From owner-freebsd-security@FreeBSD.ORG Fri Apr 23 07:27:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDF2116A4CE for ; Fri, 23 Apr 2004 07:27:52 -0700 (PDT) Received: from ux1.ibb.net (ux1.ibb.net [64.215.98.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC41043D1F for ; Fri, 23 Apr 2004 07:27:51 -0700 (PDT) (envelope-from mipam@ibb.net) Received: from localhost (mipam@localhost) by ux1.ibb.net (8.9.3/8.9.3/UX1TT) with ESMTP id PAA01805 for ; Fri, 23 Apr 2004 15:17:32 +0200 X-Authentication-Warning: ux1.ibb.net: mipam owned process doing -bs Date: Fri, 23 Apr 2004 15:17:32 +0200 (MET DST) From: Mipam To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: use keep state(strict) to mitigate tcp issues? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Apr 2004 14:27:53 -0000 Hi, When deploying a BSD with IPF in at the network perimeter and using rules like these: pass in .. proto tcp ... keep state(strict) it's possible to refuse tcp packets which arrive out of order. This would increase the difficulty doing blind attack resets and blind data injection attack, cause then you'd have to "guess" the exact expected number. Checpoint has a similar feature (is that right?) which is described here as the answer to the mentioned attacks: http://www.checkpoint.com/techsupport/alerts/tcp_dos.html Allthough this is nice, there is also the risk of breaking connection because it's not unlikely that packets arrive out of order. At least, that's what i think, any thoughts upon this? Bye, Mipam.