Firewall Wizards mailing list archives
TCP DoS attack
From: "Ravi Kumar" <ravivsn () rocsys com>
Date: Mon, 25 Oct 2004 23:20:15 +0530 (IST)
Hi,

One of my colleagues is testing a firewall product. He has written up a program which disconnects the TCP connection. The setup is as follows.

PC (TCPClient)----------Firewall-----------------------------PC(Server)
                                         |
                                         |
                                 Compromised Device

The test program does the following:
- Reads the packets on the wire.
- If it is a TCP SYN packet, it immediately sends a TCP packet with SYN with its own initial sequence number and ACK with the client sequence number.

Behavior on PC (TCP Client):
- It is observed that the actual TCP connection to the server succeeds only 30 to 40% of the time. We feel that if the SYN+ACK packet from the server goes first, then the connection gets established.

For this attack to succeed, the attacker should be able to see the traffic. How real is this threat? We tried to convince ourselves that this is not a realistic threat, in the sense that all devices would be protected in the path. If this is the case, what is the need for IPSec, which indicates that it is needed to protect traffic?

Comments?

I guess firewalls in between can't do much about these kinds of DoS attacks. At most, they might detect some anomaly. What could be the solution? IPSec between Client and Server OR firewall and Server network?

Thanks
Ravi
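One way a sensor could detect the anomaly the post mentions, as an added example that is not part of the original message: it flags any handshake in which a single SYN draws SYN+ACK replies carrying different initial sequence numbers. The packet records, addresses and the name `find_conflicting_synacks` are constructed for illustration.

```python
from collections import namedtuple

# Simplified packet record; a real sensor would fill this from a capture.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack")

def find_conflicting_synacks(packets, window=3.0):
    """Flag handshakes where one SYN drew SYN+ACKs with different ISNs."""
    pending = {}  # (client, cport, server, sport) -> (syn_ts, client_isn)
    seen = {}     # same key -> {responder_isn: first_seen_ts}
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == {"SYN"}:
            key = (p.src, p.sport, p.dst, p.dport)
            # A retransmitted SYN (same ISN) keeps state; a new ISN resets it.
            if pending.get(key, (None, None))[1] != p.seq:
                pending[key] = (p.ts, p.seq)
                seen[key] = {}
        elif p.flags == {"SYN", "ACK"}:
            key = (p.dst, p.dport, p.src, p.sport)
            if key not in pending:
                continue
            syn_ts, client_isn = pending[key]
            # Only replies that acknowledge this SYN, within the time window.
            if p.ts - syn_ts > window or p.ack != (client_isn + 1) % 2**32:
                continue
            replies = seen[key]
            if p.seq not in replies:  # same ISN again = benign retransmit
                replies[p.seq] = p.ts
                if len(replies) == 2:
                    alerts.append({"flow": key,
                                   "responder_isns": sorted(replies)})
    return alerts

# Constructed sample traffic (not taken from the original post).
C, S = "10.0.0.5", "192.0.2.10"
SA = frozenset({"SYN", "ACK"})
SAMPLE = [
    Pkt(0.000, C, 40000, S, 80, frozenset({"SYN"}), 1000, 0),
    Pkt(0.001, S, 80, C, 40000, SA, 777777, 1001),  # injected reply wins race
    Pkt(0.004, S, 80, C, 40000, SA, 5000, 1001),    # real server's reply
    Pkt(1.000, C, 40001, S, 80, frozenset({"SYN"}), 2000, 0),
    Pkt(1.003, S, 80, C, 40001, SA, 9000, 2001),
    Pkt(2.003, S, 80, C, 40001, SA, 9000, 2001),    # retransmit, same ISN
]
```

The second flow shows why the check compares sequence numbers rather than counting replies: a server retransmitting its SYN+ACK reuses the same initial sequence number and is not flagged.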