[27528] in bugtraq
Re: Ambiguities in TCP/IP - firewall bypassing
daemon@ATHENA.MIT.EDU (David Wagner)
Sat Oct 19 16:52:35 2002
X-Envelope-To: bugtraq@securityfocus.com
To: bugtraq@securityfocus.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 19 Oct 2002 00:18:50 GMT
Message-ID: <aoq8da$ceh$2@abraham.cs.berkeley.edu>
X-Complaints-To: news@abraham.cs.berkeley.edu
Paul Starzetz wrote:
>We believe that the flaws we have detected have a big impact on
>design of firewalls and packet filters since an improper implementation
>can easily lead to serious security problems.
Is there any reason to expect that such improper implementation
would be common?
As far as I know, the common case is packet filters that look at
only the ACK and SYN bits. A typical configuration: All incoming
packets with the ACK bit set are allowed, as are all outgoing packets.
The anomalies you found don't seem to pose any problems for such a
style of configuration.
Are you aware of any common configurations that are at risk?
