> By the way, from the Cisco documentation concerning the 
> "established" keyword:
> 
>       For the TCP protocol only: Indicates an established
>       connection. A match occurs if the TCP datagram has the 
>       ACK or RST bits set. The nonmatching case is that of the
>       initial TCP datagram to form a connection. 
> 
> What would happen if an attacker set the ACK or RST bits in the 
> datagram to get the packet passed through as "established"?   
> After the router passes it through, what will the server do with the 
> packet?
> 
> 
> -------------------
> 
> Eric Johnson

It'll pass straight through the router. Since the destination TCP stack
won't be in a suitable state to receive an ACK packet, normal behaviour is
to "ignore" the packet and send a RST back to the source IP address.

This has all sorts of implications. If you have a nasty enough forged packet
you can cause interruption to the TCP stack, if it's vulnerable. You can
also use this for host scanning - you can even get an OS fingerprint out of
some systems.

However, since the packet never gets passed up the line by the stack (since
it's invalid) you can't really do much interesting stuff with this technique
alone.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
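An added illustration of the point made in the reply above, not code from the thread or from Cisco: a small Python model in which a per-packet `established` check (ACK or RST set) is placed beside a simplified stateful check that only admits inbound segments for a connection an inside host actually opened. The header builder, the addresses and ports, and the `StatefulFilter` class are constructed for the demo.

```python
import struct
from typing import Dict, Set, Tuple

# TCP flag bits found in byte 13 of the header (RFC 793).
SYN, RST, ACK = 0x02, 0x04, 0x10


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: a minimal 20-byte TCP header with the given flags."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)


def tcp_flags(header: bytes) -> int:
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def established_match(header: bytes) -> bool:
    """Model of the Cisco 'established' keyword: match if ACK or RST is set.
    It is purely per-packet, so any segment carrying ACK matches."""
    return bool(tcp_flags(header) & (ACK | RST))


Conn = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    """Assumed, simplified stateful check: an inbound segment passes only if an
    inside host already sent a SYN to that outside endpoint."""

    def __init__(self) -> None:
        self.table: Set[Conn] = set()

    def outbound(self, src: str, header: bytes, dst: str) -> None:
        sport, dport = struct.unpack("!HH", header[:4])
        if tcp_flags(header) & SYN:
            self.table.add((src, sport, dst, dport))

    def inbound_allowed(self, src: str, header: bytes, dst: str) -> bool:
        sport, dport = struct.unpack("!HH", header[:4])
        return (dst, dport, src, sport) in self.table


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns (established_match, stateful_allowed) for a genuine reply and an unsolicited ACK."""
    fw = StatefulFilter()
    fw.outbound("10.0.0.5", build_tcp_header(40000, 80, SYN), "203.0.113.10")
    reply = build_tcp_header(80, 40000, SYN | ACK)  # SYN-ACK answering the inside host
    stray = build_tcp_header(1234, 22, ACK)         # ACK with no matching connection
    return {
        "genuine": (established_match(reply), fw.inbound_allowed("203.0.113.10", reply, "10.0.0.5")),
        "unsolicited": (established_match(stray), fw.inbound_allowed("198.51.100.7", stray, "10.0.0.5")),
    }
```

The unsolicited ACK passes the flag-only check but not the stateful one; the receiving stack, as the reply notes, answers it with a RST, which is why such segments are worth logging at the firewall rather than silently forwarding.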