
Re: iptables question



On Tue, May 27, 2003 at 06:23:10PM -0500, Andrés Roldán wrote:
> Hi.
> 
> I was reading about a certain kind of attack on TCP sequence numbers and I was
> wondering whether iptables is vulnerable to these attacks. Specifically,
> whether iptables is capable of knowing if a RELATED or ESTABLISHED package is
> sent with a sequence number prediction attack and whether iptables is capable
> of knowing if the IP address has been spoofed by these means.
I think you're talking about severing connections or inserting data in
them by predicting sequence numbers.

The short answer is, nothing can.  The problem is that there is no way to
verify the source address and these are really valid packets.

You do have options:

1.  Use IPsec
  This *will* verify the source cryptographically, but it is a pain to
  set up/maintain and has its own issues.
  
2.  Use the grSecurity Patch
  This will prevent prediction unless someone is snooping on the
  connection (it prevents *blind* spoof attacks) by randomizing the
  source numbers.  There appears to be enough stuff in here that using
  it would be a good, paranoid approach.  You still have to build a
  kernel, but it's less work than IPsec (but *READ* the features before
  turning them on, otherwise your system may not boot).

Is that all on this?  List?

Jayson

P.S.  I speak a little Spanish, if you can't understand my reply.
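A small model of the two points made in this reply, added here as an illustration and not code from the thread or from any kernel or iptables source: a stateful filter can only test whether a segment's sequence number is *plausible* (inside the peer's receive window), so a correctly predicted forged segment passes that test exactly like a genuine one; and randomising initial sequence numbers is what makes blind prediction fail. The ISN generators, the window size, the uptime value and the guessing strategy are all constructed for the demonstration (the predictable generator mimics the old 64000-per-second, 128-per-connection BSD style, not any particular kernel's code).

```python
"""Why window-checking cannot authenticate TCP segments, and what ISN
randomisation buys.  Added illustration; all values are constructed."""
import random

SEQ_SPACE = 2 ** 32
WINDOW = 65535  # bytes the receiver currently advertises (constructed)


def in_window(expected_seq, seq, window=WINDOW):
    """The only sequence check a stateful filter (or the receiving TCP) can
    make: accept the segment if seq lies in [expected_seq, expected_seq +
    window) modulo 2^32.  A forged segment whose seq was guessed correctly
    passes this check exactly like a legitimate one."""
    return (seq - expected_seq) % SEQ_SPACE < window


class PredictableIsn:
    """ISN chosen like the classic BSD scheme: +64000 per second of uptime,
    +128 per new connection.  Constructed model, not any kernel's code."""

    def __init__(self):
        self.connections = 0

    def next_isn(self, now):
        self.connections += 1
        return (64000 * now + 128 * self.connections) % SEQ_SPACE


class RandomIsn:
    """ISN drawn uniformly from the 32-bit space (what randomisation aims at).
    A seeded PRNG keeps the demonstration reproducible; a real kernel would
    use a cryptographically strong source."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def next_isn(self, now):
        return self.rng.getrandbits(32)


def blind_guess_hit_rate(generator, trials=1000):
    """Fraction of trials in which an ISN extrapolated from one earlier,
    legitimately observed ISN lands inside the window of the next
    connection's real ISN.  This is how a defender judges an ISN generator:
    close to 1.0 means blind spoofing is practical, close to 0 means an
    off-path sender has nothing better than a 2^-32 lottery per packet."""
    hits = 0
    now = 1000  # seconds of uptime, constructed
    for _ in range(trials):
        observed = generator.next_isn(now)  # ISN seen on a connection of one's own
        now += 1                            # one second later, someone else connects
        actual = generator.next_isn(now)    # ISN that connection really gets
        guess = (observed + 64000 + 128) % SEQ_SPACE  # extrapolating the BSD pattern
        if in_window(actual, guess):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("predictable ISN, blind guess in-window rate:",
          blind_guess_hit_rate(PredictableIsn()))
    print("random ISN, blind guess in-window rate:",
          blind_guess_hit_rate(RandomIsn()))
```

Running it shows the predictable generator is hit every time while the random one is essentially never hit. Note the caveat the reply already makes: randomisation only defeats *blind* prediction. Linux's connection tracking does perform this kind of TCP window tracking (out-of-window segments are marked INVALID rather than ESTABLISHED), which is a useful plausibility filter, but as `in_window` shows it cannot distinguish a well-predicted or sniffed-then-forged segment from a genuine one; only something like IPsec gives the source a cryptographic identity.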


