Re: known TCP vulnerability ??

From: Andre Oppermann (oppermann_at_networx.ch)
Date: 02/11/05

    Date: Fri, 11 Feb 2005 21:19:16 +0100
    To: "Li, Qing" <qing.li@bluecoat.com>
    
    

    "Li, Qing" wrote:
    >
    > http://www.kb.cert.org/vuls/id/464113
    >
    > http://www.linuxsecurity.com/content/view/104980/98/
    >
    > Ran the packet tests against FreeBSD 5.3 and 6-CURRENT and both
    > respond to the SYN+FIN packets with SYN+ACK.

    This is expected behaviour because FreeBSD used to implement T/TCP
    according to RFC1644. I haven't removed this part from TCP because
    I have a better reincarnation of T/TCP without the previous shortcomings
    almost ready which uses this again.

    The CERT article describes how dumb firewalls with poor stateful
    inspection may get fooled by this and other flag combinations.
    All I can say is it's not our fault. The SYN+FIN combination is
    described in RFC1644 and if the firewall gets it wrong... Well,
    the real world sucks.

    > Should I file a PR if there isn't one already ??

    No action required here.

    What you could check is whether our firewall packages in stateful
    mode (ipfw, pf, ipfilter) can be fooled by this. I doubt it but
    if you can verify it, that would be great.

    -- 
    Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
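Added example, not part of the original message and not FreeBSD or firewall source code: a check a tester could use when verifying the point raised above, comparing a hypothetical weak filter rule (only a bare SYN opens a connection) with a model of the host behaviour the post describes (SYN+FIN is answered with SYN+ACK). The function names, the weak rule and the sample headers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Flag bits (FIN..URG) of a TCP header, or -1 if the header is truncated
 * or its data-offset field is invalid. */
int tcp_flags(const uint8_t *seg, size_t len) {
    if (len < 20) return -1;
    size_t hdr_len = (size_t)(seg[12] >> 4) * 4;
    if (hdr_len < 20 || hdr_len > len) return -1;
    return seg[13] & 0x3f;
}

/* Hypothetical weak rule: only a bare SYN counts as a connection attempt. */
int naive_is_open(int flags) { return flags == TH_SYN; }

/* Assumed model of the host side, based on the post: SYN set and ACK clear
 * opens a connection whatever else is set (FIN included, as in RFC 1644). */
int host_is_open(int flags) {
    return flags >= 0 && (flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* 1 when the weak rule would miss a segment the host treats as an open. */
int filter_host_mismatch(const uint8_t *seg, size_t len) {
    int f = tcp_flags(seg, len);
    return host_is_open(f) && !naive_is_open(f);
}

/* Constructed 20-byte TCP headers (ports 49152 -> 80); only byte 13 differs. */
#define HDR(fl) {0xc0,0x00,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,(fl), 0xff,0xff, 0,0,0,0}
static const uint8_t SEG_SYN[20]     = HDR(TH_SYN);
static const uint8_t SEG_SYN_FIN[20] = HDR(TH_SYN | TH_FIN);
static const uint8_t SEG_SYN_ACK[20] = HDR(TH_SYN | TH_ACK);

int main(void) {
    const uint8_t *segs[] = {SEG_SYN, SEG_SYN_FIN, SEG_SYN_ACK};
    const char *names[] = {"SYN", "SYN+FIN", "SYN+ACK"};
    for (int i = 0; i < 3; i++)
        printf("%-8s flags=0x%02x mismatch=%d\n", names[i],
               tcp_flags(segs[i], 20), filter_host_mismatch(segs[i], 20));
    return 0;
}
```

A stateful filter whose notion of "connection attempt" matches `host_is_open` rather than `naive_is_open` reports no mismatch for any of the three samples.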
    
