This is the mail archive of the ecos-discuss@sourceware.org mailing list for the eCos project.



Re: Re: SYN problem with new TCP/IP stack


> Whaddayathink?

Hi Grant

For things like this I generally go back to the FreeBSD sources and
study them.

I don't see anything in the latest code which indicates that this
"problem" has been fixed. I'm actually wondering if this is
deliberate. 

It looks like some firewalls will block SYN packets to established
connections:

http://www.checkpoint.com/appint/appint_transport_layer.html

It seems to me the ACK reply is a bad idea. It provides an attacker
with the sequence number and so allows it to hijack the connection.

Having said that, it looks like Linux 2.6.15 will send an ACK.

So, well, err. I think you should take this up with the FreeBSD
people. Find out if they think this is a bug or a security feature.

        Andrew

-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
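
The firewall behaviour mentioned in the message above (blocking SYN packets that arrive on an already established connection), written as a stateful filter run over constructed segments. This is an added example, not part of the original message and not eCos or FreeBSD code; the `Segment` type, the state names, the verdict strings and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class Segment:          # hypothetical record: only the fields the filter needs
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(seg):
    """Direction-independent key so both halves of a connection share state."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def filter_segments(segments):
    """Return one verdict ("pass" or "drop") per segment.

    Assumptions: handshake direction and connection teardown other than RST
    are not modelled; a segment on an untracked flow that is not a SYN is dropped.
    """
    state, verdicts = {}, []
    for seg in segments:
        key, syn, ack = flow_key(seg), bool(seg.flags & SYN), bool(seg.flags & ACK)
        st = state.get(key)
        if seg.flags & RST:
            state.pop(key, None)              # reset tears the flow state down
            verdicts.append("pass")
        elif st == "ESTABLISHED" and syn:
            verdicts.append("drop")           # SYN on an established connection
        elif syn and not ack:
            state[key] = "SYN_SENT"           # new connection or retransmitted SYN
            verdicts.append("pass")
        elif syn and ack and st == "SYN_SENT":
            state[key] = "SYN_RCVD"
            verdicts.append("pass")
        elif ack and st == "SYN_RCVD":
            state[key] = "ESTABLISHED"        # handshake complete
            verdicts.append("pass")
        else:
            verdicts.append("pass" if st == "ESTABLISHED" else "drop")
    return verdicts


# Constructed sample traffic (documentation address range, not real captures).
C, S = ("192.0.2.10", 40000), ("192.0.2.20", 80)
SAMPLE = [Segment(*C, *S, SYN), Segment(*S, *C, SYN | ACK), Segment(*C, *S, ACK),
          Segment(*C, *S, PSH | ACK), Segment(*C, *S, SYN), Segment(*S, *C, ACK)]
```

Because the stray SYN is dropped before it reaches the endpoint, the endpoint never generates the ACK reply discussed in the message.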

