On Wed, 27 February 2002 A.D., Brewis, Mark wrote:

> Quite often these are commercial, off the peg TCP/IP stacks. I have seen
> some dreadful examples, both in terms of fragility and of TCP sequence
> number generation. I've seen sequential, sequential based on standard
> increments, and repeating sequences.
>
> [...]
>
> Compromise a network via the printers and you will have a network manager's
> attention. The only problem lies in the paucity of solutions available to
> correct the issue.

Although it won't guard against attacks from within, one excellent solution
to this problem is an appropriately designed firewall. The latest release of
OpenBSD[1] contains a new packet filter (`pf') which can help protect buggy
TCP stacks. Two features will be of interest:

* The 'modulate state' directive, which causes a highly random initial
  sequence number to be substituted for those supplied by a less vigilant
  stack.

* The 'scrub' directive, which causes full fragment reassembly and other
  packet normalization to take place before delivery to possibly fragile
  stacks.

[1] http://www.openbsd.org/

-- 
"Everyone may openly covet everyone else's property, as long as he appeals
to democracy; and everyone may act on his desire for another man's property,
provided that he finds entrance into government." -- Hans-Hermann Hoppe
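An illustrative pf.conf fragment showing the two directives above in use (added here as an example; it is not part of the original post). It assumes a firewall whose external interface is fxp0 and a printer at 192.0.2.10 accepting jobs on TCP port 9100; both values are constructed placeholders.

```pf
# Added example pf.conf, not from the original post. The interface name
# and printer address are assumed placeholders; adjust for your network.
ext_if = "fxp0"
printer = "192.0.2.10"

# Reassemble fragments and normalize every inbound packet before it can
# reach a fragile stack behind the firewall.
scrub in all

# Default deny on the external interface.
block in on $ext_if all

# Allow print jobs in, but have pf substitute a strongly random initial
# sequence number for the printer's own weak one. 'modulate state' also
# creates a state entry, so the printer's replies are matched to it.
pass in on $ext_if proto tcp from any to $printer port 9100 \
    flags S/SA modulate state

# Stateful pass for traffic originating on the inside.
pass out on $ext_if proto tcp all flags S/SA keep state
```

Note that this only protects connections that cross the firewall; hosts on the same segment as the printer still talk to its native stack directly, which is the "attacks from within" caveat the post mentions.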