use keep state(strict) to mitigate tcp issues?

Board: FB_security | Author: | Posted: 22 years ago (2004/04/24 06:28) | Push score: 0 (0/0/0)
0 comments, 0 participants, thread 1/5
Hi,

When deploying a BSD with IPF at the network perimeter and using rules like these:

pass in .. proto tcp ... keep state(strict)

it's possible to refuse TCP packets which arrive out of order. This would increase the difficulty of doing blind attack resets and blind data injection attacks, because then you'd have to "guess" the exact expected number. Checkpoint has a similar feature (is that right?) which is described here as the answer to the mentioned attacks: http://www.checkpoint.com/techsupport/alerts/tcp_dos.html

Although this is nice, there is also the risk of breaking connections because it's not unlikely that packets arrive out of order. At least, that's what I think; any thoughts upon this?

Bye,

Mipam.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
文章代碼(AID): #10YPYZ00 (FB_security)