the freebsd-ipfw mailing list