not need to predict TCP ISNs for ipfw! ipfw doesn't store any TCP ISN in its dynamic state!! So a spoofed packet can easily reset the 'keep state' dynamic states if srcip, dstip, sport, dport match! For ipfw2, it does store ISN info, but it seems that the dynamic state lookup code doesn't check the RST flag in FreeBSD 4.7.

Simple DoS example: in FreeBSD, if you want to limit a host so it can only establish a maximum of 10 connections to your web server, you will add this rule:

ipfw add 100 allow tcp from any to any 80 limit src-addr 10

Unfortunately, if you want to make 211.1.1.1 unable to connect to your web site, just repeatedly generate 10 valid SYN packets to your web server within ipfw's SYN state lifetime (no need to finish the 3-way handshake). The real traffic from 211.1.1.1 to your web server will be dropped (by the default deny rule) because the dynamic states created by rule 100 have already reached the maximum (10 sessions).

If an attacker wants to reset the ESTABLISHED TCP connection from 211.1.1.1 to your web server, he can spoof TCP packets with source port 1024 to 65535, dst port 80, src ip = 211.1.1.1, dst ip = your web server, and finally with TCP flag RST. It works in ipfw!! For ipfw2, it seems that it may work! The sequence checking in ipfw2 still doesn't check completely like pf or ipfilter.

----- Original Message -----
From: "Jedi/Sector One" <[EMAIL PROTECTED]>
To: "NortonNg" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 17, 2003 5:46 PM
Subject: Re: source limit

> On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> > ipfw limit option is easy be DoS.
> > for example: ipfw add tcp from any to 80 limit 1000
>
> We're talking about src-addr, which enforces a limit per rule/source ip.
>
> It is only DOSable for the TCP protocol if you can spoof IP addresses
> and reliably predict TCP ISNs. There are a lot of arguments against this
> kind of limit, but per rule/source ip pairs are at least less DOSable than
> plain per rule limits.
>
> Or through a DDOS, but a firewall rule can hardly protect against this.
>
> --
>  __  /*-     Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
>  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
>   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
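An added example, not part of this thread and not ipfw's own code: a toy model of a firewall's dynamic-state table that contrasts a lookup matching on the 4-tuple alone with one that also requires a RST's sequence number to fall inside the receive window, the kind of check the message credits to pf and ipfilter. The addresses, ports, window and sequence values are constructed; 192.0.2.80 is a placeholder for the web server.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class State:
    """One dynamic state, keyed on the client-side 4-tuple (constructed model)."""
    src: str
    dst: str
    sport: int
    dport: int
    rcv_nxt: int   # next sequence number the firewall expects from the client
    window: int    # receive window the server last advertised


def seq_in_window(seq: int, rcv_nxt: int, window: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + window), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < window


class StateTable:
    """check_seq=False models a lookup that matches on the 4-tuple only."""
    def __init__(self, check_seq: bool):
        self.check_seq = check_seq
        self.states = {}

    def add(self, st: State) -> None:
        self.states[(st.src, st.dst, st.sport, st.dport)] = st

    def handle_rst(self, src, dst, sport, dport, seq) -> str:
        """Apply a RST segment to the table and report what happened."""
        key = (src, dst, sport, dport)
        st = self.states.get(key)
        if st is None:
            return "no-state"      # no dynamic state matches this 4-tuple
        if self.check_seq and not seq_in_window(seq, st.rcv_nxt, st.window):
            return "dropped"       # out-of-window RST: ignore it (and log it)
        del self.states[key]
        return "torn-down"         # RST accepted, dynamic state removed


def demo() -> dict:
    """Constructed scenario: 211.1.1.1 has an established session to a web
    server at placeholder address 192.0.2.80; rcv_nxt=1000000, window=65535."""
    results = {}
    for check in (False, True):
        tbl = StateTable(check_seq=check)
        for label, seq in (("far", 12345), ("in", 1000100)):
            tbl.add(State("211.1.1.1", "192.0.2.80", 40000, 80, 1000000, 65535))
            results[(label, check)] = tbl.handle_rst(
                "211.1.1.1", "192.0.2.80", 40000, 80, seq)
    return results
```

With the tuple-only table both RSTs tear the state down; with the window check only the in-window RST does, and the out-of-window one is a candidate for logging.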
