Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PIX DMZ Denial of Service - TCP Resets
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 22 Mar 2000 02:25:16 +1100

In some mail from Andrew Alston, sie said:

On recieving a RST packet (TCP Reset) from a given host with the correct
source and destination port, the PIX will drop the state entry for that
particular connection, which means the tcp connection dies due to the fact
that no state entry the external box can no longer talk to the internal
              seq = rand() % time(NULL);      /* Randomize our #'s */
              ack = rand() % time(NULL);      /* Randomize ack #'s */

There have been many different ways in which it has been possible to
exercise this particular target, over the years.  The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.

The general gist of this problem is poorly implemented TCP connection
state tracking.  You *must* track window sizes and sequence numbers
and acknowledgments to at least reduce the chance of any given TCP
packet from "outside" actually being part of that connection.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]