Firewall Wizards mailing list archives
RE: Cisco PIX vulnerable to TCP RST DOS attacks
From: "Ahmed, Balal" <balal.ahmed () capgemini com>
Date: Wed, 5 May 2004 16:40:15 +0100
Cisco have advised me that PIX images need to be upgraded to special release versions which have to be obtained through TAC. They have not explained how the new image will mitigate this vulnerability though.

The latest Checkpoint HotFix can mitigate this for the entire network that is segmented by a module. Checkpoint do this by checking sequence numbers in RST packets and discarding out-of-state RST packets. This has the potential to break legacy non-RFC-compliant apps.

It would be nice to have a detailed breakdown and analysis from Cisco regarding this.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Mikael Olsson
Sent: 05 May 2004 14:01
To: Ahmed, Balal
Cc: 'firewall-wizards () honor icsalabs com'
Subject: Re: [fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

"Ahmed, Balal" wrote:
> If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned is it a connection end point or a transit device?

Conceptually, it is a transit device, however ...

> [...] Having said this, I have seen PIXes tear down connections on seeing a RESET-O arrive from the outside. Does this mean that the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco have implemented NAT?
It used to tear down connections immediately upon receiving any RST with matching IPs and ports. This was changed back in 2000: http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml where they verify the sequence number of the RST.

However, as far as I know (though note that I'm in no way a Cisco/PIX expert) they'd still tear down the connection immediately upon receiving a RST, so this would still make the NAPT implementation vulnerable to a sequence sweep of RSTs. Assuming you know the source port, that is.

HOWEVER, predicting the source port on a busy NAPT is no fun - you go from ~32K packets * a few ports to try to ~32K packets * 64K ports [1]. This is quite a lot of packets. Just trying all of them in a meaningful time would mean a packet rate comparable to an all-out DDoS, which is an attack in and of itself - and a much more "meaningful" one, at that.

I still believe that the #1 impact of this vulnerability, as seen in an Internet-wide perspective, is killing BGP sessions in core routers. Do it a few times to trigger route flap detection, and you'll isolate large chunks of the net from each other, or, worst case, from the rest of the Internet.

-- 
Mikael Olsson, Clavister AB
Torggatan 10, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05  Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

[1] possibly divided by the number of simultaneous connections to the same endpoint if "killing some connections for the fun of it" is all you're after.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
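To make the difference between the two behaviours in the thread concrete (tearing down on any RST with matching addresses and ports versus first checking the RST's sequence number against the tracked window, which is what the 2000 Cisco change and the Check Point hotfix do), here is an added example that is not code from the thread or from either vendor; the connection-table layout, the packet representation and the sample traffic are constructed for illustration.

```python
"""Added example (not from the thread or either vendor): a toy NAPT connection
table comparing the two RST policies the thread describes. Layout is assumed."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32

def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test, wraparound-safe: rcv_nxt <= seq < rcv_nxt + rcv_wnd."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

@dataclass
class Conn:
    # Receive state of the inside host as the firewall observed it in passing traffic.
    in_rcv_nxt: int      # next sequence number the inside host expects from outside
    in_rcv_wnd: int      # window the inside host last advertised
    alive: bool = True

class ConnTable:
    def __init__(self, check_seq: bool):
        # check_seq=False: tear down on any RST whose addresses/ports match (pre-2000
        # PIX). True: also require an in-window seq, as the Cisco fix and CP hotfix do.
        self.check_seq = check_seq
        self.table = {}          # (outside_ip, outside_port, xlate_port) -> Conn
        self.dropped_rst = 0     # out-of-state RSTs discarded; a spike is worth alerting on

    def add(self, key, conn: Conn) -> None:
        self.table[key] = conn

    def rst_from_outside(self, key, seq: int) -> bool:
        """Apply one inbound RST; return True if it tore the connection down."""
        conn = self.table.get(key)
        if conn is None or not conn.alive:
            return False         # no live state for this tuple: nothing to tear down
        if self.check_seq and not in_window(seq, conn.in_rcv_nxt, conn.in_rcv_wnd):
            self.dropped_rst += 1
            return False         # out-of-window RST is discarded, session survives
        conn.alive = False
        return True

def demo(check_seq: bool):
    """Constructed traffic: one NAPT session, then three inbound RSTs with
    guessed sequence numbers; only the last one lands inside the window.
    Returns (sequence number that tore the session down, RSTs discarded)."""
    t = ConnTable(check_seq)
    key = ("198.51.100.7", 80, 40001)   # constructed: outside ip, outside port, xlate port
    t.add(key, Conn(in_rcv_nxt=1_000_000, in_rcv_wnd=16_384))
    for seq in (5, 2_000_000_000, 1_000_100):
        if t.rst_from_outside(key, seq):
            return seq, t.dropped_rst
    return None, t.dropped_rst
```

The sequence-checking table also counts the RSTs it discards, which is the signal worth graphing on the firewall: a sweep shows up as a burst of out-of-window RSTs against a single translation entry long before one happens to land inside the window.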