A forged Ack bit does the following:

    Ack Scanning "is great for testing firewall rulesets.  It can NOT find
    open ports, but it can distinguish between filtered/unfiltered by sending an
    ACK packet to each port and waiting for a RST to come back.  Filtered ports
    will not send back a RST (or will send back ICMP unreachables)."
    [http://www.insecure.org/nmap/index.html]

Therefore an Ack scan (using a forged ACK bit) could easily map your entire
firewall rulebase. Not the kind of recon I would like any would-be intruder
to have on my site!

-Igor Gashinsky, GCIA
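A small simulation of the point made above, added here as an example (it is not code from anyone in the thread): a stateless filter that passes any ACK-flagged packet lets the probe reach the host, whose RST reveals which ports the rulebase blocks, while a filter that tracks connections drops unsolicited ACKs and gives the same answer for every port. The addresses, port sets and function names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"})

# Hypothetical rulebase: two ports are denied outright, two offer services,
# and (stateless case) anything carrying ACK is assumed to be return traffic.
BLOCKED_PORTS = {23, 135}
SERVICE_PORTS = {25, 80}

def stateless_filter(pkt):
    """Stateless rules: drop blocked ports, pass any ACK, pass SYN to services."""
    if pkt.dport in BLOCKED_PORTS:
        return False
    if "ACK" in pkt.flags:
        return True
    return "SYN" in pkt.flags and pkt.dport in SERVICE_PORTS

class StatefulFilter:
    """Remembers permitted SYNs; an ACK matching no tracked connection is dropped."""
    def __init__(self):
        self.table = set()

    def allow(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if pkt.dport in SERVICE_PORTS and pkt.dport not in BLOCKED_PORTS:
                self.table.add(key)
                return True
            return False
        return key in self.table

def host_response(pkt):
    """A TCP stack answers an ACK for a connection it does not have with RST
    (RFC 793), whether or not anything listens on the port."""
    return "RST" if "ACK" in pkt.flags else None

def ack_scan(filter_allows, ports, src="198.51.100.7", dst="192.0.2.10"):
    """Model the nmap ACK scan: a RST back means 'unfiltered', silence means
    'filtered'. Returns {port: classification}."""
    results = {}
    for p in ports:
        pkt = Packet(src, dst, p, frozenset({"ACK"}))
        reply = host_response(pkt) if filter_allows(pkt) else None
        results[p] = "unfiltered" if reply == "RST" else "filtered"
    return results
```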


At 02:27 PM 4/19/00 -0400, Geoff Gates wrote:
>I can think of one reason why I wouldn't want a packet with a forged ACK
>bit in.  For instance, if an enormous number of packets with a forged ACK
>bit are let in to the same destination, this could cause a denial of
>service attack to that destination if the bandwidth is high enough.
>
>But you are mostly right, in 99% of the cases, I don't see where this
>forged ACK bit is really a problem, unless there is some type of TCP Hijack
>occurring, in which case you have more than just a forged ACK bit.
>
>There could be some extremely rare case where an insider has set up a
>machine that responds to this connection by effectively ignoring the first
>ACK bit, but then again, why not just initiate the conversation from the
>inside?
>
>
>> - -----Original Message-----
>> From: Jim Johnson [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, April 18, 2000 8:42 AM
>> To: '[EMAIL PROTECTED]'
>> Subject: Why is a forged ACK bit packet bad? (was Re: Packet Filtering
>> vs. Proxy)
>>
>> If I understand the below email correctly, it's saying that if you forge a
>> packet with the ACK bit set it will get by the packet filter.  The only way
>> to prevent this is by using a stateful packet filter that "remembers"
>> connections.  I understand all of this ok, but what I don't understand is
>> why letting a packet with a forged ACK bit through is such a bad thing.
>>
>> The book "Building Internet Firewalls" (published by O'Reilly) says in the
>> last paragraph on page 188 that a packet with a forged ACK bit isn't a
>> problem.  To quote them, here's the last paragraph:
>>
>> "Why can't an attacker get around this by simply setting the ACK bit on the
>> first packet?  If he does, the packet will get past the filters, but the
>> destination will believe the packet belongs to an existing connection
>> (instead of the one with which the packet is trying to establish a new
>> connection).  When the destination tries to match the packet up with the
>> supposed existing connection, it will fail because there isn't one, and the
>> packet will be ignored."
>>
>> So can someone tell me what the problem is with letting a packet that
>> contains a forged ACK bit in?
>>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
