Firewall Wizards mailing list archives

Re: TCP DoS attack


From: gmx <carpathin.wolf () gmx net>
Date: Wed, 27 Oct 2004 16:18:01 +0200

Hello Ravi,

Monday, October 25, 2004, 7:50:15 PM, you wrote:

<==============Original message text===============
RK> Hi,
RK> One of my colleagues is testing a firewall product. He has written a
RK> program which disconnects the TCP connection.  This is the setup.

RK> PC
RK> (TCPClient)----------Firewall-----------------------------PC(Server)
RK>                                                             |
RK>                                                             |
RK>                                                        Compromised Device


RK> Test program  does following.
RK> -        Reads the packets on the wire
RK> -        If it is a TCP SYN packet, it immediately sends a TCP packet with SYN
RK> with its own initial sequence number and ACK with the client's sequence number.

RK> Behavior on PC(TCP Client):
RK> -        It is observed that the actual TCP connection to the server succeeds
RK> only 30 to 40% of the time.



RK> We feel that if the SYN+ACK packet from the server goes first, then the connection
RK> gets established.

RK> For this attack to succeed, the attacker should be able to see the traffic.
RK> How real is this threat?
RK> We tried to convince ourselves that this is not a realistic threat in the
RK> sense that all devices would be protected in the path. If this is the case,
RK> what is the need for IPSec, which indicates that it is needed to protect
RK> traffic?

If the attacker has to see the traffic, we can talk here about a
man-in-the-middle attack, and it depends on your server configuration or on
your firewall configuration how secure that scenario is.
If the server allows (somehow) logins or requests from services which
you wanted to exclude, it is a misconfiguration, and the threat is
very realistic in that case.
Also if we use a Windows-based system, because AFAIK the sequence numbers of
those systems are easy to predict.
On the other hand, if your server DOESN'T allow any connections except
the ones you allowed explicitly, the possibility for an attacker to see
the traffic could be ~0.

RK> Comments?
RK> I guess firewalls in between can't do much against these kinds of DoS attacks.
RK> At most, they might detect some anomaly.
RK> What could be the solution? IPSec between the client and the server, OR between
RK> the firewall and the server network?

If your server should offer only information for the public (e.g. a
webserver), I see no reason why you should not place it outside the
firewall, because in that case there is nothing you want to
protect on that server if someone really breaks in.

RK> Thanks
RK> Ravi


RK> _______________________________________________
RK> firewall-wizards mailing list
RK> firewall-wizards () honor icsalabs com
RK> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

<===========End of original message text===========

This is my point of view; I appreciate any kind of criticism and I
hope I could give you a little help regarding your problem.


-- 
Best regards,
 Adam                            mailto:carpathin.wolf () gmx net

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
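As an added illustration (not the poster's test program and not code from this thread), the handshake race described above modelled in Python: two hosts follow the RFC 793 rules for the SYN-SENT, SYN-RECEIVED and ESTABLISHED states, and an on-path attacker answers the client's SYN with a forged SYN/ACK that carries its own initial sequence number and the server's source address. With the forged segment arriving first, the client acknowledges the attacker's ISN, the real server receives an ACK for a sequence number it never sent and answers with a RST, and the connection dies; with the genuine SYN/ACK first, the forged one falls outside the client's receive window and is simply re-ACKed and dropped. The model goes one step beyond the thread by also taking an off-path attacker who cannot see the SYN and must guess the client's ISN exactly, which is the point about predictable sequence numbers in the reply. Host names, the three ISNs and the 64 KiB receive window are constructed values; RFC 5961 challenge-ACK behaviour is mentioned in a comment but not modelled.

```python
"""Model of the SYN/ACK race from the thread (added example, not the
poster's test program). Hosts follow RFC 793 rules for SYN-SENT,
SYN-RECEIVED and ESTABLISHED; an on-path attacker answers the client's
SYN with a forged SYN/ACK carrying its own ISN and the server's source
address. Host names, ISNs and the receive window are constructed."""
from collections import deque
from dataclasses import dataclass

MOD = 2 ** 32
WINDOW = 65535  # assumed receive window used for the in-window check


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0

    def __str__(self):
        return (f"{self.src}->{self.dst} {'/'.join(sorted(self.flags))} "
                f"seq={self.seq:#x} ack={self.ack:#x}")


@dataclass
class Host:
    name: str
    state: str
    iss: int          # initial send sequence number
    snd_nxt: int = 0  # next sequence number this host will send
    rcv_nxt: int = 0  # next sequence number expected from the peer

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % MOD < WINDOW


def seg(src, dst, flags, seq, ack=0):
    return Segment(src, dst, frozenset(flags.split("/")), seq % MOD, ack % MOD)


def handle(host, s, peer):
    """Process one incoming segment; return the segments the host sends back."""
    if host.state == "CLOSED":
        return []
    if host.state == "LISTEN":
        if "SYN" not in s.flags:
            return []
        host.rcv_nxt, host.snd_nxt = (s.seq + 1) % MOD, (host.iss + 1) % MOD
        host.state = "SYN-RECEIVED"
        return [seg(host.name, peer, "SYN/ACK", host.iss, host.rcv_nxt)]
    if host.state == "SYN-SENT":
        if "ACK" in s.flags and s.ack != host.snd_nxt:
            # RFC 793: unacceptable ACK in SYN-SENT -> <SEQ=SEG.ACK><CTL=RST>
            return [seg(host.name, peer, "RST", s.ack)]
        if s.flags >= {"SYN", "ACK"}:
            host.rcv_nxt, host.state = (s.seq + 1) % MOD, "ESTABLISHED"
            return [seg(host.name, peer, "ACK", host.snd_nxt, host.rcv_nxt)]
        return []
    # SYN-RECEIVED / ESTABLISHED: the sequence-number check comes first
    if not host.in_window(s.seq):
        if "RST" in s.flags:
            return []  # an out-of-window RST is dropped silently
        # anything else out of window only elicits an ACK of what we expect
        return [seg(host.name, peer, "ACK", host.snd_nxt, host.rcv_nxt)]
    if "RST" in s.flags:
        host.state = "CLOSED"
        return []
    if host.state == "SYN-RECEIVED" and "ACK" in s.flags:
        if s.ack == host.snd_nxt:
            host.state = "ESTABLISHED"
            return []
        # RFC 793: ACK for a sequence number we never sent -> RST
        return [seg(host.name, peer, "RST", s.ack)]
    if host.state == "ESTABLISHED" and "SYN" in s.flags:
        # RFC 793 resets here; RFC 5961 stacks send a challenge ACK instead
        host.state = "CLOSED"
        return [seg(host.name, peer, "RST", host.snd_nxt)]
    return []


def run_handshake(client_isn, server_isn, attacker_isn, attacker_first, attacker_ack=None):
    """Run the three-way handshake with one forged SYN/ACK injected.

    attacker_first: the forged SYN/ACK reaches the client before the real one.
    attacker_ack:   None models the on-path attacker of the thread, who saw the
                    SYN and acks client_isn+1; any other value is a blind
                    attacker's guess at the client's ISN.
    """
    client = Host("client", "SYN-SENT", client_isn, snd_nxt=(client_isn + 1) % MOD)
    server = Host("server", "LISTEN", server_isn)
    hosts = {"client": client, "server": server}
    syn = seg("client", "server", "SYN", client_isn)
    trace = [str(syn)]
    real = handle(server, syn, "client")[0]          # the genuine SYN/ACK
    ack = client_isn + 1 if attacker_ack is None else attacker_ack
    forged = seg("server", "client", "SYN/ACK", attacker_isn, ack)  # spoofed source
    wire = deque([forged, real] if attacker_first else [real, forged])
    while wire:
        s = wire.popleft()
        trace.append(str(s))
        wire.extend(handle(hosts[s.dst], s, s.src))  # replies go to the claimed source
    return {"client": client.state, "server": server.state, "trace": trace}


if __name__ == "__main__":
    isns = (0x1A2B3C4D, 0x7E6F5A4B, 0xC0DEC0DE)  # constructed client/server/attacker ISNs
    for first in (True, False):
        r = run_handshake(*isns, attacker_first=first)
        print(f"\nforged SYN/ACK arrives first: {first}")
        print("\n".join("  " + t for t in r["trace"]))
        print(f"  => client {r['client']}, server {r['server']}")
```

The two printed traces are the two outcomes the poster measured: whichever SYN/ACK reaches the client first decides whether the server later sees an ACK it can accept, so the observed success rate is just the fraction of races the genuine SYN/ACK wins. The blind case (pass a wrong attacker_ack) shows why the attacker in the thread needs to see the SYN: the client answers a SYN/ACK with the wrong ACK number with a RST whose sequence number lands outside the server's window, so the server ignores it and the real handshake completes.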

