This was on BugTraq recently.

Can someone familiar with ipf's guts explain in more detail what would
constitute a situation where one is vulnerable to a DOS using this
method?

Thanks in advance.


----- Forwarded message from Yiming Gong <yiming@security.zz.ha.cn> -----

From: "Yiming Gong" <yiming@security.zz.ha.cn>
Subject: ipfilter  denial of service problem
Date: Mon, 6 Jan 2003 11:15:40 +0800

Below is an ipfilter security issue, and my previous mail to author
Darren was bounced back, so I think maybe I should mail it to this
mailing list.

Overview
--
Anytime ipfilter see a packet with ACK bit set without the previous SYN,
it will marked it as TCPS_ESTABLISHED in it's state table, and for
ipfilter will soon notice the RESET packet send back by the system
application, it will then change it's ttl in state table to 1 minute,OK,
it's good.

But If an attact send packet with ACK bit set and bad checksum, ipfilter
will happily add an "ESTABLISHED" session into it's state table which
will wait 120 hours to timeout instead of the normal 1 minutes! 

So using this way an evil guy can easily  destroy  the network
connection of any system with ipfilter installed in a few minutes!


proof of concept
--
[yiming@security.zz.ha.cn]#hping -s ip.of.spoofedandtrusted.box -A
ip.of.target.box  -p 22 -c 1 -b

you will immediately see a a long wait ttl of 120 hours, like this

security.zz.ha.cn,1235  server,22     4/0  tcp       1        40
119:59:48

Affected Versions:
--
I've test the following version of ipfilter

IP Filter: v3.4.30 

IP Filter: v3.4.29 (400)


a chinese vesion of these security issue is at

http://security.zz.ha.cn 

Best wishes!
 
-- 
?????????????? 



Yiming Gong 
Senior System Administrator 
China Netcom
yiming@security.zz.ha.cn 
http://security.zz.ha.cn 
0086-371-7934907 


----- End forwarded message -----