Firewall Wizards mailing list archives
Re: TCP DoS attack
From: gmx <carpathin.wolf () gmx net>
Date: Wed, 27 Oct 2004 16:18:01 +0200
Hello Ravi,

Monday, October 25, 2004, 7:50:15 PM, you wrote:

<==============Original message text===============
RK> Hi,
RK> One of my colleagues is testing a firewall product. He has written a
RK> program which disconnects the TCP connection. This is the setup.
RK>
RK> PC
RK> (TCPClient)----------Firewall-----------------------------PC(Server)
RK>                         |
RK>                         |
RK>                 Compromised Device
RK>
RK> The test program does the following.
RK> - Reads the packets on the wire
RK> - If it is a TCP SYN packet, it immediately sends a TCP packet with SYN
RK>   with its own Initial sequence number and ACK with the client sequence number.
RK> Behavior on PC(TCP Client):
RK> - It is observed that the actual TCP connection to the server succeeds
RK>   only 30 to 40% of the time.
RK> We feel that if the SYN+ACK packet from the Server goes first, then the connection
RK> gets established.
RK> For this attack to succeed, the attacker should be able to see the traffic.
RK> How real is this threat?
RK> We tried to convince ourselves that this is not a realistic threat in the
RK> sense that all devices would be protected in the path. If this is the case,
RK> what is the need for IPSec, which indicates that it is needed to protect
RK> traffic?

If the attacker has to see the traffic, we can talk here about a man-in-the-middle attack, and it depends on your server configuration or on your firewall configuration how secure that scenario is. If the server allows (somehow) logins or requests from services which you wanted to exclude, it is a misconfiguration, and the threat is very realistic in that case. Also if we use a Windows-based system, because AFAIK the sequence numbers of those systems are easy to predict. On the other hand, if your server DOESN'T allow any connections except the ones you allowed explicitly, the possibility for an attacker to see the traffic could be ~0.

RK> Comments?
RK> I guess firewalls in between can't do much against these kinds of DoS attacks.
RK> They might, at most, detect some anomaly.
RK> What could be the solution? IPSec between Client and Server OR firewall and
RK> Server network?

If your server should offer only information for the public (e.g. a webserver) I see no reason why you should not place it outside the firewall, because in that case there is nothing you want to protect on that server if someone really breaks in.

RK> Thanks
RK> Ravi
RK> _______________________________________________
RK> firewall-wizards mailing list
RK> firewall-wizards () honor icsalabs com
RK> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
<===========End of original message text===========

This is my point of view, I appreciate any kind of criticism and I hope I could give you a little help regarding your problem.

--
Best regards,
Adam mailto:carpathin.wolf () gmx net
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
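The anomaly Ravi suspects a firewall could detect is visible in the handshake itself: one client SYN answered by two SYN+ACKs carrying different server initial sequence numbers. The following is an added example, not code from the thread or from any product discussed in it; it runs a detector over constructed, labelled handshake records (the addresses, ports and sequence numbers are assumptions), and it deliberately ignores genuine SYN+ACK retransmissions, which repeat the same ISN.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """One TCP segment as a monitoring point would see it (constructed record)."""
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN+ACK
    seq: int
    ack: int


def find_conflicting_synacks(segments, window=2.0):
    """Return (client_tuple, first_isn, conflicting_isn) for every client SYN
    that was answered, within `window` seconds, by SYN+ACKs with different
    server ISNs. A retransmitted SYN+ACK repeats its ISN and is not flagged."""
    pending = {}              # (cip, cport, sip, sport) -> (client ISN, SYN time)
    isns_seen = defaultdict(set)
    alerts = []
    for s in sorted(segments, key=lambda x: x.ts):
        if s.flags == "S":
            pending[(s.src, s.sport, s.dst, s.dport)] = (s.seq, s.ts)
        elif s.flags == "SA":
            key = (s.dst, s.dport, s.src, s.sport)   # flip to client's view
            if key not in pending:
                continue
            client_isn, t0 = pending[key]
            # Only SYN+ACKs that actually answer this SYN count.
            if s.ack != client_isn + 1 or s.ts - t0 > window:
                continue
            seen = isns_seen[key]
            if seen and s.seq not in seen:
                alerts.append((key, min(seen), s.seq))
            seen.add(s.seq)
    return alerts


# Constructed capture: the first handshake gets a forged SYN+ACK that wins the
# race, then the genuine one, then a genuine retransmit; the second is clean.
SAMPLE = [
    Seg(0.000, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 1000, 0),
    Seg(0.001, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 777777, 1001),  # forged
    Seg(0.010, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 424242, 1001),  # genuine
    Seg(1.000, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 424242, 1001),  # retransmit
    Seg(2.000, "10.0.0.6", 40001, "192.0.2.10", 80, "S", 5000, 0),
    Seg(2.005, "192.0.2.10", 80, "10.0.0.6", 40001, "SA", 999, 5001),
]
```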
Current thread:
- TCP DoS attack Ravi Kumar (Oct 26)
- Re: TCP DoS attack gmx (Oct 27)
- Re: TCP DoS attack Devdas Bhagat (Oct 28)
- Re: TCP DoS attack Kevin Sheldrake (Oct 28)
- Re: TCP DoS attack gmx (Oct 27)