On Tue, 13 Dec 1994, david r coelho wrote:
> My first line of defense for our network uses a router to filter
> out all new TCP sessions (e.g. with SYN). We let in all established
> sessions, and then do additional filtering with a firewall. The
> idea is that the router lets anything go out, but only lets
> established sessions come in.
> My question is, is there a vulnerability whereby the established
> incoming TCP packet could be used to open a new TCP session
> (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> tight enough to reject these packets.
It would seem to me that if one host C were to snoop an active telnet
session, say between hosts A and B, grab a string of frames, spray the
receiving host B momentarily, then repeatedly spray host A (or knock down
host A by some other means) while resending the copied string of frames
and adding to them whatever one would like while also keeping the packet
signatures the same -- that whoever is behind host C could become
the new active session in place of A.
If the preceding BS is true, then what can any kind of firewall SW/HW
do to detect such an intrusion, short of encryption strategies?
Will FWTK detect such an intrusion?
> david r. coelho email: drc @
> personal productivity tools, inc
> 43000 christy street voice: (510) 440-3050
> fremont, ca 94538-3198 usa fax: (510) 770-0728
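The distinction the first question turns on, as an added example that is not part of the original thread: a filter that decides "established" from the flag bits of each inbound packet alone (the router rule described), beside a connection-tracking filter that admits inbound packets only for flows an inside host opened. Hosts, ports and flow tuples are constructed for the example.

```python
from dataclasses import dataclass
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (RFC 793)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "out" = sent by an inside host, "in" = arriving from outside

def stateless_established_filter(pkt):
    """The router rule in the question: anything may leave; an inbound packet passes
    only if it carries ACK or RST (the classic 'established' test), so a bare SYN is dropped."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & (ACK | RST))

class StatefulFilter:
    """Connection tracking: inbound passes only for a 4-tuple whose opening
    SYN an inside host sent earlier."""
    def __init__(self):
        self.conns = set()
    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # flow as the inside host sees it
        if key not in self.conns:
            return False
        if pkt.flags & (FIN | RST):  # session closing; stop tracking it
            self.conns.discard(key)
        return True

def compare_filters():
    """Constructed traffic: the SYN/ACK reply to an inside host's outbound telnet
    connection, and an ACK-only packet aimed at an inside telnet port with no prior SYN."""
    out_syn = Packet("10.0.0.5", 40000, "192.0.2.10", 23, SYN, "out")
    reply = Packet("192.0.2.10", 23, "10.0.0.5", 40000, SYN | ACK, "in")
    stray = Packet("203.0.113.7", 5555, "10.0.0.5", 23, ACK, "in")
    sf = StatefulFilter()
    sf.allow(out_syn)  # the inside host opens the connection first
    return {
        "reply_stateless": stateless_established_filter(reply),
        "reply_stateful": sf.allow(reply),
        "stray_stateless": stateless_established_filter(stray),
        "stray_stateful": sf.allow(stray),
    }
```

With the flag-only rule both the legitimate reply and the unsolicited ACK-only packet pass the router; the tracking filter passes only the reply.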