-----Original Message-----
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk]
Sent: 31 October 2002 14:28
To: [EMAIL PROTECTED]
Subject: UNIRAS Brief - 383/02 - NISCC - Potential crafted packets vulnerability in firewalls
-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 383/02 dated 31.10.02  Time: 14:25
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- --------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
information about NISCC is available from www.niscc.gov.uk
- --------------------------------------------------------------------------------

Title
=====

NISCC Security Advisory: Potential crafted packets vulnerability in firewalls

Detail
======

There have been reports to several major CERTs of attacks that can bypass packet filter firewalls. There has also been discussion on Bugtraq (see http://online.securityfocus.com/archive/1/296558/2002-10-19/2002-10-25/1 ). In this thread Linux 2.4.19, Sun Solaris 5.8, FreeBSD 4.5 and Microsoft Windows NT 4.0 are identified as vulnerable.

These attacks use specially crafted TCP packets with both the SYN (synchronise) and FIN (final) flags set. Although crafted packets of this kind are not uncommon in probes against firewalls as a means of identifying the operating system, it appears that some packet filter firewalls will forward such packets because the FIN flag is interpreted as a request to end the TCP session, while the targeted host on the internal network interprets the SYN flag as a request to start a TCP session. This technique has been used to effect a SYN flood denial of service attack on the targeted host.

To prevent this type of attack, packets that do not form part of the normal TCP state should be filtered. Expected states are packets with the following flags set: SYN, ACK (acknowledgement), SYN/ACK, RST (reset), RST/ACK, FIN and FIN/ACK. The PSH (push) and URG (urgent) flags may also be set in any of these packets; they do not change the connection state but only affect how the receiver prioritises processing of the packet.
It follows that flag combinations such as SYN/FIN, SYN/RST, RST/FIN and a packet with no flags set (called a null packet) should be treated as anomalous and should be filtered.

Certain types of firewall are not vulnerable to this type of attack, namely circuit gateway (or proxy) and application proxy firewalls. These firewalls do not forward TCP packets; they establish a separate connection between the firewall and the recipient for the services proxied.

If your firewall is a packet filter firewall and does not support filtering on TCP flags, you should contact your firewall vendor to determine whether your firewall is vulnerable. A workaround, in case the firewall is vulnerable, is to install another firewall in front of the vulnerable firewall that does provide flag filtering functionality.

- --------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by telephone
or, for Not Protectively Marked information, via EMail to: [EMAIL PROTECTED]

Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- --------------------------------------------------------------------------------

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
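The flag policy the advisory describes (accept SYN, ACK, SYN/ACK, RST, RST/ACK, FIN and FIN/ACK; ignore PSH and URG; drop SYN/FIN, SYN/RST, RST/FIN and null) can be written down as a small, testable filter. The following Python is an added example, not code from UNIRAS or from any firewall product. It parses the flag byte out of a raw 20-byte TCP header, masks off the flags that do not carry connection state, and returns an accept/drop verdict. The sample headers are constructed in the block itself; treating the ECN bits (ECE/CWR, RFC 3168) like PSH/URG is this example's assumption, since the advisory does not mention them.

```python
import struct

# TCP control bits as they appear in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ECE/CWR (RFC 3168 ECN) are not discussed in the advisory; this example
# assumes they should be ignored for the decision, like PSH and URG.
ECE, CWR = 0x40, 0x80

# Only these four bits decide whether a segment fits the normal TCP state machine.
STATE_BITS = FIN | SYN | RST | ACK

# Flag combinations the advisory lists as part of normal TCP state.
ALLOWED = {SYN, ACK, SYN | ACK, RST, RST | ACK, FIN, FIN | ACK}

# Name order chosen to match the advisory's spelling (SYN/FIN, RST/FIN, FIN/ACK).
NAMES = ((SYN, "SYN"), (RST, "RST"), (FIN, "FIN"), (ACK, "ACK"))


def flag_names(flags: int) -> str:
    """Human-readable name for a state-flag combination; 'null' when none set."""
    names = [name for bit, name in NAMES if flags & bit]
    return "/".join(names) if names else "null"


def classify(flags: int) -> str:
    """Return 'accept' or 'drop:<combination>' for a TCP flag byte.

    PSH, URG, ECE and CWR are masked off before the check, so PSH/ACK is
    accepted while SYN/FIN/PSH is still dropped as SYN/FIN.
    """
    core = flags & STATE_BITS
    if core in ALLOWED:
        return "accept"
    return "drop:" + flag_names(core)


def tcp_flags(header: bytes) -> int:
    """Extract the flag byte from a raw TCP header (minimum 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    data_offset = header[12] >> 4  # header length in 32-bit words
    if data_offset < 5:
        raise ValueError("invalid TCP data offset")
    return header[13]


def filter_segment(header: bytes) -> str:
    """Verdict for one raw TCP header according to the advisory's policy."""
    return classify(tcp_flags(header))


def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header, used only to generate sample input."""
    # src port, dst port, seq, ack, data offset (5 words) << 4, flags,
    # window, checksum (left zero), urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample traffic: normal segments and the anomalous combinations
# named in the advisory.
SAMPLES = [
    ("normal connect", build_header(SYN)),
    ("handshake reply", build_header(SYN | ACK)),
    ("data segment", build_header(PSH | ACK)),
    ("graceful close", build_header(FIN | ACK)),
    ("SYN/FIN (advisory case)", build_header(SYN | FIN)),
    ("SYN/RST", build_header(SYN | RST)),
    ("RST/FIN", build_header(RST | FIN)),
    ("null packet", build_header(0)),
    ("SYN/FIN with PSH", build_header(SYN | FIN | PSH)),
]


def audit(samples=SAMPLES) -> list:
    """Apply the filter to every sample and return (label, verdict) pairs."""
    return [(label, filter_segment(hdr)) for label, hdr in samples]


if __name__ == "__main__":
    for label, verdict in audit():
        print(f"{label:26s} {verdict}")
```

The same policy on a Linux netfilter packet filter is expressed with the `--tcp-flags` match, for example `iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP` for the SYN/FIN case and `--tcp-flags ALL NONE -j DROP` for null packets; a stateful firewall that only accepts a new connection on a bare SYN (with PSH/URG/ECN bits allowed) achieves the same effect without enumerating the bad combinations.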
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

- --------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQCVAwUBPcE4gIpao72zK539AQHWRQQAt8vYN7Lns+NPQaP4ISH0e5Ppn/W3uo7i
CATo9Ukr/aCQ+rHC5X3zH2lyM8tz4F9ze7R2v1wOwgNMNFDK8TgjLmhlPV/NB9R5
LnXlUiulAJ5PytNn6osEDRzXzX77QKyTOuD2c/yAOqJGyPiShKMgpWgp72B0Jz37
0LsLQDo7hN8=
=4RHU
-----END PGP SIGNATURE-----

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk