Re: pf blocks ACK response
If you are not gonna help, please, shut up.
Thanks.
Eduardo.
----- Original Message -----
From: Darren Reed <avalon@coombs.anu.edu.au>
To: <frank@lugh.de>
Cc: <misc@openbsd.org>
Sent: Tuesday, March 19, 2002 8:54 PM
Subject: Re: pf blocks ACK response
> Hmmm, this might be someone's idea of syn-spoofing protection.
>
> In some mail from Frank Lingott, sie said:
> >
> > Daniel Hartmeier wrote:
> > >
> > > On Tue, Mar 19, 2002 at 10:34:27AM -0600, Ramon Reyes Carrion wrote:
> > >
> > > > I am having a problem with OpenBSD 3.0-stable (sunday night's CVS
> > > > repository version, compiled and installed; but the problem is not
> > > > new!)
> > > > and I assume it is related with pf.
> > >
> > > Thank you for including the right logs. As bizarre as it might sound,
> > > that external host actually seems to have a broken stack.
> > >
> > > I took the liberty of connecting to it myself, with pf completely
> > > disabled:
> > >
> > > 62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok]
> > > 673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> > > 0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)
> > > 148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok]
> > > 3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] (ttl
> > > 28, id 62470)
> > >
> > > My SYN goes out with initial sequence number 673148648. What _should_
> > > come back is a SYN+ACK that acks my ISN+1.
> > >
> > > What actually comes back is a plain ACK (no SYN flag) for sequence
> > > number 674148648. That's exactly 1000000 too much (you got the same
> > > offset in your logs).
> > >
> > > It's not a valid TCP handshake at all. I doubt _anyone_ can connect
> > > to that external host. If you have administrative control over it (or
> > > know someone who does), it might be worth investigating what's broken
> > > there. But this is certainly not caused by your pf.
> > >
> > > Daniel
> >
> > I did some tests from home.
> >
> > The first was on a linux-box via ssh; I have only user access there.
> > Therefore no tcpdump - sorry.
> >
> > frankli@majestic () telnet 148.223.71.252 25
> > Trying 148.223.71.252...
> > Connected to customer-148-223-71-252.uninet.net.mx (148.223.71.252).
> > Escape character is '^]'.
> > 220 inf1fw1.queretaro.gob.mx Generic SMTP handler
> > quit
> > 221 inf1fw1.queretaro.gob.mx connection
> > Connection closed by foreign host.
> > [~]
> > frankli@majestic ()
> >
> > frankli@majestic () uname -rs
> > Linux 2.4.8-26mdk
> > [~]
> > frankli@majestic ()
> >
> > You see - it's the famous buggy kernel 2.4.
> > It must have some magic in its IP stack; it
> > is able to connect to the other box.
> >
> > frank@bardioc:~ > telnet 148.223.71.252 25
> > Trying 148.223.71.252...
> >
> > One of my old linux-boxes/kernel2.2.14.
> > No connect - the same tcpdump as yours.
> >
> > bash-2.05# tcpdump -i tun0 port 25
> > tcpdump: listening on tun0
> > 23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381626
> > 0,nop,wscale 0> (DF)
> > 23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: .
> > 895645034:895645054(20) ack 3399322261 win 32120 (DF)
> > 23:18:50.672142 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381926
> > 0,nop,wscale 0> (DF)
> > 23:18:51.015102 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > ack 1 win 32120 (DF)
> > 23:18:56.670650 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4382526
> > 0,nop,wscale 0> (DF)
> > 23:18:57.008589 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > ack 1 win 32120 (DF)
> > 23:19:08.670886 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4383726
> > 0,nop,wscale 0> (DF)
> > 23:19:09.015107 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > ack 1 win 32120 (DF)
> > 23:19:32.670916 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4386126
> > 0,nop,wscale 0> (DF)
> > 23:19:33.004597 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > ack 1 win 32120 (DF)
> > 23:20:20.670840 80.144.154.226.63062 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4390926
> > 0,nop,wscale 0> (DF)
> > 23:20:21.020114 148.223.71.252.smtp > 80.144.154.226.63062: .
> > 895645034:895645054(20) ack 3399322261 win 32120 (DF)
> > 23:21:56.670732 80.144.154.226.63062 > 148.223.71.252.smtp: S
> > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4400526
> > 0,nop,wscale 0> (DF)
> > 23:21:57.002938 148.223.71.252.smtp > 80.144.154.226.63062: . 0:20(20)
> > ack 1 win 32120 (DF)
> >
> > This dump is from my OpenBSD-Router.
> > The OpenBSD-Box itself can not connect.
> >
> > Don't know if this helps; if not, delete it.
> >
> > regards
> >
> > frank
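To make the check Daniel did by hand repeatable, here is an added example (not code from any of the mails, and not OpenBSD or pf code) that parses the old-style tcpdump lines quoted in the thread and judges whether the reply to a SYN is a valid second handshake step: it must carry the SYN flag and ack the client's ISN+1 (modulo 2^32). The two sample captures are Daniel's and Frank's dumps from above with the mail wrapping undone; the function names are my own. A stateful filter such as pf tracks exactly these sequence numbers, so a reply that fails this check does not match any state and is dropped, which is the behaviour the thread observes.

```python
import re

# Added example (not from the thread): parse old-style tcpdump TCP lines and
# check the reply to a client SYN against what a correct stack would send.

SEQ_MOD = 2 ** 32  # TCP sequence space wraps at 2^32

# Matches lines such as
#   62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok] 673148648:673148648(0) win 16384 ...
#   148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok] 3620818647:3620818671(24) ack 674148648 ...
TCP_LINE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+\s+)?"                 # optional timestamp
    r"(?P<src>[\w.\-]+)\.(?P<sport>\w+)\s+>\s+"     # source host/IP and port
    r"(?P<dst>[\w.\-]+)\.(?P<dport>\w+):\s+"        # destination host/IP and port
    r"(?P<flags>[SFRP.]+)\s+"                       # flag letters ('.' = none of S/F/R/P)
    r"(?:\[tcp sum ok\]\s+)?"                       # optional checksum annotation
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"    # seq:end(payload length)
    r"(?:\s+ack\s+(?P<ack>\d+))?"                   # optional ack number
)


def parse_tcp_line(line):
    """Return a dict with the fields of one tcpdump TCP line, or None if it does not match."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len"):
        d[k] = int(d[k])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return d


def check_syn_reply(syn, reply):
    """Judge the reply to a client SYN.

    Returns (is_valid, ack_minus_isn, problems). For a correct SYN+ACK,
    ack_minus_isn is 1 and problems is empty.
    """
    problems = []
    if "S" not in syn["flags"] or syn["ack"] is not None:
        problems.append("first packet is not a bare SYN")
    if "S" not in reply["flags"]:
        problems.append("reply lacks the SYN flag (plain ACK instead of SYN+ACK)")
    if reply["ack"] is None:
        delta = None
        problems.append("reply carries no ACK number")
    else:
        delta = (reply["ack"] - syn["seq"]) % SEQ_MOD
        if delta != 1:
            problems.append(f"reply acks ISN+{delta}, expected ISN+1")
    if reply["len"] > 0:
        problems.append(f"reply carries {reply['len']} bytes of data before the handshake completed")
    return (not problems, delta, problems)


def audit(lines):
    """Parse a capture and check its first two packets as SYN and reply."""
    pkts = [p for p in (parse_tcp_line(l) for l in lines) if p]
    return check_syn_reply(pkts[0], pkts[1])


# Sample input, constructed from the thread: Daniel's capture with pf disabled,
# each packet re-joined onto one line.
DANIEL_DUMP = [
    "62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok] 673148648:673148648(0) win 16384 "
    "<mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)",
    "148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok] 3620818647:3620818671(24) ack 674148648 "
    "win 16384 (DF) [tos 0x10] (ttl 28, id 62470)",
]

# Frank's first SYN and the reply, from the OpenBSD router dump.
FRANK_DUMP = [
    "23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S 3398322261:3398322261(0) "
    "win 32120 <mss 1460,sackOK,timestamp 4381626 0,nop,wscale 0> (DF)",
    "23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: . 895645034:895645054(20) "
    "ack 3399322261 win 32120 (DF)",
]

if __name__ == "__main__":
    for name, dump in (("Daniel", DANIEL_DUMP), ("Frank", FRANK_DUMP)):
        ok, delta, problems = audit(dump)
        print(f"{name}: {'valid' if ok else 'broken'} handshake, ack = ISN+{delta}")
        for p in problems:
            print("   -", p)
```

Run against both captures it reports the same three defects Daniel describes: no SYN flag, an ack of ISN+1000000 instead of ISN+1, and a payload (the SMTP banner) sent before the handshake completed. The modulo arithmetic matters for real traffic: an ISN just below 2^32 is correctly acked by a small number, and the check still returns 1.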