Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Ambiguities in TCP/IP - firewall bypassing
From: Luis Bruno <lbruno () zbit pt>
Date: Sat, 19 Oct 2002 06:04:27 +0000

Alan DeKok wrote:
Benjamin Krueger <benjamin () seattlefenix net> wrote:
[snip RFC 1025 (TCP and IP bake-off)]

  Identify what the packet should be, and treat it as such? If that is
the correct way to handle these packets, then these stacks are correct.

  So... what should the packet be?  As I said, the spec is ambiguous.
If you don't know what the packet is, you obviously don't know how to
treat it.

Think of ECN; should older stacks simply reject a packet with Syn+0x42
because they don't know what 0x42 is?

If I've understood correctly, you were suggesting to drop "bad" packets.
I agree; only let established traffic through your firewall, and only
let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
state in the firewall. Ignore the rest of the flags.

Of course, if anyone finds this un-interoperable, please chime in!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]