Bugtraq mailing list archives
Re: Ambiguities in TCP/IP - firewall bypassing
From: Lyndon Nerenberg <lyndon () orthanc ab ca>
Date: Sun, 20 Oct 2002 13:03:25 -0600
Think of ECN; should older stacks simply reject a packet with Syn+0x42 because they don't know what 0x42 is? If I've understood correctly, you were suggesting to drop "bad" packets. I agree; only let established traffic through your firewall, and only let packets with Syn or Syn+Ack set and with Fin and Rst unset establish state in the firewall. Ignore the rest of the flags. Of course, if anyone finds this un-interoperable, please chime in!
Before people get too paranoid about accepting packets I recommend they read RFC 3360: Inappropriate TCP Resets Considered Harmful. 1. Introduction TCP uses the RST (Reset) bit in the TCP header to reset a TCP connection. Resets are appropriately sent in response to a connection request to a nonexistent connection, for example. The TCP receiver of the reset aborts the TCP connection, and notifies the application [RFC793, RFC1122, Ste94]. Unfortunately, a number of firewalls and load-balancers in the current Internet send a reset in response to a TCP SYN packet that use flags from the Reserved field in the TCP header. Section 3 below discusses the specific example of firewalls that send resets in response to TCP SYN packets from ECN-capable hosts. [ ... ] --lyndon
Current thread:
- Ambiguities in TCP/IP - firewall bypassing Paul Starzetz (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing Alan DeKok (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing Benjamin Krueger (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing Alun Jones (Oct 18)
- RE: Ambiguities in TCP/IP - firewall bypassing John Fitzgerald (Oct 19)
- Re: Ambiguities in TCP/IP - firewall bypassing Tony Finch (Oct 19)
- Re: Ambiguities in TCP/IP - firewall bypassing Alan DeKok (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing Luis Bruno (Oct 19)
- Re: Ambiguities in TCP/IP - firewall bypassing Lyndon Nerenberg (Oct 21)
- Re: Ambiguities in TCP/IP - firewall bypassing Benjamin Krueger (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing Alan DeKok (Oct 18)
- Re: Ambiguities in TCP/IP - firewall bypassing cbrenton (Oct 19)
- Re: Ambiguities in TCP/IP - firewall bypassing Aaron Hopkins (Oct 19)
- Re: Ambiguities in TCP/IP - firewall bypassing Florian Weimer (Oct 22)