> Darren Reed <darrenrat_private> 01/10/00 03:13AM >>>
>
> Here's something for folks out there to have a think about.
>
> You have your dialup PC, sitting at home, gatewaying your
> workstation from which you surf away on the web. Your link
> drops, you redial and get a new IP# for your NAT sessions.
>
> For at least some period of time, your old IP# may be black
> holed, or worse, allocated to another Internet user. The
> second case is worse because small amounts of your web session
> *may* leak to someone else.
>
> Whatever the case, there is a period of time in which the original
> endpoints believe a connection exists, which no longer does. Should
> a pre-emptive strike be launched by the firewall to blow these away
> by doing something like sending TCP RSTs? What about for DNS/NTP
> queries - are ICMP unreachables appropriate?
>
> Darren

Attempting to terminate the connection seems like a good idea, but how is it done reliably in an environment where the firewall does not terminate the data-link connection to one side of the connection?

In a dialup environment I would guess that you would look for host/destination unreachables from some point inside the firewall and close the connections based on that info. Of course that would require filtering on each line to prevent a DoS where one inside attacker host spoofs unreachables, which would cause the firewall to close active connections to the victim host.

What happens in a broadcast-capable environment where the blackhole exists for a longer period (say an ARP timeout)? Also in this environment the unreachables have to be filtered at two layers, the typically static data-link and the dynamic network.

Regards,
--tcw
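The check tcw's reply calls for, as an added example that is not part of the thread: a toy NAT session table that tears a session down on an ICMP destination unreachable only when the message arrived on the inside interface and its quoted inner IP/transport header names a tracked session exactly. The session table, the interface names and the set of ICMP codes that may close a session are assumptions for illustration; the packets are constructed test data, and a production filter would also compare the quoted TCP sequence number against the session's window (RFC 5927).

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
CODES_THAT_CLOSE = {0, 1, 3}  # net, host, port unreachable (assumed policy)


class SessionTable:
    """Minimal model of a NAT/firewall state table (illustration only)."""

    def __init__(self):
        self.sessions = {}  # (proto, src, sport, dst, dport) -> state

    def add(self, proto, src, sport, dst, dport):
        self.sessions[(proto, src, sport, dst, dport)] = "ESTABLISHED"

    def parse_quoted_header(self, payload):
        """Return the 5-tuple quoted inside an unreachable, or None if malformed."""
        if len(payload) < 28:  # 20-byte IPv4 header + first 8 bytes of transport
            return None
        ver_ihl, proto = payload[0], payload[9]
        ihl = (ver_ihl & 0x0F) * 4
        if ver_ihl >> 4 != 4 or ihl < 20 or len(payload) < ihl + 8:
            return None
        src = str(ipaddress.IPv4Address(payload[12:16]))
        dst = str(ipaddress.IPv4Address(payload[16:20]))
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        return (proto, src, sport, dst, dport)

    def handle_unreachable(self, iface, icmp_type, icmp_code, payload):
        """Close the quoted session only if every validation step passes."""
        if iface != "inside" or icmp_type != ICMP_DEST_UNREACH:
            return "ignored"  # only unreachables seen from the inside count
        if icmp_code not in CODES_THAT_CLOSE:
            return "ignored"
        key = self.parse_quoted_header(payload)
        if key is None or key not in self.sessions:
            return "ignored"  # spoofed, stale or malformed: no matching session
        del self.sessions[key]
        return "closed"


def quoted_header(proto, src, sport, dst, dport, seq=0):
    """Build the 28 bytes an unreachable quotes (constructed test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHI", sport, dport, seq)
```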
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:54 PDT