
Re: syn-proxy & application-level-proxy



> So we gain:
> 1) only 2 TCP connections handled by syn-proxy:
> client <-tcp-> syn-proxy <-tcp-> server
> 2) the possibility to write a filter for the application protocol without handling the
> connection (no sockets or other parts to rewrite).
You have two options to get data from a TCP connection.  You either
terminate both endpoints so there are technically two connections (client
to you, and you to server).  This is what you get by the rdr to
localhost.
The other option is to passively look at the traffic stream.  This
is *hard* since you have to decide how the other endpoint will
reassemble the data or you have to reassemble the data yourself before
reconstructing it and sending it to the other endpoint.  The second is
what the "reassemble tcp" scrub modifier will eventually do (I need
*a lot* of time for that).
And the first option, well, it takes a few thousand lines of code.
Go read Ptacek's and Newsham's seminal IDS paper:
  http://citeseer.nj.nec.com/ptacek98insertion.html
Then keep in mind more advanced evasions have been discovered in the last
five years.
.mike
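
A small illustration of the second option's difficulty, added here as an
example; it is not code from this thread, from pf or from the scrub
normaliser. The segments, sequence numbers and payloads are constructed,
and the two overlap policies ("first" keeps the bytes already held, "last"
lets the newer segment overwrite) are a simplification of what real stacks
do, which also depends on whether an overlap is partial or complete. The
same packets on the wire reassemble to two different HTTP requests
depending on the receiver's policy, so a passive monitor that assumes the
wrong one sees a different request than the server does; the normalize()
function shows the other way out, resolving the overlap on the firewall
before forwarding so that every receiver agrees:

```python
"""Overlapping TCP segments: why passive inspection must guess the endpoint.

Added example, not code from the thread or from pf.  Segments, sequence
numbers and payloads are constructed; the two overlap policies are a
simplification of real stack behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # absolute TCP sequence number of the first payload byte
    data: bytes   # payload


def _overlay(segments, isn, policy):
    """Map stream offset -> byte, resolving overlaps with `policy`.

    'first': bytes already held are kept; later overlapping data is dropped.
    'last' : later overlapping data overwrites what was held.
    """
    buf = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq - isn + i
            if policy == "first":
                buf.setdefault(off, b)
            elif policy == "last":
                buf[off] = b
            else:
                raise ValueError(f"unknown policy {policy!r}")
    return buf


def reassemble(segments, isn, policy):
    """Return the contiguous byte stream an endpoint using `policy` delivers."""
    buf = _overlay(segments, isn, policy)
    out, off = bytearray(), 0
    while off in buf:          # stop at the first hole in the stream
        out.append(buf[off])
        off += 1
    return bytes(out)


def ambiguous_offsets(segments, isn):
    """Stream offsets where two segments carry different bytes (the evasion surface)."""
    seen, conflicts = {}, set()
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq - isn + i
            if off in seen and seen[off] != b:
                conflicts.add(off)
            seen.setdefault(off, b)
    return sorted(conflicts)


def normalize(segments, isn, policy="first"):
    """Rewrite the stream so no two segments overlap, resolving conflicts with
    `policy`.  After this every receiver reconstructs the same bytes whatever
    its own overlap handling: the normaliser idea, in miniature."""
    resolved = _overlay(segments, isn, policy)
    emitted, out = set(), []
    for seg in segments:
        run, start = bytearray(), None
        for i in range(len(seg.data)):
            off = seg.seq - isn + i
            if off in emitted:            # already forwarded: split the run here
                if run:
                    out.append(Segment(isn + start, bytes(run)))
                run, start = bytearray(), None
                continue
            if start is None:
                start = off
            run.append(resolved[off])
            emitted.add(off)
        if run:
            out.append(Segment(isn + start, bytes(run)))
    return out


# Constructed evasion stream: the second segment overlaps bytes 5..14 of the
# first with a different path.  Same packets on the wire, two possible requests.
ISN = 1000
EVASION_STREAM = [
    Segment(ISN + 0,  b"GET /index.html "),
    Segment(ISN + 5,  b"etc/shadow"),
    Segment(ISN + 16, b"HTTP/1.0\r\n"),
]


def monitor_sees(pattern, segments=EVASION_STREAM, isn=ISN, assumed_policy="first"):
    """What a passive monitor concludes if it assumes `assumed_policy`."""
    return pattern in reassemble(segments, isn, assumed_policy)


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(EVASION_STREAM, ISN, policy))
    print("ambiguous offsets:", ambiguous_offsets(EVASION_STREAM, ISN))
    fixed = normalize(EVASION_STREAM, ISN, "first")
    print("after normalisation both policies agree:",
          reassemble(fixed, ISN, "first") == reassemble(fixed, ISN, "last"))
```

Run it and the "first" receiver gets "GET /index.html" while the "last"
receiver gets "GET /etc/shadow" from identical segments; a monitor
assuming "first" never sees the second request. normalize() forwards only
the resolved bytes, so the overlapping segment is dropped and both
policies then yield the same stream. A real normaliser also has to track
holes, retransmissions and window state per connection, which is where the
thousands of lines go.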