Security Incidents mailing list archives

Re: SYN/ACK probe attempt to TCP 3072?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 8 Mar 2001 00:15:55 -0500

On Wed, 07 Mar 2001 12:36:39 CST, SIU Credit Union IS Dept <isdept () CECC NET>  said:
Mar 06 04:30:57 [192.149.115.1] %PIX-6-106015: Deny TCP (no
connection) from 204.178.125.65/25
to 192.168.x.x/3072 flags SYN ACK  on interface outside
...
reply to a connection origination. So, if this were legit traffic, it
would indicate that the our extranet system initiated the sending of
an email to this remote system. However, if this were the case,
the PIX firewall would have an entry in its state table that allowed
the connection back through. Since there is no way that I know of
to trick the PIX state table, I suspect that this is a crafted packet

4:30AM? Hmm... at least around here, that's maintenance/test time. You
might want to rule out the following scenario (and its variants):

1) One of your hosts sends out a TCP SYN to send mail to the 204.178.x.x
site, and is passed by the PIX, which makes an entry in the state table.

2) Delay happens.

3) The PIX is restarted/rebooted/reset for some local management reason.
As a side-effect, the state table is cleared.

4) The SYN+ACK packet finally comes back, only to find a PIX that has
no recollection of (1).

In addition, the interior address is in the 192.168 private netblock,
which introduces another possible reset scenario:

0) The PIX becomes aware of the 192.168.x.x address via some means.

1) Your interior host sends a TCP SYN to open an outbound mail.

2) Delay happens.

3) The PIX sees a DHCP request, or a different ARP value for that IP
(indicating the machine has changed MAC addresses), or other "I've
rebooted" indication from the 192.168.x.x machine, and it therefore does
the reasonable thing and flushes knowledge of connections (which is an
interesting DoS attack if you can forge the "rebooted" indication).
No, I don't know offhand if the PIX actually does this, or if so, what
indications it accepts...

4) The TCP SYN+ACK arrives to find nobody home...

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
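One way to do the "rule out a restart" check described in this message, as an added example that is not from the thread or from Cisco: parse the PIX 106015 "no connection" denies and mark each SYN/ACK deny that lands shortly after a firewall restart marker as plausibly stale state rather than a probe. The "SYSTEM RESTART" marker line, the 600-second window and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original thread). 192.0.2.x and
# 198.51.100.x are documentation ranges; "SYSTEM RESTART" is a placeholder
# for whatever restart/state-flush message the firewall actually logs.
SAMPLE_LOG = """\
Mar 06 04:29:12 [192.0.2.1] SYSTEM RESTART (placeholder marker)
Mar 06 04:30:57 [192.0.2.1] %PIX-6-106015: Deny TCP (no connection) from 198.51.100.65/25 to 192.168.1.10/3072 flags SYN ACK  on interface outside
Mar 06 09:15:03 [192.0.2.1] %PIX-6-106015: Deny TCP (no connection) from 198.51.100.65/25 to 192.168.1.10/3072 flags SYN ACK  on interface outside
Mar 06 09:15:04 [192.0.2.1] %PIX-6-106015: Deny TCP (no connection) from 198.51.100.65/25 to 192.168.1.11/3072 flags SYN ACK  on interface outside
Mar 06 09:15:05 [192.0.2.1] %PIX-6-106015: Deny TCP (no connection) from 198.51.100.65/80 to 192.168.1.12/1234 flags RST  on interface outside
"""

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"
DENY_RE = re.compile(TS + r" \[\S+\] %PIX-6-106015: Deny TCP \(no connection\) "
                     r"from (?P<src>\S+)/\d+ to (?P<dst>\S+)/\d+ flags (?P<flags>[A-Z ]+?) +on interface")
RESTART_RE = re.compile(TS + r" \[\S+\] SYSTEM RESTART")

def parse_ts(text, year=2001):
    # Syslog lines carry no year; the caller supplies one (sample is from 2001).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def triage(log_text, grace_seconds=600):
    """Classify every SYN ACK 'no connection' deny as 'stale-after-restart'
    (within grace_seconds after a restart marker, so the state entry was
    plausibly lost) or 'unsolicited' (no restart explains it)."""
    restarts, verdicts = [], []
    for line in log_text.splitlines():
        if m := RESTART_RE.match(line):
            restarts.append(parse_ts(m["ts"]))
        elif (m := DENY_RE.match(line)) and m["flags"].strip() == "SYN ACK":
            ts = parse_ts(m["ts"])
            stale = any(0 <= (ts - r).total_seconds() <= grace_seconds for r in restarts)
            verdicts.append((ts, m["src"], m["dst"], "stale-after-restart" if stale else "unsolicited"))
    return verdicts

def unsolicited_sources(verdicts):
    """Map each source of unsolicited SYN/ACKs to the internal hosts it hit;
    one source reaching several hosts looks like probing, not lost state."""
    hits = defaultdict(set)
    for _, src, dst, verdict in verdicts:
        if verdict == "unsolicited":
            hits[src].add(dst)
    return dict(hits)

if __name__ == "__main__":
    v = triage(SAMPLE_LOG)
    for ts, src, dst, verdict in v:
        print(ts, src, "->", dst, verdict)
    print(unsolicited_sources(v))
```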
