folx,
i had read in a couple of different places that Microsoft's IP stack up
through NT4 regards SYN+ACK = SYN and responds with a SYN+ACK. Does
anyone know if this is true? if so, obviously forged packets with SYN+ACK
and a non-stateful packet filter will allow arbitrary connections through
the firewall to any machine-port pairs that are normally allowed to send
traffic out the firewall.
references or debunking would be appreciated.
todd underwood
[EMAIL PROTECTED]
On Tue, 18 Apr 2000, Frank Heinzius wrote:
> Date: Tue, 18 Apr 2000 17:15:00 +0200
> From: Frank Heinzius <[EMAIL PROTECTED]>
> To: "Pepmiller, Craig E." <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Why is a forged ACK bit packet bad? (was Re: Packet
> Filtering vs. Proxy)
>
> Hi,
>
> On 18 Apr 2000, at 8:59, Pepmiller, Craig E. wrote:
>
> > I believe the receiving system will send back an error notice. This tells
> > the attacker that the system exists and possibly what type of device it is.
> > From there the attacker can try more specific probes and attacks.
> >
>
> You're right. Most TCP/IP implementations answer a forged ACK packet with
> an RST which will tell you this port is listening. Or with an icmp
> unreachable, correct me if I'm wrong.
>
> This is one thing. On the other hand, stateless static packet filters
> just allow rules by looking on the SYN or the ACK bit (most
> implementation use the ACK bit).
>
> If you allow for example inbound packets with ACK bit set in any port
> range, you can tunnel your firewall. There are patches for TCP/IP stacks
> which allow connections to open with SYN and ACK set. If you combine this
> with a trojan and it goes to your inside network, you are where you don't
> want to be ;-)
>
>
>
> Kind Regards / Mit freundlichen Gruessen,
>
> --
> Frank M. Heinzius mms Communication AG .~.
> mailto:[EMAIL PROTECTED] Eiffestrasse 598 /V\
> http://www.mms.de 20537 Hamburg, Germany // \\
> Phone: +49 40 211105-40 Fax: +49 40 210 32 210 /( )\
> PGP Pingerfrimp: 635E AFB4 6BF0 156E 4615 8C67 F258 C9F6 3595 80ED ^^-^^
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
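Added example, not code from the thread or from any of the posters. It models the two filter styles discussed above: a stateless rule that admits any inbound TCP segment carrying the ACK bit (the classic "established" rule of ipchains/ipfw-era filters) and a stateful filter that only admits inbound segments belonging to a connection it saw opened from the inside. A forged SYN+ACK from an outside attacker passes the first and is dropped by the second; whether the inside host then completes a handshake on it depends on its stack, which the thread leaves open. All addresses, ports and the 10.0.0.0/8 "inside" prefix are constructed for the example.

```python
"""Stateless ACK-bit filtering versus connection tracking (added example)."""
from dataclasses import dataclass

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "in" = Internet -> LAN, "out" = LAN -> Internet

    def has(self, bits):
        return self.flags & bits == bits


def stateless_allows(seg):
    """Classic stateless policy (assumed for the example):
    - anything from the inside may go out;
    - inbound TCP is admitted only if ACK is set, on the assumption that
      it must be a reply to an inside-initiated connection.
    ACK is just a bit in the header, so an attacker can set it."""
    if seg.direction == "out":
        return True
    return seg.has(ACK)


class StatefulFilter:
    """Connection-tracking filter: a bare SYN leaving the LAN creates state,
    and an inbound segment is admitted only if it matches a tracked
    (inside host, inside port, outside host, outside port) tuple."""

    def __init__(self):
        self.table = set()

    def allows(self, seg):
        if seg.direction == "out":
            if seg.has(SYN) and not seg.has(ACK):
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        # Inbound: reverse the tuple and look it up.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.table


def run_scenario():
    """Feed the same constructed segments through both filters, in order.
    Returns {name: (stateless verdict, stateful verdict)}."""
    segments = [
        # Inside host opens a normal web connection.
        ("outbound_syn", Segment("10.0.0.5", 1025, "198.51.100.7", 80, SYN, "out")),
        # The server's legitimate reply.
        ("legit_synack", Segment("198.51.100.7", 80, "10.0.0.5", 1025, SYN | ACK, "in")),
        # Attacker forges SYN+ACK straight at an inside host's port 139.
        ("forged_synack", Segment("203.0.113.9", 31337, "10.0.0.5", 139, SYN | ACK, "in")),
        # Same attacker, plain SYN: both filters stop this one.
        ("bare_syn_in", Segment("203.0.113.9", 31338, "10.0.0.5", 139, SYN, "in")),
    ]
    stateful = StatefulFilter()
    results = {}
    for name, seg in segments:
        a = "allow" if stateless_allows(seg) else "deny"
        b = "allow" if stateful.allows(seg) else "deny"
        results[name] = (a, b)
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
```

The "forged_synack" row is the case Frank describes: the stateless rule sees ACK set and lets the segment reach port 139 on the inside host. If that host's stack accepts SYN+ACK as a connection opener, as the thread says some patched stacks do, the handshake completes and the filter has been tunnelled; the stateful filter drops the segment because no inside host ever sent a SYN to 203.0.113.9:31337.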