
Re: TCP Syncookies vulnerability

On Mon, May 13, 2002 at 06:37:29AM -0700, sim ton wrote:
>  correct magic cookie. In order to find the correct cookie, an
>  attacker has to explore about 16 million values (2^24), which can be
>  done in a few hours on a fast link.

This is no longer a problem for Linux, because it includes a timestamp and
will change the secret code for the cookies regularly, effectively
reducing the time window in which one can try valid cookies to a timeframe
which is not exploitable over internet links.

> my question is still the same:
> is tcp_syncookies reliable ?

If you do not use services on your DMZ servers which you do not want to be
available on the internet, then SYN cookies are safe, because your firewall
does not restrict the access.

If you have to run services on DMZ servers which should be blocked by a
firewall, then make sure you not only filter on incoming SYN but also on
ACK packets, if you want to be absolutely sure the brute force can't be
exploited.

Greetings
Bernd
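Added example (not part of the original thread, and not the Linux kernel's code): a
small Python model of a timestamped SYN cookie in the style Bernd describes. The
minute counter is encoded in the top 8 bits of the server's initial sequence number
and also enters the keyed hash, so the value that would have to be searched changes
every minute, and a cookie older than the accept window is rejected outright. The
24-bit low part carries the hash plus a small MSS index; the 2^24 search space from
the quoted mail is the size of that low part. The accept window (2 minutes), the MSS
table, the use of HMAC-SHA256 and the random secrets are assumptions made for this
example.

```python
import hashlib
import hmac
import os
import random
import struct

COOKIEBITS = 24                     # low 24 bits: keyed hash + MSS index
COOKIEMASK = (1 << COOKIEBITS) - 1
MASK32 = 0xFFFFFFFF
MAX_COOKIE_AGE = 2                  # assumed: cookie accepted for less than 2 minutes
MSSTAB = [536, 1300, 1440, 1460]    # constructed table of MSS values the cookie can encode

# Two keyed-hash secrets; constructed here with os.urandom, a kernel would use its own RNG.
SECRETS = [os.urandom(32), os.urandom(32)]


def _cookie_hash(saddr, daddr, sport, dport, count, which):
    """Keyed 32-bit hash over the 4-tuple and the minute counter (HMAC-SHA256 stands in for a kernel hash)."""
    msg = struct.pack("!IIHHI", saddr & MASK32, daddr & MASK32, sport, dport, count & MASK32)
    return int.from_bytes(hmac.new(SECRETS[which], msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, sseq, data, minute):
    """Build the ISN for a SYN-ACK: minute counter in the top byte, hash(counter) + data in the low 24 bits."""
    return (_cookie_hash(saddr, daddr, sport, dport, 0, 0)
            + sseq
            + (minute << COOKIEBITS)
            + ((_cookie_hash(saddr, daddr, sport, dport, minute, 1) + data) & COOKIEMASK)) & MASK32


def check_cookie(cookie, saddr, daddr, sport, dport, sseq, minute):
    """Return the 24-bit data field if the cookie's timestamp is within the window, else None.

    The caller must still range-check the returned data: for a forged cookie it is effectively random.
    """
    cookie = (cookie - _cookie_hash(saddr, daddr, sport, dport, 0, 0) - sseq) & MASK32
    diff = (minute - (cookie >> COOKIEBITS)) & (MASK32 >> COOKIEBITS)
    if diff >= MAX_COOKIE_AGE:
        return None                  # too old (or from the future): reject without further work
    return (cookie - _cookie_hash(saddr, daddr, sport, dport, minute - diff, 1)) & COOKIEMASK


def validate_ack(ack_seq, saddr, daddr, sport, dport, sseq, minute):
    """Handshake completion: the client's ACK number is our ISN + 1. Return the MSS or None."""
    data = check_cookie((ack_seq - 1) & MASK32, saddr, daddr, sport, dport, sseq, minute)
    if data is None or data >= len(MSSTAB):
        return None
    return MSSTAB[data]


def forged_ack_acceptance(trials, saddr, daddr, sport, dport, sseq, minute, seed=1):
    """Count how many random ACK numbers (constructed guesses) the server would accept in the current minute."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        if validate_ack(rng.getrandbits(32), saddr, daddr, sport, dport, sseq, minute) is not None:
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Constructed endpoints: client 192.0.2.10:40000 -> server 203.0.113.5:80
    client = int.from_bytes(bytes([192, 0, 2, 10]), "big")
    server = int.from_bytes(bytes([203, 0, 113, 5]), "big")
    isn = make_cookie(client, server, 40000, 80, 1000, 2, minute=100)
    print("accepted in same minute:", validate_ack(isn + 1, client, server, 40000, 80, 1000, 100))
    print("accepted two minutes later:", validate_ack(isn + 1, client, server, 40000, 80, 1000, 102))
    print("random guesses accepted out of 1000:",
          forged_ack_acceptance(1000, client, server, 40000, 80, 1000, 100))
```

With a 4-entry MSS table, a blind guess passes with probability 4 / 2^24 per attempt, and
every guess also has to be sent before the minute window closes, which is the time
constraint the reply above relies on.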

