Firewall Wizards mailing list archives
Re: Cisco PIX vulnerable to TCP RST DOS attacks
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 05 May 2004 15:01:27 +0200
"Ahmed, Balal" wrote:

> If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT then, as far as the TCP conversation is concerned, is it a connection end point or a transit device?

Conceptually, it is a transit device, however ...

> [...] Having said this, I have seen PIXes tear down connections on seeing a RESET-O arrive from the outside. Does this mean that the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco have implemented NAT?

It used to tear down connections immediately upon receiving any RST with matching IPs and ports. This was changed back in 2000:
http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
where they verify the sequence number of the RST.

However, as far as I know (though note that I'm in no way a Cisco/PIX expert) they'd still tear down the connection immediately upon receiving a RST, so this would still make the NAPT implementation vulnerable to a sequence sweep of RSTs. Assuming you know the source port, that is.

HOWEVER, predicting the source port on a busy NAPT is no fun - you go from ~32K packets * a few ports to try to ~32K packets * 64K ports [1]. This is quite a lot of packets. Just trying all of them in a meaningful time would mean a packet rate comparable to an all-out DDoS, which is an attack in and of itself - and a much more "meaningful" one, at that.

I still believe that the #1 impact of this vulnerability, as seen in an Internet-wide perspective, is killing BGP sessions in core routers. Do it a few times to trigger route flap detection, and you'll isolate large chunks of the net from each other, or, worst case, from the rest of the Internet.

-- 
Mikael Olsson, Clavister AB
Torggatan 10, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

[1] possibly divided by the number of simultaneous connections to the same endpoint if "killing some connections for the fun of it" is all you're after.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
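The two RST-handling policies the reply contrasts (tear down on any RST with matching IPs and ports, versus tear down only when the RST's sequence number is inside the receive window) and the "~32K packets * ports" arithmetic, as an added example. This is editor-written illustration code, not code from the post and not Cisco's PIX implementation. It assumes a 32-bit sequence space, a receive window of 128 KiB (which is what yields the ~32K figure), a connection identified by its outside 4-tuple, and constructed sample values for the addresses, ports and sequence numbers.

```python
"""
Added example: a toy NAPT-style connection entry under the two RST policies
discussed in the thread, plus the cost of a blind RST sequence sweep.
Not from the original post and not Cisco's code; all values are constructed.
"""
import math
from dataclasses import dataclass
from typing import Optional

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit


@dataclass(frozen=True)
class Conn:
    """One translated connection as seen on the outside of the NAPT.
    peer_* is the outside host; nat_* is the public address/port the NAPT
    chose, which is the part an outside attacker has to guess."""
    peer_ip: str
    peer_port: int
    nat_ip: str
    nat_port: int
    rcv_nxt: int             # next sequence number expected from the peer
    window: int              # receive window advertised to the peer


@dataclass(frozen=True)
class Rst:
    """An inbound RST segment (RESET-O in PIX terms): src is the peer side."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int


def tuple_matches(conn: Conn, pkt: Rst) -> bool:
    return (conn.peer_ip, conn.peer_port, conn.nat_ip, conn.nat_port) == \
           (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def rst_accepted_legacy(conn: Conn, pkt: Rst) -> bool:
    """Policy the post says PIX had before 2000: any RST whose IPs and ports
    match the entry tears the connection down; the sequence number is ignored."""
    return tuple_matches(conn, pkt)


def seq_in_window(conn: Conn, seq: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + window), modulo 2^32."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.window


def rst_accepted_checked(conn: Conn, pkt: Rst) -> bool:
    """Policy after the fix the post links: 4-tuple must match AND the RST's
    sequence number must fall inside the receive window."""
    return tuple_matches(conn, pkt) and seq_in_window(conn, pkt.seq)


def rst_sweep(conn: Conn, guessed_nat_port: int) -> Optional[int]:
    """Blind attacker against the sequence-checked policy: knows both IPs and
    the peer's port, guesses the NAPT's public port, and sends one RST per
    window-sized step across the whole sequence space. Returns how many RSTs
    were sent before one was accepted, or None if the port guess was wrong."""
    sent = 0
    for seq in range(0, SEQ_SPACE, conn.window):
        sent += 1
        pkt = Rst(conn.peer_ip, conn.peer_port, conn.nat_ip, guessed_nat_port, seq)
        if rst_accepted_checked(conn, pkt):
            return sent
    return None


def sweep_cost(window: int, port_candidates: int) -> int:
    """Worst-case RST count for a full sweep: one RST per window-sized step
    of the sequence space, repeated for every candidate NAPT port."""
    return math.ceil(SEQ_SPACE / window) * port_candidates


if __name__ == "__main__":
    # Constructed sample connection: outside web server -> NAPT public port.
    conn = Conn("203.0.113.10", 80, "198.51.100.1", 40000,
                rcv_nxt=0x12345678, window=128 * 1024)
    bogus = Rst("203.0.113.10", 80, "198.51.100.1", 40000, seq=0)
    print("legacy accepts out-of-window RST:", rst_accepted_legacy(conn, bogus))
    print("checked accepts out-of-window RST:", rst_accepted_checked(conn, bogus))
    print("RSTs needed with known port:", rst_sweep(conn, 40000))
    print("RSTs needed with wrong port:", rst_sweep(conn, 40001))
    print("worst case, a few ports:", sweep_cost(128 * 1024, 4))
    print("worst case, all 64K ports:", sweep_cost(128 * 1024, 65536))
```

The in-window test is the generic "sequence number inside the receive window" rule the post describes, not a reproduction of any vendor's exact check; with a 128 KiB window the sweep needs at most 32768 RSTs per port candidate, and multiplying by 65536 candidate ports gives the roughly 2 billion packets that the reply argues amounts to a DDoS in its own right.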
Current thread:
- Cisco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- <Possible follow-ups>
- Re: Cisco PIX vulnerable to TCP RST DOS attacks Paul D. Robertson (May 05)
- Re: Cisco PIX vulnerable to TCP RST DOS attacks Shimon Silberschlag (May 05)
- RE: Cisco PIX vulnerable to TCP RST DOS attacks Melson, Paul (May 05)
- Re: Cisco PIX vulnerable to TCP RST DOS attacks Mikael Olsson (May 05)
- RE: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- Re: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks) Chuck Swiger (May 05)
- RE: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks) Gwendolynn ferch Elydyr (May 05)
- Re: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks) Henning Brauer (May 06)
- RE: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks) Josh Welch (May 05)
- RE: Cisco PIX vulnerable to TCP RST DOS attacks Ahmed, Balal (May 05)
- Cisco PIX vulnerable to TCP RST DOS attacks Dario Calia (May 05)