Re: [FW1] DoS question
Thanks for your reply,
Just to clarify though, does that mean that B cannot send to A with the SYN and
ACK bit set if it is within the TCP timeout?
If so, what was the Inspect script fix that helped reduce the risk of a DoS
attack? I am in two minds whether to implement it or not. What would I gain
by installing the Inspect Script fix?
Thanks
-Alan
Lance Spitzner <lance@stan.ksni.net> on 09/07/99 03:35:25 PM
To: Alan Trevillion@BOFA
cc: fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] DoS question
On Tue, 7 Sep 1999 Alan.Trevillion@bankofamerica.com wrote:
> But if you send a packet with the SYN and ACK bit set, could you not fool the
> firewall into thinking that it was a reply? Hence my question about the
> reverse rule.
Let's say you only have 1 rule in your rule base:
A can talk to B.
This means A can initiate a connection to B, but B cannot initiate
a connection to A. When A sends its first packet to B initiating
the connection, FW-1 looks to see if the session is allowed. Based
on our single rule above, it is allowed, so the packet goes through
and the session is built in the connections table, with a timeout
limit. This now means that B can send whatever packets it wants
to A during that timeout, as long as both source/dest IPs and
source/dest ports match up.
Now, if there is no session in the connections table, B cannot
send any packets to A, regardless of the make and model. The
only way B can ever send packets to A is if:
1. A has already sent a packet to B, building a connections table.
2. You add a new rule allowing B to talk to A
Hope that helps ...
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
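The connections-table behaviour Lance describes, as an added example (not code from the thread or from Check Point): a toy stateful filter with the single rule "A can talk to B". Host addresses, ports and the 60-second timeout are constructed values; the model shows that a SYN/ACK from B is only accepted while a matching entry built by A exists.

```python
# Added example: minimal model of a stateful connections table.
# Addresses, ports and TIMEOUT are constructed values, not from the thread.
import time

A, B = "10.0.0.1", "10.0.0.2"
RULES = {(A, B)}   # the one rule in the rule base: A can talk to B
TIMEOUT = 60       # seconds an entry stays valid (assumed value)


class StatefulFirewall:
    """Accept a packet if a live table entry matches it, else consult the rules."""

    def __init__(self, now=time.time):
        self.now = now
        self.table = {}  # (src, sport, dst, dport) -> expiry timestamp

    def _live(self, key):
        exp = self.table.get(key)
        if exp is None:
            return False
        if exp < self.now():
            del self.table[key]  # timed out: B loses its return path
            return False
        return True

    def filter(self, src, sport, dst, dport, syn, ack):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        # Reply direction: allowed only while the session A built is alive.
        if self._live(rev):
            self.table[rev] = self.now() + TIMEOUT  # traffic refreshes the entry
            return "ACCEPT"
        # No entry: only a genuine initiation (SYN, no ACK) matching a rule passes.
        if syn and not ack and (src, dst) in RULES:
            self.table[fwd] = self.now() + TIMEOUT
            return "ACCEPT"
        return "DROP"


def scenario():
    clock = [1000.0]
    fw = StatefulFirewall(now=lambda: clock[0])
    out = [fw.filter(B, 80, A, 4000, syn=True, ack=True)]    # forged "reply", no entry: DROP
    out.append(fw.filter(A, 4000, B, 80, syn=True, ack=False))  # A initiates: ACCEPT, entry built
    out.append(fw.filter(B, 80, A, 4000, syn=True, ack=True))   # real SYN/ACK matches: ACCEPT
    out.append(fw.filter(B, 81, A, 4000, syn=True, ack=True))   # wrong port, no match: DROP
    clock[0] += TIMEOUT + 1                                     # let the entry time out
    out.append(fw.filter(B, 80, A, 4000, syn=True, ack=True))   # expired: DROP
    return out
```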
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================