Bugtraq mailing list archives

Re: PIX DMZ Denial of Service - TCP Resets


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 22 Mar 2000 02:25:16 +1100


In some mail from Andrew Alston, sie said:
[...]

On receiving a RST packet (TCP Reset) from a given host with the correct
source and destination port, the PIX will drop the state entry for that
particular connection, which means the tcp connection dies due to the fact
that, with no state entry, the external box can no longer talk to the internal
box.
[...]
              seq = rand() % time(NULL);      /* Randomize our #'s */
              ack = rand() % time(NULL);      /* Randomize ack #'s */
[...]

There have been many different ways in which it has been possible to
exercise this particular target, over the years.  The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.

The general gist of this problem is poorly implemented TCP connection
state tracking.  You *must* track window sizes and sequence numbers
and acknowledgments to at least reduce the chance of any given TCP
packet from "outside" actually being part of that connection.

Darren
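
What the sequence-and-window check argued for above looks like, as an added example in C (not code from the original thread, nor from any PIX or FW-1 implementation); the struct names are hypothetical and the flow and packet values are constructed:

```c
/* Added example: minimal per-connection TCP state check of the kind the
 * reply says a firewall must perform. Struct layouts are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define TH_RST 0x04

/* Tracked state for one direction of a connection. */
struct tcp_flow {
    uint16_t sport, dport;   /* ports as seen from the "outside" peer */
    uint32_t rcv_nxt;        /* next sequence number expected from the peer */
    uint32_t rcv_wnd;        /* window the inside host last advertised */
    bool     established;
};

struct tcp_pkt {
    uint16_t sport, dport;
    uint32_t seq;
    uint8_t  flags;
};

/* Naive check, matching the behaviour described above: ports alone decide. */
bool naive_rst_accept(const struct tcp_flow *f, const struct tcp_pkt *p) {
    return (p->flags & TH_RST) && p->sport == f->sport && p->dport == f->dport;
}

/* Sequence-aware check: the RST is honoured only if its sequence number lies
 * in the receive window [rcv_nxt, rcv_nxt + rcv_wnd). Unsigned subtraction
 * keeps the comparison correct across 32-bit sequence wrap-around. */
bool window_rst_accept(const struct tcp_flow *f, const struct tcp_pkt *p) {
    if (!(p->flags & TH_RST) || p->sport != f->sport || p->dport != f->dport)
        return false;
    return (uint32_t)(p->seq - f->rcv_nxt) < f->rcv_wnd;
}

/* Apply a packet to the flow; returns true if the state entry was torn down. */
bool flow_handle(struct tcp_flow *f, const struct tcp_pkt *p, bool check_window) {
    bool accept = check_window ? window_rst_accept(f, p) : naive_rst_accept(f, p);
    if (accept) f->established = false;
    return accept;
}

int main(void) {
    struct tcp_flow f = { 40000, 80, 1000000u, 8192u, true };
    struct tcp_pkt spoof = { 40000, 80, 0xdeadbeefu, TH_RST }; /* random seq */
    struct tcp_pkt real  = { 40000, 80, 1000000u + 10, TH_RST }; /* in window */
    printf("naive accepts spoof: %d\n", naive_rst_accept(&f, &spoof));
    printf("window check accepts spoof: %d, real: %d\n",
           window_rst_accept(&f, &spoof), window_rst_accept(&f, &real));
    return 0;
}
```

RFC 5961 later tightened the RST rule further, accepting only an exact match on the expected sequence number and answering an in-window mismatch with a challenge ACK.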

