> A forged Ack bit does the following:
>
> ACK scanning "is great for testing firewall rulesets. It can NOT find
> open ports, but it can distinguish between filtered/unfiltered by sending an
> ACK packet to each port and waiting for a RST to come back. Filtered ports
> will not send back a RST (or will send back ICMP unreachables)."
> [http://www.insecure.org/nmap/index.html]
>
> Therefore an ACK scan (using a forged ACK bit) could easily map your entire
> firewall rulebase. Not the kind of recon I would like any would-be
> intruder to have on my site!
Besides getting a pretty good overview of your internal network, routers and hosts...
> -Igor Gashinsky, GCIA
>
> At 02:27 PM 4/19/00 -0400, Geoff Gates wrote:
> >I can think of one reason why I wouldn't want a packet with a forged ACK
> >bit in. For instance, if an enormous number of packets with a forged ACK
> >bit are let in to the same destination, this could cause a denial of
> >service attack to that destination if the bandwidth is high enough.
> >
> >But you are mostly right, in 99% of the cases, I don't see where this
> >forged ACK bit is really a problem, unless there is some type of TCP Hijack
> >occurring, in which case you have more than just a forged ACK bit.
> >
> >There could be some extremely rare case where an insider has set up a
> >machine that responds to this connection by effectively ignoring the first
> >ACK bit, but then again, why not just initiate the conversation from the
> >inside?
[rest deleted]
Just consider a malicious employee setting up a tunnel server that
listens for non-established TCP packets with the ACK bit set and uses them to tunnel IP over.
This effectively makes your firewall completely useless, since he now can
access his workstation and from there the internal network without limitations!
The bad part of this is that (unlike most other tunnels) he does not need to
initiate the connection from his workstation; he can do it from anywhere
in the world, anytime.
And you won't see any of this in your logs, since your firewall believes that
these packets are part of a valid(ated) established TCP connection.
If you trust your internal users, or if you believe that your internal
PCs are invulnerable to trojan horses (that install such a service without
the knowledge of the user), you might be safe with a stateless packet filter.
As with everything else, it depends on the requirements and your situation whether
you need stateful firewalls or stateless packet filters.
Juergen
--
Juergen P. Meier email: [EMAIL PROTECTED]
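The distinction the thread turns on, a "permit established" rule that can only test the ACK bit versus a filter that remembers which connections were opened from inside, as an added example that is not part of the original mail. The addresses, ports and packet trace are constructed (RFC 5737 documentation ranges, a hypothetical 10.0.0.0/24 inside network), and both filter models are deliberately minimal:

```python
"""Stateless 'ACK bit set' matching versus stateful connection tracking,
run over a constructed trace.  Added example; not from the original thread."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# TCP control bits as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

INSIDE_PREFIX = "10.0.0."  # hypothetical internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)

    def inbound(self) -> bool:
        return self.dst.startswith(INSIDE_PREFIX) and not self.src.startswith(INSIDE_PREFIX)


def stateless_decide(p: Packet) -> str:
    """Packet filter with a 'permit established' rule.  It keeps no state, so
    'established' can only mean 'ACK bit set': any inbound packet carrying ACK
    passes, whether or not a connection was ever opened from inside."""
    if not p.inbound():
        return "pass"
    return "pass" if p.has(ACK) else "drop"


class StatefulFilter:
    """Records outbound connection attempts and admits inbound packets only
    when they belong to one of the recorded flows."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) per tracked flow
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound():
            if p.has(SYN) and not p.has(ACK):        # new connection opened from inside
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.flows:
            return "drop"                            # no state: scan probe or forged ACK
        if p.has(RST) or p.has(FIN):
            self.flows.discard(key)                  # flow torn down
        return "pass"


def run_trace(trace: List[Packet]) -> Dict[str, List[str]]:
    """Decisions of both filters for every packet of the trace, in order."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_decide(p) for p in trace],
        "stateful": [stateful.decide(p) for p in trace],
    }


def ack_scan_view(decisions: List[str]) -> List[str]:
    """What an ACK scanner concludes per probe: a probe that reaches the host
    draws a RST ('unfiltered'); a dropped probe draws nothing ('filtered')."""
    return ["unfiltered" if d == "pass" else "filtered" for d in decisions]


# Constructed trace (not captured traffic)
WORKSTATION = "10.0.0.5"
TRACE = [
    # 1-2: legitimate web connection started from inside, and its reply
    Packet(WORKSTATION, 40000, "192.0.2.10", 80, SYN),
    Packet("192.0.2.10", 80, WORKSTATION, 40000, SYN | ACK),
    # 3-5: ACK scan from the Internet against three ports of the workstation
    Packet("198.51.100.7", 55555, WORKSTATION, 22, ACK),
    Packet("198.51.100.7", 55555, WORKSTATION, 25, ACK),
    Packet("198.51.100.7", 55555, WORKSTATION, 80, ACK),
    # 6: tunnel payload to an inside listener that ignores the missing handshake
    Packet("203.0.113.9", 4444, WORKSTATION, 31337, ACK | PSH),
]

if __name__ == "__main__":
    results = run_trace(TRACE)
    for i, p in enumerate(TRACE):
        print(f"{i + 1}: {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={results['stateless'][i]}  stateful={results['stateful'][i]}")
    print("scanner sees through stateless filter:", ack_scan_view(results["stateless"][2:5]))
    print("scanner sees through stateful filter: ", ack_scan_view(results["stateful"][2:5]))
```

Packets 3 to 6 all pass the stateless filter, so the scanner learns which inside ports answer with a RST and the tunnel traffic arrives without ever being logged as a new connection; the stateful filter drops the same four packets because no outbound SYN ever created a matching flow entry.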