Snort mailing list archives

Re: fragroute vs. snort: the tempest in a teacup


From: Francis Cianfrocca <francis () tempest com>
Date: Thu, 18 Apr 2002 15:33:53 -0400

Sorry for changing the subject, but what is the general state of the art on application-level firewalls? Are any of them ready for prime time?
-hedd

Dug Song wrote:

> On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:
>
> > First, this is not a snort-only issue, as I would wager other IDSes
> > have as many if not more evasion modes as well as sharing these with
> > Snort...
>
> absolutely correct. Snort, i'd wager, does much better than most.
>
> most stateful inspection firewalls and "intrusion prevention" or other
> application-layer content filtering devices (e.g. Cisco NBAR) have
> similar vulnerabilities that may be tested with fragroute.
>
> > Most firewalls these days (especially Linux and OpenBSD ones)
> > actually do reassembly inbound.
>
> this isn't quite true. most stateful inspection firewalls do "virtual
> reassembly" for IP fragments, and a few do basic window tracking for
> TCP connections, but will still allow most fragroute-style attacks
> through (e.g. duplicate overwriting TCP segments with older TCP
> timestamp options for PAWS elimination, short TTLs, etc.).
>
> your best bet (for the truly paranoid) is an application-layer
> firewall, but we all knew that already. :-)
>
> TCP scrubbers, as proposed by Malan, Paxson, et al. [1] [2] and
> implemented by Provos, Paxson, et al. [3] [4] are a good intermediate
> solution, but haven't found widespread deployment.
>
> > This was an interesting point discovered recently when it was
> > realized that the snort defragger was actually never getting touched
> > at all in some installations.
>
> IP fragmentation is rare to begin with [5], so i wouldn't chalk this
> up to firewall magic - especially when all major firewalls still pass
> fragments in their default configuration, and ONLY OpenBSD pf and
> Linux netfilter can actually be configured to reassemble. even fewer
> track TCP windows, options, etc...
>
> -d.
>
> [1] http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz
> [2] http://www.icir.org/vern/papers/norm-usenix-sec-01.ps.gz
> [3] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c
> [4] http://www.mirrors.wiretapped.net/security/network-intrusion-detection/norm/
> [5] http://www.caida.org/outreach/papers/2001/Frag/
>
> ---
> http://www.monkey.org/~dugsong/
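To make concrete what the TCP scrubbers cited in the thread do, here is an added toy normalizer (example code, not the pf_norm or norm implementations referenced above) that applies the PAWS rule to duplicate segments carrying older timestamps and rewrites overlapping bytes to the first-received data, so the monitor and the end host see the same stream. Segment, TcpScrubber, normalize and the sample sequence numbers and timestamps are constructed for the example.

```python
# Toy TCP scrubber: resolves the two stream ambiguities named in the thread
# (PAWS-discarded duplicates and inconsistent overlapping segments). Names
# and sample values are constructed; this is not the pf/norm code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Segment:
    seq: int                      # sequence number of the first payload byte
    data: bytes
    tsval: Optional[int] = None   # TCP timestamp option value, if carried

@dataclass
class TcpScrubber:
    ts_recent: Optional[int] = None           # last accepted timestamp (PAWS state)
    seen: dict = field(default_factory=dict)  # seq -> byte, first-received wins
    dropped: list = field(default_factory=list)

    def scrub(self, seg: Segment) -> Optional[Segment]:
        """Return the segment as the end host will see it, or None if dropped."""
        # PAWS (RFC 1323): a receiver discards a segment whose timestamp is
        # older than the last one it accepted, so drop it here as well; the
        # monitor then never sees data the end host will ignore.
        if seg.tsval is not None and self.ts_recent is not None and seg.tsval < self.ts_recent:
            self.dropped.append(("paws", seg.seq, seg.tsval))
            return None
        # Overlap: bytes already accepted keep their original value, and a later
        # duplicate is rewritten to match, so every observer sees one stream.
        out = bytearray()
        for i, b in enumerate(seg.data):
            out.append(self.seen.setdefault(seg.seq + i, b))
        if seg.tsval is not None:
            self.ts_recent = seg.tsval
        return Segment(seg.seq, bytes(out), seg.tsval)

    def stream(self) -> bytes:
        """Accepted bytes in sequence order (holes simply collapse in this toy)."""
        return bytes(self.seen[s] for s in sorted(self.seen))

def normalize(segments: list) -> TcpScrubber:
    sc = TcpScrubber()
    for seg in segments:
        sc.scrub(seg)
    return sc

if __name__ == "__main__":
    # Constructed sample: a request, an overwriting duplicate with an older
    # timestamp (discarded by PAWS), then the rest of the request.
    segs = [Segment(1000, b"GET /in", 100), Segment(1000, b"GET /xx", 50),
            Segment(1007, b"dex.html", 101)]
    sc = normalize(segs)
    print(sc.stream(), sc.dropped)   # b'GET /index.html' [('paws', 1000, 50)]
```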


