
Re: source limit



----- Original Message -----
From: "NortonNg" <norton@iss.com.tw>
To: "Jedi/Sector One" <j@pureftpd.org>
Cc: <pf@benzedrine.cx>
Sent: Monday, March 17, 2003 12:43 PM
Subject: Re: source limit
> No need to predict TCP ISNs for ipfw!
> ipfw doesn't store any TCP ISN in ipfw dynamic state!!
> So a spoofed packet can easily reset the 'keep state' dynamic states if
> srcip, dstip, sport, dport match!
> For ipfw2, it does store ISN info, but it seems that the dynamic state lookup
> code doesn't check the RST flag in FreeBSD 4.7.
>
> Simple DoS example:
> In FreeBSD, if you want to limit a host to a maximum of 10 established
> connections to your web server,
> you will add this rule:
> ipfw add 100 allow tcp from any to any 80 limit src-addr 10
>
> Unfortunately, if you want to make 211.1.1.1 unable to connect to your web
> site, just repeatedly generate 10 valid SYN
> packets to your web server within the SYN state lifetime of ipfw (no need to
> finish the 3-way handshake).
> The real traffic from 211.1.1.1 to your web server will be dropped (by the
> default deny rule) because the
> dynamic states created by rule 100 have already reached the maximum (10
> sessions).
>
> If the attacker wants to reset an ESTABLISHED TCP connection from 211.1.1. to
> your web server,
> he can spoof TCP packets with source port 1024 to 65535, dst port 80, src
> ip=211.1.1, dst ip = your web server,
> and finally with TCP flag RST. It works in ipfw!!
> For ipfw2, it seems that it may work! The sequence checking in ipfw2 still
> doesn't check completely like pf or ipfilter.
>
>
> ----- Original Message -----
> From: "Jedi/Sector One" <j@pureftpd.org>
> To: "NortonNg" <norton@iss.com.tw>
> Cc: <pf@benzedrine.cx>
> Sent: Monday, March 17, 2003 5:46 PM
> Subject: Re: source limit
>
>
> > On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> > > The ipfw limit option is easy to DoS.
> > > for example: ipfw add tcp from any to 80 limit 1000
> >
> >   We're talking about src-addr, which enforces a limit per rule/source
> > ip.
> >
> >   It is only DOSable for the TCP protocol if you can spoof IP addresses
> > and reliably predict TCP ISNs. There are a lot of arguments against this
> > kind of limit, but per rule/source ip pairs are at least less DOSable
> > than plain per rule limits.
> >
> >   Or through a DDOS, but a firewall rule can hardly protect against
> > this.
> >
> > --
> >  __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\__
> >  \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>  \'/
> >   \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
> >
>
>
Yes, probably,
but we are talking about the high-quality stateful filtering with
sequence number checking which pf does.
Since pf already has this, then if some day the src-addr limit feature is
added it will use it too.
--
Cheers,
Niki
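As an added illustration of the point this thread turns on (not code from the thread, from pf or from ipfw): a toy state tracker that runs either as a tuple-only lookup, which is how NortonNg describes ipfw's dynamic states, or with a simplified window check standing in for the sequence tracking pf does. The hosts, ports, sequence numbers and the 65535 window are constructed assumptions.

```python
from collections import namedtuple

WINDOW = 65535  # assumed window for the toy model; 32-bit wraparound is not handled
Pkt = namedtuple("Pkt", "src dst sport dport flags seq")  # flags: subset of "SAR"

class Tracker:
    """State table keyed on the client->server 4-tuple. check_seq=False is a
    tuple-only lookup (the ipfw behaviour described above); check_seq=True also
    requires seq to fall in the handshake-learned window, a simplified pf-like check."""

    def __init__(self, check_seq):
        self.check_seq = check_seq
        self.states = {}  # client tuple -> {"c": next client seq, "s": next server seq}

    def handle(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":  # client SYN creates a state
            self.states[fwd] = {"c": p.seq + 1, "s": None}
            return "pass"
        if fwd in self.states:
            owner, side = fwd, "c"
        elif rev in self.states:
            owner, side = rev, "s"
        else:
            return "drop"  # no matching state: default deny
        st = self.states[owner]
        if side == "s" and st["s"] is None:  # server side not yet learned
            if p.flags == "SA":
                st["s"] = p.seq + 1
                return "pass"
            return "drop"
        if self.check_seq and not (st[side] <= p.seq < st[side] + WINDOW):
            return "drop"  # sequence number does not belong to this session
        if "R" in p.flags:
            del self.states[owner]  # an accepted RST tears the state down
        return "pass"

def run(check_seq, packets):
    t = Tracker(check_seq)
    return [t.handle(p) for p in packets]

# Constructed sample: handshake, a same-tuple RST with a seq the session never used, then real data.
SAMPLE = [
    Pkt("211.1.1.1", "10.0.0.80", 40000, 80, "S", 1000),
    Pkt("10.0.0.80", "211.1.1.1", 80, 40000, "SA", 5000),
    Pkt("211.1.1.1", "10.0.0.80", 40000, 80, "A", 1001),
    Pkt("211.1.1.1", "10.0.0.80", 40000, 80, "R", 777777),
    Pkt("211.1.1.1", "10.0.0.80", 40000, 80, "A", 1001),
]
```

With the tuple-only lookup the fourth packet tears the state down and the legitimate fifth packet is dropped; with the window check the fourth packet is rejected and the session survives.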