On Wed, 27 February 2002 A.D., Brewis, Mark wrote:
> Quite often these are commercial, off the peg TCP/IP stacks. I have seen
> some dreadful examples, both in terms of fragility and of TCP sequence
> number generation. I've seen sequential, sequential based on standard
> increments, and repeating sequences.
>
> [...]
>
> Compromise a network via the printers and you will have a network managers
> attention. The only problem lies in the paucity of solutions available to
> correct the issue.
Although it won't guard against attacks from within, one excellent
solution to this problem is an appropriately designed firewall. The
latest release of OpenBSD[1] contains a new packet filter (`pf') which
can help protect buggy TCP stacks. Two features will be of interest:
* The 'modulate state' directive, which causes a highly random initial
sequence number to be substituted for those supplied by a less
vigilant stack.
* The 'scrub' directive, which causes full fragment reassembly and
other packet normalization to take place before delivery to possibly
fragile stacks.
[1] http://www.openbsd.org/
--
"Everyone may openly covet everyone else's property, as long as he
appeals to democracy; and everyone may act on his desire for another
man's property, provided that he finds entrance into government."
-- Hans-Hermann Hoppe
Received on Mar 01 2002
Intro
