Firewall Wizards mailing list archives
Re: Strange Pix behavior.
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 18 Jun 2005 19:16:20 +0200
On Thu, Jun 16, 2005 at 01:00:20AM -0700, Jim MacLeod wrote:
It's invalid to ACK a RST, and would provoke yet another RST.
No, it's not invalid (in some scenarios). Yes, it would provoke yet another RST.

ACKing RST is one of the countermeasures against recently debated TCP weakness (sequence number approximation bug) where the attacker spoofs RST packets and breaks (usually long-lived) established connections (like BGP). IIRC you can ACK the RST packet when it does not fit exactly into TCP sequence but somewhere inside the (TCP) window. The provoked next RST reply should fit exactly into sequence so this time you know the RST was not spoofed.

(Just a side-note, sorry for the noise)

Martin Mačok
ICT Security Consultant

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
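The in-window RST handling Martin describes (later standardized as the "challenge ACK" of RFC 5961) as an added Python model of the receiver's decision logic; this is not code from the thread or from any vendor, and the sequence numbers, window size and the Endpoint/Segment names are constructed for illustration. It shows why a blind spoofer who only lands a RST somewhere inside the window cannot tear the connection down, while a peer that really aborted still can, because only the real peer sees the challenge ACK and can answer with the exactly matching RST.

```python
"""Toy model of the challenge-ACK defence against blind in-window RSTs.
Constructed example: all sequence numbers and the window size are made up."""
from dataclasses import dataclass
from typing import Optional, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2**32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Segment:
    seq: int
    ack: Optional[int] = None   # ack number if the ACK flag is set
    rst: bool = False


@dataclass
class Endpoint:
    """Minimal TCB of a host holding one ESTABLISHED connection (hypothetical)."""
    rcv_nxt: int      # next sequence number we expect from the peer
    rcv_wnd: int      # our advertised receive window
    snd_nxt: int      # next sequence number we will send
    state: str = "ESTABLISHED"

    def on_rst(self, seg: Segment) -> Tuple[str, Optional[Segment]]:
        """Apply the challenge-ACK rule to an incoming RST.
        Returns (decision, reply segment or None)."""
        if self.state != "ESTABLISHED":
            return "ignored", None
        if seg.seq == self.rcv_nxt:
            self.state = "CLOSED"            # exact match: honour the reset
            return "reset", None
        if in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            # In-window but not exact: do not reset; answer with an ACK that
            # carries our current snd_nxt / rcv_nxt so a real peer can respond.
            return "challenge_ack", Segment(seq=self.snd_nxt, ack=self.rcv_nxt)
        return "dropped", None               # outside the window: silently drop


def aborted_peer_reply(challenge: Segment) -> Segment:
    """A peer that really tore the connection down has no TCB for it any more.
    Per RFC 793, a host with no matching connection answers an ACK-bearing
    segment with <SEQ=SEG.ACK><CTL=RST>, i.e. a RST whose seq is exactly the
    number the challenger expects next."""
    assert challenge.ack is not None
    return Segment(seq=challenge.ack, rst=True)


def run_scenario(legit_peer: bool) -> str:
    """Deliver one in-window, non-exact RST and report the receiver's final state."""
    ep = Endpoint(rcv_nxt=1_000_000, rcv_wnd=65_535, snd_nxt=42)
    # The first RST lands inside the window but not on rcv_nxt: either a blind
    # guess by a spoofer, or a real peer whose view of the sequence has drifted.
    first_rst = Segment(seq=1_000_000 + 12_345, rst=True)
    decision, reply = ep.on_rst(first_rst)
    assert decision == "challenge_ack" and reply is not None
    if legit_peer:
        # The real peer receives the challenge ACK and answers with an exact RST.
        second_rst = aborted_peer_reply(reply)
        decision2, _ = ep.on_rst(second_rst)
        assert decision2 == "reset"
    # A blind spoofer never sees the challenge ACK, so nothing further arrives.
    return ep.state


if __name__ == "__main__":
    print("real peer aborted  ->", run_scenario(legit_peer=True))    # CLOSED
    print("blind spoofed RST  ->", run_scenario(legit_peer=False))   # ESTABLISHED
```

The cost Martin alludes to is visible in the model: every in-window RST now costs the receiver one extra segment (the challenge ACK) and provokes a second RST, so a flood of in-window RSTs becomes an ACK-generation load rather than a connection teardown; that trade-off is why implementations rate-limit challenge ACKs.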
Current thread:
- Strange Pix behavior. George J. Jahchan, Eng. (Jun 10)
- Re: Strange Pix behavior. Victor Williams (Jun 10)
- RE: Strange Pix behavior. Paul Melson (Jun 15)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- RE: Strange Pix behavior. Paul Melson (Jun 17)
- Re: Strange Pix behavior. Martin Mačok (Jun 18)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- <Possible follow-ups>
- Re: Strange Pix behavior. LazloCarreidas (Jun 13)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- RE: Strange Pix behavior. Paul Melson (Jun 17)