I can think of one reason why I wouldn't want a packet with a forged ACK bit in. For
instance, if an enormous amount of packets with a forged ACK bit are let in to the
same destination, this could cause a denial of service attack to that destination if
the bandwidth is high enough.
But you are mostly right: in 99% of the cases, I don't see where this forged ACK bit
is really a problem, unless there is some type of TCP hijack occurring, in which case
you have more than just a forged ACK bit.
There could be some extremely rare case where an insider has set up a machine that
responds to this connection by effectively ignoring the first ACK bit, but then again,
why not just initiate the conversation from the inside?
> - -----Original Message-----
> From: Jim Johnson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 18, 2000 8:42 AM
> To: '[EMAIL PROTECTED]'
> Subject: Why is a forged ACK bit packet bad? (was Re: Packet Filtering
> vs. Proxy)
>
> If I understand the below email correctly, it's saying that if you forge a
> packet with the ACK bit set it will get by the packet filter. The only way
> to prevent this is by using a stateful packet filter that "remembers"
> connections. I understand all of this ok, but what I don't understand is
> why letting a packet with a forged ACK bit through is such a bad thing.
>
> According to the book "Building Internet Firewalls" (published by O'Reilly),
> the last paragraph on page 188 says that a packet with a forged ACK
> bit isn't a problem. To quote them, here's the last paragraph:
>
> "Why can't an attacker get around this by simply setting the ACK bit on the
> first packet? If he does, the packet will get past the filters, but the
> destination will believe the packet belongs to an existing connection
> (instead of the one with which the packet is trying to establish a new
> connection). When the destination tries to match the packet up with the
> supposed existing connection, it will fail because there isn't one, and the
> packet will be ignored."
>
> So can someone tell me what the problem is with letting a packet that
> contains a forged ACK bit in?
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
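A constructed illustration of the two filter behaviours the thread discusses, added here and not part of either message: a stateless rule that admits any inbound packet carrying the ACK bit, beside a minimal connection-tracking filter that admits inbound packets only when they match a connection an inside host opened. The addresses, ports, `Packet` shape and the trace are all made up for the example, and the tracker is simplified (it records outbound SYNs only, with no teardown or timeouts).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


INSIDE = {"10.0.0.5"}  # hypothetical protected host behind the filter


def stateless_ack_rule(pkt):
    """Stateless filter: outbound always passes; inbound passes only if ACK is set.
    It cannot distinguish a genuine reply from a first packet with ACK forged on."""
    return pkt.src in INSIDE or "ACK" in pkt.flags


class StatefulFilter:
    """Simplified connection tracking: remember outbound SYNs and admit only
    inbound packets whose reversed 4-tuple matches a remembered connection."""

    def __init__(self):
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def admit(self, pkt):
        if pkt.src in INSIDE:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def evaluate(trace):
    """Return {label: (stateless_verdict, stateful_verdict)} for a packet trace."""
    sf = StatefulFilter()
    return {label: (stateless_ack_rule(p), sf.admit(p)) for label, p in trace}


# Constructed trace: one legitimate outbound session plus one forged ACK-only packet.
TRACE = [
    ("outbound SYN", Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}))),
    ("genuine SYN/ACK", Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("forged ACK", Packet("198.51.100.7", 4444, "10.0.0.5", 22, frozenset({"ACK"}))),
]

if __name__ == "__main__":
    for label, (stateless, stateful) in evaluate(TRACE).items():
        print(f"{label:16} stateless={stateless!s:5} stateful={stateful}")
```

The forged packet passes the stateless rule but is dropped by the tracker, which is the difference the original poster was asking about; the volume concern in the reply is just this pass verdict repeated at scale.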