Great Circle Associates Firewalls
(November 1993)

Subject: Re: setting up a Cisco
From: Craig Metz <cmetz@thor.tjhsst.edu>
Date: Thu, 25 Nov 1993 20:48:12 EST
To: firewalls@greatcircle.com
Cc: jimc@jts.com
In-reply-to: Your message of "Thu, 25 Nov 1993 09:17:42 EST." <9311251417.AA03687@lemon.jts.com>

In message <9311251417.AA03687@lemon.jts.com>, you write:
>I have the following concern:  The "established" keyword is supposed to
>prevent connections unless the ACK or RST bits are set.  Is it possible
>that someone can spoof/fake/munge a connection by hacking said bits?
>
>My understanding of TCP says "no", but my paranoia says "watch out!"

	The destination host of a TCP packet should either drop such a 
spoofed packet or possibly send a packet that would terminate the connection.
But there is no way to initiate and/or sustain a connection this way so that
real data could flow. There still remains the possibility of denial-of-service
type attacks that would have no particular use for return packets. I have
always wondered at the realistic possibility of such attacks in practical 
setups (if your site has a 56k line, for instance... from the standpoint of
bare IP transport and TCP without connections, is there any way you could do
this? It seems to me that only a badly designed system wouldn't be able to
handle the load, and so it would be only a matter of system bugs), but your
level of paranoia will determine your firewall needs.

	On another side note, you should figure in the human factors involved
with such a setup. I have worked at a site that used something to this effect,
and it creates a lot of headaches when novice users can't understand why they
can telnet and send mail out, but FTP won't work. On the other hand, it at
least allows some commonly used things like telnet to be run from PC- or Mac-
based clients that are easier to use than their *IX counterparts.

								-Craig
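As an added illustration (not code from the original thread), here is a small Python model of the "established" check discussed above, together with the destination host's reaction to the segments that check lets through; the port numbers, the `pending` set and the outcome labels are assumptions. It also shows why the active-mode FTP data connection Craig mentions fails under this filter.

```python
from typing import Set

# TCP control bits, as laid out in the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10

def established_permits(flags: int) -> bool:
    """The Cisco 'established' check: inbound TCP passes only if ACK or RST
    is set, so a bare SYN (a connection request) never reaches the inside."""
    return bool(flags & (ACK | RST))

def inbound_outcome(flags: int, dst_port: int, pending: Set[int]) -> str:
    """What happens to one inbound segment aimed at an inside host.
    `pending` (an assumed simplification of TCP state) holds local ports on
    which the inside host itself opened a connection, i.e. a SYN already went
    outbound. Returns one of: 'blocked', 'rst_sent', 'dropped', 'accepted'."""
    if not established_permits(flags):
        return "blocked"            # stopped at the router
    if dst_port in pending:
        return "accepted"           # reply to a connection we initiated
    # No connection for this port (LISTEN or CLOSED): RFC 793 says an
    # incoming RST is silently discarded and any other segment carrying
    # ACK gets a RST back. Neither creates or sustains a connection.
    return "dropped" if flags & RST else "rst_sent"

def demo() -> dict:
    """Constructed scenarios: an inside client has opened an outbound telnet
    session from local port 1025; everything else arrives unsolicited."""
    pending = {1025}
    return {
        # spoofed ACK to the telnet port: passes the ACL but only earns a RST
        "spoofed_ack": inbound_outcome(ACK, 23, pending),
        # spoofed RST: passes the ACL, then discarded; nothing is held open
        "spoofed_rst": inbound_outcome(RST, 23, pending),
        # real connection attempt: never gets past the router
        "syn": inbound_outcome(SYN, 23, pending),
        # SYN+ACK answering our outbound telnet: ACK set, matches a pending port
        "telnet_reply": inbound_outcome(SYN | ACK, 1025, pending),
        # active-mode FTP: the server opens the data connection with a SYN
        # toward the client, which is exactly what 'established' blocks
        "ftp_data": inbound_outcome(SYN, 1026, pending),
    }
```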
