Firewall Wizards mailing list archives
Re: Variations of firewall ruleset bypass via FTP
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 11 Oct 2002 19:49:59 +1000 (EST)
In some email I received from Mikael Olsson, sie wrote: [...]
Darren Reed wrote:
That aside, my view on this is "funky ACKing" may be within the bounds of legal TCP operation, but it's not what any "normal" FTP client is going to do so throw those packets away.

I've been asking myself this question. It applies to IDSes too. (Indeed, I was pondering IDS evasion techniques when I came up with this.) There _is_ in fact a valid use for partial acknowledgments.

- Receiving end checks pool of receive window buffers and comes to the conclusion that there's plenty free. Sends out RWIN=8192
- Sender sees RWIN=8192 and fires off several full-length segments.
- Receiver receives segments, but, ACK(tm)! Other sockets snarfed all the buffers! All we can get our hands on is a measly 512 byte one!

At this point, the receiver can either just drop all segments, _OR_ grab hold of the 512 first bytes of the first segment, and send out an ACK that only partially acknowledges the first segment.
Sure it can happen but how often does it really happen? For the minor convenience of dropping whatever packets and causing a full resend, I think I'm happy to discard partial segments. Given this is only currently done for the FTP command channel (and that's hardly a massive user of buffering), I'm not concerned. If it breaks 1 time in 100, but the other 99 are secured, that 1 off is a sacrifice I'm willing to force. [...]
However, IMHO, the same _shouldn't_ have to be true for an attacker that simply creates file names (without CRLFs in them) via FTP and issues STAT commands. I'm thinking that f.i. the latest version of ipf stops this, but not the version currently shipping with NetBSD?
I'm not in control of what version ships with NetBSD. SEP.

Darren
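Added example, not part of the original thread and not ipf's code: a minimal sketch of the policy discussed in the message above (pass an ACK only if it lands on the end of a segment the filter has seen), replayed over the partial-ACK scenario quoted from Mikael Olsson. The class name, verdict strings, the MSS of 1460 and all sequence numbers are constructed for illustration; sequence-number wraparound is ignored.

```python
from bisect import bisect_left


class AckBoundaryTracker:
    """Remembers where each segment seen in one direction ends and
    classifies ACKs that come back in the other direction."""

    def __init__(self, isn):
        self.boundaries = [isn]  # sorted sequence numbers at which a segment ends
        self.highest_ack = isn   # highest boundary ACK passed so far

    def saw_segment(self, seq, length):
        # A retransmission with different segmentation simply adds boundaries.
        end = seq + length
        i = bisect_left(self.boundaries, end)
        if i == len(self.boundaries) or self.boundaries[i] != end:
            self.boundaries.insert(i, end)

    def classify_ack(self, ack):
        if ack > self.boundaries[-1]:
            return "drop-unseen"      # acknowledges data the filter never saw
        if ack <= self.highest_ack:
            return "pass-duplicate"   # nothing new is being acknowledged
        i = bisect_left(self.boundaries, ack)
        if self.boundaries[i] != ack:
            return "drop-partial"     # ACK falls inside a segment
        self.highest_ack = ack
        return "pass"


def replay_partial_ack_scenario():
    """Constructed trace: four full-length segments are sent into an
    advertised window of 8192, and the receiver can buffer only 512 bytes."""
    isn, mss = 1000, 1460             # assumed values, not from the thread
    tracker = AckBoundaryTracker(isn)
    for n in range(4):                # 4 * 1460 = 5840 bytes, within RWIN=8192
        tracker.saw_segment(isn + n * mss, mss)
    acks = [
        isn + 512,      # partial ACK of the first segment
        isn + mss,      # first segment fully acknowledged after the resend
        isn + 4 * mss,  # everything sent so far
        isn + 8000,     # beyond anything the filter has seen
        isn + mss,      # late duplicate
    ]
    return [tracker.classify_ack(a) for a in acks]


if __name__ == "__main__":
    print(replay_partial_ack_scenario())
```

Dropping the partial ACK costs the legitimate receiver a retransmission of the first segment, which is the trade-off accepted in the reply above.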