I'm seeing some bad stuff on a Cisco PIX firewall. Sometimes the
firewall will completely slow to a crawl. The console output will show
nothing but the following error message displayed over and over:
fh_insertb: too many connections(12) in set
Cisco web site says that:
"IP packets fragmented into more than 12 elements cannot pass through the
PIX Firewall. When detected, the following console message appears:"
(above error message is then listed)
The obvious explanation is that someone is attacking with IP fragments.
Sniffer capture seems to prove this -- it's showing tons of TCP "invalid
frames". These frames are all alike:
IP header is 20 bytes
"More fragments" bit set to 1
"Fragment offset" is 0
Protocol is 6 (TCP)
TCP header seems to be blank.
Total size of the whole packet is 60 bytes.
Talking with Cisco, they say that the PIX is simply being overloaded
by these fragments and there's nothing that can be done on the PIX. It
has to be blocked upstream. What I'm trying to determine is:
1. If this is correct.
2. How to block it upstream on a Cisco router on a basis other than
source IP.
Intrusion detection systems are an option but I was wondering if anyone
has any suggestions on how to put in a filter on a Cisco router to filter
fragments (or at least large numbers of them). It seems like simply
blocking all fragments is a bad idea of course. But is there something
else I can do on the Cisco router to block fragments that ought to leave
innocent packets alone? Or even if I wanted to block all fragments
regardless, how is this done?
Thank you very much for any insight!
Carl
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
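The packets described in the post are initial fragments (offset 0, MF set), which is the one class a simple fragment match on an IOS router does not catch: the ACL `fragments` keyword matches non-initial fragments (offset > 0) only, so an offset-0 fragment is instead evaluated against the normal L3/L4 entries. The following is an added example, not code from the post, from the mailing list or from Cisco, showing the classification a filter has to make and a per-source count that lets a flood stand out without dropping every fragment. Sample packets are constructed in the block to mirror the description (20-byte IP header, MF=1, offset 0, protocol 6, 60 bytes total, zeroed TCP header); the addresses are documentation ranges and the threshold is an assumption.

```python
"""Classify IPv4 fragments the way a router filter must and count them per
source.  All packets here are constructed, not captured."""
import socket
import struct
from collections import Counter

IP_PROTO_TCP = 6
MF_FLAG = 0x2000       # "More Fragments" bit in the IPv4 flags/offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units


def build_ipv4(src, dst, proto, payload, mf=False, offset=0, ident=0, ttl=64):
    """Build a minimal IPv4 packet (20-byte header, no options, checksum zero).
    offset is in bytes and must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if mf else 0) | ((offset // 8) & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(pkt):
    """Return the header fields a fragment filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ident": ident,
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & OFFSET_MASK) * 8,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],
    }


def classify(pkt):
    """'unfragmented', 'initial' (offset 0, MF set) or 'noninitial' (offset > 0).
    On Cisco IOS the ACL 'fragments' keyword matches only 'noninitial'."""
    h = parse_ipv4(pkt)
    if h["offset"] > 0:
        return "noninitial"
    return "initial" if h["mf"] else "unfragmented"


def tcp_header_missing(pkt, min_header=20):
    """True for an initial TCP fragment too short to carry a full TCP header
    (the tiny-fragment case of RFC 1858); a router cannot match ports or
    flags on such a packet."""
    h = parse_ipv4(pkt)
    return (h["proto"] == IP_PROTO_TCP and h["offset"] == 0 and h["mf"]
            and len(h["payload"]) < min_header)


def flood_sources(packets, threshold):
    """Count initial and non-initial fragments per source address and return
    the sources at or above threshold (threshold is a tuning assumption)."""
    counts = Counter()
    for pkt in packets:
        if classify(pkt) != "unfragmented":
            counts[parse_ipv4(pkt)["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed samples.  The flood mirrors the post: 20-byte IP header,
# MF=1, offset 0, protocol 6, 60 bytes total, 40 zero bytes where the TCP
# header should be.  Addresses are from the documentation ranges.
ATTACKER, TARGET, LEGIT = "192.0.2.1", "198.51.100.5", "203.0.113.9"
SAMPLE_FLOOD = [build_ipv4(ATTACKER, TARGET, IP_PROTO_TCP, bytes(40),
                           mf=True, ident=i) for i in range(50)]
SAMPLE_LEGIT = [
    # whole packet: TCP header plus a little data
    build_ipv4(LEGIT, TARGET, IP_PROTO_TCP, bytes(20) + b"GET / HTTP/1.0\r\n"),
    # last fragment of a large datagram
    build_ipv4(LEGIT, TARGET, IP_PROTO_TCP, bytes(8), offset=1480, ident=7),
    # tiny initial fragment: not enough room for a TCP header
    build_ipv4(LEGIT, TARGET, IP_PROTO_TCP, bytes(8), mf=True, ident=8),
]

if __name__ == "__main__":
    for p in SAMPLE_LEGIT + SAMPLE_FLOOD[:1]:
        print(classify(p), tcp_header_missing(p), len(p))
    print(flood_sources(SAMPLE_FLOOD + SAMPLE_LEGIT, threshold=10))
```

The flood packets come out as "initial", so a rule keyed on the `fragments` keyword alone would leave them alone and block legitimate non-initial fragments instead; the per-source count is what separates the 50-packet burst from the two benign fragments, which is the kind of rate-based rather than all-or-nothing decision the question asks for.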