This is just another variation on the source spoofing scheme. The most
recent variations I'm aware of are:
* straight spoofing: you can "establish" a connection by spoofing the
source IP address, sending the SYN, and guessing the ACK sequence
number (can be done if you can establish any connection such as FTP/SMTP
to get the current sequence number). Once the connection is established, you
can get off a few packets before losing sequence number sync.
- so be sure "outbound" packets on an interface don't originate from
that interface's address range, and/or
- ensure that incoming packets from other interface(s) don't originate
from the protected interface (as applicable)
* router filter "established" connection filter modifier. Cisco and some
others allow low-overhead filtering by permitting established connections
to bypass filtering overhead. This was broken not long ago by submitting
a fragmented packet, and the re-assembled packet propagated the "connection
established" header. Fixed in Cisco rev 10.2 or thereabouts.
- disable "established" keyword if you have the router processor overhead
to spare
Jeff Kell
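The two anti-spoofing rules and the "established" bypass described in the post above, worked through as a small stateless packet filter. This is an added example, not code from the post or from any router vendor; the topology (an "inside" interface owning 192.0.2.0/24, an "outside" interface facing everything else), the default-deny policy for outside-in traffic, and the sample packets are all constructed for illustration. It treats "established" the way the ACL keyword is commonly read (ACK or RST bit set), and shows why a non-initial fragment, which carries no TCP header at all, cannot be judged by that test and should be dropped or reassembled rather than waved through.

```python
"""Stateless anti-spoofing plus an 'established' ACL bypass (added example).

Assumptions (not from the original post):
  - interface "inside" owns the protected range 192.0.2.0/24
  - interface "outside" faces the rest of the Internet
  - outside-in traffic is denied unless it looks "established"
"""
from dataclasses import dataclass
import ipaddress

PROTECTED = ipaddress.ip_network("192.0.2.0/24")   # assumed inside range
IFACE_RANGES = {"inside": PROTECTED}               # "outside": anything else


@dataclass(frozen=True)
class Packet:
    iface: str                          # interface the packet ARRIVED on
    src: str
    dst: str
    flags: frozenset = frozenset()      # TCP flag names: "SYN", "ACK", "RST"
    frag_offset: int = 0                # > 0 means a non-initial IP fragment


def anti_spoof(pkt: Packet) -> str:
    """Apply the two anti-spoofing rules; return 'permit' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface in IFACE_RANGES:
        # Rule 1: packets entering from a known interface must come from its
        # own range, so our hosts cannot spoof somebody else's address outward.
        if src not in IFACE_RANGES[pkt.iface]:
            return "drop"
    else:
        # Rule 2: packets entering from outside must not claim a source
        # address that belongs to a protected interface.
        if any(src in net for net in IFACE_RANGES.values()):
            return "drop"
    return "permit"


def is_established(pkt: Packet) -> bool:
    """ACL 'established' semantics as commonly read: ACK or RST bit set."""
    return bool(pkt.flags & {"ACK", "RST"})


def filter_packet(pkt: Packet, *, use_established: bool = True,
                  permit_fragments: bool = False) -> str:
    """Anti-spoof first, then the established bypass, then default deny."""
    if anti_spoof(pkt) == "drop":
        return "drop"
    if pkt.iface in IFACE_RANGES:
        return "permit"                  # inside hosts are trusted once anti-spoofed
    if pkt.frag_offset > 0:
        # A non-initial fragment carries no TCP header, so there are no flags
        # to test.  Permitting it (permit_fragments=True) is the shortcut that
        # makes flag-based matching unreliable; the safe choice is to drop it
        # or reassemble before filtering.
        return "permit" if permit_fragments else "drop"
    if use_established and is_established(pkt):
        return "permit"
    return "drop"


# Constructed sample traffic (not captured data).
SAMPLE = {
    "inside_normal":      Packet("inside", "192.0.2.10", "198.51.100.5", frozenset({"SYN"})),
    "inside_spoofed":     Packet("inside", "203.0.113.7", "198.51.100.5", frozenset({"SYN"})),
    "outside_claims_in":  Packet("outside", "192.0.2.10", "192.0.2.20", frozenset({"ACK"})),
    "outside_new_syn":    Packet("outside", "203.0.113.7", "192.0.2.20", frozenset({"SYN"})),
    "outside_established": Packet("outside", "203.0.113.7", "192.0.2.20", frozenset({"ACK"})),
    "outside_fragment":   Packet("outside", "203.0.113.7", "192.0.2.20", frozenset(), frag_offset=185),
}


def run_samples(**policy) -> dict:
    """Return the filter decision for every sample packet under a policy."""
    return {name: filter_packet(pkt, **policy) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
    print("fragment with permit_fragments=True:",
          filter_packet(SAMPLE["outside_fragment"], permit_fragments=True))
```

Disabling the bypass (`use_established=False`) is the post's "if you have the router processor overhead to spare" option: every outside-in packet then falls through to the default deny, so nothing rides in on a forged ACK bit, at the cost of needing explicit permits for legitimate return traffic.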