Remote host replies to SYN+FIN

zaterio · Fri Sep 23, 2005 1:12 am

HI

I run nessus client in my DMZ server (192.168.2.2), the nessus server are in another subnet (192.168.3.254),the router is a Mikrotik 2.8, the follow vulnerability was found:

The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/ ... /0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487

I want to know how i can configure the mikrotiks firewall to fix the problem.

thank you in advance

zaterio

changeip · Fri Sep 23, 2005 9:14 am

You can write a rule to stop that if you wish.

Sam

Roman · Fri Sep 23, 2005 1:15 pm

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=drop

zaterio · Sun Sep 25, 2005 2:09 am

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=drop

OK, thanks for the answers but the code is for mikrotik 2.9, the 2.8 version dont have the tcp-flags options.......any suggestions?

zaterio

sten · Mon Sep 26, 2005 1:27 am

SYN+FIN is legal for TTCP (a transacation oriented version of TCP).
SYN+FIN is not an illegal combination and the authors of the risk assesment software you run really have something to learn. SYN+FIN is also used in port scanning too but in network world, anything used constructivly can be used destructivly. Packets don't carry user motives and if they did, could you trust them?

Roman · Mon Sep 26, 2005 4:34 pm

OK, thanks for the answers but the code is for mikrotik 2.9, the 2.8 version dont have the tcp-flags options.......any suggestions?
zaterio

with 2.8 it's not possible -- you can define only syn there