Firewall Wizards mailing list archives
Post connection SYN
From: Raghuveer <raghub () intotoinc com>
Date: Fri, 17 Oct 2003 14:13:02 +0530
Hi, I would like to know how an SPI firewall/IDS would handle the following scenario.

Setup: A server, Public-Server1, is hosted behind a firewall/IDS capable of detecting post-connection SYN attacks. A remote PC in the Internet, Remote-Client2, connects to Public-Server1 on TCP port 80 (and source port TCP 1024).

Details: Upon establishment of the connection, Remote-Client2 gets rebooted without a normal shutdown and then starts a fresh connection to Public-Server1. This time it so happens that the new connection is generated with the same selector information (Src IP, DstIp, SPrt, Dprt & protocol). This connection request (SYN) would be treated by the firewall device as a post-connection SYN attack, and it might drop the connection request. The client is not aware of this and keeps trying until the request times out.

There are certain protocols that might work on fixed source & destination ports. In such cases, the chances of the firewall/IDS detecting the connection request as a post-connection SYN could be quite high.

How can SPI firewalls/IDS in general handle such genuine scenarios and at the same time avoid potential attacks?

- B. Raghuveer.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
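The scenario in the post above, replayed against a toy state table. This is an added example, not part of the original message and not any vendor's implementation. The class name, the addresses (documentation ranges), the 3600-second idle timeout and the simplified handshake (the server's SYN-ACK is not modelled) are all assumptions made for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 3600  # assumed: seconds an idle state entry is kept


@dataclass
class Entry:
    state: str        # "SYN_SEEN" or "ESTABLISHED"
    last_seen: float  # time of the last packet accepted for this entry


class StrictStateTable:
    """Hypothetical SPI table: a SYN matching an ESTABLISHED entry is dropped."""

    def __init__(self):
        self.table = {}  # selector (5-tuple) -> Entry

    def packet(self, now, selector, flags):
        entry = self.table.get(selector)
        # Expire the entry once it has been idle longer than the timeout.
        if entry and now - entry.last_seen > IDLE_TIMEOUT:
            del self.table[selector]
            entry = None
        if flags == "SYN":
            if entry and entry.state == "ESTABLISHED":
                # Dropped packets do not refresh last_seen.
                return "DROP post-connection SYN"
            self.table[selector] = Entry("SYN_SEEN", now)
            return "PASS new connection"
        if entry is None:
            return "DROP no state"
        if flags == "ACK" and entry.state == "SYN_SEEN":
            entry.state = "ESTABLISHED"
        entry.last_seen = now
        return "PASS in state"


def replay_reboot_scenario():
    """Constructed trace: connect, client reboots, retries the same selector."""
    sel = ("198.51.100.2", "203.0.113.1", 1024, 80, "tcp")
    fw = StrictStateTable()
    trace = [(0, "SYN"), (1, "ACK"),                 # first connection
             (60, "SYN"), (63, "SYN"), (69, "SYN"),  # retries after reboot
             (3700, "SYN")]                          # after the entry expired
    return [fw.packet(t, sel, flags) for t, flags in trace]


if __name__ == "__main__":
    for verdict in replay_reboot_scenario():
        print(verdict)
```

With this strict policy the rebooted client's retries are dropped until the stale entry ages out, which is the behaviour the post asks about.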