----- Original Message -----
From: "NortonNg" <[EMAIL PROTECTED]>
To: "Jedi/Sector One" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 17, 2003 12:43 PM
Subject: Re: source limit
> No need to predict TCP ISNs for ipfw!
> ipfw doesn't store any TCP ISN in ipfw dynamic state!!
> So a spoofed packet can easily reset the 'keep state' dynamic states if
> srcip, dstip, sport, dport match!
> For ipfw2, it does store ISN info, but it seems that the dynamic state lookup
> code doesn't check the RST flag in FreeBSD 4.7.
>
> Simple DoS example:
> In FreeBSD, if you want to limit a host to a maximum of 10 established
> connections to your web server,
> you will add this rule:
> ipfw add 100 allow tcp from any to any 80 limit src-addr 10
>
> Unfortunately, if you want to make 211.1.1.1 unable to connect to your web
> site, just repeatedly generate 10 valid SYN
> packets to your web server within ipfw's SYN state lifetime (no need to
> finish the 3-way handshake).
> The real traffic from 211.1.1.1 to your web server will be dropped (by the
> default deny rule) because
> the dynamic states created by rule 100 have already reached the maximum (10
> sessions).
>
> If an attacker wants to reset an ESTABLISHED TCP connection from 211.1.1. to
> your web server,
> he can spoof TCP packets with source port 1024 to 65535, dst port 80, src
> ip=211.1.1, dst ip = your web server,
> and finally with TCP flag RST. It works in ipfw!!
> For ipfw2, it seems that it may work! The sequence checking in ipfw2 still
> doesn't check completely like pf or ipfilter.
>
>
> ----- Original Message -----
> From: "Jedi/Sector One" <[EMAIL PROTECTED]>
> To: "NortonNg" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Monday, March 17, 2003 5:46 PM
> Subject: Re: source limit
>
>
> > On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> > > ipfw limit option is easy to DoS.
> > > for example: ipfw add tcp from any to 80 limit 1000
> >
> > We're talking about src-addr, which enforces a limit per rule/source ip.
> >
> > It is only DOSable for the TCP protocol if you can spoof IP addresses
> > and reliably predict TCP ISNs. There are a lot of arguments against this
> > kind of limit, but per rule/source ip pairs are at least less DOSable than
> > plain per rule limits.
> >
> > Or through a DDOS, but a firewall rule can hardly protect against this.
> >
> > --
> >  __  /*-     Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
> >  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
> >   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
>
>
Yes, probably, but we are talking about the high quality stateful filtering
with sequence numbers checking which pf does. Since pf already has this, then
if some day the src-addr limit feature is added it will use it too.

--
Cheers,
Niki
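As an added illustration (not code from this thread, nor from ipfw or pf), here is a toy model of a state table keyed on the 4-tuple with a per-source limit like `limit src-addr 10`, run once with 4-tuple-only matching and once with a pf-style sequence-window check on existing flows; the addresses, ports, sequence numbers and the window size are constructed assumptions. It shows that the window check leaves state untouched for an RST whose sequence number is out of window, while the per-source limit is still exhausted by half-open SYN states either way.

```python
# Toy model of a 'keep-state' table keyed on (src, dst, sport, dport); constructed, not ipfw/pf code.
from dataclasses import dataclass
WINDOW = 65535  # assumed receive window for the sequence check

@dataclass
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # subset of "SR": SYN, RST
    seq: int = 0

class StateTable:
    def __init__(self, limit_per_src: int, check_seq: bool):
        self.states = {}            # 4-tuple -> next expected sequence number
        self.limit = limit_per_src  # models 'limit src-addr N'
        self.check_seq = check_seq  # False: 4-tuple only; True: pf-style window check

    def _count_src(self, src: str) -> int:
        return sum(1 for k in self.states if k[0] == src)

    def process(self, p: Pkt) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        expected = self.states.get(key)
        if expected is None:
            # Only a SYN creates state, and only while the source is under its limit.
            if "S" not in p.flags or self._count_src(p.src) >= self.limit:
                return "deny"
            self.states[key] = p.seq + 1
            return "allow"
        if self.check_seq and not expected <= p.seq < expected + WINDOW:
            return "drop"  # out-of-window segment: state is left untouched
        if "R" in p.flags:
            del self.states[key]  # an in-window RST tears the state down
            return "reset"
        return "allow"

def run(check_seq: bool) -> dict:
    t = StateTable(limit_per_src=10, check_seq=check_seq)
    srv, client = "10.0.0.80", "211.1.1.1"  # constructed addresses
    t.process(Pkt(client, srv, 40000, 80, "S", seq=1000))  # real client, ISN 1000
    # Forged RST on the same 4-tuple with a sequence number the forger did not know.
    rst = t.process(Pkt(client, srv, 40000, 80, "R", seq=0))
    # Half-open SYN states count against the limit; once it is full, real SYNs are denied.
    for port in range(50000, 50010):
        t.process(Pkt(client, srv, port, 80, "S", seq=1))
    late_syn = t.process(Pkt(client, srv, 50010, 80, "S", seq=1))
    return {"rst": rst, "state_kept": (client, srv, 40000, 80) in t.states, "late_syn": late_syn}
```

`run(False)` models the 4-tuple-only behaviour the thread describes and `run(True)` the sequence-checked one; the limit exhaustion result is the same in both.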
