Re: source limit
----- Original Message -----
From: "NortonNg" <email@example.com>
To: "Jedi/Sector One" <firstname.lastname@example.org>
Sent: Monday, March 17, 2003 12:43 PM
Subject: Re: source limit
> No need to predict TCP ISNs for ipfw!
> ipfw doesn't store any TCP ISN in its dynamic state!!
> So a spoofed packet can easily reset the 'keep state' dynamic states once
> srcip, dstip, sport and dport match!
> For ipfw2, it does store ISN info, but it seems that the dynamic state lookup
> code doesn't check the RST flag in FreeBSD 4.7.
> Simple DoS example:
> In FreeBSD, if you want to limit a host to a maximum of 10 established
> connections to your web server,
> you will add this rule:
> ipfw add 100 allow tcp from any to any 80 limit src-addr 10
> Unfortunately, if you want to make 188.8.131.52 unable to connect to your web
> site, just repeatedly generate 10 valid SYN
> packets to your web server within the SYN state lifetime of ipfw. (No need to
> finish the 3-way handshake.)
> The real traffic from 184.108.40.206 to your web server will be dropped (by
> the deny rule) because the
> dynamic states created by rule 100 have already reached the maximum (10
> If the attacker wants to reset the ESTABLISHED TCP connection from 211.1.1. to
> your web server,
> he can spoof TCP packets with source port 1024 to 65535, dst port 80,
> ip=211.1.1, dst ip = your web server,
> and finally with the TCP RST flag. It works in ipfw!!
> For ipfw2, it seems that it may work too! The sequence checking in ipfw2
> isn't as complete as pf's or ipfilter's.
> ----- Original Message -----
> From: "Jedi/Sector One" <email@example.com>
> To: "NortonNg" <firstname.lastname@example.org>
> Cc: <email@example.com>
> Sent: Monday, March 17, 2003 5:46 PM
> Subject: Re: source limit
> > On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> > > The ipfw limit option is easy to DoS.
> > > for example: ipfw add tcp from any to 80 limit 1000
> > We're talking about src-addr, which enforces a limit per rule/source
> > It is only DoSable for the TCP protocol if you can spoof IP addresses
> > and reliably predict TCP ISNs. There are a lot of arguments against this
> > kind of limit, but per rule/source IP pairs are at least less DoSable than
> > plain per-rule limits.
> > Or through a DDoS, but a firewall rule can hardly protect against
> > --
> > __ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\
> > \ '/ http://www.PureFTPd.Org/ Secure FTP Server
> > \/ http://www.Jedi.Claranet.Fr/ Misc. free software
But we are talking about the high-quality stateful filtering with
sequence number checking which pf does.
Since pf already has this, if some day the src-addr limit feature is
added, it will use it too.
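The two failure modes argued over in this thread, modelled in a small Python state table. This is an added illustration written for this page, not ipfw or pf source: the addresses (192.0.2.10 for the web server, 198.51.100.7 for the client being attacked) and the per-source limit of 10 are constructed, the attacker's sequence-number guesses are a deterministic spread so the run is repeatable, and the pf-style check is reduced to "RST sequence number must fall inside the window the state expects from that peer", which is a simplification of what pf really tracks.

```python
"""Toy model of a stateful firewall's dynamic-state table.

Illustrates (1) 'limit src-addr N' counting half-open states, so N unanswered
SYNs carrying a spoofed source lock that source out of the rule, and (2) a RST
matching only the 4-tuple tearing down state unless the firewall also checks
the sequence number against the tracked window. Added example, not ipfw/pf code.
"""

LIMIT_PER_SRC = 10          # as in 'ipfw add 100 allow tcp ... limit src-addr 10'
WEB = "192.0.2.10"          # constructed web server address
VICTIM = "198.51.100.7"     # constructed client the attacker locks out / resets
OTHER = "198.51.100.8"      # constructed unrelated client
VICTIM_ISN = 1000           # constructed ISN of the victim's real connection
VICTIM_PORT = 40000         # constructed source port of that connection


class StateTable:
    """Dynamic states keyed by (src, sport, dst, dport)."""

    def __init__(self, limit_per_src, check_seq):
        self.limit = limit_per_src
        self.check_seq = check_seq      # False: 4-tuple only; True: pf-style window
        self.states = {}

    def _count_for(self, src):
        return sum(1 for key in self.states if key[0] == src)

    def on_syn(self, src, sport, dst, dport, seq, window=65535):
        """SYN hits the 'allow ... limit src-addr' rule. A state is created even
        though the handshake never completes (it lives for the SYN state lifetime)."""
        if self._count_for(src) >= self.limit:
            return "deny"               # rule refuses; packet falls through to deny
        self.states[(src, sport, dst, dport)] = {
            "established": False,
            # window of sequence numbers accepted from this peer (simplified)
            "seq_lo": seq + 1,
            "seq_hi": seq + 1 + window,
        }
        return "allow"

    def on_rst(self, src, sport, dst, dport, seq):
        """RST from the client side. Without sequence checking any 4-tuple match
        removes the state; with it, the RST must sit inside the expected window."""
        key = (src, sport, dst, dport)
        state = self.states.get(key)
        if state is None:
            return "no-state"
        if self.check_seq and not (state["seq_lo"] <= seq <= state["seq_hi"]):
            return "drop"               # out of window: state survives
        del self.states[key]
        return "state-removed"


def syn_exhaustion(limit=LIMIT_PER_SRC):
    """Attacker sends `limit` SYNs with VICTIM's spoofed source and never
    completes the handshake. Returns the verdicts for VICTIM's real SYN and
    for an unrelated client, showing the limit is per source address."""
    table = StateTable(limit, check_seq=False)
    for i in range(limit):
        table.on_syn(VICTIM, 1024 + i, WEB, 80, seq=i)   # spoofed, half-open
    return {
        "victim": table.on_syn(VICTIM, 50000, WEB, 80, seq=7),
        "other": table.on_syn(OTHER, 50000, WEB, 80, seq=7),
    }


def _established_victim(check_seq):
    table = StateTable(LIMIT_PER_SRC, check_seq)
    table.on_syn(VICTIM, VICTIM_PORT, WEB, 80, seq=VICTIM_ISN)
    key = (VICTIM, VICTIM_PORT, WEB, 80)
    table.states[key]["established"] = True
    return table, key


def blind_rst_sweep(check_seq):
    """Attacker knows both IPs and dst port 80 but neither the source port nor
    the sequence number: sprays RSTs over ports 1024-65535 with guessed seqs.
    Returns True if the victim's established state was torn down."""
    table, key = _established_victim(check_seq)
    for sport in range(1024, 65536):
        guess = (sport * 2654435761) & 0xFFFFFFFF   # deterministic "random" guess
        table.on_rst(VICTIM, sport, WEB, 80, seq=guess)
    return key not in table.states


def informed_rst(check_seq):
    """Attacker who can predict the ISN (the case Jedi/Sector One raises)
    sends one RST inside the window; this works even with sequence checking."""
    table, key = _established_victim(check_seq)
    table.on_rst(VICTIM, VICTIM_PORT, WEB, 80, seq=VICTIM_ISN + 1)
    return key not in table.states


if __name__ == "__main__":
    print("limit src-addr after 10 spoofed SYNs:", syn_exhaustion())
    print("blind RST sweep, 4-tuple only :", blind_rst_sweep(check_seq=False))
    print("blind RST sweep, seq checked  :", blind_rst_sweep(check_seq=True))
    print("RST with predicted ISN, seq checked:", informed_rst(check_seq=True))
```

The sweep shows why the first poster says ISN prediction is unnecessary against a table that matches only the 4-tuple, and why sequence checking pushes the attacker back to the harder problem of guessing the ISN, which the informed_rst case still succeeds at. Note that sequence checking does nothing for the SYN-exhaustion case: the half-open states are created by valid SYNs, so the per-source limit itself is what the spoofed SYNs abuse.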