From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 08:31:23 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42D3E16A4CF; Fri, 23 Apr 2004 08:31:23 -0700 (PDT)
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id A759D43D5E; Fri, 23 Apr 2004 08:31:22 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au)
Received: from caligula.anu.edu.au (localhost [127.0.0.1]) by caligula.anu.edu.au (8.12.9/8.12.9) with ESMTP id i3NFVKbF026625; Sat, 24 Apr 2004 01:31:21 +1000 (EST)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.12.9/8.12.8/Submit) id i3NFVK9m026622; Sat, 24 Apr 2004 01:31:20 +1000 (EST)
From: Darren Reed
Message-Id: <200404231531.i3NFVK9m026622@caligula.anu.edu.au>
To: mipam@ibb.net (Mipam)
Date: Sat, 24 Apr 2004 01:31:20 +1000 (Australia/ACT)
In-Reply-To: from "Mipam" at Apr 23, 2004 03:17:32 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: use keep state(strict) to mitigate tcp issues?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 23 Apr 2004 15:31:23 -0000

In some mail from Mipam, sie said:
>
> Hi,
>
> When deploying a BSD with IPF in at the network perimeter
> and using rules like these:
>
> pass in .. proto tcp ... keep state(strict)
>
> it's possible to refuse tcp packets which arrive out of order.
> This would increase the difficulty doing blind attack resets and blind
> data injection attack, cause then you'd have to "guess" the exact expected
> number. Checkpoint has a similar feature (is that right?) which is
> described here as the answer to the mentioned attacks:
>
> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
>
> Although this is nice, there is also the risk of breaking
> connection because it's not unlikely that packets arrive out of order.
> At least, that's what I think, any thoughts upon this?

My thoughts are that if the TCP on both ends is having trouble, it will
eventually fall back and get packets through that match the state entries
for "strict". I would not, for example, advise using "strict" for state
connections where you intend on sending 100s of megabytes over fast
networks. In IPFilter, the "strict" applies to all TCP packets for a
connection, not just the SYNs or RSTs.

Darren
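The trade-off the two posters describe can be seen in a small model of the state check a filter performs on each TCP segment. The following is an added example, not code from this thread and not IPFilter's own implementation; it compares an in-window check (the usual stateful-filter behaviour) against a strict check that accepts only the segment starting at the exact next expected sequence number, and runs both over a constructed reordered burst and a constructed segment that is in the window but not at the expected edge. The fixed 65535-byte window, the way the state advances, and the absence of ACK tracking are simplifying assumptions of this model.

```python
"""Toy model of TCP sequence checks in a stateful packet filter.

Added example; it is not code from the mailing-list thread or from
IPFilter. One StateEntry tracks one direction of one connection under
one of two policies:

  window mode - accept a segment whose sequence number lies within the
                receive window on either side of the expected point
                (ordinary stateful-filter behaviour, simplified)
  strict mode - accept only the segment that starts exactly at the next
                expected sequence number (the 'keep state(strict)' idea)

Assumptions: constant 65535-byte window, no tracking of the peer's ACKs,
and the expected sequence number advances past any accepted data.
"""
from dataclasses import dataclass
from typing import List

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    seq: int          # sequence number of the first byte in this segment
    length: int       # payload length in bytes
    note: str = ""    # label used only in the demo output


@dataclass
class StateEntry:
    next_seq: int         # next sequence number expected from this side
    window: int = 65535   # receive window (assumed constant)
    strict: bool = False  # True: exact-edge match; False: in-window match

    def accept(self, seg: Segment) -> bool:
        """Return True if the segment passes the check; update the state."""
        ahead = (seg.seq - self.next_seq) % SEQ_MOD   # distance past the edge
        behind = (self.next_seq - seg.seq) % SEQ_MOD  # distance before the edge
        if self.strict:
            ok = ahead == 0
        else:
            ok = ahead < self.window or behind < self.window
        if ok:
            end = (seg.seq + seg.length) % SEQ_MOD
            # only move the expected point forward, never back
            if (end - self.next_seq) % SEQ_MOD < self.window:
                self.next_seq = end
        return ok


def run_policy(segments: List[Segment], start_seq: int, strict: bool) -> List[bool]:
    """Feed segments through a fresh state entry; return accept/drop per segment."""
    state = StateEntry(next_seq=start_seq, strict=strict)
    return [state.accept(s) for s in segments]


# Constructed traffic: three 100-byte segments where the 2nd and 3rd swap
# places in transit, followed by the sender's retransmission of the 3rd
# (which is what lets a strict filter recover, as Darren describes).
REORDERED = [
    Segment(1000, 100, "1st"),
    Segment(1200, 100, "3rd, arrives early"),
    Segment(1100, 100, "2nd, arrives late"),
    Segment(1200, 100, "3rd, retransmitted"),
]

# Constructed case: a segment whose sequence number is inside the window
# but not at the expected edge. Window mode passes it; strict does not.
NOT_AT_EDGE = [
    Segment(1000, 100, "1st"),
    Segment(1100 + 5000, 0, "in window, not at expected edge"),
]


def summarize(segments: List[Segment], start_seq: int) -> List[str]:
    """One line per segment showing both policies' decisions."""
    win = run_policy(segments, start_seq, strict=False)
    stc = run_policy(segments, start_seq, strict=True)
    return [
        f"seq={s.seq:<5} len={s.length:<3} window={'pass' if w else 'drop'} "
        f"strict={'pass' if t else 'drop'}  {s.note}"
        for s, w, t in zip(segments, win, stc)
    ]


if __name__ == "__main__":
    print("reordered burst:")
    print("\n".join(summarize(REORDERED, 1000)))
    print("\nsegment off the expected edge:")
    print("\n".join(summarize(NOT_AT_EDGE, 1000)))
```

Running it shows the two halves of the thread's argument side by side: under strict the early-arriving third segment is dropped and only its retransmission gets through (the "eventually fall back" case, at the cost of a retransmit on every reordering, which is why it suits low-volume connections better than bulk transfers), while a segment that merely lands somewhere in the window passes the window check and fails the strict one.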