Firewall Wizards mailing list archives

TCP DoS attack


From: "Ravi Kumar" <ravivsn () rocsys com>
Date: Mon, 25 Oct 2004 23:20:15 +0530 (IST)

Hi,
One of my colleagues is testing a firewall product. He has written a
program which disconnects the TCP connection. This is the setup.

PC (TCPClient)----------Firewall-----------------------------PC(Server)
                                                            |
                                                            |
                                                       Compromised Device


The test program does the following.
-        Reads the packets on the wire
-        If it is a TCP SYN packet, it immediately sends a TCP packet with SYN
with its own Initial Sequence Number and ACK with the client's sequence number.

Behavior on PC(TCP Client):
-        It is observed that the actual TCP connection to the server succeeds
only 30 to 40% of the time.



We feel that if the SYN+ACK packet from the server goes first, then the connection
gets established.

For this attack to succeed, the attacker should be able to see the traffic.
How real is this threat?
We tried to convince ourselves that this is not a realistic threat in the
sense that all devices would be protected in the path. If this is the case,
what is the need for IPSec, which indicates that it is needed to protect
traffic?

Comments?
I guess firewalls in between can't do much against this kind of DoS attack.
It might, at most, detect some anomaly.
What could be the solution? IPSec between Client and Server OR firewall and
Server network?

Thanks
Ravi


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
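The anomaly the post mentions is detectable from the handshake itself: a legitimate server answers a given SYN with one Initial Sequence Number (retransmitted SYN+ACKs reuse it), so two SYN+ACKs for the same connection with different ISNs, or a SYN+ACK that acknowledges the wrong client sequence number, is a sign that something on the path is injecting replies. The following is an added example, not code from the original post: a small detector that replays constructed packet records (the addresses, ports, timestamps and sequence numbers are made up for the example) and reports such conflicts.

```python
# Added example (not from the original post): flag the SYN+ACK race
# described on the list. Packet records are constructed tuples, not captures.
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed sample: (timestamp, src_ip, src_port, dst_ip, dst_port, flags, seq, ack)
# Flow A (client port 40000): two SYN+ACKs with different ISNs -> suspicious.
# Flow B (client port 40001): a normal three-way handshake -> clean.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.2", 40000, "10.0.0.5", 80, SYN,        1000,    0),
    (0.002, "10.0.0.5", 80, "10.0.0.2", 40000, SYN | ACK,  5000, 1001),
    (0.010, "10.0.0.5", 80, "10.0.0.2", 40000, SYN | ACK, 77777, 1001),
    (0.020, "10.0.0.2", 40001, "10.0.0.5", 80, SYN,        2000,    0),
    (0.025, "10.0.0.5", 80, "10.0.0.2", 40001, SYN | ACK,  9000, 2001),
    (0.027, "10.0.0.2", 40001, "10.0.0.5", 80, ACK,        2001, 9001),
]


def detect_synack_race(packets):
    """Return a list of alert dicts for handshakes with conflicting replies.

    Flows are keyed from the client's perspective:
    (client_ip, client_port, server_ip, server_port).
    """
    client_isn = {}                 # flow -> ISN the client sent in its SYN
    server_isns = defaultdict(set)  # flow -> set of ISNs seen in SYN+ACKs
    alerts = []

    for ts, sip, sport, dip, dport, flags, seq, ack in packets:
        if flags == SYN:
            client_isn[(sip, sport, dip, dport)] = seq
        elif flags == SYN | ACK:
            flow = (dip, dport, sip, sport)
            if flow not in client_isn:
                alerts.append({"ts": ts, "flow": flow,
                               "reason": "SYN+ACK without preceding SYN"})
                continue
            # A genuine SYN+ACK acknowledges client ISN + 1.
            if ack != client_isn[flow] + 1:
                alerts.append({"ts": ts, "flow": flow,
                               "reason": "SYN+ACK acks wrong sequence number"})
                continue
            # Same ISN again is a normal retransmit; a new ISN is a second,
            # conflicting responder for the same handshake.
            if server_isns[flow] and seq not in server_isns[flow]:
                alerts.append({"ts": ts, "flow": flow,
                               "reason": "conflicting SYN+ACK ISNs",
                               "isns": sorted(server_isns[flow] | {seq})})
            server_isns[flow].add(seq)

    return alerts


if __name__ == "__main__":
    for alert in detect_synack_race(SAMPLE_PACKETS):
        print(alert)
```

The check runs equally well on a firewall that sees both directions of the handshake or on a passive sensor on the server segment; it cannot tell which of the two SYN+ACKs was the genuine one, only that the handshake had more than one responder, which is the "anomaly" a firewall could raise. It does not help when the injected reply is the only one the client ever sees, which is why the post's question about protecting the path (IPSec or otherwise) still stands.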

