From: Cedric Blancher <blancher@cartel-securite.fr>
To: Anders Fugmann <afu@fugmann.dhs.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: NEW vs INVALID
Date: 01 Oct 2002 13:19:42 +0200 [thread overview]
Message-ID: <1033471182.878.146.camel@elendil> (raw)
In-Reply-To: <3D996546.3070408@fugmann.dhs.org>
Le mar 01/10/2002 à 11:05, Anders Fugmann a écrit :
> Cedric Blancher wrote:
> > By the way, I was wondering why --syn was "only" equivalent to :
> > --tcp-flags SYN,ACK,RST SYN
> > And not to :
> > --tcp-flags SYN,ACK,RST,FIN SYN
> The tcp-flags would then not match packets with the SYN & FIN bits set,
> which is actually connection request, with should be closed immdiatly
> after opening.
Well, as SYN,FIN packet is quite nonsense, for a FIN is destined to
close an established connection (both parts) or spot a connection
establishment (client) and thus should not be received on CLOSED, LISTEN
or SYN-SENT, for while connection is not established, server sends RST.
But RFC does not cover the SYN,FIN case. Well, in fact, if we're in
LISTEN state, we are likeley to stop processing flags when we see SYN
set (and RST,ACK not set), and so do not check FIN bit value. But it
tells that a FIN should be discarded if received on CLOSED, LISTEN or
SYN-SENT state.
| eighth, check the FIN bit,
|
| Do not process the FIN if the state is CLOSED, LISTEN or SYN-SENT
| since the SEG.SEQ cannot be validated; drop the segment and
| return.
> The syn-fin is widly used to scan hosts, and should be
> dropped.
Yeah it surely should ;) By the way, this harmless, for there's no valid
application for SYN,FIN packets.
> But still - it is a connection request and should therfore be
> caught by --syn.
I do not agree on the meaning of such a packet, but it is true that RFC
does not explicitly forbid this kind of flags setting, although it is
clear that a --syn packet must have RST and ACK set to 0 (for RST and
ACK value are checked _before_ SYN one). So, it can be understood this
way, and this should close the debate.
Ahhhh, the art of understanding RFCs :))))
--
Cédric Blancher
Consultant en sécurité des systèmes et réseaux - Cartel Sécurité
Tél: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
next prev parent reply other threads:[~2002-10-01 11:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-09-30 10:18 NEW vs INVALID Jens Lechtenbörger
2002-09-30 14:39 ` Anders Fugmann
2002-10-01 8:49 ` Cedric Blancher
2002-10-01 9:05 ` Anders Fugmann
2002-10-01 11:19 ` Cedric Blancher [this message]
2002-09-30 15:26 ` Cedric Blancher
2002-09-30 15:50 ` Jens Lechtenbörger
2002-10-01 10:33 ` Martijn Klingens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1033471182.878.146.camel@elendil \
--to=blancher@cartel-securite.fr \
--cc=afu@fugmann.dhs.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.