Paul Wilders
February 25th, 2002, 09:22 AM
{QUOTE-> Summary
The following is the complete paper published by: Arne Vidstrom.
Trojans normally use ordinary TCP or UDP communication between their client and server parts. Any firewall between the attacker and the victim that blocks incoming traffic will usually stop all Trojans from working. ICMP tunneling has existed for quite some time now, but if you block ICMP in the firewall, you will be safe from that. This paper describes another concept that is called ACK Tunneling. ACK Tunneling works through firewalls that do not apply their rule sets on TCP ACK segments (ordinary packet filters belong to this class of firewalls).
Details
A short description of TCP and the way firewalls handle it:
TCP is a protocol that establishes virtual connections on top of IP. A session is established when the client sends a SYN (synchronize) segment, the server responds with a SYN/ACK segment, and the client confirms with an ACK (acknowledge) segment. All traffic in the following session consists of ACK segments.
Ordinary packet filtering firewalls rely on the fact that a session always starts with a SYN segment from the client. Thus, they apply their rule sets on all SYN segments, and simply assume that any ACK segments are part of an established session. More advanced firewalls apply their rule sets on all segments, including ACK segments. Some firewalls are configurable, so you can choose between the two ways to handle ACK segments. The reason to configure a firewall not to apply the rule set on ACK segments is workload. While a session can contain thousands or millions of ACK segments, it only contains one SYN segment. This way you can decrease the workload on the firewall considerably, and save money on expensive hardware. Remember, you cannot establish a TCP session against an ordinary system through any of these two kinds of firewalls if they are set up to block incoming connections.
When ACK Tunneling can be applied
Consider the following case. You have a firewall that does not apply its rule set on ACK segments. The rules are to block UDP and ICMP completely, to block all incoming TCP connections, and to allow all outgoing connections. Also to block any other protocols. The attacker sends a Trojan by mail to a user on the inside of the firewall. The user runs the Trojan.
Now what? How can the attacker on the outside contact the Trojan on the inside? There are at least two ways. <-QUOTE}
Read the full story here:
www.securiteam.com/securityreviews/5OP0P156AE.html
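To make the two firewall classes in the paper concrete, here is an added illustration (not from the paper or this post): an ordinary packet filter that applies its rules to SYN segments only, beside a connection-tracking filter, both run over the same constructed traffic. The addresses, ports and the `INSIDE` prefix are assumptions.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."  # constructed: endpoints with this prefix sit behind the firewall

@dataclass(frozen=True)
class Segment:  # constructed, minimal TCP segment: only what the filters inspect
    src: str  # "ip:port"
    dst: str
    syn: bool = False
    ack: bool = False
    payload: int = 0  # data bytes carried; an ACK tunnel hides its traffic here
    def inbound(self) -> bool:
        return not self.src.startswith(INSIDE)

    def session(self) -> tuple:
        # direction-independent key: (inside endpoint, outside endpoint)
        return (self.dst, self.src) if self.inbound() else (self.src, self.dst)

def stateless_allow(seg: Segment) -> bool:
    """Ordinary packet filter as the paper describes it: the rule set applies to
    SYN segments only; anything with ACK set is assumed to be established."""
    return True if seg.ack else not seg.inbound()  # only inbound SYNs are blocked

class StatefulFilter:
    """Connection-tracking filter: an inbound segment, ACK or not, passes only
    if it belongs to a session that was opened from the inside."""
    def __init__(self) -> None:
        self.sessions = set()
    def allow(self, seg: Segment) -> bool:
        if seg.syn and not seg.ack:  # new connection attempt
            if seg.inbound():
                return False
            self.sessions.add(seg.session())
            return True
        return seg.session() in self.sessions  # SYN/ACK, ACK, data must match

# Constructed traffic: a legitimate outbound web session, then an unsolicited
# inbound ACK carrying data (the segment an ACK tunnel relies on), then a SYN.
TRAFFIC = [
    Segment("10.0.0.5:40000", "203.0.113.9:80", syn=True),
    Segment("203.0.113.9:80", "10.0.0.5:40000", syn=True, ack=True),
    Segment("10.0.0.5:40000", "203.0.113.9:80", ack=True),
    Segment("198.51.100.7:1234", "10.0.0.5:5555", ack=True, payload=40),
    Segment("198.51.100.7:1234", "10.0.0.5:5555", syn=True),
]
def compare(traffic=TRAFFIC):
    """Per-segment pass/drop decisions as (stateless, stateful), in order."""
    stateful = StatefulFilter()
    return [stateless_allow(s) for s in traffic], [stateful.allow(s) for s in traffic]
```

The fourth segment is the one that matters: the stateless filter passes it because the ACK bit is set, while the connection-tracking filter drops it because no session from the inside matches it.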