Re: PIX DMZ Denial of Service - TCP Resets
From: Guido.vanRooij () NL ORIGIN-IT COM (Guido van Rooij)
Date: Mon, 27 Mar 2000 13:57:43 +0200
On Wed, Mar 22, 2000 at 02:25:16AM +1100, Darren Reed wrote:
> The general gist of this problem is poorly implemented TCP connection
> state tracking. You *must* track window sizes and sequence numbers
> and acknowledgments to at least reduce the chance of any given TCP
> packet from "outside" actually being part of that connection.
The current implementation of this in IPfilter will be covered in
a paper that is due for SANE2000 (http://www.nluug.nl/events/sane2000/).
The submitted paper can be found at
Comments are welcome!
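
The window check described in the quoted text, as an added example that is not part of the original post and is not IPfilter's code: a filter keeps per-direction sequence and window state and drops any segment, RST included, that falls outside it. The struct fields, function names, the `ACK_SLACK` constant and the sample connection values are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ACK_SLACK 65535u /* assumed tolerance for old ACKs; not from the post */

/* State kept per direction of one tracked connection. */
struct tcp_side {
    uint32_t end;    /* highest seq+len this side has sent */
    uint32_t maxend; /* highest ack+win the peer has advertised to it */
    uint32_t maxwin; /* largest window this side has advertised */
};

/* Sequence numbers wrap at 2^32, so compare them modulo 2^32. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Is a segment sent by src to dst plausible for the tracked connection? */
bool segment_in_window(const struct tcp_side *src, const struct tcp_side *dst,
                       uint32_t seq, uint32_t ack, uint32_t len)
{
    return seq_leq(seq + len, src->maxend)      /* inside the window dst offered */
        && seq_geq(seq, src->end - dst->maxwin) /* not older than one window */
        && seq_leq(ack, dst->end)               /* acks only data dst has sent */
        && seq_geq(ack, dst->end - ACK_SLACK);  /* ack is not ancient */
}

/* Pass or drop one segment; state advances only on accepted segments. */
bool filter_segment(struct tcp_side *src, struct tcp_side *dst,
                    uint32_t seq, uint32_t ack, uint32_t len, uint16_t win)
{
    if (!segment_in_window(src, dst, seq, ack, len))
        return false; /* e.g. a blind RST: drop it and keep the state entry */
    if (seq_geq(seq + len, src->end)) src->end = seq + len;
    if (seq_geq(ack + win, dst->maxend)) dst->maxend = ack + win;
    if (win > src->maxwin) src->maxwin = win;
    return true;
}

int main(void)
{
    /* Constructed established connection: inside host and outside peer. */
    struct tcp_side in = { 5000, 21384, 8192 }, out = { 90000, 98192, 16384 };
    printf("guessed RST: %d\n", filter_segment(&out, &in, 0x12345678u, 5000, 0, 0));
    printf("in-window RST: %d\n", filter_segment(&out, &in, 90000, 5000, 0, 0));
    return 0;
}
```

An RST whose sequence number happens to land inside the window still passes, so the check narrows the chance of a spoofed teardown rather than removing it.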