Bill,

Actually, by non-first fragments I mean all but the first IP fragment, not
non-SYN packets.  An IP fragment attack is very different than a SYN attack,
and potentially more dangerous.

In most situations, only the first IP fragment contains the upper layer port
information, so all subsequent IP fragments contain no upper layer info to
check.  Since traditional packet filters don't maintain state, they don't
know that the next fragment should be dropped because it contains no upper
layer port information.

I say "most situations" because it is possible to craft a non-first IP
fragment in such a way that it contains an incorrect offset so that when the
packets are re-assembled it contains upper layer port information that would
normally only be present in the first IP fragment.

In this way, an attacker could send an initial packet which might make it
through a packet filter, say a UDP packet from source port 53, but the next
fragment will have the offset crafted such that when the end host
re-assembles the packet, the source and destination ports are different than
they were in the first IP fragment.  This can be particularly nasty because
it may allow an attacker to actually complete a connection to a host on a
port that it might otherwise not be able to, instead of just a DoS attack.

If your router is only a portion of your security perimeter, this may not be
a big problem, since you also have a firewall.  If you're really concerned
about this you should upgrade to an IOS that supports the Firewall Feature
Set with the fragmentation checking (versions 12.0.4T and higher if memory
serves).

HTH,
Kent
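The difference between a stateless port ACL and one that checks fragments is easier to see in a small model. This is an added Python example, not code from the list thread or from Cisco; the Fragment class, the header-size minimums, the port-23 rule and the sample fragments are constructed for the demonstration, and the fragment-aware filter implements the two checks RFC 1858 recommends rather than any IOS feature.

```python
from dataclasses import dataclass

# Constructed model of an IPv4 fragment as a filter sees it (not a real packet parser).
@dataclass
class Fragment:
    proto: str      # "tcp" or "udp"
    offset: int     # fragment-offset field, in 8-byte units as on the wire
    more: bool      # "more fragments" flag
    payload: bytes  # the transport-layer bytes this fragment carries

# Assumed minimum transport-header bytes a first fragment must carry before it is trusted.
MIN_FIRST_FRAGMENT = {"tcp": 20, "udp": 8}

def transport_ports(frag):
    """Ports are readable only in a fragment starting at offset 0 with at least 4 bytes."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return None
    return int.from_bytes(frag.payload[:2], "big"), int.from_bytes(frag.payload[2:4], "big")

def stateless_acl(frag, denied_dst_port):
    """Classic non-stateful filter: judge ports when visible, otherwise let the fragment through."""
    ports = transport_ports(frag)
    if ports is None:
        return "permit"  # non-first fragment carries no port info, so the port rule cannot match
    return "deny" if ports[1] == denied_dst_port else "permit"

def fragment_aware_acl(frag, denied_dst_port):
    """The same port rule plus the two checks RFC 1858 recommends against fragment evasion."""
    if frag.offset == 0:
        if frag.more and len(frag.payload) < MIN_FIRST_FRAGMENT[frag.proto]:
            return "deny"  # tiny first fragment: the header continues in a later fragment
        return stateless_acl(frag, denied_dst_port)
    if frag.proto == "tcp" and frag.offset == 1:
        return "deny"  # would overwrite bytes 8-15 of the TCP header (flags) on reassembly
    return "permit"
def first_fragment(proto, sport, dport, size, more=True):
    hdr = sport.to_bytes(2, "big") + dport.to_bytes(2, "big")  # constructed ports + header/data
    return Fragment(proto, 0, more, hdr + bytes(size - 4))
# Constructed sample traffic evaluated against a rule denying destination port 23.
SAMPLES = {
    "telnet_first": first_fragment("tcp", 4000, 23, 24),
    "web_first":    first_fragment("tcp", 4000, 80, 24),
    "tiny_first":   first_fragment("tcp", 4000, 80, 8),       # header cut after 8 bytes
    "overlap_frag": Fragment("tcp", 1, False, bytes(16)),     # lands on header bytes 8-15
    "tail_frag":    Fragment("tcp", 185, False, bytes(64)),   # ordinary trailing fragment
}
def compare(denied_dst_port=23):
    """Return {name: (stateless verdict, fragment-aware verdict)} for every sample."""
    return {n: (stateless_acl(f, denied_dst_port), fragment_aware_acl(f, denied_dst_port))
            for n, f in SAMPLES.items()}
```

Running compare() shows the stateless filter passing both the tiny first fragment and the offset-1 fragment that the fragment-aware filter drops, while ordinary trailing fragments pass either way.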



Bill Fox wrote:

> ----- Original Message -----
> From: Kent Hundley <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; firewalls <[EMAIL PROTECTED]>
> Sent: Monday, October 04, 1999 11:35 PM
> Subject: RE: Router ACL's
>
> >Bill,
>
> >Comments embedded:
>
>   <snips>
>
> >Without more specific information, it's hard to give a complete answer.
> >It's possible that the IP packets are non-first fragments or that
> >someone is purposely using a hacking tool that crafts packets designed
> >to make it through non-stateful filtering routers. (i.e. set the ACK or
> >RST bit)  Most cisco ACL's won't filter non-first IP fragments.  You can
> >enable filtering of all fragments in certain IOS versions, but it's an
> >all or nothing process unless you use the Firewall Feature Set, and even
> >then you'll need version 12.0.
>
> By 'non-first' I'm assuming you mean other than SYN's?  So, if non-SYN
> packets are received at the (non-stateful) interface, they're not dropped,
> even if the packet's IP is in the ACL? I'm still running 11.2 IOS, BTW.
> Definitely in need of an upgrade <g>.
>
> >Without knowing more about exactly what packets you're seeing hit your
> >firewall and what your ACL entries look like, there's no way to give a
> >more specific answer.
>
> A typical ACL entry would be:
>
> access-list 100 deny tcp any host xxx.xxx.xxx.xxx
>
> The list would be assigned as 'in' on the interface.
>
> I've tossed a 'log' onto the end for the hosts that have been punching
> through, and I see logged denials.  But I still see quite a few entries
> from the same IP's that have made it to the firewall logs, too.  That's
> why I'm groping.  :)
>
> >HTH,
> >Kent Hundley
>
> Thanks Kent, & all the other list members who've dropped me tips.
>
> --Bill
