[ale] TCP, Apache, & security

Yu, Jerry zyu at Ptek.com
Fri Jul 14 15:30:53 EDT 2000



An 'RST' packet will be sent back to the client (to the source IP in the
step 3 packet), since the server received an ACK which the server has no
knowledge of (someone pointed out the TCP RFC earlier). The server thinks
it's from a stale old connection attempt, thus asking for a connection
reset.

This actually can be, and is, used as a hack to probe ports which are
protected by a packet filter from receiving SYN packets (aka, inbound
TCP connection initiation). The port scanner will send an ACK packet,
which cheats its way through the server's packet filter. The port in
question will be marked as 'alive' when the port scanner gets an 'RST'
packet back from the target server.



On Thu, 13 Jul 2000, Randy Janinda wrote:

#Caution: I may be off my rocker.
#
#During a learning session here I theorized that someone could change
#their IP address in the middle of an HTTP session and still be able to
#execute the GET/POST/etc.. on the webserver. I need some clarification
#from those who know:
#
#It takes only 3 packets to 'hit' a webserver:
#
#1) Client send SYN /w SEQ #
#2) Server responds with ACK/ SEQ #
#3) Client sends ACK /w data (GET / HTTP/1.0.........)
#
#What happens if the client sends back a different source IP address in packet
##3? Will the packet still get handed to the webserver for processing
#or will the OS see the change, think the flags (ACK, no SYN) are
#invalid and drop the packet? Remember, only the source IP was changed,
#not the source port, or anything else.
#
#Just wondering and learning,
#
#Randy
#--
#To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
#

Jerry Yu				mailto: z.yu at ptek.com
Systems Engineer			https://punch/~zyu
PTEK Holdings, Inc.			+1-404-262-8544 (O)
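A toy model of what the reply above describes, added here as an example that is not part of the original thread: a minimal RFC 793 listener that handles Randy's three-packet sequence, the same third packet arriving from a different source IP, and a bare ACK with no prior SYN (the probe Jerry mentions). The IPs, ports and sequence numbers are constructed, and the `stateful_filter` function stands in for the connection-tracking filter that would drop such an ACK before it reaches the host.

```python
from dataclasses import dataclass, field

@dataclass
class Seg:
    src: str; sport: int; dport: int
    syn: bool = False; ack: bool = False; rst: bool = False
    seq: int = 0; ackno: int = 0; data: bytes = b""

@dataclass
class Server:
    port: int                                     # the single listening port
    tcb: dict = field(default_factory=dict)       # (src ip, sport) -> (state, iss)
    delivered: list = field(default_factory=list) # data handed up to the web server

    def receive(self, s: Seg):
        """Model RFC 793 segment arrival; return the reply the stack sends, or None."""
        key = (s.src, s.sport)
        if s.rst:                                 # an RST is never answered
            self.tcb.pop(key, None); return None
        if key not in self.tcb:                   # no connection for this 4-tuple
            if s.ack:                             # stray ACK -> RST carrying its ACK number
                return Seg("srv", s.dport, s.sport, rst=True, seq=s.ackno)
            if s.syn and s.dport == self.port:    # packet 1: SYN -> SYN/ACK
                self.tcb[key] = ("SYN-RECEIVED", 1000)
                return Seg("srv", s.dport, s.sport, syn=True, ack=True, seq=1000, ackno=s.seq + 1)
            return Seg("srv", s.dport, s.sport, rst=True, ackno=s.seq + 1)  # SYN to closed port
        state, iss = self.tcb[key]
        if state == "SYN-RECEIVED" and s.ack and s.ackno == iss + 1:  # packet 3 completes it
            self.tcb[key] = ("ESTABLISHED", iss)
            self.delivered.append(s.data)
            return None
        return Seg("srv", s.dport, s.sport, rst=True, seq=s.ackno)   # wrong ACK number -> RST

def stateful_filter(seen_syn: set, s: Seg) -> bool:
    """A stateful filter only passes an ACK whose 4-tuple it saw open with a SYN."""
    if s.syn and not s.ack:
        seen_syn.add((s.src, s.sport, s.dport)); return True
    return (s.src, s.sport, s.dport) in seen_syn

REQ = b"GET / HTTP/1.0\r\n\r\n"   # constructed sample request (Randy's packet 3 data)

def handshake(client_ip_for_packet3):
    """SYN from 10.0.0.5, then the ACK+data from the given IP (same port 40000)."""
    srv = Server(80)
    synack = srv.receive(Seg("10.0.0.5", 40000, 80, syn=True, seq=500))
    reply = srv.receive(Seg(client_ip_for_packet3, 40000, 80, ack=True, seq=501, ackno=synack.seq + 1, data=REQ))
    return reply, srv.delivered

def stray_ack_probe():   # Jerry's case: bare ACK at a listening port, no SYN ever seen
    return Server(80).receive(Seg("10.0.0.7", 40001, 80, ack=True, ackno=4242))
```

With the source IP changed in packet 3 the server finds no connection for the new 4-tuple, answers with an RST whose sequence number is the ACK number it was sent, and the GET never reaches the web server; the stateful filter drops that same stray ACK outright.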
