Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-22 Thread Florian Weimer
Aaron Hopkins <[EMAIL PROTECTED]> writes: > On Sat, 19 Oct 2002, Florian Weimer wrote: > >> "established" in Cisco parlance does not mean "SYN unset", but "ACK or RST >> set". This means that the impact for non-Linux hosts (which do not react >> to SYN-RST packets according to Paul's survey) is l

RE: Ambiguities in TCP/IP - firewall bypassing

2002-10-22 Thread Ofir Arkin
-Original Message- From: Paul Starzetz [mailto:paul@;starzetz.de] Sent: Friday, October 18, 2002 4:47 PM To: [EMAIL PROTECTED] Subject: Ambiguities in TCP/IP - firewall bypassing 1. Abstract --- There are ambiguities in implementations of the TCP/IP suite for various op

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-21 Thread Lyndon Nerenberg
>Think of ECN; should older stacks simply reject a packet with Syn+0x42 >because they don't know what 0x42 is? > >If I've understood correctly, you were suggesting to drop "bad" packets. >I agree; only let established traffic through your firewall, and only >let packets with Syn or Syn+Ack set and

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread Tony Finch
Alun Jones <[EMAIL PROTECTED]> wrote: > >Not necessarily. Have you heard of T/TCP? Before that was around, I >remember hearing discussion of using a packet with SYN, FIN, and data all >in one, to cut down on round-trips in really short communications, while >still providing reliability. One o

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread Aaron Hopkins
On Sat, 19 Oct 2002, Florian Weimer wrote: > "established" in Cisco parlance does not mean "SYN unset", but "ACK or RST > set". This means that the impact for non-Linux hosts (which do not react > to SYN-RST packets according to Paul's survey) is less severe if your > filters run IOS. This is tr

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread David Wagner
Paul Starzetz wrote: >We believe that the flaws we have detected have a big impact on >design of firewalls and packet filters since an improper implementation >can easily lead to serious security problems. Is there any reason to expect that such improper implementation would be common? As far

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread Luis Bruno
Alan DeKok wrote: > Benjamin Krueger <[EMAIL PROTECTED]> wrote: > > > [snip RFC 1025 (TCP and IP bake-off)] > > > > Identify what the packet should be, and treat it as such? If that is > > the correct way to handle these packets, then these stacks are correct. > > So... what should the packet

RE: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread John Fitzgerald
there are distinct performance advantages for HTTP? -Original Message- From: Alun Jones [mailto:alun@;texis.com] Sent: 18 October 2002 22:28 To: [EMAIL PROTECTED] Subject: Re: Ambiguities in TCP/IP - firewall bypassing At 03:55 PM 10/18/2002, Benjamin Krueger wrote: > One could also make

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread cbrenton
On Sat, 19 Oct 2002, Florian Weimer wrote: > > As a result of this bug, it's quite complicated (if not impossible in > some configurations) to properly filter connection attempts to Linux > hosts on Cisco IOS routers. Actually, not really provided you are IOS 11.3 or higher. > If your acces

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-19 Thread Florian Weimer
Paul Starzetz <[EMAIL PROTECTED]> writes: > * Linux 2.4.19 > > The examination of the source code of the TCP engine reveals that a > TCP connection can be opened by any combination of the TCP flags > having the SYN bit set and the ACK bit reset. For example we can open > a TCP connection by sendin

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-18 Thread Benjamin Krueger
* Alan DeKok ([EMAIL PROTECTED]) [021018 13:21]: > Paul Starzetz <[EMAIL PROTECTED]> wrote: > > There are ambiguities in implementations of the TCP/IP suite for various > > operating systems. > > What about the specifications? > > In my (admittedly quick) readings of RFC 793 and RFC 1122, I

Re: Ambiguities in TCP/IP - firewall bypassing

2002-10-18 Thread Alun Jones
At 03:55 PM 10/18/2002, Benjamin Krueger wrote: One could also make a case for continuing to abide by the cardinal rule "Be permissive in what you accept, and strict in what you send". Tough call, but it's difficult to justify describing stacks that are permissive as "highly bogus" or "lazy" give

Ambiguities in TCP/IP - firewall bypassing

2002-10-18 Thread Paul Starzetz
1. Abstract --- There are ambiguities in implementations of the TCP/IP suite for various operating systems. Even if this fact has been used for a long time in different software for OS fingerprinting, no real attempt has been made to identify the security impact of the differences in