Bugtraq mailing list archives

Re: Commercial stack fragility (Was RE: Cert Advisory 2002-03 and HP JetDirect)


From: Andrew M Hoerter <amh () POBOX COM>
Date: Fri, 1 Mar 2002 13:38:35 -0500


On Wed, 27 February 2002 A.D., Brewis, Mark wrote:

> Quite often these are commercial, off the peg TCP/IP stacks.  I have seen
> some dreadful examples, both in terms of fragility and of TCP sequence
> number generation.  I've seen sequential, sequential based on standard
> increments, and repeating sequences.
>
> [...]
>
> Compromise a network via the printers and you will have a network manager's
> attention.  The only problem lies in the paucity of solutions available to
> correct the issue.

Although it won't guard against attacks from within, one excellent
solution to this problem is an appropriately designed firewall.  The
latest release of OpenBSD[1] contains a new packet filter (`pf') which 
can help protect buggy TCP stacks.  Two features will be of interest:

*  The 'modulate state' directive, which causes a highly random initial
   sequence number to be substituted for those supplied by a less
   vigilant stack.

*  The 'scrub' directive, which causes full fragment reassembly and 
   other packet normalization to take place before delivery to possibly
   fragile stacks.

[1] http://www.openbsd.org/

-- 
"Everyone may openly covet everyone else's property, as long as he 
appeals to democracy; and everyone may act on his desire for another 
man's property, provided that he finds entrance into government."
       -- Hans-Hermann Hoppe
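The two pf features the reply points at, shown in a minimal ruleset. This is an added example, not part of the original post or of the OpenBSD project's documentation; it uses the pf.conf syntax of the pf generation discussed in the thread (OpenBSD 3.0/3.1; later releases moved `scrub` into `match` rules). The interface name, the printer subnet and the JetDirect-style raw print port are assumptions.

```pf
# Added example (not from the original post). Names and addresses are
# assumptions: $ext_if faces the untrusted network, $printers is the
# segment holding the print servers with the fragile TCP stacks.
ext_if   = "fxp0"
printers = "192.0.2.0/24"

# --- Weak rule: stateful, but the printer's own (possibly predictable)
# --- ISN is passed through unchanged, and IP fragments reach the printer
# --- unreassembled. Left commented out for comparison.
# pass in on $ext_if proto tcp from any to $printers port 9100 \
#     flags S/SA keep state

# --- Corrected ruleset ---

# Reassemble fragments and normalize packets on arrival, so a fragile
# stack behind the firewall never sees overlapping or malformed fragments.
scrub in all

# Default deny, logging what is dropped.
block in log all

# Print traffic: 'modulate state' substitutes a highly random initial
# sequence number for the one chosen by the print server's stack.
# 'flags S/SA' creates state only on the initial SYN.
pass in on $ext_if proto tcp from any to $printers port 9100 \
    flags S/SA modulate state

# Connections the printers open outward get the same treatment.
pass out on $ext_if proto tcp from $printers to any \
    flags S/SA modulate state
```

After loading the ruleset (`pfctl -f /etc/pf.conf`), `pfctl -s state` lists the modulated TCP states; a packet capture on the external side will show sequence numbers that no longer follow the printer stack's own pattern, while the printer itself sees its original numbering. Note that neither feature protects traffic that never crosses the firewall, which is the in-network limitation the reply acknowledges.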

