Linux Netfilter discussions
* Fixing TCP sequence approximation problems using iptables and tools
@ 2008-08-29 17:21 Alex Judd
  0 siblings, 0 replies; only message in thread
From: Alex Judd @ 2008-08-29 17:21 UTC (permalink / raw)
  To: netfilter; +Cc: 'Alex Judd'

Hi list

My first post here so briefly Hi.

I wanted to see if anyone out there had any experience of using iptables and
tools to fix a vulnerability we have in the TCP of our Linux kernel, which,
according to our PCI evaluations, leaves us open to TCP sequence
approximation hacking.

"TCP Sequence Number Approximation Based Denial of Service"

THREAT:
TCP provides stateful communications between hosts on a network. TCP
sessions are established by a three-way handshake and use random 32-bit
sequence and acknowledgement numbers to ensure the validity of traffic. A
vulnerability was reported that may permit TCP sequence numbers to be more
easily approximated by remote attackers. This issue affects products
released by multiple vendors.

Basically, as far as I can see, PF on OpenBSD has the ability to do this by
normalizing the TCP packets.

Ref:
http://www.section6.net/wiki/index.php/Setting_up_a_Firewall_NAT_using_PF

# Normalizes packets and masks the OS's shortcomings such as SYN/FIN packets
# scrub reassemble tcp (BID 10183) and sequence number approximation
# bugs (BID 7487).
scrub on $extif reassemble tcp no-df random-id

Has anyone any experience with this using a Linux-based kernel to fix this?

Many thanks

Alex

Skywire | www.skywire.co.uk
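The nearest netfilter equivalent to the PF scrub line quoted in the post is nf_conntrack's TCP window tracking: a segment whose sequence or acknowledgement number falls outside the tracked window is tagged INVALID, so a rule dropping INVALID traffic discards blind out-of-window RST, SYN and data segments before the socket sees them. The script below is an added example written for this page, not code from the original post or from any list reply. It assumes an external interface named eth0, SSH on port 22 as the only inbound service, the nf_conntrack sysctl names used by 2.6 kernels, and iptables-restore syntax; whether the result satisfies a particular PCI scanner is not claimed.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal netfilter ruleset that
# relies on conntrack's TCP window tracking to drop out-of-window segments,
# the Linux-side counterpart of PF's "scrub ... reassemble tcp".
# Assumptions: external interface eth0, inbound SSH only, nf_conntrack sysctl
# names as found in 2.6 kernels. Run as root with "apply" to load it;
# otherwise it only prints what it would load.

EXTIF="${EXTIF:-eth0}"

# Sysctls that keep window tracking strict:
#   tcp_be_liberal=0  -> out-of-window segments are INVALID, not tolerated
#   tcp_loose=0       -> refuse to pick up connections mid-stream (no tracking
#                        state for a segment means it is INVALID, not NEW)
gen_sysctl() {
    cat <<EOF
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 0
EOF
}

# Ruleset in iptables-restore format. INVALID is dropped first in every chain
# so that a forged RST/SYN/data segment with a guessed sequence number never
# matches the ESTABLISHED accept below it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# out-of-window and untrackable segments: drop before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# traffic that belongs to a connection conntrack saw from the SYN
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# only a clean SYN may open a connection; SYN/FIN combinations are dropped
-A INPUT -i $EXTIF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -i $EXTIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i $EXTIF -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the sysctls and the ruleset (root only).
apply_rules() {
    gen_sysctl | sed 's/ //g' | while read -r kv; do
        sysctl -w "$kv"
    done
    gen_rules | iptables-restore
}

if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_sysctl
    gen_rules
fi
```

Two caveats worth keeping in mind. Window tracking only protects connections that conntrack tracked from their SYN, which is why tcp_loose is set to 0 here; a connection that was already open when the rules loaded will be dropped rather than protected. And none of this changes how the kernel itself generates initial sequence numbers or handles in-window RSTs, so a scanner that flags the issue purely by kernel version may keep reporting it.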



