Firewall Wizards mailing list archives

Post connection SYN


From: Raghuveer <raghub () intotoinc com>
Date: Fri, 17 Oct 2003 14:13:02 +0530

Hi,
I would like to know how SPI-firewall/IDS would handle the following
scenario.

Setup:
A server, Public-Server1, is hosted behind a firewall/IDS capable of
detecting post-connection SYN attack. A remote PC in the Internet,
Remote-Client2, connects to Public-Server1 on TCP port 80 (and source port
TCP1024).

Details:
Upon establishment of connection, Remote-Client2 gets rebooted without a
normal shutdown and then starts a fresh connection to Public-Server1. This
time it so happens that the new connection is generated with the same
selector information (Src IP, DstIp, SPrt, Dprt & protocol). This
connection request (SYN) would be treated by the firewall device as post
connection SYN attack and might drop the connection request. The client is
not aware of this and keeps trying until the request times out.
There are certain protocols that might work on fixed source & destination
ports. In such cases, the chances of firewall/IDS detecting the connection
request as post connection SYN could be quite high.
How can SPI-firewalls/IDS in general handle such genuine scenarios and at the
same time avoid potential attacks?

- B. Raghuveer.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
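One way a stateful tracker can tell the rebooted client's reused 5-tuple apart from a forged post-connection SYN, added here as an illustration and not code from the post or from any firewall product; the policy, the endpoint addresses and the packet sequence are assumptions constructed for this example.

```python
# Constructed endpoints for the scenario in the post (documentation ranges, not real hosts).
CLIENT = ("203.0.113.10", 1024)   # Remote-Client2, source port TCP1024
SERVER = ("198.51.100.5", 80)     # Public-Server1, TCP port 80

class Tracker:
    """Toy stateful tracker; the policy is this example's assumption, not a vendor's.
    A SYN hitting an ESTABLISHED flow is forwarded but counted. The server answers
    with a plain ACK; a client that really rebooted has no state and replies RST,
    which removes the stale flow so its next SYN is NEW. Beyond `threshold` such
    SYNs without a RST are dropped and alerted (real trackers also check sequence
    numbers before honouring a RST, see RFC 5961)."""

    def __init__(self, threshold=3):
        self.flows = {}                    # (src, dst) -> [state, stray_syn_count]
        self.alerts, self.threshold = [], threshold

    def packet(self, src, dst, flag):
        key, rev = (src, dst), (dst, src)
        if key in self.flows:
            flow, orig = self.flows[key], True
        elif rev in self.flows:
            flow, orig, key = self.flows[rev], False, rev
        elif flag == "SYN":
            self.flows[key] = ["SYN_SENT", 0]
            return "NEW"
        else:
            return "DROP"                  # no state and not a SYN
        if flag == "RST":
            del self.flows[key]            # either side aborted the flow
        elif flow[0] == "SYN_SENT" and not orig and flag == "SYN-ACK":
            flow[0] = "SYN_RECV"
        elif flow[0] == "SYN_RECV" and orig and flag == "ACK":
            flow[0] = "ESTABLISHED"
        elif flow[0] in ("ESTABLISHED", "CHALLENGED") and orig and flag == "SYN":
            flow[1] += 1
            if flow[1] > self.threshold:
                self.alerts.append(f"post-connection SYN flood on {key}")
                return "DROP"
            flow[0] = "CHALLENGED"         # forward it; expect ACK, then RST
        return "ALLOW"

def reboot_scenario(threshold=3):
    """Handshake, client reboots, same 5-tuple reused: returns (verdicts, alerts)."""
    t = Tracker(threshold)
    steps = [(CLIENT, SERVER, "SYN"), (SERVER, CLIENT, "SYN-ACK"), (CLIENT, SERVER, "ACK"),
             (CLIENT, SERVER, "SYN"),   # rebooted client reuses source port 1024
             (SERVER, CLIENT, "ACK"),   # server's challenge ACK for the old session
             (CLIENT, SERVER, "RST"),   # client has no such session and resets it
             (CLIENT, SERVER, "SYN")]   # the retransmitted SYN now opens a fresh flow
    return [t.packet(*s) for s in steps], t.alerts
```

The genuine reboot costs the client one extra round trip before its SYN is accepted, while a stream of SYNs that never produces the RST is capped and reported.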