
List:       bugtraq
Subject:    Re: PIX DMZ Denial of Service - TCP Resets
From:       Guido van Rooij <Guido.vanRooij () NL ! ORIGIN-IT ! COM>
Date:       2000-03-27 11:57:43

On Wed, Mar 22, 2000 at 02:25:16AM +1100, Darren Reed wrote:
>
> The general gist of this problem is poorly implemented TCP connection
> state tracking.  You *must* track window sizes and sequence numbers
> and acknowledgments to at least reduce the chance of any given TCP
> packet from "outside" actually being part of that connection.
>

The current implementation of this in IPfilter will be covered in
a paper that is due for SANE2000 (http://www.nluug.nl/events/sane2000/).

The submitted paper can be found at
http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

Comments are welcome!

-Guido
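
Added example (not part of the message above, and not code from IPFilter or the referenced paper): a minimal sketch of the sequence, acknowledgment and window checks the quoted text calls for, which a forged TCP reset from "outside" has to pass before it can tear down a tracked connection. The struct, field and function names are hypothetical, and window scaling and SACK are assumed absent.

```c
#include <stdbool.h>
#include <stdint.h>

/* What the filter has learned from one endpoint's packets (hypothetical
 * layout; window scaling and SACK are left out to keep the case small). */
struct tcp_peer {
    uint32_t end;     /* highest seq + len this endpoint has sent */
    uint32_t ack;     /* highest ACK number this endpoint has sent */
    uint16_t win;     /* window this endpoint last advertised */
    uint16_t maxwin;  /* largest window it has ever advertised */
};

/* Sequence numbers wrap modulo 2^32, so compare via signed difference. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Can a segment claiming to come from src (any flags, RST included)
 * belong to the tracked connection between src and dst? */
bool segment_plausible(const struct tcp_peer *src, const struct tcp_peer *dst,
                       uint32_t seq, uint32_t len, bool has_ack, uint32_t ack)
{
    /* Upper bound: must not run past the window dst has offered. */
    if (!seq_leq(seq + len, dst->ack + dst->win))
        return false;
    /* Lower bound: retransmissions are fine, but not data older than
     * one full window behind what src has already sent. */
    if (!seq_leq(src->end - dst->maxwin, seq))
        return false;
    /* An ACK must not acknowledge bytes dst never sent. */
    if (has_ack && !seq_leq(ack, dst->end))
        return false;
    return true;
}

/* Update src's state from a segment that passed the check. */
void track_segment(struct tcp_peer *src, uint32_t seq, uint32_t len,
                   bool has_ack, uint32_t ack, uint16_t win)
{
    if (!seq_leq(seq + len, src->end))
        src->end = seq + len;
    if (has_ack && !seq_leq(ack, src->ack))
        src->ack = ack;
    src->win = win;
    if (win > src->maxwin)
        src->maxwin = win;
}
```

A filter that applies segment_plausible() to every packet, resets included, drops a reset whose sequence number was guessed without seeing the connection unless the guess happens to land inside the current window.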
