These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/IPTables- Fact And Myth

Classnotes | UNIX03 | RecentChanges | Preferences

The section "IP Tables Connection Tracking: Fact and Myth" on pages 465 through 468 of the book has useful information about several common misunderstandings of IP Tables. We will only touch on some of these items in class.

TCP Sequence Spoofing Attacks

Neither IP Tables nor IP Chains filters out packets with bad TCP sequence numbers, and thus both leave a small window open for attack. Many platforms, including most Windows dialects, some UNIX versions, and even ancient Linux versions (prior to the 2.0 kernel) fail to randomize TCP sequence numbers. This vulnerability is explained in "TCP Sequence Spoofing Explained" on page 243, and defeating it is discussed in "Defeating TCP Sequence Spoofing" on page 246. You can also find pertinent information on this type of attack in "Fighting Connection Hijacking and ICMP Attacks" on page 468.

We will not have time to go into any of these in this class.

IP Connection Tracking Not Needed?

The biggest risk that connection tracking can prevent is an attack on the port on which a client is listening while awaiting a server's response. Some clients will accept packets from any IP address and port that sends to them, and some of those clients are vulnerable to buffer overflow attacks. The only way to protect such a client is to ensure that only the server with which it initiated communication is allowed to send packets to it.

Most system administrators don't realize that IP Chains' IP Masquerading (NAT) already has this state capability: it will drop packets sent to the ports it is forwarding to Masqueraded systems if they come from anywhere other than the IP address and port with which the Masqueraded system initiated communication. Thus, if all vulnerable systems are IP Masqueraded with IP Chains, they already have this protection. In other words, if all of your systems with weak network stacks are IP Masqueraded systems, you already have state tracking protection.

IP Tables' connection tracking's only apparent advantage is in protecting non-IP Masqueraded systems with weak network stacks, and in safely allowing things like Active FTP from clients behind it.
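As an added example that is not part of the class notes or the book, the following sh script places the IP Chains-era stateless rule for client ports beside the stateful rules that connection tracking makes possible, first for a single client host and then for a masquerading gateway protecting the hosts behind it. The interface names eth0/eth1 and the function names are my own placeholders; the functions only print the iptables commands, and apply_rules executes them only when APPLY=1 (which needs root and the iptables binary).

```shell
# Added example for these notes, not code from the class or the book.
# Assumptions: outside interface is $1, inside interface is $2 (eth0 and
# eth1 below are placeholders). Functions print iptables commands only;
# apply_rules runs them only when APPLY=1. The classic "-m state" match
# is used, which works on 2.4-era and current kernels.

# Weak, stateless client policy of the IP Chains era: any non-SYN TCP
# segment, and any UDP datagram, aimed at an unprivileged port is accepted
# no matter who sent it. This is the exposure the notes describe: a
# client's listening port is reachable from any IP address and port.
stateless_client_rules() {
    ifc="$1"
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -i $ifc -p tcp --dport 1024:65535 ! --syn -j ACCEPT" \
        "iptables -A INPUT -i $ifc -p udp --dport 1024:65535 -j ACCEPT"
}

# Stateful client policy: only packets belonging to a connection this host
# started (ESTABLISHED), or RELATED to one (ICMP errors, FTP data
# connections), are accepted. An unsolicited packet to an ephemeral port
# matches no tracked connection and falls through to the DROP policy.
stateful_client_rules() {
    ifc="$1"
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -i $ifc -m state --state INVALID -j DROP" \
        "iptables -A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Masquerading gateway: inside hosts may open connections outward; from the
# outside only packets matching a tracked connection are forwarded back,
# which is the state protection the notes attribute to IP Chains
# masquerading. RELATED covers Active FTP data connections once the FTP
# helper is loaded (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp now).
masq_gateway_rules() {
    outside="$1"; inside="$2"
    printf '%s\n' \
        "modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp" \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -A POSTROUTING -o $outside -j MASQUERADE" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $inside -o $outside -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $outside -o $inside -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print a ruleset and, only when APPLY=1, execute it line by line.
apply_rules() {
    "$@" | while IFS= read -r cmd; do
        printf '%s\n' "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; fi
    done
}

# Dry run of the stateful client policy (prints the commands only).
apply_rules stateful_client_rules eth0
```

Run with `APPLY=1 sh script.sh` as root to load the stateful client policy; swap in `masq_gateway_rules eth0 eth1` on a gateway. The stateless variant is included only for comparison: it is the rule set whose weakness the notes describe, and the stateful one is what you want.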



Last edited June 21, 2003 4:47 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.