Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Ambiguities in TCP/IP - firewall bypassing
From: Lyndon Nerenberg <lyndon () orthanc ab ca>
Date: Sun, 20 Oct 2002 13:03:25 -0600

Think of ECN; should older stacks simply reject a packet with Syn+0x42
because they don't know what 0x42 is?

If I've understood correctly, you were suggesting to drop "bad" packets.
I agree; only let established traffic through your firewall, and only
let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
state in the firewall. Ignore the rest of the flags.

Of course, if anyone finds this un-interoperable, please chime in!

Before people get too paranoid about accepting packets I recommend
they read RFC 3360: Inappropriate TCP Resets Considered Harmful.

   1.  Introduction
   
      TCP uses the RST (Reset) bit in the TCP header to reset a TCP
      connection.  Resets are appropriately sent in response to a
      connection request to a nonexistent connection, for example.  The TCP
      receiver of the reset aborts the TCP connection, and notifies the
      application [RFC793, RFC1122, Ste94].
   
      Unfortunately, a number of firewalls and load-balancers in the
      current Internet send a reset in response to a TCP SYN packet that
      use flags from the Reserved field in the TCP header.  Section 3 below
      discusses the specific example of firewalls that send resets in
      response to TCP SYN packets from ECN-capable hosts.

      [ ... ]

--lyndon


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]