Date: Tue, 02 Mar 2004 12:18:38 +1100
From: Gregory Bond <gnb@itga.com.au>
To: "J.T. Davies" <jtd@hostthecoast.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: TCP established flag & ipfw rule
Message-ID: <200403020118.MAA18408@lightning.itga.com.au>
In-Reply-To: Your message of Sun, 29 Feb 2004 15:29:44 -0800.
jtd@hostthecoast.org said:
> To clarify, instead of "EST" in my original post, replace with "ACK".
> Could some unscrupulous person add the "ACK" flag to the TCP packets
> and be accepted by this rule (even though they may not technically be
> "ACK")?

They could. But this is not as damaging as you think, because once the malicious packet is passed by ipfw and gets to the destination machine, the dest machine will try and look up the internal state (i.e. seq numbers, window sizes, RTT estimates etc.) for this supposed TCP connection. It will presumably not have a TCP connection with the matching IP address/port numbers, so all this will do is cause the "attacked" machine to send an RST and discard the malicious packet. It won't magically make a connection appear in the target machine.

The only way to initiate a TCP connection is with a SYN packet, and they don't get passed by the "established" rule.

So this is a possible denial-of-service (forcing the internal machine to consider and RST random attacking packets), but not a security failure as such.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200403020118.MAA18408>
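To make the reply's argument concrete, here is an added example (not from the thread, and not ipfw's own code) that models the stateless `established` match beside a simplified `keep-state`/`check-state` style rule, together with the receiving host's connection-table lookup. The `Packet`, `Host` and `StatefulRule` classes, the addresses and the flag constants are constructed for illustration.

```python
from dataclasses import dataclass, field

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def flow(self):
        # Direction-independent identity of the connection this packet claims
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])

def established_rule(p):
    """ipfw 'established': stateless, passes anything with ACK or RST set."""
    return bool(p.flags & (ACK | RST))

class StatefulRule:
    """Simplified check-state/keep-state: pass only packets of a flow that an
    outbound SYN opened (the 'setup keep-state' rule); no timeouts modelled."""
    def __init__(self):
        self.dynamic = set()

    def outbound_setup(self, p):
        if p.flags & SYN and not p.flags & ACK:
            self.dynamic.add(p.flow())

    def __call__(self, p):
        return p.flow() in self.dynamic

@dataclass
class Host:
    """Receiving TCP stack: consults its connection table, as the reply says."""
    listening: set = field(default_factory=set)
    conns: set = field(default_factory=set)

    def receive(self, p):
        if p.flow() in self.conns:
            return "accepted"          # matches real connection state
        if p.flags & SYN and not p.flags & ACK and p.dport in self.listening:
            self.conns.add(p.flow())   # only a SYN creates a connection
            return "syn-ack"
        return "rst"                   # no state: send RST and discard

def simulate(pkts, rule, host):
    """Firewall first, then host. Returns one outcome string per packet."""
    return [host.receive(p) if rule(p) else "dropped" for p in pkts]
```

With the stateless rule a forged ACK reaches the host and only earns an RST (no connection is created) while a bare SYN is dropped; with the stateful rule the forged ACK never reaches the host because no dynamic entry matches it.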