Paul Starzetz wrote:
>We believe that the flaws we have detected have a big impact on
>design of firewalls and packet filters since an improper implementation
>can easily lead to serious security problems.

Is there any reason to expect that such improper implementation would be common? As far as I know, the common case is packet filters that look at only the ACK and SYN bits.

A typical configuration: All incoming packets with the ACK bit set are allowed, as are all outgoing packets. The anomalies you found don't seem to pose any problems for such a style of configuration. Are you aware of any common configurations that are at risk?
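
The stateless rule described in the message above, as an added example that is not part of the original post: it reads the flag bits from a raw TCP header and applies "incoming needs ACK, outgoing always passes" to constructed sample headers. The function names, ports and sample flag sets are assumptions made for illustration, and the samples are not the anomalies from the quoted report.

```python
import struct

# TCP flag bits as laid out in the RFC 793 header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(flags, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (checksum left at zero)."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 8192, 0, 0)


def tcp_flags(header):
    """Extract the six flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    (offset_flags,) = struct.unpack_from("!H", header, 12)
    return offset_flags & 0x3F


def stateless_allow(direction, header):
    """Rule from the message: outgoing always passes, incoming needs ACK."""
    if direction == "out":
        return True
    return bool(tcp_flags(header) & ACK)


def audit():
    """Return the inbound decision for each constructed flag combination."""
    samples = {
        "SYN": SYN,
        "SYN+ACK": SYN | ACK,
        "ACK": ACK,
        "FIN+ACK": FIN | ACK,
        "RST": RST,
        "no flags": 0,
    }
    return {name: stateless_allow("in", build_tcp_header(flags))
            for name, flags in samples.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"inbound {name:8s} -> {'allow' if allowed else 'drop'}")
```

The decision depends on the ACK bit alone, so the filter keeps no record of whether an inbound ACK segment belongs to a connection that an inside host actually opened.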