Barracuda NextGen Firewall X

Message 'TCP Header has an Invalid ACK Number' reported in firewall history

  • Type: Knowledgebase
  • Date changed: 8 years ago
Solution #00005193

Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Symptoms:

This message is reported in the firewall history (it is displayed only when the "drop" cache is activated):

  FWD     eth0     192.168.1.1     192.168.1.100     TCP22     drop     TCP Header has an Invalid ACK Number,150955093

What does it mean?

Solution:

The TCP protocol provides several mechanisms to guarantee reliable, in-order delivery of data from sender to receiver. To ensure that no data is lost, each segment carries a sequence number, which the recipient uses to restore the correct order. For data it has received successfully, the recipient returns an acknowledgement number to the sender: the sequence number of the next byte it expects, i.e. the received sequence number incremented by the amount of data accepted.

During connection establishment, the host initiating the connection sends a SYN packet carrying a pseudo-random Initial Sequence Number (ISN) to the recipient. The receiving host replies with a SYN-ACK packet that contains both an acknowledgement of the received SYN and its own pseudo-random initial sequence number. During data transfer, the sequence numbers that the hosts initially agreed upon are incremented with each transmitted data segment, and the recipient acknowledges every successfully transferred segment.

The phion netfence firewall keeps track of the sequence and acknowledgement numbers during a TCP session and, starting from the initial TCP handshake that introduces the sequence numbers, calculates the expected values for each subsequent packet.

An attacker who cannot observe the packets of a session, but injects packets with a spoofed source IP address in order to manipulate or disrupt the communication between sender and recipient, has to guess the acknowledgement number and will almost always get it wrong. To prevent these so-called IP spoofing attacks, the Barracuda NG Firewall drops packets whose acknowledgement numbers do not match the expected values.
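The following is an added example, written for this article and not Barracuda's or phion's code, of the kind of stateful check described above: the tracker learns both initial sequence numbers from the handshake, derives for every later packet the range of acknowledgement numbers the sender could legitimately produce, and reports the same drop reason as the firewall history for anything outside that range. Hosts, sequence numbers and the forged packet in the trace are constructed sample data; the key by host pair, the strict lower bound (a host's own previous ACK) and the lack of a tolerance window are simplifications chosen for this example, not the firewall's actual implementation.

```python
"""Added example (not Barracuda's code): a minimal stateful tracker that
validates TCP acknowledgement numbers per connection. All packets in the
sample trace are constructed."""

from dataclasses import dataclass, field

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "FIN"}
    seq: int
    ack: int = 0
    length: int = 0           # payload bytes carried


@dataclass
class ConnState:
    next_seq: dict = field(default_factory=dict)  # host -> next seq number expected from that host
    last_ack: dict = field(default_factory=dict)  # host -> highest ACK number that host has sent


def seq_leq(a, b):
    """a <= b in 32-bit modular sequence arithmetic (wraparound safe)."""
    return (b - a) % MOD < (1 << 31)


class TcpAckTracker:
    """Learns the ISNs from the handshake and derives, for each later packet,
    the range of acceptable ACK numbers. Connections are keyed by host pair
    only (a real firewall would key on the full 4-tuple)."""

    def __init__(self):
        self.conns = {}

    def process(self, p):
        """Return 'forward' or a 'drop: <reason>' string for one packet."""
        key = frozenset((p.src, p.dst))
        st = self.conns.get(key)

        if st is None:
            if p.flags == {"SYN"}:
                st = ConnState()
                st.next_seq[p.src] = (p.seq + 1) % MOD  # SYN occupies one sequence number
                self.conns[key] = st
                return "forward"
            return "drop: no connection state"  # mid-stream packet without a handshake

        if "ACK" in p.flags:
            peer_next = st.next_seq.get(p.dst)
            if peer_next is None:
                return "drop: handshake incomplete"
            # A valid ACK never goes backwards relative to this host's previous ACK
            # and never acknowledges bytes the peer has not transmitted yet.
            lo = st.last_ack.get(p.src, peer_next)
            hi = peer_next
            if not (seq_leq(lo, p.ack) and seq_leq(p.ack, hi)):
                return "drop: TCP Header has an Invalid ACK Number"
            st.last_ack[p.src] = p.ack

        # Advance the sender's expected next sequence number (SYN and FIN each use one).
        consumed = p.length + ("SYN" in p.flags) + ("FIN" in p.flags)
        new_next = (p.seq + consumed) % MOD
        cur = st.next_seq.get(p.src)
        if cur is None or seq_leq(cur, new_next):
            st.next_seq[p.src] = new_next
        return "forward"


def run_sample_trace():
    """Constructed session: handshake, a request/response exchange, one forged
    packet whose ACK number was guessed blindly, and a packet for which no
    handshake was ever seen."""
    C, S = "192.168.1.100", "192.168.1.1"
    F = frozenset
    trace = [
        Packet(C, S, F({"SYN"}), seq=1000),
        Packet(S, C, F({"SYN", "ACK"}), seq=5000, ack=1001),
        Packet(C, S, F({"ACK"}), seq=1001, ack=5001),
        Packet(C, S, F({"ACK"}), seq=1001, ack=5001, length=100),
        Packet(S, C, F({"ACK"}), seq=5001, ack=1101, length=400),
        Packet(S, C, F({"ACK"}), seq=5401, ack=999999),   # forged: C never sent up to here
        Packet(C, S, F({"ACK"}), seq=1101, ack=5401),
        Packet("10.0.0.5", C, F({"ACK"}), seq=7, ack=8),  # no handshake seen for this pair
    ]
    tracker = TcpAckTracker()
    return [tracker.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_sample_trace():
        print(verdict)
```

Running the script prints "forward" for the five legitimate packets, the "Invalid ACK Number" drop for the forged one, "forward" for the next legitimate ACK (the forged packet left the state untouched), and a no-state drop for the packet whose handshake was never observed. Because the lower bound is the sender's own previous ACK, the tracker also rejects acknowledgement numbers that move backwards; a production implementation additionally allows a tolerance window so that reordered or retransmitted segments are not reported as spoofing.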

For further information on TCP protocol operation, please refer to RFC 793 - Transmission Control Protocol.


Link to This Page:
https://campus.barracuda.com/solution/50160000000IKZmAAO