Firewall Wizards mailing list archives

Re: Post connection SYN

From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 17 Oct 2003 15:45:12 +0200



Raghuveer wrote:


Hi,
I would like to know how SPI-firewall/IDS would handle the following
scenario.

[connect from A:x -> B:y, restart A, connect again, same tuples]


Firewalls that track TCP state and/or sequence numbers will drop
or reject the second connect attempt.

Think that's bad? Well, somewhat, but even if the firewall _could_
somehow magically determine that this is a "nice" SYN and let it 
through, it wouldn't make one bit of difference.

That fact is, B's TCP stack won't listen to such packets either. 
It'll reject those SYNs. This is why fixed source-port TCP-based 
protocols is a Bad Idea.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Post connection SYN Raghuveer (Oct 17)
- Re: Post connection SYN Mikael Olsson (Oct 17)
- Re: Post connection SYN Paul Robertson (Oct 17)
  - Re: Post connection SYN Mikael Olsson (Oct 17)
    - Re: Post connection SYN Paul Robertson (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connection SYN) Mikael Olsson (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connection SYN) Paul Robertson (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connectionSYN) Mikael Olsson (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connection SYN) Chuck Swiger (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connection SYN) Paul Robertson (Oct 17)
    - Re: SYN flood protection strategies (Was: Post connection SYN) Chuck Swiger (Oct 17)
  - Re: Post connection SYN Raghuveer (Oct 17)

(Thread continues...)