[27538] in bugtraq
Re: Ambiguities in TCP/IP - firewall bypassing
daemon@ATHENA.MIT.EDU (Lyndon Nerenberg)
Mon Oct 21 13:07:57 2002
Message-Id: <200210201903.g9KJ3P88042521@orthanc.ab.ca>
To: bugtraq@securityfocus.com
In-Reply-To: Message from Luis Bruno <lbruno@zbit.pt>
of "Sat, 19 Oct 2002 06:04:27 -0000." <20021019060427.GA4629@useful.yi.org>
Date: Sun, 20 Oct 2002 13:03:25 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
>Think of ECN; should older stacks simply reject a packet with Syn+0x42
>because they don't know what 0x42 is?
>
>If I've understood correctly, you were suggesting to drop "bad" packets.
>I agree; only let established traffic through your firewall, and only
>let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
>state in the firewall. Ignore the rest of the flags.
>
>Of course, if anyone finds this un-interoperable, please chime in!
Before people get too paranoid about accepting packets I recommend
they read RFC 3360: Inappropriate TCP Resets Considered Harmful.
1. Introduction
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Unfortunately, a number of firewalls and load-balancers in the
current Internet send a reset in response to a TCP SYN packet that
use flags from the Reserved field in the TCP header. Section 3 below
discusses the specific example of firewalls that send resets in
response to TCP SYN packets from ECN-capable hosts.
[ ... ]
--lyndon
