Re: TCP SYN packets which have the FIN flag set.
The FIN flag indicates that the host that sends it is ready to drop the
connection, but a SYN flag indicates that the host is ready to start a
connection. Having both set is bad because a cracker can use this to
sneak packets through a firewall that does not block them. If you are
using IPTables, then you would filter using the TCP Flags option, and
drop the packets. I recommend some reading over at
http://iptables-tutorial.frozentux.net/
There is a lot of good stuff over there including info on TCP
Connections, and the handshake process, which is vital in setting up a
"Good" firewall, IMHO, anyway.
--- Luis Pérez Meliá <luipeme@yahoo.es> wrote:
> Is this a serious problem?
>
> When I pass Nessus:
>
> Test ID: 11618
> Category: Firewalls
> Title: Remote host replies to SYN+FIN
> Summary: Sends a SYN+FIN packet and expects a SYN+ACK
> Description:
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.
>
> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.
>
> See also :
> http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
> http://www.kb.cert.org/vuls/id/464113
>
> Solution : Contact your vendor for a patch
> Risk factor : Medium
> Cross-Ref: BugTraq ID: 7487
>
> Thanks,
> --
>
> .''`. Luis Pérez Meliá
> : :' :
> `. `'`
> `- Debian GNU/Linux
>
=====
-"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."-Dennis Ritchie
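As an added worked example (not part of the original thread or the iptables tutorial), here is what the TCP Flags filtering mentioned above looks like in iptables, together with a small shell emulation of the `--tcp-flags MASK COMP` match so the rule's verdicts can be checked offline before loading it. The BAD_FLAGS chain name, the log prefix and the sample packets are assumptions; the two extra ALL/NONE and ALL/ALL rules go beyond SYN+FIN to the other flag combinations a legitimate TCP stack never sends.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules that drop TCP
# packets with SYN and FIN both set, plus an emulation of how the
# --tcp-flags MASK COMP match decides. Chain name BAD_FLAGS is an assumption.

# Rules to load on the firewall host (needs root). Place them before any
# rule that ACCEPTs new connections so bogus packets never reach it.
syn_fin_rules() {
    cat <<'EOF'
iptables -N BAD_FLAGS
iptables -A BAD_FLAGS -m limit --limit 5/min -j LOG --log-prefix "bad tcp flags: "
iptables -A BAD_FLAGS -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BAD_FLAGS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BAD_FLAGS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BAD_FLAGS
EOF
}

# Turn a comma-separated flag list (e.g. SYN,FIN) into the TCP flag byte bits.
flag_bits() {
    bits=0
    old_ifs=$IFS; IFS=','
    for f in $1; do
        case $f in
            FIN) bits=$(( bits | 1 )) ;;   SYN) bits=$(( bits | 2 )) ;;
            RST) bits=$(( bits | 4 )) ;;   PSH) bits=$(( bits | 8 )) ;;
            ACK) bits=$(( bits | 16 )) ;;  URG) bits=$(( bits | 32 )) ;;
            ALL) bits=63 ;;                NONE) bits=0 ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# Emulate "--tcp-flags MASK COMP": only the bits in MASK are examined, and
# the packet matches when exactly the COMP bits among them are set.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3")  || return 2
    [ $(( pkt & mask )) -eq "$comp" ]
}

# Verdicts of the SYN,FIN rule for a few constructed packets.
for pkt in SYN SYN,FIN SYN,FIN,ACK FIN,ACK NONE ALL; do
    if tcp_flags_match SYN,FIN SYN,FIN "$pkt"; then v=DROP; else v=pass; fi
    echo "flags=$pkt -> $v"
done
```

Note that iptables' `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, so a rule that only accepts NEW connections via `--syn` already refuses a SYN+FIN packet; the explicit DROP rule above adds logging and covers chains that do not use `--syn`.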