Bugtraq mailing list archives
Re: ipfilter denial of service problem
From: Darren Reed <avalon () coombs anu edu au>
Date: Tue, 7 Jan 2003 09:58:18 +1100 (Australia/ACT)
In some mail from Yiming Gong, sie said:
> Below is an ipfilter security issue, and my previous mail to author Darren was bounced back, so I think maybe I should mail it to this mailing list.
Actually, you consistently sent email to the wrong place, in the wrong manner. There's an email address posted on IPFilter's web page, and in the distribution, that you could have (and did not) sent email to about this.
> Overview -- Any time ipfilter sees a packet with the ACK bit set without the preceding SYN, it will mark it as TCPS_ESTABLISHED in its state table,
This only happens if you are using "keep state" rules without "flags S", and that is something that I (and others) actively discourage people from doing in general, unless they are doing it for a specific reason.
> and since ipfilter will soon notice the RESET packet sent back by the system application, it will then change its ttl in the state table to 1 minute. OK, that's good. But if an attacker sends a packet with the ACK bit set and a bad checksum, ipfilter will happily add an "ESTABLISHED" session into its state table which will wait 120 hours to time out instead of the normal 1 minute! So in this way an evil guy can easily destroy the network connection of any system with ipfilter installed in a few minutes!
This is not an IPFilter problem, per se, but a known limitation of using any limited resource to allocate state table sessions, and is not anything new to me (at least). In fact you don't even need to use that particular packet sequence to do it. This is being more properly addressed in upcoming versions of IPFilter. Presently, in order to combat this, IPFilter will go to more effort to free up state table entries if it detects the table is full.

Darren
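The mitigation Darren points to above, "keep state" combined with "flags S", looks like the following in ipf rule syntax. This is an added configuration example for readers of the archive, not a rule set from the post or from the IPFilter distribution; the interface name fxp0, the address 192.0.2.10 and the port are placeholder assumptions.

```conf
# Added example, not from the original post. Fragment of an ipf.conf
# rule file; fxp0, 192.0.2.10 and port 80 are assumed placeholders.

# WEAK (commented out): creates a state entry for any matching TCP
# packet, so a lone ACK that never had a SYN lands in the table as
# ESTABLISHED with the long timeout the report describes, and a
# bad-checksum ACK never draws the RST that would shorten that timeout.
# pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 keep state

# CORRECTED: "flags S" (short for flags S/FSRPAU) matches only packets
# with SYN set and FIN, RST, PSH, ACK and URG clear, so a state entry is
# created only by a genuine connection attempt. Stray ACKs do not match
# and fall through to the block rule below instead of consuming a slot.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state

# Everything else arriving on fxp0 is dropped and logged, so a flood of
# stateless ACKs shows up in the ipf log rather than silently filling
# the state table.
block in log quick on fxp0 all
```

After loading the rules, `ipfstat -s` shows the state table counters (active entries, hits and misses), which is the quickest way to confirm that unsolicited ACKs are no longer creating entries.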
Current thread:
- ipfilter denial of service problem Yiming Gong (Jan 21)
- Re: ipfilter denial of service problem Russ Dill (Jan 06)
- Re: ipfilter denial of service problem Darren Reed (Jan 06)