[27526] in bugtraq
Re: Ambiguities in TCP/IP - firewall bypassing
daemon@ATHENA.MIT.EDU (Luis Bruno)
Sat Oct 19 15:46:17 2002
Date: Sat, 19 Oct 2002 06:04:27 +0000
From: Luis Bruno <lbruno@zbit.pt>
To: bugtraq@securityfocus.com
Message-ID: <20021019060427.GA4629@useful.yi.org>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E182eK8-0002KW-00@giles.striker.ottawa.on.ca>
X-Send-Missiles-To: Viseu, Portugal - UTM 29T 629481 E 4511776 N - 576m
Alan DeKok wrote:
> Benjamin Krueger <benjamin@seattlefenix.net> wrote:
> > > [snip RFC 1025 (TCP and IP bake-off)]
> >
> > Identify what the packet should be, and treat it as such? If that is
> > the correct way to handle these packets, then these stacks are correct.
>
> So... what should the packet be? As I said, the spec is ambiguous.
> If you don't know what the packet is, you obviously don't know how to
> treat it.
Think of ECN; should older stacks simply reject a packet with Syn+0x42
because they don't know what 0x42 is?
If I've understood correctly, you were suggesting to drop "bad" packets.
I agree; only let established traffic through your firewall, and only
let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
state in the firewall. Ignore the rest of the flags.
Of course, if anyone finds this un-interoperable, please chime in!
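The filtering policy proposed in the message above, worked through as an added example that is not part of the original post: a toy stateful filter in Python that lets a flow create state only when SYN is set and FIN and RST are both clear (so both a plain SYN and a SYN+ACK qualify), passes anything that matches an existing flow, drops everything else, and otherwise ignores the remaining flag bits, so an ECN-setup SYN (SYN with ECE and CWR set) is treated like any other SYN. The packet layout, the flow table keyed on the direction-independent 4-tuple, and the sample traffic are all assumptions made for the example; a real firewall would also need timeouts and state teardown, which the post does not discuss.

```python
from collections import namedtuple

# TCP flag bits: RFC 793 flags plus the ECN bits (ECE, CWR) from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Assumed minimal packet representation (example only): addresses, ports, flag byte.
Packet = namedtuple("Packet", "src sport dst dport flags")


def may_create_state(flags):
    """Policy from the post: SYN set (plain SYN or SYN+ACK), FIN and RST unset.

    Every other bit (PSH, URG, ECE, CWR, reserved bits) is deliberately
    ignored, so an ECN-setup SYN is accepted like any other SYN.
    """
    return bool(flags & SYN) and not (flags & (FIN | RST))


class StatefulFilter:
    """Toy stateful filter with a flow table keyed on the 4-tuple.

    Assumption for the example: no timeouts and no teardown on FIN/RST;
    a real implementation needs both.
    """

    def __init__(self):
        self.flows = set()

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so the reply half of a flow matches
        # the state created by the initiating half.
        a = (pkt.src, pkt.sport)
        b = (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, pkt):
        key = self.flow_key(pkt)
        if key in self.flows:
            return "ACCEPT established"      # belongs to a known flow
        if may_create_state(pkt.flags):
            self.flows.add(key)
            return "ACCEPT new"              # SYN or SYN+ACK, no FIN/RST
        return "DROP"                        # no state and not allowed to create it


def run(packets):
    """Run a packet sequence through a fresh filter; returns one verdict per packet."""
    f = StatefulFilter()
    return [f.process(p) for p in packets]


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, SYN | ECE | CWR),  # ECN-setup SYN
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK | ECE),  # reply in the same flow
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, ACK | PSH),        # data on established flow
    Packet("10.0.0.6", 40001, "192.0.2.10", 80, SYN | FIN),        # contradictory flags
    Packet("10.0.0.7", 40002, "192.0.2.10", 80, ACK),              # bare ACK, no state
    Packet("10.0.0.8", 40003, "192.0.2.10", 80, SYN | RST),        # SYN with RST
    Packet("10.0.0.9", 40004, "192.0.2.10", 80, 0),                # null packet
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}: {verdict}")
```

Note that the policy as stated lets a SYN+ACK create state on its own; whether that is acceptable depends on whether the firewall can assume it sees both directions of every connection.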