If you'll excuse me for digging this back up, there was one other
reason to send back TCP RSTs in response to "strange" TCP packets
(rather than just ignoring them), and that is to stop miscreants from
using your firewall as a helping hand in launching an IP spoofing
attack.
With "silent" dropping of SYN-ACK packets not destined for any
specific port, inbound to you with tight packet filtering policies,
it is possible for an "attacker" to use this to his advantage in
building an IP spoofing attack - no need to jam up a particular
(open) TCP port. As far as I know, only Cisco and Livingston (?)
make particular use of an "established" type filter keyword that
uses the SYN-ACK packet.
This is generally only useful if the miscreant is only concerned with
generating false information (such as sending fake mail, etc) but has
other potential.
darren
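As an added illustration of the point made in the post above (this is not part of darren's message, and not anyone's production code), here is a small Python model of the blind TCP spoofing exchange. The attacker forges a SYN from host S to target T, never sees T's SYN-ACK, and completes the handshake with a guessed sequence number. Whether that works turns on what the real S does with the unsolicited SYN-ACK: answer with a RST, which tears down T's half-open state, or silently drop it, which leaves the half-open connection for the attacker to finish. The host names T and S, the SMTP port, the fixed initial sequence number standing in for a predictable ISN, and the "rst"/"silent" policy names are all assumptions of this model.

```python
# Constructed model of blind TCP spoofing against a silently-dropping vs.
# RST-sending spoofed host. Names, ports and sequence numbers are made up.
from dataclasses import dataclass

SMTP = 25  # the post's example use is "sending fake mail"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


def seg(src, dst, sport, dport, *flags, seq=0, ack=0, payload=b""):
    return Segment(src, dst, sport, dport, frozenset(flags), seq, ack, payload)


class Target:
    """Host T: a minimal listener with a half-open connection table. The
    constant ISN stands in for the predictable ISNs that made blind spoofing
    practical; that predictability is an assumption of this model."""

    def __init__(self, name, port, isn):
        self.name, self.port, self.isn = name, port, isn
        self.half_open = {}       # (peer, peer port) -> ISN we sent in SYN-ACK
        self.established = set()
        self.received = []        # payload accepted on established connections

    def receive(self, s):
        if s.dport != self.port:
            return []
        key = (s.src, s.sport)
        if "RST" in s.flags:
            # the peer says it never asked for this: tear the state down
            self.half_open.pop(key, None)
            self.established.discard(key)
            return []
        if s.flags == {"SYN"}:
            self.half_open[key] = self.isn
            return [seg(self.name, s.src, self.port, s.sport, "SYN", "ACK",
                        seq=self.isn, ack=s.seq + 1)]
        if "ACK" in s.flags and key in self.half_open:
            if s.ack == self.half_open[key] + 1:   # third leg of the handshake
                del self.half_open[key]
                self.established.add(key)
            return []
        if key in self.established and s.payload:
            self.received.append(s.payload)
        return []


class SpoofedHost:
    """Host S, whose address the attacker borrows. It has no connection to T,
    so the SYN-ACK is unsolicited; the firewall policy decides its fate."""

    def __init__(self, name, policy):
        assert policy in ("rst", "silent")
        self.name, self.policy = name, policy

    def receive(self, s):
        unsolicited_synack = {"SYN", "ACK"} <= s.flags
        if unsolicited_synack and self.policy == "rst":
            # normal TCP behaviour: a SYN-ACK for a connection we never opened
            # draws a RST carrying the sequence number we were ACKed with
            return [seg(self.name, s.src, s.dport, s.sport, "RST", seq=s.ack)]
        return []   # "silent" drop: T never learns that S did not start this


def deliver(hosts, queue):
    """Drain the queue, delivering each segment and enqueueing any replies."""
    while queue:
        s = queue.pop(0)
        queue.extend(hosts[s.dst].receive(s))


def blind_spoof(policy, isn=4000):
    """Run the attack against a spoofed host using the given firewall policy.
    Returns True if T ends up with an established connection from S and
    accepted the attacker's forged payload on it."""
    T = Target("T", SMTP, isn)
    hosts = {"T": T, "S": SpoofedHost("S", policy)}
    sport = 40000
    # 1. attacker forges a SYN from S. T's SYN-ACK goes to the real S, which
    #    either RSTs the half-open connection or says nothing. The RST is
    #    modelled as arriving before the attacker's next packet.
    deliver(hosts, [seg("S", "T", sport, SMTP, "SYN", seq=1000)])
    # 2. attacker never sees the SYN-ACK and must guess T's ISN (here: knows it)
    deliver(hosts, [seg("S", "T", sport, SMTP, "ACK", seq=1001, ack=isn + 1)])
    # 3. attacker pushes forged application data as if it were S
    deliver(hosts, [seg("S", "T", sport, SMTP, "ACK", "PSH", seq=1001,
                        ack=isn + 1, payload=b"MAIL FROM:<forged@example>\r\n")])
    return ("S", sport) in T.established and bool(T.received)


if __name__ == "__main__":
    for policy in ("silent", "rst"):
        print(f"spoofed host policy {policy!r}: "
              f"forged session established = {blind_spoof(policy)}")
```

With the "rst" policy the attacker would have to keep S from answering, for example by jamming the port S would reply from; with the "silent" policy that step disappears, which is the helping hand the post describes.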