
Re: [FW1] DoS question




On Tue, 7 Sep 1999 Alan.Trevillion@bankofamerica.com wrote:

> Just to clarify though, does that mean that B cannot send to A with the SYN and
> ACK bit set if it is within the TCP timeout?

I think you're getting the details confused with the basics.  B either CAN send any
return packet to system A (except for SYN), or B CANNOT send any return packet to
A.  It all depends on whether there is a session built for it in the connections table.

> If so, what was the Inspect script fix that helped reduce the risk of a DoS
> attack? I am in two minds whether to implement it or not. What would I gain
> by installing the Inspect Script fix?

The Inspect Script supplied by CheckPoint applies to initiating connections,
not return packets.  Specifically, it applies to the initiating of connections with
non-SYN packets (such as ACK or Null packets).

You gain protection from a possible DoS attack that is most likely 
initiated from the internal network.

You lose the ability to maintain your connections table when you reinstall
a rule base. 

For more info, I recommend you review the paper again on the FW-1 State
Table.  It takes a couple of reads to really understand all of it, at
least it did for me :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
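As an added illustration of the behaviour Lance describes (not code from the thread, from Check Point, or from the FW-1 State Table paper), the toy filter below models a connections table: an outbound SYN from A creates an entry, B's return packets are accepted on state alone while that entry exists and has not timed out, and a packet with no matching entry is treated as an initiating packet and handed to the rule base. The `strict_syn` flag stands in for the Inspect Script fix, refusing to open a session from a non-SYN initiator. Everything here is a simplification and an assumption of mine: a "SYN" is taken to mean SYN set with ACK clear, so a SYN/ACK counts as a return packet; `reinstall_rulebase()` is modelled as emptying the table; the addresses, ports and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Connection key: (src_ip, src_port, dst_ip, dst_port). TCP only; a toy model.
Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    t: float = 0.0  # arrival time in seconds (constructed timestamps)

    def key(self) -> Key:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Key:
        return (self.dst, self.dport, self.src, self.sport)

    def is_bare_syn(self) -> bool:
        # Assumption: "SYN" in the thread means SYN set without ACK, i.e. a
        # connection-opening packet. A SYN/ACK is treated as a return packet.
        return self.syn and not self.ack


class StatefulFilter:
    def __init__(self, timeout: float, strict_syn: bool):
        self.timeout = timeout
        self.strict_syn = strict_syn  # True = the "non-SYN initiator" fix applied
        self.table: Dict[Key, float] = {}  # connections table: key -> last seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]

    def reinstall_rulebase(self) -> None:
        # Simplification: reinstalling empties the table. Whether a live flow
        # survives then depends on whether a mid-stream packet may re-open it.
        self.table.clear()

    def filter(self, p: Packet, rule_allows: bool) -> str:
        self._expire(p.t)
        if not p.is_bare_syn():
            # A non-SYN packet of a known session passes on state alone, in
            # either direction, and refreshes the entry's timestamp.
            for k in (p.key(), p.reverse_key()):
                if k in self.table:
                    self.table[k] = p.t
                    return "accept (state)"
        # No matching session: an initiating packet, so the rule base decides.
        if not rule_allows:
            return "drop (rule)"
        if self.strict_syn and not p.is_bare_syn():
            return "drop (non-SYN initiator)"
        self.table[p.key()] = p.t
        return "accept (new session)"


def run_scenario(strict_syn: bool) -> Dict[str, str]:
    """Replay one constructed exchange and return the verdict for each packet."""
    A, B, C = "10.0.0.5", "192.0.2.10", "198.51.100.7"  # constructed addresses
    fw = StatefulFilter(timeout=3600.0, strict_syn=strict_syn)
    out: Dict[str, str] = {}
    # Rule base (constructed): A may open connections outbound and C may reach
    # A:22; nothing permits B to open a connection to A.
    out["a_syn"] = fw.filter(Packet(A, 40000, B, 80, syn=True, t=0.0), rule_allows=True)
    out["b_synack"] = fw.filter(Packet(B, 80, A, 40000, syn=True, ack=True, t=0.1), rule_allows=False)
    out["a_ack"] = fw.filter(Packet(A, 40000, B, 80, ack=True, t=0.2), rule_allows=True)
    # B tries to open a fresh connection back to A: no rule, no state.
    out["b_bare_syn"] = fw.filter(Packet(B, 80, A, 40000, syn=True, t=5.0), rule_allows=False)
    # C sends a lone ACK where the rule base would allow a connection.
    out["c_ack_initiator"] = fw.filter(Packet(C, 1234, A, 22, ack=True, t=10.0), rule_allows=True)
    # B's return traffic inside the timeout window.
    out["b_ack_in_time"] = fw.filter(Packet(B, 80, A, 40000, ack=True, t=100.0), rule_allows=False)
    # Reinstall the rule base, then A's established flow continues mid-stream.
    fw.reinstall_rulebase()
    out["a_ack_after_reinstall"] = fw.filter(Packet(A, 40000, B, 80, ack=True, t=120.0), rule_allows=True)
    # B's return traffic once the entry has aged past the timeout.
    out["b_ack_after_timeout"] = fw.filter(Packet(B, 80, A, 40000, ack=True, t=120.0 + 3601.0), rule_allows=False)
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("strict_syn =", mode)
        for name, verdict in run_scenario(mode).items():
            print(f"  {name:24s} {verdict}")
```

Running both modes shows the trade-off in the reply: with `strict_syn=True` the lone ACK from C cannot create a table entry, but after the rule-base reinstall A's existing flow is also refused until it is re-established with a SYN; with `strict_syn=False` the flow survives the reinstall, at the cost of letting any permitted non-SYN packet open a session.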


