Penetration Testing mailing list archives

[Fwd: Re: Real connection spoofing (Firewall Tester)]


From: Burak DAYIOGLU <dayioglu () metu edu tr>
Date: Thu, 27 Sep 2001 08:53:08 +0300

Andrea Barisani wrote:
> Client (ftest.pl) ---> Firewall ---> Sniffer (ftestd.pl)
> 1 - The client (ftest.pl) sends a SYN packet with a custom payload
> (Question: is inserting data in a SYN packet legal?)

Data is allowed. If the receiving party supports T/TCP it may save
the data to be used after the 3-way handshake. If the receiving party
does not support T/TCP, the data will simply be discarded without any
notification to the sender.

> The problem is that between step 2 and step 3 the spoofed address will
> send a valid RST back to the sniffer, the firewall will see it and we
> can't proceed.

I didn't understand this point. If the spoofed source address for the
connection is on the sniffer side of the connection, you shouldn't
expect a reply back unless the firewall is in bridging mode.

cheers.
-- 
Burak DAYIOGLU
Phone: +90 312 2103379   Fax: +90 312 2103333
       http://www.dayioglu.net
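The two points raised above, a SYN segment carrying data and a packet whose source address is spoofed to look like a host behind the firewall, are both things a firewall or IDS can check for. The following Python example, added here and not part of the original thread or of the ftest tool, decodes raw IPv4/TCP packets and flags both conditions: a bare SYN with payload (the marker the client sends) and a packet arriving on the outside interface with an inside source address (the case where the "spoofed" host never sees the packet, so no RST can come back unless the firewall bridges). The 10.0.0.0/8 internal range, the "external"/"internal" interface labels and the sample packets are assumptions constructed for the example; checksums are left at zero because nothing here is sent on the wire.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical internal network behind the firewall (assumption for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options, checksums zero).

    Only used to produce sample bytes for the detector; it is not a sender."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Optional[Segment]:
    """Decode IPv4 + TCP headers; returns None for non-TCP or truncated packets."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return Segment(src, dst, sport, dport, flags, tcp[data_off:])


def syn_carries_data(seg: Segment) -> bool:
    """Bare SYN (no ACK) with payload: legal under T/TCP, but rare enough to flag."""
    return bool(seg.flags & TCP_SYN) and not seg.flags & TCP_ACK and len(seg.payload) > 0


def claims_internal_source(seg: Segment, iface: str) -> bool:
    """Anti-spoofing check: a packet on the external interface must not carry an internal source."""
    return iface == "external" and ipaddress.ip_address(seg.src) in INTERNAL_NET


def analyze(captures: List[Tuple[str, bytes]]) -> List[str]:
    """Run both checks over (interface, raw_packet) pairs; one finding string per hit."""
    findings = []
    for iface, raw in captures:
        seg = parse_packet(raw)
        if seg is None:
            continue
        where = f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} on {iface}"
        if syn_carries_data(seg):
            findings.append(f"SYN with {len(seg.payload)}-byte payload: {where}")
        if claims_internal_source(seg, iface):
            findings.append(f"internal source seen on external interface: {where}")
    return findings


def sample_traffic() -> List[Tuple[str, bytes]]:
    """Constructed sample capture; addresses are documentation/private ranges."""
    return [
        # ordinary SYN from outside: nothing to report
        ("external", build_packet("203.0.113.5", "10.0.0.20", 40000, 80, TCP_SYN)),
        # SYN carrying data, the kind of marker the client in the thread sends
        ("external", build_packet("203.0.113.5", "10.0.0.20", 40001, 80, TCP_SYN, b"ftest-marker")),
        # SYN with a forged internal source arriving from outside
        ("external", build_packet("10.0.0.7", "10.0.0.20", 40002, 80, TCP_SYN)),
        # RST from the real internal host, seen on the inside interface: legitimate
        ("internal", build_packet("10.0.0.20", "203.0.113.5", 80, 40001, TCP_RST | TCP_ACK)),
    ]


if __name__ == "__main__":
    for line in analyze(sample_traffic()):
        print(line)
```

The anti-spoofing check is the piece that answers the question in the thread: a routing firewall that drops inside-range sources on its outside interface never delivers the spoofed SYN to the inside host, so that host never generates the RST the poster was worried about; only a bridging firewall, which forwards frames without that check, would.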
