
Re: TCP question



On Tue, Mar 14, 2000 at 09:36:32AM +0100, Michael Meskes wrote:
> On Mon, Mar 13, 2000 at 05:01:06PM +0100, Tamas TEVESZ wrote:
> > am i understanding right that this allows the inbound side of
> > (claimed to be) established connections _that do not have an entry in
> > the state table_ ? (ie. never been ``initialized'' properly, at
> > least without the fw putting an entry in the state table?)
> 
> Yes.
> 
> > if it's so, then, imho, it's crap. if not, then either the fw has some
> > serious problems (connections made through it and it does not know
> > about), or i don't get the whole picture at all...
> 
> I'm afraid you're right. That's exactly what I think. But I have yet to find
> an explanation or a proof that convinces the upstream author. :-)

It shouldn't be an issue, because an 'established' packet for a nonexistent
connection will get a RST (reset) response without being passed to
application code.

So a packet that looks like that is one of two things:

1) Part of an established connection that the firewall already approved of

or

2) A packet that will get ignored anyway (except for the error response).

> Any exploit would do of course.

That would probably be hard to do.  It would be very surprising to find that
kind of bug in the code that generates the RST packets.  It might be possible
to do some kind of scan that way.  Looking for RST packets might tell you that
there really is a system with that IP address.  If the handling of unexpected
packets is particularly slow, then there might be a denial of service attack.

Jon Leonard
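The two filtering models the thread argues about, and the host behaviour Jon describes, as a small simulation. This is an added example, not code from the list thread or from any firewall: the flag-only "established" rule, the state-table layout, the simplified RFC 793 RST reply, and the detector threshold are all assumptions made here for illustration. It shows that an unsolicited ACK-only segment passes a stateless "established" rule but not a state table, that the host answers it with a RST rather than handing it to an application, and how a defender can count such RST-eliciting probes per source.

```python
"""Stateless 'established' matching vs. a real state table, the host's RST
reply to an unsolicited ACK, and a detector for repeated probes of that kind.
Constructed example; rule semantics and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int = 0
    ack: int = 0
    length: int = 0         # payload bytes


def stateless_established(seg: Segment) -> bool:
    """Flag-only 'established' rule (assumption): accept any inbound TCP
    segment with ACK set. It keeps no memory of prior traffic at all."""
    return "ACK" in seg.flags


class StatefulFilter:
    """Minimal state table: an inbound segment is accepted only if the inside
    host previously sent a SYN to that peer and port."""
    def __init__(self) -> None:
        self.table = set()

    def outbound(self, seg: Segment) -> bool:
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            # store the key as it will appear on the inbound reply
            self.table.add((seg.dst, seg.dport, seg.src, seg.sport))
        return True

    def inbound(self, seg: Segment) -> bool:
        return (seg.src, seg.sport, seg.dst, seg.dport) in self.table


def host_response(seg: Segment, connections: set) -> Optional[Segment]:
    """Simplified RFC 793 handling of a segment that matches no connection:
    answer with RST and never deliver it to an application, unless the
    segment itself carries RST. An ACK-bearing segment gets a bare RST whose
    sequence number is the incoming ACK value."""
    key = (seg.src, seg.sport, seg.dst, seg.dport)
    if key in connections:
        return None                       # normal in-connection processing
    if "RST" in seg.flags:
        return None                       # a RST is never answered with a RST
    if "ACK" in seg.flags:
        return Segment(seg.dst, seg.dport, seg.src, seg.sport,
                       frozenset({"RST"}), seq=seg.ack)
    return Segment(seg.dst, seg.dport, seg.src, seg.sport,
                   frozenset({"RST", "ACK"}), seq=0, ack=seg.seq + seg.length)


class UnsolicitedAckDetector:
    """Count inbound ACK segments that a stateless rule would pass but that
    match no state-table entry; a source at or above `threshold` is flagged."""
    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.counts = defaultdict(int)

    def observe(self, seg: Segment, fw: StatefulFilter) -> bool:
        if stateless_established(seg) and not fw.inbound(seg):
            self.counts[seg.src] += 1
        return self.counts[seg.src] >= self.threshold


def demo() -> dict:
    fw = StatefulFilter()
    det = UnsolicitedAckDetector(threshold=3)
    inside, outside = "10.0.0.5", "198.51.100.7"     # constructed addresses
    # legitimate connection: the inside host opens it, so the reply is known
    syn = Segment(inside, 40000, outside, 80, frozenset({"SYN"}), seq=100)
    fw.outbound(syn)
    synack = Segment(outside, 80, inside, 40000,
                     frozenset({"SYN", "ACK"}), seq=500, ack=101)
    # unsolicited 'established-looking' segment from a stranger
    probe = Segment(outside, 5555, inside, 22, frozenset({"ACK"}), seq=1, ack=4242)
    rst = host_response(probe, connections=set())
    flagged = False
    for _ in range(3):
        flagged = det.observe(probe, fw)
    return {
        "synack_stateful": fw.inbound(synack),
        "probe_stateless": stateless_established(probe),
        "probe_stateful": fw.inbound(probe),
        "probe_rst": rst is not None and rst.flags == frozenset({"RST"}) and rst.seq == 4242,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(demo())
```

The detector keys on exactly the gap the thread identifies: segments the flag-only rule admits that the state table has never seen. Counting them per source turns the "looking for RST packets" host-discovery pattern into a log line for the defender instead of a silent pass-through.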

