[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: source limit



not need to predirect TCP ISNs for ipfw !
ipfw doesn't store any TCP ISN in ipfw dynamic state!!
so, the spoofing packet is easy to reset the 'keep state' dynamic states if
srcip,dstip,sport,dport matched!
for ipfw2, it has store ISN info but it seem that the lookup dynamic state
code doesn't check RST flag in freebsd 4.7.
simple DoS example:
in freebsd, if you want to limit a host can only established maximum 10
connection to your web server,
you will add this rule:
ipfw add 100 allow tcp from any to any 80 limit src-addr 10
unfortunately, if you want to let 211.1.1.1 unable to connect to your web
site. just repeatly generate 10 valid SYN
packets to your web server in SYN state lifetime of ipfw.  (not needed to
finish 3 way handshake).
The real traffic from 211.1.1.1 to your web server will be drop (by default
deny rule) because of
dynamic states created by rule 100 already reached the maximum (10
sessions).
if attacker want to reset the ESTABLISHED TCP connection from 211.1.1. to
your web server.
he can spoof  TCP  packet with source port 1024 to 65535 , dst port 80, src
ip=211.1.1 , dst ip = your web server.
and finally with TCP flags RST. It work in ipfw!!
for ipfw2. it seems that it may work!  the sequence checking in ipfw2 still
doesn't check completely like pf or ipfilter.
----- Original Message -----
From: "Jedi/Sector One" <j@pureftpd.org>
To: "NortonNg" <norton@iss.com.tw>
Cc: <pf@benzedrine.cx>
Sent: Monday, March 17, 2003 5:46 PM
Subject: Re: source limit
> On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> > ipfw limit option is easy be DoS.
> > for example: ipfw add tcp from any to 80 limit 1000
>
>   We're talking about src-addr, which enforces a limit per rule/source ip.
>
>   It is only DOSable for the TCP protocol if you can spoof IP addresses
> and reliably predict TCP ISNs. There are a lot of arguments against this
> kind of limit, but per rule/source ip pairs are at least less DOSable than
> plain per rule limits.
>
>   Or through a DDOS, but a firewall rule can hardly protect against this.
>
> --
>  __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\
__
>  \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \'
/
>   \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/
>