Full Disclosure mailing list archives
Re: Stateful Packet Inspection
From: Shashank Rai <shash () etisalat-nis ae>
Date: Mon, 02 Aug 2004 08:00:35 +0400
On Sun, 2004-08-01 at 20:19, Goetz Von Berlichingen wrote:
> The original message has some merit with respect to netfilter - the Linux kernel firewall is capable of looking at headers only. This does allow some stateful packet inspection - one can discriminate against incoming connection attempts with --syn, for instance. This isn't really stateful, however, since the firewall does not retain any knowledge of the state of a connection.
Not exactly correct... netfilter uses the "connection tracking" helper module to keep track of connections. "--established" can be used to define rules for the same. As Rusty says on the netfilter.org website, "netfilter, iptables and the connection tracking as well as the NAT subsystem together build the whole framework."
> iptables is pretty much useless against covert channels such as Loki, Q, or any of the various tunneling packages.
A "packet filter" is not supposed to look into this kind of stuff. Covert channel communication using DNS, ICMP or whatever can pass through a Cisco PIX (another packet level filter) too. You'll need one of the "deep packet inspection" (real fancy name) firewalls ;)
> The problem with stateful inspection is that it so easily leads to self-denial of service. An attacker need only make enough legitimate connections to overflow the firewall's capability. At that point, the firewall either crashes or quits stateful inspection.
Depends on which firewall you are using and its features. Cisco PIX and Checkpoint can be configured to start dropping connections after a certain number of "established" or half-open connections has been reached, and the same goes for netfilter. None of these firewalls crash or "quit stateful inspection" upon reaching these limits. And I wouldn't call it self-DoS. The idea is to protect the resource behind the firewall.... and eventually everything has a limit and a cap. A bigger fish can always eat a smaller one.
> Goetz
--
shashank
<--
Here is the Packet that was fragmented and has been assembled again.
(with apologies to JRR Tolkien :)
-->
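Shashank's two points above (connection tracking keeps per-connection state that a header-only `--syn` rule cannot, and a firewall that reaches its connection cap drops the new connection rather than crashing or giving up) can be modelled in a few lines. This is an added illustration, not code from the thread or from netfilter: the `Packet` and `ConnTracker` names, the toy policy, the limits and the traffic are all constructed here, and the comments name the real iptables matches each step corresponds to (`--syn`, `-m conntrack --ctstate`, `-m connlimit`, the `nf_conntrack_max` sysctl).

```python
"""Toy model of what netfilter connection tracking adds on top of a plain
header filter, with the two caps the thread discusses: a per-source limit on
half-open connections (like the connlimit match) and a bound on the state
table (like nf_conntrack_max). Added illustration, not netfilter code."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool             # True when it arrives from the untrusted side


def is_syn(flags):
    # Same test as 'iptables --syn': SYN set, ACK/RST/FIN clear.
    return "SYN" in flags and not flags & {"ACK", "RST", "FIN"}


def stateless_filter(pkt, allowed_ports):
    """Header-only policy: accept inbound SYNs to allowed ports, drop other
    inbound SYNs, accept everything else ('! --syn -j ACCEPT').  It keeps no
    memory, so any inbound non-SYN packet looks like part of a connection."""
    if not pkt.inbound:
        return "ACCEPT"
    if is_syn(pkt.flags):
        return "ACCEPT" if pkt.dport in allowed_ports else "DROP"
    return "ACCEPT"


class ConnTracker:
    """Minimal conntrack: NEW on a clean SYN, ESTABLISHED once a reply is seen,
    entry removed on RST.  Real conntrack also times out idle entries."""

    def __init__(self, allowed_ports, half_open_limit=3, max_entries=1000):
        self.allowed = set(allowed_ports)
        self.half_open_limit = half_open_limit   # connlimit-style cap
        self.max_entries = max_entries           # nf_conntrack_max-style cap
        self.table = {}                          # key -> {"orig": ..., "state": ...}
        self.drops = Counter()                   # why packets were dropped

    @staticmethod
    def _key(pkt):
        # Direction-independent 4-tuple so a reply maps to the same entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def _half_open_from(self, src):
        return sum(1 for e in self.table.values()
                   if e["state"] == "NEW" and e["orig"][0] == src)

    def filter(self, pkt):
        k = self._key(pkt)
        entry = self.table.get(k)
        if entry is None:
            # No state for this tuple: only a clean SYN may create one.  Anything
            # else is what '-m conntrack --ctstate INVALID -j DROP' discards.
            if not is_syn(pkt.flags):
                self.drops["INVALID"] += 1
                return "DROP"
            if pkt.inbound and pkt.dport not in self.allowed:
                self.drops["POLICY"] += 1
                return "DROP"
            if pkt.inbound and self._half_open_from(pkt.src) >= self.half_open_limit:
                # '-m connlimit --connlimit-above N': refuse this one, keep the rest.
                self.drops["CONNLIMIT"] += 1
                return "DROP"
            if len(self.table) >= self.max_entries:
                # The kernel logs this as 'nf_conntrack: table full, dropping packet'.
                self.drops["TABLE_FULL"] += 1
                return "DROP"
            self.table[k] = {"orig": (pkt.src, pkt.sport), "state": "NEW"}
            return "ACCEPT"
        if "RST" in pkt.flags:
            del self.table[k]
            return "ACCEPT"
        if (pkt.src, pkt.sport) != entry["orig"]:
            entry["state"] = "ESTABLISHED"     # first packet in the reply direction
        return "ACCEPT"                         # --ctstate ESTABLISHED,RELATED -j ACCEPT


def demo():
    """Constructed traffic (not a capture) run through both filters."""
    server, outside, inside = "10.0.0.5", "203.0.113.9", "10.0.0.7"
    ct = ConnTracker(allowed_ports={80}, half_open_limit=3)
    out = {}
    # 1. Inbound packet carrying only ACK, with no tracked connection behind it.
    ack = Packet(outside, 40000, server, 22, frozenset({"ACK"}), True)
    out["lone_ack_stateless"] = stateless_filter(ack, {80})
    out["lone_ack_stateful"] = ct.filter(ack)
    # 2. Five unanswered inbound SYNs to port 80 from one source: cap kicks in.
    out["syn_verdicts"] = [
        ct.filter(Packet(outside, 50000 + i, server, 80, frozenset({"SYN"}), True))
        for i in range(5)]
    # 3. Tracking still works afterwards: inside host connects out, reply is matched.
    syn = Packet(inside, 51000, "198.51.100.4", 443, frozenset({"SYN"}), False)
    synack = Packet("198.51.100.4", 443, inside, 51000, frozenset({"SYN", "ACK"}), True)
    out["outbound_syn"] = ct.filter(syn)
    out["inbound_synack"] = ct.filter(synack)
    out["state_after_reply"] = ct.table[ConnTracker._key(synack)]["state"]
    out["drops"] = dict(ct.drops)
    return out


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts the lone ACK because it has nothing to compare it against; the tracker drops it as INVALID. Once the third half-open entry from one source exists, further SYNs from it are dropped while every other connection, including the inside host's outbound one, is still tracked normally, which is the "limit and a cap" behaviour rather than a crash.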
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html