TCP established flag & ipfw rule

Gregory Bond gnb at itga.com.au
Mon Mar 1 17:18:42 PST 2004


jtd at hostthecoast.org said:
> To clarify, instead of "EST" in my original post, replace with "ACK".
> Could some unscrupulous person add the "ACK" flag to the TCP packets
> and be accepted by this rule (even though they may not technically be
> "ACK")?


They could.  But this is not as damaging as you think, because once the
malicious packet is passed by ipfw and gets to the destination machine, the
dest machine will try and look up the internal state (i.e. seq numbers, window
sizes, RTT estimates etc) for this supposed TCP connection.   It will
presumably not have a TCP connection with the matching IP address/port numbers,
so all this will do is cause the "attacked" machine to send an RST and discard
the malicious packet.  It won't magically make a connection appear in the
target machine.  The only way to initiate a TCP connection is with a SYN
packet, and they don't get passed by the "established" rule.

So this is a possible denial-of-service (forcing the internal machine to
consider and RST random attacking packets), but not a security failure as
such.  
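As an added illustration of the reasoning above (this is example code, not part of the original thread or of ipfw itself): a small simulation of ipfw's "established" match (which passes TCP packets carrying the ACK or RST bit) in front of a host that keeps a table of TCP control blocks keyed by the connection 4-tuple. The forged ACK packet clears the firewall rule, but the host finds no matching state and answers with an RST, so no connection is created; a bare SYN does not match the rule at all. Addresses, ports and the flag constants are constructed for the example.

```python
from dataclasses import dataclass, field

# TCP flag bits (standard header values); only these three matter here.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_rule_passes(pkt: Packet) -> bool:
    """Mimic ipfw's 'established' keyword: match if ACK or RST is set."""
    return bool(pkt.flags & (ACK | RST))


@dataclass
class Host:
    """Minimal model of the destination host's TCP state handling."""
    listening: set = field(default_factory=set)
    tcb: dict = field(default_factory=dict)   # 4-tuple -> connection state
    rst_sent: int = 0

    def receive(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.tcb:
            return "delivered"            # belongs to a real connection
        if pkt.flags & SYN and not pkt.flags & ACK and pkt.dport in self.listening:
            self.tcb[key] = "SYN_RECEIVED"  # only a SYN can create state
            return "syn-ack"
        # No matching state: the segment is discarded and answered with RST
        # (unless it was itself an RST, which is never answered).
        if not pkt.flags & RST:
            self.rst_sent += 1
        return "rst"


def run_scenario() -> dict:
    host = Host(listening={22})
    # Constructed sample traffic: a forged ACK-only segment and a bare SYN.
    forged_ack = Packet("203.0.113.9", 40000, "192.0.2.10", 22, ACK)
    bare_syn = Packet("203.0.113.9", 40001, "192.0.2.10", 22, SYN)

    results = {}
    # The forged ACK passes the 'established' rule and reaches the host...
    results["forged_ack_passes_rule"] = established_rule_passes(forged_ack)
    results["host_response"] = host.receive(forged_ack)
    # ...but the SYN needed to open a connection never matches that rule.
    results["syn_passes_rule"] = established_rule_passes(bare_syn)
    results["connections_created"] = len(host.tcb)
    results["rst_sent"] = host.rst_sent
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The `rst_sent` counter is the cost the post calls a possible denial of service: every forged ACK that the rule admits makes the host do a state lookup and emit an RST, while `connections_created` stays at zero.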