[14375] in bugtraq


Re: PIX DMZ Denial of Service - TCP Resets

daemon@ATHENA.MIT.EDU (Darren Reed)
Wed Mar 22 01:40:58 2000

Message-Id:  <200003211525.CAA02867@cairo.anu.edu.au>
Date:         Wed, 22 Mar 2000 02:25:16 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         andrew@CITEC.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <B3D6883199DBD311868100A0C9FC2CDC046B72@protea.citec.net> from Andrew Alston at "Mar 20, 0 01:59:49 pm"

In some mail from Andrew Alston, sie said:
[...]
>
> On receiving a RST packet (TCP Reset) from a given host with the correct
> source and destination port, the PIX will drop the state entry for that
> particular connection, which means the TCP connection dies due to the fact
> that, with no state entry, the external box can no longer talk to the
> internal box.
[...]
> 		seq = rand() % time(NULL);	/* Randomize our #'s */
> 		ack = rand() % time(NULL);	/* Randomize ack #'s */
[...]

There have been many different ways in which it has been possible to
exercise this particular target, over the years.  The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.

The general gist of this problem is poorly implemented TCP connection
state tracking.  You *must* track window sizes and sequence numbers
and acknowledgments to at least reduce the chance of any given TCP
packet from "outside" actually being part of that connection.

Darren
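The window check Darren argues for, as an added example that is not part of this thread and not PIX or FW-1 code: a minimal connection-state model with the address/port-only match the thread describes beside a check that also requires the RST's sequence number to lie inside the tracked receive window. The state fields, addresses, ports and sequence numbers are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class ConnState:
    src: str          # external host
    sport: int
    dst: str          # internal host
    dport: int
    rcv_nxt: int      # next sequence number expected from the external host
    rcv_wnd: int      # window the internal host last advertised (assumed tracked)

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    rst: bool

def tuple_matches(st: ConnState, seg: Segment) -> bool:
    return (st.src, st.sport, st.dst, st.dport) == (seg.src, seg.sport, seg.dst, seg.dport)

def rst_tears_down_naive(st: ConnState, seg: Segment) -> bool:
    """Address/port match only: the behaviour the thread attributes to the PIX."""
    return seg.rst and tuple_matches(st, seg)

def in_window(st: ConnState, seq: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return ((seq - st.rcv_nxt) & 0xFFFFFFFF) < st.rcv_wnd

def rst_tears_down_windowed(st: ConnState, seg: Segment) -> bool:
    """Also require the RST's sequence number to fall inside the tracked window."""
    return seg.rst and tuple_matches(st, seg) and in_window(st, seg.seq)

def blind_hit_probability(st: ConnState) -> float:
    """Chance that one RST with a uniformly random sequence number is accepted."""
    return st.rcv_wnd / 2**32

def demo() -> dict:
    st = ConnState("203.0.113.5", 40000, "192.0.2.10", 80, rcv_nxt=1_000_000, rcv_wnd=16384)
    # Constructed RSTs: 'blind' carries a sequence number unrelated to the connection,
    # 'legit' is what the real peer might send just past the expected sequence number.
    blind = Segment("203.0.113.5", 40000, "192.0.2.10", 80, seq=2_857_193_044, rst=True)
    legit = Segment("203.0.113.5", 40000, "192.0.2.10", 80, seq=1_000_100, rst=True)
    return {
        "naive_blind": rst_tears_down_naive(st, blind),        # True: state entry dropped
        "windowed_blind": rst_tears_down_windowed(st, blind),  # False: out of window
        "windowed_legit": rst_tears_down_windowed(st, legit),  # True: real peer unaffected
        "p_blind_hit": blind_hit_probability(st),
    }
```

A production tracker would also check the ACK number and the direction-specific windows, which the model omits to keep the sequence-number point visible.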
