Re: ipfilter denial of service problem

[Darren Reed <avalon () coombs anu edu au>]

In some mail from Yiming Gong, sie said:
> Below is an ipfilter security issue, and my previous mail to author
> Darren was bounced back, so I think maybe I should mail it to this
> mailing list.

Actually, you consistently sent email to the wrong place, in the wrong
manner.  There's an email address posted on IPFilter's web page, along
with in the distribution that you could of (and did not) send email to
about this.

> Overview
> --
> Anytime ipfilter see a packet with ACK bit set without the previous SYN,
> it will marked it as TCPS_ESTABLISHED in it's state table,

This only happens if you are using "keep state" rules without "flags S"
and that is something that I (and others) actively discourage people
from doing, in general unless they are doing it for a specific reason.

> and for
> ipfilter will soon notice the RESET packet send back by the system
> application, it will then change it's ttl in state table to 1 minute,OK,
> it's good.
>
> But If an attact send packet with ACK bit set and bad checksum, ipfilter
> will happily add an "ESTABLISHED" session into it's state table which
> will wait 120 hours to timeout instead of the normal 1 minutes!
>
> So using this way an evil guy can easily  destroy  the network
> connection of any system with ipfilter installed in a few minutes!

This is not an IPFilter problem, per se, but a known limitation of
using any limited resource to allocate state table sessions and is
not anything new to me (at least).  In fact you don't even need to
use that particular packet sequence to do it.  This is being more
properly addressed in upcoming versions of IPFilter.

Presently, in order to combat this, IPFilter will goto more effort
to free up state table entries if it detects the table is full.

Darren