Subject: Re: PIX DMZ Denial of Service - TCP Resets
From: Darren Reed (avalon at COOMBS.ANU.EDU.AU)
Date: Tue Mar 21 2000 - 09:25:16 CST
- Next message: Johan Nilsson: "vqserver /........../"
- Previous message: Herve Debar: "Last call for paper - Raid 2000 - Deadline is March 31st"
- In reply to: Andrew Alston: "PIX DMZ Denial of Service - TCP Resets"
- Next in thread: Guido van Rooij: "Re: PIX DMZ Denial of Service - TCP Resets"
- Next in thread: Andrew Alston: "Re: PIX DMZ Denial of Service - TCP Resets"
- Reply: Darren Reed: "Re: PIX DMZ Denial of Service - TCP Resets"
- Reply: Guido van Rooij: "Re: PIX DMZ Denial of Service - TCP Resets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In some mail from Andrew Alston, sie said:
[...]
>
> On receiving a RST packet (TCP Reset) from a given host with the correct
> source and destination port, the PIX will drop the state entry for that
> particular connection, which means the TCP connection dies due to the fact
> that, with no state entry, the external box can no longer talk to the internal
> box.
[...]
> seq = rand() % time(NULL); /* Randomize our #'s */
> ack = rand() % time(NULL); /* Randomize ack #'s */
[...]
There have been many different ways in which it has been possible to
exercise this particular target, over the years. The general problem
here is that the PIX doesn't really provide connection security like
it should and if FW-1 is vulnerable to the same problem, then I should
be a millionaire (;-) by now.
The general gist of this problem is poorly implemented TCP connection
state tracking. You *must* track window sizes and sequence numbers
and acknowledgments to at least reduce the chance of any given TCP
packet from "outside" actually being part of that connection.
Darren
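The point Darren makes about state tracking, as an added example that is not part of this message or the thread: a toy connection tracker that keys state on the 4-tuple alone (and so tears down the entry on any RST with matching ports, the behaviour Andrew describes) next to one that also checks sequence and acknowledgment numbers against the windows the two endpoints advertised. The endpoints, sequence numbers, window sizes and the "random" seq/ack values are constructed; the ack-lag bound and the exact-sequence RST rule are simplifications of what a real tracker does, not a description of the PIX or of FW-1.

```python
"""Added example (not from the thread): a 4-tuple-only TCP state tracker versus one that
validates seq/ack against the advertised windows. All endpoints and numbers are constructed."""
from dataclasses import dataclass

WRAP = 1 << 32
INSIDE = ("192.0.2.10", 40000)    # constructed: host behind the firewall
OUTSIDE = ("203.0.113.5", 80)     # constructed: external peer


def in_window(seq, lo, win):
    """True if 32-bit seq lies in [lo, lo + win), with sequence-number wraparound."""
    return (seq - lo) % WRAP < win


@dataclass
class Segment:
    src: tuple            # (ip, port) of the sender
    dst: tuple            # (ip, port) of the receiver
    seq: int
    ack: int
    flags: frozenset
    payload_len: int = 0
    window: int = 8192    # receive window the sender advertises in this segment


@dataclass
class Side:
    next_seq: int   # next sequence number we expect this endpoint to send
    window: int     # receive window this endpoint last advertised


class NaiveTracker:
    """Keys state on the 4-tuple only: any RST with matching ports removes the entry."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def key(a, b):
        return frozenset((a, b))

    def track(self, a, b, a_seq, b_seq, window=8192):
        self.table[self.key(a, b)] = {a: Side(a_seq, window), b: Side(b_seq, window)}

    def inbound(self, seg):
        conn = self.table.get(self.key(seg.src, seg.dst))
        if conn is None:
            return "drop"
        if "RST" in seg.flags:
            del self.table[self.key(seg.src, seg.dst)]
            return "state-removed"
        return "pass"


class WindowTracker(NaiveTracker):
    """Also requires seq and ack to fit what the tracked endpoints have advertised."""

    def inbound(self, seg):
        k = self.key(seg.src, seg.dst)
        conn = self.table.get(k)
        if conn is None:
            return "drop"
        sender, receiver = conn[seg.src], conn[seg.dst]
        # Bytes from the sender must fall inside the window the receiver advertised.
        if not in_window(seg.seq, sender.next_seq, receiver.window):
            return "drop"
        # An ACK may not cover bytes the receiver has not sent, nor lag by more than one
        # window (simplified bound; real trackers keep a per-side unacknowledged edge).
        if "ACK" in seg.flags and not (((receiver.next_seq - seg.ack) % WRAP) <= sender.window):
            return "drop"
        if "RST" in seg.flags:
            # Strict rule in the spirit of RFC 5961: only an RST at exactly the expected
            # sequence number tears down state; an in-window-but-off RST leaves it alone.
            if seg.seq != sender.next_seq:
                return "drop"
            del self.table[k]
            return "state-removed"
        # Advance the sender's expected sequence number and record its advertised window.
        consumed = seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)
        sender.next_seq = (seg.seq + consumed) % WRAP
        sender.window = seg.window
        return "pass"


def run_scenario(tracker_cls):
    """Replays one legitimate data segment, then a RST carrying random-looking seq/ack
    numbers (the pattern quoted above). Returns the verdicts and whether state survived."""
    t = tracker_cls()
    t.track(INSIDE, OUTSIDE, a_seq=1000, b_seq=5000)
    legit = Segment(OUTSIDE, INSIDE, seq=5000, ack=1000,
                    flags=frozenset({"ACK"}), payload_len=100)
    forged = Segment(OUTSIDE, INSIDE, seq=0x7A3B9C1D, ack=0x13579BDF,
                     flags=frozenset({"RST"}))
    verdicts = [t.inbound(legit), t.inbound(forged)]
    alive = t.key(INSIDE, OUTSIDE) in t.table
    return verdicts, alive


if __name__ == "__main__":
    for cls in (NaiveTracker, WindowTracker):
        print(cls.__name__, run_scenario(cls))
```

Run as a script it prints the two verdict lists side by side: the naive tracker removes the entry on the forged RST, while the window-checking tracker drops it and keeps the connection, yet still honours a RST that arrives at the expected sequence number. The window check is only as good as the bookkeeping behind it: a tracker that never updates next_seq after passing data would reject legitimate traffic just as readily as forged traffic.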